7. Processing Integrity Flashcards
What does SPLMS stand for?
Source Program Library Management System.
SPLMS: What is this essential for?
Change control.
SPLMS: what is this?
Software AND instruction for people.
SPLMS: what does it manage?
For new or changed programs, it manages migration from the application development test environment to the production library.
SPLMS: what does it do?
Controls and validates program changes by comparing new to old code.
SPLMS: what are 4 functions?
- Store programs in the SPL (source program library)
- Retrieve program for updating and maintenance
- Delete obsolete programs
- Audit trails: document program changes
SPLMS: is this a part of a system?
May be a part of operating system or purchased separately.
Why must accounting systems be documented?
Required;
- By law: e.g. Foreign Corrupt Practices Act, SOX, SEC regulations
- To build and evaluate complex systems
- For training
- For creating sustainable/survivable systems
- For auditing (internal and external)
- For process (re)engineering
What are 4 types of documentation?
System, program (also called “technical” by programmers), operator, user.
What is system documentation?
Overview of program, data files, processing logic, interactions with other programs and systems.
May include requirements, architecture and design.
What is program documentation?
Detailed description of inputs, logic, and outputs.
Includes program flowcharts, source code listings, record layouts.
What is operator documentation?
Also called “run manual.”
How to load and execute programs and data.
Includes needed equipment, files, supplies, commands, error messages.
What type of control is documentation: general/application? Preventative/corrective?
General and preventative.
Doc retention/destruction: what must an organization have?
Organizational policy and plan that dictate retention and destruction.
Doc retention/destruction: what must an organization follow?
Applicable laws and regulations (health care, criminal, credit check records etc).
Doc retention/destruction: what is control risk?
Failure to properly retain or destroy electronic documents.
What is SPL?
Source program library;
- The library of source code computer programs
- Secure and separate these programs from live programs
- Critical to the internal control system and to change management
Define SPLMS.
Functions include storing, retrieving, and deleting programs and documenting by whom, when, where, and how programs are changed.
What are forms of documentation?
- Questionnaires: ask specifics
- Narratives: describe processes
- Data flow diagram (DFD): flows of data
- Flowcharts:
- E-R (entity-relationship) diagram: model relationships between entities and data in accounting systems
- Decision tables: logical relationships in a processing system by identifying decision points and alternatives
What do input and origination controls do?
- Ensure reliability of application program data and processes
- Understanding enables auditor to assess risks if absent or weak
- Some may function as input or processing controls (e.g. control totals)
Input and origination controls: what is often the best input control?
To automate data entry (to not have manual input by people) - hence, growing use of term origination to replace input.
Origination: what is growing trend to replace human entry? Goals?
Scanning.
Accuracy, completeness, efficiency.
What are 4 audit (control) input goals (EVAC)?
Validity (V), Completeness (C), Accuracy (A), Efficiency (E).
What is the definition of validity? Examples?
Input data are approved and represent actual economic events and objects.
- Input data represent actual (not fictitious) transactions
- Only receipts supported by an actual check are input
What is the definition of completeness? Example?
All valid events are entered.
*All customer pmts are input.
What is the definition of accuracy? Example?
Valid events are correctly entered.
*Customer and invoice information are entered correctly.
What is the definition of efficiency? Example?
Input is done using minimal resources.
*Scan instead of hand enter.
What is OLRT (online real-time) systems control? Goals?
Closed loop verification.
- Use entered data to display additional (so that users can confirm data)
- C (all data entered), A (entered data accurate), E
Application controls: Input: Where are examples mostly found in batch system?
- Batch control total: Financial total (add inv amounts), Hash total (totals of a field for which the total has no logical meaning: e.g. add inv numbers. Usually for an account code field)
- Record count: count # of inv - goal = C,A
Application controls: Input: Where are examples mostly found in both Batch and OLRT systems?
- Automated data capture
- Check digit (goal = A)
- Sequence check
- Key verification
- Missing data check
- Field check (data type/data format check)
- Limit test (1. Range tests 2. Sign tests)
- Valid code test (validity test)
- Reasonableness check (logic test)
- Preprinted forms and preformatted screens
- Default values
Application controls: Input: what is sequence check? Goals?
Confirm numerical sequence (of check or inv #s).
- Usually automated but may be manual
- Goal: C (all valid are included), V (no invalid are included)
Application controls: Input: what is key verification? Goals?
Re-key (re-enter) and compare critical data.
- Ex: require password entry twice
- Goal: Validity
Application controls: Input: what is completeness or missing data check? Goals?
Confirm if all data are entered in field - can’t continue until entered.
Goal: Completeness.
Application controls: Input: what is field check (data type/data format check)? Goals?
*Verify if data is of correct format: e.g. entering State, zip code, etc - if not in the right format, it will not let you enter.
*For both numeric and letters
Goal: Accuracy.
Application controls: Input: what are limit tests? Goals?
Numeric field with specified values: e.g. entry may not be accepted if the number entered is above 5.
Goals: Validity and accuracy.
Application controls: Input: what is range test? Goals?
*For numeric
*Validate upper and lower limit: e.g. price per gallon of gas $2 < x < $10
Goals: A, V
Application controls: Input: what is sign test? Goals?
# has correct sign (+ or -): e.g. # purchased must be > 0. Goals: A, V.
Application controls: Input: what is valid code test (validity test)? What is this also called in database? Goals?
Verify if the entered account # exists: e.g. can’t enter an order unless the customer has an existing account #.
Called referential integrity.
Goals: V, A
Application controls: Input: what is reasonableness check (logic test)? Goals?
Verify if 2 or more fields agree: e.g. don’t allow pay rate = “$3,500” and pay period = “hourly”
Goals: validity and accuracy.
Application controls: Input: what are goals for preprinted forms and preformatted screens?
Reduce data entry errors, speed data entry.
Goals: A, C, E
Application controls: Input: what are default values? Goals?
Pre-supplied data values for fields: e.g. sales order data = current data.
Goals: A, E.
What are 4 types of application controls?
- Input controls
- Processing controls
- File controls
- Output controls
Application controls: Processing: Goals?
Efficiency:
- Accurate and complete master file updates
- Detect unauthorized transactions
- Maintain data integrity
Application controls: Processing (and Input): what is the control used in Batch processing?
Run-to-run controls: monitor the number of units in a batch as it moves from one programmed procedure (run) to another. Use batch totals to agree the batch from one procedure (run) to another.
- Batch control total: financial total and hash total
- Record count
Application controls: Processing: what is a control mostly used in OLRT?
Audit trail control.
*Transaction log = electronic audit trail
Application controls: Processing: Transaction logs (processing and output): what may it include? Why is it important?
May include data values, time, terminal number, IP address, user name.
Importance:
*Goals: Accuracy, completeness, validity
*Backup and recovery: essential to checkpoint and restart, and rollback and recovery systems
What are 4 types of files?
- Master files: updated by postings to transaction files
- Standing files: rarely changed master files
- Transaction files: used to update master files
- System control parameter files: determine the workings of system runs
What are 4 examples of hardware controls?
- Check digit (also called parity bit or parity check or self-checking digit)
- Read after write check
- Echo check
- Boundary protection
Hardware controls: What is parity check?
*Designed to detect errors in data transmission
0 or 1 included in byte to indicate if sum of bits is odd or even.
Example: parity bit = 0 (added) if sum is odd. Parity bit = 1 if sum is even.
7 bits: 0011010 - add 0 as the 8th bit because sum is 3 (odd) and complete byte is 00110100
7 bits: 1011010 - add 1 as the 8th bit because sum is 4 (even) and complete byte is 10110101
Hardware controls: what is read after write check?
- Verifies that data was correctly written to disk by comparing to source
- Mostly used in local file operations
Hardware controls: what is echo check?
Verify transmission by “echoing back” received transmission to sender.
*Primary use = telecommunications systems
Hardware controls: what is boundary protection?
- With multiple programs and/or simultaneous users
* Prevents one program from overwriting data and instructions of another program
Hardware controls: what are internal/external labels?
Internal labels: read by system (for removable storage).
External labels: read by humans.
Hardware controls: what are version controls?
Protocols for ensuring use of the correct file version.
Hardware controls: what are file access and updating controls?
Procedures to restrict file updates and access to authorized users.
Application controls: what kind of control is it? What item is often used?
Output controls.
- Often use transaction logs or printed output (built into most systems).
- Access to sensitive reports through permissions and access controls: e.g. authorization matrix
Application controls: Output: what are spooling (print queue) controls?
Job sent to a printer but can’t be printed immediately (e.g. require user to enter his code/password).
For sensitive output (e.g. sensitive product sales data).
What is an electronic audit trail?
Transactions are written to a transaction log as they are processed. The transaction logs are an electronic audit trail.
What are hardware controls?
Controls built into the computer equipment to ensure that data are transmitted and processed accurately.
Define parity check (parity bit).
It’s an example of a check digit. It consists of a 0 or 1 included in a byte of info that makes the sum of bits either odd or even.