460 likes | 1.75k Vues
Chapter 7: Computer-Assisted Audit Techniques [CAATs]. IT Auditing & Assurance, 2e, Hall & Singleton. INTRODUCTION TO INPUT CONTROLS. Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete Data input procedures can be either:
E N D
Chapter 7:Computer-Assisted Audit Techniques [CAATs] IT Auditing & Assurance, 2e, Hall & Singleton IT Auditing & Assurance, 2e, Hall & Singleton
INTRODUCTION TO INPUT CONTROLS • Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete • Data input procedures can be either: • Source document-triggered (batch) • Direct input (real-time) • Source document input requires human involvement and is prone to clerical errors. • Direct input employs real-time editing techniques to identify and correct errors immediately IT Auditing & Assurance, 2e, Hall & Singleton
CLASSES OF INPUT CONTROLS • Source document controls • Data coding controls • Batch controls • Validation controls • Input error correction • Generalized data input systems IT Auditing & Assurance, 2e, Hall & Singleton
#1-SOURCE DOCUMENT CONTROLS • Controls in systems using physical source documents • Source document fraud • To control for exposure, control procedures are needed over source documents to account for each one • Use pre-numbered source documents • Use source documents in sequence • Periodically audit source documents IT Auditing & Assurance, 2e, Hall & Singleton
#2-DATA CODING CONTROLS • Checks on data integrity during processing • Transcription errors • Addition errors, extra digits • Truncation errors, digit removed • Substitution errors, digit replaced • Transposition errors • Single transposition: adjacent digits transposed (reversed) • Multiple transposition: non-adjacent digits are transposed • Control = Check digits • Added to code when created (suffix, prefix, embedded) • Sum of digits (ones): transcription errors only • Modulus 11: different weights per column: transposition and transcription errors • Introduces storage and processing inefficiencies IT Auditing & Assurance, 2e, Hall & Singleton
#3-BATCH CONTROLS • Method for handling high volumes of transaction data – esp. paper-fed IS • Controls of batch continues thru all phases of system and all processes (i.e., not JUST an input control) • All records in the batch are processed together • No records are processed more than once • An audit trail is maintained from input to output • Requires grouping of similar input transactions IT Auditing & Assurance, 2e, Hall & Singleton
#3-BATCH CONTROLS • Requires controlling batch throughout • Batch transmittal sheet (batch control record) – Figure 7-1, p. 302 • Unique batch number (serial #) • A batch date • A transaction code • Number of records in the batch • Total dollar value of financial field • Sum of unique non-financial field • Hash total • E.g., customer number • Batch control log – Figure 7-3, p 303 • Hash totals IT Auditing & Assurance, 2e, Hall & Singleton
#4-VALIDATION CONTROLS • Intended to detect errors in data before processing • Most effective if performed close to the source of the transaction • Some require referencing a master file IT Auditing & Assurance, 2e, Hall & Singleton
#4-VALIDATION CONTROLS • Field Interrogation • Missing data checks • Numeric-alphabetic data checks • Zero-value checks • Limit checks • Range checks • Validity checks • Check digit • Record Interrogation • Reasonableness checks • Sign checks • Sequence checks • File Interrogation • Internal label checks (tape) • Version checks • Expiration date check IT Auditing & Assurance, 2e, Hall & Singleton
#5-INPUT ERROR CORRECTION • Batch – correct and resubmit • Controls to make sure errors dealt with completely and accurately • Immediate Correction • Create an Error File • Reverse the effects of partially processed, resubmit corrected records • Reinsert corrected records in processing stage where error was detected • Reject the Entire Batch IT Auditing & Assurance, 2e, Hall & Singleton
#6-GENERALIZED DATA INPUT SYSTEMS (GDIS) • Centralized procedures to manage data input for all transaction processing systems • Eliminates need to create redundant routines for each new application • Advantages: • Improves control by having one common system perform all data validation • Ensures each AIS application applies a consistent standard of data validation • Improves systems development efficiency IT Auditing & Assurance, 2e, Hall & Singleton
#6-GDIS • Major components: • Generalized Validation Module • Validated Data File • Error File • Error Reports • Transaction Log IT Auditing & Assurance, 2e, Hall & Singleton
CLASSES OF PROCESSING CONTROLS • Run-to-Run Controls • Operator Intervention Controls • Audit Trail Controls IT Auditing & Assurance, 2e, Hall & Singleton
#1-RUN-TO-RUN (BATCH) • Use batch figures to monitor the batch as it moves from one process to another • Recalculate Control Totals • Check Transaction Codes • Sequence Checks IT Auditing & Assurance, 2e, Hall & Singleton
#2-OPERATOR INTERVENTION • When operator manually enters controls into the system • Preference is to derive by logic or provided by system IT Auditing & Assurance, 2e, Hall & Singleton
#3-AUDIT TRAIL CONTROLS • Every transaction becomes traceable from input to output • Each processing step is documented • Preservation is key to auditability of AIS • Transaction logs • Log of automatic transactions • Listing of automatic transactions • Unique transaction identifiers [s/n] • Error listing IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS • Ensure system output: • Not misplaced • Not misdirected • Not corrupted • Privacy policy not violated • Batch systems more susceptible to exposure, require greater controls • Controlling Batch Systems Output • Many steps from printer to end user • Data control clerk check point • Unacceptable printing should be shredded • Cost/benefit basis for controls • Sensitivity of data drives levels of controls IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS • Output spooling – risks: • Access the output file and change critical data values • Access the file and change the number of copies to be printed • Make a copy of the output file so illegal output can be generated • Destroy the output file before printing take place IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS • Print Programs • Operator Intervention: • Pausing the print program to load output paper • Entering parameters needed by the print run • Restarting the print run at a prescribed checkpoint after a printer malfunction • Removing printer output from the printer for review and distribution • Print Program Controls • Production of unauthorized copies • Employ output document controls similar to source document controls • Unauthorized browsing of sensitive data by employees • Special multi-part paper that blocks certain fields IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS • Bursting • Supervision • Waste • Proper disposal of aborted copies and carbon copies • Data control • Data control group – verify and log • Report distribution • Supervision IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS • End user controls • End user detection • Report retention: • Statutory requirements (gov’t) • Number of copies in existence • Existence of softcopies (backups) • Destroyed in a manner consistent with the sensitivity of its contents IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS • Controlling real-time systems output • Eliminates intermediaries • Threats: • Interception • Disruption • Destruction • Corruption • Exposures: • Equipment failure • Subversive acts • Systems performance controls (Ch. 2) • Chain of custody controls (Ch. 5) IT Auditing & Assurance, 2e, Hall & Singleton
TESTING COMPUTER APPLICATION CONTROLS • Black box (around) • White box (through) IT Auditing & Assurance, 2e, Hall & Singleton
TESTING COMPUTER APPLICATION CONTROLS-BLACK BOX • Ignore internal logic of application • Use functional characteristics • Flowcharts • Interview key personnel • Advantages: • Do not have to remove application from operations to test it • Appropriately applied: • Simple applications • Relative low level of risk IT Auditing & Assurance, 2e, Hall & Singleton
TESTING COMPUTER APPLICATION CONTROLS-WHITE BOX • Relies on in-depth understanding of the internal logic of the application • Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls • Allows auditors to conduct precise test with known outcomes, which can be compared objectively to actual results IT Auditing & Assurance, 2e, Hall & Singleton
WHITE BOX TEST METHODS • Authenticity tests: • Individuals / users • Programmed procedure • Messages to access system (e.g., logons) • All-American University, student lab: logon, reboot, logon * • Accuracy tests: • System only processes data values that conform to specified tolerances • Completeness tests: • Identify missing data (field, records, files) IT Auditing & Assurance, 2e, Hall & Singleton
WHITE BOX TEST METHODS • Redundancy tests: • Process each record exactly once • Audit trail tests: • Ensure application and/or system creates an adequate audit trail • Transactions listing • Error files or reports for all exceptions • Rounding error tests: • “Salami slicing” • Monitor activities – excessive ones are serious exceptions; e.g, rounding and thousands of entries into a single account for $1 or 1¢ IT Auditing & Assurance, 2e, Hall & Singleton
COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs) • Test data method • Base case system evaluation • Tracing • Integrated Test Facility [ITF] • Parallel simulation • GAS IT Auditing & Assurance, 2e, Hall & Singleton
#1 –TEST DATA • Used to establish the application processing integrity • Uses a “test deck” • Valid data • Purposefully selected invalid data • Every possible: • Input error • Logical processes • Irregularity • Procedures: • Predetermined results and expectations • Run test deck • Compare IT Auditing & Assurance, 2e, Hall & Singleton
#2 – BASE CASE SYSTEM EVALUATION (BCSE) • Variant of Test Data method • Comprehensive test data • Repetitive testing throughout SDLC • When application is modified, subsequent test (new) results can be compared with previous results (base) IT Auditing & Assurance, 2e, Hall & Singleton
#3 – TRACING • Test data technique that takes step-by-step walk through application • The trace option must be enabled for the application • Specific data or types of transactions are created as test data • Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.) • Excellent means of debugging a faculty program IT Auditing & Assurance, 2e, Hall & Singleton
TEST DATA: ADVANTAGES AND DISADVANTAGES • Advantages of test data • They employ white box approach, thus providing explicit evidence • Can be employed with minimal disruption to operations • They require minimal computer expertise on the part of the auditors • Disadvantages of test data • Auditors must rely on IS personnel to obtain a copy of the application for testing • Audit evidence is not entirely independent • Provides static picture of application integrity • Relatively high cost to implement, auditing inefficiency IT Auditing & Assurance, 2e, Hall & Singleton
#4 – INTEGRATED TEST FACILITY • ITF is an automated technique that allows auditors to test logic and controls during normal operations • Set up a dummy entity within the application system • Set up a dummy entity within the application system • System able to discriminate between ITF audit module transactions and routine transactions • Auditor analyzes ITF results against expected results IT Auditing & Assurance, 2e, Hall & Singleton
#5 – PARALLEL SIMULATION • Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested • Auditor gains a thorough understanding of the application under review • Auditor identifies those processes and controls critical to the application • Auditor creates the simulation using program or Generalized Audit Software (GAS) • Auditor runs the simulated program using selected data and files • Auditor evaluates results and reconciles differences IT Auditing & Assurance, 2e, Hall & Singleton
Chapter 7:Computer-Assisted Audit Techniques [CAATs] IT Auditing & Assurance, 2e, Hall & Singleton IT Auditing & Assurance, 2e, Hall & Singleton