
Computer Assisted Audit Technology

Audit Around Computer / Audit Through Computer
Application Control Testing / Application Control

LEARNING OBJECTIVES
After studying this chapter, you should:
- Be familiar with the classes of transaction input controls used by accounting applications.
- Understand the objectives and techniques used to implement processing controls, including run-to-run, operator intervention, and audit trail controls.
- Understand the methods used to establish effective output controls for both batch and real-time systems.
- Know the difference between black box and white box auditing.
- Be familiar with the key features of the five CAATTs.

1. Defining Application Controls

Application controls: controls that pertain to the scope of individual business processes or application systems.


AC Objectives:
- Input data: accurate, complete, authorized, and correct.
- Data: processed as intended in an acceptable time period.
- Data stored: accurate and complete.
- Outputs: accurate and complete.
- A record: maintained to track the process of data from input to storage and to the eventual output.

Defining Application Control

TYPES OF APPLICATION CONTROL (figure): Input Controls

2. Input Controls
Input controls at this stage are designed to ensure that these transactions are valid, accurate, and complete.
Data input procedures can be either:
- source document-triggered (batch): human involvement and prone to clerical errors.
- direct input (real time): real-time editing techniques.
Classes of Input Control
Input controls are divided into the following broad classes:
- Source document controls
- Data coding controls
- Batch controls
- Validation controls
- Input error correction
- Generalized data input systems

2.1 Classes of Input Controls

SOURCE DOCUMENT CONTROLS
- Use pre-numbered source documents.
- Use source documents in sequence.
- Periodically audit source documents.
DATA CODING CONTROLS
Coding controls are checks on the integrity of data codes used in processing. A customer's account number, an inventory item number, and a chart of accounts number are all examples of data codes.
Coding errors include transcription errors and transposition errors.
- Check digits: add an extra digit to the code to detect transposition errors (example: 5372 + 4).
- Batch controls: batch the transactions on a transmittal sheet, then input them to the system by batch.
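As an added example (not code from the lecture notes), the Python below computes and verifies a weighted modulus-11 check digit. The notes give the example "5372 + 4" without naming the scheme; the weights 5, 4, 3, 2 and the modulus 11 used here are an assumption that happens to reproduce that digit. The second half shows that the adjacent transposition 5327 and the single-digit transcription error 5872 both fail verification.

```python
# Added example: weighted modulus-11 check digit (assumed scheme, not the notes' own).
# Weights run from len(code)+1 down to 2, left to right; the check digit is
# 11 minus (weighted sum mod 11). For "5372": 5*5 + 3*4 + 7*3 + 2*2 = 62,
# 62 mod 11 = 7, 11 - 7 = 4, which matches the notes' "5372 + 4".


def mod11_check_digit(code: str) -> str:
    """Return the check digit for a numeric code body."""
    if not code.isdigit():
        raise ValueError("code body must be numeric")
    weights = range(len(code) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(code, weights))
    remainder = total % 11
    if remainder == 0:
        return "0"
    check = 11 - remainder
    # Remainder 1 would need the digit 10; ISBN-10 writes it as 'X'.
    # Many numbering schemes simply do not issue such code bodies.
    return "X" if check == 10 else str(check)


def append_check_digit(code: str) -> str:
    """Issue a code: body plus its check digit as the final character."""
    return code + mod11_check_digit(code)


def is_valid(coded: str) -> bool:
    """Verify a code whose last character is its check digit."""
    if len(coded) < 2:
        return False
    body, check = coded[:-1], coded[-1]
    return body.isdigit() and mod11_check_digit(body) == check


def classify_errors(valid_code: str, candidates: list[str]) -> dict[str, bool]:
    """Map each mis-keyed candidate of valid_code to whether the check digit catches it."""
    return {c: not is_valid(c) for c in candidates if c != valid_code}


if __name__ == "__main__":
    issued = append_check_digit("5372")  # "53724"
    print(issued, is_valid(issued))
    # Constructed keying errors: adjacent transposition (5327) and one wrong digit (5872).
    print(classify_errors(issued, ["53274", "58724"]))
```

Because the weights of neighbouring positions differ by one and 11 is prime, this scheme catches every single-digit error and every adjacent transposition, which is why it is a common choice for key fields such as account and item numbers.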

2.1 Classes of Input Controls

DATA CODING CONTROLS
Batch controls: an effective method of managing high volumes of transactions. The objective is to reconcile the output produced by the system with the input originally entered into the system.
This provides assurance that:
- All records are processed.
- No record is processed more than once.
- An audit trail of transactions is created from input through processing to the output.
The transmittal sheet captures the following information:
- A unique batch number
- A batch date
- A transaction code
- The number of records in the batch (record count)
- The total dollar value of a financial field (batch control total)
- The total of a unique nonfinancial field (hash total)

2.1 Classes of Input Controls

DATA CODING CONTROLS
Hash Totals.
A simple control technique that uses nonfinancial data to keep track of the records in a batch. Any key field (a customer's account number, a PO number, or an inventory item number) can be used to calculate a hash total.
Example: the sales order number (SO#) field for an entire batch of sales order records is summed to produce a hash total.
14327
67345
...
96543
4537838 hash total
How can this number be of use? Assume that after this batch of records leaves data control, someone replaces one of the sales orders in the batch with a fictitious record of the same dollar amount.
How would the batch control procedures detect this irregularity?
The hash total, calculated by the batch control procedures, would not balance. Thus, the irregularity would be detected.

2.1 Classes of Input Controls

VALIDATION CONTROLS
Intended to detect errors in transaction data before the data are processed. Validation procedures are most effective when they are performed as close to the source of the transaction as possible.
There are three levels of input validation controls:
1. Field interrogation: examines the characteristics of the data in the field.
- Missing data checks: examine the contents of a field for the presence of blank spaces.
- Numeric-alphabetic data checks: determine that the data in the field are of the correct form.
- Zero-value checks: verify that certain fields are filled with zeros.
- Limit checks: determine whether the value in the field exceeds an authorized limit.
- Range checks: assign upper and lower limits to acceptable data values.
- Validity checks: compare actual values in a field against known acceptable values, to verify such things as transaction codes or vendor codes.
- Check digit controls: identify keystroke errors in key fields by testing the internal validity of the code.

2.1 Classes of Input Controls

VALIDATION CONTROLS
There are three levels of input validation controls:
2. Record interrogation: validates the entire record by examining the interrelationship of its field values.
- Reasonableness checks: determine whether a value in one field, which has already passed a limit check and a range check, is reasonable when considered together with other data fields in the record. Example: an employee's pay rate of 18 dollars/hour falls within an acceptable range. However, this rate is excessive when compared to his job skill code of 693; this skill class never earns more than $12/hour.
- Sign checks: verify that the sign of a field is correct for the type of record being processed. Example: in a sales order processing system, the dollar amount field must be positive (+) for sales orders but negative (-) for sales return transactions.
- Sequence checks: determine whether a record is out of order. In batch systems that use sequential master files, the transaction file being processed must be sorted in the same order as the primary keys of the corresponding master file. Hence, before each transaction record is processed, its sequence is verified relative to the previous record processed.
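As an added example (not code from the lecture notes), the Python below implements field interrogation and record interrogation together over a constructed batch of payroll time records. The skill-code ceiling for code 693 follows the notes' example; every other reference value (the pay rate range, the hours limit, the valid transaction codes, the sign convention for adjustment records) and the field names are assumptions made for the example.

```python
# Added example: field and record interrogation on constructed payroll records.
# Reference values are assumptions except the $12/hour ceiling for skill code
# 693, which is the notes' example.
from decimal import Decimal, InvalidOperation
from typing import Optional

REQUIRED_FIELDS = ("employee_no", "hours", "pay_rate", "skill_code", "tx_code")
VALID_TX_CODES = {"TIME", "ADJ"}                      # validity check reference (assumed)
PAY_RATE_RANGE = (Decimal("6.00"), Decimal("40.00"))  # range check bounds (assumed)
MAX_HOURS = Decimal("60")                             # limit check (assumed)
SKILL_RATE_CEILING = {"693": Decimal("12.00"),        # from the notes' example
                      "701": Decimal("25.00")}        # constructed


def field_interrogation(rec: dict) -> list[str]:
    """Checks that look at one field at a time."""
    errors = [f"{f}: missing data" for f in REQUIRED_FIELDS
              if not str(rec.get(f, "")).strip()]
    if errors:
        return errors  # an incomplete record cannot be checked further
    try:  # numeric-alphabetic check
        hours, rate = Decimal(str(rec["hours"])), Decimal(str(rec["pay_rate"]))
    except InvalidOperation:
        return ["hours/pay_rate: numeric check failed"]
    if not str(rec["employee_no"]).isdigit():
        errors.append("employee_no: numeric check failed")
    if abs(hours) > MAX_HOURS:                        # limit check
        errors.append(f"hours: limit check failed ({hours} > {MAX_HOURS})")
    lo, hi = PAY_RATE_RANGE                           # range check
    if not lo <= rate <= hi:
        errors.append(f"pay_rate: range check failed ({rate} not in {lo}..{hi})")
    if rec["tx_code"] not in VALID_TX_CODES:          # validity check
        errors.append(f"tx_code: validity check failed ({rec['tx_code']})")
    return errors


def record_interrogation(rec: dict, previous_key: Optional[int]) -> list[str]:
    """Checks that relate fields to each other and to the previous record."""
    errors = []
    hours, rate = Decimal(str(rec["hours"])), Decimal(str(rec["pay_rate"]))
    ceiling = SKILL_RATE_CEILING.get(str(rec["skill_code"]))  # reasonableness check
    if ceiling is not None and rate > ceiling:
        errors.append(f"pay_rate: reasonableness check failed "
                      f"({rate} exceeds {ceiling} for skill code {rec['skill_code']})")
    # Sign check (assumed convention): TIME records carry positive hours,
    # ADJ (reversal) records carry negative hours.
    expected_positive = rec["tx_code"] == "TIME"
    if (hours > 0) != expected_positive:
        errors.append(f"hours: sign check failed for {rec['tx_code']}")
    # Sequence check: the batch must be sorted like the master file key.
    key = int(rec["employee_no"])
    if previous_key is not None and key < previous_key:
        errors.append(f"employee_no: sequence check failed ({key} after {previous_key})")
    return errors


def validate_batch(records: list[dict]) -> dict[int, list[str]]:
    """Return {record index: errors} for every record that fails a check."""
    findings, previous_key = {}, None
    for i, rec in enumerate(records):
        errors = field_interrogation(rec)
        if not errors:  # only a well-formed record can be interrogated as a record
            errors = record_interrogation(rec, previous_key)
            previous_key = int(rec["employee_no"])
        if errors:
            findings[i] = errors
    return findings


# Constructed batch: record 1 is the notes' example ($18/hour against skill 693),
# record 2 is out of sequence, record 3 has a letter O keyed in the rate.
SAMPLE_BATCH = [
    {"employee_no": "1001", "hours": "40", "pay_rate": "11.50", "skill_code": "693", "tx_code": "TIME"},
    {"employee_no": "1002", "hours": "38", "pay_rate": "18.00", "skill_code": "693", "tx_code": "TIME"},
    {"employee_no": "0999", "hours": "-4", "pay_rate": "22.00", "skill_code": "701", "tx_code": "ADJ"},
    {"employee_no": "1003", "hours": "45", "pay_rate": "1O.00", "skill_code": "701", "tx_code": "TIME"},
]

if __name__ == "__main__":
    for idx, errs in validate_batch(SAMPLE_BATCH).items():
        print(idx, errs)
```

Field interrogation runs first and stops early on incomplete or non-numeric records, because the record-level checks (reasonableness, sign, sequence) only make sense on a record whose fields are individually well formed; a record that fails field interrogation also does not advance the sequence key.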

2.1 Classes of Input Controls

VALIDATION CONTROLS
There are three levels of input validation controls:
3. File interrogation: ensures that the correct file is being processed by the system.
- Internal label checks: verify that the file processed is the one the program is actually calling for. Files stored on magnetic tape should have an internal header label that is placed at the beginning of the file.
- Version checks: verify that the version of the file being processed is correct. In a grandparent-parent-child approach, many versions of a file may exist.
- Expiration date checks: prevent a file from being deleted before it expires.

(Figure: internal label check and expiration check.)

2.1 Classes of Input Controls

INPUT ERROR CORRECTION
When errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing. Three common error handling techniques:
- Correct immediately: in the direct data validation approach, the system should halt the data entry procedure until the user corrects the error.
- Create an error file: when delayed validation is being used, individual errors should be flagged to prevent them from being processed. At the end of the validation procedure, the records flagged as errors are removed from the batch and placed in a temporary error holding file until the errors can be investigated and corrected; the corrected records are then resubmitted as a separate batch for reprocessing.
- Reject the batch: some forms of errors are associated with the entire batch and are not clearly attributable to individual records. An example of this type of error is an imbalance in a batch control total.

2.1 Classes of Input Controls

GENERALIZED DATA INPUT SYSTEMS (GDIS)
This technique includes centralized procedures to manage data input for all of the organization's processing systems.
A GDIS has 5 major components:
1. Generalized validation module (GVM): performs standard validation routines for many different applications, then customized to an individual application's needs. Example: the GVM may apply a range check to the hourly rate field of payroll records, with a range of $6 to $15.
2. Validated data file: the input data that have been validated are stored temporarily on a validated data file, through which validated transactions flow to their respective applications.
3. Error file: error records detected are stored in the file, corrected, and resubmitted to the GVM.
4. Error reports: standardized error reports are distributed to users to facilitate error correction.
5. Transaction log: the transaction log (equivalent to the journal entry) is a permanent record of all validated transactions.
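As an added example (not code from the lecture notes), the Python below models the five GDIS components and the "create an error file" handling technique from the previous slide: a generalized validation module customized per application, a validated data file, an error file, a standardized error report, and a permanent transaction log, with corrected error records coming back as a separate batch. The payroll hourly rate range of $6 to $15 is the notes' example; the application name, record layout, check functions and batch numbers are constructed assumptions.

```python
# Added example: a minimal generalized data input system (GDIS).
# The $6..$15 hourly rate range follows the notes; everything else is constructed.
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
from typing import Callable, Optional

Check = Callable[[dict], Optional[str]]  # a check returns an error message or None


def required(fld: str) -> Check:
    return lambda r: None if str(r.get(fld, "")).strip() else f"{fld}: missing"


def range_check(fld: str, lo: str, hi: str) -> Check:
    lo_d, hi_d = Decimal(lo), Decimal(hi)

    def check(r: dict) -> Optional[str]:
        try:
            v = Decimal(str(r.get(fld)))
        except InvalidOperation:
            return f"{fld}: not numeric"
        return None if lo_d <= v <= hi_d else f"{fld}: {v} outside {lo}..{hi}"
    return check


@dataclass
class GDIS:
    """Generalized validation module plus the files it feeds."""
    applications: dict[str, list[Check]] = field(default_factory=dict)
    validated_file: list[dict] = field(default_factory=list)   # temporary, per batch
    error_file: list[dict] = field(default_factory=list)       # awaiting correction
    transaction_log: list[dict] = field(default_factory=list)  # permanent record
    _seq: int = 0

    def register(self, app: str, checks: list[Check]) -> None:
        """Customize the standard routines to one application's needs."""
        self.applications[app] = checks

    def submit(self, app: str, batch_id: str, records: list[dict]) -> list[dict]:
        """Validate a batch; return the standardized error report for it."""
        report = []
        for rec in records:
            errors = [msg for chk in self.applications[app] if (msg := chk(rec))]
            if errors:
                entry = {"app": app, "batch": batch_id, "record": rec, "errors": errors}
                self.error_file.append(entry)
                report.append(entry)
            else:
                self._seq += 1
                logged = {"seq": self._seq, "app": app, "batch": batch_id, "record": rec}
                self.validated_file.append(logged)
                self.transaction_log.append(logged)
        return report

    def release(self, app: str) -> list[dict]:
        """Hand validated transactions to their application and clear them from the file."""
        out = [e for e in self.validated_file if e["app"] == app]
        self.validated_file = [e for e in self.validated_file if e["app"] != app]
        return out

    def resubmit(self, app: str, batch_id: str, corrected: list[dict], key: str) -> list[dict]:
        """Corrected error records come back as a separate batch; they are removed
        from the error file first so that nothing is processed twice."""
        keys = {r[key] for r in corrected}
        self.error_file = [e for e in self.error_file
                           if not (e["app"] == app and e["record"].get(key) in keys)]
        return self.submit(app, batch_id, corrected)


def demo() -> dict:
    """Run a constructed payroll batch with one bad rate through the GDIS."""
    gdis = GDIS()
    gdis.register("payroll", [required("employee_no"), required("hourly_rate"),
                              range_check("hourly_rate", "6", "15")])
    batch = [  # constructed input
        {"employee_no": "1001", "hourly_rate": "11.50"},
        {"employee_no": "1002", "hourly_rate": "18.00"},  # fails the range check
        {"employee_no": "1003", "hourly_rate": "9.25"},
    ]
    first = gdis.submit("payroll", "B-001", batch)
    fixed = gdis.resubmit("payroll", "B-001R",
                          [{"employee_no": "1002", "hourly_rate": "14.00"}], "employee_no")
    return {"first_errors": len(first), "resubmit_errors": len(fixed),
            "pending_errors": len(gdis.error_file),
            "released": len(gdis.release("payroll")),
            "logged": len(gdis.transaction_log)}


if __name__ == "__main__":
    print(demo())
```

The validated file is cleared when its records are released to the application, while the transaction log keeps every validated record permanently, which is the distinction the notes draw between the two files.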

2.1 Classes of Input Controls

THE PROCESS OF GENERALIZED DATA INPUT SYSTEMS (GDIS) (figure)

Topic 12: Input Controls

Manual input controls: require authorization both before the input and after a review, the use of concise prenumbered forms, and training of data entry personnel.
Electronic input controls: include user-friendly screen formats that prompt the user for required information and the use of required fields.
- A field check: a check to see whether the information in an entry field is complete.
- Keystroke verification: to protect sensitive information, requires data to be entered twice, by a different person if possible, and highlights any differences (e.g. confirmation of a password change).
- Format check: data is entered in an acceptable format (e.g. date format).
- Drop-down menus: allow only specific preset inputs (e.g. a list of provinces).

Topic 12: Input Controls

Edit check: automated tests on data fields. These include:
- Control totals: a hash total is the sum of nonfinancial numbers and has no meaning in itself. A change in the hash total indicates a record change.
- Range test: allows entry only within a range of numbers or characters.
- Numerical test: prevents alphabetic entry in number fields.
- Limit check: entries above a particular number are prevented or need approval.
- Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, to show whether the number was incorrectly entered by transposition (e.g. credit card numbers).
- Record count: tallies the number of records.
- Historical comparison: measures variance from past records.
- Overflow checking: places a memory or length limit on a field to prevent numbers larger than the maximum from being entered.

Topic 12: Input Controls

Inquiry log: tracks all read-only access to records.
Automated inputs: automation reduces errors and increases input speed. These include:
- Optical character recognition (OCR): converts a scanned image into graphic data, then stores, retrieves, and processes the graphic data (e.g. scanning a shipping receipt into a database).
- Scanners: devices that digitize graphic images.
- Radio frequency identification (RFID): uses a tag in the packaging; an RFID reader reads the tag via radio frequency and identifies where the product is. Useful in tracking inventory (e.g. DHL).
- Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level).
- Magnetic ink character recognition (MICR): included on checks (bank transactions), indicating the check number, account number, routing number, and possibly the check amount.

3. Processing Controls
Processing controls are divided into 3 categories: 1. run-to-run controls, 2. operator intervention controls, and 3. audit trail controls.
3.1 Run-to-Run Controls
Run-to-run controls use batch figures to monitor the batch as it moves from one programmed procedure (run) to another. These controls ensure that each run in the system processes the batch correctly and completely. Batch control figures may be contained in either a separate control record created at the data input stage or an internal label.
Specific uses of run-to-run control figures:
- Recalculate control totals. After each major operation in the process and after each run, dollar amount fields, hash totals, and record counts are accumulated and compared to the corresponding values stored in the control record.
- Transaction codes. The transaction code of each record in the batch is compared to the transaction code contained in the control record. This ensures that only the correct type of transaction is being processed.

3. Processing Controls
3.1 Run-to-Run Controls
- Sequence checks. In systems that use sequential master files, the order of the transaction records in the batch is critical to correct and complete processing. As the batch moves through the process, it must be re-sorted in the order of the master file used in each run. The sequence check control compares the sequence of each record in the batch with the previous record.
Run-to-run controls in a revenue cycle system:
The system comprises 4 runs: (1) data input, (2) AR update, (3) inventory update, and (4) output. At the end of the AR run, the batch control figures are recalculated and reconciled with the control totals passed from the data input run. These figures are then passed to the inventory update run, where they are again recalculated, reconciled, and passed to the output run.
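As an added example (not code from the lecture notes), the Python below serves two passages: the hash total discussion in section 2.1 (a fictitious record of the same dollar amount substituted into a batch) and the run-to-run controls above (a control record carried through the AR update, inventory update and output runs, with record count, control total, hash total, transaction code and sequence reconciled after each run). The record layout, batch number and amounts are constructed; the run names follow the notes' revenue cycle example, and the sales order numbers are the three the notes list.

```python
# Added example: batch control figures reconciled after every run.
# Constructed data; the run names follow the notes' revenue cycle example.
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable


@dataclass(frozen=True)
class Order:
    so_number: int      # key; also the nonfinancial field used for the hash total
    customer: str
    amount: Decimal
    tx_code: str = "SO"


@dataclass(frozen=True)
class ControlRecord:
    batch_number: str
    transaction_code: str
    record_count: int
    control_total: Decimal  # financial field
    hash_total: int         # nonfinancial key field


def make_control_record(batch_number: str, tx_code: str, batch: list[Order]) -> ControlRecord:
    """Prepared once at the data input stage (the transmittal sheet figures)."""
    return ControlRecord(batch_number, tx_code, len(batch),
                         sum((o.amount for o in batch), Decimal("0")),
                         sum(o.so_number for o in batch))


def reconcile(control: ControlRecord, batch: list[Order]) -> list[str]:
    """Recalculate the figures and list every control that does not balance."""
    actual = make_control_record(control.batch_number, control.transaction_code, batch)
    issues = []
    if actual.record_count != control.record_count:
        issues.append(f"record count {actual.record_count} != {control.record_count}")
    if actual.control_total != control.control_total:
        issues.append(f"control total {actual.control_total} != {control.control_total}")
    if actual.hash_total != control.hash_total:
        issues.append(f"hash total {actual.hash_total} != {control.hash_total}")
    wrong_codes = [o.so_number for o in batch if o.tx_code != control.transaction_code]
    if wrong_codes:
        issues.append(f"transaction code check failed for {wrong_codes}")
    keys = [o.so_number for o in batch]
    if keys != sorted(keys):
        issues.append("sequence check failed: batch not in master-file order")
    return issues


Run = Callable[[list[Order]], list[Order]]


def run_to_run(control: ControlRecord, batch: list[Order],
               runs: dict[str, Run]) -> dict[str, list[str]]:
    """Execute each run in turn and reconcile its output against the control record."""
    results = {}
    for name, run in runs.items():
        batch = run(batch)
        results[name] = reconcile(control, batch)
    return results


# Constructed batch using the SO numbers the notes list (14327, 67345, ..., 96543).
BATCH = [Order(14327, "C-01", Decimal("150.00")),
         Order(67345, "C-02", Decimal("89.50")),
         Order(96543, "C-03", Decimal("1200.00"))]
CONTROL = make_control_record("B-2024-07", "SO", BATCH)  # created at data input


def substituted_batch() -> list[Order]:
    """The notes' scenario: a fictitious record of the same dollar amount replaces 67345."""
    return [BATCH[0], Order(67900, "C-99", Decimal("89.50")), BATCH[2]]


def pass_through(batch: list[Order]) -> list[Order]:
    return batch


def drops_last_record(batch: list[Order]) -> list[Order]:
    """A defective run that loses a record; the next reconciliation must catch it."""
    return batch[:-1]


if __name__ == "__main__":
    print(reconcile(CONTROL, substituted_batch()))   # only the hash total fails
    print(run_to_run(CONTROL, BATCH, {"ar_update": pass_through,
                                      "inventory_update": drops_last_record,
                                      "output": pass_through}))
```

The substitution leaves the record count and the dollar control total balanced, so only the hash total exposes it; the dropped record, by contrast, throws all three figures out at the inventory update run and stays visible at the output run, which is why the control record travels with the batch rather than being checked once at input.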

3. Processing Controls
3.2 Operator Intervention Controls
Systems sometimes require operator intervention to initiate certain actions, such as entering control totals for a batch of records. Operator intervention increases the potential for human error, hence the need for operator intervention controls.
3.3 Audit Trail Controls
The audit trail can become fragmented and difficult to follow. Examples of audit trail controls:
- Transaction logs. Every transaction successfully processed by the system should be recorded on a transaction log, which serves as a journal. The system should produce a hard copy transaction listing of all successful transactions, which then goes to the appropriate users to facilitate reconciliation with input.

3. Processing Controls
3.3 Audit Trail Controls
- Log of automatic transactions. Some transactions are triggered internally by the system. Example: when inventory drops below a preset reorder point, the system automatically processes a PO.
- Listing of automatic transactions. The responsible end user should receive a detailed listing of all internally generated transactions.
- Unique transaction identifiers. Each transaction processed by the system must be uniquely identified with a transaction number. In real-time systems, which do not use source documents, the system should assign each transaction a unique number.
- Error listing. A listing of all error records should go to the appropriate user to support error correction and resubmission.

Topic 12: Processing Controls

Processing controls: automated error checks built into computer processing, as well as segregation of duties, such as controlling programmers' access to files and records.
Data center operators' access to applications should be restricted to equipment and software installation and responding to errors, and also overriding file names.
A console log or system control file should track operators' interventions.
Access to configuration parameters within the application must be controlled. Auditors should reconcile actual versus planned configuration.
- Completeness check: rejects saving a record until all fields are complete.
- Control totals: totals are recorded in a system control file when an application generates temporary files; an error occurs if the control totals do not match.
- Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors.
Auditors test processing controls by inserting known test data and comparing the results against expected results (walkthrough test or round test?).

Topic 12: Processing Controls

Other processing controls include:
- Suspense file: a file used to retain transactions processed with errors.
- Activity log: records the actions of users by date, time, and access terminal (distinguish this from ITGC).
- Processing logic tests (e.g. posting check, zero balance check, cross-footing check): various checks that verify whether accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payments are processed; other examples?).
- End-of-file procedures: prevent additional operations from taking place in a file when the end of the file is reached.
- Primary and secondary key integrity check: verify encryption key security.

4. Output Controls
Output controls ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause financial, reputational, and legal losses.
The type of processing method in use (batch or real-time) influences the choice of controls employed to protect system output.
4.1 Controlling Batch Systems Output
Batch systems usually produce output in the form of hard copy, which typically requires the involvement of intermediaries in its production and distribution. Controls are needed at each phase of the output process:
4.1.1 Output Spooling Control.
A spool is a temporary memory allocation for system output. A computer criminal may use this opportunity to perform any of the following unauthorized acts:
- Change critical data values (such as dollar amounts on checks).
- Change the number of copies of output to be printed.
- Make a copy of the output file to produce illegal output reports.
- Destroy the output file before output printing takes place.

4. Output Controls
4.1 Controlling Batch Systems Output
4.1.2 Print Program Controls.
Print program controls are designed to deal with two exposures: (1) the production of unauthorized copies of output, and (2) employee browsing of sensitive data.
4.1.3 Bursting Control.
The bursting clerk may make an unauthorized copy of the report, remove a page from the report, or read sensitive information. The primary control against these exposures is supervision.
4.1.4 Waste Control.
Computer output waste represents a potential exposure. Passing it through a paper shredder can easily destroy sensitive computer output.
4.1.5 Data Control.
The data control group is responsible for verifying the accuracy of computer output before it is distributed to the user.

4. Output Controls
4.1 Controlling Batch Systems Output
4.1.6 Report Distribution Control.
The primary risks include reports being lost, stolen, or misdirected in transit to the user. Controls include printing the name and address of the user on the report.
4.1.7 End User Controls.
Once in the hands of the user, output reports should be re-examined for any errors. Once a report has served its purpose, it should be stored in a secure location until its retention period has expired.
4.2 Controlling Real-Time Systems Output
Real-time systems direct their output to the user's computer screen, terminal, or printer. This method of distribution eliminates the various intermediaries in the journey from the computer center to the user.
The threat to real-time output is interception, disruption, destruction, or corruption of the output message as it passes along the communications link. This threat comes from: (1) equipment failure; and (2) subversive acts, whereby a computer criminal intercepts the output message transmitted between sender and receiver.

Topic 12: Output Controls

Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls are as follows:
- Error listings: auditors ensure that errors are followed up without exceeding backlog limits, and that corrected reports are resubmitted.
- Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption.
- Spooling controls: a spool is a temporary memory allocation for system output. These controls regulate the data spooling method.
- Working documents: legal records, such as checks, invoices, or stock certificates, are safeguarded. They are audit evidence that can show whether inputs really match outputs.
- Report controls: include ensuring that reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls.
- Exception reporting: highlights only unusual data; it helps to determine the sources of the error (human error, processing error).

5. Testing Computer Application Controls

5.1 Black-Box Approach (Around the Computer)
Auditors do not rely on a detailed knowledge of the application's internal logic. Auditors seek to understand the functional characteristics of the application by analyzing flowcharts and interviewing knowledgeable personnel in the client's organization.
The auditor tests the application by reconciling production input transactions processed by the application with output results. The output results are analyzed to verify the application's compliance with its functional requirements.
The advantages of the black-box approach:
- The application need not be removed from service and tested directly.
- This approach is feasible for testing applications that are relatively simple.

5. Testing Computer Application Controls

5.2 White-Box Approach (Through the Computer)
Auditors rely on an in-depth understanding of the internal logic of the application and use several techniques for testing application logic directly. These techniques use small numbers of specially created test transactions to verify specific aspects of an application's logic and controls.
Some of the more common types of tests of controls include the following:
- Authenticity tests: verify that an individual, a programmed procedure, or a message (such as an EDI transmission) attempting to access a system is authentic. Authenticity controls include user IDs, passwords, valid vendor codes, and authority tables.
- Accuracy tests: ensure that the system processes only data values that conform to specified tolerances. Examples include range tests, field tests, and limit tests.

5. Testing Computer Application Controls

5.2 White-Box Approach (Through the Computer)
Some of the more common types of tests of controls include the following:
- Completeness tests: identify missing data within a single record and entire records missing from a batch. The types of tests performed are field tests, record sequence tests, hash totals, and control totals.
- Redundancy tests: determine that an application processes each record only once. Redundancy controls include the reconciliation of batch totals, record counts, hash totals, and financial control totals.
- Access tests: ensure that the application prevents authorized users from unauthorized access to data. Access controls include passwords, authority tables, user-defined procedures, data encryption, and inference controls.

5. Testing Computer Application Controls

5.2 White-Box Approach (Through the Computer)
Some of the more common types of tests of controls include the following:
- Audit trail tests: ensure that the application creates an adequate audit trail, including transaction logs, posting of data values to the appropriate accounts, transaction listings, error files, and reports for all exceptions.
- Rounding error tests (salami test): verify the correctness of rounding procedures. Employ a rounding program control. In the salami fraud, there would be thousands of entries into the criminal's personal account, which may be detected. A clever programmer may disguise this activity by funneling these entries through several intermediate temporary accounts, which are then posted to a smaller number of intermediate accounts and finally to the programmer's personal account.
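As an added example (not code from the lecture notes), the Python below is a rounding error test of the kind described above, applied to a constructed interest posting routine. The auditor's test recomputes the exact interest per account, checks that each posted amount is the correctly rounded figure, checks that the only account absorbing residual cents is the authorized rounding account, and reconciles the control total. A second, defective routine shows what the test must flag: per-account truncation whose accumulated fractions are posted to an unauthorized account, which a control total alone would not catch because the total still balances. Account names, balances, the rate and the name of the authorized rounding account are assumptions.

```python
# Added example: rounding error (salami) test for an interest posting routine.
# Accounts, balances, rate and the rounding account name are constructed assumptions.
from decimal import Decimal, ROUND_HALF_UP, ROUND_DOWN

CENT = Decimal("0.01")
ROUNDING_ACCOUNT = "GL-ROUNDING"  # the only account allowed to absorb residual cents


def exact_interest(balances: dict[str, Decimal], rate: Decimal) -> dict[str, Decimal]:
    """Unrounded interest per account; Decimal keeps the fractional cents exactly."""
    return {acct: bal * rate for acct, bal in balances.items()}


def post_interest(balances: dict[str, Decimal], rate: Decimal) -> dict[str, Decimal]:
    """Correct procedure: round half up per account and book whatever is left
    over (positive or negative) to the authorized rounding account."""
    exact = exact_interest(balances, rate)
    postings = {a: v.quantize(CENT, rounding=ROUND_HALF_UP) for a, v in exact.items()}
    residual = sum(exact.values()) - sum(postings.values())
    postings[ROUNDING_ACCOUNT] = residual.quantize(CENT, rounding=ROUND_HALF_UP)
    return postings


def truncating_post(balances: dict[str, Decimal], rate: Decimal,
                    sink: str = "ACCT-UNAUTHORIZED") -> dict[str, Decimal]:
    """Defective procedure the test must flag (constructed for the test only):
    every account is truncated downward and the accumulated fractions are
    posted to an account that is not the authorized rounding account."""
    exact = exact_interest(balances, rate)
    postings = {a: v.quantize(CENT, rounding=ROUND_DOWN) for a, v in exact.items()}
    residual = sum(exact.values()) - sum(postings.values())
    postings[sink] = residual.quantize(CENT, rounding=ROUND_HALF_UP)
    return postings


def rounding_error_test(balances: dict[str, Decimal], rate: Decimal,
                        postings: dict[str, Decimal]) -> list[str]:
    """Auditor's recomputation: per-account rounding, destination of the
    residual, and the control total must all agree with the exact figures."""
    findings = []
    exact = exact_interest(balances, rate)
    for acct, v in exact.items():
        expected = v.quantize(CENT, rounding=ROUND_HALF_UP)
        if postings.get(acct) != expected:
            findings.append(f"{acct}: posted {postings.get(acct)}, expected {expected}")
    for acct in sorted(set(postings) - set(exact) - {ROUNDING_ACCOUNT}):
        findings.append(f"{acct}: residual posted to an unauthorized account")
    total_exact = sum(exact.values()).quantize(CENT, rounding=ROUND_HALF_UP)
    total_posted = sum(postings.values())
    if total_posted != total_exact:
        findings.append(f"control total {total_posted} != {total_exact}")
    return findings


# Constructed ledger: four accounts, 1.37% interest for the period.
BALANCES = {"A-1001": Decimal("1000.00"), "A-1002": Decimal("2500.00"),
            "A-1003": Decimal("333.33"), "A-1004": Decimal("777.77")}
RATE = Decimal("0.0137")

if __name__ == "__main__":
    print(rounding_error_test(BALANCES, RATE, post_interest(BALANCES, RATE)))      # []
    print(rounding_error_test(BALANCES, RATE, truncating_post(BALANCES, RATE)))    # 3 findings
```

With these balances the exact interest sums to 63.17207 while the correctly rounded postings sum to 63.18, so the authorized rounding account receives -0.01 and the control total balances at 63.17. The truncating routine also balances at 63.17, which is exactly why the test compares every account's posting against its own recomputed value and looks at where the residual went, rather than trusting the total.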

6. CAAT Tools and Techniques for Testing Controls

6.1 Test Data Method
Used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic and control effectiveness.

6. CAAT Tools and Techniques for Testing Controls

6.1 Test Data Method
Creating Test Data
Auditors prepare a complete set of both valid and invalid transactions to test every possible input error, logical process, and irregularity. This involves:
- Gaining knowledge of the application's internal logic.
- Obtaining the test data used to test program modules during the implementation phase of the SDLC, or creating additional test data that focus on the areas of the program changes.
Base Case System Evaluation (BCSE)
BCSE tests are conducted with a set of test transactions containing all possible transaction types. These are processed through repeated iterations during systems development testing until consistent and valid results are obtained.
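As an added example (not code from the lecture notes), the Python below applies the test data method to a constructed gross pay routine: a test deck of valid and invalid transactions, each with a predetermined expected result, is processed through the routine under review and every deviation from expectation is reported. The routine is built with a missing limit check so that the deck exposes it, and a second version with the check added shows the deck running clean. The routine, its validation rules, the overtime convention and the expected results are all assumptions made for the example.

```python
# Added example: test data method applied to a constructed payroll routine.
# The application, its rules and the expected results are assumptions.
from decimal import Decimal, InvalidOperation

MAX_HOURS = Decimal("60")        # assumed limit check
OVERTIME_AFTER = Decimal("40")   # assumed overtime threshold, paid at 1.5x


def gross_pay(hours: str, rate: str) -> dict:
    """Application under review (constructed). Returns a pay result or a
    rejection; the missing limit check is the defect the test deck should find."""
    try:
        h, r = Decimal(hours), Decimal(rate)
    except InvalidOperation:
        return {"status": "rejected", "reason": "non-numeric"}
    if h < 0 or r <= 0:
        return {"status": "rejected", "reason": "sign"}
    regular = min(h, OVERTIME_AFTER)
    overtime = max(h - OVERTIME_AFTER, Decimal("0"))
    gross = regular * r + overtime * r * Decimal("1.5")
    return {"status": "ok", "gross": gross.quantize(Decimal("0.01"))}


def gross_pay_with_limit(hours: str, rate: str) -> dict:
    """The same routine with the limit check added; the deck should then run clean."""
    try:
        if Decimal(hours) > MAX_HOURS:
            return {"status": "rejected", "reason": "limit"}
    except InvalidOperation:
        pass  # non-numeric input is reported by gross_pay itself
    return gross_pay(hours, rate)


# Test deck: valid and invalid transactions with predetermined expectations (constructed).
TEST_DECK = [
    {"id": "T01", "hours": "40", "rate": "10.00",
     "expect": {"status": "ok", "gross": Decimal("400.00")}},
    {"id": "T02", "hours": "45", "rate": "10.00",
     "expect": {"status": "ok", "gross": Decimal("475.00")}},
    {"id": "T03", "hours": "40.5", "rate": "12.20",
     "expect": {"status": "ok", "gross": Decimal("497.15")}},
    {"id": "T04", "hours": "-8", "rate": "10.00",
     "expect": {"status": "rejected", "reason": "sign"}},
    {"id": "T05", "hours": "4O", "rate": "10.00",          # letter O keyed for zero
     "expect": {"status": "rejected", "reason": "non-numeric"}},
    {"id": "T06", "hours": "61", "rate": "10.00",          # exceeds the authorized limit
     "expect": {"status": "rejected", "reason": "limit"}},
]


def run_test_deck(app, deck: list[dict]) -> list[dict]:
    """Process every test transaction and report each deviation from expectation."""
    exceptions = []
    for t in deck:
        actual = app(t["hours"], t["rate"])
        if actual != t["expect"]:
            exceptions.append({"id": t["id"], "expected": t["expect"], "actual": actual})
    return exceptions


if __name__ == "__main__":
    print(run_test_deck(gross_pay, TEST_DECK))             # T06 accepted instead of rejected
    print(run_test_deck(gross_pay_with_limit, TEST_DECK))  # []
```

The deck deliberately includes one transaction per control being tested (sign, numeric, limit) alongside boundary cases for the overtime logic, which is what the notes mean by covering every possible input error, logical process and irregularity; a deck of only valid transactions would have passed the defective routine.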

6. CAAT Tools and Techniques for Testing Controls

6.1 Test Data Method
Tracing
The tracing technique performs an electronic walkthrough of the application's internal logic. The tracing procedure involves 3 steps:
1. The application under review must undergo a special compilation to activate the trace option.
2. Specific transactions or types of transactions are created as test data.
3. The test data transactions are traced through all processing stages, and a listing is produced of all program instructions that were executed during the test.
Example: the figure shows records from two payroll files: a transaction record and two records from the master file. The trace listing identifies the program statements that were executed and the order of execution. Analysis of the trace listing indicates that Commands 0001 through 0020 were executed. At that point, the application transferred to Command 0060. This occurred because the employee number (the key) of the transaction record did not match the key of the first record in the master file. Then Commands 0010 through 0050 were executed.

6. CAAT Tools and Techniques for Testing Controls

6.1 Test Data Method
Advantages of Test Data Techniques
1. They employ through-the-computer testing, thus providing the auditor with explicit evidence concerning application functions.
2. If properly planned, test data runs can be employed with only minimal disruption to the organization's operations.
3. They require only minimal computer expertise on the part of auditors.
Disadvantages of Test Data Techniques
1. Auditors must rely on computer services personnel to obtain a copy of the application for test purposes. Computer services may intentionally provide the auditor with the wrong version of the application.
2. They provide a static picture of application integrity at a single point in time.
3. Their relatively high cost of implementation results in audit inefficiency. The auditor may devote considerable time to understanding program logic and creating test data.

6. CAAT Tools and Techniques for Testing Controls

6.2 The Integrated Test Facility
An automated technique that enables the auditor to test an application's logic and controls during its normal operation. The ITF is one or more audit modules designed into the application during the systems development process.
ITF databases contain dummy records integrated with legitimate records. During normal operations, test transactions are merged into the input stream of regular (production) transactions and are processed against the files of the dummy company.
ITF audit modules are designed to discriminate between ITF transactions and routine production data by assigning a unique range of key values exclusively to ITF transactions.
Advantages of ITF
(1) ITF supports ongoing monitoring of controls. (2) An application with ITF can be economically tested without disrupting operations (efficient) and without the intervention of computer services (reliable).
Disadvantages of ITF
The potential for corrupting the data files of the organization with test data.

6. CAAT Tools and Techniques for Testing Controls

6.3 Parallel Simulation
Parallel simulation requires the auditor to write a program that simulates key features or processes of the application under review.
Creating a Simulation Program
1. The auditor must first gain a thorough understanding of the application under review. This requires complete and current documentation of the application.
2. The auditor must then identify those processes and controls in the application that are critical. These are the processes to be simulated.
3. The auditor creates the simulation using a 4GL or GAS.
4. The auditor runs the simulation program using selected production transactions and master files to produce a set of results.
5. Finally, the auditor evaluates and reconciles the test results.

For more information, contact:
