Académique Documents
Professionnel Documents
Culture Documents
Continuous and intermittent simulation (CIS) has been proposed by Koch (1981) as a
means of collecting audit evidence concurrently with application system processing when
the application system uses a database management system to support updating and
querying of application files.
CIS has two major components. First, like SCARF, the database management system must be
able to trap transactions that are of interest to the auditor. Koch initially proposed that the
database management system be modified to capture transactions. Some current database
management systems, however, provide facilities that allow auditors to write their own software
routines that the database management system will execute on their behalf. Second, auditors
must write software modules that will replicate the application system processing that is of
interest. The database management system then passes the transactions it captures across to these
modules. These modules in turn determine the results that should be produced as a result of the
transaction. The results produced by the audit modules are then compared with the results
produced by the application system. Deviations are written to a file for scrutiny by the auditor.
To illustrate the use of CIS, consider a financial application where auditors are concerned about
the accuracy of the calculations relating to the payout value when a customer of the financial
institution pays out a loan early. The database management system would identify a payout
transaction as being one of the transactions that interest the auditor. It would capture the payout
transaction and pass the transaction across to the audit modules. The modules would then
calculate the payout value. In the meantime, the application system also would have calculated
the payout value. The payout value calculated by the audit modules would then be compared
with the payout value calculated by the application system. If a discrepancy existed between the
two values, an exception would be written to an audit file.
Snapshot
The snapshot technique is straightforward. As the name implies, it involves taking
snapshots or pictures of a transaction as it winds its way through an application
system. In essence, it is an automated version of a manual transaction walkthrough.
Snapshots are taken at material processing points in the application system.
Auditors must first identify these points and then embed audit modules within the application
system at these points. At each of these points, the audit modules typically take a snapshot of the
transaction just prior to processing and a snapshot just after processing. The auditor then has the
before-image of the transaction and the after-image of the transaction as a basis for evaluating
the authenticity, accuracy, and completeness of the application processing carried out. These
snapshots are written away to an audit file for subsequent scrutiny by the auditor.
To illustrate use of snapshot, consider an order that is input to a manufacturers order entry
system. The order may pass through a number of processing points that are of audit significance.
For example: the customer has to be an authorized customer; the amount of the purchase must be
within certain credit limits; a discount might be given depending upon the status of the customer
and the type of product that the customer is wanting to purchase; the order might be exploded
via a bill-of-materials to determine the parts required to make the product ordered; shortages of
parts may invoke a purchase order being placed on a supplier. At some or all of these points,
snapshots might be taken so the auditor can examine the veracity of processing at each point.
Extended Records
Extended records are a simple extension of the snapshot technique. Using conventional
snapshot, individual snapshots are simply written to an audit file. Auditors then must
assemble all the snapshots that pertain to a particular transaction and a particular stream
of processing that the transaction undergoes. If a large number of snapshots are taken,
assembling related snapshots can be onerous.
The extended records technique collects all related snapshots together in a single record. As a
transaction passes through the various snapshot points, the snapshots are appended to a record
that is eventually written to a file for audit scrutiny. Auditors then do not bear the overheads of
sorting related snapshots together. More timely scrutiny of veracity of the transaction and the
application processing stream is possible.
8.
8.1 Concurrent auditing techniques are the techniques developed to collect evidence at the
same time as an application system undertakes processing of its production data. Disappearing
paper-based audit trail, need for monitoring required by advanced systems, increasing difficulty
of performing transaction walk throughs are some of the reasons for deploying concurrent
auditing techniques more extensively. The following are important types of concurrent auditing
techniques:
8.2 Integrated test facility (ITF)
The ITF technique involves establishing a mini company or dummy entity on an
application systems files and processing audit test data against the entity as a means of verifying
processing authenticity, accuracy and completeness. Auditors would then use test data to update
the fictitious entities. This test data would be included with the normal production data used as
input to the application system. The application system must be programmed to treat the tagged
transactions in a special way. The presence of ITF transactions within an application system
affects the output results obtained. The effects of ITF transactions must be removed on
completion of audit.
8.3 Snapshot
The snapshot technique involves having software take "pictures" of a transaction as it
flows through an application system. Typically auditors embed the software in the application
system at those points where they deem material processing occurs. The embedded software then