Chapter 17—IT Controls Part III: Systems Development, Program Changes, and Application Controls TRUE/FALSE 1. Programs in their compiled state are very susceptible to the threat of unauthorized modification. ANS: F 2. Maintenance access to systems increases the risk that logic will be corrupted either by the accident or intent to defraud. ANS: T 3. Source program library controls should prevent and detect unauthorized access to application programs. ANS: T 4. A check digit is a method of detecting data coding errors. ANS: T 5. Input controls are intended to detect errors in transaction data after processing. ANS: F 6. A header label is an internal, machine-readable label. ANS: T 7. The user test and acceptance procedure is the last point at which the user can determine the system’s acceptability prior to it going into service. ANS: T 8. A run-to-run control is an example of an output control. ANS: F 9. Shredding computer printouts is an example of an output control. ANS: T 10. In a CBIS environment, all input controls are implemented after data is input. ANS: F 11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing. ANS: T 12. The "white box" tests of program controls are also known as auditing through the computer. ANS: T 13. The presence of a SPLMS effectively guarantees program integrity. ANS: F 14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions. ANS: F 15. The Base Case System Evaluation is a variation of the test data method. ANS: T 16. Tracing is a method used to verify the logical operations executed by a computer application. ANS: T 17. Generalized audit software packages are used to assist the auditor in performing substantive tests. ANS: T 18. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls. ANS: T 19. Firms with an independent internal audit staff may conduct tests of the system development life cycle on an ongoing basis. ANS: T 20. The programmer’s authority table will specify the libraries a programmer may access. ANS: T 21. Use of the integrated test facility poses no threat to organizational data files. ANS: F MULTIPLE CHOICE 1. Which statement is not correct? The audit trail in a computerized environment a consists of records that are stored sequentially in an audit file . b traces transactions from their source to their final disposition . c is a function of the quality and integrity of the application programs . d may take the form of pointers, indexes, and embedded keys . ANS: A 2. Which control is not associated with new systems development activities? a reconciling program version numbers . b program testing . c user involvement . d internal audit participation . ANS: A 3. Routine maintenance activities require all of the following controls except a documentation updates . b testing . c formal authorization . d internal audit approval . ANS: D 4. Which statement is correct? a compiled programs are very susceptible to unauthorized modification . b the source program library stores application programs in source code form . c modifications are made to programs in machine code language . d the source program library management system increases operating efficiency . ANS: B 5. Which control is not a part of the source program library management system? a using passwords to limit access to application programs . b assigning a test name to all programs undergoing maintenance . c combining access to the development and maintenance test libraries . d assigning version numbers to programs to record program modifications . ANS: C 6. Which control ensures that production files cannot be accessed without specific permission? a Database Management System . b Recovery Operations Function . c Source Program Library Management System . d Computer Services Function . ANS: C 7. Program testing a involves individual modules only, not the full system . b requires creation of meaningful test data . c need not be repeated once the system is implemented . d is primarily concerned with usability . ANS: B 8. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors except a 1234567 . b 12345 . c 124356 . d 123454 . ANS: C 9. Which of the following is correct? a check digits should be used for all data codes . b check digits are always placed at the end of a data code . c check digits do not affect processing efficiency . d check digits are designed to detect transcription and transposition errors . ANS: D 10. Which statement is not correct? The goal of batch controls is to ensure that during processing a transactions are not omitted . b transactions are not added . c transactions are free from clerical errors . d an audit trail is created . ANS: C 11. An example of a hash total is a total payroll checks–$12,315 . b total number of employees–10 . c sum of the social security numbers–12,555,437,251 . d none of the above . ANS: C 12. Which statement is not true? A batch control record a contains a transaction code . b records the record count . c contains a hash total . d control figures in the record may be adjusted during processing . e All the above are true . ANS: E 13. Which of the following is not an example of a processing control? a . b . c . d . hash total. record count. batch total. check digit ANS: D 14. Which of the following is an example of input control test? a sequence check . b zero value check . c spooling check . d range check . ANS: D 15. Which input control check would detect a payment made to a nonexistent vendor? a missing data check . b numeric/alphabetic check . c range check . d validity check . ANS: D 16. