Chapter 7:

Computer-Assisted Audit
Techniques [CAATs]

IT Auditing & Assurance, 2e, Hall &

IT Auditing & Assurance, 2e, Hall & Singleton
Singleton
 INTRODUCTION TO INPUT
CONTROLS
Designed to ensure that the transactions that bring
data into the system are valid, accurate, and
complete
Data input procedures can be either:
Source document-triggered (batch)
Direct input (real-time)

Source document input requires human

involvement and is prone to clerical errors.

Direct input employs real-time editing techniques to

identify and correct errors immediately
IT Auditing & Assurance, 2e, H
 CLASSES OF INPUT
CONTROLS
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input
systems
IT Auditing & Assurance, 2e, H
 #1-SOURCE DOCUMENT
CONTROLS
Controls in systems using physical source
documents
Source document fraud
To control for exposure, control procedures
are needed over source documents to
account for each one
Use pre-numbered source documents
Use source documents in sequence
Periodically audit source documents

IT Auditing & Assurance, 2e, H

 #2-DATA CODING CONTROLS
Checks on data integrity during processing
Transcription errors
Addition errors, extra digits
Truncation errors, digit removed
Substitution errors, digit replaced
Transposition errors
Single transposition: adjacent digits transposed (reversed)
Multiple transposition: non-adjacent digits are transposed
Control = Check digits
Added to code when created (suffix, prefix,
embedded)
Sum of digits (ones): transcription errors only
Modulus 11: different weights per column: transposition and
transcription errors
Introduces storage and processing inefficiencies

IT Auditing & Assurance, 2e, H

 #3-BATCH CONTROLS
Method for handling high volumes of
transaction data esp. paper-fed IS

Controls of batch continues thru all phases of

system and all processes (i.e., not JUST an
input control)

1) All records in the batch are processed together

2) No records are processed more than once
3) An audit trail is maintained from input to output

Requires grouping of similar input transactions

IT Auditing & Assurance, 2e, H

 #3-BATCH CONTROLS
Requires controlling batch throughout
Batch transmittal sheet (batch control record)
Figure 7-1, p. 302
Unique batch number (serial #)
A batch date
A transaction code
Number of records in the batch
Total dollar value of financial field
Sum of unique non-financial field
Hash total
E.g., customer number
Batch control log Figure 7-3, p 303
Hash totals
IT Auditing & Assurance, 2e, H
 #4-VALIDATION CONTROLS
Intended to detect errors in data
before processing

Most effective if performed close to

the source of the transaction

Some require referencing a master

file

IT Auditing & Assurance, 2e, H

#4-VALIDATION CONTROLS
Field Interrogation
Missing data checks
Numeric-alphabetic data checks
Zero-value checks
Limit checks
Range checks
Validity checks
Check digit
Record Interrogation
Reasonableness checks
Sign checks
Sequence checks
File Interrogation
Internal label checks (tape)
Version checks
Expiration date check
IT Auditing & Assurance, 2e, H
#5-INPUT ERROR CORRECTION
Batch correct and resubmit
Controls to make sure errors dealt with
completely and accurately
1) Immediate Correction
2) Create an Error File
Reverse the effects of partially
processed, resubmit corrected records
Reinsert corrected records in
processing stage where error was
detected
3) Reject the Entire Batch

IT Auditing & Assurance, 2e, H

#6-GENERALIZED DATA INPUT
SYSTEMS (GDIS)
Centralized procedures to manage data
input for all transaction processing
systems
Eliminates need to create redundant
routines for each new application
Advantages:
Improves control by having one common
system perform all data validation
Ensures each AIS application applies a
consistent standard of data validation
Improves systems development efficiency
IT Auditing & Assurance, 2e, H
 #6-GDIS
Major components:
1) Generalized Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log

IT Auditing & Assurance, 2e, H

CLASSES OF PROCESSING
CONTROLS
1) Run-to-Run Controls

2) Operator Intervention
Controls

3) Audit Trail Controls

IT Auditing & Assurance, 2e, H

#1-RUN-TO-RUN (BATCH)
Use batch figures to monitor
the batch as it moves from
one process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks

IT Auditing & Assurance, 2e, H

#2-OPERATOR INTERVENTION
When operator manually enters
controls into the system

Preference is to derive by logic

or provided by system

IT Auditing & Assurance, 2e, H

#3-AUDIT TRAIL CONTROLS
Every transaction becomes traceable
from input to output
Each processing step is documented
Preservation is key to auditability of
AIS
Transaction logs
Log of automatic transactions
Listing of automatic transactions
Unique transaction identifiers [s/n]
Error listing
IT Auditing & Assurance, 2e, H
 OUTPUT CONTROLS
Ensure system output:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated
Batch systems more susceptible to exposure,
require greater controls
Controlling Batch Systems Output
Many steps from printer to end user
Data control clerk check point
Unacceptable printing should be shredded
Cost/benefit basis for controls
Sensitivity of data drives levels of controls
IT Auditing & Assurance, 2e, H
 OUTPUT CONTROLS
Output spooling risks:
Access the output file and change
critical data values
Access the file and change the
number of copies to be printed
Make a copy of the output file so
illegal output can be generated
Destroy the output file before printing
take place

