Management Control and Audit of Advanced EDP Systems

University of Mississippi
eGrove
Industry Guides (AAGs), Risk Alerts, and American Institute of Certified Public
Checklists Accountants (AICPA) Historical Collection
1977
Management, control, and audit of advanced EDP systems;

Computer services guidelines
American Institute of Certified Public Accountants. Auditing Advanced EDP Systems Task Force
Follow this and additional works at: https://egrove.olemiss.edu/aicpa_indev
Part of the Accounting Commons, and the Taxation Commons
Recommended Citation
American Institute of Certified Public Accountants. Auditing Advanced EDP Systems Task Force,
"Management, control, and audit of advanced EDP systems; Computer services guidelines" (1977).
Industry Guides (AAGs), Risk Alerts, and Checklists. 711.
https://egrove.olemiss.edu/aicpa_indev/711
This Book is brought to you for free and open access by the American Institute of Certified Public Accountants
(AICPA) Historical Collection at eGrove. It has been accepted for inclusion in Industry Guides (AAGs), Risk Alerts,
and Checklists by an authorized administrator of eGrove. For more information, please contact
egrove@olemiss.edu.
COMPUTER SERVICES GUIDELINES
Management, Control
and Audit of
Advanced EDP Systems
American Institute of Certified Public Accountants AICPA

Notice to R eaders
Computer services guidelines are published to assist members in

understanding and utilizing various aspects of data processing. These
guidelines represent the recommendations of the computer services
executive committee on the various topics covered.
P re p a re d by
Auditing Advanced EDP Systems Task Force
Everett C. Johnson, Chairman
Burton J. Cohen William E. Perry
Richard Gnospelius Kenneth A. Pollock
Leslie J. Hellenack Larry D. Van Horn
Paul Levine, Manager
A p p ro v e d by
Computer Services Executive Committee (1975-76)
Richard J. Guiltinan, Chairman Lawrence J. McDonald
John C. Broderick John W. Nuxall
Michael Carrozza, Jr. William E. Perry
John P. Harrison Howard M. Schnoll
James K. Loebbecke Paul B. Woodfin
Donald L. Adams, Managing Director
Paul Levine, Manager
COMPUTER SERVICES GUIDELINES
Management, Control
and Audit of
C o p y rig h t © 1 9 7 7 b y th e
A m e ric a n In stitu te of C e rtifie d P u b lic A c c o u n ta n ts , Inc.
1211 A v e n u e o f th e A m e ric a s , N e w York, N .Y . 1 0 0 3 6
Contents
PREFACE v
INTRODUCTION
Objectives and Concerns 1
Summary 2
Organization of the Report 2
NATURE OF THE AUDIT PROCESS

Audit Objectives and General Nature of the Audit Process 3
Study and Evaluation of Internal Control 3
Substantive Procedures 4
CHARACTERISTICS AND IMPLICATIONS OF ADVANCED SYSTEMS

Characteristics of Advanced Systems 5
Management Implications of Advanced EDP Systems 8
EFFECTIVE CONTROL AND AUDIT OF ADVANCED EDP SYSTEMS

Control and Auditability Objectives 10
Control Features 11
Auditability Features 13
Audit Tools 13
AUDIT APPROACHES FOR ADVANCED EDP SYSTEMS

Auditing Advanced EDP Systems— Some Differences 15
Auditing Approaches to Advanced Systems 18
SUMMARY, CONCLUSIONS, AND RECOMMENDATIONS

Conclusions 26
Recommendations 27
APPENDIX 1— ULTIMATE CORPORATION— A FUTURE

ADVANCED SYSTEM 28
APPENDIX 2—AUTHORIZATION CONCEPTS FOR

•INFORMATION PROCESSING SYSTEMS 30
Users 30
Processes 31
Data 31
Authorization Table Concept 32
APPENDIX 3— SUGGESTED PROCEDURES FOR AUDITORS

TO FOLLOW DURING SYSTEMS DESIGN 34
APPENDIX 4— GLOSSARY 36
For a v a rie ty of re a s o n s co n tro l u s u a lly ta k e s a A d e q u a te c o n tro l m e c h a n is m s h a v e b e e n
b a c k s e a t to o th e r o b je c tiv e s in th e d e v e lo p m e n t d e v is e d for m a n y p re s e n t-d a y system s, but
of in n o v a tiv e e le c tro n ic d a ta p ro c e s s in g te c h n o lo g ic a l d e v e lo p m e n ts a re le a d in g to
a p p lic a tio n s . T h e p re s s u re to b rin g a n e w m o re s y s te m c h a n g e s . A d v a n c e d s y s te m s are
a p p lic a tio n "o n th e a ir ” by its s c h e d u le d d a te n o w a re a lity . If th e h a rd w a re for th e s e s y s te m s
o ften c a u s e s d e s ir a b le co n tro l o b je c tiv e s to b e d o e s not p ro v id e a d e q u a te co n tro ls, o r if
o v e rlo o k e d o r not im p le m e n te d . T h is, in turn, o p e ra tin g s y s te m s d o not h a v e th e p ro c e s s in g
m a y re s u lt in th e n e e d to retrofit c o ntro l in te g rity to a s s u re p ro p e r tre a tm e n t of a ll
m e c h a n is m s — u s u a lly a t c o n s id e ra b le tra n s a c tio n s by a p p lic a tio n p ro g ra m s ,
e x p e n s e — a fte r th e a p p lic a tio n h as b e e n c o n tro llin g a n d a u d itin g th e s e s y s te m s a fte r th e y
o p e ra tin g for a tim e . h a v e b e g u n o p e ra tio n s w ill b e u n n e c e s s a rily
In a d d itio n , c o n s id e ra tio n of a u d it c o s tly a n d p e rh a p s less s u c c e s s fu l.
a p p r o a c h e s o ften is d e fe rre d until a n e w s ystem It is to h e lp p re v e n t s u c h s e rio u s a n d
h a s b e e n o p e ra tio n a l fo r s o m e tim e . T h e re fo re , e x p e n s iv e m is ta k e s th a t th is rep o rt h a s b e e n
o p p o rtu n itie s to u se c o st e ffe c tiv e E D P a u d it p re p a re d .
te c h n iq u e s m a y b e lost.
v
Chapter 1
Introduction
N e w d a ta p ro c e s s in g c o n c e p ts in la r g e -s c a le c o n s id e re d . A lso , c e rta in of th e s e a p p lic a tio n s
s ystem s, in c re a s e d c a p a b ilitie s of a re re le v a n t to to d a y ’s system s.
m in ic o m p u te r system s, a n d th e lin k in g of M o st im p o rta n tly , th is rep o rt is in te n d e d to
c o m m u n ic a tio n s a n d d a ta p ro c e s s in g are s tim u la te d is c u s s io n a n d re s e a rc h in a d v a n c e d
b rin g in g s o p h is tic a te d in fo rm a tio n s y s te m s to sys te m s te c h n o lo g y by c o m p u te r h a rd w a re
la rg e a n d s m a ll users a lik e . In th e fu tu re v irtu a lly m a n u fa c tu re rs , s o ftw a re d e v e lo p e rs , E D P
a ll b u s in e s s a c tiv itie s w ill in te ra c t in s o m e w a y p e rs o n n e l, m a n a g e m e n t, users, an d au d ito rs.
w ith E D P system s. C o n tro l a n d a u d ita b ility are T h is rep o rt d e fin e s or id e n tifie s p ro b le m s , but
p a ra m o u n t c o n s id e ra tio n s in th e d e s ig n of th e s e d o e s not p ro v id e fin a l c o n c lu s io n s o r solu tion s.
s ystem s. S in c e tra d itio n a l c o ntro l a n d a u d itin g H o p e fu lly , it m a y p ro v id e a p ortion of th e
te c h n iq u e s m a y not b e re s p o n s iv e to su ch im p e tu s n e e d e d to la u n c h th e study, re s e a rc h ,
s ystem s, n e w te c h n iq u e s m a y b e re q u ire d . a n d e x p e rim e n ta tio n th a t w ill b e re q u ire d to
T h e s c o p e of th is rep o rt in c lu d e s th e a re a s of d e v e lo p so u n d m a n a g e m e n t, co n tro l, a n d a u d it
m a n a g e m e n t a n d a u d ito r c o n c e rn a b o u t te c h n iq u e s a p p lic a b le to a d v a n c e d system s.
a d v a n c e d E D P system s, th e id e n tific a tio n of T h e m atte rs a d d r e s s e d h e re in sh ou ld be
s p e c ific p ro b le m s , a n d s o m e p ro p o s e d c o n s id e re d in th e d e s ig n a n d d e v e lo p m e n t of
so lu tio n s to th e s e p ro b le m s . B a s ic c o ntro l an d a d v a n c e d E D P s y s te m s to a s s u re th a t such
a u d it fe a tu re s for a d v a n c e d E D P s y s te m s a re s y s te m s m e e t a ll of m a n a g e m e n ts ’ n e e d s an d
p re s e n te d a n d p o s s ib le a u d it a p p r o a c h e s are c a n b e a u d ite d at a re a s o n a b le cost.
Objectives and Concerns

E D P s y s te m s a re n ow b e in g d e s ig n e d to re q u ire d to m a in ta in th e in te g rity of th e system s,
a c h ie v e s o m e of th e fo llo w in g o b je c tiv e s : a n d a u d ito rs w ill re q u ire n e w s k ills a n d
te c h n iq u e s to a u d it th e s e s y s te m s e ffe c tiv e ly .
1. D e riv e m a x im u m b e n e fit from th e c a p a b ility
T h is re p o rt re fle c ts th e c o n c e rn s of a u d ito rs
of lin k in g h ig h -s p e e d c o m p u tin g w ith
w ith a d v a n c e d E D P s y s te m s a n d h a s b e e n
h ig h -s p e e d c o m m u n ic a tio n s .
p re p a re d for th e c o n s id e ra tio n o f m a n a g e m e n t,
2. B rin g th e s ystem c lo s e r to th e user. U s e rs h a rd w a re m a n u fa c tu re rs , sys te m s d e s ig n e rs ,
m a y in c lu d e e m p lo y e e s , c u s to m e rs , a n d d e v e lo p e rs , a s w e ll as a u d ito rs . T h e
v e n d o rs , a n d oth ers. p rin c ip a l c o n c e rn s d is c u s s e d in th is re p o rt c a n
3. A u to m a te th e d e c is io n -m a k in g p ro c e s s a s it b e s u m m a riz e d as fo llo w s .
re la te s to e s ta b lis h e d m a n a g e m e n t
o b je c tiv e s . Internal Accounting Control
4. P ro v id e a s in g le r e lia b le s o u rc e of
□ C o n tro l fe a tu re s a n d p ro c e d u re s m ust b e
in fo rm a tio n re g a rd in g th e e n te rp ris e , a n d
p ro v id e d fo r c o m m u n ic a tio n -b a s e d n etw o rks
e lim in a te d u p lic a tio n o f re c o rd -k e e p in g by
a n d o th e r s y s te m s in w h ic h a c c o u n tin g
r e p la c in g p re v io u s ly s e p a ra te s y s te m s w ith
in fo rm a tio n c a n b e a c c e s s e d or c h a n g e d
o n e in te g ra te d s ystem .
from re m o te lo c a tio n s .
5. E lim in a te th e p rin tin g of la rg e a m o u n ts of
□ A u th o riz a tio n s y s te m s a re re q u ire d to c o ntro l
d e ta il a n d th e u se o f la rg e a m o u n ts of
a c c e s s to a n d th e p ro c e s s in g of a c c o u n tin g
p a p e rw o rk to s u p p o rt tra n s a c tio n s a n d o th e r
in fo rm a tio n a n d to m a in ta in a s e p a ra tio n of
a c tiv ity . e m p lo y e e fu n c tio n s .
A d v a n c e d E D P s y s te m s d e v e lo p e d to m e e t □ P ro g ra m m e d s y s te m c o n tro ls m u st b e
th e s e o b je c tiv e s w ill u se n e w p ro c e s s in g p ro v id e d s in c e a m a n u a l re v ie w o f in p u t by
c o n c e p ts ; thus, n e w m a n a g e m e n t s k ills a n d e m p lo y e e s w ill no lo n g e r b e a p p lic a b le
te c h n iq u e s w ill b e n e e d e d to m a n a g e th e s e w h e n a c c o u n tin g tra n s a c tio n s a re g e n e r a te d
sys te m s . N e w c o n tro l p ro c e d u re s w ill b e a n d p ro c e s s e d a u to m a tic a lly by th e system .
1
□ P ro v is io n s for tra c in g th e h is to ric a l flo w of of s ystem co n tro ls.
a c c o u n tin g tra n s a c tio n s s h o u ld b e p ro v id e d □ R e q u ire m e n ts for e ffe c tiv e a u d it te c h n iq u e s
in s y s te m s h a v in g a c c o u n tin g s ig n ific a n c e . a n d a u d it tim in g c o n s id e ra tio n s n e e d to b e
□ P ro v is io n s sh o u ld b e m a d e fo r tim e ly a n d a d d re s s e d .
e c o n o m ic a l re c o n s tru c tio n of a c c o u n tin g □ A u d ito rs n e e d to p a rtic ip a te in th e system
in fo rm a tio n in th e e v e n t of its d e s tru c tio n . d e s ig n a n d d e v e lo p m e n t p ro c e s s to a
□ M a n a g e m e n t, a u d ito rs , a n d o th e rs s h o u ld b e g re a te r e x te n t th an th e y h a v e in th e past.
p ro v id e d w ith fe e d b a c k on th e p e rfo rm a n c e □ A u d it c o st is s ig n ific a n tly a ffe c te d by th e
a n d in te g rity o f a d v a n c e d E D P s ystem s. d e s ig n of th e sys te m , th e u s e fu ln e s s of
sy s te m d o c u m e n ta tio n , a n d th e
Auditability
e ffe c tiv e n e s s of co n tro l of a c c o u n tin g
□ In c re a s e d a u d it re lia n c e w ill b e p la c e d on a p p lic a tio n s p ro c e s s e d on a d v a n c e d
c o n tro ls in a d v a n c e d E D P system s. s ystem s.
□ T h e a v a ila b ility of tra d itio n a l h a rd -c o p y
d o c u m e n ts a n d o th e r a u d it e v id e n c e is
EDP Technical Proficiency
d e c r e a s e d a n d th e a c c e p ta b ility of □ H ig h e r le v e ls of E D P te c h n ic a l k n o w le d g e
s ystem p ro d u c e d a u d it e v id e n c e w ill w ill b e n e c e s s a ry fo r m a n a g e m e n t, users,
b e c o m e h ig h ly d e p e n d e n t on th e a d e q u a c y a n d a u d ito rs .
Summary
C o o p e ra tio n b e tw e e n a u d ito rs , m a n a g e m e n t, 2. A u th o riz a tio n c o n c e p ts fo r v a lid a tin g u ser
users, h a rd w a re m a n u fa c tu re rs , a n d so ftw are re q u e s ts p rio r to p ro c e s s in g .
d e v e lo p e rs w ill h e lp e n s u re th a t a d v a n c e d 3. T e c h n iq u e s to e n s u re tim e ly p ro c e s s in g of
s y s te m s p ro v id e th e a d v a n ta g e s th e y a re a u th o riz e d tra n s a c tio n s , re c o rd in g of u ser
c a p a b le o f p ro v id in g w ith o u t in tro d u c in g a n d p ro c e s s a c tiv ity , a n d re trie v a l of
s e rio u s in te rn a l a c c o u n tin g c o ntro l d e fic ie n c ie s . h is to ric a l d a ta .
T h is p a p e r c a te g o riz e s th e a re a s th a t re q u ire
4. T o o ls a n d te c h n iq u e s fo r a u d itin g a d v a n c e d
a d d itio n a l co n tro l te c h n iq u e s a n d s u g g e s ts th e
s ystem s.
fo llo w in g a p p ro a c h e s :
1. T e c h n iq u e s a n d p ro c e d u re s fo r i d e n t i
fic a tio n of users.
Organization of the Report

C h a p te r 2 d e s c rib e s th e n a tu re a n d s c o p e of th e a u d it to o ls a n d te c h n iq u e s . C h a p te r 6
a u d it p ro c e s s as it re la te s to E D P s y s te m s for s u m m a riz e s th e rep o rt, p ro v id e s c o n c lu s io n s ,
re a d e rs u n fa m ilia r w ith th is a re a . C h a p te r 3 a n d m a k e s re c o m m e n d a tio n s .
in tro d u c e s th e c h a ra c te ris tic s o f a d v a n c e d E D P T h e rep o rt c o n ta in s fo u r a p p e n d ix e s .
sy s te m s , d is c u s s e s th e ir co n tro l im p lic a tio n s , A p p e n d ix 1 c o n ta in s an illu s tra tio n of an
a n d ra is e s v a rio u s c o n c e rn s a n d q u e s tio n s “a d v a n c e d ” E D P sy s te m th a t m ig h t s o m e d a y
a d d r e s s e d to m a n a g e m e n t. C h a p te r 4 p re s e n ts e x is t in a m y th ic a l o rg a n iz a tio n c a lle d U ltim a te
re c o m m e n d e d fe a tu re s for e ffe c tiv e co n tro l a n d C o rp o ra tio n . A p p e n d ix 2 p re s e n ts c e rta in
a u d itin g o f a d v a n c e d E D P s y s te m s a n d is a u th o riz a tio n c o n c e p ts re la te d to in fo rm a tio n
a d d r e s s e d to h a rd w a re m a n u fa c tu re rs a n d p ro c e s s in g s ystem s. S u g g e s te d a u d ito r
s o ftw a re d e s ig n e rs a s w e ll a s m a n a g e m e n t. p ro c e d u re s th a t m ig h t b e p e rfo rm e d d u rin g
C h a p te r 5 d is c u s s e s a u d it a p p r o a c h e s to sy s te m d e s ig n a re p re s e n te d in A p p e n d ix 3.
a d v a n c e d E D P s y s te m s a n d d e s c rib e s v a rio u s A p p e n d ix 4 is a b rie f g lo s s a ry .
2
Chapter 2
Nature of the Audit Process

Audit Objectives and General Nature of
the Audit Process
“T h e o b je c tiv e of th e o rd in a ry e x a m in a tio n of re p o rts p ro d u c e d by th e system . T h e first
fin a n c ia l s ta te m e n ts by th e in d e p e n d e n t a u d ito r c a te g o ry in c lu d e s p ro c e d u re s for th e stu d y a n d
is th e e x p re s s io n of an o p in io n on th e fa irn e s s e v a lu a tio n of in te rn a l co ntro l. T h e s e c o n d
w ith w h ic h th e y p re s e n t th e fin a n c ia l p o sitio n , c a te g o ry in c lu d e s p ro c e d u re s , c a lle d
resu lts of o p e ra tio n s , a n d c h a n g e s in fin a n c ia l s u b s ta n tiv e tests, d e s ig n e d to a s s is t th e a u d ito r
p o s itio n in c o n fo rm ity w ith g e n e r a lly a c c e p te d in fo rm u la tin g an o p in io n a b o u t th e v a lid ity an d
a c c o u n tin g p r in c ip le s .” 1 A lth o u g h s p e c ific a u d it th e re a s o n a b le n e s s of tra n s a c tio n s a n d th e
p ro c e d u re s m a y d iffer, th e a u d ito r’s o b je c tiv e p ro p rie ty of a c c o u n tin g tre a tm e n t of tra n s a c tio n s
d o e s not c h a n g e w h e n E D P is u tiliz e d in th e a n d b a la n c e s . In an a d v a n c e d system
a c c o u n tin g p ro c e s s . e n v iro n m e n t both c a te g o rie s of p ro c e d u re s c a n
In d e p e n d e n t a u d its in c lu d e tw o b ro a d re q u ire a u d it te c h n iq u e s th a t use or in v o lv e th e
c a te g o rie s of p ro c e d u re s d e s ig n e d to d e te rm in e c o m p u te r.
th e re lia b ility of a c c o u n tin g d a ta a n d fin a n c ia l
Study and Evaluation of Internal Control

An u n d e rs ta n d in g of th e p ro c e s s by w h ic h in te re s te d in a d m in is tra tiv e co ntro ls.
a c c o u n tin g in fo rm a tio n flo w s th ro u g h an T h e u se of E D P in an a c c o u n tin g system
a c c o u n tin g s ystem is fu n d a m e n ta l to th e re q u ire s a p p r o p ria te p ro c e d u re s to as s u re
a u d ito r’s e v a lu a tio n of in te rn a l a c c o u n tin g e ffe c tiv e in tern al a c c o u n tin g co ntro l. T y p ic a lly ,
c o n tro ls a n d to th e d e s ig n of a u d itin g m a n y in tern al a c c o u n tin g c o ntro l fu n ctio n s,
p ro c e d u re s . T h e a b ility to fo llo w th e flo w of w h ic h w e re o n c e p e rfo rm e d by s e p a ra te
a c c o u n tin g in fo rm atio n th ro u g h th e system , in d iv id u a ls in a m a n u a l system , h a v e now
n o rm a lly c a lle d an a u d it trail, o r m a n a g e m e n t b e c o m e c o n c e n tra te d in an E D P system ; thus,
trail, is of p a rtic u la r c o n c e rn to th e a u d ito r. T h e b a s ic a c c o u n tin g re c o rd s fre q u e n tly lose th e ir
b a s ic c o m p o n e n ts of th is flo w a re th e c o m p a n y ’s v is ib ility a n d c a n b e a lte re d w ith o u t le a v in g a
tra n s a c tio n s c o v e rin g th e e x c h a n g e of a s s e ts or tra c e . T h e s e re c o rd s m a y b e a c c e s s ib le to
s e rv ic e s w ith p a rtie s o u ts id e of th e c o m p a n y as p ro g ra m m e rs , o p e ra to rs , s ystem s p e rs o n n e l,
w e ll as in tern al tra n s fe rs w ith in it. a n d , in s o m e s itu atio n s, to users o v e r w h o s e
T h e in d e p e n d e n t a u d ito r is in te re s te d a c tio n s th e s e re c o rd s m a y b e u s e d to m a in ta in
p rin c ip a lly in in tern al a c c o u n tin g co ntro ls, a c c o u n ta b ility .
w h ic h a re c o n c e rn e d w ith th e s a fe g u a rd in g of T h e a u d ito r id e n tifie s in tern al a c c o u n tin g
a s s e ts a n d th e re lia b ility of fin a n c ia l re c o rd s . c o n tro ls u po n w h ic h re lia n c e c a n b e p la c e d as
C o n tro ls , su ch as th o s e c o n c e rn e d w ith a b a s is for re s tric tin g s u b s ta n tiv e tests. T h e
o p e ra tio n a l e ffic ie n c y , p e rs o n n e l p ra c tic e s , an d a u d ito r th en p e rfo rm s tests of c o m p lia n c e ,
so forth a re c a lle d a d m in is tra tiv e c o n tro ls an d w h ic h p ro v id e re a s o n a b le a s s u ra n c e th at
u s u a lly c o n c e rn th e in d e p e n d e n t a u d ito r o n ly a c c o u n tin g c o ntro l p ro c e d u re s are fu n c tio n in g
in d ir e c tly .2 H o w e v e r, in tern al a u d ito rs , th a t is, as p re s c rib e d .
p ro fe s s io n a l a u d ito rs e m p lo y e d by th e In a m a n u a l s ystem th e a u d ito r e x a m in e s
e n te rp ris e as d is tin g u is h e d from in d e p e n d e n t or e v id e n c e , su ch as in d ic a tio n s of a p p ro v a l a n d
“e x te r n a l” au d ito rs , fre q u e n tly a re v ery c a n c e lla tio n s , th a t in d ic a te s w h e th e r th e co ntro l
Statement
1 on Auditing Standards (SAS) no. 1 (New York: AICPA, 1972), Sec. 110.01.
2See SAS no. 1, Sec. 320, for a definition and discussion of accounting controls.
3
p ro c e d u re s w e re in fa c t fu n c tio n in g as In an a d v a n c e d E D P s ystem th e a u d ito r m ay
p re s c rib e d d u rin g th e p e rio d c o v e re d by th e u se th e c lie n t’s c o m p u te r s ystem to p erfo rm
fin a n c ia l s ta te m e n ts b e in g e x a m in e d . S im ila rly , tes ts of c o m p lia n c e . T h e a u d ito r, in e ffect, th en
in an E D P s ystem th e a u d ito r s e e k s a s s u ra n c e b e c o m e s d e p e n d e n t on th e in te g rity of th e
th a t c o ntro l p ro c e d u re s h a v e fu n c tio n e d sy s te m w h ile p e rfo rm in g th e s e tests a n d s h o u ld
th ro u g h o u t th a t p e rio d . S u ch a s s u ra n c e , fo llo w a d d itio n a l p ro c e d u re s to g a in a s s u ra n c e
h o w e v e r, is fre q u e n tly o b ta in e d in d iffe re n t re g a rd in g in te g rity o v e r a u d it p ro c e s s in g .
w a y s . P ro g ra m m e d E D P a c c o u n tin g c o n tro l T h e a u d ito r th en c o n s id e rs th e n a tu re of th e
p ro c e d u re s d e s ig n e d to d e te c t e rro n e o u s d a ta a c c o u n tin g s ystem , th e a d e q u a c y of p re s c rib e d
fre q u e n tly le a v e no v is ib le e v id e n c e in d ic a tin g a c c o u n tin g co n tro ls, a n d th e d e g r e e of
th a t th e p ro c e d u re s w e re p e rfo rm e d . T h e a u d ito r c o m p lia n c e w ith th o s e c o n tro ls a n d d e te rm in e s
c a n te s t th e s e c o n tro ls by re v ie w in g p ro c e s s e d th e e x te n t to w h ic h s u b s ta n tiv e te s tin g
tra n s a c tio n s to d e te rm in e w h e th e r u n a c c e p ta b le p ro c e d u re s c a n b e re s tric te d . S o m e s u b s ta n tiv e
c o n d itio n s e x is te d a n d w e re d e te c te d . For te s tin g is a lw a y s re q u ire d , s in c e a u d itin g
e x a m p le , a c o m p u te r p ro g ra m d e v e lo p e d a n d s ta n d a rd s d o not p e rm it th e a u d ito r to p la c e
run u n d e r th e a u d ito r’s c o ntro l m a y b e u tiliz e d to c o m p le te re lia n c e on in te rn a l c o ntro l to th e
re v ie w a file of s a le s tra n s a c tio n s fo r th e y e a r in e x c lu s io n of s u b s ta n tiv e a u d itin g p ro c e d u re s
o rd e r to d e te c t v a ria tio n s from a c o m p a n y ’s w ith re s p e c t to m a te ria l a m o u n ts in th e fin a n c ia l
s ta te d c re d it p o lic y . s ta te m e n ts .3
Substantive Procedures
S u b s ta n tiv e a u d it p ro c e d u re s a re d ire c te d at in fo rm atio n d e v e lo p e d by, o r a v a ila b le to, th e
o b ta in in g e v id e n c e as to th e v a lid ity a n d th e a u d ito r th a t p e rm its re a c h in g c o n c lu s io n s
p ro p rie ty of a c c o u n tin g tre a tm e n t of tra n s a c tio n s th ro u g h v a lid re a s o n in g .4
a n d b a la n c e s a n d m a y in c lu d e in s p e c tio n , T h e tra d itio n a l in d e p e n d e n t e v id e n c e , su ch
o b s e rv a tio n , in q u iry, a n d c o n firm a tio n . a s c o p ie s of in v o ic e s a n d p u rc h a s e o rd e rs , is
E v id e n c e s u p p o rtin g th e fin a n c ia l often re p la c e d b y c o m p u te r p re p a re d reco rd s.
s ta te m e n ts o b ta in e d th ro u g h th e s e p ro c e d u re s T h e re c o rd s u s u a lly a re in m a c h in e -s e n s ib le
c o n s is ts of th e u n d e rly in g a c c o u n tin g d a ta a n d form a n d c a n b e in s p e c te d o n ly by u sin g E D P
all c o rro b o ra tin g in fo rm atio n . T h is in c lu d e s te c h n iq u e s . W ith o u t a d e q u a te c o n tro ls o v e r
d o c u m e n ta ry m a te ria l s u c h a s c h e c k s , in v o ic e s , a c c e s s to p re c lu d e u n a u th o riz e d c h a n g e s ,
c o n tra c ts , a n d m in u te s of m e e tin g s , th e s e re c o rd s m a y p ro v id e little e v id e n c e for
c o n firm a tio n s a n d o th e r w ritte n re p re s e n ta tio n s a u d it p u rp o s e s .
b y k n o w le d g e a b le p e o p le , in fo rm a tio n o b ta in e d T h e e ffe c t of a d v a n c e d s y s te m s on th e a u d it
by th e a u d ito r from in q u iry, o b s e rv a tio n , p ro c e s s d is c u s s e d in th is c h a p te r is e x p lo re d in
in s p e c tio n , a n d p h y s ic a l e x a m in a tio n , an d o th e r g re a te r d e p th in c h a p te r 5.
3SAS no. 1, Sec. 320.71.

