
Chapter VIII.

Information System Controls for System Reliability – Part 3: Processing Integrity and Availability

Learning Objective

• Be familiar with the controls and audit tests relevant to the systems development process.

• Understand the risks and controls associated with program change procedures and the role of the source program library.

• Understand the auditing techniques (CAATTs) used to verify the effective functioning of application controls.

• Understand the auditing techniques used to perform substantive tests in an IT environment.

A. System Development Activities


a. Authorizing development of new systems
b. Addressing and documenting user needs
c. Technical design phases
d. Participation of internal auditors
e. Testing program modules before implementing
i. Testing individual modules by a team of users, internal audit staff, and
systems professionals

Picture 21. SDLC


Auditing objectives: ensure that...
• SDLC activities are applied consistently and in accordance with management’s policies
• the system as originally implemented was free from material errors and fraud
• the system was judged to be necessary and justified at various checkpoints throughout the SDLC
• system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities

System Development IC

• New systems must be authorized.
• Feasibility studies were conducted.
• User needs were analyzed and addressed.
• Cost-benefit analysis was done.
• Proper documentation was completed.
• All program modules must be thoroughly tested before they are implemented.
• Checklist of problems was kept.

B. Application Control
Narrowly focused exposures within a specific system, for example:
a. accounts payable
b. cash disbursements
c. fixed asset accounting
d. payroll
e. sales order processing
f. cash receipts
g. general ledger

Risks within specific applications

Can affect manual procedures (e.g., entering data) or embedded (automated) procedures

Convenient to look at in terms of:

i. input stage
1. Goal of input controls - valid, accurate, and complete input data
2. Two common causes of input errors:
a. transcription errors – wrong character or value
b. transposition errors – ‘right’ character or value, but in
wrong place

3. Check digits – a control digit is computed from the data code and added to it

a. especially useful for detecting transcription and transposition errors

4. Missing data checks – control for blanks or incorrect justifications

5. Numeric-alphabetic checks – verify that characters are in correct form

6. Limit checks – identify values beyond pre-set limits


7. Range checks – identify values outside upper and lower bounds

8. Reasonableness checks – compare one field to another to see if relationship is appropriate

9. Validity checks – compares values to known or standard values
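The input controls listed above, applied to a payroll record, as an added example that is not part of the original notes. The modulus-11 weighting used for the check digit, the field names, the 60-hour limit, the 8–20 rate range and the lookup tables are all assumptions made for the illustration.

```python
import re

VALID_DEPTS = {"ASSEMBLY", "PAINT", "STORES"}            # constructed reference list
MAX_RATE_BY_CLASS = {"CLERK": 15.0, "SUPERVISOR": 20.0}  # constructed table

def check_digit(base):
    """Modulus-11 check digit for a numeric code; None if the code is unusable."""
    weights = range(len(base) + 1, 1, -1)      # 5, 4, 3, 2 for a 4-digit code
    total = sum(int(d) * w for d, w in zip(base, weights))
    digit = (11 - total % 11) % 11
    return None if digit == 10 else str(digit)  # 10 does not fit in one digit

def validate(rec):
    """Return the input controls that a payroll record fails (empty list = accept)."""
    errors = [f"missing data: {f}"
              for f in ("emp_id", "hours", "rate", "job_class", "dept")
              if not str(rec.get(f, "")).strip()]
    if errors:
        return errors                          # the other checks need every field
    emp_id = str(rec["emp_id"])
    if not re.fullmatch(r"[0-9]{5}", emp_id):
        errors.append("numeric-alphabetic: emp_id")
    elif check_digit(emp_id[:4]) != emp_id[4]:
        errors.append("check digit: emp_id")
    try:
        hours, rate = float(rec["hours"]), float(rec["rate"])
    except (TypeError, ValueError):
        return errors + ["numeric-alphabetic: hours/rate"]
    if hours > 60:                             # limit check (assumed ceiling)
        errors.append("limit: hours")
    if not 8.0 <= rate <= 20.0:                # range check (assumed bounds)
        errors.append("range: rate")
    elif rate > MAX_RATE_BY_CLASS.get(rec["job_class"], 0.0):
        errors.append("reasonableness: rate vs job_class")
    if rec["dept"] not in VALID_DEPTS:         # validity check
        errors.append("validity: dept")
    return errors

# Constructed sample input: a clean record, then one keying fault per record.
GOOD = {"emp_id": "53724", "hours": "40", "rate": "14.50",
        "job_class": "CLERK", "dept": "PAINT"}
FAULTS = {"transposition": dict(GOOD, emp_id="35724"),
          "transcription": dict(GOOD, emp_id="53734"),
          "over limit": dict(GOOD, hours="72"),
          "rate too high for class": dict(GOOD, rate="19.00"),
          "unknown dept": dict(GOOD, dept="PAYROL")}

if __name__ == "__main__":
    for label, rec in {"clean": GOOD, **FAULTS}.items():
        print(f"{label:25} {validate(rec) or 'accepted'}")
```

The transposed and mistyped employee numbers both pass the numeric-alphabetic check and are caught only by the check digit, which is the case the control exists for.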

ii. processing stage


1. Programmed processes that transform input data into information
for output
2. Three categories:
a. Batch controls
b. Run-to-run controls
c. Audit trail controls

3. Batch controls - reconcile system output with the input originally entered into the system

4. Based on different types of batch totals:

a. total number of records

b. total dollar value

c. hash totals – sum of non-financial numbers

5. Run-to-run controls - use batch figures to monitor the batch as it moves from one programmed procedure (run) to another

6. Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements

Picture 22. Transaction Log to Preserve Audit Trail
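The batch totals and run-to-run reconciliation described above, as an added example that is not part of the original notes. The record layout, the run names and the rule that each run's accepted plus rejected records must equal the totals handed over by the previous run are assumptions made for the illustration.

```python
from decimal import Decimal

def batch_totals(records):
    """Record count, dollar total and hash total (sum of account numbers)."""
    return {"count": len(records),
            "dollars": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
            "hash": sum(int(r["account"]) for r in records)}

def run_to_run(control, stages):
    """Reconcile every run against the totals handed over by the previous run.

    stages is a list of (run_name, accepted_records, rejected_records).
    Returns (run_name, [names of totals that do not reconcile]) per run.
    """
    findings = []
    for name, accepted, rejected in stages:
        out, err = batch_totals(accepted), batch_totals(rejected)
        bad = [k for k in control if out[k] + err[k] != control[k]]
        findings.append((name, bad))
        control = out        # accepted records become the next run's control totals
    return findings

# Constructed sample batch of four sales orders.
BATCH = [{"account": "1001", "amount": "250.00"},
         {"account": "1002", "amount": "75.50"},
         {"account": "1003", "amount": "310.25"},
         {"account": "1004", "amount": "19.99"}]
CONTROL = batch_totals(BATCH)

# The edit run sends one order to the error file, the sort run only reorders,
# and the update run posts order 1002 to account 1020 by mistake.
EDITED = BATCH[:3]
POSTED = [dict(r, account="1020") if r["account"] == "1002" else r for r in EDITED]
STAGES = [("edit", EDITED, BATCH[3:]),
          ("sort", EDITED[::-1], []),
          ("update", POSTED, [])]
FINDINGS = run_to_run(CONTROL, STAGES)

if __name__ == "__main__":
    print(CONTROL)
    for name, bad in FINDINGS:
        print(f"{name:7} {'reconciled' if not bad else 'mismatch: ' + ', '.join(bad)}")
```

In the update run the record count and dollar total still agree; only the hash total exposes the posting to the wrong account.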


iii. output stage
1. Goal of output controls is to ensure that system output is not lost,
misdirected, or corrupted, and that privacy is not violated.
2. In the following flowchart, there are exposures at every stage.

Picture 23. Stage of Output Process

3. Output spooling – creates a file during the printing process that may be inappropriately accessed
4. Printing – creates two risks:

a. production of unauthorized copies of output

b. employee browsing of sensitive data

5. Waste – discarded output can be stolen if not properly disposed of (e.g., by shredding)


6. Report distribution – for sensitive reports, the following are
available:
a. use of secure mailboxes
b. require the user to sign for reports in person
c. deliver the reports to the user
7. End user controls – end users need to inspect sensitive reports for accuracy
a. shred after use
8. Controlling digital output – digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links
9. Techniques for auditing applications fall into two classes:
a. testing application controls – two general approaches:
i. black box – around the computer
ii. white box – through the computer
b. examining transaction details and account balances – substantive testing

Picture 24. Auditing Around Computer – Black Box

Picture 25. Auditing Through Computer: The ITF Technique

Assignment

We have learned about the internal control system. Now I ask you to illustrate how to make a system that can be reliable in every condition. I give you one week to explain it and make a video presentation explaining it!

Assume you are the internal auditor of information systems within a manufacturing company.
