Accounting 503 AUDITING APPLICATION CONTROLS

The IS auditor’s tasks include the following:

- Identifying the significant application components and the flow of information through the system, and gaining a detailed understanding of the application by reviewing the available documentation and interviewing appropriate personnel.
- Identifying the application control strengths and evaluating the impact of the control weaknesses, by analyzing the accumulated information, in order to develop a testing strategy.
- Reviewing application system documentation to gain an understanding of the functionality of the application. In many cases (mainly in large systems or packaged software) it is not feasible to review the whole application documentation, so a selective review should be performed. If an application is vendor supplied, the technical and user manuals should be reviewed. Any changes to applications should be documented properly.

The following documentation should be reviewed to gain an understanding of an application’s development:

- SYSTEM DEVELOPMENT METHODOLOGY DOCUMENTS - these documents include the cost-benefit analysis and user requirements.
- FUNCTIONAL DESIGN SPECIFICATIONS - this document provides a detailed explanation of the application. Key control points should be noted during review of the design specifications.
- PROGRAM CHANGES - documentation of any program change should be available for review. Any change should provide evidence of authorization and should be cross-referenced to source code.
- USER MANUALS - a review of the user manuals provides the foundation for understanding how the user is utilizing the application. Control weaknesses can often be noted from the review of this document.
- TECHNICAL REFERENCE DOCUMENTATION - this documentation includes any vendor-supplied technical manuals for purchased applications, in addition to any in-house documentation. Access rules and logic are usually included in these documents.
A. FLOW OF TRANSACTIONS THROUGH THE SYSTEM
A transaction flowchart provides information regarding key processing controls. Points where transactions are
entered, processed and posted should be reviewed for control weaknesses.
B. OBSERVING AND TESTING USERS PERFORMING PROCEDURES
Some of the user procedures that should be observed and tested include:
- Segregation of duties - ensures that no individual has the capability of performing more than one of the following processes: origination, authorization, verification or distribution. Observation, review of job descriptions, and review of authorization levels and procedures may provide information regarding the existence and enforcement of segregation of duties.
- Authorization of input - evidence of input authorization can be achieved via written authorization on input documents or with the use of unique passwords. One may test this by looking through a sample of input documents for proper authorization or by reviewing computer-access rules.
- Balancing - performed to verify that run-to-run totals and other application totals are reconciled on a timely basis. This may be tested by performing an independent balancing or by reviewing past reconciliations.
- Error control and correction - in the form of reports that provide evidence of appropriate review, research, timely correction and resubmission. Managerial review and authorization of corrections should be evidenced. Testing of this effort can be achieved by retabulating or reviewing past error corrections.
- Distribution of reports - critical output reports should be produced and maintained in a secure area and distributed in an authorized manner. The distribution process can be tested by observation and by review of distribution output logs. Access to online output reports should be restricted. Online access may be tested through a review of the access rules or by monitoring user output.
- Review and testing of access authorization and capabilities - access control tables provide information regarding access levels by individual. Access should be based on job descriptions and should provide for segregation of duties. Testing can be performed through review of the access rules to ensure that access has been granted as management intended.

- Activity reports - provide details, by user, of activity volume and hours. Activity reports should be reviewed to ensure that activity occurs only during authorized hours of operation.
- Violation reports - indicate any unsuccessful and unauthorized access attempts. Violation reports should indicate the terminal location, date and time of the attempted access. Repeated unauthorized access violations may indicate attempts to circumvent access controls. Testing may include review of follow-up activities.
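The activity and violation reports described above can be produced from an application's access log. The following is an added example, not part of the original notes: it parses a few constructed log lines (the record layout, the 07:00-19:00 authorized window and the repeat threshold of three failures are all assumptions for the example), lists activity volume and hours per user, flags events outside authorized hours, and lists failed access attempts with terminal, date and time, grouping repeated failures from the same user and terminal for follow-up.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample access-log lines (not from any real system). The field
# layout (timestamp, user, terminal, action, outcome) is assumed for the example.
SAMPLE_LOG = """\
2024-03-04 08:15:02 user=alice terminal=T01 action=LOGIN outcome=SUCCESS
2024-03-04 09:40:11 user=bob terminal=T02 action=LOGIN outcome=SUCCESS
2024-03-04 22:05:43 user=bob terminal=T02 action=LOGIN outcome=SUCCESS
2024-03-04 10:02:00 user=carol terminal=T07 action=LOGIN outcome=FAILURE
2024-03-04 10:02:31 user=carol terminal=T07 action=LOGIN outcome=FAILURE
2024-03-04 10:03:05 user=carol terminal=T07 action=LOGIN outcome=FAILURE
2024-03-04 11:30:00 user=alice terminal=T01 action=OPEN_REPORT outcome=SUCCESS
2024-03-05 03:12:09 user=dave terminal=T09 action=LOGIN outcome=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) terminal=(?P<terminal>\S+) "
    r"action=(?P<action>\S+) outcome=(?P<outcome>\S+)$"
)

# Authorized hours of operation assumed for the example: 07:00 up to 19:00.
AUTHORIZED_START_HOUR = 7
AUTHORIZED_END_HOUR = 19
# Number of failures from one user/terminal pair that warrants follow-up (assumed).
REPEAT_THRESHOLD = 3


def parse_log(text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def activity_report(events):
    """Activity volume and hours per user, plus events outside authorized hours."""
    volume = Counter(e["user"] for e in events)
    hours = defaultdict(set)
    outside = []
    for e in events:
        hours[e["user"]].add(e["ts"].hour)
        if not (AUTHORIZED_START_HOUR <= e["ts"].hour < AUTHORIZED_END_HOUR):
            outside.append((e["user"], e["terminal"], e["ts"].strftime("%Y-%m-%d %H:%M:%S")))
    return {
        "volume": dict(volume),
        "hours": {user: sorted(h) for user, h in hours.items()},
        "outside_hours": outside,
    }


def violation_report(events):
    """Failed access attempts (user, terminal, date and time) and the
    user/terminal pairs whose repeated failures merit follow-up."""
    failures = [e for e in events if e["outcome"] == "FAILURE"]
    attempts = [(e["user"], e["terminal"], e["ts"].strftime("%Y-%m-%d %H:%M:%S")) for e in failures]
    counts = Counter((e["user"], e["terminal"]) for e in failures)
    repeated = {pair: n for pair, n in counts.items() if n >= REPEAT_THRESHOLD}
    return {"attempts": attempts, "repeated": repeated}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(activity_report(evs))
    print(violation_report(evs))
```

In the sample data, bob's 22:05 login and dave's 03:12 login fall outside the authorized window, and carol's three consecutive failures on terminal T07 are reported as a repeated-violation pattern that should be traced to the follow-up records the notes call for.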
C. DATA INTEGRITY TESTING
Data integrity testing is a set of substantive tests that examines accuracy, completeness, consistency and
authorization of data presently held in a system. It employs testing similar to that used for input control. Data
integrity tests will indicate failures in input or processing controls. Controls for ensuring the integrity of
accumulated data in a file can be exercised by regularly checking data in the file. When this checking is done
against authorized source documentation, it is common to check only a portion of the file at a time. Since the
whole file is regularly checked in cycles, the control technique is often referred to as cyclical checking.

Two common types of data integrity tests are relational and referential integrity tests:
- RELATIONAL INTEGRITY TESTS - performed at the data element and record-based levels. Relational integrity is enforced through data validation routines built into the application, or by defining the input condition constraints and data characteristics in the table definition at the database stage. Sometimes it is a combination of both.
- REFERENTIAL INTEGRITY TESTS - define existence relationships between entities in different tables of a database that need to be maintained by the DBMS. Referential integrity is required for maintaining interrelation integrity in the relational data model. Whenever two or more relations are related through referential constraints (primary and foreign key), it is necessary that references be kept consistent in the event of insertions, deletions and updates to these relations.
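To show both kinds of test side by side, here is an added example (not from the original notes) using Python's built-in sqlite3 module. The customers/invoices schema and rows are constructed for the example. Relational integrity is defined at the table definition through NOT NULL and CHECK constraints, referential integrity through a FOREIGN KEY; the DBMS then rejects a negative amount, an invoice for a non-existent customer, and the deletion of a customer who still has invoices. The two auditor-side queries then re-test the file contents independently of those constraints, which is what catches a row that was loaded while enforcement was switched off.

```python
import sqlite3


def build_db():
    """In-memory database whose table definitions enforce relational integrity
    (NOT NULL, CHECK) and referential integrity (FOREIGN KEY). Schema and rows
    are constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when enabled
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            name        TEXT NOT NULL
        );
        CREATE TABLE invoices (
            invoice_id  INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            amount      NUMERIC NOT NULL CHECK (amount > 0),
            status      TEXT NOT NULL CHECK (status IN ('OPEN', 'PAID', 'VOID'))
        );
        INSERT INTO customers VALUES (1, 'Acme Ltd'), (2, 'Globex');
        INSERT INTO invoices VALUES (100, 1, 250.00, 'OPEN'), (101, 2, 80.50, 'PAID');
    """)
    return conn


def try_statement(conn, sql, params):
    """Return True if the DBMS accepted the statement, False if a constraint rejected it."""
    try:
        with conn:
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def relational_integrity_exceptions(conn):
    """Auditor-side relational integrity test at the data-element level:
    invoices whose fields violate the stated business rules."""
    rows = conn.execute(
        "SELECT invoice_id FROM invoices "
        "WHERE amount IS NULL OR amount <= 0 "
        "OR status NOT IN ('OPEN', 'PAID', 'VOID')"
    ).fetchall()
    return [r[0] for r in rows]


def referential_integrity_exceptions(conn):
    """Auditor-side referential integrity test: invoices whose customer_id
    has no matching customer row (orphan foreign keys)."""
    rows = conn.execute(
        "SELECT i.invoice_id FROM invoices i "
        "LEFT JOIN customers c ON c.customer_id = i.customer_id "
        "WHERE c.customer_id IS NULL"
    ).fetchall()
    return [r[0] for r in rows]


def run_demo():
    conn = build_db()
    insert = "INSERT INTO invoices VALUES (?, ?, ?, ?)"
    results = {
        # CHECK (amount > 0) rejects this row: relational integrity
        "negative_amount_accepted": try_statement(conn, insert, (102, 1, -5, "OPEN")),
        # customer 99 does not exist, so the FOREIGN KEY rejects it: referential integrity
        "orphan_invoice_accepted": try_statement(conn, insert, (103, 99, 10, "OPEN")),
        # customer 1 is still referenced by invoice 100, so the delete is rejected
        "referenced_delete_accepted": try_statement(
            conn, "DELETE FROM customers WHERE customer_id = ?", (1,)),
    }
    # Simulate a legacy load performed with enforcement switched off, then run
    # the auditor's own tests over the file as it now stands.
    conn.execute("PRAGMA foreign_keys = OFF")
    conn.execute("INSERT INTO invoices VALUES (104, 42, 15.00, 'OPEN')")  # orphan row
    conn.commit()
    results["relational_exceptions"] = relational_integrity_exceptions(conn)
    results["referential_exceptions"] = referential_integrity_exceptions(conn)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the last two queries is the cyclical-checking idea above: the constraints protect the file going forward, but only an independent pass over the data already held will reveal records that entered before the constraints existed or while they were disabled.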
D. TEST APPLICATION SYSTEMS
Testing the effectiveness of application controls involves analyzing computer application programs, testing
computer application program controls, or selecting and monitoring data process transactions. Testing controls
by applying appropriate audit procedures is important to ensure their functionality and effectiveness.

To facilitate the evaluation of application system tests, an IS auditor may also want to use generalized audit software (GAS), also known as computer-assisted audit tools (CAATs). This is particularly useful when specific application control weaknesses are discovered that affect, for example, updates to master file records and certain error conditions on specific transaction records. Additionally, GAS can be used to perform certain application control tests, such as parallel simulation, by comparing expected outcomes to live data.
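Parallel simulation, as the paragraph describes it, means re-processing live data through the auditor's own independent implementation of the application's logic and comparing the two sets of results. The following is an added illustration, not code from the original notes: the tier-based discount rule, the record layout and the live output records are all constructed for the example, with one record deliberately carrying a discount that the simulation will not reproduce.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed live output of the application under review (assumed record
# layout): the discount it actually applied to each order.
LIVE_OUTPUT = [
    {"order_id": "A1", "gross": Decimal("1000.00"), "customer_tier": "GOLD",     "discount": Decimal("100.00")},
    {"order_id": "A2", "gross": Decimal("250.00"),  "customer_tier": "STANDARD", "discount": Decimal("0.00")},
    {"order_id": "A3", "gross": Decimal("600.00"),  "customer_tier": "SILVER",   "discount": Decimal("30.00")},
    {"order_id": "A4", "gross": Decimal("2000.00"), "customer_tier": "GOLD",     "discount": Decimal("150.00")},
    {"order_id": "A5", "gross": Decimal("80.00"),   "customer_tier": "GOLD",     "discount": Decimal("8.00")},
]

# Business rule taken from the (assumed) functional design specification:
# GOLD receives 10%, SILVER 5%, STANDARD nothing, rounded half-up to the cent.
TIER_RATES = {"GOLD": Decimal("0.10"), "SILVER": Decimal("0.05"), "STANDARD": Decimal("0")}


def simulated_discount(gross, tier):
    """The auditor's independent re-implementation of the application's logic."""
    rate = TIER_RATES.get(tier)
    if rate is None:
        raise ValueError(f"unknown customer tier {tier!r}")
    return (gross * rate).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(records):
    """Re-process every live record through the simulation and list the
    exceptions where the application's output differs from the expected value."""
    exceptions = []
    for rec in records:
        expected = simulated_discount(rec["gross"], rec["customer_tier"])
        if expected != rec["discount"]:
            exceptions.append({
                "order_id": rec["order_id"],
                "live": rec["discount"],
                "expected": expected,
                "difference": rec["discount"] - expected,
            })
    return exceptions


def control_totals(records):
    """Run totals of live versus simulated discounts, for the balancing check
    an auditor would reconcile alongside the item-level exceptions."""
    live_total = sum((r["discount"] for r in records), Decimal("0"))
    expected_total = sum((simulated_discount(r["gross"], r["customer_tier"]) for r in records), Decimal("0"))
    return live_total, expected_total


if __name__ == "__main__":
    for ex in parallel_simulation(LIVE_OUTPUT):
        print(ex)
    print(control_totals(LIVE_OUTPUT))
```

Using Decimal rather than floating point keeps the comparison exact, which matters because a parallel simulation reports every difference, and rounding noise would bury the one exception (order A4, understated by 50.00) that actually points to a processing control failure.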

Test data:
- Test data: test transactions go through real programs
- Integrated test facilities: create test transactions to include with live data
- Embedded audit data: selects random or statistically distributed input transactions and generates logs during production
Debugging/processing:
- Mapping: identifies specific program logic that has not been tested
- Tracing and tagging: a trace shows the trail of instructions executed; a tag places indicators on selected transactions
- Snapshot: records the flow of designated transactions through logic paths
Validation systems:
- Parallel simulation: uses programs that simulate application program logic
- Parallel operation: runs the new and old production data processing systems and compares results
E. ONLINE AUDITING TECHNIQUES
- Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM): embedding specifically written audit software in the organization's host application system
- Snapshots: pictures of the processes' path
- Audit hooks: embedding hooks in applications

- Integrated Test Facility (ITF): dummy entries are set up and included in the auditor's production file

F. Continuous Online Auditing enables auditors to test the system without disrupting a company’s regular
operation.

Audit hooks are software logic embedded into the application, which print error reports of red flags, enabling auditors to act and catch errors early, before they become problems.

TESTING APPLICATION SYSTEMS

Analyzing computer programs (technique, description, advantages, disadvantages):

Snapshot
Description: records the flow of designated transactions through logic paths within programs
Advantages: verifies program logic
Disadvantages: requires extensive knowledge of the IS environment

Mapping
Description: identifies specific program logic that has not been tested, and analyzes programs during execution to indicate whether program statements have been executed
Advantages: increases efficiency by identifying unused code; identifies potential exposures
Disadvantages: cost of software

Tracing and tagging
Description: tracing shows the trail of instructions executed during an application. Tagging involves placing an indicator on selected transactions at input and using tracing to track them
Advantages: provides an exact picture of the sequence of events, and is effective with live and simulated transactions
Disadvantages: requires extensive amounts of computer time, an intimate knowledge of the application program, and additional programming to execute trace routines

Test data/deck
Description: simulates transactions through the real program
Advantages: may use actual master files or dummies; source code review is unnecessary; can be used on a surprise basis; provides objective review and verification of program controls and edits; initial use can be limited to specific program functions, minimizing scope and complexity; requires minimum knowledge of the IS environment
Disadvantages: difficult to ensure that the proper program is checked; risk of not including all transaction scenarios; requires good knowledge of application systems; does not test master file and master file records

Base-case system evaluation
Description: uses test data sets developed as part of comprehensive testing of programs; verifies correct system operations before acceptance, as well as periodic revalidation
Advantages: comprehensive testing verification and compliance testing
Disadvantages: extensive effort to maintain data sets; close cooperation is required among all parties

Parallel operation
Description: processes actual production data through existing and newly developed programs at the same time and compares results; used to verify changed production prior to replacing existing procedures
Advantages: verifies the new system before discounting the old one
Disadvantages: added processing costs

Integrated test facilities
Description: creates a fictitious file in the database with test transactions processed simultaneously with live data
Advantages: periodic testing does not require a separate test process
Disadvantages: need for careful planning; need to isolate test data from production data

Parallel simulation
Description: processes production data using computer programs that simulate application program logic
Advantages: eliminates the need to prepare test data
Disadvantages: programs must be developed

Transaction selection programs
Description: uses audit software to screen and select transactions input to the regular production cycle
Advantages: independent of the production system; controlled by the auditor; requires no modification to production systems
Disadvantages: cost of development and maintenance