Chapter 6 Computer Assisted Audit Tools and Techniques

LihChyun Shu
1
Contents
• Application controls
– Input controls
– Processing controls
– Output controls
• Testing computer application controls
– Black box approach
– White box approach
• Computer aided audit tools and techniques for
testing controls
2
Application Controls
• Programmed procedures designed to deal
with potential exposures that threaten
specific applications, such as payroll,
purchases, and cash disbursements systems.
• Three categories:
– Input controls
– Processing controls
– Output controls
3
Input Controls
• Designed to ensure that transactions are valid,
accurate, and complete.
• Broad classes:
– Source document controls
– Data coding controls
– Batch controls
– Validation controls
– Input error correction
– Generalized data input systems
4
Source document controls
• Techniques to prevent source document
fraud (for example, an individual with
access to purchase orders and receiving
reports could fabricate a purchase
transaction to a non-existent supplier)
– Use pre-numbered source documents
– Use source documents in sequence
– Periodically audit source documents
5
Data Coding Controls
• Checks on integrity of data codes used in
processing.
• A customer’s account number, an inventory
item number, and a chart of accounts
number are all examples of data codes.
6
Data Coding Controls
• Three types of errors that can corrupt data
codes and cause processing errors:
– Transcription errors
– Single transposition errors
– Multiple transposition errors
7
Transcription Errors
• Addition errors: e.g., inventory item number
83276 recorded as 832766
• Truncation errors: e.g., the inventory item
above recorded as 8327
• Substitution errors: e.g., the inventory item
above recorded as 83266
8
Transposition Errors
• Single transposition errors: occur when two
adjacent digits are reversed.
• Multiple transposition errors: occur when
nonadjacent digits are transposed. For
example, 83276 is recorded as 87236.
9
Check Digits
• A method to detect data coding errors.
• A check digit is a control digit added to the
code that allows the integrity of the code to
be established during subsequent processing.
• The simplest form of check digit is to sum
the digits in the code and use this sum as the
check digit.
10
Check Digits
• For example, the calculated check digit for
customer account code 5327 would be 7
(5+3+2+7=17, then drop the tens column)
• This technique can detect some transcription
errors, but not transposition errors.
• Another technique, on page 217, can be used to
detect transposition errors.
• See ‘Check digit’ from Wikipedia in relevant links
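The digit-sum scheme run against the keying errors listed on the earlier slides, as an added example that is not part of the original slides. It goes beyond the slides by also implementing a weighted modulus-11 scheme as one common way to catch transpositions; the slides only cite page 217, so treating that as modulus 11 is an assumption, as are the function names and the constructed single-transposition value 82376.

```python
# Added example: two check-digit schemes run against the slides' keying errors.

def sum_check_digit(code: str) -> str:
    """Scheme from the slide: sum the digits and keep only the units column."""
    return str(sum(int(d) for d in code) % 10)

def mod11_check_digit(code: str) -> str:
    """Weighted modulus-11 scheme (an assumption; the slides only cite page 217).
    Digits are weighted 2, 3, 4, ... starting from the rightmost digit."""
    total = sum(int(d) * w for w, d in enumerate(reversed(code), start=2))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)

def detected(original: str, keyed: str, scheme) -> bool:
    """True if the check digit recomputed over the keyed code body differs from
    the one issued for the original (assumes the digit itself is keyed correctly)."""
    return scheme(keyed) != scheme(original)

# Keying errors from the slides for inventory item 83276; the single
# transposition 82376 is constructed, since the slides give no instance.
ERRORS = {
    "addition": "832766",
    "truncation": "8327",
    "substitution": "83266",
    "single transposition": "82376",
    "multiple transposition": "87236",
}

def survey(original: str = "83276") -> dict:
    """Map each error type to (caught by digit sum, caught by modulus 11)."""
    return {name: (detected(original, keyed, sum_check_digit),
                   detected(original, keyed, mod11_check_digit))
            for name, keyed in ERRORS.items()}

if __name__ == "__main__":
    for name, (by_sum, by_mod11) in survey().items():
        print(f"{name:24} sum={by_sum!s:5} mod11={by_mod11}")
```

Both transpositions leave the digit sum at 26, so the simple scheme passes them, while the position weights change the modulus-11 result.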
11
Batch Controls
• A method used to manage high volumes of
transaction data through a system.
• Provide assurance that
– All records in batch are processed
– No records are processed more than once
– An audit trail of transactions is created
12
Steps in Batch Controls
• Grouping similar types of transactions (such as
sales order) together in batches
• For each batch of documents, prepare a batch
transmittal sheet that contains (see page 218)
– A unique batch number
– A batch date
– A transaction code (type of transactions)
– Number of records in batch (record count)
– Total dollar value of a financial field (batch control total)
– Total of a unique non-financial field (hash total)
13
Steps in Batch Controls
• Batch transmittal sheet is used to assess the
integrity of the batch during processing as
shown in Figure 6-2 (page 219).
– Batch control total can be used to make sure the
batch is in balance
– Hash total can be used to detect fraud in which
someone replaces one of the sales orders in the
batch with a fictitious record of the same dollar
amount (see page 220)
14
Validation Controls
• Intended to detect errors in transaction data
before the data are processed.
• Three levels of input validation controls:
– Field interrogation
– Record interrogation
– File interrogation
15
Field Interrogation
• Missing data checks
• Numeric-alphabetic data checks
• Zero-value checks
• Limit checks
• Range checks
• Validity checks (compare actual values
against known acceptable values)
16
Record Interrogation
• Validate entire record by examining interrelationship of its field values.
• Reasonableness checks: e.g., an employee’s
pay rate of 18 dollars per hour is excessive,
when compared to the employee’s job skill
code of 693 (employees in this skill class
never earn more than 12 dollars per hour)
17
Record Interrogation
• Sign check: e.g., dollar amount field must
be positive for sales but negative for sales
return transactions.
• Sequence check: determine if a record is out
of order
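Field and record interrogation applied to a small keyed batch, as an added example that is not part of the original slides. The records, the 80-hour limit, skill code 710 and all function names are constructed assumptions; only the 12-dollar cap for skill code 693 comes from the slide. Rejected records go to an error file and the sequence check compares fixed-width employee IDs.

```python
# Added example: field and record interrogation over constructed payroll records.
MAX_RATE_BY_SKILL = {"693": 12.00, "710": 25.00}  # 693 cap is the slide's; 710 is constructed
MAX_HOURS = 80.0  # assumed limit for one pay period

def field_errors(rec):
    """Field interrogation: missing, numeric, zero-value, validity and limit checks."""
    errs = [f"{k}: missing data" for k in ("emp_id", "skill_code", "pay_rate", "hours")
            if not str(rec.get(k) or "").strip()]
    if errs:
        return errs
    for k in ("pay_rate", "hours"):
        try:
            if float(rec[k]) == 0:
                errs.append(f"{k}: zero value")
        except ValueError:
            errs.append(f"{k}: not numeric")
    if rec["skill_code"] not in MAX_RATE_BY_SKILL:
        errs.append("skill_code: validity check failed")
    if not errs and float(rec["hours"]) > MAX_HOURS:
        errs.append("hours: limit check failed")
    return errs

def record_errors(rec):
    """Record interrogation: is the pay rate reasonable for the skill code?"""
    cap = MAX_RATE_BY_SKILL[rec["skill_code"]]
    if float(rec["pay_rate"]) > cap:
        return [f"pay_rate: exceeds {cap:.2f} for skill {rec['skill_code']}"]
    return []

def validate_batch(records):
    """Return (clean records, error file); sequence is checked on accepted records."""
    clean, error_file, last_id = [], [], ""
    for rec in records:
        errs = field_errors(rec) or record_errors(rec)
        if not errs and rec["emp_id"] <= last_id:
            errs = ["emp_id: sequence check failed"]
        if errs:
            error_file.append((rec.get("emp_id"), errs))
        else:
            clean.append(rec)
            last_id = rec["emp_id"]
    return clean, error_file

def _rec(emp_id, skill, rate, hours):
    return {"emp_id": emp_id, "skill_code": skill, "pay_rate": rate, "hours": hours}

SAMPLE = [  # constructed keyed input; "2O.00" contains a letter O
    _rec("1001", "693", "11.50", "40"), _rec("1002", "693", "18.00", "40"),
    _rec("1003", "710", "", "38"),      _rec("1000", "710", "22.00", "36"),
    _rec("1005", "999", "2O.00", "0"),  _rec("1006", "710", "24.00", "96"),
    _rec("1007", "710", "24.00", "40"),
]
```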
18
File Interrogation
• Ensure that correct file is being processed by the
system.
• Internal label checks verify that the file processed
is the one the program is actually calling for.
– Files usually have external labels that identify them to
librarian and operator. But wrong labels may be affixed
to files.
– Operating system can create internal label that is placed
at the beginning of the file (Figure 6-6 on page 224)
19
File Interrogation
• Version checks are used to verify that the
version of the file being processed is correct.
• Expiration date check prevents a file from
being deleted before it expires.
20
Input Error Correction
• 3 common error handling techniques
– Immediate correction
– Create an error file
– Reject entire batch
21
Generalized Data Input Systems
• To achieve a high degree of control and
standardization over input validation
procedures.
• This technique includes centralized
procedures to manage the data input for all
of the organization’s transaction processing
systems. (see Figure 6-9)
22
Processing Controls
• Run-to-run controls
• Operator intervention controls
• Audit trail controls
23
Run-to-run Controls
• Use batch control figures to monitor the
batch as it moves from one run to another.
• Specific uses of run-to-run control figures:
– Recalculate control totals (dollar amount fields,
hash totals, record counts)
– Transaction codes: ensure only correct type of
transaction is being processed.
– Sequence checks ensure the proper order of
transactions being processed
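The batch transmittal sheet from the batch-controls slides and its recalculation after a run, as an added example that is not part of the original slides. The sales orders, batch number, transaction code and all class and function names are constructed assumptions; the order number stands in for the unique non-financial field behind the hash total.

```python
# Added example: transmittal-sheet figures recalculated after a processing run.
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class SalesOrder:
    order_no: int      # unique non-financial field, summed into the hash total
    amount: Decimal    # financial field, summed into the batch control total

@dataclass(frozen=True)
class Transmittal:
    batch_no: str
    txn_code: str
    record_count: int
    control_total: Decimal
    hash_total: int

def prepare_transmittal(batch_no, txn_code, records):
    """Build the control figures recorded when the batch is assembled."""
    return Transmittal(batch_no, txn_code, len(records),
                       sum((r.amount for r in records), Decimal("0")),
                       sum(r.order_no for r in records))

def reconcile(sheet, records):
    """Recalculate the figures after a run and name those that no longer agree."""
    now = prepare_transmittal(sheet.batch_no, sheet.txn_code, records)
    return [name for name in ("record_count", "control_total", "hash_total")
            if getattr(now, name) != getattr(sheet, name)]

BATCH = [  # constructed sales orders
    SalesOrder(1001, Decimal("150.00")), SalesOrder(1002, Decimal("275.50")),
    SalesOrder(1003, Decimal("89.99")),  SalesOrder(1004, Decimal("420.00")),
]

def run_scenarios():
    """Reconcile the same sheet against four versions of the batch after a run."""
    sheet = prepare_transmittal("B-0001", "SO", BATCH)
    # Order 1003 replaced by a fictitious order carrying the same dollar amount.
    swapped = BATCH[:2] + [SalesOrder(9003, BATCH[2].amount)] + BATCH[3:]
    return {
        "unchanged": reconcile(sheet, BATCH),
        "record lost": reconcile(sheet, BATCH[:-1]),
        "record processed twice": reconcile(sheet, BATCH + BATCH[:1]),
        "record substituted, same amount": reconcile(sheet, swapped),
    }

if __name__ == "__main__":
    for scenario, mismatches in run_scenarios().items():
        print(f"{scenario:34} {mismatches or 'in balance'}")
```

The substituted record leaves the record count and batch control total in balance; only the hash total exposes it.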
24
Operator Intervention Controls
• Operator intervention increases the potential
for human errors.
• Systems that limit operator intervention through
operator intervention controls are thus less
prone to errors.
25
Audit Trail Controls
• Techniques to preserve audit trails:
– Transaction logs: every transaction successfully
processed by the system should be recorded on
a transaction log, which serves as a journal.
– Log of automatic transactions
– Listing of automatic transactions
– Error listing
26