BUSINESS

APPLICATION
SOFTWARE AUDIT
Module 6 – 13%
Knowing the Basics!
Business Model Business Process Business
Application

• a way an • Steps taken to • Various

organization meet the goal Software Tools
delivers its • E.g.: Inventory used to achieve
product / / Payroll • E.g.: Tally /
service Management Oracle /
• E.g.: Online Customized
only vs Brick & applications
Mortar

< < < < < < Controls > > > > > >

2
Importance of Controls
• Controls are vital check points to ensure compliance

• Avoid Frauds / Errors / Misstatement / Embezzlement

• Provide Assurance to Stakeholders

• Compliance with Law & Regulation

3
Types of Internal Controls
Preventive
Controls

Detective Control

Corrective Control

4
How the controls operate?

5
Implementations of Internal
Controls

Technical
Admin Physical
(Logical)
• Policy • Tools • Guards
• Procedures • Software • Locked
• Passwords Rooms

6
 Relationship between Controls &
Implementation
Preventive Detective Corrective

Admin  Policy  Audit Log  Incident Response

 Training  Review Plan
 BCP

Technical  Centrally Managed  Centrally Managed  Intrusion Prevention

Data Protection Policy & Lag Server System / Antivirus
software

Physical  Data center Access  Video Recorded  Response Team

Access

7
Internal Control: Components

General
Controls

Internal
Controls
IT / IS
Controls

8
IS Controls: Components

IT
IT General
Application IS Controls
Controls
Controls

9
Business Models and Controls
• Each business model shall have a basic control structure built into
its processes.
• Dependent upon the business application software used
• The nature of control, the way they are implemented and executed
depends upon the business model being put to use.

10
Business Application
• Applications used by entity to run its business.
• Eg:
• PoS (Point of Sale),
• Recording Attendance,
• Wage Payment,
• Automated e-payment

• The application covers / incorporates the key business processes of

the entity.
• What are the controls structure available to help entity achieve its
goals.

11
PARAMETERS FOR
SELECTION OF
BUSINESS
APPLICATION

12
Key Parameters
• Business Goal
• Nature of Business
• Geographical Spread
• Timing of Operations – 24 x 7 / Only on Holidays
• Volume of Transactions
• Regulatory Requirement

13
Examples Types
Accounting Application
Banking Application
ERP Application
Payroll Application

14
 Types
•Other Business Applications:

Office Management Software

Compliance Applications

Customer relationship management Software

Management Support Software

15
Types
•Other Business Applications:

Logistics Management Software

Legal matter management

Industry Specific Applications

16
Questions

17
 1. Initial adoption of Business Model adopted
by an organisation is dependent upon:
A. Business Applications
B. Business Objective
C. Controls in business applications
D. Business Laws

Answer: B
Business Objectives shall be the prime reason for adoption of business
models. Other answers may be valid reasons but are never the first reason
for adoption of a specific business model. “A business model describes
the rationale of how an organization creates, delivers, and captures
value (economic, social, cultural, or other forms of value). The process of
business model construction is part of business strategy.”

18
2. The first activity to be assessed
by IS Auditor is: _____________.
A. Business Application
B. Business Controls
C. Business Model
D. Business Laws

Answer: C
Business Model, needs to be assessed first by IS Auditor.
The, b and d, are assessment to be made later on. As an IS
Auditor it becomes important to understand the business
model adopted by an organisation for a better
understanding of risk associated with business model
adopted by an organisation.

19
3. Arrange the following in chronological order
A. Establishing the expected degree of reliance to be placed on internal control
B. Determining and programming the nature, timing, and extent of the audit
procedures to be performed
C. Coordinating the work to be performed
D. Acquiring knowledge of the client’s accounting system, policies and internal control
procedures

• The correct serial order:

a) A, B, C, D
b) D, A, B, C
c) D, C, B, A
d) B, C, D, A

Answer: B - D, A, B, C
As per SA 00 SA 00 on “OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR
AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH STANDARDS ON 20
AUDITING, the steps to audit as mentioned at point b.
5. The best definition which fits
‘COBIT 5’ is that it is a:
A. Business framework for the governance and management
of enterprise IT.
B. System Audit Tool
C. Management tool for corporate governance
D. IT management tool

Answer: A
COBIT 5 can be best described as “Business framework for
the governance and management of enterprise IT by ‘a’.
Other answers are part of COBIT framework but not full
Framework.

