37 Cards in this Set

  • Front
  • Back
Input Controls
Designed to ensure that the transactions that bring data into the system are valid, accurate, and complete
Data input procedures
-Source document triggered (batch)
+Requires human involvement and is prone to clerical errors
-Direct input (real-time)
+Employs real-time editing techniques to identify and correct errors immediately
Classes of input controls
1. Source document controls
2. Data coding controls
3. Batch controls
4. Validation controls
5. Input error correction
6. Generalized data input systems
Source Document controls
-Controls in systems using physical source documents
-Source document fraud
-To control for exposure, control procedures are needed over source documents to account for each one.
+Use pre-numbered source documents
+Use source documents in sequence
+Periodically audit source documents
Data Coding Controls
-Checks on data integrity during processing
+Transcription errors
+Addition errors (extra digits)
+Truncation errors (digits removed)
+Substitution errors (digits replaced)
+Single Transposition errors (adjacent digits transposed)
+Multiple Transposition errors (non-adjacent digits are transposed)
-Control = check digits
+Added to code when created
+Introduces storage and processing inefficiencies
Batch Controls
-Method for handling high volumes of transaction data - especially paper-fed IS
-Control of the batch continues through all phases of the system and all processes (it is not just an input control)
-Requires grouping of similar input transactions
-Requires controlling the batch throughout
Validation Controls
-Intended to detect errors in data before processing
-Most effective if performed close to the source of the transaction
-Some require referencing a master file
Validation Controls - Field Interrogation
-Missing data checks
-Numeric/Alphabetic data checks
-Zero-value checks
-Limit Checks
-Range checks
-Validity checks
-Check digit
Validation Controls - Record Interrogation
-Reasonableness checks
-Sign checks
-Sequence checks
Validation Controls - File Interrogation
Are you using the correct files?
-Internal label checks (tape)
-Version checks
-Expiration date check
Input Error Correction
-Batch: correct and resubmit
-Controls to make sure errors are dealt with completely and accurately
+Immediate correction
+Create an error file
+Reject the entire batch
Generalized Data Input Systems (GDIS)
-Centralized procedures to manage data input for all transaction processing systems
-Eliminates the need to create redundant routines for each new application
GDIS Major Components
1. Generalized validation module
2. Validated data file
3. Error file
4. Error reports
5. Transaction log
GDIS Advantages
-Improves control by having one common system perform all data validation
-Ensures each AIS application applies a consistent standard of data validation
-Improves systems development efficiency
Classes of Processing Controls
1. Run-to-run controls
2. Operator Intervention Controls
3. Audit trail controls
Run-to-Run Controls
Use batch figures to monitor the batch as it moves from one process to another
-Recalculate control totals
-Check transaction codes
-Sequence checks
Operator Intervention Controls
-When operator manually enters controls into the system
-Preference is for controls to be derived by logic or provided by the system
Audit Trail Controls
-Every transaction becomes traceable from input to output
-Each processing step is documented
-Preservation is key to auditability of AIS
+Transaction logs
+Log of automatic transactions
+Listing of automatic transactions
+Unique transaction identifiers
+Error listing
Output Controls
Ensure the system output is:
1. Not misplaced
2. Not misdirected
3. Not corrupted
4. Privacy policy not violated
Output Controls - Batch Systems
Batch systems are more susceptible to exposure, requiring greater controls
-Controlling batch systems output
+Many steps from printer to end user
+Data control clerk check point
+Unacceptable printing should be shredded
+Cost/benefit basis for controls
+Sensitivity of data drives levels of controls
Output Spooling - Risks
-Access the output file and change critical data values
-Access the file and change the number of copies to be printed
-Make a copy of the output file so illegal output can be generated
-Destroy the output file before printing takes place
Operator Intervention
1. Pausing the print program to load output paper
2. Entering parameters needed by the print run
3. Restarting the print run at a prescribed checkpoint after a printer malfunction
4. Removing printer output from the printer for review and distribution
Print Program Controls
-Production of unauthorized copies
+Employ output document controls similar to source document controls
-Unauthorized browsing of sensitive data by employees
+Special multi-part paper that blocks certain fields
End-User Controls
-End user detection
-Report retention
Testing Computer Application Controls
-Black Box (around)
-White Box (through)
Black Box
-Ignore internal logic of the application
-Use functional characteristics
-Most appropriate on:
+Simple applications
+Relatively low level of risk
Black Box Advantages
Do not have to remove application from operations to test it
White Box
-Relies on in-depth understanding of the internal logic of the application
-Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
-Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results
White Box Test Methods
1. Authenticity Tests
-Individuals/users
-Programmed procedure
-Message to access system
2. Accuracy tests
-System only processes data values that conform to specified tolerances
3. Completeness Tests
-Identify missing data
4. Redundancy tests
-Process each record exactly once
5. Audit trail tests
-Ensure application and/or system creates an adequate audit trail
6. Rounding error tests
Computer Aided Audit Tools and Controls (CAATTS)
1. Test Data Method
2. Base Case System Evaluation
3. Tracing
4. Integrated Test Facility
5. Parallel Simulation
Test Data Method
-Used to establish the application processing integrity
-Uses a "test-deck"
+Valid data
+Purposefully selected invalid data
+Every possible input error, logical processes, irregularity
-Procedures
1. Predetermined results and expectations
2. Run test deck
3. Compare results to expectations
Base-Case System Evaluation
-Variant of test data method
-Comprehensive test data
-Repetitive testing through the system development life cycle
-When application is modified, subsequent test results can be compared with previous results
Tracing
Test data technique that takes a step-by-step walk through the application
1. The trace option must be enabled for the application
2. Specific data or types of transactions are created as test data
3. Test data is "traced" through all processing steps of the application, and a listing is produced of all lines of code as executed
-Excellent means of debugging a faulty program
Advantages to the Test Data Method
-They can employ the white box approach, thus providing explicit evidence
-Can be employed with minimal disruption to operations
-Requires minimal computer expertise on the part of the auditors
Disadvantages to the Test Data Method
-Auditors must rely on IS personnel to obtain a copy of the application for testing
-Audit evidence is not entirely independent
-Provides a static picture of application integrity
-Relatively high cost to implement, producing an auditing inefficiency
Integrated Test Facility
An automated technique that allows auditors to test logic and controls during normal operations
1. Set up a dummy entity within the application system
2. System able to discriminate between ITF audit module transactions and routine transactions
3. Auditor analyzes ITF results against expected results
Parallel Simulation
Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed/tested
-Auditor gains a thorough understanding of the application under review
-Auditor identifies those processes and controls critical to the application
-Auditor creates the simulation using program or Generalized Audit Software (GAS)
-Auditor runs the simulated program using selected data and files
-Auditor evaluates results and reconciles differences.