Application Controls 62177
This document was ed by and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this report form. Report r6l17
Overview 4q3b3c
& View Application Controls as PDF for free.
More details 26j3b
- Words: 1,965
- Pages: 34
Application Controls Batch Processing Application Audit
Acknowledgments Material is sourced from: CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission. Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Contributors: Todd Burri, Megan Reid, Kahili Cheng Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives Students should be able to: Define and describe batch control, validation, batch balance, reconciliation, standing data, exception report, audit trail, system control parameters Define checks: sequence, limit or range, validity check or table lookup, existence, key verification, check digit, completeness, duplicate, consistency of logical relationship Define and understand testing application techniques: test data, snapshot, integrated testing facilities, parallel operation, parallel simulation, transaction selection program Define online auditing techniques: audit hooks, system control audit review file and embedded audit modules (SCARF/EAM)
Security in Software Development Requirements
Security Requirements
Abuse Cases
Architecture & Design
Risk Analysis Code
Penetration Test
Code Review Test
Security Operation
Risk-Based Security Test Deploy
Input Form No. 12083
Make form easy to read and use Group like fields together Provide predetermined input codes to reduce errors Provide identifier or cross-reference number Indicate field sizes Provide authorization signature if necessary
Sales Order Form Date: 11/09/09
Time: 3:24 PM
Product _____________ _____________ _____________ _____________
Quantity _______ _______ _______ _______
Salesperson: Authorization:
Transaction Validation Sequence Check: Sequence number use causes out-of-sequence and duplicate numbers to be rejected. Limit or Range Check: Valid numbers are below or between a maximum value. E.g., checks should not exceed $3,000 Validity Check or Table Lookup: Only certain values are accepted: Sex=M/F. Reasonableness Check: Values entered are reasonable: A takeout order of 100 pizzas??? Existence Check: Required fields are entered correctly. Key Verification: Input is double checked via second person OR all digits are entered twice. Check Digit: A digit may the correct entry of other digits. Completeness Check: Complete input is provided: zeros or spaces are checked for each required letter or digit Duplicate Check: Duplicate transactions or transactions with duplicate IDs are checked for and rejected. Consistency or Logical Relationship Check: Data is consistent with other known data: An employee’s birth date must be at least 16 years ago.
Batch Processing Input is authorized and collected into a batch Batch controls are automatically calculated and associated with the batch file.
Validation of the transactions occur. Rejected transactions are corrected and resubmitted or otherwise handled. Processing occurs (e.g., orders, payments, storage to DB)
Processing is complete. Batch balancing occurs through manual or automatic reconciliation of batch controls.
Batch Controls # TransType Amount Clerk 01001 054 $54.43 212 01222 054 $89.99 215 02022 033 $10.19 212 02022 036 $999.99 215 ……… 01098 054 $50.00 215 Batch Control: 12242 435
$9544.34 818
A Batch groups transactions to control processing. Batch controls can include totals or hashed values. Totals may include total items, documents, or values.
Transaction Authorization
Manual: Obtain
signature from management on batch forms or source documents Forms or Source Documents record data
Pre-number for control preferably
Automatic: Online
access control via or terminal identification
Error Handling Alternatives Reject transaction(s) with errors but process remaining batch Reject batch with error transactions Hold the batch in suspense: hold batch until error transactions are fixed Accept the full batch but flag the error transactions for later correction
Data Processing System Control Parameters
Controls processing: e.g., specify limit maximums
Transaction File (for today) Processing
Standing Data (Permanent Files)
Exception Report Master Data/Balance Data Reports errors in transactions
Audit Trail (or transaction log)
Records running balances and totals updated by transactions
Processing Controls Per-Transaction Basis Editing: program tests the accuracy, completeness and validity of data Checks on Calculated Amounts: Calculated values are checked to be reasonable or not exceed maximum Programmed Control: Software to detect, log, and initiate corrective action for errors Exception Report: Reports error transactions with their error types Per-Batch Basis Batch : Batch totals are recorded manually to be compared with system totals Run-to-Run Totals: Each processing stage reports its calculated batch controls Reconciliation: Supervisor should review that *all* data was properly recorded and processed
Data File Control Procedures Prerecorded Input: Certain information fields are preprinted on a blank input form to reduce input errors. Data File Security: Ensures authorized access only Version usage: The correct version of a file is always accessed Transaction Logs: An audit trail records date/time of input, ID and terminal location, and input transactions Before and After Image Reporting: File data is recorded before and after processing, enabling traces to occur based on transactions Parity Checking: When data is transmitted, check codes are added to ensure data is transmitted without error. Batch Processing Error reporting & handing: All error reports are properly reconciled and authorizations/corrections are submitted in a timely manner. One-for-One Checking: Source Documents correctly describe the processing that has occurred Source document retention: Source documents are retained as necessary for error handling and audits. Internal & External Labeling: Removable storage media is labeled to ensure correct processing
Question
1. 2. 3. 4.
