Transcript CIS-496 / I.S. Auditing - University of South Florida St

Auditing
& Assurance,
Hall & Singleton
IT IT
Auditing
& Assurance,
2e, Hall2e,
& Singleton
CLASSES OF INPUT
CONTROLS
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input
systems
IT Auditing & Assurance, 2e, Hall & Singleton
SOURCE DOCUMENT
CONTROLS
 Controls in systems using physical source
documents
 Source document fraud
 To control for exposure, control procedures
are needed over source documents to
account for each one



Use pre-numbered source documents
Use source documents in sequence
Periodically audit source documents
IT Auditing & Assurance, 2e, Hall & Singleton
DATA CODING CONTROLS
 Checks on data integrity during processing
 Transcription errors
 Addition errors, extra digits
 Truncation errors, digit removed
 Substitution errors, digit replaced

Transposition errors
 Single transposition: adjacent digits transposed (reversed)
 Multiple transposition: non-adjacent digits are transposed
 Control = Check digits
 Added to code when created (suffix, prefix,
embedded)
 Sum of digits (ones): transcription errors only
 Modulus 11: different weights per column: transposition and
transcription errors

Introduces storage and processing inefficiencies
IT Auditing & Assurance, 2e, Hall & Singleton
BATCH CONTROLS
 Method for handling high volumes of
transaction data – esp. paper-fed IS
 Controls of batch continues thru all phases of
system and all processes (i.e., not JUST an
input control)
1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output
 Requires grouping of similar input transactions
IT Auditing & Assurance, 2e, Hall & Singleton
VALIDATION CONTROLS
 Intended to detect errors in data
before processing
 Most effective if performed close to
the source of the transaction
 Some require referencing a master
file
IT Auditing & Assurance, 2e, Hall & Singleton
VALIDATION CONTROLS
 Field Interrogation
 Missing data checks
 Numeric-alphabetic data checks
 Zero-value checks
 Limit checks
 Range checks
 Validity checks
 Check digit
 Record Interrogation
 Reasonableness checks
 Sign checks
 Sequence checks
 File Interrogation
 Internal label checks (tape)
 Version checks
 Expiration date check
IT Auditing & Assurance, 2e, Hall & Singleton
INPUT ERROR CORRECTION
Batch – correct and resubmit
 Controls to make sure errors dealt with
completely and accurately
1) Immediate Correction
2) Create an Error File
 Reverse the effects of partially

processed, resubmit corrected records
 Reinsert corrected records in
processing stage where error was
detected
3) Reject the Entire Batch
IT Auditing & Assurance, 2e, Hall & Singleton
GENERALIZED DATA INPUT
SYSTEMS (GDIS)

Centralized procedures to manage data input for all
transaction processing systems
 Eliminates need to create redundant routines for
each new application
 Advantages:
 Improves control by having one common
system perform all data validation
 Ensures each AIS application applies a
consistent standard of data validation
 Improves systems development efficiency
IT Auditing & Assurance, 2e, Hall & Singleton
CLASSES OF PROCESSING
CONTROLS
1) Run-to-Run Controls
2) Operator Intervention
Controls
3) Audit Trail Controls
IT Auditing & Assurance, 2e, Hall & Singleton
RUN-TO-RUN (BATCH)
 Use batch figures to monitor
the batch as it moves from
one process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
IT Auditing & Assurance, 2e, Hall & Singleton
OPERATOR INTERVENTION
 When operator manually enters
controls into the system
 Preference is to derive by logic
or provided by system
IT Auditing & Assurance, 2e, Hall & Singleton
AUDIT TRAIL CONTROLS
 Every transaction becomes traceable from
input to output
 Each processing step is documented
 Preservation is key to auditability of AIS
 Transaction logs
 Log of automatic transactions
 Listing of automatic transactions
 Unique transaction identifiers [s/n]
 Error listing
IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS
 Ensure system output:
1)
2)
3)
4)
Not misplaced
Not misdirected
Not corrupted
Privacy policy not violated
 Batch systems more susceptible to exposure,
require greater controls

Controlling Batch Systems Output





Many steps from printer to end user
Data control clerk check point
Unacceptable printing should be shredded
Cost/benefit basis for controls
Sensitivity of data drives levels of controls
IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS
 Output spooling – risks:
 Access the output file and change
critical data values
 Access the file and change the
number of copies to be printed
 Make a copy of the output file so
illegal output can be generated
 Destroy the output file before printing
take place
IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS
 Bursting
 Supervision
 Waste
 Proper disposal of aborted copies
and carbon copies
 Data control
 Data control group – verify and log
 Report distribution
 Supervision
IT Auditing & Assurance, 2e, Hall & Singleton
OUTPUT CONTROLS
 End user controls
 End user detection
 Report retention:




Statutory requirements (gov’t)
Number of copies in existence
Existence of softcopies (backups)
Destroyed in a manner consistent
with the sensitivity of its contents
IT Auditing & Assurance, 2e, Hall & Singleton
TESTING COMPUTER
APPLICATION CONTROLS
1) Around the computer
1) Rarely appropriate
1) Through the computer
1) Supported by continuous
audit techniques
IT Auditing & Assurance, 2e, Hall & Singleton
TESTING COMPUTER APPLICATION
AROUND THE COMPUTER
 Ignore internal logic of application