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error? a numeric/alphabetic data check . b sign check . c limit check . d missing data check . ANS: C 17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error? a numeric/alphabetic data checks . b limit check . c range check . d reasonableness check . ANS: B 18. Which check is not an input control? a reasonableness check . b validity check. . c spooling check . d missing data check . ANS: C 19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening? a header label check . b expiration date check . c version check . d validity check . ANS: A 20. Run-to-run control totals can be used for all of the following except a to ensure that all data input is validated . b to ensure that only transactions of a similar type are being processed . c to ensure the records are in sequence and are not missing . d to ensure that no transaction is omitted . ANS: A 21. Methods used to maintain an audit trail in a computerized environment include all of the following except a transaction logs . b Transaction Listings. . c data encryption . d log of automatic transactions . ANS: C 22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except a gaining access to the output file and changing critical data values . b using a remote printer and incurring operating inefficiencies . c making a copy of the output file and using the copy to produce illegal output reports . d printing an extra hardcopy of the output file . ANS: B 23. Which statement is not correct? a only successful transactions are recorded on a transaction log . b unsuccessful transactions are recorded in an error file . c a transaction log is a temporary file . d a hardcopy transaction listing is provided to users . ANS: C 24. Input controls include all of the following except a check digits . b Limit check. . c spooling check . d missing data check . ANS: C 25. Which of the following is an example of an input error correction technique? a immediate correction . b rejection of batch . c creation of error file . d all are examples of input error correction techniques . ANS: D 26. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that a a cost-benefit analysis was conducted . b the detailed design was an appropriate solution to the user's problem . c tests were conducted at the individual module and total system levels prior to . implementation d problems detected during the conversion period were corrected in the maintenance phase . ANS: C 27. Which statement is not true? a An audit objective for systems maintenance is to detect unauthorized access to . application databases. b An audit objective for systems maintenance is to ensure that applications are free from . errors. c An audit objective for systems maintenance is to verify that user requests for . maintenance reconcile to program version numbers. d An audit objective for systems maintenance is to ensure that the production libraries are . protected from unauthorized access. ANS: A 28. When the auditor reconciles the program version numbers, which audit objective is being tested? a protect applications from unauthorized changes . b ensure applications are free from error . c protect production libraries from unauthorized access . d ensure incompatible functions have been identified and segregated . ANS: A 29. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing a black box tests of program controls . b white box tests of program controls . c substantive testing . d intuitive testing . ANS: A 30. All of the following concepts are associated with the black box approach to auditing computer applications except a the application need not be removed from service and tested directly . b auditors do not rely on a detailed knowledge of the application's internal logic . c the auditor reconciles previously produced output results with production input . transactions d this approach is used for complex transactions that receive input from many sources . ANS: D 31. Which test is not an example of a white box test? a determining the fair value of inventory . b ensuring that passwords are valid . c verifying that all pay rates are within a specified range . d reconciling control totals . ANS: A 32. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing a the test transactions . b error reports . c updated master files . d output reports . ANS: A 33. All of the following are advantages of the test data technique except a auditors need minimal computer expertise to use this method . b this method causes minimal disruption to the firm's operations . c the test data is easily compiled . d the auditor obtains explicit evidence concerning application functions . ANS: C 34. All of the following are disadvantages of the test data technique except a the test data technique requires extensive computer expertise on the part of the auditor . b the auditor cannot be sure that the application being tested is a copy of the current . application used by computer services personnel c the auditor cannot be sure that the application being tested is the same application used . throughout the entire year d preparation of the test data is time-consuming . ANS: A 35. All of the following statements are true about the integrated test facility (ITF) except a production reports are affected by ITF transactions . b ITF databases contain "dummy" records integrated with legitimate records . c ITF permits ongoing application auditing . d ITF does not disrupt operations or require the intervention of computer services . personnel ANS: A 36. Which statement is not true? Embedded audit modules a can be turned on and off by the auditor. . b reduce operating efficiency. . c may lose their viability in an environment where programs are modified frequently. . d identify transactions to be analyzed using white box tests. . ANS: D 37. Generalized audit software packages perform all of the following tasks except a recalculate data fields . b compare files and identify differences . c stratify statistical samples . d analyze results and form opinions . ANS: D SHORT ANSWER 1. Contrast the source program library (SPL) management system to the database management system (DBMS). ANS: The SPL software manages program files and the DBMS manages data files. 