A hash total of customer numbers is one input to the sales program. This program generates its own total to compare against this input parameter. What is the purpose of this procedure? Validate customer numbers are accurate Detect lost or changed transaction(s) Detect error(s) in sales transactions Validate that each sales transaction is complete
Question 1.
2. 3. 4.
Batch balancing is used to? Ensure that test data accurately matches real data when considering transaction types Detect lost or changed transaction(s) during processing Detect error(s) in sales transactions batch total is reasonable
Question
1. 2. 3. 4.
Batch totals may not match when error transactions are removed. The process that verifies full processing did occur correctly, while ing for errors is called: Audit trail Validation Batch balancing Reconciliation
Application Audit
Auditor Tasks Identify significant application components and flow of transactions Identify controls and evaluate their effectiveness Test the controls Analyze the test results to determine whether controls work as expected
Testing Applications: Test Data
Test Data
Pgm1
Pgm2
Pgm3
Processes test data through real programs.
Testing Applications: Snapshot
Pgm1
Pgm2
Pgm3
Displays ‘snapshots’ of how transactions are processed, as they are processed. Certain transactions are designated for recording.
Integrated Testing Facilities Real Data Pgm1
Pgm2
Pgm3
Test Data
Test data and real data are merged. Must be careful to isolate test results.
Parallel Operation or Parallel Simulation New System or System under Test Pgm1
Pgm2
Pgm3
Pgm1*
Pgm2*
Pgm3*
Real Data
Stable System or Simulated System Data is processed through two systems and results are compared. Useful to new system. Parallel Operation: Compare new system with older stable system Parallel Simulation: Compare actual and simulated system
Transaction Selection Program Transaction Selection Program
Test Data
Pgm1
Pgm2
Pgm3
A tool helps to select transactions to build a test deck..
Embedded Audit Data Collection Regular Data
Pgm1
Pgm2
Pgm3
Embedded Audit Modules (EAM): Audit software is embedded directly into the application programs to monitor specific types of transactions. Systems Control Audit Review File (SCARF): Provides statistical information about the normal input data file, to determine if the file is sufficiently varied for the auditor. Sample Audit Review File (SARF): Selects random transactions for analysis.
Testing Application Techniques Test Data: Test Data: Test transactions go through real programs Integrated Testing Facilities: Creates test transactions to include with live data Transaction Selection Programs: Screen and selects transaction input to regular production cycle Embedded Audit Data: Selects random or statistically-distributed input transactions and generates logs during production Debugging/Processing: Mapping: Identifies specific program’s logic that have not been tested Tracing and tagging: Trace shows trail of instructions executed. Tag places indicators on selected transactions Snapshot: Records flow of designated transactions through logic paths Validation Systems: Base-case system evaluation: Uses test data for testing programs and verifies correct system operations before accepting. Parallel Simulation: Uses programs that simulate application program logic Parallel Operation: Compares new and old production data processing systems and compares results
Online Auditing Techniques
Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM): Embedding specific written audit software in organization’s host application system Snapshots: Pictures of the processes’ path Audit Hooks: Embedding hooks in applications Integrated Test Facility (ITF): Dummy entries are set up and include auditor's production file Continuous & Intermittent Simulation (CIS): Simulates the instructions executed of the application
Concurrent Audit Tools Online Audit Techniques: Complexity:
SCARF/ EAM Very High
Useful when: Regular processing cannot be interrupted
Integrated Test Facilities
Snapshots
Continuous Intermittent Simulation
Audit Hooks
High
Medium
Medium
Low
Its not beneficial to use test data
An audit trail is required
Transactions meeting certain criteria need to be examined
Only select transactions or processes need to be examined
Continuous Online Auditing: Audit Hooks Regular Data
Pgm1
Pgm2
Pgm3
Continuous Online Auditing enables auditors to test the system without disrupting a company’s regular operation. Audit hooks are software logic embedded into the application, which prints error reports of red flags enabling auditors to act to catch errors early, before they become problems..
Question
1. 2. 3. 4.
Embedded audit modules is associated mostly clearly with: Audit hooks Snapshots Batch processing Parallel operation
Question
1. 2. 3. 4.
