Chapter 17 Code Review, Test Data, and Code Comparison.

Page 1: Chapter 17 Code Review, Test Data, and Code Comparison.

Chapter 17

Code Review, Test Data, and Code Comparison

Page 2: Chapter 17 Code Review, Test Data, and Code Comparison.

Audit Evidence Collection and Evaluation

  • What was expected to happen / not happen?
  • What did happen / not happen?
  • What type of evidence do we have?
  • Is the evidence reliable?
  • What is the exposure and $ of risk?

Page 3: Chapter 17 Code Review, Test Data, and Code Comparison.

Evidence Collection Techniques

  • Program Code Review: obtain program source-code listings to evaluate the quality of the program code
  • Test Data: design a sample of data to be executed by the program
  • Code Comparison: compare two versions of a program’s source or object code to determine if attributes are common

Page 4: Chapter 17 Code Review, Test Data, and Code Comparison.

Where Do Program Defects Occur?

Tentative Conclusions

  • A small number of program modules will have a large number of faults
  • Requirement specifications and design errors are as prominent as coding errors
  • Design errors relate to interface problems with users

Page 5: Chapter 17 Code Review, Test Data, and Code Comparison.

Objectives of Code Review

  • Identify erroneous code
  • Identify unauthorized code
  • Identify ineffective code
  • Identify inefficient code
  • Identify nonstandard code

Page 6: Chapter 17 Code Review, Test Data, and Code Comparison.

Source-Code Review Methodology

1. Source Code Selection
2. Review Programming Standards
3. Understand the Program Specifications
4. Obtain Source Code
5. Review Programming Language Used
6. Review Source Code
7. Formulate Flaw Hypotheses

Page 7: Chapter 17 Code Review, Test Data, and Code Comparison.

Review Source Code

Page 8: Chapter 17 Code Review, Test Data, and Code Comparison.

COBOL Reserved Words

  Select          If
  Redefines       Go To
  Open/Close      Go To…Depending On
  File Status     Perform…Until
  Invalid Key     Search/Search All
  Accept          Inspect
  Display         Evaluate…When
  Copy            Call

Page 9: Chapter 17 Code Review, Test Data, and Code Comparison.

Benefits & Costs of Code Review

  • Primary Benefit: provides a level of detailed knowledge about a program that auditors will find difficult to acquire using other evidence-collection techniques
  • Primary Disadvantage: cost

Page 10: Chapter 17 Code Review, Test Data, and Code Comparison.
Page 11: Chapter 17 Code Review, Test Data, and Code Comparison.

Black-Box Test-Data Design Methods

  • user interface errors
  • errors in interfacing with external systems or databases
  • efficiency problems
  • initialization errors
  • termination errors

Page 12: Chapter 17 Code Review, Test Data, and Code Comparison.

Equivalence Partitioning

  • The objective during test-data design is to select a test-data design element that falls within the class and one that falls outside the class.

Page 13: Chapter 17 Code Review, Test Data, and Code Comparison.

Decision Tree for Test-Data Design

Page 14: Chapter 17 Code Review, Test Data, and Code Comparison.

White-Box Test-Data Design Methods

  • Focus is on whether defective execution paths exist in a program
  • Primary goal is to identify the control structure underlying the code:
      • full statement coverage
      • full branch coverage
      • full path coverage
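The three coverage levels named above are not equivalent, which the following added example (not part of the original slides) shows by tracing a small constructed routine. The function `classify`, its test cases and the line-offset tables are assumptions made for illustration.

```python
import sys

def classify(amount, limit):          # constructed unit under test (offset 0)
    flags = []                        # offset 1
    if amount < 0:                    # offset 2
        flags.append("negative")      # offset 3
    if amount > limit:                # offset 4
        flags.append("over-limit")    # offset 5
    return flags                      # offset 6

# Line offsets inside classify: every statement, and each `if` taken / not taken.
STATEMENTS = set(range(1, 7))
BRANCHES = {(2, 3), (2, 4), (4, 5), (4, 6)}

def coverage(cases):
    """Return (statement %, branch %, distinct paths) achieved by the test cases."""
    code = classify.__code__
    lines, arcs, paths = set(), set(), set()
    for amount, limit in cases:
        path = []
        def tracer(frame, event, arg):
            # Record each executed line of classify as an offset from its def line.
            if frame.f_code is code and event == "line":
                path.append(frame.f_lineno - code.co_firstlineno)
            return tracer
        sys.settrace(tracer)
        try:
            classify(amount, limit)
        finally:
            sys.settrace(None)
        lines.update(path)
        arcs.update(zip(path, path[1:]))   # consecutive lines form control-flow arcs
        paths.add(tuple(path))
    return (100 * len(lines & STATEMENTS) // len(STATEMENTS),
            100 * len(arcs & BRANCHES) // len(BRANCHES),
            len(paths))

if __name__ == "__main__":
    print(coverage([(-5, -10)]))                                 # one case
    print(coverage([(-5, -10), (5, 10)]))                        # two cases
    print(coverage([(-5, -10), (5, 10), (-5, 10), (50, 10)]))    # all four paths
```

One test case executes every statement yet exercises only half the branches; two cases cover every branch but only two of the four feasible paths.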

Page 15: Chapter 17 Code Review, Test Data, and Code Comparison.
Page 16: Chapter 17 Code Review, Test Data, and Code Comparison.
Page 17: Chapter 17 Code Review, Test Data, and Code Comparison.

Fig 17-8

Page 18: Chapter 17 Code Review, Test Data, and Code Comparison.
Page 19: Chapter 17 Code Review, Test Data, and Code Comparison.
Page 20: Chapter 17 Code Review, Test Data, and Code Comparison.

Loop Testing

  • Tested as part of a basis path testing strategy
  • Types of Loops
      • Simple loops have no other loops embedded within their control structure
      • Nested loops have other loops embedded within their control structure

Page 21: Chapter 17 Code Review, Test Data, and Code Comparison.
Page 22: Chapter 17 Code Review, Test Data, and Code Comparison.

Automated Aids

  • Test data/file generators
  • Test capture/playback tools
  • Test coverage/execution path monitor tools
  • Test drivers/harnesses
  • Test output comparators
  • Static analyzers

Page 23: Chapter 17 Code Review, Test Data, and Code Comparison.

Benefits & Costs of Test Data

  • Major Benefit: allows auditors to examine the quality of program code directly
  • Major Disadvantage: often time-consuming and costly

Page 24: Chapter 17 Code Review, Test Data, and Code Comparison.

Program Code Comparison

  • Provides some assurance that the correct version of software is being audited
  • Provides some assurance that any software used as an audit tool is the correct version of the software

Page 25: Chapter 17 Code Review, Test Data, and Code Comparison.

Types of Code Comparison

  • Source-code Comparison: software provides meaningful listing of any discrepancies between two versions of source code
  • Object-code Comparison: software provides listing of any discrepancies between two versions of source code (does not identify nature and cause of discrepancies)
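The contrast between the two comparison types, as an added example that is not part of the original slides: a source comparison yields readable changed lines, while a byte-level comparison of compiled images yields only a digest mismatch and offsets. The COBOL fragment, the byte strings standing in for object code, and the function names are all constructed for illustration.

```python
import difflib
import hashlib

# Constructed samples: approved source of a routine and the copy found in production.
APPROVED_SRC = """\
IF AMOUNT > 5000
    PERFORM REJECT-ORDER
ELSE
    PERFORM ACCEPT-ORDER
END-IF.
"""
PRODUCTION_SRC = APPROVED_SRC.replace("5000", "50000")

# Constructed stand-ins for two compiled object modules (one byte altered).
APPROVED_OBJ = bytes(range(32))
PRODUCTION_OBJ = APPROVED_OBJ[:10] + b"\xff" + APPROVED_OBJ[11:]

def source_compare(approved, production):
    """Return only the changed lines: '-' from approved, '+' from production."""
    diff = list(difflib.unified_diff(approved.splitlines(), production.splitlines(),
                                     "approved", "production", n=0, lineterm=""))
    # Skip the two file-header lines, then drop the '@@' hunk markers.
    return [line for line in diff[2:] if line[0] in "+-"]

def object_compare(approved, production):
    """Return (digests_match, differing byte offsets): where, but not why."""
    same = hashlib.sha256(approved).digest() == hashlib.sha256(production).digest()
    offsets = [i for i, (a, b) in enumerate(zip(approved, production)) if a != b]
    # A length change is reported as every offset past the end of the shorter image.
    shorter, longer = sorted((len(approved), len(production)))
    offsets.extend(range(shorter, longer))
    return same, offsets

if __name__ == "__main__":
    for line in source_compare(APPROVED_SRC, PRODUCTION_SRC):
        print(line)
    print(object_compare(APPROVED_OBJ, PRODUCTION_OBJ))
```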

Page 26: Chapter 17 Code Review, Test Data, and Code Comparison.

Benefits & Costs of Code Comparison

  • Primary Benefit
      • easy way of identifying changes made to programs
      • neither costly to purchase nor to execute
  • Primary Cost
      • does not provide any evidence directly on the quality of the code being compared

Page 27: Chapter 17 Code Review, Test Data, and Code Comparison.