2. Describe two methods used to control the source program library. ANS: passwords, separation of development programs from maintenance programs, program management reports, program version numbers, controlling maintenance commands 3. New system development activity controls must focus on the authorization, development, and implementation of new systems and its maintenance. Discuss at least five control activities that are found in an effective system development life cycle. ANS: System authorization activities assure that all systems are properly authorized to ensure their economic justification and feasibility. User specification activities should not be stifled by technical issues. Users can provide written description of the logical needs that must be satisfied by the system. Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control. Internal audit involvement should occur throughout the process to assure that the system will serve user needs. Program testing is to verify that data is processed as intended. 4. What are the three broad categories of application controls? ANS: input, processing, and output controls 5. How does privacy relate to output control? ANS: If the privacy of certain types of output, e.g., sensitive information about clients or customers, a firm could be legally exposed. 6. What are the three categories of processing control? ANS: Batch controls, run-to-run controls, and audit trail controls. 7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this? ANS: Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice. Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage. The second method is to reinsert corrected records into the processing stage at which the error was detected. 8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk? ANS: output spooling, delayed printing, waste, report distribution 9. Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors. Name four input controls and describe what they test ANS: 1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters; 2. limit checks verify that values are within preset limits; 3. range checks verify the values fall with in an acceptable range 4. reasonableness check determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. 10. A __________________________ fraud affects a large number of victims but the harm to each appears to be very small. ANS: salami 11. Describe a test of controls that would provide evidence that only authorized program maintenance is occurring. ANS: reconcile program version numbers, confirm maintenance authorizations 12. Auditors do not rely on detailed knowledge of the application's internal logic when they use the __________________________ approach to auditing computer applications. ANS: black box or auditing around the computer 13. Describe parallel simulation. ANS: The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run. 14. What is meant by auditing around the computer versus auditing through the computer? Why is this so important? ANS: Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, the importance of understanding the programming components of the system is crucial. 15. What is an embedded audit module? ANS: EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor's substantive testing task is thus made easier since they do not have to identify significant transactions for substantive testing. 16. What are the audit’s objectives relating to systems development? ANS: The auditor’s objectives are to ensure that (1) systems development activities are applied consistently and in accordance with management’s policies to all systems development projects; (2) the system as originally implemented was free from material errors and fraud; (3) the system was judged necessary and justified at various checkpoints throughout the SDLC; and (4) system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities. ESSAY 1. Outline the six controllable activities that relate to new systems development ANS: Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form. User Specification Activities: Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user’s view of the problem, not that of the systems professionals. Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user’s needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design. Internal Audit Participation: To meet the governance-related expectations of management under SOX, an organization’s internal audit department needs to be independent, objective, and technically qualified. As such, the internal auditor can play an important role in the control of systems development activities. Program Testing: All program modules must be thoroughly tested before they are implemented. This involves creating hypothetical master files and transactions files that are processed by the modules being tested. The results of the tests are then compared against predetermined results to identify programming and logic errors. User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise of user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user. 2. Explain the three methods used to correct errors in data entry. ANS: Immediate Correction. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected. Creation of an Error File. In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected. Rejection of the Entire Batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected. 3. The presence of an audit trail is critical to the integrity of the accounting information system. Discuss three of the techniques used to preserve the audit trail. ANS: Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file. After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input. Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system. Error listing should document all errors and be sent to appropriate users to support error correction. 