4SAS no. 1, Sec. 330.03 and 330.05.
4
Chapter 3
Characteristics and Implications

of Advanced Systems
E a rly c o m p u te r a p p lic a tio n s te n d e d to b e v is ib le a u d it tra il. S u c h sys te m s s h o u ld
s in g le -p u rp o s e sys te m s d e a lin g w ith o n e o rd in a rily b e d e s ig n e d to p ro v id e s o m e form of
c o m p o n e n t of the o rg a n iz a tio n , su ch as, p a y ro ll an a u d it trail. S y s te m in te ra c tio n w ith p e rs o n s or
or b illin g . A d v a n c e d a p p lic a tio n s now s y s te m s e x te rn a l to th e e n te rp ris e w ill p re s e n t
tra n s c e n d d e p a rtm e n ta l b o u n d a rie s an d c o ntro l p ro b le m s . S u c h fe a tu re s w ill likely
p erfo rm m u ltip le fu n c tio n s s im u lta n e o u s ly . b e c o m e m o re w id e s p r e a d a n d m o re c o m p le x as
A d v a n c e d sys te m s a re b e g in n in g to e n c o m p a s s te c h n o lo g y a d v a n c e s .
m ost or all of th e a c tiv itie s w ith in a b u s in e s s S u ch s o p h is tic a tio n fre q u e n tly m a k e s it
e n te rp ris e an d in te ra c t d ire c tly w ith th e im p r a c tic a b le to u se tra d itio n a l c o ntro l a n d
a d v a n c e d s y s te m s of o th e r firm s. T h e s e s ystem s a u d it te c h n iq u e s d e v e lo p e d for, a n d
m a y le a d to m o re e ffic ie n t a n d e ffe c tiv e a p p r o p ria te to, e a rlie r system s. B a tc h control
in fo rm a tio n m a n a g e m e n t, but th e y w ill in tro d u c e te c h n iq u e s , for e x a m p le , a re u n s u ita b le for
d iffe re n t c o ntro l a n d a u d it p ro b le m s . s y s te m s in w h ic h file s are im m e d ia te ly u p d a te d
A u to m a tic in te ra c tio n s a m o n g v a rio u s as e a c h tra n s a c tio n is e n te re d from v a rio u s
e le m e n ts of an a d v a n c e d s ystem m a y le a v e no g e o g ra p h ic lo c a tio n s .
Characteristics of Advanced Systems

A d v a n c e d E D P s y s te m s c a n b e la rg e o r s m a ll. p ro g ra m s , tra n s a c tio n s , d e c is io n rules, a n d so
M a n y " m in i-c o m p u te r s y s te m s ” in c o rp o ra te forth, c a n b e in tro d u c e d , m o d ifie d , or a c c e s s e d
a d v a n c e d system c h a ra c te ris tic s . For p u rp o s e s at sites d is ta n t from th e d a ta p ro c e s s in g
of th is rep o rt, a d v a n c e d E D P s y s te m s are th o se in s ta lla tio n . T h is is a m a rk e d c h a n g e from m ost
s y s te m s (la rg e or s m a ll) th at p o s s e s s o n e or e a rly E D P s y s te m s in w h ic h all a c c e s s , input,
m o re of th e fo llo w in g c h a ra c te ris tic s : p ro c e s s in g , a n d o u tp u t w a s p h y s ic a lly
a c c o m p lis h e d a n d c o n tro lle d at th e c o m p u te r
□ D a ta c o m m u n ic a tio n s
c e n te r.
□ D a ta in te g ra tio n D a ta c o m m u n ic a tio n s c a p a b ility m a y be
□ A u to m a tic tra n s a c tio n in itia tio n illu s tra te d by an a irlin e s re s e rv a tio n s ystem . A
□ U n c o n v e n tio n a l or te m p o ra ry a u d it trail n a tio n a l te rm in a l n e tw o rk is u s e d to
c o m m u n ic a te w ith a c e n tra l c o m p u te r system to
E a c h of th e s e fe a tu re s is d is c u s s e d b e lo w
re s e rv e s e a tin g s p a c e , c a n c e l re s e rv a tio n s , an d
to g e th e r w ith a s u m m a ry of its c o ntro l
in q u ire a b o u t th e b o o k in g status a n d
im p lic a tio n s .
p a s s e n g e rs on an y flig h t.
Data communications. D a ta c o m m u n ic a tio n s , S ys te m s of th is ty p e fre q u e n tly a re te rm e d
in th is co n te x t, is th e lin k in g of e le c tro n ic tra n s a c tio n -d riv e n or e v e n t-d riv e n b e c a u s e
c o m m u n ic a tio n s w ith e le c tro n ic d a ta e a c h tra n s a c tio n is e n te re d into th e system
p ro c e s s in g . T h e c o m p le x ity of d a ta in d iv id u a lly a n d im m e d ia te ly p ro c e s s e d a g a in s t
c o m m u n ic a tio n s s y s te m s ra n g e s from a s im p le a ll file s it w ill affe c t. T h is co n tra s ts w ith e a rlie r
re m o te te le ty p e te rm in a l lin k in g a s m a ll s y s te m s in w h ic h in p u t w a s fre q u e n tly c o lle c te d
c o m p u te r, to a c o m p le x n etw o rk of c o m p u te rs a n d b a tc h e d fo r s u b s e q u e n t p ro c e s s in g .
a n d te rm in a ls . D a ta c o m m u n ic a tio n fa c ilitie s D a ta c o m m u n ic a tio n s a ls o m a k e s
p ro v id e th e p ro c e s s in g lin k a g e s for d is trib u te d p ro c e s s in g p o s s ib le . For e x a m p le , a
tim e s h a rin g , o n -lin e , re a l-tim e , re m o te jo b n e tw o rk of s m a ll c o m p u te rs , u s u a lly u s e d for
entry, a n d d is trib u te d p ro c e s s in g system s. lo c a l p ro c e s s in g , c a n b e lin k e d to la rg e c e n tra l
In fo rm a tio n in th e s e s ystem s, in c lu d in g c o m p u te rs s u c h th a t s h a rin g of in fo rm a tio n a n d
5
p ro c e s s in g c a n o c c u r th ro u g h o u t th e netw ork. d is trib u te d s y s te m s c o m p u te rs at v a rio u s poin ts
S u ch n e tw o rk s a ls o p ro v id e la rg e s c a le in th e n etw o rk c a n m o d ify or a c c e s s in fo rm atio n
c o m p u tin g c a p a b ility to th e u s e r of sm a ll at o th e r lo c a tio n s .
c o m p u te rs .
T ra d itio n a l c o m p u te r s y s te m s u s u a lly
re q u ire in fo rm a tio n to b e e n te re d on s p e c ia l Data Integration. D a ta in te g ra tio n ca n le a d to
form s, s u b je c te d to c o n tro l to tal c h e c k in g , m o re e ffe c tiv e u se of th e c o m p u te r. E s s e n tia lly ,
re v ie w e d a n d a p p r o v e d by re s p o n s ib le it m in im iz e s re d u n d a n t re c o rd -k e e p in g w h ic h
e m p lo y e e s , a n d p ro c e s s e d in b a tc h e s by u s u a lly a ris e s w h e n s e p a ra te a p p lic a tio n s e a c h
c o m p u te r d e p a r tm e n t e m p lo y e e s . A d v a n c e d u se th e ir ow n s e p a ra te file s . For e x a m p le ,
system s e lim in a te m an y of th e s e p ro c e d u re s and a p p lic a tio n -o rie n te d file s m a y c o n ta in id e n tic a l
m a y a c c o m p lis h e q u iv a le n t fu n c tio n s in in fo rm a tio n fo r e a c h e m p lo y e e , as sh ow n in the
d iffe re n t w a y s . W h e n d a ta c o m m u n ic a tio n s ta b le b e lo w .
c a p a b ility is u s e d to p ro v id e d ire c t in te ra c tio n R e c o rd in g id e n tic a l d a ta e le m e n ts in m o re
w ith o u ts id e rs , in te rv e n tio n a n d re v ie w by th a n o n e file m a y w a s te c o m p u te r re s o u rc e s
e m p lo y e e s m a y b e e lim in a te d . For e x a m p le , s in c e a d d itio n a l file s p a c e m u st b e a llo c a te d in
b a n k c u rre n c y d is p e n s e rs or a u to m a te d te lle r o rd e r to re c o rd th e s a m e in fo rm a tio n in m u ltip le
te rm in a ls a re n ow c o m m o n in m a n y a re a s of th e lo c a tio n s ; a d d itio n a l p ro c e s s in g is re q u ire d to
co un try. A b a n k c u s to m e r inserts a s p e c ia l c a rd , m o d ify th e in fo rm a tio n in e a c h file w h e n
e n te rs a s p e c ia l id e n tific a tio n c o d e n u m b e r, a n d c h a n g e s o c c u r.
d e p r e s s e s keys to in d ic a te th e a m o u n t a n d ty p e P e rio d ic re v ie w m ust b e m a d e of id e n tic a l
of tra n s a c tio n s b e in g c o n s u m m a te d . C a s h is e le m e n ts in m u ltip le file s to m a k e c e rta in th e
d is p e n s e d , tra n s fe rre d b e tw e e n a c c o u n ts , v a lu e s in e a c h file a re th e s a m e a n d to c o rre c t
a p p lie d to loans, o r d e p o s ite d . T h e in fo rm atio n w ro n g v a lu e s . In an in te g ra te d system , it is often
is re c o rd e d e le c tro n ic a lly w ith o u t th e a c tio n or c o s t-e ffe c tiv e to re c o rd m ost in fo rm atio n
e v e n th e p re s e n c e of a b a n k e m p lo y e e . e le m e n ts o n ly o n c e a n d a u to m a tic a lly re trie v e
th e m w h e n d e s ire d for p ro c e s s in g .
Im p lic a tio n s . C o n tro ls at a ll lo c a tio n s T h e d a ta in th e p re v io u s e x a m p le c o u ld b e
a c c e s s in g th e s ystem a re e s s e n tia l. C on trol at p h y s ic a lly re c o rd e d in a d a ta b a s e system as
te rm in a l sites is im p o rta n t b e c a u s e c o m fo llo w s: O n e a re a of s to ra g e w o u ld c o n ta in th e
p u te riz e d in fo rm a tio n m ay b e s u b je c t to e m p lo y e e n u m b e r, n a m e , a d d re s s , a n d o th er
a lte ra tio n from an y te rm in a l in th e a b s e n c e of p e rs o n n e l in fo rm atio n ; a n o th e r s to ra g e a re a
su ch co n tro ls . P ro c e d u re s for id e n tific a tio n an d m ig h t c o n ta in a ll m a n u fa c tu rin g history
a u th o riz a tio n o f users a re n e c e s s a ry . W h e n tra n s a c tio n s in jo b n u m b e r s e q u e n c e (th o se
s e v e ra l c o m p u te rs or te rm in a ls at d iffe re n t tra n s a c tio n re c o rd s c o n ta in in g la b o r in fo rm atio n
lo c a tio n s a re u s e d in a system , w e a k c o n tro ls at w o u ld not c o n ta in an y e m p lo y e e in fo rm atio n ,
o n e lo c a tio n m a y c o m p ro m is e th e e ffe c tiv e n e s s rather, th e y w o u ld c o n ta in an id e n tifie r, c a lle d a
of c o n tro ls e ls e w h e re in th e system . p o in te r, s p e c ify in g w h e re th a t in fo rm a tio n c o u ld
D is trib u te d sys te m s a ls o n e e d c a re fu lly b e fo u n d ); a th ird a re a m ig h t c o n ta in p a y ro ll
d e s ig n e d c o n tro ls; not o n ly to p ro p e rly h a n d le d is b u rs e m e n t in fo rm a tio n th a t m ig h t c o n s is t of
th e d a ta tra n s m itte d , but a ls o to m a n a g e th e o n ly d a te p a id , g ro ss p ay, w ith h o ld in g , an d net
o p e ra tio n of e a c h in d iv id u a l c o m p u te r. A s w ith p a y a m o u n ts w ith p o in te rs to th e re la te d
te rm in a ls a c c e s s in g a c e n tra l c o m p u te r, m a n u fa c tu rin g h isto ry a n d p e rs o n n e l re c o rd s .
File
Manufacturing
Data Element Payroll Personnel History
1. Name
2. Employee number
3. Social security number
4. Home address and city
5. Rate of pay
6. Withholding information
7. Job assignment
8. Other skills
9. Education
10. Employee history
11. Next of kin, beneficiaries
12. Job hour charges
13. Job number
14. Date charged
15. Operation code
6
T h e d a ta b a s e m a n a g e m e n t system m a k e s th e a u to m a tic tra n s a c tio n in itia tio n uses
lo g ic a l c o n n e c tio n s b e tw e e n th e s e v a rio u s d a ta s e n s o r-b a s e d d a ta c o lle c tio n m e th o d s a n d /o r
e le m e n ts by u sin g th e p o in te rs a n d p ro d u c e s d a ta c o m m u n ic a tio n s , h a rd -c o p y d o c u m e n ts
th e e q u iv a le n ts of e a c h of th e th re e flie s m a y not b e p ro d u c e d , a lth o u g h th e s u p p o rtin g
d e s c rib e d in th e ta b le on p a g e 6. d a ta w o u ld b e re ta in e d in m a c h in e -s e n s ib le
form a n d w o u ld b e a v a ila b le for re c a ll. (S e e
Im p lic a tio n s . T o d a y ’s s y s te m s fre q u e n tly
A p p e n d ix 1 for an e x a m p le of such a s y s te m .)
h a v e fe a tu re s or c o n tro ls th a t restrict a c c e s s to
d a ta file s to a u th o riz e d p e rs o n s for a u th o riz e d Im p lic a tio n s . T h e s e sys te m s fre q u e n tly d o
p u rp o s e s . B e c a u s e d a ta b a s e in fo rm atio n m a y not u se h a rd -c o p y s o u rc e d o c u m e n ts to s u p p o rt
b e a v a ila b le to th e system at a ll tim e s , d iffe re n t tra n s a c tio n s o th e r th an th e a c tio n d o c u m e n ts
a u th o riz a tio n p ro c e d u re s w ill b e re q u ire d . A c re a te d by th e system . In th e c a s e of th e
c a re fu lly c o n s tru c te d system of a u th o riza tio n for a u to m a tic a lly g e n e r a te d p u rc h a s e o rd e r
a c c e s s to e a c h d a ta e le m e n t in th e system s y s te m s c ite d a b o v e , th e re m ay b e no m a n u a lly
sh o u ld b e e s ta b lis h e d to p re v e n t im p ro p e r re v ie w a b le o u tp u t to p e rm it an e v a lu a tio n of th e
a c c e s s or m a n ip u la tio n by p e rs o n s h a v in g no p ro p o s e d a c tio n . In th e a b s e n c e of a re a d a b le
le g itim a te p u rp o s e for a c c e s s in g th e d o c u m e n t s h o w in g a history of u s a g e , p la n n e d
in fo rm atio n . Thus, a u th o riz e d e m p lo y e e s in th e re q u ire m e n ts , p re s e n t b a la n c e s , a n d a m o u n ts
p e rs o n n e l d e p a rtm e n t m ig h t b e a b le to a c c e s s a lr e a d y on o rd e r, th e c o rre c tn e s s of th e
a n d c h a n g e p a y rate in fo rm atio n but w o u ld be a u to m a tic a lly in itia te d d o c u m e n t m a y b e
p re c lu d e d from a c c e s s in g or c h a n g in g d iffic u lt to ju d g e .
m a n u fa c tu rin g d a ta . It is o n ly th ro u g h su ch an H e re a g a in , s ystem c o n tro ls a s s u m e g re a t
a u th o riz a tio n system th at th e c o n c e p t of im p o rta n c e a n d it b e h o o v e s both m a n a g e m e n t
s e g r e g a tio n o f fu n c tio n s — a c o n c e p t f u n d a a n d a u d ito rs to a s s u re th e m s e lv e s th a t such
m e n ta l to a d e q u a te in te rn a l a c c o u n tin g c o ntro l c o n tro ls are d e s ig n e d into th e s ystem s an d
— c a n b e m a in ta in e d in an in te g ra te d system . c a n n o t b e c irc u m v e n te d . For e x a m p le , o n e su ch
R e s p o n s ib ility for e a c h d a ta e le m e n t in th e co ntro l for th e a u to m a tic a lly g e n e ra te d
d a ta b a s e s h o u ld b e e s ta b lis h e d . For e x a m p le , p u rc h a s e o rd e rs m ig h t b e to p rin t out s u p p o rtin g
o n ly o n e d e p a r tm e n t s h o u ld b e a b le to a d d in fo rm a tio n for a ll p u rc h a s e o rd e rs o v e r a g iv e n
n a m e s to th e c u s to m e r file , a s s ig n n u m b e rs , a n d a m o u n t a n d for a s p e c ifie d p e rc e n ta g e of
m a in ta in a d d r e s s e s for e a c h c u s to m e r e v e n s m a lle r p u rc h a s e o rd e rs . T h is s u p p o rtin g
th o u g h th is d a ta is a c c e s s e d by m a n y users. in fo rm a tio n c o u ld b e m a n u a lly re v ie w e d b e fo re
An a u d ito r n e e d in g in fo rm a tio n in a d a ta th e o rd e r is re le a s e d a n d s h o u ld b e re ta in e d for
b a s e w ill re q u ire a p p r o p ria te to o ls to a c c e s s it a u d it re v ie w p u rp o s e s . W h e re p o s s ib le , c o n tro ls
in an in d e p e n d e n t m a n n e r. S u c h a c c e s s m ay s h o u ld b e in c o rp o ra te d into s y s te m s of th is kin d
p re s e n t co n tro l, tim in g , a n d a u d ito r tra in in g to v a lid a te th e g e n u in e n e s s a n d re a s o n a b le n e s s
p ro b le m s . of a u to m a tic a lly in itia te d tra n s a c tio n s a n d to
p re v e n t or d e te c t e rro n e o u s tra n s a c tio n s .
Automatic Transaction Initiation. A u to m a tic
tra n s a c tio n in itia tio n is p re s e n t in m a n y sys te m s Unconventional or Temporary Audit Trail.
to d a y , an d its u se w ill in c re a s e in a d v a n c e d M o st E D P s y s te m s to d a y g e n e ra te a trail of
s ystem s. A lre a d y m a n y s y s te m s a u to m a tic a lly tra n s a c tio n a c tiv ity u s e d by both m a n a g e m e n t
g e n e ra te in v o ic e s , c h e c k s , or o rd e rs to ship, a n d a u d ito rs . T h is in fo rm a tio n is fre q u e n tly
p ro d u c e , or p u rc h a s e g o o d s — a c tio n s p rin te d in d e ta il, m a k in g it re a d ily a v a ila b le for
fre q u e n tly a re ta k e n w ith o u t h u m a n re v ie w of use. T h e s e p rin to u ts a re g ra d u a lly b e in g
th e ir c o rre c tn e s s . An in ven to ry co n tro l system d is c o n tin u e d as s y s te m s e v o lv e , a lth o u g h the
w ill se rv e to illu s tra te th e situ atio n . in fo rm a tio n m a y b e re ta in e d in m a c h in e -
In e a rly E D P s ystem s, w h e n o n -h a n d s e n s ib le form . A u d ito rs h a v e d e v e lo p e d an d
b a la n c e s re a c h e d c e rta in p re d e te rm in e d levels, p re s e n tly u se g e n e r a liz e d a u d it re trie v a l
th e c o m p u te r m a y h a v e p ro d u c e d a re o rd e r p a c k a g e s , or c o m p u te r p ro g ra m s , to a c c e s s
n o tic e . T h is n o tic e w o u ld b e re v ie w e d by an su ch in fo rm atio n .
e m p lo y e e a n d , if a p p ro p ria te , a p u rc h a s e o rd e r A ll s y s te m s s h o u ld p o s s e s s a u d it trail
w o u ld b e p re p a re d . A d v a n c e d s y s te m s h a v e c a p a b ilitie s , but s o m e a d v a n c e d s y s te m s m a y
e c o n o m ic o rd e r q u a n tity in fo rm a tio n in th e p ro d u c e a m a c h in e -s e n s ib le a u d it tra il w h o s e
s ystem a n d not o n ly d e te c t re o rd e r p o in ts but reten tio n p e rio d m a y b e re la tiv e ly short. T h e
a ls o p ro d u c e th e p u rc h a s e o rd e r for re s u p p ly in short reten tio n m a y res u lt from th e e x p e n s e of
th e m o st e c o n o m ic lot s ize . Is s u a n c e of such p re s e rv in g th e in fo rm a tio n for an e x te n d e d
p u rc h a s e o rd e rs w ith o u t h u m a n re v ie w h as p e rio d of tim e in m a c h in e -s e n s ib le form
b e c o m e c o m m o n a n d m a y b e c o m e m o re c o m p a re d to lo w e r c o st a lte rn a tiv e s , su ch as
w id e s p r e a d w h e n p u rc h a s e o rd e rs a re m ic ro fic h e .
tra n s m itte d d ire c tly to v e n d o r s y s te m s by d a ta In s o m e c a s e s tra n s a c tio n d o c u m e n ts are
c o m m u n ic a tio n s . In s o m e c a s e s , w h e re m ic ro film e d a n d th e d o c u m e n ts th e m s e lv e s
7
d e s tro y e d sh ortly a fte r o rig in a tio n . T h e m a g n e tic kin d u s e d by a u d ito rs a re no lo n g e r a v a ila b le for
m e d ia on w h ic h th e d a ta w a s e n te re d m a y b e in d e fin ite p e rio d s of tim e , c e rta in a u d it
“s c r a tc h e d ” (e le c tro n ic a lly e ra s e d ) a n d u s e d for p ro c e d u re s w ill c h a n g e . E xtern al a u d ito rs , for
o th e r p u rp o s e s . T o fo llo w th e a u d it tra il m a y e x a m p le , m a y h a v e to a lte r both th e tim in g of
n e c e s s ita te th e u se of a m ic ro film re a d e r. th e ir a u d itin g p ro c e d u re s a n d th e p ro c e d u re s
A lth o u g h h ig h -s p e e d m ic ro film re trie v a l th e m s e lv e s . T h e o rg a n iz a tio n ’s in tern al a u d ito rs
s y s te m s a re a v a ila b le , th e u se of g e n e r a liz e d m a y p ro v id e a s s is ta n c e to th e e x te rn a l a u d ito rs
a u d it re trie v a l p a c k a g e s is p re c lu d e d . by c o o rd in a tin g w ith th e m on th e s e le c tio n a n d
A b a c k u p c o p y or “d u m p ” of th e d a ta b a s e te s tin g of s p e c ific k in d s of c ritic a l tra n s a c tio n s .
p o s e s p a rtic u la r p ro b le m s for a u d ito rs , w h o T h is w o u ld re q u ire th e e x te rn a l a u d ito r to
w ill n e e d to b e k n o w le d g e a b le a b o u t th e b e c o m e m o re in v o lv e d in th e w o rk of th e in tern al
te c h n ic a l a n d c o m p le x stru ctu re of su ch a u d ito r .1 M a n a g e m e n t a ls o re q u ire s th e a b ility
m a te ria l in o rd e r to b e a b le to d e a l w ith it to in v e s tig a te re p o rte d resu lts a n d fre q u e n tly
e ffe c tiv e ly . S u ch d u m p s m a y b e of lim ite d v a lu e u ses a u d itin g te c h n iq u e s fo r th is p u rp o s e .
for a u d it p u rp o s e s . S u ita b le a u d it c a p a b ilitie s a n d th e re q u is ite
te c h n ic a l p ro fic ie n c y to d e a l w ith su ch
Im p lic a tio n s . If o rig in a l d o c u m e n ts of th e s itu a tio n s m ust b e d e v e lo p e d .
Management Implications of Advanced

EDP Systems
M a n a g e m e n t im p le m e n ts a d v a n c e d s ystem s a n d s im ila r c o n tro ls a n d th e re fo re ca n
w h e n it b e lie v e s th e y o ffe r p o te n tia l for a c c e s s a n y file , p ro g ra m , or ta b le , a n d m a k e
e n h a n c in g th e o r g a n iz a tio n ’s c o m p e titiv e u n tra c e a b le c h a n g e s . T h is c a p a b ility c o u ld
p o s itio n , im p ro v in g c o st c o n tro l, a n d fa c ilita tin g e x te n d to a n y o n e o b ta in in g th e a p p ro p ria te
o p e ra tio n s in g e n e ra l. M a n a g e m e n t s h o u ld p a s s w o rd s . C o n tro l p ro c e d u re s o v e r the
c o n s id e r th e to tal im p a c t of su ch s ystem s. a c tio n s of th o s e w h o a re re s p o n s ib le for
a c c e s s c o n tro ls a re n e e d e d .
Changing Environment. A s E D P e v o lv e s from
in d iv id u a l a p p lic a tio n s to th o s e th a t c o m p le te ly 3. T ra in in g of p ers o n n e l w h o w ill in te ra c t w ith
e n c o m p a s s o p e ra tin g a n d p la n n in g fu n c tio n s , it th e s ystem c a n b e a m a jo r u n d e rta k in g and
is v e ry p ro b a b le th a t s o m e o rg a n iz a tio n a l w ill in v o lv e m a n a g e rs , users, d e s ig n e rs ,
stru c tu re s w ill c h a n g e . A s m a n a g e m e n t p ro g ra m m e rs , o p e ra to rs , a u d ito rs ,
re c o g n iz e s in fo rm a tio n for w h a t it is, th a t is, an c u s to m e rs , s u p p lie rs , an d g o v e rn m e n t
o rg a n iz a tio n a l re s o u rc e , th e n e e d for a g e n c ie s .
a p p r o p ria te ly c o n tro llin g a n d m a n a g in g it
b e c o m e s o b v io u s . P ro p e r c h a n n e ls of As a d v a n c e d s y s te m s e v o lv e , th e re w ill be
in fo rm atio n , both w ith in th e o rg a n iz a tio n a n d a re d u c tio n in h u m a n in te rv e n tio n in th e
b e tw e e n it a n d its e n v iro n m e n t, w ill c u t a c ro s s p ro c e s s in g of in fo rm a tio n . S in c e c rite ria for
tra d itio n a l b o u n d a rie s a n d m a y p ro m o te d e c is io n -m a k in g w ill b e in c o rp o ra te d in th e
re s tru c tu rin g o f th e o rg a n iz a tio n to h e lp a c h ie v e c o m p u te r s y s te m s th e y s h o u ld b e a p p lie d
m a n a g e m e n t o b je c tiv e s . c o n s is te n tly . S u c h s y s te m s w ill re q u ire e ffe c tiv e
T h e c o n tin u e d c o m p u te riz a tio n a n d c o n tro l m e c h a n is m s to p re c lu d e th e en try an d
in te g ra tio n of fu n c tio n s into a u n ifie d system p ro c e s s in g of e rro n e o u s in fo rm atio n .
a ls o ra is e s c o n s id e ra tio n s for m a n a g e m e n t; D a ta m a y b e e n te re d from re m o te te rm in a ls
a m o n g th e m a re th e fo llo w in g : w ith o u t m a n u a l re v ie w . T h e re s u lt is th at
o p e ra tin g p e rs o n n e l a n d o u ts id e rs w ill d ire c tly
1. D a ta b a s e s in a d v a n c e d s y s te m s m a y in te ra c t w ith th e c o m p u te r. S u ch in te ra c tio n
c o n ta in v e ry s e n s itiv e c o rp o ra te d a ta , su ch re q u ire s c o n tro l m e c h a n is m s to stric tly m o n ito r
as s tra te g ie s , g o a ls , a n d fo re c a s ts . S p e c ia l a n d e n fo rc e a u th o riz a tio n a n d tra n s a c tio n
s a fe g u a rd s w ill b e n e e d e d re s tric tin g p ro c e s s in g rules.
a c c e s s to th is d a ta to a u th o riz e d u sers only. E rro n e o u s in p u t a c c e p te d by th e s ystem m a y
2. In m ost of to d a y ’s system s, c e rta in re m a in u n d e te c te d a n d c a u s e a d d itio n a l errors.
in d iv id u a ls a re re s p o n s ib le for p a s s w o rd s D e s ig n e rs of th e s e a d v a n c e d s y s te m s sh ou ld
S
1 ee Statement on Auditing Standards no. 9, The Effect of an Internal Audit Function on the Scope of the Independent
Auditor’s Examination (New York: AICPA, 1975).
8
p ro v id e a d e q u a te c o n tro ls to a llo w o n ly a u d it o b je c tiv e s c o u ld b e a c h ie v e d w ith o u t
a u th o riz e d use of th e system , to d e te c t a u d ito r in v o lv e m e n t w ith th e c o m p u te r system .
e rro n e o u s d a ta , a n d to p re v e n t su ch d a ta from A s th e s e d o c u m e n ts a n d o utpu ts are e lim in a te d
b e in g p ro c e s s e d . th e a u d ito r’s a p p r o a c h w ill c h a n g e . T h is m ay
C o n tro l s e e m s to fo llo w in n o v a tio n in E D P im p a c t a u d it c o s t— a s u b je c t of m a n a g e m e n t
system s. E arly p u n c h e d c a rd s y s te m s u s e d th e c o n c e rn . In an a d v a n c e d system e n v iro n m e n t,
s a m e c o n tro ls a s m a n u a l sys te m s until it w a s a u d it c o st m a y b e c o n s id e re d a c o m p o n e n t of
fo u n d th a t a c a rd c o u ld too e a s ily d is a p p e a r system cost. F ac to rs s u b s ta n tia lly a ffe c tin g
e ith e r a c c id e n ta lly or in te n tio n a lly . C o n tro l to ta ls a u d it co st in th is e n v iro n m e n t a re q u a lity of
o r “ h a s h ” to ta ls w e re in tro d u c e d to v a lid a te th e system d o c u m e n ta tio n , e ffe c tiv e n e s s of
a c c u ra c y a n d c o m p le te n e s s of a file. co n tro ls, e a s e of lo c a tin g , re trie v in g , an d te s tin g
W h e n m a g n e tic ta p e file s w e re d e v e lo p e d , in fo rm atio n , a n d a u d it m e th o d o lo g y .
th o s e s a m e c o n c e p ts w e re tra n s fe rre d to ta p e T h e a u d ito r re v ie w s system d o c u m e n ta tio n
la b e ls until it w a s fo u n d th a t they, too, c o u ld be to u n d e rs ta n d th e sy s te m a n d c h o o s e e ffic ie n t
b y p a s s e d e a s ily . W ith th e d e v e lo p m e n t of a u d it p ro c e d u re s to a c c o m p lis h th e a u d it
m a g n e tic d is c file s , h a rd w a re v e n d o rs c o rre c te d o b je c tiv e s . A u d it c o st is g re a tly in c re a s e d if
th e co ntro l w e a k n e s s of b y p a s s in g la b e ls by a d e q u a te d o c u m e n ta tio n is not a v a ila b le .
fo rc in g th e u ser to c re a te a la b e l for e v e ry d is c A p o o rly c o n tro lle d s ystem c o u ld a ls o
file u sed . g re a tly in c re a s e a u d it c o st b e c a u s e s u b s ta n tiv e
F a c ilitie s w ill b e n e e d e d for c o n tro l in a u d it tests c a n n o t b e re d u c e d . In s o m e of
in te g ra te d d a ta b a s e s a n d c o m m u n ic a tio n - th e s e s itu a tio n s a u d it te s tin g m ay b e c o m e
b a s e d s ystem s. P ro c e d u re s sh o u ld b e im p o s s ib le . M a n a g e m e n t sh o u ld c o n s id e r th e
e s ta b lis h e d to m a x im iz e th e o p p o rtu n ity for e ffe c t on a u d it e ffic ie n c y w h e n c o n s id e rin g
th o s e co n tro l fa c ilitie s to k e e p p a c e w ith future c o ntro l c o s ts a n d m a k in g d e c is io n s on th e
in n o v a tio n ra th e r th a n lag b e h in d . co ntro l s ystem te c h n iq u e s to b e e m p lo y e d .
If th e p o s s ib le d iffic u ltie s a n d risks of A u d ito rs a n d m a n a g e m e n t h a v e a c o m m o n a lity
a d v a n c e d E D P sys te m s a re not p ro p e rly of in terest in e ffe c tiv e co ntro l. P ru d e n t
a n a ly z e d , e v a lu a te d , a n d c o n s id e re d an d m a n a g e m e n t w ill, th e re fo re , re q u e s t a u d ito r
c o u n te re d in p la n n in g by m a n a g e m e n t, a s in g le in v o lv e m e n t d u rin g th e s ystem d e s ig n p ro c e s s .
a d v e rs e o c c u rre n c e c o u ld s e rio u s ly a ffe c t a T h is sh o u ld resu lt in s ig n ific a n t s u b s e q u e n t
firm ’s b u s in e s s . C o n tro ls m ust p ro v id e for a h igh a u d it e c o n o m ie s a n d s h o u ld p ro v id e
le v e l of system in teg rity. M a n a g e m e n t a n d m a n a g e m e n t w ith a d d itio n a l c o n fid e n c e th a t a
a u d ito rs w ill n e e d an o n g o in g c a p a b ility to w e ll c o n tro lle d s ystem w ill b e p ro d u c e d .
d e te rm in e th at system in te g rity is b e in g T h e a v a ila b ility of e ffe c tiv e to o ls a n d
m a in ta in e d . te c h n iq u e s for a u d it re trie v a l a n d te s tin g c a n
often h e lp im p ro v e a u d it e ffe c tiv e n e s s an d
Audit Implications for Management. E arly re d u c e a u d it cost. T h e re fo re , a lte rn a tiv e a u d it
E D P s y s te m s h a d both h a rd -c o p y s o u rc e m e th o d s a n d re la te d to o ls s h o u ld b e c o n s id e re d
d o c u m e n ts a n d d e ta ile d p rin te d o u tpu t. M a n y d u rin g s y s te m s d e s ig n .
9
Chapter 4
Effective Control and Audit of

