
Computer-Aided Audit Tools and Techniques
Introduction to Input Controls

• Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete
• Data input procedures can be either:
  • Source document-triggered (batch)
  • Direct input (real-time)
• Source document input requires human involvement and is prone to clerical errors
• Direct input employs real-time editing techniques to identify and correct errors immediately

ASI CAATT
FBE UBAYA
Classes of Input Controls

1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems

#1-Source Document Controls

• Controls in systems using physical source documents
• Source document fraud
• To control for exposure, control procedures are needed over source documents to account for each one
  • Use pre-numbered source documents
  • Use source documents in sequence
  • Periodically audit source documents

#2-Data Coding Controls

• Checks on data integrity during processing
• Transcription errors
  • Addition errors, extra digits
  • Truncation errors, digit removed
  • Substitution errors, digit replaced
• Transposition errors
  • Single transposition: adjacent digits transposed (reversed)
  • Multiple transposition: non-adjacent digits are transposed
• Control = Check digits
  • Added to code when created (suffix, prefix, embedded)
  • Sum of digits (ones): transcription errors only
  • Modulus 11: different weights per column: transposition and transcription errors
  • Introduces storage and processing inefficiencies
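
The difference between the two check-digit schemes above, as an added example that is not part of the original slides: it mis-keys a constructed account code and shows which scheme catches each error type. The modulus 11 variant (weights 2, 3, 4, ... from the rightmost digit, check digit 11 minus the remainder, 10 written as "X") and all sample values are assumptions.

```python
# Added example: constructed account code, not data from the slides.
def sum_check_digit(code: str) -> str:
    """Sum-of-digits scheme: keep the ones position of the digit sum."""
    return str(sum(int(d) for d in code) % 10)

def mod11_check_digit(code: str) -> str:
    """Modulus 11 scheme. Assumed variant: weights 2, 3, 4, ... from the
    rightmost digit; check = 11 - (weighted sum mod 11); 10 is written 'X'."""
    total = sum(int(d) * w for w, d in enumerate(reversed(code), start=2))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)

def is_valid(coded: str, scheme) -> bool:
    """Recompute the check digit over the body and compare with the suffix."""
    body, check = coded[:-1], coded[-1]
    return body.isdigit() and scheme(body) == check

def error_detected(original: str, keyed: str, scheme) -> bool:
    """The clerk mis-keys the body but copies the check digit correctly."""
    return not is_valid(keyed + scheme(original), scheme)

ACCOUNT = "5372"  # constructed
KEYING_ERRORS = {  # constructed mis-keyings of ACCOUNT
    "substitution": "5872",
    "truncation": "537",
    "single transposition": "3572",
    "multiple transposition": "7352",
}

def detection_table() -> dict:
    """Map each error type to which scheme catches it."""
    return {
        kind: {
            "sum": error_detected(ACCOUNT, keyed, sum_check_digit),
            "mod11": error_detected(ACCOUNT, keyed, mod11_check_digit),
        }
        for kind, keyed in KEYING_ERRORS.items()
    }

if __name__ == "__main__":
    print("coded:", ACCOUNT + mod11_check_digit(ACCOUNT))
    for kind, result in detection_table().items():
        print(f"{kind:24} sum={result['sum']!s:5} mod11={result['mod11']}")
```

Both transpositions leave the digit sum unchanged, so only the weighted scheme rejects them.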

#3-Batch Controls

• Method for handling high volumes of transaction data – esp. paper-fed IS
• Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)
  1) All records in the batch are processed together
  2) No records are processed more than once
  3) An audit trail is maintained from input to output
• Requires grouping of similar input transactions

#3-Batch Controls

• Requires controlling batch throughout
  • Batch transmittal sheet (batch control record) – Figure 7-1
    • Unique batch number (serial #)
    • A batch date
    • A transaction code
    • Number of records in the batch
    • Total dollar value of financial field
    • Sum of unique non-financial field
      • Hash total
      • E.g., customer number
  • Batch control log – Figure 7-3
  • Hash totals

#4-Validation Controls

• Intended to detect errors in data before processing
• Most effective if performed close to the source of the transaction
• Some require referencing a master file

#4-Validation Controls

• Field Interrogation
  • Missing data checks
  • Numeric-alphabetic data checks
  • Zero-value checks
  • Limit checks
  • Range checks
  • Validity checks
  • Check digit
• Record Interrogation
  • Reasonableness checks
  • Sign checks
  • Sequence checks
• File Interrogation
  • Internal label checks (tape)
  • Version checks
  • Expiration date check

#5-Input Error Correction

• Batch – correct and resubmit
• Controls to make sure errors are dealt with completely and accurately

1) Immediate Correction
2) Create an Error File
  • Reverse the effects of partially processed, resubmit corrected records
  • Reinsert corrected records in processing stage where error was detected
3) Reject the Entire Batch

#6-Generalized Data Input Systems (GDIS)

• Centralized procedures to manage data input for all transaction processing systems
• Eliminates need to create redundant routines for each new application
• Advantages:
  • Improves control by having one common system perform all data validation
  • Ensures each AIS application applies a consistent standard of data validation
  • Improves systems development efficiency

#6-Generalized Data Input Systems (GDIS)

• Major components:
  1) Generalized Validation Module
  2) Validated Data File
  3) Error File
  4) Error Reports
  5) Transaction Log

Classes of Processing Controls

1) Run-to-Run Controls
2) Operator Intervention Controls
3) Audit Trail Controls

#1-Run-to-Run (Batch)

• Use batch figures to monitor the batch as it moves from one process to another
  1) Recalculate Control Totals
  2) Check Transaction Codes
  3) Sequence Checks
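
The batch control record from the Batch Controls slides and the three run-to-run checks above, as an added example that is not part of the original slides: a run re-derives the record count, dollar total and hash total and compares them with the transmittal sheet. The field names, the batch data and the rule that sequence numbers run 1..n are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed batch control record (transmittal sheet) and its transactions.
CONTROL = {"batch_no": "B-0012", "txn_code": "SO", "record_count": 3,
           "dollar_total": Decimal("1650.75"), "hash_total": 30456}
BATCH = [
    {"seq": 1, "txn_code": "SO", "customer_no": 10112, "amount": Decimal("500.25")},
    {"seq": 2, "txn_code": "SO", "customer_no": 10140, "amount": Decimal("150.50")},
    {"seq": 3, "txn_code": "SO", "customer_no": 10204, "amount": Decimal("1000.00")},
]

def run_to_run_check(control: dict, records: list) -> list:
    """Re-derive the batch figures after a run and list every mismatch."""
    exceptions = []
    if len(records) != control["record_count"]:
        exceptions.append("record count")
    if sum((r["amount"] for r in records), Decimal("0")) != control["dollar_total"]:
        exceptions.append("dollar total")
    # Hash total: sum of a non-financial field, meaningless except as a control.
    if sum(r["customer_no"] for r in records) != control["hash_total"]:
        exceptions.append("hash total")
    if any(r["txn_code"] != control["txn_code"] for r in records):
        exceptions.append("transaction code")
    # Assumed rule: sequence numbers run 1..n with no gap or repeat.
    if [r["seq"] for r in records] != list(range(1, len(records) + 1)):
        exceptions.append("sequence")
    return exceptions

def scenarios() -> dict:
    """Constructed failure cases applied to copies of BATCH."""
    dropped = [BATCH[0], BATCH[2]]
    duplicated = BATCH + [BATCH[2]]
    misposted = [dict(r) for r in BATCH]
    misposted[1]["customer_no"] = 10141   # wrong customer, same amount
    miscoded = [dict(r) for r in BATCH]
    miscoded[0]["txn_code"] = "CR"
    return {"clean": BATCH, "dropped": dropped, "duplicated": duplicated,
            "misposted": misposted, "miscoded": miscoded}

if __name__ == "__main__":
    for name, records in scenarios().items():
        print(f"{name:10} -> {run_to_run_check(CONTROL, records) or 'totals agree'}")
```

The misposted case is the one only the hash total catches: record count and dollar total still agree with the control record.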

#2-Operator Intervention

• When operator manually enters controls into the system
• Preference is to derive by logic or provided by system

#3-Audit Trail Controls

• Every transaction becomes traceable from input to output
• Each processing step is documented
• Preservation is key to auditability of AIS
  • Transaction logs
  • Log of automatic transactions
  • Listing of automatic transactions
  • Unique transaction identifiers [s/n]
  • Error listing

Output Controls

• Ensure system output:
  1) Not misplaced
  2) Not misdirected
  3) Not corrupted
  4) Privacy policy not violated
• Batch systems more susceptible to exposure, require greater controls
• Controlling Batch Systems Output
  • Many steps from printer to end user
  • Data control clerk check point
  • Unacceptable printing should be shredded
  • Cost/benefit basis for controls
  • Sensitivity of data drives levels of controls

Output Controls

• Output spooling – risks:
  • Access the output file and change critical data values
  • Access the file and change the number of copies to be printed
  • Make a copy of the output file so illegal output can be generated
  • Destroy the output file before printing takes place

Output Controls

• Print Programs
  • Operator Intervention:
    1) Pausing the print program to load output paper
    2) Entering parameters needed by the print run
    3) Restarting the print run at a prescribed checkpoint after a printer malfunction
    4) Removing printer output from the printer for review and distribution
  • Print Program Controls
    • Production of unauthorized copies
      • Employ output document controls similar to source document controls
    • Unauthorized browsing of sensitive data by employees
      • Special multi-part paper that blocks certain fields

Output Controls

• Bursting
  • Supervision
• Waste
  • Proper disposal of aborted copies and carbon copies
• Data control
  • Data control group – verify and log
• Report distribution
  • Supervision

Output Controls

• End user controls
  • End user detection
• Report retention:
  • Statutory requirements (gov’t)
  • Number of copies in existence
  • Existence of softcopies (backups)
  • Destroyed in a manner consistent with the sensitivity of its contents

Output Controls

• Controlling real-time systems output
  • Eliminates intermediaries
  • Threats:
    • Interception
    • Disruption
    • Destruction
    • Corruption
  • Exposures:
    • Equipment failure
    • Subversive acts
  • Systems performance controls (Ch. 2)
  • Chain of custody controls (Ch. 5)

Black Box

• Ignore internal logic of application
• Use functional characteristics
  • Flowcharts
  • Interview key personnel
• Advantages:
  • Do not have to remove application from operations to test it
• Appropriately applied:
  • Simple applications
  • Relatively low level of risk

White Box

• Relies on in-depth understanding of the internal logic of the application
• Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
• Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results

White Box Test Methods

1) Authenticity tests:
  • Individuals / users
  • Programmed procedure
  • Messages to access system (e.g., logons)
  • All-American University, student lab: logon, reboot, logon *
2) Accuracy tests:
  • System only processes data values that conform to specified tolerances
3) Completeness tests:
  • Identify missing data (field, records, files)

White Box Test Methods

4) Redundancy tests:
  • Process each record exactly once
5) Audit trail tests:
  • Ensure application and/or system creates an adequate audit trail
  • Transactions listing
  • Error files or reports for all exceptions
6) Rounding error tests:
  • “Salami slicing”
  • Monitor activities – excessive ones are serious exceptions; e.g., rounding and thousands of entries into a single account for $1 or

Computer Aided Audit Tools and Controls (CAATTs)

1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS

#1 – Test Data

• Used to establish the application processing integrity
• Uses a “test deck”
  • Valid data
  • Purposefully selected invalid data
  • Every possible:
    • Input error
    • Logical processes
    • Irregularity
• Procedures:
  1) Predetermined results and expectations
  2) Run test deck
  3) Compare

#2 – Base Case System Evaluation (BCSE)

• Variant of Test Data method
• Comprehensive test data
• Repetitive testing throughout SDLC
• When application is modified, subsequent test (new) results can be compared with previous results (base)

#3 – Tracing

• Test data technique that takes step-by-step walk through application
  1) The trace option must be enabled for the application
  2) Specific data or types of transactions are created as test data
  3) Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
• Excellent means of debugging a faulty program

Test Data: Advantages and Disadvantages

• Advantages of test data
  1) They employ white box approach, thus providing explicit evidence
  2) Can be employed with minimal disruption to operations
  3) They require minimal computer expertise on the part of the auditors
• Disadvantages of test data
  1) Auditors must rely on IS personnel to obtain a copy of the application for testing
  2) Audit evidence is not entirely independent
  3) Provides static picture of application integrity
  4) Relatively high cost to implement, auditing inefficiency

#4 – Integrated Test Facility

• ITF is an automated technique that allows auditors to test logic and controls during normal operations
  1) Set up a dummy entity within the application system
  2) System able to discriminate between ITF audit module transactions and routine transactions
  3) Auditor analyzes ITF results against expected results

#5 – Parallel Simulation

• Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested
  1) Auditor gains a thorough understanding of the application under review
  2) Auditor identifies those processes and controls critical to the application
  3) Auditor creates the simulation using program or Generalized Audit Software (GAS)
  4) Auditor runs the simulated program using selected data and files
  5) Auditor evaluates results and reconciles differences

Thank You
