Chapter 17

IT Controls Part III:

Systems Development, Program
Changes, and Application Controls
Accounting Information Systems, 5th edition
James A. Hall

COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo,
and South-Western are trademarks used herein under license
 Objectives for Chapter 15
• Controls and audit tests relevant to
systems development
• Risks and controls for program changes
and the source program library
• Auditing techniques (CAATTs) used to
verify application controls
• Auditing techniques used to perform
substantive tests in an IT environment
Systems Development Activities
• Authorizing development of new systems
• Addressing and documenting user needs
• Technical design phases
• Participation of internal auditors
• Testing program modules before
implementing
– Testing individual modules by a team of users,
internal audit staff, and systems professionals
 Systems Development Life Cycle

Business Needs and

Strategy

Legacy Situation
Business Requirements

1. Systems Strategy
-- Assessment
Assessment Feedback:
Feedback:
-- Develop
Develop Strategic
Strategic Plan
Plan User requests for New Systems
System Interfaces, Architecture
and User Requirements
High Priority Proposals undergo
Additional Study and Development

2. Project Initiation
- Feasibility
Feasibility Study
Study
-- Analysis
Analysis
- Conceptual
Conceptual Design
Design
- Cost/Benefit
Cost/Benefit Analysis
Analysis Feedback:
Feedback:
User requests for System
Selected System Proposals Improvements and Support
go forward for Detailed
Design

3. In-house Development 4. Commercial Packages

-- Construct
Construct -- Configure
Configure
-- Deliver
Deliver -- Test
Test
-- Roll-out
Roll-out

New and Revised

Systems Enter into
Production

5. Maintenance & Support

-- User
User help
help desk
desk
-- Configuration
Configuration Management
Management
-- Risk
Risk Management
Management && Security
Security
 Systems Development
Auditing objectives: ensure that...
– SDLC activities are applied consistently and in
accordance with management’s policies
– the system as originally implemented was free
from material errors and fraud
– the system was judged to be necessary and
justified at various checkpoints throughout the
SDLC
– system documentation is sufficiently accurate
and complete to facilitate audit and
maintenance activities
 Systems Development IC
• New systems must be authorized.
• Feasibility studies were conducted.
• User needs were analyzed and
addressed.
• Cost-benefit analysis was done.
• Proper documentation was completed.
• All program modules must be thoroughly
tested before they are implemented.
• Checklist of problems was kept.
 System Maintenance IC
• Last, longest and most costly phase of
SDLC
– Up to 80-90% of entire cost of a system
• All maintenance actions should require
– Technical specifications
– Testing
– Documentation updates
– Formal authorizations for any changes
 Program Change
Auditing objectives: detect unauthorized
program maintenance and determine that...
– maintenance procedures protect
applications from unauthorized changes
– applications are free from material errors
– program libraries are protected from
unauthorized access
 Source Program Library
• Source program library (SPL)
– library of applications and software
– place where programs are developed and
modified
– once compiled into machine language, no
longer vulnerable
Uncontrolled Access to the SPL
Controlled SPL Environments
• SPL Management Systems (SPLMS)
protect the SPL by controlling the
following functions:
– storing programs on the SPL
– retrieving programs for maintenance
purposes
– deleting obsolete programs from the library
– documenting program changes to provide
an audit trail of the changes
Source Program Library under the Control of SPL Management Software
 SPL Control Features
• Password control
• Separation of test libraries
• Audit trails
• Reports that enhance management control
and the audit function
• Assigns program version numbers
automatically
• Controlled access to maintenance
commands
 Program Change
• Auditing procedures: verify that
programs were properly maintained,
including changes
• Specifically, verify…
– identification and correction of unauthorized
program changes
– identification and correction of application
errors
– control of access to systems libraries
 Application Controls
• Narrowly focused exposures within a
specific system, for example:
– accounts payable
– cash disbursements
– fixed asset accounting
– payroll
– sales order processing
– cash receipts
– general ledger
 Application Controls
• Risks within specific applications
• Can affect manual procedures (e.g., entering
data) or embedded (automated) procedures
• Convenient to look at in terms of:
– input stage
– processing stage
– output stage

