Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls
description
Transcript of Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls
![Page 1: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/1.jpg)
Hall, Accounting Information Systems, 7e
©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Accounting Information Systems, 7eJames A. Hall
Chapter 17IT Controls Part III:
Systems Development, Program Changes, and Application Controls
![Page 2: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/2.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Objectives for Chapter 17 Be familiar with the controls and audit tests
relevant to the systems development process. Understand the risks and controls associated
with program change procedures and the role of the source program library.
Understand the auditing techniques (CAATTs) used to verify the effective functioning of application controls.
Understand the auditing techniques used to perform substantive tests in an IT environment.
2
![Page 3: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/3.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Systems Development Activities
Authorizing development of new systems Addressing and documenting user needs Technical design phases Participation of internal auditors Testing program modules before implementing
Testing individual modules by a team of users, internal audit staff, and systems professionals
3
![Page 4: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/4.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
System Development Life Cycle
4
Figure 14-1
![Page 5: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/5.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Systems Development Auditing objectives: ensure that...
SDLC activities are applied consistently and in accordance with management’s policies
the system as originally implemented was free from material errors and fraud
the system was judged to be necessary and justified at various checkpoints throughout the SDLC
system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities
5
![Page 6: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/6.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Systems Development IC New systems must be authorized. Feasibility studies were conducted. User needs were analyzed and addressed. Cost-benefit analysis was done. Proper documentation was completed. All program modules must be thoroughly
tested before they are implemented. Checklist of problems was kept.
6
![Page 7: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/7.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
System Maintenance IC Last, longest and most costly phase of
SDLC Up to 80-90% of entire cost of a
system All maintenance actions should require
Technical specifications Testing Documentation updates Formal authorizations for any changes
7
![Page 8: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/8.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Program Change Auditing objectives: detect
unauthorized program maintenance and determine that... maintenance procedures protect
applications from unauthorized changes
applications are free from material errors
program libraries are protected from unauthorized access
8
![Page 9: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/9.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Source Program Library
Source program library (SPL) library of applications and software place where programs are
developed and modified once compiled into machine
language, no longer vulnerable
9
![Page 10: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/10.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Uncontrolled Access to the SPL
10
Figure 17-2
![Page 11: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/11.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Controlled SPL Environments SPL Management Systems (SPLMS)
protect the SPL by controlling the following functions: storing programs on the SPL retrieving programs for maintenance
purposes deleting obsolete programs from the
library documenting program changes to
provide an audit trail of the changes11
![Page 12: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/12.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Source Program Library under the Control of SPL Management Software
12
Figure 17-3
![Page 13: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/13.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
SPL Control Features Password control Separation of test libraries Audit trails Reports that enhance management
control and the audit function Assigns program version numbers
automatically Controlled access to maintenance
commands13
![Page 14: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/14.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Program Change Auditing procedures: verify that
programs were properly maintained, including changes
Specifically, verify… identification and correction of
unauthorized program changes identification and correction of application
errors control of access to systems libraries
14
![Page 15: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/15.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Controls
Narrowly focused exposures within a specific system, for example: accounts payable cash disbursements fixed asset accounting payroll sales order processing cash receipts general ledger
15
![Page 16: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/16.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Controls Risks within specific applications Can affect manual procedures (e.g., entering
data) or embedded (automated) procedures Convenient to look at in terms of:
input stage processing stage output stage
PROCESSINGINPUT OUTPUT
16
![Page 17: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/17.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Input Controls Goal of input controls - valid,
accurate, and complete input data Two common causes of input
errors: transcription errors – wrong character
or value transposition errors – ‘right’ character
or value, but in wrong place
17
![Page 18: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/18.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Input Controls Check digits – data code is added to produce
a control digit especially useful for transcription and
transposition errors Missing data checks – control for blanks or
incorrect justifications Numeric-alphabetic checks – verify that
characters are in correct form
18
![Page 19: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/19.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Input Controls
Limit checks – identify values beyond pre-set limits
Range checks – identify values outside upper and lower bounds
Reasonableness checks – compare one field to another to see if relationship is appropriate
Validity checks – compares values to known or standard values
19
![Page 20: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/20.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Processing Controls
Programmed processes that transform input data into information for output
Three categories: Batch controls Run-to-run controls Audit trail controls
20
![Page 21: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/21.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Processing Controls Batch controls - reconcile system
output with the input originally entered into the system
Based on different types of batch totals: total number of records total dollar value hash totals – sum of non-financial
numbers21
![Page 22: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/22.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Processing Controls Run-to-run controls - use batch
figures to monitor the batch as it moves from one programmed procedure (run) to another
Audit trail controls - numerous logs used so that every transaction can be traced through each stage of processing from its economic source to its presentation in financial statements
22
![Page 23: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/23.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
23
Transaction Log to Preserve the Audit Trail
Figure 17-7
![Page 24: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/24.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Output Controls Goal of output controls is to ensure
that system output is not lost, misdirected, or corrupted, and that privacy is not violated.
