
1. Chapter 17: IT Controls Part III: Systems Development, Program Changes, and Application Controls
2. Objectives for Chapter 17
• Be familiar with the controls and audit tests relevant to the systems development process.
• Understand the risks and controls associated with program change procedures and the role of the source program library.
• Understand the auditing techniques (CAATTs) used to verify the effective functioning of application controls.
• Understand the auditing techniques used to perform substantive tests in an IT environment.

3. Systems Development Activities
• Authorizing development of new systems
• Addressing and documenting user needs
• Technical design phases
• Participation of internal auditors
• Testing program modules before implementing
• Testing individual modules by a team of users, internal audit staff, and systems professionals

4. System Development Life Cycle (Figure 14-1)

5. Systems Development
Auditing objectives: ensure that...
• SDLC activities are applied consistently and in accordance with management’s policies
• the system as originally implemented was free from material errors and fraud
• the system was judged to be necessary and justified at various checkpoints throughout the SDLC
• system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

6. Systems Development IC
• New systems must be authorized.
• Feasibility studies were conducted.
• User needs were analyzed and addressed.
• Cost-benefit analysis was done.
• Proper documentation was completed.
• All program modules must be thoroughly tested before they are implemented.
• Checklist of problems was kept.

7. System Maintenance IC
• Last, longest and most costly phase of SDLC
• Up to 80-90% of entire cost of a system
• All maintenance actions should require:
  • Technical specifications
  • Testing
  • Documentation updates
  • Formal authorizations for any changes

8. Program Change
Auditing objectives: detect unauthorized program maintenance and determine that...
• maintenance procedures protect applications from unauthorized changes
• applications are free from material errors
• program libraries are protected from unauthorized access

9. Source Program Library
• Source program library (SPL): library of applications and software
• place where programs are developed and modified
• once compiled into machine language, no longer vulnerable

10. Uncontrolled Access to the SPL (Figure 17-2)

11. Controlled SPL Environments
• SPL Management Systems (SPLMS) protect the SPL by controlling the following functions:
  • storing programs on the SPL
  • retrieving programs for maintenance purposes
  • deleting obsolete programs from the library
  • documenting program changes to provide an audit trail of the changes

12. Source Program Library under the Control of SPL Management Software (Figure 17-3)

13. SPL Control Features
• Password control
• Separation of test libraries
• Audit trails
• Reports that enhance management control and the audit function
• Assigns program version numbers automatically
• Controlled access to maintenance commands

14. Program Change
• Auditing procedures: verify that programs were properly maintained, including changes
• Specifically, verify:
  • identification and correction of unauthorized program changes
  • identification and correction of application errors
  • control of access to systems libraries
15. Application Controls
• Narrowly focused exposures within a specific system, for example:
  • accounts payable
  • cash disbursements
  • fixed asset accounting
  • payroll
  • sales order processing
  • cash receipts
  • general ledger

16. Application Controls: Input, Processing, Output
• Risks within specific applications
• Can affect manual procedures (e.g., entering data) or embedded (automated) procedures
• Convenient to look at in terms of:
  • input stage
  • processing stage
  • output stage

17. Application Input Controls
• Goal of input controls: valid, accurate, and complete input data
• Two common causes of input errors:
  • transcription errors – wrong character or value
  • transposition errors – ‘right’ character or value, but in wrong place

18. Application Input Controls
• Check digits – a control digit computed from the data code is appended to it
  • especially useful for transcription and transposition errors
• Missing data checks – control for blanks or incorrect justifications
• Numeric-alphabetic checks – verify that characters are in correct form

19. Application Input Controls
• Limit checks – identify values beyond pre-set limits
• Range checks – identify values outside upper and lower bounds
• Reasonableness checks – compare one field to another to see if the relationship is appropriate
• Validity checks – compare values to known or standard values
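The input controls of slides 17 to 19 as working code, added here as an illustration rather than taken from the slides: a modulus-11 check digit (the weighting scheme is an assumption) plus missing-data, numeric-alphabetic, limit, range, reasonableness and validity checks on a constructed payroll record whose field limits and department codes are likewise assumed.

```python
# Added example (not from the slides): input-stage application controls run over
# a constructed payroll record. The modulus-11 weighting scheme, field limits and
# department codes are assumptions made for the illustration.
from typing import Dict, List

VALID_DEPARTMENTS = {"ACCT", "PROD", "SHIP"}  # constructed list of known dept codes

def mod11_check_digit(code: str) -> str:
    """Modulus-11 check digit; weights run from len(code)+1 down to 2 (assumed scheme)."""
    if not code.isdigit():
        raise ValueError("check digit requires a numeric code")
    weights = range(len(code) + 1, 1, -1)
    total = sum(int(d) * w for d, w in zip(code, weights))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)  # remainder 10 has no single-digit form

def check_digit_valid(code_with_check: str) -> bool:
    """True when the trailing digit matches the check digit recomputed from the rest."""
    if len(code_with_check) < 2 or not code_with_check[:-1].isdigit():
        return False
    return mod11_check_digit(code_with_check[:-1]) == code_with_check[-1]

def validate_payroll_record(rec: Dict[str, str]) -> List[str]:
    """Apply the input checks listed on the slides; return the failures found."""
    errors: List[str] = []
    # Missing-data check: every field must be present and non-blank.
    for field in ("employee_no", "dept", "hours", "overtime", "rate"):
        if not rec.get(field, "").strip():
            errors.append(f"missing data: {field}")
    if errors:
        return errors
    # Numeric-alphabetic check: numeric fields must actually be numeric.
    try:
        hours, overtime, rate = (float(rec[k]) for k in ("hours", "overtime", "rate"))
    except ValueError:
        return ["numeric-alphabetic: hours, overtime and rate must be numeric"]
    # Check digit: catches transcription and transposition errors in the key field.
    if not check_digit_valid(rec["employee_no"]):
        errors.append("check digit: employee_no fails the modulus-11 test")
    if hours > 60:                                # limit check: one pre-set ceiling
        errors.append("limit: hours exceed 60 per week")
    if not 10.0 <= rate <= 150.0:                 # range check: upper and lower bounds
        errors.append("range: rate outside 10.00-150.00")
    if overtime > hours:                          # reasonableness check: field vs field
        errors.append("reasonableness: overtime exceeds hours worked")
    if rec["dept"] not in VALID_DEPARTMENTS:      # validity check: known standard values
        errors.append("validity: unknown dept code")
    return errors
```

With the weighted scheme, employee number 5372 gets check digit 4; the transposed entry 53274 and the miskeyed entry 53824 both fail the check, which is why weighted check digits catch both error types the slides name.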
20. Application Processing Controls
• Programmed processes that transform input data into information for output
• Three categories:
  • Batch controls
  • Run-to-run controls
  • Audit trail controls

21. Application Processing Controls
• Batch controls – reconcile system output with the input originally entered into the system
• Based on different types of batch totals:
  • total number of records
  • total dollar value
  • hash totals – sum of non-financial numbers

22. Application Processing Controls
• Run-to-run controls – use batch figures to monitor the batch as it moves from one programmed procedure (run) to another
• Audit trail controls – numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
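The batch totals of slide 21 and the run-to-run control of slide 22, as an added example that is not part of the slides: the three totals are fixed when a constructed cash-receipts batch is entered and recomputed after each run, so a run that silently loses a record is flagged.

```python
# Added example (not from the slides): batch controls and a run-to-run check over
# a constructed batch of cash-receipts transactions, using the three batch totals
# named on the slides: record count, dollar total and a hash total (here the
# meaningless sum of customer account numbers).
from dataclasses import dataclass
from decimal import Decimal
from typing import Iterable, List, NamedTuple

@dataclass(frozen=True)
class Receipt:
    customer_no: int
    amount: Decimal

class BatchTotals(NamedTuple):
    record_count: int
    dollar_total: Decimal
    hash_total: int

def compute_totals(batch: Iterable[Receipt]) -> BatchTotals:
    """Recompute the batch totals the same way at every stage of processing."""
    recs = list(batch)
    return BatchTotals(len(recs),
                       sum((r.amount for r in recs), Decimal("0")),
                       sum(r.customer_no for r in recs))  # non-financial control total

def run_to_run_check(stage: str, control: BatchTotals, actual: BatchTotals) -> List[str]:
    """Compare totals carried forward from input with those recomputed after a run."""
    return [f"{stage}: {name} expected {c}, got {a}"
            for name, c, a in zip(BatchTotals._fields, control, actual) if c != a]

def process_batch(batch: List[Receipt], runs) -> List[str]:
    """Push the batch through each (name, function) run, reconciling after every one."""
    control = compute_totals(batch)       # established when the batch is entered
    current, log = list(batch), []
    for name, run in runs:
        current = run(current)
        log.extend(run_to_run_check(name, control, compute_totals(current)))
    return log

# Constructed sample batch and two runs: an edit run that passes every record,
# and an update run whose defect silently drops the last record.
SAMPLE = [Receipt(10234, Decimal("150.00")), Receipt(20871, Decimal("75.25")),
          Receipt(30456, Decimal("1200.00"))]

def edit_run(recs: List[Receipt]) -> List[Receipt]:
    return [r for r in recs if r.amount > 0]

def faulty_update_run(recs: List[Receipt]) -> List[Receipt]:
    return recs[:-1]
```

Each control total catches a different failure: the record count catches a dropped record, the dollar total a changed amount, and the hash total a record swapped for one with the same amount but a different account number.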
23. Transaction Log to Preserve the Audit Trail (Figure 17-7)

24. Application Output Controls
Goal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. In the following flowchart, there are exposures at every stage.

25. Stages in the Output Process (Figure 17-8)

26. Application Controls: Output
• Output spooling – creates a file during the printing process that may be inappropriately accessed
• Printing – creates two risks:
  • production of unauthorized copies of output
  • employee browsing of sensitive data

27. Application Controls: Output
• Waste – can be stolen if not properly disposed of, e.g., by shredding
• Report distribution – for sensitive reports, the following are available:
  • use of secure mailboxes
  • require the user to sign for reports in person
  • deliver the reports to the user

28. Application Controls: Output
• End user controls – end users need to inspect sensitive reports for accuracy and shred them after use
• Controlling digital output – a digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links

29. Testing Application Controls
• Techniques for auditing applications fall into two classes:
  • testing application controls – two general approaches:
    • black box – around the computer
    • white box – through the computer
  • examining transaction details and account balances – substantive testing
30. Auditing Around the Computer: The Black Box Approach (Figure 17-9)

31. Auditing through the Computer: The ITF Technique (Figure 17-14)

32. Testing Application Controls
• Black Box Approach – focuses on input procedures and output results
• To gain the needed understanding:
  • analyze flowcharts
  • review documentation
  • conduct interviews

33. Testing Application Controls
• White Box Approach – focuses on understanding the internal logic of processes between input and output
• Common tests:
  • Authenticity tests
  • Accuracy tests
  • Completeness tests
  • Redundancy tests
  • Access tests
  • Audit trail tests
  • Rounding error tests

34. White Box Testing Techniques
• Test data method: testing for logic or control problems – good for new systems or systems which have undergone recent maintenance
  • base case system evaluation (BCSE) – using a comprehensive set of test transactions
  • tracing – performs an electronic walkthrough of the application’s internal logic
• Test data methods are not fool-proof:
  • a snapshot – one point in time examination
  • high cost of developing adequate test data

35. White Box Testing Techniques
• Integrated test facility (ITF): an automated, on-going technique that enables the auditor to test an application’s logic and controls during its normal operation
• Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system

36. The Parallel Simulation Technique (Figure 17-15)

37. Substantive Testing
• Techniques to substantiate account balances. For example:
  • search for unrecorded liabilities
  • confirm accounts receivable to ensure they are not overstated
• Requires first extracting data from the system. Two technologies commonly used to select, access, and organize data are:
  • embedded audit module
  • generalized audit software

38. Embedded Audit Module
• An ongoing module which filters out non-material transactions
• The chosen, material transactions are used for sampling in substantive tests
• Requires additional computing resources by the client
• Hard to maintain in systems with high maintenance

39. Embedded Audit Module Technique (Figure 17-16)

40. Generalized Audit Software
• Very popular & widely used
• Can access data files & perform operations on them:
  • screen data
  • statistical sampling methods
  • foot & balance
  • format reports
  • compare files and fields
  • recalculate data fields
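Three of the GAS operations listed on slide 40 applied to the substantive tests of slide 37, as an added example that is not part of the slides: footing a constructed payables file and balancing it to the general-ledger control account, recalculating each invoice's extended amount, and comparing the payables file with vendor statements to search for unrecorded liabilities. All file contents and balances are constructed.

```python
# Added example (not from the slides): generalized-audit-software style
# substantive tests on constructed data. It foots the payables file and balances
# it to the general-ledger control account, recalculates each invoice's extended
# amount, and compares the payables file with vendor statements to find invoices
# received but never recorded (a search for unrecorded liabilities).
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample files: recorded payables, vendor statements and the GL balance.
PAYABLES = [
    {"invoice": "V1-1001", "qty": 10, "unit_price": Decimal("12.50"), "amount": Decimal("125.00")},
    {"invoice": "V2-2001", "qty": 4, "unit_price": Decimal("300.00"), "amount": Decimal("1200.00")},
    {"invoice": "V3-3001", "qty": 7, "unit_price": Decimal("9.99"), "amount": Decimal("70.00")},
]
VENDOR_STATEMENTS = {"V1-1001": Decimal("125.00"), "V2-2001": Decimal("1200.00"),
                     "V3-3001": Decimal("69.93"), "V3-3002": Decimal("540.00")}
GL_CONTROL_BALANCE = Decimal("1395.00")  # posted from the same (miskeyed) file

def foot(records: List[dict], field: str = "amount") -> Decimal:
    """Foot (add down) one column of a file."""
    return sum((r[field] for r in records), Decimal("0"))

def foot_and_balance(records: List[dict], control: Decimal) -> Tuple[Decimal, Decimal]:
    """Return the footed total and its difference from the control account."""
    total = foot(records)
    return total, total - control

def recalculate(records: List[dict]) -> List[str]:
    """Invoices whose recorded amount does not equal qty * unit_price."""
    return [r["invoice"] for r in records if r["qty"] * r["unit_price"] != r["amount"]]

def unrecorded_liabilities(records: List[dict], statements: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """Compare files on the invoice field: statement items absent from payables."""
    recorded = {r["invoice"] for r in records}
    return {inv: amt for inv, amt in statements.items() if inv not in recorded}
```

The sample is built so that the file foots and balances to the control account even though one invoice is miskeyed; only the recalculation exposes that error, and only the file comparison exposes the invoice that was never recorded, which is why the operations are used together.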
41. Using GAS to Access Complex File Structure (Figure 17-18)