T h is c h a p te r, w h ic h sets forth co n tro l a n d S u g g e s te d c o ntro l a n d a u d ita b ility fe a tu re s are
a u d itin g o b je c tiv e s for a d v a n c e d E D P system s, se t forth to g e th e r w ith s o m e p ra c tic a l
is d ire c te d to m a n a g e m e n t a n d to th e d e s ig n e rs m e th o d o lo g y for m e e tin g th e s e re q u ire m e n ts .
an d d e v e lo p e rs of h a rd w a re a n d so ftw are.
Control and Auditability Objectives

In tern al c o ntro l a n d a u d ita b ility o b je c tiv e s in p e rio d ic a lly w ith th e a c tu a l a s s e ts or o th e r
a d v a n c e d E D P s y s te m s c a n n o t b e a c h ie v e d by re s o u rc e s a n d a p p r o p ria te a c tio n is taken
th e a u d ito r a lo n e . C o n tro l a n d a u d ita b ility w ith re s p e c t to a n y d iffe re n c e s .
fe a tu re s m ust b e d e s ig n e d into a d v a n c e d
s y s te m s by both h a rd w a re m a n u fa c tu re rs an d Auditability Objectives
system a n d a p p lic a tio n s o ftw a re d e s ig n e rs .
□ A u d it tra ils s h o u ld id e n tify w h a t d e ta il
Control Objectives tra n s a c tio n s a re in c lu d e d in s u m m a riz e d
□ A c c e s s to a s s e ts is p e rm itte d o n ly in results. An a u d it trail s h o u ld c o n s is t of
a c c o r d a n c e w ith m a n a g e m e n t’s p o lic y a n d in fo rm atio n a b o u t w h o p e rfo rm e d w hat,
w h e n , in w h a t s e q u e n c e , a n d th e results
o b je c tiv e s . O b v io u s ly , c e rta in in d iv id u a ls
w ill re q u ire a c c e s s . T h e n u m b e r of p e rs o n s th ereo f.
h a v in g su ch a c c e s s sh o u ld b e lim ite d an d □ A u d it e v id e n c e s h o u ld b e c o n tro lle d an d
th e re s h o u ld b e a s e g re g a tio n of fu n c tio n s p ro te c te d from loss, a lte ra tio n , o r
b e tw e e n th e E D P d e p a r tm e n t a n d users. d e s tru c tio n .
□ T ra n s a c tio n s a re in itia te d in a c c o rd a n c e □ A u d it c o n tro l s h o u ld resu lt from a c h ie v in g

w ith m a n a g e m e n t’s a u th o riza tio n s . th e a b o v e c o ntro l o b je c tiv e s su ch th at th e
T ra n s a c tio n s m a y in c lu d e a c c o u n tin g a u d ito r c a n o b ta in a s s u ra n c e th a t th e a u d it
tra n s a c tio n s , s ystem or p ro g ra m c h a n g e s , p ro c e s s in g in te g rity is m a in ta in e d .
a u th o riz a tio n ta b le c h a n g e s , a n d so forth, □ A u d it to o ls a re p ro v id e d to p e rm it th e a u d ito r
a n d m a y o rig in a te e x te rn a lly or w ith in th e to in te rfa c e w ith s y s te m s a n d in fo rm a tio n in
system . an in d e p e n d e n t a n d c o s t e ffe c tiv e m a n n e r.
□ A ll tra n s a c tio n s a re p ro m p tly r e c o rd e d (1 ) to A d v a n c e d c o m p u te r s y s te m s m a y be
p e rm it p re p a ra tio n o f fin a n c ia l s ta te m e n ts in u n a u d ita b le u n le s s th e s e re q u ire m e n ts are
c o n fo rm ity w ith g e n e r a lly a c c e p te d p ro p e rly u n d e rs to o d a n d im p le m e n te d . O n e of
a c c o u n tin g p rin c ip le s or an y o th e r c rite ria th e p rim a ry p u rp o s e s of th is p a p e r is to id e n tify
a p p lic a b le to s u c h s ta te m e n ts a n d (2 ) to th o s e fe a tu re s th a t a re n e c e s s a ry fo r e ffe c tiv e
m a in ta in a c c o u n ta b ility for a ssets. c o ntro l a n d p ro v is io n of a u d ita b ility in an
□ A c c o u n ta b ility re c o rd s a re c o m p a re d a d v a n c e d E D P s y s te m s e n v iro n m e n t.
10
Control Features
T o a c h ie v e th e c o ntro l o b je c tiv e s in an T h e id e n tific a tio n m e th o d o lo g y im p le m e n te d
a d v a n c e d E D P s y s te m s e n v iro n m e n t, th e m ust a llo w an e n te rp ris e to c la s s ify users so th at
sy s te m s h o u ld b e d e s ig n e d to p ro v id e th e a ll s p e c ific s u b g ro u p s o r s in g le users c a n b e
fo llo w in g fe a tu re s : id e n tifie d b y th e s ystem . For e x a m p le , a system
c o u ld a llo w all a c c o u n tin g c le rk s a c c e s s to th e
1. U s e r Id e n tific a tio n . T h e s ystem s h o u ld
system th ro u g h s p e c ific te rm in a ls , but a llo w the
h a v e th e c a p a b ility to u n iq u e ly id e n tify e a c h
fin a n c ia l v ic e p re s id e n t a c c e s s th ro u g h an y
of th e s p e c ific p e rs o n s u sin g th e system .
te rm in a l. T h e id e n tific a tio n of users is th e
2. R e q u e s t A u th o riz a tio n . T h e s ystem sh ou ld p re c u rs o r to th e a u th o riz a tio n of u s e r a c tio n s .
b e a b le to d e te rm in e if th e p ro c e s s in g or
in fo rm a tio n re q u e s t of a u ser is a u th o riz e d . Request Authorization. O n c e th e u ser has
b e e n id e n tifie d th e s ystem sh o u ld p ro v id e th e
3. P ro c e s s In te g rity . T h e system s h o u ld b e
c a p a b ility to d e te rm in e p re c is e ly w h a t
c a p a b le of c o n tro llin g a n d p ro c e s s in g all
in fo rm a tio n c a n b e a c c e s s e d a n d w h a t
v a lid a te d u ser re q u e s ts in an a p p ro p ria te
p ro c e s s e s c a n b e p e rfo rm e d by th a t user.
tim e fra m e .
A lth o u g h s o m e te r m in a l-b a s e d s ystem s
4. A c tiv ity L o g g in g . T h e s ystem s h o u ld b e
p re s e n tly in c o rp o ra te a c c e s s a u th o riza tio n a n d
c a p a b le of re c o rd in g all u s e r a c tiv ity , such
a c tiv ity /s e c u rity rou tin es, th is c a p a b ility d o e s
a s th e n u m b e r of a tte m p te d lo g -o n s, re q u e s t
not e ffe c tiv e ly e x is t in m a n y sys te m s to d a y . For
ty p e , a n d th e like, as w e ll as re c o rd in g
e x a m p le , in th e a b s e n c e of e ffe c tiv e re q u e s t
in fo rm a tio n a b o u t th e p ro c e s s e s e x e c u te d .
a u th o riz a tio n p ro c e d u re s , a p p lic a tio n
User Identification. A c o rn e rs to n e of any p ro g ra m m e rs or system p ro g ra m m e rs c o u ld
c o ntro l system is th e d e te rm in a tio n of w h o is o b ta in u n a u th o riz e d a c c e s s to s to red d a ta or
a u th o riz e d to d o w h at. T h e re fo re , th e system p ro g ra m s . T h e s e in d iv id u a ls fre q u e n tly p o s s e s s
s h o u ld b e a b le to d e te rm in e w ith w h o m it is th e n e c e s s a ry a b ility to o b ta in su ch a c c e s s .
in te ra c tin g . T h e s ystem m ust b e a b le to id e n tify A d v a n c e d s y s te m s m ay c o n ta in a w id e
e a c h u s e r or set of users. It s h o u ld b e c a p a b le of ra n g e of s e n s itiv e in fo rm a tio n a n d sh o u ld be
re s p o n d in g to a w id e v a rie ty of re q u e s ts ra n g in g a b le to restrict users to o n ly th e d a ta th e y a re
from a c h ie f e x e c u tiv e o ffic e r w h o n e e d s a u th o riz e d to a c c e s s . N a tu ra lly , th is re q u ire s th e
in fo rm a tio n re la te d to c o m p e tito rs , ind u stry e n te rp ris e to id e n tify a n d m a in ta in s o m e ty p e of
tre n d s , e x e c u tiv e p e rfo rm a n c e , a n d so forth, to fo rm al a u th o riz a tio n p ro c e d u re . T h is c o u ld b e in
c le r ic a l p e rs o n n e l w h o m a y o n ly n e e d d e ta il th e form of an a u th o riz a tio n ta b le th a t w o u ld
tra n s a c tio n in fo rm atio n . re la te users to th e ty p e s of tra n s a c tio n s th ey
C u rre n tly , m ost in te ra c tiv e s y s te m s id e n tify a c o u ld p ro c e s s a g a in s t s p e c ific d a ta e le m e n ts .
s p e c ific s u b s e t of users by p a s s w o rd a n d /o r by O n c e th e s ystem h as id e n tifie d a s p e c ific
te rm in a l lo c a tio n . Thus, a n y o n e w h o kn ow s th e u ser or c la s s of users an a u th o riza tio n control
p a s s w o rd a n d w h o has a c c e s s to th e te rm in a l ro u tin e c o u ld d e te rm in e , by in te rro g a tin g th e
lo c a tio n c a n a c c e s s system file s . S o m e s ystem s a u th o riz a tio n ta b le , if th e u s e r h as b e e n
c a rry th is p ro c e s s a s te p fu rther a n d a llo w users a u th o riz e d to p ro c e s s th e tra n s a c tio n e n te re d
to n a m e a n d id e n tify th e ir ow n file s . Thus, e v e n a n d to a c c e s s th e in fo rm atio n or d a ta re q u ire d .
th o u g h o n e u ser c a n a c c e s s th e system , a n o th e r T h e a u th o riz a tio n ro u tin es s h o u ld b e fle x ib le so
u s e r’s file s c a n n o t b e a c c e s s e d u n le s s th e file th at fa c to rs su ch as th e tim e of d a y , te rm in a l
n a m e s a re know n. H o w e v e r, m ost of th e s e inp u t lo c a tio n , d a y of th e y ear, a n d so forth, ca n
in te ra c tiv e sys te m s h a v e an ‘‘a d m in is tra tiv e b e fa c to re d into th e p ro c e s s . W h e n a u ser
u s e r” w h o is re s p o n s ib le for is s u a n c e an d re q u e s t p a s s e s all a p p lic a b le a u th o riza tio n
c o n tro l of u ser id e n tity c o d e s a n d p a s s w o rd s tests, th e a p p r o p ria te a p p lic a tio n p ro g ra m th en
a n d c a n th e o re tic a lly a c c e s s a ll of th e w o u ld b e e x e c u te d a n d th e o u tp u t routed
in fo rm a tio n c o n ta in e d w ith in th e s ystem . A ny d ire c tly to th e u s e r or w h e re v e r d e s ig n a te d .
u ser w h o c a n o b ta in th e a d m in is tra tiv e u s e r’s A lth o u g h a c o m p re h e n s iv e a u th o riz a tio n
p a s s w o rd c a n d o th e s a m e . p ro c e s s w ith a ll th e s e c a p a b ilitie s p ro b a b ly
T h e re a re s o m e s p e c ific te c h n iq u e s u n d e r c o u ld not b e im p le m e n te d w ith p re s e n t-d a y
d e v e lo p m e n t th at w o u ld a llo w a s ystem to te c h n o lo g y , n e ith e r a u d ito rs nor system
u n iq u e ly id e n tify a g iv e n user. T h e u se of v o ic e d e s ig n e rs sh o u ld b e lim ite d to th in k in g in te rm s
print, th u m b print, or s im ila r te c h n o lo g y m ay of p re s e n t-d a y te c h n o lo g y . For e x a m p le , d a ta
b e c o m e c o m m o n in th e future. Future sys te m s d ic tio n a ry /d ire c to rie s , w h ic h id e n tify e a c h d a ta
s h o u ld b e a b le to s p e c ific a lly id e n tify users as e le m e n t a n d its re la tio n s h ip to o th e r d a ta
a re q u is ite to an y e ffe c tiv e u ser c o ntro l s c h e m e . e le m e n ts a n d p ro g ra m s , a re b e in g im p le m e n te d
11
in m a n y of to d a y ’s m o re a d v a n c e d c o m p u te r v a rie ty of users w ill b e in te ra c tin g w ith th e
s ystem s. T h is is a tre n d th a t w ill c o n tin u e a n d s ystem a n d e x e c u tin g th e s a m e o r d iffe re n t
th a t c o u ld b e e x p a n d e d to p ro v id e a u th o riza tio n p ro c e s s e s s im u lta n e o u s ly . T y p ic a l p ro c e s s e s
ta b le c a p a b ilitie s . Future c o m p u te r s y s te m s c a n in c lu d e c o m p ilin g a p ro g ra m , u p d a tin g
c o u ld h a v e e x p a n d e d d ic tio n a ry /d ire c to rie s or d a ta e le m e n ts , v a lid a tin g a u s e r’s p a s s w o rd ,
o th e r m e c h a n is m s th a t re la te users to a u th o riz e d a n d so forth. O n c e a sy s te m h as d e te rm in e d th at
in p u t re q u e s ts , p ro c e s s e s , a n d in fo rm atio n . T his a u s e r h as b e e n a u th o riz e d to e x e c u te a s p e c ific
k in d of lin k a g e w o u ld a llo w th e a u d ito r to p ro c e s s , th e s ystem m u st b e a b le to c o m p le te
d e te rm in e th e p ro c e s s e s e x e c u te d for a g iv e n th a t p ro c e s s w ith in th e tim e c o n s tra in ts re q u ire d
ty p e of in p u t re q u e s t. For e x a m p le , th e ty p ic a l by th e user.
p ro c e s s s te p s a s s o c ia te d w ith th e en try o f a To a c c o m p lis h th is th e s ystem m ust
s a le s tra n s a c tio n a re as fo llo w s: s c h e d u le e a c h u s e r p ro c e s s a n d p e rm it m u ltip le
u sers to a c c e s s m a n y of th e s a m e in fo rm atio n
P re p a ra tio n of s h ip p in g d o c u m e n ts .
e le m e n ts a lm o s t s im u lta n e o u s ly . A s a p ra c tic a l
P re p a ra tio n o f s a le s in v o ic e . m atter, th e s ystem m u st b e a b le to m a in ta in th e
U p d a te of th e a p p r o p ria te a c c o u n ts status of e a c h d a ta e le m e n t a n d co ntro l th e
r e c e iv a b le d a ta e le m e n ts . s e q u e n c e of a c c e s s a n d u p d a te .
U p d a te o f a p p r o p ria te p ro d u c t in ven to ry S p e c ific s ystem c o n tro ls a re re q u ire d to
d a ta e le m e n ts . m a in ta in p ro c e s s in te g rity a n d c o n s is te n c y , an d
to p e rm it re c o n s tru c tio n of e v e n ts a n d re c o v e ry
E x p lo s io n of p ro d u c ts s o ld into c o m p o n e n t
in th e e v e n t of sy s te m fa ilu re . T h e s e co n tro ls
p arts a n d /o r raw m a te ria l re q u ire m e n ts .
m a y re q u ire th e u se of h ig h -s p e e d m e m o ry to
T e s t for re o rd e r p o in t fo r all c o m p o n e n ts
re c o rd th e status o f a lI p ro g ra m s b e in g e x e c u te d
a n d /o r raw m a te ria ls a ffe c te d .
a n d d a ta a c c e s s e d or a s im ila r te c h n iq u e th at
U p d a te th e a p p r o p ria te s a le s re g is te rs .
a llo w s d e fin itiv e b o u n d a rie s to b e d ra w n aro u n d
U p d a te th e a p p r o p ria te s a le s c o m m is s io n p ro c e s s e s a n d th e ir e ffe c ts .
d a ta e le m e n ts . T h e resu lts of a n y g iv e n p ro c e s s a c tiv ity m ay
U p d a te an y a p p r o p ria te ro yalty d a ta n e c e s s ita te a sy s te m g e n e r a te d re s p o n s e to
e le m e n ts . c o m p u te r o p e ra tio n s , m a n a g e rs , au d ito rs , or
U p d a te th e a p p r o p ria te c o n tin g e n t lia b ility o th e rs w ith in th e e n te rp ris e . For e x a m p le , an
d a ta e le m e n ts if p ro d u c t is g u a r a n te e d o r o p e ra tio n s o ffic e r in a b a n k m a y w a n t to b e
w a rra n te e d . n o tifie d w h e n a n d by w h o m a tra n s a c tio n g re a te r
th a n a s tip u la te d d o lla r a m o u n t w a s p ro c e s s e d ,
U p d a te th e o th e r a p p r o p ria te d a ta
o r an a u d ito r m a y w a n t to kn o w w h e n a
e le m e n ts .
tra n s a c tio n a ffe c tin g a d o rm a n t a c c o u n t w a s
In a c o n v e n tio n a l s ystem , m ost of th e s e a re p ro c e s s e d — th e sy s te m c o u ld p ro v id e th is
tre a te d as s e p a ra te tra n s a c tio n s a n d are in fo rm a tio n .
h a n d le d b y s u c h d e p a rtm e n ts as s a le s , O th e r co n tro l fe a tu re s w ill b e re q u ire d if
a c c o u n tin g , or s h ip p in g . E a c h s te p w o u ld a d v a n c e d s y s te m s h a v e th e c a p a b ility to
re q u ire s o m e fo rm of a u th o riz a tio n p ro c e d u re . a n a ly z e th e resu lts of e a c h p ro c e s s in g s te p or
A p p lic a tio n s y s te m s h a v e b e e n a n d a re b e in g p ro g ra m e x e c u tio n a n d d y n a m ic a lly g e n e ra te ,
d e v e lo p e d th a t w o u ld h a v e th e c a p a b ility to e lim in a te , or re s e q u e n c e th e s te p s in th e q u e u e
p e rfo rm a ll of th e a b o v e s te p s a n d u p d a te all a w a itin g p ro c e s s in g .
a p p r o p ria te in fo rm a tio n e le m e n ts w h e n e v e r a
s a le s tra n s a c tio n is e n te re d into th e sys te m . T h e
Activity Logging. O n c e a s p e c ific s te p in a
p ro c e s s h as b e e n c o m p le te d , th e system sh ou ld
a u d ito r w ill no lo n g e r b e a b le to w a lk th ro u g h a
h a v e th e c a p a b ility to re c o rd o r log w h o
ty p ic a l tra n s a c tio n to u n d e rs ta n d th e p ro c e s s
e x e c u te d w h a t p ro c e s s s te p a n d w h a t d a ta
s te p s in v o lv e d ; he m ay, h o w e v e r, b e re q u ire d to
e le m e n ts w e re a ffe c te d . T h e s ystem m ust b e
a n a ly z e th e c o n te n ts of th e d ic tio n a ry /d ire c to ry
a b le to re c o rd th is d a ta on a file a c c e s s ib le only
to d e te rm in e th e p a th th a t a s p e c ific ty p e of
to s p e c ific p e rs o n n e l. T h is d a ta sh o u ld not b e
re q u e s t fo llo w s th ro u g h th e s ystem a n d th e
a c c e s s ib le to th o s e p e rs o n s o v e r w h o m
a u th o riz a tio n p ro c e d u re s re la te d th e re to .
a c c o u n ta b ility h as b e e n re c o rd e d . A s an
Process Integrity. C u rre n tly , as p ro g ra m s are e x a m p le , th e a c tiv ity log th a t re c o rd s p a s s w o rd
e x e c u te d in e ith e r a b a tc h or in te ra c tiv e m o d e , c h a n g e s m a d e by a u th o riz e d p e rs o n n e l sh ou ld
h a rd w a re c o n tro ls a n d o p e ra tin g system not b e a c c e s s ib le to th o s e p e rs o n n e l. S im ila rly ,
c o n tro ls m a in ta in p ro g ra m in teg rity. T h e s e th e a c tiv ity log th a t re c o rd s th e a u d ito r’s a c c e s s
c o n tro ls a re a c c e p ta b le now , but s h o u ld b e to th e d a ta b a s e m u st not b e a c c e s s ib le to th e
e x p a n d e d to m e e t a d v a n c e d system n e e d s for a u d ito r.
p ro g ra m a n d d a ta in teg rity. A lth o u g h th e p rim a ry p u rp o s e of th e a ctivity
In an a d v a n c e d s y s te m s e n v iro n m e n t a w id e log w o u ld b e fo r co n tro l, it w o u ld b e useful to
12
m a n a g e m e n t in re v ie w in g c o m p lia n c e w ith □ P ro c e s s (e s ) re q u e s te d
s ta te d p o lic ie s a n d p ro c e d u re s an d for o th er □ T im e a n d d a te of re q u e s t
a u d it p u rp o s e s .
□ P ro c e s s (e s ) p e rfo rm e d
An en try in this log n e e d not b e g e n e ra te d
□ R es u lts o b ta in e d
e a c h tim e a u ser e n te rs a tra n s a c tio n , o r e a c h
tim e a p ro c e s s s te p is e x e c u te d . R ath er, it is up T h e g e n e ra tin g a n d lo g g in g of th e fo re g o in g
to th e e n te rp ris e to id e n tify s p e c ific users, k in d s in fo rm atio n w ill a llo w th e a u d ito r or o th ers to
of tra n s a c tio n s , a n d p ro c e s s s te p s th a t re q u ire e ffe c tiv e ly m o n ito r w h o is a c c e s s in g w h a t
lo g g in g . For e x a m p le , th e a c tiv ity log m ig h t in fo rm atio n w ith in th e e n te rp ris e .
c o n ta in th e fo llo w in g in fo rm atio n :
□ Id e n tity of th e user
Auditability Features
T h e fe a tu re s d e s ir a b le in a d v a n c e d E D P th e p a s t th is h a s m e a n t th a t th e a u d ito r m ig h t
s y s te m s to e n s u re th a t th e s y s te m s a re g e n e r a lly c o p y file s re la te d to fin a n c ia l a p p lic a tio n s an d
a u d ita b le a re th e s a m e fe a tu re s d e s ira b le for p ro c e s s th e m on a s e p a ra te c o m p u te r system
e ffe c tiv e m a n a g e m e n t of th e in fo rm a tio n system . w ith s p e c ia lly w ritte n a u d it p ro g ra m s . H o w e v e r,
A p o s s ib le e x c e p tio n m ig h t b e th e form a n d w h e n s y s te m s h a v e th e h ig h level of co ntro l
p e rio d fo r reten tio n of in fo rm a tio n for a u d it a c h ie v a b le w ith th e re c o m m e n d e d control
p u rp o s e s . P re v io u s ly s ta te d a u d ita b ility fe a tu re s in th is c h a p te r, th e a u d ito r m ig h t g a in
o b je c tiv e s re la te to a u d it tra ils , a u d it e v id e n c e , a s s u ra n c e re g a rd in g th e in d e p e n d e n c e of a u d it
a u d it co n tro l, a n d a u d it to o ls. T h e s e a u d ita b ility p ro c e s s in g by re v ie w in g a c tiv ity lo g s th a t c o v e r
o b je c tiv e s m ig h t b e m e t if th e c o n tro l fe a tu re s p e rio d s d u rin g w h ic h th e a u d it p ro c e s s in g w a s
p re v io u s ly s ta te d a re im p le m e n te d into p e rfo rm e d .
a d v a n c e d c o m p u te r s ystem s. For e x a m p le , o n e T h e a u th o riz a tio n c o n tro l c o n c e p t a lo n e w ill
of th e a u d ita b ility o b je c tiv e s is a u d it contro l; th at p ro v id e a ll a u d ito rs of a d v a n c e d s y s te m s w ith
is, th e a u d ito r re q u ire s th e c a p a b ility to a u d it th e p o te n tia lly m u ch g re a te r in d e p e n d e n c e th an is
s ystem w ith o u t b e in g w h o lly d e p e n d e n t on it. In a v a ila b le to d a y .
Audit Tools
A u d it to o ls p ro v id e fle x ib le in fo rm a tio n re trie v a l a n d th e like to a id in th e a u d it effort. W ith th e s e
a n d te s tin g c a p a b ilitie s for th e a u d ito r. T h e s e ro u tin es th e a u d ito r w o u ld b e a b le to s ta tis tic a lly
c a p a b ilitie s a re o u tlin e d b e lo w a n d in c h a p te r 5. s e le c t ra n d o m s a m p le s fo r te s tin g a n d p erfo rm
A d v a n c e d E D P s y s te m s s h o u ld in c lu d e an a n a ly tic a l a u d it p ro c e d u re s .
e a s y -to -le a rn d e c la ra tiv e la n g u a g e th a t w ill A d d itio n a lly , th e a u d ito r sh o u ld b e p ro v id e d
a llo w a u d ito rs to in te rro g a te a d a ta b a s e , w ith th e c a p a b ility to s p e c ify w h ic h k in d s of u ser
p erfo rm m a th e m a tic a l o p e ra tio n s on d a ta b a s e re q u e s ts s h o u ld b e a u to m a tic a lly lo g g e d onto
e le m e n ts , fo rm a t o u tp u t file s , g e n e r a te reports, an a u d it file . T h e a u d ito r s h o u ld b e a b le to
a n d so forth. s p e c ify th a t a ll re q u e s ts , a s tip u la te d
N a tu ra lly , a u d ito rs s h o u ld b e a b le to p erfo rm p e rc e n ta g e of a ll re q u e s ts , or th o s e th a t m e e t a
th e s e o p e ra tio n s u s in g c o m p o u n d s e le c tio n g iv e n c rite ria , b e w ritte n to th e “a u d it lo g ” file.
c rite ria su ch th a t a s p e c ific s u b s e t of in fo rm atio n T h is c a p a b ility is d iffe re n t from an a c tiv ity log
c o u ld b e g e n e r a te d w ith o u t in v o lv e d th a t d o c u m e n ts w h o p e rfo rm e d w h a t req u est.
p ro g ra m m in g . For e x a m p le , an a u d ito r in a T h e a u d it log p ro v id e s th e a u d ito r w ith an a u d it
b a n k in g e n v iro n m e n t m a y w a n t to s e le c t o n ly trail of th e tra n s a c tio n s th a t w e re p ro c e s s e d
th o s e e m p lo y e e a c c o u n ts w ith a c c o u n t a g a in s t s p e c ific in fo rm a tio n e le m e n ts . For
b a la n c e s g re a te r th a n $ 1 ,0 0 0 th a t h a d m o re e x a m p le , th e a u d ito r w o u ld b e a b le to s p e c ify
th a n te n tra n s a c tio n s in a b iw e e k ly p e rio d . th at a ll tra n s a c tio n s a ffe c tin g a p a rtic u la r c a s h
T h e sy s te m s h o u ld p ro v id e th is k in d of g e n e ra l le d g e r a c c o u n t o r th a t a ll e m p lo y e e
c a p a b ility a n d p ro v id e users w ith s p e c ia l b a la n c e a c c o u n ts b e a u to m a tic a lly lo g g e d .
p u rp o s e ro u tin e s s u c h as s ta tis tic a l s a m p lin g , A d v a n c e d s y s te m s s h o u ld b e d e s ig n e d w ith
re g re s s io n a n a ly s is , m o d e l-b u ild in g m o d u le s , “ a u d it h o o k s ” th a t w o u ld a llo w th e a u d ito r’s
13
p ro g ra m s to b e in te g ra te d into th e n o rm al U s e rs w h o h a v e te rm in a l e q u ip m e n t a c c e s s the
p ro c e s s a c tiv itie s a s s o c ia te d w ith s p e c ific in fo rm a tio n system , a n d th e a u th o riza tio n
tra n s a c tio n s . T h is fe a tu re w o u ld p ro v id e the co n tro l ro u tin e a c c e s s e s th e a u th o riz a tio n ta b le
a u d ito r w ith th e c a p a b ility to m o n ito r p ro c e s s in g a n d d e te rm in e s w h e th e r or not a u s e r’s
a c tiv ity a n d s e le c t s p e c ific tra n s a c tio n s for id e n tific a tio n or s ig n -o n p a ra m e te rs a re
e x c e p tio n re p o rtin g or a u d it te s tin g . This a c c e p ta b le to th e sys te m . If th e y a re, u s e r
c a p a b ility c o u ld b e u s e d in v a rio u s w a y s . For e n te re d d a ta re la te d to tra n s a c tio n ty p e a re
e x a m p le , th e a u d it d e p a r tm e n t c o u ld b e n o tifie d v a lid a te d a g a in s t a p p r o p ria te e n trie s in th e
" o n -lin e ” w h e n a u ser re q u e s t of a s p e c ific kin d a u th o riz a tio n ta b le .
w a s e n te re d into th e sys te m . T h is ty p e of If all c rite ria a re m et, th e p ro c e s s in g
ro u tin e c o u ld b e u s e d to m o n ito r tra n s a c tio n s p ro g ra m (s ) a re th en c a lle d a n d co ntro l is
in v o lv in g d o rm a n t a c c o u n ts in a b a n k in g p a s s e d to th e m . W h e n p ro c e s s in g is c o m p le te ,
e n v iro n m e n t. S y s te m s a n d a p p lic a tio n s c o ntro l is p a s s e d b a c k to th e a u th o riza tio n
p ro g ra m c h a n g e s c o u ld b e s im ila rly m o n ito re d . co n tro l ro u tin e a n d a p p r o p ria te a c tiv ity logs
T o d a y , p o rta b le c o m p u te rs th at c a n p ro c e s s c re a te d .
in a “s ta n d -a lo n e ” e n v iro n m e n t, o r c o m m u n ic a te T h e p u rp o s e of th is s c h e m a tic is to p re s e n t
w ith a la rg e c o m p u te r s ystem are a re a lity . T h e on a c o n c e p tu a l le v e l th e c o ntro l fe a tu re s th at
a u d ito r c o u ld a c c e s s th e in fo rm atio n system , a u d ito rs b e lie v e a re n e c e s s a ry in an a d v a n c e d
s e le c t fin a n c ia l tra n s a c tio n s for te s tin g , a n d s y s te m s e n v iro n m e n t— it is not a p ro p o s e d
tra n s fe r th e s e tra n s a c tio n s to a s e p a ra te s o lu tion . T h e s e fe a tu re s w ill p e rm it th e co ntro l
" a u d ito r’s c o m p u te r” for a n a ly s is . T h is a p p r o a c h o b je c tiv e s re la tin g to a c c e s s to assets,
is fast b e c o m in g c o s t e ffe c tiv e in to d a y ’s tra n s a c tio n in itia tio n a n d re c o rd in g , an d
e n v iro n m e n t. A d v a n c e s in te c h n o lo g y w ill su re ly c o m p a ris o n of re c o rd s o f a c c o u n ta b ility to be
m a k e this a p p r o a c h e v e n m o re c o s t e ffe c tiv e a c h ie v e d .
to m o rrow . A ll of th e s e c a p a b ilitie s c a n b e in c o rp o ra te d
T h e in fo rm a tio n sy s te m s c h e m a tic (e x h ib it into an a d v a n c e d sys te m . If th e y are, th e y w ill
4 -1 ) d e p ic ts th e c o ntro l fe a tu re s d e s c r ib e d in p ro v id e m a n a g e m e n t a n d th e a u d ito r w ith m uch
th e p re v io u s s e c tio n s . n e e d e d control a n d a u d ita b ility features.
EXHIBIT 4 — 1 INFORMATION SYSTEM SCHEMATIC
Output
User Report
System Software1 User