This technique provides statistical information about the normal input data file, to determine if the file is sufficiently varied for the auditor. Test data Snapshots Systems Control Audit and Review File Transaction Selection Program
Question
1. 2. 3. 4.
Combining real and test data during an audit is known as: Parallel operation Integrated testing facilities Batch processing Embedded audit modules
Match Definitions
Sequence number use causes out-of-sequence and duplicate numbers to be rejected. Valid numbers are below a maximum value. Values entered are plausible Required fields are entered correctly. Input is double checked via second person OR all digits are entered twice. Transactions with duplicate IDs are checked for and rejected.
Duplicate Check Existence Check Reasonableness Check Limit Check Key Verification Sequence Check
Match Definitions
Sequence number use causes out-of-sequence and duplicate numbers to be rejected. Valid numbers are below a maximum value. Values entered are plausible Required fields are entered correctly. Input is double checked via second person OR all digits are entered twice. Transactions with duplicate IDs are checked for and rejected.
Duplicate Check Existence Check Reasonableness Check Limit Check Key Verification Sequence Check
Reference Slide #
Slide Title
Source of Information
6
Transaction Validation
CISA: page 225 Exhibit 3.30
7
Batch Processing
CISA: page 223, 224, 393
8
Batch Control
CISA: page 223, 224
9
Transaction Authorization
CISA: page 223
10
Error Handling Alternatives
CISA: page 224
12
Processing Controls
CISA: page 224, 225
13
Data File Control Procedures
CISA: page 225, 226
19
Testing Application: Test Data
CISA: page 229 Exhibit 3.32
20
Testing Application: Snapshot
CISA: page 229 Exhibit 3.32
21
Integrated Testing Facilities
CISA: page 230 Exhibit 3.32
22
Parallel Operation or Parallel Simulation
CISA: page 230 Exhibit 3.32
23
Transaction Selection Program
CISA: page 230 Exhibit 3.32
24
Embedded Audit Data Collection
CISA: page 230 Exhibit 3.32
25
Testing Application Techniques
CISA: page 229, 230 Exhibit 3.32
26
Online Auditing Techniques
CISA: page 230, 231
27
Concurrent Audit Tools
CISA: page 231 Exhibit 3.33
28
Continuous Online Auditing: Audit Hooks
CISA: page 230, 231
Acknowledgments Material is sourced from: CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission. CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission. Author: Susan J Lincke, PhD Univ. of Wisconsin-Parkside Contributors: Todd Burri, Megan Reid, Kahili Cheng Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives Students should be able to: Define and describe batch control, validation, batch balance, reconciliation, standing data, exception report, audit trail, system control parameters Define checks: sequence, limit or range, validity check or table lookup, existence, key verification, check digit, completeness, duplicate, consistency of logical relationship Define and understand testing application techniques: test data, snapshot, integrated testing facilities, parallel operation, parallel simulation, transaction selection program Define online auditing techniques: audit hooks, system control audit review file and embedded audit modules (SCARF/EAM)
Security in Software Development Requirements
Security Requirements
Abuse Cases
Architecture & Design
Risk Analysis Code
Penetration Test
Code Review Test
Security Operation
Risk-Based Security Test Deploy
Input Form No. 12083
Make form easy to read and use Group like fields together Provide predetermined input codes to reduce errors Provide identifier or cross-reference number Indicate field sizes Provide authorization signature if necessary
Sales Order Form Date: 11/09/09
Time: 3:24 PM
Product _____________ _____________ _____________ _____________
Quantity _______ _______ _______ _______
Salesperson: Authorization:
Transaction Validation Sequence Check: Sequence number use causes out-of-sequence and duplicate numbers to be rejected. Limit or Range Check: Valid numbers are below or between a maximum value. E.g., checks should not exceed $3,000 Validity Check or Table Lookup: Only certain values are accepted: Sex=M/F. Reasonableness Check: Values entered are reasonable: A takeout order of 100 pizzas??? Existence Check: Required fields are entered correctly. Key Verification: Input is double checked via second person OR all digits are entered twice. Check Digit: A digit may the correct entry of other digits. Completeness Check: Complete input is provided: zeros or spaces are checked for each required letter or digit Duplicate Check: Duplicate transactions or transactions with duplicate IDs are checked for and rejected. Consistency or Logical Relationship Check: Data is consistent with other known data: An employee’s birth date must be at least 16 years ago.
Batch Processing Input is authorized and collected into a batch Batch controls are automatically calculated and associated with the batch file.
Validation of the transactions occur. Rejected transactions are corrected and resubmitted or otherwise handled. Processing occurs (e.g., orders, payments, storage to DB)
Processing is complete. Batch balancing occurs through manual or automatic reconciliation of batch controls.
