Section 26
Test Data Integrity

Testing the integrity of the computer-produced data is an important procedure. Such testing can be used to:

  Determine the magnitude of a potential system and control vulnerability
  Evaluate the functioning of the control
  Analyze transactions to identify potential problem conditions
  Substantiate the correctness of financial statements

Much of testing data integrity involves computer programs written and executed under the control of the IT auditor.

CONDUCT A DATA FILE SURVEY

Conducting a data file survey familiarizes the IT auditor with the types and attributes of data in a data file. Documentation of data file contents is not always up to date, and the IT auditor may encounter problems caused by misinterpretation of data content. The survey also provides the IT auditor with demographic statistics about the file that can be helpful in determining the sample size or the type of data to examine. Although the objectives are the same, the methods of conducting manual and computer file surveys differ. The IT auditor can examine the material in the manual file visually, whereas the computer file requires translation. Because of the time required to compile manual file statistics, IT auditors rarely accumulate statistics about the entire file. The manual file survey is therefore conducted primarily through interviews. The computer file survey is handled through program analysis of the file. Generalized audit software often includes such powerful survey facilities as stratification, automatic totaling, and automatic statistical analysis (e.g., producing mean, median, mode, and standard deviation). Information to be collected about a file includes:

  Organizational structure: the sequencing and retrieval methods for information.
  Record formats: the type and content of data in records (usually documented, in computer records).
  Size: the number of records and the amount of space allocated to the file.
  Distribution: an analysis of how the records are distributed (e.g., in an accounts receivable file, the number of records in different dollar values: $0 to $100, $101 to $200).
  Statistical analysis: an overview of demographic statistical information that aids in understanding file attributes.
  Dollar value analysis: information describing dollar characteristics of the population of records in the file.
  Suspense items: accounts or records in the file for which the proper distribution is unknown. It is helpful to know how long such records have been in the file.

Because statistical analysis is economical and usually easy to perform when records are in an electronic form, more statistical information can be acquired from the computer file than from a manual file. By the end of the file survey, the IT auditor often has already made some initial audit findings; for example:

  A large number of small values on the file (it may be uneconomical to carry small items)
  A large number of negative items on the file
  A large number of suspense items on the file
  Records on the file for long periods of time without appropriate action

The results of the survey are used for planning data tests, and the information can dictate the test approach. When the stratification of records in the file is known, for example, the IT auditor can develop a sampling program that will easily accommodate all the large values and provide a statistical sample of the smaller values. To complete this task successfully, the IT auditor must be prepared to deal with the possibility that the software to produce statistical information about the computer file may not be readily available or that the people maintaining a manual file might not know its characteristics. In addition, audit calendar time must be available to perform the survey.
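A computer file survey of the kind described above, as an added example that is not from the handbook or from any audit software package. The record layout, the `SUSPENSE` status code, the dollar bands and the small-item threshold are assumptions, and the records are constructed sample data.

```python
import statistics
from datetime import date

# Constructed sample accounts receivable records (not from the handbook):
# (account id, balance in dollars, status, date the record entered the file)
RECORDS = [
    ("A001", 45.00, "OPEN", date(2023, 1, 10)),
    ("A002", 150.00, "OPEN", date(2023, 2, 3)),
    ("A003", -20.00, "OPEN", date(2023, 2, 14)),
    ("A004", 45.00, "SUSPENSE", date(2022, 6, 1)),
    ("A005", 980.00, "OPEN", date(2023, 3, 1)),
    ("A006", 120.00, "SUSPENSE", date(2023, 3, 20)),
    ("A007", 3.50, "OPEN", date(2023, 3, 22)),
    ("A008", 5200.00, "OPEN", date(2023, 1, 5)),
]

def survey(records, as_of, bands=(100, 200, 1000), small=5.00):
    """Return size, distribution, statistics and exception counts for a file."""
    balances = [r[1] for r in records]
    # Distribution: count records per dollar band; negatives get their own band.
    labels = ["negative"] + [f"<= {b}" for b in bands] + [f"> {bands[-1]}"]
    dist = dict.fromkeys(labels, 0)
    for bal in balances:
        if bal < 0:
            dist["negative"] += 1
            continue
        for b in bands:
            if bal <= b:
                dist[f"<= {b}"] += 1
                break
        else:
            dist[f"> {bands[-1]}"] += 1
    # Suspense items with the number of days each has been in the file.
    suspense = [(r[0], (as_of - r[3]).days) for r in records if r[2] == "SUSPENSE"]
    return {
        "size": len(records),
        "total": round(sum(balances), 2),
        "mean": round(statistics.mean(balances), 2),
        "median": statistics.median(balances),
        "mode": statistics.mode(balances),
        "stdev": round(statistics.stdev(balances), 2),
        "distribution": dist,
        "small_items": sum(1 for b in balances if 0 <= b < small),
        "suspense_age_days": suspense,
    }

if __name__ == "__main__":
    for key, value in survey(RECORDS, as_of=date(2023, 3, 31)).items():
        print(f"{key}: {value}")
```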

CREATE DATA TEST PLAN

The IT auditor must identify and describe the data tests needed to accomplish the stated measurable audit objectives. The test plan should be based on the results of the file survey. The IT auditor is testing data to substantiate the financial values in the organization’s financial statements, to determine (or estimate) the magnitude of a detected control vulnerability, or to accomplish one or more of the measurable audit objectives.

The test plan should clearly state the condition or objective the IT auditor hopes to accomplish by the test and how that objective is to be accomplished. The plan should indicate the type of evidence that will be examined, who is to be responsible for conducting the test, and the start and stop dates of the test. In developing the plan, the IT auditor must:

  Create a correctness proof for the data test: a hypothesis such that proving or disproving it accomplishes the audit objective. For example, if the audit objective is to confirm accounts receivable to prove correctness within 1%, the IT auditor could develop a correctness proof statement as follows: “The actual value of accounts receivable as of 9/30/xx is within 1% of $1,386,275.” The dollar value is taken from the organization’s financial records as of that date.
  Create a test that meets the following conditions:
—It can be performed on the available audit evidence.
—It can be performed using tools available to the IT auditor.
—It can be performed within the skill level of the audit team.
—It can be performed within the time available.
—It will prove the integrity of the computer file.
—It will produce reliable results for use in developing findings and recommendations.
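One way to evaluate the correctness proof statement above, as an added example that is not from the handbook. It examines every large value and projects a seeded random sample of the smaller values by ratio estimation; the projection method, the cutoff, the sample size and the account records are assumptions, with the constructed balances chosen to sum to the page's $1,386,275.

```python
import random

# Constructed ledger (not from the handbook); balances sum to the page's
# book value of $1,386,275.
BOOK = {"A001": 900000.00, "A002": 400000.00, "A003": 30000.00,
        "A004": 25000.00, "A005": 20000.00, "A006": 11275.00}
BOOK_TOTAL = 1386275.00

def evaluate_correctness_proof(book, audited, book_total, tolerance=0.01,
                               cutoff=100000.00, sample_size=3, seed=26):
    """Test the hypothesis 'actual value is within tolerance of book_total'.

    audited maps account id -> value the auditor established from evidence
    (e.g., confirmations); it must cover every account that can be selected.
    """
    large = {k: v for k, v in book.items() if v >= cutoff}
    small = {k: v for k, v in book.items() if v < cutoff}
    # Every large value is examined individually.
    estimate = sum(audited[k] for k in large)
    # Small values: seeded random sample, projected by ratio estimation
    # (the projection method is a choice made for this example).
    rng = random.Random(seed)
    picked = rng.sample(sorted(small), min(sample_size, len(small)))
    sample_book = sum(small[k] for k in picked)
    if picked and sample_book == 0:
        raise ValueError("sampled book values sum to zero; ratio undefined")
    if picked:
        estimate += sum(audited[k] for k in picked) / sample_book * sum(small.values())
    deviation = abs(estimate - book_total) / book_total
    return {"estimate": round(estimate, 2), "deviation": round(deviation, 4),
            "hypothesis_holds": deviation <= tolerance, "sampled": picked}

if __name__ == "__main__":
    # Constructed audit results: every small account is overstated by 20%.
    audited = dict(BOOK, A003=24000.00, A004=20000.00, A005=16000.00, A006=9020.00)
    print(evaluate_correctness_proof(BOOK, BOOK, BOOK_TOTAL))
    print(evaluate_correctness_proof(BOOK, audited, BOOK_TOTAL))
```

Fixing the seed makes the sample selection reproducible, so the test can be rerun and reviewed against the same accounts.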

DEVELOP TEST TOOLS

Testing a computer file requires developing an appropriate test tool; manual testing (using manual procedures) can usually omit this task, except when statistical samples or other sophisticated manual review processes are used. The objective of this task is to specify the data to be used, the processing to be performed on it, and the types of output reports to be produced. Completing the task should provide sufficient detail to develop or customize a tool (e.g., audit software) for performing the specified test. It is helpful for the IT auditor designing a test tool to know the tools already available and their capabilities and limitations. Although the primary tool available in most instances is the audit software package, the IT auditor may also want to consider other utility programs that might be available in the IT department.

Test tool specifications should be developed from the perspective of the desired audit output. The IT auditor should first specify the information wanted for audit purposes, identify the available input, and then specify the processing; this is usually the fastest method of designing a computerized test tool. The output specification should include:

  The proposed name of the report
  The period the report will cover (this will determine the input to be used)
  All data elements to be included in the report
  Any editing to be performed on the data elements
  Totals and subtotals to be prepared
  Any special paper to be used
  The number of copies of the report to be produced
  Any special security that must be observed during output production or distribution

After the output reports have been specified, the IT auditor documents the available input records or data elements, usually by acquiring a record format or file description of the data, but sometimes by obtaining the needed information from the data dictionary. The IT auditor needs the following information about the input:

  Data element definitions that will be used in processing
  Attributes of each data element; expected range of value and codes
  Any important file characteristic uncovered during the file survey
  Volume of records
  Time period covered by each file and the number of files to be analyzed

