Slide 1

Output Controls
• Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
• Exposures of this sort can cause serious disruptions to operations and may result in financial losses to a firm.
• For example, if the checks produced by a firm’s cash disbursements system are lost, misdirected, or destroyed, trade accounts and other bills may go unpaid.
Controlling Batch Systems Output
• See Figure 6-12 for an illustration.
• Each stage in this process is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected.
Output Spooling
• Output from different applications is directed to disk rather than straight to the printer, to avoid a bottleneck; later, when printer resources become available, the output files are printed.
• Exposure: a computer criminal may use this opportunity to perform any of the unauthorized acts listed on page 232.
• Auditors should be aware of these exposures and ensure that proper access control is in place to protect output files.
Print Program Controls
• Aim to deal with two types of exposures:
– production of unauthorized copies of output (this can be controlled if output documents are pre-numbered; otherwise, supervision is needed)
– employee browsing of sensitive data (can use multipart paper with the top copy colored black to prevent the print from being read)
Bursting
• When output reports are removed from the printer, they go to the bursting stage to have their pages separated and collated.
• The primary control is supervision.
Waste
• Computer output waste represents a potential exposure.
• Passing sensitive output through a paper shredder is one possible solution.
Controlling Real-Time Systems Output
• Real-time systems direct their output to the user’s computer screen, terminal, or printer.
• The primary threat to real-time output is the interception, disruption, destruction, or corruption of the output message as it passes along the communication link.
Controlling Real-Time Systems Output
• Two types of exposures:
– exposures from equipment failure
• Solution: parity/ECC (e.g., Hamming code)
– exposures from subversive acts, whereby a computer criminal intercepts the output message transmitted between the sender and the receiver
• Solution: encryption/decryption
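A worked illustration of the parity/ECC control for equipment-failure exposures, added here and not taken from the slides: a general Hamming single-error-correcting code applied to a constructed output message, with one bit flipped on the link and then corrected. It handles accidental bit flips only; it offers nothing against the subversive interception the slide pairs with encryption.

```python
# Added example, not from the slides: Hamming single-error correction on a constructed message.

def bytes_to_bits(data: bytes) -> list:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bits_to_bytes(bits: list) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def hamming_encode(data_bits: list) -> list:
    """Parity bits sit at 1-based positions 1, 2, 4, 8, ...; parity p covers every
    position whose index has bit p set, chosen so each check XORs to 0."""
    m, r = len(data_bits), 0
    while (1 << r) < m + r + 1:      # smallest r with 2^r >= m + r + 1
        r += 1
    n = m + r
    code = [0] * (n + 1)             # index 0 unused, positions stay 1-based
    it = iter(data_bits)
    for pos in range(1, n + 1):
        if pos & (pos - 1):          # not a power of two: a data position
            code[pos] = next(it)
    for i in range(r):
        p = 1 << i
        for pos in range(p + 1, n + 1):
            if pos & p:
                code[p] ^= code[pos]
    return code[1:]

def hamming_decode(code: list) -> tuple:
    """Return (data_bits, corrected_position), 0 meaning no error. The syndrome is
    the XOR of the positions of all set bits, which equals the position of a single flip."""
    word, n, syndrome = [0] + list(code), len(code), 0
    for pos in range(1, n + 1):
        if word[pos]:
            syndrome ^= pos
    if syndrome > n:                 # not a valid position: multiple flips, not correctable
        raise ValueError("uncorrectable corruption detected")
    if syndrome:
        word[syndrome] ^= 1
    return [word[pos] for pos in range(1, n + 1) if pos & (pos - 1)], syndrome

def recover(message: bytes, flip_pos: int = 0) -> tuple:
    """Encode, flip one bit on the link (0 = none), decode; return (text, corrected_pos)."""
    code = hamming_encode(bytes_to_bits(message))
    if flip_pos:
        code[flip_pos - 1] ^= 1
    data, fixed = hamming_decode(code)
    return bits_to_bytes(data), fixed
```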
Testing Computer Application Controls
• Designed to provide information about the accuracy and completeness of an application’s processes
• Two general approaches:
– black box approach: does not rely on detailed knowledge of the application’s internal logic
– white box approach: relies on an in-depth understanding of the internal logic of the application being tested
Black Box Approach
• Seeks to understand the functional characteristics of the application by analyzing flowcharts and interviewing knowledgeable personnel in the client’s organization
• Auditors test the application by reconciling production input transactions processed by the application with the output results
• Output results are analyzed to verify the application’s compliance with its functional requirements
White Box Approach
• These techniques use a small number of specially created test transactions to verify specific aspects of the application’s logic and controls
• Some common types of tests of controls:
– authenticity tests: verify that an individual, a programmed procedure, or a message attempting to access a system is authentic
– accuracy tests: ensure that the system processes only data values that conform to specified tolerances, e.g., range tests, field tests, and limit tests
White Box Approach (cont)
• Some common types of tests of controls:
– completeness tests: identify missing data within a single record and entire records missing from a batch, e.g., field tests, record sequence tests, hash totals, and control totals
– redundancy test: determine that an application processes each record only once
– access test: ensure that the application prevents authorized users from unauthorized access to data
White Box Approach (cont)
• Some common types of tests of controls:
– audit trail test: ensure that the application creates an adequate audit trail (this includes evidence that the application records all transactions in a transaction log)
– rounding error tests: verify the correctness of rounding procedures (salami fraud takes its name from the analogy of slicing a large salami into many thin pieces; each victim absorbs one of the small pieces and is unaware of being defrauded)
• See Software testing from Wikipedia in relevant links
Test Data Method
• Used to establish application integrity by processing specially prepared sets of input data through production applications that are under review
• The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic
• See Figures 6-16 and 6-17
Creating Test Data
• When creating test data, auditors must prepare a complete set of both valid and invalid transactions.
• If test data are incomplete, auditors might fail to examine critical branches of application logic and error-checking routines.
• Test transactions should test every possible input error, logical process, and irregularity.
Tracing
• Walk through the application’s logic
• See page 241 for an example
Integrated Test Facility (ITF)
• An automated technique that enables the auditor to test an application’s logic and controls during normal operation
• ITF is one or more audit modules designed into the application during system development
• ITF audit modules are designed to discriminate between ITF transactions and routine production data.
• See Figure 6-19 on page 243
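An added example, not from the slides, of an ITF audit module built into a posting routine: transactions tagged with an assumed auditor-only entity code are routed to a separate ITF ledger while routine production data posts normally, so production totals stay unaffected and the ITF results can be reconciled with predetermined expectations. The entity code, ledger layout and transaction stream are constructed.

```python
# Added example, not from the slides: an ITF audit module embedded in a posting
# routine. The dummy entity code used to tag ITF transactions is an assumption.
from decimal import Decimal

ITF_ENTITY = "ZZ-AUDIT"   # assumed code reserved for the auditor's fictitious entity

def post_batch(transactions, production_ledger, itf_ledger):
    """Post every transaction; the embedded audit module routes records tagged with
    the ITF entity into the auditor's ledger so production totals stay clean."""
    for tx in transactions:
        ledger = itf_ledger if tx["entity"] == ITF_ENTITY else production_ledger
        ledger[tx["account"]] = ledger.get(tx["account"], Decimal("0")) + tx["amount"]
    return production_ledger, itf_ledger

def itf_check(itf_ledger, expected):
    """Compare what the live application did with the auditor's test transactions
    against the predetermined results; returns the accounts that differ."""
    return sorted(a for a in set(itf_ledger) | set(expected) if itf_ledger.get(a) != expected.get(a))

# Constructed mixed stream: routine production data with ITF transactions interleaved.
STREAM = [
    {"entity": "OPS", "account": "4000", "amount": Decimal("250.00")},
    {"entity": ITF_ENTITY, "account": "4000", "amount": Decimal("10.00")},
    {"entity": "OPS", "account": "4100", "amount": Decimal("99.99")},
    {"entity": ITF_ENTITY, "account": "4100", "amount": Decimal("-5.00")},
]
ITF_EXPECTED = {"4000": Decimal("10.00"), "4100": Decimal("-5.00")}

def run():
    prod, itf = post_batch(STREAM, {}, {})
    return prod, itf, itf_check(itf, ITF_EXPECTED)
```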