Application Controls - University of Wisconsin–Parkside


Application Controls
Batch Processing
Application Audit
Acknowledgments
Material is sourced from:
- CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission.
- CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission.
Author: Susan J Lincke, PhD
Univ. of Wisconsin-Parkside
Contributors: Todd Burri, Megan Reid, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and
Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit,
Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this
material are those of the author(s) and/or source(s) and do not necessarily
reflect the views of the National Science Foundation.
Objectives
Students should be able to:
- Define and describe batch control, validation, batch balance, reconciliation, standing data, exception report, audit trail, system control parameters
- Define checks: sequence, limit or range, validity check or table lookup, existence, key verification, check digit, completeness, duplicate, consistency of logical relationship
- Define and understand application testing techniques: test data, snapshot, integrated testing facilities, parallel operation, parallel simulation, transaction selection program
- Define online auditing techniques: audit hooks, system control audit review file and embedded audit modules (SCARF/EAM)
Security in Software Development (figure): the lifecycle phases Requirements, Architecture & Design, Code, Test, Deploy and Operation, with the security touchpoints Security Requirements, Abuse Cases, Risk Analysis, Code Review, Risk-Based Security Test, Penetration Test and Security Operation placed along them.
Input Form
- Make the form easy to read and use
- Group like fields together
- Provide predetermined input codes to reduce errors
- Provide an identifier or cross-reference number (the sample form is pre-printed "No. 12083")
- Indicate field sizes
- Provide an authorization signature if necessary

Sample form shown on the slide:

Sales Order Form                          No. 12083
Date: 11/09/09          Time: 3:24 PM
Product                 Quantity
_____________           _______
_____________           _______
_____________           _______
_____________           _______
Salesperson:
Authorization:
Transaction Validation
Sequence Check: Transactions carry sequence numbers; out-of-sequence and duplicate numbers are rejected.
Limit or Range Check: A limit check rejects values above a maximum (e.g., checks should not exceed $3,000); a range check rejects values outside a minimum and maximum.
Validity Check or Table Lookup: Only values from a predefined set are accepted: Sex=M/F.
Reasonableness Check: Values entered are plausible: a takeout order of 100 pizzas???
Existence Check: Required fields are present and entered correctly.
Key Verification: Input is double-checked, either by a second person re-keying it or by entering all digits twice.
Check Digit: An extra digit computed from the other digits verifies that they were entered correctly; a mistyped or transposed digit changes the result and is caught.
Completeness Check: All of the input is provided: each required position is checked for zeros or spaces that would indicate a missing letter or digit.
Duplicate Check: Duplicate transactions, or transactions with duplicate IDs, are detected and rejected.
Consistency or Logical Relationship Check: Data is consistent with other known data: an employee's birth date must be at least 16 years ago.
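The checks above, written out as working code. This is an added example for this page, not code from the slides or the CISA manual; the record layout, the $3,000 limit, the 1..999 quantity range, the 100-unit reasonableness threshold, the transaction-type table and the use of a Luhn (mod 10) check digit on account numbers are assumptions made for the demo.

```python
"""Added example (not from the slides or the CISA manual): the transaction
validation checks applied to a constructed batch of sales transactions.
Field names, limits and the Luhn check digit are assumptions for the demo."""
from datetime import date

VALID_TRANS_TYPES = {"033", "036", "054"}   # validity check / table lookup
AMOUNT_LIMIT = 3000.00                       # limit check
QUANTITY_RANGE = (1, 999)                    # range check
REASONABLE_QUANTITY = 100                    # reasonableness check
REQUIRED = ("seq", "account", "trans_type", "amount", "quantity",
            "clerk", "order_date", "ship_date")


def luhn_ok(digits: str) -> bool:
    """Check digit: the last digit is computed from the others (Luhn / mod 10),
    so a mistyped or transposed digit changes the result and is caught."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate(txns):
    """Run every check on every record. Returns (accepted, exception_report);
    the report lists (seq, check, message) for each failure."""
    accepted, report = [], []
    seen, expected_seq = set(), None
    for t in txns:
        seq = t.get("seq")
        errs = []
        # Existence check: the record must carry a transaction number at all.
        if seq is None:
            errs.append(("existence", "no transaction number"))
        # Duplicate check: the same pre-numbered form submitted twice.
        elif seq in seen:
            errs.append(("duplicate", f"transaction {seq} already in batch"))
        else:
            # Sequence check: numbers must arrive in order with no gaps.
            if expected_seq is not None and seq != expected_seq:
                errs.append(("sequence", f"expected {expected_seq}, got {seq}"))
            seen.add(seq)
            expected_seq = (seq if expected_seq is None else max(expected_seq, seq)) + 1
        # Completeness check: no required field left blank.
        missing = [f for f in REQUIRED if str(t.get(f, "")).strip() == ""]
        if missing:
            errs.append(("completeness", "blank field(s): " + ", ".join(missing)))
        acct = str(t.get("account", ""))
        if acct and not luhn_ok(acct):
            errs.append(("check_digit", f"account {acct} fails check digit"))
        ttype = t.get("trans_type")
        if ttype and ttype not in VALID_TRANS_TYPES:
            errs.append(("validity", f"unknown transaction type {ttype}"))
        amount = t.get("amount")
        if amount is not None and amount > AMOUNT_LIMIT:
            errs.append(("limit", f"amount {amount:.2f} exceeds {AMOUNT_LIMIT:.2f}"))
        qty = t.get("quantity")
        if qty is not None:
            lo, hi = QUANTITY_RANGE
            if not lo <= qty <= hi:
                errs.append(("range", f"quantity {qty} outside {lo}..{hi}"))
            elif qty > REASONABLE_QUANTITY:
                errs.append(("reasonableness", f"quantity {qty} is implausible"))
        # Consistency / logical relationship: cannot ship before the order date.
        od, sd = t.get("order_date"), t.get("ship_date")
        if od and sd and sd < od:
            errs.append(("consistency", f"ship date {sd} precedes order date {od}"))
        if errs:
            report.extend((seq, check, msg) for check, msg in errs)
        else:
            accepted.append(t)
    return accepted, report


# Constructed sample batch (not real data); 01222 and 02022 pass the Luhn
# check, 01001 does not.
D = date(2009, 11, 9)
SAMPLE = [
    {"seq": 1001, "account": "01222", "trans_type": "054", "amount": 54.43,
     "quantity": 2, "clerk": "212", "order_date": D, "ship_date": date(2009, 11, 10)},
    {"seq": 1002, "account": "02022", "trans_type": "036", "amount": 999.99,
     "quantity": 3, "clerk": "215", "order_date": D, "ship_date": D},
    {"seq": 1002, "account": "02022", "trans_type": "036", "amount": 999.99,
     "quantity": 3, "clerk": "215", "order_date": D, "ship_date": D},      # resubmitted
    {"seq": 1004, "account": "01001", "trans_type": "054", "amount": 3500.00,
     "quantity": 0, "clerk": "212", "order_date": D, "ship_date": D},      # 1003 missing
    {"seq": 1005, "account": "01008", "trans_type": "099", "amount": 10.19,
     "quantity": 150, "clerk": "", "order_date": D, "ship_date": date(2009, 11, 8)},
]

if __name__ == "__main__":
    ok, exceptions = validate(SAMPLE)
    print("accepted:", [t["seq"] for t in ok])
    for line in exceptions:
        print("EXCEPTION", *line)
```

Running it accepts only the first two records and produces nine exception lines, one per failed check; note that the duplicate resubmission of 1002 is reported as a duplicate, not as an out-of-sequence number, and that the gap left by the missing form 1003 is reported on the record that follows it.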
Batch Processing
1. Input is authorized and collected into a batch.
2. Batch controls are calculated automatically and associated with the batch file.
3. Validation of the transactions occurs. Rejected transactions are corrected and resubmitted or otherwise handled.
4. Processing occurs (e.g., orders, payments, storage to the DB).
5. Processing completes. Batch balancing occurs through manual or automatic reconciliation of batch controls.
Batch Controls

Account#   TransType   Amount     Clerk
01001      054         $54.43     212
01222      054         $89.99     215
02022      033         $10.19     212
02022      036         $999.99    215
.........
01098      054         $50.00     215
Batch Control:
12242      435         $9544.34   818

A batch groups transactions to control processing.
Batch controls can include totals or hashed values.
Totals may include total items, documents, or values; a hash total is the sum of a field with no financial meaning (such as Account#), kept only so that a lost or changed record alters a number the batch register already holds.
Transaction Authorization

Manual:
- Obtain a signature from management on batch forms or source documents
- Forms or source documents record the data; pre-number them for control where possible

Automatic:
- Online access control via password or terminal identification
Error Handling Alternatives
- Reject the transaction(s) with errors but process the remaining batch
- Reject the whole batch that contains error transactions
- Hold the batch in suspense until the error transactions are fixed
- Accept the full batch but flag the error transactions for later correction
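The batch controls, the four error-handling alternatives and batch balancing, carried through on a constructed batch laid out like the table above. This is an added example for this page, not code from the slides or the CISA manual; the $3,000 limit, the policy names and the sample amounts are assumptions made for the demo.

```python
"""Added example (not from the slides or the CISA manual): batch controls,
a per-transaction edit, the four error-handling alternatives, and batch
balancing that reconciles the batch register against what was processed.
The $3,000 limit and the policy names are assumptions for the demo."""
from decimal import Decimal

AMOUNT_LIMIT = Decimal("3000.00")

# Constructed batch (not real data); Decimal avoids float drift in the totals.
BATCH = [
    {"account": "01001", "trans_type": "054", "amount": Decimal("54.43"), "clerk": "212"},
    {"account": "01222", "trans_type": "054", "amount": Decimal("89.99"), "clerk": "215"},
    {"account": "02022", "trans_type": "033", "amount": Decimal("10.19"), "clerk": "212"},
    {"account": "02022", "trans_type": "036", "amount": Decimal("999.99"), "clerk": "215"},
    {"account": "01098", "trans_type": "054", "amount": Decimal("5000.00"), "clerk": "215"},  # over limit
]


def batch_controls(txns):
    """Controls written on the batch register before processing: a record count,
    a financial total, and hash totals of fields that have no financial meaning
    (account numbers, clerk ids). The hash totals exist only so that a lost or
    altered record changes a number the register already has."""
    return {
        "count": len(txns),
        "amount_total": sum((t["amount"] for t in txns), Decimal("0")),
        "account_hash": sum(int(t["account"]) for t in txns),
        "clerk_hash": sum(int(t["clerk"]) for t in txns),
    }


def edit(t):
    """Per-transaction edit: returns an error message or None."""
    if t["amount"] > AMOUNT_LIMIT:
        return f"amount {t['amount']} exceeds limit {AMOUNT_LIMIT}"
    if not (t["account"].isdigit() and len(t["account"]) == 5):
        return f"malformed account {t['account']!r}"
    return None


def process(txns, policy):
    """Apply one of the four error-handling alternatives:
    reject_txn, reject_batch, suspense or accept_flag.
    Returns (posted, rejected, flagged, status)."""
    edited = [(t, edit(t)) for t in txns]
    bad = [t for t, err in edited if err]
    good = [t for t, err in edited if not err]
    if bad and policy == "reject_batch":
        return [], list(txns), [], "whole batch rejected"
    if bad and policy == "suspense":
        return [], [], [], "batch held in suspense until errors are fixed"
    if policy == "accept_flag":
        return list(txns), [], bad, "batch posted; error transactions flagged"
    return good, bad, [], "error transactions rejected; remainder posted"   # reject_txn


def reconcile(register, posted, rejected):
    """Batch balancing with errors accounted for: the register controls must
    equal the controls of what was posted plus the controls of what was
    rejected. Any non-zero difference means a record was lost or changed
    during processing. Returns (balanced, differences)."""
    accounted = batch_controls(posted + rejected)
    diff = {k: register[k] - accounted[k] for k in register}
    return all(v == 0 for v in diff.values()), diff


if __name__ == "__main__":
    register = batch_controls(BATCH)            # recorded on the batch register
    posted, rejected, flagged, status = process(BATCH, "reject_txn")
    print(status, "->", reconcile(register, posted, rejected))
    # Simulate a record dropped between stages: the account hash pinpoints it.
    print("one posting lost ->", reconcile(register, posted[1:], rejected))
```

With the over-limit item rejected, the batch still balances because the rejected item's controls are added back; dropping one posted record leaves a count difference of 1 and an account-hash difference equal to the missing account number, which is exactly what a hash total of customer numbers is for.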

Data Processing (figure): today's Transaction File feeds Processing, which reads and updates Standing Data (permanent files holding master data/balance data) and is governed by System Control Parameters (which control processing, e.g., specify limit maximums). Processing produces an Exception Report (reports errors in transactions) and an Audit Trail or transaction log (records the running balances and totals updated by transactions).
Processing Controls
Per-Transaction Basis
- Editing: the program tests the accuracy, completeness and validity of data
- Checks on Calculated Amounts: calculated values are checked to be reasonable or not to exceed a maximum
- Programmed Control: software to detect, log, and initiate corrective action for errors
- Exception Report: reports error transactions with their error types
Per-Batch Basis
- Batch Register: batch totals are recorded manually to be compared with system totals
- Run-to-Run Totals: each processing stage reports its calculated batch controls, so a loss can be localized to the stage where the totals first diverge
- Reconciliation: a supervisor should review that *all* data was properly recorded and processed
Data File Control Procedures
- Prerecorded Input: certain information fields are preprinted on a blank input form to reduce input errors.
- Data File Security: ensures authorized access only
- Version Usage: the correct version of a file is always accessed
- Transaction Logs: an audit trail records the date/time of input, user ID and terminal location, and the input transactions
- Before and After Image Reporting: file data is recorded before and after processing, enabling traces to occur based on transactions
- Parity Checking: when data is transmitted, check codes are added to ensure data is transmitted without error.
Batch Processing
- Error Reporting & Handling: all error reports are properly reconciled and authorizations/corrections are submitted in a timely manner.
- One-for-One Checking: source documents correctly describe the processing that has occurred
- Source Document Retention: source documents are retained as necessary for error handling and audits.
- Internal & External Labeling: removable storage media is labeled to ensure correct processing

Question: A hash total of customer numbers is one input to the sales program. This program generates its own total to compare against this input parameter. What is the purpose of this procedure?
1. Validate customer numbers are accurate
2. Detect lost or changed transaction(s)
3. Detect error(s) in sales transactions
4. Validate that each sales transaction is complete

Question: Batch balancing is used to?
1. Ensure that test data accurately matches real data when considering transaction types
2. Detect lost or changed transaction(s) during processing
3. Detect error(s) in sales transactions
4. Verify batch total is reasonable

Question: Batch totals may not match when error transactions are removed. The process that verifies full processing did occur correctly, while accounting for errors, is called:
1. Audit trail
2. Validation
3. Batch balancing
4. Reconciliation
Application Audit
Auditor Tasks
- Identify significant application components and the flow of transactions
- Identify controls and evaluate their effectiveness
- Test the controls
- Analyze the test results to determine whether controls work as expected

Testing Applications: Test Data (figure): Test Data -> Pgm1 -> Pgm2 -> Pgm3
Processes test data through the real programs.

Testing Applications: Snapshot (figure): Pgm1 -> Pgm2 -> Pgm3, with a snapshot recorded at each program
Displays 'snapshots' of how transactions are processed, as they are processed. Certain transactions are designated for recording.

Integrated Testing Facilities (figure): Real Data and Test Data -> Pgm1 -> Pgm2 -> Pgm3
Test data and real data are merged. Must be careful to isolate the test results.

Parallel Operation or Parallel Simulation (figure): Real Data -> New System or System under Test (Pgm1, Pgm2, Pgm3) and, in parallel, -> Stable System or Simulated System (Pgm1*, Pgm2*, Pgm3*)
Data is processed through two systems and the results are compared. Useful to verify a new system.
Parallel Operation: compare the new system with the older stable system
Parallel Simulation: compare the actual system with a simulated system

Transaction Selection Program (figure): Transaction Selection Program -> Test Data -> Pgm1 -> Pgm2 -> Pgm3
A tool that helps select transactions to build a test deck.
Embedded Audit Data Collection (figure): Regular Data -> Pgm1 -> Pgm2 -> Pgm3, with audit modules embedded in the programs
Embedded Audit Modules (EAM): Audit software is embedded directly into the application programs to monitor specific types of transactions.
Systems Control Audit Review File (SCARF): Provides statistical information about the normal input data file, to determine if the file is sufficiently varied for the auditor.
Sample Audit Review File (SARF): Selects random transactions for analysis.
Testing Application Techniques
Test Data:
- Test Data: test transactions go through the real programs
- Integrated Testing Facilities: creates test transactions to include with live data
- Transaction Selection Programs: screen and select transaction input to the regular production cycle
- Embedded Audit Data: selects random or statistically-distributed input transactions and generates logs during production
Debugging/Processing:
- Mapping: identifies specific program logic that has not been tested
- Tracing and Tagging: a trace shows the trail of instructions executed; a tag places indicators on selected transactions
- Snapshot: records the flow of designated transactions through logic paths
Validation Systems:
- Base-case System Evaluation: uses test data for testing programs and verifies correct system operation before acceptance
- Parallel Simulation: uses programs that simulate the application program logic
- Parallel Operation: runs the new and old production data processing systems and compares the results
Online Auditing Techniques
- Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM): embedding specifically written audit software in the organization's host application system
- Snapshots: pictures of the processes' path
- Audit Hooks: embedding hooks in applications
- Integrated Test Facility (ITF): dummy entries are set up and included in the auditor's production file
- Continuous & Intermittent Simulation (CIS): simulates the instructions executed by the application
Concurrent Audit Tools

Online Audit Technique               Complexity   Useful when
SCARF/EAM                            Very High    Regular processing cannot be interrupted
Integrated Test Facilities           High         It is not beneficial to use test data
Snapshots                            Medium       An audit trail is required
Continuous Intermittent Simulation   Medium       Transactions meeting certain criteria need to be examined
Audit Hooks                          Low          Only select transactions or processes need to be examined
Continuous Online Auditing: Audit Hooks (figure): Regular Data -> Pgm1 -> Pgm2 -> Pgm3, with hooks embedded in the programs
Continuous online auditing enables auditors to test the system without disrupting the company's regular operation.
Audit hooks are software logic embedded into the application that produce reports of red flags, enabling auditors to act early and catch errors before they become problems.
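An embedded audit module, an audit hook and an integrated-test-facility dummy account, all wired into one toy posting program, to show how the three online techniques above sit inside the application rather than beside it. This is an added example for this page, not code from the slides or the CISA manual; the selection criteria, the thresholds, the SCARF record layout and the "TEST-" account prefix are assumptions made for the demo.

```python
"""Added example (not from the slides or the CISA manual): an embedded audit
module (SCARF/EAM) and an audit hook inside a toy posting program, plus an
ITF dummy account kept out of the real ledger. Criteria, thresholds, record
layout and the 'TEST-' prefix are assumptions for the demo."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str
    amount: Decimal
    clerk: str      # who entered it
    approver: str   # who authorized it


class EmbeddedAuditModule:
    """Runs inside the application on every transaction, so regular processing
    is never interrupted. Transactions meeting the auditor's criteria are
    copied to the SCARF file for later review; conditions that need action
    now are raised through the audit hook as red flags."""

    def __init__(self, large_amount=Decimal("10000"), band=Decimal("500")):
        self.large_amount = large_amount
        self.band = band            # width of the "just under the threshold" band
        self.scarf = []             # (txn_id, criterion) records for the auditor
        self.red_flags = []         # (txn_id, reason) raised by the audit hook

    def inspect(self, t: Txn) -> None:
        # SCARF selection: large amounts, and amounts sitting just under the
        # reporting threshold (a common sign of splitting to evade a limit).
        if t.amount >= self.large_amount:
            self.scarf.append((t.txn_id, "large_amount"))
        elif self.large_amount - self.band <= t.amount < self.large_amount:
            self.scarf.append((t.txn_id, "just_under_threshold"))
        # Audit hook: a clerk approving their own entry breaks segregation of
        # duties and should be acted on immediately, not at the next review.
        if t.clerk == t.approver:
            self.red_flags.append((t.txn_id, f"clerk {t.clerk} approved own entry"))


ITF_PREFIX = "TEST-"   # integrated test facility: dummy entity the auditor owns


def post_batch(txns, eam: EmbeddedAuditModule):
    """Post each transaction to the ledger, calling the embedded audit module
    at the point of posting. ITF entries go to a separate test ledger so the
    auditor's test transactions never change real balances."""
    ledger, test_ledger = {}, {}
    for t in txns:
        eam.inspect(t)
        target = test_ledger if t.account.startswith(ITF_PREFIX) else ledger
        target[t.account] = target.get(t.account, Decimal("0")) + t.amount
    return ledger, test_ledger


# Constructed sample input (not real data).
SAMPLE = [
    Txn(1, "01222", Decimal("54.43"), clerk="212", approver="400"),
    Txn(2, "02022", Decimal("12000.00"), clerk="215", approver="400"),
    Txn(3, "01098", Decimal("9750.00"), clerk="215", approver="215"),
    Txn(4, "TEST-0001", Decimal("1.00"), clerk="212", approver="400"),
    Txn(5, "01222", Decimal("20.00"), clerk="212", approver="400"),
]

if __name__ == "__main__":
    eam = EmbeddedAuditModule()
    ledger, test_ledger = post_batch(SAMPLE, eam)
    print("ledger:", ledger)
    print("ITF test ledger:", test_ledger)
    print("SCARF records:", eam.scarf)
    print("red flags:", eam.red_flags)
```

Transaction 2 lands in the SCARF file as a large amount and transaction 3 as just under the threshold; transaction 3 also trips the audit hook because the clerk approved their own entry. The ITF entry is posted to the test ledger only, which is the isolation the Integrated Testing Facilities slide warns about.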
Question: Embedded audit modules are most closely associated with:
1. Audit hooks
2. Snapshots
3. Batch processing
4. Parallel operation

Question: This technique provides statistical information about the normal input data file, to determine if the file is sufficiently varied for the auditor.
1. Test data
2. Snapshots
3. Systems Control Audit and Review File
4. Transaction Selection Program

Question: Combining real and test data during an audit is known as:
1. Parallel operation
2. Integrated testing facilities
3. Batch processing
4. Embedded audit modules
Match Definitions
Definitions:
- Sequence number use causes out-of-sequence and duplicate numbers to be rejected.
- Valid numbers are below a maximum value.
- Values entered are plausible.
- Required fields are entered correctly.
- Input is double checked via a second person OR all digits are entered twice.
- Transactions with duplicate IDs are checked for and rejected.
Terms: Duplicate Check, Existence Check, Reasonableness Check, Limit Check, Key Verification, Sequence Check
Reference

Slide #   Slide Title                                  Source of Information
6         Transaction Validation                       CISA: page 225, Exhibit 3.30
7         Batch Processing                             CISA: pages 223, 224, 393
8         Batch Control                                CISA: pages 223, 224
9         Transaction Authorization                    CISA: page 223
10        Error Handling Alternatives                  CISA: page 224
12        Processing Controls                          CISA: pages 224, 225
13        Data File Control Procedures                 CISA: pages 225, 226
19        Testing Application: Test Data               CISA: page 229, Exhibit 3.32
20        Testing Application: Snapshot                CISA: page 229, Exhibit 3.32
21        Integrated Testing Facilities                CISA: page 230, Exhibit 3.32
22        Parallel Operation or Parallel Simulation    CISA: page 230, Exhibit 3.32
23        Transaction Selection Program                CISA: page 230, Exhibit 3.32
24        Embedded Audit Data Collection               CISA: page 230, Exhibit 3.32
25        Testing Application Techniques               CISA: pages 229, 230, Exhibit 3.32
26        Online Auditing Techniques                   CISA: pages 230, 231
27        Concurrent Audit Tools                       CISA: page 231, Exhibit 3.33
28        Continuous Online Auditing: Audit Hooks      CISA: pages 230, 231