Chapter 16
Auditing IT Controls Part III: Systems Development, Program Changes, and Application Auditing

James A. Hall, Accounting Information Systems, 10th Edition. © 2019 Cengage. All Rights Reserved.
May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.

Learning Objectives
• Be familiar with the controls and audit tests relevant to the
systems development process.
• Understand the risks and controls associated with program
change procedures and the role of the source program
library.
• Understand the auditing techniques (CAATTs) used to verify
the effective functioning of application controls.
• Understand the auditing techniques used to perform
substantive tests in an IT environment.

Systems Development Controls
• In reviewing the effectiveness of a particular systems
development methodology, the accountant should focus
on the controllable activities that are common to all
systems development approaches.

CONTROLLING SYSTEMS DEVELOPMENT ACTIVITIES
• Systems Authorization Activities
• User Specification Activities
• Technical Design Activities
• Internal Audit Participation
• Program Testing
• User Test and Acceptance Procedures
• Audit Objectives Relating to Systems Development
• Tests of Systems Development Controls

Program Testing Procedures

CONTROLLING PROGRAM CHANGE ACTIVITIES
• Upon implementation, the information system enters the
maintenance phase of the SDLC.
• Little is served by designing and implementing controls
over systems development activities if control is not
continued into the maintenance phase.

SOURCE PROGRAM LIBRARY CONTROLS

• Even with formal maintenance procedures in place,
individuals who gain unauthorized access to programs
threaten application integrity.
• In larger computer systems, application program modules
are stored in source code format on a disk repository
called the source program library (SPL).
• Executing a production application requires that the
source code be compiled and linked to a load module,
which the computer can process.

Uncontrolled Access to the Source Program Library

THE WORST-CASE SITUATION: NO CONTROLS
• Legitimate maintenance programmers and others may
access any programs stored in the library, which has no
provision for detecting an unauthorized intrusion.
• Because these programs are open to unauthorized
changes, no basis exists for relying on the effectiveness of
controls designed into them.
• With no control over access to the SPL, a program’s
integrity during the period of review cannot be
established.

A CONTROLLED SPL ENVIRONMENT

• Password Control
• Separation of Test Libraries
• Audit Trail and Management Reports
• Program Version Numbers
• Controlling Access to Maintenance Commands
• Audit Objectives Relating to Systems Maintenance
• Tests of controls are tests that establish whether internal
controls are functioning properly.

A CONTROLLED SPL ENVIRONMENT (continued)

• Audit Procedures for Identifying Unauthorized Program Changes
• RECONCILE PROGRAM VERSION NUMBERS
• CONFIRM MAINTENANCE AUTHORIZATION
• Audit Procedures for Identifying Application Errors
• RECONCILE THE SOURCE CODE
• REVIEW THE TEST RESULTS
• RETEST THE PROGRAM
• Audit Procedures for Testing Access to Libraries
• REVIEW PROGRAMMER AUTHORITY TABLES
• TEST AUTHORITY TABLE
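As an added example that is not part of the textbook, the following script carries out the first three procedures above: it reconciles SPL version-number increments with maintenance authorizations and reconciles a production program's source against the hash recorded at its last authorized version. The SPL log layout, the program names, the change-request references and the production version numbers are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

def reconcile_versions(audit_trail, authorizations, production_versions):
    """Reconcile program version numbers and confirm maintenance authorization.
    audit_trail: SPL log entries as (program, old_version, new_version, change_ref)
    authorizations: set of change_refs approved through maintenance authorization
    production_versions: program -> version number of the copy now in production
    Returns {program: [finding, ...]} for programs with exceptions only."""
    by_program = defaultdict(list)
    for program, old, new, ref in audit_trail:
        by_program[program].append((old, new, ref))
    findings = defaultdict(list)
    for program, current in production_versions.items():
        changes = sorted(by_program.get(program, []), key=lambda c: c[0])
        expected = changes[0][0] if changes else current
        for old, new, ref in changes:
            if old != expected:            # an increment with no SPL log entry
                findings[program].append(f"unlogged change: version {expected} -> {old}")
            if new != old + 1:             # version numbers must advance by exactly one
                findings[program].append(f"version skipped: {old} -> {new}")
            if ref not in authorizations:  # confirm maintenance authorization
                findings[program].append(f"version {new}: change {ref!r} not authorized")
            expected = new
        if current != expected:            # production copy disagrees with the trail
            findings[program].append(f"production is v{current}, trail ends at v{expected}")
    return dict(findings)

def source_matches(source_text, authorized_sha256):
    """Reconcile the source code: the hash of the production copy must equal the
    hash recorded for the version the auditor last tested and authorized."""
    return hashlib.sha256(source_text.encode()).hexdigest() == authorized_sha256

# Constructed sample SPL trail, authorizations and production versions (not textbook data).
TRAIL = [("PAYROLL", 3, 4, "CR-2041"), ("PAYROLL", 4, 5, "CR-2077"),
         ("AP-POST", 7, 8, "CR-2050"), ("AP-POST", 9, 10, "CR-2099"),
         ("AR-AGE", 2, 3, None)]
AUTHORIZED = {"CR-2041", "CR-2077", "CR-2050", "CR-2099"}
PRODUCTION = {"PAYROLL": 5, "AP-POST": 10, "AR-AGE": 4}

if __name__ == "__main__":
    for program, items in reconcile_versions(TRAIL, AUTHORIZED, PRODUCTION).items():
        print(program, items)
```

In the sample, PAYROLL reconciles cleanly, AP-POST shows a version increment (8 to 9) with no log entry, and AR-AGE shows an unauthorized change plus a production copy one version ahead of the trail.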

Source Program Library under the Control of SPL Management Software

Auditing SPL Software System

IT Application Control Testing and Substantive Testing
• In addition to general IT controls, SOX requires
management and auditors to consider application controls
relevant to financial reporting.
• These controls fall into three broad categories:
1. Input controls
2. Processing controls
3. Output controls

DESIGNING TESTS OF APPLICATION CONTROLS
• Tests for IT control fall into these general categories:
1. Access tests ensure that the application prevents authorized users
from gaining unauthorized access to data.
2. Validity tests ensure that the system processes only data
values that conform to specified tolerances.
3. Accuracy tests are tests that ensure that the system
processes only data values that conform to specified
tolerances.
4. Completeness tests are tests identifying missing data within a
single record and entire records missing from a batch.
5. Redundancy tests are tests that determine that an application
processes each record only once.
6. Audit trail tests ensure that the application creates an
adequate audit trail.

The Test Data Technique

DESIGNING TESTS OF APPLICATION CONTROLS (continued)
• Examples of Tests of IT Application Controls
• TESTING CUSTOMER CREDIT APPROVALS
• TESTING ACCURACY OF POSTINGS TO CUSTOMER
ACCOUNTS
• TESTING THE THREE-WAY MATCH
• TESTING MULTILEVEL SECURITY AND ACCESS
PRIVILEGES IN THE PURCHASES/AP SYSTEM
• TESTING ROUNDING ERROR ROUTINES IN FINANCIAL
SYSTEMS
• Salami fraud is fraud in which each of multiple victims is
defrauded out of a very small amount, but the fraud in total
constitutes a large sum.

Rounding Error Algorithm

Sample Data

Internal Control Testing Techniques

• Techniques for performing tests
• Black box approach
• Through-the-computer techniques

BLACK BOX APPROACH

• The black box approach is an approach that does not
require the auditor to create test files or to obtain a
detailed knowledge of the application’s internal logic.
Instead, auditors can analyze flowcharts and interview
knowledgeable personnel in the client’s organization to
understand the functional characteristics of the
application.

Auditing around the Computer – The Black Box Approach

THROUGH-THE-COMPUTER APPROACHES
• Computer-assisted audit tools and techniques
(CAATTs) refers to the use of computers to illustrate how
application controls are tested and to verify the effective
functioning of application controls.
• Test Data Method
• The test data method is a technique used to establish
application integrity by processing specially prepared sets of
input data through production applications that are under
review.
• CREATING TEST DATA
• Base Case System Evaluation
• Base case system evaluation (BCSE) is a variant of the test
data technique in which comprehensive test data are used.

Example of Test Data and Test Results

THROUGH-THE-COMPUTER APPROACHES (continued)
• Tracing
• Tracing is a test data technique that performs an electronic
walkthrough of the application’s internal logic.
• Advantages of Test Data Techniques
• Disadvantages of Test Data Techniques

Tracing

THE INTEGRATED TEST FACILITY

• Integrated test facility (ITF) is an automated technique
that enables the auditor to test an application’s logic and
controls during its normal operation.
• Advantages of ITF
• Disadvantages of ITF

The ITF Technique

PARALLEL SIMULATION

• Parallel simulation is a technique that requires the
auditor to write a program that simulates key features of
processes of the application under review.
• Creating a Simulation Program
• Generalized audit software (GAS) is software that allows
auditors to access electronically coded data files and perform
various operations on their contents.
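As an added example that is not part of the textbook, a small parallel simulation in the spirit of the GAS approach above, applied to the rounding error routine named in the earlier slide: the auditor recomputes monthly interest independently, compares each posting with the application's, and checks that every cent removed by rounding arrives in the remainder account rather than disappearing (the pattern a salami fraud depends on). The account numbers, balances, rate and both sets of application output are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def simulate_interest(balances, monthly_rate):
    """Auditor's simulation of the interest routine: for each account, the exact
    interest and the half-up cent rounding the auditor expects to be posted."""
    sim = {}
    for acct, balance in balances.items():
        exact = balance * monthly_rate
        sim[acct] = (exact, exact.quantize(CENT, rounding=ROUND_HALF_UP))
    return sim

def reconcile(sim, posted, remainder_posted):
    """Compare the application's postings with the simulation.
    Returns a list of exception strings; an empty list means no exceptions."""
    exceptions = []
    for acct, (exact, expected) in sim.items():
        amount = posted.get(acct)
        if amount is None:                       # completeness test
            exceptions.append(f"{acct}: no interest posting found")
        elif abs(amount - expected) > CENT:      # accuracy test; a one-cent
            exceptions.append(                   # rounding adjustment is allowed
                f"{acct}: posted {amount}, simulation expected {expected}")
    # Conservation test: rounding may only move cents into the remainder account,
    # so exact total interest (to the cent) must equal postings plus remainder.
    total_exact = sum(exact for exact, _ in sim.values())
    total_exact = total_exact.quantize(CENT, rounding=ROUND_HALF_UP)
    total_posted = sum(posted.values(), Decimal("0")) + remainder_posted
    if total_exact != total_posted:
        exceptions.append(f"rounding leak: exact total {total_exact}, "
                          f"posted total {total_posted}")
    return exceptions

# Constructed sample data (not from the textbook): four accounts at 4.95%/12 per month.
BALANCES = {"A-1001": Decimal("1234.56"), "A-1002": Decimal("2000.00"),
            "A-1003": Decimal("987.65"), "A-1004": Decimal("3333.33")}
RATE = Decimal("0.004125")
# Output of a correct routine: half-up postings, leftover fractions to remainder.
HONEST = ({"A-1001": Decimal("5.09"), "A-1002": Decimal("8.25"),
           "A-1003": Decimal("4.07"), "A-1004": Decimal("13.75")}, Decimal("0.01"))
# Output of a routine that truncates each posting and books no remainder.
TRUNCATED = ({"A-1001": Decimal("5.09"), "A-1002": Decimal("8.25"),
              "A-1003": Decimal("4.07"), "A-1004": Decimal("13.74")}, Decimal("0.00"))

if __name__ == "__main__":
    sim = simulate_interest(BALANCES, RATE)
    print(reconcile(sim, *HONEST))     # no exceptions
    print(reconcile(sim, *TRUNCATED))  # per-account tests pass; conservation test fails
```

The truncating routine passes every per-account comparison (each posting is within one cent of the simulation), so only the conservation test exposes the two cents that left the books.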

Parallel Simulation Technique

Substantive Testing Techniques
• Substantive tests are tests that determine whether
database contents fairly reflect the organization’s
transactions.
• Substantive tests include, but are not limited to, the
following:
1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.
3. Confirming accounts receivable with customers.
4. Searching for unrecorded liabilities.

THE EMBEDDED AUDIT MODULE

• Embedded audit module (EAM) is a technique in which
one or more specially programmed modules embedded in
a host application select and record predetermined types
of transactions for subsequent analysis.
• Disadvantages of EAMs
• OPERATIONAL EFFICIENCY
• VERIFYING EAM INTEGRITY

Embedded Audit Module Technique

GENERALIZED AUDIT SOFTWARE

• Using GAS to Access Simple Structures
• Using GAS to Access Complex Structures
• Audit Issue Pertaining to the Creation of Flat Files

Using GAS to Access Simple File Structure

Using GAS to Access Complex File Structure

Complex Database Structure

Flat Version of a Complex File Structure