4. Define each of the following input controls and give an example of how they may be used: a. Missing data check b. Numeric/alphabetic data check c. Limit check d. Range check e. Reasonableness check f. Validity check ANS: Missing data check. Some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged. Numeric-alphabetic check. This control identifies when data in a particular field are in the wrong form. For example, a customer’s account balance should not contain alphabetic data and the presence of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag is set. Limit check. Limit checks are used to identify field values that exceed an authorized limit. For example, assume the firm’s policy is that no employee works more than 44 hours per week. The payroll system input control program can test the hours-worked field in the weekly payroll records for values greater than 44. Range check. Many times data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range. Reasonableness check. The test determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee’s pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee’s job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour. Validity check. A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error. 5. After data is entered into the system, it is processed. Processing control exists to make sure that the correct things happen during processing. Discuss processing controls. ANS: Processing controls take three forms–batch controls, run-to-run controls, and audit trail controls. Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that: _ All records in the batch are processed. _ No records are processed more than once. _ An audit trail of transactions is created from input through processing to the output stage of the system. Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system–i.e. from run-to-run. These are to assure that no transactions are lost and that all are processed completely. Audit trail controls are designed to document the movement of transactions through the system. The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings. 6. If input and processing controls are adequate, why are output controls needed? ANS: Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private–trade secrets, patents pending, customer records, etc. 7. Describe and contrast the test data method with the integrated test facility. ANS: In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors. The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results. In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach. 8. Contrast Embedded Audit Modules with Generalized Audit Software. ANS: Both techniques permit auditors to access, organize, and select data in support of the substantive phase of the audit. The Embedded Audit Module (EAM) technique embeds special audit modules into applications. The EAM captures specific transactions for auditor review. EAMs reduce operational efficiency and are not appropriate for environments with a high level of program maintenance. Generalized Audit Software (GAS) permits auditors to electronically access audit files and to perform a variety of audit procedures. For example the GAS can recalculate, stratify, compare, format, and print the contents of files. The EAM is an internal program that is designed and programmed into the application. The GAS is an external package that does not affect operational efficiency of the program. GASs are easy to use, require little IT background on the part of the user, are hardware independent, can be used without the assistance of computer service employees, and are not application-specific. On the other hand, EAMs are programmed into a specific application by computer service professionals. 9. What is the purpose of the auditor's review of SDLC documentation? ANS: In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including: • proper authorization of the project by users and computer service management, • a preliminary feasibility study showed that the project had merit, • that a detailed analysis of user needs was conducted, • that a cost-benefit analysis was performed, • that the project can be demonstrated to solve the users' problem, and • that the system was thoroughly tested. 10. Microcomputers have traditionally been difficult to control, leaving auditors with special problems in verifying physical controls. Discuss what an auditor's objectives might be in testing microcomputer controls. ANS: The auditor must investigate several things: 1) that adequate supervision and operating procedures exist to compensate for the lack of segregation of duties that occur when users are functioning also as programmers and operators; 2) that access to hardware, data and software is limited to authorized personnel; 3) that backup procedures are in place and implemented to prevent data and program loss; and 4) that procedures for systems selection and acquisition assure high quality, error free, applications. This is far from an ideal situation. 11. Contrast the "black box" approach to IT auditing and the "white box" approach. Which is preferred? ANS: The black box approach is not concerned with the application's internal workings. The auditor examines documentation of the system, interviews personnel, and bases the evaluation on the logical consistency between input and output. This method is often referred to as "auditing-around-thecomputer" because there is no examination of data as it is processed. The white box approach, also called "auditing-through-the-computer," relies on knowledge of the internal workings of the systems and actually tests the application in action with test data having known results. Several white box techniques are available. These include the test data method, base case evaluation, tracing, the integrated test facility, and parallel simulation. This method makes the computer a tool of the audit as well as its target.