Posts

Showing posts from June, 2015

Systems Development, Program Changes, and Application Controls: Substantive Testing Techniques.

Substantive Testing Techniques

Substantive tests are so named because they are used to substantiate dollar amounts in account balances. Substantive tests include but are not limited to the following:
1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.
3. Confirming accounts receivable with customers.
4. Searching for unrecorded liabilities.

Before substantive tests can be performed, these data must first be extracted from their host media and presented to the auditor in usable form. The two CAATTs examined in this section assist the auditor in selecting, accessing, and organizing data used for performing substantive tests.

THE EMBEDDED AUDIT MODULE

Embedded audit module (EAM) techniques use one or more programmed modules embedded in a host application to select, for subsequent analysis, transactions that meet predetermined conditions. This approach is illustrated in Figure 17-16. As the host application pro

Problems on Systems Development, Program Changes, and Application Controls.

Problems

1. INPUT VALIDATION
Describe the types of application control used for the following data in a payroll system.
a. Employee name
b. Employee number
c. Social Security number
d. Rate per hour or salary
e. Marital status
f. Number of dependents
g. Cost center
h. Regular hours worked
i. Overtime hours worked
j. Total employees this payroll period

2. COMPUTER FRAUD AND CONTROLS
Although the threat to security via external penetration is often seen as the greatest threat, many threats are internal. Computer frauds include (1) input manipulation, (2) program alteration, (3) file alteration, (4) data theft, and (5) sabotage.
Required: Explain how each of these five types of fraud is committed. Also, identify a method of protection against each without using the same protection method for more than one type of fraud. Use the following format.

Summary of Systems Development, Program Changes, and Application Controls.

Summary

SOX legislation requires management to design, implement, and certify controls over financial reporting. Similarly, external auditors are required to attest to management’s assessment of controls. This chapter dealt with the business risks, IT controls, and test of controls pertaining to three areas of specific concern to SOX: systems development, program change procedures, and computer applications. The integrity of financial data is directly dependent on the accuracy of the applications that process them. Likewise, the integrity of those applications depends on the quality of the systems development process that produced them and on the program change procedures through which they were modified. Lack of control over these areas, or inconsistency in their function, can result in unintentional application errors and program fraud. The systems development and maintenance controls and the test of controls described in this chapter apply both to management’s SOX-compliance

Systems Development, Program Changes, and Application Controls: Testing Computer Application Controls.

Testing Computer Application Controls The appendix to Chapter 15 described how audit objectives are derived from management assertions such as existence or occurrence, completeness, accuracy, rights and obligations, valuation or allocation, and presentation and disclosure. Depending on the type of account being considered, a particular management assertion has different implications for the audit objective to be developed. Once developed, achieving the audit objectives requires designing audit procedures to gather evidence that either corroborates or refutes the underlying management assertions. Generally, this involves a combination of tests of application controls and substantive tests of transaction details and account balances. This section deals essentially with the tests of application controls, but at the end we will briefly review techniques for performing substantive tests. Tests of computer application controls follow two general approaches: (1) the black box (around the

Systems Development, Program Changes, and Application Controls: Application Controls

Application Controls In addition to IT general controls, SOX requires management and auditors to consider application controls relevant to financial reporting. Application controls are associated with specific applications, such as payroll, purchases, and cash disbursements systems. These fall into three broad categories: input controls, processing controls, and output controls. INPUT CONTROLS Input controls are programmed procedures (routines) that perform tests on transaction data to ensure that they are free from errors. Input control routines should be designed into the system at different points, depending on whether transaction processing is real time or batch. Input controls in real-time systems are placed at the data collection stage to monitor data as they are entered from terminals. Batch systems often collect data in transaction files, where they are temporarily held for subsequent processing. In this case, input control tests are performed as a separate procedure (or

Systems Development, Program Changes, and Application Controls: Systems Development Controls

Systems Development Controls Chapters 13 and 14 presented the systems development life cycle (SDLC) as a multiphase process by which organizations satisfy their formal information needs. An important point at this juncture is that specific SDLC steps will vary from firm to firm. In reviewing the effectiveness of a particular systems development methodology, the accountant should focus on the controllable activities common to all systems development approaches. These are outlined in the following section. CONTROLLING SYSTEMS DEVELOPMENT ACTIVITIES This section and the one that follows examine several controllable activities that distinguish an effective systems development process. The six activities discussed deal with the authorization, development, and implementation of new systems. Controls over systems maintenance are presented in the next section. Systems Authorization Activities All systems should be properly authorized to ensure their economic justification and feasibi