Chapter 7: Computer-Assisted Audit Techniques [CAATs]

IT Auditing & Assurance, 2e, Hall & Singleton

Upload: edward-hines

Post on 18-Jan-2018


INTRODUCTION TO INPUT CONTROLS

Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete

Data input procedures can be either:
• Source document-triggered (batch)
• Direct input (real-time)

Source document input requires human involvement and is prone to clerical errors.

Direct input employs real-time editing techniques to identify and correct errors immediately

CLASSES OF INPUT CONTROLS

1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems

#1-SOURCE DOCUMENT CONTROLS

Controls in systems using physical source documents

Source document fraud

To control for exposure, control procedures are needed over source documents to account for each one:
• Use pre-numbered source documents
• Use source documents in sequence
• Periodically audit source documents

#2-DATA CODING CONTROLS

Checks on data integrity during processing

Transcription errors
• Addition errors, extra digits
• Truncation errors, digit removed
• Substitution errors, digit replaced

Transposition errors
• Single transposition: adjacent digits transposed (reversed)
• Multiple transposition: non-adjacent digits are transposed

Control = Check digits
• Added to code when created (suffix, prefix, embedded)
• Sum of digits (ones): transcription errors only
• Modulus 11: different weights per column: transposition and transcription errors
• Introduces storage and processing inefficiencies
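
The difference between the two check-digit schemes, as an added example that is not part of the original slides. It assumes a suffix check digit, modulus 11 weights of 2, 3, 4, ... counted from the rightmost column, and "X" for a remainder of 10; the code 5372 and the keying errors are constructed.

```python
# Added example: the two check-digit schemes named on the slide, on constructed codes.
# Assumptions: check digit is a suffix; modulus 11 weights are 2, 3, 4, ... from the right.

def sum_check(base: str) -> str:
    """Sum-of-digits scheme: every column carries the same weight."""
    return str(sum(int(d) for d in base) % 10)

def mod11_check(base: str) -> str:
    """Modulus 11 scheme: each column has its own weight."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)  # 10 has no single digit; "X" is an assumption

def is_valid(code: str, scheme) -> bool:
    """Recompute the check digit from the base and compare it with the suffix."""
    base, check = code[:-1], code[-1]
    return base.isdigit() and scheme(base) == check

def error_detected(original: str, keyed: str, scheme) -> bool:
    """True if a mis-keyed base fails validation against the original check digit."""
    return not is_valid(keyed + scheme(original), scheme)

# Constructed keying errors against the constructed code 5372.
ERRORS = {
    "addition": "53722",
    "truncation": "537",
    "substitution": "5872",
    "single transposition": "5732",
    "multiple transposition": "2375",
}

def coverage(original: str = "5372") -> dict:
    """Map each error type to (caught by sum of digits, caught by modulus 11)."""
    return {name: (error_detected(original, keyed, sum_check),
                   error_detected(original, keyed, mod11_check))
            for name, keyed in ERRORS.items()}

if __name__ == "__main__":
    for name, (by_sum, by_mod11) in coverage().items():
        print(f"{name:24} sum-of-digits={by_sum!s:5} modulus-11={by_mod11}")
```

Both transpositions leave the digit sum unchanged, so only the weighted scheme rejects them.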

#3-BATCH CONTROLS

Method for handling high volumes of transaction data – esp. paper-fed IS

Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output

Requires grouping of similar input transactions

#3-BATCH CONTROLS

Requires controlling batch throughout

Batch transmittal sheet (batch control record) – Figure 7-1, p. 302
• Unique batch number (serial #)
• A batch date
• A transaction code
• Number of records in the batch
• Total dollar value of financial field
• Sum of unique non-financial field
  • Hash total
  • E.g., customer number

Batch control log – Figure 7-3, p. 303

Hash totals

#4-VALIDATION CONTROLS

Intended to detect errors in data before processing

Most effective if performed close to the source of the transaction

Some require referencing a master file

#4-VALIDATION CONTROLS

Field Interrogation
• Missing data checks
• Numeric-alphabetic data checks
• Zero-value checks
• Limit checks
• Range checks
• Validity checks
• Check digit

Record Interrogation
• Reasonableness checks
• Sign checks
• Sequence checks

File Interrogation
• Internal label checks (tape)
• Version checks
• Expiration date check

#5-INPUT ERROR CORRECTION

Batch – correct and resubmit

Controls to make sure errors are dealt with completely and accurately
1) Immediate Correction
2) Create an Error File
   • Reverse the effects of partially processed transactions, resubmit corrected records
   • Reinsert corrected records in processing stage where error was detected
3) Reject the Entire Batch

#6-GENERALIZED DATA INPUT SYSTEMS (GDIS)

Centralized procedures to manage data input for all transaction processing systems

Eliminates need to create redundant routines for each new application

Advantages:
• Improves control by having one common system perform all data validation
• Ensures each AIS application applies a consistent standard of data validation
• Improves systems development efficiency

#6-GDIS

Major components:
1) Generalized Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log

CLASSES OF PROCESSING CONTROLS

1) Run-to-Run Controls

2) Operator Intervention Controls

3) Audit Trail Controls

#1-RUN-TO-RUN (BATCH)

Use batch figures to monitor the batch as it moves from one process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
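
A run-to-run check built on the batch control record from the batch controls slides, as an added example that is not part of the original slides. The field names, the records, and the rule that sequence numbers run 1..n within a batch are assumptions; all data is constructed.

```python
from decimal import Decimal

# Constructed batch control record with the transmittal-sheet fields from the slides.
CONTROL = {"batch_no": 12, "txn_code": "SO", "record_count": 4,
           "dollar_total": Decimal("1250.00"),
           "hash_total": 40010}  # sum of customer numbers

# Constructed batch as it left data entry: (sequence no, txn code, customer no, amount)
BATCH = [(1, "SO", 10001, Decimal("300.00")),
         (2, "SO", 10002, Decimal("450.50")),
         (3, "SO", 10003, Decimal("199.50")),
         (4, "SO", 10004, Decimal("300.00"))]

def run_to_run_check(control: dict, records: list) -> list:
    """Recompute the batch figures after a processing run; return the exceptions found."""
    found = []
    if len(records) != control["record_count"]:
        found.append("record count")
    if sum((r[3] for r in records), Decimal("0")) != control["dollar_total"]:
        found.append("dollar total")
    if sum(r[2] for r in records) != control["hash_total"]:
        found.append("hash total")
    if any(r[1] != control["txn_code"] for r in records):
        found.append("transaction code")
    # Assumption: sequence numbers run 1..n with no gaps or repeats inside a batch.
    seqs = [r[0] for r in records]
    if seqs != list(range(1, len(seqs) + 1)):
        found.append("sequence")
    return found

# Constructed failure 1: record 4 posted to another customer; count and dollars still agree.
REDIRECTED = BATCH[:3] + [(4, "SO", 10009, Decimal("300.00"))]
# Constructed failure 2: record 2 processed twice by a rerun.
DUPLICATED = BATCH[:2] + [BATCH[1]] + BATCH[2:]
# Constructed failure 3: record 3 arrives with a transaction code foreign to the batch.
MISCODED = BATCH[:2] + [(3, "CR", 10003, Decimal("199.50"))] + BATCH[3:]

if __name__ == "__main__":
    for label, recs in [("clean", BATCH), ("redirected", REDIRECTED),
                        ("duplicated", DUPLICATED), ("miscoded", MISCODED)]:
        print(f"{label:11} {run_to_run_check(CONTROL, recs) or 'reconciles'}")
```

The redirected record is the case the hash total exists for: record count and dollar total reconcile, and only the sum of customer numbers shows the change.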

#2-OPERATOR INTERVENTION

When operator manually enters controls into the system

Preference is for controls to be derived by logic or provided by the system

#3-AUDIT TRAIL CONTROLS

Every transaction becomes traceable from input to output

Each processing step is documented

Preservation is key to auditability of AIS
• Transaction logs
• Log of automatic transactions
• Listing of automatic transactions
• Unique transaction identifiers [s/n]
• Error listing

OUTPUT CONTROLS

Ensure system output:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated

Batch systems more susceptible to exposure, require greater controls

Controlling Batch Systems Output
• Many steps from printer to end user
• Data control clerk check point
• Unacceptable printing should be shredded
• Cost/benefit basis for controls
• Sensitivity of data drives levels of controls

OUTPUT CONTROLS

Output spooling – risks:
• Access the output file and change critical data values
• Access the file and change the number of copies to be printed
• Make a copy of the output file so illegal output can be generated
• Destroy the output file before printing takes place

OUTPUT CONTROLS

Print Programs

Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after a printer malfunction
4) Removing printer output from the printer for review and distribution

Print Program Controls
• Production of unauthorized copies
  • Employ output document controls similar to source document controls
• Unauthorized browsing of sensitive data by employees
  • Special multi-part paper that blocks certain fields

OUTPUT CONTROLS

Bursting
• Supervision

Waste
• Proper disposal of aborted copies and carbon copies

Data control
• Data control group – verify and log

Report distribution
• Supervision

OUTPUT CONTROLS

End user controls
• End user detection

Report retention:
• Statutory requirements (gov’t)
• Number of copies in existence
• Existence of softcopies (backups)
• Destroyed in a manner consistent with the sensitivity of its contents

OUTPUT CONTROLS

Controlling real-time systems output

Eliminates intermediaries

Threats:
• Interception
• Disruption
• Destruction
• Corruption

Exposures:
• Equipment failure
• Subversive acts

Systems performance controls (Ch. 2)

Chain of custody controls (Ch. 5)

TESTING COMPUTER APPLICATION CONTROLS

1) Black box (around)

2) White box (through)

TESTING COMPUTER APPLICATION CONTROLS-BLACK BOX (AROUND)

Ignore internal logic of application

Use functional characteristics
• Flowcharts
• Interview key personnel

Advantages:
• Do not have to remove application from operations to test it

Appropriately applied:
• Simple applications
• Relatively low level of risk

TESTING COMPUTER APPLICATION CONTROLS-WHITE BOX (THROUGH)

Relies on in-depth understanding of the internal logic of the application

Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls

Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results

AROUND THE COMPUTER TEST METHODS

1) Authenticity tests:
   • Individuals / users
   • Programmed procedure
   • Messages to access system (e.g., logons)
2) Accuracy tests:
   • System only processes data values that conform to specified tolerances
3) Completeness tests:
   • Identify missing data (field, records, files)

AROUND THE COMPUTER TEST METHODS

4) Redundancy tests:
   • Process each record exactly once
5) Audit trail tests:
   • Ensure application and/or system creates an adequate audit trail
   • Transactions listing
   • Error files or reports for all exceptions
6) Rounding error tests:
   • “Salami slicing”
   • Monitor activities – excessive ones are serious exceptions; e.g., rounding and thousands of entries into a single account for $1 or 1¢
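
A monitor for the rounding-error test above, as an added example that is not part of the original slides. The log layout, the account names and both thresholds are assumptions, and the transaction log is constructed.

```python
from collections import defaultdict
from decimal import Decimal

def rounding_exceptions(entries, max_amount=Decimal("1.00"), max_count=1000):
    """Flag accounts that receive an excessive number of very small credits.

    entries: iterable of (txn_id, credited_account, amount). Both thresholds are
    assumptions to be tuned per application, not values from the slides.
    Returns [(account, small_credit_count, small_credit_total)], largest count first.
    """
    tally = defaultdict(lambda: [0, Decimal("0")])
    for _txn_id, account, amount in entries:
        if Decimal("0") < amount <= max_amount:
            tally[account][0] += 1
            tally[account][1] += amount
    flagged = [(acct, n, total) for acct, (n, total) in tally.items() if n > max_count]
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def constructed_log():
    """Constructed log: ordinary postings plus 5,000 one-cent credits to one account."""
    # 3,000 normal postings spread over 200 customer accounts.
    log = [(f"T{i:05d}", f"CUST-{i % 200:03d}", Decimal("25.00") + i % 7)
           for i in range(3000)]
    # 400 legitimate small credits, two per customer account.
    log += [(f"R{i:05d}", f"CUST-{i % 200:03d}", Decimal("0.50")) for i in range(400)]
    # The pattern the slide describes: thousands of 1-cent entries into a single account.
    log += [(f"S{i:05d}", "ACCT-7731", Decimal("0.01")) for i in range(5000)]
    return log

if __name__ == "__main__":
    for account, count, total in rounding_exceptions(constructed_log()):
        print(f"{account}: {count} credits of at most $1.00, totalling ${total}")
```

The customer accounts each receive two small credits and stay under the threshold; only the single collecting account is reported.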

COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)

1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS

#1 – TEST DATA

Used to establish the application processing integrity

Uses a “test deck”
• Valid data
• Purposefully selected invalid data
• Every possible:
  • Input error
  • Logical processes
  • Irregularity

Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare

#2 – BASE CASE SYSTEM EVALUATION (BCSE)

Variant of Test Data method

Comprehensive test data

Repetitive testing throughout SDLC

When application is modified, subsequent test (new) results can be compared with previous results (base)

#3 – TRACING

Test data technique that takes a step-by-step walk through the application
1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as test data
3) Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)

Excellent means of debugging a faulty program

TEST DATA: ADVANTAGES AND DISADVANTAGES

Advantages of test data
1) They employ white box approach, thus providing explicit evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of the auditors

Disadvantages of test data
1) Auditors must rely on IS personnel to obtain a copy of the application for testing
2) Audit evidence is not entirely independent
3) Provides static picture of application integrity
4) Relatively high cost to implement, auditing inefficiency

#4 – INTEGRATED TEST FACILITY

ITF is an automated technique that allows auditors to test logic and controls during normal operations

1) Set up a dummy entity within the application system
2) System able to discriminate between ITF audit module transactions and routine transactions
3) Auditor analyzes ITF results against expected results

#5 – PARALLEL SIMULATION

Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested
1) Auditor gains a thorough understanding of the application under review
2) Auditor identifies those processes and controls critical to the application
3) Auditor creates the simulation using program or Generalized Audit Software (GAS)
4) Auditor runs the simulated program using selected data and files
5) Auditor evaluates results and reconciles differences