Activity Authorization
Log Table
Application
Data
Audit Application
Hook Processing
Interface Program(s)
1Includes the following routines:

Input/output
Authorization control
Data management
Audit hook
System management
14
Chapter 5
Audit Approaches fa Advanced

EDP Systems
T h is c h a p te r re la te s a d v a n c e d E D P s y s te m s to term “a u d itin g a d v a n c e d E D P s y s te m s ” refers
th e a u d it p ro c e s s d e s c r ib e d in c h a p te r 2 an d to th o s e a u d itin g p ro c e d u re s th a t re la te to th e
p re s e n ts p o te n tia l p ro b le m a re a s w ith th e ir u n d e rs ta n d in g or te s tin g of su ch s y s te m s o r th e
re la te d a u d it c o n s id e ra tio n s a n d s u g g e s te d resu lts p ro d u c e d th e re fro m . S uch
to o ls a n d te c h n iq u e s fo r a u d ito rs . T h is c h a p te r u n d e rs ta n d in g a n d te s tin g is not an e n d in
p ro v id e s th e a u d ito r w ith a startin g p o in t for itself, but a p a rt of th e a u d it p ro c e s s .
c o n s id e rin g th e e ffe c t of an a d v a n c e d E D P M a n y a c c o u n tin g c o n tro l te c h n iq u e s in
s ystem on th e a u d it p ro c e s s . T h e m a te ria l is a d v a n c e d E D P s y s te m s w ill d iffe r m a rk e d ly from
d ire c te d to th e in d e p e n d e n t o r e x te rn a l a u dito r; th o s e in p re s e n t c o n v e n tio n a l E D P system s.
but, m a n y of th e a u d it te c h n iq u e s a n d N o n e th e le s s , th e re v ie w a n d e v a lu a tio n
a p p r o a c h e s m ay b e s u ite d fo r u se by in ternal a p p r o a c h to E D P a c c o u n tin g c o n tro ls fo llo w e d
a u d ito rs . T h is c h a p te r a ls o h as th e s e c o n d a ry by an a u d ito r w ill m o st lik e ly c o n tin u e to be
p u rp o s e of p ro v id in g in fo rm atio n to a lo n g th e lin e s set forth in th e A IC P A a u d it an d
m a n a g e m e n t a n d E D P p e rs o n n e l re g a rd in g a c c o u n tin g g u id e on th a t s u b je c t.1
a u d itin g c o n s id e ra tio n s re le v a n t to th e ir W h e n a u d itin g a d v a n c e d E D P system s, th e
a d v a n c e d E D P system s. a u d ito r w ill lik e ly p la c e a h ig h d e g r e e of
T h e p rin c ip a l o b je c tiv e of th e in d e p e n d e n t re lia n c e on a d v a n c e d E D P sys te m s co n tro ls a n d
a u d ito r is th e e x p re s s io n of an o p in io n on th e m a y u se th e s ystem to p erfo rm c o m p lia n c e an d
fa irn e s s of th e fin a n c ia l s ta te m e n ts of th e s u b s ta n tiv e te s tin g p ro c e d u re s d e s c rib e d in
e n te rp ris e in c o n fo rm ity w ith g e n e r a lly a c c e p te d c h a p te r 2. T h e re fo re , a u d it re v ie w of th e d e s ig n
a c c o u n tin g p rin c ip le s or w ith a c o m p re h e n s iv e an d d e v e lo p m e n t of an a d v a n c e d E D P system
b a s is of a c c o u n tin g o th e r th a n g e n e r a lly c a n h e lp a s s u re th a t co n tro l a n d a u d ita b ility a re
a c c e p te d a c c o u n tin g p rin c ip le s . T h e s tu d y a n d a d e q u a te ly c o n s id e re d . T h e a u d it
e v a lu a tio n of in tern al a c c o u n tin g co n tro l is an c o n s id e ra tio n s d u rin g th e s y s te m s d e s ig n s ta g e
in te rm e d ia te s tep in th e a u d it p ro c e s s . T h e are o u tlin e d in th is c h a p te r.
Auditing Advanced EDP Systems— Some

Differences
T h e a re a s of d iffe re n c e b e tw e e n c o n v e n tio n a l 7. T im in g of a u d it p ro c e d u re s
E D P s y s te m s an d a d v a n c e d E D P s ystem s, from
E a c h of th e s e is d is c u s s e d b e lo w w ith th e ir
an a u d itin g p o in t of v ie w , in c lu d e th e fo llo w in g :
a tte n d a n t a u d it c o n c e rn s .
1. C o m p le x ity
2. N a tu re of e v id e n tia l m a tte r Complexity. O n e of th e m ost s ig n ific a n t
p ro b le m s fa c in g th e a u d ito r of an a d v a n c e d E D P
3. R e la tio n s h ip b e tw e e n a c c o u n tin g co n tro ls
s ystem is u n d e rs ta n d in g th e flo w of a c c o u n tin g
a n d e v id e n tia l m a tte r
in fo rm atio n th ro u g h w h a t m a y b e a v e ry c o m p le x
4. N a tu re of a u d it c o ntro l
s e rie s of p ro c e s s in g s te p s th a t fre q u e n tly
5. A u d it trail c o n s id e ra tio n s in te ra c t w ith e a c h o th e r a n d w ith th o s e in o th e r
6. T e c h n iq u e s re q u ire d for a c c e s s to s ystem s. T h e a u d ito r’s p re lim in a ry o b je c tiv e s
in fo rm atio n a re to id e n tify (1 ) h ow tra n s a c tio n s are in itia te d
1See AICPA Audit and Accounting Guide, The Auditor's Study and Evaluation of Internal Control in EDP Systems (New York:
AICPA, 1977).
15
a n d flo w into th e fin a n c ia l s ta te m e n ts , (2 ) th e A lte rn a tiv e ly , if th e a u d ito r c h o o s e s not to rely
re la tio n s h ip b e tw e e n th e E D P a n d m a n u a l u po n a c c o u n tin g co n tro ls , c o m p lia n c e te s tin g is
p o rtio n s of th e s ystem , a n d (3 ) th e b a s ic not n e c e s s a ry , a lth o u g h s u b s ta n tiv e te s tin g
stru ctu re of a c c o u n tin g co ntro l. c a n n o t b e re d u c e d .
P ro p e r d o c u m e n ta tio n , a u d it re v ie w d u rin g In a d v a n c e d E D P s y s te m s th e a lte rn a tiv e of
s ystem d e s ig n , a n d e ffe c tiv e in tern al a u d it not re ly in g u p o n a c c o u n tin g c o n tro ls m a y not
re v ie w s of a d v a n c e d E D P s y s te m s c a n all exist. T h e a u d ito r m a y b e re q u ire d to u n d e rs ta n d
s ig n ific a n tly re d u c e th e tim e an d , c o n s e q u e n tly , a n d te s t for c o m p lia n c e th o s e c o n tro ls th a t e ffe c t
th e c o s t of th is p h a s e of th e au d it. th e fo llo w in g :
S ta n d a rd iz a tio n of s y s te m s (s u c h as o p e ra tin g
1. A ffe c t th e v a lid ity or in te g rity of system
s y s te m s a n d a p p lic a tio n s y s te m s ) by th e ir
c o n tro lle d o r in itia te d a u d it e v id e n c e .
d e v e lo p e rs , to g e th e r w ith an a p p r o a c h s im ila r to
th e “th ird p arty a u d ito r r e v ie w ,’’2 c o u ld a ls o 2. R e s tric t th e a b ility to a lte r e v id e n c e in
re d u c e a u d it cost. U n d e r th is s u g g e s te d m a c h in e -s e n s ib le form .
a p p ro a c h , an a u d itin g firm m ig h t o b ta in a 3. P ro v id e a b a s is for e ffe c tiv e a u d it control
system d e s c rip tio n s u ita b le fo r a u d it use, re v ie w w h e n th e a u d ito r re lie s on th e sy s te m for
a n d te s t th e s ta n d a rd iz e d system , a n d p ro v id e a te s tin g p u rp o s e s .
rep o rt d ire c te d to o th e r a u d ito rs d e s c rib in g th e
For e x a m p le , m ost b a n k c u rre n c y d is p e n s e rs
resu lts of th e s e p ro c e d u re s a n d s u g g e s t tests
p ro d u c e a tra n s a c tio n re c o rd , o n e c o p y of w h ic h
th a t an a u d ito r m ig h t p erfo rm on such a system .
is p ro v id e d to th e c u s to m e r. A s e c o n d c o p y is
Nature of Evidential Matter. T h e a u d ito r re ta in e d w ith in th e d is p e n s in g d e v ic e a n d is
n e e d s s u ffic ie n t c o m p e te n t e v id e n tia l m a tte r to u s e d to s u p p o rt th e d a ily tra n s a c tio n s , su ch as
afford a re a s o n a b le b a s is for an o p in io n th e c a s h d is b u rs e d . T h is tra n s a c tio n re co rd
re g a rd in g th e fin a n c ia l s ta te m e n ts u n d e r c o p y m ig h t p ro v id e u sefu l e v id e n c e fo r a u d it
e x a m in a tio n .3 In m a n u a l s y s te m s a n d s o m e E D P p u rp o s e s if th e c o n tro ls o v e r th e in itia tio n of
s ystem s, th is e v id e n c e in c lu d e s d o c u m e n ts tra n s a c tio n s a n d o v e r th e c re a tio n a n d h a n d lin g
e v id e n c in g a c tio n s (for e x a m p le , a p p ro v a ls ), of th e s e d o c u m e n ts a re e ffe c tiv e . If th e s e
tra n s a c tio n s , as s e ts , or o b lig a tio n s , w h ic h c o n tro ls a re not e ffe c tiv e , th e tra d itio n a l a u d it
th e a u d ito r c a n e x a m in e or co n firm w ith a p p r o a c h of e x te n d in g th e te s tin g of th e s e
in d e p e n d e n t p a rtie s . d o c u m e n ts w o u ld not b e e ffe c tiv e . In su ch a
M a c h in e -s e n s ib le e v id e n c e c a n b e c h a n g e d situ atio n , th e a u d ito r w o u ld h a v e to c o n s id e r
w ith o u t le a v in g a tra c e . T o d a y , a u d ito rs w h e th e r a lte rn a tiv e p ro c e d u re s , su ch as
fre q u e n tly c o m p a re ite m s s e le c te d from c o n firm a tio n w ith th e b a n k ’s c u s to m e rs , c o u ld
m a c h in e -s e n s ib le re c o rd s to a p p r o p ria te s o u rc e p ro v id e s a tis fa c to ry a u d it e v id e n c e , or w h e th e r
d o c u m e n ts to o b ta in s a tis fa c tio n th a t c o n tro ls a re so la c k in g th a t it is u n lik e ly th at any
tra n s a c tio n s h a v e b e e n p ro p e rly re c o rd e d . c o n c lu s io n s c a n b e m a d e from further a u d it
T h e s e a p p r o a c h e s m a y not b e fe a s ib le in s o m e te s tin g .
a d v a n c e d E D P s y s te m s b e c a u s e in d e p e n d e n t In o rd e r to a u d it e ffe c tiv e ly in an a d v a n c e d
or s u p p o rtin g d o c u m e n ts m a y not b e a v a ila b le . sys te m s e n v iro n m e n t, th e a u d ito r w ill p ro b a b ly
O th e r te c h n iq u e s w ill b e re q u ire d to p ro v id e a n d p la c e a h ig h d e g r e e of re lia n c e upo n th e
c o ntro l th e e v id e n tia l m a tte r n e e d e d by th e c o n tro ls in th e s ystem . E ffe c tiv e a c c o u n tin g
au d ito r. c o n tro ls a re re q u is ite to s u c h re lia n c e . T h e
a u d ito r, th e re fo re , m ay b e re q u ire d to
Relationship Between Accounting Controls u n d e rs ta n d a n d te s t th e s e co n tro ls. In th e
and Evidential Matter. In a p p ly in g a a b s e n c e of th e s e co n tro ls , th e a u d ito r m ay b e
tra d itio n a l a u d it a p p ro a c h , th e a u d ito r s e e k s to u n a b le to a u d it at a re a s o n a b le cost.
id e n tify a c c o u n tin g c o n tro ls u po n w h ic h
re lia n c e m a y b e p la c e d . T h e a u d ito r th en tests Nature of Audit Control. A ll a u d it te s tin g ,
c o m p lia n c e w ith th e s e c o n tro l p ro c e d u re s to w h e th e r m a n u a l or in v o lv in g E D P system s, m ust
o b ta in s a tis fa c tio n th a t th e y a re o p e ra tin g as b e p e rfo rm e d w ith in d e p e n d e n c e an d
p re s c rib e d . W h e n e v e r th e s e c o n tro ls a p p e a r to o b je c tiv ity . W h e n e v e r c lie n t p e rs o n n e l p ro v id e
b e fu n c tio n in g e ffe c tiv e ly , th e a u d ito r m a y b e in a s s is ta n c e in th e p e rfo rm a n c e of a u d it
a p o s itio n to re ly on th e m as a b a s is for p ro c e d u re s , an a c c e p te d p ra c tic e is to
a p p r o p ria te ly re s tric tin g th e e x te n t of s u p e rv is e , re v ie w , a n d te s t th is w o rk b e fo re
s u b s ta n tiv e a u d itin g p ro c e d u re s . p la c in g re lia n c e u po n it.
2See AICPA Audit and Accounting Guide, Audits of Service-Center-Produced Records (New York: AICPA, 1974), wherein the
concept of a review of an accounting system in use at a service center is made by a “third party auditor" and relied upon by
auditors of the customers of the service center.
3See SAS no. 1, Sec. 330.
16
W h e n th e a u d ito r p e rfo rm s tests in an E D P A ty p ic a l a u d it tra il e n v iro n m e n t m ig h t b e as
e n v iro n m e n t, c e rta in c lie n t p ro v id e d p ro g ra m s follow s: T h e a c c o u n ts re c e iv a b le system is
fre q u e n tly a re u sed . For e x a m p le , if th e a u d ito r d e s ig n e d to reta in m ic ro fic h e c o p ie s of
w e re to p re p a re , test, a n d p ro c e s s a p ro g ra m to c u s to m e rs ’ s ta te m e n ts for a u d it tra il p u rp o s e s .
m a k e s ta tis tic a l s e le c tio n s from file s m a in ta in e d T h is in fo rm a tio n is a ls o re ta in e d in
on a c lie n t E D P s ystem , th e a u d ito r u s u a lly w ill m a c h in e -s e n s ib le form on th e d a ta b a s e system
b e re q u ire d to use th e c lie n t’s o p e ra tin g system , for a p p r o x im a te ly tw o m onths, a fte r w h ic h tim e it
d a ta m a n a g e m e n t system , or s im ila r p ro g ra m s . is d e s tro y e d . In o rd e r to a u d it e ffic ie n tly , th e
In o rd e r to o b ta in s a tis fa c tio n th at a u d it re lia n c e a u d ito r w ill re q u ire a c c e s s to the
c a n b e a p p r o p ria te ly p la c e d on th o se p ro g ra m s m a c h in e -r e a d a b le re c o rd s . O th e rw is e , the
a n d th a t th e in teg rity of th e a u d it te s tin g h as not a u d ito r m a y b e fo rc e d into th e u n e c o n o m ic a l
b e e n c o m p ro m is e d , th e a u d ito r sh o u ld o b ta in a lte rn a tiv e of re v ie w in g la rg e v o lu m e s of
re a s o n a b le s a tis fa c tio n th a t th o s e e le m e n ts of m ic ro fic h e re c o rd s a n d a p p ly in g e s s e n tia lly
th e s ystem b e in g u s e d a re p ro p e rly fu n c tio n in g . m a n u a l a u d it p ro c e d u re s to th em .
In an a d v a n c e d sys te m s e n v iro n m e n t th is M a c h in e -s e n s ib le a u d it tra ils m ay e x is t for
re lia n c e m a y b e m o re d iffic u lt to o b ta in . sh o rter tim e s (a s little a s a fe w h o u rs) in s o m e
E ffe c tiv e a n d a u d ita b le co n tro ls o v e r a c c e s s to system s. T h e a u d ito r m a y c h o o s e to a c c e s s th is
s y s te m s p ro g ra m s , su ch as th e o p e ra tin g in fo rm atio n d ire c tly from th e d a ta b a s e . T h is
s ystem a n d th e d a ta b a s e m a n a g e m e n t system , a p p ro a c h is d is c u s s e d b e lo w . A n o th e r
c o u ld p ro v id e a b a s is for re lia n c e for a u d it a p p r o a c h is to u s e o n e o r m o re of th e to o ls a n d
p u rp o s e s . In th e a b s e n c e of su ch co n tro ls, th e te c h n iq u e s d is c u s s e d in th e last s e c tio n of this
a u d ito r m a y b e re q u ire d to u se an in d e p e n d e n t c h a p te r. T h e s e te c h n iq u e s m a y e n a b le th e
c o m p u te r s ystem or u se m o re c o s tly a lte rn a tiv e a u d ito r to c re a te " s e le c tiv e a u d it tr a ils ’’ b a s e d
p ro c e d u re s th at p ro v id e th e d e g r e e of upo n tra n s a c tio n ty p e , tra n s a c tio n am o u n t, tim e
in d e p e n d e n c e re q u ire d . of d a y , or an y o th e r c rite ria .
W h e n e v e r a u d it te s tin g is to b e p e rfo rm e d
u sin g E D P te c h n iq u e s in an a d v a n c e d s ystem s
Techniques Required for Access to
e n v iro n m e n t, th e fo llo w in g g e n e ra l p ro c e d u re s Information. A s m o re an d m ore inform ation is
a re s u g g e s te d : in te g ra te d into a d v a n c e d E D P system s,
c o m p u te r-a s s is te d a u d itin g te c h n iq u e s w ill
1. C o n s id e r w h ic h of th e fo llo w in g e le m e n ts of lik e ly b e c o m e th e m o st e c o n o m ic a l m e th o d to
th e c lie n t’s system a re b e in g re lie d u po n for a c c e s s th is info rm atio n for a u d it p urpo ses. T h e
th e a u d it tests to b e p e rfo rm e d : a u d ito r w ill re q u ire to o ls to a c c e s s in fo rm atio n
a. O p e ra tin g system c o n ta in e d in a d a ta b a s e a n d to a c c e s s control
b. D a ta b a s e m a n a g e m e n t system in fo rm a tio n re la tin g to a d v a n c e d E D P system s.
c. D a ta c o m m u n ic a tio n s system T h is c a p a b ility w ill b e fu n d a m e n ta l to
d. A p p lic a tio n p ro g ra m s p e rfo rm in g an e ffe c tiv e au d it.
2. C o n s id e r w h e th e r a p p r o p ria te c o n tro ls e x is t In a tra d itio n a l E D P system , in fo rm atio n
to p ro v id e a s a tis fa c to ry b a s is for re ly in g u s u a lly is s to re d or re c o rd e d (p h y s ic a l fo rm ) in a
u p o n e a c h of th e a b o v e id e n tifie d e le m e n ts . m a n n e r th a t re p re s e n ts th e lo g ic a l or c o n c e p tu a l
3. Id en tify how c o m p lia n c e w ith th e s e control v ie w (lo g ic a l fo rm ) of th e file . For e x a m p le , an
p ro c e d u re s c a n b e te s te d to th e e x te n t a c c o u n ts re c e iv a b le file m a y c o n ta in o n e or
d e e m e d n e c e s s a ry if re lia n c e is to b e p la c e d m o re re c o rd s fo r e a c h c u s to m e r w ith b a la n c e s
on such control p ro c e d u re s . d u e. E a c h re c o rd m ig h t c o n ta in th e c u s to m e r
n u m b e r, n a m e , a n d re la te d in fo rm atio n
4. P ro c e s s th e a u d it a p p lic a tio n a n d c o n s id e r
p e rta in in g to th a t c u s to m e r’s a c c o u n t. T h e s e
s o m e m e th o d of in d e p e n d e n t v e rific a tio n of
re c o rd s a re n o rm a lly o rd e re d in c u s to m e r
th e a u d it p ro c e s s in g results.
num ber sequence.
Audit Trail Considerations. O n e of th e In a m o d e rn d a ta b a s e system , in fo rm a tio n is
c h a ra c te ris tic s of a d v a n c e d sys te m s is th e use p h y s ic a lly re c o rd e d in a m a n n e r th a t b e a rs little
of u n c o n v e n tio n a l o r te m p o ra ry a u d it tra ils . re s e m b la n c e to its lo g ic a l form . For e x a m p le ,
A u d it tra ils in th e fo rm of tra n s a c tio n lis tin g s a n d th e lo g ic a l form of th e p re v io u s e x a m p le w o u ld
th e like m a y not e x is t in th e s e s ystem s. M o re b e u n c h a n g e d . T h e p h y s ic a l form m ig h t b e to
lik e ly , th e a u d it trail w ill e x is t in re c o rd on o n e a re a o f a d is c th e c u s to m e r
m a c h in e -s e n s ib le form fo r lim ite d p e rio d s of n u m b e r, n a m e , a d d re s s , a n d so forth. A n o th e r
tim e . M ic ro film , m ic ro fic h e , a n d h ig h ly d is c a re a m ig h t c o n ta in a ll s a le s tra n s a c tio n s in
c o n d e n s e d p rin to u ts a n d s u m m a rie s of d a te a n d in v o ic e n u m b e r s e q u e n c e . T h e s e
in fo rm a tio n w ill lik e ly c o n s titu te m o re p e rm a n e n t tra n s a c tio n re c o rd s w o u ld not c o n ta in a n y
fo rm s of a u d it tra il in fo rm atio n . D o c u m e n ts c u s to m e r in fo rm a tio n , rather, th e y w o u ld c o n ta in
s u p p o rtin g tra n s a c tio n s m a y not b e c e n tra lly a p o in te r to th e in fo rm a tio n in th e c u s to m e r d is c
file d a n d , in m a n y c a s e s , m a y not exist. a re a . A th ird d is c a re a m ig h t c o n ta in c u s to m e r
17
re m itta n c e in fo rm a tio n . T h is m ig h t c o n s is t of p u rp o s e s . An in te ra c tiv e sy s te m th at o p e ra te s
o n ly d a te re c e iv e d , a m o u n t, a n d p o in te rs to th e on a tw e n ty -fo u r-h o u r b a s is m a y not b e s u ita b le
re la te d s a le s tra n s a c tio n re c o rd s . T h e d a ta b a s e for a u d it u se u n le s s a p ro p e r cu to ff c a n be
m a n a g e m e n t s ystem m a k e s th e p re d e fin e d e s ta b lis h e d .
lo g ic a l c o n n e c tio n b e tw e e n th e s e re s p e c tiv e
p h y s ic a l d a ta e le m e n ts a n d w o u ld b e u s e d to Timing of Auditing Procedures. T h e a u d ito r
p ro d u c e th e lo g ic a l e q u iv a le n t of th e b a la n c e tra d itio n a lly h as p e rfo rm e d a u d it te s tin g so m e
d u e file d e s c rib e d in th e p re v io u s p a ra g ra p h . tim e afte r tra n s a c tio n s h a v e o c c u rre d . In an
O b v io u s ly , th e a u d ito r a c c e s s in g a d v a n c e d E D P s y s te m s e n v iro n m e n t, c e rta in
in fo rm a tio n in su ch a d a ta b a s e o rd in a rily w ill a u d itin g p ro c e d u re s w ill b e p e rfo rm e d
h a v e to u se th e d a ta b a s e m a n a g e m e n t system im m e d ia te ly fo llo w in g tra n s a c tio n o c c u rre n c e .
to m a k e th e n e c e s s a ry lo g ic a l c o n n e c tio n s In s o m e situ atio n s, a u d itin g p ro c e d u re s m ay be
b e tw e e n p h y s ic a l d a ta e le m e n ts . In th a t c a s e , p e rfo rm e d b e fo re tra n s a c tio n p ro c e s s in g is
th e a u d ito r s h o u ld c o n s id e r th e a u d it co ntro l c o m p le te . T h is m a y b e a c c o m p lis h e d by a u d ito r
im p lic a tio n s of su ch use. In d e p e n d e n t c o m p u te r c o n tro lle d c o m p u te r a u d it p ro g ra m s th a t a re
a u d it p ro g ra m s c o u ld b e d e v e lo p e d as an “e m b e d d e d ” in th e system . U n s c h e d u le d visits
a lte rn a tiv e to p la c in g re lia n c e on th e d a ta b a s e or te s tin g in itia te d from re m o te te rm in a ls are
m a n a g e m e n t s ystem . S u ch p ro g ra m s h a v e not o th e r te c h n iq u e s a p p lic a b le for th is e n v iro n
b e c o m e w id e ly u s e d , p rin c ip a lly b e c a u s e of th e m ent. Id e a lly , th e a u d ito r w ill b e c o m e in v o lv e d
c o m p le x ity of d e v e lo p in g a g e n e r a liz e d d u rin g th e s y s te m s d e s ig n p ro c e s s to e n s u re
a p p ro a c h to a c c e s s in g d a ta in p h y s ic a l form th a t n e c e s s a ry a c c o u n tin g co ntro ls, a u d it
from a v a rie ty o f d a ta b a s e fo rm ats. ro u tin es, a n d th e like a re in c o rp o ra te d into th e
G e n e ra lly , d a ta b a s e in fo rm atio n m u st b e at system .
a s ta tic p o in t in o rd e r to b e useful fo r a u d it
Auditing Approaches to Advanced Systems

