Computer-Aided Audit Tools and Techniques: IT Auditing, Hall, 3e


Chapter 7: Computer-Aided Audit Tools and Techniques

IT Auditing, Hall, 3e
2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated,
or posted to a publicly accessible website, in whole or in part.

Introduction to Input Controls

Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete.

Data input procedures can be either:
  Source document-triggered (batch)
  Direct input (real-time)

Source document input requires human involvement and is prone to clerical errors.
Direct input employs real-time editing techniques to identify and correct errors immediately.


Classes of Input Controls

1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems

#1-Source Document Controls

Controls in systems using physical source documents
Source document fraud
To control for this exposure, control procedures are needed over source documents to account for each one:
  Use pre-numbered source documents
  Use source documents in sequence
  Periodically audit source documents


#2-Data Coding Controls

Checks on data integrity during processing
Transcription errors
  Addition errors: extra digits
  Truncation errors: digit removed
  Substitution errors: digit replaced
Transposition errors
  Single transposition: adjacent digits transposed (reversed)
  Multiple transposition: non-adjacent digits are transposed

Control = Check digits
  Added to code when created (suffix, prefix, embedded)
  Sum of digits (ones): detects transcription errors only
  Modulus 11, different weights per column: detects transposition and transcription errors
  Introduces storage and processing inefficiencies
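The two check digit schemes above, as an added Python example (not from the slides or the textbook): it computes a suffix check digit each way and shows that a transposition slips past the sum-of-digits scheme but not the weighted modulus 11 scheme. The code value "5372" and the weight layout (2, 3, 4, ... from the right) are assumptions for the demo.

```python
# Added example (not from the slides): compute a suffix check digit two ways and
# show which data coding errors each scheme catches. Code "5372" is constructed.

def digit_sum_check(code: str) -> int:
    """Sum-of-digits scheme: add the digits and keep the ones position."""
    return sum(int(d) for d in code) % 10

def mod11_check(code: str) -> int:
    """Modulus 11 scheme: weight each column (2, 3, 4, ... counting from the
    right), sum the products, and return the digit that lifts the sum to a
    multiple of 11. Codes longer than 9 digits would hit a weight of 11 (zero
    mod 11), so they are rejected; a result of 10 does not fit a single digit
    and is reported by raising, the conservative choice for a demo."""
    if len(code) > 9:
        raise ValueError("modulus 11 with these weights supports at most 9 digits")
    total = sum(w * int(d) for w, d in enumerate(reversed(code), start=2))
    check = (11 - total % 11) % 11
    if check == 10:
        raise ValueError("check digit 10 cannot be stored as a single digit")
    return check

def is_valid(code_with_suffix: str, scheme) -> bool:
    """Validate a code whose check digit was appended as a suffix."""
    body, suffix = code_with_suffix[:-1], code_with_suffix[-1]
    try:
        return scheme(body) == int(suffix)
    except ValueError:          # unusable code or non-digit suffix
        return False

def detected(scheme, original: str, corrupted: str) -> bool:
    """True if the check digit issued for the original rejects the corrupted code."""
    return not is_valid(corrupted + str(scheme(original)), scheme)

# Adjacent transposition leaves the digit sum unchanged, so only the weighted
# scheme rejects it; a substitution changes both sums and both schemes catch it.
ORIGINAL, TRANSPOSED, SUBSTITUTED = "5372", "5732", "5382"
```

Because the weights differ per column and 11 is prime, every transposition of two different digits changes the weighted sum by a non-multiple of 11, which is why the modulus 11 scheme detects it.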


#3-Batch Controls

Method for handling high volumes of transaction data, esp. paper-fed IS
Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control):
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output
Requires grouping of similar input transactions



#3-Batch Controls

Requires controlling the batch throughout
Batch transmittal sheet (batch control record), Figure 7-1:
  Unique batch number (serial #)
  A batch date
  A transaction code
  Number of records in the batch
  Total dollar value of the financial field
  Sum of a unique non-financial field (hash total), e.g., customer number
Batch control log, Figure 7-3
Hash totals


#4-Validation Controls

Intended to detect errors in data before processing
Most effective if performed close to the source of the transaction
Some require referencing a master file

#4-Validation Controls

Field Interrogation
  Missing data checks
  Numeric-alphabetic data checks
  Zero-value checks
  Limit checks
  Range checks
  Validity checks
  Check digit
Record Interrogation
  Reasonableness checks
  Sign checks
  Sequence checks
File Interrogation
  Internal label checks (tape)
  Version checks
  Expiration date check
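The field and record interrogation checks above, as an added Python example (not from the slides or the textbook): a small generalized validation module runs a constructed batch of sales transactions through each check and collects the error codes a rejected record would carry into an error file. The field names, the bounds, the customer master file and the sample records are all assumptions; the check digit test is left out here.

```python
# Added example (not from the slides): a small generalized validation module that applies
# the field- and record-interrogation checks listed above to a batch of sales transactions.
# Field names, bounds, the customer master file and the sample batch are all constructed.
CUSTOMER_MASTER = {"10021", "10457", "11830"}   # validity check reference file
CREDIT_LIMIT = 5000.00                          # limit check: largest allowed amount
QTY_RANGE = (1, 500)                            # range check: allowed quantity
def interrogate_fields(txn: dict) -> list:
    """Field interrogation: each failed check adds one error code."""
    errors = [f"MISSING:{f}" for f in ("customer_no", "qty", "amount") if txn.get(f) in (None, "")]
    if errors:                           # the remaining checks need every field present
        return errors
    if not txn["qty"].isdigit():
        errors.append("NUMERIC:qty")                 # numeric-alphabetic check
    elif int(txn["qty"]) == 0:
        errors.append("ZERO:qty")                    # zero-value check
    elif not QTY_RANGE[0] <= int(txn["qty"]) <= QTY_RANGE[1]:
        errors.append("RANGE:qty")                   # range check
    if txn["amount"] > CREDIT_LIMIT:
        errors.append("LIMIT:amount")                # limit check
    if txn["customer_no"] not in CUSTOMER_MASTER:
        errors.append("VALIDITY:customer_no")        # validity check against the master file
    return errors
def interrogate_record(txn: dict, prev_seq: int) -> list:
    """Record interrogation: relationships between fields and between records."""
    errors = []
    if txn["amount"] < 0:
        errors.append("SIGN:amount")                 # sign check
    if not 0.50 <= txn["amount"] / int(txn["qty"]) <= 1000.00:
        errors.append("REASONABLENESS:unit_price")   # reasonableness check on implied unit price
    if txn["seq"] <= prev_seq:
        errors.append("SEQUENCE:seq")                # sequence check against the prior record
    return errors
def validate_batch(txns: list) -> dict:
    """{position: [error codes]} for rejects; a field failure skips record interrogation."""
    rejects, prev_seq = {}, 0
    for pos, txn in enumerate(txns):
        errors = interrogate_fields(txn) or interrogate_record(txn, prev_seq)
        if errors:
            rejects[pos] = errors
        prev_seq = txn["seq"]
    return rejects
SAMPLE_BATCH = [   # constructed input; only the first record is clean
    {"seq": 1, "customer_no": "10021", "qty": "10", "amount": 250.00},
    {"seq": 2, "customer_no": "99999", "qty": "0", "amount": 0.00},
    {"seq": 3, "customer_no": "10457", "qty": "5x", "amount": 20.00},
    {"seq": 2, "customer_no": "11830", "qty": "4", "amount": -8.00},
    {"seq": 5, "customer_no": "11830", "qty": "600", "amount": None},
]
```

The quantity arrives as a string, as it would from a keyed source document, which is why the numeric check has to run before the zero-value and range checks can convert it.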

#5-Input Error Correction

Batch: correct and resubmit
Controls to make sure errors are dealt with completely and accurately:
1) Immediate Correction
2) Create an Error File
  Reverse the effects of partially processed records, resubmit corrected records
  Reinsert corrected records in the processing stage where the error was detected
3) Reject the Entire Batch


#6-Generalized Data Input Systems (GDIS)

Centralized procedures to manage data input for all transaction processing systems
Eliminates the need to create redundant routines for each new application
Advantages:
  Improves control by having one common system perform all data validation
  Ensures each AIS application applies a consistent standard of data validation
  Improves systems development efficiency

#6-GDIS

Major components:
1) Generalized Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log


Classes of Processing Controls

1) Run-to-Run Controls
2) Operator Intervention Controls
3) Audit Trail Controls


#1-Run-to-Run (Batch)

Use batch figures to monitor the batch as it moves from one process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
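The batch transmittal sheet from the #3-Batch Controls slides and the run-to-run recalculation on this slide, as one added Python example (not from the slides or the textbook): the control record is built from the input batch, and the same figures are recalculated after a processing run in which one record was duplicated and another lost. The record layout, the batch number and the transactions are assumptions for the demo.

```python
# Added example (not from the slides): build a batch control record (the transmittal
# sheet of Figure 7-1) from the input batch, then recalculate the same figures after a
# processing run, as a run-to-run control does. Data and the batch layout are constructed.
from dataclasses import dataclass

@dataclass
class BatchControlRecord:
    batch_no: int          # unique serial batch number
    batch_date: str
    txn_code: str          # every record in the batch must carry this code
    record_count: int
    amount_total: float    # total dollar value of the financial field
    hash_total: int        # sum of a non-financial field (customer numbers)

def build_control_record(batch_no, batch_date, txn_code, records) -> BatchControlRecord:
    """Compute the control figures an operator would enter on the transmittal sheet."""
    return BatchControlRecord(batch_no, batch_date, txn_code, len(records),
                              round(sum(r["amount"] for r in records), 2),
                              sum(r["customer_no"] for r in records))

def run_to_run_check(control: BatchControlRecord, records) -> list:
    """Recalculate control totals, transaction codes and sequence at the next run.
    Returns discrepancy descriptions; an empty list means the batch is intact."""
    findings = []
    recalc = build_control_record(control.batch_no, control.batch_date, control.txn_code, records)
    for name in ("record_count", "amount_total", "hash_total"):
        if getattr(recalc, name) != getattr(control, name):
            findings.append(f"{name}: expected {getattr(control, name)}, got {getattr(recalc, name)}")
    bad_codes = [r["seq"] for r in records if r["txn_code"] != control.txn_code]
    if bad_codes:
        findings.append(f"transaction code mismatch in records {bad_codes}")
    seqs = [r["seq"] for r in records]
    if seqs != sorted(set(seqs)):   # duplicated or out-of-order records
        findings.append(f"sequence check failed: {seqs}")
    return findings

INPUT_BATCH = [   # constructed sales transactions
    {"seq": 1, "txn_code": "SALE", "customer_no": 10021, "amount": 120.00},
    {"seq": 2, "txn_code": "SALE", "customer_no": 10457, "amount": 75.50},
    {"seq": 3, "txn_code": "SALE", "customer_no": 11830, "amount": 300.00},
]
CONTROL = build_control_record(4017, "2011-03-14", "SALE", INPUT_BATCH)
# After the update run, one record was processed twice and one was lost: the record
# count still agrees, but the dollar total, hash total and sequence check all expose it.
AFTER_RUN = [INPUT_BATCH[0], INPUT_BATCH[0], INPUT_BATCH[2]]
```

The point of the constructed failure is that a record count alone is blind to a duplicate-plus-loss, which is why the transmittal sheet carries a financial total and a hash total as well.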


#2-Operator Intervention

When the operator manually enters controls into the system
Preference is to derive them by logic or have them provided by the system


#3-Audit Trail Controls

Every transaction becomes traceable from input to output
Each processing step is documented
Preservation is key to auditability of AIS
  Transaction logs
  Log of automatic transactions
  Listing of automatic transactions
  Unique transaction identifiers [s/n]
  Error listing


Output Controls

Ensure system output is:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated

Batch systems are more susceptible to exposure and require greater controls
Controlling Batch Systems Output
  Many steps from printer to end user
  Data control clerk check point
  Unacceptable printing should be shredded
  Cost/benefit basis for controls
  Sensitivity of data drives levels of controls


Output Controls

Output spooling risks:
  Access the output file and change critical data values
  Access the file and change the number of copies to be printed
  Make a copy of the output file so illegal output can be generated
  Destroy the output file before printing takes place


Output Controls

Print Programs
Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after a printer malfunction
4) Removing printer output from the printer for review and distribution

Print Program Controls
  Production of unauthorized copies: employ output document controls similar to source document controls
  Unauthorized browsing of sensitive data by employees: special multi-part paper that blocks certain fields


Output Controls

Bursting
  Supervision
Waste
  Proper disposal of aborted copies and carbon copies
Data control
  Data control group verifies and logs
Report distribution
  Supervision


Output Controls

End user controls
  End user detection
Report retention:
  Statutory requirements (govt)
  Number of copies in existence
  Existence of softcopies (backups)
  Destroyed in a manner consistent with the sensitivity of its contents


Output Controls

Controlling real-time systems output
Eliminates intermediaries
Threats:
  Interception
  Disruption
  Destruction
  Corruption
Exposures:
  Equipment failure
  Subversive acts
Systems performance controls (Ch. 2)
Chain of custody controls (Ch. 5)


Testing Computer Application Controls

1) Black box (around)
2) White box (through)


Testing Computer Application Controls: Black Box

Ignore internal logic of the application
Use functional characteristics:
  Flowcharts
  Interview key personnel
Advantages:
  Do not have to remove the application from operations to test it
Appropriately applied to:
  Simple applications
  Relatively low level of risk


Testing Computer Application Controls: White Box

Relies on in-depth understanding of the internal logic of the application
Uses a small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results


White Box Test Methods

1) Authenticity tests:
  Individuals / users
  Programmed procedures
  Messages to access the system (e.g., logons)
  All-American University, student lab: logon, reboot, logon *
2) Accuracy tests:
  System only processes data values that conform to specified tolerances
3) Completeness tests:
  Identify missing data (fields, records, files)


White Box Test Methods

4) Redundancy tests:
  Process each record exactly once
5) Audit trail tests:
  Ensure the application and/or system creates an adequate audit trail
  Transaction listing
  Error files or reports for all exceptions
6) Rounding error tests:
  Salami slicing
  Monitor activities; excessive ones are serious exceptions, e.g., rounding of thousands of entries into a single account for $1 or 1 cent
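The rounding error test above, as an added Python example (not from the slides or the textbook): a journal extract is scanned for accounts that collect an excessive number of cent-sized postings, which is the trail a salami-slicing routine leaves behind. The journal lines, the account numbers and the thresholds are constructed for the demo.

```python
# Added example (not from the slides): a rounding error test over a constructed journal
# extract. It groups tiny postings by account and flags any account collecting an excessive
# number of them, the trail that thousands of diverted rounding residuals leave behind.
from collections import defaultdict

# Constructed journal lines: (entry_id, account, amount). Account 9999 is the one that
# keeps receiving cent-sized residuals from the interest calculation run.
JOURNAL = [
    (1, "2105", 413.27), (2, "2105", 88.12), (3, "9999", 0.01), (4, "2106", 1250.00),
    (5, "9999", 0.01), (6, "2107", 17.40), (7, "9999", 0.02), (8, "9999", 0.01),
    (9, "2105", 301.99), (10, "9999", 0.01), (11, "2108", 0.01), (12, "9999", 0.03),
]

def rounding_exceptions(journal, max_amount=0.05, max_count=3) -> dict:
    """Report accounts that received more than max_count postings of at most max_amount.
    Returns {account: (count, total, [entry ids])}; the thresholds are audit judgement
    and would be tuned to the volume of the run being examined."""
    small = defaultdict(list)
    for entry_id, account, amount in journal:
        if 0 < abs(amount) <= max_amount:        # a genuine rounding residual is tiny
            small[account].append((entry_id, amount))
    return {acct: (len(items), round(sum(a for _, a in items), 2), [e for e, _ in items])
            for acct, items in small.items() if len(items) > max_count}
```

A single cent-sized posting (account 2108 here) is normal rounding; it is the concentration of many of them in one account that the test treats as an exception to follow up.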


Computer-Aided Audit Tools and Techniques (CAATTs)

1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS

#1 Test Data

Used to establish the application's processing integrity
Uses a test deck:
  Valid data
  Purposefully selected invalid data
  Every possible:
    Input error
    Logical process
    Irregularity
Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare

#2 Base Case System Evaluation (BCSE)

Variant of the Test Data method
Comprehensive test data
Repetitive testing throughout the SDLC
When the application is modified, subsequent (new) test results can be compared with previous results (base)


#3 Tracing

Test data technique that takes a step-by-step walk through the application
1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as test data
3) Test data is traced through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
Excellent means of debugging a faulty program


Test Data: Advantages and Disadvantages

Advantages of test data
1) They employ a white box approach, thus providing explicit evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of the auditors

Disadvantages of test data
1) Auditors must rely on IS personnel to obtain a copy of the application for testing
2) Audit evidence is not entirely independent
3) Provides a static picture of application integrity
4) Relatively high cost to implement, auditing inefficiency

#4 Integrated Test Facility

ITF is an automated technique that allows auditors to test logic and controls during normal operations
1) Set up a dummy entity within the application system
2) System able to discriminate between ITF audit module transactions and routine transactions
3) Auditor analyzes ITF results against expected results


#5 Parallel Simulation

Auditor writes or obtains a copy of a program that simulates key features or processes to be reviewed / tested
1) Auditor gains a thorough understanding of the application under review
2) Auditor identifies those processes and controls critical to the application
3) Auditor creates the simulation using a program or Generalized Audit Software (GAS)
4) Auditor runs the simulated program using selected data and files
5) Auditor evaluates results and reconciles differences
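The five parallel simulation steps above, carried through in an added Python example (not from the slides or the textbook): the auditor's re-implementation of a documented invoice pricing policy is run over the selected input file and reconciled line by line against the production output. The price list, the volume discount policy, the invoices and the production figures are all constructed; the boundary defect at exactly 99 units is planted so that step 5 has something to reconcile.

```python
# Added example (not from the slides): a parallel simulation of an invoice pricing
# routine. The auditor re-implements the documented pricing policy, runs it over the
# same input file, and reconciles the result against production output.
# Policy, price list, input lines and production output are constructed for the demo.

PRICE_LIST = {"WIDGET": 12.50, "GADGET": 40.00, "BOLT": 0.80}   # constructed master
VOLUME_DISCOUNT_QTY = 100      # documented policy: 10% off at or above 100 units
VOLUME_DISCOUNT_RATE = 0.10

def simulate_invoice(line: dict) -> float:
    """Auditor's simulation of the pricing logic the production program should apply."""
    gross = PRICE_LIST[line["item"]] * line["qty"]
    if line["qty"] >= VOLUME_DISCOUNT_QTY:
        gross *= 1 - VOLUME_DISCOUNT_RATE
    return round(gross, 2)

def reconcile(input_lines: list, production_output: dict) -> list:
    """Run the simulation over the selected input and list every invoice whose
    production amount differs from the simulated amount, as (invoice, expected, actual)."""
    differences = []
    for line in input_lines:
        expected = simulate_invoice(line)
        actual = production_output[line["invoice"]]
        if abs(actual - expected) >= 0.01:       # tolerate sub-cent float noise only
            differences.append((line["invoice"], expected, actual))
    return differences

INPUT_FILE = [   # constructed sales lines selected by the auditor
    {"invoice": "A100", "item": "WIDGET", "qty": 10},
    {"invoice": "A101", "item": "GADGET", "qty": 100},
    {"invoice": "A102", "item": "BOLT", "qty": 99},    # just below the discount threshold
    {"invoice": "A103", "item": "BOLT", "qty": 250},
]
# Constructed production output: A102 was discounted although 99 units do not qualify.
PRODUCTION_OUTPUT = {"A100": 125.00, "A101": 3600.00, "A102": 71.28, "A103": 180.00}
```

The reconciliation isolates the one invoice where production and simulation disagree, which is the evidence the auditor then investigates (here a discount applied one unit too early).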
