Computer-Assisted Audit Tools and Techniques
GROUP IV: ENRIQUEZ, Jayson; ESCOBEDO, Xybelle; NARVAEZ, Juana Marie; PAZ, Gene Kelly; RED, Sunshine; RENIVA, Leandra; ROMANA, Fatima Bianca; ULAYE, Vanessa
Learning objectives:
Be familiar with the classes of transaction input controls used by accounting applications.
Understand the objectives and techniques used to implement processing controls, including run-to-run, operator intervention, and audit trail controls.
Understand the methods used to establish effective output controls for both batch and real-time systems.
Know the difference between black box and white box auditing.
Be familiar with the key features of the five CAATTs discussed in the chapter.
APPLICATION CONTROL
Programmed procedures designed to deal with potential exposures that threaten specific applications.
Fall into three broad categories: Input controls; Processing controls; and Output controls
INTRODUCTION TO INPUT CONTROLS
Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete
Data input procedures can be either:
Source document-triggered (batch)
Direct input (real-time)
Source document input requires human involvement and is prone to clerical errors.
Direct input employs real-time editing techniques to identify and correct errors immediately.
CLASSES OF INPUT CONTROLS
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems
#1 - SOURCE DOCUMENT CONTROLS
Controls in systems using physical source documents
Exposure: source document fraud
To control for this exposure, control procedures are needed over source documents to account for each one:
Use pre-numbered source documents
Use source documents in sequence
Periodically audit source documents
#2 - DATA CODING CONTROLS
Checks on data integrity during processing
Transcription errors:
Addition errors: extra digits
Truncation errors: a digit removed
Substitution errors: a digit replaced
Transposition errors:
Single transposition: adjacent digits transposed (reversed)
Multiple transposition: non-adjacent digits are transposed
Control = check digits
Added to the code when it is created (as a suffix, prefix, or embedded digit)
Sum of digits (ones digit): detects transcription errors only
Modulus 11 (different weight per column): detects transposition and transcription errors
Introduces storage and processing inefficiencies
#3 - BATCH CONTROLS
Method for handling high volumes of transaction data, esp. in paper-fed IS
Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output
Requires grouping of similar input transactions
#3 - BATCH CONTROLS
Requires controlling the batch throughout
Batch transmittal sheet (batch control record) – Figure 7-1:
Unique batch number (serial #)
A batch date
A transaction code
Number of records in the batch
Total dollar value of a financial field
Sum of a unique non-financial field
• Hash total
• E.g., customer number
Batch control log – Figure 7-3
Hash totals
#4-VALIDATION CONTROLS
Intended to detect errors in data before processing
Most effective if performed close to the source of the transaction
Some require referencing a master file
#4 - VALIDATION CONTROLS
Field Interrogation:
Missing data checks
Numeric-alphabetic data checks
Zero-value checks
Limit checks
Range checks
Validity checks
Check digit
Record Interrogation:
Reasonableness checks
Sign checks
Sequence checks
File Interrogation:
Internal label checks (tape)
Version checks
Expiration date check
#5 - INPUT ERROR CORRECTION
Batch: correct and resubmit
Controls to make sure errors are dealt with completely and accurately
1) Immediate Correction
2) Create an Error File
Reverse the effects of the partially processed transactions, then resubmit the corrected records
Reinsert corrected records at the processing stage where the error was detected
3) Reject the Entire Batch
#6-GENERALIZED DATA INPUT SYSTEMS (GDIS)
Centralized procedures to manage data input for all transaction processing systems
Eliminates need to create redundant routines for each new application
Advantages:
Improves control by having one common system perform all data validation
Ensures each AIS application applies a consistent standard of data validation
Improves systems development efficiency
#6 - GDIS
Major components:
1) Generalized Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log
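A small generalized validation module in the spirit of the GDIS slide, added here as an example that is not part of the slides: it applies the field- and record-interrogation checks from the validation controls slides to each transaction and splits a batch into a validated data file and an error file (two of the GDIS components above). The customer master file, field names, limits and ranges are constructed assumptions.

```python
# Added example, not from the slides: a small generalized validation module in the
# spirit of the GDIS slide, applying the field- and record-interrogation checks listed
# above and splitting a batch into a validated data file and an error file. Master
# file, field names, limits and ranges are constructed.
MASTER_CUSTOMERS = {1001, 1002, 1003}   # constructed customer master file
VALID_TRAN_CODES = {"SALE", "RETURN"}
CREDIT_LIMIT_CENTS = 500_000            # limit check ceiling (constructed)
QTY_RANGE = (1, 500)                    # range check bounds (constructed)
REQUIRED = ("seq", "customer_no", "tran_code", "qty", "amount_cents")

def field_interrogation(rec: dict) -> list[str]:
    """Field checks: missing data, numeric-alphabetic, zero-value, limit, range, validity."""
    errs = [f"missing data: {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    if errs:
        return errs                          # later checks need every field present
    if not str(rec["customer_no"]).isdigit():
        errs.append("numeric-alphabetic: customer_no")
    elif int(rec["customer_no"]) not in MASTER_CUSTOMERS:
        errs.append("validity: customer_no not on master file")
    if rec["amount_cents"] == 0:
        errs.append("zero-value: amount_cents")
    if abs(rec["amount_cents"]) > CREDIT_LIMIT_CENTS:
        errs.append("limit: amount_cents")
    if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        errs.append("range: qty")
    if rec["tran_code"] not in VALID_TRAN_CODES:
        errs.append("validity: tran_code")
    return errs

def record_interrogation(rec: dict, prev_seq: int) -> list[str]:
    """Record checks: sign, reasonableness (amount per unit) and sequence."""
    errs = []
    if (rec["amount_cents"] < 0) != (rec["tran_code"] == "RETURN"):
        errs.append("sign: amount sign does not match tran_code")
    if abs(rec["amount_cents"]) // rec["qty"] > 100_000:   # constructed unit-price cap
        errs.append("reasonableness: amount per unit")
    if rec["seq"] <= prev_seq:
        errs.append("sequence: seq not ascending")
    return errs

def validate_batch(records: list[dict]) -> tuple[list[dict], list[dict]]:
    """Return (validated data file, error file) for one batch."""
    validated, error_file, prev_seq = [], [], 0
    for rec in records:
        errs = field_interrogation(rec) or record_interrogation(rec, prev_seq)
        if errs:
            error_file.append({"record": rec, "errors": errs})
        else:
            validated.append(rec)
        prev_seq = max(prev_seq, rec.get("seq") or 0)
    return validated, error_file
```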
CLASSES OF PROCESSING CONTROLS
1) Run-to-Run Controls
2) Operator Intervention Controls
3) Audit Trail Controls
#1 - RUN-TO-RUN (BATCH)
Use batch figures to monitor the batch as it moves from one process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
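The batch transmittal sheet and the run-to-run recalculation above, as one added example that is not part of the slides: a batch control record is built from the transmittal-sheet fields (batch number, date, transaction code, record count, dollar total, hash total of customer numbers) and re-derived after a processing run, so that a dropped record, a duplicated record or a substituted customer number shows up as a mismatch. Transactions, field names and the batch itself are constructed; amounts are kept in cents.

```python
from dataclasses import dataclass

# Added example, not from the slides: a batch control record built from the
# transmittal-sheet fields, then re-derived after a processing run (run-to-run
# control). Transactions and field names are constructed; amounts are in cents.

@dataclass(frozen=True)
class Transaction:
    customer_no: int     # unique non-financial field, source of the hash total
    tran_code: str
    amount_cents: int    # financial field, source of the dollar total


@dataclass(frozen=True)
class BatchControlRecord:
    batch_no: int
    batch_date: str
    tran_code: str
    record_count: int
    dollar_total: int
    hash_total: int      # sum of customer numbers: meaningless as a value, but
                         # changes if any record is lost, duplicated or altered


def build_control_record(batch_no: int, batch_date: str, tran_code: str,
                         txns: list) -> BatchControlRecord:
    return BatchControlRecord(
        batch_no, batch_date, tran_code, len(txns),
        sum(t.amount_cents for t in txns), sum(t.customer_no for t in txns))


def run_to_run_check(control: BatchControlRecord, txns: list) -> list[str]:
    """Recalculate the control totals, check transaction codes, and name every
    figure that no longer agrees with the transmittal record."""
    problems = []
    if len(txns) != control.record_count:
        problems.append("record count")
    if sum(t.amount_cents for t in txns) != control.dollar_total:
        problems.append("dollar total")
    if sum(t.customer_no for t in txns) != control.hash_total:
        problems.append("hash total")
    if any(t.tran_code != control.tran_code for t in txns):
        problems.append("transaction code")
    return problems


BATCH = [Transaction(1001, "SALE", 12550), Transaction(1002, "SALE", 7300),
         Transaction(1003, "SALE", 4995)]                  # constructed batch
CONTROL = build_control_record(7, "2024-03-01", "SALE", BATCH)

if __name__ == "__main__":
    print(run_to_run_check(CONTROL, BATCH))                 # [] : batch intact
    print(run_to_run_check(CONTROL, BATCH[:-1]))            # record dropped in a run
    swapped = [BATCH[0], Transaction(1020, "SALE", 7300), BATCH[2]]
    print(run_to_run_check(CONTROL, swapped))               # only the hash total catches this
```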
#2 - OPERATOR INTERVENTION
When the operator manually enters controls (e.g., run parameters) into the system
Preference is for such values to be derived by logic or provided by the system rather than keyed in
#3 - AUDIT TRAIL CONTROLS
Every transaction becomes traceable from input to output
Each processing step is documented
Preservation is key to the auditability of the AIS:
Transaction logs
Log of automatic transactions
Listing of automatic transactions
Unique transaction identifiers [s/n]
Error listing
OUTPUT CONTROLS
Ensure system output is:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Not in violation of the privacy policy
Batch systems are more susceptible to exposure and require greater controls
Controlling Batch Systems Output:
Many steps from printer to end user
Data control clerk check point
Unacceptable printing should be shredded
Cost/benefit basis for controls
Sensitivity of data drives levels of controls
OUTPUT CONTROLS Output spooling – risks:
Access the output file and change critical data values
Access the file and change the number of copies to be printed
Make a copy of the output file so illegal output can be generated
Destroy the output file before printing takes place
OUTPUT CONTROLS
Print Programs
Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after a printer malfunction
4) Removing printer output from the printer for review and distribution
Print Program Controls:
Production of unauthorized copies
Employ output document controls similar to source document controls
Unauthorized browsing of sensitive data by employees
Special multi-part paper that blocks certain fields
OUTPUT CONTROLS
Bursting: supervision
Waste: proper disposal of aborted copies and carbon copies
Data control: data control group verifies and logs
Report distribution: supervision
OUTPUT CONTROLS
End user controls
End user detection
Report retention:
Statutory requirements (gov't)
Number of copies in existence
Existence of softcopies (backups)
Destroyed in a manner consistent with the sensitivity of its contents
OUTPUT CONTROLS
Controlling real-time systems output
Eliminates intermediaries
Threats:
Interception
Disruption
Destruction
Corruption
Exposures:
Equipment failure
Subversive acts
Systems performance controls (Ch. 2)
Chain of custody controls (Ch. 5)
TESTING COMPUTER APPLICATION CONTROLS
1) Black box (around)
2) White box (through)
TESTING COMPUTER APPLICATION CONTROLS - BLACK BOX
Ignore the internal logic of the application
Use its functional characteristics:
Flowcharts
Interview key personnel
Advantages:
Do not have to remove the application from operations to test it
Appropriately applied to:
Simple applications
Relatively low level of risk
TESTING COMPUTER APPLICATION CONTROLS-WHITE BOX
Relies on in-depth understanding of the internal logic of the application
Uses a small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results
WHITE BOX TEST METHODS
1) Authenticity tests:
Individuals / users
Programmed procedure
Messages to access system (e.g., logons)
All-American University, student lab: logon, reboot, logon *
2) Accuracy tests: System only processes data values that conform to specified tolerances
3) Completeness tests: Identify missing data (field, records, files)
WHITE BOX TEST METHODS
4) Redundancy tests: Process each record exactly once
5) Audit trail tests: Ensure the application and/or system creates an adequate audit trail
Transactions listing
Error files or reports for all exceptions
6) Rounding error tests: "Salami slicing"
Monitor activities; excessive ones are serious exceptions; e.g., rounding and thousands of entries into a single account for $1 or 1¢
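The rounding error test above, as an added example that is not part of the slides: an audit routine reads a constructed posting log and flags any account other than the designated rounding account that collects more than a threshold number of rounding-difference postings, plus any "rounding" posting larger than one cent, which cannot be a genuine residual. The log layout, the rounding account name and the threshold are assumptions.

```python
from collections import Counter

# Added example, not from the slides: an audit test over a constructed posting
# log that flags accounts collecting an abnormal number of rounding-difference
# postings, the pattern behind "salami slicing". Record layout, the designated
# rounding account and the threshold are assumptions.

ROUNDING_ACCOUNT = "ROUNDING-DIFF"   # where residuals are supposed to be posted
MAX_ROUNDING_POSTINGS = 5            # per account per run (constructed threshold)

# Constructed log, one posting per line: date|run|account|amount_cents|memo
LOG = """\
2024-03-01|INTEREST-RUN|ACCT-2201|104533|INTEREST
2024-03-01|INTEREST-RUN|ROUNDING-DIFF|1|ROUNDING
2024-03-01|INTEREST-RUN|ACCT-2202|98011|INTEREST
2024-03-01|INTEREST-RUN|ROUNDING-DIFF|-1|ROUNDING
2024-03-01|INTEREST-RUN|SAV-9001|1|ROUNDING
2024-03-01|INTEREST-RUN|SAV-9001|1|ROUNDING
2024-03-01|INTEREST-RUN|SAV-9001|1|ROUNDING
2024-03-01|INTEREST-RUN|SAV-9001|1|ROUNDING
2024-03-01|INTEREST-RUN|SAV-9001|1|ROUNDING
2024-03-01|INTEREST-RUN|SAV-9001|1|ROUNDING
2024-03-01|INTEREST-RUN|ROUNDING-DIFF|250|ROUNDING
"""

def parse_postings(text: str) -> list[dict]:
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return [{"date": d, "run": r, "account": a, "amount_cents": int(c), "memo": m}
            for d, r, a, c, m in rows]

def rounding_exceptions(postings: list[dict], threshold: int = MAX_ROUNDING_POSTINGS):
    """Return (flagged, oversize): accounts other than the rounding account that
    received more than `threshold` rounding postings, as {account: (count,
    total_cents)}, and every rounding posting larger than one cent."""
    counts, totals, oversize = Counter(), Counter(), []
    for p in postings:
        if p["memo"] != "ROUNDING":
            continue
        if abs(p["amount_cents"]) > 1:
            oversize.append(p)
        if p["account"] != ROUNDING_ACCOUNT:
            counts[p["account"]] += 1
            totals[p["account"]] += p["amount_cents"]
    flagged = {a: (n, totals[a]) for a, n in counts.items() if n > threshold}
    return flagged, oversize
```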
COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)
1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS
#1 – TEST DATA
Used to establish the application's processing integrity
Uses a "test deck":
Valid data
Purposefully selected invalid data
Every possible:
Input error
Logical process
Irregularity
Procedures:
1) Predetermine results and expectations
2) Run the test deck
3) Compare
#2 – BASE CASE SYSTEM EVALUATION (BCSE)
Variant of the Test Data method
Comprehensive test data
Repetitive testing throughout SDLC
When application is modified, subsequent test (new) results can be compared with previous results (base)
#3 – TRACING
Test data technique that takes a step-by-step walk through the application
1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as test data
3) Test data is "traced" through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
Excellent means of debugging a faulty program
TEST DATA: ADVANTAGES AND DISADVANTAGES
Advantages of test data
1) They employ a white box approach, thus providing explicit evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of the auditors
Disadvantages of test data
1) Auditors must rely on IS personnel to obtain a copy of the application for testing
2) Audit evidence is not entirely independent
3) Provides a static picture of application integrity
4) Relatively high cost to implement, auditing inefficiency
#4 – INTEGRATED TEST FACILITY
ITF is an automated technique that allows auditors to test logic and controls during normal operations
1) Set up a dummy entity within the application system
2) System must be able to discriminate between ITF audit module transactions and routine transactions
3) Auditor analyzes ITF results against expected results
ITF: ADVANTAGES AND DISADVANTAGES
Advantages of ITF
1) ITF supports ongoing monitoring of controls
2) Applications of ITF can be economically tested without the intervention of computer services personnel.
Disadvantages of ITF
1) Potential for corrupting the data files of the organization with test data.
#5 – PARALLEL SIMULATION
Auditor writes or obtains a copy of a program that simulates the key features or processes to be reviewed / tested
1) Auditor gains a thorough understanding of the application under review
2) Auditor identifies those processes and controls critical to the application
3) Auditor creates the simulation using program or Generalized Audit Software (GAS)
4) Auditor runs the simulated program using selected data and files
5) Auditor evaluates results and reconciles differences
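Steps 3 to 5 above carried through in code, as an added example that is not part of the slides: the auditor's own re-implementation of one key process (a quantity-discount pricing rule) is run over the same input records the production application processed, and its results are reconciled against the production output, listing every disagreement. The pricing rule, the input records and the production results are all constructed.

```python
# Added example, not from the slides: the auditor's parallel simulation of one
# key process (a quantity-discount rule), run over the same input records the
# production application processed, with results reconciled against production
# output. The rule, the input records and the production results are constructed.

# Documented pricing rule under test (assumed): percentage discount by quantity
# tier; the highest qualifying tier applies.
DISCOUNT_TIERS = ((100, 10), (50, 5), (0, 0))

# Constructed production input: (invoice, qty, unit price in cents)
INPUT_FILE = [("INV-1", 120, 1999), ("INV-2", 60, 500), ("INV-3", 10, 250)]
# Constructed production output: net amount in cents as the application produced it
PRODUCTION_OUTPUT = {"INV-1": 215892, "INV-2": 28500, "INV-3": 2375}


def simulated_net_cents(qty: int, unit_price_cents: int) -> int:
    """Auditor's re-implementation of the rule in integer arithmetic:
    gross less the tier discount, rounded half up to the cent."""
    gross = qty * unit_price_cents
    pct = next(p for threshold, p in DISCOUNT_TIERS if qty >= threshold)
    return (gross * (100 - pct) + 50) // 100


def parallel_simulation(input_file: list, production_output: dict) -> list[tuple]:
    """Run the simulation over the production input and return one
    (invoice, production, simulated, production - simulated) row per
    disagreement; a missing production record is reported with None."""
    differences = []
    for invoice, qty, price in input_file:
        sim = simulated_net_cents(qty, price)
        prod = production_output.get(invoice)
        if prod != sim:
            differences.append((invoice, prod, sim, None if prod is None else prod - sim))
    return differences


if __name__ == "__main__":
    for row in parallel_simulation(INPUT_FILE, PRODUCTION_OUTPUT):
        print("reconcile:", row)   # INV-3 was given a discount its quantity does not earn
```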
End of Report