Chapter 7: Computer-Assisted Audit Techniques [CAATs]

IT Auditing & Assurance, 2e, Hall & Singleton

CLASSES OF INPUT CONTROLS
  • Source document controls
  • Data coding controls
  • Batch controls
  • Validation controls
  • Input error correction
  • Generalized data input systems

SOURCE DOCUMENT CONTROLS
  • Controls in systems using physical source documents
  • Source document fraud
  • To control for exposure, control procedures are needed over source documents to account for each one
    • Use pre-numbered source documents
    • Use source documents in sequence
    • Periodically audit source documents

DATA CODING CONTROLS
  • Checks on data integrity during processing
    • Transcription errors
      • Addition errors, extra digits
      • Truncation errors, digit removed
      • Substitution errors, digit replaced
    • Transposition errors
      • Single transposition: adjacent digits transposed (reversed)
      • Multiple transposition: non-adjacent digits are transposed
  • Control = Check digits
    • Added to code when created (suffix, prefix, embedded)
      • Sum of digits (ones): transcription errors only
      • Modulus 11: different weights per column: transposition and transcription errors
    • Introduces storage and processing inefficiencies
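
Added example, not from the slides or the textbook: both check-digit schemes applied to the error types listed above, showing which keying errors each one catches. The code body "5372", the descending column weights, the "X" stand-in for a check value of 10 and the keyed errors are constructed assumptions.

```python
def sum_check_digit(body: str) -> str:
    """Sum-of-digits scheme: keep only the ones digit of the digit sum."""
    return str(sum(int(d) for d in body) % 10)

def mod11_check_digit(body: str) -> str:
    """Modulus 11: weight columns n+1..2 from the left, check = 11 - (sum mod 11)."""
    weights = range(len(body) + 1, 1, -1)        # assumed weights, e.g. 5,4,3,2
    total = sum(int(d) * w for d, w in zip(body, weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)    # 10 is not a digit; "X" is one convention

def is_valid(coded: str, scheme) -> bool:
    """Recompute the check digit (stored as a suffix) and compare."""
    body, check = coded[:-1], coded[-1]
    return body.isdigit() and scheme(body) == check

# Constructed keying errors applied to the code body "5372".
ERRORS = {
    "addition (extra digit)": "53172",
    "truncation (digit removed)": "572",
    "substitution (3 -> 8)": "5872",
    "single transposition": "3572",
    "multiple transposition": "7352",
}

def detection_table(body: str = "5372") -> dict:
    """Map each error type to (caught by sum-of-digits, caught by modulus 11)."""
    table = {}
    for name, bad_body in ERRORS.items():
        caught = []
        for scheme in (sum_check_digit, mod11_check_digit):
            keyed = bad_body + scheme(body)      # wrong body keyed with the original check digit
            caught.append(not is_valid(keyed, scheme))
        table[name] = tuple(caught)
    return table

if __name__ == "__main__":
    for name, (by_sum, by_mod11) in detection_table().items():
        print(f"{name:28} sum-of-digits={by_sum!s:5} modulus-11={by_mod11}")
```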

BATCH CONTROLS
  • Method for handling high volumes of transaction data – esp. paper-fed IS
  • Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
    • All records in the batch are processed together
    • No records are processed more than once
    • An audit trail is maintained from input to output
  • Requires grouping of similar input transactions

VALIDATION CONTROLS
  • Intended to detect errors in data before processing
  • Most effective if performed close to the source of the transaction
  • Some require referencing a master file

VALIDATION CONTROLS
  • Field Interrogation
    • Missing data checks
    • Numeric-alphabetic data checks
    • Zero-value checks
    • Limit checks
    • Range checks
    • Validity checks
    • Check digit
  • Record Interrogation
    • Reasonableness checks
    • Sign checks
    • Sequence checks
  • File Interrogation
    • Internal label checks (tape)
    • Version checks
    • Expiration date check

INPUT ERROR CORRECTION
  • Batch – correct and resubmit
  • Controls to make sure errors are dealt with completely and accurately
  • Immediate Correction
  • Create an Error File
    • Reverse the effects of partially processed transactions, resubmit corrected records
    • Reinsert corrected records in processing stage where error was detected
  • Reject the Entire Batch

GENERALIZED DATA INPUT SYSTEMS (GDIS)
  • Centralized procedures to manage data input for all transaction processing systems
  • Eliminates need to create redundant routines for each new application
  • Advantages:
    • Improves control by having one common system perform all data validation
    • Ensures each AIS application applies a consistent standard of data validation
    • Improves systems development efficiency

CLASSES OF PROCESSING CONTROLS
  • Run-to-Run Controls
  • Operator Intervention Controls
  • Audit Trail Controls

RUN-TO-RUN (BATCH)
  • Use batch figures to monitor the batch as it moves from one process to another
    • Recalculate Control Totals
    • Check Transaction Codes
    • Sequence Checks
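
Added example, not from the slides or the textbook: the three run-to-run checks applied to a batch as it enters a processing run. The field names, the hash total over account numbers and both sample batches are constructed assumptions; in the tampered batch the record count still matches, so only the other checks expose the duplicate and the missing record.

```python
from decimal import Decimal

def run_to_run_check(control: dict, records: list) -> list:
    """Return (check, detail) findings for one batch entering a processing run."""
    findings = []
    # 1. Recalculate control totals and compare with the batch control record.
    recalculated = {
        "record_count": len(records),
        "amount_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["account"] for r in records),   # assumed non-financial total
    }
    for name, value in recalculated.items():
        if value != control[name]:
            findings.append((name, f"expected {control[name]}, recalculated {value}"))
    # 2. Check transaction codes: every record must carry the batch's code.
    for r in records:
        if r["code"] != control["tx_code"]:
            findings.append(("tx_code", f"seq {r['seq']} has code {r['code']}"))
    # 3. Sequence check: numbers must ascend by one, so no duplicates and no gaps.
    expected = control["first_seq"]
    for r in records:
        if r["seq"] != expected:
            findings.append(("sequence", f"expected seq {expected}, found {r['seq']}"))
        expected = r["seq"] + 1
    return findings

def rec(seq, account, amount, code="SALE"):
    return {"seq": seq, "code": code, "account": account, "amount": Decimal(amount)}

# Constructed batch control record, prepared when the batch was first assembled.
CONTROL = {"record_count": 4, "amount_total": Decimal("1530.75"),
           "hash_total": 40466, "tx_code": "SALE", "first_seq": 101}
# Constructed batches: one intact, one with a record processed twice,
# one record missing and one wrong transaction code.
CLEAN = [rec(101, 10012, "250.00"), rec(102, 10047, "480.25"),
         rec(103, 10193, "300.50"), rec(104, 10214, "500.00")]
TAMPERED = [CLEAN[0], CLEAN[1], CLEAN[1], rec(104, 10214, "500.00", code="RFND")]

if __name__ == "__main__":
    for check, detail in run_to_run_check(CONTROL, TAMPERED):
        print(f"{check:13} {detail}")
```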

OPERATOR INTERVENTION
  • When operator manually enters controls into the system
  • Preference is for control values to be derived by logic or provided by the system

AUDIT TRAIL CONTROLS
  • Every transaction becomes traceable from input to output
  • Each processing step is documented
  • Preservation is key to auditability of AIS
    • Transaction logs
    • Log of automatic transactions
    • Listing of automatic transactions
    • Unique transaction identifiers [s/n]
    • Error listing

OUTPUT CONTROLS
  • Ensure system output:
    • Not misplaced
    • Not misdirected
    • Not corrupted
    • Privacy policy not violated
  • Batch systems more susceptible to exposure, require greater controls
    • Controlling Batch Systems Output
      • Many steps from printer to end user
      • Data control clerk check point
      • Unacceptable printing should be shredded
      • Cost/benefit basis for controls
      • Sensitivity of data drives levels of controls

OUTPUT CONTROLS
  • Output spooling – risks:
    • Access the output file and change critical data values
    • Access the file and change the number of copies to be printed
    • Make a copy of the output file so illegal output can be generated
    • Destroy the output file before printing takes place

OUTPUT CONTROLS
  • Bursting
    • Supervision
  • Waste
    • Proper disposal of aborted copies and carbon copies
  • Data control
    • Data control group – verify and log
  • Report distribution
    • Supervision

OUTPUT CONTROLS
  • End user controls
    • End user detection
  • Report retention:
    • Statutory requirements (gov’t)
    • Number of copies in existence
    • Existence of softcopies (backups)
    • Destroyed in a manner consistent with the sensitivity of its contents

TESTING COMPUTER APPLICATION CONTROLS
  • Around the computer
    • Rarely appropriate
  • Through the computer
    • Supported by continuous audit techniques

TESTING COMPUTER APPLICATION AROUND THE COMPUTER
  • Ignore internal logic of application
  • Use functional characteristics
    • Flowcharts
    • Interview key personnel
  • Advantages:
    • Do not have to remove application from operations to test it
  • Appropriately applied:
    • Simple applications
    • Relatively low level of risk

TESTING COMPUTER APPLICATION CONTROLS THROUGH THE COMPUTER
  • Relies on in-depth understanding of the internal logic of the application
  • Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
  • Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results

COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)
  • Test data method
  • Base case system evaluation
  • Tracing
  • Integrated Test Facility [ITF]
  • Parallel simulation
  • GAS

TEST DATA
  • Used to establish the application processing integrity
  • Uses a “test deck”
    • Valid data
    • Purposefully selected invalid data
    • Every possible:
      • Input error
      • Logical processes
      • Irregularity
  • Procedures:
    • Predetermined results and expectations
    • Run test deck
    • Compare

TRACING
  • Test data technique that takes a step-by-step walk through the application
    • The trace option must be enabled for the application
    • Specific data or types of transactions are created as test data
    • Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
  • Excellent means of debugging a faulty program

TEST DATA: ADVANTAGES AND DISADVANTAGES
  • Advantages of test data
    • They employ white box approach, thus providing explicit evidence
    • Can be employed with minimal disruption to operations
    • They require minimal computer expertise on the part of the auditors
  • Disadvantages of test data
    • Auditors must rely on IS personnel to obtain a copy of the application for testing
    • Audit evidence is not entirely independent
    • Provides static picture of application integrity
    • Relatively high cost to implement, auditing inefficiency

Continuous Auditing
  • Embedded Audit Module
  • Real and test transactions
  • Tagged transactions
  • Audit hooks

INTEGRATED TEST FACILITY
  • ITF is an automated technique that allows auditors to test logic and controls during normal operations
  • Set up a dummy entity within the application system
    • System able to discriminate between ITF audit module transactions and routine transactions
    • Auditor analyzes ITF results against expected results

PARALLEL SIMULATION
  • Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested
    • Auditor gains a thorough understanding of the application under review
    • Auditor identifies those processes and controls critical to the application
    • Auditor creates the simulation using program or Generalized Audit Software (GAS)
    • Auditor runs the simulated program using selected data and files
    • Auditor evaluates results and reconciles differences
    • Out of date approach

Sedona ESI Framework
  • Sedona Conference - White papers on keyword searches and electronically stored information (ESI)
  • Keyword list can cut costs substantially
  • Most searches turn up small percent of relevant documents and miss many critical documents
  • Risks for both under and over inclusive terms
  • Sedona framework provides higher quality and lower costs
Keyword Search and E-Discovery
  • E-discovery and document review expensive
  • Cost associated with heavy reliance on human review
  • Search solutions were not built with e-discovery in mind
  • Majority of companies do not have an effective retention or archiving plan for electronic documents
ESI Retention Policy
  • Must comply with SOX and be scrutinized by legal
  • Categorize documents by type and retention period
  • Use different archival methods
  • Software can provide for efficient retrieval
  • Train employees on the policy
E-Mail Retention Policy
  • Federal Rules of Civil Procedure, industry regulations and internal policies all influence which emails should be archived.
  • Safe harbor in eDiscovery rests in an organization adhering to its policies and procedures that guide the destruction of its email data.
  • Not all e-mails are the same: Set archive categories by nature of email.
  • Adopt a policy and do not vary from it.
Redacted E-mail and Privacy
  • Deleted information may be recoverable from electronic documents
  • Policy should be specific as to what information must be deleted before issuing to a third party
  • Covered by federal laws and regs
  • Software available to filter and delete
Cost of Poor Retention Policy

The judge could …

  • instruct the jury to infer that the record(s) destroyed contained information unfavorable to your company.
  • order your company to pay cost of restoring any archival media on which a lost record is stored plus reasonable litigation expenses incurred by your opponent in filing a motion for discovery and production of the record.
Beware the Unmanaged IM and Email

  • Recipients may retain IM
  • IM immune to firewalls
  • IM may be offensive to employees
  • Track IM usage
  • Enable content filtering and blocking
  • Log and audit conversations
  • Do not allow encrypted IM