21
AUDIT & REVIEW OF
APPLICATIONS
Controls & Testing

22
Application Controls

Application represents the interface between the user

and business function

Components of Application Controls

• Application Boundary Controls

• Input Controls
• Data Processing Controls
• Data File Controls
• Output Controls

23
Application Boundary Controls
The objective of boundary controls is to prevent
unauthorized access to applications and their data.

Data may be in any stage, input, processing, in transit or

being output.

Controls should restrict user access in accordance with

business policy and organization structure,

Protect other associated applications, systems software,

database and utilities from unauthorized access.

24
Application Boundary Controls
Logical security techniques for application boundary

Controls

Logon ids and passwords

Access to application from specified terminals only

Using Cryptographic Controls

Using audit trails

25
Areas of Review by Auditor
• Exchange of Information within the organization
• Exchange of Information Outside the organization
• Access to Third Party Resources by the Organization
• Third Party access to Organizations Resources

26
 Input Controls
Responsible Important since

for ensuring the accuracy and

substantial time is spent on input of data
completeness of data and

instruction input into an application

Involve human intervention
system.

Prone to error and fraud

27
Input Controls

Input controls address the

following:
• Source Document Design
• Data entry screen design
• Data code controls
• Batch Controls
• Data Input Validation Controls
• Data Input Error Handling and Reporting
• Instruction Input Controls
28
Application Input Control Types - Edits
•Prevent input from being entered that
may cause data-integrity problems

29
Few Common Input Edits
1. Numeric -
alphanumeric
restrictions

2. Dates and hour

fields set to
convert input into
the correct format

30
31

Few Common Input Edits

3. Transaction "reasonableness"
checks on inputs
32

Few Common Input Edits

4. Limited input fields prevent invalid entries
• E.g. Drop Down Lists

5. Duplicate entries not allowed for data that is to be

unique

6. “Logic" checks
• E.g. Parts Not Greater than
Sum
33

Few Common Input Edits

8. Programmed cutoff dates
• E.g. preventing wrong period inputs

9. Execution of a transaction not allowed

until valid data entered into all required
fields

10. Database operatives disallowed

• E.g. * or =
 Source Document Design
A well-designed source document
helps improve control in the
following ways:
• It reduces data entry errors
• Increases speed of data entry
• Ensures better control over the process
• Assists subsequent reference
34
Data entry screen design

Data entry field design

• These fields should be either to

the right or below the caption
• Option & check button should be
used when the user has to choose
from a small list of options
35
Data entry screen design

Tabbing and skipping

• During the data entry, user moves from field to field

by pressing the “tab” key.
• Automatic tabbing should be avoided since the fields
may be skipped for data entry
• Display rate
• It is the rate at which the characters or images should
be displayed.

Data entry screens should have fast &

consistent display rate 36
Data code controls

Types of data coding errors:

• Addition: Addition of an extra character in a

code
• Truncation: Omission of characters in the code
• Transcription: Recording wrong characters
• Transposition: Reversing adjacent characters
• Double transposition: Reversing characters
separated by one or more characters i.e.,
45123 is entered as 42153.
37
Data code controls
Factors affecting coding errors are:
• Length of the code – Long codes are naturally prone to
errors.
• Alphabetic numeric mix – The code should provide for
grouping of alphabets & numerical separately if both
are used.
• Choice of characters – Some alphabets are confused
with numerical such as B,I,O would be confused with
8,1,0
• Mixing uppercase/lowercase fonts
• Sequence of characters – Eg. Using ABC instead of
ACB
38
Data Code Controls – Check Digit

Check digits are redundant digits that helps

verify the accuracy of other characters in the
code that is checked.

The program recalculates the check digits &

compare with the check digit in the code when
the code is entered to verify that code is
correct. Check digit may be pre-fix or suffix to
the actual data. 39
Calculation of check digit –

• Input number is 4871.

• If the weights for a four digit number were 5, 3, 2, 7
• then one multiply each number by the weightage 5×4 +
3×8 + 2×7 + 7×1 = 65, i.e. last letter to be considered as
check digit “5”
• Therefore revised number for transmission is 48715

40
Another Practical Example

41
Another Popular Example?

42
Types of batch controls
Total financial amount – Counter checking the total
financial amount of items processed in that batch with
the total individual financial amounts in the fields. Eg. In
a batch of 100 invoices it should be verified that the gross
total of individual sales value in the invoices matches the
total value of sales of all the invoices processed.

Hash total – These are totals of any numeric field in the

batch such as serial no. of invoices to counter check the
total of the field after input of data. E.g. In a batch 5
invoices no. 1,2,3,4,5 are processed. So adding these no.
will result in hash value amounting to 15. If any invoice no.
shall be changed then the hash value will also be changed.
43
Types of batch controls
Total items - Counter checking that the total no. of items
included on each document in the batch matches the
total no. of items processed. E.g. The total no. of units
sold as per each invoice should match the total no. of
items processed in the batch.

