CHAPTER 17
IT CONTROLS PART III: SYSTEMS DEVELOPMENT, PROGRAM CHANGES, AND APPLICATION CONTROLS
REVIEW QUESTIONS
1. Systems development controls:
a. systems authorization activities
b. user specification activities
2. All program modules must be thoroughly tested before they are
implemented. The test data must be designed such that all modules are
tested. Oftentimes, hypothetical master files and transactions are created
3. Users need to be actively involved in the systems development process. The
technical complexity of the system should not stifle user involvement. Regardless of
the technology involved, the user should create a detailed written description of his
4. The internal auditor can serve as a liaison between users and the systems
professionals to ensure an effective transfer of knowledge. An internal audit group,
astute in computer technology and possessing a solid grasp of the business
problems to be solved, is invaluable to the organization during all phases of the
Chapter 1 Page 2
6. The simplest form of check digit is to sum the digits in the code and use this sum as
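The two check-digit schemes below are an added example, not part of the solutions manual. The first is the simple digit-sum scheme the answer describes (sum reduced modulo 10). The second, a weighted modulus-11 scheme, is not described on this page; it is included as the standard refinement because the simple sum cannot detect the most common keying error, two adjacent digits transposed, which leaves the sum unchanged. All codes are constructed sample values.

```python
"""Check digits for numeric codes (added example; not from the text).

A check digit is appended to a code (account number, part number) so that a
data-entry error can be detected before the record is accepted.
"""


def simple_sum_check_digit(code: str) -> str:
    """Simplest scheme: sum of the digits, reduced modulo 10."""
    if not code.isdigit():
        raise ValueError("code must consist of digits only")
    return str(sum(int(d) for d in code) % 10)


def simple_sum_valid(code_with_check: str) -> bool:
    """Recompute the digit-sum check digit and compare with the last digit."""
    body, check = code_with_check[:-1], code_with_check[-1]
    return simple_sum_check_digit(body) == check


def mod11_check_digit(code: str) -> str:
    """Weighted modulus-11 scheme (assumed refinement, not from the page).

    Each digit is multiplied by a weight (2, 3, 4, ... from the rightmost
    digit), the products are summed, and the check digit is what must be
    added to reach the next multiple of 11.  A remainder of 10 cannot be a
    single digit; it is written 'X' here, as in ISBN-10.
    """
    if not code.isdigit():
        raise ValueError("code must consist of digits only")
    weights = range(2, 2 + len(code))
    total = sum(int(d) * w for d, w in zip(reversed(code), weights))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def mod11_valid(code_with_check: str) -> bool:
    body, check = code_with_check[:-1], code_with_check[-1]
    return mod11_check_digit(body) == check


def detects_transposition(check_fn, code: str, i: int, j: int) -> bool:
    """True if swapping digits i and j of `code` changes the check digit,
    i.e. the scheme would catch that transposition error."""
    digits = list(code)
    digits[i], digits[j] = digits[j], digits[i]
    return check_fn(code) != check_fn("".join(digits))


if __name__ == "__main__":
    code = "1234"  # constructed sample code
    print("digit-sum check digit:", simple_sum_check_digit(code))
    print("mod-11 check digit:   ", mod11_check_digit(code))
    # Swap the middle digits (1324): the digit sum is unchanged, so the
    # simple scheme accepts the wrong code; modulus 11 rejects it.
    print("digit-sum catches 12<->13 swap:", detects_transposition(simple_sum_check_digit, code, 1, 2))
    print("mod-11 catches 12<->13 swap:   ", detects_transposition(mod11_check_digit, code, 1, 2))
```

The weighting is what gives modulus 11 its power: because each position carries a different weight, swapping two digits changes the weighted total, whereas an unweighted sum is the same regardless of digit order.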
7. All program modules must be thoroughly tested before they are implemented. A
program testing procedure involving the creation of hypothetical master files and
8. Source program library (SPL) is a disk repository for storing application
program modules in source code format. To make a program change requires
first changing the logic of the source code on the SPL. This is then recompiled
9. The black box surrounding the SPL signifies the SPLMS, which controls four
critical functions: (1) storing programs on the SPL, (2) retrieving programs for
10. When using program-naming conventions, the name assigned to a program
clearly distinguishes it as being either a test or a production program. When a
program is copied from the production SPL to the programmer's library, it is
11. The SPLMS assigns a version number automatically to each program stored
on the SPL. When programs are first placed in the libraries (at implementation),
12. a. reconcile program version numbers
13. a. reconcile the source code
14. Auditing around the computer involves black box testing in which the auditors
do not rely on a detailed knowledge of the application’s internal logic. Input is
reconciled with corresponding output. Auditing through the computer involves
15. a. Test data method
16. EAM techniques use one or more specially programmed modules
embedded in a host application to select and record predetermined types
of transactions for subsequent analysis. This method allows material
17. GAS allows auditors to access electronically coded data files of their clients,
both simple and complex structures, and to perform various operations on their
contents. GAS is popular for the following reasons:
19. Many times data have upper and lower limits to their acceptable values.
For example, if the range of pay rates for hourly employees in a firm is
20. The test determines that a value in one field, which has already passed a limit
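The following is an added example, not code from the text, that puts the three input edit checks of questions 19 and 20 side by side over a constructed batch of payroll records: a limit check (one bound, hours worked), a range check (lower and upper bound, pay rate), and a reasonableness check that is applied only after the range check has passed and tests the pay rate against a second field, the employee's job class. The bounds, job classes and records are all constructed assumptions.

```python
"""Limit, range and reasonableness checks on payroll input (added example).

All thresholds and records below are constructed for illustration; nothing
here comes from the solutions manual.
"""

# Limit check: a single bound.  Assumed maximum hours per pay period.
HOURS_LIMIT = 80

# Range check: both a lower and an upper bound on the hourly pay rate (assumed).
PAY_RATE_RANGE = (7.25, 50.00)

# Reasonableness check: a pay rate inside the global range may still be
# unreasonable for the employee's job class (assumed per-class bands).
JOB_CLASS_RATES = {
    "clerk": (10.00, 20.00),
    "technician": (18.00, 35.00),
    "engineer": (30.00, 50.00),
}


def validate_payroll_record(rec: dict) -> list[str]:
    """Return a list of edit-check failures for one record (empty if clean)."""
    errors = []
    hours = rec["hours_worked"]
    rate = rec["pay_rate"]

    # Limit check: upper bound only.
    if hours > HOURS_LIMIT:
        errors.append(f"limit: hours_worked {hours} exceeds {HOURS_LIMIT}")

    # Range check: lower and upper bound.
    low, high = PAY_RATE_RANGE
    if not low <= rate <= high:
        errors.append(f"range: pay_rate {rate:.2f} outside {low:.2f}-{high:.2f}")
    else:
        # Reasonableness check: only meaningful once the range check passed,
        # and it relates the rate to a second field (job_class).
        band = JOB_CLASS_RATES.get(rec["job_class"])
        if band is None:
            errors.append(f"reasonableness: unknown job_class {rec['job_class']!r}")
        elif not band[0] <= rate <= band[1]:
            errors.append(
                f"reasonableness: pay_rate {rate:.2f} implausible for "
                f"{rec['job_class']} (expected {band[0]:.2f}-{band[1]:.2f})"
            )
    return errors


def run_edit_checks(records: list[dict]) -> dict[str, list[str]]:
    """Apply the checks to a batch; map employee_id -> failures."""
    return {r["employee_id"]: validate_payroll_record(r) for r in records}


# Constructed sample batch: one clean record and one failure per check type.
SAMPLE_RECORDS = [
    {"employee_id": "E001", "job_class": "clerk", "hours_worked": 40, "pay_rate": 15.00},
    {"employee_id": "E002", "job_class": "clerk", "hours_worked": 95, "pay_rate": 15.00},
    {"employee_id": "E003", "job_class": "engineer", "hours_worked": 40, "pay_rate": 55.00},
    {"employee_id": "E004", "job_class": "clerk", "hours_worked": 40, "pay_rate": 45.00},
    {"employee_id": "E005", "job_class": "pilot", "hours_worked": 40, "pay_rate": 20.00},
]

if __name__ == "__main__":
    for emp, errs in run_edit_checks(SAMPLE_RECORDS).items():
        print(emp, "OK" if not errs else "; ".join(errs))
```

Record E004 is the case question 20 describes: a rate of 45.00 passes the range check, yet it is flagged because it is implausible for a clerk. Record E003 shows why the reasonableness check is skipped when the range check fails: reporting both would be redundant noise for the same bad value.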
DISCUSSION QUESTIONS
1. An SPL environment can help to deter unauthorized changes to programs by
implementing password-controlled libraries for each programmer where the
passwords are frequently changed. Program modification reports are a
powerful control for detecting and deterring any unauthorized program
changes. These reports describe in detail all program changes that have been
made. These reports should be reconciled against program maintenance
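The reconciliation described above, and in review questions 11 and 12 (the SPLMS assigns version numbers automatically, and the auditor reconciles them), is worked through below as an added example that is not part of the text. A constructed program modification report is matched against a constructed list of approved maintenance requests; any change that has no authorizing request, any authorized change that never appears in the report, and any skipped version number is reported as a finding. Program names, tickets and versions are all made-up sample values.

```python
"""Reconcile an SPLMS program modification report against approved
maintenance requests (added example; not from the text).

Every change recorded by the library management system should be traceable
to an authorized request, and version numbers should advance one at a time.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProgramChange:
    """One line of the SPLMS program modification report (constructed format)."""
    program: str
    old_version: int
    new_version: int
    programmer: str


@dataclass(frozen=True)
class MaintenanceRequest:
    """An approved change request naming the version it authorizes."""
    program: str
    ticket: str
    authorized_version: int


def reconcile_changes(report: list[ProgramChange],
                      requests: list[MaintenanceRequest]) -> list[str]:
    """Return audit findings; an empty list means the report reconciles."""
    findings = []
    authorized = {(r.program, r.authorized_version): r.ticket for r in requests}
    implemented = set()

    for change in report:
        # The SPLMS increments versions by one; a gap means a version was
        # stored that never reached this report (or the report was edited).
        if change.new_version != change.old_version + 1:
            findings.append(
                f"{change.program}: version skipped "
                f"{change.old_version} -> {change.new_version}"
            )
        key = (change.program, change.new_version)
        if key in authorized:
            implemented.add(key)
        else:
            findings.append(
                f"{change.program} v{change.new_version} by {change.programmer}: "
                f"no authorizing maintenance request"
            )

    # Approved work that never shows up in the library is also a finding:
    # either the request was not done or the change bypassed the SPLMS.
    for (program, version), ticket in authorized.items():
        if (program, version) not in implemented:
            findings.append(
                f"{program} v{version} ({ticket}): authorized but absent "
                f"from modification report"
            )
    return findings


# Constructed sample data.
SAMPLE_REPORT = [
    ProgramChange("PAYROLL", 3, 4, "alice"),
    ProgramChange("PAYROLL", 4, 5, "bob"),
    ProgramChange("AR", 7, 9, "carol"),
]
SAMPLE_REQUESTS = [
    MaintenanceRequest("PAYROLL", "CR-101", 4),
    MaintenanceRequest("AR", "CR-102", 8),
]

if __name__ == "__main__":
    for finding in reconcile_changes(SAMPLE_REPORT, SAMPLE_REQUESTS):
        print("FINDING:", finding)
```

In the sample, PAYROLL v4 reconciles cleanly; PAYROLL v5 has no request behind it; AR jumped from 7 to 9, so v8 (the authorized one) is missing and v9 is unauthorized. Each of these is exactly the kind of discrepancy the modification report is meant to surface.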
2. One example would be students’ grades. This information is considered
confidential and private. The student, his/her advisor, and his/her professors
should have access to this data. Other students should NOT have access to
any student’s grade other than their own. Prospective employers or other
universities should not have access to the grades without the permission of the
3. Prior to system implementation, User Test and Acceptance Procedures provide
formal and rigorous testing of the individual modules of the system. The test
team should be composed of user personnel, systems professionals, and
internal auditors. The details of the tests performed and their results need to be
formally documented and analyzed. Once the test team is satisfied that the
4. Financial systems that calculate interest payments on bank accounts or
charges on mortgages and other loans employ special rounding error
applications. Rounding errors occur when the level of precision used in an
interest calculation is greater than that used for reporting. For example, interest
calculations on bank account balances may have a precision of five decimal
places, whereas only two decimal places are reported on balances. If the
5. The salami fraud affects large numbers of victims, but each in a minimal way.
The fraud scheme takes its name from the analogy of slicing a large salami
(the total fraud) into many thin pieces. Each victim gets one of these small
pieces and is unaware of being defrauded. For example, a programmer, or
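The two answers above, the rounding-error application (question 4) and the control concern it raises (question 5), are illustrated by the added example below, which is not code from the text. Interest is computed to five decimal places and posted to two, as the answer describes; the rounding remainder is carried forward from one account to the next so that the posted total equals the rounded total of the computed interest, and a control total compares what was computed against what was posted, flagging any difference larger than a single rounding step. Balances, rates and the day count are constructed assumptions, as is the simple-interest formula.

```python
"""Rounding-error application with a residual control total (added example).

Interest is calculated at five decimal places and posted at two.  The
fractions of a cent that rounding leaves over are carried forward so they
end up in the accounts, not in a separate pool, and an independent control
total checks that computed and posted interest agree.
"""
from decimal import Decimal, ROUND_HALF_UP

CALC_PRECISION = Decimal("0.00001")  # five decimal places for calculation
POST_PRECISION = Decimal("0.01")     # two decimal places for posting


def compute_interest(balance: Decimal, annual_rate: Decimal, days: int) -> Decimal:
    """Simple daily accrual on a 365-day year (assumed formula), at 5 dp."""
    raw = balance * annual_rate * days / Decimal(365)
    return raw.quantize(CALC_PRECISION, rounding=ROUND_HALF_UP)


def post_with_residual_carry(amounts: list[Decimal]) -> tuple[list[Decimal], Decimal]:
    """Round each amount to 2 dp, carrying the rounding remainder forward.

    Returns (posted_amounts, final_carry).  Because each remainder is added
    to the next account before rounding, the posted total never drifts more
    than one rounding step from the true total.
    """
    posted = []
    carry = Decimal(0)
    for amount in amounts:
        adjusted = amount + carry
        rounded = adjusted.quantize(POST_PRECISION, rounding=ROUND_HALF_UP)
        carry = adjusted - rounded
        posted.append(rounded)
    return posted, carry


def posted_total(posted: list[Decimal]) -> Decimal:
    return sum(posted, Decimal(0))


def residual_within_tolerance(amounts: list[Decimal], posted: list[Decimal]) -> bool:
    """Control total: computed interest minus posted interest must not exceed
    half a cent in magnitude.  A larger residual means cents went somewhere
    other than the customers' accounts and must be investigated."""
    residual = sum(amounts, Decimal(0)) - posted_total(posted)
    return abs(residual) <= Decimal("0.005")


# Constructed sample accounts: (balance, annual rate), 30 days of interest.
SAMPLE_ACCOUNTS = [
    (Decimal("1234.56"), Decimal("0.03")),
    (Decimal("987.65"), Decimal("0.03")),
    (Decimal("500.00"), Decimal("0.03")),
    (Decimal("2500.33"), Decimal("0.03")),
]
SAMPLE_INTEREST = [compute_interest(b, r, 30) for b, r in SAMPLE_ACCOUNTS]

# Constructed posting in which every amount was truncated downward instead
# of rounded; the control total is what detects it.
TRUNCATED_POSTING = [Decimal("3.04"), Decimal("2.43"), Decimal("1.23"), Decimal("6.16")]

if __name__ == "__main__":
    posted, carry = post_with_residual_carry(SAMPLE_INTEREST)
    print("computed:", SAMPLE_INTEREST, "total", sum(SAMPLE_INTEREST, Decimal(0)))
    print("posted:  ", posted, "total", posted_total(posted), "final carry", carry)
    print("control total OK:", residual_within_tolerance(SAMPLE_INTEREST, posted))
    print("control total OK (truncated ledger):",
          residual_within_tolerance(SAMPLE_INTEREST, TRUNCATED_POSTING))
```

The control total is independent of the posting routine: it recomputes the total from the five-decimal amounts and compares it with the sum actually credited. That independence is the point, since a posting routine that quietly truncated every account would still produce individually plausible two-decimal figures.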
6. The black box approach (also called auditing around the computer) does not
require the auditor to create test files or to obtain a detailed knowledge of the
application’s internal logic. Instead, auditors analyze flowcharts and interview
knowledgeable personnel in the client’s organization to understand the
functional characteristics of the application. With an understanding of what the
application is supposed to do, the auditor tests the application by reconciling
actual production transactions processed with output results. The output results
7. Test data should consist of a complete set of valid and invalid transactions.
Incomplete test data may fail to explore critical branches of application logic
and error checking routines. Test transactions should be designed to test all
possible input errors, logical processes, and irregularities pertinent to the audit
objective. Gaining knowledge of the application’s internal logic sufficient to
create meaningful test data represents a considerable investment in time. The
8. The primary disadvantage of test data techniques is that auditors rely on the
client’s IT personnel to obtain a copy of the production application under
9. Auditors need to ensure that systems being developed in-house serve the
10. a. Detecting that inadequate segregation of functions exists between programmers
and operators
11. Embedded audit module (EAM) techniques use one or more specially
programmed modules embedded in a host application to select and
record predetermined types of transactions for subsequent analysis. As
the selected transaction is being processed by the host application, a
12. The test data method is used to establish application integrity by processing
specially prepared sets of input data through production applications that are
under review. The results of the test are compared with the expected results.
The base case system evaluation extends the test data method; the test data
13. When auditors rely on client IT personnel to produce flat files from their
databases, they run the risk that database integrity will be compromised. For
example, if the auditor is confirming accounts receivable, certain fraudulent