
UNIVERSITY OF LUZON

COLLEGE OF ACCOUNTANCY
SY 2017-2018

Auditing IT Controls Part III:
Systems Development, Program Changes and Application Auditing

Group 3:
Leonora Jane C. Pinlac
Nerys Sophia Quinto
Jonnadelle B. Valenzuela
Charis Faith Daroy
Princess Eve E. Ocado
Michaella Ariane Ferrer
Samantha Grace Bueno
Iris Manansala
Rodecca Velasco
Jingo Glenn Diaz

Instructor:
Prof. Jharam A. Tolentino, CPA

Auditing IT Controls Part III:
Systems Development, Program Changes and Application Auditing

System Development

Systems development is the process of defining, designing, testing, and
implementing a new software application or program. It can include the
internal development of customized systems, the creation of database systems, or
the acquisition of third-party developed software.

MOST METHODOLOGIES SHARE SOME COMBINATION OF THE FOLLOWING STAGES OF SOFTWARE DEVELOPMENT:
Analyzing the problem
Market research
Gathering requirements for the proposed business solution
Devising a plan or design for the software-based solution
Implementation (coding) of the software
Testing the software
Deployment
SYSTEM DEVELOPMENT CONTROLS
SYSTEM DEVELOPMENT LIFE CYCLE
A multistep process by which organizations satisfy their formal information needs. The SDLC
steps vary from firm to firm, but certain controllable activities are common to all systems.
Systems development life cycle (SDLC), also referred to as the
application development life-cycle, is a term used in systems engineering,
information systems and software engineering to describe a process for planning,
creating, testing, and deploying an information system.

CONTROL SYSTEM DEVELOPMENT ACTIVITIES


This section and the one that follows examine several controllable activities that
distinguish an effective systems development process.

SYSTEM AUTHORIZATION ACTIVITIES


All systems should be properly authorized to ensure their economic
justification and feasibility.
USER SPECIFICATION ACTIVITIES
Users need to be actively involved, regardless of the technical complexity of the system.
Users should create a detailed description of their needs.
The user specification document involves the joint efforts of the user and the systems
professional (the user's view).

Technical design activities
1. System analysis
2. Feasibility analysis
3. Detailed system analysis

INTERNAL AUDIT PARTICIPATION
An organization's internal audit environment needs to be independent, objective
and technically qualified.
PROGRAM TESTING
A procedure involving the creation of hypothetical master files and transaction
files. The results of the tests are then compared against predetermined results to identify
programming and logic errors.
USER TEST AND ACCEPTANCE PROCEDURE
A test in which all documents are analyzed and the team is satisfied that the system meets
its stated requirements before it is transferred to users. This is the last point at which the
user can determine the system's acceptability prior to its going into service.
Audit objectives relating to systems development

AUDITOR'S OBJECTIVE IS TO ENSURE THAT:
1. Systems development activities are applied consistently and in accordance with
management policies to all systems development projects;
2. The system as originally implemented was free from material errors and fraud;
3. The system was judged necessary and justified at various checkpoints
throughout the SDLC; and
4. System documentation is sufficiently accurate and complete to facilitate audit and
maintenance activities.
Tests of Systems Development Controls
User and computer services management properly authorized the project.
A preliminary feasibility study showed that the project had merit.
A detailed analysis of user needs was conducted that resulted in alternative
conceptual designs.
A cost-benefit analysis was conducted using reasonably accurate figures.
The detailed design was an appropriate and accurate solution to the user's problem.
Test results show that the system was thoroughly tested at both the individual module
and the total system level before implementation. (To confirm these test results, the
auditor may decide to retest selected elements of the application.)
There is a checklist of specific problems detected during the conversion period, along
with evidence that they were corrected in the maintenance phase.
Systems documentation complies with organizational requirements and standards.
CONTROLLING PROGRAM CHANGE ACTIVITIES
Upon implementation, the information system enters the maintenance phase of
the SDLC. This is the longest period in the SDLC, often spanning several years. Most
systems do not remain static throughout this period. Rather, they undergo substantial
changes that often constitute, in dollars, an amount many times their original
implementation cost.
SOURCE PROGRAM LIBRARY CONTROLS

THE WORST-CASE SITUATION: NO CONTROLS

Figure 17-2 shows the SPL without controls. In this situation, access to application
programs is completely unrestricted. Legitimate maintenance programmers or others
may access any programs stored in the library, which has no provision for detecting an
unauthorized intrusion.
A Controlled SPL Environment
To control SPL, protective features and procedures must be explicitly addressed,
and this requires the implementation of an SPL Management System (SPLMS).
SPL Management System (SPLMS)
Black box surrounding the SPL.
Used to control four routine but critical functions:
1) Storing programs on the SPL.
2) Retrieving Programs for maintenance purposes.
3) Deleting obsolete programs from the library.
4) Documenting program changes to provide an audit trail of the changes.
The following control techniques to ensure program integrity address only
the most vulnerable areas and should be considered minimum controls:
a) Password Control
b) Separate Test Libraries
c) Audit Trail and Management Reports
d) Program Version Numbers
e) Controlling Access to Maintenance Control
Audit Objective relating to System Maintenance
1. Maintenance procedures protect applications from unauthorized changes;
2. Applications are free from material errors; and
3. Program libraries are protected from unauthorized access.
1. Audit procedures for identifying unauthorized program changes.
Reconcile program version numbers: the permanent file of the application
should contain program change authorization documents that correspond to the
current version number of the production application.
Confirm maintenance authorization: the program maintenance authorization
should indicate the nature of the change requested and the date of the change.
2. Audit procedures for identifying application errors.
Reconcile the source code: each application's permanent file should contain the
current program listing and listings of all changes made to the application.
Review the test results: every program change should be thoroughly tested
before it is implemented.
Retest the program: the auditor can retest the application to confirm its integrity.
3. Audit procedures for testing access to libraries.
Review programmer authority tables: the auditor can select a sample of
programmers and review their access authority.
Test authority tables: to test the programmer's access privileges, the auditor
may violate the authorization rules in an attempt to access unauthorized libraries.
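The version reconciliation in procedure 1 above, worked as an added example (my own code, not part of the original report): it walks each program's chain of change authorization documents from the initial version and flags any production version that the permanent file does not fully support. Program names, version numbers and dates are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ChangeAuthorization:
    """One program change authorization document from the permanent file (constructed)."""
    program: str
    from_version: int
    to_version: int
    nature: str   # nature of the change requested
    date: str     # date of the change

# Constructed production library listing: program -> version number now in production.
PRODUCTION_VERSIONS = {"AR_POST": 4, "PAYROLL": 2, "GL_CLOSE": 3}

# Constructed change authorization documents from each application's permanent file.
AUTHORIZATIONS = [
    ChangeAuthorization("AR_POST", 1, 2, "add credit-limit check", "2017-03-02"),
    ChangeAuthorization("AR_POST", 2, 3, "fix aging report totals", "2017-06-14"),
    ChangeAuthorization("AR_POST", 3, 4, "new tax rate table", "2017-09-30"),
    ChangeAuthorization("PAYROLL", 1, 2, "overtime rounding", "2017-05-20"),
    # GL_CLOSE: only 1 -> 2 is documented, yet production runs version 3.
    ChangeAuthorization("GL_CLOSE", 1, 2, "period lock", "2017-01-10"),
]

def reconcile_versions(production, authorizations, initial_version=1):
    """Walk each program's authorization chain from the initial version up to the
    production version. Returns {program: [problems]}; an empty list means every
    version step is covered by a complete authorization document."""
    docs = {}
    for a in authorizations:
        docs.setdefault(a.program, {})[a.from_version] = a
    findings = {}
    for program, prod_version in production.items():
        problems, version = [], initial_version
        while version < prod_version:
            doc = docs.get(program, {}).get(version)
            if doc is None:
                problems.append(f"no authorization for change {version} -> {version + 1}")
                break
            if doc.to_version <= version:   # malformed document; stop rather than loop forever
                problems.append(f"authorization at version {version} does not advance the version")
                break
            if not doc.nature or not doc.date:
                problems.append(f"authorization {version} -> {doc.to_version} lacks nature or date")
            version = doc.to_version
        if version > prod_version:
            problems.append(f"authorized version {version} exceeds production version {prod_version}")
        findings[program] = problems
    return findings
```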
IT Application Control Testing and Substantive Testing

Objectives of Application Control:
Input data is accurate, complete, authorized and correct.
Data is processed in an acceptable time period.
Data stored is accurate and complete.
Outputs are accurate and complete.
A record is maintained to track the process of data from input to storage and the
eventual output.

TYPES of APPLICATION CONTROLS

INPUT CONTROLS
- check the integrity of data entered into a business application.
PROCESSING CONTROLS
- ensure processing is complete, accurate and authorized.
OUTPUT CONTROLS
- compare output results with expected results by checking the output against
input.

Designing Tests of Application Controls

FALL INTO SIX CATEGORIES:
1. ACCESS TESTS
2. VALIDITY TESTS
3. ACCURACY TESTS
4. COMPLETENESS TESTS
5. REDUNDANCY TESTS
6. AUDIT TRAIL TESTS

ACCESS TESTS
Verify that individuals, programmed procedures, or messages attempting to access a system
are AUTHENTIC and VALID.

VALIDITY TESTS
Ensure that the system processes only data values that conform to specified tolerances.

ACCURACY TESTS
Ensure that the mathematical calculations are accurate and posted to the correct
amounts.

COMPLETENESS TESTS
Identify missing data within a single record and entire records missing from a
batch.

REDUNDANCY TESTS
Determine that an application processes each record ONLY ONCE.

AUDIT TRAIL TESTS
Ensure that the application creates an adequate audit trail.
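An added example (not from the original report) of the completeness and redundancy tests run over a constructed sales batch: control totals and required fields are checked on the input side, and the application's posting log is checked so that every input record is posted exactly once. Batch and posting records are constructed sample data.

```python
from collections import Counter
from decimal import Decimal

REQUIRED_FIELDS = ("id", "customer", "amount")

# Constructed batch: control record plus the transaction records as submitted.
BATCH = {
    "batch_id": "SB-0412",
    "record_count": 4,
    "hash_total_amount": "1385.00",   # control total of the amount field
    "records": [
        {"id": "T1", "customer": "C10", "amount": "500.00"},
        {"id": "T2", "customer": "C11", "amount": "250.00"},
        {"id": "T3", "customer": "", "amount": "135.00"},   # customer field missing
        {"id": "T4", "customer": "C12", "amount": "500.00"},
    ],
}

# Constructed posting log written by the application while processing the batch.
POSTED = [
    {"id": "T1", "amount": "500.00"},
    {"id": "T2", "amount": "250.00"},
    {"id": "T2", "amount": "250.00"},   # T2 processed twice
    {"id": "T3", "amount": "135.00"},
    # T4 never posted
]

def completeness_test(batch):
    """Control totals must agree with the records and no record may lack a required field."""
    records, findings = batch["records"], []
    if len(records) != batch["record_count"]:
        findings.append(f"record count {len(records)} != control {batch['record_count']}")
    total = sum(Decimal(r["amount"]) for r in records)
    if total != Decimal(batch["hash_total_amount"]):
        findings.append(f"amount total {total} != control {batch['hash_total_amount']}")
    for r in records:
        missing = [f for f in REQUIRED_FIELDS if not r.get(f)]
        if missing:
            findings.append(f"{r.get('id', '?')}: missing {', '.join(missing)}")
    return findings

def redundancy_test(batch, posted):
    """Each input record must be posted exactly once: report duplicates, unposted and unknown ids."""
    counts = Counter(p["id"] for p in posted)
    input_ids = {r["id"] for r in batch["records"]}
    return {
        "duplicates": sorted(i for i, n in counts.items() if n > 1),
        "not_posted": sorted(i for i in input_ids if counts[i] == 0),
        "unknown": sorted(i for i in counts if i not in input_ids),
    }
```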

EXAMPLES OF TESTS OF IT APPLICATION CONTROLS

TESTING CUSTOMER CREDIT APPROVALS
- The auditor must create a master file of customer records (AR) with set credit
limits.

TESTING ACCURACY OF POSTINGS TO CUSTOMER ACCOUNTS
- The auditor would verify their accuracy by reviewing account balance reports
produced by the sales order application and reconciling them with the predetermined results.

TESTING THE THREE-WAY MATCH
- Involves creating two master files:
* PURCHASE ORDER FILE
* RECEIVING REPORT FILE
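The three-way match test, worked as an added example (my own code, not the report's): constructed purchase order and receiving report master files plus a set of constructed test vendor invoices, each producing a predetermined list of exceptions that the auditor then compares with the AP application's own output for the same invoices.

```python
from decimal import Decimal

# Constructed test master files, keyed by purchase order number.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "V01", "item": "A100", "qty": 50, "unit_price": Decimal("12.00")},
    "PO-1002": {"vendor": "V02", "item": "B200", "qty": 10, "unit_price": Decimal("99.50")},
    "PO-1003": {"vendor": "V01", "item": "C300", "qty": 200, "unit_price": Decimal("1.25")},
}
RECEIVING_REPORTS = {
    "PO-1001": {"item": "A100", "qty_received": 50},
    "PO-1002": {"item": "B200", "qty_received": 8},   # short shipment
    # PO-1003: nothing received yet
}

# Constructed test vendor invoices the auditor feeds through the AP application.
TEST_INVOICES = [
    {"inv": "INV-1", "po": "PO-1001", "vendor": "V01", "qty": 50, "amount": Decimal("600.00")},
    {"inv": "INV-2", "po": "PO-1002", "vendor": "V02", "qty": 10, "amount": Decimal("995.00")},
    {"inv": "INV-3", "po": "PO-1003", "vendor": "V01", "qty": 200, "amount": Decimal("250.00")},
    {"inv": "INV-4", "po": "PO-9999", "vendor": "V03", "qty": 1, "amount": Decimal("10.00")},
    {"inv": "INV-5", "po": "PO-1001", "vendor": "V01", "qty": 50, "amount": Decimal("650.00")},
]

def three_way_match(invoice, pos, receipts, price_tolerance=Decimal("0.01")):
    """Match one invoice against its purchase order and receiving report.
    Returns the list of exceptions; an empty list means the invoice may be approved."""
    po = pos.get(invoice["po"])
    if po is None:
        return ["no purchase order on file"]
    exceptions = []
    if po["vendor"] != invoice["vendor"]:
        exceptions.append("vendor differs from purchase order")
    rr = receipts.get(invoice["po"])
    if rr is None:
        exceptions.append("no receiving report: goods not received")
    elif invoice["qty"] > rr["qty_received"]:
        exceptions.append(f"invoiced qty {invoice['qty']} exceeds received {rr['qty_received']}")
    if invoice["qty"] > po["qty"]:
        exceptions.append(f"invoiced qty {invoice['qty']} exceeds ordered {po['qty']}")
    expected = po["unit_price"] * invoice["qty"]
    if abs(invoice["amount"] - expected) > price_tolerance:
        exceptions.append(f"amount {invoice['amount']} differs from PO price {expected}")
    return exceptions

def run_match_test(invoices=TEST_INVOICES):
    """Predetermined results for every test invoice, to be compared with the application's output."""
    return {inv["inv"]: three_way_match(inv, PURCHASE_ORDERS, RECEIVING_REPORTS) for inv in invoices}
```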

TESTING MULTILEVEL SECURITY AND ACCESS PRIVILEGES IN THE PURCHASES/AP SYSTEMS
This test would involve creating several master files: purchase order file; inventory file;
receiving report file; and general ledger accounts for cash, inventory control and AP
control. The auditor would then log into the system under different roles and attempt to
perform tasks and access data that are not authorized for the various roles. Failure to
detect or prevent such attempts indicates a control weakness in the system.

TESTING ROUNDING ERROR ROUTINES IN FINANCIAL SYSTEMS
A rounding error is a mistake made when rounding a number up or down.
Salami Fraud/Salami Slicing
In the salami technique, cyber criminals steal money or resources a bit at a time. A bank
employee inserts a program into the bank's servers that deducts a small amount of
money from the account of every customer. No account holder will probably notice this
unauthorized debit, but the cyber criminal will make a sizable amount of money every
month.
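An added example (not from the original report) of a test of rounding error routines: the expected routine rounds each interest posting half-even and books the net remainder to a rounding control account; a constructed salami-style routine truncates every posting and sweeps the shavings into one account while totals still balance; the auditor's test exposes the latter only because it applies a per-account tolerance check rather than relying on a reconciliation of totals. Balances, rate and account names are constructed.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.003625")   # constructed: 4.35% p.a. / 12, exact in decimal

# Constructed test master file: account -> balance.
ACCOUNTS = {"A1": Decimal("1234.56"), "A2": Decimal("987.65"), "A3": Decimal("5000.10"),
            "A4": Decimal("42.42"), "A5": Decimal("31337.00")}

def exact_interest(balances, rate=MONTHLY_RATE):
    """Unrounded interest per account; the figure the postings are judged against."""
    return {acct: bal * rate for acct, bal in balances.items()}

def post_interest_correctly(balances, rate=MONTHLY_RATE):
    """Expected routine: round each posting half-even to the cent and book the net
    remainder to a rounding control account so the run still reconciles to the exact total."""
    exact = exact_interest(balances, rate)
    postings = {a: v.quantize(CENT, ROUND_HALF_EVEN) for a, v in exact.items()}
    remainder = sum(exact.values()) - sum(postings.values())
    postings["ROUNDING_CONTROL"] = remainder.quantize(CENT, ROUND_HALF_EVEN)
    return postings

def post_interest_salami(balances, rate=MONTHLY_RATE, target="A5"):
    """Constructed abusive routine, included only so the audit test has something to catch:
    truncate every posting and sweep the shavings into one account. Totals still balance."""
    exact = exact_interest(balances, rate)
    postings = {a: v.quantize(CENT, ROUND_DOWN) for a, v in exact.items()}
    shavings = sum(exact.values()) - sum(postings.values())
    postings[target] += shavings.quantize(CENT, ROUND_DOWN)
    postings["ROUNDING_CONTROL"] = Decimal("0.00")
    return postings

def audit_rounding(balances, postings, rate=MONTHLY_RATE, tolerance=Decimal("0.005")):
    """Auditor's test: (1) every customer posting lies within half a cent of its exact amount;
    (2) postings including the control account reconcile to the exact total. Test (1) is what
    exposes the salami routine; test (2) alone passes for both routines."""
    exact = exact_interest(balances, rate)
    findings = [f"{a}: posted {postings[a]} vs exact {v.quantize(Decimal('0.0001'))}"
                for a, v in exact.items() if abs(postings[a] - v) > tolerance]
    gap = sum(exact.values()) - sum(postings.values())
    if abs(gap) > tolerance:
        findings.append(f"postings do not reconcile to exact total (gap {gap})")
    return findings
```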
Internal Control Testing Techniques
BLACK BOX APPROACH
(also called auditing around the computer) does not require the auditor to create test
files or obtain a detailed knowledge of the application's internal logic. Instead, auditors
analyze flowcharts and interview knowledgeable personnel in the client's organization to
understand the functional characteristics of the application.
THROUGH-THE-COMPUTER APPROACHES
Through-the-computer testing employs computer-assisted audit tools and
techniques (CAATTs) and requires an in-depth understanding of the internal logic of
the application under review.
Key features of five CAATTs:
The test data method
Base case system evaluation
Tracing
Integrated test facility
Parallel simulation
TEST DATA METHOD
To employ this approach, the auditor requires detailed and current systems
documentation:
Program flowcharts that describe the application's internal logic and allow the auditor to
determine which logic branches to test.
Record layout diagrams that describe the structure of transaction and master files,
which will allow the auditor to create the test data.
BASE CASE SYSTEM EVALUATION
BCSE tests are conducted with a set of test transactions containing all possible
transaction types. These are processed through repeated iterations during systems
development testing until consistent and valid results are obtained. These validated
results become the base case. When subsequent changes to the application occur
during maintenance, their effects are evaluated by comparing current results with base
case results.
TRACING
Performs an electronic walk-through of the application's internal logic.
The tracing procedure involves three steps:
The application under review first undergoes a special process to activate the
trace feature.
Test data transactions are created.
The test data transactions are traced through all processing stages of the
program, and a listing is produced of all programmed instructions that were
executed during the test.
Advantages of Test Data Techniques
Helps the auditor learn how the system operates.
Usually fairly simple to operate.
Requires limited technical knowledge.
Disadvantages of Test Data Techniques
Auditors rely on the client's IT personnel to obtain a copy of the production
application under review.
Produces a static picture of application integrity at a single point in time.
High cost of implementation.

THE INTEGRATED TEST FACILITY (ITF)
The integrated test facility (ITF) approach is an automated, on-going technique that
enables the auditor to test an application's logic and controls during its normal
operations.
- Its purpose is to audit the AIS in an operational setting.

Advantages of ITF
Supports continuous monitoring of controls.
Applications can be economically tested without disrupting the user's operations and without the
intervention of computer services personnel.
It provides prima facie evidence of correct program functions.
Disadvantages of ITF
The potential for corrupting corporate databases with test data that may end up
in the financial reporting process.
PARALLEL SIMULATION
Involves creating a program that simulates key features or processes of the
application under review. The simulated application is then used to reprocess the same
transactions that the production application previously processed. The results obtained
from the simulation are reconciled with the results of the original production run to
determine if application processes and controls are functioning correctly.
Generalized Audit Software
An off-the-shelf package that can provide a means to gain access to and
interrogate data maintained on computer storage media.
One of the tools IT auditors utilize to obtain evidence directly on the quality of the
records produced and obtained by application systems.

Creating a Simulation Program
1. The auditor must first gain a thorough understanding of the application under
review. Constructing an accurate simulation requires complete and current
documentation.
2. The auditor must then identify those processes and controls in the application
that pertain to the audit objective. These are the processes to be simulated.
3. The auditor creates the simulation using special-purpose commercial software.
4. The auditor runs the simulation program using production transaction and
master files to produce a set of results.
5. Finally, the auditor reconciles the simulation results with the previously created production
results.
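The five steps above applied to the customer credit approval test described earlier, as an added example (my own code, not the report's): a simulation of the credit check reprocesses constructed sales orders against a constructed AR master file with credit limits and reconciles its decisions with the decisions the production application recorded. The credit rule (customer on file, not on credit hold, balance plus order within the credit limit) is an assumption, as are all names and figures.

```python
from decimal import Decimal

# Constructed test AR master file with credit limits (the auditor's master file).
AR_MASTER = {
    "C10": {"balance": Decimal("4000.00"), "credit_limit": Decimal("5000.00"), "on_hold": False},
    "C11": {"balance": Decimal("100.00"), "credit_limit": Decimal("1000.00"), "on_hold": True},
    "C12": {"balance": Decimal("0.00"), "credit_limit": Decimal("2500.00"), "on_hold": False},
}

# Constructed sales orders, in the sequence the production application processed them.
ORDERS = [
    {"order": "S1", "customer": "C10", "amount": Decimal("900.00")},
    {"order": "S2", "customer": "C10", "amount": Decimal("200.00")},   # over limit only after S1
    {"order": "S3", "customer": "C11", "amount": Decimal("50.00")},    # customer on credit hold
    {"order": "S4", "customer": "C12", "amount": Decimal("2500.00")},  # exactly at the limit
    {"order": "S5", "customer": "C99", "amount": Decimal("10.00")},    # customer not on file
]

# Constructed decisions recorded by the production run for the same orders.
PRODUCTION_DECISIONS = {"S1": "APPROVED", "S2": "REJECTED", "S3": "APPROVED",
                        "S4": "APPROVED", "S5": "REJECTED"}

def simulate_credit_check(order, master):
    """Simulated key process (assumed rule): approve only if the customer exists, is not on
    credit hold, and the open balance plus this order stays within the credit limit."""
    cust = master.get(order["customer"])
    if cust is None or cust["on_hold"]:
        return "REJECTED"
    return "APPROVED" if cust["balance"] + order["amount"] <= cust["credit_limit"] else "REJECTED"

def parallel_simulation(orders, master, production):
    """Reprocess the orders in sequence through the simulation, carrying approved amounts
    into the balance as the real application would, and reconcile with production."""
    working = {c: dict(v) for c, v in master.items()}   # do not mutate the master file
    exceptions = {}
    for o in orders:
        simulated = simulate_credit_check(o, working)
        if simulated == "APPROVED":
            working[o["customer"]]["balance"] += o["amount"]
        actual = production.get(o["order"], "MISSING")
        if simulated != actual:
            exceptions[o["order"]] = {"simulated": simulated, "production": actual}
    return exceptions
```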
Substantive Testing Techniques
An audit procedure that examines the financial statements and supporting
documentation to see if they contain errors.

These include, but are not limited to:
1. Determining the correct value of inventory.
2. Determining the accuracy of prepayments and accruals.
3. Confirming accounts receivable with customers.
4. Searching for unrecorded liabilities.

Embedded Audit Module
A technique that uses one or more programmed modules embedded in the host application to
select transactions that meet predetermined conditions.
Programmed routines incorporated into an application program that are designed to
perform an audit function such as a calculation or logging activity.

Disadvantage of EAM
Operational efficiency
- EAMs decrease operational performance.

Verifying EAM Integrity
- The integrity of the EAM directly affects the quality of the audit process.
Generalized Audit Software
Widely used CAATT for IT auditing.
Allows auditors to access digital data files and perform various operations on the
contents.
Examples: ACL and IDEA.

AUDIT TASKS THAT CAN BE PERFORMED USING GAS
1. Footing and balancing entire files or selected data items.
2. Selecting and reporting detailed data contained on files.
3. Selecting stratified statistical samples from the data files.
4. Formatting results of tests into reports.
5. Printing confirmations in either standardized or special wording.
6. Screening data and selectively including or excluding items.
7. Comparing two files and identifying any differences.
8. Recalculating data files.

Four factors:
GAS languages are easy to use and require little background on the part of the
auditor.
GAS may be used on any type of computer because it is hardware independent.
Auditors can perform their tests on data independent of client IT professionals.
GAS can be used to audit the data files of many different applications.

USING GAS TO ACCESS SIMPLE STRUCTURES

USING GAS TO ACCESS COMPLEX STRUCTURES