Total documents – Total no. of documents processed

should also be counter checked for correctness.

44
How to use hash total?
• A method for ensuring the accuracy of processed data. It is
a total of several fields of data in a file, including fields not
normally used in calculations, such as account number.
• For example,
• the dates of letters in a file may be added and separately noted as
hash total
• TIN Details of all Vendors of Purchase Report could be totaled and
compared to VAT Summary.
 Batch Total vs Hash Total
Batch Total is a physical count of units (Eg. Total
number of Invoices) & Hash Total is the total of any
other numerical data, say Total of TIN / PAN / Date
etc

45
Example

• While preparing the Wage Bill, what is the hash total and batch
total?
• Batch total – 3 – 3 workers / fields / entries
• Hash total – sum of worker ID = 172+9023+2652 = 11847
• Wage Bill Total = Hours worked * Rate per hour

46
Data Input Validation Controls
Input Authentication Controls

Manual signatures on input

document

Input menu available for

OCR (Optical Character
specified logins in case of
Recognition),
online inputs

Scanned input using Barcode Readers,

MICR (Magnetic ink character

reader) etc.
47
Edit Controls
Sequence Range and Limit Missing data
checks check check

Programmed Dependency
Duplicate check
Validity Check Match

Completeness Reasonableness
Table lookups
check check

48
Data Input Error Handling and Reporting

Input errors can be handled in the following

ways :
• Rejecting only transaction with error
• Reject the whole batch of transactions
• Accepting batch in suspense
• Accepting the batch and marking error transactions

49
 Processing Controls

Data processing controls perform validation check to identify errors during

processing of data. They are required to ensure both the completeness &
accuracy of the data being processed. Some of the data processing controls
are explained as follows :
• Run-to-run totals - These help in verifying data that is subject to process through
different stages. Eg. If current balance of ledger is 2 lacs & additional invoices for
the period is of .5 lacs then the total sales value should be Rs 2.5 lacs

50
 Processing Controls

Reasonableness verification – Two or more fields can be

compared & cross verified to ensure their correctness. Eg. The
statutory PF can be calculated on the gross pay amount to
verify if the PF contribution deducted is accurate.

Exception reports – These reports are generated to identify

errors in data processed. Such reports give the transaction code
& why a particular transaction was not processed or what is the
error in processing the transaction

51
Output Controls
Storage & logging of sensitive forms
Logging of output program execution
Retention controls
Control over Ctrl + P
Report Distribution
Spooling

52
Non- Repudiation
• is the assurance that someone cannot deny something

• refers to the ability to ensure that a party to a contract or a

communication cannot deny the authenticity of their signature on
a document or the sending of a message that they originated.

53
TECHNIQUES OF
REVIEW

54
How to review?
The procedure used to obtain evidence
include:

1. Inquiry and confirmation

2. Reperformance

3. Recalculation…
55
How to review?
The procedure used to obtain evidence
include:

4. Computation

5. Analytical Procedures

6. Inspection…

56
How to review?
The procedure used to obtain evidence
include:

7. Observation

8. Other generally
accepted methods

57
QUESTIONS?

58
1. Application controls shall
include all except
A. Application controls are a subset of internal controls.
B. The purpose is to collect timely, accurate and reliable
information.
C. It is part of the of IS Auditor’s responsibility to implement
the same.
D. It is part of business application software.

Answer: C
Represents what auditor’s verifies but not that what he/she
implements. Rest is part of definition and purpose of
application controls.

59
 2. As per Income Tax Act, 1961 and banking norms, all fixed deposit holders
of bank need to submit their PAN or form 60/61(a form as per Income Tax
Act/Rules). Bank in its account opening form, has not updated the need for
form 60/61 in case PAN is not there. This defines which control lapse as per
COBIT.

A. Source Data Preparation and Authorisation:

B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

Answer: A
A is the correct answer as the source data capture is not
proper. Ensure that source documents are prepared by
authorised and qualified personnel following established
procedures, taking into account adequate segregation of
duties regarding the origination and approval of these
documents. Errors and omissions can be minimised through
good input form design.
60
3. In a public sector bank while updating master data for advances given, the
bank employee does not update “INSURANCE DATA”. This includes details of
Insurance Policy, Amount Insured, Expiry Date of Insurance and other related
information.