Use functional characteristics


Flowcharts
Interview key personnel
 Advantages:
 Do not have to remove application from
operations to test it

Appropriately applied:


Simple applications
Relative low level of risk
IT Auditing & Assurance, 2e, Hall & Singleton
TESTING COMPUTER APPLICATION
CONTROLS THROUGH THE COMPUTER

Relies on in-depth understanding of the
internal logic of the application
 Uses small volume of carefully crafted,
custom test transactions to verify specific
aspects of logic and controls
 Allows auditors to conduct precise test with
known outcomes, which can be compared
objectively to actual results
IT Auditing & Assurance, 2e, Hall & Singleton
COMPUTER AIDED AUDIT TOOLS
AND TECHNIQUES (CAATTs)
1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS
IT Auditing & Assurance, 2e, Hall & Singleton
TEST DATA
 Used to establish the application processing
integrity
 Uses a “test deck”
 Valid data
 Purposefully selected invalid data
 Every possible:
 Input error
 Logical processes
 Irregularity
 Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare
IT Auditing & Assurance, 2e, Hall & Singleton
TRACING
 Test data technique that takes step-by-step
walk through application
1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as
test data
3) Test data is “traced” through all processing steps of
the application, and a listing is produced of all lines of
code as executed (variables, results, etc.)
 Excellent means of debugging a faculty
program
IT Auditing & Assurance, 2e, Hall & Singleton
TEST DATA: ADVANTAGES AND
DISADVANTAGES
 Advantages of test data
1) They employ white box approach, thus providing explicit
evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of
the auditors
 Disadvantages of test data
1) Auditors must rely on IS personnel to obtain a copy of
the application for testing
2) Audit evidence is not entirely independent
3) Provides static picture of application integrity
4) Relatively high cost to implement, auditing inefficiency
IT Auditing & Assurance, 2e, Hall & Singleton
Continuous Auditing
 Embedded Audit Module
 Real and test transactions
 Tagged transactions
 Audit hooks
IT Auditing & Assurance, 2e, Hall & Singleton
INTEGRATED TEST FACILITY

ITF is an automated technique that allows auditors to
test logic and controls during normal operations

Set up a dummy entity within the application system
1) Set up a dummy entity within the application system
2) System able to discriminate between ITF audit module
transactions and routine transactions
3) Auditor analyzes ITF results against expected results
IT Auditing & Assurance, 2e, Hall & Singleton
PARALLEL SIMULATION

Auditor writes or obtains a copy of the program that
simulates key features or processes to be reviewed /
tested
1) Auditor gains a thorough understanding of the
2)
3)
4)
5)
6)
application under review
Auditor identifies those processes and controls critical
to the application
Auditor creates the simulation using program or
Generalized Audit Software (GAS)
Auditor runs the simulated program using selected data
and files
Auditor evaluates results and reconciles differences
Out of date approach
IT Auditing & Assurance, 2e, Hall & Singleton
Email and IM
28
Sedona ConferenceWG1 Best
Practices for E Doc Retention and
Production
29
Sedona ESI Framework
 Sedona Conference - White papers on keyword
searches and electronic stored information (ESI)
 Keyword list can cut costs substantially
 Most searches turn up small percent of relevant
documents and miss many critical documents
 Risks for both under and over inclusive terms
 Sedona framework provides higher quality and lower
costs
30
Keyword Search and
E-Discovery
 E-discovery and document review expensive
 Cost associated with heavy reliance on human
review
 Search solutions were not built with e-discovery
in mind
 Majority of companies do not have an effective
retention or archiving plan for electronic
documents
31
ESI Retention Policy
 Must comply with SOX and be scrutinized by legal
 Categorize documents by type and retention period
 Use different archival methods
 Software can provide for efficient retrieval
 Train employees to policy
32
E-Mail Retention Policy
 Federal Rules of Civil Procedure, industry
regulations and internal policies all influence which
emails should be archived.
 Safe harbor in eDiscovery rests in an organization
adhering to its policies and procedures that guide
the destruction of its email data.
 Not all e-mails are the same: Set archive categories
by nature of email.
 Adopt a policy and do not vary from it.
Redacted E-mail and Privacy
 Deleted information may be recoverable from
electronic documents
 Policy should be specific as to what information
must be deleted before issuing to a third party
 Covered by federal laws and regs
 Software available to filter and delete
34
Cost of Poor Retention Policy
The judge could …
 instruct the jury to infer that the record(s) destroyed
contained information unfavorable to your company.
 order your company to pay cost of restoring any
archival media on which a lost record is stored plus
reasonable litigation expenses incurred by your
opponent in filing a motion for discovery and
production of the record.
35
Beware the
Unmanaged IM and Email
 Recipients may retain IM
 IM immune to firewalls
 IM may be offensive to employees
 Track IM usage
 Enable content filtering and blocking
 Log and audit conversations
 Do not allow encrypted IM
36
IT Auditing & Assurance, 2e, Hall & Singleton
IT Auditing & Assurance, 2e, Hall & Singleton