IT Auditing & Assurance, 2e, H

 OUTPUT CONTROLS
Print Programs
Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint
after a printer malfunction
4) Removing printer output from the printer for review and
distribution
Print Program Controls
Production of unauthorized copies
Employ output document controls similar to source document
controls
Unauthorized browsing of sensitive data by employees
Special multi-part paper that blocks certain fields

IT Auditing & Assurance, 2e, H

 OUTPUT CONTROLS
Bursting
Supervision
Waste
Proper disposal of aborted copies
and carbon copies
Data control
Data control group verify and log
Report distribution
Supervision
IT Auditing & Assurance, 2e, H
 OUTPUT CONTROLS
End user controls
End user detection

Report retention:
Statutory requirements (govt)
Number of copies in existence
Existence of softcopies (backups)
Destroyed in a manner consistent
with the sensitivity of its contents

IT Auditing & Assurance, 2e, H

 OUTPUT CONTROLS
Controlling real-time systems output
Eliminates intermediaries
Threats:
Interception
Disruption
Destruction
Corruption
Exposures:
Equipment failure
Subversive acts
Systems performance controls (Ch. 2)
Chain of custody controls (Ch. 5)
IT Auditing & Assurance, 2e, H
 TESTING COMPUTER
APPLICATION CONTROLS
1) Black box (around)

2) White box (through)

IT Auditing & Assurance, 2e, H

TESTING COMPUTER APPLICATION
CONTROLS-BLACK BOX
Ignore internal logic of application
Use functional characteristics
Flowcharts
Interview key personnel
Advantages:
Do not have to remove application from
operations to test it
Appropriately applied:
Simple applications
Relative low level of risk

IT Auditing & Assurance, 2e, H

TESTING COMPUTER APPLICATION
CONTROLS-WHITE BOX
Relies on in-depth understanding of
the internal logic of the application
Uses small volume of carefully
crafted, custom test transactions to
verify specific aspects of logic and
controls
Allows auditors to conduct precise
test with known outcomes, which
can be compared objectively to
actual results
IT Auditing & Assurance, 2e, H
WHITE BOX TEST METHODS
1) Authenticity tests:
Individuals / users
Programmed procedure
Messages to access system (e.g.,
logons)
All-American University, student lab: logon,
reboot, logon *
2) Accuracy tests:
System only processes data values that
conform to specified tolerances
3) Completeness tests:
Identify missing data (field, records,
files)
IT Auditing & Assurance, 2e, H
WHITE BOX TEST METHODS
4) Redundancy tests:
Process each record exactly once
5) Audit trail tests:
Ensure application and/or system
creates an adequate audit trail
Transactions listing
Error files or reports for all exceptions

6) Rounding error tests:

Salami slicing
Monitor activities excessive ones are
serious exceptions; e.g, rounding and
thousands of entries into a single
account for $1 or 1
IT Auditing & Assurance, 2e, H
COMPUTER AIDED AUDIT TOOLS
AND TECHNIQUES (CAATTs)
1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS

IT Auditing & Assurance, 2e, H

 #1 TEST DATA
Used to establish the application processing
integrity
Uses a test deck
Valid data
Purposefully selected invalid data
Every possible:
Input error
Logical processes
Irregularity

Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare

IT Auditing & Assurance, 2e, H

 #2 BASE CASE SYSTEM
EVALUATION (BCSE)
Variant of Test Data method

Comprehensive test data

Repetitive testing throughout SDLC

When application is modified,

subsequent test (new) results can be
compared with previous results (base)
IT Auditing & Assurance, 2e, H
 #3 TRACING
Test data technique that takes step-by-step
walk through application

1) The trace option must be enabled for the application

2) Specific data or types of transactions are created as
test data
3) Test data is traced through all processing steps of
the application, and a listing is produced of all lines of
code as executed (variables, results, etc.)

Excellent means of debugging a faculty

program

IT Auditing & Assurance, 2e, H

TEST DATA: ADVANTAGES AND
DISADVANTAGES
Advantages of test data
1) They employ white box approach, thus providing explicit
evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of
the auditors
Disadvantages of test data
1) Auditors must rely on IS personnel to obtain a copy of
the application for testing
2) Audit evidence is not entirely independent
3) Provides static picture of application integrity
4) Relatively high cost to implement, auditing inefficiency
IT Auditing & Assurance, 2e, H
 #4 INTEGRATED TEST
FACILITY
ITF is an automated technique that allows
auditors to test logic and controls during
normal operations
Set up a dummy entity within the application
system
1) Set up a dummy entity within the application
system
2) System able to discriminate between ITF audit
module transactions and routine transactions
3) Auditor analyzes ITF results against expected
results
IT Auditing & Assurance, 2e, H
 #5 PARALLEL SIMULATION
Auditor writes or obtains a copy of the
program that simulates key features or
processes to be reviewed / tested
1) Auditor gains a thorough understanding of the
application under review
2) Auditor identifies those processes and controls
critical to the application
3) Auditor creates the simulation using program or
Generalized Audit Software (GAS)
4) Auditor runs the simulated program using
selected data and files
5) Auditor evaluates results and reconciles
differences IT Auditing & Assurance, 2e, H
 Chapter 7:
Computer-Assisted Audit
Techniques [CAATs]

IT Auditing
IT Auditing & Assurance,
& Assurance, 2e, Hall
2e, Hall &
& Singleton
Singleton