Deck 17: IT Controls Part III: Systems Development, Program Changes, Application Controls

Question
Which of the following is NOT a common type of through-the-computer tests of controls?

A) Inference tests
B) Redundancy tests
C) Completeness tests
D) Validity tests
E) All of the above are through-the-computer tests
Question
Tracing is a technique that:
a. reviews interest calculations to identify a salami fraud.
b. allows test data to be merged with production data and traces the effects in the database.
c. performs an electronic walk through of computed logic.
d. none of the above
Question
Which of the following statements about the ITF technique for testing is NOT correct?

A) Applications may be tested directly without being removed from service.
B) ITF supports continuous monitoring of controls.
C) ITF has the potential to corrupt corporate databases.
D) During normal operations, test transactions are merged into the input stream of regular (production) transactions.
E) All of the above are correct statements.
Question
What is an embedded audit module?
Question
COMPUTER FRAUD AND CONTROLS
For many organizations, the security threat from external penetration is significant; however, many fraud threats are internal. These include (1) data input alteration, (2) program alteration, (3) file alteration, (4) data theft, and (5) sabotage.
Required
Explain how each of these five types of frauds is committed. Also, identify a method of protection against each without using the same protection method for more than one type of fraud. Use the following format.
Question
RISK IDENTIFICATION AND PLAN OF ACTION
The internal auditors of Brown Electrical Company report to the controller. Because of changes made in the past year to several of the transaction processing programs, the internal auditors created a new test data set. The external auditors requested that the old data set also be run. The internal auditors, embarrassed, explained that they overwrote the original test data set.
Required
Outline any potential risks, and determine the courses of action the external auditor should take.
Question
COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATTS)
Required
a. Explain the advantages of using GAS to assist with IT audits, and give five examples of how it may be used.
b. Describe the audit purpose facilitated and the procedural steps to be followed when using the following CAATTs.
1. ITF
2. EAM
3. parallel simulation
Question
Explain what GAS is and why it is so popular with larger public accounting firms. Discuss the independence issue related to GAS.
Question
Explain how program testing is conducted, and explain the importance of test data.
Question
Give one example of an error that a check digit control detects.
Question
Why should programs undergoing maintenance be renamed?
Question
Name the general categories of IT application control tests that auditors design.
Question
What are user test and acceptance procedures?
Question
Discuss the problem associated with creating test data and how it can be alleviated.
Question
Explain how an embedded audit module works.
Question
What is the purpose of a range check?
Question
Which of the following is NOT an SDLC controllable activity?

A) User specification
B) Systems authorization
C) User test and acceptance procedures
D) External audit participation
E) All are SDLC controls
Question
Which of the following is NOT a test for identifying application control errors?