T h e a u d ito r of an o rg a n iz a tio n u sin g a d v a n c e d 3. E D P co n tro l c o n c e p ts
E D P s y s te m s w ill n e e d to p o s s e s s a d e q u a te
A lth o u g h th e “g e n e r a l” a u d ito r w ill o b v io u s ly
k n o w le d g e a n d e x p e rie n c e of E D P in a d d itio n to
not re q u ire an in -d e p th k n o w le d g e in a ll th e s e
th a t re q u ire d in a c c o u n tin g , a u d itin g , ta x a tio n ,
a re a s , s o m e k n o w le d g e at th e c o n c e p tu a l level
an d re la te d s u b je c ts . M a n y s itu a tio n s w ill
w ill b e n e c e s s a ry in o rd e r to p ro p e rly s u p e rv is e
re q u ire th e a u d ito r to u tiliz e , s u p e rv is e , a n d
a n d re v ie w th e w o rk of th o s e E D P a u d it
re v ie w th e w o rk of E D P a u d it s p e c ia lis ts .
s p e c ia lis ts p o s s e s s in g s u c h in -d e p th
Technical Proficiency. S o m e of th e fu n c tio n a l k n o w le d g e . 4
a re a s o f s kill a n d p ro fic ie n c y th at w ill b e
The Auditor’s Participation During Systems
n e c e s s a ry for th e s e a u d ito rs an d E D P a u d it
Design. T h e a u d ito r is c o n c e rn e d w ith th e
s p e c ia lis ts in c lu d e th e fo llo w in g :
fo llo w in g k in d s of q u e s tio n s d u rin g th e d e s ig n of
a d v a n c e d E D P system s:
1. D a ta p ro c e s s in g fu n c tio n s
a. D a ta e n try te c h n iq u e s • W h a t co n tro l p ro c e d u re s s h o u ld b e in c lu d e d
in th e sy s te m to p ro v id e fo r e ffe c tiv e
b. C o m p u te r c o n fig u ra tio n s (for e x a m p le ,
a c c o u n tin g c o n tro l?
m in ic o m p u te rs a n d c o m m u n ic a tio n
n e tw o rk s ) • W h a t is th e b e s t a p p r o a c h fo r a u d itin g th e
s ystem in a c o s t e ffe c tiv e m a n n e r?
c. O p e ra tin g e n v iro n m e n ts (for e x a m p le ,
m u ltip ro c e s s in g a n d v irtu al s to ra g e ) • W h a t a u d it c a p a b ilitie s s h o u ld be
in c o rp o ra te d into th e s y s te m ?
d. F ile o rg a n iz a tio n a n d u p d a tin g (for
e x a m p le , ra n d o m p ro c e s s in g , in te g ra te d • W h a t d e g r e e of a u d it c o ntro l s h o u ld be
d a ta b a s e p ro c e s s in g , a n d s h a re d file s ) p ro v id e d o v e r a u d it p ro g ra m s a n d d a ta
e. P ro c e s s in g e n v iro n m e n ts (for e x a m p le , file s ?
b a tc h -m o d e a n d re a l-tim e ) T h e a u d ito r h a s th e b e s t o p p o rtu n ity to
2. E D P a u d itin g to o ls a n d te c h n iq u e s a s s u re th a t th e s e is su es a re s a tis fa c to rily
4See Elise G. Jancura, “Technical Proficiency for Auditing Computer Processed Accounting Records.” Journal of
Accountancy, October 1975.
18
re s o lv e d by re v ie w in g s y s te m s d u rin g the re s p o n s ib le for th e s e c o n tro ls s h o u ld b e s u b je c t
d e s ig n s ta g e . F re q u e n tly , th e a u d ito r m ay to c lo s e s u p e rv is io n a n d c o n tro l. For e x a m p le ,
s u g g e s t th a t a d d itio n a l c o ntro l p ro c e d u re s b e s y s te m s p ro g ra m m e rs , w h o a re re s p o n s ib le for
in c o rp o ra te d into th e system , th a t c e rta in m a in ta in in g th e p ro g ra m s in th e o p e ra tin g
u n n e c e s s a ry c o ntro l p ro c e d u re s b e e lim in a te d , system , w h ic h c o n tro ls th e fu n c tio n in g of a ll
o r th a t a d d itio n a l re c o rd s or te s tin g c a p a b ilitie s o th e r p ro g ra m s , c o u ld d is a b le a key co ntro l
b e p ro v id e d fo r a u d it p u rp o s e s . S u ch c o n tro ls fe a tu re , s u c h as th e n e c e s s ity for p a s s w o rd s to
m a y resu lt in m o re e ffic ie n t o p e ra tio n of th e a c c e s s d a ta , th e re b y re n d e rin g m a n y o th e r
system . M o d ific a tio n s a re m o re e a s ily m a d e c o n tro ls in th e sy s te m in e ffe c tiv e . An e ffe c tiv e
d u rin g s y s te m s d e s ig n ra th e r th an a fte r th e p ro c e d u re for re v ie w a n d a p p ro v a l of all
s ystem h a s b e c o m e o p e ra tio n a l. C h a n g e s to an c h a n g e s to o p e ra tin g system p ro g ra m s c o u ld be
o p e ra tio n a l system c a n b e e x tre m e ly c o s tly an d u sed to m itig a te th is p o s s ib ility . For e x a m p le , a
w ill m ost lik e ly b e m et w ith a g re a t d e a l of p ro g ra m is p re s e n tly a v a ila b le th a t c re a te s a log
re s is ta n c e . W h ile th is a p p r o a c h is a p p lic a b le to of all m o d ific a tio n s a p p lie d to th e o p e ra tin g
a ll E D P s ystem s, it is m u ch m o re im p o rta n t in system . T h is c o u ld p ro v e to b e a useful
a d v a n c e d E D P system s. m a n a g e m e n t a n d a u d it tool.
T h e g e n e ra l s te p s th at an a u d ito r m ig h t ta k e T h e a u d ito r s h o u ld c o n s id e r th e e ffe c t th at
d u rin g th e s y s te m s d e s ig n s ta g e a re se t forth in c o n tro ls at o th e r lo c a tio n s m a y h a v e on th o s e at
A p p e n d ix 3. th e lo c a tio n b e in g e v a lu a te d . For e x a m p le , in a
d is trib u te d s ystem , p o o r co n tro ls at o n e lo c a tio n
Review and Evaluation of Accounting c o u ld c o m p ro m is e o th e rw is e e ffe c tiv e c o n tro ls
Controls. B e c a u s e of th e c o m p le x ity of som e e ls e w h e re .
a d v a n c e d system s, a firs t-tim e re v ie w of
A p p lic a tio n C o n tro ls . A p p lic a tio n c o n tro ls
a c c o u n tin g c o n tro ls m a y b e tim e c o n s u m in g .
a re th o s e th at a p p ly to a s in g le a p p lic a tio n . For
T h is re v ie w , w h ic h m a y b e s u b s ta n tia lly
e x a m p le , th e co n tro l p ro c e d u re s th at w o u ld be
c o m p le te d d u rin g th e sys te m s d e s ig n s ta g e ,
u s e d in an a u to m a tic in ven to ry re o rd e rin g
sh o u ld b e fo llo w e d by s u b s e q u e n t re v ie w a n d
system w o u ld b e u n iq u e to th a t a p p lic a tio n .
te s tin g p ro c e d u re s . A u d its a t a la te r tim e
E x a m p le s of a p p lic a tio n c o ntro l p ro c e d u re s
m a y re q u ire re p e a tin g th e s e p ro c e d u re s .
in c lu d e th o s e d e s ig n e d to a llo w (1 ) o nly
T h e first re v ie w of a p ro p o s e d or an e x is tin g
a u th o riz e d in p u t to b e a c c e p te d for p ro c e s s in g ,
s ystem s h o u ld b e d ire c te d at g a in in g an (2 ) th e re v ie w a n d co n tro l of c o rre c tio n a n d
u n d e rs ta n d in g of th e system , id e n tify in g
re s u b m is s io n of errors d e te c te d by th e system ,
a c c o u n tin g c o n tro ls a n d th e a u d it trails,
a n d (3 ) p ro c e s s in g resu lts to b e s u b je c te d to
d e te rm in in g th e p o te n tia l d e g r e e of re lia n c e to
lim it a n d re a s o n a b le n e s s c h e c k s . A p p lic a tio n
b e p la c e d on th e co ntro ls, an d d e v e lo p in g an
co n tro ls, to b e e ffe c tiv e , d e p e n d u po n e ffe c tiv e
e ffe c tiv e a u d it a p p ro a c h . T h e p ro c e d u re s to be
g e n e ra l co ntro ls.
a p p lie d d u rin g th e s y s te m s d e s ig n s ta g e , w h ic h
T h e tre n d in s y s te m s d e v e lo p m e n t a p p e a r s
a re d is c u s s e d in th e p re c e d in g s e c tio n a n d in
to b e to w a rd g re a te r u se of “g e n e r a l” system s,
A p p e n d ix 3, ca n b e a d a p te d to m e e t th e
for e x a m p le , d a ta b a s e system s, w h e re p o s s ib le ,
o b je c tiv e s of a first re v ie w of an e x is tin g system .
a n d is m o v in g a w a y from sys te m s th a t h a n d le
S u b s e q u e n t p ro c e d u re s a re th o s e n e c e s s a ry
o nly a s in g le a p p lic a tio n . H e n c e , a g re a te r
to c o m p le te th e re v ie w , p erfo rm c o m p lia n c e
e m p h a s is w ill b e re q u ire d on th e re v ie w an d
te s tin g , e v a lu a te th e a c c o u n tin g c o n tro ls in th e
u n d e rs ta n d in g of g e n e ra l c o n tro ls as a re q u is ite
system , a n d d e te rm in e th e nature, tim in g , a n d
to th e e v a lu a tio n of a p p lic a tio n co ntro ls.
e x te n t of s u b s ta n tiv e te s tin g . T h e s e p ro c e d u re s
a ls o are o u tlin e d in A p p e n d ix 3. Audit Testing—Advanced System
G e n e ra l C o n tro ls . G e n e ra l c o n tro ls in c lu d e Considerations. A u d it te s tin g c a n be
th o s e th a t re la te to m o re th a n o n e a p p lic a tio n . c la s s ifie d into tw o ty p e s of tests:
T h e y in c lu d e su ch p ro c e d u re s as s e g re g a tio n of 1. S u b s ta n tiv e tests of th e v a lid ity of d a ta
fu n c tio n s , a n d c o n tro ls o v e r a c c e s s to d a ta a n d
u n d e rly in g tra n s a c tio n s a n d b a la n c e s .
p ro g ra m s . In an a d v a n c e d sys te m s
2. C o m p lia n c e tes ts d e s ig n e d to p ro v id e
e n v iro n m e n t, a h ig h d e g r e e of r e lia n c e u po n
a s s u ra n c e th a t th e c o n tro ls b e in g re lie d
g e n e ra l c o n tro ls w ill b e n e c e s s a ry . T h e g e n e ra l
u po n a re fu n c tio n in g p ro p e rly .
c o n tro ls in c o rp o ra te d into o p e ra tin g system s,
d a ta b a s e m a n a g e m e n t s ystem s, d a ta T h e a u d itin g p ro b le m s d is c u s s e d e a r lie r in
c o m m u n ic a tio n system s, a n d s im ila r s y s te m s this c h a p te r, p a rtic u la rly th o s e re la te d to
c a n b e k e y e le m e n ts th a t c o n trib u te to e ffe c tiv e e v id e n tia l m a tte r a n d re lia n c e on co ntro ls,
a c c o u n tin g co ntro l. sh o u ld b e c o n s id e re d w h e n a p p ly in g te s tin g
S in c e g e n e ra l c o n tro ls s p a n a p p lic a tio n te c h n iq u e s to a d v a n c e d E D P s ystem s. T h e
b o u n d a rie s , th e a c tiv itie s of p e rs o n n e l b a la n c e of th is c h a p te r w ill d is c u s s a u d it te s tin g
19
in an a d v a n c e d s y s te m s e n v iro n m e n t a n d w ill A c tu a l tra n s a c tio n s c a n b e te s te d m a n u a lly
d is c u s s th e c o n s id e ra tio n s for d e s ig n in g su ch o r c a n b e te s te d d u rin g c o m p u te r-a s s is te d a u d it
tests to g e th e r w ith s o m e to o ls a n d te c h n iq u e s te c h n iq u e s . L ive d a ta in c lu d e s a c tu a l
w h ic h m a y b e u sefu l fo r s u c h te s tin g . tra n s a c tio n s as th e y a re b e in g p ro c e s s e d .
H is to ric a l d a ta , on th e o th e r h a n d , in c lu d e s
S u b s ta n tiv e T e s tin g . T h e a u d ito r sh o u ld
tra n s a c tio n s th a t h a v e b e e n p ro c e s s e d
c o n s id e r th e p ro b le m s ra is e d u n d e r e v id e n tia l
c o m p le te ly .
m a tte r e a r lie r in th is c h a p te r w h e n d e s ig n in g
T e s tin g w ith s im u la te d o r d u m m y
s u b s ta n tiv e tests. S p e c ific a lly , th e a v a ila b ility of
tra n s a c tio n s in v o lv e s th e u se of a u d ito r
in d e p e n d e n t e v id e n c e , th e d e p e n d e n c e upo n
in tro d u c e d te s t tra n s a c tio n s in an a tte m p t to
th e p ro p e r fu n c tio n in g of c o n tro ls a n d th e ir
a s c e rta in w h e th e r a co n tro l o p e ra te s as
re la tio n s h ip to th e a c c e p ta b ility of th is
p re s c rib e d on th e s e tra n s a c tio n s . T h e system
e v id e n c e , a n d th e s u s c e p tib ility o f u n a u th o riz e d
b e in g te s te d in th is m a n n e r c o u ld b e th e a c tu a l
c h a n g e s to th is e v id e n c e s h o u ld a ll b e
s ystem o p e ra tin g in a live m o d e , or it c o u ld b e a
c o n s id e re d b y th e a u d ito r. C lo s e in te g ra tio n
c o p y of th e s ystem or p a rtic u la r p ro g ra m of
b e tw e e n c o m p lia n c e te s tin g a n d s u b s ta n tiv e
c o n c e rn . In s itu a tio n s w h e re a c o p y is u tiliz e d ,
te s tin g m a y b e re q u ire d .
th e a u d ito r n e e d s to o b ta in re a s o n a b le
C o m p lia n c e T e s tin g . A g e n e ra l a p p r o a c h to a s s u ra n c e th at th e p ro g ra m a n d c h a n g e s te s te d
d e s ig n in g a n d d e v e lo p in g c o m p lia n c e tests re p re s e n te d a c o p y of th o s e a c tu a lly u sed
c o u ld b e as fo llo w s: th ro u g h o u t th e p e rio d c o v e re d b y th e a u d it
p ro c e d u re . W h ile it m a y b e d iffic u lt to o b ta in
1. Id e n tify th e co n tro l p ro c e d u re s b e in g re lie d
e v id e n tia l m a tte r a b o u t w h ic h p ro g ra m s w e re
u p o n in th e fo llo w in g a re a s :
u sed , lib ra ria n s y s te m s th at m a in ta in a reco rd of
a. T o p la c e re lia n c e u po n th e c o n tro ls o v e r
a ll p ro g ra m m o d ific a tio n s c a n p ro v e to be
sy s te m p ro d u c e d e v id e n c e u s e d for
h e lp fu l.
s u b s ta n tiv e te s tin g .
b. To re d u c e th e e x te n t of s u b s ta n tiv e
te s tin g . Audit Testing—Tools and Techniques. T h is
c. To p la c e re lia n c e u po n sy s te m c o n tro ls or s e c tio n d is c u s s e s s o m e to o ls a n d
sy s te m p ro g ra m s w h ile p e rfo rm in g o th e r s o ftw a re -b a s e d te c h n iq u e s a p p lic a b le to
tests, a u d itin g in an a d v a n c e d sys te m s e n v iro n m e n t.
2. Id e n tify th e a p p r o p ria te tim e p e rio d s to b e T h e to o ls a n d te c h n iq u e s c a n b e d iv id e d into
c o v e re d by th e test. In a u d it s itu a tio n s th e fo llo w in g th re e g e n e ra l c a te g o rie s : (1 ) th o s e
th a t o p e ra te on live d a ta on a re a l-tim e b a s is , (2 )
s u b s ta n tia lly a ll o f th e p e rio d b e in g a u d ite d
is p re fe ra b le . th o s e th a t o p e ra te on h is to ric a l d a ta , a n d (3 )
th o s e th a t u tiliz e s im u la te d or d u m m y d a ta .
3. Id e n tify w h ic h k in d s of tra n s a c tio n s , logs, or
T h e te c h n iq u e s m a trix a t th e e n d of th is
o th e r re c o rd s of c o m p lia n c e a re a v a ila b le for
c h a p te r s u m m a riz e s th e in fo rm a tio n d is c u s s e d
te s tin g .
in th e fo llo w in g s e c tio n s . T h e fo llo w in g is not
4. C o n s id e r th e e x te n t to w h ic h e a c h of th e
in te n d e d to b e an e x h a u s tiv e list or te a c h in g
id e n tifie d re c o rd s m ig h t b e u s e d for o th e r g u id e , but ra th e r s e rv e s to fa m ilia r iz e th e re a d e r
a u d it p u rp o s e s . w ith s o m e a d v a n c e d a u d itin g te c h n iq u e s .
5. D e s ig n a n d a p p ly th e p a r tic u la r c o m p lia n c e
T e c h n iq u e s U s in g L iv e D a ta . T e c h n iq u e s in
test.
th is c a te g o ry u s u a lly re q u ire th a t a ll d a ta
6. D e te rm in e th e e ffe c t of th e te s tin g resu lts
re la tin g to th e p a rtic u la r te s t to b e p e rfo rm e d
u po n th e c o n tro ls b e in g e v a lu a te d .
b e s u b je c te d to an a u d it s e le c tio n s te p b e fo re or
C o m p lia n c e te s tin g c a n b e p e rfo rm e d u sing d u rin g n o rm al p ro c e s s in g . T h is s e le c tio n s tep
e ith e r a c tu a l tra n s a c tio n s , s u c h a s live or id e n tifie s s p e c ific tra n s a c tio n s o f a u d it interest.
h is to ric a l d a ta , or s im u la te d tra n s a c tio n s , su ch T h e id e n tific a tio n w o u ld u s u a lly b e b a s e d on
as d u m m y d a ta . a u d ito r d e te rm in e d c rite ria s u c h as d o lla r
W h e n th e a u d ito r e le c ts to te s t a c tu a l am o u n t, tra n s a c tio n ty p e , a u th o riz a tio n c o d e ,
tra n s a c tio n s , th e y a re u s u a lly te s te d fo r s ta tis tic a l s a m p lin g c o n s id e ra tio n s , a n d so
e v id e n c e th a t c o n tro l or sy s te m fe a tu re s b e in g forth. In m o st s itu a tio n s a ll tra n s a c tio n s of
re lie d u p o n by th e a u d ito r h a v e fu n c tio n e d in te re s t w o u ld b e p ro c e s s e d th ro u g h an a u d it
p ro p e rly . T ra n s a c tio n s , as v ie w e d in th is p ro g ra m o r “a u d it m o d u le ,” w h ic h p e rfo rm s the
co n text, c o u ld in c lu d e a c c o u n tin g tra n s a c tio n s re q u e s te d id e n tific a tio n . A u d it m o d u le s c o u ld
or s y s te m s tra n s a c tio n s , s u c h a s p ro g ra m or b e a p a rt of th e v e n d o r s u p p lie d o p e ra tin g
s ystem c h a n g e s . C o m p lia n c e te s ts a re in te n d e d s ystem , th e a p p lic a tio n p ro g ra m s , or s o m e o th e r
to p ro v id e a s s u ra n c e a b o u t th e co n tro ls , but not s ystem c o m p o n e n t.
a b o u t th e v a lid ity of th e u n d e rly in g a c c o u n tin g A u d it h oo ks a re p o in ts in a system th at a llo w
tra n s a c tio n s . a u d it m o d u le s o r p ro g ra m s to b e in te g ra te d into
20
th e n o rm al p ro c e s s in g a c tiv itie s . A u d it hooks c o u ld b e im p le m e n te d by u sin g an a u d it hook
c a n b e d e s c rib e d as “w in d o w s " into th e system a p p ro a c h . T ra n s a c tio n s h a v in g c e rta in a u d it
a n d a u d it m o d u le s c o u ld “ look th ro u g h " th e s e s ig n ific a n c e c a n b e p rin te d im m e d ia te ly on an
w in d o w s a n d s e le c t tra n s a c tio n s as th e y are a u d ito r’s te rm in a l or listed for a u d it fo llo w -u p at a
b e in g p ro c e s s e d . A u d it hook c a p a b ilitie s should later p o in t in tim e . S p e c ific tra n s a c tio n s c o u ld
b e p ro v id e d by s y s te m s d e s ig n e rs at c e rta in b e a n a ly z e d , a n d if th e y m e e t s p e c ific c rite ria
p o in ts in th e o p e ra tin g system , d a ta (that is, if th e tra n s a c tio n w a s of a c e rta in kind,
c o m m u n ic a tio n s s ystem , d a ta b a s e th e tra n s a c tio n a m o u n t w a s g re a te r or less than
m a n a g e m e n t s ystem , a n d a p p lic a tio n system . a g iv e n v a lu e , a n d so forth), a m e s s a g e
A ls o a u d it hooks s h o u ld b e p ro v id e d by th e in d ic a tin g th e ty p e of tra n s a c tio n w o u ld be
v e n d o rs of c o m p u te r h a rd w a re so th a t c e rta in fo rw a rd e d to th e a tte n tio n of th e s e c u rity o ffic e r
ty p e s of h a rd w a re c o n tro l o p e ra tio n s c o u ld be or o th e r a p p r o p ria te au th o rity a n d , if
s u b je c te d to a u d it te s tin g . A u d it hook c a p a b ility , a p p ro p ria te , to th e a u d ito r. In so m e c a s e s , a
o n c e in c o rp o ra te d , s h o u ld b e c a re fu lly re s p o n s e from th e s e c u rity d e p a rtm e n t or o th e r
c o n tro lle d . a p p r o p ria te au th o rity w o u ld b e n e c e s s a ry
O n c e th e p a rtic u la r tra n s a c tio n of a u d it b e fo re th e tra n s a c tio n c o u ld b e c o m p le te d . In
in te re s t h as b e e n id e n tifie d , it is a v a ila b le for o th e r c a s e s , no re s p o n s e w o u ld b e n e c e s s a ry .
a n a ly s is by th e a u d ito r a n d c o u ld b e re ta in e d in T h e n o rm a l a u d it u se of th is kind of d a ta w o u ld
m a c h in e -s e n s ib le form or p rin te d for b e to c h e c k c o m p lia n c e to p o lic y by re v ie w in g
s u b s e q u e n t a u d it fo llo w u p . E a c h of th e e x c e p tio n s .
te c h n iq u e s b e lo w is illu s tra tiv e of o n e ty p e of T h is te c h n iq u e m ig h t b e p a rtic u la rly useful
p ro c e s s in g of th e s e id e n tifie d tra n s a c tio n s . for s ig n ific a n t tra n s a c tio n s su ch as th o s e of very
la rg e d o lla r a m o u n t or th o s e h a v in g p o te n tia lly
“ T a g g in g ” tr a n s a c tio n s — A “ta g " o r in d ic a to r is
w id e s p r e a d c o ntro l im p lic a tio n s , for e x a m p le ,
a ffix e d to “ id e n tifie d tra n s a c tio n s " e a rly in the
c h a n g e s to key p o rtio n s of o p e ra tin g system
p ro c e s s in g c y c le . T h e a u d ito r is th e n p ro v id e d
p ro g ra m s . T h e live d a ta c a n b e n orm al
w ith a c o m p le te trail of all p a th s fo llo w e d by the
a c c o u n tin g tra n s a c tio n s , re q u e s ts for system
ta g g e d tra n s a c tio n in th e a p p lic a tio n system .
re s o u rc e s , su ch a s a c c e s s to c e rta in file s , or
T h is trail c a n b e in m a c h in e -s e n s ib le form or
n o n a c c o u n tin g a c tiv ity , su ch as p ro g ra m
p rin te d so it c a n b e a n a ly z e d by th e a u d ito r.
changes.
O th e r d a ta w ith w h ic h th e ta g g e d tra n s a c tio n
in te ra c ts at e a c h s ig n ific a n t p ro c e s s in g s tep A u d it lo g — T h e a u d it log is u s e d to p ro v id e a
c a n b e c a p tu re d a n d d is p la y e d for th e a u d ito r re c o rd or log of c e rta in d a ta p ro c e s s in g
as w e ll. a c tiv itie s w h e n e v e r th e y o c c u r. T h e p re v io u s ly
For e x a m p le , a ll s a le s tra n s a c tio n s o v e r a id e n tifie d tra n s a c tio n ty p e s a re w ritten into a
c e rta in a m o u n t o r a n y of a p re d e te rm in e d re c o rd o r file th at sh o u ld b e a v a ila b le o n ly to th e
list of c u s to m e rs c o u ld b e ta g g e d . T ra n s a c tio n a u d ito r. In s o m e d a ta b a s e system s, th e a u d it
d a ta , c re d it lim it, c u rre n t u n p a id b a la n c e d u e, log c o n ta in s a re c o rd of e v e ry tra n s a c tio n
d e lin q u e n t a m o u n ts d u e , a n d so forth, c o u ld b e p ro c e s s e d . T h e a u d ito r c o u ld la te r p rin t o r u se
re ta in e d to p e rm it th e a u d ito r to a n a ly z e th e o th e r te c h n iq u e s to a n a ly z e th e s e re c o rd s a n d
c re d it a p p ro v a l p ro c e s s . m a k e fu rth e r tests as c o n s id e re d a p p ro p ria te .
T h is te c h n iq u e c o u ld b e usefu l for An a u d it log n o rm a lly w o u ld reco rd e v e n ts as
c o m p lia n c e te s tin g p u rp o s e s . T h e a u d ito r m ig h t th e y o c c u rre d at a s p e c ific p o in t in a system .
p la c e m o re re lia n c e on th e resu lts b e c a u s e E x a m p le s in c lu d e a tte m p ts to a c c e s s a
a c tu a l tra n s a c tio n s a re u s e d in th e p ro c e s s in g . p a rtic u la rly s e n s itiv e file — in c lu d in g an
T h e flo w of tra n s a c tio n s th ro u g h th e s ystem c a n a u d ito r’s file — c h a n g e c e rta in p a s s w o rd s ,
b e p o rtra y e d in a m a n n e r th a t w ill g re a tly o v e rrid e c e rta in a p p ro v a l c rite ria , a n d so forth.
e n h a n c e th e a u d ito r’s u n d e rs ta n d in g o f th e S in c e it c a n b e u s e d to fo cu s a tte n tio n a t co n tro l
s ystem . In s o m e situ a tio n s , tra n s a c tio n ta g g in g p o in ts w ith in th e sys te m , th is te c h n iq u e is
m a y p ro v e to b e an a c c e p ta b le a lte rn a tiv e to a p ro b a b ly u sefu l as a p a rt of c o m p lia n c e te s tin g .
c o m p le te a u d it trail for all tra n s a c tio n s .
M o n ito rin g s y s te m s a c tiv ity in fo rm a tio n —
T h e c a p a b ility of c a p tu rin g a n d d is p la y in g M o n ito rin g is th e u se of h a rd w a re a n d /o r
a u d it in fo rm atio n for p re v io u s ly ta g g e d s o ftw a re to a n a ly z e th e a c tiv ity w ith in a
tra n s a c tio n s sh o u ld b e c o n s id e re d a n d
c o m p u te r sys te m . W h ile th e p rim e o b je c tiv e in
in c o rp o ra te d at th e tim e a sy s te m is d e s ig n e d .
m a n y o f th e a p p r o a c h e s in u s e to d a y is to
A tte m p ts to a p p ly su ch an a p p r o a c h to a
d e te rm in e th e e ffic ie n c y of u se of h a rd w a re a n d
p re v io u s ly d e s ig n e d a n d p ro g r a m m e d s ystem
s o ftw a re re s o u rc e s b y a p p lic a tio n s , th e y d o o ffe r
c a n b e e x tre m e ly co stly.
th e a u d ito r th e d a ta w ith w h ic h to re v ie w a c tu a l
R e a l-tim e n o tific a tio n — R e a l-tim e n o tific a tio n is s y s te m s a c tiv ity .
th e c o n tin u a l re v ie w of p re v io u s ly id e n tifie d T h e liv e d a ta to b e m o n ito re d n o rm a lly w o u ld
tra n s a c tio n ty p e s for a u d it p u rp o s e s . T h is re v ie w in c lu d e p ro g ra m in itia tio n s , d a ta file a c c e s s e s ,
21
h a rd w a re a llo c a tio n s , a n d so forth. F in a n c ia l tra n s a c tio n s a g a in s t th e a u d ito r’s c o p y of th e
tra n s a c tio n s u s u a lly w o u ld b e e x c lu d e d . T h e p ro g ra m . R es u lts c a n th e n b e c o m p a re d w ith th e
m o n ito rs g e n e r a lly use d a ta a b o u t the c o m p a n y 's resu lts to g a in so m e a s s u ra n c e th at
fu n c tio n in g of th e system an d te n d to a n s w e r the p ro c e s s in g is in a c c o r d a n c e w ith c o m p a n y
q u e s tio n s of w h o uses th e s ystem a n d w h a t p o lic y . T h e d e g r e e of su ch te s tin g w o u ld
system re s o u rc e s a re u sed . d e p e n d on th e e x is te n c e a n d o p e ra tio n of a
A p p lic a tio n s of th is te c h n iq u e c o u ld b e v a rie ty of c o n tro ls at th e in s ta lla tio n . Inp u t
e x p a n d e d to in c lu d e c o ntro l fu n c tio n s m a te ria l for m a n y a p p lic a tio n s is “s c r a tc h e d ”
p e rfo rm e d by th e h a rd w a re an d by sys te m s shortly afte r use; th e re fo re , su ch te s tin g u s u a lly
so ftw are. c a n n o t w a it until th e e n d of th e fis c a l ye a r. T his
a p p r o a c h c a n b e m o st e ffe c tiv e w h e n d o n e on a
T e c h n iq u e s U s in g H is to r ic a l D a ta . These
s u rp ris e b a s is .
te c h n iq u e s g e n e r a lly a re d e s ig n e d to p ro v id e
B e c a u s e of its p o te n tia l c o s tlin e s s , the
th e a u d ito r w ith th e c a p a b ility of w o rk in g w ith
a u d ito r m a y d e v is e m e th o d s o f d u p lic a tin g o nly
p re v io u s ly p ro c e s s e d d a ta in m a c h in e -s e n s ib le
c e rta in p ortio n s or m o d u le s of th e c lie n t’s
form . T h is d a ta w o u ld in c lu d e a c c o u n tin g
p ro g ra m a n d still o b ta in th e re q u ire d a s s u ra n c e .
tra n s a c tio n s , s y s te m s d a ta , an d s u m m a ry
A n o th e r te c h n iq u e w o u ld b e to use an a u d it
lev e l in fo rm a tio n . A lso , d a ta c a p tu re d d u rin g
la n g u a g e for s im u la tio n p u rp o s e s .
p ro c e s s in g by o n e o f th e p re v io u s ly d is c u s s e d
te c h n iq u e s c o u ld b e c o n s id e re d h is to ric a l d a ta E x te n d e d r e c o r d s — U n d e r th e e x te n d e d
if a n a ly z e d at a la te r tim e . A u d it hooks, as re c o rd s te c h n iq u e , a d d itio n a l in fo rm a tio n is
d e s c rib e d a b o v e , a re not n e c e s s a ry to a p p ly re ta in e d in e a c h re c o rd so th a t a c o m p le te a u d it
th e s e te c h n iq u e s b e c a u s e d a ta h as a lr e a d y trail c a n b e m a in ta in e d . For e x a m p le , a
b e e n p ro c e s s e d . c u s to m e r n a m e a n d a d d re s s re c o rd m ig h t be
d e s ig n e d so th a t p rio r v e rs io n s of th e a d d re s s
A u d it la n g u a g e s a n d p ro g ra m s — If an w ill b e m a in ta in e d as p a rt o f th e rec o rd . Thus, a
e a s y -to -le a rn a u d it la n g u a g e w a s a v a ila b le , c o m p le te a u d it tra il of a ll a d d re s s c h a n g e s
a u d ito rs c o u ld in te rro g a te d a ta b a s e file s , w ith in a p a rtic u la r a c c o u n t w o u ld b e a v a ila b le at
p erfo rm m a th e m a tic a l o p e ra tio n s on h is to ric a l a n y tim e . S in c e th is a p p r o a c h in c re a s e s th e
d a ta b a s e e le m e n ts , a n d fo rm a t o u tp u t file s o r re q u ire d a m o u n t o f s to ra g e c a p a c ity , it c o u ld
re p o rts b a s e d on c o m p o u n d s e le c tio n c rite ria b e c o m e q u ite e x p e n s iv e . U ntil a d v a n c e s in
w ith o u t th e n e e d fo r s p e c ia l p ro g ra m s . A u d ito rs te c h n o lo g y re d u c e s to ra g e co sts, th e e x te n d e d
c o u ld u se th is la n g u a g e fo r m ost of th e ir n e e d s , re c o rd s te c h n iq u e m a y b e u s e d w h e re th e
but th e sy s te m sh o u ld a llo w th e m th e c a p a b ility a v a ila b ility of th is kin d of a u d it trail w a rra n ts th e
to a d d th e ir o w n s p e c ia l-p u r p o s e m o d u le s su ch cost.
as s ta tis tic a l s a m p lin g , re g re s s io n a n a ly s is , or
b u s in e s s m o d e lin g . O th e r T e c h n iq u e s . T h is c a te g o ry of
A u d ito rs s h o u ld h a v e a v a ila b le a lib ra ry of te c h n iq u e s in c lu d e s th o s e th a t u se s im u la te d o r
g e n e r a liz e d p ro g ra m s to p erfo rm a u d it ta s k s d u m m y d a ta a n d th o s e th a t a n a ly z e p ro g ra m s
u n d e r th e ir co n tro l. T h e s e p ro g ra m s c o u ld b e by o th e r m e a n s . S in c e a c tu a l tra n s a c tio n s are
u s e d in c o m p lia n c e a n d s u b s ta n tiv e te s tin g . not u sed , th e s e te c h n iq u e s c a n p ro v id e
T h e c a p a b ilitie s a ffo rd e d by th e s e a s s u ra n c e o n ly a s to c o m p lia n c e .
la n g u a g e s a n d a u d it p ro g ra m s a ls o c a n b e
In te g ra te d te s t fa c ility (ITF ) — T h e in te g ra te d
u tiliz e d by m a n a g e m e n t a n d sh o u ld b e
te s t fa c ility is a m e a n s o f in tro d u c in g d u m m y
p ro v id e d b y both h a rd w a re a n d so ftw a re
d a ta into a live a p p lic a tio n s ystem to s e e
v e n d o rs .
w h e th e r it is p ro p e rly h a n d le d . T h e d a ta is
S im u la tio n — A n o th e r m e th o d of d e te rm in in g in tro d u c e d as th o u g h it w e re live d a ta a n d m ust
th e a c c u ra c y o f p ro c e s s e d d a ta is for th e a u d ito r b e re m o v e d at s o m e p o in t d u rin g the
to re p ro c e s s it a n d c o m p a re th e resu lts o b ta in e d a p p lic a tio n .
w ith th o s e g e n e r a te d by th e c o m p a n y ’s For e x a m p le , a d u m m y c u s to m e r a c c o u n t
p ro c e s s in g . T h is te c h n iq u e , c a lle d s im u la tio n or m a y b e set up a g a in s t w h ic h th e a u d ito r c o u ld
re p ro c e s s in g , c a n b e a p p lie d w ith a u d ito r issu e p u rc h a s e o rd e rs , re c e iv e g o o d s from th e
d e v e lo p e d p ro g ra m s , an a u d it la n g u a g e , or by c o m p a n y , return g o o d s , p a y for th e m , a n d so
an a u d ito r re v ie w of a u th e n tic a te d c o p ie s of th e forth. T h e s e d u m m y tra n s a c tio n s a re e n te re d
c o m p a n y ’s p ro g ra m s . T h e fo llo w in g e x a m p le a lo n g w ith th e real tra n s a c tio n s o f th e d a y w ith
m ig h t b e s t illu s tra te th e u se of th is te c h n iq u e . no d is tin c tio n b e tw e e n th e m . T h e a u d ito rs ca n
At th e b e g in n in g o f th e y e a r, th e a u d ito r o b s e rv e th e tre a tm e n t a c c o r d e d th e tra n s a c tio n
re q u e s ts c o p ie s of a ll a p p lic a tio n p ro g ra m s of on th e c o m p a n y ’s re c o rd s a n d h a v e so m e
interest. A t v a rio u s tim e s d u rin g th e y e a r, th e a s s u ra n c e th a t p re s c rib e d c o n tro ls a re, o r are
a u d ito r m a y a p p e a r a t th e c lie n t’s o ffic e a n d not, fu n c tio n in g p ro p e rly . E x c e p tio n a l
re q u e s t p ro c e s s in g of, say, y e s te rd a y ’s tra n s a c tio n s c a n b e a tte m p te d — ta k in g
22
u n w a rra n te d d is c o u n ts , o rd e rin g in e x c e s s of c o m p a rin g , th e a u d ito r o b ta in s a n d re v ie w s a
c re d it lim its, re tu rn in g m o re g o o d s th an c o ntro l c o p y of c lie n t p ro g ra m s of in te re s t at th e
p u rc h a s e d , a n d so forth— to v e rify c o m p lia n c e start of th e a u d it p e rio d . At a la te r tim e , th e
w ith s ta te d p o lic y . a u d ito r o b ta in s a c o p y of th e c u rre n t v e rs io n of
C lo s e c o ntro l of a ll ITF tra n s a c tio n s e n te re d th a t p ro g ra m a n d c o m p a re s th e cu rre n t c o p y
s h o u ld b e m a in ta in e d to a s s u re th a t th e fin a n c ia l w ith th e co n tro l c o p y . If th e re a re no d iffe re n c e s ,
s ta te m e n ts h a v e not b e e n in a d v e rte n tly th e a u d ito r h as so m e a s s u ra n c e th at th e
d is to rte d b y th e p ro c e s s in g o f te s t tra n s a c tio n s . p ro g ra m h as c o n tin u e d to p ro c e s s
If th is te c h n iq u e is in u se by in te rn a l a u d ito rs , p ro p e rly — h a v in g p re v io u s ly b e e n s a tis fie d as to
th e firm 's in d e p e n d e n t a u d ito rs s h o u ld v e rify its c o rre c tn e s s . If th e re a re d iffe re n c e s b e tw e e n
th a t all ITF tra n s a c tio n s h a v e b e e n b a c k e d out th e tw o, th e a p p ro v e d c h a n g e s m a d e to th e
p ro p e rly o r o th e rw is e c o n tro lle d . p ro g ra m s h o u ld b e re v ie w e d . T h is te c h n iq u e
m ig h t b e u s e d in c o n ju n c tio n w ith tra c in g or
P ro g ra m a n a ly s is te c h n iq u e s — S o m e a u d ito rs m a p p in g . T h is c a n b e a la b o rio u s an d
b e lie v e th a t a re v ie w of th e d e ta ile d p ro g ra m tim e -c o n s u m in g m e th o d , e s p e c ia lly if p ro g ra m s
s te p s is a useful a p p ro a c h to u n d e rs ta n d in g an d a re re la tiv e ly v o la tile . It re q u ire s a re la tiv e ly
e v a lu a tin g a c c o u n tin g co n tro ls. T h is a p p r o a c h c o m p re h e n s iv e p ro g ra m m in g k n o w le d g e on th e
m a y b e a p p r o p ria te w h e n th e re is no p r a c tic a b le p a rt of th e au d ito r.
a lte rn a tiv e to g a in in g an u n d e rs ta n d in g o f th e T h e re a re a s e rie s o f o th e r to o ls a n d
c o n tro ls or p ro c e s s in g s te p s in a p ro g ra m . te c h n iq u e s a v a ila b le to a u d ito rs for c e rta in
A lth o u g h th e re a re to o ls a v a ila b le to a s s is t th e situ atio n s. T h e s e in c lu d e th e fo llo w in g :
a u d ito r w ith su ch a re v ie w , th is a p p r o a c h c a n be
q u ite c o m p le x , tim e -c o n s u m in g , a n d re q u ire a • V a rio u s flo w c h a rtin g p a c k a g e s w h ic h e n a b le
d e ta ile d s y s te m s a n d p ro g ra m m in g k n o w le d g e . th e a u d ito r to p ro d u c e a flo w c h a rt of th e
T h is a p p r o a c h s h o u ld b e v ie w e d a s a p a rt of th e c o m p u te r p ro g ra m lo g ic . T h e a u d ito r starts
re v ie w o f th e system ; it p ro v id e s little or no w ith a p ro g ra m s o u rc e c o d e w h ic h is
a s s u ra n c e as to c o m p lia n c e . O n c e a p ro g ra m p ro c e s s e d by th e flo w c h a rtin g p a c k a g e
h as b e e n re v ie w e d , it s h o u ld b e te s te d as p ro d u c in g th e flo w c h a rt.
a p p r o p ria te for th e k in d of c o m p lia n c e • D e c is io n ta b le a n a ly s is p a c k a g e s w h ic h c a n
a s s u ra n c e d e s ire d . p ro d u c e th e lo g ic o f th e p ro g ra m in d e c is io n
P ro g ra m a n a ly s is te c h n iq u e s p e rm it th e ta b le fo rm at. S o m e of th e s e p a c k a g e s c a n u se
a u d ito r to a n a ly z e th e fu n c tio n in g of a c o m p u te r a d e c is io n ta b le as in p u t to g e n e ra te a
p ro g ra m or s e rie s of p ro g ra m s . T ra n s a c tio n d a ta p ro g ra m th a t c a n b e u s e d to s im u la te th e
is not u s e d in th e p ro c e s s . R ath er, th e ru les by p ro c e s s in g of th e p ro g ra m to b e te s te d .
w h ic h th e tra n s a c tio n w ill b e or h as b e e n • C ro s s -re fe re n c e s y s te m s w h ic h c a n p ro v id e
p ro c e s s e d a re a n a ly z e d . lis tin g s th a t sh o w e v e ry o c c u rre n c e of e a c h
In th e p ro c e s s of tra c in g , u sin g a s p e c ia l n a m e u s e d in a p ro g ra m . S u c h a lis tin g c a n
p ro g ra m , th e c o m p u te r is m a d e to p rin t out e a c h b e a v a lu a b le a id in th e re v ie w of a p ro g ra m .
c lie n t p ro g ra m s te p as it is p e rfo rm e d . T h e
• P e rfo rm a n c e a n a ly s is p a c k a g e s w h ic h c a n b e
a u d ito r c o u ld d e te rm in e by re v ie w in g th e
u s e d to d e te c t u n u s e d p o rtio n s of a p ro g ra m .
p rin to u t w h e th e r p ro c e s s in g has b e e n
T h is c a n b e useful fo r id e n tify in g p ro g ra m
c o m p le te d in a c c o r d a n c e w ith his
in stru c tio n s th at a re tr ig g e r e d by s p e c ia l or
u n d e rs ta n d in g of th e p ro g ra m lo g ic . T h e a u d ito r
u n u s u a l c irc u m s ta n c e s o r even ts.
m a y a c q u ire a b e tte r u n d e rs ta n d in g of th e
• T e st d a ta g e n e ra to rs w h ic h c a n q u ic k ly
a p p lic a tio n a n d b e c o m e a w a re of u n u s e d
c re a te file s c o n ta in in g v a lid a n d /o r in v a lid
p ortio n s of th e p ro g ra m (w h ic h m a y b e p o te n tia l
d a ta th a t c a n b e u s e d to p erfo rm h ig h v o lu m e ,
p ro b le m a re a s ). It is, h o w e v e r, a c o s tly
c o m p re h e n s iv e tests. T h is ca n fa c ilita te a
te c h n iq u e a n d s h o u ld b e u s e d o n ly w h e n it is
“te s t f ile ” a p p r o a c h for c o m p le x a d v a n c e d
n e c e s s a ry to re v ie w d e ta ile d c o d e a n d d e ta ile d
s y s te m s a n a lo g o u s to th e “test d e c k ”
e x e c u tio n .
a p p r o a c h u s e d by a u d ito rs in p u n c h e d c a rd
M a p p in g is b a s ic a lly a s u b s e t of tra c in g .
system s.
In s te a d of p rin tin g e v e ry step , th e re v ie w
p ro g ra m p rin ts out o n ly th e s te p s re la te d to
d e c is io n p o in ts in th e c lie n t p ro g ra m . T h e M a n y of th e s e te c h n iq u e s c a n b e u sed
a u d ito r c o u ld a g a in d e te rm in e if c e rta in p a rts of to g e th e r to p ro v id e h ig h ly e ffe c tiv e a u d it
th e p ro g ra m w e re not u s e d a n d c o u ld c a p a b ilitie s . For e x a m p le , th e u se of a te s t d a ta
in v e s tig a te to fin d out if th is w a s a p p ro p ria te . If g e n e ra to r, c o u p le d w ith a p e rfo rm a n c e a n a ly s is
th e s e le c te d s te p s w e re in fa c t p e rfo rm e d p a c k a g e , c a n p ro v id e an e x tre m e ly e ffe c tiv e
p ro p e rly , th e a u d ito r h as s o m e a s s u ra n c e th at te s tin g te c h n iq u e . A fte r th e test d a ta h as b e e n
th e p ro g ra m m e d c o n tro ls a re o p e ra tin g . c re a te d , it c a n b e p ro c e s s e d th ro u g h th e
In th e p ro c e s s of re c o m p ilin g a n d p ro g ra m to b e te s te d u n d e r th e c o ntro l of a
23
24
TECHNIQUES MATRIX
C ap ab ility
Technique U sed by D ata U sed Purpose A d v an tag e s D isa d va n ta g es
S u p p lied by
Transaction V endor o r a p p lica A udito rs and Live a cco u n t C o m p liance and su b Full ra n g e of A dds to ove rhea d
tag ging tio n system m a nage rs ing sta n tive test selectivity o f system , spe cia l
d e sig n e r progra m m in g
Real tim e S ystem s pro g ra m A udito rs and Live acco u n t C om p lia n ce test C ontrol and tim e lin ess C ost
n o tification m e r or v en dor m a nage rs ing and system and control
A u d it log S ystem d e sig n e r A u d ito rs and Live acco u n t C o m p lia n c e an d S pe cifie d tra n s C ost
con trol ing and system s u b s ta n tiv e te s t a ctio ns logg ed fo r
personnel a u dit review
M o nitorin g Vendor A u d ito rs and Live system R eview actual system S how s w h a t has R e q u ire s te c h n ic a l
m a nage rs activity ha ppened k n o w le d g e to in te rp re t
A u d it lang uag e V e n d o r an d system A u d ito rs and H istorica l and C o m p lia n c e an d s u b R etrieves d a ta fo r R equ ires som e p ro
and progra m s d e s ig n e r, s o ft m a nage rs live s ta n tiv e te st. P e rfo rm a u d it purposes. gram m in g kno w le dge
w a re h o u se , m a n u w id e v a rie ty o f R elative ly ea sy to by auditor. P rese ntly
fa c tu re r o r a u d it a u d it te s ts use, not e xp ensive lim ited to typ e s of
firm files th a t can be
accessed.
S im ulatio n A udito rs, inte rnal A udito rs H istorical D ete rm ine a ccu racy P erm its com pariso n E xtensive use can be
and e xte rna l w ith o f da ta processed w ith real p rocessing larg e c o n su m e r of
progra m cop y m a ch in e re source s
E xtended D esign o f client A u d ito rs and H istorical P ro v id e c o m p le te P rovides c om plete Very c o stly use of
re cords ap plication s m a nage rs tra il fo r a u d it an d acco u n t h isto ry m a chine re source s at
m a n a g e m e n t p u rp o s e s p resent
Integrated A udito rs, m ostly A udito rs D um m y C o m p lia n c e te s t R elative ly in e x M ust be "b a cke d o u t"
te s t fa cility internal pe nsive very ca re fu lly
P rogram a n alysis S p e c ia l s o ftw a re , A udito rs and U sually A u th e n tica tio n of G ive s b e tte r u n d e r N eed s a u d ito r
tech nique s c o n tra c to r o r progra m m e rs du m m y progra m o p eratio n. s ta n d in g o f a p p li k n o w le d g e o f p ro g ra m m in g ,
vendor C heck o f key points c a tio n ; g iv e s m ay be e x p e n s iv e ; use
in progra m execution a s s u ra n c e c o n tro ls fu l o n ly in c e rta in
a re fu n c tio n in g c irc u m s ta n c e s .
p e rfo rm a n c e a n a ly s is p a c k a g e . T h is te s t, a m o n g C e rtific a tio n of p ro g ra m s w o u ld p e rm it
o th e r th in g s , w ill p ro d u c e a list of p ro g ra m a u d ito rs to rely on th e p ro c e s s in g of s ta n d a rd
in stru ctio n s th at w e re not te s te d . T e s t d a ta can a u d it s o ftw a re p a c k a g e s , su ch as d a ta b a s e
th en b e m o d ifie d or e x p a n d e d to p ro d u c e a test m a n a g e rs , c o m p ile rs , a n d o th e r re trie v a l
file th a t w ill e x e rc is e e v e ry in stru ctio n in th e packages.
p ro g ra m . A u d ito rs c o u ld u se an in d e p e n d e n t
c o m p u te r in te rc o n n e c te d to a c lie n t’s a d v a n c e d
P o te n tia l T e c h n iq u e s .It is o b v io u s from th e E D P s ystem to fa c ilita te v a rio u s m o d e llin g ,
p a c e at w h ic h c o m p u te r te c h n o lo g y is s im u la tio n an d te s tin g te c h n iq u e s for
a d v a n c in g th at cu rre n t c o m p u te r te c h n iq u e s d e te rm in in g th e re a s o n a b le n e s s of o v e ra ll
m a y not b e s u ffic ie n t to satisfy th e a u d ito r’s re c o rd -k e e p in g . T h e s e c o m p u te rs a ls o c o u ld b e
re q u ire m e n ts in th e future. T w o te c h n iq u e s th at u s e d to re trie v e live d a ta a n d to a n a ly z e a n d test
m a y h e lp satisfy th e s e re q u ire m e n ts are sys te m s s o ftw a re w ith re la tiv e ly little r e lia n c e on
p ro g ra m c e rtific a tio n a n d in d e p e n d e n t th e c lie n t’s s ystem .
c o m p u te rs u s e d for a u d it p u rp o s e s .
25
Chapter 6
Summary Conclusions, and

