Chapter 7

Computer-Assisted Audit Tools and Techniques

Review Questions

1. What are the broad classes of input controls?


Response:
a. source document controls
b. data coding controls
c. batch controls
d. validation controls
e. input error correction controls
f. generalized data input systems

2. Explain the importance of source documents and associated control techniques.


Response: Because physical source documents can be used to remove assets
from the organization by creating unauthorized transactions, careful control must
be exercised over these documents. These documents can be pre-numbered, so
that every blank form is tracked, and used in sequence to aid the tracking process.
Source documents should be securely locked up when they are not being used. The
tracking process should include the investigation of any missing documents by
management and periodic audit to identify any missing documents.

3. Give one example of an error that is detected by a check digit control.


Response: Check digits can effectively be used to determine that all of the
numbers in a numeric data stream were entered. This method involves adding up
the numbers in the data stream in order to determine the check digit. Consider the
following number, 789. The check digit would be: 7 + 8 + 9 = 24 = 6. If a 7, an 8, and
a 9 are not entered, then chances are that the check digit will be incorrect. This
method will not detect a transposition error. For example, if 879 were entered, the
check digit would still be 6.
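
The behaviour described in this response, as an added Python example that is not part of the original answer key. It reads "24 = 6" as adding the digits of 24, and compares that scheme with a weighted modulus-11 check digit, which is an assumption introduced here to show a scheme that does catch the transposition; all function names are hypothetical.

```python
def digit_sum_check(number: str) -> int:
    """Check digit as in the response: add the digits, then keep adding
    the digits of the result until one digit remains (24 -> 6)."""
    total = sum(int(ch) for ch in number)
    while total > 9:
        total = sum(int(ch) for ch in str(total))
    return total


def mod11_check(number: str) -> str:
    """Weighted modulus-11 check digit (assumed scheme, not from the page).
    Weights 2, 3, 4, ... run from the rightmost digit leftward, so the
    position of each digit affects the result."""
    weighted = sum(int(ch) * w for w, ch in enumerate(reversed(number), start=2))
    check = (11 - weighted % 11) % 11
    return "X" if check == 10 else str(check)


def verify(code: str, scheme) -> bool:
    """Split a keyed code into base digits plus trailing check digit and
    recompute the check digit from the base."""
    base, given = code[:-1], code[-1]
    return str(scheme(base)) == given


def audit(original: str, keyed: str) -> dict:
    """For each scheme, report whether keying `keyed` instead of `original`
    (with the originally issued check digit) is detected."""
    results = {}
    for name, scheme in (("digit_sum", digit_sum_check), ("mod11", mod11_check)):
        issued = original + str(scheme(original))    # code as issued
        entered = keyed + issued[-1]                 # wrong base, issued check digit
        results[name] = not verify(entered, scheme)  # True means error detected
    return results


if __name__ == "__main__":
    print(audit("789", "879"))  # transposition of the first two digits
    print(audit("789", "779"))  # substitution of one digit
```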

4. What are the primary objectives of a batch control?


Response: The objective of batch control is to reconcile output
produced by the system with the input originally entered into the system. This
provides assurance that
a. All records in the batch are processed.
b. No records are processed more than once.
c. An audit trail of transactions is created from input through processing to
the output stage of the system.

5. Classify each of the following as a field, record, or file interrogation:


a. Limit check
b. Validity check
c. Version check
d. Missing data check
e. Sign checks
f. Expiration date check
g. Numeric-alphabetic data check
h. Sequence check
i. Zero-value check
j. Header label check
k. Range check
l. Reasonableness check

Response
a. field
b. field
c. file
d. field
e. record
f. file
g. field
h. record
i. field
j. file
k. field
l. record

6. Compare the three common error-handling techniques discussed in the text.


Response:
Three common error handling techniques are (1) correct immediately, (2) create an
error file, and (3) reject the entire batch. (1) Correct Immediately. If the system is
using the direct data validation approach, error detection and correction can take
place during data entry. Upon detecting a keystroke error or an illogical
relationship, the system should halt the data entry procedure until the user corrects
the error. (2) Create an Error File. When delayed validation is being used, such as in
batch systems with sequential files, individual errors should be flagged to prevent
them from being processed. At the end of the validation procedure, the records
flagged as errors are removed from the batch and placed in a temporary error
holding file until the errors can be investigated. (3) Reject the Batch. Some forms of
errors are associated with the entire batch and are not clearly attributable to
individual records. The most effective solution in this case is to cease processing and
return the entire batch to data control to evaluate, correct, and resubmit.

7. What are the five major components of a GDIS?


Response:
a. generalized validation module
b. validated data file
c. error file
d. error reports
e. transaction log

8. What are the three categories of processing controls?
Response:
a. run-to-run controls
b. operator intervention controls
c. audit trail controls

9. If all of the inputs have been validated before processing, then what purpose do
run-to-run controls serve?
Response: The run-to-run control is a control device to ensure that no
records are lost, unprocessed, or processed more than once for each of the
computer runs (processes) that the records must flow through.

10. What is the objective of a transaction log?


Response: One of the objectives of a transaction log is to create a separate,
permanent record of all transactions that have changed account balances.

11. How can spooling present an added exposure?


Response: The creation of an output file as an intermediate step in the
printing process presents an added exposure. A computer criminal may access the
file and change it, copy it, delete or use the information in it, or destroy it.

Discussion Questions

1. The field calls for an “M” for married or an “S” for single. The entry is a “2.” What
control will detect this error?
Response: Numeric/alphabetic data checks or validity check

2. The firm allows no more than 10 hours of overtime a week. An employee entered
“15” in the field. Which control will detect this error?
Response: Limit check

3. The password was “CANARY”; the employee entered “CAANARY.” Which control
will detect this error?
Response: Validity check

4. The inventory item number was omitted on the purchase order. Which control
will detect this error?
Response: Missing data check

5. The order entry system will allow a 10 percent variation in list price. For example,
an item with a list price of $1 could be sold for 90 cents or $1.10 without any system
interference. The cost of the item is $3, but the cashier entered $2. Which control
would detect this error?
Response: Range check

6. How does privacy relate to output control?
Response: If the privacy of certain types of output is violated, for example,
sensitive information about clients or customers, a firm could be legally exposed.

7. What are some typical problems with passwords?


Response: Users failing to remember passwords, failure to change
passwords frequently, displaying passwords where others can see them, and using
simple, easy to guess passwords

8. What are the three categories of processing control?


Response: Run-to-run controls, operator intervention controls, and audit
trail controls

9. Output controls ensure that output is not lost, misdirected, or corrupted and that
privacy is not violated. What are some output exposures, or situations where output
is at risk?
Response: Output is removed from the printer by the computer operator,
separated into sheets and separated from other reports, reviewed for correctness by
the data control clerk, and then sent through interoffice mail to the end user. Each
stage in this process is a point of potential exposure where the output could be
reviewed, stolen, copied, or misdirected. An additional exposure exists when
processing or printing goes wrong and produces output that is unacceptable to the
end user. These corrupted or partially damaged reports are often discarded in waste
cans. Computer criminals have successfully used such waste to achieve their illicit
objectives.

10. Input validation includes field interrogation that examines the data in individual
fields. List four validation tests and indicate what is checked in each.
Response: Numeric-alphabetic checks look for the correct content in a field,
numbers, or letters; zero-value checks determine if necessary zeros are present;
limit checks verify that values are within preset limits; range checks verify the
values fall within an acceptable range. Other acceptable responses include missing
data checks that look for blank spaces, validity checks that compare actual values in
a field against known acceptable values, and check digit controls that identify
keystroke errors in key fields.

11. What is record interrogation? Give two examples.


Response: Record interrogation examines the combination of fields in a
record to determine consistency. Record interrogation tests include reasonableness
checks, sign checks, sequence checks. Examples of record interrogation include:
checking that pay rate and job class agree, and checking that the balance in accounts
payable is a credit, etc.

Multiple Choice

1. B 17. C
2. B 18. A
3. D 19. D
4. C 20. A
5. C 21. D
6. D 22. C
7. B 23. B
8. C 24. C
9. D 25. C
10. D 26. A
11. C 27. C
12. C 28. B
13. C 29. A
14. D 30. C
15. C 31. B
16. D 32. C

Problems

1. Input Validation
Identify the types of input validation techniques for the following inputs to the
payroll system. Explain the controls provided by each of these techniques.
a. Operator access number to payroll file
b. New employee
c. Employee name
d. Employee number
e. Social Security number
f. Rate per hour or salary
g. Marital status
h. Number of dependents
i. Cost center
j. Regular hours worked
k. Overtime hours worked
l. Total employees this payroll period

Response:
a. File Interrogation. Verify internal label to ensure the correct file is being accessed.
b. Record Interrogation. Reasonableness and sequence checks to verify the entire
record. Field checks on pay rate and personal information to be entered: Validity
check, missing data check, sign checks, numeric-alphabetic data check.
c. Alphabetic check validates that letters are entered where only letters are required
to be entered, e.g., employee name.
d. Check digit to verify that the number is correct.
e. Missing data check, numeric check, validity check.
f. Range check, reasonableness check, sign check.
g. Missing data check ensures that no blank fields are entered where data should be
present, e.g., marital status, validity check.
h. Reasonableness check, limit check. Missing data check.
i. Validity check.
j. Limit check, missing data check.
k. Reasonableness checks validate that only data within a pre-specified range is
entered, e.g., number of hours worked greater than zero and less than 70.
l. Batch control totals

2. Processing Controls (CMA adapted 691 4-2)


Unless adequate controls are implemented, the rapid advance of computer
technology can reduce a firm’s ability to detect errors and fraud. Therefore, one of
the critical responsibilities of the management team in firms where computers are
used is the security and control of information service activities.
During the design stage of a system, information system controls are planned
to ensure the reliability of data. A well-designed system can prevent both intentional
and unintentional alteration or destruction of data. These data controls can be
classified as (a) input controls, (b) processing controls, and (c) output controls.

Required:
For each of the three data control categories listed, provide two specific controls
and explain how each control contributes to ensuring the reliability of data. Use the
following format for your answer.
Control Category | Specific Controls | Contribution to Data Reliability

Response:
Presented below are the three data control categories, two specific controls, and
how each control contributes to ensuring the data reliability.

| Control Category | Specific Controls | Contribution to Data Reliability |
|---|---|---|
| Input Controls | Segregation of duties with access by authorized personnel only. | This control avoids collusion. |
| | Verification controls that include the visual view of source documents and verification of computer input by the data entry clerk. An online system may verify information with the existing database. | These controls will allow for an intelligent review of information and verify multiple aspects of the data. |
| Processing Controls | Computer software programs include system security and passwords, and checks of the internal file labels with secondary storage media. | The objective program compares information, as well as highlights specified limits. |
| | Computer program controls include table-lookups, conditional statements, and reasonableness checks. | The objective program compares information, as well as highlights specified limits. |
| Output Controls | Output totals to input totals. | Verification to input totals minimizes errors. |
| | Authorization of receivers of reports. | This control limits access to computerized information by the users. |

3. Input Controls and Data Processing


You have been hired by a catalog company to computerize its sales order entry
forms. Approximately 60 percent of all orders are received over the telephone, with
the remainder either mailed or faxed in. The company wants the phone orders to be
input as they are received. The mail and fax orders can be batched together in
groups of fifty and submitted for data entry as they become ready. The following
information is collected for each order:
• Customer number (if a customer does not have one, one needs to be assigned)
• Customer name
• Address
• Payment method (credit card or money order)
• Credit card number and expiration date (if necessary)
• Items ordered and quantity
• Unit price

Required:
Determine control techniques to make sure that all orders are entered accurately
into the system. Also, discuss any differences in control measures between the batch
and the real-time processing.

Response: For the phone orders, if a customer has a customer number, it should be
verified against a master file. If a customer needs to establish a customer number,
one should be assigned, and the customer’s name should be entered. A missing data
check should be used to verify that a first name, last name, and street address have
been entered. If the firm has a U.S. zip code database, the zip code can be entered
and the city and town should appear.
The payment method should be a menu choice of credit cards that are
accepted. The credit card number should be entered into an alpha-numeric field as
well as the expiration date—a numeric field. Once the order is totaled, authorization
with the credit card company will be provided online. The item ordered should be
entered and verified against an inventory master file. The description should appear
and be read to the customer and verified as accurate. The unit price should
automatically appear. The quantity should be entered, and a range check performed
to see if the order is reasonable.
For the batch processed data, customers without customer numbers should be
placed into a batch for adding and receiving customer numbers before the order can
be processed. For those orders with customer numbers, the data will be grouped
into batches. Check digits will be calculated for the customer numbers and the
inventory items. Any records that have an invalid customer number, invalid
inventory item, check digits that do not match, or an unreasonable quantity ordered
will be written to an error file, and the rest of the orders will be processed. The
clean transactions should be sorted according to charge type and the credit card
numbers verified. Any rejected transactions will be sent to a special file from which
letters will be sent to the customer. The doubly-clean transactions will then be
processed. The real-time processing technique is more efficient because any errors
can be resolved easily and immediately.

4. Write an essay explaining the following three methods of correcting errors
in data entry: immediate correction, creation of an error file, and rejection of
the batch.

Response:
Key Points
a. Immediate Correction: In the direct data validation approach, error detection
and correction take place during data entry. When an error or illogical relationship
is entered, the system should halt the data entry procedure until the error is
corrected.
b. Creation of an Error File: In the delayed data validation approach, errors are
flagged and placed in an error file. Records with errors will not be processed until
the error is investigated and corrected.
c. Rejection of the Batch: Some errors are associated with the entire batch and are
not attributable to individual records. An example of this is a control total that does
not balance. The entire batch is placed in the error file and will be reprocessed when
the error is corrected.
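
The error-file and reject-the-batch methods above, applied to the batched mail and fax orders of Problem 3, as an added Python example that is not part of the original answer key. The master files, quantity limit, sample orders, and all names are constructed assumptions.

```python
from typing import NamedTuple

# Constructed master files, limit and sample batch (assumptions, not from the page).
CUSTOMER_MASTER = {"1001", "1002", "1003"}
INVENTORY_MASTER = {"A10", "B20"}
MAX_QUANTITY = 100
SAMPLE_ORDERS = [
    {"customer": "1001", "item": "A10", "quantity": 2},
    {"customer": "1002", "item": "Z99", "quantity": 1},    # unknown item
    {"customer": "1003", "item": "B20", "quantity": 500},  # over the limit
    {"customer": "1001", "item": "B20", "quantity": ""},   # quantity omitted
]

class BatchHeader(NamedTuple):
    """Control totals recorded by data control when the batch is assembled."""
    batch_id: str
    record_count: int
    hash_total: int  # nonfinancial total: sum of the customer numbers

SAMPLE_HEADER = BatchHeader("B-001", record_count=4, hash_total=4007)

def validate_order(order: dict) -> list:
    """Field interrogation for one order; returns the reasons it failed."""
    errors = [f"missing data: {f}" for f in ("customer", "item", "quantity")
              if order.get(f) in (None, "")]
    if errors:
        return errors
    if order["customer"] not in CUSTOMER_MASTER:
        errors.append("validity: unknown customer number")
    if order["item"] not in INVENTORY_MASTER:
        errors.append("validity: unknown inventory item")
    if not isinstance(order["quantity"], int):
        errors.append("numeric check: quantity")
    elif not 0 < order["quantity"] <= MAX_QUANTITY:
        errors.append("limit: unreasonable quantity")
    return errors

def process_batch(header: BatchHeader, orders: list) -> dict:
    """Reject the batch if control totals do not balance; otherwise send
    failing records to the error file and pass the clean ones on."""
    hash_total = sum(int(o["customer"]) for o in orders
                     if str(o.get("customer", "")).isdigit())
    if (len(orders), hash_total) != (header.record_count, header.hash_total):
        return {"status": "batch rejected", "clean": [], "error_file": []}
    clean, error_file = [], []
    for order in orders:
        reasons = validate_order(order)
        if reasons:
            error_file.append({**order, "errors": reasons})
        else:
            clean.append(order)
    # Run-to-run reconciliation: every input record is in exactly one output.
    balanced = len(clean) + len(error_file) == header.record_count
    return {"status": "processed", "clean": clean,
            "error_file": error_file, "balanced": balanced}
```

Calling `process_batch(SAMPLE_HEADER, SAMPLE_ORDERS)` sends three records to the error file with their reasons attached; dropping or duplicating a record makes the control totals fail, so the whole batch is returned unprocessed.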

5. Many techniques can be used to control the input effort. Write a one-page
essay discussing three techniques.

Response:
Key Points
a. Source document controls are designed to control the documents used to initiate
transactions with pre-numbered source documents, used in sequence, and
periodically accounted for.
b. Data coding controls are designed to check on the integrity of data by preventing
transcription errors and transposition errors.
c. Batch controls are designed to manage large volumes of data by repeatedly
verifying totals of specific fields, some financial and others nonfinancial.

6. The presence of an audit trail is critical to the integrity of the accounting
information system. Write a one-page essay discussing three of the
techniques used to preserve the audit trail.

Response:
Key Points
a. Transaction logs list all transactions successfully processed by the system and
serve as journals and permanent records. Transactions that were not processed
successfully should be recorded in an error file.
b. After processing transactions, a paper transaction listing should be produced and
used by appropriate users to reconcile input.
c. Logs and listings of automatic transactions should be produced for transactions
initiated internally by the system.
d. Error listing should document all errors and be sent to appropriate users to
support error correction.

7. Write an essay comparing and contrasting the following audit techniques
based on costs and benefits:
• test data method
• base case system evaluation
• tracing
• integrated test facility
• parallel simulation

Response:
Key Points
The test data method is used to establish application integrity by processing
specially prepared sets of input data through production applications that are under
review. The results of the test are compared with the expected results. The base
case system evaluation tests extend the test data method; the test data set
contains all possible transaction types. Tracing is an electronic walk-through of
the application’s internal logic and analysis of the execution of each program
command line for a specific transaction. An integrated test facility is an automated
technique that enables the auditor to test an application’s logic and controls during
its normal operations by creating dummy transactions and files. This method
promotes ongoing application auditing. Parallel simulation involves creating a
simulation of the transaction processing system and then using actual transactions
to determine if the results of processing reconcile with the organization’s
transaction processing system.
