Chapter 7: Computer-Assisted Audit Techniques [CAATs] - PowerPoint PPT Presentation

Description: IT Auditing & Assurance, 2e, Hall & Singleton. Advantages of Test Data Techniques: They employ through the computer ... – PowerPoint PPT presentation

Slides: 38
Provided by: TommieSi5
Learn more at: http://www.usfsp.edu

Transcript and Presenter's Notes

1
Chapter 7 Computer-Assisted Audit Techniques
CAATs
IT Auditing & Assurance, 2e, Hall & Singleton
2
CLASSES OF INPUT CONTROLS
  1. Source document controls
  2. Data coding controls
  3. Batch controls
  4. Validation controls
  5. Input error correction
  6. Generalized data input systems

3
SOURCE DOCUMENT CONTROLS
  • Controls in systems using physical source
    documents
  • Source document fraud
  • To control for this exposure, control procedures are
    needed over source documents to account for each
    one
  • Use pre-numbered source documents
  • Use source documents in sequence
  • Periodically audit source documents

4
DATA CODING CONTROLS
  • Checks on data integrity during processing
  • Transcription errors
      • Addition errors: extra digit added
      • Truncation errors: digit removed
      • Substitution errors: digit replaced
  • Transposition errors
      • Single transposition: adjacent digits transposed
        (reversed)
      • Multiple transposition: non-adjacent digits are
        transposed
  • Control: check digits
      • Added to the code when it is created (suffix, prefix,
        embedded)
      • Sum of digits (ones): detects transcription errors only
      • Modulus 11 (a different weight per column): detects
        transposition and transcription errors
      • Introduces storage and processing inefficiencies
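The two check-digit schemes on this slide behave differently against the error classes listed above it. The following Python is an added example, not code from Hall & Singleton; the sample code value and the two keying errors are constructed, and the weight scheme (2, 3, ... from the rightmost column, check digit at weight 1) is one common modulus-11 convention, not the only one.

```python
# Added example (not from Hall & Singleton's text): two check-digit schemes for
# data coding controls. Sample codes and keying errors below are constructed.

def digit_sum_check(data: str) -> str:
    """Check digit = sum of the digits mod 10, appended as a suffix.
    Detects transcription errors (a changed digit) but not transpositions,
    because reordering digits does not change their sum."""
    return str(sum(int(c) for c in data) % 10)

def mod11_check(data: str) -> str:
    """Modulus 11 with a different weight per column (2, 3, ... from the
    rightmost digit). The check digit makes the weighted sum, with the
    check digit itself at weight 1, divisible by 11. A remainder of 10 has
    no single digit and is written 'X', as in ISBN-10."""
    weights = [2 + (i % 9) for i in range(len(data))]  # 2..10, repeating
    total = sum(int(c) * w for c, w in zip(reversed(data), weights))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)

def make_code(data: str, scheme) -> str:
    """Append the check digit computed by `scheme`."""
    return data + scheme(data)

def is_valid(code: str, scheme) -> bool:
    """Recompute the check digit from the data portion and compare."""
    data, check = code[:-1], code[-1]
    return scheme(data) == check

# Constructed sample: a correct code and two common keying errors.
GOOD = "12345"
TRANSPOSED = "21345"   # single transposition: adjacent digits 1 and 2 swapped
SUBSTITUTED = "12395"  # substitution (transcription) error: 4 keyed as 9

def detection_table() -> dict:
    """For each scheme: does it reject the erroneous code when it carries
    the check digit that was computed for the correct code?"""
    results = {}
    for name, scheme in (("digit_sum", digit_sum_check), ("mod11", mod11_check)):
        check = make_code(GOOD, scheme)[-1]
        results[name] = {
            "transposition_detected": not is_valid(TRANSPOSED + check, scheme),
            "substitution_detected": not is_valid(SUBSTITUTED + check, scheme),
        }
    return results

if __name__ == "__main__":
    for scheme, outcome in detection_table().items():
        print(scheme, outcome)
```

The digit-sum scheme passes the transposed code because 2+1 and 1+2 are equal. Modulus 11 catches it because the two columns carry different weights, and since 11 is prime no product of a digit difference (1 to 9) and a weight difference (1 to 8 within one cycle of weights) is divisible by 11; the same argument covers every single-digit substitution. The caveat is the weight cycle: on codes longer than nine digits two columns nine positions apart share a weight, and a transposition between those two columns is not detected.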

5
BATCH CONTROLS
  • Method for handling high volumes of transaction
    data, esp. in paper-fed IS
  • Batch controls continue through all phases of the
    system and all processes (i.e., not JUST an input
    control)
  • All records in the batch are processed together
  • No records are processed more than once
  • An audit trail is maintained from input to output
  • Requires grouping of similar input transactions

6
VALIDATION CONTROLS
  • Intended to detect errors in data before
    processing
  • Most effective if performed close to the source
    of the transaction
  • Some require referencing a master file

7
VALIDATION CONTROLS
  • Field Interrogation
      • Missing data checks
      • Numeric-alphabetic data checks
      • Zero-value checks
      • Limit checks
      • Range checks
      • Validity checks
      • Check digit
  • Record Interrogation
      • Reasonableness checks
      • Sign checks
      • Sequence checks
  • File Interrogation
      • Internal label checks (tape)
      • Version checks
      • Expiration date check
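The three levels of interrogation on this slide are easiest to see as code that runs over a batch before the master file is updated. The Python below is an added example, not from the textbook: the customer master, the limits, the file header and the six-record batch are all constructed, and the batch deliberately contains one failure for nearly every check listed above (the check-digit test is shown with the data coding controls and is omitted here).

```python
# Added example (not from the text): field, record and file interrogation
# applied to a constructed batch of sales transactions. Master data, limits
# and the sample records are made up for the demonstration.
from datetime import date

VALID_CODES = {"SALE", "RETURN"}
CUSTOMER_MASTER = {"C100": {"credit_limit": 5000.0}, "C200": {"credit_limit": 1000.0}}
AMOUNT_LIMIT = 10_000.0        # limit check: largest amount the application accepts
REQUIRED = ("txn_no", "code", "customer", "amount", "discount_pct")

def field_interrogation(rec: dict) -> list:
    """Checks that look at one field at a time."""
    errors = [f"missing data: {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    if errors:
        return errors                       # nothing else is meaningful yet
    if not str(rec["txn_no"]).isdigit():
        errors.append("numeric-alphabetic: txn_no")
    if not isinstance(rec["amount"], (int, float)):
        errors.append("numeric-alphabetic: amount")
    else:
        if rec["amount"] == 0:
            errors.append("zero-value: amount")
        if abs(rec["amount"]) > AMOUNT_LIMIT:
            errors.append("limit: amount")
    if not isinstance(rec["discount_pct"], (int, float)) or not 0 <= rec["discount_pct"] <= 100:
        errors.append("range: discount_pct")
    if rec["code"] not in VALID_CODES:
        errors.append("validity: code")
    if rec["customer"] not in CUSTOMER_MASTER:   # validity check against the master file
        errors.append("validity: customer")
    return errors

def record_interrogation(rec: dict) -> list:
    """Checks that relate the fields of one record to each other."""
    errors = []
    amt, code = rec["amount"], rec["code"]
    if not isinstance(amt, (int, float)):
        return errors
    if (code == "SALE" and amt < 0) or (code == "RETURN" and amt > 0):
        errors.append("sign: amount")
    master = CUSTOMER_MASTER.get(rec["customer"])
    if master and code == "SALE" and amt > master["credit_limit"]:
        errors.append("reasonableness: amount exceeds credit limit")
    return errors

def validate_batch(records: list) -> dict:
    """Field and record checks per record, plus a sequence check across the batch."""
    report, last_no = {}, 0
    for rec in records:
        errors = field_interrogation(rec)
        if not any(e.startswith("missing data") for e in errors):
            errors += record_interrogation(rec)
        no = str(rec.get("txn_no", ""))
        if no.isdigit():
            if int(no) <= last_no:
                errors.append("sequence: txn_no")
            last_no = max(last_no, int(no))
        report[no] = errors
    return report

def file_interrogation(header: dict, expected_label: str, expected_version: int, today: date) -> list:
    """Header checks run before a master file is opened for update."""
    errors = []
    if header.get("label") != expected_label:
        errors.append("internal label: wrong file mounted")
    if header.get("version") != expected_version:
        errors.append("version: not the current generation")
    if header.get("expires") and header["expires"] > today:
        errors.append("expiration date: retention period not over, file must not be overwritten")
    return errors

SAMPLE_BATCH = [  # constructed; txn 1000 is out of sequence on purpose
    {"txn_no": "1001", "code": "SALE", "customer": "C100", "amount": 250.0, "discount_pct": 5},
    {"txn_no": "1002", "code": "SALE", "customer": "", "amount": 40.0, "discount_pct": 0},
    {"txn_no": "1003", "code": "SALE", "customer": "C200", "amount": -1500.0, "discount_pct": 10},
    {"txn_no": "1004", "code": "SALE", "customer": "C200", "amount": 2500.0, "discount_pct": 150},
    {"txn_no": "1000", "code": "RETURN", "customer": "C100", "amount": -20.0, "discount_pct": 0},
    {"txn_no": "1005", "code": "SALE", "customer": "X9", "amount": 0, "discount_pct": 0},
]
SAMPLE_HEADER = {"label": "AR_MASTER", "version": 12, "expires": date(2025, 1, 1)}  # constructed

def file_check_demo() -> list:
    """The run expects generation 13 of AR_MASTER on 2024-06-01 (constructed date)."""
    return file_interrogation(SAMPLE_HEADER, "AR_MASTER", 13, date(2024, 6, 1))

if __name__ == "__main__":
    for txn_no, errors in validate_batch(SAMPLE_BATCH).items():
        print(txn_no, errors or "ok")
    print("file header:", file_check_demo())
```

Field checks run first and short-circuit on missing data, since a sign or reasonableness test on an absent value would only produce noise; the sequence check is the one test that needs state across records, which is why it lives in the batch loop rather than in a per-record function.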

8
INPUT ERROR CORRECTION
  • Batch correct and resubmit
  • Controls to make sure errors are dealt with
    completely and accurately
  • Immediate Correction
  • Create an Error File
      • Reverse the effects of partially processed
        records, resubmit corrected records
      • Reinsert corrected records at the processing stage
        where the error was detected
  • Reject the Entire Batch

9
GENERALIZED DATA INPUT SYSTEMS (GDIS)
  • Centralized procedures to manage data input for
    all transaction processing systems
  • Eliminates need to create redundant routines for
    each new application
  • Advantages
      • Improves control by having one common system
        perform all data validation
      • Ensures each AIS application applies a consistent
        standard of data validation
      • Improves systems development efficiency

10
CLASSES OF PROCESSING CONTROLS
  1. Run-to-Run Controls
  2. Operator Intervention Controls
  3. Audit Trail Controls

11
RUN-TO-RUN (BATCH)
  • Use batch figures to monitor the batch as it
    moves from one process to another
  • Recalculate Control Totals
  • Check Transaction Codes
  • Sequence Checks
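Batch controls (slide 5) and run-to-run controls (this slide) are the same figures used at two points in time: a record count, a financial total and a hash total taken when the batch is received, then recalculated after every processing run. The Python below is an added example, not from the textbook; the three-record batch and the faults injected into the posting run (a dropped record, a duplicated record, a corrupted transaction code) are constructed to show which control catches which failure.

```python
# Added example (not from the text): batch control totals established at input
# and recalculated between processing runs. Transactions and the faults injected
# into later runs are constructed for the demonstration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    txn_no: int
    account: int
    code: str
    amount: float

ALLOWED_CODES = {"SALE", "RETURN"}

def control_totals(txns) -> dict:
    """Record count, financial total and hash total (sum of a non-financial
    field, here account numbers; meaningless except as a control figure)."""
    return {
        "record_count": len(txns),
        "amount_total": round(sum(t.amount for t in txns), 2),
        "hash_total": sum(t.account for t in txns),
    }

def run_to_run_check(batch_header: dict, txns) -> list:
    """Compare the batch as it leaves a run with the figures it entered with,
    then verify transaction codes and sequence."""
    findings = []
    actual = control_totals(txns)
    for name, expected in batch_header.items():
        if actual[name] != expected:
            findings.append(f"{name}: expected {expected}, got {actual[name]}")
    bad = [t.txn_no for t in txns if t.code not in ALLOWED_CODES]
    if bad:
        findings.append(f"transaction code: invalid code on txn {bad}")
    nums = [t.txn_no for t in txns]
    if len(set(nums)) != len(nums):
        findings.append("sequence: duplicate txn_no (record processed more than once)")
    elif nums != sorted(nums):
        findings.append("sequence: out of order")
    return findings

# Constructed batch; HEADER is what the data control group records at input.
BATCH = [Txn(1, 40012, "SALE", 100.00), Txn(2, 40077, "SALE", 250.50), Txn(3, 40012, "RETURN", -30.00)]
HEADER = control_totals(BATCH)

def posting_run(txns, fault=None):
    """Stand-in for a processing run; `fault` injects a constructed failure."""
    out = list(txns)
    if fault == "dropped":
        out = out[:-1]                       # last record lost between runs
    elif fault == "duplicated":
        out = out + [out[0]]                 # first record processed twice
    elif fault == "bad_code":
        out[1] = Txn(out[1].txn_no, out[1].account, "SLAE", out[1].amount)
    return out

def audit_runs() -> dict:
    """Run-to-run findings for a clean run and for each injected fault."""
    return {f: run_to_run_check(HEADER, posting_run(BATCH, f))
            for f in (None, "dropped", "duplicated", "bad_code")}

if __name__ == "__main__":
    for fault, findings in audit_runs().items():
        print(fault or "clean", findings or "totals agree")
```

A corrupted transaction code leaves all three totals untouched, which is why the transaction-code check exists alongside them; a duplicated record moves every total and is also caught by the sequence check, which names the cause rather than just the symptom.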

12
OPERATOR INTERVENTION
  • When an operator manually enters control values into
    the system
  • Preference is for controls to be derived by logic or
    provided by the system

13
AUDIT TRAIL CONTROLS
  • Every transaction becomes traceable from input to
    output
  • Each processing step is documented
  • Preservation is key to auditability of AIS
  • Transaction logs
  • Log of automatic transactions
  • Listing of automatic transactions
  • Unique transaction identifiers (serial numbers)
  • Error listing

14
OUTPUT CONTROLS
  • Ensure system output is
      • Not misplaced
      • Not misdirected
      • Not corrupted
      • Privacy policy not violated
  • Batch systems more susceptible to exposure,
    require greater controls
  • Controlling Batch Systems Output
      • Many steps from printer to end user
      • Data control clerk check point
      • Unacceptable printing should be shredded
      • Cost/benefit basis for controls
      • Sensitivity of data drives levels of controls

15
OUTPUT CONTROLS
  • Output spooling risks
      • Access the output file and change critical data
        values
      • Access the file and change the number of copies
        to be printed
      • Make a copy of the output file so illegal output
        can be generated
      • Destroy the output file before printing takes place

16
OUTPUT CONTROLS
  • Bursting
      • Supervision
  • Waste
      • Proper disposal of aborted copies and carbon
        copies
  • Data control
      • Data control group verifies and logs
  • Report distribution
      • Supervision

17
OUTPUT CONTROLS
  • End user controls
      • End user detection
  • Report retention
      • Statutory requirements (govt)
      • Number of copies in existence
      • Existence of softcopies (backups)
      • Destroyed in a manner consistent with the
        sensitivity of its contents

18
TESTING COMPUTER APPLICATION CONTROLS
  • Around the computer
      • Rarely appropriate
  • Through the computer
      • Supported by continuous audit techniques

19
TESTING COMPUTER APPLICATION AROUND THE COMPUTER
  • Ignores the internal logic of the application
  • Uses functional characteristics
      • Flowcharts
      • Interview key personnel
  • Advantages
      • Do not have to remove the application from
        operations to test it
  • Appropriately applied to
      • Simple applications
      • Relatively low level of risk

20
TESTING COMPUTER APPLICATION CONTROLS THROUGH THE
COMPUTER
  • Relies on in-depth understanding of the internal
    logic of the application
  • Uses small volume of carefully crafted, custom
    test transactions to verify specific aspects of
    logic and controls
  • Allows auditors to conduct precise tests with
    known outcomes, which can be compared objectively
    to actual results

21
COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)
  1. Test data method
  2. Base case system evaluation
  3. Tracing
  4. Integrated Test Facility (ITF)
  5. Parallel simulation
  6. Generalized Audit Software (GAS)

22
TEST DATA
  • Used to establish the application's processing
    integrity
  • Uses a test deck
      • Valid data
      • Purposefully selected invalid data
  • Covers every possible
      • Input error
      • Logical process
      • Irregularity
      • Procedure
  • Predetermined results and expectations
  • Run the test deck
  • Compare results against expectations

23
TRACING
  • Test data technique that takes a step-by-step walk
    through the application
  • The trace option must be enabled for the
    application
  • Specific data or types of transactions are
    created as test data
  • Test data is traced through all processing
    steps of the application, and a listing is
    produced of all lines of code as executed
    (variables, results, etc.)
  • Excellent means of debugging a faulty program

24
TEST DATA ADVANTAGES AND DISADVANTAGES
  • Advantages of test data
      • They employ a white-box approach (through the
        computer), thus providing explicit evidence
      • Can be employed with minimal disruption to
        operations
      • They require minimal computer expertise on the
        part of the auditors
  • Disadvantages of test data
      • Auditors must rely on IS personnel to obtain a
        copy of the application for testing
      • Audit evidence is not entirely independent
      • Provides a static picture of application integrity
      • Relatively high cost to implement, auditing
        inefficiency

25
Continuous Auditing
  • Embedded Audit Module
  • Real and test transactions
  • Tagged transactions
  • Audit hooks

26
INTEGRATED TEST FACILITY
  • ITF is an automated technique that allows
    auditors to test logic and controls during normal
    operations
  • Set up a dummy entity within the application
    system
  • System able to discriminate between ITF audit
    module transactions and routine transactions
  • Auditor analyzes ITF results against expected
    results

27
PARALLEL SIMULATION
  • Auditor writes or obtains a copy of the program
    that simulates key features or processes to be
    reviewed / tested
  • Auditor gains a thorough understanding of the
    application under review
  • Auditor identifies those processes and controls
    critical to the application
  • Auditor creates the simulation using program or
    Generalized Audit Software (GAS)
  • Auditor runs the simulated program using selected
    data and files
  • Auditor evaluates results and reconciles
    differences
  • Out-of-date approach
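The steps on this slide come together in one script: the auditor's own implementation of a rule the application is supposed to apply, run over the same input file, with the differences listed for reconciliation. The Python below is an added example, not from the textbook or any real application; the pricing rule (tiered discount, then tax), the input records and the application's output file are all constructed, and the output file carries one deliberate discrepancy so the reconciliation has something to find.

```python
# Added example (not from the text): parallel simulation of an invoicing rule.
# The auditor reimplements the pricing logic independently, runs it over the
# same input the application used, and reconciles to the application's output
# file. Input, the pricing rule and the application output are constructed.
from decimal import Decimal, ROUND_HALF_UP

TAX_RATE = Decimal("0.07")
# (gross threshold, discount rate), checked from the highest tier down
DISCOUNT_TIERS = [(Decimal("1000"), Decimal("0.10")), (Decimal("500"), Decimal("0.05"))]

def money(x: Decimal) -> Decimal:
    """Round to cents the way the documented rule says the application does."""
    return x.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)

def simulate_invoice(inv: dict) -> Decimal:
    """Auditor's understanding of the documented rule: discount the gross
    amount by tier, then apply tax to the discounted amount."""
    gross = Decimal(str(inv["qty"])) * Decimal(str(inv["unit_price"]))
    rate = next((r for threshold, r in DISCOUNT_TIERS if gross >= threshold), Decimal("0"))
    net = gross * (1 - rate)
    return money(net * (1 + TAX_RATE))

INPUT_FILE = [  # constructed: the same records the application processed
    {"invoice": "A1", "qty": 10, "unit_price": "25.00"},   # gross 250, no discount
    {"invoice": "A2", "qty": 30, "unit_price": "20.00"},   # gross 600, 5% tier
    {"invoice": "A3", "qty": 50, "unit_price": "40.00"},   # gross 2000, 10% tier
]

APPLICATION_OUTPUT = {  # constructed output file from the live application
    "A1": Decimal("267.50"),
    "A2": Decimal("609.90"),
    "A3": Decimal("2140.00"),   # deliberate discrepancy: equals 2000 * 1.07, no discount
}

def reconcile(input_file: list, app_output: dict) -> list:
    """List every invoice where the simulation and the application disagree."""
    differences = []
    for inv in input_file:
        expected = simulate_invoice(inv)
        actual = app_output.get(inv["invoice"])
        if actual != expected:
            differences.append({
                "invoice": inv["invoice"],
                "simulated": expected,
                "application": actual,
                "difference": None if actual is None else actual - expected,
            })
    return differences

if __name__ == "__main__":
    for d in reconcile(INPUT_FILE, APPLICATION_OUTPUT):
        print(d)
```

The simulation is written from the documented rule, not from the application's source, which is what makes the evidence independent; the one difference it surfaces here (A3 billed without its 10% tier) is the kind of finding the auditor then takes back to the application owner to explain. `Decimal` is used rather than floats so that cent rounding, a common source of spurious differences in this technique, is under the auditor's control.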

28
Email and IM
28
29
Sedona ConferenceWG1 Best Practices for E Doc
Retention and Production
30
Sedona ESI Framework
  • Sedona Conference: white papers on keyword
    searches and electronically stored information (ESI)
  • Keyword list can cut costs substantially
  • Most searches turn up small percent of relevant
    documents and miss many critical documents
  • Risks for both under and over inclusive terms
  • Sedona framework provides higher quality and
    lower costs

31
Keyword Search and E-Discovery
  • E-discovery and document review are expensive
  • Cost associated with heavy reliance on human
    review
  • Search solutions were not built with e-discovery
    in mind
  • Majority of companies do not have an effective
    retention or archiving plan for electronic
    documents

32
ESI Retention Policy
  • Must comply with SOX and be scrutinized by legal
  • Categorize documents by type and retention period
  • Use different archival methods
  • Software can provide for efficient retrieval
  • Train employees on the policy

33
E-Mail Retention Policy
  • Federal Rules of Civil Procedure, industry
    regulations and internal policies all influence
    which emails should be archived.
  • Safe harbor in eDiscovery rests in an
    organization adhering to its policies and
    procedures that guide the destruction of its
    email data.
  • Not all e-mails are the same: set archive
    categories by the nature of the email.
  • Adopt a policy and do not vary from it.

34
Redacted E-mail and Privacy
  • Deleted information may be recoverable from
    electronic documents
  • Policy should be specific as to what information
    must be deleted before issuing to a third party
  • Covered by federal laws and regulations
  • Software available to filter and delete

35
Cost of Poor Retention Policy
  • The judge could:
      • instruct the jury to infer that the record(s)
        destroyed contained information unfavorable to
        your company;
      • order your company to pay the cost of restoring any
        archival media on which a lost record is stored,
        plus reasonable litigation expenses incurred by
        your opponent in filing a motion for discovery
        and production of the record.

36
Beware the Unmanaged IM and Email
  • Recipients may retain IM
  • IM immune to firewalls
  • IM may be offensive to employees
  • Track IM usage
  • Enable content filtering and blocking
  • Log and audit conversations
  • Do not allow encrypted IM

37
Chapter 7 Computer-Assisted Audit Techniques
CAATs
  • IT Auditing & Assurance, 2e, Hall & Singleton