Audit Around Computer
Audit Through Computer
+
Application Control Testing
Application Control
LEARNING OBJECTIVES
After studying this chapter, you should:
Be familiar with the classes of transaction input controls used by accounting applications.
Understand the objectives and techniques used to implement processing controls, including run-to-run, operator intervention, and audit trail controls.
Understand the methods used to establish effective output controls for both batch and real-time systems.
Know the difference between black box and white box auditing.
Be familiar with the key features of the five CAATTs.
Application Control
Input data: accurate, complete, authorized, and correct.
Data: processed as intended in an acceptable time period.
Data stored: accurate and complete.
Outputs: accurate and complete.
A record: maintained to track the process of data from input to storage and to the eventual output.
2. Input Controls
Input controls at this stage are designed to ensure that these transactions are valid,
accurate, and complete.
Data input procedures can be either:
source document-triggered (batch): involves human involvement and is prone to clerical errors.
direct input (real time): uses real-time editing techniques.
Classes of Input Control
Input controls are divided into the following broad classes:
Source document controls
Data coding controls
Batch controls
Validation controls
Input error correction
Generalized data input systems
96543
4537838 hash total
How can this number be of use? Assume that after this batch of records leaves
data control, someone replaced one of the sales orders in the batch with a
fictitious record of the same dollar amount.
How would the batch control procedures detect this irregularity?
The hash total, calculated by the batch control procedures, would not balance.
Thus, the irregularity would be detected.
3. Processing Controls
Processing controls are divided into three categories: (1) run-to-run controls, (2) operator
intervention controls, and (3) audit trail controls.
3.1 Run-to-Run Controls
Run-to-run controls use batch figures to monitor the batch as it moves from one
programmed procedure (run) to another. These controls ensure that each run in the
system processes the batch correctly and completely. Batch control figures may be
contained in either a separate control record created at the data input stage or an
internal label.
Specific uses of run-to-run control figures:
Recalculate Control Totals.
After each major operation in the process and after each run, dollar amount fields,
hash totals, and record counts are accumulated and compared to the corresponding
values stored in the control record.
Transaction Codes.
The transaction code of each record in the batch is compared to the transaction code
contained in the control record. This ensures that only the correct type of transaction
is being processed.
Sequence Checks.
In systems that use sequential master files, the order of the transaction records in the
batch is critical to correct and complete processing. As the batch moves through the
process, it must be re-sorted in the order of the master file used in each run. The sequence
check control compares the sequence of each record in the batch with the previous record.
Run-to-run controls in a revenue cycle system:
The system comprises four runs: (1) data input, (2) AR update, (3) inventory update, and
(4) output. At the end of the AR run, batch control figures are recalculated and reconciled
with the control totals passed from the data input run. These figures are then passed to
the inventory update run, where they are again recalculated, reconciled, and passed to
the output run.
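Added example (not from the original slides): a small Python sketch of the batch control record and the run-to-run checks described above, including the substitution case from the hash total question. The record layout, the use of the order number as the hashed field, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    order_no: int      # non-financial key; summed into the hash total (assumed field)
    code: str          # transaction code, e.g. "SO" for a sales order
    amount: Decimal

@dataclass(frozen=True)
class ControlRecord:
    code: str
    count: int
    amount_total: Decimal
    hash_total: int

def make_control(batch, code):
    """Built once at the data input stage and passed along with the batch."""
    return ControlRecord(code, len(batch),
                         sum((t.amount for t in batch), Decimal(0)),
                         sum(t.order_no for t in batch))

def reconcile(batch, ctl):
    """Recalculate the control figures after a run; return the checks that fail."""
    errors = []
    if len(batch) != ctl.count:
        errors.append("record count")
    if sum((t.amount for t in batch), Decimal(0)) != ctl.amount_total:
        errors.append("dollar total")
    if sum(t.order_no for t in batch) != ctl.hash_total:
        errors.append("hash total")
    if any(t.code != ctl.code for t in batch):
        errors.append("transaction code")
    # Sequence check: each key is compared with the previous record's key.
    if any(b.order_no <= a.order_no for a, b in zip(batch, batch[1:])):
        errors.append("sequence")
    return errors

# Constructed sample batch and its control record.
BATCH = [Txn(1001, "SO", Decimal("250.00")),
         Txn(1005, "SO", Decimal("75.50")),
         Txn(1009, "SO", Decimal("410.25"))]
CONTROL = make_control(BATCH, "SO")

def substituted_batch():
    """Order 1005 replaced by a fictitious order of the same dollar amount."""
    return [BATCH[0], Txn(1007, "SO", Decimal("75.50")), BATCH[2]]

if __name__ == "__main__":
    print("clean batch:      ", reconcile(BATCH, CONTROL))
    print("substituted order:", reconcile(substituted_batch(), CONTROL))
    print("record dropped:   ", reconcile(BATCH[:2], CONTROL))
```

The substituted batch passes the record count and dollar total and fails only the hash total. A plain sum used as a hash total still misses a substitution whose key values add up to the same figure.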
3.2 Operator Intervention Controls
Systems sometimes require operator intervention to initiate certain actions, such as
entering control totals for a batch of records. Operator intervention increases the
potential for human error, so intervention controls are needed.
3.3 Audit Trail Controls
The audit trail can become fragmented and difficult to follow. Examples of audit trail controls:
Transaction Logs.
Every transaction successfully processed by the system should be recorded on a transaction
log, which serves as a journal. The system should produce a hard copy transaction listing of all
successful transactions, which should go to the appropriate users to facilitate reconciliation with input.
Log of Automatic Transactions.
Some transactions are triggered internally by the system. For example, when inventory drops
below a preset reorder point, the system automatically processes a purchase order.
Listing of Automatic Transactions.
The responsible end user should receive a detailed listing of all internally generated
transactions.
Unique Transaction Identifiers.
Each transaction processed by the system must be uniquely identified with a
transaction number. In real-time systems, which do not use source documents, the
system should assign each transaction a unique number.
Error Listing.
A listing of all error records should go to the appropriate user to support error
correction and resubmission.
4. Output Controls
Output controls ensure that system output is not lost, misdirected, or corrupted and
that privacy is not violated. Exposures of this sort can cause financial, reputational, and
legal losses.
The type of processing method in use (batch or real-time) influences the choice of
controls employed to protect system output.
4.1 Controlling Batch Systems Output
Batch systems usually produce output in the form of hard copy, which typically
requires the involvement of intermediaries in its production and distribution.
Controls at each phase of the output process:
4.1.1 Output Spooling Control.
A spool is a temporary memory allocation for system output. A computer
criminal may use this opportunity to perform any of the following unauthorized acts:
Change critical data values (such as dollar amounts on checks).
Change the number of copies of output to be printed.
Make a copy of the output file to produce illegal output reports.
Destroy the output file before output printing takes place.
4.1.2 Print Programs Controls.
Print program controls are designed to deal with two exposures:
(1) the production of unauthorized copies of output
(2) employee browsing of sensitive data.
4.1.3 Bursting Control.
The bursting clerk may make an unauthorized copy of the report, remove a page
from the report, or read sensitive information. The primary control against these
exposures is supervision.
4.1.4 Waste Control.
Computer output waste represents a potential exposure. Passing it through a
paper shredder can easily destroy sensitive computer output.
4.1.5 Data Control.
The data control group is responsible for verifying the accuracy of computer output
before it is distributed to the user.
4.1.6 Report Distribution Control
The primary risks include reports being lost, stolen, or misdirected in transit to the
user. Controls include printing the name and address of the user on the report.
4.1.7 End User Controls.
Once in the hands of the user, output reports should be reexamined for any errors.
Once a report has served its purpose, it should be stored in a secure location until
its retention period has expired.
4.2 Controlling Real-Time Systems Output
Real-time systems direct their output to the user's computer screen, terminal, or
printer. This method of distribution eliminates the various intermediaries in the
journey from the computer center to the user.
The threat to real-time output is interception, disruption, destruction, or corruption of
the output message as it passes along the communications link. This threat comes
from: (1) equipment failure; and (2) subversive acts, whereby a computer criminal
intercepts the output message transmitted between sender and receiver.