
Chapter 17—IT Controls Part III: Systems Development, Program Changes, and Application Controls

TRUE/FALSE

1. Programs in their compiled state are very susceptible to the threat of unauthorized modification.

ANS: F

2. Maintenance access to systems increases the risk that logic will be corrupted either by accident or by intent to defraud.

ANS: T

3. Source program library controls should prevent and detect unauthorized access to application programs.

ANS: T

4. A check digit is a method of detecting data coding errors.

ANS: T

5. Input controls are intended to detect errors in transaction data after processing.

ANS: F

6. A header label is an internal, machine-readable label.

ANS: T

7. The user test and acceptance procedure is the last point at which the user can determine the system’s acceptability prior to it going into service.

ANS: T

8. A run-to-run control is an example of an output control.

ANS: F

9. Shredding computer printouts is an example of an output control.

ANS: T

10. In a CBIS environment, all input controls are implemented after data is input.

ANS: F

11. Achieving batch control objectives requires grouping similar types of input transactions (such as sales orders) together in batches and then controlling the batches throughout data processing.

ANS: T

12. The "white box" tests of program controls are also known as auditing through the computer.

ANS: T

13. The presence of a SPLMS effectively guarantees program integrity.

ANS: F

14. When using the test data method, the presence of multiple error messages indicates a flaw in the preparation of test transactions.

ANS: F

15. The Base Case System Evaluation is a variation of the test data method.

ANS: T

16. Tracing is a method used to verify the logical operations executed by a computer application.

ANS: T

17. Generalized audit software packages are used to assist the auditor in performing substantive tests.

ANS: T

18. The results of a parallel simulation are compared to the results of a production run in order to judge the quality of the application processes and controls.

ANS: T

19. Firms with an independent internal audit staff may conduct tests of the system development life cycle on an ongoing basis.

ANS: T

20. The programmer’s authority table will specify the libraries a programmer may access.

ANS: T

21. Use of the integrated test facility poses no threat to organizational data files.

ANS: F

MULTIPLE CHOICE

1. Which statement is not correct? The audit trail in a computerized environment
a. consists of records that are stored sequentially in an audit file
b. traces transactions from their source to their final disposition
c. is a function of the quality and integrity of the application programs
d. may take the form of pointers, indexes, and embedded keys
ANS: A

2. Which control is not associated with new systems development activities?
a. reconciling program version numbers
b. program testing
c. user involvement
d. internal audit participation
ANS: A

3. Routine maintenance activities require all of the following controls except
a. documentation updates
b. testing
c. formal authorization
d. internal audit approval
ANS: D

4. Which statement is correct?
a. compiled programs are very susceptible to unauthorized modification
b. the source program library stores application programs in source code form
c. modifications are made to programs in machine code language
d. the source program library management system increases operating efficiency
ANS: B

5. Which control is not a part of the source program library management system?
a. using passwords to limit access to application programs
b. assigning a test name to all programs undergoing maintenance
c. combining access to the development and maintenance test libraries
d. assigning version numbers to programs to record program modifications
ANS: C

6. Which control ensures that production files cannot be accessed without specific permission?
a. Database Management System
b. Recovery Operations Function
c. Source Program Library Management System
d. Computer Services Function
ANS: C

7. Program testing
a. involves individual modules only, not the full system
b. requires creation of meaningful test data
c. need not be repeated once the system is implemented
d. is primarily concerned with usability
ANS: B

8. The correct purchase order number, 123456, was incorrectly recorded as shown in the solutions. All of the following are transcription errors except
a. 1234567
b. 12345
c. 124356
d. 123454
ANS: C

9. Which of the following is correct?
a. check digits should be used for all data codes
b. check digits are always placed at the end of a data code
c. check digits do not affect processing efficiency
d. check digits are designed to detect transcription and transposition errors
ANS: D

10. Which statement is not correct? The goal of batch controls is to ensure that during processing
a. transactions are not omitted
b. transactions are not added
c. transactions are free from clerical errors
d. an audit trail is created
ANS: C

11. An example of a hash total is
a. total payroll checks–$12,315
b. total number of employees–10
c. sum of the social security numbers–12,555,437,251
d. none of the above
ANS: C

12. Which statement is not true? A batch control record
a. contains a transaction code
b. records the record count
c. contains a hash total
d. control figures in the record may be adjusted during processing
e. All the above are true
ANS: E

13. Which of the following is not an example of a processing control?
a. hash total
b. record count
c. batch total
d. check digit
ANS: D

14. Which of the following is an example of an input control test?
a. sequence check
b. zero value check
c. spooling check
d. range check
ANS: D

15. Which input control check would detect a payment made to a nonexistent vendor?
a. missing data check
b. numeric/alphabetic check
c. range check
d. validity check
ANS: D

16. The employee entered "40" in the "hours worked per day" field. Which check would detect this unintentional error?
a. numeric/alphabetic data check
b. sign check
c. limit check
d. missing data check
ANS: C

17. An inventory record indicates that 12 items of a specific product are on hand. A customer purchased two of the items, but when recording the order, the data entry clerk mistakenly entered 20 items sold. Which check could detect this error?
a. numeric/alphabetic data checks
b. limit check
c. range check
d. reasonableness check
ANS: B

18. Which check is not an input control?
a. reasonableness check
b. validity check
c. spooling check
d. missing data check
ANS: C

19. A computer operator was in a hurry and accidentally used the wrong master file to process a transaction file. As a result, the accounts receivable master file was erased. Which control would prevent this from happening?
a. header label check
b. expiration date check
c. version check
d. validity check
ANS: A

20. Run-to-run control totals can be used for all of the following except
a. to ensure that all data input is validated
b. to ensure that only transactions of a similar type are being processed
c. to ensure the records are in sequence and are not missing
d. to ensure that no transaction is omitted
ANS: A

21. Methods used to maintain an audit trail in a computerized environment include all of the following except
a. transaction logs
b. transaction listings
c. data encryption
d. log of automatic transactions
ANS: C

22. Risk exposures associated with creating an output file as an intermediate step in the printing process (spooling) include all of the following actions by a computer criminal except
a. gaining access to the output file and changing critical data values
b. using a remote printer and incurring operating inefficiencies
c. making a copy of the output file and using the copy to produce illegal output reports
d. printing an extra hardcopy of the output file
ANS: B

23. Which statement is not correct?
a. only successful transactions are recorded on a transaction log
b. unsuccessful transactions are recorded in an error file
c. a transaction log is a temporary file
d. a hardcopy transaction listing is provided to users
ANS: C

24. Input controls include all of the following except
a. check digits
b. limit check
c. spooling check
d. missing data check
ANS: C

25. Which of the following is an example of an input error correction technique?
a. immediate correction
b. rejection of batch
c. creation of error file
d. all are examples of input error correction techniques
ANS: D

26. Which test of controls will provide evidence that the system as originally implemented was free from material errors and free from fraud? Review of the documentation indicates that
a. a cost-benefit analysis was conducted
b. the detailed design was an appropriate solution to the user's problem
c. tests were conducted at the individual module and total system levels prior to implementation
d. problems detected during the conversion period were corrected in the maintenance phase
ANS: C

27. Which statement is not true?
a. An audit objective for systems maintenance is to detect unauthorized access to application databases.
b. An audit objective for systems maintenance is to ensure that applications are free from errors.
c. An audit objective for systems maintenance is to verify that user requests for maintenance reconcile to program version numbers.
d. An audit objective for systems maintenance is to ensure that the production libraries are protected from unauthorized access.
ANS: A

28. When the auditor reconciles the program version numbers, which audit objective is being tested?
a. protect applications from unauthorized changes
b. ensure applications are free from error
c. protect production libraries from unauthorized access
d. ensure incompatible functions have been identified and segregated
ANS: A

29. When auditors do not rely on a detailed knowledge of the application's internal logic, they are performing
a. black box tests of program controls
b. white box tests of program controls
c. substantive testing
d. intuitive testing
ANS: A

30. All of the following concepts are associated with the black box approach to auditing computer applications except
a. the application need not be removed from service and tested directly
b. auditors do not rely on a detailed knowledge of the application's internal logic
c. the auditor reconciles previously produced output results with production input transactions
d. this approach is used for complex transactions that receive input from many sources
ANS: D

31. Which test is not an example of a white box test?
a. determining the fair value of inventory
b. ensuring that passwords are valid
c. verifying that all pay rates are within a specified range
d. reconciling control totals
ANS: A

32. When analyzing the results of the test data method, the auditor would spend the least amount of time reviewing
a. the test transactions
b. error reports
c. updated master files
d. output reports
ANS: A

33. All of the following are advantages of the test data technique except
a. auditors need minimal computer expertise to use this method
b. this method causes minimal disruption to the firm's operations
c. the test data is easily compiled
d. the auditor obtains explicit evidence concerning application functions
ANS: C

34. All of the following are disadvantages of the test data technique except
a. the test data technique requires extensive computer expertise on the part of the auditor
b. the auditor cannot be sure that the application being tested is a copy of the current application used by computer services personnel
c. the auditor cannot be sure that the application being tested is the same application used throughout the entire year
d. preparation of the test data is time-consuming
ANS: A

35. All of the following statements are true about the integrated test facility (ITF) except
a. production reports are affected by ITF transactions
b. ITF databases contain "dummy" records integrated with legitimate records
c. ITF permits ongoing application auditing
d. ITF does not disrupt operations or require the intervention of computer services personnel
ANS: A

36. Which statement is not true? Embedded audit modules
a. can be turned on and off by the auditor
b. reduce operating efficiency
c. may lose their viability in an environment where programs are modified frequently
d. identify transactions to be analyzed using white box tests
ANS: D

37. Generalized audit software packages perform all of the following tasks except
a. recalculate data fields
b. compare files and identify differences
c. stratify statistical samples
d. analyze results and form opinions
ANS: D

SHORT ANSWER

1. Contrast the source program library (SPL) management system to the database management system (DBMS).

ANS:
The SPL software manages program files and the DBMS manages data files.

2. Describe two methods used to control the source program library.

ANS:
passwords, separation of development programs from maintenance programs, program
management reports, program version numbers, controlling maintenance commands

3. New system development activity controls must focus on the authorization, development, and implementation of new systems and their maintenance. Discuss at least five control activities that are found in an effective system development life cycle.

ANS:
System authorization activities assure that all systems are properly authorized
to ensure their economic justification and feasibility.

User specification activities should not be stifled by technical issues. Users can provide a written description of the logical needs that must be satisfied by the system.

Technical design activities must lead to specifications that meet user needs. Documentation is both a control and evidence of control.

Internal audit involvement should occur throughout the process to assure that the system will serve user needs.

Program testing is to verify that data is processed as intended.

4. What are the three broad categories of application controls?

ANS:
input, processing, and output controls

5. How does privacy relate to output control?

ANS:
If the privacy of certain types of output, e.g., sensitive information about clients or customers, is violated, a firm could be legally exposed.

6. What are the three categories of processing control?

ANS:
Batch controls, run-to-run controls, and audit trail controls.

7. What control issue is related to reentering corrected error records into a batch processing system? What are the two methods for doing this?

ANS:
Errors detected during processing require careful handling, since these records may already be partially processed. Simply resubmitting the corrected records at the data input stage may result in processing portions of these transactions twice.
Two methods are: (1) reverse the effects of the partially processed transactions and resubmit the corrected records to the data input stage; (2) reinsert the corrected records into the processing stage at which the error was detected.

8. Output controls ensure that output is not lost, misdirected, or corrupted and that privacy is not violated. What are some output exposures or situations where output is at risk?

ANS:
output spooling, delayed printing, waste, report distribution

9. Input controls are programmed procedures (routines) that perform tests on transaction data to ensure they are free from errors. Name four input controls and describe what they test.

ANS:
1. numeric-alphabetic checks look for the correct type of character content in a field, numbers or letters;
2. limit checks verify that values are within preset limits;
3. range checks verify that values fall within an acceptable range;
4. reasonableness checks determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record.

10. A __________________________ fraud affects a large number of victims but the harm to each appears to be very small.

ANS:
salami

11. Describe a test of controls that would provide evidence that only authorized program maintenance is occurring.

ANS:
reconcile program version numbers, confirm maintenance authorizations

12. Auditors do not rely on detailed knowledge of the application's internal logic when they use the __________________________ approach to auditing computer applications.

ANS:
black box or auditing around the computer

13. Describe parallel simulation.

ANS:
The auditor writes a program that simulates the application under review. The simulation is used to reprocess production transactions that were previously processed by the production application. The results of the simulation are compared to the results of the original production run.

14. What is meant by auditing around the computer versus auditing through the computer? Why is this so important?

ANS:
Auditing around the computer involves black box testing in which the auditors do not rely on a detailed knowledge of the application's internal logic. Input is reconciled with corresponding output. Auditing through the computer involves obtaining an in-depth understanding of the internal logic of the computer application. As transactions become increasingly automated, the inputs and outputs may become decreasingly visible. Thus, understanding the programming components of the system becomes crucial.

15. What is an embedded audit module?

ANS:
EAM techniques use one or more specially programmed modules embedded in a host application to select and record predetermined types of transactions for subsequent analysis. This method allows material transactions to be captured throughout the audit period. The auditor's substantive testing task is thus made easier since they do not have to identify significant transactions for substantive testing.

16. What are the audit’s objectives relating to systems development?

ANS:
The auditor’s objectives are to ensure that (1) systems development activities are applied consistently
and in accordance with management’s policies to all systems development projects; (2) the system as
originally implemented was free from material errors and fraud; (3) the system was judged necessary
and justified at various checkpoints throughout the SDLC; and (4) system documentation is
sufficiently accurate and complete to facilitate audit and maintenance activities.

ESSAY

1. Outline the six controllable activities that relate to new systems development

ANS:
Systems Authorization Activities: All systems should be properly authorized to ensure their economic justification and feasibility. This requires a formal environment in which users submit requests to systems professionals in written form.

User Specification Activities: Users need to be actively involved in the systems development process. Users should create a detailed written description of their needs. It should describe the user’s view of the problem, not that of the systems professionals.

Technical Design Activities: The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user’s needs. The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.

Internal Audit Participation: To meet the governance-related expectations of management under SOX, an organization’s internal audit department needs to be independent, objective, and technically qualified. As such, the internal auditor can play an important role in the control of systems development activities.

Program Testing: All program modules must be thoroughly tested before they are implemented. This involves creating hypothetical master files and transaction files that are processed by the modules being tested. The results of the tests are then compared against predetermined results to identify programming and logic errors.

User Test and Acceptance Procedures: Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole. The test team should comprise user personnel, systems professionals, and internal auditors. The details of the tests performed and their results need to be formally documented and analyzed. Once the test team is satisfied that the system meets its stated requirements, the system can be transferred to the user.

2. Explain the three methods used to correct errors in data entry.

ANS:
Immediate Correction. In the direct data validation approach, error detection and correction take place during data entry. When an error or illogical relationship is entered, the system should halt the data entry procedure until the error is corrected.

Creation of an Error File. In the delayed data validation approach, errors are flagged and placed in an error file. Records with errors will not be processed until the error is investigated and corrected.

Rejection of the Entire Batch. Some errors are associated with the entire batch and are not attributable to individual records. An example of this is a control total that does not balance. The entire batch is placed in the error file and will be reprocessed when the error is corrected.

3. The presence of an audit trail is critical to the integrity of the accounting information system. Discuss three of the techniques used to preserve the audit trail.

ANS:
Transaction logs list all transactions successfully processed by the system and serve as journals, permanent records. Transactions that were not processed successfully should be recorded in an error file.

After processing transactions, a paper transaction listing should be produced and used by appropriate users to reconcile input.

Logs and listings of automatic transactions should be produced for transactions received or initiated internally by the system.

Error listings should document all errors and be sent to appropriate users to support error correction.

4. Define each of the following input controls and give an example of how they may
be used:
a. Missing data check
b. Numeric/alphabetic data check
c. Limit check
d. Range check
e. Reasonableness check
f. Validity check

ANS:
Missing data check. Some programming languages are restrictive as to the justification (right or left) of data within the field. If data are not properly justified or if a character is missing (has been replaced with a blank), the value in the field will be improperly processed. For example, the presence of blanks in a numeric data field may cause a system failure. When the control routine detects a blank where it expects to see a data value, the error is flagged.

Numeric-alphabetic check. This control identifies when data in a particular field are in the wrong form. For example, a customer’s account balance should not contain alphabetic data and the presence of it will cause a data processing error. Therefore, if alphabetic data are detected, the error record flag is set.

Limit check. Limit checks are used to identify field values that exceed an authorized limit.
For example, assume the firm’s policy is that no employee works more than 44 hours per week. The
payroll system input control program can test the hours-worked field in the weekly payroll records for
values greater than 44.

Range check. Many times data have upper and lower limits to their acceptable values. For example, if the range of pay rates for hourly employees in a firm is between 8 and 20 dollars, this control can examine the pay rate field of all payroll records to ensure that they fall within this range.

Reasonableness check. The test determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with data in other fields of the record. For example, assume that an employee’s pay rate of 18 dollars per hour falls within an acceptable range. This rate is excessive, however, when compared to the employee’s job skill code of 693; employees in this skill class should not earn more than 12 dollars per hour.

Validity check. A validity check compares actual field values against known acceptable values. For example, this control may be used to verify such things as valid vendor codes, state abbreviations, or employee job skill codes. If the value in the field does not match one of the acceptable values, the record is flagged as an error.
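As an added example (not from the textbook), the six input controls defined above applied to constructed weekly payroll records, using the answer's own figures (44-hour limit, 8 to 20 dollar pay-rate range, skill code 693 capped at 12 dollars); the field names and the skill-code validity table are assumptions:

```python
# Added example, not from the textbook: programmed input controls for a weekly
# payroll record. Field names and the skill-code table are constructed.
from typing import Dict, List, Tuple

Record = Dict[str, str]            # raw fields as keyed in, before conversion

HOURS_LIMIT = 44.0                 # limit check threshold (hours per week)
PAY_RATE_RANGE = (8.0, 20.0)       # range check bounds, inclusive
# Assumed validity table: acceptable job skill codes and the maximum hourly
# rate that is reasonable for each class (693 -> 12 dollars, as in the answer).
SKILL_MAX_RATE = {"693": 12.0, "701": 20.0, "715": 20.0}
REQUIRED_FIELDS = ["emp_id", "hours", "pay_rate", "skill_code"]


def missing_data_check(rec: Record) -> List[str]:
    """Flag required fields that are absent or contain only blanks."""
    return [f"missing:{f}" for f in REQUIRED_FIELDS if not rec.get(f, "").strip()]


def numeric_check(rec: Record, field: str) -> List[str]:
    """Numeric/alphabetic check: a numeric field must not hold letters."""
    try:
        float(rec[field])
        return []
    except ValueError:
        return [f"non_numeric:{field}"]


def validate_record(rec: Record) -> List[str]:
    """Run the controls in order; later checks depend on earlier ones passing."""
    errors = missing_data_check(rec)
    if errors:
        return errors                        # cannot test values that are blank
    errors = numeric_check(rec, "hours") + numeric_check(rec, "pay_rate")
    if errors:
        return errors                        # cannot compare non-numeric values
    hours = float(rec["hours"])
    rate = float(rec["pay_rate"])
    if hours > HOURS_LIMIT:                  # limit check
        errors.append("limit:hours")
    low, high = PAY_RATE_RANGE
    rate_in_range = low <= rate <= high      # range check
    if not rate_in_range:
        errors.append("range:pay_rate")
    code = rec["skill_code"]
    if code not in SKILL_MAX_RATE:           # validity check against known codes
        errors.append("validity:skill_code")
    elif rate_in_range and rate > SKILL_MAX_RATE[code]:
        # reasonableness check: applied only to a rate that already passed the
        # range check, and judged against another field of the same record
        errors.append("reasonableness:pay_rate_vs_skill")
    return errors


def run_input_controls(records: List[Record]) -> Tuple[List[Record], Dict[str, List[str]]]:
    """Delayed validation: clean records go forward, flagged ones go to an error file."""
    accepted: List[Record] = []
    error_file: Dict[str, List[str]] = {}
    for rec in records:
        errors = validate_record(rec)
        if errors:
            error_file[rec.get("emp_id", "?")] = errors
        else:
            accepted.append(rec)
    return accepted, error_file


# Constructed sample batch: one clean record, then one failure per control.
SAMPLE_RECORDS = [
    {"emp_id": "E100", "hours": "40", "pay_rate": "15.00", "skill_code": "701"},
    {"emp_id": "E101", "hours": "40", "pay_rate": "18.00", "skill_code": "693"},
    {"emp_id": "E102", "hours": "50", "pay_rate": "10.00", "skill_code": "701"},
    {"emp_id": "E103", "hours": "40", "pay_rate": "25.00", "skill_code": "701"},
    {"emp_id": "E104", "hours": "  ", "pay_rate": "10.00", "skill_code": "701"},
    {"emp_id": "E105", "hours": "4O", "pay_rate": "10.00", "skill_code": "701"},
    {"emp_id": "E106", "hours": "40", "pay_rate": "10.00", "skill_code": "999"},
]

if __name__ == "__main__":
    ok, bad = run_input_controls(SAMPLE_RECORDS)
    print("accepted:", [r["emp_id"] for r in ok])
    for emp, errs in bad.items():
        print("error file:", emp, errs)
```

Record E101 is the answer's own case: an 18-dollar rate passes the range check but fails the reasonableness check against skill code 693.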

5. After data is entered into the system, it is processed. Processing control exists to make sure that the correct things happen during processing. Discuss processing controls.

ANS:
Processing controls take three forms–batch controls, run-to-run controls, and audit trail controls.

Batch controls are used to manage the flow of high volumes of transactions through batch processing systems. The objective of batch control is to reconcile output produced by the system with the input originally entered into the system. This provides assurance that:
· All records in the batch are processed.
· No records are processed more than once.
· An audit trail of transactions is created from input through processing to the output stage of the system.

Run-to-run controls use batch figures and new balances to monitor the batch as it goes through the system–i.e. from run-to-run. These are to assure that no transactions are lost and that all are processed completely.

Audit trail controls are designed to document the movement of transactions through the system. The most common techniques include the use of transaction logs and transaction listings, unique transaction identifiers, logs and listings of automatic transactions, and error listings.
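As an added example (not from the textbook) of the batch and run-to-run controls described above, a batch control record carrying a transaction code, record count, hash total and financial control total is reconciled against the batch after each run; the transaction layout and the sample sales-order batch are constructed:

```python
# Added example, not from the textbook: batch control record and run-to-run
# reconciliation. Transaction layout and sample batch are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Transaction:
    txn_code: str   # transaction type, e.g. "SO" for a sales order
    account: int    # account number: summed into the hash total (sum has no meaning)
    amount: float   # dollar amount: summed into the financial control total


@dataclass(frozen=True)
class BatchControlRecord:
    batch_id: str
    txn_code: str        # every record in the batch must carry this code
    record_count: int
    hash_total: int
    control_total: float


def build_control_record(batch_id: str, txn_code: str,
                         txns: List[Transaction]) -> BatchControlRecord:
    """Compute the control figures from the batch as originally entered."""
    return BatchControlRecord(
        batch_id, txn_code, len(txns),
        sum(t.account for t in txns),
        round(sum(t.amount for t in txns), 2))


def reconcile(control: BatchControlRecord, txns: List[Transaction]) -> List[str]:
    """Recompute the figures from the records present at this run and compare
    them with the batch control record; an empty list means the run balanced."""
    problems: List[str] = []
    foreign = sum(1 for t in txns if t.txn_code != control.txn_code)
    if foreign:
        problems.append(f"{foreign} record(s) of another transaction type")
    if len(txns) != control.record_count:
        problems.append(f"record count {len(txns)} != {control.record_count}")
    hash_total = sum(t.account for t in txns)
    if hash_total != control.hash_total:
        problems.append(f"hash total {hash_total} != {control.hash_total}")
    control_total = round(sum(t.amount for t in txns), 2)
    if control_total != control.control_total:
        problems.append(f"control total {control_total} != {control.control_total}")
    return problems


def run_to_run(control: BatchControlRecord,
               runs: Dict[str, List[Transaction]]) -> Dict[str, List[str]]:
    """Check the batch after each processing run; returns run name -> problems."""
    return {name: reconcile(control, txns) for name, txns in runs.items()}


# Constructed batch of three sales orders and the control record built from it.
BATCH = [Transaction("SO", 1001, 250.00),
         Transaction("SO", 1002, 75.50),
         Transaction("SO", 1003, 120.00)]
CONTROL = build_control_record("B-01", "SO", BATCH)  # count 3, hash 3006, total 445.50

# Each later run is the same batch as it might look after a processing fault.
SAMPLE_RUNS = {
    "edit_run": BATCH,
    "dropped_record": BATCH[:2],                            # one record lost
    "duplicated_record": BATCH + [BATCH[0]],                # one record processed twice
    # same count and same dollars but a different account: only the hash total catches it
    "substituted_record": BATCH[:2] + [Transaction("SO", 2003, 120.00)],
    "foreign_record": BATCH + [Transaction("CR", 1004, 30.00)],  # wrong transaction type
}

if __name__ == "__main__":
    for name, problems in run_to_run(CONTROL, SAMPLE_RUNS).items():
        print(f"{name}: {'balanced' if not problems else '; '.join(problems)}")
```

The substituted-record run is the case the record count and control total both miss; the hash total, meaningless as a number, is the only figure that changes.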

6. If input and processing controls are adequate, why are output controls needed?

ANS:
Output controls are designed to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Great risk exists if checks are misdirected, lost, or stolen. Certain types of data must be kept private–trade secrets, patents pending, customer records, etc.

7. Describe and contrast the test data method with the integrated test facility.

ANS:
In the test data method, a specially prepared set of input data is processed; the results of the test are compared to predetermined expectations. To use the test data method, a copy of the current version of the application must be obtained. The auditor will review printed reports, transaction listings, error reports, and master files to evaluate application logic and control effectiveness. The test data approach results in minimal disruption to the organization's operations and requires little computer expertise on the part of auditors.

The integrated test facility (ITF) is an automated approach that permits auditors to test an application's logic and controls during its normal operation. ITF databases contain test records integrated with legitimate records. During normal operations, test transactions are entered into the stream of regular production transactions and are processed against the test records. The ITF transactions are not included with the production reports but are reported separately to the auditor for evaluation. The auditor compares ITF results against expected results.

In contrast to the test data approach, the ITF technique promotes ongoing application auditing and does not interfere with the normal work of computer services employees. In the test data approach, there is a risk that the auditor might perform the tests on a version of the application other than the production version; this cannot happen in the ITF approach. Both versions are relatively costly to implement. The major risk with the ITF approach is that ITF data could become combined with live data and the reports would be misstated; this cannot happen in the test data approach.

8. Contrast Embedded Audit Modules with Generalized Audit Software.

ANS:
Both techniques permit auditors to access, organize, and select data in support of the substantive phase of the audit. The Embedded Audit Module (EAM) technique embeds special audit modules into applications. The EAM captures specific transactions for auditor review. EAMs reduce operational efficiency and are not appropriate for environments with a high level of program maintenance.

Generalized Audit Software (GAS) permits auditors to electronically access audit files and to perform a variety of audit procedures. For example, the GAS can recalculate, stratify, compare, format, and print the contents of files.

The EAM is an internal program that is designed and programmed into the application. The GAS is an external package that does not affect the operational efficiency of the program. GASs are easy to use, require little IT background on the part of the user, are hardware independent, can be used without the assistance of computer service employees, and are not application-specific. On the other hand, EAMs are programmed into a specific application by computer service professionals.

9. What is the purpose of the auditor's review of SDLC documentation?

ANS:
In reviewing the SDLC documentation, the auditor seeks to determine that completed projects now in use reflect compliance with SDLC policies including:
· proper authorization of the project by users and computer service management,
· a preliminary feasibility study showed that the project had merit,
· that a detailed analysis of user needs was conducted,
· that a cost-benefit analysis was performed,
· that the project can be demonstrated to solve the users' problem, and
· that the system was thoroughly tested.

10. Microcomputers have traditionally been difficult to control, leaving auditors with special problems in verifying physical controls. Discuss what an auditor's objectives might be in testing microcomputer controls.

ANS:
The auditor must investigate several things: 1) that adequate supervision and operating procedures exist to compensate for the lack of segregation of duties that occurs when users are functioning also as programmers and operators; 2) that access to hardware, data and software is limited to authorized personnel; 3) that backup procedures are in place and implemented to prevent data and program loss; and 4) that procedures for systems selection and acquisition assure high quality, error free, applications. This is far from an ideal situation.

11. Contrast the "black box" approach to IT auditing and the "white box" approach. Which is preferred?

ANS:
The black box approach is not concerned with the application's internal workings. The auditor examines documentation of the system, interviews personnel, and bases the evaluation on the logical consistency between input and output. This method is often referred to as "auditing-around-the-computer" because there is no examination of data as it is processed.

The white box approach, also called "auditing-through-the-computer," relies on knowledge of the internal workings of the systems and actually tests the application in action with test data having known results. Several white box techniques are available. These include the test data method, base case evaluation, tracing, the integrated test facility, and parallel simulation. This method makes the computer a tool of the audit as well as its target.