Recommendations
C o n tin u e d c h a n g e in d a ta p ro c e s s in g b rin g to th e a tte n tio n of v a rio u s in te re s te d
c a p a b ilitie s a n d a p p r o a c h e s w ill im p a c t th e p a rtie s th e th in k in g of a u d ito rs w h o h a v e a lre a d y
b u s in e s s e n te rp ris e a n d its m a n a g e ria l style. b e e n a ffe c te d by s o m e of th e s e c h a n g e s . T h e
T h e a u d ito r’s role, w h ile not h a v in g c h a n g e d lo n g -ra n g e p o te n tia l a n d th e n e e d fo r c a re fu l
o b je c tiv e s , w ill in v o lv e s ig n ific a n tly a lte re d p la n n in g so as to ta k e a d v a n ta g e of th e s e
m e th o d s . c h a n g e s , w h ile still e ffe c tin g a d e q u a te co ntro l
T h e p rin c ip a l p u rp o s e of th is re p o rt w a s to of th e re s u lta n t s ystem s, h as b e e n e m p h a s iz e d .
Conclusions
D e v e lo p m e n t of th is rep o rt h as h ig h lig h te d th e su ch re q u ire m e n ts a fte r s y s te m s are
n e e d fo r c o m m u n ic a tin g th e fo llo w in g o p e ra tio n a l. W h e n u ser re q u ire m e n ts a re
m e s s a g e s to th e in d ic a te d p a rtie s . d e fin e d , in c lu d e th e a u d ito r’s re q u ire m e n ts an d
b e p re p a re d to u tiliz e th e co n tro l c a p a b ilitie s
Systems Designers and Providers of EDP b u ilt into th e h a rd w a re .
Hardware/Software. A d v a n c e d p ro d u c ts w ill
b e u s e d to d e v e lo p s y s te m s for b u s in e s s or Management. A u d ito rs , th ro u g h th e ir
o th e r o rg a n iz a tio n s . S u c h p ro d u c ts s h o u ld k n o w le d g e of c o ntro l c o n c e p ts a n d th e ir
p ro v id e h a rd w a re a n d s y s te m s so ftw a re e x p e rie n c e in a u d it situ a tio n s , c a n m a k e
fe a tu re s , s u c h as th e a u d it h oo k c a p a b ility c o n s tru c tiv e a n d c o st e ffe c tiv e c o n trib u tio n s to
d e s c r ib e d in c h a p te r 4, th a t w ill p e rm it w e ll s y s te m s of th e future. T h e ir in p u ts m ay ,be
c o n tro lle d a n d a u d ita b le a p p lic a tio n s y s te m s to s ig n ific a n t not o n ly a s to in itia l system d e s ig n
b e d e s ig n e d . If th e s e c a p a b ilitie s a re not b u ilt but as to th e o p e ra tio n a l e n v iro n m e n t a s w e ll.
into th e e q u ip m e n t a n d th e m a n u fa c tu re r-
s u p p lie d s o ftw a re , in d iv id u a l p u rc h a s e rs Auditors. T e c h n ic a l p ro fic ie n c y w ill b e put to
m a y b e fo rc e d to in v e s t s u b s ta n tia l p o rtio n s a m o st s e v e re te s t w o rk in g in a d v a n c e d
of th e ir d a ta p ro c e s s in g b u d g e ts to p ro v id e , e n v iro n m e n ts s u c h as th o s e d is c u s s e d in th is
th ro u g h o th e r m e a n s , th e c o n tro ls w h ic h c o u ld p a p e r. A u d it s k ills sh o u ld b e k e p t c o n tin u o u s ly
h a v e b e e n in te g ra te d into y o u r p ro d u c ts at c u rre n t th ro u g h a w e ll-c o n c e iv e d , m e tic u lo u s ly
s u b s ta n tia lly lo w e r co st. o p e r a te d e d u c a tio n a n d tra in in g p ro g ra m
S y s te m s d e v e lo p e d u sin g a d v a n c e d e n c o m p a s s in g c h a n g in g te c h n o lo g y . By m a k in g
h a rd w a re a n d c o n c e p ts w ill b e s u b je c te d to o th e rs a w a re of th e a u d ito r’s e x p e rtis e , a u d ito rs
a u d its . It is b e tte r to b e a w a re of th e a u d ito r’s w ill h a v e a g re a te r o p p o rtu n ity to a s s u m e a m o re
s p e c ific n e e d s a t th e tim e a d v a n c e d s y s te m s a c tiv e ro le in d e fin in g a p p r o p ria te a u d it
a re d e v e lo p e d , ra th e r th a n a tte m p t to retrofit re q u ire m e n ts a n d c o n tro ls for fu tu re system s.
26
Recommendations
T h e fo llo w in g re c o m m e n d a tio n s a re o ffe re d . of su ch system s.
C o m m u n ic a te w ith m a n a g e m e n t, sys te m s
Systems Designers and Providers of
d e s ig n e rs , a n d h a rd w a re /s o ftw a re
Hardware/Software. C o m m u n ic a te w ith
m a n u fa c tu re rs . A c q u a in t th e m w ith a u d it
a u d ito rs to c o n s id e r th e ir n e e d s , a n d u se th e ir
re q u ire m e n ts a n d th e d e s ira b ility of v a rio u s
c o ntro l e x p e rtis e as a c o m p le m e n t in d e v e lo p
co ntro ls.
m e n t of n e w system s.
T a k e th e in itia tiv e in c o m m u n ic a tin g to
C o n s id e r th e a u d ito rs ’ re q u ire m e n ts to
in te re s te d p a rtie s a b o u t th e e x p e rtis e of a u d ito rs
p erfo rm th e a ttest fu n c tio n on an in d e p e n d e n t
in d e fin in g a n d im p le m e n tin g co n tro ls.
b a s is a n d th e ir d e s ire to p erfo rm it u sing
T h e A IC P A s h o u ld c o n s id e r s p o n s o rin g ,
e ffe c tiv e a n d e c o n o m ic a l m eth o d s .
p e rh a p s on a jo in t b a s is w ith o th e r in te re s te d
P ro v id e in fo rm a tio n a b o u t c u rre n t a n d fu tu re
o rg a n iz a tio n s , th e fo llo w in g ty p e s of a c tiv itie s :
d e v e lo p m e n ts in a d v a n c e d system s.
1. E s ta b lis h in g a c o n tin u in g d ia lo g u e w ith
Management. T h e g o a ls of m a n a g e m e n t
m a jo r E D P v e n d o rs a n d s u p p lie rs to m a k e
p a ra lle l a n d s u p p o rt th o s e of a u d ito rs .
th e m a w a re of th e a u d ito rs ’ c o n c e rn s an d
T h e re fo re , m a n a g e m e n t s h o u ld m a in ta in an
re q u ire m e n ts in re g a rd to h a rd w a re /s o ftw a re
a w a re n e s s of s ig n ific a n t c h a n g e s in E D P
a u d it a n d c o n tro l c a p a b ilitie s . T h is effort
s y s te m s in o rd e r to e v a lu a te th e re s u ltin g im p a c t
s h o u ld e n c o m p a s s o p e ra tin g s y s te m s a n d
on th e b u s in e s s e n v iro n m e n t a n d th e n e e d to
o th e r s y s te m s s o ftw a re d e v e lo p e d by su ch
d e fin e a n d in stall a p p r o p ria te a c c o u n tin g
m a n u fa c tu re rs a n d by others.
co n tro ls. Further, m a n a g e m e n t s h o u ld c o n s id e r
2. D e v o tin g a d d itio n a l effort to d e fin in g th e
th e n e e d to c o n d u c t a c o n tin u in g d ia lo g u e w ith
re q u ire m e n ts for a g e n e r a liz e d so ftw a re
a u d ito rs to k e e p th e m in fo rm e d a b o u t p la n n e d
p a c k a g e c a p a b le of in te rfa c in g w ith a d a ta
c h a n g e s in d a ta p ro c e s s in g a p p lic a tio n
b a s e m a n a g e m e n t system . C o n s id e r
system s.
th e fe a s ib ility of in c lu d in g , w ith in c o m p u te r
M a n a g e m e n t sh o u ld ta k e th e in itia tiv e in
h a rd w a re , fe a tu re s th a t w o u ld s u p p o rt th e
o b ta in in g s u ffic ie n t a u d ito r in v o lv e m e n t in th e
b a s ic o b je c tiv e s of m a n a g e m e n t c o n tro l a n d
d e s ig n a n d in s ta lla tio n of a d v a n c e d E D P
a u d ita b ility .
s y s te m s to fo s te r th e im p le m e n ta tio n of in ternal
a c c o u n tin g co ntro ls. 3. Id e n tify in g a n d d e fin in g a ttrib u te s , co ntro ls,
M a n a g e m e n t s h o u ld reta in th e fin a l v o ic e in a n d d e v e lo p m e n t p ro c e d u re s th a t w o u ld
th e im p le m e n ta tio n of re c o m m e n d e d co ntro ls, fa c ilita te a “th ird p a rty ” a u d it re v ie w of
w e ig h in g th e co st of su ch c o n tro ls a g a in s t th e s o ftw a re w o u ld b e e x tre m e ly h e lp fu l,
re la tiv e risk of not im p le m e n tin g th em . p a rtic u la rly in re g a rd to sys te m s so ftw are.
T h e d e v e lo p m e n t of a p p lic a b le s ta n d a rd s for
Auditors. C o n tin u e to o b ta in e d u c a tio n su ch a re v ie w sh o u ld a ls o b e c o n s id e re d .
re g a rd in g c h a n g e s in E D P sys te m s a n d a s s is t in 4. D e v e lo p in g a c o n tin u in g e d u c a tio n p ro g ra m
d e fin in g an d im p le m e n tin g n e w a n d e ffe c tiv e to train a u d ito rs in th e te c h n ic a l a n d a u d it
co ntro ls, a n d n e w a n d e ffe c tiv e a u d it to o ls a n d c o n s id e ra tio n s in v o lv e d in a d v a n c e d E D P
te c h n iq u e s so as to a s s is t in th e b e n e fic ia l use s ystem s.
27
APPENDIX 1
Ultimate Corporation—A Future Advanced

