
CHAPTER 5

SYSTEMS DEVELOPMENT LIFE CYCLE


A. PARTICIPANTS
1. Systems professionals
2. End users
3. Stakeholders: have an interest but are not end users
4. Accountants or auditors
Purpose
- Systems are expensive
- Accounting info systems
Involvement
- As users
- As developers (with limited auditor
participation)
- As auditors
B. IS ACQUISITION (Not mutually exclusive)
1. In house development
- Customized system
- Full time system staff and programmers
2. Commercial systems
- low cost
- industry specific vendors
- small businesses
- downsizing units
- distributed data processing
a.) Turnkey
- Completely finished
- General purpose/ customized to a specific
industry
- Sold as compiled program modules
- Limited customizability
- Examples
a.1) General: wide variety of needs, standard system, low cost, designed in modules
a.2) Special-Purpose: target select segments of economy (unique accounting systems)
a.3) Office Automation: improve productivity of office workers (word processing, database management, spreadsheets)
b.) Backbone
- Basic system structure
- Primary processing modules are
programmed and vendor customizes the
user interface
c.) Vendor-supported
- Hybrid of custom and commercial
- Vendor develops and maintains custom
system for its clients

- System (custom) but system development (commercial)
- Health care and legal
- Common modules for different clients to
reduce development costs
Advantages
- Implementation time is reduced
- Development cost spread among clients
- Reliability and thoroughly tested
Disadvantages
- Independence to vendor
- Need for customized systems
- Maintenance (hard to modify)
C. SDLC
- Pertains to specific applications
New Systems Developments
1. Systems Planning
- Link systems projects to strategic objectives
- System plan is based on the business plan/ IT
strategic plan
- Done by the systems steering committee (CFO, CIO, Senior Management of Users, Internal Auditor, Senior Management of Computer Services + External Parties: Management Consultants and External Auditors)
*Role of Steering Committee
- resolve system conflicts
- review projects and assign priorities
- budget funds
- review project statuses
- determine checkpoints
a.) Strategic Systems Planning
- allocation of system resources at MACRO level
(employees, hardware, software and telecomm)
- 3-5 years avoiding excessive detail
- despite volatility, it is important because
1.) planning is always better
2.) reduces crisis component
(preventive rather than curative)
3.) provides authorization control
4.) manages costs
b.) Project Planning
- allocation of resources to individual
applications/ specific projects
- OUTPUT: Project Proposal (summarizes findings and outlines links in objectives to approve/disapprove a project) and Project Schedule (represents management's commitment through a budget of time and costs of all phases of SDLC)
*Auditors routinely examine efficiency

2. System Analysis
- Purpose: identify needs and specify
requirements for the new system, formal
contract for the goals and objectives of the
system
- OUTPUT: System analysis report (findings,
problems, needs identified, analysis and
recommendations)
a.) Survey step
- Gather facts and understand problem
deeper
- Develop preliminary questions
- Create an assessment of current system
Disadvantages
- Bogged down by surveying
- Stifles new ideas
Advantages
- Identifying aspects worth keeping
- Forced to fully understand system
- Isolating root cause
- System Facts
1.) Data sources: internal and external
2.) Users
3.) Data stores: files, databases, source documents
4.) Processes
5.) Data flows
6.) Controls
7.) Transaction volumes
8.) Error rates
9.) Resource costs + escapable costs
10.) Bottlenecks and redundant operations
- Fact Gathering Techniques
1.) Observation: passively watching physical procedures
2.) Task Participation: experience firsthand like a user
3.) Personal Interview: open ended (users can elaborate on the problem and offer suggestions or recommendations) + questionnaires (specific detailed questions that restrict responses)
4.) Review of Key Documents: Org charts, job descriptions, accounting records, chart of accounts, policy statements, FS, system flowcharts, budgets, forecasts etc.
b.) Analysis step
- Simultaneously commingled with fact gathering
* Auditors are stakeholders in the proposed system

3. Conceptual Systems Design
- Purpose: produce alternative conceptual
systems that satisfy system requirements
- by keeping things conceptual, costs are
avoided
- highlight differences between critical features
of competing systems
- system designs are general but should identify
all factors that distinguish one alternative from
another
a.) Structured Approach
- develops each new system TOP DOWN
- starts with the big picture or abstract view
of the system
- uses DFDs and structure diagrams
b.) Object-Oriented Approach
- builds systems BOTTOM UP through assembly
of reusable modules/ standard components or
objects reusable in other designs
- reduces costs for development, maintenance and testing
- associated with the iterative approach where
small modules cycle throughout SDLC phases
*Auditors ensure auditability of the system
4. Systems Selection Phase
- Chosen alternatives' costs and benefits are
compared and a single optimum design is
chosen
- Optimization process that identifies the best
system
- OUTPUT: Systems Selection Report (revised feasibility, cost-benefit analysis, list of intangible benefits)
a.) Detailed Feasibility Study
- Technical: sufficiency, desire and ability to apply existing technology
- Economic: availability of funds and management's financial commitment
- Legal
- Operational: compatibility with existing and new system
- Schedule
b.) Cost-Benefit Analysis
b.1.) Identify Costs: One Time (initial costs to develop and implement) and Recurring (operating and maintenance costs)
One Time
- Hardware Acquisition
- Programming and Testing
- Software Acquisition
- Site Preparation (PPE)
- Systems Design
- Data Conversion
- Personnel Training
Recurring
- Hardware Maintenance
- Software Maintenance Contracts
- Insurance
- Supplies
- Personnel
b.2.) Identify Benefits: Tangible (increase revenue and reduce escapable costs) and Intangible (customer/employee satisfaction, currency of information, faster decisions, efficient operations etc)
b.3.) Compare Costs and Benefits: NPV and Payback Speed (variation of breakeven)
*Total costs/benefits curve
* Auditors assess economic feasibility of proposed
system (escapable costs, interest rates, correct
reporting of costs, realistic useful lives, intangible
benefits are monetized)
5. Detailed Design
- Purpose: produce a detailed description of
the proposed system that satisfies
requirements and coincides with conceptual
design
- All system components are meticulously
specified
- OUTPUT: Detailed Design Report (set of blueprints: input screen formats, output layouts, database structures and process logic)
- System Design Walkthrough: ensures design is free from conceptual errors; conducted by a QA group (programmers, analysts, users, internal auditors) through a simulation of the system
- Most errors are from design and not the
programming
6. Application Programming and Testing
- Selection of programming language based on
in-house standards, architecture and user
needs
- Programming the system follows the MODULAR approach, which increases programming and maintenance efficiency and control
- Results of testing are compared with predetermined results
- Testing must be done offline before online
deployment
- Create meaningful test data to be retained
for reuse in future audit tests
- Programming Languages
a.) Procedural (third generation languages)
- requires programmer to specify precise order of program logic
- COBOL (dominant for years but wordy),
FORTRAN, C, PL1
b.) Event Driven: program code is not executed in a predefined sequence but as indicated by the user
- Visual Basic (simple yet powerful for
real time and batch applications with
GUIs)
c.) Object Oriented
- steep learning curve leading to the
creation of Hybrids (Object COBOL,
Object Pascal, C++)
- Java and Smalltalk
7. System Implementation
- System goes live and costs are expended and
personnel-hours are consumed the most
a.) Test the entire system (formal
acceptance document)
b.) Document the system
b.1) designer and programmer
b.2) operator: run manual (name of system, run schedule, required hardware, run-time, list of users)
*separate programmer and operator docs.
b.3) user: user handbook, classified according to skill (novice, occasional, frequent light, frequent power), containing an overview, step by step, error messages, glossary of key terms, manual of commands
- Others (Tutorials, Help Features)
c.) Converting databases (validation,
reconciliation, back-up)
d.) Converting to the new system
d.1) Cold Turkey Cutover
- Big bang approach
- Switch to new and terminate old
simultaneously
- Best for simple systems but riskiest for
complex
d.2) Phased Cutover
- operating the new system in modules, reducing the risk of a devastating system failure, but can create incompatibilities between the new and the old
d.3) Parallel Operation
- running old and new system simultaneously for a while
- most time consuming and costly but reduces risk because user can reconcile outputs to identify errors
e.) Post-implementation review
- conducted by an independent team to
measure success in terms of system design
adequacy and accuracy of time/cost/benefit
estimates
*Auditors are prohibited from being directly involved in systems implementation but they may provide technical expertise, specify documentation standards, verify control adequacy and compliance with SOX
8. Systems Maintenance
- Applications undergo changes to
accommodate changes in user needs

*** Continue from here***


Controlling New Systems Development
1.) System Authorization Activities
2.) User Specification Activities
3.) Technical Design Activities
4.) Internal Audit Participation
5.) User Test and Acceptance Procedures
6.) Maintenance Authorization, Testing and
Documentation
7.) Source Program Library Control
CHAPTER 6
TRANSACTION PROCESSING AND FINANCIAL
REPORTING SYSTEMS OVERVIEW
Transaction Cycles
1.) Expenditure
- Based on a credit relationship
- Physical component (acquisition of goods), financial component (cash disbursement)
- AP, Cash Disbursement, Payroll and Fixed
Asset systems
2.) Conversion
- Production and cost accounting system (flow
of cost info for inventory valuation,
budgeting, cost control, performance
reporting, management decisions)
3.) Revenue
- Sales order processing and cash receipts
systems
MANUAL SYSTEMS
Documents
1.) Source Documents
- Capture and formalize data needed for processing
- Ie. Sales Order
2.) Product Documents
- Result of transaction processing other than
the triggering mechanism for the process
- Ie. Payroll check, customer's bill
3.) Turn Around Documents
- Documents of one system that become
source documents for another system
- Ie. Remittance
- documents are the primary source of data for journals
Journals
- Record of chronological entry
- Complete record of transactions and basis for posting to accounts
1.) Special Journals
- Specific class of transactions in high volume
- Register (special type of journals that
functions as a log)
2.) General Journals
- Non recurring infrequent and dissimilar
transactions
- Periodic depreciation and closing entries
- Journal vouchers

Ledgers
- Book of accounts that reflect financial effects of transactions after they are posted from various journals
- Shows activities by account type indicating
increases and decreases in each account
1.) General
- Firm's account information in highly summarized control accounts providing a single value
- Summarizes each activity for each of the organization's accounts
2.) Subsidiary
- Contain details of individual accounts
constituting a control account
- Kept in various accounting departments to
provide better support and control
operations

Audit Trail
- Important for yearend audits
COMPUTER BASED SYSTEMS
Magnetic Files
1.) Master File
- Generally contains account data
- Ie. General and subsidiary ledger
2.) Transaction File
- Temporary file of transactions to update
data in master file
- Ie. Sales orders, inventory receipts, cash
receipts
3.) Reference File
- Stores data used as standards for processing
transactions
- Ie. Tax tables, price lists, employee rosters
and customer credit files
4.) Archive
- Records of past transactions retained for
future reference
- Ie. Journals, prior-period payroll, former
employees, written off accounts etc
Digital Audit Trail
1.) Capture of economic event
2.) (Data Input Stage) Convert source documents to
digital form
3.) Update master files and control accounts
DOCUMENTATION TECHNIQUES
1.) Data Flow Diagrams
- Commonly used
- Uses symbols to represent entities,
processes, data flows and data stores
- Entities (external objects that are sources and destinations of data - NOUNS), Data Stores (accounting records used in each process), Data Flows (labelled arrows)
- Processes (descriptive VERBS)
- Depicts logical and not the physical system
2.) Entity Relationship Diagrams
- Represents relationships between entities
- Entities (physical resources, events and agents about which the entity wishes to capture data)
- Cardinality (numerical mapping between entity instances, 1:M, M:M; maximum number of records in one file related to another file)
- Data Model (blueprint of what will become
the physical database)
3.) System Flowcharts
- Graphical representation of physical relationships among key elements of a system (manual activities, computer programs, hard-copy accounting records and digital records)
- Describes the type of computer media used in the system (magnetic tape/disk and terminals)
- TIPS (layout the physical areas of activity,
transcribe the written facts into visual
format)
- SYMBOL SET
4.) Program Flowcharts
- Provides operational details
- Supports system flowchart by showing its
logic
- Connector Lines (establish logical order of
execution)
- SYMBOL SET
5.) Record Layout Diagrams
- Reveal internal structure of records
constituting a file or database table
- Shows name, data type, length of each
attribute
Batch Processing
- Batch (group of similar transactions accumulated over time and then processed together)
- ADVANTAGES (organizations improve operational efficiency, reduce costs and provide control over the transaction process)
- DISADVANTAGES (finding errors in a batch may be difficult)
Data Processing Methods
1.) Batch
- Info Timeframe: lags between economic event and recording
- Resources: fewer resources required
- Uses sequential files
*systems development (programming) and computer operations
- shorter development periods and easier to maintain
- Operational Efficiency: records are processed after the event
- batch processing of noncritical accounts
2.) Real Time
- Info Timeframe: processing occurs when economic event occurs
- Resources: more resources required
- uses direct access files
- Operational Efficiency: records are processed immediately
*Balance between efficiency and effectiveness
ALTERNATIVE DATA PROCESSING APPROACHES
1.) Legacy Systems
- Mainframe based
- Batch oriented
- Use flat files for data storage
- Inflexible but efficient in data processing
- Single user environment
2.) Modern Systems
- Client server network based
- Process transactions real time
- Store data in relational database tables
- Allows process integration and data sharing
Updating Master Files
Database Backup Procedures
- destructive update leaves no backup copy of
the original master file
REAL TIME PROCESSING
- advantages (improved productivity, reduced
inventory, increased ITO, decreased lags in
billing and reduction in physical documents)
- best for systems with lower transaction
volumes and those that do not share
common records
- makes use of extensive LAN and WAN
CODING SCHEMES
1.) Sequential Codes
- Represent items in sequential order
- Ie. Pre numbering of source documents
Advantages
- Supports reconciliation of batches
Disadvantages
- Sequential codes carry no other information beyond their sequence and are hard to change
2.) Numeric Block Codes
- Represent whole classes of items
- Chart of accounts
Advantages
- Allows for insertion of new codes within a block
Disadvantages
- Information content is not readily apparent
3.) Group
- Represent complex items involving two or more pieces of related data
- Consist of zones or fields with different meaning
Advantages
- Facilitate representation of large amounts of diverse data in an easy and hierarchical form
- Permit detailed analysis and reporting
Disadvantages
- Overused classifications
- Higher storage costs, promote clerical errors and inefficiency

4.) Alphabetic
- Sequential/ block/ group
Advantages
- Represent large numbers through alpha-numeric codes
Disadvantages
- Difficult to rationalize and sort records
5.) Mnemonic
- Alphabetic in the form of acronyms with
meaning
Advantages
- Does not require memorization because it conveys a high degree of information
Disadvantages
- Limited ability to represent items within a class
General Ledger Systems
a.) Journal Voucher
- Identifies financial amounts and affected
general ledger accounts
b.) GLS Database
1.) GL Masterfile
2.) GL history file
3.) JV file
4.) JV history file
5.) Responsibility center file
6.) Budget master file
XBRL (Extensible Business Reporting Language)
- Facilitate publication, exchange and
processing of financial business information
- Derivative of XML (Extensible Markup
Language)
- XBRL taxonomy
XML
- Meta language describing mark up language
- Creation of markup languages capable of storing data in relational form where tags are mapped to data values

CHAPTER 7
COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES
Application Controls: deal with potential exposures that threaten applications
1.) Input controls
- Ensure that data in the data collection stage are valid, accurate and complete
a.) Batch (Document Triggered)
- Prone to clerical errors which may require
tracing to the data input stage
b.) Real Time (Direct Input)
- Employs real time error detection
- CLASSES of INPUT CONTROLS
a.) Source Document Controls
- can be used to remove assets
- Ie. Prenumber, use source documents in
sequence, periodical audit of source
documents
b.) Data Coding Controls
- checks on the integrity of data codes
- TYPES: Transcription (addition, truncation and substitution errors), Single (adjacent) and Multiple (nonadjacent) Transposition
- Ie. Check Digits (control digit added to the code to detect transcription errors; Modulus 11); this introduces storage and processing inefficiencies, so it is restricted to essential data
c.) Batch Controls
- manages high volume of transaction data
- reconcile output with input (assures complete batch processing, no records are processed more than once, creation of audit trail)
- batch transmittal sheet (unique batch number, batch date, transaction code, record count, control total, hash total: uses nonfinancial data to keep track of records in a batch, sums up all numeric values within a field)
d.) Validation Controls
- detect errors before the data is processed
- most effective when performed as close to
the transaction as possible but may occur at
various points in the system
- a transaction may be partially processed
before errors are detected

- LEVELS of INTERROGATION: FIELD (missing data checks: blank spaces/justification; alpha-numeric data checks; zero-value checks; limit checks; range checks: detects keystroke errors; validity checks: actual vs acceptable values; and check digits: checking internal validity), RECORD (examines interrelationship of field values: reasonableness checks, sign checks and sequence checks), FILE (ensures correct file is being processed, particularly for master files: internal label checks, version checks, expiration date check)
e.) Input Error Correction
- errors detected in a batch are corrected before being resubmitted for reprocessing
- TYPES: Correct Immediately (upon detecting an error during data validation, system immediately halts the data entry), Create an Error File (flag errors and place them in a temporary error holding file) and Reject the Batch (errors are associated with the entire batch)
f.) Generalized Data Input System
- achieves high degree of control and
standardization over input validation
procedures
- includes centralized procedures to manage data input for all transaction processing systems
Advantages
- Improves control with one system performing all the validation
- Ensures each AIS applies a consistent standard
- Improves systems development efficiency by eliminating the need to recreate redundant routines
- MAJOR COMPONENTS: Generalized Validation Module (standard validation of common routines), Validated Data File (temporary holding files through which validated transactions flow to their respective application), Error File (storage of detected errors, corrected and resubmitted), Error Reports (facilitates error correction), Transaction Log (permanent record of all validated transactions)
2.) Processing controls
a.) Run to Run
- uses batch figures to monitor the batch as
it moves from one run to another

- batch control figures may be contained in a separate record or an internal label
- USES: Recalculate Control Totals (after each run, dollar amounts, hash totals and record counts are recalculated), Transaction Code Check (ensures that only the correct type of transaction is being processed) and Sequence Checks (compares sequence of each record with previous record to ensure proper sorting took place)
b.) Operation Intervention
- sometimes required before transactions
are initiated to reduce risk of processing
errors and involvement of operators
c.) Audit Trail
- Transaction Logs (record of all successfully processed transactions to sort them from unsuccessfully processed transactions contained in the error file), Log of Automatic Transactions (log of all internally generated transactions), Listing of Automatic Transactions (maintains control over automatic transactions), Unique Transaction Identifiers (each transaction processed in the system is identified with a transaction number), Error Listing (log of all records to support correction and resubmission)
3.) Output controls
- ensures that system output is not lost,
misdirected or corrupted and privacy is not
violated
a.) Batch Systems
- usually produce output in hard copies
- EXAMPLES:
- Output Spooling (applications are designed to direct output to a magnetic disk file before going to the printer)
- Print Programs (designed to deal with production of unauthorized copies by reconciling output file with actual output, and employee browsing of sensitive data by printing a black top copy)
- Bursting (after printing, pages go to bursting where they are separated and collated, but this must be under supervision or performed by the end user)
- Data Control (verify output before distribution to the user; if data is sensitive this may be performed by the end user)
- Report Distribution (reduce the risk of the reports being stolen, lost or misdirected in transit to the user by specifying address of the user or recipients, using a secure mailbox, personal distribution or use of special courier)
- End User (reexamine for errors missed by the data control clerk, store in a secure location until retention period expires, the length of which is affected by statutory requirements and number of copies/images in existence)
b.) Real Time Systems
- directs output to the user's screen, terminal or printer; eliminates intermediaries between the computer center and user
- primary threat (interception, disruption and
destruction of output message)
- Exposures from equipment failure and
subversive acts
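Added example, not part of the original notes: the input and processing controls listed above (Modulus 11 check digit, batch transmittal sheet totals, error file, transaction code and sequence checks, run-to-run recalculation) applied to one constructed batch. The weighting scheme (rightmost digit x2, next x3, and so on), the record fields and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

def mod11_check_digit(code: str):
    """Check digit for a numeric code, or None when the result would be 10."""
    # Assumed weighting: rightmost digit x2, next x3, and so on leftwards.
    total = sum(int(d) * w for w, d in enumerate(reversed(code), start=2))
    check = (11 - total % 11) % 11
    return None if check == 10 else check  # no single digit for 10: skip the code

def mod11_valid(code: str) -> bool:
    """True when the weighted sum, check digit (weight 1) included, divides by 11."""
    if not (code.isascii() and code.isdigit() and len(code) > 1):
        return False
    return sum(int(d) * w for w, d in enumerate(reversed(code), start=1)) % 11 == 0

@dataclass
class Transmittal:
    batch_no: str
    txn_code: str
    record_count: int
    control_total: int  # financial total, in cents
    hash_total: int     # sum of account numbers: no meaning, only tracks records

def batch_totals(records):
    """Recalculate (record count, control total, hash total) for a file."""
    accounts = [r["account"] for r in records]
    return (len(records),
            sum(r["amount"] for r in records),
            sum(int(a) for a in accounts if a.isascii() and a.isdigit()))

def reconcile(sheet, records):
    """Compare recalculated totals with the control record; list discrepancies."""
    names = ("record count", "control total", "hash total")
    want = (sheet.record_count, sheet.control_total, sheet.hash_total)
    return [f"{n}: expected {w}, found {g}"
            for n, w, g in zip(names, want, batch_totals(records)) if w != g]

def validation_run(sheet, records):
    """Returns (validated file, error file, batch findings, next control record)."""
    findings = reconcile(sheet, records)
    validated, errors, prev_doc = [], [], None
    for r in records:
        reasons = []
        if r["txn_code"] != sheet.txn_code:
            reasons.append("transaction code")
        if not mod11_valid(r["account"]):
            reasons.append("check digit")
        if prev_doc is not None and r["doc_no"] <= prev_doc:
            reasons.append("sequence")
        prev_doc = r["doc_no"]
        if reasons:
            errors.append({**r, "reasons": reasons})  # held for correction
        else:
            validated.append(r)
    # Run-to-run: recalculated totals travel with the validated file to the next run.
    next_sheet = Transmittal(sheet.batch_no, sheet.txn_code, *batch_totals(validated))
    return validated, errors, findings, next_sheet

# Constructed sample: the sheet is prepared from the source documents,
# the records are what the clerk keyed.
SHEET = Transmittal("B-0042", "CR", 4, 45050, 200950)
KEYED = [
    {"doc_no": 1001, "txn_code": "CR", "account": "53724", "amount": 12500},
    {"doc_no": 1002, "txn_code": "CR", "account": "12343", "amount": 8000},
    # Source document says 90166; the first two digits were transposed on entry.
    {"doc_no": 1003, "txn_code": "CR", "account": "09166", "amount": 4550},
    {"doc_no": 1004, "txn_code": "CR", "account": "44717", "amount": 20000},
]

def demo():
    validated, errors, findings, next_sheet = validation_run(SHEET, KEYED)
    # A later run that processes one record twice breaks all three totals.
    rerun = reconcile(next_sheet, validated + validated[:1])
    return validated, errors, findings, next_sheet, rerun

if __name__ == "__main__":
    for part in demo():
        print(part)
```

The transposed account fails the check digit at field level and also shows up as a hash total mismatch at batch level, while the record count and control total still agree with the sheet.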
TESTING COMPUTER APPLICATION CONTROLS
A.) Black Box Approach (around the computer)
- does not rely on a detailed knowledge of the application's internal logic but seeks to understand the functional characteristics of the application
- analyzing flowcharts and interviewing
knowledgeable personnel
- reconciling input transactions with output
results
- application need not be removed from service
and tested directly
- suitable for simple applications
B.) White Box Approach (through the computer)
- relies on an in depth understanding of the
internal logic
- use small numbers of specially created test
transactions to verify specific aspects of the
logic
a.) Authenticity Tests: user IDs, passwords, vendor codes and authority tables
b.) Accuracy Tests: data values conform to tolerances (range fields, field and limit tests)
c.) Completeness Tests: identify missing data (field and record sequence tests + hash and control totals)
d.) Redundancy Tests: application processes each record only once (recon of batch totals, record counts, hash and financial control totals)
e.) Access Tests: ensure that application prevents authorized users from unauthorized access (passwords, authority tables, user-defined procedures, data encryption and inference controls)
f.) Audit Trail Tests: ensure creation of an adequate audit trail (transactions logs and listings, error files and exception reports)
g.) Rounding Error Tests: occur when precision in calculation is greater than in reporting (sign and absolute value determines the effect of rounding)
- Salami Fraud - affect larger number of victims
with minimal harm to each (may be prevented
by OS audit trails and audit software that can
detect excessive file activity)
Computer Aided Audit Tools and Techniques for
Testing Controls (CAATT)
A.) Test Data Method
- establishes application integrity by
processing specially prepared sets of input
data through production applications under
review
- results of each test are compared to predetermined expectations
- creating test data by preparing both valid
and invalid transactions with test data
testing every possible input error, logical
process and irregularity
B.) Base Case System Evaluation
- set of test data is comprehensive
- conducted with a set of test transaction
containing all possible transaction types
processed through repeated iterations
during system development testing until
consistent and valid results are obtained
called the base case
C.) Tracing
- electronic walk through of application's internal logic
- 3 STEPS - Special Compilation, Creation of
Test Data and Tracing through All
Processing Stages
- requires detailed understanding of
internal logic
Advantages
- Employ through-the-computer testing
- Minimal disruption of operations
- Minimal computer expertise required from auditors
Disadvantages
- Reliance on computer services personnel to obtain copies
- Static picture of application integrity at a single point in time
- High cost of implementations resulting to audit inefficiency

D.) Integrated Test Facility
- enables auditor to test logic and controls during its normal operation
- designed into the application during the systems development process
- contains dummy or test Masterfile
records integrated with legitimate records
- discriminates between ITF transactions
and routine production data through
assignment of unique range of key values
Advantages
- Supports ongoing monitoring of controls
- Applications can be tested without disrupting operations and intervention of computer services personnel
Disadvantages
- Potential for corrupting data files can be prevented by using adjusting entries and scanning of data files
E.) Parallel Simulation
- requires auditors to write a program that
simulates key features or processes of the
application under review which is then used
to reprocess previous transactions
1.) Creating a Simulation Program
- candidate of fourth generation language
- STEPS: gain a thorough understanding, identify processes and controls critical to the audit, create simulation using general audit software, run the simulation, evaluate and reconcile results
- simulations are less complex and auditor must carefully examine differences in output results of the simulation and the actual program (may be due to crudeness of the simulation or real deficiencies)
