1. Input Control
2. Process Control
3. Output Control
Notes:
Application controls (AC) are studied further in the CAAT material.
Application controls: controls that pertain to the scope of individual business processes or application systems.
[Figure: a business process and the application system that supports it]
AC objectives:
Input controls: check the integrity of data entered into a business application, to ensure that it remains within specified parameters.
Processing controls: provide an automated means to ensure processing is complete, accurate, and authorized.
Output controls: address what is done with the data and should compare output results with the intended result by checking the output against the input.
Integrity controls: monitor data being processed and in storage to ensure it remains consistent and correct.
Management trail: as an audit trail, enables management to identify the transactions and events recorded by tracking transactions forward/backward; it also monitors the effectiveness of other controls and identifies errors.
Application control: control designed to ensure the complete and accurate processing
of data, from input through output.
Application controls regulate the input, processing, and output of an application.
Input and output have risks such as loss of data during transmission, duplicate inputs,
and manual input errors or incomplete data.
Processing risks include incomplete processing, unrecorded transactions caused either by accident or as part of fraud, automated transactions (e.g. raw materials reordering) failing due to complications, or files lost during processing.
Output risks include files being sent to the wrong place or too late to be of use.
These controls are designed to be application-specific. Examples include:
A cash disbursements batch balancing routine that verifies that the total payments
to vendors reconciles with the total postings to the A/P subsidiary ledger.
An A/R check digit procedure that validates customer account numbers on sales
transactions.
A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.
Input control: control data as it manually or electronically enters the system.
Manual input controls: require authorization both before the input and after a review, the use of concise prenumbered forms, and training for data-entry personnel.
Electronic input controls: include user-friendly screen formats that prompt the user for required information and the use of required fields.
A field check: a check to see if information in an entry field is complete.
Drop down menus: allow specific preset input (e.g. list of provinces).
To protect sensitive information, keystroke verification requires data to be entered twice, by a different person if possible, and highlights any differences (e.g. confirming a password change).
Batch control: accumulates transactions and applies tests to the batch (e.g. a batch total).
Format check: data is entered in an acceptable format (e.g. date format).
Reconciliation and balancing: reconciliation analyzes variances or tests two balances to see if they are equal.
Edit checks: automated tests on data fields. They include:
Control totals: a hash total is the sum of a nonfinancial number field and has no meaning in itself. A change in the hash total indicates a record change.
Range test: allows entry only within a range of numbers or characters.
Numerical test: prevents alphabetic entry in numeric fields.
Sequence check: checks for an alphanumeric sequence in a field.
Limit check: entries above a particular number are prevented or need approval.
Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, to show whether the number was incorrectly entered, e.g. by transposition (as in credit card numbers).
Record count: tallies the number of records.
Historical comparison: measures variance from past records.
Overflow checking: places a memory or length limit on a field to prevent numbers larger than the maximum from being entered.
Inquiry log: tracks all read-only access to records.
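Added example, not from the original notes: the edit checks above (check digit, hash total, record count, limit check) run over a constructed batch of payroll time cards, echoing the payroll limit-check example earlier. The check digit uses the Luhn algorithm (the scheme credit card numbers use; the notes do not name one); employee ids, hours and department codes are constructed.

```python
"""Edit checks over a batch of time cards: check digit (Luhn), hash total,
record count and limit check. All sample data below is constructed."""
from dataclasses import dataclass


@dataclass
class TimeCard:
    employee_id: str   # constructed id; its last digit is the check digit
    hours: int
    dept: int          # nonfinancial field used only for the hash total


def luhn_valid(number: str) -> bool:
    """Check digit test: the weighted digit sum must be divisible by 10, so
    transposing two unequal adjacent digits is caught at data entry."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) > 1 and total % 10 == 0


def luhn_append(base: str) -> str:
    """Append the single check digit that makes the number valid."""
    return next(base + str(cd) for cd in range(10) if luhn_valid(base + str(cd)))


def hash_total(cards) -> int:
    """Control total over a nonfinancial field: meaningless as a sum, but a
    change in it shows that a record was altered, added or dropped."""
    return sum(c.dept for c in cards)


def batch_edit_checks(cards, expected_count, expected_hash, hours_limit=60):
    """Return the exceptions a batch raises; an empty list means it passes."""
    exceptions = []
    if len(cards) != expected_count:                    # record count
        exceptions.append(f"record count {len(cards)} != {expected_count}")
    if hash_total(cards) != expected_hash:              # hash total
        exceptions.append(f"hash total {hash_total(cards)} != {expected_hash}")
    for c in cards:
        if not luhn_valid(c.employee_id):               # check digit
            exceptions.append(f"{c.employee_id}: check digit failed")
        if c.hours > hours_limit:                       # limit check: needs approval
            exceptions.append(f"{c.employee_id}: {c.hours} hours exceeds {hours_limit}")
    return exceptions
```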
Automated inputs: automation reduces errors and increases input speed. Examples include:
Optical character recognition (OCR): converts a scanned image into graphic data, which is then stored, retrieved, and processed (e.g. scanning a shipping receipt into a database).
Scanners: devices that digitize graphic images.
Radio frequency identification (RFID): a tag is placed in the packaging; an RFID reader reads the tag via radio frequency and identifies where the product is. Useful in tracking inventory (e.g. DHL).
1. Sue (aka Sender) selects a key, and then uses that key to encrypt the plaintext to
produce the ciphertext.
2. Sue gives both the key and the ciphertext to you (aka Receiver). (Not together,
obviously, or anyone could intercept the delivery and use the key to decrypt the
ciphertext.)
3. You use that same key to decrypt the ciphertext to regenerate the plaintext.
A sender (Sue) is using your public key to produce a ciphertext for you. But the process also works backwards: you could encrypt a plaintext with your private key and send the resulting ciphertext to Sue.
Decrypting the ciphertext with your public key proves that the ciphertext had to come from you. This provides authenticity without privacy: your public key is public, so anyone could decrypt this ciphertext, not just Sue. But public/private key pairs make digital signatures possible, which provide authenticity and integrity without sacrificing privacy.
1. You give Sue (aka Sender) a copy of your public key.
2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you.
3. She then gives (just) the ciphertext to you, and
4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
Other encryption tools:
Quantum (or quantum key) cryptography: uses uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties.
Digital envelope: uses two layers of encryption: 1. the message is encrypted symmetrically (with a secret key), then 2. the decipher key is encrypted with the recipient's public key.
Cryptographic module or system: a packaged encryption application that is purchased or developed as part of a larger application (e.g. Secure Sockets Layer).
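Added here as an example, not part of the original notes: a textbook-sized model of the public-key ideas above (encrypt with the recipient's public key for privacy, encrypt a digest with your own private key for a signature anyone can open with your public key) and of the two-layer digital envelope. The RSA primes, the digest reduction and the hash-based keystream are constructed toys chosen to fit on a page, not a production cipher.

```python
"""Toy public-key encryption, signature and digital envelope. N, E, D are a
constructed textbook RSA key pair (n = 61 * 53); the symmetric layer is a
SHA-256 keystream. Illustration only, not a real cryptosystem."""
import hashlib
import secrets

N, E, D = 3233, 17, 2753   # toy modulus, public exponent, private exponent


def rsa(x: int, key: int) -> int:
    """One operation; which half of the pair is used decides its meaning."""
    return pow(x, key, N)


def digest(msg: bytes) -> int:
    """Hash of the message reduced into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes) -> int:
    """Sender 'encrypts' the digest with the private key: authenticity."""
    return rsa(digest(msg), D)


def verify(msg: bytes, sig: int) -> bool:
    """Anyone decrypts with the public key; a match proves origin and integrity."""
    return rsa(sig, E) == digest(msg)


def keystream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric layer: XOR the data with a SHA-256 keystream from the key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(2, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def seal_envelope(plaintext: bytes, recipient_pub: int = E):
    """Digital envelope: 1. encrypt the message symmetrically with a fresh
    session key; 2. encrypt that session key with the recipient's public key."""
    session_key = secrets.randbelow(N - 1) + 1
    return keystream_xor(session_key, plaintext), rsa(session_key, recipient_pub)


def open_envelope(ciphertext: bytes, wrapped_key: int, recipient_priv: int = D):
    """Recipient recovers the session key with the private key, then the message."""
    session_key = rsa(wrapped_key, recipient_priv)
    return keystream_xor(session_key, ciphertext)
```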
Auditing issues: evaluating encryption includes evaluating physical control over computers that hold passwords and keys, testing policies to see if they are being followed, and implementing and monitoring logical controls.
The choice of network type will affect IT control design.
Computer network: the sum of all infrastructure and applications required to connect two or more network nodes, which are computers and devices:
Computers (with their own processing power), servers (powerful computers with high bandwidth), and client/server infrastructure, where the client is the recipient of the server's function (e.g. data-request server, database server).
Mainframe (a large, scalable computer that processes and stores large amounts of data) and data terminal (an input/output node for a mainframe system).
Data processing methods:
Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
Decentralized.
Distributed (decentralized processing, but networked together/centralized).
Types of networks:
Peer-to-peer network = between two computers.
Personal-area networks (PANs) = wireless, within a room.
Local-area networks (LANs) = for a limited geographical area (a building).
Wide-area networks (WANs) = networks of LANs (national/worldwide).
Metropolitan-area networks (MANs) = a metropolitan area.
Public data networks (PDNs) = allow public access, such as the World Wide Web.
Other related terms:
Value-added networks (VANs) = providers of networking services.
Consortium networks = a group of organizations that form a network.
Network transmission options:
Wired.
Wireless.
Virtual private networks (VPNs): a secure method of connecting two points over the internet (via an ISP).
Protocol: a method of defining how messages should be sent through a network so that unrelated products can work together.
The OSI model is divided into 7 layers for communication and computer network protocol design.
5. Routers: intelligent processors that link network segments, allowing them to communicate but also remain separate and independent.
6. Bridges: an early software-based device that functions similarly to switches and routers, but not as efficiently as switches.
7. Gateways: convert protocols between networks with dissimilar network architectures.
8. Multiplexers: combine multiple data channels into a single channel, such as multiple phone lines sharing a single physical phone line.
Case:
The Internet consists of a series of networks that include:
A. Gateways to allow PCs to connect to mainframe computers.
B. Bridges to direct messages through the optimum data path.
C. Repeaters to physically connect separate local area networks (LANs).
D. Routers to strengthen data signals between distant computers.
Firewall: a hardware/software combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic.
Firewalls can:
1. Improve security by blocking access from certain servers or applications.
2. Reduce vulnerability to external attacks and ensure IT system efficiency by limiting user access to certain sites.
3. Provide a means of monitoring communications and detecting external intrusions and internal sabotage.
4. Provide encryption internally (within an enterprise).
Layer 3 and 4 firewall types:
1. Packet filtering: comparing source and destination addresses to an allowed list.
2. Gateways: stopping traffic flowing to specific applications such as file transfer protocol (FTP); e.g. rules may block outgoing FTP but permit incoming FTP. One common gateway is a proxy server.
The auditor should work with the network administrator to determine the efficacy (effectiveness) of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up to date.
Firewall logs can be used as legal audit evidence if the data was collected, processed, and retained properly.
Firewalls have some limitations, such as physical intrusion, incorrect configuration, and trojan horses using IRC (Internet Relay Chat).
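Added example, not from the original notes: a first-match packet filter over source/destination allow-list rules, together with the rule review an auditor would perform with the administrator (how specific the rules are, whether entries are current). The FTP rules mirror the block-outgoing/permit-incoming case above; all addresses, ports and review dates are constructed.

```python
"""First-match packet filtering plus an audit of the rule list. Rules, packet
addresses and review dates are constructed sample data."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import ipaddress


@dataclass
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR; "0.0.0.0/0" means any source
    dst: str                 # CIDR; "0.0.0.0/0" means any destination
    dport: Optional[int]     # None means any port
    last_reviewed: date      # when the administrator last confirmed the rule


def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.dport in (None, dport))


def filter_packet(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Packet filtering: the first matching rule decides; no match means deny."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def audit_rules(rules: List[Rule], today: date, max_age_days: int = 365) -> List[str]:
    """Findings for the auditor: permit rules broad enough to allow anything,
    and rules nobody has re-confirmed within the review period."""
    findings = []
    for i, rule in enumerate(rules):
        any_src = ipaddress.ip_network(rule.src).prefixlen == 0
        any_dst = ipaddress.ip_network(rule.dst).prefixlen == 0
        if rule.action == "permit" and any_src and any_dst and rule.dport is None:
            findings.append(f"rule {i}: permits any source to any destination")
        if (today - rule.last_reviewed).days > max_age_days:
            findings.append(f"rule {i}: last reviewed {rule.last_reviewed}, stale")
    return findings


# Constructed rule list: permit inbound FTP from a partner network to one
# server, deny outbound FTP from the internal LAN, then a catch-all permit
# that the audit should flag as both over-broad and stale.
RULES = [
    Rule("permit", "203.0.113.0/24", "192.0.2.10/32", 21, date(2024, 1, 15)),
    Rule("deny", "192.0.2.0/24", "0.0.0.0/0", 21, date(2024, 1, 15)),
    Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None, date(2021, 6, 1)),
]


def example_findings() -> List[str]:
    """Audit the constructed rule list as of a constructed review date."""
    return audit_rules(RULES, date(2024, 6, 1))
```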
Intrusion detection/prevention systems:
An intrusion detection system (IDS) combined with an application-layer firewall (layer 7) is called an intrusion prevention system (IPS). Two types of IPS: HIPS (host-based) and NIPS (network-based).
EFT: the transfer of monetary value and financial data from one bank to another (it cannot involve other parties).
FEDI (EFT and financial EDI) is a subset of electronic data interchange (EDI).
FEDI transfers payment information between companies, banks, or others, but settlement is through EFT.
EFT methods:
RTGS (real-time gross settlement, such as Fedwire in the USA, TARGET in Europe, CHAPS in the UK).
ACH (automated clearing house): a. for high volume, b. low-value transfers, c. payments sent in batches, and d. prenotification.
IA evaluates the adequacy and effectiveness of the internal controls applied to EFT, such as:
Logical controls that restrict unauthorized access to the EFT systems.
Program change management controls.
Physical controls.
System data backup and recovery controls.
Operations controls to ensure availability.
Application controls to ensure transaction accuracy.
Case:
Which one of the following is least likely to be recommended by an auditor when an EDI-EFT system is being designed?
A. The identity of the individual approving an electronic document should be stored as a data field.
B. Disaster recovery plans should be established.
C. Data security procedures should be written to prevent changes to data by unauthorized individuals.
D. Remote access to electronic data should be denied.
E-commerce: defined as conducting commercial activities over the internet, including:
Business to business (B2B) e-commerce.
Business to consumer (B2C) e-commerce.
Business to employee (B2E) e-commerce.
Mobile e-commerce (using mobile devices such as smart phones).
Control concerns:
Determine how authorization for transactions is handled.
End users can initiate input data directly.
Risk analysis includes the hardware used, transmission methods, firewalls, back-end systems, middleware, and links to other applications.
Control over sensitive information.
Expected results of e-commerce security policies include:
Authenticity: both parties are able to verify the other party's identity, e.g. passwords, encryption keys, and digital signature certificates.
Integrity: web site information is unaltered from its original form.
Nonrepudiation: e-commerce participants cannot deny or repudiate their on-line activities, i.e. e-commerce data is legal evidence.
Confidentiality: only authorized parties can access their data.
Privacy: users are informed of a site's privacy policy and can decide whether to provide personal information.
Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability.
Case:
Management has implemented controls such as firewalls, password management, independent reconciliation, and audit trails. These controls should be reviewed and evaluated by the internal auditor when testing which e-commerce audit area?
A. Fraud.
B. Corruption of data.
C. Business interruptions.
D. Authentication.
When conducting an audit of e-commerce, IA should look for:
1. Network security controls (e.g. firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprise) and intrusion detection systems.
2. User identification systems (e.g. digital signatures).
3. Privacy and confidentiality controls.
4. A list of all e-commerce applications within the enterprise.
5. Maintenance activities to ensure continued operation.
6. Failure detection and automated repair.
7. Application change management controls.
8. Business continuity plan in case of system interruption.
Continuous auditing in e-commerce: software that includes continuous risk assessment, control assessment, and assessment of continuous monitoring tools, and is able to uncover fictitious sales and returns.
ERP system: modular suites (chains) of business applications that share data between modules and store all data in a single repository (database).
Purpose: facilitate the flow of information between all business functions inside the boundaries of the organization and manage the connections to the outside.
ERP reduces redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department.
ERP increases efficiency by keeping inventory levels low, reducing cycle time, and improving the timeliness of data for decision making.
Core modules of ERP: (a) finance, manufacturing, sales and distribution, human
resource, (b) transaction processing system (TPS) and management information
system (MIS), (c) Customer relationship management (CRM) and Supplier relationship
mgt (SRM).
ERP simplifies gathering audit evidence.
Disparate applications use different languages, so an audit of ERP requires multiple workarounds (solutions) and redundancies.
IA assesses whether management has evaluated the efficiency of the ERP relative to competitors' ERPs.
IA needs to be involved in ERP development, monitor the implementation and the personnel training plan, and recommend ERP improvements.
Since the system is integrated, there is no paper audit trail to follow between departments, and approvals tend to be automatic, exacerbating the segregation of duties control issue.
Therefore, the audit must focus on IT controls such as the quality of passwords and other logical controls.
Even the best ERP is unlikely to cover all needs, so the remaining needs can be met through customization or configuration.
Customization: changing the code of the system to provide an unavailable process.
Configuration: changing preset parameters (cheaper, and does not impede (disturb) upgrades).
To overcome the problem, ERP should separate business processes from controls.
WBEM: uses the external networking component of ERP to provide portal access to external vendors and large customers via XML communication.
The auditor should focus on controls (especially those protecting the organization's data).
[Figure: ERP module map across BU 1, BU 2, BU 3 and Corporate, covering Revenue and Receivables, Purchases and Payables, Management and Financial Reporting/Accounting, Payroll and Benefits, Legal Compliance, Manufacturing, Treasury, Investor Relations, and Environmental]
Application risk-scoring matrix. Columns: C1 = application contains primary controls; C2 = design effectiveness of the application controls; C3 = pre-packaged or developed; C4 = application supports more than one critical business process; C5 = frequency of change; C6 = complexity of change; C7 = financial impact; C8 = effectiveness of the ITGCs; Composite = composite score.

Application  C1  C2  C3  C4  C5  C6  C7  C8  Composite
App A         5   1   5   5   3   3   5   2        375
App B         1   1   2   1   1   1   4   2        170
App C         5   2   2   1   5   5   5   2        245
App D         5   3   5   1   5   5   5   2        395
App E         5   1   1   1   1   1   3   2        225
Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process.
The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate information in a format that can be reviewed without the use of an automated tool.
Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g. duplicate vendors or transactions) or a set of predetermined control issues (e.g. segregation of duties conflicts).
Audit specialized software may perform:
- Data queries
- Data stratification
- Sample extractions
- Statistical analysis
- Calculations
- Duplicated transactions
- Pivot tables
- Cross tabulation
- Missing sequence identification
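Added example, not part of the original notes: CAAT-style tests of the kind listed above (duplicated transactions, missing sequence identification, data stratification, and a segregation-of-duties query) run over a constructed accounts-payable extract. The field layout, vendor codes, user names and amounts are constructed.

```python
"""CAAT tests over a payables extract. PAYMENTS is constructed sample data:
(document number, vendor, amount, entered_by, approved_by)."""
from collections import Counter

PAYMENTS = [
    (1001, "V-ACME", 1200.00, "alice", "bob"),
    (1002, "V-ACME", 1200.00, "alice", "bob"),    # same vendor and amount as 1001
    (1003, "V-BOLT", 450.50, "carol", "carol"),   # entered and approved by one person
    (1005, "V-CASE", 99.99, "dave", "bob"),       # document 1004 is missing
    (1006, "V-ACME", 1200.00, "alice", "erin"),   # third V-ACME payment of 1200
]


def duplicate_payments(rows):
    """Duplicated transactions: the same vendor paid the same amount more than
    once is a candidate duplicate payment to investigate."""
    counts = Counter((vendor, amount) for _, vendor, amount, _, _ in rows)
    return sorted(key for key, n in counts.items() if n > 1)


def missing_sequence(rows):
    """Missing sequence identification: gaps in the prenumbered document range
    point to unrecorded or deleted documents."""
    nums = sorted(r[0] for r in rows)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def sod_conflicts(rows):
    """Segregation of duties: no one should both enter and approve a payment."""
    return [doc for doc, _, _, entered_by, approved_by in rows if entered_by == approved_by]


def stratify(rows, bands=(0, 100, 1000, float("inf"))):
    """Data stratification: count and total of payments in each amount band,
    so the auditor can direct sampling at the high-value stratum."""
    result = {}
    for lo, hi in zip(bands, bands[1:]):
        amounts = [r[2] for r in rows if lo <= r[2] < hi]
        result[f"{lo}-{hi}"] = (len(amounts), round(sum(amounts), 2))
    return result
```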