it controls part iii: systems development, program changes, and application controls
DESCRIPTION
Accounting Information Systems, 6th edition James A. HallTRANSCRIPT
Accounting Information Systems, 6th edition
James A. Hall
COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western
are trademarks used herein under license
Objectives for Chapter 17Controls and audit tests relevant to systems
developmentRisks and controls for program changes and
the source program library Auditing techniques (CAATTs) used to verify
application controlsAuditing techniques used to perform
substantive tests in an IT environment
Systems Development ActivitiesAuthorizing development of new systemsAddressing and documenting user needsTechnical design phasesParticipation of internal auditorsTesting program modules before implementing
Testing individual modules by a team of users, internal audit staff, and systems professionals
Systems Development Life Cycle
1. Systems Strategy - Assessment - Develop Strategic Plan
1. Systems Strategy - Assessment - Develop Strategic Plan
2. Project Initiation - Feasibility Study - Analysis - Conceptual Design - Cost/Benefit Analysis
2. Project Initiation - Feasibility Study - Analysis - Conceptual Design - Cost/Benefit Analysis
3. In-house Development - Construct - Deliver
3. In-house Development - Construct - Deliver
4. Commercial Packages - Configure - Test - Roll-out
4. Commercial Packages - Configure - Test - Roll-out
5. Maintenance & Support - User help desk - Configuration Management - Risk Management & Security
5. Maintenance & Support - User help desk - Configuration Management - Risk Management & Security
SSystemystem Interfaces, Architecture Interfaces, Architecture and Uand User ser RRequirementsequirements
BBusiness usiness RRequirementsequirements
High Priority Proposals undergo High Priority Proposals undergo Additional Study and DevelopmentAdditional Study and Development
FeedbackFeedback::User requests for New SystemsUser requests for New Systems
Selected System Proposals Selected System Proposals go forward for Detailed go forward for Detailed
DesignDesign
New and Revised New and Revised Systems Enter into Systems Enter into
ProductionProduction
Business Needs and Strategy
Legacy Situation
FeedbackFeedback::User requests for System User requests for System Improvements and SupportImprovements and Support
Systems Development Auditing objectives: ensure that...
SDLC activities are applied consistently and in accordance with management’s policies
the system as originally implemented was free from material errors and fraud
the system was judged to be necessary and justified at various checkpoints throughout the SDLC
system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
Systems Development ICNew systems must be authorized.Feasibility studies were conducted.User needs were analyzed and
addressed.Cost-benefit analysis was done.Proper documentation was completed.All program modules must be
thoroughly tested before they are implemented.
Checklist of problems was kept.
System Maintenance ICLast, longest and most costly phase of
SDLC Up to 80-90% of entire cost of a system
All maintenance actions should requireTechnical specificationsTestingDocumentation updatesFormal authorizations for any changes
Program Change Auditing objectives: detect unauthorized program maintenance and determine that...maintenance procedures protect applications from unauthorized changes
applications are free from material errors
program libraries are protected from unauthorized access
Source Program LibrarySource program library (SPL) library of applications and software
place where programs are developed and modified
once compiled into machine language, no longer vulnerable
Uncontrolled Access to the SPL
Controlled SPL EnvironmentsSPL Management Systems (SPLMS)
protect the SPL by controlling the following functions:storing programs on the SPLretrieving programs for maintenance
purposesdeleting obsolete programs from the
librarydocumenting program changes to
provide an audit trail of the changes
Source Program Library under the Control of SPL Management Software
SPL Control FeaturesPassword controlSeparation of test librariesAudit trailsReports that enhance management
control and the audit functionAssigns program version numbers
automaticallyControlled access to maintenance
commands
Program ChangeAuditing procedures: verify that
programs were properly maintained, including changes
Specifically, verify…identification and correction of
unauthorized program changesidentification and correction of
application errorscontrol of access to systems libraries
Application ControlsNarrowly focused exposures within
a specific system, for example: accounts payablecash disbursementsfixed asset accountingpayrollsales order processingcash receiptsgeneral ledger
Risks within specific applicationsCan affect manual procedures (e.g., entering
data) or embedded (automated) proceduresConvenient to look at in terms of:
input stageprocessing stageoutput stage
PROCESSINGINPUT OUTPUT
Application Controls
Application Input ControlsGoal of input controls - valid, accurate, and complete input data
Two common causes of input errors:transcription errors – wrong character
or valuetransposition errors – ‘right’ character
or value, but in wrong place
Check digits – data code is added to produce a control digitespecially useful for transcription and
transposition errorsMissing data checks – control for blanks
or incorrect justificationsNumeric-alphabetic checks – verify that
characters are in correct form
Application Input Controls
Limit checks – identify values beyond pre-set limits
Range checks – identify values outside upper and lower bounds
Reasonableness checks – compare one field to another to see if relationship is appropriate
Validity checks – compares values to known or standard values
Application Input Controls
Application Processing ControlsProgrammed procedures the processes that transform input data into information for output
Three categories:Batch controlsRun-to-run controlsAudit trail controls
Batch controls - reconcile system output with the input originally entered into the system
Based on different types of batch totals:total number of recordstotal dollar valuehash totals – sum of non-financial numbers
Application Processing Controls
Run-to-run controls - use batch figures to monitor the batch as it moves from one programmed procedure (run) to another
Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
Application Processing Controls
Transaction Log to Preserve the Audit Trail
Application Output ControlsGoal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated.
In the following flowchart, there are exposures at every stage.
Output Flowchart
Application Controls OutputOutput spooling – creates a file during the printing process that may be inappropriately accessed
Printing – create two risks:production of unauthorized copies of output
employee browsing of sensitive data
Application Controls OutputWaste – can be stolen if not properly disposed of, e.g., shredding
Report distribution – for sensitive reports, the following are available:use of secure mailboxesrequire the user to sign for reports in person
deliver the reports to the user
Application Controls OutputEnd user controls – end users need to inspect sensitive reports for accuracyshred after used
Controlling digital output – digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links
Testing Application Controls Techniques for auditing
applications fall into two classes: 1. testing application controls – two
general approaches:– black box – around the computer– white box – through the computer
2. examining transaction details and account balances—substantive testing
Auditing Around the Computer - The Black Box Approach
Auditing through the Computer: The ITF Technique
Black Box Approach – focuses on input procedures and output results
To Gain need understanding… analyze flowcharts review documentation conduct interviews
Testing Application Controls
White Box Approach - focuses on understanding the internal logic of processes between input and output
Common testsAuthenticity tests Accuracy testsCompleteness testsRedundancy testsAccess tests Audit trail testsRounding error tests
Testing Application Controls
White Box Testing TechniquesTest data method: testing for logic or
control problems - good for new systems or systems which have undergone recent maintenancebase case system evaluation (BCSE) - using a
comprehensive set of test transactionstracing - performs an electronic walkthrough of
the application’s internal logicTest data methods are not fool-proof
a snapshot - one point in time examinationhigh-cost of developing adequate test data
White Box Testing TechniquesIntegrated test facility (ITF): an
automated, on-going technique that enables the auditor to test an application’s logic and controls during its normal operation
Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system
Auditing through the Computer: The Parallel Simulation Technique
Substantive TestingTechniques to substantiate account
balances. For example:search for unrecorded liabilitiesconfirm accounts receivable to ensure they
are not overstatedRequires first extracting data from the
system. Two technologies commonly used to select, access, and organize data are:embedded audit modulegeneralized audit software
Embedded Audit ModuleAn ongoing module which filters out
non-material transactionsThe chosen, material transactions are
used for sampling in substantive testsRequires additional computing
resources by the clientHard to maintain in systems with
high maintenance
Substantive Testing: Embedded Audit Module
Generalized Audit SoftwareVery popular & widely usedCan access data files & perform
operations on them:screen data statistical sampling methodsfoot & balanceformat reportscompare files and fieldsrecalculate data fields
Substantive Testing: Generalized Audit Software