Previous Table of Contents Next


CONDUCT DATA TEST

The data test program is executed after the validity of the test tool has been verified; it provides the information for use during the audit. The task includes steps to ensure that the operational aspect of the program is correct (the correctness of the test tool was verified in the previous task). In many organizations, conducting the data test merely involves preparing a run request; in online systems, the IT auditor may be able to do this through a terminal. In either case, the time required is minimal. This task involves gathering all the needed data before executing the audit program and then verifying that the program was executed correctly.

Procedures for executing an audit program vary from organization to organization, and the method of execution depends on the operational strategy and the type of equipment. Processing in a highly secure centralized computer complex, for example, is significantly different from activating programs from a remote terminal. The installation may require charge numbers and job request forms before executing the job. Work may need to be scheduled and operator instructions prepared, programs may have to be cataloged before execution, or passwords may be needed.

The IT auditor should consult the operations group as early in the audit as possible regarding the organization’s procedural requirements. The IT auditor should also have reasonable confidence that the program and data will not be modified before, during, or after execution. If checking the operational controls does not provide such assurance, the IT auditor should arrange to run the program in another computer center. The IT auditor should ensure that neither the wrong program or version of the program nor the wrong file or version of the file is used. It is also important to ascertain that the output is completely and correctly printed and that the correct number of copies is produced.

REVIEW DATA TEST RESULTS

A computer can be considered an assistant to the IT auditor, and the computer program can be considered the instructions covering the work that assistant is to produce. As is true with the work of any subordinate, a supervisor should review the results. The IT auditor must review the results produced by the computer application. The IT auditor should examine this data with the following questions in mind:

  Is this the information wanted?
  Is it of the expected value, quantity, and format?
  Does it appear to be complete?

In conducting the review, the IT auditor should determine whether the output data appears to be logical on the basis of reasonable values for the printed fields. The IT auditor’s familiarity with the data will aid in detecting obviously incorrect material, especially if the same IT auditor performed the data file survey. Results should also tally with expectations: if the IT auditor expected to confirm about 80% of a total value, the totals produced by the run should be approximately 80% of the value. If 500 confirmations are expected, the IT auditor should look for about that number of confirmations. If the actual results vary significantly from what is expected, the IT auditor should determine whether there was a misunderstanding about the data file or a problem in producing the report. To complete this task successfully, the IT auditor must ensure that serious flaws in a report, incomplete data, or incomplete reports are not overlooked. It is important that the results be evaluated for reasonableness to avoid missing potential audit findings or making findings that are incorrect.


Previous Table of Contents Next