Page 1: CAATs

USING COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATT’S)

Page 2: CAATs

Computer Assisted Audit Tools and Techniques

• Has two subcomponents:

1. Software used to increase an auditor’s personal productivity and software used to perform data extraction and analysis

2. Techniques to increase the efficiency and effectiveness of the audit function

Page 3: CAATs

Input Controls

• Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete

Data input procedures can be either:

• Source document-triggered (batch)

• Direct input (real-time)

Page 4: CAATs

Source document input requires human involvement and is prone to clerical errors.

Direct input employs real-time editing techniques to identify and correct errors immediately.

Page 5: CAATs

Classes of Input Controls

1) Source document controls

2) Data coding controls

3) Batch controls

4) Validation controls

5) Input error correction

6) Generalized data input systems

Page 6: CAATs

Source Document Controls

Controls in systems using physical source documents

To control for exposure, control procedures are needed over source documents to account for each one:

• Use pre-numbered source documents

• Use source documents in sequence

• Periodically audit source documents

Page 7: CAATs

Data Coding Controls

Checks on data integrity during processing

Transcription errors:

• Addition errors

• Truncation errors

• Substitution errors

Transposition errors:

• Single transposition

• Multiple transposition

Control = Check digits

• Added to the code when it is created (suffix, prefix, embedded)

• Sum of digits (ones): detects transcription errors only

• Modulus 11: different weights per column; detects transposition and transcription errors

• Introduces storage and processing inefficiencies
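As an added illustration of the check-digit control above (example code, not from the slides): a plain sum-of-digits check digit beside a Modulus 11 check digit, with a substituted and a transposed copy of a constructed code run through each scheme to show which errors each one rejects. The 2..7 weight cycle applied from the rightmost digit is an assumed Modulus 11 convention.

```python
# Added example (not from the slides): a Modulus 11 check digit beside a plain
# sum-of-digits check, showing why the slide says the digit sum catches
# transcription errors only while Modulus 11 also catches transpositions.
# The weight cycle 2..7 applied from the rightmost digit is one common
# Modulus 11 convention and is an assumption of this example.

def digit_sum_check(code: str) -> str:
    """Check digit = sum of the digits mod 10."""
    return str(sum(int(c) for c in code) % 10)

def mod11_check(code: str) -> str:
    """Weight each column differently (2,3,...,7 repeating, from the right),
    sum, and take 11 - (sum mod 11). 10 is written 'X'; 11 becomes '0'."""
    total = sum(int(ch) * (2 + i % 6) for i, ch in enumerate(reversed(code)))
    remainder = 11 - (total % 11)
    return {10: "X", 11: "0"}.get(remainder, str(remainder))

def verify(keyed: str, scheme) -> bool:
    """Suffix-style check digit: the last character is the check digit."""
    return scheme(keyed[:-1]) == keyed[-1]

def transpose(code: str, i: int) -> str:
    """Single transposition error: swap the adjacent digits at i and i+1."""
    s = list(code)
    s[i], s[i + 1] = s[i + 1], s[i]
    return "".join(s)

def substitute(code: str, i: int, digit: str) -> str:
    """Transcription (substitution) error: a wrong digit in one position."""
    return code[:i] + digit + code[i + 1:]

def detection_table(code: str) -> dict:
    """For each scheme: is the keyed code valid, and is a substituted or a
    transposed copy rejected?"""
    result = {}
    for name, scheme in (("digit_sum", digit_sum_check), ("mod11", mod11_check)):
        keyed = code + scheme(code)
        result[name] = {
            "valid": verify(keyed, scheme),
            "catches_substitution": not verify(substitute(keyed, 0, "9"), scheme),
            "catches_transposition": not verify(transpose(keyed, 1), scheme),
        }
    return result

if __name__ == "__main__":
    print(detection_table("52704"))
```

With weights that differ by one between adjacent columns, swapping two different digits changes the weighted sum by their difference, which is never a multiple of 11, so every adjacent transposition is rejected; the unweighted digit sum is unchanged by the swap.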

Page 8: CAATs

Batch Controls

Method for handling high volumes of transaction data – esp. paper-fed IS

Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)

1) All records in the batch are processed together

2) No records are processed more than once

3) An audit trail is maintained from input to output

Requires grouping of similar input transactions

Page 9: CAATs

Batch Controls

Requires controlling the batch throughout

Batch transmittal sheet (batch control record):

• Unique batch number (serial #)

• A batch date

• A transaction code

• Number of records in the batch

• Total dollar value of a financial field

• Sum of a unique non-financial field (hash total), e.g., customer number

Batch control log

Hash totals

Page 10: CAATs

Validation Controls

Intended to detect errors in data before processing

Most effective if performed close to the source of the transaction

Some require referencing a master file

Page 11: CAATs

Field Interrogation

• Missing data checks

• Numeric-alphabetic data checks

• Zero-value checks

• Limit checks

• Range checks

• Validity checks

• Check digit

Record Interrogation

• Reasonableness checks

• Sign checks

• Sequence checks

Page 12: CAATs

File Interrogation

• Internal label checks (tape)

• Version checks

• Expiration date check

Page 13: CAATs

Input Error Correction

Batch – correct and resubmit

Controls to make sure errors are dealt with completely and accurately

1) Immediate Correction

2) Create an Error File: reverse the effects of the partially processed records and resubmit the corrected records; reinsert corrected records at the processing stage where the error was detected

3) Reject the Entire Batch

Page 14: CAATs

Generalized Data Input Systems (GDIS)

Centralized procedures to manage data input for all transaction processing systems

Eliminates need to create redundant routines for each new application

Advantages:

Improves control by having one common system perform all data validation

Ensures each AIS application applies a consistent standard of data validation

Improves systems development efficiency

Page 15: CAATs

Major components:

1) Generalized Validation Module

2) Validated Data File

3) Error File

4) Error Reports

5) Transaction Log

Page 16: CAATs

Process Controls

1) Run-to-Run Controls

2) Operator Intervention Controls

3) Audit Trail Controls

Page 17: CAATs

Run-to-Run (Batch)

Use batch figures to monitor the batch as it moves from one process to another

1) Recalculate Control Totals

2) Check Transaction Codes

3) Sequence Checks
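An added example covering both the batch transmittal sheet (Page 9) and the run-to-run checks above (example code, not from the slides): the control totals are computed once for a constructed batch and recalculated after a processing run, together with the transaction-code and sequence checks. The record layout, field names and sample batch are assumptions.

```python
# Added example (not from the slides): build a batch transmittal record for a
# constructed batch, then re-verify it run-to-run (recalculate control totals,
# check transaction codes, sequence check). Field names, the transaction
# layout and the sample batch are assumptions of this example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    seq: int          # sequence number within the batch
    tcode: str        # transaction code, e.g. "SAL" = sales invoice
    customer: int     # non-financial field used for the hash total
    amount: float     # financial field used for the dollar total

@dataclass(frozen=True)
class Transmittal:
    batch_no: str
    batch_date: str
    tcode: str
    record_count: int
    dollar_total: float
    hash_total: int   # sum of customer numbers; meaningless except as a control

def make_transmittal(batch_no, batch_date, tcode, txns) -> Transmittal:
    return Transmittal(batch_no, batch_date, tcode, len(txns),
                       round(sum(t.amount for t in txns), 2),
                       sum(t.customer for t in txns))

def run_to_run_check(sheet: Transmittal, txns) -> list:
    """Recalculate the control totals and check codes and sequence after a
    processing run; returns exception strings (empty list = batch passes)."""
    exc = []
    now = make_transmittal(sheet.batch_no, sheet.batch_date, sheet.tcode, txns)
    for field in ("record_count", "dollar_total", "hash_total"):
        if getattr(now, field) != getattr(sheet, field):
            exc.append(f"{field} {getattr(now, field)} != {getattr(sheet, field)}")
    bad = [t.seq for t in txns if t.tcode != sheet.tcode]
    if bad:
        exc.append(f"transaction code mismatch at seq {bad}")
    seqs = [t.seq for t in txns]
    if seqs != list(range(1, len(seqs) + 1)):
        exc.append(f"sequence break: {seqs}")
    return exc

# Constructed batch of three sales invoices and its transmittal sheet.
BATCH = [Txn(1, "SAL", 10045, 120.00), Txn(2, "SAL", 10102, 80.50),
         Txn(3, "SAL", 10045, 19.50)]
SHEET = make_transmittal("B-0001", "2024-01-31", "SAL", BATCH)
# Same count and dollars but one customer number re-keyed: only the hash
# total reveals it.
REKEYED = [BATCH[0], Txn(2, "SAL", 10120, 80.50), BATCH[2]]
```

`run_to_run_check(SHEET, BATCH)` returns an empty list, while `run_to_run_check(SHEET, REKEYED)` returns only the hash-total exception, which is the case the record count and dollar total cannot catch.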

Page 18: CAATs

Operator Intervention

When the operator manually enters control values into the system

Preference is for values derived by logic or provided by the system

Page 19: CAATs

Audit Trail Controls

Every transaction becomes traceable from input to output

Each processing step is documented

Preservation is key to auditability of AIS:

• Transaction logs

• Log of automatic transactions

• Listing of automatic transactions

• Unique transaction identifiers [s/n]

• Error listing

Page 20: CAATs

Output Controls

Ensure system output is:

1) Not misplaced

2) Not misdirected

3) Not corrupted

4) Privacy policy not violated

Batch systems are more susceptible to exposure and require greater controls

Controlling Batch Systems Output

• Many steps from printer to end user

• Data control clerk check point

• Unacceptable printing should be shredded

• Cost/benefit basis for controls

• Sensitivity of data drives levels of controls

Page 21: CAATs

Output spooling – risks:

• Access the output file and change critical data values

• Access the file and change the number of copies to be printed

• Make a copy of the output file so illegal output can be generated

• Destroy the output file before printing takes place

Page 22: CAATs

Print Programs

Operator Intervention:

1) Pausing the print program to load output paper

2) Entering parameters needed by the print run

3) Restarting the print run at a prescribed checkpoint after a printer malfunction

4) Removing printer output from the printer for review and distribution

Print Program Controls

• Production of unauthorized copies – employ output document controls similar to source document controls

• Unauthorized browsing of sensitive data by employees – special multi-part paper that blocks certain fields

Page 23: CAATs

• Bursting – supervision

• Waste – proper disposal of aborted copies and carbon copies

• Data control – data control group: verify and log

• Report distribution – supervision

Page 24: CAATs

• End user controls – end user detection

Report retention:

• Statutory requirements (gov’t)

• Number of copies in existence

• Existence of softcopies (backups)

• Destroyed in a manner consistent with the sensitivity of its contents

Page 25: CAATs

Controlling real-time systems output

Eliminates intermediaries

Threats: interception, disruption, destruction, corruption

Exposures: equipment failure, subversive acts

Systems performance controls

Chain of custody controls

Page 26: CAATs

TESTING COMPUTER APPLICATION CONTROLS

Page 27: CAATs

1) Black box (around)

2) White box (through)

Page 28: CAATs

Black Box Testing

Ignore internal logic of application

Use functional characteristics: flowcharts, interviews with key personnel

Advantages: do not have to remove the application from operations to test it

Appropriately applied to: simple applications, relatively low level of risk

Page 29: CAATs

White Box Testing

Relies on in-depth understanding of the internal logic of the application

Uses a small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls

Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results

Page 30: CAATs

White Box Test Methods

1) Authenticity tests: individuals / users, programmed procedures, messages to access the system (e.g., logons)

All-American University, student lab: logon, reboot, logon *

2) Accuracy tests: system only processes data values that conform to specified tolerances

3) Completeness tests: identify missing data (fields, records, files)

Page 31: CAATs

4) Redundancy tests: process each record exactly once

5) Audit trail tests: ensure the application and/or system creates an adequate audit trail (transaction listing, error files or reports for all exceptions)

6) Rounding error tests: “salami slicing” – monitor activities; excessive ones are serious exceptions, e.g., rounding and thousands of entries into a single account for $1 or 1¢
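An added example of the rounding error test described in item 6 (example code, not from the slides): a scan of constructed ledger postings that profiles, per account, how many tiny postings accumulate there and flags accounts above a tolerance as exceptions for follow-up. The posting layout, thresholds and sample data are assumptions.

```python
# Added example (not from the slides): a rounding error test of the kind the
# White Box Tests slide describes, run over constructed ledger postings. It
# flags accounts that accumulate many tiny postings (here: under $1.00) from
# rounding differences, the "salami slicing" pattern. The record layout,
# thresholds and sample data are assumptions of this example.
from collections import defaultdict

# Constructed postings: (posting_id, account, amount, memo). Normal activity is
# mixed with a stream of one-cent rounding remainders into a single account.
POSTINGS = [(1, "A-100", 1250.00, "invoice"), (2, "A-200", 0.01, "rounding"),
            (3, "A-300", 412.37, "invoice"), (4, "A-200", 0.01, "rounding")]
POSTINGS += [(i, "A-200", 0.01, "rounding") for i in range(5, 205)]    # 200 more
POSTINGS += [(i, "A-300", 0.01, "rounding") for i in range(205, 208)]  # a few, benign

def rounding_profile(postings, tiny=1.00):
    """Per account: (count, sum) of postings with 0 < |amount| < tiny."""
    count, total = defaultdict(int), defaultdict(float)
    for _id, account, amount, _memo in postings:
        if 0 < abs(amount) < tiny:
            count[account] += 1
            total[account] = round(total[account] + amount, 2)
    return {a: (count[a], total[a]) for a in count}

def salami_exceptions(postings, tiny=1.00, max_tiny_per_account=50):
    """Accounts whose tiny-posting count exceeds the tolerance are serious
    exceptions for follow-up; returns {account: (count, total)}."""
    return {a: ct for a, ct in rounding_profile(postings, tiny).items()
            if ct[0] > max_tiny_per_account}

if __name__ == "__main__":
    print(salami_exceptions(POSTINGS))
```

The tolerance is deliberately a parameter: what counts as "excessive" depends on the volume of legitimate rounding the application produces, which the auditor establishes from the base case.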

Page 32: CAATs

Computer Aided Audit Tools and Controls (CAATTs)

1) Test data method

2) Base case system evaluation

3) Tracing

4) Integrated Test Facility [ITF]

5) Parallel simulation

6) GAS

Page 33: CAATs

Test Data Method

Used to establish the application’s processing integrity

Uses a “test deck”:

• Valid data

• Purposefully selected invalid data

• Every possible input error, logical process, and irregularity

Procedures:

1) Predetermined results and expectations

2) Run test deck

3) Compare

Page 34: CAATs

Base Case System Evaluation

Variant of Test Data method

Comprehensive test data

Repetitive testing throughout SDLC

When application is modified, subsequent test (new) results can be compared with previous results (base)

Page 35: CAATs

Tracing

Test data technique that takes a step-by-step walk through the application

1) The trace option must be enabled for the application

2) Specific data or types of transactions are created as test data

3) Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)

Excellent means of debugging a faulty program

Page 36: CAATs

Test Data: Pros and Cons

Pros

– They employ a white box approach, thus providing explicit evidence

– Can be employed with minimal disruption to operations

– They require minimal computer expertise on the part of the auditors

Cons

– Auditors must rely on IS personnel to obtain a copy of the application for testing

– Audit evidence is not entirely independent

– Provides a static picture of application integrity

– Relatively high cost to implement, auditing inefficiency

Page 37: CAATs

Integrated Test Facility

ITF is an automated technique that allows auditors to test logic and controls during normal operations

1) Set up a dummy entity within the application system

2) System able to discriminate between ITF audit module transactions and routine transactions

3) Auditor analyzes ITF results against expected results

Page 38: CAATs

Parallel Simulation

Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested

1) Auditor gains a thorough understanding of the application under review

2) Auditor identifies those processes and controls critical to the application

3) Auditor creates the simulation using program or Generalized Audit Software (GAS)

4) Auditor runs the simulated program using selected data and files

5) Auditor evaluates results and reconciles differences