A. Source Data Preparation and Authorisation:

B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

Answer: A
This ensures that transactions are accurate, complete
and valid. Validate data that were input, and edit or
send back for correction as close to the point of
origination as possible.
61
4. Emailed purchase order for 500
units was received as 5000 units.
A. Source Data Collection and Entry
B. Accuracy, Completeness and Authenticity Checks
C. Output Review, Reconciliation and Error Handling
D. Transaction Authentication and Integrity

Answer: D
D is the correct answer. As per COBIT, where transactions
are exchanged electronically, establish an agreed-upon
standard of communication and mechanisms necessary for
mutual authentication, including how transactions will be
represented, the responsibilities of both parties and how
exception conditions will be handled.

62
 5. An IS Auditor, processes a dummy transaction to check whether the
system is allowing cash payments in excess of Rs.20,000/-. This check by
auditor represents which of the following evidence collection technique?

A. Inquiry and confirmation

B. Re-calculation
C. Inspection
D. Re-performance

Answer: D
IS Auditor may process test data on application
controls to see how it responds.

63
 9. Company’s billing system does not allow billing to those dealers
who have not paid advance amount against proforma invoice. This
check is best called as:

A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

Answer: B
Dependency check is one where value of one field is
related to that of another.
64
 10. While posting message on FACEBOOK, if user posts the same
message again, FACEBOOK gives a warning. The warning
indicates which control.

A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

Answer: D
D is the answer as this is a duplicate check.

65
HOW TO AUDIT?
 AUDIT OF
APPLICATION
CONTROLS
What is IS Audit?
1. It is an examination of the controls within
an Information technology (IT)
infrastructure.

2. It is the process of collecting and

evaluating the evidence of an organization's
information systems, practices, and
operations.

68
What is IS Audit?
3. It focuses on determining
the risks that are relevant to
information assets, and

4. In assessing controls in
order to reduce or mitigate
these risks.

69
 How to perform IS Audit?
The fundamental principles of audit remain the
same.

IS audit like financial audit, focuses on the risk

arising from inadequate or inefficient controls.

The change is in perspective and approach.

70
 Fundamentals for establishing an
IS Audit Function

Audit mission: The first step is to outline this

• It also outlines the value addition that will

be provided and clarifies the purpose and
meaning for the audit function.

71
 Performing an IS Audit
STEP 1:
Engagement Planning:
• Objective(s), scope, timeline and deliverables,
• compliance with applicable laws and professional auditing standards,
• use of a risk-based approach, documentation and reporting

STEP II
Risk Assessment in Planning:
• Risk assessment approach and methodology
• develop the overall IS audit plan and determine priorities
• effective allocation of IS audit resources.
• Tools – RCM, Mgmt Discussion

STEP III.
Performance and Supervision:
• Conduct the work in accordance with the approved IS audit plan
• Cover identified risk and within the agreed-on schedule.
• Maintain on a progressive basis time & resource count
72
 Performing an IS Audit
STEP IV: Materiality:
• Consider potential weaknesses or absences of controls
• Check whether such weaknesses or absences of controls could result in a significant
deficiency or a material weakness.

STEP V: Evidence:
• Obtain sufficient and appropriate evidence to draw reasonable conclusions
• IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained
• To support conclusions and achieve engagement objectives.

STEP VI: Using the Work of Other Experts:

• Consider using the work of other experts for the engagement
• Shall assess and approve the adequacy of the other experts’ professional qualifications,
competencies,
• Relevant experience, resources, independence and quality-control processes prior to
the engagement. 73
Computer Assisted Audit Techniques
CAAT is a significant tool for auditors to gather
evidences independently.

Gain access and to analyse data for a predetermined audit objective, and

Report the audit findings with evidences.

Helps the auditor to obtain evidence directly

on the quality of records produced and maintained in the system. 74

Needs for CAAT
1. For evidence collections

2. Analysis and interpretation of this evidence.

3. E-form evidence can only be verified using

CAAT.
75
Needs for CAAT
The ICAI Guidance note on CAAT describes CAATs
as important tools for the auditor in performing
audits.

CAATs may be used in performing various

auditing procedures including the following:
Tests of details of transactions and balances,
Analytical procedures, Tests of general controls,

Sampling programs to extract data for audit

testing, Tests of application controls .

76
Types of CAAT
Use the audit software developed by the
client

Design and develop his own audit software

Use a standard off the shelf Generalised

Audit Software
77
 Selecting, implementing and using CAATs
The following are some examples of CAATs, which can be used to
collect evidence :
ACL, IDEA etc

Utility Software such as Find, Search, flowcharting utilities

Spreadsheets such as Excel

Third party access control software

SQL Commands, OS commands 78

Selecting, implementing and using CAATs

RSAREF, DES, PGP

TCP Wrapper, SOCKS, TIS Toolkit

COPS, Tripwire, Tiger

ISS, SATAN, etc.

