Chapter 7: Computer-Assisted Audit Techniques [CAATs]

IT Auditing & Assurance, 2e, Hall & Singleton

INTRODUCTION TO INPUT CONTROLS
  • Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete
  • Data input procedures can be either:
    • Source document-triggered (batch)
    • Direct input (real-time)
  • Source document input requires human involvement and is prone to clerical errors.
  • Direct input employs real-time editing techniques to identify and correct errors immediately

CLASSES OF INPUT CONTROLS
  • Source document controls
  • Data coding controls
  • Batch controls
  • Validation controls
  • Input error correction
  • Generalized data input systems

#1-SOURCE DOCUMENT CONTROLS
  • Controls in systems using physical source documents
  • Source document fraud
  • To control for exposure, control procedures are needed over source documents to account for each one
    • Use pre-numbered source documents
    • Use source documents in sequence
    • Periodically audit source documents

#2-DATA CODING CONTROLS
  • Checks on data integrity during processing
    • Transcription errors
      • Addition errors, extra digits
      • Truncation errors, digit removed
      • Substitution errors, digit replaced
    • Transposition errors
      • Single transposition: adjacent digits transposed (reversed)
      • Multiple transposition: non-adjacent digits are transposed
  • Control = Check digits
    • Added to code when created (suffix, prefix, embedded)
      • Sum of digits (ones): transcription errors only
      • Modulus 11: different weights per column: transposition and transcription errors
    • Introduces storage and processing inefficiencies
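
The difference between the two check digit schemes, shown as an added example that is not from the slides or the textbook. The codes are constructed, and the modulus 11 weighting (weights len+1 down to 2, check digit 11 minus the remainder) is one common variant, assumed here.

```python
# Added example: check digits as a data coding control. Codes are constructed.

def sum_check_digit(body: str) -> int:
    """Sum-of-digits scheme: ones digit of the plain digit sum."""
    return sum(int(d) for d in body) % 10


def mod11_check_digit(body: str) -> int:
    """Modulus 11 scheme with a different weight per column.

    Assumed variant: weights run len+1 .. 2 from left to right and the
    check digit is (11 - weighted_sum % 11) % 11. A result of 10 cannot be
    written as one digit, so such a code is refused rather than issued.
    """
    n = len(body)
    weighted = sum(int(d) * (n + 1 - i) for i, d in enumerate(body))
    check = (11 - weighted % 11) % 11
    if check == 10:
        raise ValueError(f"{body}: check value is 10, do not issue this code")
    return check


SCHEMES = {"sum": sum_check_digit, "mod11": mod11_check_digit}


def is_valid(coded: str, scheme) -> bool:
    """Validate a code whose last character is the check digit (suffix)."""
    if len(coded) < 2 or not coded.isdigit():
        return False
    try:
        return scheme(coded[:-1]) == int(coded[-1])
    except ValueError:
        return False


def detection(body: str, keyed_body: str) -> dict:
    """Which schemes reject keyed_body when it carries body's check digit?"""
    return {name: not is_valid(keyed_body + str(fn(body)), fn)
            for name, fn in SCHEMES.items()}


if __name__ == "__main__":
    for label, keyed in [("substitution", "5872"),
                         ("single transposition", "3572"),
                         ("multiple transposition", "7352")]:
        print(f"{label:24} {detection('5372', keyed)}")
```

Both schemes reject the substituted digit, but only modulus 11 rejects the two transpositions, because swapping digits leaves a plain digit sum unchanged.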

#3-BATCH CONTROLS
  • Method for handling high volumes of transaction data – esp. paper-fed IS
  • Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
    • All records in the batch are processed together
    • No records are processed more than once
    • An audit trail is maintained from input to output
  • Requires grouping of similar input transactions

#3-BATCH CONTROLS
  • Requires controlling batch throughout
    • Batch transmittal sheet (batch control record) – Figure 7-1, p. 302
      • Unique batch number (serial #)
      • A batch date
      • A transaction code
      • Number of records in the batch
      • Total dollar value of financial field
      • Sum of unique non-financial field
        • Hash total
        • E.g., customer number
    • Batch control log – Figure 7-3, p. 303
    • Hash totals

#4-VALIDATION CONTROLS
  • Intended to detect errors in data before processing
  • Most effective if performed close to the source of the transaction
  • Some require referencing a master file

#4-VALIDATION CONTROLS
  • Field Interrogation
    • Missing data checks
    • Numeric-alphabetic data checks
    • Zero-value checks
    • Limit checks
    • Range checks
    • Validity checks
    • Check digit
  • Record Interrogation
    • Reasonableness checks
    • Sign checks
    • Sequence checks
  • File Interrogation
    • Internal label checks (tape)
    • Version checks
    • Expiration date check

#5-INPUT ERROR CORRECTION
  • Batch – correct and resubmit
  • Controls to make sure errors are dealt with completely and accurately
  • Immediate Correction
  • Create an Error File
    • Reverse the effects of partially processed transactions; resubmit corrected records
    • Reinsert corrected records in processing stage where error was detected
  • Reject the Entire Batch

#6-GENERALIZED DATA INPUT SYSTEMS (GDIS)
  • Centralized procedures to manage data input for all transaction processing systems
  • Eliminates need to create redundant routines for each new application
  • Advantages:
    • Improves control by having one common system perform all data validation
    • Ensures each AIS application applies a consistent standard of data validation
    • Improves systems development efficiency

#6-GDIS
  • Major components:
    • Generalized Validation Module
    • Validated Data File
    • Error File
    • Error Reports
    • Transaction Log

CLASSES OF PROCESSING CONTROLS
  • Run-to-Run Controls
  • Operator Intervention Controls
  • Audit Trail Controls

#1-RUN-TO-RUN (BATCH)
  • Use batch figures to monitor the batch as it moves from one process to another
    • Recalculate Control Totals
    • Check Transaction Codes
    • Sequence Checks
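
A run-to-run reconciliation against the batch control record (the transmittal sheet fields listed under batch controls), as an added example that is not from the slides or the textbook. The field names, batch values and records are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch control record (transmittal sheet) for one batch.
CONTROL = {"batch_no": "B-0412", "txn_code": "SALE", "record_count": 4,
           "dollar_total": Decimal("1815.50"), "hash_total": 40140}

# Constructed transaction records belonging to that batch.
RECORDS = [
    {"seq": 1, "txn_code": "SALE", "customer_no": 10021, "amount": Decimal("250.00")},
    {"seq": 2, "txn_code": "SALE", "customer_no": 10033, "amount": Decimal("1200.00")},
    {"seq": 3, "txn_code": "SALE", "customer_no": 10047, "amount": Decimal("65.50")},
    {"seq": 4, "txn_code": "SALE", "customer_no": 10039, "amount": Decimal("300.00")},
]


def reconcile(control: dict, records: list) -> list:
    """Recalculate the control figures after a run; return failed checks."""
    issues = []
    # Recalculate control totals.
    if len(records) != control["record_count"]:
        issues.append("record_count")
    if sum(r["amount"] for r in records) != control["dollar_total"]:
        issues.append("dollar_total")
    # Hash total: sum of a non-financial field (customer number here).
    if sum(r["customer_no"] for r in records) != control["hash_total"]:
        issues.append("hash_total")
    # Check transaction codes: every record must match the batch's code.
    if any(r["txn_code"] != control["txn_code"] for r in records):
        issues.append("txn_code")
    # Sequence check: strictly ascending, so no duplicates or reordering.
    seqs = [r["seq"] for r in records]
    if seqs != sorted(set(seqs)):
        issues.append("sequence")
    return issues


if __name__ == "__main__":
    print("clean batch:", reconcile(CONTROL, RECORDS))
    swapped = [dict(r) for r in RECORDS]
    swapped[1]["customer_no"] = 10303   # same amount, different customer
    print("customer changed:", reconcile(CONTROL, swapped))
    print("record processed twice:", reconcile(CONTROL, RECORDS + [RECORDS[2]]))
```

The changed customer number leaves the record count and dollar total intact, so the hash total is the only figure that exposes it.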

#2-OPERATOR INTERVENTION
  • When operator manually enters controls into the system
  • Preference is for controls to be derived by logic or provided by the system

#3-AUDIT TRAIL CONTROLS
  • Every transaction becomes traceable from input to output
  • Each processing step is documented
  • Preservation is key to auditability of AIS
    • Transaction logs
    • Log of automatic transactions
    • Listing of automatic transactions
    • Unique transaction identifiers [s/n]
    • Error listing

OUTPUT CONTROLS
  • Ensure system output:
    • Not misplaced
    • Not misdirected
    • Not corrupted
    • Privacy policy not violated
  • Batch systems more susceptible to exposure, require greater controls
    • Controlling Batch Systems Output
      • Many steps from printer to end user
      • Data control clerk check point
      • Unacceptable printing should be shredded
      • Cost/benefit basis for controls
      • Sensitivity of data drives levels of controls

OUTPUT CONTROLS
  • Output spooling – risks:
    • Access the output file and change critical data values
    • Access the file and change the number of copies to be printed
    • Make a copy of the output file so illegal output can be generated
    • Destroy the output file before printing takes place

OUTPUT CONTROLS
  • Print Programs
  • Operator Intervention:
    • Pausing the print program to load output paper
    • Entering parameters needed by the print run
    • Restarting the print run at a prescribed checkpoint after a printer malfunction
    • Removing printer output from the printer for review and distribution
  • Print Program Controls
    • Production of unauthorized copies
      • Employ output document controls similar to source document controls
    • Unauthorized browsing of sensitive data by employees
      • Special multi-part paper that blocks certain fields

OUTPUT CONTROLS
  • Bursting
    • Supervision
  • Waste
    • Proper disposal of aborted copies and carbon copies
  • Data control
    • Data control group – verify and log
  • Report distribution
    • Supervision

OUTPUT CONTROLS
  • End user controls
    • End user detection
  • Report retention:
    • Statutory requirements (gov’t)
    • Number of copies in existence
    • Existence of softcopies (backups)
    • Destroyed in a manner consistent with the sensitivity of its contents

OUTPUT CONTROLS
  • Controlling real-time systems output
    • Eliminates intermediaries
    • Threats:
      • Interception
      • Disruption
      • Destruction
      • Corruption
    • Exposures:
      • Equipment failure
      • Subversive acts
    • Systems performance controls (Ch. 2)
    • Chain of custody controls (Ch. 5)

TESTING COMPUTER APPLICATION CONTROLS
  • Black box (around)
  • White box (through)

TESTING COMPUTER APPLICATION CONTROLS-BLACK BOX (AROUND)
  • Ignore internal logic of application
  • Use functional characteristics
    • Flowcharts
    • Interview key personnel
  • Advantages:
    • Do not have to remove application from operations to test it
  • Appropriately applied:
    • Simple applications
    • Relatively low level of risk

TESTING COMPUTER APPLICATION CONTROLS-WHITE BOX (THROUGH)
  • Relies on in-depth understanding of the internal logic of the application
  • Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
  • Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results

AROUND THE COMPUTER TEST METHODS
  • Authenticity tests:
    • Individuals / users
    • Programmed procedure
    • Messages to access system (e.g., logons)
  • Accuracy tests:
    • System only processes data values that conform to specified tolerances
  • Completeness tests:
    • Identify missing data (field, records, files)

AROUND THE COMPUTER TEST METHODS
  • Redundancy tests:
    • Process each record exactly once
  • Audit trail tests:
    • Ensure application and/or system creates an adequate audit trail
      • Transactions listing
      • Error files or reports for all exceptions
  • Rounding error tests:
    • “Salami slicing”
    • Monitor activities – excessive ones are serious exceptions; e.g., rounding and thousands of entries into a single account for $1 or 1¢
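
A monitoring check for the rounding error exception described above, as an added example that is not from the slides or the textbook. The ledger layout, account names and both thresholds are constructed assumptions.

```python
from collections import defaultdict


def micro_credit_sinks(entries, max_cents=100, min_entries=1000):
    """Flag accounts credited with many very small amounts.

    entries: iterable of (source_account, destination_account, cents).
    Returns {account: (entry_count, total_cents, distinct_sources)} for
    accounts that received at least `min_entries` credits of `max_cents`
    or less. Both thresholds are assumptions to tune per ledger.
    """
    stats = defaultdict(lambda: {"count": 0, "cents": 0, "sources": set()})
    for source, dest, cents in entries:
        if 0 < cents <= max_cents:
            s = stats[dest]
            s["count"] += 1
            s["cents"] += cents
            s["sources"].add(source)
    return {dest: (s["count"], s["cents"], len(s["sources"]))
            for dest, s in stats.items() if s["count"] >= min_entries}


def constructed_ledger():
    """Constructed entries: (source, destination, amount in cents)."""
    # Ordinary payments, well above the micro-credit ceiling.
    ledger = [(f"CUST-{i:05d}", "ACCT-1000", 12500) for i in range(500)]
    # A handful of legitimate $1 entries into one account.
    ledger += [("CUST-00001", "ACCT-2000", 100)] * 3
    # Thousands of 1-cent entries from different accounts into one account.
    ledger += [(f"CUST-{i:05d}", "ACCT-9001", 1) for i in range(2500)]
    return ledger


if __name__ == "__main__":
    for account, (count, cents, sources) in micro_credit_sinks(constructed_ledger()).items():
        print(f"{account}: {count} micro-credits, {cents} cents, {sources} sources")
```

Amounts are kept as integer cents so that the check itself introduces no rounding.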

COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)
  • Test data method
  • Base case system evaluation
  • Tracing
  • Integrated Test Facility [ITF]
  • Parallel simulation
  • GAS

#1 – TEST DATA
  • Used to establish the application processing integrity
  • Uses a “test deck”
    • Valid data
    • Purposefully selected invalid data
    • Every possible:
      • Input error
      • Logical processes
      • Irregularity
  • Procedures:
    • Predetermined results and expectations
    • Run test deck
    • Compare

#2 – BASE CASE SYSTEM EVALUATION (BCSE)
  • Variant of Test Data method
  • Comprehensive test data
  • Repetitive testing throughout SDLC
  • When application is modified, subsequent test (new) results can be compared with previous results (base)

#3 – TRACING
  • Test data technique that takes a step-by-step walk through the application
    • The trace option must be enabled for the application
    • Specific data or types of transactions are created as test data
    • Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
  • Excellent means of debugging a faulty program

TEST DATA: ADVANTAGES AND DISADVANTAGES
  • Advantages of test data
    • They employ a white box approach, thus providing explicit evidence
    • Can be employed with minimal disruption to operations
    • They require minimal computer expertise on the part of the auditors
  • Disadvantages of test data
    • Auditors must rely on IS personnel to obtain a copy of the application for testing
    • Audit evidence is not entirely independent
    • Provides static picture of application integrity
    • Relatively high cost to implement, auditing inefficiency

#4 – INTEGRATED TEST FACILITY
  • ITF is an automated technique that allows auditors to test logic and controls during normal operations
  • Set up a dummy entity within the application system
    • System able to discriminate between ITF audit module transactions and routine transactions
    • Auditor analyzes ITF results against expected results

#5 – PARALLEL SIMULATION
  • Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested
    • Auditor gains a thorough understanding of the application under review
    • Auditor identifies those processes and controls critical to the application
    • Auditor creates the simulation using program or Generalized Audit Software (GAS)
    • Auditor runs the simulated program using selected data and files
    • Auditor evaluates results and reconciles differences
