CHAPTER 8

SYSTEMS DEVELOPMENT,
PROGRAM CHANGES, AND
APPLICATION CONTROLS
Objectives
 Be familiar with the controls and audit tests
relevant to the systems development process.
 Understand the risks and controls associated
with program change procedures and the role
of the source program library.
 Understand the auditing techniques used to
verify the effective functioning of application
controls.
 Understand the auditing techniques used to
perform substantive tests in an IT
environment.
2
8.1.Systems Development Activities
 Authorizing development of new systems
 Addressing and documenting user needs
 Technical design phases
 Participation of internal auditors
 Testing program modules before implementing
Testing individual modules by a team of users, internal
audit staff, and systems professionals

3
System Development Life Cycle

Figure 14-1

4
Systems Development
Auditing objectives: ensure that...
SDLC activities are applied consistently
and in accordance with management’s
policies
the system as originally implemented
was free from material errors and fraud
the system was judged to be necessary
and justified at various checkpoints
throughout the SDLC
system documentation is sufficiently
accurate and complete to facilitate audit
5
Systems Development IC
 New systems must be authorized.
 Feasibility studies were conducted.
 User needs were analyzed and
addressed.
 Cost-benefit analysis was done.
 Proper documentation was completed.
 All program modules must be thoroughly
tested before they are implemented.
 Checklist of problems was kept.

6
System Maintenance IC
 Last, longest and most costly phase of SDLC
 Up to 80-90% of entire cost of a system
 All maintenance actions should require
Technical specifications
Testing
Documentation updates
Formal authorizations for any changes

7
Program Change
Auditing objectives: detect
unauthorized program maintenance and
determine that...
maintenance procedures protect
applications from unauthorized changes
applications are free from material errors
program libraries are protected from
unauthorized access

8
Source Program Library(SPL)
 Source program library (SPL)
library of applications and software
place where programs are developed and
modified
once compiled into machine language, no
longer vulnerable

9
Uncontrolled Access to the SPL

10
Controlled SPL Environments
 SPL Management Systems (SPLMS) protect the
SPL by controlling the following functions:
storing programs on the SPL
retrieving programs for maintenance
purposes
deleting obsolete programs from the
library
documenting program changes to
provide an audit trail of the changes

11
Source Program Library under the Control of SPL Management Software

Figure 17-3

12
SPL Control Features
 Password control
 Separation of test libraries
 Audit trails
 Reports that enhance management control and
the audit function
 Assigns program version numbers
automatically
 Controlled access to maintenance commands

13
Program Change
 Auditing procedures: verify that programs
were properly maintained, including changes
 Specifically, verify…
identification and correction of unauthorized
program changes
identification and correction of application errors
control of access to systems libraries

14
8.3.Application Controls
 Narrowly focused exposures within a specific
system, for example:
accounts payable
cash disbursements
fixed asset accounting
payroll
sales order processing
cash receipts
general ledger

15
8.2.Application Controls
 Risks within specific applications
 Can affect manual procedures (e.g., entering
data) or embedded (automated) procedures
 Convenient to look at in terms of:
1.Input stage
2.Processing stage
3.Output stage

INPUT PROCESSING OUTPUT

16
1.Application Input Controls
 Goal of input controls - valid, accurate,
and complete input data
 Two common causes of input errors:
transcription errors – wrong character or value
transposition errors – ‘right’ character or value,
but in wrong place

17
1.Application Input Controls
 Check digits – data code is added to produce a
control digit
especially useful for transcription and transposition
errors
 Missing data checks – control for blanks or
incorrect justifications
 Numeric-alphabetic checks – verify that characters
are in correct form

18
1.Application Input Controls
 Limit checks – identify values beyond pre-
set limits
 Range checks – identify values outside upper
and lower bounds
 Reasonableness checks – compare one field to
another to see if relationship is appropriate
 Validity checks – compares values to known or
standard values

19
2.Application Processing Controls
 Programmed processes that transform
input data into information for output
 Three categories:
A. Batch controls
B. Run-to-run controls
C. Audit trail controls

