
• Source program library (SPL) – the library in which application programs are held in source code form on magnetic disk

• Controlling the SPL requires an SPL management system (SPLMS)


• The SPLMS controls four critical functions:
o Storing programs on the SPL
o Retrieving programs for maintenance purposes
o Deleting obsolete programs from the library
o Documenting program changes to provide an audit trail of the changes
• The SPLMS manages program files; the DBMS manages data files
• The computer manufacturer may supply the SPLMS software as part of the operating system, or the software may be
purchased from vendors

CONTROLS

• PASSWORD CONTROL
• SEPARATION OF TEST LIBRARIES – a strict separation is maintained between the production programs that are
subject to maintenance in the SPL and those still being developed; this control is strengthened by the
implementation of program-naming conventions
• AUDIT TRAIL AND MANAGEMENT REPORTS – an important feature is the creation of reports that enhance
management control and support the audit function; modification reports describe in detail all program
changes to each module; during the audit, these reports can be reconciled against program maintenance requests to verify
that only approved changes were implemented
• PROGRAM VERSION NUMBERS – the SPLMS automatically assigns a version number to each program stored on the
SPL; a program receives version number zero when first placed in the library, and the number is incremented
with each authorized change; an unauthorized change is signaled by a version number on the
production load module that cannot be reconciled to the number of authorized changes
• CONTROLLING ACCESS TO MAINTENANCE COMMANDS – powerful maintenance commands are available on
most library systems that can be used to alter or eliminate program passwords, alter version numbers and
temporarily modify a program; access to these commands must therefore be restricted

Audit objectives relating to systems maintenance

1. Maintenance procedures protect applications from unauthorized changes
2. Applications are free from material errors
3. Program libraries are protected from unauthorized access

AUDIT PROCEDURES FOR IDENTIFYING UNAUTHORIZED PROGRAM CHANGES

1. Reconcile program version numbers – the current version number of each program should equal the number of authorized maintenance changes made to it
2. Confirm maintenance authorization – every maintenance change should be supported by an approved maintenance request
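The two procedures above, scripted as an added example (this is not code from the original notes or from any SPLMS product). It assumes a hypothetical SPLMS listing that reports each program's current version number and a hypothetical maintenance-request register; both are constructed inline, and a program is expected to have been changed exactly once per approved request.

```python
"""Added example: reconciling SPL version numbers against approved maintenance
requests (audit procedures 1 and 2 above)."""
from collections import Counter

# Constructed SPLMS listing: program name -> current version number.
# A program enters the SPL at version 0 and each change adds one.
SPL_LISTING = {
    "ARUPDATE": 3,
    "INVUPDT": 1,
    "PAYROLL": 2,
    "GLPOST": 0,
}

# Constructed maintenance-request register: (program, request id, status).
MAINT_REQUESTS = [
    ("ARUPDATE", "MR-101", "approved"),
    ("ARUPDATE", "MR-117", "approved"),
    ("ARUPDATE", "MR-123", "approved"),
    ("INVUPDT", "MR-104", "approved"),
    ("PAYROLL", "MR-109", "approved"),
    ("PAYROLL", "MR-131", "rejected"),   # requested but never approved
]


def approved_change_counts(requests):
    """Count approved maintenance requests per program (procedure 2: only
    approved requests count as authorization)."""
    return Counter(prog for prog, _, status in requests if status == "approved")


def reconcile_versions(listing, requests):
    """Procedure 1: return {program: (version, approved_changes)} for every
    program whose version number cannot be reconciled to its approved
    changes. Programs absent from the register are expected at version 0."""
    approved = approved_change_counts(requests)
    exceptions = {}
    for program, version in listing.items():
        expected = approved.get(program, 0)
        if version != expected:
            exceptions[program] = (version, expected)
    return exceptions


if __name__ == "__main__":
    for prog, (ver, ok) in reconcile_versions(SPL_LISTING, MAINT_REQUESTS).items():
        print(f"{prog}: version {ver} but only {ok} approved change(s)")
```

In the constructed data PAYROLL is at version 2 with only one approved request, so it is the one exception an auditor would follow up; a program with a version above zero and no register entry at all would be flagged the same way.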

Audit procedures for identifying application errors

1. Reconcile the source code – the permanent file should contain the current program listing and listings of all changes
made to the application
2. Review the test results – program test procedures should be properly documented
3. Retest the program

Audit procedures for testing access to libraries

1. Review programmer authority tables – the table specifies the libraries each programmer may access
2. Test the authority table – the operating system should deny any unauthorized attempt to access a library

APPLICATION CONTROLS

Input Controls – programmed procedures that perform tests on transaction data to ensure that they are free from errors

1. Check digit – a control digit added to a data code when the code is originally assigned, which allows the integrity of the
code to be established during subsequent processing; it detects:
a. Transcription errors
i. Addition errors – an extra digit is added to the code
ii. Truncation errors – a digit is removed from the end of the code
iii. Substitution errors – one digit is replaced with another
b. Transposition errors
i. Single transposition errors – two adjacent digits are reversed
ii. Multiple transposition errors – nonadjacent digits are transposed
2. Missing data check – if data are not properly justified or if a character is missing, the value in the field will be
improperly processed; the check tests for blank or incomplete fields
3. Numeric–alphabetic data check – identifies when the data in a particular field are in the wrong form (e.g., letters in a numeric field)
4. Limit check – identifies field values that exceed an authorized limit
5. Range check – data have upper and lower limits to their acceptable values
6. Reasonableness check – determines whether a value that has already passed the limit and range checks is reasonable when considered along
with data in other fields of the record
7. Validity check – compares the actual field value against known acceptable values; if the value does not match one of the
acceptable values, the record is flagged as an error
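The seven input controls above applied to constructed sales-order records, as an added example (not code from the original notes). The check digit uses a weighted modulus-11 scheme, which is an assumption since the notes do not name an algorithm; with distinct weights it catches every single substitution and single transposition, and the length change of an addition or truncation error. The field names, limits and the table of valid codes are all hypothetical.

```python
"""Added example: input controls (check digit, missing data, numeric-alphabetic,
limit, range, reasonableness, validity) over constructed records."""

WEIGHTS = (2, 3, 4, 5, 6, 7)  # modulus-11 weights, applied from the rightmost base digit outward


def mod11_check_digit(base):
    """Compute the modulus-11 check digit for a numeric code.
    Returns None when the code would need check digit 10, which cannot be
    held in one digit (such codes are simply never assigned)."""
    total = sum(int(d) * w for d, w in zip(reversed(base), WEIGHTS))
    digit = (11 - total % 11) % 11
    return None if digit == 10 else digit


def check_digit_ok(code):
    """Validate a code whose last character is its check digit."""
    if not code.isdigit() or len(code) < 2:
        return False
    return mod11_check_digit(code[:-1]) == int(code[-1])


def _is_number(value):
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


# Hypothetical control parameters for the sales-order record
VALID_REGIONS = {"N", "S", "E", "W"}      # validity check table
QTY_LIMIT = 1000                          # limit check: maximum authorized quantity
PRICE_RANGE = (0.01, 5000.00)             # range check bounds for unit price
MAX_LINE_VALUE = 250_000.00               # reasonableness: qty * price ceiling


def validate_record(rec):
    """Run each input control on one record; return the errors found
    (an empty list means the record passed every check)."""
    errors = []

    # Missing data check: required fields must be present and non-blank
    for field in ("customer_no", "qty", "unit_price", "region"):
        if rec.get(field) is None or str(rec[field]).strip() == "":
            errors.append(f"missing data: {field}")
    if errors:
        return errors  # later checks are meaningless on incomplete data

    # Numeric-alphabetic check: each field must be in the right form
    if not str(rec["qty"]).isdigit():
        errors.append("numeric-alphabetic: qty is not numeric")
    if not _is_number(rec["unit_price"]):
        errors.append("numeric-alphabetic: unit_price is not numeric")
    if not str(rec["region"]).isalpha():
        errors.append("numeric-alphabetic: region is not alphabetic")
    if errors:
        return errors

    qty, price = int(rec["qty"]), float(rec["unit_price"])
    lo, hi = PRICE_RANGE

    # Check digit on the customer number
    if not check_digit_ok(str(rec["customer_no"])):
        errors.append("check digit: customer_no fails modulus-11 test")

    # Limit check and range check on individual fields
    if qty > QTY_LIMIT:
        errors.append(f"limit: qty {qty} exceeds {QTY_LIMIT}")
    if not lo <= price <= hi:
        errors.append(f"range: unit_price {price} outside {lo}-{hi}")

    # Reasonableness check: only for values that passed limit and range,
    # judged against the other field of the record
    if qty <= QTY_LIMIT and lo <= price <= hi and qty * price > MAX_LINE_VALUE:
        errors.append(f"reasonableness: line value {qty * price:.2f} too high")

    # Validity check against the table of acceptable values
    if rec["region"] not in VALID_REGIONS:
        errors.append(f"validity: region {rec['region']!r} not in table")

    return errors


# Constructed sample records; customer 10427 carries check digit 2
SAMPLE_RECORDS = [
    {"customer_no": "104272", "qty": "40", "unit_price": "19.99", "region": "N"},   # clean
    {"customer_no": "014272", "qty": "40", "unit_price": "19.99", "region": "N"},   # single transposition
    {"customer_no": "104272", "qty": "", "unit_price": "19.99", "region": "N"},     # missing quantity
    {"customer_no": "104272", "qty": "4O", "unit_price": "19.99", "region": "N"},   # letter O for zero
    {"customer_no": "104272", "qty": "900", "unit_price": "4999.00", "region": "Q"}, # unreasonable, bad region
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, validate_record(rec) or "ok")
```

The last record is the instructive one: quantity and price each pass their own limit and range checks, yet together they produce a line value no reasonable order would carry, which is exactly the gap the reasonableness check exists to close.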

PROCESSING CONTROLS

1. Batch controls – used to manage the flow of high volumes of transactions through batch processing systems;
the objective is to reconcile system output with the input originally entered into the system
2. Run-to-run controls – use of batch figures to monitor the batch as it moves from one programmed procedure to
another
a. Example with four runs:
i. Data input
ii. Accounts receivable update
iii. Inventory update
iv. Output
b. Two ways of handling transaction errors detected in a run:
• First: reverse the effects of the partially processed transactions and resubmit the corrected records to
the data input stage
• Second: reinsert the corrected records into the processing stage at which the error was detected
• HASH TOTAL: summation of a nonfinancial field, used to keep track of the records in a batch
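Batch control figures carried run-to-run across the four runs above, as an added example (not code from the original notes). The batch control record is assumed to hold a record count, a financial total of the amount field and a hash total of the account number field; the transaction layout, the sample batch and the four "runs" are constructed, and the inventory update run is built to drop a record so that the control fires.

```python
"""Added example: batch controls, run-to-run reconciliation and a hash total."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account_no: int   # nonfinancial field used for the hash total
    item_no: int
    qty: int
    amount: float


def batch_totals(batch):
    """Compute the batch control figures: record count, financial total of
    the amount field, and a hash total over the account number field."""
    return {
        "record_count": len(batch),
        "amount_total": round(sum(t.amount for t in batch), 2),
        "hash_total": sum(t.account_no for t in batch),
    }


def run_to_run_check(run_name, batch, control):
    """Recompute the figures after a run and reconcile them to the batch
    control record; return the discrepancies (empty if the batch is intact)."""
    actual = batch_totals(batch)
    return [f"{run_name}: {k} expected {control[k]} got {actual[k]}"
            for k in control if actual[k] != control[k]]


# Constructed sample batch
BATCH = [
    Txn(account_no=10427, item_no=501, qty=3, amount=59.97),
    Txn(account_no=10519, item_no=502, qty=1, amount=120.00),
    Txn(account_no=10433, item_no=501, qty=2, amount=39.98),
    Txn(account_no=10602, item_no=777, qty=5, amount=15.25),
]


# Constructed runs: each receives the batch and hands it to the next run.
def data_input_run(batch):
    return list(batch)


def ar_update_run(batch):
    return list(batch)


def inventory_update_run(batch):
    # Constructed fault: a record with an unknown item number is rejected and
    # silently dropped instead of being reported. The run-to-run check must
    # catch this, since the hash total and record count no longer reconcile.
    return [t for t in batch if t.item_no != 777]


def output_run(batch):
    return list(batch)


def process_batch(batch):
    """Carry the batch control record through all four runs and collect
    every run-to-run discrepancy."""
    control = batch_totals(batch)
    findings, current = [], batch
    for name, run in (("data input", data_input_run),
                      ("AR update", ar_update_run),
                      ("inventory update", inventory_update_run),
                      ("output", output_run)):
        current = run(current)
        findings.extend(run_to_run_check(name, current, control))
    return findings


if __name__ == "__main__":
    for finding in process_batch(BATCH):
        print(finding)
```

The hash total earns its place here: two records could be lost and replaced by two others with the same total amount, and only the sum of the account numbers would reveal the substitution, because it has no business meaning an intruder would think to preserve.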

AUDIT TRAIL CONTROLS

1. Transaction logs – every successfully processed transaction should be recorded on a transaction log (journal), which is the
permanent record of the transaction. Once processed, the records on the input file are erased to make room for the next batch of
transactions. The transaction log contains only successful transactions
2. Log of automatic transactions – transactions initiated automatically by the system are recorded
3. Transaction listings – the system should produce hard-copy transaction listings of all successful transactions

OUTPUT CONTROLS – a combination of programmed routines and other procedures to ensure that system output is not lost,
misdirected, or corrupted and that privacy is not violated

1. Controlling hard copy output – stages of the process:
a. Output spooling – applications are often designed to direct their output to a magnetic disk file rather
than print it directly
b. Print programs
c. Waste – computer output waste should be destroyed with a paper shredder
d. Report distribution
e. End user

2. Controlling digital output – exposures to control:
a. Exposures from equipment failure
b. Exposures from subversive acts

TESTING COMPUTER APPLICATION CONTROLS

A. Black box approach – auditing around the computer; the auditor analyzes flowcharts and interviews knowledgeable personnel in the
client's organization to understand the functional characteristics of the application, then tests the application
by reconciling production input transactions processed by the application with the output results
B. White box approach – auditing through the computer; relies on an in-depth understanding of the internal logic of the
application being tested
a. Authenticity tests – verify that an individual, a programmed procedure or a message attempting to
access a system is authentic
b. Accuracy tests – ensure that the system processes only data values that conform to specified tolerances
c. Completeness tests – identify missing data within a single record and entire records missing from a batch
d. Redundancy tests – verify that the application processes each record only once
e. Access tests – ensure that the application prevents authorized users from unauthorized access to data
f. Audit trail tests – ensure that the application creates an adequate audit trail
g. Rounding error tests – verify the correctness of rounding procedures
• SALAMI FRAUD – a fraud carried out through a rounding program: each of many victims loses only a fraction of a cent per
rounding, but the diverted amounts total a large sum
WHITE BOX TESTING TECHNIQUES (computer-assisted audit tools and techniques, CAATTs)
1. Test data method - used to establish application integrity by processing specially prepared
sets of input data through production applications that are under review. The results of each
test are compared to predetermined expectations to obtain an objective assessment of
application logic and control effectiveness
2. Base case system evaluation – a variant of the test data approach; tests are conducted with a
set of test transactions containing all possible transaction types
3. Tracing – performs an electronic walk-through of the application's internal logic

THE INTEGRATED TEST FACILITY – approach is an automated technique that enables the auditor to test an application’s
logic and controls during its normal operation
PARALLEL SIMULATION – involves creating a program that simulates key features or processes of the application under
review. The simulated application is then used to reprocess transactions that the production application previously
processed. The results obtained from the simulation are reconciled with the results of the original production run to
determine if application processes and controls are functioning correctly

Generalized audit software (GAS) – commonly used to write the simulation program for parallel simulation
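A parallel simulation used as a rounding error test, as an added example serving both the rounding error test / salami fraud item above and the parallel simulation description (this is not code from the original notes and stands in for what an auditor would write in GAS). The "production" interest-posting routine is constructed to contain a salami fraud: it truncates each account's interest to the cent and accumulates the shaved fractions in a hypothetical account 99999. The auditor's simulation reprocesses the same balances under the documented rule (round half-up to the cent) and reconciles the two runs. Account numbers, balances and the rate are constructed.

```python
"""Added example: parallel simulation of an interest-posting routine that
exposes a salami fraud in its rounding."""
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.0425")   # constructed period rate: interest = balance * RATE
SALAMI_ACCOUNT = 99999      # hypothetical account where the fraud parks remainders

# Constructed input: account number -> balance
BALANCES = {
    1001: Decimal("1234.56"),
    1002: Decimal("98765.43"),
    1003: Decimal("15.15"),
    1004: Decimal("500000.00"),
    1005: Decimal("7777.77"),
}


def production_interest_run(balances):
    """The production routine under review (constructed, fraudulent): it
    truncates instead of rounding and diverts the remainders."""
    postings = {}
    shaved = Decimal("0")
    for acct, bal in balances.items():
        exact = bal * RATE
        paid = exact.quantize(CENT, rounding=ROUND_DOWN)
        shaved += exact - paid
        postings[acct] = paid
    # the shaved fractions are posted as one credit to the perpetrator's account
    postings[SALAMI_ACCOUNT] = shaved.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def simulated_interest_run(balances):
    """Auditor's simulation of the documented rule: interest = balance * RATE,
    rounded half-up to the cent, posted to the same account and nowhere else."""
    return {acct: (bal * RATE).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}


def reconcile(production, simulation):
    """Reconcile the production run with the simulation: per-account
    differences (production minus simulation) and any postings the production
    run made that the simulation never produced."""
    differences = {a: production[a] - simulation[a]
                   for a in simulation if production.get(a) != simulation[a]}
    unexpected = {a: amt for a, amt in production.items() if a not in simulation}
    return {
        "differences": differences,
        "unexpected_postings": unexpected,
        "total_diverted": sum(unexpected.values(), Decimal("0")),
    }


if __name__ == "__main__":
    result = reconcile(production_interest_run(BALANCES),
                       simulated_interest_run(BALANCES))
    for acct, diff in result["differences"].items():
        print(f"account {acct}: production differs from simulation by {diff}")
    for acct, amt in result["unexpected_postings"].items():
        print(f"account {acct}: credited {amt} with no corresponding balance")
```

With five accounts the diverted sum is a single cent, which is the point of the fraud: per account it is invisible to a limit or range check, and only reprocessing every transaction and reconciling both the individual postings and the full set of accounts credited brings the pattern out. The simulation deliberately uses exact decimal arithmetic so that its own rounding cannot be blamed for the differences.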

CAATTs

1. The embedded audit module (EAM) – the technique uses one or more programmed modules embedded in a host
application to select transactions that meet predetermined conditions. The EAM approach allows material
transactions to be captured throughout the audit period.
2. Generalized audit software – allows auditors to access electronically coded data files and perform various
operations on their contents

Audit trail controls: Ensures that every transaction can be traced through each stage of processing from its economic
source to its presentation in financial statements

Audit trail test: Ensures that the application creates an adequate audit trail

Authenticity tests: Tests verifying that an individual, a programmed procedure, or a message attempting to access a
system is authentic.

Base case system evaluation (BCSE): Variant of the test data technique in which comprehensive test data are used.

Batch controls: Effective method of managing high volumes of transaction data through a system.

Check digit: Method for detecting data coding errors in which a control digit is added to the code when it is originally
designed to allow the integrity of the code to be established during subsequent processing.

Computer-assisted audit tools and techniques (CAATTs): Use of computer-based tools and techniques to test application
controls and to verify that they are functioning effectively.

Embedded audit module (EAM): Technique in which one or more specially programmed modules embedded in a host
application select and record predetermined types of transactions for subsequent analysis

Generalized audit software (GAS): Software that allows auditors to access electronically coded data files and perform
various operations on their contents

Hash total: Control technique that uses nonfinancial data to keep track of the records in a batch.

Integrated test facility (ITF): Automated technique that enables the auditor to test an application’s logic and controls
during its normal operation

Parallel simulation: Technique that requires the auditor to write a program that simulates key features or processes of
the application under review.

Redundancy tests: Tests that determine that an application processes each record only once.

Run-to-run controls: Controls that use batch figures to monitor the batch as it moves from one programmed procedure
to another.

Salami fraud: Fraud in which each of multiple victims is defrauded out of a very small amount, but the fraud in total
constitutes a large sum.

Spooling: Direction of an application's output to a magnetic disk file rather than to the printer directly.
