IT auditing chapter 7: Computer assisted audit tools and techniques

Input Controls

Programmed procedures which perform tests on transaction data to ensure that they are free from errors before they are processed.

Falls into 3 categories: Field, Record, and File Interrogation

Input Controls: Field Interrogation

involves programmed procedures that examine the characteristics of the data in the field

Field Interrogation: Check Digit

A control digit that is added to the data code to detect common errors in data submitted for processing

Field Interrogation: Missing Data check

are used to examine the contents of a field for the presence of blank spaces

Field Interrogation: Numeric-Alphabetic check

identifies when data in a particular field are in the wrong form

Field Interrogation: Limit check

determines if the value in the field exceeds an authorized limit

Field Interrogation: Range Check

this control ensures that data inputs fall within rightful range

Field Interrogation: Validity Check

compares actual field values against known acceptable values to determine the authenticity of the input

Record Interrogation

procedures validate the entire record by examining the interrelationship of its field values

Record Interrogation: Reasonable check

determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record

Record Interrogation: Sign check

verifies that the sign of a field is correct for the type of record being processed

Record Interrogation: Sequence check

used to determine if a record is out of order

File interrogation

ensures that the correct file is being processed by the system

File interrogation: Internal and external label checks

verifies that the file being processed is the one the program is actually calling for

File interrogation: Version checks

used to verify that the version of the file being processed is the correct one

File interrogation: Expiration Date check

prevents a file from being deleted before it expires

Processing Controls

are programmed procedures designed to ensure that an application’s logic is functioning properly

the 3 categories: run-to-run controls, operator intervention controls, and audit trail controls

Processing Controls: Run-to-run controls

designed to monitor the batch as it moves from one run to another. Ensures all records are processed only once, a transaction audit trail is created, and is accomplished through batch control data

Common error handling techniques: Correct immediately

upon detecting a keystroke error or an illogical relationship, the system will flag this and allow the data entry clerk to correct the error

Common error handling techniques: Create an error file

at the end of the validation procedure, the records flagged as errors are removed from the batch and placed in a temporary error holding file until the errors can be investigated

Common error handling techniques: Reject the batch

some forms of errors are associated with the entire batch and are nor clearly attributable to individual records. the most effective solution in this case is to cease processing and investigate whether this is a data control problem or a programming error in the run

Hash totals

refers to a simple control technique that uses non-financial data to keep track of the records in a batch

Processing Controls: Operator intervention controls

less prone to processing errors, reduce as much human involvement as possible

Processing Controls: Audit trail controls

the preservation of an audit trail to make every transaction in the accounting system be traceable through each stage of processing from its economic source to its presentation in financial statements

Audit controls: Transaction logs

every transaction successfully processed by the by the system should be recorded on a transaction log, which serves a journal

Audit controls: Log of automatic transactions

some transactions are triggered internally by the system. To maintain an audit trail of these activities, all internally generated

Computer-aided audit tools and techniques: Parallel Simulation

Requires the auditor to write a program that simulates key features or processes of the application under review. The simulated application is then used to reprocess transactions that were previously processed by the production application. The results obtained from the simulation are reconciled with the results of the original production run to establish a basis for making inferences about the quality of application