System
U ltim a te C o rp o ra tio n is a h y p o th e tic a l e x a m p le in te rn a l or e x te rn a l. T h e in te g rity of U ltim a te ’s
of an a d v a n c e d E D P s ystem th at c o u ld b e p ro c e s s in g is d e p e n d e n t u p o n th e e ffe c tiv e n e s s
d e s ig n e d in th e future. U ltim a te is in te n d e d to of c o n tro ls in v e ry a d v a n c e d E D P system s.
p ro v id e a u sefu l illu s tra tio n of th e a u d itin g S p e c ific a lly , th e p ro b le m s fa c in g th e a u d ito r
p ro b le m s th a t s u c h s y s te m s c a n p re s e n t. of U ltim a te ’s fin a n c ia l s ta te m e n ts a re th e s e :
U ltim a te C o rp o ra tio n is in th e b u s in e s s of
p ro c e s s in g a n d fo rm u la tin g liq u id c h e m ic a ls . 1. A b s e n c e of a v a ila b le in d e p e n d e n t e v id e n c e
In v e n to rie s of ra w c h e m ic a ls a re m a in ta in e d in s u p p o rtin g tra n s a c tio n s .
la rg e vats. T h e s e v a ts a re e q u ip p e d w ith a 2. L a c k of a c le a r a u d it tra il.
s e n s in g d e v ic e w h ic h s ig n a ls U ltim a te ’s 3. L a c k of e v id e n c e of a u th o riz a tio n for
c o m p u te r s ystem , c a lle d U A S (U ltim a te tra n s a c tio n s .
A d v a n c e d S y s te m ), w h e n th e in ven to ry lev e l
4. T h e n e e d to p la c e h e a v y re lia n c e upo n th e
fa lls b e lo w th e re o rd e r point.
sy s te m o f in te rn a l co n tro l, s u c h as th o s e o v e r
U A S th e n a n a ly z e s th e fu tu re in ven to ry
a u th o riz a tio n a n d re c o rd in g of tra n s a c tio n s .
re q u ire m e n ts a n d e c o n o m ic o rd e r q u a n titie s to
5. T h e n e e d to u n d e rs ta n d th e flo w of
d e te rm in e th e a m o u n t to b e o rd e re d from o n e of
in fo rm a tio n th ro u g h th e p ro c e s s in g c y c le
U ltim a te ’s fo u r m a jo r v e n d o rs . U A S c a n c o n n e c t
a n d its re la tio n s h ip to co n tro ls.
its e lf by d a ta c o m m u n ic a tio n fa c ilitie s to e a c h of
th e fo u r v e n d o r’s c o m p u te rs . T h is c a p a b ility is 6. T h e n e e d to te s t th e c o n tro ls b e in g re lie d
u s e d to q u e ry th e v e n d o r ’s c o m p u te rs to u pon.
d e te rm in e th e a v a ila b ility a n d b e s t p ric e for 7. T h e n e e d fo r a u d ito r’s h a rd w a re o r so ftw are
e a c h item to b e o rd e re d . T h e a c tu a l o rd e r is to b e in c o rp o ra te d into th is system .
tra n s m itte d to th e s e le c te d v e n d o r c o m p u te r
from U A S by d a ta c o m m u n ic a tio n s a n d g iv e n a O n e a u d it a p p r o a c h to this s y s te m m ig h t
c o m m o n o rd e r/s h ip p e r n u m b e r. N o tra d itio n a l s u g g e s t th e u se of an a u d ito r’s s e n s o r on the
p u rc h a s e o rd e r d o c u m e n t is p re p a re d . p ip e lin e a n d th e in v e n to ry vats. T h e a u d ito r
T h e v e n d o r ’s c o m p u te r th e n p ro c e s s e s th e c o u ld re q u e s t a m a c h in e -s e n s ib le file of a ll
o rd e r for d e liv e ry . L iq u id c h e m ic a ls a re e le c tro n ic fu n d tra n s fe r tra n s a c tio n s from th e
d e liv e r e d th ro u g h a d ire c t p ip e lin e c o n n e c tin g b a n k a n d , from e a c h v e n d o r, a file c o n ta in in g
th e v e n d o r to U ltim a te . U ltim a te h as a s e n s in g th e ir re c o rd s of all tra n s a c tio n s w ith U ltim a te .
d e v ic e on th is p ip e lin e w h ic h m e te rs th e a m o u n t T h is in fo rm a tio n c o u ld th e n b e u s e d to v erify
of c h e m ic a l re c e iv e d a n d tra n s m its th a t d ire c tly in d e p e n d e n tly , e ith e r on a te s t b a s is or
to U A S . c o m p le te ly , U ltim a te ’s tra n s a c tio n s w ith its
W h e n U ltim a te h a s re c e iv e d th e o rd e re d m a jo r v e n d o rs w h ic h w e re p ro c e s s e d by this
a m o u n t, U A S th e n c o m m u n ic a te s d ire c tly to its s ystem . T h is a p p r o a c h w o u ld re q u ire h a rd w a re
b a n k ’s c o m p u te r. P a y m e n t for th e c h e m ic a ls (s u c h as s e n s o rs ) a n d s o ftw a re to o ls a n d
r e c e iv e d is m a d e by an e le c tro n ic fu n d tra n s fe r te c h n iq u e s to c o lle c t, a n a ly z e , a n d e v a lu a te this
sy s te m (E F T S ) from U ltim a te ’s b a n k a c c o u n t to in fo rm atio n .
th e v e n d o r's b a n k a c c o u n t. T h e v e n d o r’s T h e U ltim a te A d v a n c e d S y s te m c o n c e iv a b ly
c o m p u te r a c k n o w le d g e s re c e ip t of p a y m e n t c o u ld b e e x te n d e d to a p p ly to tra n s a c tio n s w ith
d ire c tly to U ltim a te ’s c o m p u te r. N o tra d itio n a l U ltim a te 's c u s to m e rs as w e ll as its v e n d o rs .
c h e c k e v id e n c e s th is p a y m e n t. U ltim a te c o u ld b e c o m e c o n n e c te d to its
U ltim a te C o rp o ra tio n o b v io u s ly p re s e n ts c u s to m e rs b y a d ire c t p ip e lin e as w e ll. In th is
s o m e u n iq u e a n d in te re s tin g a u d itin g p ro b le m s . e n v iro n m e n t, o n e c a n e n v is io n an e n tire ly
A n u m b e r of e v e n ts h a v e ta k e n p la c e d u rin g th is a u to m a te d p ro c e s s w ith in U ltim a te C o rp o ra tio n .
tra n s a c tio n c y c le . N o n e of th e s e e v e n ts h a v e F in a n c ia l s ta te m e n ts c o u ld b e p ro d u c e d d a ily
b e e n e v id e n c e d by a n y form of tra d itio n a l a n d th e a u d ito r's o p in io n th e re o n m ig h t b e
d o c u m e n ts as w e k n o w th e m . T h e re a re no re n d e re d w ith in hours.
p u rc h a s e o rd e rs , re c e iv in g rep o rts, v e n d o r O b v io u s ly , th is e x a m p le is s o m e w h a t
in v o ic e s , c a n c e le d c h e c k s , a c c o u n ts p a y a b le , s im p lifie d a n d fu tu ris tic . H o w e v e r, p o rtio n s of
or o th e r d o c u m e n ts o r tra n s a c tio n s , e ith e r th e U ltim a te s y s te m s a re in u s e to d a y . For
28
APPENDIX 1 Continued
e x a m p le , th e c h e m ic a l a n d p e tro le u m in d u s trie s v e n d o rs , or e v e n b e tw e e n c o m p e tito rs , a s is th e
both u se s e n s o r/c o m p u te r-b a s e d “ p ro c e s s c a s e in th e a irlin e ind u stry, is a ls o a g ro w in g
c o n tro l” s y s te m s for p ro d u c tio n p u rp o s e s . T h e p ra c tic e .
p o p u la rity of e le c tro n ic fu n d s tra n s fe r s y s te m s T h e s e s y s te m s p ro v id e s ig n ific a n t a u d it
h as b e e n g ro w in g s ig n ific a n tly . T h e u se of d a ta c h a lle n g e s to d a y a n d th e s e c h a lle n g e s su re ly
c o m m u n ic a tio n s b e tw e e n c u s to m e rs a n d w ill g ro w in the future.
29
APPENDIX 2
Authorization Concepts for Information

Processing Systems
T h is a p p e n d ix illu s tra te s o n e v ie w of an p ro g ra m s , a n d d e c is io n c rite ria of th e
in fo rm a tio n sy s te m a n d h as b e e n d e v e lo p e d to e n te rp ris e . T w o b ro a d c la s s ific a tio n s of d a ta
a tte m p t to c la rify o n e of th e key c o n tro ls — are s ta tic d a ta a n d d y n a m ic d a ta . S tatic d a ta
a u th o riz a tio n — th a t a u d ito rs b e lie v e is c o n s is ts of th e re c o rd s w h ic h re la te to
n e c e s s a ry in an a d v a n c e d sys te m s in fo rm a tio n th at is re la tiv e ly fix e d w ith in th e
e n v iro n m e n t. T h e in fo rm a tio n p ro c e s s in g e n te rp ris e s u c h as n a m e s a n d a d d re s s e s of
system d e s c r ib e d is in d ic a tiv e of th o s e th a t w ill e m p lo y e e s , p h y s ic a l p la n t lo c a tio n s , m a jo r
e x is t in th e d e v e lo p in g g e n e ra tio n of system s. c u s to m e r n a m e s a n d a d d re s s e s , p ro d u c t
T h e m a jo r e le m e n ts of an in fo rm atio n d e s c rip tio n s , a n d so forth. D y n a m ic d a ta
p ro c e s s in g s ystem a re th e s e : co n s is ts of th e d a ta a s s o c ia te d w ith th e
e v e n ts of th e e n te rp ris e th a t c h a n g e or
1. U s e rs — T h e s e a re in tern al p e rs o n n e l at all flu c tu a te on a d a ily or p e rio d ic b a s is . T his
le v e ls a n d o u ts id e rs w h o p re p a re an d w o u ld in c lu d e , but not b e lim ite d to, th e data"
re q u ire in fo rm a tio n th ro u g h in te ra c tio n w ith re la te d to th e n u m b e r a n d v a lu e of a g iv e n
th e sys te m . T h is in fo rm atio n c o n s is ts of d a ta p ro d u c t s o ld w ith in a lim ite d tim e s p an ,
re la te d to p a s t or fu tu re e v e n ts p re s e n te d in a su ch as an h our or a d a y . E s s e n tia lly ,
fo rm a t th a t is u n d e rs ta n d a b le a n d d y n a m ic d a ta is th e d a ta a s s o c ia te d w ith a
m e a n in g fu l to th e s p e c ific user. s in g le e v e n t w h ic h h as little m e a n in g in a n d
of itself. U s u a lly , it is o n ly a fte r th a t d a ta has
2. P ro c e s s e s — T h e te c h n iq u e s , p ro c e d u re s ,
b e e n s u m m a riz e d for a s p e c ific p e rio d o r set
p ro g ra m s , m ic ro c o d e , o r o th e r s te p s th at
o f e v e n ts th a t it b e c o m e s m e a n in g fu l
tra n s la te th e u s e r’s “re q u e s t" into the
in fo rm atio n to m e m b e rs of th e e n te rp ris e .
in fo rm a tio n re q u ire d to p erfo rm a g iv e n jo b
fu n c tio n . T h e s e th re e e le m e n ts o r m a jo r c o m p o n e n ts
3. D a ta — T h e s to re d re p re s e n ta tio n of th e of an in fo rm a tio n sy s te m w ill b e d is c u s s e d in
ev e n ts , re c o rd s , p la n s , p o lic ie s , p ro c e d u re s , d e ta il in th e fo llo w in g s e c tio n s .
Users
To fu rth e r an u n d e rs ta n d in g of in fo rm a tio n p la n n in g , co n tro l, a n d o p e ra tio n a l p u rp o s e s .
s ystem s, it is a d v a n ta g e o u s to c la s s ify users into • S yste m p ro g ra m m e rs a re th e e m p lo y e e s
th e fo llo w in g c a te g o rie s : p rim a rily c o n c e r n e d w ith g e n e ra tin g ,
u p d a tin g , m o d ify in g , a n d c o n tro llin g th e
• M a n a g e m e n t c o n s is ts of g e n e ra l, fu n c tio n a l, g e n e ra l s y s te m s s o ftw a re n o rm a lly fu rn is h e d
o r o p e ra tio n a l e m p lo y e e s w h o s e p rim a ry by th e h a rd w a re v e n d o r.
p u rp o s e it is to d ire c t o th ers a n d to a c h ie v e • E D P c o n tro l in v o lv e s th e E D P p e rs o n n e l w h o
e n d resu lts th ro u g h o th ers. T h is c a te g o ry of a re re s p o n s ib le fo r s a fe g u a rd in g th e E D P
u sers is p rim a rily in v o lv e d in th e p la n n in g e n v iro n m e n t in c lu d in g th e c re a tio n a n d
a n d c o n tro l a s p e c ts of th e e n te rp ris e . c h a n g e s to th e e n te rp ris e d a ta b a s e .
• O p e ra tio n s p e rs o n n e l a re th e e m p lo y e e s or • C o m p u te r o p e ra to rs a re th e E D P d e p a rtm e n t
o th ers w h o a re p rim a rily c o n c e rn e d w ith p e rs o n n e l p rim a rily c o n c e rn e d w ith
e n te rin g , u p d a tin g , re trie v in g , a n d m o n ito rin g a n d c o n tro llin g th e c o m p u te r
p ro c e s s in g d a ta . h a rd w a re .
• A u d ito rs a re e ith e r th e in te rn a l o r e x te rn a l T h e s e u sers m a y in te ra c t w ith an in fo rm atio n
a u d ito rs of th e e n te rp ris e . sy s te m e ith e r d ire c tly , th ro u g h te rm in a ls o r o th er
• A p p lic a tio n p ro g ra m m e rs a re th e e m p lo y e e s k in d s of in p u t, o r in d ire c tly , th ro u g h p re d e fin e d
p rim a rily in v o lv e d in th e d e v e lo p m e n t o f p ro c e s s e s th a t a re a p a rt o f a n o th e r c o m p u te r
a p p lic a tio n s o ftw a re w h o s p e c ify , in sy s te m th a t is in d ire c t c o n ta c t w ith th e p rim a ry
c o m p u te r te rm s , th e p ro c e s s e s th a t tra n s la te c o m p u te r s ystem .
th e d a ta into th e in fo rm a tio n re q u ire d for N a tu ra lly , th is is a g e n e r a liz e d o v e rv ie w of
30
th e p o s s ib le users w ith in a n y e n te rp ris e , a n d th e d is c u s s th e c o n c e p ts re la te d to E D P c o ntro l an d
g ro u p in g s a re re la tiv e ly a rb itra ry to e n a b le us to a u d ita b ility .
Processes
N o rm a lly , u sers re q u e s t th a t s p e c ific p ro c e s s e s E D P s ystem s, th e re a re o n ly tw o b a s ic fu n c tio n s
b e p e rfo rm e d by p re v io u s ly w ritte n a p p lic a tio n th e y c a n p e rfo rm on th e s to red d a ta b a s e :
p ro g ra m s on e ith e r d a ta sto re d w ith in th e E D P
1. R e trie v e o r s c a n d a ta . U s e rs c a n a c c e s s
s ystem , in p u t d a ta or d a ta e n te re d by th e user,
th e s to red d a ta a n d p re s e n t it in a form
or a c o m b in a tio n o f both s to red a n d in p u t d a ta .
m e a n in g fu l to th e e n te rp ris e .
In s o m e c a s e s , a g e n e r a liz e d in fo rm a tio n
2. C h a n g e d a ta . U s e rs c a n a c c e s s th e d a ta
re trie v a l s ystem m a y b e u s e d to p ro d u c e th e
b a s e a n d m o d ify th e form , v a lu e , lo c a tio n ,
in fo rm a tio n re q u ire d for a g iv e n user, or th e u ser
len g th , c h a ra c te r ty p e , d e riv a tio n
m a y e v e n d e v e lo p a p ro g ra m to g e n e ra te
a lo g o rith m , o r a n y of th e o th e r a ttrib u te s of
in fo rm a tio n of interest.
s p e c ific d a ta e le m e n ts as w e ll as a d d or
W h e th e r a g iv e n u ser u tiliz e s a se t of
d e le te d a ta from th e d a ta b as e .
p ro g ra m s d e v e lo p e d for a s p e c ific a p p lic a tio n
b y th e a p p lic a tio n p ro g ra m m e r or w h e th e r th e C u rre n tly , o n e o f th e k ey co n tro l w e a k n e s s e s
u ser is th e a p p lic a tio n p ro g ra m m e r w h o is of m a n y of th e p re s e n t E D P sys te m s is th e e a s e
p e rfo rm in g th e ta s k of d e v e lo p in g an w ith w h ic h th e s to re d d a ta c a n b e a c c e s s e d ,
a p p lic a tio n p ro g ra m , th e re a re th re e b a s ic m a n ip u la te d , o r in a d v e rte n tly d e s tro y e d by o n e
w a y s in w h ic h users c a n c o m m u n ic a te w ith th e or m o re of th e v a rio u s ty p e s of users. For
E D P S tystem : e x a m p le , “a p p lic a tio n p ro g ra m m e rs ’’ m a k in g
c h a n g e s to an e x is tin g a p p lic a tio n system
1. B a tc h . U s e rs a s s e m b le re la te d fre q u e n tly h a v e c o m p le te a c c e s s to th e
tra n s a c tio n s or re q u e s ts th at a re p ro d u c tio n (liv e ) v e rs io n of th e d a ta a s s o c ia te d
s u b s e q u e n tly p ro c e s s e d a g a in s t th e w ith th e s ystem . N a tu ra lly , o nly c o p ie s of live
a p p r o p ria te c o m b in a tio n of sto re d a n d /o r d a ta s h o u ld b e u s e d in te s tin g p ro g ra m
in p u t d a ta to p ro d u c e th e resu lts re q u ire d , c h a n g e s , a n d th e a p p lic a tio n p ro g ra m m e r
w h ic h a re th en m a d e a v a ila b le to users. sh o u ld not, in m o st situ a tio n s , h a v e a c c e s s to
live d a ta . S y s te m p ro g ra m m e rs a ls o c o u ld very
2. O n -lin e D ata Entry. U s in g d a ta en try
e a s ily d e v e lo p s u b ro u tin e s to m o d ify live d a ta if
d e v ic e s su ch as te le ty p e s (T T Y),
th e y a re a llo w e d a c c e s s to a p p lic a tio n system
k e y b o a r d /v id e o d is p la y units (V D U ), o r o th e r
d o c u m e n ta tio n . T h is c a n b e d o n e th ro u g h th e
users e n te r tra n s a c tio n d a ta u n d e r p ro g ra m
“s u p e rv is o r c a ll’’ fe a tu re a s s o c ia te d w ith m a n y
co ntro l. T h is is e ith e r sto re d on te m p o ra ry
o p e ra tin g s y s te m s o r by o th e r te c h n iq u e s . S in c e
file s for s u b s e q u e n t b a tc h u p d a tin g , or is
th e o p e ra tin g s ystem n o rm a lly d o e s all of th e
u s e d to u p d a te a p p r o p ria te d a ta e le m e n ts
in p u t/o u tp u t, a s ystem p ro g ra m m e r c o u ld
a n d return resu lts to users im m e d ia te ly .
d e v e lo p a s u b ro u tin e th a t w o u ld d e te rm in e
3. In te ra c tiv e . U s in g d a ta c o m m u n ic a tio n w h e n p a rtic u la r re c o rd s w ith in a s p e c ific
te rm in a ls , users in te ra c t w ith th e E D P s ystem a p p lic a tio n s ystem w e re p ro c e s s e d a n d m o d ify
to d e v e lo p a p p lic a tio n p ro g ra m s a n d /o r th e s e re c o rd s as d e s ire d . T hu s, it is im p e ra tiv e
m o d ify e x is tin g d a ta b a s e e le m e n ts , a n d th at a d v a n c e d s y s te m s lim it th e a p p lic a tio n
s u m m a riz e or o th e rw is e m a n ip u la te d a ta . p ro g r a m m e r’s a n d s ystem p ro g ra m m e r’s a c c e s s
to d a ta th a t w o u ld im p a c t th e fin a n c ia l
R e g a rd le s s of h ow users c o m m u n ic a te w ith s ta te m e n ts .
Data
A lth o u g h th e kin d , n atu re, a n d v a rie ty of d a ta 1. T ra n s a c tio n d a ta . D a ta a s s o c ia te d w ith th e
re la te d to a n y s p e c ific e n te rp ris e is u n iq u e , for e v e n ts of th e e n te rp ris e . For e x a m p le , a sale ,
th e p u rp o s e of th is d is c u s s io n it h as b e e n a n e w e m p lo y e e , a n e w p u rc h a s e o rd er, a n d
a rb itra rily c la s s ifie d into th e fo llo w in g so forth. S p e c ific a c c o u n tin g re la te d e v e n ts
c a te g o rie s : a re c a s h d is b u rs e m e n ts , c a s h re c e ip ts ,
31
s a le s , s h ip m e n ts of m a te ria l, a n d so forth. in ven to ry co n tro l, g e n e r a l le d g e r, s a le s ,
S p e c ific d a ta a s s o c ia te d w ith th e in itia tio n or a c c o u n ts re c e iv a b le , c a s h m a n a g e m e n t,
re c o rd in g o f an e v e n t m u st b e m a in ta in e d for a n d so forth.
a u d it p u rp o s e s . 5. G e n e ra l s y s te m s s o ftw a re . T h e s e a re th e
2. H is to r ic a l d a ta . T h is is d a ta re la te d to th e c o m p u te r p ro g ra m s re la te d to th e o p e ra tin g
c u rre n t a n d h is to ric a l status of th e system , la n g u a g e c o m p ile rs , s u c h as
e n te rp ris e . S p e c ific a lly , it c a n c o n s is t of C O B O L a n d F O R T R A N , d a ta b a s e
s u m m a ry d a ta re la te d to an y fu n c tio n , su ch m a n a g e m e n t sy s te m s , d a ta c o m m u n ic a tio n
as th e s a le of a p ro d u c t fo r a y e a r, th e system s, a n d v a rio u s u tility p ro g ra m s .
p ro d u c tio n c a p a c itie s of o n e o r m o re p lan ts, 6. S yste m c o n tro l s o ftw a re . T h e s e a re th e
th e n a m e s a n d a d d r e s s e s of e m p lo y e e s , a n d c o m p u te r p ro g ra m s u s e d to co n tro l a n d
so forth. A c c o u n tin g re la te d h is to ric a l d a ta re c o rd th e a c c e s s to a ll o th e r s to red d a ta .
c o n s is ts o f th e le d g e rs , jo u rn a ls , a n d a u d it T h is d a ta w o u ld in c lu d e p ro g ra m status a n d
tra il d a ta th a t s u p p o rt th e fin a n c ia l c h a n g e logs, p a s s w o rd co n tro l or
s ta te m e n ts , a n d th e re c o rd s re la te d to a u th o riz a tio n ta b le s , a n d s ystem
p e rp e tu a l in ven to ry, a c c o u n ts re c e iv a b le , a u th o riz a tio n ta b le s .
c a s h re c e ip ts , a n d p a y m e n ts th a t s u p p o rt 7. A u d it s o ftw a re . T h e s e a re th e c o m p u te r
a s s e t a c c o u n ta b ility . p ro g ra m s u s e d o r d e v e lo p e d b y th e a u d ito r
3. Id e n tify in g d a ta a n d d e c is io n to re trie v e a n d p ro c e s s d a ta , s im u la te
c rite ria . T h e s e a re th e s ta tic d a ta a p p lic a tio n s o ftw a re p ro g ra m s , g e n e ra te
a s s o c ia te d w ith th e p o lic ie s , p ro c e d u re s , s ta tis tic a l s a m p le s , a n d so forth.
a n d o p e ra tio n of th e e n te rp ris e . T y p ic a lly ,
8. S y s te m s ta b le s . T h e s e a re th e s ta tic d a ta
th e s e w o u ld in c lu d e p la n t lo c a tio n c o d e s
re la te d to th e u s e o f th e c o m p u te r h a rd w a re
a n d th e re la te d a d d re s s e s , p ro d u c t c o d e s
s y s te m s a n d c o u ld in c lu d e ta b le s w h ic h
a n d p ro d u c t d e s c rip tio n s , a n d o th e r s im ila r
d e s c r ib e or s p e c ify th e re s o u rc e s a v a ila b le ,
d a ta . S p e c ific a c c o u n tin g re la te d ta b le s
su ch a s te rm in a ls , p rin te rs , re a d e rs , s to ra g e
w o u ld in c lu d e c re d it lim its, d is c o u n ts ,
d e v ic e s , a n d c o m m u n ic a tio n lin e s w h ic h
in ven to ry re o rd e r le v e ls , a n d so forth.
d e s c r ib e th e n u m b e r, ty p e , c h a ra c te ris tic s ,
4. A p p lic a tio n s o ftw a re . T h e s e a re th e a n d a ttrib u te s o f th e s e d e v ic e s .
c o m p u te r p ro g ra m s d e v e lo p e d by th e 9. A u th o riz a tio n ta b le s . T h e s e a re th e d a ta
a p p lic a tio n p ro g ra m m e rs th a t tra n s fo rm w h ic h re la te u sers to th e p ro c e s s e s th e y c a n
u s e rs ’ re q u e s ts into v ia b le in fo rm atio n . p e rfo rm a n d to th e s p e c ific d a ta th e y c a n
S p e c ific a lly , a c c o u n tin g re la te d a p p lic a tio n a c c e s s as w e ll as re la tin g c e rta in re s tric te d
s o ftw a re im p a c ts a c c o u n ts p a y a b le d e v ic e s to th e c e n tra l p ro c e s s in g unit.
Authorization Table Concept

T h e a u th o riz a tio n ta b le (e x h ib it A ) d e p ic ts th e m o d ify o n ly th e d a ta re la te d to a p p lic a tio n
re la tio n s h ip b e tw e e n users, th e m e th o d u s e d to p ro g ra m s .
c o m m u n ic a te w ith E D P system s, th e p ro c e s s e s T h e system p ro g ra m m e r w o u ld a ls o b e a b le
p e rfo rm e d , a n d th e e n te rp ris e d a ta a c c e s s e d . to c o m m u n ic a te w ith th e E D P s ystem in an y
E x h ib it A a tte m p ts to h ig h lig h t w h a t c o u ld b e of th e th re e m o d e s but w o u ld b e re s tric te d to
c o n s id e re d ty p ic a l re la tio n s h ip s c o m m o n to s y s te m s d a ta , s u c h as th e o p e ra tin g system
m ost b u s in e s s e n te rp ris e s . For e x a m p le , it p ro g ra m s or C O B O L la n g u a g e c o m p ile r
sh ow s th a t m a n a g e m e n t w o u ld n o rm a lly ju s t b e p ro g ra m s . T h e a u d ito r, on th e o th e r h a n d , w o u ld
in te re s te d in s c a n n in g th e tra n s a c tio n a n d b e a b le to c o m m u n ic a te w ith th e sy s te m in an y
h is to ric a l d a ta . O n th e o th e r h an d , a p p lic a tio n of th e th re e m o d e s a n d b e a llo w e d to s c a n th e
p ro g ra m m e rs w o u ld w a n t to c o m m u n ic a te w ith e n tire d a ta b a s e but w o u ld not b e a b le to m o d ify
th e E D P s ystem in an y of th e th re e m o d e s , but or c h a n g e an y of th e d a ta e le m e n ts e x c e p t th o s e
sh o u ld h a v e th e c a p a b ility to both s c a n a n d th a t w e re s p e c ific a lly re la te d to a u d it p ro g ra m s .
32
EXHIBIT A
AUTHORIZATION TABLE
A u th o rized to A uth o rized

C o m m u n ic ate by P ro cessing A uthorized In fo rm a tio n to be A cce sse d
D ata In ter H istory D ecision A pp lica tion G en eral S ystem s S ys te m s A u th o rizatio n