A) Access tests
B) User acceptance tests
C) Field tests
D) Range tests
E) All of the above
Question
AUDIT OF SYSTEMS DEVELOPMENT
The Balcar Company's external auditors are developing an audit plan to review the company's systems development procedures. Their audit objectives are to ensure that
1. the system was judged necessary and justified at various checkpoints throughout the SDLC.
2. systems development activities are applied consistently and in accordance with management's policies to all systems development projects.
3. the system as originally implemented was free from material errors and fraud.
4. system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
The following six controllable activities have been identified as sources of audit evidence for meeting these objectives: systems authorization, user specification, technical design, internal audit participation, program testing, and user testing and acceptance.
Required
a. Explain the importance of each of the six activities in promoting effective control.
b. Outline the tests of controls that the auditor would perform in meeting audit objectives.
Question
What is a reasonableness test?
Question
AUDIT PLAN
The CPA firm of True, Blue, and Smith (TBS) has taken on a new audit client. The TBS partner in charge of the audit has concerns in the following areas: system access and security; systems development and program changes; and organization of the IT function.
Required
Outline an audit plan that specifies audit objective and procedures needed to test controls in the areas of concern.
Question
SYSTEMS DEVELOPMENT AND PROGRAM CHANGES
Winston Financial Services (WFS), located in Parsippany, NJ, provides financial advice to small and mid-sized businesses. Its primary operations are in portfolio management and financial services for clients in the health care industry. Each client has general business and financial information stored on servers in the main office in Parsippany. Client investment information is stored on a separate server in their Tulsa, Oklahoma data center. This includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities.
WFS had purchased specialized asset management software called VIEW, which allows the company to run analytics on client portfolios and to run simulations of market trends. The customization and implementation of VIEW was performed by a team of IT professionals from the consulting firm of Cutting Edge Solutions (CES).
The contract with CES required them to train a WFS employee to maintain VIEW after the implementation. For this purpose, WFS selected a programmer from their systems maintenance group who was subsequently trained in VIEW's proprietary language and all of its functionality and controls.
Two years after the implementation of VIEW, WFS management is now considering investing in a significant custom upgrade to the system. Furthermore, since their contract with CES has expired, they have decided to assign the upgrade task to their in-house maintenance programmer who had been trained in VIEW by CES. Once the project is completed, the programmer will be redeployed to the maintenance group. This is viewed by the WFS management team to be the most feasible and economic approach.
Required
a. Discuss the risks associated with this systems development approach.
b. What control weaknesses are apparent in this approach?
Question
What is a program version number?
Question
Why are user specification activities important?
Question
Why are program change procedures important to auditors?
Question
Compare and contrast the following techniques based on costs and benefits:
• test data method
• base case system evaluation
• tracing
• integrated test facility
• parallel simulation
Question
What are rounding error routines, and why are they used?
Question
Why is reliance on the client IT staff to provide a copy of the production application a potential risk?
Question
PAYROLL APPLICATION CONTROL
Using this supplemental information, analyze the flowchart in the diagram for Problem 12.
• The personnel department determines the wage rate of all employees. To start the process, the personnel department sends the payroll coordinator, George Jones, an authorization form to add an employee to the payroll. After Jones enters this information into the system, the computer automatically determines the overtime and shift differential rates for the individual, updating the payroll master files.
• Employees use a time clock to record the hours worked. Every Monday morning, George Jones collects the previous week's timecards and begins the computerized processing of payroll information to produce paychecks the following Friday. Jones then reviews the timecards to ensure that the hours worked are correctly totaled; the system determines overtime and/or any shift differential.
• Jones performs all other processes displayed on the flowchart. The system automatically assigns a sequential number to each payroll check produced. The check stocks are stored in a box next to the computer printer to provide immediate access. After the checks are printed, an automatic check signing machine signs them with an authorized signature plate that Jones keeps locked in a safe.
After the check processing is completed, Jones distributes the checks to the employees, leaving the checks for the second- and third-shift employees with the appropriate shift supervisor. Jones then notifies the data processing department that he is finished with his weekly processing, and data processing makes a backup of the payroll master for storage in the computer room.
Required
Identify and describe:
a. areas in the payroll processing system in which the internal controls are inadequate.
b. two areas in the payroll system in which the system controls are satisfactory.
Question
Which of the following statements is NOT correct?

A) Executing a production application requires that the source code be compiled and linked to a load module.
B) As a practical matter, programs in their compiled state are secure and free from the threat of unauthorized modification.
C) Application logic changes may be made directly to the load module.
D) Once the application is compiled, the source code is not needed to run the application.
E) All of the above are correct statements.
Question
Which of the following statements about the GAS techniques for substantive testing is NOT correct?