20
2.Application Processing Controls
A. Batch controls - reconcile system output
with the input originally entered into the
system
 Based on different types of batch totals:
total number of records
total dollar value
hash totals – sum of non-financial numbers

21
2.Application Processing Controls
B. Run-to-run controls - use batch figures to
monitor the batch as it moves from one
programmed procedure (run) to another
C. Audit trail controls - numerous logs used so
that every transaction can be traced through
each stage of processing from its economic
source to its presentation in financial
statements

22
Transaction Log to Preserve the Audit Trail

Figure 17-7

23
3.Application Output Controls
 Goal of output controls is to ensure that
system output is not lost, misdirected, or
corrupted, and that privacy is not violated.
 In the following flowchart, there are
exposures at every stage.

24
Stages in the Output Process

Figure 17-8

25
3.Application Controls Output
 Output spooling – creates a file during
the printing process that may be
inappropriately accessed
 Printing – create two risks:
production of unauthorized copies of output
employee browsing of sensitive data

26
3.Application Controls Output
 Waste – can be stolen if not properly disposed
of, e.g., shredding
 Report distribution – for sensitive reports, the
following are available:
use of secure mailboxes
require the user to sign for reports in person
deliver the reports to the user

27
3.Application Controls Output
 End user controls – end users need to
inspect sensitive reports for accuracy
shred after used
 Controlling digital output – digital output
message can be intercepted, disrupted,
destroyed, or corrupted as it passes along
communications links

28
8.3.Testing Application Controls
 Techniques for auditing applications fall
into two classes:
1. Testing application controls – two general
approaches:
– black box – around the computer
– white box – through the computer
2. Examining transaction details and account
balances—substantive testing

29
Auditing Around the Computer - The Black Box
Approach

Figure 17-9

30
Auditing through the Computer: The ITF
Technique

Figure 17-14

31
8.3.Testing computer Application Controls
 Black Box Approach – focuses on input
procedures and output results
 To Gain need understanding…
analyze flowcharts
review documentation
conduct interviews

32
8.3 Testing computer Application Controls
 White Box Approach - focuses on understanding
the internal logic of processes between input and
output
 Common tests
Authenticity tests
Accuracy tests
Completeness tests
Redundancy tests
Access tests
Audit trail tests
Rounding error tests

33
White Box Testing Techniques
 Test data method: testing for logic or control
problems - good for new systems or systems which
have undergone recent maintenance
base case system evaluation (BCSE) - using a
comprehensive set of test transactions
tracing - performs an electronic walkthrough of the
application’s internal logic
 Test data methods are not fool-proof
a snapshot - one point in time examination
high-cost of developing adequate test data

34
White Box Testing Techniques
 Integrated test facility (ITF): an automated,
on-going technique that enables the auditor to
test an application’s logic and controls during
its normal operation
 Parallel simulation: auditor writes simulation
programs and runs actual transactions of the
client through the system

35
The Parallel Simulation Technique

Figure 17-15

36
8.4.Substantive Testing Techniques
 Techniques to substantiate account balances. For
example:
search for unrecorded liabilities
confirm accounts receivable to ensure they are not
overstated
 Requires first extracting data from the system.
Two technologies commonly used to select,
access, and organize data are:
1.Embedded audit module(EAM)
2.Generalized audit software(GAS)

37
1. Embedded Audit Module(EAM)
 An ongoing module which filters out non-material
transactions
 The chosen, material transactions are used for
sampling in substantive tests
 Requires additional computing resources by the
client
 Hard to maintain in systems with high
maintenance

38
Embedded Audit Module Technique

Figure 17-16

39
2.Generalized Audit Software(GAS)
 Very popular & widely used
 Can access data files & perform operations on
them:
screen data
statistical sampling methods
foot & balance
format reports
compare files and fields
recalculate data fields

40
Using GAS to Access Complex File Structure

Figure 17-18

41
THANK YOU!

42