Computer-Aided Audit Tools

and Techniques
Input Controls
Designed to ensure that the transactions that bring
data into the system are valid, accurate, and
complete

Data input procedures can be either:

Source document-triggered (batch)
Direct input (real-time)
Classes of Input Controls
1) Source document controls
2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input systems
Classes of Input Controls
1. Source document controls
-Controls in systems using physical source documents
2. Data coding controls
-Checks on data integrity during processing
Transcription errors (Addition errors, Truncation errors,
Substitution errors)
Transposition errors (Single transposition, Multiple
transposition)
-Check digits: is a control digit (or digits) added to the
code when it is originally assigned that allows the integrity
of the code to be established during subsequent
processing
Classes of Input Controls
3. Batch controls
-Method for handling high volumes of transaction
data
-It requires the grouping of similar types of input
transactions together in batches and then
controlling the batches throughout data
processing.
-Requires grouping of similar input transactions
Classes of Input Controls
4. Validation controls
-Intended to detect errors in data before processing
-Most effective if performed close to the source of the
transaction
-Some require referencing a master file
Levels of Input Validation Control
Field Interrogation Reasonableness
Missing data checks checks
Numeric-alphabetic Sign checks
data checks Sequence checks
Zero-value checks
Limit checks File Interrogation
Range checks Internal label checks
Validity checks (tape)
Check digit Version checks
Expiration date check

Record Interrogation
Classes of Input Controls

5. Input Error Connection

-Controls to make sure errors dealt with
completely and accurately

Handling Techniques:
1) Immediate Correction
2) Create an Error File
3) Reject the Entire Batch
Classes of Input Controls
6. Generalized Data Input Systems (GDIS)
-Centralized procedures to manage data input for all
transaction processing systems
-Eliminates need to create redundant routines for each
new application

Major components
1) Generalized Validation Module
2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log
Classes of Processing Controls
1) Run-to-Run Controls

2) Operator Intervention Controls

3) Audit Trail Controls

Run-to-Run (Batch)
Use batch figures to monitor the
batch as it moves from one process
to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
Operator Intervention
When operator manually enters controls into
the system

Preference is to derive by logic or provided by

system
Audit Trail Controls
Every transaction becomes traceable from input to
output
Each processing step is documented
Preservation is key to auditability of AIS
Transaction logs
Log of automatic transactions
Listing of automatic transactions
Unique transaction identifiers [s/n]
Error listing
Output Controls
Ensure system output:
1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated
Output Controls
Controlling Batch Systems Output
Many steps from printer to end user
Data control clerk check point
Unacceptable printing should be shredded
Cost/benefit basis for controls
Sensitivity of data drives levels of controls
Output Controls
Output spooling risks:
Access the output file and change critical
data values
Access the file and change the number
of copies to be printed
Make a copy of the output file so illegal
output can be generated
Destroy the output file before printing
take place
Output Controls
Print Programs
Operator Intervention:
1) Pausing the print program to load output paper
2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint
after a printer malfunction
4) Removing printer output from the printer for review
and distribution
Print Program Controls
Production of unauthorized copies
Unauthorized browsing of sensitive data by employees
Output Controls
Bursting
Supervision
Waste
Proper disposal of aborted copies and
carbon copies
Data control
Data control group verify and log
Report distribution
Supervision
Output Controls
End user controls
End user detection

Report retention:
Statutory requirements (govt)
Number of copies in existence
Existence of softcopies (backups)
Destroyed in a manner consistent with
the sensitivity of its contents
Output Controls
Controlling real-time systems output
Eliminates intermediaries
Threats:
Interception
Disruption
Destruction
Corruption
Exposures:
Equipment failure
Subversive acts
 Testing Computer
Application Controls
General Approaches
Black Box Approach
-The auditor tests the application by reconciling
production input transactions processed by the
application with output results
White Box Approach
-The white box approach relies on an in-depth
understanding of the internal logic of the application
being tested.
White Box Approach
Common Types of TOC:
1. Authenticity tests, which verify that an
individual, a programmed procedure, or a
message attempting to access a system is
authentic.
2. Accuracy tests which ensure that the system
processes only data values that conform to
specified tolerances.
3. Completeness tests, which identify missing data
within a single record and entire records missing
from a batch.
White Box Approach
Common Types of TOC:
4. Access tests, which ensure that the application
prevents authorized users from unauthorized access
to data.
5. Audit trail tests, which ensure that the application
creates an adequate audit trail.
6. Rounding error tests, which verify the correctness
of rounding procedures.
Five CAATT Approaches to Test
Application Controls
1. Test Data Method
2. Base Case System Evaluation
3. Tracing
4. Integrated Test Facility
5. Parallel Simulation
Test Data Method
The test data method is used to establish application
integrity by processing specially prepared sets of
input data through production applications that are
under review. The results of each test are compared
to predetermined expectations to obtain an
objective evaluation of application logic and control
effectiveness.
Test Data Procedures
1. Obtain a copy of the current version of the
application
2. Create test transaction files and test master files
3. Review the updated master files to determine
that account balances have been correctly
updated
4. Compare test results with the auditors expected
results
Base Case System Evaluation
When the set of test data in use is comprehensive,
the technique is called the base case system
evaluation (BSCE).
Tracing
Performs an electronic walkthrough of the applications
internal logic.
Procedures:
1. The application under review must undergo a special
compilation to activate the trace option.
2. Specific transactions or types of transactions are
created as test data.
3. The test data transactions are traced through all
processing stages of the program, and a listing is
produced of all programmed instructions that were
executed during the test.
Integrated Test Facility
The integrated test facility (ITF) approach is an
automated technique that enables the auditor to test
an applications logic and controls during its normal
operation.
ITF databases contain dummy or test master file
records integrated with legitimate records.
Parallel Simulation
Parallel simulation requires the auditor to write a
program that simulates key features or processes of
the application under review.
The simulated application is then used to reprocess
transactions that were previously processed by the
production application.