
Week 8 Computer-Assisted Audit Techniques ch07

This document discusses computer-assisted audit techniques (CAATs). It covers several topics related to CAATs including classes of input controls, batch controls, validation controls, error correction procedures, generalized data input systems, classes of processing controls, output controls, and testing computer application controls using black box and white box approaches. The overall purpose of CAATs is to automate auditing procedures to improve efficiency and effectiveness.

Session 8

Chapter 7: Computer-Assisted Audit Techniques [CAATs]

IT Auditing & Assurance, 2e, Hall & Singleton
CHAPTER REVIEW
CHAPTER 1 Auditing and Internal Control 1
CHAPTER 2 Auditing IT Governance Controls 35
CHAPTER 3 Security Part I: Auditing Operating Systems and Networks 67
CHAPTER 4 Security Part II: Auditing Database Systems 129
CHAPTER 5 Systems Development and Program Change Activities 171
CHAPTER 6 Transaction Processing and Financial Reporting Systems Overview 223
CHAPTER 7 Computer-Assisted Audit Tools and Techniques 289
CHAPTER 8 Data Structures and CAATTs for Data Extraction 327
CHAPTER 9 Auditing the Revenue Cycle 393
CHAPTER 10 Auditing the Expenditure Cycle 469
CHAPTER 11 Enterprise Resource Planning Systems 545
CHAPTER 12 Business Ethics, Fraud, and Fraud Detection 585

INTRODUCTION TO INPUT CONTROLS
• Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete
• Data input procedures can be either:
  • Source document-triggered (batch) – human involvement
  • Direct input (real-time) – real-time editing



CLASSES OF INPUT CONTROLS
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems

#1-SOURCE DOCUMENT CONTROLS
• Controls in systems using physical source documents
• Source document fraud
• To control for exposure, control procedures are needed over source documents to account for each one
  • Use pre-numbered source documents
  • Use source documents in sequence
  • Periodically audit source documents

#2-DATA CODING CONTROLS
• Checks on data integrity during processing
• Transcription errors
  • Addition errors, extra digits: 12345 → 123455
  • Truncation errors, digit removed: 12345 → 1234
  • Substitution errors, digit replaced: 12345 → 12355
• Transposition errors
  • Single transposition: adjacent digits transposed (reversed)
    • 12345 → 21345
  • Multiple transposition: non-adjacent digits are transposed
    • 12345 → 14325
• Control = Check digits
  • Added to code when created (suffix, prefix, embedded)
  • Sum of digits (ones): transcription errors only
  • Modulus 11: different weights per column: transposition and transcription errors
  • Storage and processing inefficiencies

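
The two check-digit schemes on this slide, run against the slide's own error examples; this is an added example, not part of the original slides. The function names, the weighting (2, 3, 4, ... from the rightmost digit), the suffix placement and the use of X for a check value of 10 are assumptions.

```python
# Added example (not from the slides): check-digit schemes vs. the slide's errors.

def sum_check_digit(code: str) -> str:
    """Sum-of-digits scheme: ones digit of the digit sum."""
    return str(sum(int(d) for d in code) % 10)

def mod11_check_digit(code: str) -> str:
    """Modulus 11 scheme: weights 2, 3, 4, ... counted from the rightmost digit."""
    weights = range(2, len(code) + 2)
    total = sum(int(d) * w for d, w in zip(reversed(code), weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)  # assumption: a value of 10 is written X

SCHEMES = {"sum": sum_check_digit, "mod11": mod11_check_digit}

def is_valid(coded: str, scheme: str) -> bool:
    """Recompute the check digit (stored here as a suffix) and compare."""
    base, stored = coded[:-1], coded[-1:]
    return base.isdigit() and SCHEMES[scheme](base) == stored

def detects(scheme: str, original: str, keyed: str) -> bool:
    """True if the scheme rejects `keyed` when `original` was the intended code."""
    stored = SCHEMES[scheme](original)  # digit assigned when the code was created
    return not is_valid(keyed + stored, scheme)

# The slide's error examples, each a corruption of the code 12345.
SLIDE_ERRORS = {
    "addition": "123455",
    "truncation": "1234",
    "substitution": "12355",
    "single transposition": "21345",
    "multiple transposition": "14325",
}

def detection_table() -> dict:
    """Which of the slide's errors each scheme catches."""
    return {scheme: {name: detects(scheme, "12345", bad)
                     for name, bad in SLIDE_ERRORS.items()}
            for scheme in SCHEMES}

if __name__ == "__main__":
    for scheme, row in detection_table().items():
        print(f"{scheme:6}", row)
```

The sum-of-digits scheme accepts both transposed codes because reordering digits leaves their sum unchanged, which is why the slide limits it to transcription errors.
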
#3-BATCH CONTROLS
• Method for handling high volumes of transaction data – esp. paper-fed IS
• Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
  1) All records in the batch are processed together
  2) No records are processed more than once
  3) An audit trail is maintained from input to output
• Requires grouping of similar input transactions



Batch Processing

#3-BATCH CONTROLS (cont’d)
• Requires controlling batch throughout
• Batch transmittal sheet (batch control record) – Figure 7-1, p. 302
  • Unique batch number (serial #)
  • A batch date
  • A transaction code
  • Number of records in the batch
  • Total dollar value of financial field
  • Sum of unique non-financial field
    • Hash total
    • E.g., customer number
• Batch control log – Figure 7-3, p. 303
• Hash totals



#4-VALIDATION CONTROLS
• Field Interrogation
  • Missing data checks
  • Numeric-alphabetic data checks
  • Zero-value checks
  • Limit checks
  • Range checks
  • Validity checks
  • Check digit
• Record Interrogation
  • Reasonableness checks (logic)
  • Sign checks (+/- in finance)
  • Sequence checks
• File Interrogation
  • Internal label checks (tape)
  • Version checks
  • Expiration date check



#5-INPUT ERROR CORRECTION
• Batch – correct and resubmit
• Controls to make sure errors are dealt with completely and accurately
  1) Immediate Correction
  2) Create an Error File
     • Reverse the effects of partially processed transactions, resubmit corrected records
     • Reinsert corrected records in processing stage where error was detected
  3) Reject the Entire Batch



#6-GENERALIZED DATA INPUT SYSTEMS (GDIS)
• Centralized procedures to manage data input for all transaction processing systems
• Eliminates need to create redundant routines for each new application
• Advantages:
  • Improves control by having one common system perform all data validation
  • Ensures each AIS application applies a consistent standard of data validation
  • Improves systems development efficiency

#6-GDIS (cont’d)
• Major components:
  1) Generalized Validation Module
  2) Validated Data File
  3) Error File
  4) Error Reports
  5) Transaction Log
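
A small validation module in the shape of the GDIS components above, applying the field and record interrogation checks from the validation controls slide; this is an added example, not part of the original slides. The field names, code table, limits and sample batch are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

VALID_CODES = {"SALE", "RETURN"}     # validity check (assumed code table)
MAX_AMOUNT = Decimal("10000")        # limit check (assumed ceiling)
QTY_RANGE = range(1, 501)            # range check (assumed bounds)

def check_record(rec, last_seq):
    """Return the list of failed checks for one keyed-in record."""
    missing = [f"missing:{f}" for f in ("seq", "code", "qty", "amount") if not rec.get(f)]
    if missing:
        return missing
    try:                                             # numeric-alphabetic data check
        seq, qty, amount = int(rec["seq"]), int(rec["qty"]), Decimal(rec["amount"])
    except (ValueError, InvalidOperation):
        return ["numeric"]
    errs = []
    if amount == 0:
        errs.append("zero-value")
    if abs(amount) > MAX_AMOUNT:
        errs.append("limit")
    if qty not in QTY_RANGE:
        errs.append("range")
    if rec["code"] not in VALID_CODES:
        errs.append("validity")
    elif (rec["code"] == "SALE") != (amount > 0):    # record interrogation: sign check
        errs.append("sign")
    if seq <= last_seq:                              # record interrogation: sequence check
        errs.append("sequence")
    return errs

def run_gdis(batch):
    """Split a batch into validated file and error file, logging every record."""
    validated, error_file, log, last_seq = [], [], [], 0
    for rec in batch:
        errs = check_record(rec, last_seq)
        (error_file if errs else validated).append(rec)
        log.append((rec.get("seq"), "REJECTED " + ",".join(errs) if errs else "ACCEPTED"))
        if not errs:
            last_seq = int(rec["seq"])
    return validated, error_file, log

# Constructed sample batch (values as keyed in, so everything is a string).
BATCH = [
    {"seq": "1", "code": "SALE",   "qty": "2",   "amount": "120.00"},
    {"seq": "2", "code": "RETURN", "qty": "1",   "amount": "60.00"},   # wrong sign
    {"seq": "3", "code": "SALE",   "qty": "abc", "amount": "15.00"},   # non-numeric
    {"seq": "4", "code": "GIFT",   "qty": "900", "amount": "0"},       # several failures
    {"seq": "1", "code": "SALE",   "qty": "5",   "amount": "30.00"},   # out of sequence
    {"seq": "6", "code": "SALE",   "qty": "",    "amount": "30.00"},   # missing field
]
```

Because every application would call the same `run_gdis` routine, each one rejects the same records for the same reasons, which is the consistency advantage the GDIS slide lists.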



CLASSES OF PROCESSING CONTROLS
1) Run-to-Run Controls
2) Operator Intervention Controls
3) Audit Trail Controls



#1-RUN-TO-RUN (BATCH)
• Use batch figures to monitor the batch as it moves from one process to another
  1) Recalculate Control Totals
  2) Check Transaction Codes
  3) Sequence Checks
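
The batch transmittal sheet figures from the batch controls slide and the three run-to-run checks above, worked through on one batch; this is an added example, not part of the original slides. The record layout, function names and sample payments are constructed assumptions.

```python
from decimal import Decimal

def control_totals(records):
    """Figures for the batch transmittal sheet, computed at data preparation."""
    return {
        "count": len(records),
        "dollar_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["customer"]) for r in records),  # non-financial field
    }

def run_to_run_check(transmittal, records, expected_code):
    """Run-to-run control: recalculate totals, check codes, check sequence."""
    exceptions = []
    actual = control_totals(records)
    for name, expected in transmittal.items():
        if actual[name] != expected:
            exceptions.append(f"{name}: expected {expected}, got {actual[name]}")
    if any(r["code"] != expected_code for r in records):
        exceptions.append("transaction code mismatch")
    seqs = [r["seq"] for r in records]
    if seqs != sorted(set(seqs)):
        exceptions.append("sequence error")
    return exceptions

# Constructed batch of customer payments (all values are sample data).
BATCH = [
    {"seq": 1, "code": "PAY", "customer": "10231", "amount": "250.00"},
    {"seq": 2, "code": "PAY", "customer": "10477", "amount": "75.50"},
    {"seq": 3, "code": "PAY", "customer": "10890", "amount": "1200.00"},
]
TRANSMITTAL = control_totals(BATCH)

def scenarios():
    """The same batch after three different processing runs."""
    redirected = [dict(r) for r in BATCH]
    redirected[2]["customer"] = "10231"   # same amount, posted to another customer
    return {
        "intact": run_to_run_check(TRANSMITTAL, BATCH, "PAY"),
        "redirected": run_to_run_check(TRANSMITTAL, redirected, "PAY"),
        "processed twice": run_to_run_check(TRANSMITTAL, BATCH + [BATCH[1]], "PAY"),
    }

if __name__ == "__main__":
    for name, found in scenarios().items():
        print(name, "->", found or "no exceptions")
```

In the redirected scenario the record count and dollar total still agree with the transmittal sheet; only the hash total on customer number exposes the change.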



#2-OPERATOR INTERVENTION
• When operator manually enters controls into the system
• Preference is for controls derived by logic or provided by the system



#3-AUDIT TRAIL CONTROLS
• Every transaction becomes traceable from input to output
• Each processing step is documented
• Preservation is key to auditability of AIS
  • Transaction logs
  • Log of automatic transactions
  • Listing of automatic transactions
  • Unique transaction identifiers [s/n]
  • Error listing

OUTPUT CONTROLS
• Ensure system output:
  1) Not misplaced
  2) Not misdirected
  3) Not corrupted
  4) Privacy policy not violated
• Batch systems more susceptible to exposure, require greater controls
• Controlling Batch Systems Output
  • Many steps from printer to end user
  • Data control clerk check point
  • Unacceptable printing should be shredded
  • Cost/benefit basis for controls
  • Sensitivity of data drives levels of controls



OUTPUT CONTROLS (cont’d)
• Print Programs
  • Operator Intervention:
    1) Pausing the print program to load output paper
    2) Entering parameters needed by the print run
    3) Restarting the print run at a prescribed checkpoint after a printer malfunction
    4) Removing printer output from the printer for review and distribution
  • Print Program Controls
    • Production of unauthorized copies
      • Employ output document controls similar to source document controls
    • Unauthorized browsing of sensitive data by employees
      • Special multi-part paper that blocks certain fields

OUTPUT CONTROLS (cont’d)
• Bursting
  • Supervision
• Waste
  • Proper disposal of aborted copies and carbon copies
• Data control
  • Data control group – verify and log
• Report distribution
  • Supervision

OUTPUT CONTROLS (cont’d)
• Controlling real-time systems output
  • Eliminates intermediaries: direct to computer screen, terminal, or printer
  • Threats:
    • Interception
    • Disruption
    • Destruction
    • Corruption
  • Exposures:
    • Equipment failure
    • Subversive acts: intercepts output between sender & receiver



TESTING COMPUTER APPLICATION CONTROLS
1) Black box (around)
2) White box (through)



TESTING COMPUTER APPLICATION CONTROLS-BLACK BOX
• Ignore internal logic of application
• Use functional characteristics
  • Flowcharts
  • Interview key personnel
• Advantages:
  • Do not have to remove application from operations to test it
• Appropriately applied:
  • Simple applications
  • Relatively low level of risk



TESTING COMPUTER APPLICATION CONTROLS-WHITE BOX
• Relies on in-depth understanding of the internal logic of the application
• Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
• Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results



WHITE BOX TEST METHODS
1) Authenticity tests:
   • Individuals / users
   • Programmed procedure
   • Messages to access system (e.g., logons)
   • All-American University, student lab: logon, reboot, logon *
2) Accuracy tests:
   • System only processes data values that conform to specified tolerances (range tests, field tests, and limit tests)
3) Completeness tests:
   • Identify missing data (field, records, files)



WHITE BOX TEST METHODS
4) Redundancy tests:
   • Process each record exactly once
5) Audit trail tests:
   • Ensure application and/or system creates an adequate audit trail
     • Transactions listing
     • Error files or reports for all exceptions
6) Rounding error tests:
   • “Salami slicing”
   • Monitor activities – excessive ones are serious exceptions; e.g., rounding and thousands of entries into a single account for $1 or 1¢
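
One way an auditor could run the monitoring described under rounding error tests over a ledger extract, as an added example that is not part of the original slides. The thresholds, account identifiers and ledger contents are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

SMALL = Decimal("1.00")     # assumed ceiling for a "small" entry ($1 or less)
MAX_SMALL_ENTRIES = 100     # assumed tolerance per account for the period

def small_entry_exceptions(entries, small=SMALL, max_count=MAX_SMALL_ENTRIES):
    """Return accounts credited with an excessive number of tiny amounts."""
    stats = defaultdict(lambda: [0, Decimal("0")])   # account -> [count, total]
    for account, amount in entries:
        amount = Decimal(amount)
        if 0 < amount <= small:
            stats[account][0] += 1
            stats[account][1] += amount
    return {acct: (n, total) for acct, (n, total) in stats.items() if n > max_count}

def sample_ledger():
    """Constructed ledger: ordinary postings plus one account fed by 1-cent entries."""
    entries = [(f"C{i:04d}", f"{i % 37 + 2}.{i % 100:02d}") for i in range(3000)]
    entries += [("C0007", "0.75")] * 3          # a few small entries: within tolerance
    entries += [("X-9999", "0.01")] * 2500      # thousands of 1-cent credits
    return entries

if __name__ == "__main__":
    for account, (count, total) in small_entry_exceptions(sample_ledger()).items():
        print(f"exception: {account} received {count} small entries totalling {total}")
```

The total involved is only 25.00, so a materiality filter on amount alone would miss it; the count of entries per account is what raises the exception.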



COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)
1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS



#1 – TEST DATA
• Used to establish the application processing integrity
• Uses a “test deck”
  • Valid data
  • Purposefully selected invalid data
  • Every possible:
    • Input error
    • Logical processes
    • Irregularity
• Procedures:
  1) Predetermined results and expectations
  2) Run test deck
  3) Compare



#2 – BASE CASE SYSTEM EVALUATION (BCSE)
• Variant of Test Data method
• Comprehensive test data
• Repetitive testing throughout SDLC
• When application is modified, subsequent test (new) results can be compared with previous results (base)



#3 – TRACING
• Test data technique that takes a step-by-step walk through the application
  1) The trace option must be enabled for the application
  2) Specific data or types of transactions are created as test data
  3) Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
• Excellent means of debugging a faulty program



TEST DATA: ADVANTAGES AND DISADVANTAGES
• Advantages of test data
  1) They employ white box approach, thus providing explicit evidence
  2) Can be employed with minimal disruption to operations
  3) They require minimal computer expertise on the part of the auditors
• Disadvantages of test data
  1) Auditors must rely on IS personnel to obtain a copy of the application for testing
  2) Audit evidence is not entirely independent
  3) Provides static picture of application integrity
  4) Relatively high cost to implement, auditing inefficiency



#4 – INTEGRATED TEST FACILITY
• ITF is an automated technique that allows auditors to test logic and controls during normal operations
  1) Set up a dummy entity within the application system
  2) System able to discriminate between ITF audit module transactions and routine transactions
  3) Auditor analyzes ITF results against expected results



#5 – PARALLEL SIMULATION
• Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested
  1) Auditor gains a thorough understanding of the application under review
  2) Auditor identifies those processes and controls critical to the application
  3) Auditor creates the simulation using program or Generalized Audit Software (GAS)
  4) Auditor runs the simulated program using selected data and files
  5) Auditor evaluates results and reconciles differences
