1

Chapter 6Computer Assisted Audit Tools

and Techniques

LihChyun Shu

2

Contents

• Application controls– Input controls– Processing controls– Output controls

• Testing computer application controls– Black box approach– White box approach

• Computer aided audit tools and techniques for testing controls

3

Application Controls

• Programmed procedures designed to deal with potential exposures that threaten specific applications, such as payroll, purchases, and cash disbursements systems.

• Three categories:– Input controls– Processing controls– Output controls

4

Input Controls

• Designed to ensure that transactions are valid, accurate, and complete.

• Broad classes:– Source document controls

– Data coding controls

– Batch controls

– Validation controls

– Input error correction

– Generalized data input systems

5

Source document controls

• Techniques to prevent source document fraud (for example, an individual with access to purchase orders and receiving reports could fabricate a purchase transaction to a non-existent supplier)– Use pre-numbered source documents – Use source documents in sequence– Periodically audit source documents

6

Data Coding Controls

• Checks on integrity of data codes used in processing.

• A customer’s account number, an inventory item number, and a chart of accounts number are all examples of data codes.

7

Data Coding Controls

• Three types of errors that can corrupt data codes and cause processing errors:– Transcription errors– Single transposition errors– Multiple transposition errors

8

Transcription Errors

• Addition errors: e.g., inventory item number 83276 recorded as 832766

• Truncation errors: e.g., the inventory item above recorded as 8327

• Substitution errors: e.g., the inventory item above recorded as 83266

9

Transposition Errors

• Single transposition errors: occur when two adjacent digits are reversed.

• Multiple transposition errors: occur when nonadjacent digits are transposed. For example, 83276 is recorded as 87236.

10

Check Digits

• A method to detect data coding errors.

• A check digit is a control digit added to the code that allows the integrity of the code to be established during subsequent processing.

• The simplest form of check digit is to sum the digits in the code and use this sum as the check digit.

11

Check Digits

• For example, the calculated check digit for customer account code 5327 would be 7 (5+3+7+2=17, then drop the tens column)

• This technique can detect some transcription errors, but not transposition errors.

• Another technique in page 217 can be used to detect transposition errors.

• See ‘Check digit’ from Wikipedia in relevant links

12

Batch Controls

• A method used to manage high volumes of transaction data through a system.

• Provide assurance that– All records in batch are processed– No records are processed more than once– An audit trail of transactions is created

13

Steps in Batch Controls

• Grouping similar types of transactions (such as sales order) together in batches

• For each batch of documents, prepare a batch transmittal sheet that contains (see page 218)– A unique batch number– A batch date– A transaction code (type of transactions)– Number of records in batch (record count)– Total dollar value of a financial field (batch control total)– Total of a unique non-financial field (hash total)

14

Steps in Batch Controls

• Batch transmittal sheet is used to assess the integrity of the batch during processing as shown in Figure 6-2 (page 219).– Batch control total can be used to make sure the

batch is in balance– Hash total can be used to detect the fraud that

someone replaced one of the sales orders in the batch with a fictitious record of the same dollar amount (see page 220)

15

Validation Controls

• Intended to detect errors in transaction data before the data are processed.

• Three levels of input validation controls:– Field interrogation– Record interrogation– File interrogation

16

Filed Interrogation

• Missing data checks

• Numeric-alphabetic data checks

• Zero-value checks

• Limit checks

• Range checks

• Validity checks (compare actual values against known acceptable values)

17

Record Interrogation

• Validate entire record by examining inter-relationship of its field values.

• Reasonableness checks: e.g., an employee’s pay rate of 18 dollars per hour is excessive, when compared to the employee’s job skill code of 693 (employees in this skill class never earn more than 12 dollars per hour)

18

Record Interrogation

• Sign check: e.g., dollar amount field must be positive for sales but negative for sales return transactions.

• Sequence check: determine if a record is out of order

19

File Interrogation

• Ensure that correct file is being processed by the system.

• Internal label checks verify that the file processed is the one the program is actually calling for.– Files usually have external labels that identify them to

librarian and operator. But wrong labels may be affixed to files.

– Operating system can create internal label that is placed at the beginning of the file (Figure 6-6 in page 224)

20

File Interrogation

• Version checks are used to verify that the version of the file being processed is correct.

• Expiration date check prevents a file from being deleted before it expires.

21

Input Error Correction

• 3 common error handling techniques– Immediate correction– Create an error file– Reject entire batch

22

Generalized Data Input Systems

• To achieve a high degree of control and standardization over input validation procedures.

• This technique includes centralized procedures to manage the data input for all of the organization’s transaction processing systems. (see Figure 6-9)

23

Processing Controls

• Run-to-run controls

• Operator intervention controls

• Audit trail controls

24

Run-to-run Controls

• Use batch control figures to monitor the batch as it moves from one run to another.

• Specific uses of run-to-run control figures:– Recalculate control totals (dollar amount fields,

hash totals, record counts)– Transaction codes: ensure only correct type of

transaction is being processed.– Sequence checks ensure the proper order of

transactions being processed

25

Operator Intervention Controls

• Operator intervention increases the potential for human errors.

• Systems that limit operator intervention thru operator intervention controls are thus less prone to errors.

26

Audit Trail Controls

• Techniques to preserve audit trails:– Transaction logs: every transaction successfully

processed by the system should be recorded on a transaction log, which servers as a journal.

– Log of automatic transactions– Listing of automatic transactions– Error listing