A) GAS captures data during processing without removing the application from service.
B) GAS languages are easy to use and require little IT background.
C) GAS techniques are limited to use with flat files and relational database tables.
D) Complex file structures need to be flattened before they can be read by GAS.
E) All of the above are correct statements.
Question
What tests may be conducted for identifying unauthorized program changes?
Question
AUDIT PLAN
The auditors for Golden Gate Company have a gut feeling that liabilities may be unrecorded. Their initial suspicions stem from a radical decline in accrued liabilities from last year. Golden Gate's records are all computerized.
Required
Devise a plan to search the data files to perform a substantive test for identifying unrecorded liabilities.
Question
AUDIT OBJECTIVES AND PROCEDURES
You are conducting substantive tests on the accounts receivable file to verify its accuracy. The file is large, and you decide to sample test the records in it. Because of the complexity of the database structure, you cannot access it directly. The client's systems programmer writes a special application that produces a flat file, which he provides for testing purposes.
Required
Discuss any concerns you would have as an auditor and any actions you would take.
Question
What risks, if any, are associated with reliance on client IT personnel to provide the auditor with flat files from complex data structures?
Question
What is the role of the internal auditor in systems development?
Question
What is the importance of the SPL?
Question
ANNOUNCING A NEW INFORMATION SYSTEM
The AJAX Company is considering implementing a new accounting system, which will automate sales processing, cash receipts, accounts payable, and cash disbursement procedures. Roger Moore, AJAX's CIO, sent an announcement letter to the AJAX community. In the letter Moore said: "I have contracted with Spartan Consulting Group to do the needs analysis, system selection, and design work. The programming and implementation will be performed in-house using existing IT department staff. The development process will be unobtrusive to user departments because Spartan knows what needs to be done. They will work independently, in the background, and will not disrupt departmental and internal audit work flow with time-consuming interviews, surveys, and questionnaires. This promises to be an efficient process that will produce a system appreciated by all users."
Required
Draft a memo from George Jones, Director of Internal Audits in response to Moore's letter.
Question
How does the salami fraud get its name, and how does it work?
Question
The systems development life cycle is a methodology. Why are auditors responsible for evaluating the controls in this process?
Question
What tests may be conducted for identifying application errors?
Question
Discuss how a controlled SPL environment can help to deter unauthorized changes to programs. Can the use of maintenance commands mitigate these controls?
Question
Which of the following statements is NOT correct?

A) EAMs have the potential to corrupt corporate databases.
B) EAMs support continuous monitoring of controls.
C) EAMs capture transactions during processing without removing the application from service.
D) EAMs decrease operational performance.
E) All of the above are correct statements.
Question
Which of the following is NOT an SDLC control issue during an audit?

A) User and computer services management properly authorized the project.
B) A preliminary feasibility study showed that the project had merit.
C) A cost-benefit analysis was conducted using reasonably accurate values.
D) The detailed design was an appropriate and accurate solution to the user's problem.
E) All of the above are specific points for review.
Question
PROBLEMS VS SYMPTOMS
Being able to distinguish between a symptom and a problem is an important analysis skill. Classify each of the following as a problem or a symptom. If it is a symptom, give two examples of a possible underlying problem. If it is a problem, give two examples of a possible symptom that may be detected.
a. declining profits
b. defective production process
c. low-quality raw materials
d. shortfall in cash balance
e. declining market share
f. shortage of employees in the accounts payable department
g. shortage of raw material due to a drought in the Midwest
h. inadequately trained workers
i. decreasing customer satisfaction
Question
Which of the following statements about test data techniques for testing application controls are NOT correct?

