
Learning Objectives

 Be familiar with the classes of transaction input controls used by accounting applications.
 Understand the objectives and techniques used to implement processing controls, including run-to-run, operator intervention and audit trail controls.
 Understand the methods used to establish effective output controls for both batch and real-time systems.
 Know the difference between black-box and white-box auditing.
 Be familiar with the key features of the five CAATTs discussed in the chapter.
IT APPLICATION CONTROLS

 INPUT CONTROLS

 PROCESSING CONTROLS

 OUTPUT CONTROLS
INPUT CONTROLS
 Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete.
 Data input procedures can be either:
  Source document-triggered (batch)
  Direct input (real-time)
 Source document input requires human involvement (transcribing from paper forms) and is prone to clerical errors.
 Direct input employs real-time editing techniques to identify and correct errors immediately, at the point of entry.
 Figure 7.1
 Figure 7.2
THREE CATEGORIES OF INPUT
CONTROLS
1) Field Interrogation

2) Record Interrogation

3) File Interrogation
#1-Field Interrogation
 Involves programmed procedures that examine
the characteristics of the data in the field.

1. Check Digit
2. Missing Data Check
3. Numeric-Alphabetic Check
4. Limit Check
5. Range Check
6. Validity Check
Check Digit
A check digit is an extra digit appended to a code (customer number, account number, part number) and computed from the code's other digits. When the code is keyed again, the program recomputes the check digit and rejects the value if it does not match. It is aimed at the following keying errors.

Transcription Errors
 Addition errors: an extra digit is keyed, ex. 83276 recorded as 832766
 Truncation errors: a digit is dropped, ex. 83276 recorded as 8327
 Substitution errors: one digit is replaced by another, ex. 83276 recorded as 83266

Transposition Errors
 Single transposition errors: two adjacent digits are swapped, ex. 83276 recorded as 38276
 Multiple transposition errors: nonadjacent digits are swapped, ex. 83276 recorded as 87236
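The following is an added example, not code from the slides or the textbook they summarize: a modulus-11 check digit with the weighting scheme assumed here (weights 2, 3, 4, ... applied from the rightmost digit, check digit = 11 minus the remainder, "X" when that would be 10), run against the five keying-error classes listed above. The sample code 5372 and the corrupted variants are constructed for the demo.

```python
"""Modulus-11 check digit: computing, validating and the keying errors it catches.

Added example; the weighting scheme (weights 2, 3, 4, ... from the rightmost
digit, check digit = 11 minus the remainder, 'X' when that is 10) is an
assumption for the demo, not a scheme the slides specify.
"""


def check_digit(code: str) -> str:
    """Compute the modulus-11 check digit for an all-numeric code."""
    if not code.isdigit():
        raise ValueError("code must be numeric")
    weighted = sum(int(d) * w for d, w in zip(reversed(code), range(2, 2 + len(code))))
    remainder = (11 - weighted % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def is_valid(coded: str, expected_len: int) -> bool:
    """Validate a code that carries its check digit as the last character.

    The length test is what catches addition and truncation errors; the
    recomputed check digit catches substitutions and transpositions.
    """
    if len(coded) != expected_len:
        return False
    body, cd = coded[:-1], coded[-1]
    if not body.isdigit() or cd not in "0123456789X":
        return False
    return check_digit(body) == cd


def rejected_errors(coded: str, expected_len: int, corruptions: dict) -> list:
    """Return the names of the keying-error examples that validation rejects."""
    if not is_valid(coded, expected_len):
        raise ValueError("reference value must itself be valid")
    return [name for name, bad in corruptions.items() if not is_valid(bad, expected_len)]


# Constructed sample: account code 5372 with its check digit appended.
CODE = "5372"
CODED = CODE + check_digit(CODE)          # "53724"
CORRUPTIONS = {                           # the error classes from the slides
    "addition": CODED + "4",              # extra digit keyed
    "truncation": CODED[:-1],             # last digit dropped
    "substitution": "53734",              # 2 keyed as 3
    "single transposition": "35724",      # adjacent 5 and 3 swapped
    "multiple transposition": "57324",    # nonadjacent 3 and 7 swapped
}

if __name__ == "__main__":
    print("coded value:", CODED)
    for name in rejected_errors(CODED, len(CODED), CORRUPTIONS):
        print("rejected:", name, CORRUPTIONS[name])
```

Because 11 is prime and the weights are distinct, a single substituted digit or any swap of two digits changes the weighted sum by a non-multiple of 11, so every substitution and every transposition (adjacent or not) is caught for codes short enough that no two weights differ by 11 or more. Additions and truncations are caught by the fixed-length test, not by the arithmetic, which is why `is_valid` takes the expected length.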
Missing Data Check
Used to examine the contents of a field for the presence of blank spaces. When the validation program detects a blank where it expects to see a data value, this is interpreted as an error.
Numeric-Alphabetic Check
This edit identifies when data in a particular field are in the wrong form (digits in an alphabetic field, or letters in a numeric field).

Ex. Aparicio is recorded as Aparici0
    09059377619 is recorded as 09059B776I9

Both of these examples will be flagged as errors.
Limit Check
Limit checks determine if the value in the field exceeds an authorized limit.

Ex. Employees work a maximum of 44 hours per week. Any record that exceeds 44 hours is flagged as an error.
Range Check
Data have upper and lower limits to their acceptable values. A range check detects whether the value entered falls within the permitted range, ex. a field that must hold a value between 18 and 30.
Validity Check
A check that compares actual field values against known acceptable values. It is a frequently used control in cash disbursement systems.

Ex. Establishing a list of valid vendors. If the vendor code on a payment does not match an entry in the list, payment is denied and management reviews the transaction.
#2-Record Interrogation
 Validates the entire record by examining the
interrelationship of its field values.

1. Reasonableness Check

2. Sign Check

3. Sequence Check
Reasonableness Check
This control determines if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.

Ex. An employee pay rate of 18 dollars per hour falls within the acceptable range, but an employee of this type should not earn more than 12 dollars per hour.
Sign Check
Verifies that the sign of a field is correct for the type of record being processed.

Ex. The amount on a sales order must be positive, while the amount on a sales return is negative.
Sequence Check
Used to determine if a record is out of order. This control is used in batch systems that use sequential master files, where the transaction file must be sorted in the same order as the master file.

Ex. Transactions sorted by supplier number, by transaction date, or alphabetically by name must arrive in that order; a record that breaks the sequence is flagged.
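As an added example (not code from the slides or the textbook), here is an input edit program that runs the six field interrogation edits and the three record interrogation edits above over a constructed batch of keyed payroll records, writing each failing record to an error file instead of the clean batch. The 44-hour limit and the $12 cap for hourly employees come from the slides; the pay-rate range, the employee-type table, the record-type sign rule and the sample records are assumptions made for the demo.

```python
"""Field and record interrogation edits for a keyed payroll batch.

Added example, not from the slides: records arrive as strings keyed from
source documents; each runs through the field edits, then the record edits,
and failing records go to an error file instead of the clean batch.
The range, the valid-code table and the sample records are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_WEEKLY_HOURS = 44                                   # limit check (slide example)
RATE_RANGE = (7.25, 60.00)                              # range check (assumed bounds)
MAX_RATE_BY_TYPE = {"HOURLY": 12.00, "SKILLED": 40.00}  # validity + reasonableness
REQUIRED = ("emp_no", "name", "emp_type", "rec_type", "hours", "rate")


@dataclass(frozen=True)
class EditError:
    record_no: int   # position in the batch (1-based)
    check: str       # which edit fired
    detail: str


def field_edits(rec: dict) -> list[tuple[str, str]]:
    """Examine each field on its own; returns (check, detail) pairs."""
    errs = []
    # Missing data check: a blank where a value is expected
    for key in REQUIRED:
        if not str(rec.get(key, "")).strip():
            errs.append(("missing_data", f"{key} is blank"))
    if errs:
        return errs                      # remaining edits need the field contents
    # Numeric-alphabetic check: data in the wrong form
    if not rec["emp_no"].isdigit():
        errs.append(("numeric_alpha", f"emp_no {rec['emp_no']!r} not numeric"))
    if not rec["name"].replace(" ", "").isalpha():   # assumed: names are letters only
        errs.append(("numeric_alpha", f"name {rec['name']!r} not alphabetic"))
    try:
        hours, rate = float(rec["hours"]), float(rec["rate"])
    except ValueError:
        errs.append(("numeric_alpha", "hours/rate not numeric"))
        return errs
    # Limit check: value above an authorized maximum
    if abs(hours) > MAX_WEEKLY_HOURS:
        errs.append(("limit", f"{hours} hours exceeds {MAX_WEEKLY_HOURS}"))
    # Range check: value outside lower..upper bounds
    lo, hi = RATE_RANGE
    if not lo <= rate <= hi:
        errs.append(("range", f"rate {rate} outside {lo}-{hi}"))
    # Validity check: code must appear in the table of acceptable values
    if rec["emp_type"] not in MAX_RATE_BY_TYPE:
        errs.append(("validity", f"unknown emp_type {rec['emp_type']!r}"))
    return errs


def record_edits(rec: dict, prev_emp_no: int | None) -> list[tuple[str, str]]:
    """Examine the relationships between the fields of one record."""
    errs = []
    hours, rate = float(rec["hours"]), float(rec["rate"])
    # Reasonableness check: rate passed the range check but is too high for this type
    cap = MAX_RATE_BY_TYPE[rec["emp_type"]]
    if rate > cap:
        errs.append(("reasonableness", f"rate {rate} > {cap} for {rec['emp_type']}"))
    # Sign check: time records carry positive hours, adjustment records negative hours
    if rec["rec_type"] == "TIME" and hours <= 0:
        errs.append(("sign", "TIME record with non-positive hours"))
    if rec["rec_type"] == "ADJ" and hours >= 0:
        errs.append(("sign", "ADJ record with non-negative hours"))
    # Sequence check: batch must be in ascending employee-number order
    if prev_emp_no is not None and int(rec["emp_no"]) <= prev_emp_no:
        errs.append(("sequence", f"emp_no {rec['emp_no']} not after {prev_emp_no}"))
    return errs


def validate_batch(batch: list[dict]) -> tuple[list[dict], list[EditError]]:
    """Split a batch into clean records and an error file."""
    clean, error_file, prev = [], [], None
    for n, rec in enumerate(batch, start=1):
        errs = field_edits(rec) or record_edits(rec, prev)
        if errs:
            error_file.extend(EditError(n, c, d) for c, d in errs)
        else:
            clean.append(rec)
        if str(rec.get("emp_no", "")).isdigit():
            prev = int(rec["emp_no"])
    return clean, error_file


# Constructed sample batch; every record after the first trips exactly one edit.
BATCH = [
    dict(emp_no="1001", name="Aparicio", emp_type="HOURLY", rec_type="TIME", hours="40", rate="11.50"),
    dict(emp_no="1002", name="Aparici0", emp_type="HOURLY", rec_type="TIME", hours="38", rate="11.00"),
    dict(emp_no="1003", name="Reyes", emp_type="HOURLY", rec_type="TIME", hours="48", rate="11.00"),
    dict(emp_no="1004", name="Cruz", emp_type="HOURLY", rec_type="TIME", hours="40", rate="18.00"),
    dict(emp_no="1005", name="Santos", emp_type="SKILLED", rec_type="TIME", hours="", rate="30.00"),
    dict(emp_no="1006", name="Lim", emp_type="TEMP", rec_type="TIME", hours="20", rate="11.00"),
    dict(emp_no="1007", name="Tan", emp_type="SKILLED", rec_type="ADJ", hours="2", rate="30.00"),
    dict(emp_no="1004", name="Cruz", emp_type="HOURLY", rec_type="ADJ", hours="-4", rate="11.00"),
]

if __name__ == "__main__":
    clean, errors = validate_batch(BATCH)
    print("clean records:", [r["emp_no"] for r in clean])
    for e in errors:
        print(f"record {e.record_no}: {e.check}: {e.detail}")
```

The record edits run only on records that pass every field edit: a reasonableness check on a rate that failed the range check, or a sign check on non-numeric hours, would only produce noise. The sequence position still advances past a rejected record, so one bad record does not cause the next good one to be flagged as out of order.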
#3 File Interrogation
 The purpose is to ensure that the correct file is
being processed by the system.

1. Internal and External label checks

2. Version Checks
Internal and External Label Check
Verify that the file being processed is the one the program is actually calling for. The external label is the physical label on the storage medium; the internal label is a header record written at the front of the file that identifies it.

Figure 7.3
Version Check
Used to verify that the version of the file being processed is the correct one. The version check compares the version number of the file being processed with the program's requirements.

Expiration Date Check
Prevents a file from being deleted (or overwritten) before it expires.

Figure 7.4
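An added example of the three file interrogation checks, not code from the slides: a program reads the internal label from the first record of a file, confirms the file name and version it was told to process, and refuses to scratch the file before its expiration date. The header layout "HDR|<file name>|<version>|<expiration YYYY-MM-DD>" and the sample headers are assumptions for the demo; real systems define their own label formats.

```python
"""File interrogation: internal label, version and expiration-date checks.

Added example, not from the slides. The header layout
HDR|<file name>|<version>|<expiration YYYY-MM-DD> is assumed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InternalLabel:
    file_name: str
    version: int
    expiration: date


def read_label(header_record: str) -> InternalLabel:
    """Parse the internal label written as the first record of the file."""
    fields = header_record.rstrip("\n").split("|")
    if len(fields) != 4 or fields[0] != "HDR":
        raise ValueError("file has no internal label")
    _, name, version, expiration = fields
    return InternalLabel(name, int(version), date.fromisoformat(expiration))


def label_check(label: InternalLabel, expected_name: str, expected_version: int) -> list[str]:
    """Internal label and version checks: is this the file, and the version, the program asked for?"""
    problems = []
    if label.file_name != expected_name:
        problems.append(f"wrong file: got {label.file_name!r}, need {expected_name!r}")
    if label.version != expected_version:
        problems.append(f"wrong version: got {label.version}, need {expected_version}")
    return problems


def may_scratch(label: InternalLabel, today: date) -> bool:
    """Expiration date check: the file may only be deleted or overwritten once expired."""
    return today >= label.expiration


def scratch_allowed(header_record: str, today_iso: str) -> bool:
    """Convenience wrapper taking the header record and today's date as text."""
    return may_scratch(read_label(header_record), date.fromisoformat(today_iso))


# Constructed header records: the current master, last month's, and a different file.
GOOD_HEADER = "HDR|AR_MASTER|17|2025-06-30"
STALE_HEADER = "HDR|AR_MASTER|16|2025-05-31"
OTHER_HEADER = "HDR|AP_MASTER|17|2025-06-30"

if __name__ == "__main__":
    for header in (GOOD_HEADER, STALE_HEADER, OTHER_HEADER):
        label = read_label(header)
        print(header, "->", label_check(label, "AR_MASTER", 17) or "ok",
              "| scratch on 2025-06-01:", may_scratch(label, date(2025, 6, 1)))
```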
PROCESSING CONTROLS
After input data have been edited the transactions
enter the processing stage of the application.
Processing controls are programmed procedures
designed to ensure that an application’s logic is
functioning properly.

Classes
1) Run-to-Run Controls

2) Operator Intervention Controls

3) Audit Trail Controls


RUN-TO-RUN (BATCH)
 Use batch figures to monitor the batch as it moves from one process (run) to another
1) Recalculate control totals
2) Check transaction codes
3) Sequence checks

Figures 7.5, 7.6
COMMON ERROR HANDLING
TECHNIQUES
1. CORRECT IMMEDIATELY
Upon detecting a keystroke error or an illogical
relationship, the system should halt the data
entry procedure until the user corrects the error
2. CREATE AN ERROR FILE
individual errors should be flagged to prevent
them from being processed. At the end of the
validation procedure, the records flagged as
errors are removed from the batch and placed in
a temporary error holding file until the errors can
be investigated. Figure 7.9.
COMMON ERROR HANDLING
TECHNIQUES
3. REJECT THE BATCH
Some forms of errors are associated with the
entire batch and are not clearly attributable to
individual records. The most effective solution
in this case is to cease processing and return
the entire batch to data control to evaluate,
correct, and resubmit.
HASH TOTALS
A simple control technique that sums a nonfinancial field (account numbers, employee numbers, invoice numbers) to keep track of the records in a batch. The total itself is meaningless, but a record that is lost, duplicated or altered between runs changes it.
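The run-to-run controls and the hash total above, as an added example that is not code from the slides: data control computes a control record (record count, financial total, hash total of employee numbers) when it releases the batch, and each later run recomputes the totals from the batch it actually received, checks the transaction code, and reports any mismatch. The payroll records, the field names and the "PR" transaction code are constructed for the demo.

```python
"""Run-to-run batch controls: control totals carried from one run to the next.

Added example, not from the slides. Data control computes a control record
(record count, financial total of a money field, hash total of a nonfinancial
field) when the batch is created; every later run recomputes the three totals
from the batch it received and compares them, and checks the transaction code.
Records, field names and the "PR" code are constructed for the demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

TRANSACTION_CODE = "PR"   # assumed code for payroll batches


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    financial_total: Decimal   # sum of gross pay
    hash_total: int            # sum of employee numbers, meaningless as a number


def compute_totals(batch: list[dict]) -> ControlTotals:
    return ControlTotals(
        record_count=len(batch),
        financial_total=sum((Decimal(r["gross"]) for r in batch), Decimal("0")),
        hash_total=sum(int(r["emp_no"]) for r in batch),
    )


def run_to_run_check(batch: list[dict], control: ControlTotals) -> list[tuple[str, str]]:
    """Compare the batch a run received with its control record.

    Returns (check, detail) pairs; an empty list means the batch is intact.
    """
    problems = []
    wrong_code = [r["emp_no"] for r in batch if r.get("tx_code") != TRANSACTION_CODE]
    if wrong_code:
        problems.append(("transaction_code", f"records {wrong_code} lack code {TRANSACTION_CODE}"))
    actual = compute_totals(batch)
    if actual.record_count != control.record_count:
        problems.append(("record_count", f"{actual.record_count} != {control.record_count}"))
    if actual.financial_total != control.financial_total:
        problems.append(("financial_total", f"{actual.financial_total} != {control.financial_total}"))
    if actual.hash_total != control.hash_total:
        problems.append(("hash_total", f"{actual.hash_total} != {control.hash_total}"))
    return problems


# Constructed batch as released by data control.
BATCH = [
    {"tx_code": "PR", "emp_no": "1001", "gross": "460.00"},
    {"tx_code": "PR", "emp_no": "1003", "gross": "528.00"},
    {"tx_code": "PR", "emp_no": "1004", "gross": "720.00"},
]
CONTROL = compute_totals(BATCH)   # count 3, financial 1708.00, hash 3008


def scenarios() -> dict[str, list[tuple[str, str]]]:
    """What the run-to-run check reports for four ways a batch can go wrong."""
    dropped = BATCH[:-1]                                              # a record lost between runs
    altered = [dict(BATCH[0], gross="640.00")] + BATCH[1:]            # amount changed, count intact
    rekeyed = [BATCH[0], dict(BATCH[1], emp_no="1030")] + BATCH[2:]   # 1003 keyed as 1030, money unchanged
    wrong_code = [dict(BATCH[0], tx_code="AP")] + BATCH[1:]           # a record from another batch slipped in
    return {name: run_to_run_check(b, CONTROL)
            for name, b in [("intact", BATCH), ("dropped", dropped), ("altered", altered),
                            ("rekeyed", rekeyed), ("wrong_code", wrong_code)]}


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name}: {problems or 'batch intact'}")
```

The "rekeyed" case is the one that justifies the hash total: the record count and the money total are unchanged, so only the sum of employee numbers reveals that a payment is about to post to the wrong employee.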
OPERATOR INTERVENTION
 Controls that limit the need for an operator to manually enter control parameters (totals, run parameters, checkpoints) into the system, since manual entry is a source of error
 Preference is for such values to be derived by logic or provided by the system
AUDIT TRAIL CONTROLS
 Every transaction becomes traceable from input to output
 Each processing step is documented
 Preservation of the trail is key to the auditability of the AIS
 Transaction logs: Figure 7.10
 Log of automatic transactions
 Listing of automatic transactions
 Unique transaction identifiers (serial numbers)
 Error listing
OUTPUT CONTROLS
 Ensure system output:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated
 Batch systems more susceptible to exposure,
require greater controls
 Controlling Batch Systems Output
 Many steps from printer to end user
 Data control clerk check point
 Unacceptable printing should be shredded
 Cost/benefit basis for controls
 Sensitivity of data drives levels of controls
Figure 7.11
OUTPUT CONTROLS
 Output spooling – risks:
  Access the output file and change critical data values
  Access the file and change the number of copies to be printed
  Make a copy of the output file so illegal output can be generated
  Destroy the output file before printing takes place
OUTPUT CONTROLS
 Print Programs
 Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint
after a printer malfunction
4) Removing printer output from the printer for review
and distribution
 Print Program Controls
 Production of unauthorized copies
 Employ output document controls similar to source document
controls
 Unauthorized browsing of sensitive data by
employees
 Special multi-part paper that blocks certain fields
OUTPUT CONTROLS
 Bursting
 Supervision
 Waste
 Proper disposal of aborted copies
and carbon copies
 Data control
 Data control group – verify and log
 Report distribution
 Supervision
OUTPUT CONTROLS
 End user controls
  End users examine the reports they receive and detect errors
 Report retention:
  Statutory requirements (gov't)
  Number of copies in existence
  Existence of softcopies (backups)
  Destroyed in a manner consistent with the sensitivity of its contents
OUTPUT CONTROLS
 Controlling real-time systems output
 Eliminates intermediaries
 Threats:
 Interception
 Disruption
 Destruction
 Corruption
 Exposures:
 Equipment failure
 Subversive acts
 Systems performance controls (Ch. 2)
 Chain of custody controls (Ch. 5)
TESTING COMPUTER
APPLICATION CONTROLS
1) Black box (around)

2) White box (through)


TESTING COMPUTER APPLICATION
CONTROLS-BLACK BOX
 Ignore internal logic of application
 Use functional characteristics
 Flowcharts
 Interview key personnel
 Advantages:
  Do not have to remove application from operations to test it
 Appropriately applied to:
  Simple applications
  Relatively low level of risk
TESTING COMPUTER APPLICATION
CONTROLS-WHITE BOX
 Relies on in-depth understanding of the
internal logic of the application
 Uses small volume of carefully crafted,
custom test transactions to verify
specific aspects of logic and controls
 Allows auditors to conduct precise test
with known outcomes, which can be
compared objectively to actual results
WHITE BOX TEST METHODS
1) Access tests:
  Individuals / users
  Programmed procedures
  Messages to access the system (e.g., logons)
  All-American University, student lab: logon, reboot, logon
2) Validity tests:
  System processes only valid data values (e.g., codes that exist in the master file)
3) Accuracy tests:
  System only processes data values that conform to specified tolerances
4) Completeness tests:
  Identify missing data (fields, records, files)
5) Redundancy tests:
  Process each record exactly once
6) Audit trail tests:
  Ensure application and/or system creates an adequate audit trail
   Transactions listing
   Error files or reports for all exceptions
7) Rounding error tests:
  Verify that rounding procedures are correct; the abuse is "salami slicing" (salami fraud), in which the fractional cents lost to rounding are diverted to one account
  Monitor activities – excessive ones are serious exceptions; e.g., rounding and thousands of entries into a single account for $1 or 1¢.
Figure 7.14
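An added example of a rounding error test, not code from the slides: the auditor independently recomputes one month's interest on each account, compares it with what the interest program posted, and counts one-cent credits per account. The simulated fraud posts one cent less than the correctly rounded interest on every account and credits the cents to an account of its own, so the run's financial total still reconciles and only the per-account comparison and the small-credit count expose it. Balances, rate, account numbers and the posting log are constructed for the demo.

```python
"""Rounding error test: recomputing interest postings and spotting a salami slice.

Added example, not from the slides. Balances, rate, account numbers and the
posting log are constructed; the fraud simulated posts one cent less than the
correctly rounded interest on every account and credits the cents to X999.
"""
from __future__ import annotations

from collections import Counter
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")
ANNUAL_RATE = Decimal("0.0525")   # assumed rate; interest posted monthly


def expected_interest(balance: str) -> Decimal:
    """Independently recompute one month's interest, rounded to the cent."""
    return (Decimal(balance) * ANNUAL_RATE / 12).quantize(CENT, rounding=ROUND_HALF_EVEN)


def audit_interest_run(balances: dict[str, str], postings: list[tuple[str, str]],
                       min_small_credits: int = 3) -> dict:
    """Compare posted interest with recomputed interest and look for a cent collector."""
    expected = {acct: expected_interest(bal) for acct, bal in balances.items()}
    posted: dict[str, Decimal] = {}
    small_credits: Counter = Counter()
    for acct, amount in postings:
        amt = Decimal(amount)
        posted[acct] = posted.get(acct, Decimal("0")) + amt
        if Decimal("0") < amt <= CENT:        # a one-cent slice
            small_credits[acct] += 1
    return {
        # accounts that received less than the correctly rounded amount
        "understated": sorted(a for a, e in expected.items()
                              if posted.get(a, Decimal("0")) < e),
        # accounts credited although they carry no interest-bearing balance
        "unexpected_accounts": sorted(a for a in posted if a not in expected),
        # accounts collecting many tiny credits: the salami pattern
        "suspect_accumulators": sorted(a for a, n in small_credits.items()
                                       if n >= min_small_credits),
        # why a batch total alone does not catch this
        "totals_reconcile": sum(posted.values(), Decimal("0"))
                            == sum(expected.values(), Decimal("0")),
    }


# Constructed master file balances and the interest program's posting log.
BALANCES = {"A100": "1234.56", "A200": "987.65", "A300": "4321.00", "A400": "55.10"}
POSTINGS = [
    ("A100", "5.39"), ("X999", "0.01"),    # correct amount is 5.40
    ("A200", "4.31"), ("X999", "0.01"),    # correct amount is 4.32
    ("A300", "18.89"), ("X999", "0.01"),   # correct amount is 18.90
    ("A400", "0.23"), ("X999", "0.01"),    # correct amount is 0.24
]


def run_audit() -> dict:
    return audit_interest_run(BALANCES, POSTINGS)


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

The threshold of three small credits is arbitrary for a four-account demo; on a real ledger the auditor would set it from the number of accounts in the run, since a legitimate rounding routine spreads residues across accounts rather than concentrating them.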
COMPUTER AIDED AUDIT TOOLS
AND TECHNIQUES (CAATTs)
1) Test data method
2) Integrated Test Facility [ITF]
3) Parallel simulation
TEST DATA
 Used to establish the application processing
integrity
 Uses a “test deck”
 Valid data
 Purposefully selected invalid data
 Every possible:
 Input error
 Logical processes
 Irregularity

 Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare
Figure 7.15
BASE CASE SYSTEM EVALUATION (BCSE)
 Variant of the test data method
 Comprehensive test data
 Repetitive testing throughout the SDLC
 When the application is modified, subsequent (new) test results can be compared with previous results (the base case)
TRACING
 Test data technique that takes a step-by-step walk through the application
1) The trace option must be enabled for the application
2) Specific data or types of transactions are created as test data
3) The test data are "traced" through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)
 Excellent means of debugging a faulty program
TEST DATA: ADVANTAGES AND
DISADVANTAGES
 Advantages of test data
1) They employ white box approach, thus providing explicit
evidence
2) Can be employed with minimal disruption to operations
3) They require minimal computer expertise on the part of
the auditors
 Disadvantages of test data
1) Auditors must rely on IS personnel to obtain a copy of
the application for testing
2) Audit evidence is not entirely independent
3) Provides static picture of application integrity
4) Relatively high cost to implement, auditing inefficiency
INTEGRATED TEST FACILITY
 ITF is an automated technique that allows auditors to test logic and controls during normal operations
1) Set up a dummy entity (e.g., a fictitious customer or vendor) within the application system
2) System must be able to discriminate between ITF audit module transactions and routine transactions, so that test transactions can be separated from production data
3) Auditor analyzes ITF results against expected results
PARALLEL SIMULATION
 Auditor writes or obtains a copy of the program
that simulates key features or processes to be
reviewed / tested
1) Auditor gains a thorough understanding of the
application under review
2) Auditor identifies those processes and controls
critical to the application
3) Auditor creates the simulation using program or
Generalized Audit Software (GAS)
4) Auditor runs the simulated program using selected
data and files
5) Auditor evaluates results and reconciles
differences
The End….
