1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.

Presentation transcript:

1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious disruptions to operations and may result in financial losses to a firm. For example, if the checks produced by a firm’s cash disbursements system are lost, misdirected, or destroyed, trade accounts and other bills may go unpaid.

2 Controlling Batch Systems Output See Figure 6-12 for an illustration. Each stage in this process is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected.

3 Output Spooling Output from different applications is directed to disk rather than directly to the printer to avoid a bottleneck. Later, when printer resources become available, the output files are printed. Exposure: a computer criminal may use this opportunity to perform any of the unauthorized acts listed on page 232. Auditors should be aware of these exposures and ensure that proper access control is in place to protect output files.

4 Print Program Controls Aim to deal with two types of exposures:
– production of unauthorized copies of output (this can be controlled if output documents are pre-numbered; otherwise, supervision is needed)
– employee browsing of sensitive data (multipart paper with the top copy colored black can be used to prevent the print from being read)

5 Bursting When output reports are removed from the printer, they go to the bursting stage to have their pages separated and collated. The primary control is supervision.

6 Waste Computer output waste represents a potential exposure. Passing sensitive output through a paper shredder is one possible solution.

7 Controlling Real-Time Systems Output Real-time systems direct their output to the user’s computer screen, terminal, or printer. The primary threat to real-time output is the interception, disruption, destruction, or corruption of the output message as it passes along the communication link.

8 Controlling Real-Time Systems Output Two types of exposures:
– exposures from equipment failure. Solutions: Parity/ECC (e.g., Hamming code)
– exposures from subversive acts, whereby a computer criminal intercepts the output message transmitted between the sender and the receiver. Solution: encryption/decryption

9 Testing Computer Application Controls Designed to provide information about the accuracy and completeness of an application’s processes. Two general approaches:
– black box approach: does not rely on detailed knowledge of the application’s internal logic
– white box approach: relies on in-depth understanding of the internal logic of the application being tested

10 Black Box Approach Seeks to understand the functional characteristics of the application by analyzing flowcharts and interviewing knowledgeable personnel in the client’s organization. Auditors test the application by reconciling production input transactions processed by the application with output results. Output results are analyzed to verify the application’s compliance with its functional requirements.

11 White Box Approach These techniques use a small number of specially created test transactions to verify specific aspects of the application’s logic and controls. Some common types of tests of controls:
– authenticity tests: verify that an individual, a programmed procedure, or a message attempting to access a system is authentic
– accuracy tests: ensure that the system processes only data values that conform to specified tolerances, e.g., range tests, field tests, and limit tests

12 White Box Approach (cont) Some common types of tests of controls:
– completeness tests: identify missing data within a single record and entire records missing from a batch, e.g., field tests, record sequence tests, hash totals, and control totals
– redundancy test: determine that an application processes each record only once
– access test: ensure that application prevents authorized users from unauthorized access to data
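The completeness and redundancy tests named on this slide, run over one batch, as an added example that is not part of the original presentation. The record layout, the control record fields and all values are constructed; note that the record count alone passes even though the batch has both a missing and a duplicated record.

```python
from collections import Counter
from decimal import Decimal

REQUIRED = ("seq", "account", "amount")

# Constructed batch control record, as logged when the batch was assembled.
CONTROL = {"first_seq": 101, "record_count": 5,
           "control_total": Decimal("1355.75"),  # sum of amounts
           "hash_total": 50150}                  # sum of account numbers

# Constructed batch as it arrived at the application.
BATCH = [
    {"seq": 101, "account": 10010, "amount": Decimal("250.00")},
    {"seq": 102, "account": 10020, "amount": Decimal("75.50")},
    {"seq": 104, "account": 10040, "amount": Decimal("600.00")},  # 103 is gone
    {"seq": 104, "account": 10040, "amount": Decimal("600.00")},  # sent twice
    {"seq": 105, "account": 10050, "amount": None},               # empty field
]

def audit_batch(batch, control):
    """Return findings as (test, subject, detail) tuples; empty list = clean."""
    findings = []
    # Field test: data missing within a single record.
    for rec in batch:
        missing = tuple(f for f in REQUIRED if rec.get(f) is None)
        if missing:
            findings.append(("missing_field", rec.get("seq"), missing))
    # Record sequence test (records missing from the batch) and
    # redundancy test (a record presented more than once).
    seen = Counter(r["seq"] for r in batch if r.get("seq") is not None)
    first = control["first_seq"]
    for seq in range(first, first + control["record_count"]):
        if seen[seq] == 0:
            findings.append(("missing_record", seq, None))
        elif seen[seq] > 1:
            findings.append(("duplicate_record", seq, seen[seq]))
    # Record count, control total and hash total, recomputed from the batch.
    amounts = (r["amount"] for r in batch if r.get("amount") is not None)
    actual = {
        "record_count": len(batch),
        "control_total": sum(amounts, Decimal("0")),
        "hash_total": sum(r["account"] for r in batch if r.get("account")),
    }
    for name, got in actual.items():
        if got != control[name]:
            findings.append((name + "_mismatch", control[name], got))
    return findings

if __name__ == "__main__":
    for finding in audit_batch(BATCH, CONTROL):
        print(finding)
```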

13 White Box Approach (cont) Some common types of tests of controls:
– audit trail test: ensure that application creates an adequate audit trail (this includes evidence that application records all transactions in a transaction log)
– rounding error tests: verify the correctness of rounding procedures (Salami fraud: takes its name from the analogy of slicing a large salami into many thin pieces; each victim assumes one of the small pieces and is unaware of being defrauded.) See Software testing from Wikipedia in relevant links.
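A rounding error test of the kind named on this slide, as an added example that is not part of the original presentation: the auditor recomputes each posting independently and checks whether the differences all fall in one direction. The interest rate, the round-half-up rule, the account ids and the posted amounts are assumptions constructed for the illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.005")  # assumed periodic interest rate

# Constructed data: (account, balance, interest posted by the application
# under review). The posted values here were truncated, not rounded.
POSTED = [
    ("A1", Decimal("1001.50"), Decimal("5.00")),
    ("A2", Decimal("2503.80"), Decimal("12.51")),
    ("A3", Decimal("731.55"), Decimal("3.65")),
    ("A4", Decimal("15020.10"), Decimal("75.10")),
    ("A5", Decimal("420.00"), Decimal("2.10")),
]

def rounding_test(rows, rate=RATE):
    """Recompute each posting with the documented rule (assumed: round half
    up to the cent) and summarise how the application's postings differ."""
    mismatches = []
    exact_total = Decimal("0")
    posted_total = Decimal("0")
    for acct, balance, posted in rows:
        exact = balance * rate
        expected = exact.quantize(CENT, rounding=ROUND_HALF_UP)
        exact_total += exact
        posted_total += posted
        if posted != expected:
            mismatches.append((acct, expected, posted))
    return {
        "mismatches": mismatches,
        # Cents customers should have received but did not.
        "shortfall": sum((e - p for _, e, p in mismatches), Decimal("0")),
        # Correct rounding errs both ways; every error against the customer
        # is the salami pattern and calls for a review of the rounding code.
        "one_sided": bool(mismatches) and all(p < e for _, e, p in mismatches),
        # Fractions left over after posting; the auditor traces where the
        # application sends this amount.
        "residual": exact_total - posted_total,
    }

if __name__ == "__main__":
    for key, value in rounding_test(POSTED).items():
        print(key, value)
```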

14 Test Data Method Used to establish application integrity by processing specially prepared sets of input data through production applications that are under review. The results of each test are compared to predetermined expectations to obtain an objective evaluation of application logic. See Figures 6-16 and 6-17.

15 Creating Test Data When creating test data, auditors must prepare a complete set of both valid and invalid transactions. If test data are incomplete, auditors might fail to examine critical branches of application logic and error-checking routines. Test transactions should test every possible input error, logical process, and irregularity.

16 Tracing Walk through the application’s logic. See page 241 for an example.

17 Integrated Test Facility (ITF) An automatic technique that enables the auditor to test an application’s logic and controls during normal operation. ITF is one or more audit modules designed into the application during system development. ITF audit modules are designed to discriminate between ITF transactions and routine production data. See Figure 6-19 on page 243.