A) Applications may be tested directly without being removed from service.
B) The test provides only a static picture of application integrity.
C) Implementing the test is costly and labor intensive.
D) The test provides explicit evidence of application functions.
E) All of the above are correct statements.
Question
RISK IDENTIFICATION AND PLAN OF ACTION
Two years ago, an external auditing firm supervised the programming of embedded audit modules for Pre-vits Office Equipment Company. During the audit process this year, the external auditors requested that a transaction log of all transactions be copied to the audit file. The external auditors noticed large gaps in dates and times for transactions being copied to the audit file. When they inquired about this, they were informed that increased processing of transactions had been burdening the mainframe system and that operators frequently had to turn off the EAM to allow the processing of important transactions in a timely fashion. In addition, much maintenance had been performed during the past year on the application programs.
Required
Outline any potential exposures, and determine the courses of action the external auditors should use to proceed.
Question
RISK IDENTIFICATION AND PLAN OF ACTION
As the manager of the external audit team, you realize that the embedded audit module writes material invoices only to the audit file for the accounts receivable confirmation process. You are immediately concerned that the accounts receivable account may be substantially overstated this year and for the prior years in which this EAM was used.
Required
Explain why you are concerned because all "material" invoices are candidates for confirmation by the customer. Outline a plan for determining if the accounts receivable are overstated.
Question
What does auditing around the computer mean versus auditing through the computer? Why is this so important?
Question
DESIGN TESTS OF APPLICATION CONTROLS
Required
Describe the test data (transaction files and master files) the auditor would create, and the tests that an auditor would perform, to evaluate the accuracy of inventory receipts in the receiving department. Assume the following:
• The receiving clerk records receipts from a terminal in the receiving department.
• Inventory is automatically updated by an integrated system.
• The auditor has a current copy of the application and documentation.
Use the examples of tests of IT controls in this chapter as a basis for your responses.
Question
What is the purpose of program testing in the SDLC?
Question
What functions does the SPLMS control?
Question
SPL RISKS AND CONTROLS
Orben Manufacturing Company has an in-house IT department that incurs a high volume of new development and program maintenance projects. To efficiently manage the workload, the director of IT has combined the systems development and maintenance functions into a single department. This allows the programmers of new applications to also maintain those applications. The immediate effect has been an increase in the work flow by reducing the startup time needed by programmers to become familiar with the systems being modified. It also reduces the time spent on system documentation. Since the designer and the maintenance programmer are the same person, highly detailed and standardized documentation is not needed. To achieve cross training, programmers also maintain applications programmed by other IT personnel. This has resulted in an "open" library policy that allows programmers to access any program stored in the SPL. Programmers download the application undergoing maintenance to their personal computers, perform the necessary maintenance, and then restore the application to the SPL under its original name.
Required
a. Comment on the trade-off between efficiency and control as it pertains to this situation.
b. Discuss the risk potential related to Orben Manufacturing's program change procedures.
c. Discuss the controls that would reduce the risks described in (b) above.
Question
List the six systems development controls the chapter addresses. List the two systems maintenance controls.
Question
Discuss the black box approach, and explain how it is different from through-the-computer approaches to testing application controls.
Question
What factors do you think might cause an auditing team to spend more time than average on tests to identify application errors? For unauthorized program changes?
Question
What are the through-the-computer techniques?
Question
What types of output would be considered extremely sensitive in a university setting? Give three examples, and explain why the information would be considered sensitive. Discuss who should and should not have access to each type of information.
1
Which of the following is NOT a common type of through-the-computer tests of controls?

A) Inference tests
B) Redundancy tests
C) Completeness tests
D) Validity tests
E) All of the above are through-the-computer tests
Through-the-computer tests of controls:
In auditing through the computer, the auditor thoroughly studies the audit history to understand the internal functioning of the application. The access test, completeness test, validity test, redundancy test, accuracy test and audit trail test are the valid tests of the through-the-computer technique.
The inference test is not a test of the audit-through-the-computer method. Hence, the correct option is (a).
Explanation of incorrect options:
• The Redundancy Test checks whether the program processes each record only once. Hence, option 'b' is incorrect.
• The Completeness Test is used to check for omitted data in a document or file. Hence, option 'c' is incorrect.
• The Validity Test is used to check whether the output of a calculation is correct. Hence, option 'd' is incorrect.
2
Tracing is a technique that:
a. reviews interest calculations to identify a salami fraud.
b. allows test data to be merged with production data and traces the effects in the database.
c. performs an electronic walk through of computed logic.
d. none of the above
Tracing:
Tracing is a technique that is primarily used to accomplish an electronic walk-through of the application's internal logic. Tracing includes the following:
• The system under evaluation must submit to a special accumulation to trigger the trace selection.
• Particular transactions are created as test data out of a lot of transactions.
• The test data transactions are marked out through all phases of the system, and the result is recorded.
Hence, the correct option is (c).
Explanation for incorrect options:
• Rounding error/salami tests are the tests that validate the correctness of rounding procedures to check for salami fraud. Hence, option 'a' is incorrect.
• The integrated test facility (ITF) approach is a programmed method that allows the auditor to check the system's logic and controls during its normal operation. Hence, option 'b' is incorrect.
• As one of the given options is true, option 'd' is incorrect.
3
Which of the following statements about the ITF technique for testing is NOT correct?

