Hall
COPYRIGHT 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western are trademarks used herein under license
development
- Risks and controls for program changes and the source program library
- Auditing techniques (CAATTs) used to verify application controls
- Auditing techniques used to perform substantive tests in an IT environment
1. Systems Strategy
- Assessment - Develop Strategic Plan
2. Project Initiation
- Feasibility Study - Analysis - Conceptual Design - Cost/Benefit Analysis
3. In-house Development
- Construct - Deliver
4. Commercial Packages
- Configure - Test - Roll-out
Systems Development
Auditing objectives: ensure that...
- SDLC activities are applied consistently and in accordance with management's policies
- the system as originally implemented was free from material errors and fraud
- the system was judged to be necessary and justified at various checkpoints throughout the SDLC
- system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
Systems Development IC
- New systems must be authorized.
- Feasibility studies were conducted.
- User needs were analyzed and addressed.
- Cost-benefit analysis was done.
- Proper documentation was completed.
- All program modules must be thoroughly tested before they are implemented.
- Checklist of problems was kept.
System Maintenance IC
- Last, longest and most costly phase of SDLC
- Up to 80-90% of entire cost of a system
- All maintenance actions should require
  - Technical specifications
  - Testing
  - Documentation updates
  - Formal authorizations for any changes
Program Change
Auditing objectives: detect unauthorized program maintenance and determine that...
- maintenance procedures protect applications from unauthorized changes
- applications are free from material errors
- program libraries are protected from unauthorized access
and the audit function
- Assigns program version numbers automatically
- Controlled access to maintenance commands
Program Change
- Auditing procedures: verify that programs
program changes
- identification and correction of application errors
- control of access to systems libraries
Application Controls
- Narrowly focused exposures within a specific system, for example:
  - accounts payable
  - cash disbursements
  - fixed asset accounting
  - payroll
  - sales order processing
  - cash receipts
  - general ledger
Application Controls
- Risks within specific applications
- Can affect manual procedures (e.g., entering data) or
INPUT
PROCESSING
OUTPUT
wrong character or
control digit
- especially useful for transcription and transposition errors
incorrect justifications
- Numeric-alphabetic checks verify that characters are in correct form
output with the input originally entered into the system
- Based on different types of batch totals:
  - total number of records
  - total dollar value
  - hash totals - sum of non-financial numbers
to monitor the batch as it moves from one programmed procedure (run) to another
- Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
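The three batch totals listed above, carried through a run-to-run comparison, as an added example that is not part of the original slides. The record layout, the use of the account number as the hash-total field, and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account_no: int   # non-financial field, summed only for the hash total
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    dollar_total: Decimal
    hash_total: int


def control_totals(batch):
    """Compute the three batch totals recorded when the batch is created."""
    return ControlTotals(
        record_count=len(batch),
        dollar_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account_no for t in batch),
    )


def reconcile(expected, batch):
    """Run-to-run check: names of the totals that no longer match."""
    actual = control_totals(batch)
    return [name for name in ("record_count", "dollar_total", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]


# Constructed sample batch and the control record written at input time.
BATCH = [Txn(10452, Decimal("120.00")),
         Txn(20788, Decimal("75.50")),
         Txn(31907, Decimal("310.25"))]
HEADER = control_totals(BATCH)

# Constructed failure cases seen after a later run.
DROPPED = BATCH[:2]                                              # a record was lost
ALTERED = [BATCH[0], Txn(20788, Decimal("57.50")), BATCH[2]]     # amount transposed
REDIRECTED = [BATCH[0], Txn(20789, Decimal("75.50")), BATCH[2]]  # wrong account

if __name__ == "__main__":
    for label, run in [("clean", BATCH), ("dropped", DROPPED),
                       ("altered", ALTERED), ("redirected", REDIRECTED)]:
        print(label, reconcile(HEADER, run) or "totals agree")
```

In the redirected case the record count and dollar total both still agree, so the hash total is the only one of the three that flags the change.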
Output Flowchart
- Controlling digital output - digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links
approaches:
- black box - around the computer
- white box - through the computer
- Authenticity tests
- Accuracy tests
- Completeness tests
- Redundancy tests
- Access tests
- Audit trail tests
- Rounding error tests
problems - good for new systems or systems which have undergone recent maintenance
- base case system evaluation (BCSE) - using a comprehensive set of test transactions
- tracing - performs an electronic walkthrough of the application's internal logic
automated, on-going technique that enables the auditor to test an application's logic and controls during its normal operation
- Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system
Substantive Testing
- Techniques to substantiate account balances. For example:
  - search for unrecorded liabilities
  - confirm accounts receivable to ensure they are not overstated