Chapter 17
Code Review, Test Data, and Code Comparison
Audit Evidence Collection and Evaluation
What was expected to happen or not happen?
What did happen or not happen?
What type of evidence do we have?
Is the evidence reliable?
What is the exposure, and what is the dollar value of the risk?
Evidence Collection Techniques
Program Code Review: obtain program source-code listings to evaluate the quality of the program code
Test Data: design a sample of data to be executed by the program
Code Comparison: compare two versions of a program's source or object code to determine which attributes they have in common and where they differ
Where Do Program Defects Occur?
Tentative conclusions:
A small number of program modules will contain a large number of faults
Requirements-specification and design errors are as prominent as coding errors
Design errors relate to interface problems with users
Objectives of Code Review
Identify erroneous code
Identify unauthorized code
Identify ineffective code
Identify inefficient code
Identify nonstandard code
Source-Code Review Methodology
1. Source code selection
2. Review programming standards
3. Understand the program specifications
4. Obtain source code
5. Review programming language used
6. Review source code
7. Formulate flaw hypotheses
Review Source Code
COBOL reserved words to look for when reviewing source (each one is a candidate flaw hypothesis):
Select, If, Redefines, Go To, Open/Close, Go To…Depending On, File Status, Perform…Until, Invalid Key, Search/Search All, Accept, Inspect, Display, Evaluate…When, Copy, Call
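Added example (not from the chapter): a small Python scanner that applies the reserved-word list above as a first pass at step 7, formulating flaw hypotheses. It covers a subset of the words; the hypothesis wording, the comment handling and the sample PAYROLL program are this example's own constructions, not the chapter's.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line keyword hypothesis")

# A subset of the chapter's COBOL reserved-word list, each paired with the
# flaw hypothesis it should prompt. Hypothesis wording is this example's.
HYPOTHESES = [
    (r"\bGO\s+TO\b", "GO TO",
     "unstructured transfer: check the target paragraph and what falls through"),
    (r"\bREDEFINES\b", "REDEFINES",
     "storage overlay: a write through one picture silently changes the other"),
    (r"\bPERFORM\b.*\bUNTIL\b", "PERFORM...UNTIL",
     "loop: confirm the exit condition can become true (termination error)"),
    (r"\b(OPEN|CLOSE)\b", "OPEN/CLOSE",
     "file I/O: confirm FILE STATUS is tested after the operation"),
    (r"\bINVALID\s+KEY\b", "INVALID KEY",
     "I/O exception path: confirm it is handled rather than ignored"),
    (r"\bACCEPT\b", "ACCEPT",
     "external input: confirm the value is validated before use"),
    (r"\bCALL\b", "CALL",
     "external module: confirm the called version is authorized and arguments match"),
    (r"\bDISPLAY\b", "DISPLAY",
     "output: possible leftover debug code or disclosure of sensitive data"),
    (r"\bCOPY\b", "COPY",
     "copybook: the included code is part of the review scope"),
]


def is_comment(line):
    """Fixed-format COBOL marks a comment with '*' in column 7;
    free-format uses '*>'. Comment lines are not executable code."""
    return (len(line) >= 7 and line[6] == "*") or line.lstrip().startswith("*>")


def scan_cobol(source):
    """Return one Finding per reserved-word hit on executable lines, in
    source order, so the reviewer can work the hypotheses line by line."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if is_comment(line):
            continue
        upper = line.upper()
        for pattern, keyword, hypothesis in HYPOTHESES:
            if re.search(pattern, upper):
                findings.append(Finding(number, keyword, hypothesis))
    return findings


# Constructed sample program (not from the chapter), fixed format.
# Line 12 is a commented-out DISPLAY and must not be reported.
SAMPLE_COBOL = """\
       IDENTIFICATION DIVISION.
       PROGRAM-ID. PAYROLL.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-PAY        PIC 9(7)V99.
       01  WS-PAY-X      REDEFINES WS-PAY PIC X(9).
       01  WS-EOF        PIC X VALUE 'N'.
       PROCEDURE DIVISION.
       MAIN-PARA.
           OPEN INPUT EMP-FILE.
           PERFORM READ-PARA UNTIL WS-EOF = 'Y'.
      *    DISPLAY 'DEBUG ' WS-PAY.
           ACCEPT WS-PAY FROM SYSIN.
           IF WS-PAY > 9999 GO TO ERROR-PARA.
           CALL 'TAXCALC' USING WS-PAY.
           CLOSE EMP-FILE.
           STOP RUN.
"""

if __name__ == "__main__":
    for f in scan_cobol(SAMPLE_COBOL):
        print(f"line {f.line:3}: {f.keyword:16} {f.hypothesis}")
```

The scanner only raises hypotheses; the reviewer still reads each flagged statement in context. Running it on the sample reports seven lines (REDEFINES, OPEN, PERFORM...UNTIL, ACCEPT, GO TO, CALL, CLOSE) and skips the commented-out DISPLAY.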
Benefits & Costs of Code Review
Primary benefit: provides a level of detailed knowledge about a program that auditors will find difficult to acquire using other evidence-collection techniques
Primary disadvantage: cost
Black-Box Test-Data Design Methods
Error types targeted: user interface errors; errors in interfacing with external systems or databases; efficiency problems; initialization errors; termination errors
Equivalence Partitioning
The objective during test-data design is to select one test-data element that falls within each equivalence class and one that falls outside it; every member of a class is expected to exercise the program in the same way, so one representative per class is enough.
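Added example (not the chapter's): equivalence partitioning for a closed numeric range in Python, extended beyond the slide with boundary-value cases on either side of each class edge, since off-by-one defects sit on the partition boundaries. The age validators are constructed programs under test; the defective one is written with an off-by-one on purpose to show what the boundary cases catch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    value: int
    partition: str   # which equivalence class the value belongs to
    expected: bool   # what a correct program should return


def partition_tests(low, high):
    """Equivalence partitioning for the valid range [low, high]: one
    representative inside the valid class and one in each invalid class
    (below and above), plus the boundary values on both sides of each
    edge, where off-by-one defects concentrate."""
    mid = (low + high) // 2
    cases = [
        TestCase(mid, "valid", True),
        TestCase(low - 10, "invalid-below", False),
        TestCase(high + 10, "invalid-above", False),
        # boundary values: last invalid, first valid, last valid, first invalid
        TestCase(low - 1, "invalid-below", False),
        TestCase(low, "valid", True),
        TestCase(high, "valid", True),
        TestCase(high + 1, "invalid-above", False),
    ]
    seen, unique = set(), []
    for case in cases:            # a narrow range can produce duplicates
        if case.value not in seen:
            seen.add(case.value)
            unique.append(case)
    return unique


def run_tests(validator, cases):
    """Execute the program under test on each case; return the failures."""
    return [c for c in cases if validator(c.value) != c.expected]


# Constructed programs under test (not from the chapter): an age check
# whose valid class is 18..65 inclusive.
def accept_age_correct(age):
    return 18 <= age <= 65


def accept_age_defective(age):
    return 18 < age <= 65     # deliberate off-by-one at the lower boundary


if __name__ == "__main__":
    cases = partition_tests(18, 65)
    for name, prog in (("correct", accept_age_correct),
                       ("defective", accept_age_defective)):
        failures = run_tests(prog, cases)
        print(name, "failures:", [(c.value, c.partition) for c in failures])
```

The class representatives alone (41, 8, 75) pass against both programs; only the boundary case 18 exposes the defective one, which is why boundary values are added to each partition.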
Decision Tree for Test-Data Design
White-Box Test-Data Design Methods
Focus is on whether defective execution paths exist in a program
Primary goal is to identify the control structure underlying the code and exercise it to achieve:
full statement coverage
full branch coverage
full path coverage
Fig 17-8
Loop Testing: tested as part of a basis-path testing strategy
Types of loops:
Simple loops have no other loops embedded within their control structure
Nested loops have other loops embedded within their control structure
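Added example (not from the chapter): Python code that counts basis paths from the syntax tree (cyclomatic complexity, decisions + 1) and measures statement and branch coverage of a constructed discount function by tracing its execution. The function, the inputs and the tracer are this example's assumptions, not the chapter's; the point it shows is that a single input can reach full statement coverage while leaving half of the branches untested.

```python
import ast
import dis
import sys

# Constructed program under test (not from the chapter). Its line numbers
# start at 2 because the string opens with a newline.
PROGRAM_SOURCE = """
def discount(amount, member):
    rate = 0
    if amount >= 100:
        rate = 10
    if member and amount >= 50:
        rate += 5
    if rate > 10:
        rate = 10
    return rate
"""


def load_program(source):
    """Compile a single-function program; return (function, syntax tree)."""
    tree = ast.parse(source)
    namespace = {}
    exec(compile(tree, "<program>", "exec"), namespace)
    return namespace[tree.body[0].name], tree


def basis_path_count(tree):
    """Cyclomatic complexity V(G) = decisions + 1: the number of independent
    paths a basis-path test set must exercise. Each and/or inside a
    compound condition is a further decision."""
    decisions = 0
    for node in ast.walk(tree):
        if isinstance(node, (ast.If, ast.IfExp, ast.For, ast.While)):
            decisions += 1
        elif isinstance(node, ast.BoolOp):
            decisions += len(node.values) - 1
    return decisions + 1


def trace_execution(func, inputs):
    """Run func on each argument tuple under sys.settrace; collect the
    executed lines and the (from_line, to_line) transitions inside func."""
    code = func.__code__
    lines, arcs, last = set(), set(), [None]

    def tracer(frame, event, arg):
        if frame.f_code is code:
            if event == "call":
                last[0] = None
            elif event == "line":
                lines.add(frame.f_lineno)
                if last[0] is not None:
                    arcs.add((last[0], frame.f_lineno))
                last[0] = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        for args in inputs:
            func(*args)
    finally:
        sys.settrace(None)
    return lines, arcs


def statement_coverage(func, lines):
    """(executed, total) executable lines of func, excluding the def line."""
    code = func.__code__
    total = {ln for _, ln in dis.findlinestarts(code) if ln is not None}
    total.discard(code.co_firstlineno)
    return len(lines & total), len(total)


def branch_coverage(tree, arcs):
    """(taken, total) branch outcomes. Each if/for/while line has two
    successors; an outcome counts as taken when a transition from that
    line to a distinct successor was observed."""
    decisions = {n.lineno for n in ast.walk(tree)
                 if isinstance(n, (ast.If, ast.For, ast.While))}
    taken = sum(len({to for src, to in arcs if src == d}) for d in decisions)
    return min(taken, 2 * len(decisions)), 2 * len(decisions)


def coverage_report(inputs, source=PROGRAM_SOURCE):
    """Summarise what a test-data set achieves against the program."""
    func, tree = load_program(source)
    lines, arcs = trace_execution(func, inputs)
    return {"basis_paths": basis_path_count(tree),
            "statements": statement_coverage(func, lines),
            "branches": branch_coverage(tree, arcs)}


if __name__ == "__main__":
    print(coverage_report([(200, True)]))
    print(coverage_report([(200, True), (10, False)]))
```

With the single input (200, True) every statement executes, yet only three of six branch outcomes are taken and the program has five basis paths; adding (10, False) completes branch coverage but still exercises only two paths. Line-level arcs cannot see which half of a compound condition short-circuited, so compound conditions additionally need condition coverage.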
Automated Aids:
Test data/file generators
Test capture/playback tools
Test coverage/execution-path monitor tools
Test drivers/harnesses
Test output comparators
Static analyzers
Benefits & Costs of Test Data
Major benefit: allows auditors to examine the quality of program code directly
Major disadvantage: often time-consuming and costly
Program Code Comparison
Provides some assurance that the correct version of software is being audited
Provides some assurance that any software used as an audit tool is the correct version of that software
Types of Code Comparison
Source-code comparison: software provides a meaningful listing of any discrepancies between two versions of source code
Object-code comparison: software provides a listing of any discrepancies between two versions of object code (it shows that the code differs but does not identify the nature and cause of the discrepancies)
Benefits & Costs of Code Comparison
Primary benefit: an easy way of identifying changes made to programs; neither costly to purchase nor to execute
Primary cost: does not provide any evidence directly on the quality of the code being compared
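Added example (not from the chapter): both comparison types in Python. Source comparison is a unified diff of the two listings; for object code, the concatenated bytecode of the compiled program stands in for an object module, an assumption made so the example runs without a compiler or linker. The three program versions (audited baseline, comment-only edit, logic change) are constructed for the example.

```python
import difflib
import hashlib
import types

# Constructed versions of a program (not from the chapter).
BASELINE = """\
def approve(amount, limit):
    # reject anything over the limit
    return amount <= limit
"""
COMMENT_ONLY = BASELINE.replace("# reject anything over the limit",
                                "# reject amounts above the limit")
LOGIC_CHANGE = BASELINE.replace("amount <= limit", "amount < limit")


def object_code(source):
    """Bytecode of the module and every nested function, concatenated, as a
    stand-in for an object module. Comments and line tables are not part
    of it, so only executable instructions are compared."""
    out = bytearray()

    def walk(code):
        out.extend(code.co_code)
        for const in code.co_consts:
            if isinstance(const, types.CodeType):
                walk(const)

    walk(compile(source, "<program>", "exec"))
    return bytes(out)


def compare_source(old, new):
    """Source-code comparison: a unified diff listing each discrepancy
    in context, which tells the auditor what changed."""
    return list(difflib.unified_diff(old.splitlines(), new.splitlines(),
                                     "audited", "production", lineterm=""))


def compare_object(old, new):
    """Object-code comparison: offsets whose bytes differ, plus any length
    difference. It says that the code changed, not what the change does."""
    diffs = [i for i, (a, b) in enumerate(zip(old, new)) if a != b]
    if len(old) != len(new):
        diffs.extend(range(min(len(old), len(new)), max(len(old), len(new))))
    return diffs


def fingerprint(obj):
    """SHA-256 of the object code: record this for the version audited and
    compare it before reusing a program as an audit tool."""
    return hashlib.sha256(obj).hexdigest()


if __name__ == "__main__":
    base = object_code(BASELINE)
    print("audited fingerprint:", fingerprint(base))
    print("\n".join(compare_source(BASELINE, COMMENT_ONLY)))
    print("comment-only object diff:", compare_object(base, object_code(COMMENT_ONLY)))
    print("logic-change object diff:", compare_object(base, object_code(LOGIC_CHANGE)))
```

The comment-only edit shows up in the source listing but produces identical object code, so the executable is unchanged; the logic change produces a differing byte offset, which is all the object-code comparison can say. Which operator changed, and whether it matters, has to come from the source listing or a code review.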