A) Applications may be tested directly without being removed from service.
B) ITF supports continuous monitoring of controls.
C) ITF has the potential to corrupt corporate databases.
D) During normal operations, test transactions are merged into the input stream of regular (production) transactions.
E) All of the above are correct statements.
Integrated Test Facility
• The Integrated Test Facility (ITF) technique is used to avoid the test data problem. Here the auditor does not depend on the system experts of the organization.
• It creates its own test module and tests it, which makes it possible to verify the working functionality of the system.
• It increases the productivity and consistency of the system. The system is tested while it is running, without being removed from service. ITF continuously observes the system and the controls.
• During normal operation, the input transactions are combined into the input stream of production transactions and executed against bogus files of the database.
• The drawback of the ITF technique is that it is capable of corrupting the company database.
Hence, the correct option is
Consider the following options:
• ITF produces its own test module and checks it. It allows the auditor to test the application while it is in service. As the statement in option 'a' is true, this option is incorrect.
• It increases the efficiency and steadiness of the system. The system is tested while it is running, without being removed from service. ITF continuously observes the system and the controls. As the statement in option 'b' is true, this option is incorrect.
• The shortcoming of the ITF method is that it is capable of degrading the company database. As the statement in option 'c' is true, this option is incorrect.
• During normal operation, the input transactions are combined into the input stream of production transactions and executed against fake files of the database. As the statement in option 'd' is true, this option is incorrect.
4
What is an embedded audit module?
5
COMPUTER FRAUD AND CONTROLS
For many organizations, the security threat from external penetration is significant; however, many fraud threats are internal. These include (1) data input alteration, (2) program alteration, (3) file alteration, (4) data theft, and (5) sabotage.
Required
Explain how each of these five types of frauds is committed. Also, identify a method of protection against each without using the same protection method for more than one type of fraud. Use the following format.
6
RISK IDENTIFICATION AND PLAN OF ACTION
The internal auditors of Brown Electrical Company report to the controller. Because of changes made in the past year to several of the transaction processing programs, the internal auditors created a new test data set. The external auditors requested that the old data set also be run. The internal auditors, embarrassed, explained that they overwrote the original test data set.
Required
Outline any potential risks, and determine the courses of action the external auditor should take.
7
COMPUTER-ASSISTED AUDIT TOOLS AND TECHNIQUES (CAATTS)
Required
a. Explain the advantages of using GAS to assist with IT audits, and give five examples of how it may be used.
b. Describe the audit purpose facilitated and the procedural steps to be followed when using the following CAATTs.
1. ITF
2. EAM
3. parallel simulation
8
Explain what GAS is and why it is so popular with larger public accounting firms. Discuss the independence issue related to GAS.
9
Explain how program testing is conducted, and explain the importance of test data.
10
Give one example of an error that a check digit control detects.
11
Why should programs undergoing maintenance be renamed?
12
Name the general categories of IT application control tests that auditors design.
13
What are user test and acceptance procedures?
14
Discuss the problem associated with creating test data and how it can be alleviated.
15
Explain how an embedded audit module works.
16
What is the purpose of a range check?
17
Which of the following is NOT an SDLC controllable activity?

A) User specification
B) Systems authorization
C) User test and acceptance procedures
D) External audit participation
E) All are SDLC controls
18
Which of the following is NOT a test for identifying application control errors?