Transaction A u d it
U sers B atch R ead U pd ate S ys te m s C ontrol R e so u rce C on trol
E ntry a c tive D ata D ata C riteria S oftw are S o ftw are
S oftw are S oftw are Data Tables
M anagem ent X X X X X X X X
O pe ratio ns X X X X X X X
A udito r X X X X X X X X X X X X X
A pplicatio n
progra m m e r X X X X X
S ystem s
progra m m e r X X X X X X
ED P control X X X X X X X
C om p uter
X X X X
o p erators
33
APPENDIX 3
Suggested Procedures for Auditors to

Follow During Systems Design
T h is a p p e n d ix in c lu d e s s o m e s u g g e s te d w ill lie in th e im m e d ia c y of p ro c e s s in g , it
p ro c e d u re s th a t m ig h t b e fo llo w e d by an a u d ito r m ig h t b e te m p tin g to e lim in a te so m e
in re v ie w in g th e s y s te m s d e s ig n s ta g e of an E D P tra d itio n a l s u p p o rtin g o p e ra tio n s , such
s ystem a n d c o n ta in s s u b s e q u e n t p ro c e d u re s as h a rd -c o p y d o c u m e n ta tio n s of input.
th a t c o u ld b e fo llo w e d for re v ie w in g a n d B. A d v a n c e d E D P s y s te m s w ill b e la rg e r
e v a lu a tin g a c c o u n tin g c o n tro ls o n c e su ch a an d m o re c o m p le x , lin k in g th e m a n y
s ystem b e c o m e s o p e ra tio n a l. in te rre la tio n s h ip s b e tw e e n s e g m e n ts of a
W h ile a re v ie w of s y s te m s d e s ig n is b u s in e s s . T h is c re a te s th e n e e d for m o re
c o n s id e re d to b e an im p o rta n t fa c to r in s trin g e n t c o n tro ls on in p u t a n d th e
fu rth e rin g th e im p le m e n ta tio n of a d e q u a te o p e ra tio n of th e s ystem , e s p e c ia lly
in te rn a l a c c o u n tin g c o n tro ls in s ig n ific a n t e d itin g a n d v a lid a tin g as p a rt of th e in itial
fin a n c ia l E D P a p p lic a tio n s , it is not a en try p ro c e s s .
re q u ire m e n t. T h e a b s e n c e o f su ch a re v ie w C. In th o s e a d v a n c e d E D P s y s te m s th at
w o u ld not p re c lu d e th e a u d ito r from re n d e rin g h a v e re m o te p ro c e s s in g c a p a b ilitie s
an o p in io n on th e fin a n c ia l s ta te m e n ts . A th e re s h o u ld b e a d e q u a te d is tin c tio n
p a rtic u la r s ystem m ig h t in c o rp o ra te o th e r b e tw e e n u p d a te a n d s y s te m s th at o nly
u s e r-o rie n te d c o n tro ls th a t w o u ld o b v ia te th e p ro v id e in q u iry. T h e fo llo w in g co n tro ls
n e e d fo r c o n tro ls th a t m ig h t h a v e b e e n m a y b e im p le m e n te d :
re c o m m e n d e d if th e a u d ito r h ad re v ie w e d th e
• In q u iry sy s te m c o n tro ls s h o u ld
a p p lic a tio n d u rin g its d e s ig n an d
e m p h a s iz e id e n tify in g users a n d th e
im p le m e n ta tio n .
d a ta th e y a re a u th o riz e d to a c c e s s .
Auditor Participation in Systems • U p d a te s ystem co n tro ls , in a d d itio n to
Design. T h e g e n e r a l s te p s th a t an a u d ito r th e a b o v e co n tro l, s h o u ld c o n c e n tra te on
m ig h t ta k e d u rin g th e s y s te m s d e s ig n s ta g e of th e v e rific a tio n a n d e d itin g of in p u t s in c e
an a d v a n c e d E D P sy s te m a re o u tlin e d b e lo w . m ost a d v a n c e d s y s te m s w ill use
d e s tru c tiv e u p d a te te c h n iq u e s on d ire c t
1. R e v ie w th e o b je c tiv e s of th e p ro p o s e d a c c e s s d e v ic e s th a t p ro c e s s o n e
s y s te m a n d th e o v e ra ll a p p r o a c h ta k e n to tra n s a c tio n a n d u p d a te o n e m a s te r
a c h ie v e th o s e o b je c tiv e s . re c o rd at a tim e . D e s tru c tiv e u p d a tin g
2. D e te rm in e th e im p a c t th a t th e system w ill re q u ire s p e rio d ic c o p ie s of m a s te r an d
h a v e on th e fin a n c ia l s ta te m e n ts a n d w h e th e r tra n s a c tio n file s for re c o n s tru c tio n if th e
erro rs in th e sy s te m m ig h t h a v e a m a te ria l c u rre n t m a s te r is lost.
e ffe c t on th o s e s ta te m e n ts . (S e e S ta te m e n t on
5. Id e n tify th e a u d it tra ils in th e system .
A u d itin g S ta n d a rd s N o. 1 (N e w York:
A u d it tra ils s h o u ld p ro v id e e v id e n c e th at
A IC P A , 1 9 7 2 ), S e c s . 3 2 0 .2 8 an d 3 2 0 .6 5 .)
p rin c ip a l co n tro l p ro c e d u re s a re fu n c tio n in g , or
3. R e v ie w th e p re s c rib e d p ra c tic e s a n d
th at no errors w e re e n c o u n te re d , a n d e v id e n c e
s ta n d a rd s for d o c u m e n tin g th e s ystem . T h e
as to h ow tra n s a c tio n s w e re p ro c e s s e d . T h e
d o c u m e n ta tio n sh o u ld b e c o m p le te d in a tim e ly
a v a ila b ility of th is in fo rm a tio n w ill s ig n ific a n tly
m a n n e r, a p p r o v e d by m a n a g e m e n t at e a c h
a ffe c t th e a u d it a p p r o a c h to b e u sed . In real tim e
s ta g e of sy s te m d e v e lo p m e n t, a n d sh o u ld
s y s te m s th e a u d it trail s h o u ld p ro v id e fe e d b a c k
c o n ta in , a m o n g o th e r th in g s , c le a r d e s c rip tio n s
at th e te rm in a l lo c a tio n a n d at th e c e n tra l
of th e a c c o u n tin g c o n tro ls a n d in fo rm a tio n flo w
c o m p u te r id e n tify in g —
th ro u g h th e s ystem .
4. D e te rm in e th e co n tro l p h ilo s o p h y to b e U s e rs
fo llo w e d in th e sys te m , for e x a m p le , w h ic h S y s te m u s e d
c o n tro ls a re th e b a s ic re s p o n s ib ility o f th e u s e r
In fo rm a tio n s en t a n d /o r re c e iv e d
v is -a -v is th e d a ta p ro c e s s in g d e p a rtm e n t, a n d
T im e of en try a n d /o r p ro c e s s in g
th e p rin c ip a l input, p ro c e s s in g , a n d o u tp u t
co n tro l p ro c e d u re s to b e fo llo w e d . P o te n tia l P la c e of e n try a n d /o r p ro c e s s in g
w e a k n e s s e s s h o u ld b e id e n tifie d a n d a d d itio n a l E rro r m e s s a g e s
c o n tro ls s u g g e s te d .
6. D e te rm in e th e n a tu re of th e a u d it
A. S in c e a d v a n ta g e s of a d v a n c e d sys te m s e v id e n c e th a t w ill b e a v a ila b le to s u p p o rt
34
tra n s a c tio n s p ro c e s s e d . C o n s id e r th e re lia b ility B. In tro d u c tio n of e rro n e o u s d a ta , s u c h as
a n d a c c e p ta b ility of th is e v id e n c e , p a rtic u la rly if in c o rre c t id e n tify in g n u m b e rs or in c o rre c t
it is sy s te m g e n e r a te d . T h e a v a ila b ility o f am o u n ts.
in d e p e n d e n t c o rro b o ra tiv e e v id e n c e sh o u ld C. In c o rre c t p ro c e s s in g or s u m m a riz a tio n of
a ls o b e c o n s id e re d ; fo r e x a m p le , c a n s ig n ific a n t d a ta if p ro g ra m s h a v e not b e e n
tra n s a c tio n s b e in d e p e n d e n tly c o n firm e d ? a d e q u a te ly p a r a lle le d a n d c o m p a re d
M a n y in s ta lla tio n s m a in ta in a log of all w ith s im ila r in fo rm a tio n p ro c e s s io n
tra n s a c tio n s a c c e p te d by th e system . S u c h a log by p re v io u s ly a d e q u a te s ystem s.
is u s u a lly m a in ta in e d in th e o rd e r of a c c e p ta n c e
9. C o n s id e r v a rio u s a u d it a p p r o a c h e s
o f tra n s a c tio n s a n d c o n ta in s a ll th e d e ta il
in c lu d in g p ro c e d u re s fo r re v ie w in g , te s tin g , a n d
n e c e s s a ry fo r c o m p le te re p ro c e s s in g o f th e
e v a lu a tin g th e a c c o u n tin g c o n tro ls a n d
tra n s a c tio n s in th e e v e n t of d a ta loss or
p ro c e d u re s for s u b s ta n tiv e te s tin g of th e resu lts
e q u ip m e n t fa ilu re .
o f p ro c e s s in g . D e te rm in e th e n a tu re o f an y
In th o s e in s ta n c e s w h e re th e system
s p e c ia l p ro g ra m m in g re q u ire d for a u d it
g e n e r a te s a tra n s a c tio n , as in th e a u to m a tic
p u rp o s e s u n d e r e a c h a p p ro a c h . S e le c t an
re o rd e r fu n c tio n in an in ven to ry co n tro l s y s te m , it
a p p r o a c h th a t p ro v id e s for e ffe c tiv e a u d it te s tin g
is im p o rta n t th a t th e s ystem d o c u m e n t th e
a t a re a s o n a b le c o st. T h e a u d ito r's e x a m in a tio n
e x is te n c e of th a t m a c h in e -g e n e ra te d tra n s a c tio n
of s y s te m s d o c u m e n ta tio n c a n b e u s e d to
by p ro d u c in g s o m e h a rd -c o p y m e m o ra n d u m
d e v e lo p a p re lim in a ry o p in io n as to th e
th a t c a n b e v e rifie d by an in d e p e n d e n t c h e c k of
a d e q u a c y o f p ro c e d u re s a n d to p ro v id e an
th e a c tiv ity .
in d ic a tio n to th e a u d ito r o f th o s e c o n tro ls w h o s e
7. R e v ie w th e p ro g ra m m in g a n d te s tin g
e x is te n c e s h o u ld b e v e rifie d a n d w h o s e
p ra c tic e s to b e fo llo w e d . T h e s e c a n s ig n ific a n tly
e ffe c tiv e n e s s s h o u ld b e e v a lu a te d .
a ffe c t th e e ffe c tiv e n e s s of th e co n tro l in th e
T h e a u d ito r sh o u ld c h e c k on th e p ro g re s s of
sys te m . C o n s id e r w h e th e r th e users w ill c o n d u c t
th e sy s te m th ro u g h th e d e s ig n , p ro g ra m m in g ,
tes ts o f th e system a n d w h e th e r a u d it te s tin g
te s tin g , c o n v e rs io n , a n d o p e ra tio n a l s ta g e s to
b e fo re th e sy s te m b e c o m e s o p e ra tio n a l w o u ld
a s s u re th at c h a n g e s d o not a d v e rs e ly a ffe c t th e
b e a p p ro p ria te .
e ffe c tiv e n e s s of c o n tro ls or th e a u d it a p p ro a c h .
In a d d itio n to te s tin g a ll th e a lte rn a te
M o n ito rin g c lie n t o p e ra tio n s o v e r a p e rio d
p ro c e s s in g p a th s th a t c a n e x is t in an o rd in a ry
of tim e is a n o th e r te c h n iq u e fo r o b s e rv in g a n d
p ro g ra m , liv e d a ta tests s h o u ld b e c o n s id e re d .
s u b s e q u e n tly e v a lu a tin g a c tu a l sys te m s
A ll of th e in te rre la tio n s h ip s , te rm in a l p o llin g ,
p e rfo rm a n c e , a lth o u g h it p ro v id e s no e v id e n c e
m e s s a g e q u e u in g , a n d p ro g ra m s e le c tio n th at
re g a rd in g th o s e c o n tro ls o r p ro c e d u re s th a t a re
sh o u ld e x is t to a c c o m m o d a te an a d v a n c e d
not c a lle d u p o n d u rin g th e p a rtic u la r p e rio d
s ystem a p p lic a tio n s h o u ld b e te s te d a lo n g w ith
u n d e r o b s e rv a tio n .
th e p ro c e s s in g .
8. T h e a u d ito r sh o u ld re v ie w th e p ro p o s e d
Subsequent Review of Accounting Controls.
p ro c e d u re s a n d c o n tro ls d u rin g th e c o n v e rs io n
O n c e a s ystem h as b e c o m e o p e ra tio n a l th e
of th e e x is tin g s ystem . T h e la c k of a d e q u a te
a u d ito r sh o u ld e v a lu a te th e a c tu a l e ffe c tiv e n e s s
c o n tro ls d u rin g c o n v e rs io n c o u ld resu lt in th e
of th e a c c o u n tin g c o n tro ls in th e system . T h is
fa ilu re to d e te c t s ig n ific a n t errors.
e v a lu a tio n sh o u ld b e re p e a te d d u rin g e a c h
E x a m p le s of errors th a t c o u ld o c c u r d u rin g
a u d it of an a d v a n c e d sys te m , at a m in im u m
th e c o n v e rs io n p ro c e s s a re —
a n n u a lly , o r at m o re fre q u e n t in te rv a ls if
A. C o m p le te or p a rtia l d e le tio n of a file . w a rra n te d .
35
APPENDIX 4
Glossary
A p p lic a tio n p ro g ra m m e r is a p e rs o n w h o is C o m p u te r a u d it s o ftw a re is g e n e r a liz e d
a u th o riz e d to c o d e a n d m a in ta in a p p lic a tio n s s o ftw a re d e v e lo p e d o r u s e d by an a u d ito r for file
p ro g ra m s s u c h a s a c c o u n ts p a y a b le , in ven to ry in te rro g a tio n , p e rfo rm a n c e of a rith m e tic
co n tro l, fin a n c ia l re p o rtin g p ro g ra m s , a n d so c a lc u la tio n s , a n d d e v e lo p m e n t of reports.
forth. C u rre n tly , su ch s o ftw a re is n o rm a lly lim ite d to
A u d ita b ility d e te rm in e s th e c h a ra c te ris tic s of a c c e s s in g file s w ith s ta n d a rd s e q u e n tia l or
a sy s te m th a t p e rm it d a ta to b e re v ie w e d for in d e x e d s e q u e n tia l s tru ctu res.
v a lid ity a n d a c c u ra c y , a n d th a t p e rm it c o n tro ls D ata b a s e is a c o lle c tio n of d a ta item s
to b e te s te d for in te g rity a n d re lia b ility . T h e s e re la te d to a ll or o n ly a p o rtio n of e n te rp ris e
c h a ra c te ris tic s a re im p o rta n t in o b ta in in g a c tiv ity . T o d a y , th e te rm im p lie s a stru c tu re d
a s s u ra n c e th a t th e fo llo w in g c o n d itio n s h a v e c o lle c tio n of d a ta ite m s th a t a re re la te d to an
b e e n a c c o m p lis h e d : e n te rp ris e ’s o p e ra tio n s , s u c h as th e fin a n c ia l
d a ta b a s e , a c u s to m e r d a ta b a s e , or s im ila r
1. U n ifo rm h a n d lin g o f a ll d a ta h as b e e n
o p e ra tio n .
p e rfo rm e d as a u th o riz e d .
D a ta b a s e m a n a g e m e n t s y s te m (D B M S ) is a
2. D a ta h a s b e e n c o m p le te ly a n d c o rre c tly
se t of in te g ra te d s o ftw a re ro u tin e s d e v e lo p e d to
p ro c e s s e d .
c re a te , m a in ta in , a n d a llo w a c c e s s to an
3. D a ta h a s b e e n re c o rd e d in a m a n n e r th a t
o rg a n iz e d a n d s tru c tu re d c o lle c tio n of re la te d
a llo w s it to b e tr a c e d from o rig in a tio n ,
d a ta item s. T h e D B M S h a n d le s th e m e c h a n ic s of
th ro u g h s u b s e q u e n t p ro c e s s in g , to u ltim a te
sto rin g , u p d a tin g , a n d a c c e s s in g th e d a ta ,
d is p o s itio n — an d in th e o p p o s ite d ire c tio n .
th e re b y a llo w in g th e a p p lic a tio n p ro g ra m m e r to
A u d ito r ’s c o m p u te r is a s p e c ia lly d e s ig n e d v ie w a lo g ic a l c o lle c tio n of d a ta e le m e n ts as a
c o m p u te r h a v in g th e c a p a b ility of in te rfa c in g file a n d re d u c in g th e p ro g r a m m e r’s c o n c e rn
w ith o th e r c o m p u te rs to te s t th e p ro p rie ty a n d w ith th e p h y s ic a l form o r stru c tu re of th e s e d a ta
in te g rity of th e ir s o ftw a re a n d file structures. It item s.
h a s th e a b ility to p e rfo rm v a rio u s o th e r a u d it D ata b a s e a d m in is tra to r is th e in d iv id u a l
fu n c tio n s on an in d e p e n d e n t b a s is from th e a u th o riz e d to d e fin e th e ru le s w h ic h g o v e rn an d
c o m p u te r sy s te m b e in g a u d ite d . c o n tro l a c c e s s of d a ta a n d th e m e th o d of
A u d it c o n tro l is th e m e a n s for o b ta in in g p h y s ic a l s to ra g e of th e d a ta . T h e fu n c tio n is
a s s u ra n c e re g a rd in g th e in te g rity o f a u d it h a n d le d v ia a d e s c rip tiv e d a ta b a s e la n g u a g e
te s tin g in c ir c u m s ta n c e s in w h ic h th e a u d ito r w h ic h p e rfo rm s th e fo llo w in g :
p la c e s re lia n c e on c e rta in c lie n t p ro g ra m s , su ch
1. D e fin e s a n d d e s c rib e s th e d a ta .
as o p e ra tin g s ystem s, d a ta b a s e m a n a g e m e n t
2. D e fin e s th e lo g ic a l re la tio n s h ip a n d
system s, a n d so forth, in o rd e r to p e rfo rm su ch
in te rre la tio n s h ip of th e v a rio u s s e g m e n ts of
te s tin g .
d a ta .
A u d it h o o k s a re th e c a p a b ilitie s
in c o rp o ra te d into th e h a rd w a re , s y s te m s 3. D e fin e s th e p h y s ic a l s to ra g e of th e d a ta an d
so ftw a re , a n d a p p lic a tio n s s o ftw a re th a t w ill its a ttrib u te s .
a llo w a u d ito r d e v e lo p e d s o ftw a re o r te s tin g 4. D e fin e s a n d d e s c r ib e s th e lo g ic a l v ie w of th e
c rite ria to b e fu lly in te g ra te d into n o rm al d a ta a s it m a y b e s e e n b y th e a p p lic a tio n
p ro cessin g activities. A u d it hooks w o u ld pro vid e p ro g ra m m e r a n d th e in te rre la tio n s h ip of th e
a u d ito rs w ith th e c a p a b ility to c a p tu re an y lo g ic a l v ie w s to th e d a ta structure.
tra n s a c tio n b e in g p ro c e s s e d by th e s ystem a n d 5. D e fin e s th e s e c u rity m e a s u re s a p p lic a b le to
ta k e w h a te v e r a c tio n is re q u ire d . e a c h u s e r a n d to th e d a ta b a s e .
A u d it tr a il is a m e a n s for id e n tify in g th e
a c tio n s ta k e n in p ro c e s s in g in p u t d a ta o r in D ata c o m m u n ic a tio n s p e rta in s to th e
p re p a rin g an o u tp u t s u c h th a t d a ta on a s o u rc e tra n s m is s io n of d a ta o v e r d is ta n c e s , such
d o c u m e n t c a n b e tr a c e d fo rw a rd to an outpu t, as by te le g r a p h , te le p h o n e , ra d io , d ire c tly to
for e x a m p le , a rep o rt, a n d an o u tp u t c a n b e e le c tro n ic d a ta p ro c e s s in g d e v ic e s .
tra c e d b a c k to t h e s o u rc e item s from w h ic h it is D a ta d ic tio n a ry /d ire c to ry is a s tru c tu re d
d e riv e d . N o te th a t th e a u d it trail c a n a ls o b e c o lle c tio n of in fo rm a tio n e le m e n ts th a t d e fin e
te rm e d an in q u iry or a m a n a g e m e n t trail a n d d e s c rib e th e d a ta e le m e n ts a s s o c ia te d w ith
b e c a u s e it is u s e d as a re fe re n c e tra il for in te rn a l o n e o r m o re d a ta b a s e s . Id e a lly , th e
o p e ra tio n s a n d m a n a g e m e n t as w e ll as for a u d it d ic tio n a ry /d ire c to ry d e fin e s e a c h d a ta b a s e a n d
tests. d e s c rib e s its a ttrib u te s re la te d to id e n tific a tio n ,
36
re p re s e n ta tio n , re la tio n s h ip , s e c u rity , in te g rity , a c c o r d a n c e w ith m a n a g e m e n t’s
a n d so forth. a u th o riza tio n .
D is trib u te d s y s te m s in c lu d e tw o or m o re d. T h e re c o rd e d a c c o u n ta b ility for a s s e ts is
c o m p u te rs p h y s ic a lly s e p a ra te d , but lin k e d c o m p a re d w ith th e e x is tin g a s s e ts at
to g e th e r w ith a c o m m u n ic a tio n n etw o rk th at re a s o n a b le in te rv a ls a n d a p p r o p ria te
a llo w s an y site to u tiliz e th e re s o u rc e s w ith in th e a c tio n is ta k e n w ith re s p e c t to any
n etw o rk. For e x a m p le , a s m a ll c o m p u te r at a d iffe re n c e s .
p la n t site c o u ld u se th e p o w e r of a la rg e r
c o m p u te r in th e n etw o rk to m a n ip u la te a n d so lv e T h e fo re g o in g d e fin itio n s a re not n e c e s s a rily
a lin e a r p ro g ra m a lo g o rith m re la te d to p la n t m u tu a lly e x c lu s iv e b e c a u s e s o m e of th e
s c h e d u lin g . p ro c e d u re s a n d re c o rd s c o m p re h e n d e d in
In te g ra te d te s t fa c ility (IT F ) is a m e a n s of a c c o u n tin g co n tro l m a y a ls o b e in v o lv e d in
in tro d u c in g d u m m y d a ta into a live a p p lic a tio n a d m in is tra tiv e co ntro l.
sy s te m to s e e w h e th e r it is p ro p e rly h a n d le d . M ic ro fic h e is a te c h n iq u e w h ic h c o m p a c ts
T h e d a ta is in tro d u c e d as th o u g h it w e re live info rm atio n for d e n s e s to ra g e a n d uses the latest
d a ta a n d m u st b e re m o v e d at s o m e p o in t d u rin g in m ic ro film , m a g n e tic e n c o d in g , a n d v is u a l
th e a p p lic a t io n ’s o p e ra tio n . s c re e n te c h n o lo g y fo r re fe re n c in g a n d d is p la y
In te rn a l c o n tro l in a b ro a d s e n s e h as tw o access.
e le m e n ts . O p e ra tin g s y s te m is an o rg a n iz e d c o lle c tio n
1. A d m in is tra tiv e c o n tro l in c lu d e s , but is not of p ro g r a m m e d ro u tin e s an d p ro c e d u re s for
lim ite d to, th e p la n o f o rg a n iz a tio n a n d th e o p e ra tin g a c o m p u te r. T h e s e ro u tin es an d
p ro c e d u re s a n d re c o rd s th a t a re c o n c e rn e d p ro c e d u re s n o rm a lly p e rfo rm s o m e or a ll o f th e
w ith th e d e c is io n p ro c e s s e s le a d in g fo llo w in g fu n c tio n s : (1 ) s c h e d u lin g , lo a d in g ,
to m a n a g e m e n t’s a u th o riz a tio n of in itia tin g , a n d s u p e rv is in g th e e x e c u tio n of
tr a n s a c tio n s .1 S u ch a u th o riz a tio n is a p ro g ra m s ; (2 ) a llo c a tin g s to ra g e , in p u t/o u tp u t
m a n a g e m e n t fu n c tio n d ire c tly a s s o c ia te d units, a n d o th e r fa c ilitie s of th e c o m p u te r system ;
w ith th e re s p o n s ib ility for a c h ie v in g th e (3 ) in itia tin g a n d c o n tro llin g in p u t/o u tp u t
o b je c tiv e s of th e o rg a n iz a tio n a n d is th e o p e ra tio n s ; (4 ) h a n d lin g errors a n d restarts; (5 )
startin g p o in t for e s ta b lis h in g a c c o u n tin g c o o rd in a tin g c o m m u n ic a tio n s b e tw e e n th e
co n tro l o f tra n s a c tio n s . h u m a n o p e ra to r a n d th e c o m p u te r system ; (6 )
2. A c c o u n tin g c o n tro l c o m p ris e s th e p la n of m a in ta in in g a log of s y s te m s o p e ra tio n s ; a n d (7 )
o rg a n iz a tio n a n d th e p ro c e d u re s a n d c o n tro llin g o p e ra tio n s in a m u ltip ro g ra m m in g ,
re c o rd s th a t a re c o n c e r n e d w ith th e m u ltip ro c e s s in g , or tim e s h a rin g m o d e . A m o n g
s a fe g u a rd in g of a s s e ts a n d th e re lia b ility of th e fa c ilitie s fre q u e n tly in c lu d e d w ith in an
fin a n c ia l re c o rd s a n d c o n s e q u e n tly a re o p e ra tin g s ystem a re an e x e c u tiv e rou tin e, a
d e s ig n e d to p ro v id e re a s o n a b le a s s u ra n c e s c h e d u le r, in p u t/o u tp u t rou tin es, u tility rou tin es,
that: a n d m o n ito r ro u tin es.
S yste m a d m in is tra to r is an e m p lo y e e
a. T ra n s a c tio n s a re e x e c u te d in a c c o r d a n c e
re s p o n s ib le fo r e n s u rin g th a t in fo rm a tio n
w ith m a n a g e m e n t’s g e n e ra l or s p e c ific
p ro c e s s in g s e rv ic e s a re c o n s is te n t w ith th e
a u th o riz a tio n .
n e e d s of th e o rg a n iz a tio n a n d th a t th e in teg rity,
b. T ra n s a c tio n s a re re c o rd e d as n e c e s s a ry
se c u rity , a n d a u d ita b ility of th e system m e e ts
(1 ) to p e rm it p re p a ra tio n of fin a n c ia l
c o rp o ra te s ta n d a rd s .
s ta te m e n ts in c o n fo rm ity w ith g e n e r a lly
S yste m p ro g ra m m e r is a p ro g ra m m e r
a c c e p te d a c c o u n tin g p rin c ip le s o r an y
re s p o n s ib le fo r im p le m e n tin g u p g ra d e s to
o th e r c rite ria a p p lic a b le to su ch
o p e ra tin g s y s te m s a n d o th e r g e n e ra l sys te m s
s ta te m e n ts a n d (2 ) to m a in ta in
s o ftw a re a n d m a in ta in in g re v is io n s or
a c c o u n ta b ility for a ssets.
m o d ific a tio n s to s u c h s ystem s.
c. A c c e s s to a s s e ts is p e rm itte d o n ly in
1This definition is intended only to provide a point of departure for distinguishing accounting control and, consequently,
is not necessarily definitive for other purposes.
37

Management Control and Audit of Advanced EDP Systems

Uploaded by

Copyright:

Available Formats

You might also like

Management Control and Audit of Advanced EDP Systems

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Management Control and Audit of Advanced EDP Systems

Uploaded by

Copyright:

Available Formats

University of Mississippi

Management, control, and audit of advanced EDP systems;

Follow this and additional works at: https://egrove.olemiss.edu/aicpa_indev

Part of the Accounting Commons, and the Taxation Commons

American Institute of Certified Public Accountants AICPA

Computer services guidelines are published to assist members in

NATURE OF THE AUDIT PROCESS

CHARACTERISTICS AND IMPLICATIONS OF ADVANCED SYSTEMS

EFFECTIVE CONTROL AND AUDIT OF ADVANCED EDP SYSTEMS

AUDIT APPROACHES FOR ADVANCED EDP SYSTEMS

SUMMARY, CONCLUSIONS, AND RECOMMENDATIONS

APPENDIX 1— ULTIMATE CORPORATION— A FUTURE

APPENDIX 2—AUTHORIZATION CONCEPTS FOR

APPENDIX 3— SUGGESTED PROCEDURES FOR AUDITORS

Objectives and Concerns

Organization of the Report

Nature of the Audit Process

Study and Evaluation of Internal Control

3SAS no. 1, Sec. 320.71.

Characteristics and Implications

Characteristics of Advanced Systems

Management Implications of Advanced

Effective Control and Audit of

Control and Auditability Objectives

□ T ra n s a c tio n s a re in itia te d in a c c o rd a n c e □ A u d it c o n tro l s h o u ld resu lt from a c h ie v in g

EXHIBIT 4 — 1 INFORMATION SYSTEM SCHEMATIC

System Software1 User

1Includes the following routines:

Audit Approaches fa Advanced

Auditing Advanced EDP Systems— Some

Auditing Approaches to Advanced Systems

Summary Conclusions, and

Ultimate Corporation—A Future Advanced

Authorization Concepts for Information

Authorization Table Concept

A u th o rized to A uth o rized

D ata In ter­ H istory D ecision A pp lica tion G en eral S ystem s S ys te m s A u th o rizatio n

Suggested Procedures for Auditors to

You might also like

D ata In ter H istory D ecision A pp lica tion G en eral S ystem s S ys te m s A u th o rizatio n