Chapter 17
IT Controls Part III: Systems Development, Program Changes, and Application Controls
Accounting Information Systems, 7e
James A. Hall
Hall, Accounting Information Systems, 7e
©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Objectives for Chapter 17
• Be familiar with the controls and audit tests relevant to the systems development process.
• Understand the risks and controls associated with program change procedures and the role of the source program library.
• Understand the auditing techniques (CAATTs) used to verify the effective functioning of application controls.
• Understand the auditing techniques used to perform substantive tests in an IT environment.
Systems Development Activities
• Authorizing development of new systems
• Addressing and documenting user needs
• Technical design phases
• Participation of internal auditors
• Testing program modules before implementing
  - Testing individual modules by a team of users, internal audit staff, and systems professionals
System Development Life Cycle
Figure 14-1
Systems Development
Auditing objectives: ensure that...
• SDLC activities are applied consistently and in accordance with management’s policies
• the system as originally implemented was free from material errors and fraud
• the system was judged to be necessary and justified at various checkpoints throughout the SDLC
• system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
Systems Development Internal Controls
• New systems must be authorized.
• Feasibility studies were conducted.
• User needs were analyzed and addressed.
• Cost-benefit analysis was done.
• Proper documentation was completed.
• All program modules must be thoroughly tested before they are implemented.
  - Checklist of problems was kept.
System Maintenance Internal Controls
• Last, longest and most costly phase of the SDLC
  - Up to 80-90% of the entire cost of a system
• All maintenance actions should require:
  - Technical specifications
  - Testing
  - Documentation updates
  - Formal authorizations for any changes
Program Change
Auditing objectives: detect unauthorized program maintenance and determine that...
• maintenance procedures protect applications from unauthorized changes
• applications are free from material errors
• program libraries are protected from unauthorized access
Source Program Library
• Source program library (SPL)
  - library of applications and software
  - place where programs are developed and modified
  - once compiled into machine language, no longer vulnerable
Uncontrolled Access to the SPL
Figure 17-2
Controlled SPL Environments
• SPL management systems (SPLMS) protect the SPL by controlling the following functions:
  - storing programs on the SPL
  - retrieving programs for maintenance purposes
  - deleting obsolete programs from the library
  - documenting program changes to provide an audit trail of the changes
Source Program Library under the Control of SPL Management Software
Figure 17-3
SPL Control Features
• Password control
• Separation of test libraries
• Audit trails
• Reports that enhance management control and the audit function
• Assigns program version numbers automatically
• Controlled access to maintenance commands
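The control features above, as an added example that is not part of the textbook or of any SPLMS product: a small Python model in which every request passes password control, maintenance commands are limited to the libraries a user is authorized for, test and production libraries are kept separate, version numbers are assigned by the system rather than the programmer, and every request, accepted or rejected, is written to an audit trail. The users, passwords, program sources and the change-ticket number are constructed for the example.

```python
"""Model of a source program library management system (SPLMS).

Added example, not the textbook's or any vendor's product: an in-memory model
of the control features the slide lists (password control, separate test and
production libraries, automatic version numbers, an audit trail, and maintenance
commands limited to authorized users). All users and programs are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAINTENANCE_COMMANDS = {"store", "retrieve", "delete"}
PBKDF2_ROUNDS = 100_000

class AccessDenied(Exception): pass   # request failed password control or authorization

class SourceProgramLibrary:
    def __init__(self, name):
        self.name = name            # "TEST" or "PROD": separate libraries
        self.programs = {}          # program id -> list of stored versions
        self.next_version = {}      # program id -> next number to assign
        self.audit_trail = []       # every request, accepted or rejected

    def log(self, user, command, program, detail):
        self.audit_trail.append({
            "when": datetime.now(timezone.utc).isoformat(), "library": self.name,
            "user": user, "command": command, "program": program, "detail": detail})

    def execute(self, user, command, program, source=None, ticket=None):
        if command == "store":
            version = self.next_version.get(program, 1)       # assigned automatically
            self.next_version[program] = version + 1
            self.programs.setdefault(program, []).append({
                "version": version, "source": source, "ticket": ticket,
                "sha256": hashlib.sha256(source.encode()).hexdigest()})
            self.log(user, command, program, f"stored v{version}, ticket {ticket}")
            return version
        if command == "retrieve":
            latest = self.programs[program][-1]
            self.log(user, command, program, f"retrieved v{latest['version']}")
            return latest["source"]
        if command == "delete":
            self.programs.pop(program)                         # trail keeps the history
            self.log(user, command, program, "deleted obsolete program")
            return None
        raise ValueError(f"unknown command {command!r}")

class SPLManagementSystem:
    def __init__(self):
        self.libraries = {n: SourceProgramLibrary(n) for n in ("TEST", "PROD")}
        self.credentials = {}   # user -> (salt, PBKDF2 digest)
        self.rights = {}        # user -> libraries where maintenance commands are allowed

    def add_user(self, user, password, maintenance_on=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.credentials[user] = (salt, digest)
        self.rights[user] = set(maintenance_on)

    def authenticate(self, user, password):
        if user not in self.credentials:
            return False
        salt, digest = self.credentials[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def run(self, user, password, command, library, program, source=None, ticket=None):
        lib = self.libraries[library]
        if not self.authenticate(user, password):                    # password control
            lib.log(user, command, program, "REJECTED: bad credentials")
            raise AccessDenied("password control")
        if command in MAINTENANCE_COMMANDS and library not in self.rights[user]:
            lib.log(user, command, program, "REJECTED: no maintenance authority")
            raise AccessDenied("maintenance command not permitted on this library")
        if library == "PROD" and command == "store" and not ticket:
            lib.log(user, command, program, "REJECTED: no change authorization")
            raise AccessDenied("production store needs an approved change ticket")
        return lib.execute(user, command, program, source, ticket)

def denied(spl, *args, **kwargs):
    # True when the SPLMS refuses the request (used in demo() and in tests)
    try:
        spl.run(*args, **kwargs)
    except AccessDenied:
        return True
    return False

def demo():
    """Programmer works in TEST; only the librarian may promote to PROD, with a ticket."""
    spl = SPLManagementSystem()
    spl.add_user("alice", "pw-alice", maintenance_on={"TEST"})        # programmer
    spl.add_user("lib", "pw-lib", maintenance_on={"TEST", "PROD"})    # librarian
    spl.run("alice", "pw-alice", "store", "TEST", "PAYROLL", "PAYROLL v1 source")
    spl.run("alice", "pw-alice", "store", "TEST", "PAYROLL", "PAYROLL v2 source")
    src = spl.run("alice", "pw-alice", "retrieve", "TEST", "PAYROLL")
    assert denied(spl, "alice", "pw-alice", "store", "PROD", "PAYROLL", src)  # no PROD rights
    assert denied(spl, "lib", "pw-lib", "store", "PROD", "PAYROLL", src)      # no ticket
    spl.run("lib", "pw-lib", "store", "PROD", "PAYROLL", src, ticket="CR-0042")  # constructed id
    return spl
```

The demo walks the scenario the slides describe: a programmer stores two versions in TEST, is refused a store to PROD, and the librarian promotes the retrieved source to PROD only with a change ticket. The PROD library's audit trail then shows two rejected requests before the accepted one, which is the record an auditor reviews when verifying that program libraries are protected from unauthorized access.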
Program Change
• Auditing procedures: verify that programs were properly maintained, including changes
• Specifically, verify…
  - identification and correction of unauthorized program changes
  - identification and correction of application errors
  - control of access to systems libraries
Application Controls
• Narrowly focused exposures within a specific system, for example:
  - accounts payable
  - cash disbursements
  - fixed asset accounting
  - payroll
  - sales order processing
  - cash receipts
  - general ledger
Application Controls
• Risks within specific applications
• Can affect manual procedures (e.g., entering data) or embedded (automated) procedures
• Convenient to look at in terms of:
  - input stage
  - processing stage
  - output stage
Diagram: INPUT → PROCESSING → OUTPUT
Application Input Controls
• Goal of input controls - valid, accurate, and complete input data
• Two common causes of input errors:
  - transcription errors – wrong character or value
  - transposition errors – ‘right’ character or value, but in the wrong place
Application Input Controls
• Check digits – a control digit computed from the data code is appended to it
  - especially useful for detecting transcription and transposition errors
• Missing data checks – control for blanks or incorrect justifications
• Numeric-alphabetic checks – verify that characters are in the correct form
Application Input Controls
• Limit checks – identify values beyond pre-set limits
• Range checks – identify values outside upper and lower bounds
• Reasonableness checks – compare one field to another to see if the relationship is appropriate
• Validity checks – compare values to known or standard values
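The input controls on the three preceding slides, worked as an added Python example (not the textbook's code): a check digit shown catching the transcription and transposition errors described earlier, followed by the missing-data, numeric-alphabetic, limit, range, reasonableness and validity checks applied to one payroll input record. The modulus-11 scheme is an assumption, since the slides name no scheme; it is a common choice because it detects any single wrong digit and any swap of adjacent digits. The payroll records, department codes, hour limit and pay-rate bounds are constructed.

```python
"""Input controls worked as code.

Added example, not the textbook's: a modulus-11 check digit (an assumption; the
slides name no scheme) tried against a transcription and a transposition error,
then the field-level checks the slides list, run over constructed payroll records.
"""
from decimal import Decimal, InvalidOperation

def mod11_check_digit(code):
    """Check digit for a string of digits, weighted n+1 .. 2 left to right.
    Returns None when the result would be 10 (such codes are simply not issued)."""
    weights = range(len(code) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(code, weights))
    check = (11 - total % 11) % 11
    return None if check == 10 else check

def has_valid_check_digit(full_code):
    """With the check digit included and weights n .. 1, a correct code sums to a
    multiple of 11; one wrong digit or one adjacent swap breaks that property."""
    if not full_code.isdigit():
        return False
    weights = range(len(full_code), 0, -1)
    return sum(int(d) * w for d, w in zip(full_code, weights)) % 11 == 0

VALID_DEPTS = {"ACCT", "SALES", "IT"}                    # validity: known values (constructed)
MAX_HOURS = Decimal("60")                                 # limit: pre-set ceiling (constructed)
PAY_RATE_RANGE = (Decimal("7.25"), Decimal("150.00"))     # range: lower and upper bound
REQUIRED = ("employee_id", "hours", "pay_rate", "dept", "overtime_ok")

def to_decimal(text):
    try:
        return Decimal(str(text))
    except InvalidOperation:
        return None

def validate_payroll_record(rec):
    """Apply each input control; return the findings (an empty list means clean)."""
    findings = []
    for field in REQUIRED:                                # missing data check
        if not str(rec.get(field, "")).strip():
            findings.append(f"missing: {field}")
    if not has_valid_check_digit(str(rec.get("employee_id", ""))):   # check digit
        findings.append("check digit: employee_id fails modulus 11")
    hours = to_decimal(rec.get("hours", ""))              # numeric-alphabetic checks
    rate = to_decimal(rec.get("pay_rate", ""))
    if hours is None:
        findings.append("numeric: hours is not a number")
    if rate is None:
        findings.append("numeric: pay_rate is not a number")
    dept = str(rec.get("dept", ""))
    if not dept.isalpha():
        findings.append("alphabetic: dept must be letters only")
    if hours is not None and hours > MAX_HOURS:           # limit check
        findings.append(f"limit: hours {hours} exceed {MAX_HOURS}")
    if rate is not None and not PAY_RATE_RANGE[0] <= rate <= PAY_RATE_RANGE[1]:   # range check
        findings.append(f"range: pay_rate {rate} outside {PAY_RATE_RANGE[0]}-{PAY_RATE_RANGE[1]}")
    if hours is not None and hours > 40 and rec.get("overtime_ok") != "Y":   # reasonableness
        findings.append("reasonableness: more than 40 hours without overtime approval")
    if dept not in VALID_DEPTS:                           # validity check
        findings.append(f"validity: unknown dept {dept!r}")
    return findings

# Constructed records: employee 5372 carries check digit 4, so the valid code is 53724.
GOOD = {"employee_id": "53724", "hours": "38", "pay_rate": "20.00", "dept": "ACCT", "overtime_ok": "N"}
BAD = {"employee_id": "35724", "hours": "65", "pay_rate": "5.00", "dept": "AC1", "overtime_ok": ""}
```

The BAD record transposes the first two digits of the employee code, so the check digit alone rejects it before any other control runs; the remaining findings show that each check reports independently, which is what lets an edit run print a complete error listing for a batch rather than stopping at the first defect.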
Application Processing Controls
• Programmed processes that transform input data into information for output
• Three categories:
  - Batch controls
  - Run-to-run controls
  - Audit trail controls
Application Processing Controls
• Batch controls - reconcile system output with the input originally entered into the system
• Based on different types of batch totals:
  - total number of records
  - total dollar value
  - hash totals – sum of non-financial numbers
Application Processing Controls
• Run-to-run controls - use batch figures to monitor the batch as it moves from one programmed procedure (run) to another
• Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
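Batch totals and run-to-run controls from the two preceding slides, as an added Python example that is not the textbook's code: the three batch totals the slides name are taken from the batch as entered, then re-taken after every processing run and compared against the originals. The sales batch, the run names and the two defective runs are constructed; the hash total is the sum of customer numbers, a non-financial field.

```python
"""Batch totals and run-to-run controls worked as code.

Added example, not the textbook's: record count, dollar total and hash total are
computed on entry and re-checked after each run. The batch and the runs are
constructed; the hash total sums the customer number, a non-financial field.
"""
from decimal import Decimal

BATCH = [                                   # constructed input batch
    {"customer": 1001, "amount": Decimal("250.00")},
    {"customer": 1002, "amount": Decimal("75.50")},
    {"customer": 1003, "amount": Decimal("120.00")},
]

def batch_totals(transactions):
    """Record count, dollar total and hash total of a batch."""
    return {
        "records": len(transactions),
        "amount": sum((t["amount"] for t in transactions), Decimal("0")),
        "hash": sum(t["customer"] for t in transactions),
    }

def reconcile(control, observed):
    """Totals that no longer agree: name -> (expected, actual)."""
    return {k: (control[k], observed[k]) for k in control if control[k] != observed[k]}

def run_to_run(batch, runs):
    """Carry the control totals from run to run and stop at the first run whose
    output no longer reconciles to the batch as originally entered."""
    control = batch_totals(batch)
    current, log = batch, []
    for name, run in runs:
        current = run(current)
        diff = reconcile(control, batch_totals(current))
        log.append((name, diff))
        if diff:
            break
    return current, log

# Constructed runs: one clean, two with defects the totals should expose.
def edit_run(batch):
    return [dict(t) for t in batch]                         # validation pass, nothing lost

def dropping_update_run(batch):
    return [t for t in batch if t["customer"] != 1002]      # silently loses a record

def mispost_update_run(batch):
    # Posts one sale to the wrong customer: record count and dollar total still
    # agree, and only the hash total reveals the error.
    return [dict(t, customer=1020) if t["customer"] == 1002 else dict(t) for t in batch]

def demo():
    _, dropped = run_to_run(BATCH, [("edit", edit_run), ("update", dropping_update_run)])
    _, misposted = run_to_run(BATCH, [("edit", edit_run), ("update", mispost_update_run)])
    return dropped, misposted
```

The second scenario is the reason a hash total is kept at all: a misposted customer number leaves both financial totals intact, so a reconciliation based only on record count and dollar value would pass the batch through to the ledger.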
Transaction Log to Preserve the Audit Trail
Figure 17-7
Application Output Controls
• Goal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated.
• In the following flowchart, there are exposures at every stage.
Stages in the Output Process
Figure 17-8
Application Controls: Output
• Output spooling – creates a file during the printing process that may be inappropriately accessed
• Printing – creates two risks:
  - production of unauthorized copies of output
  - employee browsing of sensitive data
Application Controls: Output
• Waste – can be stolen if not properly disposed of, e.g., by shredding
• Report distribution – for sensitive reports, the following are available:
  - use of secure mailboxes
  - require the user to sign for reports in person
  - deliver the reports to the user
Application Controls: Output
• End user controls – end users need to inspect sensitive reports for accuracy
  - shred after use
• Controlling digital output – a digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links
Testing Application Controls
• Techniques for auditing applications fall into two classes:
  1. testing application controls – two general approaches:
     - black box – around the computer
     - white box – through the computer
  2. examining transaction details and account balances (substantive testing)
Auditing Around the Computer: The Black Box Approach
Figure 17-9
Auditing through the Computer: The ITF Technique
Figure 17-14
Testing Application Controls
• Black box approach – focuses on input procedures and output results
• To gain the needed understanding:
  - analyze flowcharts
  - review documentation
  - conduct interviews
Testing Application Controls
• White box approach - focuses on understanding the internal logic of processes between input and output
• Common tests:
  - Authenticity tests
  - Accuracy tests
  - Completeness tests
  - Redundancy tests
  - Access tests
  - Audit trail tests
  - Rounding error tests
White Box Testing Techniques
• Test data method: testing for logic or control problems - good for new systems or systems which have undergone recent maintenance
  - base case system evaluation (BCSE) - using a comprehensive set of test transactions
  - tracing - performs an electronic walkthrough of the application’s internal logic
• Test data methods are not fool-proof
  - a snapshot - one point in time examination
  - high cost of developing adequate test data
White Box Testing Techniques
• Integrated test facility (ITF): an automated, on-going technique that enables the auditor to test an application’s logic and controls during its normal operation
• Parallel simulation: the auditor writes simulation programs and runs the client's actual transactions through the system
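Parallel simulation as an added Python example, not the textbook's code and not any client's application: a stand-in for the client's gross-pay routine, the auditor's own implementation of the documented pay rule, and a comparison of the two over the same transactions, which is the general form of the technique. The routines, the pay rule and the transactions are constructed; the client routine is written to contain a deviation (overtime capped at 10 hours) so that the comparison has something to find.

```python
"""Parallel simulation worked as code.

Added example, not the textbook's: a constructed stand-in for the client's
production routine, the auditor's independent simulation of the documented
rule, and the comparison of results over constructed client transactions.
"""
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")
OVERTIME_RATE = Decimal("1.5")

def client_gross_pay(hours, rate):
    """Stand-in for the client's production routine. Constructed to deviate from
    the documented rule: it caps paid overtime at 10 hours."""
    regular = min(hours, Decimal(40))
    overtime = min(hours - regular, Decimal(10))
    return (regular * rate + overtime * rate * OVERTIME_RATE).quantize(CENTS, ROUND_HALF_UP)

def auditor_simulation(hours, rate):
    """Auditor's own implementation of the documented rule: straight time up to
    40 hours, every hour above 40 at time and a half."""
    regular = min(hours, Decimal(40))
    overtime = hours - regular
    return (regular * rate + overtime * rate * OVERTIME_RATE).quantize(CENTS, ROUND_HALF_UP)

def parallel_simulation(transactions, production=client_gross_pay):
    """Run the same transactions through production and through the simulation;
    return one exception per transaction whose results differ."""
    exceptions = []
    for t in transactions:
        actual = production(t["hours"], t["rate"])
        expected = auditor_simulation(t["hours"], t["rate"])
        if actual != expected:
            exceptions.append({"employee": t["employee"], "production": actual,
                               "simulation": expected, "difference": actual - expected})
    return exceptions

TRANSACTIONS = [   # constructed period payroll
    {"employee": "E1", "hours": Decimal(38), "rate": Decimal("20.00")},
    {"employee": "E2", "hours": Decimal(45), "rate": Decimal("20.00")},
    {"employee": "E3", "hours": Decimal(55), "rate": Decimal("20.00")},
]
```

Only the third employee exceeds the cap, so only that transaction becomes an exception. The simulation is deliberately written from the documented rule rather than from the client's code, which is what gives the technique its independence: it can flag a logic defect the client's own test data never exercised.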
The Parallel Simulation Technique
Figure 17-15
Substantive Testing
• Techniques to substantiate account balances. For example:
  - search for unrecorded liabilities
  - confirm accounts receivable to ensure they are not overstated
• Requires first extracting data from the system. Two technologies commonly used to select, access, and organize data are:
  - embedded audit module
  - generalized audit software
Embedded Audit Module
• An ongoing module which filters out nonmaterial transactions
• The chosen, material transactions are used for sampling in substantive tests
• Requires additional computing resources from the client
• Hard to maintain in systems with high maintenance
Embedded Audit Module Technique
Figure 17-16
Generalized Audit Software
• Very popular and widely used
• Can access data files and perform operations on them:
  - screen data
  - statistical sampling methods
  - foot and balance
  - format reports
  - compare files and fields
  - recalculate data fields
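The embedded audit module slide and the generalized audit software slide above, as one added Python example that is neither the textbook's code nor any GAS product: a posting loop with an audit-module style filter that copies material transactions to the auditor's file as they are processed, followed by GAS-style operations over constructed files (foot and balance, recalculate a field, compare two files, draw a sample). The materiality threshold, the suspense-account criterion and every record are constructed for the example.

```python
"""Embedded audit module and generalized audit software, worked as code.

Added example, not the textbook's and not any GAS product: an in-application
filter that writes material transactions to an audit file during posting, then
GAS-style operations over constructed files. The threshold is an assumed figure.
"""
import random
from decimal import Decimal

MATERIALITY = Decimal("10000")          # assumed engagement threshold

def post_with_audit_module(transactions, threshold=MATERIALITY):
    """Application posting loop with the audit module embedded in it: every
    transaction is posted, and those meeting the auditor's selection criteria
    are also written to a separate audit file while processing runs."""
    posted, audit_file = [], []
    for t in transactions:
        posted.append(t)
        if abs(t["amount"]) >= threshold or t["account"] == "SUSPENSE":
            audit_file.append(t)
    return posted, audit_file

def foot(records, field):
    """Foot a column of a file."""
    return sum((r[field] for r in records), Decimal("0"))

def balances_to_control(records, field, control_total):
    """Foot and balance: does the detail file agree with the control account?"""
    return foot(records, field) == control_total

def recalculate_extensions(invoice_lines):
    """Recompute qty * unit price and return the lines whose stored extension differs."""
    return [l["line"] for l in invoice_lines if l["qty"] * l["unit_price"] != l["extended"]]

def compare_files(left, right, key):
    """Keys present in only one file, and keys whose records differ between files."""
    li = {r[key]: r for r in left}
    ri = {r[key]: r for r in right}
    return {
        "only_left": sorted(set(li) - set(ri)),
        "only_right": sorted(set(ri) - set(li)),
        "differing": sorted(k for k in set(li) & set(ri) if li[k] != ri[k]),
    }

def draw_sample(records, size, seed):
    """Simple random sample; the fixed seed makes the selection reproducible."""
    return random.Random(seed).sample(records, size)

# Constructed files
TRANSACTIONS = [
    {"id": "T1", "account": "AR", "amount": Decimal("2500.00")},
    {"id": "T2", "account": "AR", "amount": Decimal("15000.00")},
    {"id": "T3", "account": "SUSPENSE", "amount": Decimal("300.00")},
    {"id": "T4", "account": "AR", "amount": Decimal("-12000.00")},
    {"id": "T5", "account": "AR", "amount": Decimal("980.00")},
]
INVOICE_LINES = [
    {"line": "INV-7-1", "qty": Decimal(10), "unit_price": Decimal("12.50"), "extended": Decimal("125.00")},
    {"line": "INV-7-2", "qty": Decimal(3), "unit_price": Decimal("40.00"), "extended": Decimal("140.00")},
]
AR_SUBLEDGER = [
    {"customer": 1001, "balance": Decimal("500.00")},
    {"customer": 1002, "balance": Decimal("1250.00")},
    {"customer": 1003, "balance": Decimal("80.00")},
]
CONFIRMATIONS = [       # replies received to accounts receivable confirmation requests
    {"customer": 1001, "balance": Decimal("500.00")},
    {"customer": 1002, "balance": Decimal("1200.00")},
]
```

The audit module keeps T2, T3 and T4 for the auditor's file without disturbing posting, which is the extra client-side computing cost the slide mentions. The file comparison then does the receivables confirmation work from the substantive testing slide: one customer never replied and one disputes the balance, and both go on the exception list.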
Using GAS to Access Complex File Structure
Figure 17-18