CIS-496 / I.S. Auditing

IT Audit & Assurance
Chapter 7:
Computer-Assisted Audit
Techniques [CAATs]
Introduction to Input Controls
• Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete.
• Data input procedures can be either:
  - source document-triggered (batch)
  - direct input (real-time)
• Source document input requires human involvement and is prone to clerical errors.
• Direct input employs real-time editing techniques to identify and correct errors immediately.
Classes of Input Controls
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems
#1-Source Documents Controls
• Controls in systems using physical source documents
• Source document fraud
• To control for this exposure, control procedures are needed over source documents to account for each one:
  - Use pre-numbered source documents
  - Use source documents in sequence
  - Periodically audit source documents
#2-Data Coding Controls
• Checks on data integrity during processing
1) Transcription errors
  - Addition errors: extra digits
  - Truncation errors: a digit removed
  - Substitution errors: a digit replaced
2) Transposition errors
  - Single transposition: adjacent digits transposed (reversed)
  - Multiple transposition: non-adjacent digits are transposed
• Control = check digits
  - Added to the code when it is created (suffix, prefix, or embedded)
  - Sum of digits (ones): detects transcription errors only
  - Modulus 11 (a different weight per column): detects transposition and transcription errors
  - Introduces storage and processing inefficiencies
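An added example (not from the slides) that implements the two check-digit schemes above on a constructed 5-digit customer number and shows why the sum-of-digits scheme misses a transposition while modulus 11 catches it. The column weights (n+1 down to 2), the suffix position and the "X" stand-in for a check value of 10 are assumptions for illustration.

```python
# Added example, not from the slides: the two check-digit schemes named on the
# data-coding slide, applied to a constructed 5-digit customer number. The
# column weights (n+1 down to 2) and the suffix position are assumptions.

def sum_of_digits_check(code: str) -> str:
    """Check digit = ones digit of the sum of the digits. Catches transcription
    errors (substituted/added/dropped digit) but NOT transpositions, because
    reordering the digits leaves their sum unchanged."""
    return str(sum(int(d) for d in code) % 10)

def modulus_11_check(code: str) -> str:
    """Modulus 11 with a different weight per column (assumed weights n+1..2,
    rightmost column weighted 2, for codes of at most 9 digits). Swapping two
    digits changes the weighted sum, so transpositions are detected too.
    'X' stands in for a check value of 10, as in ISBN-10 (an assumption)."""
    weights = range(len(code) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(code, weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)

def encode(code: str, scheme) -> str:
    """Append the check digit as a suffix."""
    return code + scheme(code)

def validate(coded: str, scheme) -> bool:
    """Recompute the check digit from the body and compare with the suffix."""
    return scheme(coded[:-1]) == coded[-1]

# Constructed test values: the correct code, a single transposition (67 -> 76)
# and a substitution error (2 -> 3).
GOOD, TRANSPOSED, SUBSTITUTED = "53672", "53762", "53673"

def detection_table() -> dict:
    """Which scheme detects which error kind, for the constructed codes."""
    table = {}
    for name, scheme in (("sum_of_digits", sum_of_digits_check),
                         ("modulus_11", modulus_11_check)):
        good_check = scheme(GOOD)
        table[name] = {"transposition": scheme(TRANSPOSED) != good_check,
                       "substitution": scheme(SUBSTITUTED) != good_check}
    return table

if __name__ == "__main__":
    for scheme_name, hits in detection_table().items():
        print(scheme_name, hits)
```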
#3-Batch Controls
• Method for handling high volumes of transaction data, especially in paper-fed information systems
• Controls over the batch continue through all phases of the system and all processes (i.e., not JUST an input control):
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output
• Requires grouping of similar input transactions
#3-Batch Controls
• Requires controlling the batch throughout
• Batch transmittal sheet (batch control record), Figure 7-1, p. 302:
  ✓ Unique batch number (serial #)
  ✓ A batch date
  ✓ A transaction code
  ✓ Number of records in the batch
  ✓ Total dollar value of a financial field
  ✓ Sum of a unique non-financial field
    - Hash total
    - E.g., customer number
• Batch control log: Figure 7-3, p. 303
• Hash Totals
#4-Validation Controls
• Intended to detect errors in data before processing
• Most effective if performed close to the source of the transaction
• Some require referencing a master file
#4-Validation Controls
1) Field Interrogation
  - Missing data checks
  - Numeric-alphabetic data checks
  - Zero-value checks
  - Limit checks
  - Range checks
  - Validity checks
  - Check digit
2) Record Interrogation
  - Reasonableness checks
  - Sign checks
  - Sequence checks
3) File Interrogation
  - Internal label checks (tape)
  - Version checks
  - Expiration date check
#5-Input Error Correction
• Batch: correct and resubmit
• Controls to make sure errors are dealt with completely and accurately:
1) Immediate Correction
2) Create an Error File
  - Reverse the effects of partially processed records, then resubmit the corrected records
  - Reinsert corrected records at the processing stage where the error was detected
3) Reject the Entire Batch
#6-Generalized Data Input Systems [GDIS]
• Centralized procedures to manage data input for all transaction processing systems
• Eliminates the need to create redundant routines for each new application
• Advantages:
1) Improves control by having one common system perform all data validation
2) Ensures each AIS application applies a consistent standard of data validation
3) Improves systems development efficiency
#6-GDIS
• Major components:
1) Generalized Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log
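An added example (not from the slides) tying the validation-controls, error-file and GDIS slides together: a small generalized validation module applies field and record interrogation checks to constructed sales records and produces the GDIS outputs (validated data file, error file, error report, transaction log). The field names, credit limit, quantity range and customer master file are assumptions.

```python
# Added example, not from the slides: a GDIS-style generalized validation module that
# applies the field/record interrogation checks from the validation slide to constructed
# sales records and emits a validated file, error file, error report and transaction log.
NUM = (int, float)
CUSTOMER_MASTER = {"10001", "10002", "10003"}   # constructed master file (validity check)
CREDIT_LIMIT = 5000.00                            # assumed ceiling for the limit check

def field_interrogation(rec):
    errs = [f"missing data: {f}" for f in ("seq", "customer", "amount", "qty")
            if rec.get(f) in (None, "")]
    cust = str(rec.get("customer", ""))
    if not cust.isdigit():                       # numeric-alphabetic check
        errs.append("numeric check: customer")
    elif cust not in CUSTOMER_MASTER:            # validity check against the master file
        errs.append("validity check: customer not on master file")
    if isinstance(rec.get("amount"), NUM) and rec["amount"] > CREDIT_LIMIT:
        errs.append("limit check: amount exceeds credit limit")
    if isinstance(rec.get("qty"), NUM) and not 1 <= rec["qty"] <= 100:
        errs.append("range check: qty outside 1-100")
    return errs

def record_interrogation(rec, prev_seq):
    errs, amt, qty = [], rec.get("amount"), rec.get("qty")
    if isinstance(amt, NUM) and amt < 0:
        errs.append("sign check: negative sale amount")
    if isinstance(amt, NUM) and isinstance(qty, NUM) and qty > 0 and amt / qty > 1000:
        errs.append("reasonableness check: unit price over 1000")
    if prev_seq is not None and isinstance(rec.get("seq"), NUM) and rec["seq"] <= prev_seq:
        errs.append("sequence check: out of order")
    return errs

def validate_batch(records):
    # Returns (validated_file, error_file, error_report, transaction_log)
    validated, error_file, log, prev_seq = [], [], [], None
    for rec in records:
        errs = field_interrogation(rec) + record_interrogation(rec, prev_seq)
        if errs:
            error_file.append({"record": rec, "errors": errs})
        else:
            validated.append(rec)
        log.append((rec.get("seq"), "ERROR" if errs else "OK"))   # every record is logged
        if isinstance(rec.get("seq"), NUM): prev_seq = rec["seq"]
    report = [f"seq {e['record'].get('seq')}: {'; '.join(e['errors'])}" for e in error_file]
    return validated, error_file, report, log

TRANSACTIONS = [  # constructed input; each record after the first carries one defect
    {"seq": 1, "customer": "10001", "amount": 250.00, "qty": 5},
    {"seq": 2, "customer": "10009", "amount": 120.00, "qty": 2},    # not on master file
    {"seq": 3, "customer": "10002", "amount": 7500.00, "qty": 10},  # over credit limit
    {"seq": 4, "customer": "10003", "amount": -40.00, "qty": 1},    # negative amount
    {"seq": 6, "customer": "10001", "amount": 30.00, "qty": 0},     # qty out of range
    {"seq": 5, "customer": "10002", "amount": 90.00, "qty": ""},    # missing qty, out of sequence
]
```

Calling `validate_batch(TRANSACTIONS)` leaves only the first record in the validated file; the rest land in the error file with one reason each (two for the last).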
Classes of Processing Controls
1) Run-to-Run Controls
2) Operator Intervention Controls
3) Audit Trail Controls
#1-Run-to-Run [Batch]
• Use batch figures to monitor the batch as it moves from one process to another.
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
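An added example (not from the slides) covering both the batch transmittal record from the batch-controls slides and the run-to-run controls listed above: the control figures are computed when the batch is created and recalculated at a later run, with transaction-code and sequence checks. The record layout, batch values and dates are constructed.

```python
# Added example, not from the slides: a batch transmittal (batch control) record with
# the control figures listed on the batch-controls slide, recomputed at a later
# processing run as a run-to-run control. Record layout and values are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class BatchControlRecord:
    batch_number: int        # unique serial number
    batch_date: str
    transaction_code: str
    record_count: int        # number of records in the batch
    financial_total: float   # total dollar value of a financial field (amount)
    hash_total: int          # sum of a non-financial field (customer number)

def build_control_record(batch_number, batch_date, tx_code, records):
    return BatchControlRecord(batch_number, batch_date, tx_code, len(records),
                              round(sum(r["amount"] for r in records), 2),
                              sum(int(r["customer"]) for r in records))

def run_to_run_check(control, records, expected_code):
    """Recalculate control totals, check transaction codes and check the sequence.
    Returns the list of discrepancies; an empty list means the batch is intact."""
    problems = []
    actual = build_control_record(control.batch_number, control.batch_date,
                                  control.transaction_code, records)
    for fld in ("record_count", "financial_total", "hash_total"):
        if getattr(actual, fld) != getattr(control, fld):
            problems.append(f"{fld.replace('_', ' ')} {getattr(actual, fld)} != {getattr(control, fld)}")
    bad_codes = [r["seq"] for r in records if r["tx_code"] != expected_code]
    if bad_codes:
        problems.append(f"transaction code check failed for seq {bad_codes}")
    seqs = [r["seq"] for r in records]
    if seqs and seqs != list(range(seqs[0], seqs[0] + len(seqs))):
        problems.append("sequence check failed (gap, duplicate or out of order)")
    return problems

BATCH = [  # constructed input batch of sales transactions (code "SAL")
    {"seq": 101, "tx_code": "SAL", "customer": "10001", "amount": 250.00},
    {"seq": 102, "tx_code": "SAL", "customer": "10002", "amount": 120.50},
    {"seq": 103, "tx_code": "SAL", "customer": "10003", "amount": 99.99},
    {"seq": 104, "tx_code": "SAL", "customer": "10001", "amount": 30.01},
]
CONTROL = build_control_record(7, "2024-01-15", "SAL", BATCH)   # the transmittal record

def scenario(records):
    """Run-to-run check of `records` against the original transmittal record."""
    return run_to_run_check(CONTROL, records, "SAL")
```

`scenario(BATCH[:3])` shows a dropped record, `scenario(BATCH + [BATCH[1]])` a record processed twice, and changing one customer number is caught only by the hash total, which is the point of carrying a non-financial total alongside the dollar total.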
#2-Operator Intervention
• When the operator manually enters controls into the system
• Preference is for controls to be derived by logic or provided by the system
#3-Audit Trail Controls
• Every transaction becomes traceable from input to output
• Each processing step is documented
• Preservation is key to the auditability of the AIS
• Transaction Logs
• Log of Automatic Transactions
• Listing of Automatic Transactions
• Unique Transaction Identifiers [s/n]
• Error Listing
Output Controls
• Ensure system output:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated
• Batch systems are more susceptible to exposure and require greater controls
• Controlling Batch Systems Output:
  - Many steps from printer to end user
  - Data control clerk check point
  - Unacceptable printing should be shredded
  - Cost/benefit basis for controls
  - Sensitivity of data drives levels of controls
Output Controls
• Output spooling risks:
1) Access the output file and change critical data values
2) Access the file and change the number of copies to be printed
3) Make a copy of the output file so illegal output can be generated
4) Destroy the output file before printing takes place
Output Controls
• Print Programs
• Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after a printer malfunction
4) Removing printer output from the printer for review and distribution
• Print Program Controls
  - Production of unauthorized copies
    ✓ Employ output document controls similar to source document controls
  - Unauthorized browsing of sensitive data by employees
    ✓ Special multi-part paper that blocks certain fields
Output Controls
• Bursting
  ✓ Supervision
• Waste
  ✓ Proper disposal of aborted copies and carbon copies
• Data Control
  ✓ Data Control Group: verify and log
• Report Distribution
  ✓ Supervision
Output Controls
• End User Controls
  ✓ End user detection
• Report Retention:
  - Statutory requirements (gov't)
  - Number of copies in existence
  - Existence of softcopies (backups)
  - Destroyed in a manner consistent with the sensitivity of its contents
Output Controls
• Controlling Real-time Systems Output
• Eliminates intermediaries
• Threats:
  - Interception
  - Disruption
  - Destruction
  - Corruption
• Exposures:
  - Equipment Failure
  - Subversive Acts
  ✓ Systems performance controls (Ch. 2)
  ✓ Chain of custody controls (Ch. 5)
Testing Computer Application Controls
1) Black Box (around)
2) White Box (through)
Testing Computer Application Controls: Black Box
• Ignore the internal logic of the application
• Use functional characteristics:
  - Flowcharts
  - Interview key personnel
• Advantages:
  - Do not have to remove the application from operations to test it
• Appropriately applied to:
  - Simple applications
  - Relatively low level of risk
Testing Computer Application Controls: White Box
• Relies on an in-depth understanding of the internal logic of the application
• Uses a small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
• Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results
White Box Test Methods
1) Authenticity tests:
  - Individuals / users
  - Programmed procedures
  - Messages to access the system (e.g., logons)
  - All-American University, student lab: logon, reboot, logon *
2) Accuracy tests:
  - System only processes data values that conform to specified tolerances
3) Completeness tests:
  - Identify missing data (fields, records, files)
White Box Test Methods
4) Redundancy tests:
  - Process each record exactly once
5) Audit Trail tests:
  - Ensure the application and/or system creates an adequate audit trail
    ✓ Transactions listing
    ✓ Error files or reports for all exceptions
6) Rounding Error tests:
  - "Salami slicing"
  - Monitor activities; excessive ones are serious exceptions, e.g., rounding and thousands of entries into a single account for $1 or 1¢
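An added example (not from the slides) of the rounding error test above from the auditor's side: it scans a constructed interest-posting journal for the pattern the slide describes, many cent-sized entries accumulating in a single account, and reconciles rounding-sized credits against the account where residuals legitimately belong. The thresholds, account ids and the suspense account are assumptions.

```python
# Added example, not from the slides: a rounding-error test that scans a constructed
# interest-posting journal for the pattern the slide describes, i.e. many cent-sized
# entries accumulating in a single account. Thresholds and account ids are assumed.
from collections import defaultdict

TINY_AMOUNT = 0.05               # assumed: postings of 5 cents or less are "rounding-sized"
MAX_TINY_PER_ACCOUNT = 3         # assumed: more than 3 such postings to one account is an exception
SUSPENSE_ACCOUNT = "SUSP-ROUND"  # assumed: the account where rounding residuals belong

INTEREST_RUN = [  # constructed: (account, interest computed, interest posted after rounding down)
    ("C-1001", 12.3478, 12.34), ("C-1002", 8.9961, 8.99), ("C-1003", 45.0025, 45.00),
    ("C-1004", 3.1199, 3.11), ("C-1005", 27.7771, 27.77), ("C-1006", 0.6653, 0.66),
]
JOURNAL = [{"account": a, "amount": p} for a, _, p in INTEREST_RUN] + [
    # constructed: cent-sized credits that should have gone to the suspense account
    {"account": "C-9001", "amount": 0.01}, {"account": "C-9001", "amount": 0.01},
    {"account": "C-9001", "amount": 0.01}, {"account": "C-9001", "amount": 0.01},
    {"account": "C-9001", "amount": 0.01}, {"account": "C-2001", "amount": 0.02},
]

def total_residual(run):
    """Total fraction of a cent dropped by rounding across the run (what a clean
    run should post, in whole cents, to the suspense account and nowhere else)."""
    return round(sum(computed - posted for _, computed, posted in run), 4)

def tiny_postings_by_account(journal):
    by_acct = defaultdict(list)
    for entry in journal:
        if 0 < abs(entry["amount"]) <= TINY_AMOUNT:
            by_acct[entry["account"]].append(entry["amount"])
    return by_acct

def rounding_exceptions(journal):
    """Accounts receiving more rounding-sized postings than the threshold allows,
    as {account: (count, total)}: the 'excessive activity' signal from the slide."""
    return {acct: (len(v), round(sum(v), 2))
            for acct, v in tiny_postings_by_account(journal).items()
            if len(v) > MAX_TINY_PER_ACCOUNT}

def unexplained_tiny_credits(journal, suspense=SUSPENSE_ACCOUNT):
    """Rounding-sized credits posted anywhere other than the suspense account.
    In a clean run this is 0.0; anything else needs an explanation."""
    return round(sum(sum(v) for acct, v in tiny_postings_by_account(journal).items()
                     if acct != suspense), 2)
```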
Computer Aided Audit Tools and Techniques [CAATTs]
1) Test Data method
2) Base Case System Evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel Simulation
6) GAS
#1 - Test Data
• Used to establish the application's processing integrity
• Uses a "test deck":
  - Valid data
  - Purposefully selected invalid data
  - Every possible:
    ✓ Input error
    ✓ Logical process
    ✓ Irregularity
• Procedures:
1) Predetermine results and expectations
2) Run the test deck
3) Compare
#2 - Base Case System Evaluation [BCSE]
• Variant of the Test Data method
• Comprehensive test data
• Repetitive testing throughout the SDLC
• When the application is modified, the subsequent (new) test results can be compared with the previous (base) results
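An added example (not from the slides) of the test-data procedure and its base-case variant: a constructed application (a discount rule) is run against a test deck of valid and purposely invalid records with predetermined results, and the base results are then compared with a modified version of the program. The application, its defect and the deck are all assumptions.

```python
# Added example, not from the slides: the test-data method and its base-case variant
# run against a constructed application (a discount rule). The test deck holds valid
# and purposely invalid records with predetermined results; the base-case results from
# the original program are then compared with a modified version. All names are assumed.

def discount_v1(order):
    """Constructed application under review: 10% off when the amount is 100 or more."""
    amount = order.get("amount")
    if not isinstance(amount, (int, float)):
        return "REJECT: non-numeric amount"          # numeric-alphabetic check
    if amount <= 0:
        return "REJECT: amount must be positive"      # zero-value / sign check
    rate = 0.10 if amount >= 100 else 0.0
    return round(amount * (1 - rate), 2)

def discount_v2(order):
    """The same application after a maintenance change that moved the boundary to
    'more than 100' (a constructed defect the base-case comparison should expose)."""
    amount = order.get("amount")
    if not isinstance(amount, (int, float)):
        return "REJECT: non-numeric amount"
    if amount <= 0:
        return "REJECT: amount must be positive"
    rate = 0.10 if amount > 100 else 0.0
    return round(amount * (1 - rate), 2)

TEST_DECK = [  # constructed: (input record, predetermined expected result)
    ({"amount": 99.99}, 99.99),                            # valid, just below threshold
    ({"amount": 100.00}, 90.0),                            # valid, exactly on threshold
    ({"amount": 250.00}, 225.0),                           # valid, above threshold
    ({"amount": 0}, "REJECT: amount must be positive"),    # invalid: zero value
    ({"amount": -5}, "REJECT: amount must be positive"),   # invalid: wrong sign
    ({"amount": "abc"}, "REJECT: non-numeric amount"),     # invalid: alpha in numeric field
]

def run_test_deck(app, deck=TEST_DECK):
    """Steps 2 and 3: run the deck, compare with the predetermined results.
    Returns (deck index, expected, actual) for every mismatch."""
    mismatches = []
    for i, (record, expected) in enumerate(deck):
        actual = app(record)
        if actual != expected:
            mismatches.append((i, expected, actual))
    return mismatches

def base_case_comparison(base_app, new_app, deck=TEST_DECK):
    """BCSE: rerun the deck on the modified program and diff against the base results."""
    base = [base_app(record) for record, _ in deck]
    new = [new_app(record) for record, _ in deck]
    return [(i, b, n) for i, (b, n) in enumerate(zip(base, new)) if b != n]
```

The boundary record is the one that exposes the change: `run_test_deck(discount_v2)` and `base_case_comparison(discount_v1, discount_v2)` both report deck index 1 with expected 90.0 and actual 100.0.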
#3 – Tracing
• Test data technique that takes a step-by-step walk through the application
1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as test data
3) Test data is "traced" through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
• Excellent means of debugging a faulty program
Test Data: Advantages & Disadvantages
• Advantages of Test Data
1) They employ a white box approach, thus providing explicit evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of the auditors
• Disadvantages of Test Data
1) Auditors must rely on IS personnel to obtain a copy of the application for testing
2) Audit evidence is not entirely independent
3) Provides a static picture of application integrity
4) Relatively high cost to implement; auditing inefficiency
#4 – Integrated Test Facility
• ITF is an automated technique that allows auditors to test logic and controls during normal operations
• Set up a dummy entity within the application system
1) Set up a dummy entity within the application system
2) The system must be able to discriminate between ITF audit module transactions and routine transactions
3) The auditor analyzes ITF results against expected results
#5 – Parallel Simulation
• The auditor writes or obtains a copy of a program that simulates the key features or processes to be reviewed / tested
1) Auditor gains a thorough understanding of the application under review
2) Auditor identifies those processes and controls critical to the application
3) Auditor creates the simulation using a program or Generalized Audit Software (GAS)
4) Auditor runs the simulated program using selected data and files
5) Auditor evaluates results and reconciles differences