IT Auditing & Assurance, 2e, Hall & Singleton

IT Auditing & Assurance, 2e, Hall & Singleton. CLASSES OF INPUT CONTROLS 1) Source document controls 2) Data coding controls 3) Batch controls 4) Validation.

Dec 23, 2015


Fay Underwood
CLASSES OF INPUT CONTROLS

1) Source document controls

2) Data coding controls

3) Batch controls

4) Validation controls

5) Input error correction

6) Generalized data input systems


SOURCE DOCUMENT CONTROLS

Controls in systems using physical source documents

Source document fraud

To control for exposure, control procedures are needed over source documents to account for each one

Use pre-numbered source documents

Use source documents in sequence

Periodically audit source documents


DATA CODING CONTROLS

Checks on data integrity during processing

Transcription errors
- Addition errors, extra digits
- Truncation errors, digit removed
- Substitution errors, digit replaced

Transposition errors
- Single transposition: adjacent digits transposed (reversed)
- Multiple transposition: non-adjacent digits are transposed

Control = Check digits
- Added to code when created (suffix, prefix, embedded)
- Sum of digits (ones): transcription errors only
- Modulus 11: different weights per column: transposition and transcription errors
- Introduces storage and processing inefficiencies
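
The contrast between the two check-digit schemes above, as an added Python example that is not part of the slides. The weights (2, 3, 4, ... counted from the rightmost digit), the base code 5372 and the keyed errors are constructed assumptions, and a code whose modulus-11 result would be 10 is treated as not issuable.

```python
# Added example: sum-of-digits vs. modulus-11 check digits.
# Weights, base code and keyed errors are constructed assumptions.

def sum_check(base):
    """Unweighted scheme: ones digit of the digit sum."""
    return sum(int(d) for d in base) % 10

def mod11_check(base):
    """Weighted scheme: weights 2, 3, 4, ... from the rightmost digit.
    Returns None when the result would be 10 (no single-digit check digit)."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return None if check == 10 else check

SCHEMES = {"sum": sum_check, "mod11": mod11_check}

def issue(base, scheme):
    """Append the check digit as a suffix when the code is created."""
    check = SCHEMES[scheme](base)
    if check is None:
        raise ValueError(f"{base}: check digit would be 10, do not issue this code")
    return f"{base}{check}"

def verify(code, scheme):
    """Recompute the check digit at data entry and compare with the keyed one."""
    if len(code) < 2 or not (code.isascii() and code.isdigit()):
        return False
    return SCHEMES[scheme](code[:-1]) == int(code[-1])

# Constructed keying errors against base code 5372 (check digit keyed correctly).
KEYED_ERRORS = {
    "substitution": "5872",            # 3 replaced by 8
    "single transposition": "3572",    # adjacent 5 and 3 reversed
    "multiple transposition": "7352",  # non-adjacent 5 and 7 swapped
    "truncation": "537",               # last digit dropped
    "addition": "53752",               # extra 5 inserted
}

def detection_report(base="5372"):
    """Map scheme -> {error kind: True if verify() rejects the mis-keyed code}."""
    report = {}
    for scheme in SCHEMES:
        check = issue(base, scheme)[-1]
        report[scheme] = {kind: not verify(bad + check, scheme)
                          for kind, bad in KEYED_ERRORS.items()}
    return report

if __name__ == "__main__":
    for scheme, results in detection_report().items():
        print(scheme, results)
```

The unweighted sum accepts both transposed codes because reordering digits does not change their sum; the column weights are what make position matter.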


BATCH CONTROLS

Method for handling high volumes of transaction data – esp. paper-fed IS

Control of the batch continues through all phases of the system and all processes (i.e., not JUST an input control)

1) All records in the batch are processed together
2) No records are processed more than once
3) An audit trail is maintained from input to output

Requires grouping of similar input transactions


VALIDATION CONTROLS

Intended to detect errors in data before processing

Most effective if performed close to the source of the transaction

Some require referencing a master file


VALIDATION CONTROLS

Field Interrogation
- Missing data checks
- Numeric-alphabetic data checks
- Zero-value checks
- Limit checks
- Range checks
- Validity checks
- Check digit

Record Interrogation
- Reasonableness checks
- Sign checks
- Sequence checks

File Interrogation
- Internal label checks (tape)
- Version checks
- Expiration date check


INPUT ERROR CORRECTION

Batch – correct and resubmit

Controls to make sure errors are dealt with completely and accurately

1) Immediate Correction
2) Create an Error File
   - Reverse the effects of partially processed, resubmit corrected records
   - Reinsert corrected records in processing stage where error was detected
3) Reject the Entire Batch


GENERALIZED DATA INPUT SYSTEMS (GDIS)

Centralized procedures to manage data input for all transaction processing systems

Eliminates need to create redundant routines for each new application

Advantages:
- Improves control by having one common system perform all data validation
- Ensures each AIS application applies a consistent standard of data validation
- Improves systems development efficiency


CLASSES OF PROCESSING CONTROLS

1) Run-to-Run Controls

2) Operator Intervention Controls

3) Audit Trail Controls


RUN-TO-RUN (BATCH)

Use batch figures to monitor the batch as it moves from one process to another

1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
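
The three run-to-run checks listed above, together with the batch objectives from the BATCH CONTROLS slide (every record processed, none more than once), as an added Python example that is not part of the slides. The record layout, the control-record fields and the sample batch are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    seq: int            # unique transaction serial number
    code: str           # transaction code shared by the whole batch
    amount: Decimal

@dataclass(frozen=True)
class BatchControl:     # figures recorded when the batch was assembled
    batch_id: str
    txn_code: str
    record_count: int
    control_total: Decimal

def run_to_run_check(control, records):
    """Return the exceptions found after a run; an empty list lets the batch move on."""
    problems = []
    if len(records) != control.record_count:
        problems.append("record count")
    if sum((r.amount for r in records), Decimal("0")) != control.control_total:
        problems.append("control total")
    if any(r.code != control.txn_code for r in records):
        problems.append("transaction code")
    seqs = [r.seq for r in records]
    if len(set(seqs)) != len(seqs):
        problems.append("duplicate record")
    if seqs != sorted(seqs):
        problems.append("sequence")
    return problems

# Constructed batch of four sales orders and its control record.
BATCH = [Txn(101, "SO", Decimal("250.00")), Txn(102, "SO", Decimal("75.50")),
         Txn(103, "SO", Decimal("1200.00")), Txn(104, "SO", Decimal("19.99"))]
CONTROL = BatchControl("B-0001", "SO", 4, Decimal("1545.49"))

# Constructed outputs of three faulty runs.
DROPPED = BATCH[:2] + BATCH[3:]                  # record 103 lost
REPLAYED = BATCH + [BATCH[1]]                    # record 102 processed twice
ALTERED = [BATCH[0], Txn(102, "CR", Decimal("75.50")),
           BATCH[3], BATCH[2]]                   # code changed, order swapped

if __name__ == "__main__":
    for name, run in [("clean", BATCH), ("dropped", DROPPED),
                      ("replayed", REPLAYED), ("altered", ALTERED)]:
        print(name, run_to_run_check(CONTROL, run))
```

The altered run keeps the record count and control total intact, so only the transaction-code and sequence checks flag it.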


OPERATOR INTERVENTION

When operator manually enters controls into the system

Preference is to have controls derived by logic or provided by the system


AUDIT TRAIL CONTROLS

Every transaction becomes traceable from input to output

Each processing step is documented

Preservation is key to auditability of AIS
- Transaction logs
- Log of automatic transactions
- Listing of automatic transactions
- Unique transaction identifiers [s/n]
- Error listing


OUTPUT CONTROLS

Ensure system output:

1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated

Batch systems more susceptible to exposure, require greater controls

Controlling Batch Systems Output
- Many steps from printer to end user
- Data control clerk check point
- Unacceptable printing should be shredded
- Cost/benefit basis for controls
- Sensitivity of data drives levels of controls


OUTPUT CONTROLS

Output spooling – risks:

Access the output file and change critical data values

Access the file and change the number of copies to be printed

Make a copy of the output file so illegal output can be generated

Destroy the output file before printing takes place


OUTPUT CONTROLS

Bursting
- Supervision

Waste
- Proper disposal of aborted copies and carbon copies

Data control
- Data control group – verify and log

Report distribution
- Supervision


OUTPUT CONTROLS

End user controls

End user detection

Report retention:
- Statutory requirements (gov’t)
- Number of copies in existence
- Existence of softcopies (backups)
- Destroyed in a manner consistent with the sensitivity of its contents


TESTING COMPUTER APPLICATION CONTROLS

1) Around the computer
   - Rarely appropriate
2) Through the computer
   - Supported by continuous audit techniques


TESTING COMPUTER APPLICATION AROUND THE COMPUTER

Ignore internal logic of application

Use functional characteristics
- Flowcharts
- Interview key personnel

Advantages:
- Do not have to remove application from operations to test it

Appropriately applied:
- Simple applications
- Relatively low level of risk


TESTING COMPUTER APPLICATION CONTROLS THROUGH THE COMPUTER

Relies on in-depth understanding of the internal logic of the application

Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls

Allows auditors to conduct precise tests with known outcomes, which can be compared objectively to actual results


COMPUTER AIDED AUDIT TOOLS AND TECHNIQUES (CAATTs)

1) Test data method
2) Base case system evaluation
3) Tracing
4) Integrated Test Facility [ITF]
5) Parallel simulation
6) GAS


TEST DATA

Used to establish the application processing integrity

Uses a “test deck”
- Valid data
- Purposefully selected invalid data
- Every possible:
  - Input error
  - Logical processes
  - Irregularity

Procedures:
1) Predetermined results and expectations
2) Run test deck
3) Compare
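
The three-step test data procedure above, applied to the field interrogation checks from the VALIDATION CONTROLS slide, as an added Python example that is not part of the slides. The payroll-style record layout, the limits (44 hours, rate 8 to 20) and the department table are constructed assumptions, and the `enforce_limit` switch exists only to imitate an application build with a missing check.

```python
import re
from decimal import Decimal
from functools import partial

VALID_DEPTS = {"A10", "B20", "C30"}            # assumed validity table
NUMERIC = re.compile(r"\d+(\.\d+)?")

def validate(record, enforce_limit=True):
    """Field interrogation for one record; returns the list of failed checks."""
    failed = [f"missing:{f}" for f in ("emp_id", "dept", "hours", "rate")
              if not str(record.get(f, "")).strip()]
    if failed:
        return failed
    failed += [f"numeric:{f}" for f in ("emp_id", "hours", "rate")
               if not NUMERIC.fullmatch(record[f])]
    if failed:
        return failed
    hours, rate = Decimal(record["hours"]), Decimal(record["rate"])
    if hours == 0:
        failed.append("zero:hours")
    if enforce_limit and hours > 44:                   # limit check: upper bound only
        failed.append("limit:hours")
    if not (Decimal("8") <= rate <= Decimal("20")):    # range check: both bounds
        failed.append("range:rate")
    if record["dept"] not in VALID_DEPTS:              # validity check against a table
        failed.append("validity:dept")
    return failed

def make_rec(emp_id="1001", dept="A10", hours="40", rate="12.50"):
    return {"emp_id": emp_id, "dept": dept, "hours": hours, "rate": rate}

# Step 1: test deck with predetermined results (valid and purposely invalid data).
TEST_DECK = [
    (make_rec(), []),
    (make_rec(emp_id=""), ["missing:emp_id"]),
    (make_rec(hours="4O"), ["numeric:hours"]),         # letter O keyed for zero
    (make_rec(hours="0"), ["zero:hours"]),
    (make_rec(hours="44"), []),                        # boundary value, still valid
    (make_rec(hours="45"), ["limit:hours"]),
    (make_rec(rate="7.99"), ["range:rate"]),
    (make_rec(dept="Z99"), ["validity:dept"]),
    (make_rec(hours="60", rate="25", dept="Z99"),
     ["limit:hours", "range:rate", "validity:dept"]),
]

def run_test_deck(validator, deck):
    """Steps 2 and 3: run the deck and list every (index, expected, actual) mismatch."""
    mismatches = []
    for i, (record, expected) in enumerate(deck):
        actual = validator(record)
        if actual != expected:
            mismatches.append((i, expected, actual))
    return mismatches

# A build whose limit check was dropped stands in for a defective application.
defective = partial(validate, enforce_limit=False)
```

Running the same deck against `defective` reports exactly the two transactions that depend on the limit check, which is the explicit evidence the method is meant to produce.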


TRACING

Test data technique that takes step-by-step walk through application

1) The trace option must be enabled for the application

2) Specific data or types of transactions are created as test data

3) Test data is “traced” through all processing steps of the application, and a listing is produced of all lines of code as executed (variables, results, etc.)

Excellent means of debugging a faulty program


TEST DATA: ADVANTAGES AND DISADVANTAGES

Advantages of test data

1) They employ white box approach, thus providing explicit evidence

2) Can be employed with minimal disruption to operations

3) They require minimal computer expertise on the part of the auditors

Disadvantages of test data

1) Auditors must rely on IS personnel to obtain a copy of the application for testing

2) Audit evidence is not entirely independent

3) Provides static picture of application integrity

4) Relatively high cost to implement, auditing inefficiency


Continuous Auditing

Embedded Audit Module

Real and test transactions

Tagged transactions

Audit hooks


INTEGRATED TEST FACILITY

ITF is an automated technique that allows auditors to test logic and controls during normal operations

1) Set up a dummy entity within the application system
2) System able to discriminate between ITF audit module transactions and routine transactions
3) Auditor analyzes ITF results against expected results


PARALLEL SIMULATION

Auditor writes or obtains a copy of the program that simulates key features or processes to be reviewed / tested

1) Auditor gains a thorough understanding of the application under review

2) Auditor identifies those processes and controls critical to the application

3) Auditor creates the simulation using program or Generalized Audit Software (GAS)

4) Auditor runs the simulated program using selected data and files

5) Auditor evaluates results and reconciles differences

6) Out of date approach


Email and IM


Sedona Conference WG1 Best Practices for E Doc Retention and Production


Sedona ESI Framework


Sedona Conference - White papers on keyword searches and electronic stored information (ESI)

Keyword list can cut costs substantially

Most searches turn up small percent of relevant documents and miss many critical documents

Risks for both under and over inclusive terms

Sedona framework provides higher quality and lower costs


Keyword Search and E-Discovery

E-discovery and document review expensive

Cost associated with heavy reliance on human review

Search solutions were not built with e-discovery in mind

Majority of companies do not have an effective retention or archiving plan for electronic documents


ESI Retention Policy

Must comply with SOX and be scrutinized by legal

Categorize documents by type and retention period

Use different archival methods

Software can provide for efficient retrieval

Train employees to policy


E-Mail Retention Policy

Federal Rules of Civil Procedure, industry regulations and internal policies all influence which emails should be archived.

Safe harbor in eDiscovery rests in an organization adhering to its policies and procedures that guide the destruction of its email data.

Not all e-mails are the same: Set archive categories by nature of email.

Adopt a policy and do not vary from it.


Redacted E-mail and Privacy

Deleted information may be recoverable from electronic documents

Policy should be specific as to what information must be deleted before issuing to a third party

Covered by federal laws and regs

Software available to filter and delete


Cost of Poor Retention Policy

The judge could …

- instruct the jury to infer that the record(s) destroyed contained information unfavorable to your company.
- order your company to pay cost of restoring any archival media on which a lost record is stored plus reasonable litigation expenses incurred by your opponent in filing a motion for discovery and production of the record.


Beware the Unmanaged IM and Email

Recipients may retain IM

IM immune to firewalls

IM may be offensive to employees

Track IM usage

Enable content filtering and blocking

Log and audit conversations

Do not allow encrypted IM