INPUT PROCESSING OUTPUT

 Application Input Controls
• Goal of input controls - valid,
accurate, and complete input data
• Two common causes of input
errors:
– transcription errors – wrong character or
value
– transposition errors – ‘right’ character or
value, but in wrong place
 Application Input Controls
• Check digits – data code is added to
produce a control digit
– especially useful for transcription and
transposition errors
• Missing data checks – control for blanks
or incorrect justifications
• Numeric-alphabetic checks – verify that
characters are in correct form
 Application Input Controls
• Limit checks – identify values beyond pre-
set limits
• Range checks – identify values outside
upper and lower bounds
• Reasonableness checks – compare one
field to another to see if relationship is
appropriate
• Validity checks – compares values to
known or standard values
Application Processing Controls
• Programmed procedures the
processes that transform input data
into information for output
• Three categories:
– Batch controls
– Run-to-run controls
– Audit trail controls
Application Processing Controls
• Batch controls - reconcile system
output with the input originally
entered into the system
• Based on different types of batch
totals:
– total number of records
– total dollar value
– hash totals – sum of non-financial
numbers
Application Processing Controls
• Run-to-run controls - use batch figures
to monitor the batch as it moves from one
programmed procedure (run) to another
• Audit trail controls - numerous logs
used so that every transaction can be
traced through each stage of processing
from its economic source to its
presentation in financial statements
Transaction Log to Preserve the
Audit Trail
 Application Output Controls
• Goal of output controls is to ensure
that system output is not lost,
misdirected, or corrupted, and that
privacy is not violated.
• In the following flowchart, there are
exposures at every stage.
Output Flowchart
 Application Controls Output
• Output spooling – creates a file
during the printing process that may
be inappropriately accessed
• Printing – create two risks:
– production of unauthorized copies of
output
– employee browsing of sensitive data
 Application Controls Output
• Waste – can be stolen if not properly
disposed of, e.g., shredding
• Report distribution – for sensitive
reports, the following are available:
– use of secure mailboxes
– require the user to sign for reports in
person
– deliver the reports to the user
 Application Controls Output
• End user controls – end users need
to inspect sensitive reports for
accuracy
– shred after used
• Controlling digital output – digital
output message can be intercepted,
disrupted, destroyed, or corrupted as it
passes along communications links
 Testing Application Controls
• Techniques for auditing applications
fall into two classes:
1) testing application controls – two
general approaches:
– black box – around the computer
– white box – through the computer
2) examining transaction details and
account balances—substantive testing
Auditing Around the Computer -
The Black Box Approach
Auditing through the Computer:
The ITF Technique
 Testing Application Controls
• Black Box Approach – focuses on
input procedures and output results
• To Gain need understanding…
– analyze flowcharts
– review documentation
– conduct interviews
 Testing Application Controls
• White Box Approach - focuses on
understanding the internal logic of processes
between input and output
• Common tests
– Authenticity tests
– Accuracy tests
– Completeness tests
– Redundancy tests
– Access tests
– Audit trail tests
– Rounding error tests
White Box Testing Techniques
• Test data method: testing for logic or control
problems - good for new systems or systems
which have undergone recent maintenance
– base case system evaluation (BCSE) - using a
comprehensive set of test transactions
– tracing - performs an electronic walkthrough of the
application’s internal logic
• Test data methods are not fool-proof
– a snapshot - one point in time examination
– high-cost of developing adequate test data
White Box Testing Techniques
• Integrated test facility (ITF): an
automated, on-going technique that
enables the auditor to test an
application’s logic and controls during its
normal operation
• Parallel simulation: auditor writes
simulation programs and runs actual
transactions of the client through the
system
 Auditing through the Computer:
The Parallel Simulation Technique
 Substantive Testing
• Techniques to substantiate account
balances. For example:
– search for unrecorded liabilities
– confirm accounts receivable to ensure they
are not overstated
• Requires first extracting data from the
system. Two technologies commonly used
to select, access, and organize data are:
– embedded audit module
– generalized audit software
 Embedded Audit Module
• An ongoing module which filters out non-
material transactions
• The chosen, material transactions are used
for sampling in substantive tests
• Requires additional computing resources
by the client
• Hard to maintain in systems with high
maintenance
 Substantive Testing:
Embedded Audit Module
 Generalized Audit Software
• Very popular & widely used
• Can access data files & perform operations on
them:
– screen data
– statistical sampling methods
– foot & balance
– format reports
– compare files and fields
– recalculate data fields
 Substantive Testing:
Generalized Audit Software