Testing Concept-Online Auditing

Techniques

Hemang Doshi

CISA, ACA,DISA,FIII
Details about this E-Book:

The objective of this e-book is to ensure that CISA candidate get adequate knowledge of
various online auditing techniques. Following techniques are covered in this book:

-ITF
-SCARF
-Snapshot
-Audit hook
-CIS

Question Answer and Explanation (QAE) are designed in accordance with CISA exam
pattern. This small e-book will help CISA candidate to attempt questions on these
techniques more confidently and correctly.

Concepts have been simplified for easy reference of CISA candidates.

Integrated Test Facility (ITF)

- Fictitious entity is created in LIVE environment.

-This technique allows auditor to open a dummy account.

-Auditor can enter dummy or test transactions and verify the processing and results of
these transactions for correctness.

-Processed results and expected results are compared to verify that systems are operating
correctly.
-Example: A dummy asset of $ 100000/- is entered into system to verify whether same is
being capitalized under correct head and depreciation is calculated properly as per correct
rate. Subsequently this dummy transaction is removed after verification of system
controls.

System Control Audit Review File (SCARF)

-SCARF stands for System Control Audit Review File.

-In this technique an embedded (inbuilt) audit module is used to continuously monitor
transactions.

-This technique is used to collect data for special audit purpose.

-SCARF files records only those transactions which are of special audit significance such
transactions above specified limit or transactions related to deviation/exception.

-On regular basis, auditor gets a printout of the SCARF file for examination and
verification.

Snapshot Technique
-In this technique, snaps (pictures) are taken of the transactions as transaction moves
through various stages in the application system.

-Both before -processing and after -processing images of the transactions are captured.

-Auditor can verify the correctness of the processing by checking before-processing and
after-processing images of the transactions.

-In this technique, three important considerations are (i)location where snaps to be taken
(ii)time of capturing snaps and (iii) reporting of snapshot data captured.
Audit Hook
-These are audit software that captures suspicious transactions.

-Criteria for suspicious transactions are designed by auditors as per their requirement.

-For example, in most of the organizations, cash transactions are monitored closely.
Criteria can be designed to capture cash transaction exceeding $ 50000/- All such captured
transaction are subsequently verified by auditor to identify fraud, if any.

-Audit hook is useful when early detection of error or fraud is required.

Continuous and Intermittent Simulation (CIS)

-This technique is variation of SCARF technique.

-This technique can be used whenever the application system uses the database
management system (DBMS).

-DBMS reads the transaction which is passed to CIS. If transaction is as per selected
criteria, then CIS examines the transaction for correctness.

-CIS determines whether any discrepancies exist between the results it produces and those
the application system produces.

-Such discrepancies are written to exception log file.

-Thus, CIS replicates or simulates the application system processing.

-As high complex criteria can be set in CIS, it is the best technique to identify transactions
as per pre-defined criteria.

Point to remember for CISA Exam:

When audit trail is required- answer has to be snapshot.

When early detection of error or irregularities is required- answer has to be audit hook.
Best technique to identify transactions as per pre-defined criteria-answer has to be CIS.

When fictitious entity is created in live production-answer has to be ITF.

Question, Answer & Explanation:

Below QAE are solely on the concept of audit techniques. They resemble to the
type/nature of questions that are actually asked in CISA exams. Candidates are advised to
attempt below questions multiple times. More emphasis to be given on explanation part
for better understanding.

(1)Management of an organisation is evaluating automated audit tool for its critical

business processes. Which of the following audit tools is MOST useful when an audit trail is
required?

A. Integrated test facility (ITF)

B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots

The correct answer is: D. Snapshots

Explanation: -In snapshot technique, snaps (pictures) are taken of the transactions as
transaction moves through various stages in the application system.

-Both before -processing and after -processing images of the transactions are captured.

-Auditor can verify the correctness of the processing by checking before-processing and
after-processing images of the transactions.

(2)Integrated test facility (ITF) has advantage over other automated audit tools because of
its following characteristics:

A. Creation of dummies/fictitious entity is not required as testing is done on actual master

files.
B. ITF does not require setting up separate test environment/test processes.
C. ITF is continuous audit tool and validates the ongoing operation of the system.
D. ITF eliminates the need to prepare test data.
The correct answer is: B. ITF does not require setting up separate test environment/test
processes.

Explanation: Fictitious entity is created in LIVE environment. As live environment is used,

there is no need to create separate test processes. However, careful planning is necessary,
and test data must be isolated from production data.

(3)Characteristics that BEST describes an integrated test facility:

A. Technique to verify system processing.

B. Technique to verify system integration.
C. Technique to generate test data.
D. Technique to validate the ongoing operation of the system.

The correct answer is: A. Technique to verify system processing.

Explanation: In ITF, fictitious entity is created in LIVE environment. Auditor can enter
dummy or test transactions and verify the processing and results of these transactions for
correctness. Processed results and expected results are compared to verify that systems are
operating correctly. ITF does not verify system integration neither it is used to generate test
data. ITF does not validate the ongoing operation of the system.

(4) Management of an organisation is evaluating automated audit tool for its critical
business processes. Which of the following audit tools is MOST useful for the early
detection of errors or irregularities?

A. Embedded audit module

B. Integrated test facility
C. Snapshots
D. Audit hooks

The correct answer is: D. Audit hooks

Explanation: The audit hook technique involves embedding code in application systems
for the examination of selected transactions. This helps the IS auditor to act before an error
or an irregularity gets out of hand. Audit hooks have very low complexity in designing
criteria and hence most useful tool when early detection is warranted.

(5)Which of the below online auditing tool would best identify transactions as per pre-
defined criteria?

A. Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facilities (ITF)
D. Audit hooks

Answer: B. Continuous and Intermittent Simulation (CIS)

Explanation:
As high complex criteria can be set in CIS, it is the best technique to identify transactions
as per pre-defined criteria. Continuous and Intermittent Simulation (CIS) is a moderately
complex set of programs that during a process run of a transaction, simulates the
instruction execution of its application. As each transaction is entered, the simulator
decides whether the transaction meets certain predetermined criteria and if so, audits the
transaction. If not, the simulator waits until it encounters the next transaction that meets
the criteria. Audits hooks which are of low complexity focus on specific conditions instead
of detailed criteria in identifying transactions for review. ITF is incorrect because its focus
is on test versus live data.

(6)Characteristics that BEST describes an integrated test facility:

A. actual transactions are validated on ongoing basis.

B. enables the IS auditors to generate test data.
C. pre-determined results are compared with processing output to ascertain correctness of
system processing.
D. enables the IS auditors to analyse large range of information.

Answer: C. pre-determined results are compared with processing output to ascertain

correctness of system processing.
Explanation:

In ITF technique, auditor can enter dummy or test transactions and verify the processing
and results of these transactions for correctness. Processed results and expected results are
compared to verify that systems are operating correctly. Other options are not correct in
view of ITF characteristics.

(7) To identify excess inventory for the previous year, which online auditing technique can
be used?

A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module

The correct answer is: B. Generalized audit software

Explanation: The IS auditor, using generalized audit software, could design appropriate
tests to identify excess inventory. Test data would not be relevant here as audit will be
required on actual data. ITF and EAM cannot detect errors for a previous period.