In the following flowchart, there are exposures at every stage.
24
![Page 25: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/25.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Stages in the Output Process
25Figure 17-8
![Page 26: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/26.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Controls Output
Output spooling – creates a file during the printing process that may be inappropriately accessed
Printing – create two risks: production of unauthorized copies of
output employee browsing of sensitive data
26
![Page 27: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/27.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Controls Output Waste – can be stolen if not
properly disposed of, e.g., shredding Report distribution – for sensitive
reports, the following are available: use of secure mailboxes require the user to sign for reports
in person deliver the reports to the user
27
![Page 28: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/28.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Application Controls Output End user controls – end users need to
inspect sensitive reports for accuracy shred after used
Controlling digital output – digital output message can be intercepted, disrupted, destroyed, or corrupted as it passes along communications links
28
![Page 29: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/29.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Testing Application Controls Techniques for auditing
applications fall into two classes:
1. testing application controls – two general approaches:– black box – around the computer– white box – through the computer
2. examining transaction details and account balances—substantive testing 29
![Page 30: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/30.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Auditing Around the Computer - The Black Box Approach
30
Figure 17-9
![Page 31: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/31.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Auditing through the Computer: The ITF Technique
31Figure 17-14
![Page 32: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/32.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Testing Application Controls
Black Box Approach – focuses on input procedures and output results
To Gain need understanding… analyze flowcharts review documentation conduct interviews
32
![Page 33: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/33.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Testing Application Controls White Box Approach - focuses on
understanding the internal logic of processes between input and output
Common tests Authenticity tests Accuracy tests Completeness tests Redundancy tests Access tests Audit trail tests Rounding error tests
33
![Page 34: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/34.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
White Box Testing Techniques Test data method: testing for logic or control
problems - good for new systems or systems which have undergone recent maintenance base case system evaluation (BCSE) - using a
comprehensive set of test transactions tracing - performs an electronic walkthrough of
the application’s internal logic Test data methods are not fool-proof
a snapshot - one point in time examination high-cost of developing adequate test data
34
![Page 35: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/35.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
White Box Testing Techniques Integrated test facility (ITF): an
automated, on-going technique that enables the auditor to test an application’s logic and controls during its normal operation
Parallel simulation: auditor writes simulation programs and runs actual transactions of the client through the system
35
![Page 36: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/36.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
The Parallel Simulation Technique
36
Figure 17-15
![Page 37: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/37.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Substantive Testing Techniques to substantiate account balances.
For example: search for unrecorded liabilities confirm accounts receivable to ensure they are
not overstated Requires first extracting data from the system.
Two technologies commonly used to select, access, and organize data are: embedded audit module generalized audit software
37
![Page 38: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/38.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Embedded Audit Module
An ongoing module which filters out non-material transactions
The chosen, material transactions are used for sampling in substantive tests
Requires additional computing resources by the client
Hard to maintain in systems with high maintenance
38
![Page 39: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/39.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Embedded Audit ModuleTechnique
39Figure 17-16
![Page 40: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/40.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Generalized Audit Software
Very popular & widely used Can access data files & perform
operations on them: screen data statistical sampling methods foot & balance format reports compare files and fields recalculate data fields
40
![Page 41: Chapter 17 IT Controls Part III: Systems Development, Program Changes, and Application Controls](https://reader034.fdocuments.in/reader034/viewer/2022050623/56815cea550346895dcaf363/html5/thumbnails/41.jpg)
Hall, Accounting Information Systems, 7e©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly accessible website, in whole or in part.
Using GAS to Access Complex File Structure
41
Figure 17-18