A) Access tests
B) User acceptance tests
C) Field tests
D) Range tests
E) All of the above
19
AUDIT OF SYSTEMS DEVELOPMENT
The Balcar Company's external auditors are developing an audit plan to review the company's systems development procedures. Their audit objectives are to ensure that
1. the system was judged necessary and justified at various checkpoints throughout the SDLC.
2. systems development activities are applied consistently and in accordance with management's policies to all systems development projects.
3. the system as originally implemented was free from material errors and fraud.
4. system documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
The following six controllable activities have been identified as sources of audit evidence for meeting these objectives: systems authorization, user specification, technical design, internal audit participation, program testing, and user testing and acceptance.
Required
a. Explain the importance of each of the six activities in promoting effective control.
b. Outline the tests of controls that the auditor would perform in meeting audit objectives.
20
What is a reasonableness test?
21
AUDIT PLAN
The CPA firm of True, Blue, and Smith (TBS) has taken on a new audit client. The TBS partner in charge of the audit has concerns in the following areas: system access and security; systems development and program changes; and organization of the IT function.
Required
Outline an audit plan that specifies the audit objectives and procedures needed to test controls in the areas of concern.
22
SYSTEMS DEVELOPMENT AND PROGRAM CHANGES
Winston Financial Services (WFS), located in Parsippany, NJ, provides financial advice to small and mid-sized businesses. Its primary operations are in portfolio management and financial services for clients in the health care industry. Each client has general business and financial information stored on servers in the main office in Parsippany. Client investment information is stored on a separate server in their Tulsa, Oklahoma data center. This includes the total value of the portfolio, type of investments made, the income structure of each client, and associated tax liabilities.
WFS had purchased specialized asset management software called VIEW, which allows the company to run analytics on client portfolios and to run simulations of market trends. The customization and implementation of VIEW was performed by a team of IT professionals from the consulting firm of Cutting Edge Solutions (CES).
The contract with CES required them to train a WFS employee to maintain VIEW after the implementation. For this purpose, WFS selected a programmer from their systems maintenance group who was subsequently trained in VIEW's proprietary language and all of its functionality and controls.
Two years after the implementation of VIEW, WFS management is now considering investing in a significant custom upgrade to the system. Furthermore, since their contract with CES has expired, they have decided to assign the upgrade task to their in-house maintenance programmer who had been trained in VIEW by CES. Once the project is completed, the programmer will be redeployed to the maintenance group. This is viewed by the WFS management team to be the most feasible and economic approach.
Required
a. Discuss the risks associated with this systems development approach.
b. What control weaknesses are apparent in this approach?
23
What is a program version number?
24
Why are user specification activities important?
25
Why are program change procedures important to auditors?
26
Compare and contrast the following techniques based on costs and benefits:
• test data method
• base case system evaluation
• tracing
• integrated test facility
• parallel simulation
27
What are rounding error routines, and why are they used?
28
Why is reliance on the client IT staff to provide a copy of the production application a potential risk?
29
PAYROLL APPLICATION CONTROL
Using this supplemental information, analyze the flowchart in the diagram for Problem 12.
• The personnel department determines the wage rate of all employees. To start the process, the personnel department sends the payroll coordinator, George Jones, an authorization form to add an employee to the payroll. After Jones enters this information into the system, the computer automatically determines the overtime and shift differential rates for the individual, updating the payroll master files.
• Employees use a time clock to record the hours worked. Every Monday morning, George Jones collects the previous week's timecards and begins the computerized processing of payroll information to produce paychecks the following Friday. Jones then reviews the timecards to ensure that the hours worked are correctly totaled; the system determines overtime and/or any shift differential.
• Jones performs all other processes displayed on the flowchart. The system automatically assigns a sequential number to each payroll check produced. The check stocks are stored in a box next to the computer printer to provide immediate access. After the checks are printed, an automatic check signing machine signs them with an authorized signature plate that Jones keeps locked in a safe.
After the check processing is completed, Jones distributes the checks to the employees, leaving the checks for the second- and third-shift employees with the appropriate shift supervisor. Jones then notifies the data processing department that he is finished with his weekly processing, and data processing makes a backup of the payroll master for storage in the computer room.
Required
Identify and describe:
a. areas in the payroll processing system in which the internal controls are inadequate.
b. two areas in the payroll system in which the system controls are satisfactory.
30
Which of the following statements is NOT correct?

