Auditing IT Controls Part III: Systems Development, Program Changes, and Application Auditing
Learning Objectives
• Be familiar with the controls and audit tests relevant to the
systems development process.
• Understand the risks and controls associated with program
change procedures and the role of the source program
library.
• Understand the auditing techniques (CAATTs) used to verify
the effective functioning of application controls.
• Understand the auditing techniques used to perform
substantive tests in an IT environment.
James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part. 2
Systems Development Controls
• In reviewing the effectiveness of a particular systems
development methodology, the accountant should focus
on the controllable activities that are common to all
systems development approaches.
Program Testing Procedures
SOURCE PROGRAM LIBRARY CONTROLS
THE WORST-CASE SITUATION: NO CONTROLS
• Legitimate maintenance programmers and others may
access any programs stored in the library, which has no
provision for detecting an unauthorized intrusion.
• Because these programs are open to unauthorized
changes, no basis exists for relying on the effectiveness of
controls designed into them.
• With no control over access to the SPL, a program’s
integrity during the period of review cannot be
established.
• Password Control
• Separation of Test Libraries
• Audit Trail and Management Reports
• Program Version Numbers
• Controlling Access to Maintenance Commands
• Audit Objectives Relating to Systems Maintenance
• Tests of controls are tests that establish whether internal
controls are functioning properly.
A CONTROLLED SPL ENVIRONMENT
(continued)
Auditing SPL Software System
DESIGNING TESTS OF APPLICATION CONTROLS
• Tests for IT control fall into these general categories:
1. Access tests are tests that ensure that the application
prevents authorized users from unauthorized access to data.
2. Validity tests ensure that the system processes only data
values that conform to specified tolerances.
3. Accuracy tests are tests that ensure that the system
processes only data values that conform to specified
tolerances.
4. Completeness tests are tests identifying missing data within a
single record and entire records missing from a batch.
5. Redundancy tests are tests that determine that an application
processes each record only once.
6. Audit trail tests ensure that the application creates an
adequate audit trail.
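Completeness and redundancy tests (items 4 and 5) applied to one batch, as an added example that is not from the slides or the textbook. The record layout, the batch header fields and the data are constructed; sequence numbers are assumed to be contiguous within a batch.

```python
"""Completeness and redundancy tests over one batch (constructed data)."""

REQUIRED = ("seq", "customer", "amount")  # assumed record layout

# Constructed batch: seq 1003 is absent, 1004 arrives twice, 1005 has no customer.
# The record count (5) still agrees with the header, so a count check alone passes.
BATCH = [
    {"seq": 1001, "customer": "C-17", "amount": "250.00"},
    {"seq": 1002, "customer": "C-04", "amount": "75.10"},
    {"seq": 1004, "customer": "C-22", "amount": "19.99"},
    {"seq": 1004, "customer": "C-22", "amount": "19.99"},
    {"seq": 1005, "customer": "", "amount": "310.00"},
]
HEADER = {"first_seq": 1001, "last_seq": 1005, "record_count": 5}


def completeness_test(batch, header):
    """Return (records with empty required fields, sequence numbers missing from the batch)."""
    incomplete = {}
    for rec in batch:
        empty = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if empty:
            incomplete[rec.get("seq")] = empty
    expected = set(range(header["first_seq"], header["last_seq"] + 1))
    missing = sorted(expected - {rec.get("seq") for rec in batch})
    return incomplete, missing


def redundancy_test(batch):
    """Return sequence numbers that appear more than once in the batch."""
    seen, dupes = set(), set()
    for rec in batch:
        (dupes if rec["seq"] in seen else seen).add(rec["seq"])
    return sorted(dupes)


if __name__ == "__main__":
    incomplete, missing = completeness_test(BATCH, HEADER)
    print("count matches header:", len(BATCH) == HEADER["record_count"])
    print("incomplete records:", incomplete)
    print("missing from batch:", missing)
    print("processed twice:", redundancy_test(BATCH))
```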
DESIGNING TESTS OF APPLICATION CONTROLS (continued)
• Examples of Tests of IT Application Controls
  • TESTING CUSTOMER CREDIT APPROVALS
  • TESTING ACCURACY OF POSTINGS TO CUSTOMER ACCOUNTS
  • TESTING THE THREE-WAY MATCH
  • TESTING MULTILEVEL SECURITY AND ACCESS PRIVILEGES IN THE PURCHASES/AP SYSTEM
  • TESTING ROUNDING ERROR ROUTINES IN FINANCIAL SYSTEMS
    • Salami fraud is fraud in which each of multiple victims is defrauded out of a very small amount, but the fraud in total constitutes a large sum.
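One way an auditor can test a rounding routine for the salami pattern, as an added example that is not from the slides or the textbook. The interest rate, the round-half-up-to-the-cent policy, the account numbers and the postings are all constructed assumptions; the auditor recomputes each posting independently and compares account by account.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.000137")  # assumed periodic interest rate (constructed)

# Constructed output of the application under review:
# (account, balance, interest the application posted)
POSTED = [
    ("A-100", Decimal("1234.56"), Decimal("0.16")),
    ("A-101", Decimal("8000.00"), Decimal("1.09")),
    ("A-102", Decimal("500.00"), Decimal("0.06")),
    ("A-103", Decimal("2000.00"), Decimal("0.27")),
    ("A-999", Decimal("10.00"), Decimal("0.03")),
]


def expected_interest(balance, rate=RATE):
    """Auditor's independent calculation, rounded half-up to the cent (assumed policy)."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)


def rounding_exceptions(postings):
    """Map account -> (posted - expected) for every posting that differs."""
    diffs = {}
    for account, balance, posted in postings:
        delta = posted - expected_interest(balance)
        if delta != 0:
            diffs[account] = delta
    return diffs


def net_difference(postings):
    """Total posted minus total expected; zero means the control total still balances."""
    return sum((p - expected_interest(b) for _, b, p in postings), Decimal("0"))


if __name__ == "__main__":
    for account, delta in rounding_exceptions(POSTED).items():
        print(account, delta)
    print("net difference:", net_difference(POSTED))
```

In this constructed data the total interest posted agrees with the auditor's total, so a control-total reconciliation passes; only the per-account comparison shows three accounts each short by one cent and one account over by three.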
Sample Data
BLACK BOX APPROACH
THROUGH-THE-COMPUTER APPROACHES
• Computer-assisted audit tools and techniques (CAATTs) is the use of computers to illustrate how application controls are tested and to verify the effective functioning of application controls.
• Test Data Method
  • The test data method is a technique used to establish application integrity by processing specially prepared sets of input data through production applications that are under review.
  • CREATING TEST DATA
• Base Case System Evaluation
  • Base case system evaluation (BCSE) is a variant of the test data technique in which comprehensive test data are used.
THROUGH-THE-COMPUTER APPROACHES (continued)
• Tracing
  • Tracing is a test data technique that performs an electronic walkthrough of the application’s internal logic.
• Advantages of Test Data Techniques
• Disadvantages of Test Data Techniques
Tracing
THE INTEGRATED TEST FACILITY
PARALLEL SIMULATION
Substantive Testing Techniques
• Substantive tests are tests that determine whether
database contents fairly reflect the organization’s
transactions.
• Substantive tests include, but are not limited to, the
following:
1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.
3. Confirming accounts receivable with customers.
4. Searching for unrecorded liabilities.
Embedded Audit Model Technique
Using GAS to Access Simple File Structure
Complex Database Structure