
James A. Hall

Controls and audit tests relevant to systems development
Risks and controls for program changes
Auditing techniques (CAATTs) used to verify application controls
Auditing techniques used to perform substantive tests in an IT environment

Authorizing development of new systems

To ensure their economic justification and feasibility.

Addressing and documenting user needs

Users need to be actively involved in the systems development process

Technical design phases

Translate user specifications into a set of detailed technical specifications for a system that meets the users' needs.

Participation of internal auditors

The internal audit department needs to be independent, objective, and technically qualified.

Testing program modules before implementing

Testing individual modules by a team of users, internal audit staff, and systems professionals.

User Test and Acceptance Procedures

The most important control over the systems development process. This is the last point at which the user can determine the system's acceptability prior to it going into service.

Auditing objectives: ensure that...

SDLC activities were applied consistently and in accordance with management's policies
the system as originally implemented was free from material errors and fraud
the system was judged to be necessary and justified at various checkpoints throughout the SDLC
system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

Audit Procedures:

New systems must be authorized.
Feasibility studies conducted.
User needs analyzed and addressed.
Cost-benefit analysis completed.
Proper documentation completed.
All program modules thoroughly tested before implementation.
Checklist of problems was kept.

Auditing objectives: detect any unauthorized program maintenance and determine that...

maintenance procedures protect applications from unauthorized changes
applications are free from material errors
program libraries (where programs are stored) are protected from unauthorized access

Program maintenance is the last, longest, and most costly phase of the SDLC: up to 80-90% of the entire cost of a system.

Audit Procedures:
All maintenance actions should require

Technical specifications
Testing
Documentation updates
Formal authorizations for changes

Auditing procedures: verify that programs were properly maintained, including changes. Specifically, verify:

identification and correction of unauthorized program changes
identification and correction of application errors
control of access to systems libraries

Application controls are associated with specific applications, such as payroll, purchases, and cash disbursements systems.

These fall into three broad categories:

input controls
processing controls
output controls

(Diagram: INPUT -> PROCESSING -> OUTPUT)

Input controls are programmed procedures (routines) that perform tests on transaction data to ensure that they are free from errors.

Goal of input controls: valid, accurate, and complete input data.

Check digits. Two common causes of input errors:

transcription errors: wrong character or value
transposition errors: right character or value, but in the wrong place

These problems may be controlled using a check digit: a digit computed from the other digits of a code and appended to it, so that a mis-keyed code fails when the digit is recomputed on input.
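The check-digit control worked through in code, as an added example that is not part of Hall's slides. It uses the mod-10 (Luhn) algorithm, one widely used check-digit scheme (the choice of scheme and the account numbers are assumptions for illustration), and shows which of the two keying errors above the digit catches:

```python
# Added example (not from Hall's text): a mod-10 (Luhn) check digit, one common
# check-digit scheme. The account numbers below are constructed for illustration.

def luhn_check_digit(body: str) -> str:
    """Return the mod-10 check digit for a string of decimal digits."""
    if not body.isdigit():
        raise ValueError("check digit body must be all digits")
    total = 0
    # Walk from the rightmost body digit; every other digit (starting with the
    # rightmost, which sits next to the check digit) is doubled, and doubled
    # values above 9 are reduced by 9 (the same as summing their two digits).
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def append_check_digit(body: str) -> str:
    """Produce the account number the system would assign (body + check digit)."""
    return body + luhn_check_digit(body)


def is_valid_account(account: str) -> bool:
    """Input-control edit: recompute the check digit from the body and compare."""
    if not account.isdigit() or len(account) < 2:
        return False
    return luhn_check_digit(account[:-1]) == account[-1]


def classify_keying_error(correct: str, entered: str) -> str:
    """Label a keying error as transcription (one wrong character) or
    transposition (two adjacent characters swapped), else 'none' or 'other'."""
    if correct == entered:
        return "none"
    if len(correct) != len(entered):
        return "other"
    diffs = [i for i, (a, b) in enumerate(zip(correct, entered)) if a != b]
    if len(diffs) == 1:
        return "transcription"
    if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
            and correct[diffs[0]] == entered[diffs[1]]
            and correct[diffs[1]] == entered[diffs[0]]):
        return "transposition"
    return "other"


def check_digit_catches(correct: str, entered: str) -> bool:
    """True when the check digit rejects the mis-keyed account number."""
    return is_valid_account(correct) and not is_valid_account(entered)


if __name__ == "__main__":
    account = append_check_digit("7992739871")      # constructed account body
    for keyed in ("79927398713", "79927398213", "79927397813"):
        print(keyed, classify_keying_error(account, keyed),
              "accepted" if is_valid_account(keyed) else "rejected")
```

A mod-10 digit detects every single-character transcription error and every adjacent transposition except swapping 09 and 90, which produce the same digit; an auditor testing this control should include that pair in the test data rather than assume the scheme is complete.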

Missing data checks control for blanks or incorrect justifications. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed.

Numeric-alphabetic checks identify when data in a particular field are in the wrong form. For example, a customer's account balance should not contain alphabetic data, and the presence of it will cause a data processing error.

Limit checks are used to identify field values that exceed an authorized limit.
Range checks: data have upper and lower limits to their acceptable values.
Reasonableness checks compare one field to another to see if the relationship is appropriate.

Validity checks compare actual field values against known acceptable values. This control is used to verify such things as transaction codes, state abbreviations, or employee job skill codes.
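The input edits listed above (missing data and justification, numeric-alphabetic, limit, range, reasonableness, and validity checks) applied to a constructed payroll timecard batch, as an added example that is not from Hall's slides. The field layout, the valid-code tables, the 80-hour limit, the pay-rate range and the skill-code rate bands are all assumptions chosen for illustration:

```python
# Added example (not from Hall's text): input-control edits run over a constructed
# payroll timecard batch. The field layout, valid-code tables and limits are
# assumptions chosen for illustration.
from decimal import Decimal, InvalidOperation

VALID_TRANS_CODES = {"REG", "OT", "ADJ"}           # validity check tables
VALID_STATES = {"TX", "OK", "NM", "LA"}
# Reasonableness check table: job skill code -> plausible hourly rate band
SKILL_RATE_BANDS = {"A1": (Decimal("15"), Decimal("25")),
                    "B2": (Decimal("25"), Decimal("45")),
                    "C3": (Decimal("45"), Decimal("90"))}
HOURS_LIMIT = Decimal("80")                         # limit check: max hours per period
RATE_RANGE = (Decimal("7.25"), Decimal("200"))      # range check on the pay rate
REQUIRED = ("emp_id", "trans_code", "hours", "rate", "state", "skill")


def _as_decimal(value: str):
    """Numeric-alphabetic check helper: None when the field is not numeric."""
    try:
        return Decimal(value.strip())
    except InvalidOperation:
        return None


def edit_record(rec: dict) -> list:
    """Apply the input edits to one record (every field arrives as a string, as
    from a flat file) and return the list of edit failures, empty if it passes."""
    errors = []
    # Missing data check: blank or absent fields
    for field in REQUIRED:
        if rec.get(field, "").strip() == "":
            errors.append(f"missing:{field}")
    if errors:
        return errors                     # later edits need every field present
    # Justification check: numeric fields in a fixed-width layout must be
    # right-justified, i.e. carry no trailing blanks
    for field in ("hours", "rate"):
        if rec[field] != rec[field].rstrip():
            errors.append(f"justification:{field}")
    # Numeric-alphabetic checks
    hours, rate = _as_decimal(rec["hours"]), _as_decimal(rec["rate"])
    if hours is None:
        errors.append("non-numeric:hours")
    if rate is None:
        errors.append("non-numeric:rate")
    if not rec["emp_id"].strip().isdigit():
        errors.append("non-numeric:emp_id")
    # Validity checks against known acceptable values
    if rec["trans_code"].strip() not in VALID_TRANS_CODES:
        errors.append("invalid:trans_code")
    if rec["state"].strip() not in VALID_STATES:
        errors.append("invalid:state")
    if rec["skill"].strip() not in SKILL_RATE_BANDS:
        errors.append("invalid:skill")
    # Limit, range and reasonableness checks only apply to numeric values
    if hours is not None and hours > HOURS_LIMIT:
        errors.append("limit:hours")
    if hours is not None and hours < 0:
        errors.append("range:hours")
    if rate is not None and not (RATE_RANGE[0] <= rate <= RATE_RANGE[1]):
        errors.append("range:rate")
    if rate is not None and rec["skill"].strip() in SKILL_RATE_BANDS:
        low, high = SKILL_RATE_BANDS[rec["skill"].strip()]
        if not (low <= rate <= high):
            errors.append("unreasonable:rate-for-skill")
    return errors


def edit_batch(records: list) -> tuple:
    """Split a batch into accepted records and (record, errors) rejects."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_record(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record and several that each trip an edit
SAMPLE_BATCH = [
    {"emp_id": "1042", "trans_code": "REG", "hours": "40.0", "rate": "22.50", "state": "TX", "skill": "A1"},
    {"emp_id": "1043", "trans_code": "REG", "hours": "4O.0", "rate": "22.50", "state": "TX", "skill": "A1"},
    {"emp_id": "1044", "trans_code": "OT",  "hours": "120",  "rate": "22.50", "state": "TX", "skill": "A1"},
    {"emp_id": "1045", "trans_code": "REG", "hours": "40",   "rate": "85.00", "state": "TX", "skill": "A1"},
    {"emp_id": "1046", "trans_code": "XYZ", "hours": "40",   "rate": "22.50", "state": "ZZ", "skill": "A1"},
    {"emp_id": "",     "trans_code": "REG", "hours": "40",   "rate": "22.50", "state": "TX", "skill": "A1"},
]

if __name__ == "__main__":
    accepted, rejected = edit_batch(SAMPLE_BATCH)
    print(len(accepted), "accepted,", len(rejected), "rejected")
    for rec, errs in rejected:
        print(rec["emp_id"] or "<blank>", errs)
```

The second record shows why the numeric-alphabetic check matters: "4O.0" has a letter O where a zero belongs, which a human reader passes over but which would abort or corrupt an arithmetic step. The fourth record passes the range check (85.00 is a lawful rate) and fails only the reasonableness check, which is the point of comparing two fields rather than testing each on its own.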

Processing controls are programmed procedures within the processes that transform input data into information for output.

Three categories:

Batch controls
Run-to-run controls
Audit trail controls

Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile system output with the input originally entered into the system.

Based on different types of batch totals:

total number of records
total dollar value
hash totals (sum of non-financial numbers, such as account numbers)

Run-to-run control is the use of batch figures to monitor the batch as it moves from one programmed procedure (run) to another. This ensures that each run in the system processes the batch correctly and completely.

Audit trail controls ensure that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements.

Goal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. Exposures of this sort can cause serious disruptions to operations and may result in financial losses to a firm.

Output spooling creates a file during the printing process that may be inappropriately accessed. Management and auditors need to be aware of these potential exposures and ensure that proper access and backup procedures are in place to protect output files.

Printing creates two risks:

production of unauthorized copies of output
employee browsing of sensitive data

An alternative privacy control is to direct the output to a special remote printer that can be closely supervised.

Waste can be stolen if not properly disposed of. To control against this threat, all sensitive computer output should be passed through a paper shredder.

Report distribution. The primary risks associated with the distribution of sensitive reports include their being lost, stolen, or misdirected in transit to the user. The following controls are available:

use of secure mailboxes
require the user to sign for reports
deliver reports to the user

End user controls. Errors the user detects should be reported to the appropriate computer management. Reports should be shredded after use.

Controlling digital output. A digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links.

Audit procedures fall into two classes:

1) testing application controls, using one of two general approaches:
black box (auditing around the computer)
white box (auditing through the computer)

2) examining transaction details and account balances (substantive testing)

Black Box Approach

Auditors:
1) analyze flowcharts and interview knowledgeable personnel in the client's organization to understand the functional characteristics of the application.
2) test the application by reconciling production input transactions processed by the application with output results.
The output results are analyzed to verify the application's compliance with its functional requirements.

White Box Approach relies on an in-depth understanding of the internal logic of the application being tested.

Common tests:
Authenticity tests
Accuracy tests
Completeness tests
Redundancy tests
Access tests
Audit trail tests
Rounding error tests

Test data method: testing for logic or control problems. Any deviations between the actual results and those the auditor expects may indicate a logic or control problem. Good for new systems or systems which have undergone recent maintenance.

Base case system evaluation (BCSE): BCSE tests are conducted with a set of test transactions containing all possible transaction types.

Tracing performs an electronic walkthrough of the application's internal logic.

Integrated test facility (ITF): an automated, ongoing technique that enables the auditor to test an application's logic and controls during its normal operation.
First, ITF supports ongoing monitoring of controls as COSO recommends.
Second, ITF-enhanced applications can be economically tested without disrupting the users' operations and without the intervention of computer services personnel.

Parallel simulation: the auditor writes simulation programs and runs the client's actual transactions through them, comparing the simulated results with the output of the client's application.
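The test data method and parallel simulation side by side, as an added example that is not from Hall's slides. The payroll application being audited is a stand-in written here, with a constructed logic defect (overtime paid at straight time); the pay rules it is supposed to follow (overtime at 1.5x above 40 hours, a flat 20% withholding), the test transactions with their hand-computed expected results, and the "production" transactions are all assumptions for illustration:

```python
# Added example (not from Hall's text): the test-data method and parallel
# simulation against a constructed payroll application. Pay rules, the client's
# stand-in program and its defect, and all transactions are assumptions.
from decimal import Decimal, ROUND_HALF_UP

OT_THRESHOLD = Decimal("40")      # documented pay rules the auditor simulates from
OT_MULTIPLIER = Decimal("1.5")
WITHHOLDING = Decimal("0.20")
CENT = Decimal("0.01")


def auditor_simulation(txn: dict) -> dict:
    """Auditor's independent program: recompute gross and net from the rules."""
    hours, rate = Decimal(txn["hours"]), Decimal(txn["rate"])
    regular = min(hours, OT_THRESHOLD)
    overtime = max(hours - OT_THRESHOLD, Decimal("0"))
    gross = (regular * rate + overtime * rate * OT_MULTIPLIER).quantize(CENT, ROUND_HALF_UP)
    net = (gross * (1 - WITHHOLDING)).quantize(CENT, ROUND_HALF_UP)
    return {"emp_id": txn["emp_id"], "gross": gross, "net": net}


def client_application(txn: dict) -> dict:
    """Stand-in for the client's production payroll program. It carries a
    constructed logic defect: overtime hours are paid at straight time."""
    hours, rate = Decimal(txn["hours"]), Decimal(txn["rate"])
    gross = (hours * rate).quantize(CENT, ROUND_HALF_UP)
    net = (gross * (1 - WITHHOLDING)).quantize(CENT, ROUND_HALF_UP)
    return {"emp_id": txn["emp_id"], "gross": gross, "net": net}


def compare_results(expected: list, actual: list) -> list:
    """Report each field where the application's output deviates from what the
    auditor expects, as (emp_id, field, expected, actual)."""
    deviations = []
    for exp, act in zip(expected, actual):
        for field in ("gross", "net"):
            if exp[field] != act[field]:
                deviations.append((exp["emp_id"], field, exp[field], act[field]))
    return deviations


# Test-data method: auditor-prepared transactions with hand-computed expected
# results, one per transaction type (below, at, and above the overtime threshold).
TEST_DATA = [
    ({"emp_id": "T1", "hours": "35", "rate": "20.00"}, {"gross": "700.00", "net": "560.00"}),
    ({"emp_id": "T2", "hours": "40", "rate": "20.00"}, {"gross": "800.00", "net": "640.00"}),
    ({"emp_id": "T3", "hours": "45", "rate": "20.00"}, {"gross": "950.00", "net": "760.00"}),
]


def run_test_data(application=client_application) -> list:
    """Push the test transactions through the application; return deviations."""
    expected = [{"emp_id": t["emp_id"], "gross": Decimal(e["gross"]), "net": Decimal(e["net"])}
                for t, e in TEST_DATA]
    actual = [application(t) for t, _ in TEST_DATA]
    return compare_results(expected, actual)


# Parallel simulation: the client's actual transactions (constructed here) run
# through both the client's program and the auditor's simulation.
PRODUCTION_TXNS = [
    {"emp_id": "1042", "hours": "40", "rate": "22.50"},
    {"emp_id": "1043", "hours": "38.5", "rate": "31.00"},
    {"emp_id": "1044", "hours": "52", "rate": "22.50"},
]


def run_parallel_simulation(txns=PRODUCTION_TXNS, application=client_application) -> list:
    return compare_results([auditor_simulation(t) for t in txns],
                           [application(t) for t in txns])


if __name__ == "__main__":
    print("test data deviations:", run_test_data())
    print("parallel simulation deviations:", run_parallel_simulation())
```

The two techniques find the same defect in different ways. The test data method only exposes it because the auditor deliberately prepared a transaction above the overtime threshold (T3), which is why BCSE insists on covering every transaction type; the parallel simulation exposes it on whichever production transactions happen to carry overtime (employee 1044), with no need to craft inputs but no guarantee that a transaction type absent from the period is exercised.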

Substantive tests are so named because they are used to substantiate dollar amounts in account balances.

For example:
search for unrecorded liabilities
confirm accounts receivable to ensure they are not overstated

Substantive tests include but are not limited to the following:

1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.

Two technologies commonly used to select, access, and organize data are:

embedded audit module
generalized audit software

Embedded audit module (EAM) techniques use one or more programmed modules embedded in a host application to select, for subsequent analysis, transactions that meet predetermined conditions. This significantly reduces the amount of work the auditor must do to identify significant transactions for substantive testing.

Generalized audit software (GAS) is very popular and widely used. GAS allows auditors to access electronically coded data files and perform various operations on their contents:

statistical sampling methods
screen data
foot and balance
format reports
compare files and fields
recalculate data fields
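Both data-selection technologies above, the embedded audit module and the GAS operations, worked through in one added example that is not from Hall's slides. The EAM is hooked into a constructed cash disbursements routine; the GAS-style operations (screen, foot and balance, compare files, statistical sampling) run over a constructed AR subledger. Field names, the EAM's conditions, the control balance and all data are assumptions for illustration:

```python
# Added example (not from Hall's text): an embedded audit module (EAM) inside a
# constructed cash disbursements routine, plus GAS-style operations (screen, foot
# and balance, compare files, statistical sample) over constructed AR files.
# Field names, thresholds and all data are assumptions for illustration.
import random
from decimal import Decimal


class EmbeddedAuditModule:
    """Lives inside the host application and copies each transaction that meets
    one of the auditor's predetermined conditions into an audit file."""

    def __init__(self, conditions):
        self.conditions = conditions        # name -> predicate(txn) -> bool
        self.audit_file = []                # (condition name, transaction copy)

    def inspect(self, txn):
        for name, predicate in self.conditions.items():
            if predicate(txn):
                self.audit_file.append((name, dict(txn)))


def host_disbursements_run(vouchers, eam):
    """Constructed host application: pays every voucher and lets the EAM see
    each transaction as it is processed. Returns total cash disbursed."""
    total = Decimal("0")
    for txn in vouchers:
        eam.inspect(txn)
        total += txn["amount"]
    return total


DISBURSEMENTS = [                            # constructed voucher file
    {"voucher": "V100", "vendor": 7001, "amount": Decimal("4200.00"), "approved_by": "jdoe"},
    {"voucher": "V101", "vendor": 7002, "amount": Decimal("12500.00"), "approved_by": "jdoe"},
    {"voucher": "V102", "vendor": 7001, "amount": Decimal("4200.00"), "approved_by": ""},
]
EAM_CONDITIONS = {                           # auditor's predetermined conditions
    "over-10k": lambda t: t["amount"] >= Decimal("10000"),
    "no-approver": lambda t: t["approved_by"] == "",
}


def run_host_with_eam():
    eam = EmbeddedAuditModule(EAM_CONDITIONS)
    total = host_disbursements_run(DISBURSEMENTS, eam)
    return total, [(name, t["voucher"]) for name, t in eam.audit_file]


# --- GAS-style operations; a "file" is a list of dict rows ---
def screen(rows, predicate):
    """Keep only the rows that satisfy the auditor's condition."""
    return [r for r in rows if predicate(r)]


def foot(rows, field):
    """Foot a column: total the field down the file."""
    return sum((r[field] for r in rows), Decimal("0"))


def balance(rows, field, control_total):
    """Balance the footed file against its control account; zero means it agrees."""
    return foot(rows, field) - control_total


def compare_files(file_a, file_b, key, fields):
    """Match two files on a key; report field differences and unmatched keys."""
    b_by_key = {r[key]: r for r in file_b}
    diffs = []
    for r in file_a:
        other = b_by_key.pop(r[key], None)
        if other is None:
            diffs.append((r[key], "missing-in-b", None, None))
            continue
        diffs += [(r[key], f, r[f], other[f]) for f in fields if r[f] != other[f]]
    diffs += [(k, "missing-in-a", None, None) for k in b_by_key]
    return diffs


def systematic_sample(rows, size, seed):
    """Systematic interval sample with a seeded random start, so the selection
    can be reproduced from the working papers."""
    if size <= 0 or not rows:
        return []
    interval = max(len(rows) // size, 1)
    start = random.Random(seed).randrange(interval)
    return rows[start::interval][:size]


AR_SUBLEDGER = [                             # constructed current AR file
    {"customer": 1002, "balance": Decimal("1250.00"), "days_past_due": 0},
    {"customer": 1017, "balance": Decimal("480.25"), "days_past_due": 45},
    {"customer": 1031, "balance": Decimal("9990.00"), "days_past_due": 120},
    {"customer": 1044, "balance": Decimal("65.00"), "days_past_due": 10},
]
AR_CONTROL_ACCOUNT = Decimal("11785.25")     # general ledger control balance
AR_PRIOR_RUN = [                             # constructed earlier extract of the same file
    {"customer": 1002, "balance": Decimal("1250.00"), "days_past_due": 0},
    {"customer": 1017, "balance": Decimal("480.25"), "days_past_due": 45},
    {"customer": 1031, "balance": Decimal("9900.00"), "days_past_due": 120},
    {"customer": 1050, "balance": Decimal("10.00"), "days_past_due": 0},
]

if __name__ == "__main__":
    print("EAM audit file:", run_host_with_eam())
    print("AR out of balance by:", balance(AR_SUBLEDGER, "balance", AR_CONTROL_ACCOUNT))
    print("file differences:", compare_files(AR_SUBLEDGER, AR_PRIOR_RUN, "customer", ("balance",)))
    print("sample:", systematic_sample(AR_SUBLEDGER, 2, seed=7))
```

The EAM captures transactions while the host runs, so the auditor reviews two vouchers instead of the whole file; its drawback, which the GAS functions avoid, is that the module is part of production code and must itself be protected from the program changes discussed earlier. The seeded sample start is there so that a reviewer can regenerate exactly the items that were tested.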

ACL software (ACCT4304, ACCT5324)
IDEA software (ACCT5324)