A) Executing a production application requires that the source code be compiled and linked to a load module.
B) As a practical matter, programs in their compiled state are secure and free from the threat of unauthorized modification.
C) Application logic changes may be made directly to the load module.
D) Once the application is compiled, the source code is not needed to run the application.
E) All of the above are correct statements.
31
Which of the following statements about the GAS techniques for substantive testing is NOT correct?

A) GAS captures data during processing without removing the application from service.
B) GAS languages are easy to use and require little IT background.
C) GAS techniques are limited to use with flat files and relational database tables.
D) Complex file structures need to be flattened before they can be read by GAS.
E) All of the above are correct statements.
32
What tests may be conducted for identifying unauthorized program changes?
33
AUDIT PLAN
The auditors for Golden Gate Company have a gut feeling that liabilities may be unrecorded. Their initial suspicions stem from a radical decline in accrued liabilities from last year. Golden Gate's records are all computerized.
Required
Devise a plan to search the data files to perform a substantive test for identifying unrecorded liabilities.
34
AUDIT OBJECTIVES AND PROCEDURES
You are conducting substantive tests on the accounts receivable file to verify its accuracy. The file is large, and you decide to sample test the records in it. Because of the complexity of the database structure, you cannot access it directly. The client's systems programmer writes a special application that produces a flat file, which he provides for testing purposes.
Required
Discuss any concerns you would have as an auditor and any actions you would take.
35
What risks, if any, are associated with reliance on client IT personnel to provide the auditor with flat files from complex data structures?
36
What is the role of the internal auditor in systems development?
37
What is the importance of the SPL?
38
ANNOUNCING A NEW INFORMATION SYSTEM
The AJAX Company is considering implementing a new accounting system, which will automate sales processing, cash receipts, accounts payable, and cash disbursement procedures. Roger Moore, AJAX's CIO, sent an announcement letter to the AJAX community. In the letter, Moore said: "I have contracted with Spartan Consulting Group to do the needs analysis, system selection, and design work. The programming and implementation will be performed in-house using existing IT department staff. The development process will be unobtrusive to user departments because Spartan knows what needs to be done. They will work independently, in the background, and will not disrupt departmental and internal audit work flow with time-consuming interviews, surveys, and questionnaires. This promises to be an efficient process that will produce a system appreciated by all users."
Required
Draft a memo from George Jones, Director of Internal Audits, in response to Moore's letter.
39
How does the salami fraud get its name, and how does it work?
40
The systems development life cycle is a methodology. Why are auditors responsible for evaluating the controls in this process?
41
What tests may be conducted for identifying application errors?
42
Discuss how a controlled SPL environment can help to deter unauthorized changes to programs. Can the use of maintenance commands mitigate these controls?
43
Which of the following statements is NOT correct?

A) EAMs have the potential to corrupt corporate databases.
B) EAMs support continuous monitoring of controls.
C) EAMs capture transactions during processing without removing the application from service.
D) EAMs decrease operational performance.
E) All of the above are correct statements.
44
Which of the following is NOT an SDLC control issue during an audit?