Batch Controls # TransType Amount Clerk 01001 054 $54.43 212 01222 054 $89.99 215 02022 033 $10.19 212 02022 036 $999.99 215 ……… 01098 054 $50.00 215 Batch Control: 12242 435
$9544.34 818
A Batch groups transactions to control processing. Batch controls can include totals or hashed values. Totals may include total items, documents, or values.
Transaction Authorization
Manual: Obtain
signature from management on batch forms or source documents Forms or Source Documents record data
Pre-number for control preferably
Automatic: Online
access control via or terminal identification
Error Handling Alternatives Reject transaction(s) with errors but process remaining batch Reject batch with error transactions Hold the batch in suspense: hold batch until error transactions are fixed Accept the full batch but flag the error transactions for later correction
Data Processing System Control Parameters
Controls processing: e.g., specify limit maximums
Transaction File (for today) Processing
Standing Data (Permanent Files)
Exception Report Master Data/Balance Data Reports errors in transactions
Audit Trail (or transaction log)
Records running balances and totals updated by transactions
Processing Controls Per-Transaction Basis Editing: program tests the accuracy, completeness and validity of data Checks on Calculated Amounts: Calculated values are checked to be reasonable or not exceed maximum Programmed Control: Software to detect, log, and initiate corrective action for errors Exception Report: Reports error transactions with their error types Per-Batch Basis Batch : Batch totals are recorded manually to be compared with system totals Run-to-Run Totals: Each processing stage reports its calculated batch controls Reconciliation: Supervisor should review that *all* data was properly recorded and processed
Data File Control Procedures Prerecorded Input: Certain information fields are preprinted on a blank input form to reduce input errors. Data File Security: Ensures authorized access only Version usage: The correct version of a file is always accessed Transaction Logs: An audit trail records date/time of input, ID and terminal location, and input transactions Before and After Image Reporting: File data is recorded before and after processing, enabling traces to occur based on transactions Parity Checking: When data is transmitted, check codes are added to ensure data is transmitted without error. Batch Processing Error reporting & handing: All error reports are properly reconciled and authorizations/corrections are submitted in a timely manner. One-for-One Checking: Source Documents correctly describe the processing that has occurred Source document retention: Source documents are retained as necessary for error handling and audits. Internal & External Labeling: Removable storage media is labeled to ensure correct processing
Question
1. 2. 3. 4.
A hash total of customer numbers is one input to the sales program. This program generates its own total to compare against this input parameter. What is the purpose of this procedure? Validate customer numbers are accurate Detect lost or changed transaction(s) Detect error(s) in sales transactions Validate that each sales transaction is complete
Question 1.
2. 3. 4.
Batch balancing is used to? Ensure that test data accurately matches real data when considering transaction types Detect lost or changed transaction(s) during processing Detect error(s) in sales transactions batch total is reasonable
Question
1. 2. 3. 4.
Batch totals may not match when error transactions are removed. The process that verifies full processing did occur correctly, while ing for errors is called: Audit trail Validation Batch balancing Reconciliation
Application Audit
Auditor Tasks Identify significant application components and flow of transactions Identify controls and evaluate their effectiveness Test the controls Analyze the test results to determine whether controls work as expected
Testing Applications: Test Data
Test Data
Pgm1
Pgm2
Pgm3
Processes test data through real programs.
Testing Applications: Snapshot
Pgm1
Pgm2
Pgm3
Displays ‘snapshots’ of how transactions are processed, as they are processed. Certain transactions are designated for recording.
Integrated Testing Facilities Real Data Pgm1
Pgm2
Pgm3
Test Data
Test data and real data are merged. Must be careful to isolate test results.
Parallel Operation or Parallel Simulation New System or System under Test Pgm1
Pgm2
Pgm3
Pgm1*
Pgm2*
Pgm3*
Real Data
Stable System or Simulated System Data is processed through two systems and results are compared. Useful to new system. Parallel Operation: Compare new system with older stable system Parallel Simulation: Compare actual and simulated system
Transaction Selection Program Transaction Selection Program
Test Data
Pgm1
Pgm2
Pgm3
A tool helps to select transactions to build a test deck..
Embedded Audit Data Collection Regular Data
Pgm1
Pgm2
Pgm3
Embedded Audit Modules (EAM): Audit software is embedded directly into the application programs to monitor specific types of transactions. Systems Control Audit Review File (SCARF): Provides statistical information about the normal input data file, to determine if the file is sufficiently varied for the auditor. Sample Audit Review File (SARF): Selects random transactions for analysis.
