Page 143 - DCOM509_ADVANCED_AUDITING
Advanced Auditing
Auditors can also use high-level languages (such as SQL in a relational database system) to
select data that satisfy certain criteria and format this data for reporting purposes. However,
such high-level languages may not have statistical sampling capabilities. Auditors
overcome such difficulties by using macros, which allow them to write programmes that
perform a particular function and then invoke these programmes with a single command.
8.4.3 Concurrent Auditing Techniques
Concurrent auditing techniques were developed in the 1960s and 1970s to address two problems
with computer-based information systems: first, disappearing paper-based audit trails,
and second, the continuous monitoring required by advanced systems. There are four major
concurrent audit techniques:
Integrated Test Facility: This technique involves establishing a dummy entity on application
system files and processing audit test data against the entity to verify processing
authenticity, accuracy and completeness. It requires two major design decisions
for the system: first, what method will be used to enter data, and second, what method will
be adopted to remove its effects. To enter data, one may tag the dummy (ITF) transaction
and program the application system to recognize this tagged transaction; the system may
then prepare two updates, one for the master file record and the other for the dummy
entity. The second method is to design new test data (with a key field to denote that it is
an ITF transaction) and enter it into the application system. The effects of ITF entries can
be removed by modifying the application system (so that it recognizes such transactions
and ignores them in any processing that may affect users), by submitting additional input
that reverses the effect of the ITF transactions, or by submitting trivial entries so that
the effect of ITF transactions on output is minimal (this is simple; however, users will
have to be advised of ITF testing).
Snapshot/Extended Record: This technique involves software taking “pictures” (or
snapshots) of a transaction as it flows through the application system. Auditors embed
the software in the application at the points where they deem material processing occurs.
They must decide where to locate the snapshot points, when to capture the snapshots, and
how to report the snapshot data that is captured. The embedded software must
provide sufficient identification and timestamp information for each transaction to enable
auditors to determine the transaction to which it applies and the sequence of changes as
they occur. A reporting system must also be designed and implemented to present the data in
a meaningful way. A modification of this technique is the extended record technique, in which
a single record is built up from the images captured at each point. This has the
advantage of having all information in one place and facilitates audit evaluation. These
techniques can be used in conjunction with the ITF technique.
System Control Audit Review File (SCARF): This involves embedding audit software
modules within the host application system for continuous monitoring of the system’s
transactions. The information is written to a special audit file, the SCARF master file.
Auditors then examine the information contained in this file to see if some aspects need
follow-up.
Continuous and Intermittent Simulation (CIS): This technique can be used whenever
application systems use a database management system (DBMS). CIS uses the DBMS to trap
exceptions of interest to the auditor, and the application system is left intact. When the
application system invokes services provided by the DBMS, the DBMS indicates to CIS that a
service is required. CIS then determines whether or not it wants to examine the activities
carried out by the DBMS on behalf of the application system. The main advantage of CIS is
that it does not require any modification to the application system.
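The Integrated Test Facility item above, as an added example in Python that is not from the original text: test data carries a key field, is posted to a dummy entity through the same routine as live data, and its effects are removed by having user-facing output ignore that entity. The entity ID, fee rule, account names and function names are assumptions made for the illustration, as is the check that the ITF tag and the dummy entity always appear together.

```python
from decimal import Decimal

ITF_ENTITY = "ITF-0001"        # constructed dummy entity on the master file
FEE_RATE = Decimal("0.015")    # assumed processing rule under test

def post(txn, master):
    """Application posting routine; live and ITF data share this code path."""
    is_itf = txn.get("itf", False)                 # key field marking ITF test data
    if is_itf != (txn["account"] == ITF_ENTITY):
        raise ValueError("ITF tag and dummy entity must go together")
    fee = (txn["amount"] * FEE_RATE).quantize(Decimal("0.01"))
    master[txn["account"]] = master.get(txn["account"], Decimal("0")) + txn["amount"] - fee
    return fee

def user_total(master):
    """Removal by recognition: user-facing output ignores the dummy entity."""
    return sum((b for a, b in master.items() if a != ITF_ENTITY), Decimal("0"))

def run_itf(master, cases):
    """Post auditor test data and compare with independently computed results."""
    exceptions = []
    for amount, expected_fee in cases:
        before = master.get(ITF_ENTITY, Decimal("0"))
        fee = post({"account": ITF_ENTITY, "amount": amount, "itf": True}, master)
        posted = master[ITF_ENTITY] - before
        if (fee, posted) != (expected_fee, amount - expected_fee):
            exceptions.append({"amount": amount, "fee": fee, "posted": posted})
    return exceptions

def demo():
    master = {"ACC-100": Decimal("500.00")}        # constructed live master record
    post({"account": "ACC-100", "amount": Decimal("200.00")}, master)
    live_before = user_total(master)
    cases = [(Decimal("1000.00"), Decimal("15.00")), (Decimal("250.00"), Decimal("3.75"))]
    exceptions = run_itf(master, cases)
    return exceptions, live_before, user_total(master), master[ITF_ENTITY]

if __name__ == "__main__":
    print(demo())
```

An empty exception list means the posting routine produced the results the auditor calculated independently, and the unchanged user total shows the test entries did not reach user-facing output.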
138 LOVELY PROFESSIONAL UNIVERSITY