GROUP IV: ENRIQUEZ, Jayson ESCOBEDO, Xybelle NARVAEZ. Juana Marie PAZ, Gene Kelly RED, Sunshine RENIVA, Leandra ROMANA, Fatima Bianca ULAYE, Vanessa
Learning objectives:
Be familiar with the classes of transaction input controls used by accounting applications. Understand the objectives and techniques used to implement processing controls, including run-torun, operator intervention, and audit trail controls. Understand the methods used to establish effective output controls for both batch and realtime systems. Know the difference between black box and white box auditing. Be familiar with the key features of the five CAATTs discussed in the chapter.
APPLICATION CONTROL
Programmed
procedures designed to deal with potential exposures that threaten specific applications. Fall into three broad categories: Input controls; Processing controls; and Output controls
to ensure that the transactions that bring data into the system are valid, accurate, and complete input procedures can be either:
Data
Source
document input requires human involvement and is prone to clerical errors. input employs real-time editing techniques to identify and correct errors immediately
Direct
systems
documents
Source document fraud To control for exposure, control procedures
Use pre-numbered source documents Use source documents in sequence Periodically audit source documents
Transposition errors
Single transposition: adjacent digits transposed (reversed) Multiple transposition: non-adjacent digits are transposed
Control = Check digits Added to code when created (suffix, prefix, embedded)
Sum of digits (ones): transcription errors only Modulus 11: different weights per column: transposition and
transcription errors
#3-BATCH CONTROLS
Method for handling high volumes of
#3-BATCH CONTROLS
Unique batch number (serial #) A batch date A transaction code Number of records in the batch Total dollar value of financial field Sum of unique non-financial field
#4-VALIDATION CONTROLS
Intended to detect errors in data
before processing
Most effective if performed close to
file
#4-VALIDATION CONTROLS
Field Interrogation Missing data checks Numeric-alphabetic data checks Zero-value checks Limit checks Range checks Validity checks Check digit Record Interrogation Reasonableness checks Sign checks Sequence checks File Interrogation Internal label checks (tape) Version checks Expiration date check
processed, resubmit corrected records Reinsert corrected records in processing stage where error was detected
3)
Centralized procedures to manage data input for all transaction processing systems Eliminates need to create redundant routines for each new application Advantages:
system perform all data validation Ensures each AIS application applies a consistent standard of data validation Improves systems development efficiency
#6-GDIS
Major components:
Controls
3) Audit Trail Controls
#1-RUN-TO-RUN (BATCH)
Use batch figures to monitor the batch as it moves from one process to another
1) Recalculate Control Totals 2) Check Transaction Codes 3) Sequence Checks
#2-OPERATOR INTERVENTION When operator manually enters controls into the system
Every transaction becomes traceable from input to output Each processing step is documented Preservation is key to auditability of AIS
Transaction logs Log of automatic transactions Listing of automatic transactions Unique transaction identifiers [s/n] Error listing
OUTPUT CONTROLS
Not misplaced Not misdirected Not corrupted Privacy policy not violated
Many steps from printer to end user Data control clerk check point Unacceptable printing should be shredded Cost/benefit basis for controls Sensitivity of data drives levels of controls
OUTPUT CONTROLS
Access the output file and change critical data values Access the file and change the number of copies to be printed Make a copy of the output file so illegal output can be generated Destroy the output file before printing take place
OUTPUT CONTROLS
OUTPUT CONTROLS
Bursting
Supervision Proper disposal of aborted copies and carbon copies Data control group verify and log Supervision
Waste
Data control
Report distribution
OUTPUT CONTROLS
Report retention:
Statutory requirements (govt) Number of copies in existence Existence of softcopies (backups) Destroyed in a manner consistent with the sensitivity of its contents
OUTPUT CONTROLS
Threats:
Exposures:
Flowcharts Interview key personnel Do not have to remove application from operations to test it Simple applications Relative low level of risk
Advantages:
Appropriately applied:
Relies on in-depth understanding of the internal logic of the application Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
Allows auditors to conduct precise test with known outcomes, which can be compared objectively to actual results
Authenticity tests:
logon *
2)
Accuracy tests:
3)
Completeness tests:
Redundancy tests:
Process each record exactly once Ensure application and/or system creates an adequate audit trail
Transactions listing Error files or reports for all exceptions
5)
6)
Salami slicing Monitor activities excessive ones are serious exceptions; e.g, rounding and thousands of entries into a single account for $1 or 1
COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs) 1) Test data method 2) Base case system evaluation 3) Tracing 4) Integrated Test Facility [ITF] 5) Parallel simulation 6) GAS
#1 TEST DATA
Used to establish the application processing
integrity
Uses a test deck Valid data Purposefully selected invalid data Every possible:
Input error Logical processes Irregularity
Variant of Test Data method Comprehensive test data Repetitive testing throughout SDLC When application is modified, subsequent test (new) results can be compared with previous results (base)
#3 TRACING
Test data technique that takes step-by-step
test data
3) Test data is traced through all processing steps of
the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
program
evidence 2) Can be employed with minimal disruption to operations 3) They require minimal computer expertise on the part of the auditors
the application for testing 2) Audit evidence is not entirely independent 3) Provides static picture of application integrity 4) Relatively high cost to implement, auditing inefficiency
ITF is an automated technique that allows auditors to test logic and controls during normal operations Set up a dummy entity within the application system
1) Set up a dummy entity within the application system 2) System able to discriminate between ITF audit module
transactions and routine transactions 3) Auditor analyzes ITF results against expected results
Disadvantages of ITF
1) Potential for corrupting the data files of the organization
#5 PARALLEL SIMULATION
Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested
1) Auditor gains a thorough understanding of the application 2)
3)
4)
5)
under review Auditor identifies those processes and controls critical to the application Auditor creates the simulation using program or Generalized Audit Software (GAS) Auditor runs the simulated program using selected data and files Auditor evaluates results and reconciles differences
End of Report