
Module H - Information Systems Auditing

MODULE H
Information Systems Auditing
LEARNING OBJECTIVES

1. List and describe the general and application controls in a computerized information system.
   Review Checkpoints: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13
   Exercises, Problems and Simulations: 52, 53, 54, 55, 57, 58, 59, 60, 61, 62, 66
2. Explain the difference between auditing around the computer and auditing through the computer.
   Review Checkpoints: 14, 15, 16
   Exercises, Problems and Simulations: 51, 65
3. List several techniques auditors can use to perform tests of controls in a computerized information system.
   Review Checkpoints: 17, 18, 19, 20, 21
   Exercises, Problems and Simulations: 64
4. Describe the characteristics and control issues associated with end-user and other computing environments.
   Review Checkpoints: 22, 23, 24, 25
   Exercises, Problems and Simulations: 63
5. Define and describe computer fraud and the controls that an entity can use to prevent it.
   Review Checkpoints: 26, 27, 28, 29, 30
   Exercises, Problems and Simulations: 56
SOLUTIONS FOR REVIEW CHECKPOINTS
H.1 Given its extensive use, auditors must consider clients' computerized information systems technology. All auditors should have sufficient familiarity with computers, computerized information systems, and computer controls to be able to complete the audit of simple systems and to work with information system auditors. More importantly, auditors must assess the control risk (and the risk of material misstatement) regardless of the technology used for preparing the financial statements. In a computerized processing environment, auditors must study and test information technology general and application controls.
H.2 COBIT (which stands for Control Objectives for Information and Related Technology) represents a set of best practices for information technology management that has achieved general acceptance as the internal control framework for information technology. COBIT's basic principle is:
To provide the information the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information.
H.3 The four domains of COBIT (along with a brief description of each) are:
1. Plan and Organize: Summarizes how information and technology can be used within an entity to best achieve its goals and objectives.
2. Acquire and Implement: Focuses on identifying the related IT requirements, acquiring the necessary technology, and implementing the technology within the entity's business processes.
3. Delivery and Support: Focuses on the execution of applications within the IT system.
4. Monitor and Evaluate: Considers whether the IT system continues to meet the entity's objectives.
H.4 ITGC (information technology general controls) apply to all applications of a computerized information system, while ITAC (information technology application controls) apply to specific business activities within a computerized information system. Thus, ITGC operate at an overall entity level and ITAC operate at a transaction level.
H.5 The five major categories of ITGC are:
1. Hardware controls: Provide reasonable assurance that data are not altered or modified as they are transmitted within the system.
2. Program development: Provide reasonable assurance that (1) acquisition or development of programs and software is properly authorized, conducted in accordance with entity policies, and supports the entity's financial reporting requirements; (2) appropriate users participate in the software acquisition or program development process; (3) programs and software are tested and validated prior to being placed into operation; and (4) all software and programs have appropriate documentation.
3. Program changes: Provide reasonable assurance that modifications to existing programs (1) are properly authorized, conducted in accordance with entity policies, and support the entity's financial reporting requirements; (2) involve appropriate users in the program modification process; (3) are tested and validated prior to being placed into operation; and, (4) have been appropriately documented.
4. Computer operations: Provide reasonable assurance that the processing of transactions through the computerized information system is in accordance with the entity's objectives and actions are taken to facilitate the backup and recovery of important data when the need arises.
5. Access to programs and data: Provide reasonable assurance that access to programs and data is only granted to authorized users.
H.6 Auditors are not expected to be computer technicians with respect to hardware controls, but they should be familiar with the terminology and the way these controls operate. This will allow auditors to identify potential issues related to these controls and converse knowledgeably with the entity's computer personnel. If hardware controls fail, auditors should be primarily concerned with operator procedures in response to this failure.
H.7 The Systems Development Life Cycle (SDLC) is the process through which the entity plans, develops, and implements new computerized information systems or databases.
The SDLC includes the following controls related to program development and changes:
- Ensuring that software acquisition and program development efforts are consistent with the entity's needs and objectives.
- Following established entity policies and procedures for acquiring or developing software or programs.
- Involving users in the design of programs, selection of prepackaged software and programs, and testing of programs.
- Testing and validating new programs and developing proper implementation and "back out" plans prior to placing the programs into operation.
- Ensuring that data are converted completely and accurately for use in the new systems.
- Ensuring that consistent processes are followed and the most recent version of programs are implemented.
- Considering application controls that should be incorporated within the system to facilitate the accurate processing of data and transactions.
- Periodically reviewing entity policies and procedures for acquiring and developing software or programs for continued appropriateness and modifying these policies and procedures, as necessary.
H.8 The primary duties associated with various functions related to computerized information systems are:
- Systems Analyst: Analyze requirements for information, evaluate the existing system, and design new or improved computerized information systems.
- Programmer: Flowcharts the logic of the computer programs required by the computerized information system designed by the systems analyst.
- Computer Operator: Operates the computer for each accounting application system according to written operating procedures found in the computer operation instructions.
- Data Conversion Operator: Prepares data for machine processing by converting manual data into machine-readable form or directly entering transactions into the system using remote terminals.
- Librarian: Maintains control over (1) system and program documentation and (2) data files and programs used in processing transactions.
- Control Group: The control group receives input from user departments, logs the input and transfers it to data conversion, reviews documentation sequence numbers, reviews and processes error messages, monitors actual processing, compares control totals to computer output, and distributes output.
Separation of the duties performed by systems analysts, programmers, and computer operators is important. The general idea is that anyone who designs a computerized information system should not perform the technical programming work, and anyone who performs either of these tasks should not be the computer operator when "live" data are processed. Persons performing each function should not have access to each other's work, and only the computer operators should have access to the equipment.
H.9 ITGC are important in the auditors' evaluation of internal control and assessment of control risk (and the risk of material misstatement) because they are pervasive and the effectiveness of application controls relies heavily on the effectiveness of ITGC.
H.10 The objective of input controls is to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered and converted for processing.
H.11 Record counts are tallies of the number of transaction documents submitted for data conversion. These counts allow situations in which transactions may not have been input or may have been input more than once to be identified.
Batch totals are mathematical totals of an important quantity or amount, such as the total of sales dollars in a batch of invoices. Batch totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and, (3) transactions have been input more than once.
Hash totals are mathematical totals of a quantity or amount that is not meaningful, such as the total of all invoice numbers. Like batch totals, hash totals allow the following types of input errors to be detected: (1) input error for the wrong amount; (2) transactions have not been input; and, (3) transactions have been input more than once.
H.12 The objective of processing controls is to provide reasonable assurance that data processing has been performed accurately, without any omission or duplication of transactions. Examples of processing controls include:
- Run-to-run totals: Totals such as record counts, batch totals, and/or hash totals obtained at the end of one processing run are distributed to the next run and compared to corresponding totals produced at the end of the second run.
- Control total reports: Control totals, such as record counts, batch totals, hash totals, and run-to-run totals, can be calculated during processing and reconciled to input totals or totals from earlier processing runs.
- File and operator controls: External and internal labels ensure that the proper files are used in applications.
- Limit and reasonableness tests: These tests should be programmed to ensure that illogical conditions do not occur (for example, depreciating an asset below zero or calculating a negative inventory quantity).
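As an added example (not from the solutions manual), the Python below computes the record count, batch total and hash total of H.11 for a constructed batch of invoices, reconciles them after data conversion, and carries them forward as the run-to-run totals of H.12; the invoice numbers and amounts are made up for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    number: int       # document number, summed into the hash total
    amount: Decimal   # sales dollars, summed into the batch total


@dataclass(frozen=True)
class ControlTotals:
    record_count: int      # number of transaction documents in the batch
    batch_total: Decimal   # total of a meaningful quantity (sales dollars)
    hash_total: int        # total of a non-meaningful quantity (invoice numbers)


def control_totals(batch):
    """Compute the three input control totals the user department
    establishes before submitting a batch for data conversion."""
    return ControlTotals(
        record_count=len(batch),
        batch_total=sum((inv.amount for inv in batch), Decimal("0.00")),
        hash_total=sum(inv.number for inv in batch),
    )


def reconcile(expected, actual):
    """Return the names of the control totals that do not agree.
    An empty list means the batch passed through unchanged."""
    differences = []
    for field in ("record_count", "batch_total", "hash_total"):
        if getattr(expected, field) != getattr(actual, field):
            differences.append(field)
    return differences


def run_to_run(previous_run_totals, current_run_output):
    """Run-to-run totals: the totals carried forward from the end of one
    processing run are compared with the totals recomputed over the
    records the next run produced."""
    return reconcile(previous_run_totals, control_totals(current_run_output))


# Constructed sample batch: four invoices as submitted by the user department.
SUBMITTED = [
    Invoice(1001, Decimal("250.00")),
    Invoice(1002, Decimal("99.50")),
    Invoice(1003, Decimal("1200.00")),
    Invoice(1004, Decimal("45.25")),
]
INPUT_TOTALS = control_totals(SUBMITTED)   # 4 records, 1594.75, hash 4010


def keyed_wrong_amount():
    """Data conversion keyed invoice 1003 as 1020.00 instead of 1200.00."""
    return [Invoice(1003, Decimal("1020.00")) if i.number == 1003 else i
            for i in SUBMITTED]


def keyed_missing():
    """Invoice 1002 was never input."""
    return [i for i in SUBMITTED if i.number != 1002]


def keyed_twice():
    """Invoice 1004 was input twice."""
    return SUBMITTED + [SUBMITTED[-1]]


def keyed_wrong_number():
    """Invoice number 1003 was mis-keyed as 1030; the amount is right,
    so only the hash total exposes it."""
    return [Invoice(1030, i.amount) if i.number == 1003 else i
            for i in SUBMITTED]


def main():
    cases = {
        "clean": SUBMITTED,
        "wrong amount": keyed_wrong_amount(),
        "not input": keyed_missing(),
        "input twice": keyed_twice(),
        "wrong invoice number": keyed_wrong_number(),
    }
    for name, batch in cases.items():
        result = reconcile(INPUT_TOTALS, control_totals(batch))
        print(f"{name:22s} -> {result or 'all totals agree'}")


if __name__ == "__main__":
    main()
```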
H.13 The objective of output controls is to ensure that only authorized persons receive output or have access to files produced by the system. Some common output controls include:
- Control total reports: Compare control totals to input and run-to-run control totals produced during transaction processing.
- Master file changes: Any changes to master file information should be properly authorized by the entity and reported in detail to the user department from which the request for change originated.
- Output distribution: Systems output should only be distributed to persons authorized to receive the output.
H.14 The major steps in the auditors' assessment of control risk in a computerized processing environment include:
- Identify specific control objectives based on the types of misstatements that can occur in significant accounting applications.
- Identify the points in the flow of transactions where specific types of misstatements could occur.
- Identify specific control procedures designed to prevent or detect these misstatements.
- Evaluate the design of control procedures to determine whether the design suggests a low control risk and whether tests of controls might be cost-effective.
- Perform tests of the operating effectiveness of control procedures designed to prevent or detect misstatements (assuming it is cost-effective to do so).
H.15 The following are points in the processing of transactions at which misstatements may be introduced because of the use of computerized processing:
1. Preparation of source data for input.
2. Manual summary of data (preparation of batch totals and hash totals).
3. Conversion of source data into computer-readable form.
4. Use of incorrect input files in processing.
5. Transfer of information from one computer program to another.
6. Use of incorrect computer files in processing transactions.
7. Inappropriate initiation of transactions by the computer.
8. Creation of output files or update of master files.
9. Changes to master files outside the normal flow of transactions within each cycle through file maintenance procedures.
10. Production of output reports or files.
11. Correction of errors identified by control procedures.
H.16 Auditing "through the computer" refers to making use of the computer itself to test the operating effectiveness of application controls in the program used to process transactions. When auditing "around the computer", auditors are only concerned with the correspondence of the input with the output and do not specifically evaluate the effectiveness of the client's computer controls.
H.17
- Audit hooks: Client or auditors can select specific transactions of audit/control interest.
- Tagging transactions: Auditors or client select and "tag" transactions to capture a computer trail of the transaction.
- SCARF (systems control audit review file): Program that selects transactions according to auditors' or client's criteria (e.g. reasonableness limit).
- SARF (sample audit review file): Program that randomly selects transactions for review.
- Snapshot: Taking a "picture" of main memory of transactions and database elements before and after computerized processing.
- Monitoring systems activity: Computerized information system capture of activity records, such as all passwords used during a period.
- Extended records: Expanding the transaction record itself to include computer trail information, such as snapshot information before and after processing.
H.18 The test data technique uses simulated transactions created by auditors that are processed by the client's actual programs at a different time from the processing of actual client transactions. The integrated test facility technique is an extension of the test data technique, but simulated transactions for a "dummy" department or division are intermingled with the actual client transactions and processed along with actual client transactions.
H.19 It is true that fictitious (fake) transactions are not used by auditors when the information processing system is manual, but in a manual system, documentary evidence is available for visual examination to audit a client's control activities. New techniques are necessary to gather evidence and evaluate controls with computer programs. The client should be advised of the nature of the test data or integrated test facility and these procedures must be carefully controlled to prevent contamination of actual client files.
H.20 Both test data and parallel simulation are audit procedures that use the computer to test computer controls. The basic difference is that the test data procedure uses the client's program with auditor-created transactions, while parallel simulation uses an auditor-created program with actual client transactions. In the test data procedure, the results from the client program are compared to auditors' predetermined results to determine whether the controls operate as intended. In the parallel simulation procedure, the results from auditors' program are compared to the results from the client's program to determine whether the controls operate as intended.
H.21 Controlled reprocessing is another method of obtaining evidence regarding the operating effectiveness of the client's computer controls through parallel simulation. In controlled reprocessing, auditors create the "simulated system" by performing a thorough technical audit of the controls in the client's actual program, then maintain a copy of this program. Actual client data can later be processed using this copy of the client's program.
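As an added illustration (not the manual's) of the parallel simulation described in H.20 and H.21: an auditor-written program re-applies the sign and limit tests of a client's sales-edit program to actual client transactions and lists every transaction whose disposition differs from what the client's program reported. The transactions, the client program's output and the transaction limit are all constructed for the example.

```python
from decimal import Decimal

# Constructed: actual client transactions, since parallel simulation runs
# the auditor's program against real client data.
CLIENT_TRANSACTIONS = [
    {"id": "S-001", "customer": "C10", "amount": Decimal("500.00")},
    {"id": "S-002", "customer": "C11", "amount": Decimal("-20.00")},
    {"id": "S-003", "customer": "C12", "amount": Decimal("15000.00")},
    {"id": "S-004", "customer": "C10", "amount": Decimal("9999.99")},
    {"id": "S-005", "customer": "C13", "amount": Decimal("0.00")},
]

# Constructed: the disposition the client's own edit program reported
# for each transaction (S-003 should have been rejected by a limit test).
CLIENT_PROGRAM_OUTPUT = {
    "S-001": "accepted",
    "S-002": "rejected",
    "S-003": "accepted",
    "S-004": "accepted",
    "S-005": "rejected",
}

# Assumed client policy that the auditor's program simulates: amounts must
# be positive and may not exceed the per-transaction limit.
TRANSACTION_LIMIT = Decimal("10000.00")


def auditor_program(txn):
    """Auditor-created re-implementation of the client's edit checks:
    a valid-sign test followed by a limit test."""
    if txn["amount"] <= 0:
        return "rejected"
    if txn["amount"] > TRANSACTION_LIMIT:
        return "rejected"
    return "accepted"


def parallel_simulation(transactions, client_output, simulate=auditor_program):
    """Process the client's transactions with the auditor's program and
    return (id, auditor result, client result) for every disagreement.
    A transaction absent from the client output is reported as 'missing'."""
    exceptions = []
    for txn in transactions:
        expected = simulate(txn)
        actual = client_output.get(txn["id"], "missing")
        if expected != actual:
            exceptions.append((txn["id"], expected, actual))
    return exceptions


if __name__ == "__main__":
    for txn_id, expected, actual in parallel_simulation(
            CLIENT_TRANSACTIONS, CLIENT_PROGRAM_OUTPUT):
        print(f"{txn_id}: auditor program says {expected}, "
              f"client program reported {actual}")
```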
H.22 In an end-user environment, limited resources may result in a lack of separation of duties in the accounting function (initiate and authorize source documents, enter data, operate the computer, and distribute output) and computer functions (programming and computer operations).
H.23 Major characteristics in end-user computing environments include:
- Terminals are used for transaction data entry, inquiry, and other interactive functions.
- Purchased software packages are used extensively.
- Portable storage devices (compact disks (CDs) and Universal Serial Bus (USB) drives) are used for file storage.
- Available system, program, operation, and user documentation is often limited or does not exist.
Control problems in end-user computing environments include:
- Lack of separation of duties, both in accounting functions and computer functions.
- Lack of physical security over computer hardware, programs, and data files.
- Lack of documentation and testing.
- Limited computer knowledge.
H.24 Control procedures an entity can use to achieve control over computer operations in an end-user computing environment include:
- Restricting access to input devices
- Standard screens and computer prompting
- On-line editing and sight verification
H.25 Control procedures an entity can use to achieve control over computerized processing in an end-user computing environment include:
- Transaction logs
- Control totals
- Balancing input to output
- Audit trail
H.26 Five things used to facilitate computer fraud are (1) the computer, (2) data files, (3) computer programs, (4) system information (documentation), and (5) time and opportunity to convert the assets to personal use.
H.27 Physical controls that can be used to protect computerized information systems from fraud include:
- Inconspicuous location
- Controlled access
- Computer room guard (after hours)
- Computer room entry log record
- Preprinted limits on documents
- Data backup storage
H.28 Technical controls that can be used to protect computerized information systems from fraud include:
- Data encryption
- Access control software and passwords
- Transaction logging reports
- Control totals (both batch totals and hash totals)
- Program source comparison
- Range checks on permitted transaction amounts
- Reasonableness check on permitted transaction amounts
H.29 Administrative controls that can be used to protect computerized information systems from fraud include:
- Security checks on personnel
- Separation of duties
- Proper review of access and execution log records
- Program testing after modification
- Rotation of computer duties
- Transaction limit amounts
H.30 Methods of limiting damages resulting from computer fraud (through damage-limiting controls) include:
- Rotation of computer duties
- Transaction limit amounts
- Range checks on permitted transaction amounts
- Preprinted limits on documents (e.g., checks)
- Data backup storage
- Reasonableness check on permitted transaction amounts
SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS
H.31
a. Incorrect: This is a software function.
b. Incorrect: This is a programmer function.
c. Incorrect: This is an input control function.
d. Correct: This is an automated hardware function.
H.32
a. Correct: A payroll processing program is an example of user software.
b. Incorrect: The operating system program is an example of a system program.
c. Incorrect: Data management system software is an example of a system program.
d. Incorrect: Utility programs are examples of system programs.
H.33
a. Incorrect: The computer librarian is the appropriate person to maintain these files, since this individual has no access to the computer.
b. Correct: Computer operators should not have access to instructions and detailed program lists, since they would have enough knowledge to alter programs and run those programs.
c. Incorrect: The control group is appropriate for distributing output, since they do not have access to programs and computer.
d. Incorrect: Programmers are the appropriate individuals to write and debug programs, since they have no access to data.
H.34
a. Incorrect: Employee intelligence is not necessarily greater in a computerized environment.
b. Incorrect: Due to the limitations of computer evidence (it may only exist for a very brief time), auditors should audit the computerized information system throughout the year.
c. Incorrect: Large dollar amounts are not unique to a computerized environment.
d. Correct: Due to the accessibility of a large number of computer terminals, employees have greater access to computerized information systems and computer resources in a computerized environment.
H.35
a. Incorrect: Control totals detect input and processing errors.
b. Incorrect: Record counts are used to ensure that all transactions are entered once, and only once.
c. Incorrect: Limit tests identify items larger than expected during input or processing.
d. Correct: External labels reduce the likelihood that operators will use the incorrect file.
H.36
a. Incorrect: Copies of client data files for controlled reprocessing should be obtained from the client, but not extracted using CAATs.
b. Correct: CAATs can be used to create a parallel simulation to test the client's computer controls.
c. Incorrect: CAATs are not designed to perform tests of a client's hardware controls.
d. Incorrect: Attempting to enter false passwords is the best way to test the operating effectiveness of a client's password access control, not the use of CAATs.
H.37
a. Correct: It may be appropriate to audit simple systems without testing computer programs; essentially, the client is using this system in a manner similar to a calculator.
b. Incorrect: The impact of computerized processing on master files would require the computer programs to be tested.
c. Incorrect: Auditors cannot audit "around the computer" when limited output is available.
d. Incorrect: See (b) and (c).
H.38
a. Incorrect: Condensing data would not necessarily result in a more efficient audit.
b. Correct: Abnormal conditions inform auditors of potential issues and allow them to focus their efforts on these issues.
c. Incorrect: Reduced tests of controls would depend upon the content of the exception reports (i.e., number of exceptions), not the existence of these reports.
d. Incorrect: Exception reporting is an example of an output control, not an input control.
H.39
a. Incorrect: The use of test data evaluates computer controls, not input data.
b. Incorrect: Machine capacity can be evaluated by reference to the manufacturer's specifications.
c. Correct: Test data are used to examine the operating effectiveness of computer control procedures.
d. Incorrect: Test data provide evidence on specific application control procedures, not information technology general controls.
H.40
d. Correct: In a computerized processing environment, a sample of one transaction is sufficient because the computer handles all transactions identically.
H.41 NOTE TO INSTRUCTOR: Since this question asks students to identify the statement that is not true, the response labeled correct is not true and those labeled incorrect are true.

a. Incorrect: The test data approach does test the client's computer programs.
b. Incorrect: Test data need to include only the transactions that test control procedures auditors believe to be important.
c. Correct: Test data need to include only the transactions that test control procedures auditors believe to be important.
d. Incorrect: One of each deviation condition is sufficient, because the computer handles each transaction in an identical manner.
H.42
a. Incorrect: Auditors may submit test data at several different times to gain additional assurance on the processing of transactions.
b. Incorrect: Manually comparing detail transactions to the program's actual error messages is a way of verifying the operation of computer control procedures.
c. Incorrect: Comparing transactions processed through a separate program to those processed through the client's program is a form of parallel simulation and will test the operation of computer controls.
d. Correct: This is an example of auditing "around the computer" and will not test the operation of computer control procedures.
H.43
a. Incorrect: Writing a computer program that simulates the logic of a good password control system does not test the actual system.
b. Incorrect: A test of proper authorization is not a test of actual access to the system.
c. Correct: Attempting to sign onto the computer system with a false password is similar to a test data approach. Several different types of false passwords might need to be used.
d. Incorrect: Written representations are not a direct or reliable form of evidence on a detailed matter such as password controls.
H.44
a. Incorrect: Inquiries produce a relatively weak form of evidence.
b. Incorrect: Observation is not relevant to the performance of computer controls.
c. Correct: This method will test computer controls since it compares known input with computer output.
d. Incorrect: The run manual provides information to the computer operator and does not allow auditors to test computer controls.
H.45
a. Incorrect: Computers do not make mathematical errors.
b. Correct: When personal computers are used, it is easier for unauthorized persons to access the computer and alter data files.
c. Incorrect: Transaction coding prior to computerized processing is necessary and an advantage to an entity.
d. Incorrect: The rarity of random errors in report printing is an advantage, not a disadvantage.
H.46
a. Incorrect: Batch processing involves delays in processing transactions.
b. Correct: Real-time processing handles transactions as they occur and does not have the delays associated with batch processing.
c. Incorrect: Integrated data processing refers to situations in which multiple users access elements in a database and is not involved with the timeliness of processing transactions.
d. Incorrect: Random access processing refers to the use of disk files versus tape files and is not involved with the timeliness of processing transactions.
H.47 NOTE TO INSTRUCTOR: Since this question asks students to identify the statement that is not a characteristic of a batch processing system, the response labeled correct is not a characteristic of a batch processing system and those labeled incorrect are examples of a batch processing system.
a. Incorrect: In a batch processing system, all transactions are processed at a single time.
b. Incorrect: This is a characteristic of batch processing systems.
c. Incorrect: Batch processing systems produce printouts and reports as the transactions are processed through the system.
d. Correct: This characteristic describes a real-time processing system.
H.48
a. Correct: Check digits are embedded algorithms that prevent incorrect characters from being input.
b. Incorrect: Record counts involve totaling the number of items input. In this case, the correct number of transactions would be input, so a record count would not detect the error.
c. Incorrect: Hash totals involve a number of transactions, not single transactions.
d. Incorrect: A redundant data check is a hardware control to make sure that computers properly communicate with each other.
H.49
a. Incorrect: Sequence checking tests the input data for numerical sequence of documents when sequence is important for processing, as in batch processing. This control does little to address transaction accuracy.
b. Correct: Batch totals sum dollar amounts of items that have numerical significance (such as inventory data). These totals will address the completeness and accuracy of data input.
c. Incorrect: Limit checks are input controls that prevent numbers outside of a specified range from being incorrectly input. These controls might address accuracy, but not completeness.
d. Incorrect: Check digits are embedded algorithms that prevent incorrect characters from being input, but provide little assurance that data are completely entered.
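As an added example (not part of the solutions), the mod 10 (Luhn) algorithm is assumed here as one common check-digit scheme to show what H.48 and H.49 say about check digits: a mis-keyed character in a document or account number is rejected at input, while the control says nothing about whether the batch is complete. The customer number and the keying errors are constructed.

```python
def mod10_check_digit(body: str) -> int:
    """Mod 10 (Luhn) check digit for a string of digits. Working from the
    rightmost digit of the body, every other digit is doubled (and reduced
    by 9 if the result exceeds 9); the check digit is whatever brings the
    total to a multiple of 10."""
    if not body.isdigit():
        raise ValueError("check digits are defined for digit strings only")
    total = 0
    for position, ch in enumerate(reversed(body)):
        digit = int(ch)
        if position % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return (10 - total % 10) % 10


def with_check_digit(body: str) -> str:
    """Return the number as it would be printed on the source document."""
    return body + str(mod10_check_digit(body))


def is_valid(number: str) -> bool:
    """Input control: accept the keyed number only if its last digit equals
    the check digit recomputed from the digits before it. The scheme catches
    every single mis-keyed digit and most adjacent transpositions (the
    known exception is swapping 09 and 90)."""
    if len(number) < 2 or not number.isdigit():
        return False
    return mod10_check_digit(number[:-1]) == int(number[-1])


# Constructed sample: customer number "100235" plus its check digit.
CUSTOMER_NUMBER = with_check_digit("100235")   # "1002351"


def keying_errors_detected(correct: str, keyed_variants):
    """For each mis-keyed variant of a correct number, report whether the
    check-digit control rejects it (True) or lets it through (False)."""
    return {keyed: not is_valid(keyed)
            for keyed in keyed_variants if keyed != correct}


if __name__ == "__main__":
    print("printed on document:", CUSTOMER_NUMBER)
    for keyed, rejected in keying_errors_detected(
            CUSTOMER_NUMBER, ["1002341", "1002531"]).items():
        print(f"keyed {keyed}: {'rejected' if rejected else 'accepted'}")
```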
H.50
a. Incorrect: Programmers code the logic in the computer program.
b. Incorrect: Data conversion operators prepare data for computerized processing.
c. Correct: The librarian controls access to systems documentation and access to program and data files.
d. Incorrect: Computer operators operate the computer for each application according to written operating procedures found in the computer operation instructions.
SOLUTIONS FOR EXERCISES, PROBLEMS AND SIMULATIONS
H.51 Auditing "Around" versus Auditing "Through" Computers
a. Auditing "around" the computer generally refers to auditors reconciling inputs to processing results. Little or no attempt is made to audit the computer controls, programs, or procedures employed by the computer to process the data. This audit approach is based on the premise that the method of processing data is irrelevant as long as the results can be traced back to the input of data and the input can be validated. If the sample of transactions has been handled correctly, then the system outputs can be considered to be correct within a satisfactory degree of confidence.
b. Auditors would decide to audit "through" the computer instead of "around" the computer when (1) the computer applications are complex or (2) audit trails become partly obscured and external evidence is not available. Auditing "around" the computer would be inappropriate and inefficient when the major portion of the client's internal controls are embodied in the computer system and when accounting information is intermixed with operation information in a computer program that is too complex to permit the ready identification of data inputs and outputs. Auditing "around" the computer will also be ineffective if the sample of transactions selected does not include unusual transactions that require special treatment.
c. (1) Test data are a set of data representing a full range of simulated transactions, some of which may be erroneous, to test the effectiveness of the computer controls and to ascertain how transactions would be handled (accepted or rejected) and if accepted, the effect they would have on the accumulated accounting data.
(2) Auditors may use test data to gain a better understanding of what the computerized information system does, and to check its conformity to desired objectives. Test data may be used to test the processing accuracy by comparing computer results with results predetermined manually. Test data may also be used to determine whether errors can occur without observation and thus test the system's ability to detect noncompliance with prescribed procedures and methods.
d. To ensure that the auditors are using the client's actual computer programs, they can either request the program from the librarian on a surprise basis or request access to the program immediately following the client's use of the program to process transactions.
H.52 Computer Internal Control Questionnaire Evaluation
Does access to online files require specific passwords to be entered to identify and validate the terminal user? Unauthorized access may be obtained to programs or data resulting in the loss of assets or other entity resources through theft or fraud.
Does the user establish control totals prior to submitting data for processing? Sales transactions may be lost in data conversion or processing, or errors made in data conversion or processing.
Are input totals reconciled to output control totals? Control totals are not useful unless they are reconciled to equivalent totals determined following processing. As a result, auditors would fail to detect errors made in the input or processing of data.
H.53 Batch versus Real-Time Processing
a. When using batch processing, a group of similar transactions is processed simultaneously, using the same program. In contrast, real-time processing involves processing transactions as they occur without delay.
Batch processing is more likely to be used in situations where transactions occur at periodic and infrequent intervals (such as payroll transactions). Real-time processing is more likely to be used in situations where transactions occur frequently and more immediate processing is necessary (such as sales made to the entity's customers).
b. With respect to input controls, both methods of processing allow for controls related to individual transactions to be implemented, such as the use of check digits, valid character tests, valid sign tests, sequence tests, limit and reasonableness tests, and error correction and resubmission. However, because transactions are not collected (or "batched") in a real-time processing environment, the use of record counts, batch totals, and hash totals is not possible. The collection of transactions in a batch processing system allows these types of controls to be used.

H.54 File Retention and Backup
a. A grandfather-father-son file retention policy involves retaining two predecessor master and transaction files as backup for the current file. This provides a method for reconstructing the files in the event of accidental destruction of a file used during processing.
b. Retaining two generations of backup files generally provides adequate protection. An additional generation might be maintained if the file is crucial or if there is a high rate of file destruction. If all generations are stored together, they are vulnerable to loss through a common catastrophe, such as fire, theft, or a malicious act. For this reason it is desirable that at least one generation of backup files be maintained in a separate location that is well protected from environmental hazards such as fire or magnetic interference. Access to both storage areas should be limited, and the librarian function should be specifically assigned.

H.55 Separation of Duties and General Control Procedures
a. The primary internal control objectives in separating the programming and operating functions are achieved by: (1) preventing programmer access to the computer or to input or output documents; (2) preventing operator access to operating programs and operating program documentation; and (3) preventing operators from developing or modifying programs.
Programmers should not be allowed in the computer room during processing. They should submit their tests to be scheduled and run by the operators like any other job.
Operators should not be allowed to interfere with the running of any program. If an application fails, the operators should not be allowed to attempt to fix the programs. The failed application should be returned to the programmers for correction.
b. In a small computer installation where there are few employees, separation of the programming and operating functions may not be possible (as in an end-user computing environment). Important compensating controls for the lack of segregation of duties include:
- Comparison of manual control totals with totals from computer output.
- Careful inspection of output for accuracy.
- Joint operation by two or more operators.
- Rotation of assigned duties among individuals.
- Comparison of computer use time to averages or norms, and investigation of excess usage.
- Proper supervision of all computer operations.
- Required vacations for all employees.

H.56 Computer Frauds and Missing Control Procedures
a. The following control procedures were either not established or not operating properly:
- Authorization and data entry (recordkeeping) functions are not appropriately separated.
- Receipt (receiving report) not matched or independently coded.
- No approved master file of authorized vendors for matching payees to authorized vendors.
- No range checks or limit or reasonableness tests to flag large check amounts (the average check was $31,000 in the entity).
b. The following control procedures were either not established or not operating properly:
- Lack of separation of employee accounts from investors' accounts for control group review of activity.
- Failure to log employee-investor transfer transactions, which would have detected this type of manipulation.
c. In this case, password access controls were not established or operating properly.
d. In this case, the time in the system was not checked against the actual time.

H.57 Information Technology General Controls
Each item gives the type of ITGC, the control objective, and a test of control.

a. Hardware
Objective: The entity's computer equipment functions effectively and according to established specifications.
Test of control: Either inquire of the entity's management as to the maintenance performed or inspect documentary evidence that the maintenance was performed.

b. Access to programs and data
Objective: Only authorized individuals have the ability to access the entity's computer files and programs.
Test of control: Attempt to "log in" using a fictitious password. Verify (through inquiry or documentary evidence) that passwords are modified every three months.

c. Program change
Objective: All "emergency" change requests are properly authorized by the entity and consistent with the entity's objectives.
Test of control: Inspect documentary evidence showing authorization of "emergency" change requests.

d. Computer operations
Objective: The entity is protected from loss or destruction of files.
Test of control: Inspect the backup and storage of files in safe, off-site locations.

e. Program development
Objective: Programs and prepackaged software will meet the needs of the entity's users.
Test of control: Inquire of the entity's management or inspect documentary evidence that users are involved in the design of programs and the selection of prepackaged software.

f. Computer operations
Objective: Significant delays in processing transactions will not occur.
Test of control: Inspect documentary evidence of how processing failures are resolved, paying particular attention to the timeliness of the resolution.

g. Program development
Objective: Programs developed by the entity will meet its processing needs.
Test of control: Inspect documentary evidence that the entity's needs and objectives were considered in the program development process.

h. Program change
Objective: Individuals within the entity can identify the reasons for each modification, and all modifications are made for legitimate purposes.
Test of control: Inspect documentary evidence that program modifications are properly documented.

i. Computer operations
Objective: Individuals within the entity are not in a position to engage in a fraudulent defalcation scheme.
Test of control: Inquire as to the separation of duties or, through direct observation, verify that incompatible functions are not being performed by the same individual(s).

j. Access to programs and data
Objective: Programs are not being accessed by unauthorized individuals and users.
Test of control: Inspect documentary evidence of comparisons between the user listing and the record of user access.

k. Hardware
Objective: Data will be correctly transmitted by the computer as it moves through the computerized information system.
Test of control: Inspect hardware specifications from the computer vendors.

H.58 Information Technology Application Controls: Input Controls
NOTE TO INSTRUCTOR: Below is one possible response for each control. Others are possible, depending upon the data item selected by the student.
a. A check digit can be calculated and appended to the employee number to ensure accurate input of the employee number. Check digits are most appropriate for this data item, since it is entirely numeric (unlike the entity division) and will remain constant over time (unlike the hours worked).
b. Brady can count the total number of employee attendance records submitted and compare this to the total number of records entered into the computerized information processing system (record count).
c. The total hours worked can be determined prior to input and compared to the total entered into the computerized information processing system (batch total).
d. The total of the employee numbers can be determined prior to input and compared to the total entered into the computerized information processing system (hash total). The entity division is an alphanumeric field, so a hash total on this field would not be possible.
e. Valid character tests can ensure that only numeric information is entered for employee numbers and hours worked, while permitting alphabetic entries in the first two positions of the entity division and numeric entries in the last three positions of the entity division.
f. Valid sign tests can ensure that negative entries are not permitted for employee number, entity division, and hours worked.
g. Limit or reasonableness tests can identify entries for a large number of hours worked (for example, greater than 100 hours per week). Limit or reasonableness tests would generally not be appropriate for either employee number or entity division.
h. Error correction and resubmission controls should allow personnel to correct any errors identified by the input controls noted in (a) through (g) above and promptly resubmit the transaction for processing.

H.59 Audit Simulation: Identify Computer Control Weaknesses
a. Weaknesses and recommendations:
Weakness: Lack of separation of duties.
Recommendation: Computer operations, program changes, and maintenance of computer logs should be performed by different people.
Weakness: Librarian function does not exist.
Recommendation: Custody and control over databases and system documentation should be under a librarian function and not rotated among computer operators.
Weakness: Computer programmers have access to the computer room.
Recommendation: Modify access procedures to restrict access to the computer room to computer operators only.
Weakness: Deficient documentation.
Recommendation: Documentation of flowcharts, program changes, systems software, and testing should be required.
Weakness: No computer price list.
Recommendation: In the manual entry process, the clerk should not need to enter the sales price manually. This information should be accessed from a computer file.
Weakness: Numerical sequence of shipping notices is manually checked by the billing clerk.
Recommendation: The computer should be used to check the numerical sequence of shipping notices.
Weakness: Control totals determined by the billing clerk do not appear to be used appropriately.
Recommendation: The billing clerk's control total of sales should be compared to the total sales processed by the computer.
Weakness: Open invoice file serves as the detail accounts receivable record.
Recommendation: The computerized information system should be programmed to maintain customer accounts receivable records.
b. Shipping clerks could enter the date, customer identification number, shipment quantities, and product identification numbers at a terminal. The computer system could then automatically produce a sales invoice.
Controls include:
- Autoclock date checking.
- Check digits for customer identification numbers and product identification numbers.
- Hash total of customer identification numbers.
- Automatic numbering of sales invoices.
- Use of an authorized price list through reference to computer files.
- Control total comparison of hash totals of identification numbers in run-to-run totals.

H.60 Audit Simulation: Identify Control Weaknesses and Recommendations
1. Weakness: Computer department functions have not been appropriately separated, since one employee completely controls programming and operations.
Recommendation: The functions of systems analysis and design, programming, and computer operations should be separated.
2. Weakness: Records of computer operations have not been maintained.
Recommendation: In order to properly control usage of the computer, a usage log should be kept and reconciled by the supervisor.
3. Weakness: Physical control over computer operations is not adequate. All computer department employees have access to the computer.
Recommendation: Only operating employees should have access to the computer room. Programmers' usage should be limited to program testing and debugging.
4. Weakness: System operations have not been adequately documented. No record has been kept of adaptations made by the programmer or of new programs.
Recommendation: The entity should maintain current system and program flowcharts, record layouts, program listings, and operator instructions. All changes in the system should be documented.
5. Weakness: Physical control over files and system documentation is not adequate. Materials are unguarded and readily available in the computer department.
Recommendation: Programs and file libraries should be carefully controlled in a separate location, preferably by a librarian who does not have access to the computer.
6. Weakness: The entity has not made use of computer controls. Some of the procedures and controls used in the tabulating system may be unnecessary or ineffective in the computerized information system.
Recommendation: Computer controls should be used to supplement existing manual controls, and an independent review should be made of manual controls and tabulating system procedures to determine their applicability. Examples of computer controls that might be programmed include data reliability tests, check digits, limit and reasonableness tests, sequence checks, and error routines for unmatched items, erroneous data, and violations of limits.
7. Weakness: Manual insertion of prices on shipping notices by the billing clerk is inefficient and subject to error.
Recommendation: The entity's price list should be included in a master file and matched with product numbers on the shipping notices to obtain appropriate prices.
8. Weakness: Manual checking of the numerical sequence of shipping notices by the billing clerk is inefficient and subject to error.
Recommendation: The computer should be programmed to check the numerical sequence of shipping notices and provide a report of any missing number(s).
9. Weakness: Control over computer input is not effective. The computer operator has been given responsibility for checking agreement of output with the control tapes. This is not an independent check.
Recommendation: The billing clerk (or another designated control clerk) should retain the control tapes and check them against the daily sales register. This independent check should be supplemented by programming the computer to check control totals and print error messages where appropriate.
10. Weakness: The billing clerk should not maintain accounts receivable detail records.
Recommendation: If receivable records are to be maintained manually, a receivable clerk who is independent of billing and cash collections should be designated. If the records are updated by the computer department, as recommended below, there should still be an independent check by the general accounting department.
11. Weakness: Accounts receivable records are maintained manually in an open invoice file.
Recommendation: These records could be maintained more efficiently in a computer file.
12. Weakness: The billing clerk should not receive or mail invoices.
Recommendation: Copies of invoices should be forwarded by the computer department to the customer (or to the mailroom) and distributed to other recipients in accordance with established procedures.
13. Weakness: Maintaining a chronological file of invoices appears to be unnecessary.
Recommendation: Discontinue the practice of maintaining a chronological file of invoices. This file's purpose may be fulfilled by the daily sales register.
14. Weakness: Sending duplicate copies of invoices to the warehouse is inefficient.
Recommendation: The computer can be programmed to print a daily listing of invoices applicable to individual warehouses. This will eliminate the sorting of invoices.

H.61 Audit Simulation: Information Technology Application Controls
1. The use of a login protocol appears to be an effective control, since the beginning and ending times of an employee's workday cannot be altered or manipulated by that employee. As with any process of this type, the possibility exists that employees may log in, leave the premises, and return to log out at a later time without actually performing work responsibilities. However, this behavior would likely be identified by that employee's supervisor at some later time.
2. Requiring Merriman's employees to approve their own attendance records prior to submission allows unusual situations to be identified (for example, an employee forgetting to log in or log out on a particular workday). Authorization of these records also provides the entity with appropriate evidence of intent in cases where employees attempt to engage in fraudulent activities with respect to submitting false attendance information, since employees cannot claim they were unaware of the hours they submitted.
3. Supervisory approval is an effective control, as it serves as the first line of defense in detecting fraudulent employee activities with respect to attendance information. This control may also be effective for Merriman in identifying situations where a terminated employee has not been removed from the payroll. Finally, it may identify situations where salaried employees are not working sufficient hours.
4. In data conversion, a number of input controls should be considered. Some examples follow:
- A check digit can be calculated for each employee number and appended to that number.
- Record counts of the number of employee records can be made prior to input and compared to totals generated by the computer program following data conversion.
- Batch totals (using hours worked) and hash totals (using attendance record numbers and employee numbers) can be calculated prior to input and compared to totals generated by the computer program following data conversion.
- Valid character tests can reject any entry that includes an alphabetic character (assuming that the reference number and employee number consist exclusively of numeric characters).
- Valid sign tests will ensure that no negative amounts are entered for hours worked.
- Missing data tests can reject any entry that does not include both the employee number and the hours worked.
- Sequence tests can identify any missing payroll attendance records.
- Limit or reasonableness tests can be used to identify any hours worked that exceed some reasonable threshold (for example, greater than 150 hours in any two-week payroll period).
5. Prior to processing, it is important that any errors in data conversion detected by the input controls noted in (4) are corrected and resubmitted. This correction should allow any data conversion errors to be resolved in a timely fashion and not unnecessarily delay the processing of other employee records within the batch.
At this point, the following processing controls could be considered:
- Control total reports could be generated and summarized for attendance record numbers (hash total), employee numbers (hash total), and hours worked (batch total).
- The number of records processed can be identified and compared to the number of attendance reports submitted (record count).
- The use of file labels (either internal or external) provides reasonable assurance that the most recent version of the payroll master file was used in processing payroll transactions.
- Limit and reasonableness tests can be used to identify processing errors (for example, identifying any employee with a bi-weekly gross pay in excess of $500,000 or less than $500).
An additional issue relates to the hours worked by salaried employees. A limit or reasonableness test could identify situations where salaried employees are not working sufficient hours to justify their level of compensation. This test could flag salaried employees whose hours worked are less than some predetermined threshold (for example, 20 hours per week).
Finally, Merriman could modify its system to eliminate the data conversion process in (4) and use the computer records submitted by employees without the intermediate step of data conversion. If so, run-to-run totals could be used to provide reasonable assurance that all records have been received for processing and no records were processed more than once.
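The input controls listed in H.58 and in items 4 and 5 above, as an added worked example that is not part of the solutions manual or the Merriman case. It keys a constructed attendance batch through the edit checks (check digit, valid character, valid sign, missing data, limit, sequence) and then reconciles the record count, batch total and hash totals computed from the keyed data to the totals a control clerk established on the source documents. The Luhn (mod-10) check digit, the 150-hour ceiling, the record layout and every sample value are assumptions made for the example.

```python
"""Input edit checks and batch control totals for a payroll attendance batch.

Added example, not from the solutions manual. The field layout, the Luhn
(mod-10) check digit and the sample batch are constructed for illustration.
"""
from dataclasses import dataclass

HOURS_LIMIT = 150.0   # reasonableness ceiling for a two-week pay period (item 4 above)


@dataclass(frozen=True)
class Record:
    record_no: str    # pre-numbered attendance record number
    employee_no: str  # six-digit body plus a Luhn check digit
    hours: str        # exactly as keyed; converted only after the edit checks


def luhn_check_digit(body: str) -> str:
    """Mod-10 check digit for a numeric body (rightmost body digit is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """Check digit test: a mis-keyed or transposed digit fails here."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def edit_check(rec: Record) -> list[str]:
    """Names of the input controls the record fails; an empty list means accepted."""
    failed = set()
    if not rec.employee_no or not rec.hours:
        return ["missing_data"]                 # nothing further can be tested
    if not rec.employee_no.isdigit():
        failed.add("valid_character")           # employee number must be all numeric
    elif not check_digit_valid(rec.employee_no):
        failed.add("check_digit")
    try:
        hours = float(rec.hours)
    except ValueError:
        failed.add("valid_character")
        return sorted(failed)
    if hours < 0:
        failed.add("valid_sign")
    elif hours > HOURS_LIMIT:
        failed.add("limit")
    return sorted(failed)


def control_totals(records: list[Record]) -> dict[str, float]:
    """Record count, batch total of hours and hash totals of the identifier fields.
    A field that is not numeric adds nothing; the edit checks report it separately."""
    def num(s: str) -> float:
        try:
            return float(s)
        except ValueError:
            return 0.0
    return {
        "record_count": len(records),
        "batch_total_hours": sum(num(r.hours) for r in records),
        "hash_total_employee_no": sum(num(r.employee_no) for r in records),
        "hash_total_record_no": sum(num(r.record_no) for r in records),
    }


def sequence_gaps(records: list[Record]) -> list[str]:
    """Sequence test: pre-numbered records that never reached data conversion."""
    present = {int(r.record_no) for r in records}
    return [f"{n:04d}" for n in range(min(present), max(present) + 1) if n not in present]


def convert_batch(keyed: list[Record], clerk_totals: dict[str, float]) -> dict:
    """Data conversion: run the edit checks on every keyed record, then reconcile
    the totals computed from the keyed data to the totals the user established
    before submitting the batch."""
    rejected = {}
    for rec in keyed:
        failed = edit_check(rec)
        if failed:
            rejected[rec.record_no] = failed
    computed = control_totals(keyed)
    return {
        "rejected": rejected,
        "missing_records": sequence_gaps(keyed),
        "total_discrepancies": {
            name: (clerk_totals[name], computed[name])
            for name in clerk_totals if clerk_totals[name] != computed[name]
        },
    }


# Constructed sample. Eight source documents are what the control clerk totalled...
SOURCE_DOCUMENTS = [
    Record("0101", "1234566", "40.0"), Record("0102", "2003176", "45.5"),
    Record("0103", "2003176", "38.0"), Record("0104", "5555552", "8.0"),
    Record("0105", "1234566", "42.0"), Record("0106", "2003176", "16.0"),
    Record("0107", "1234566", "40.0"), Record("0108", "5555552", "40.0"),
]
CLERK_TOTALS = control_totals(SOURCE_DOCUMENTS)

# ...but only seven records reached the computer, and four of them carry keying errors.
KEYED_BATCH = [
    Record("0101", "1234566", "40.0"),
    Record("0102", "2003176", "45.5"),
    Record("0103", "2003177", "38.0"),    # last digit mis-keyed: check digit fails
    Record("0104", "5555552", "-8.0"),    # sign error
    Record("0106", "2003176", "160.0"),   # 16.0 keyed as 160.0; record 0105 was never keyed
    Record("0107", "12345A6", "40.0"),    # alphabetic character in a numeric field
    Record("0108", "", "40.0"),           # employee number missing
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(convert_batch(KEYED_BATCH, CLERK_TOTALS))
```

The record count discrepancy (8 against 7) says a record was lost in conversion; the sequence test says which one (0105). The edit checks catch the keying errors that the totals alone would only show as unexplained differences, which is why both kinds of control appear in item 4 and again as processing controls in item 5.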
6. The calculation of deductions is, in some sense, an extension of the calculation of gross pay. Assuming that the controls in (5) are implemented, similar controls would be effective in determining deductions and net pay (particularly limit and reasonableness tests). Other controls related to this step include:
- The use of standardized income tax and FICA withholding tables provides reasonable assurance that these deductions are accurately determined using the employees' withholding information.
- The use of file labels (either internal or external) provides reasonable assurance that the most recent version of the payroll master file was used in calculating deductions. Employee withholding information (number of exemptions, contribution levels to 401(k) plans, etc.) is likely to change more frequently than pay information (wage rate or salary), making this control particularly important for withholdings.
7. Review of the payroll register provides reasonable assurance that "obvious" processing errors (extraordinarily high or low levels of gross pay, deductions, or net pay) are identified. Other controls that could be considered by Merriman are:
- The data control group should reconcile the control totals calculated through processing to the corresponding totals it established before processing.
- Any changes to the employees' master file records should be reported to the requesting department.
- The distribution of the payroll register should be limited to specific individuals.
8. For funds electronically transferred, Merriman should periodically verify the account information on file for employees and verify that the designated employees are still employed by Merriman. For paychecks, Merriman should keep them in a safe place, under the control of individuals who are otherwise not involved in the processing of payroll transactions. In addition, Merriman should verify that employees are still employed by Merriman and request proper identification prior to distributing paychecks to employees.

H.62 Flowchart Control Points
1. Control over issuance and retirement of badges.
2. Control totals developed from the input card punch operation, with comparison to detail records to ensure that all cards are processed accurately.
3. Control over authority for master file changes and over custody of the master file.
4. Controls to ensure that exceptions are resolved by the foreman (e.g., review procedures or a surprise audit, if necessary).
5. Control over authority to issue special and indirect labor charges, to maintain the integrity of the cost accounting system.
6. Control totals developed for input job transaction cards and the output error listing to ensure that all cards are processed and reprocessed accurately. Controls to ensure that all rejected and erroneous transactions are cleared promptly (e.g., review procedures and a surprise audit, if necessary).

H.63 Audit Simulation: Internal Control Considerations in an End-User Computing Environment
Although the addition of personal computers may well prove beneficial to Chicago Appliance, a number of apparent internal control weaknesses exist that could have serious ramifications.
1. The diskettes are stored near the computer, and employees are "encouraged" to experiment with the computer. Thus, many employees appear to have access to the accounts receivable and fixed asset diskettes. Such access could result in improper alteration of the related data or programs.
2. The accounts receivable program was partially reprogrammed by the controller and thus appears readily susceptible to change. Tampering with a "live" program could result in the improper processing of data.
3. The accounts receivable program does not leave an audit trail. Account balances are updated, but no transaction record of the individual billings and payments is made (only invoice or check amounts are entered into the system, not invoice numbers, dates, etc.). As a result, it would be very time consuming to investigate any differences that might arise between the accounts receivable detail and the general ledger balance, or between Chicago Appliance's and customers' records.
4. No mention was made of whether the fixed asset program was adequately tested. Although it is supposedly "state-of-the-art", it may not compute depreciation and net book value on a basis consistent with Chicago Appliance's policies.
5. The fixed asset clerk's reluctance to use the computer implies that proper training may not have taken place. In addition, adequate systems or application documentation may not exist. Accordingly, improper use of the fixed asset program is not an unreasonable possibility.
6. The fixed asset processing appears to lack separation of duties. The fixed asset clerk will be responsible for processing future fixed asset transactions and generating general ledger entries.
7. It is relatively simple to use a personal computer to access data files in a minicomputer. No mention was made as to whether any controls were established to prevent this from occurring, and thus it may be possible for the minicomputer data files or programs to be improperly altered by using the personal computer as a terminal.
Implications for the Audit Plan
Auditors would need to make inquiries to confirm whether some of the potential internal control weaknesses mentioned above could affect the audit or are mitigated by other controls and procedures. However, based on the available information, the apparent weaknesses are significant enough to cause serious concern as to whether controls surrounding the end-user applications are sufficiently reliable to produce proper financial statement information.
If auditors determine that the internal control weaknesses are not mitigated by other controls and procedures, the audit approach in the fixed asset and accounts receivable areas would probably be based largely on substantive procedures. For example, auditors might perform the confirmation of accounts receivable at year end rather than at an interim date, in order to make certain that the detailed trial balance can be used to support the general ledger balance and to assess the reserve for bad debts.
Auditors must be aware that many of the control features that apply in larger minicomputer or "mainframe" installations typically will not be present in the end-user environment. When personal computers are used in applications or situations similar to the Chicago Appliance case, control over accounting applications may be jeopardized by insufficient separation of duties, fewer processing controls, and a casual operating environment. When these circumstances are encountered, auditors should inquire regarding other controls, such as (1) management involvement in the review and approval of transactions and reports and (2) clear and distinct audit trails over transaction processing, to determine whether reliance on controls in end-user computing environments is warranted.

H.64 Test Data Transactions in a Payroll Processing Program
TO: Audit Partner
FROM: Auditor
DATE:
SUBJECT: Control deficiencies in payroll calculation program
I tested the program for controls the client asserted were present and for controls that should exist in the program. Each is described below. (Detail audit documentation showing the test transactions can be attached.)
1. Program check for valid employee identification
The program does not actually check for valid employee identification as the client asserted. I studied the program code itself and saw that it checked for some valid social security numbers by disallowing numbers lower than the lowest number issued (001-01-0001) and numbers higher than the highest number currently issued (626-01-9999). It also disallowed numbers in the 700 series for people with railroad retirement sequence numbers. I entered some fictitious numbers known not to be issued, and the system calculated gross and net pay.
2. Program test of pay rate for reasonableness
The program does not test for pay rates less than the minimum wage. I tested transactions with pay rates below minimum wage and they were processed. The program does test for unrealistically high pay rates (variable setting at $25 per hour or more), and this control works properly.
There are no controls to verify that employees are paid at their approved rate. Employees can be expected to complain about being paid less than the rate authorized and get additional error-correction pay. Employees may or may not report being paid too much.
Overpayments, if any, are expensed in the normal course of accounting, so net income will not be misstated. However, we can consider making a control recommendation to management about the possibility of overpayments that have a negative effect on net income.
3. Limit test on regular hours of 40 or more
The limit and reasonableness control for disallowing regular pay for any hours in excess of 40 works properly. Test transactions with more than 40 regular hours returned the "zero pay" error message. However, the program has no valid sign test. Test transactions with a negative number of regular hours calculated a negative amount of gross and net pay. We should scan the payroll register computer files to determine whether any "negative pay" was calculated during the year.
4. Overtime paid at the rate of 150 percent of regular pay rate
The program is properly set up to calculate overtime pay at 150 percent of the regular pay rate based on the number of overtime hours input. Test transactions proved the program calculations. I also found the specification of 150 percent of the regular rate in the program code.
The client has an additional limit and reasonableness control on overtime pay. The program returns "zero pay" for overtime greater than a maximum number of hours. However, at the time of the test, the maximum was 72 hours, indicating a potential allowable 16-hour workday, 7 days per week. Regular pay and deductions are calculated accurately. This could be a good limit test to prevent overreporting and input error on overtime pay if the limit were lower.
+% "roper calculation of ta withholdings
9est transactions show that the social security! Medicare! and income ta deductions are calculated
at the proper rates 6,%(H for social security! $%*+H for Medicare! and ()H for income ta7%
However! the wage limit for the social security is improperly specified% It should #e E/-!*00! #ut it
is in the payroll program at E/*!(00! the wage limits in effect from previous years% 9esting
transactions for employees with earnings to date greater than E/*!(00 showed that no social
security ta was deducted%

Also! the program tests the year-to-date wages for the social security wage limits! #ut it does not
account for the increment when the current pay causes the total to eceed the limit% Bhen the
current pay results in year-to-date wages eceeding the limit! the deduction is still calculated on
the full amount of the current pay% 9he result is over withholding these taes the first time the limit
is reached during a pay period%
9he client needs to recalculate the social security for all persons with earnings over the prior-year
limits and calculate the amount of ta due 6#oth employee and employer portion7% Amended
payroll ta returns should #e filed immediately to minimi'e IRS penalties%
6. Overtime hour control when regular time is less than 40 hours

Having found the limit and reasonableness test for regular hours of 40 or more, I noticed that the program will calculate and pay overtime hours even when the regular time is less than 40 hours. This is illogical. Employees cannot both work fewer than 40 regular hours and overtime hours (more than 40). Testing transactions with fewer than 40 regular hours and some overtime hours resulted in the preparation of a paycheck for the regular hours at the regular rate and the overtime hours at the overtime rate.

We should consider a recommendation to management to institute the control of "no overtime unless regular time exceeds 40 hours". This may save the client from paying the overtime rate for regular working hours.

7. Year-To-Date Pay

The program has no control over the amount of year-to-date pay. Any number within the limits of the field will be accepted and processed.
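As an added example that is not part of this solution or the case worksheet, the payroll logic behind memo items 5 and 6 written out in Python: the social security withholding as the memo describes it programmed, beside a corrected version that prorates at the wage limit; the overtime calculation beside the recommended "no overtime unless regular time is 40 hours" control with a sign test; and constructed test transactions run through both versions. The rates and limits are the memo's; the function names and transactions are assumptions made here.

```python
# Added illustration of the memo's test-data approach for items 5 and 6.
# Rates, limits and the 40-hour rule are the ones the memo quotes; the
# transactions are constructed, and this is not the case's worksheet.
SS_RATE = 0.062               # social security rate from the memo
SS_LIMIT_CORRECT = 97_400.0   # wage limit the memo says should apply
SS_LIMIT_PROGRAM = 94_200.0   # prior-year limit actually coded
REGULAR_HOURS = 40
OT_MULTIPLIER = 1.5           # overtime paid at 150 percent


def ss_tax_as_programmed(ytd_before, current_pay, limit=SS_LIMIT_PROGRAM):
    """Deficient logic: compares year-to-date wages with the limit, then
    withholds on the whole current pay even when this pay crosses it."""
    if ytd_before >= limit:
        return 0.0
    return round(current_pay * SS_RATE, 2)


def ss_tax_corrected(ytd_before, current_pay, limit=SS_LIMIT_CORRECT):
    """Withholds only on the part of current pay that lies below the limit."""
    taxable = max(0.0, min(current_pay, limit - ytd_before))
    return round(taxable * SS_RATE, 2)


def gross_pay_as_programmed(rate, regular_hours, overtime_hours):
    """Pays overtime at the overtime rate even with under 40 regular hours."""
    return round(rate * regular_hours + rate * OT_MULTIPLIER * overtime_hours, 2)


def gross_pay_corrected(rate, regular_hours, overtime_hours):
    """Adds the recommended control (no overtime unless regular time is
    40 hours) and a sign test, which the memo notes the program lacks."""
    if regular_hours < 0 or overtime_hours < 0:
        raise ValueError("negative hours rejected")
    if overtime_hours > 0 and regular_hours < REGULAR_HOURS:
        raise ValueError("overtime with fewer than 40 regular hours rejected")
    return round(rate * regular_hours + rate * OT_MULTIPLIER * overtime_hours, 2)


def withholding_findings():
    """Runs constructed test transactions through both versions and returns
    (ytd_before, current_pay, programmed, corrected) for each discrepancy."""
    cases = [(50_000.0, 3_000.0),   # below both limits: versions agree
             (96_000.0, 3_000.0),   # over the coded limit, under the real one
             (97_000.0, 3_000.0)]   # crosses the real limit this pay period
    return [(ytd, pay, ss_tax_as_programmed(ytd, pay), ss_tax_corrected(ytd, pay))
            for ytd, pay in cases
            if ss_tax_as_programmed(ytd, pay) != ss_tax_corrected(ytd, pay)]
```

Calling `ss_tax_corrected` with `limit=SS_LIMIT_PROGRAM` isolates the proration defect from the outdated limit: for $93,000 earned to date and $3,000 current pay the programmed version withholds on the full $3,000, the corrected one only on the $1,200 below the limit.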
These NOTES TO INSTRUCTOR might help you clarify this assignment to your students. They are not included in the body of the solution because it is intended to be a memo of the students' test data results. They are cross-referenced to the numbered items in the memo.

1. Students will need to know enough about EXCEL to recognize range names (SSNLO = lowest social security number and SSNHI = highest social security number), then ask for /Range Name Create to find the location of the range. That will lead them to the undisclosed parameter specification section of the worksheet. There they will see the low and high social security numbers.

2. Students will need to find the parameter specification section to see the maximum regular pay rate range name RRATE, set at $25 in the program. The program has nothing to test for a wage rate less than $7.25 (minimum wage assumed) or an approved pay rate.

3. Students will need to find the parameter specification section to see the 40-hour limit test for regular hours worked in the range named REG. There is no sign test to prevent processing of negative time worked.
4. Students can find the 150 percent in the range named OTR in the parameter specification section. They will also find the specification for the limit test on overtime hours in the range named OTM. If students do not find the parameter specification range, their ability to find the limit test on overtime hours depends on whether they entered overtime hours greater than 72.

5. The outdated wage limits are easy to find if the student finds the parameter specification section and sees the incorrect wage limits in the ranges named SSW (for social security). (These are the wage limits in effect for 2007.) They are harder to find with test transactions; the student would have to use a test transaction with earnings-to-date that fall between the 2006 and 2007 limits to detect the mistaken tax wage limits.

6. Students might identify the issue that overtime pay can be calculated when regular time is less than 40 hours by inference from reading the calculation formula. Otherwise, they will have to have the imagination to enter regular hours fewer than 40 and overtime hours to see that the program will produce a paycheck.

7. The year-to-date amount is not intended to represent a program deficiency. It is a simplification so the worksheet will not need to produce some fictitious year-to-date number. However, students may notice that a large unrealistic number can be entered without being noticed by the program.
H.65 Kaplan CPA Exam Simulation: The Effect of Computers on the Audit

Two correct responses appear below:

Traditional paper transactions are replaced by electronic transactions, thereby obscuring audit trails.
The above excerpt is from Electronic Commerce.

OR

Source documents may exist only for a short time and in electronic form only.
The above excerpt is from Methods of Processing and Data Files.
H.66 Kaplan CPA Exam Simulation: Internal Control and Technology

Limit test (C): An upper boundary established for processing purposes. (Transactions over a certain dollar limit require further verification, for example.)

Validity test (A): An internal reconciliation of data within the computer to make certain that it is legitimate. (Checks are issued only to actual employees, for example. This could be done by cross-referencing the master employee file.)

Item count, or record count (D): A total of the number of transactions to be processed.

Batch total (E): A total derived from some element of the data being processed. The total would have some meaning or importance. (Total sales, for example.)

Hash total (B): A total derived from some element of the data being processed that would not normally be totaled. The total is only computed for control purposes and is not necessarily meaningful. (Total of employee social security numbers, for example.)