79
Continuous Auditing Approach

Continuous auditing is a process

through which an auditor
evaluates the particular
system(s) and thereby
generates audit reports on real
time basis.

Continuous auditing
approach may be required to
be used in various
environments
80
 Types of Audit Tools
• Snapshots
• are digital pictures of procedures of the console that are saved and
stored in the memory
• snapshots are implemented for tracing application software and
mapping it.
• Selected transactions are marked with certain codes so that it
triggers the snapshots
• EX: Instruction set executed in the memory of the ATM machine for
processing withdrawal. Hence the error in code/ instruction can be
pinpointed and identified by the snapshot software.
• Areas to be looked into:
• Materiality
• Timing of Capture
• Timing of Reporting
 Types of Audit Tools
• Integrated Test Facility (ITF)
• Placing a fictitious / dummy record in the master file
• creation of a dummy entity in the application system files and the
processing of audit test data against the entity
• means of verifying processing authenticity, accuracy, and
completeness
• Employees unaware a transaction is taking place
• Majorly used for on-line processing systems
• How to remove this subsequently?
• Either give inputs to reverse it or
• Programmed to ignore the effect
 Types of Audit Tools
• System Control Audit Review File (SCARF)
• embedding audit software modules within a host
application system to provide continuous monitoring
• Information collected is written onto a special audit
file- the SCARF master files
• Auditors might use SCARF for
• Application system errors - independent check on the quality of
system processing
• Policy and procedural variances – Organizations adherence to
policies
• System exception – Salespersons trying to manipulate price
 Types of Audit Tools
• Continuous and Intermittent Simulation (CIS):
• variation of the SCARF
• Embeds audit module in database
• used to trap exceptions whenever the application system
uses a DBMS
• Process transactions independently (stimulates) and
compares it with the actual results
• Comparison of what has be been and what should have
been
• Exceptions identified by CIS are written to a exception log
file
Audit Hooks
• There are audit routines that flag suspicious
transactions
• auditors can be informed of questionable transactions
as soon as they occur
• approach of real-time notification displays a message
on the auditor’s terminal
 Concurrent Audit Tools

Online Audit SCARF/ Integrated Snapshots Continuous Audit Hooks

Techniques: EAM Test Intermittent
Facilities Simulation
Complexity: Very High High Medium Medium Low
Useful when: Regular Its not An audit trail Transactions Only select
processing beneficial to is required meeting transactions
cannot be use test certain or processes
interrupted data criteria need need to be
to be examined
examined
2. What is the primary basis of
audit strategy?
A. It should be knowledge-based.
B. It should be cycle-based.
C. It should be request-based.
D. It should be risk-based.

Answer: D

Audit Strategy is based on risk assessment done by the

auditor. Other answers do not represent basis for
deciding audit strategy.
87
3. Which of the following audit tools is MOST useful to an
IS auditor when an audit trail is required?

A. Integrated test facility (ITF)

B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots

Answer: D
Snapshots is the right answer as in this technique IS auditor can
create evidence through IMAGE capturing? A snapshot tool is
most useful when an audit trail is required. ITF can be used to
incorporate test transactions into a normal production run of a
system. CIS is useful when transactions meeting certain criteria
need to be examined. Audit hooks are useful when only select
transactions or processes need to be examined.
88
4. The first step in the IS compliance audit testing is
to review which of the following?

A. Access security controls

B. Input controls
C. Processing controls
D. Output controls.

Answer: A
A is the first step towards compliance test. Other steps are more
part of application system transaction audit.

89
5. Cashier of a company has rights to create bank master in TALLY.
This error is reflection of poor definition for which type of control:

A. User Controls
B. Application Control
C. Input Control
D. Output Control

Answer: A
user controls are not properly defined. User controls need to
be defined based on NEED TO DO and NEED TO DO basis.
The above is reflection of a greater problem of improper
assessment user profiles created in the system.

90
6. An employees has left the
company. The first thing to do is…
A. Get a new one.
B. Disable his/her access rights.
C. Ask the employee to clear all dues/advances.
D. None of Above

Answer: B
The first thing to do as soon as an employee leaves the
company is to disable his/her access rights in system. This
needs to be done to prevent frauds being committed. Other
answers may be valid but are not the first thing to do.

91