A) User and computer services management properly authorized the project.
B) A preliminary feasibility study showed that the project had merit.
C) A cost-benefit analysis was conducted using reasonably accurate values.
D) The detailed design was an appropriate and accurate solution to the user's problem.
E) All of the above are specific points for review.
45
PROBLEMS VS SYMPTOMS
Being able to distinguish between a symptom and a problem is an important analysis skill. Classify each of the following as a problem or a symptom. If it is a symptom, give two examples of a possible underlying problem. If it is a problem, give two examples of a possible symptom that may be detected.
a. declining profits
b. defective production process
c. low-quality raw materials
d. shortfall in cash balance
e. declining market share
f. shortage of employees in the accounts payable department
g. shortage of raw material due to a drought in the Midwest
h. inadequately trained workers
i. decreasing customer satisfaction
46
Which of the following statements about test data techniques for testing application controls are NOT correct?

A) Applications may be tested directly without being removed from service.
B) The test provides only a static picture of application integrity.
C) Implementing the test is costly and labor intensive.
D) The test provides explicit evidence of application functions.
E) All of the above are correct statements.
47
RISK IDENTIFICATION AND PLAN OF ACTION
Two years ago, an external auditing firm supervised the programming of embedded audit modules for Pre-vits Office Equipment Company. During the audit process this year, the external auditors requested that a transaction log of all transactions be copied to the audit file. The external auditors noticed large gaps in dates and times for transactions being copied to the audit file. When they inquired about this, they were informed that increased processing of transactions had been burdening the mainframe system and that operators frequently had to turn off the EAM to allow the processing of important transactions in a timely fashion. In addition, much maintenance had been performed during the past year on the application programs.
Required
Outline any potential exposures, and determine the courses of action the external auditors should use to proceed.
48
RISK IDENTIFICATION AND PLAN OF ACTION
As the manager of the external audit team, you realize that the embedded audit module writes material invoices only to the audit file for the accounts receivable confirmation process. You are immediately concerned that the accounts receivable account may be substantially overstated this year and for the prior years in which this EAM was used.
Required
Explain why you are concerned because all "material" invoices are candidates for confirmation by the customer. Outline a plan for determining if the accounts receivable are overstated.
49
What does auditing around the computer mean versus auditing through the computer? Why is this so important?
50
DESIGN TESTS OF APPLICATION CONTROLS
Required
Describe the test data (transaction files and master files) the auditor would create, and the tests that an auditor would perform, to evaluate the accuracy of inventory receipts in the receiving department. Assume the following:
• The receiving clerk records receipts from a terminal in the receiving department.
• Inventory is automatically updated by an integrated system.
• The auditor has a current copy of the application and documentation.
Use the examples of tests of IT controls in this chapter as a basis for your responses.
51
What is the purpose of program testing in the SDLC?
52
What functions does the SPLMS control?
53
SPL RISKS AND CONTROLS
Orben Manufacturing Company has an in-house IT department that incurs a high volume of new development and program maintenance projects. To efficiently manage the workload, the director of IT has combined the systems development and maintenance functions into a single department. This allows the programmers of new applications to also maintain those applications. The immediate effect has been an increase in the work flow by reducing the startup time needed by programmers to become familiar with the systems being modified. It also reduces the time spent on system documentation. Since the designer and the maintenance programmer are the same person, highly detailed and standardized documentation is not needed. To achieve cross training, programmers also maintain applications programmed by other IT personnel. This has resulted in an "open" library policy that allows programmers to access any program stored in the SPL. Programmers download the application undergoing maintenance to their personal computers, perform the necessary maintenance, and then restore the application to the SPL under its original name.
Required
a. Comment on the trade-off between efficiency and control as it pertains to this situation.
b. Discuss the risk potential related to Orben Manufacturing's program change procedures.
c. Discuss the controls that would reduce the risks described in (b) above.
54
List the six systems development controls the chapter addresses. List the two systems maintenance controls.
55
Discuss the black box approach, and explain how it is different from through-the-computer approaches to testing application controls.
56
What factors do you think might cause an auditing team to spend more time than average on tests to identify application errors? For unauthorized program changes?
57
What are the through-the-computer techniques?
58
What types of output would be considered extremely sensitive in a university setting? Give three examples, and explain why the information would be considered sensitive. Discuss who should and should not have access to each type of information.