Pp 17-new
- 1. Hall, Accounting Information Systems, 8e
©2013 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Accounting Information Systems, 8e
James A. Hall
Chapter 17
IT Controls Part III: Systems Development, Program Changes, and Application Controls
- 2. Objectives for Chapter 17
• Be familiar with the controls and audit tests relevant to the systems development process.
• Understand the risks and controls associated with program change procedures and the role of the source program library.
• Understand the auditing techniques (CAATTs) used to verify the effective functioning of application controls.
• Understand the auditing techniques used to perform substantive tests in an IT environment.
- 3. Systems Development Controls
Controllable activities that distinguish an effective systems development process include:
• Systems authorization
• User specification
• Technical design
• Internal audit participation
• Program testing
• User test and acceptance procedures
- 4. Auditor’s objectives
The auditor’s objectives are to ensure that
• all systems development activities are applied consistently and follow management’s policies
• system as originally implemented was free from material errors and fraud
• system was judged necessary and justified at checkpoints throughout the SDLC, and
• system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
- 5. Tests of Systems Development Controls
• New systems must be authorized.
• Feasibility studies were conducted.
• User needs were analyzed and addressed.
• Cost-benefit analysis was done.
• Proper documentation was completed.
• All program modules must be thoroughly tested before they are implemented.
• Checklist of problems was kept.
- 6. System Maintenance Controls
• Last, longest and most costly phase of systems development
– Up to 80-90% of entire cost of a system
• All maintenance actions should require
– Technical specifications
– Testing
– Documentation updates
– Formal authorizations for any changes
- 7. Program Change
Audit objectives: detect unauthorized program maintenance and determine that...
• maintenance procedures protect applications from unauthorized changes
• applications are free from material errors
• program libraries are protected from unauthorized access
- 8. Source Program Library
Source program library (SPL)
• library of applications and software
• place where programs are developed and modified
• once compiled into machine language, no longer vulnerable
- 9. [Figure 17-2: Uncontrolled Access to the SPL]
- 10. Controlled SPL Environments
SPL Management Systems (SPLMS) protect the SPL by controlling the following functions:
• storing programs on the SPL
• retrieving programs for maintenance purposes
• deleting obsolete programs from the library
• documenting program changes to provide an audit trail of the changes
- 11. [Figure 17-3: Source Program Library under the Control of SPL Management Software]
- 12. SPL Control Features
• Password control
• Separation of test libraries
• Audit trails
• Reports that enhance management control and the audit function
• Assigns program version numbers automatically
• Controlled access to maintenance commands
- 13. Program Change
Auditing procedures: verify that programs were properly maintained, including changes
Specifically, verify…
• identification and correction of unauthorized program changes
• identification and correction of application errors
• control of access to systems libraries
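One way to test for unauthorized program changes, shown as an added example that is not part of the slides or the textbook: reconcile a snapshot of the production library against the SPLMS audit trail. The record layout, program names, version numbers and change-request IDs are constructed assumptions.

```python
import hashlib

def digest(source: str) -> str:
    """Fingerprint of a program's source text."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

# Constructed SPLMS audit trail: one record per change stored on the SPL.
# An empty "authorization" means no approved change request was recorded.
# The CR-nnn identifiers are hypothetical.
AUDIT_TRAIL = [
    {"program": "AR_UPDATE", "version": 1, "authorization": "CR-101",
     "digest": digest("post receipts")},
    {"program": "AR_UPDATE", "version": 2, "authorization": "CR-117",
     "digest": digest("post receipts; age balances")},
    {"program": "PAYROLL", "version": 1, "authorization": "CR-102",
     "digest": digest("gross = hours * rate")},
    {"program": "PAYROLL", "version": 2, "authorization": "",
     "digest": digest("gross = hours * rate * 1.0")},
    {"program": "INVENTORY", "version": 1, "authorization": "CR-103",
     "digest": digest("reorder at minimum")},
]

# Constructed snapshot of the production library taken by the auditor.
PRODUCTION = {
    "AR_UPDATE": {"version": 2, "source": "post receipts; age balances"},
    "PAYROLL": {"version": 2, "source": "gross = hours * rate * 1.0"},
    "INVENTORY": {"version": 1, "source": "reorder at minimum; skip item 77"},
    "GL_CLOSE": {"version": 1, "source": "close period"},
}

def reconcile(audit_trail, production):
    """Return sorted (program, finding) exceptions for the auditor to follow up."""
    trail = {(r["program"], r["version"]): r for r in audit_trail}
    findings = []
    for name, prog in production.items():
        record = trail.get((name, prog["version"]))
        if record is None:
            findings.append((name, "version not in audit trail"))
        elif not record["authorization"]:
            findings.append((name, "change has no authorization"))
        elif record["digest"] != digest(prog["source"]):
            findings.append((name, "source differs from authorized version"))
    return sorted(findings)

if __name__ == "__main__":
    for program, finding in reconcile(AUDIT_TRAIL, PRODUCTION):
        print(f"{program}: {finding}")
```

The version check relies on the SPLMS assigning version numbers automatically; the digest check catches a change made without a new version number.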
- 14. Testing Application Controls
Techniques for auditing applications fall into two classes:
1. testing application controls – two general approaches:
– black box – around the computer
– white box – through the computer
2. examining transaction details and account balances—substantive testing
- 15. [Figure 17-9: Auditing Around the Computer - The Black Box Approach]
- 16. [Figure 17-14: Auditing through the Computer: The ITF Technique]
- 17. Testing Application Controls
Black Box Approach – focuses on input procedures and output results
To gain the needed understanding…
• analyze flowcharts
• review documentation
• conduct interviews
- 18. Testing Application Controls
Auditing through-the-computer focuses on understanding the internal logic of processes between input and output
Common tests
• Authenticity tests
• Accuracy tests
• Completeness tests
• Redundancy tests
• Access tests
• Audit trail tests
• Rounding error tests
- 19. Audit Testing Techniques
• Test data method: testing for logic or control problems - good for new systems or systems which have undergone recent maintenance
– base case system evaluation (BCSE) - using a comprehensive set of test transactions
– tracing - performs an electronic walkthrough of the application’s internal logic
• Test data methods are not fool-proof
– a snapshot - one point in time examination
– high-cost of developing adequate test data
- 20. Audit Testing Techniques
• Integrated test facility (ITF): an automated, on-going technique that enables the auditor to test an application’s logic and controls during its normal operation
• Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system
- 21. [Figure 17-11: The Parallel Simulation Technique]
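Parallel simulation in miniature, shown as an added example that is not part of the slides or the textbook: the auditor's own version of the processing rule reprocesses the client's actual transactions, and the results are compared with the client's production output. The payroll rule (time and a half over 40 hours), field names and amounts are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed extract of the client's actual transactions.
TRANSACTIONS = [
    {"id": "T1", "hours": Decimal("40"), "rate": Decimal("21.375")},
    {"id": "T2", "hours": Decimal("46"), "rate": Decimal("18.00")},
    {"id": "T3", "hours": Decimal("38.5"), "rate": Decimal("25.10")},
    {"id": "T4", "hours": Decimal("40"), "rate": Decimal("30.00")},
]

# Constructed production output of the client's application for the same run.
CLIENT_OUTPUT = {
    "T1": Decimal("855.00"),
    "T2": Decimal("828.00"),
    "T3": Decimal("966.35"),
    "T5": Decimal("500.00"),
}

def simulate(txn):
    """Auditor's independent rule (assumed): overtime above 40 hours pays 1.5x."""
    regular = min(txn["hours"], Decimal("40"))
    overtime = txn["hours"] - regular
    gross = (regular + overtime * Decimal("1.5")) * txn["rate"]
    return gross.quantize(CENT, rounding=ROUND_HALF_UP)

def parallel_simulation(transactions, client_output):
    """Return (id, finding, amount) exceptions between simulation and client output."""
    exceptions, seen = [], set()
    for txn in transactions:
        expected = simulate(txn)
        seen.add(txn["id"])
        actual = client_output.get(txn["id"])
        if actual is None:
            # Completeness: a transaction was input but never produced output.
            exceptions.append((txn["id"], "missing from client output", expected))
        elif actual != expected:
            # Accuracy: report the client's amount minus the simulated amount.
            exceptions.append((txn["id"], "amount differs", actual - expected))
    for tid in sorted(set(client_output) - seen):
        # Authenticity: output that no source transaction supports.
        exceptions.append((tid, "output without source transaction", client_output[tid]))
    return exceptions

if __name__ == "__main__":
    for tid, finding, amount in parallel_simulation(TRANSACTIONS, CLIENT_OUTPUT):
        print(tid, finding, amount)
```

An exception here is a lead, not a conclusion: the difference may come from the client's program or from the auditor's understanding of the rule.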
- 22. Substantive Testing
• Techniques to substantiate account balances. For example:
– search for unrecorded liabilities
– confirm accounts receivable to ensure they are not overstated
• Requires first extracting data from the system. Two technologies commonly used to select, access, and organize data are:
– embedded audit module
– generalized audit software
- 23. Embedded Audit Module
• An ongoing module which filters out non-material transactions
• The chosen, material transactions are used for sampling in substantive tests
• Requires additional computing resources by the client
• Hard to maintain in systems with high maintenance
- 24. [Figure 17-12: Embedded Audit Module Technique]
- 25. Generalized Audit Software
• Very popular & widely used
• Can access data files & perform operations on them:
– screen data
– statistical sampling methods
– foot & balance
– format reports
– compare files and fields
– recalculate data fields
- 26. [Figure 17-14: Using GAS to Access Complex File Structure]