Testing Application Techniques Test Data: Test Data: Test transactions go through real programs Integrated Testing Facilities: Creates test transactions to include with live data Transaction Selection Programs: Screen and selects transaction input to regular production cycle Embedded Audit Data: Selects random or statistically-distributed input transactions and generates logs during production Debugging/Processing: Mapping: Identifies specific program’s logic that have not been tested Tracing and tagging: Trace shows trail of instructions executed. Tag places indicators on selected transactions Snapshot: Records flow of designated transactions through logic paths Validation Systems: Base-case system evaluation: Uses test data for testing programs and verifies correct system operations before accepting. Parallel Simulation: Uses programs that simulate application program logic Parallel Operation: Compares new and old production data processing systems and compares results
Online Auditing Techniques
Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM): Embedding specific written audit software in organization’s host application system Snapshots: Pictures of the processes’ path Audit Hooks: Embedding hooks in applications Integrated Test Facility (ITF): Dummy entries are set up and include auditor's production file Continuous & Intermittent Simulation (CIS): Simulates the instructions executed of the application
Concurrent Audit Tools Online Audit Techniques: Complexity:
SCARF/ EAM Very High
Useful when: Regular processing cannot be interrupted
Integrated Test Facilities
Snapshots
Continuous Intermittent Simulation
Audit Hooks
High
Medium
Medium
Low
Its not beneficial to use test data
An audit trail is required
Transactions meeting certain criteria need to be examined
Only select transactions or processes need to be examined
Continuous Online Auditing: Audit Hooks Regular Data
Pgm1
Pgm2
Pgm3
Continuous Online Auditing enables auditors to test the system without disrupting a company’s regular operation. Audit hooks are software logic embedded into the application, which prints error reports of red flags enabling auditors to act to catch errors early, before they become problems..
Question
1. 2. 3. 4.
Embedded audit modules is associated mostly clearly with: Audit hooks Snapshots Batch processing Parallel operation
Question
1. 2. 3. 4.
This technique provides statistical information about the normal input data file, to determine if the file is sufficiently varied for the auditor. Test data Snapshots Systems Control Audit and Review File Transaction Selection Program
Question
1. 2. 3. 4.
Combining real and test data during an audit is known as: Parallel operation Integrated testing facilities Batch processing Embedded audit modules
Match Definitions
Sequence number use causes out-of-sequence and duplicate numbers to be rejected. Valid numbers are below a maximum value. Values entered are plausible Required fields are entered correctly. Input is double checked via second person OR all digits are entered twice. Transactions with duplicate IDs are checked for and rejected.
Duplicate Check Existence Check Reasonableness Check Limit Check Key Verification Sequence Check
Match Definitions
Sequence number use causes out-of-sequence and duplicate numbers to be rejected. Valid numbers are below a maximum value. Values entered are plausible Required fields are entered correctly. Input is double checked via second person OR all digits are entered twice. Transactions with duplicate IDs are checked for and rejected.
Duplicate Check Existence Check Reasonableness Check Limit Check Key Verification Sequence Check
Reference Slide #
Slide Title
Source of Information
6
Transaction Validation
CISA: page 225 Exhibit 3.30
7
Batch Processing
CISA: page 223, 224, 393
8
Batch Control
CISA: page 223, 224
9
Transaction Authorization
CISA: page 223
10
Error Handling Alternatives
CISA: page 224
12
Processing Controls
CISA: page 224, 225
13
Data File Control Procedures
CISA: page 225, 226
19
Testing Application: Test Data
CISA: page 229 Exhibit 3.32
20
Testing Application: Snapshot
CISA: page 229 Exhibit 3.32
21
Integrated Testing Facilities
CISA: page 230 Exhibit 3.32
22
Parallel Operation or Parallel Simulation
CISA: page 230 Exhibit 3.32
23
Transaction Selection Program
CISA: page 230 Exhibit 3.32
24
Embedded Audit Data Collection
CISA: page 230 Exhibit 3.32
25
Testing Application Techniques
CISA: page 229, 230 Exhibit 3.32
26
Online Auditing Techniques
CISA: page 230, 231
27
Concurrent Audit Tools
CISA: page 231 Exhibit 3.33
28
Continuous Online Auditing: Audit Hooks
CISA: page 230, 231
Related Documents 171j1w
Application Controls 62177
November 2019 47
Gtag 8 - Auditing Application Controls 6c2934
January 2022 0
Controls 6z2lb
September 2022 0
Application Of Laplace Transform In Controls 5j536m
November 2019 88
Msa 516 Application Controls Powerpoint Presentation 4a1841
March 2021 0