Computer-Assisted Audit Tools and Techniques: IT Auditing, Hall, 4e

This chapter discusses computer-assisted audit tools and techniques (CAATTs). It covers input controls, processing controls, and output controls. It also discusses different types of CAATTs like black-box and white-box auditing.

Chapter 7: Computer-Assisted Audit Tools and Techniques

IT Auditing, Hall, 4e

2016 Cengage Learning. May not be scanned, copied or duplicated or posted to a publicly accessible website, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website or school-approved learning management system for classroom use.
Learning Objectives

o Be familiar with the classes of transaction input controls used by accounting applications.
o Understand the objectives and techniques used to implement processing controls, including run-to-run, operator intervention, and audit trail controls.
o Understand the methods used to establish effective output controls for both batch and real-time systems.
o Know the difference between black-box and white-box auditing.
o Be familiar with the key features of the five CAATTs discussed in the chapter.

Input Controls

o Programmed procedures, also known as edits or validation controls.
o Perform tests on transaction data to ensure they are error free before processing. Three categories:
o Field interrogation involves programmed procedures to examine the characteristics of the data in the field:
  o Common data input errors are (1) transcription (addition, truncation or substitution) and (2) transposition errors. These problems are controlled with check digits.
  o Missing data checks are used to check for blank spaces.
  o Numeric-alphabetic checks identify data in the wrong form.
  o Limit checks test for amounts that exceed authorized limits.
  o Range checks test for upper and lower limits of acceptable values.
  o Validity checks compare actual against acceptable values.

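
Added example (not from the slides or the textbook): a check-digit test for the transcription and transposition errors described above, compared with a plain digit-sum check that misses transpositions. The modulus-11 weighting, the base code 5372 and the function names are assumptions made here; the slides do not say which check-digit scheme is meant.

```python
# Added example: modulus-11 check digit (an assumed scheme, not named on the slides).
WEIGHTS_START = 2  # weights 2, 3, 4, ... applied right to left (assumption)


def mod11_check_digit(base: str) -> str:
    """Return the check character for a numeric base code ('X' stands for 10)."""
    if not (base.isascii() and base.isdigit()):
        raise ValueError("base code must be numeric")
    total = sum(int(d) * w for w, d in enumerate(reversed(base), WEIGHTS_START))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def sum_check_digit(base: str) -> str:
    """Naive alternative: units digit of the unweighted digit sum."""
    return str(sum(int(d) for d in base) % 10)


def is_valid(code: str, scheme=mod11_check_digit) -> bool:
    """Field interrogation: missing-data, numeric and check-digit tests."""
    if len(code) < 2:                       # missing data check
        return False
    base, check = code[:-1], code[-1]
    if not (base.isascii() and base.isdigit()):  # numeric-alphabetic check
        return False
    return scheme(base) == check            # check-digit test


def missed_errors(base: str, bad_bases: list[str], scheme) -> list[str]:
    """Mis-keyed bases that still pass when entered with the true check digit."""
    check = scheme(base)
    return [b for b in bad_bases if is_valid(b + check, scheme)]


# Constructed sample: one true code and four keying errors of the kinds listed above.
BASE = "5372"
BAD = {
    "substitution": "5371",
    "truncation": "537",
    "addition": "53712",
    "transposition": "5327",
}

if __name__ == "__main__":
    print("code with check digit:", BASE + mod11_check_digit(BASE))
    print("missed by modulus 11:", missed_errors(BASE, list(BAD.values()), mod11_check_digit))
    print("missed by digit sum: ", missed_errors(BASE, list(BAD.values()), sum_check_digit))
```

The unweighted sum accepts the transposed code because swapping two digits leaves the sum unchanged; position weights are what make transpositions detectable.
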
Validation During Data Input

Validation in Batch Sequential File System

Input Controls

o Record interrogation procedures validate records by examining the interrelationship of their field values.
  o Reasonableness check determines if a value is reasonable when considered along with other data fields.
  o Sign check verifies the sign of the field is correct.
  o Sequence check is used to determine if a record is out of order.
o File interrogation is to ensure the correct file is being processed:
  o Internal and external label checks verify the file being processed is the one being called for.
  o Version checks are used to verify the correct version is being processed.

Processing Controls

o Run-to-run controls monitor a batch as it moves from one run to another and ensure:
  o All records are processed, and no record is processed more than once.
  o A transaction audit trail is created.
o Accomplished through batch control data that includes: unique batch number, date, transaction code, record count, total dollar value (control total), and a hash total.
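
Added example (not from the slides or the textbook): recomputing the batch control data after a run and comparing it with the control record, as the run-to-run controls above describe. The hash total is taken as the sum of a non-financial field (here the account number); the field names and the sample batch are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str      # unique identifier for each transaction
    account: int     # non-financial field summed into the hash total (assumption)
    amount: Decimal


@dataclass(frozen=True)
class BatchControl:
    batch_number: str
    date: str
    transaction_code: str
    record_count: int
    control_total: Decimal
    hash_total: int


def build_control(batch_number, date, code, records):
    """Compute the batch control data when the batch is first assembled."""
    return BatchControl(batch_number, date, code, len(records),
                        sum((r.amount for r in records), Decimal("0")),
                        sum(r.account for r in records))


def reconcile(control, records):
    """Recompute the totals after a run and return the list of discrepancies."""
    issues = []
    counts = Counter(r.txn_id for r in records)
    dupes = sorted(t for t, n in counts.items() if n > 1)
    if dupes:
        issues.append(f"processed more than once: {dupes}")
    actual = build_control(control.batch_number, control.date,
                           control.transaction_code, records)
    for name in ("record_count", "control_total", "hash_total"):
        expected, got = getattr(control, name), getattr(actual, name)
        if expected != got:
            issues.append(f"{name}: expected {expected}, got {got}")
    return issues


# Constructed sample batch (not real data).
BATCH = [Txn("T1", 1001, Decimal("250.00")),
         Txn("T2", 1002, Decimal("75.50")),
         Txn("T3", 1003, Decimal("120.25"))]
CONTROL = build_control("B-0001", "2016-01-15", "SALE", BATCH)
```

A record posted to the wrong account leaves the record count and control total unchanged, so only the hash total exposes it.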

Processing Controls

o Common error handling techniques:
  o Correct immediately: With the direct data validation approach, error detection and correction can take place during data entry.
  o Create an error file: Individual errors are flagged to prevent them from being processed; they are then corrected and resubmitted as a separate batch for reprocessing.
  o Reject the batch: Some errors are associated with the entire batch, making the best solution to cease processing.

Run-to-Run Controls

Processing Controls

o Operator intervention increases potential for human error. Systems with operator intervention controls are less prone to processing errors.
o Preservation of the audit trail is an important objective of process control.
  o Transaction logs should record every transaction successfully processed by the system.
  o All automatically generated transactions should be included in the log, with the responsible end user receiving a detailed listing.
  o Each transaction processed must have a unique identifier.
  o A listing of all error records should go to the appropriate user to support error correction and resubmission.

Transaction Log to Preserve the Audit Trail

Stages in the Output Process

Output Controls

o Ensure system output is not lost, misplaced or corrupted and that privacy policy is not violated. Controls for batch system output include:
o Output spooling directs output to a magnetic disk rather than to the printer. When resources become available, output files are printed.
  o Creation of the output file presents an added exposure for a computer criminal to access, copy or destroy the file.

Output Controls

o Print program requires operator interventions to print, monitor and remove the output. Program controls are designed to:
  o Prevent unauthorized copies and unauthorized browsing of sensitive data by employees.
o Printed output reports go through the bursting stage to have pages separated and collated.
  o Primary control is supervision.
o Computer waste represents a potential risk.
  o Should be shredded before disposal.

Output Controls

o Data control group is sometimes responsible for verifying accuracy of output before distribution.
o Report distribution risks include reports being lost, stolen or misdirected.
  o Secure mailboxes, in-person pickup or secured delivery.
o End user controls include error checking and secure storage until the report's expiration period has expired.
o Real-time output threats include interception, disruption, destruction or corruption of output.

Testing Computer Application Controls

o Black-box approach (auditing around the computer) does not require a detailed knowledge of the internal logic of the application.
  o Uses flowchart analysis and interviews of knowledgeable personnel to understand characteristics of the application.
  o Advantage is that the application doesn't need to be removed from service and tested directly.
  o Appropriate for simple applications, but more complex applications require through-the-computer review.

Black-Box Approach

Testing Computer Application Controls

o White-box approach (auditing through the computer) requires in-depth understanding of internal logic. Tests of controls:
  o Access tests include verification of IDs and passwords.
  o Validity tests include range, field, limit and reasonableness.
  o Accuracy tests include recalculations and reconciliations.
  o Completeness tests include field, record sequence and hash and financial control total recalculation.
  o Redundancy tests include reviewing record counts and recalculation of hash totals and financial control tests.
  o Audit trail tests include obtaining evidence that an adequate audit trail is created.
  o Rounding error tests verify rounding procedures.
    o Susceptible to salami fraud.

Rounding Error Algorithm

Computer Aided Audit Tools & Techniques for Testing Controls

o Test data method is used to establish the application processing integrity.
  o Results from the test run are compared to predetermined expectations to evaluate application logic and controls.
  o Test data includes both valid and invalid transactions.
o Base case system evaluation (BCSE) is a variant of the test data method in which comprehensive test data goes through repetitive testing until a valid base case is obtained.
  o When the application is modified, subsequent test (new) results can be compared with previous results (base).

Test Data Technique

Computer Aided Audit Tools & Techniques for Testing Controls

o Tracing takes a step-by-step walk of the application's internal logic.
o Advantages of test data technique:
  o Provides explicit evidence concerning application function.
  o Can be employed with only minimal disruption.
  o Requires only minimal auditor computer expertise.
o Disadvantages of test data technique:
  o Auditors must rely on computer services personnel to obtain a copy of the application for testing.
  o Provides a static picture of application integrity and is not a convenient means of gathering evidence about ongoing application functionality.
  o Relatively high cost to implement, auditing inefficiency.

The Integrated Test Facility (ITF)

o Automated technique that allows auditors to test logic and controls during normal operations by setting up a dummy entity within the application system.
  o System discriminates between ITF and routine transactions.
  o Auditor analyzes ITF results against expected results.
o Advantages of ITF:
  o Supports ongoing monitoring of controls as specified by the COSO control framework.
  o Applications can be economically tested without disrupting user operations and without the intervention of computer service personnel, improving efficiency and reliability.
o Primary disadvantage of ITF is the potential for corrupting data files.

ITF Technique

Parallel Simulation

o Requires the auditor to write a program that simulates key features or processes of the application under review.
  o Auditor gains a thorough understanding of the application under review and identifies critical processes and controls.
  o Auditor creates the simulation using a program or Generalized Audit Software (GAS).
  o Auditor runs the simulated program using selected data and files.
  o Auditor evaluates results and reconciles differences.
o Auditor must carefully evaluate differences between test results and production results.

Parallel Simulation Technique
