
The Most Common IT-ACs:

1. Input Control
2. Process Control
3. Output Control

Notes: application controls (AC) will be covered further in the CAAT material.
Application controls:
controls that pertain to the scope of individual business processes or application systems.

(Diagram: Business Process, Application system, Application)

AC Objectives:
Input data: accurate, complete, authorized, and correct.
Data: processed as intended in an acceptable time period.
Data stored: accurate and complete.
Outputs: accurate and complete.
A record: maintained to track the process of data from input to storage and to the eventual output.
TYPES OF APPLICATION CONTROL
Input Controls: check the integrity of data entered into a business application, to ensure that it remains within specified parameters.
Processing Controls: provide an automated means to ensure processing is complete, accurate, and authorized.
Output Controls: address what is done with the data and should compare output results with the intended result by checking the output against the input.
Integrity Controls: monitor data being processed and in storage to ensure it remains consistent and correct.
Management Trail: as an audit trail, enables mgt to identify the transactions and events recorded by tracking transactions forward/backward; monitors the effectiveness of other controls and identifies errors.
Application control: a control designed to ensure the complete and accurate processing of data, from input through output.
Application controls regulate the input, processing, and output of an application.
Input and output have risks such as loss of data during transmission, duplicate inputs, and manual input errors or incomplete data.
Processing risks include incomplete processing, unrecorded transactions caused either by accident or as part of fraud, automated transactions (e.g. raw materials reordering) failing due to complications, or files lost during processing.
Output risks include files being sent to the wrong place or too late to be of use.
These controls are designed to be application-specific. Examples include:
A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the A/P subsidiary ledger.
An A/R check digit procedure that validates customer account numbers on sales transactions.
A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.
Input control: controls data as it manually or electronically enters the system.
Manual IC: require authorization both before the input and after a review, use of concise prenumbered forms, and training for data entry personnel.
Electronic IC: include user-friendly screen formats that prompt the user for required information and the use of required fields.
A field check: a check to see if the information in an entry field is complete.
Drop-down menus: allow only specific preset input (e.g. a list of provinces).
To protect sensitive information, keystroke verification requires data to be entered twice, by a different person if possible, and highlights any differences (e.g. confirming a password change).
Batch control: accumulate transactions and apply tests to the batch (e.g. batch total).
Format check: data is entered in an acceptable format (e.g. date format).
Reconciliation and balancing: reconciliation analyzes variances or tests two balances to see if they are equal.
Edit check: automated tests on data fields. These include:
Control totals: a hash total is the sum of nonfinancial numbers that has no meaning in itself. A change in the hash total indicates a record change.
Range test: allows entry only within a range of numbers or characters.
Numerical test: prevents alphabetic entry in number fields.
Sequence check: checks for an alphanumeric sequence in a field.
Limit check: entries above a particular number are prevented or need approval.
Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, showing whether the number was incorrectly entered by transposition (e.g. credit card numbers).
Record count: tallies the number of records.
Historical comparison: measures variance from past records.
Overflow checking: places a memory or length limit on a field to prevent numbers larger than the maximum from being entered.
Inquiry log: tracks all read-only access to records.
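The edit checks and batch controls listed above, applied to a constructed sales batch (an added example, not code from the original notes). The record layout, the limits and the control slip are assumptions; the check digit uses the Luhn algorithm, which is the one used for credit card numbers, since the notes do not name an algorithm.

```python
# Added example (not from the original notes): input edit checks applied to a
# constructed batch of sales transactions. Each check mirrors one control named
# in the notes; the check digit is Luhn (credit card algorithm, assumed here).
import re
from datetime import date

# Constructed sample batch: the last record carries several deliberate defects.
BATCH = [
    {"seq": 1001, "account": "79927398713", "amount": 250.00, "qty": 3, "date": "2024-03-01"},
    {"seq": 1002, "account": "4539578763621486", "amount": 1200.50, "qty": 10, "date": "2024-03-01"},
    {"seq": 1004, "account": "79927398714", "amount": 99999.00, "qty": "5x", "date": "01/03/2024"},
]
# Control slip prepared from the source documents before keying. It listed seq
# 1001, 1002, 1003 (hash total 3006); the operator keyed 1004 instead, so the
# financial total still agrees but the hash total does not.
CONTROL_SLIP = {"record_count": 3, "hash_total": 3006, "batch_total": 101449.50}
LIMIT_AMOUNT = 50000.00   # limit check: above this the entry needs approval
QTY_RANGE = (1, 1000)     # range test: acceptable quantities


def luhn_ok(number: str) -> bool:
    """Check digit: valid iff the Luhn sum over all digits is divisible by 10.
    A single mistyped digit or an adjacent transposition changes the sum."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def field_checks(rec: dict) -> list:
    """Return the list of edit-check exceptions for one record (empty = clean)."""
    errs = []
    # Numerical test: quantity must be numeric, not alphanumeric.
    if not isinstance(rec["qty"], int):
        errs.append("numerical test: qty is not numeric")
    # Range test: only quantities inside the preset range are accepted.
    elif not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:
        errs.append("range test: qty outside %d..%d" % QTY_RANGE)
    # Format check: ISO date layout, and it must be a real calendar date.
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", rec["date"]):
        errs.append("format check: date not YYYY-MM-DD")
    else:
        try:
            date.fromisoformat(rec["date"])
        except ValueError:
            errs.append("format check: date is not a valid calendar date")
    # Limit check: large amounts are not rejected outright but flagged for approval.
    if rec["amount"] > LIMIT_AMOUNT:
        errs.append("limit check: amount needs approval")
    # Check digit: catches transposed or mistyped account numbers.
    if not luhn_ok(rec["account"]):
        errs.append("check digit: account number fails Luhn check")
    return errs


def batch_checks(batch: list, slip: dict) -> list:
    """Batch controls: record count, hash total of seq numbers, financial total."""
    errs = []
    if len(batch) != slip["record_count"]:
        errs.append("record count mismatch")
    # Hash total: the seq numbers have no financial meaning; a change in their
    # sum signals that a record was added, dropped or keyed differently.
    if sum(r["seq"] for r in batch) != slip["hash_total"]:
        errs.append("hash total mismatch")
    if round(sum(r["amount"] for r in batch), 2) != slip["batch_total"]:
        errs.append("batch total mismatch")
    return errs


def run_input_controls(batch=BATCH, slip=CONTROL_SLIP) -> dict:
    """Exception report: batch-level findings plus per-record findings by seq."""
    report = {"batch": batch_checks(batch, slip), "records": {}}
    for rec in batch:
        errs = field_checks(rec)
        if errs:
            report["records"][rec["seq"]] = errs
    return report
```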
Automated inputs: automation reduces errors and increases input speed. These include:
Optical character recognition (OCR): converts a scanned image into graphic data, then stores, retrieves, and processes the graphic data (e.g. scanning a shipping receipt into a database).
Scanners: devices that digitize graphic images.
Radio frequency identification (RFID): a tag is placed in the packaging; an RFID reader reads the tag via radio frequency and identifies where the product is. Useful in tracking inventory (e.g. DHL).
Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level).
Magnetic ink character recognition (MICR): included on checks (bank transactions), and indicates the check no., account no., routing no., and possibly the check amount.
Processing control: automated error checks built into computer processing, as well as segregation of duties, such as controlling programmers' access to files and records.
Data center operators' access to applications should be restricted to equipment and software installation and responding to errors, and also to overriding file names.
A console log or system control file should track operators' interventions.
Access to configuration parameters within the application must be controlled. Auditors should reconcile actual versus planned configuration.
Completeness check: rejects saving a record until all fields are complete.
Control totals: totals are recorded in a system control file when an application generates temporary files; an error occurs if a control total does not match.
Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors.
Auditors test processing controls by inserting known test data and comparing it against expected results (walkthrough test or round test?).
Other processing controls include:
Reasonableness checks: verify that amounts fall within predetermined limits.
Suspense file: a file used to retain transactions processed with errors.
Activity log: records the actions of users by date, time, and access terminal (distinguish from ITGC).
Processing logic tests (e.g. posting check, zero balance check, cross-footing check): various checks that verify whether accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payments are processed; other example?).
Run-to-run totals: the data control group monitors batch run totals (or verifies that amounts fall within predetermined limits).
End-of-file procedures: prevent additional operations from taking place in a file when the end of the file is reached.
Primary and secondary key integrity check: verify encryption key security.
Access control list: a list of all valid users. Auditors should verify that the list cannot be altered without proper authorization.
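How run-to-run totals, the completeness and reasonableness checks, the control file and a suspense file fit together in a two-run batch posting, as an added example that is not from the original notes. The record layout, the run names and the limits are assumptions made for the illustration.

```python
# Added example (not from the original notes): a two-run batch posting with
# run-to-run control totals, a completeness check, a reasonableness check and a
# suspense file. The record layout, run names and limits are assumptions.

# Constructed input batch from the input stage. Record 23 is incomplete (no
# vendor) and record 24 carries an amount outside the reasonable range.
INPUT_BATCH = [
    {"id": 21, "vendor": "V100", "amount": 400.00},
    {"id": 22, "vendor": "V200", "amount": 150.25},
    {"id": 23, "vendor": "", "amount": 75.00},
    {"id": 24, "vendor": "V300", "amount": 25000.00},
]
REQUIRED_FIELDS = ("id", "vendor", "amount")
REASONABLE_MAX = 10000.00   # reasonableness check: predetermined upper limit


def control_totals(records):
    """Totals written to the system control file after each run: a record
    count, a financial total and a hash total of the (meaningless) ids."""
    return {"count": len(records),
            "amount": round(sum(r["amount"] for r in records), 2),
            "hash_ids": sum(r["id"] for r in records)}


def completeness_ok(rec):
    """Completeness check: every required field present and non-empty."""
    return all(rec.get(f) not in (None, "") for f in REQUIRED_FIELDS)


def validate_run(batch):
    """Run 1: records failing a check go to the suspense file with a reason,
    so nothing is silently dropped and each item can be corrected later."""
    accepted, suspense = [], []
    for rec in batch:
        if not completeness_ok(rec):
            suspense.append((rec, "incomplete record"))
        elif not 0 < rec["amount"] <= REASONABLE_MAX:
            suspense.append((rec, "reasonableness check"))
        else:
            accepted.append(rec)
    return accepted, suspense


def post_run(accepted, ledger):
    """Run 2: post accepted records to the A/P subsidiary ledger by vendor."""
    for rec in accepted:
        ledger[rec["vendor"]] = round(ledger.get(rec["vendor"], 0.0) + rec["amount"], 2)
    return ledger


def run_to_run_check(input_totals, accepted, suspense):
    """Every record that entered run 1 must leave it either posted or in
    suspense; any total that differs is returned as (expected, actual)."""
    out = control_totals(accepted + [rec for rec, _ in suspense])
    return {k: (input_totals[k], out[k]) for k in input_totals if input_totals[k] != out[k]}


def process(batch=INPUT_BATCH, lose_record=False):
    """Run the batch through both runs and return the control-file evidence."""
    control_file = {"input": control_totals(batch)}
    accepted, suspense = validate_run(batch)
    if lose_record:            # simulate a record lost between the two runs
        accepted = accepted[1:]
    control_file["run1"] = control_totals(accepted)
    ledger = post_run(accepted, {})
    # Temporary-file control: the ledger postings must equal the run 1 total.
    control_file["ledger_total"] = round(sum(ledger.values()), 2)
    return {"control_file": control_file, "ledger": ledger, "suspense": suspense,
            "mismatches": run_to_run_check(control_file["input"], accepted, suspense)}
```

Calling process(lose_record=True) shows why the hash total is kept alongside the financial total: all three run-to-run totals disagree, pinpointing that a record disappeared between runs rather than being suspended.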
Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls include the following:
Error listings: auditors ensure that errors are followed up without exceeding backlog limits, and that corrected reports are resubmitted.
Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption.
Spooling controls: a spool is a temporary memory allocation for system output. These controls regulate the data spooling method.
Working documents: legal records, such as checks, invoices, or stock certificates, are safeguarded. These are audit evidence that can detect whether inputs really match outputs.
Report controls: include ensuring that reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls.
Exception reporting: highlights only unusual data; it helps to determine the source of an error (human error, processing error).
Encryption uses a mathematical algorithm to scramble data so that it cannot be unscrambled without a numeric key code.
It can be used on stored and physically transmitted data (on CD) and on electronically transmitted data (wireless data).
Two basic types of encryption:
Private (or symmetric) key encryption.
Public (or asymmetric) key encryption.
Variants of public key encryption:
Digital signatures.
Elliptic curve cryptography (ECC) (y^2 = x^3 + ax + b).

1. Sue (aka Sender) selects a key, and then uses that key to encrypt the plaintext to
produce the ciphertext.
2. Sue gives both the key and the ciphertext to you (aka Receiver). (Not together,
obviously, or anyone could intercept the delivery and use the key to decrypt the
ciphertext.)
3. You use that same key to decrypt the ciphertext to regenerate the plaintext.

A sender (Sue) is using your Pub-K to produce a ciphertext for you. But the process also works backwards: you could encrypt a plaintext with your Priv-K and send the resulting ciphertext to Sue.

Decrypting the ciphertext with your Pub-K proves that the ciphertext had to come from you. This provides authenticity without privacy: your Pub-K is public, so anyone could decrypt this ciphertext, not just Sue. But Pub/Priv-K pairs make digital signatures possible, which provide authenticity and integrity without sacrificing privacy.
1. You give Sue (aka Sender) a copy of your public key.
2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you.
3. She then gives (just) the ciphertext to you, and
4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
Other encryption tools:
Quantum (or quantum key) cryptography: uses uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties.
Digital envelope: uses two layers of encryption: 1. the message is encrypted symmetrically (private key), then 2. the decipher code (the symmetric key) is encrypted with the public key.
Cryptographic module or system: a packaged encryption application that is purchased or developed as part of a larger application (e.g. Secure Socket Layer).
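The public-key exchange, the "backwards" use of the private key as a signature, and the digital envelope described above, worked through in textbook RSA as an added example (not code from the original notes). The two small primes, the XOR stream cipher and the message are demo assumptions; production systems use vetted libraries and large keys.

```python
# Added example (not from the original notes): textbook RSA with two small fixed
# primes, to show the two directions described above (encrypt with the
# receiver's Pub-K for privacy; "encrypt" a hash with the sender's Priv-K for a
# signature) and a digital envelope. The primes, the XOR stream cipher and the
# message are demo assumptions; production code uses vetted libraries and large keys.
import hashlib
import os


def make_keypair(p=1000003, q=1000033, e=65537):
    """Return (public, private) = ((n, e), (n, d)) for the two demo primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(key, m):
    """The single operation used in both directions: m ** exponent mod n."""
    n, exponent = key
    if not 0 <= m < n:
        raise ValueError("message integer must be below the modulus")
    return pow(m, exponent, n)


def encrypt_int(pub, m):       # Sue uses your Pub-K to produce a ciphertext
    return rsa_apply(pub, m)


def decrypt_int(priv, c):      # you use your Priv-K to recover the plaintext
    return rsa_apply(priv, c)


def digest_int(data: bytes, n: int) -> int:
    """Hash the message and reduce it below n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    """Digital signature: the hash is transformed with the private key.
    Only the key holder can produce it; anyone with the public key can check."""
    return rsa_apply(priv, digest_int(data, priv[0]))


def verify(pub, data: bytes, sig: int) -> bool:
    """Reverse the transform with the public key and compare to a fresh hash;
    a changed message or a changed signature makes this fail (integrity)."""
    return rsa_apply(pub, sig) == digest_int(data, pub[0])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256-derived keystream (demo only)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_envelope(pub, message: bytes):
    """Digital envelope: the message goes under a fresh symmetric key, and
    only that key is encrypted under the receiver's Pub-K."""
    sym_key = os.urandom(4)      # 4 bytes keeps its integer value below n
    wrapped_key = encrypt_int(pub, int.from_bytes(sym_key, "big"))
    return wrapped_key, xor_stream(sym_key, message)


def open_envelope(priv, wrapped_key: int, body: bytes) -> bytes:
    """Receiver: recover the symmetric key with Priv-K, then decrypt the body."""
    sym_key = decrypt_int(priv, wrapped_key).to_bytes(4, "big")
    return xor_stream(sym_key, body)
```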
Auditing issues: evaluating encryption includes evaluating physical control over computers that hold passwords or keys, testing policies to see if they are being followed, and implementing and monitoring logical controls.

The choice of network type will affect IT control design.
Computer network: the sum of all infrastructure and applications required to connect two or more network nodes, which are computers and devices:
Computers (own processing power), servers (powerful computers with high bandwidth), and client (recipient of server functions)/server infrastructure (data request server, database server).
Mainframe (a large, scalable computer to process and store large amounts of data) and data terminal (input/output node for a mainframe system).
Data processing methods:
Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
Decentralized.
Distributed (decentralized processing, but networked together/centralized).
The choice of network type will affect IT control design. Types of networks:
Peer-to-peer network = between two computers.
Personal-area networks (PANs) = wireless within a room area.
Local-area networks (LANs) = for a limited geographical area (building).
Wide-area networks (WANs) = networks of LANs (nation/world).
Metropolitan-area networks (MANs) = a metropolitan area.
Public data networks (PDNs) = allow public access, such as the World Wide Web.
Other related terms:
Value-added networks (VANs) = providers of networking services.
Consortium networks = groups of organizations that form networks.
Network transmission options:
Wired.
Wireless.
Virtual private networks (VPNs): a secure method of connecting two points over the internet (ISP).
Network protocol: a method of defining how messages should be sent through a network so that unrelated products can work together.
The OSI model is divided into 7 layers for communication and computer network protocol design.

OSI layer, description, and related controls:
Layer 1: Physical layer (HW, NW). Mechanical layer; transmits digital signals. Related controls: wiring and other physical protection.
Layer 2: Data link layer (HW, NW). Synchronizes layer 1 data movements and compresses data where possible. Related controls: encryption.
Layer 3: Network layer (SW, NW). Routes and forwards data to the right places; IP addresses are tracked. Related controls: firewalls.
Layer 4: Transport layer (SW, Comp). Ensures that data transfers are complete by managing end-to-end control and error checking. Related controls: logical control layer, firewalls.
Layer 5: Session layer (SW, Comp). Initiates and terminates conversations between applications.
Layer 6: Presentation layer (SW, Comp). The operating system (O/S), which applies syntax and formatting. Related controls: O/S controls.
Layer 7: Application layer (SW, Comp; closest to the user). The constraint of data, such as user and communication partner authentication and privacy. Related controls: configurable data constraints and authentication, intrusion detection.
Network topology: the physical connection points between devices on a LAN or similar network: (1) bus network, (2) ring network, and (3) star network.
1. Ports: physical connection points to a device.
2. Hubs: the center of a network; switch/direct communication.
3. Repeaters: extend the range of a network by amplifying or regenerating signals.
4. Switches: connect telecom circuits and may allow network management capabilities.
5. Routers: intelligent processors that link network segments, allowing them to communicate but also remain separate and independent.
6. Bridges: an early software-based device that functions similarly to switches and routers, but not as efficient as switches.
7. Gateways: convert protocols between networks with dissimilar network architectures.
8. Multiplexers: combine multiple data channels into a single channel, such as multiple phone lines sharing a single physical phone line.
Case:
The Internet consists of a series of networks that include
A. Gateways to allow PCs to connect to mainframe computers, B. Bridges to direct messages through the optimum data path, C. Repeaters to physically connect separate local area networks (LANs), D. Routers to strengthen data signals between distant computers.
Firewall: a HW/SW combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic.
Firewalls can:
1. Improve security by blocking access from certain servers or applications.
2. Reduce vulnerability to external attacks and ensure IT system efficiency by limiting user access to certain sites.
3. Provide a means of monitoring communications and detecting external intrusions and internal sabotage.
4. Provide encryption internally (within an enterprise).

Layer 3 and 4 firewall types:
1. Packet filtering: comparing source and destination addresses to an allowed list.
2. Gateways: stopping traffic flowing to specific applications such as file transfer protocol (FTP); e.g. rules may block outgoing FTP but permit incoming FTP. One common gateway is a proxy server.
The auditor should work with the network administrator to determine the efficacy (effectiveness) of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up to date.
Firewall logs can be used as legal audit evidence if the data was collected, processed, and retained properly.
Firewalls have some limitations, such as physical intrusion, incorrect configuration, and trojan horses using IRC (internet relay chat).
Intrusion detection/prevention systems:
An intrusion detection system (IDS) combined with an application layer firewall (layer 7) is called an intrusion prevention system (IPS). Two types of IPS: HIPS and NIPS.

EFT: the transfer of monetary value and financial data from one bank to another (it cannot involve other parties).
FEDI (EFT and financial EDI) is a subset of electronic data interchange (EDI).
FEDI transfers payment information between companies, banks, or others, but settlement is through EFT.
EFT risks and controls:
EFT is more reliable, cost-effective, and efficient than check payment.
Controls:
Password and physical restriction of access to FEDI terminals.
Dual approval (one enters, one releases).
Test keys or codes for validation.
Encryption.
Credit monitoring, backup, and continuity plan.

EFT methods:
RTGS (such as Fedwire in the USA, TARGET in Europe, CHAPS in the UK).
ACH (automated clearing house): a. for high volume, b. low-value transfers, c. sends payments in batches, and d. prenotification.
IA evaluates the adequacy and effectiveness of the internal controls applied to EFT, such as:
Logical controls that restrict unauthorized access to the EFT systems.
Program change management controls.
Physical controls.
System data backup and recovery controls.
Operational controls to ensure availability.
Application controls to ensure transaction accuracy.

Case:
Which one of the following is least likely to be recommended by the auditor when an EDI-EFT system is being designed?
A. The identity of the individual approving an electronic document should be stored as a data field.
B. Disaster recovery plans should be established.
C. Data security procedures should be written to prevent changes to data by unauthorized individuals.
D. Remote access to electronic data should be denied.
E-Commerce: defined as conducting commercial activities over the internet, including:
Business to business (B2B) e-commerce.
Business to consumer (B2C) e-commerce.
Business to employee (B2E) e-commerce.
Mobile e-commerce (using mobile devices such as smart cell phones).
Control concerns:
Determine how authorizations for transactions are handled.
End-users can initiate input data directly.
Risk analysis includes the hardware used, transmission methods, firewalls, back-end systems, middleware, and links to other applications.
Control over sensitive information.

Expected results of e-commerce security policies include:
Authenticity: both parties are able to verify the other party's identity, e.g. passwords, encryption keys, and digital signature certificates.
Integrity: web site information is unaltered from its original form.
Nonrepudiation: e-commerce participants cannot deny or repudiate their on-line activities, i.e. e-commerce data is legal evidence.
Confidentiality: only authorized parties can access their data.
Privacy: users are informed of a site's privacy policy and can decide whether to provide personal information.
Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability.

Case:
Mgt has implemented controls such as firewalls, password mgt, independent reconciliations, and audit trails. These controls should be reviewed and evaluated by the internal auditor when testing which e-commerce audit area?
A. Fraud. B. Corruption of data.
C. Business interruptions.
D. Authentication.
When conducting an audit of e-commerce, IA should look for:
1. Network security controls (e.g. firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprise) and intrusion detection systems.
2. User identification systems (e.g. digital signatures).
3. Privacy and confidentiality controls.
4. A list of all e-commerce applications within the enterprise.
5. Maintenance activities to ensure continued operation.
6. Failure detection and automated repairs.
7. Application change management controls.
8. Business continuity plan in case of system interruption.
Continuous auditing in e-commerce: software that includes continuous risk assessment, control assessment, and assessment of continuous monitoring tools, able to uncover fictitious sales and returns.

ERP system: modular suites (chains) of business applications that share data between modules and store all data in a single repository (database).
Purpose: facilitate the flow of information between all business functions inside the boundaries of the org. and manage the connections to outside parties.
ERP reduces redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department.
ERP increases efficiency by keeping inventory levels low, reducing cycle time, and improving the timeliness of data for decision making.
Core modules of ERP: (a) finance, manufacturing, sales and distribution, human resources; (b) transaction processing system (TPS) and management information system (MIS); (c) customer relationship management (CRM) and supplier relationship mgt (SRM).
ERP simplifies gathering audit evidence.
Disparate applications use different languages, so an audit of ERP requires multiple workarounds (solutions) and redundancies.
IA assesses that mgt has evaluated the efficiency of the ERP relative to competitor ERPs.
IA needs to be involved in ERP development, monitor the implementation and the personnel training plan, and recommend ERP improvements.
Since it is integrated, there is no paper audit trail to follow between departments, and approvals tend to be automatic, exacerbating the segregation of duties issue.
Therefore, the audit must focus on IT controls such as the quality of passwords and other logical controls.
Even the best ERP is unlikely to cover all needs, so the remaining needs can be met through customization or configuration.
Customization: changing the code of the system to provide an unavailable process.
Configuration: changing preset parameters (cheaper and does not impede (disturb) upgrades).
To overcome the problem, ERP should separate business processes from controls.

WBEM: uses the external networking component of ERP to provide portal access to external vendors and large customers via XML communication.
Auditors should focus on controls (especially to protect the org's data).
Mgt and IT professionals should determine which information will be shared.
WBEM provides intl integration and best-of-breed systems (focus on niche).
Continuous auditing for ERP systems:
Automated controls in ERP must be designed and implemented with audit involvement.
Exception reports are needed to highlight unusual data/areas/operational concerns.
When identifying risks, auditors may find it useful to employ a top-down risk assessment (RA) to determine which applications to include as part of the control review and what tests need to be performed.
Example: 10-K Financial Statement Risk Analysis Approach (flow diagram; text recovered from the figure):
Financial statement assertions -> F/S accounts mapped to processes; processes mapped to BUs; non-financial disclosures mapped to processes.
Processes shown: Revenue and Receivables, Purchases and Payables, Treasury, Mgt and Financial Reporting/Accounting, Payroll and Benefits, Legal Compliance, Manufacturing, Investor Relations, Environmental (each mapped to BU 1, BU 2, BU 3 or Corporate).
Risk identification and analysis -> Risk assessment documents: risk analysis matrix by F/S accounts and disclosures; accounts risk analysis mapped to business and critical applications and underlying technology -> Prepare risk control matrix (manual and automated) -> Define risk assessment for application control.
See Risk Assessment Approach in the following section.
To add value to organization-wide AC risk assessment activities, internal auditors:
Define the universe of applications, databases, and supporting technology that use ACs.
Summarize risks and controls using matrices documented during the risk assessment process.
Define the risk factors associated with each application control, including:
Primary (i.e., key) application controls.
The design effectiveness of the application controls.
Pre-packaged or developed applications or databases.
Effectiveness of GCs residing within the application (e.g., change mgt, logical security).
Weigh all risk factors to determine which risks need to be weighed more heavily than others.
Determine a scale to rank each AC risk by considering qualitative and quantitative scales:
Numeric scales based on qualitative information (e.g., 1 = low impact, 5 = high impact).
Numeric scales based on quantitative information (e.g., 1 = < US $50 and 5 = > US $1,000).
Conduct the risk assessment and rank all risk areas.
Evaluate the risk assessment results.
Create a risk review plan that is based on the risk assessment and the ranked risk areas.
Notes: the RA approach is different from RA in risk management (RM). In the RA approach, the internal auditor does not decide the response to risks. The RA approach is used as input in establishing the review plan (e.g. determining the scope of the application control review).
Composite score = the sum of (risk factor weight x risk scale) over all risk factors.
The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5) + ...].
For this example, the auditor may determine that the application control review will include all applications with a score > 200.
Risk factor weighting (weights total 100):
Application contains primary controls: 20
Design effectiveness of the application control: 10
Pre-packaged or developed: 10
Application supports more than one critical business process: 10
Frequency of change: 10
Complexity of change: 10
Financial impact: 15
Effectiveness of the ITGCs: 15

Application | Primary controls (20) | Design effectiveness (10) | Pre-packaged/developed (10) | Multiple critical processes (10) | Frequency of change (10) | Complexity of change (10) | Financial impact (15) | ITGC effectiveness (15) | Composite score
App A | 5 | 1 | 5 | 5 | 3 | 3 | 5 | 2 | 375
App B | 1 | 1 | 2 | 1 | 1 | 1 | 4 | 2 | 170
App C | 5 | 2 | 2 | 1 | 5 | 5 | 5 | 2 | 245
App D | 5 | 3 | 5 | 1 | 5 | 5 | 5 | 2 | 395
App E | 5 | 1 | 1 | 1 | 1 | 1 | 3 | 2 | 225
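The composite scoring, ranking and > 200 scoping described above, recomputed from the weights and scale values in the table as an added example (not code from the original notes). The factor keys are names chosen for the illustration; the recomputation function also reports any printed score that does not equal the weighted sum of its row as printed, which is what an auditor's recomputation test would surface.

```python
# Added example (not from the original notes): recomputing the composite risk
# scores from the weighting row and the scale values printed in the table, ranking
# the applications and selecting the review scope. The factor keys are names I
# chose; weights, scale values and the > 200 threshold are taken from the notes.
RISK_FACTORS = [   # (factor, weight) in table order; the weights total 100
    ("contains_primary_controls", 20),
    ("design_effectiveness", 10),
    ("prepackaged_or_developed", 10),
    ("supports_multiple_critical_processes", 10),
    ("frequency_of_change", 10),
    ("complexity_of_change", 10),
    ("financial_impact", 15),
    ("itgc_effectiveness", 15),
]
# Scale values 1 (low) .. 5 (high) per factor, in the same order, as printed.
APPLICATIONS = {
    "App A": [5, 1, 5, 5, 3, 3, 5, 2],
    "App B": [1, 1, 2, 1, 1, 1, 4, 2],
    "App C": [5, 2, 2, 1, 5, 5, 5, 2],
    "App D": [5, 3, 5, 1, 5, 5, 5, 2],
    "App E": [5, 1, 1, 1, 1, 1, 3, 2],
}
PRINTED_SCORES = {"App A": 375, "App B": 170, "App C": 245, "App D": 395, "App E": 225}
REVIEW_THRESHOLD = 200


def composite_score(scales):
    """Sum of (weight x scale) over all factors, after validating the input."""
    if len(scales) != len(RISK_FACTORS):
        raise ValueError("one scale value per risk factor is required")
    if any(not 1 <= s <= 5 for s in scales):
        raise ValueError("scale values must be between 1 and 5")
    return sum(weight * s for (_, weight), s in zip(RISK_FACTORS, scales))


def rank_applications(apps=APPLICATIONS):
    """[(application, score), ...] from highest to lowest risk."""
    scored = [(name, composite_score(s)) for name, s in apps.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def review_scope(apps=APPLICATIONS, threshold=REVIEW_THRESHOLD):
    """Applications whose score exceeds the threshold, in ranked order."""
    return [name for name, score in rank_applications(apps) if score > threshold]


def recompute_check(apps=APPLICATIONS, printed=PRINTED_SCORES):
    """Recomputation of the printed scores; returns {app: (printed, recomputed)}
    for every row where the two disagree (App C's row as printed is one)."""
    return {name: (printed[name], composite_score(s))
            for name, s in apps.items() if printed[name] != composite_score(s)}
```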
Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process.
The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate information in a format that can be reviewed without the use of an automated tool.
Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
Audit specialized software may perform:
- Data queries
- Data stratification
- Sample extractions
- Statistical analysis
- Calculations
- Duplicated transactions
- Pivot tables
- Cross tabulation
- Missing sequence identification

Example ACL: verify duplicate transactions (screenshot not reproduced).

Example ACL: verify calculations (recomputation) (screenshot not reproduced).
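The duplicate transaction, duplicate vendor, missing sequence and recomputation tests from the list above, run over a constructed payment register in plain Python rather than ACL (an added example, not from the original notes). The column names and the sample rows are assumptions made for the illustration.

```python
# Added example (not from the original notes): four CAAT tests over a constructed
# payment register: exact duplicate payments, possible duplicate vendors, gaps in
# the cheque number sequence, and recomputation of extended amounts. The field
# names and sample rows are assumptions for the illustration.
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed payment register, as a CAAT would import it from the A/P system.
PAYMENTS_CSV = """cheque_no,vendor_id,vendor_name,invoice_no,qty,unit_price,extended
5001,V100,Acme Supplies Ltd,INV-771,10,12.50,125.00
5002,V200,Beta Tools,INV-090,4,99.99,399.96
5003,V100,Acme Supplies Ltd,INV-771,10,12.50,125.00
5005,V201,Beta Tools Inc.,INV-091,1,250.00,250.00
5006,V300,Gamma Freight,INV-300,3,80.00,260.00
"""


def load_payments(text=PAYMENTS_CSV):
    """Parse the register; money is kept as Decimal so recomputation is exact."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["cheque_no"] = int(r["cheque_no"])
        r["qty"] = int(r["qty"])
        r["unit_price"] = Decimal(r["unit_price"])
        r["extended"] = Decimal(r["extended"])
    return rows


def duplicate_payments(rows):
    """Exact duplicate test: same vendor, invoice and amount paid more than once."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor_id"], r["invoice_no"], r["extended"])].append(r["cheque_no"])
    return {key: cheques for key, cheques in groups.items() if len(cheques) > 1}


def normalize_name(name):
    """Drop case, punctuation and common suffixes so 'Beta Tools' == 'Beta Tools Inc.'"""
    words = [w.strip(".,").lower() for w in name.split()]
    return " ".join(w for w in words if w not in {"ltd", "inc", "llc", "co", "corp"})


def possible_duplicate_vendors(rows):
    """Duplicate vendor test: different vendor IDs whose normalized names collide."""
    by_name = defaultdict(set)
    for r in rows:
        by_name[normalize_name(r["vendor_name"])].add(r["vendor_id"])
    return {name: sorted(ids) for name, ids in by_name.items() if len(ids) > 1}


def missing_sequence(rows):
    """Missing sequence test: cheque numbers absent between the lowest and highest used."""
    used = {r["cheque_no"] for r in rows}
    return sorted(set(range(min(used), max(used) + 1)) - used)


def recompute_extended(rows):
    """Recomputation: qty x unit_price must equal the extended amount recorded."""
    return {r["cheque_no"]: (r["extended"], r["qty"] * r["unit_price"])
            for r in rows if r["qty"] * r["unit_price"] != r["extended"]}


def run_caats(text=PAYMENTS_CSV):
    """Run all four tests and return the exceptions for the working papers."""
    rows = load_payments(text)
    return {"duplicate_payments": duplicate_payments(rows),
            "duplicate_vendors": possible_duplicate_vendors(rows),
            "missing_cheques": missing_sequence(rows),
            "recompute_exceptions": recompute_extended(rows)}
```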
