i. An integrated test facility (ITF) technique places a small set of fictitious records in the master files. The records might represent a fictitious division, department or branch office or a customer or supplier. Processing test transactions to update these dummy records will not affect the actual records. Because fictitious and actual records are processed together, company employees usually remain unaware that this testing is taking place. The system must distinguish ITF records from actual records, collect information on the effects of the test transactions, and report the results. The auditor compares processing and expected results in order to verify that the system and its controls are operating correctly.
In a batch processing system, the ITF technique eliminates the need to reverse test transactions and is easily concealed from operating employees. ITF is well suited to testing on-line processing systems because test transactions can be submitted on a frequent basis, processed with actual transactions, and traced throughout every processing stage. All this can be accomplished without disrupting regular processing operations. However, care must be taken not to combine dummy and actual records during the reporting process.
ii. The snapshot technique examines the way transactions are processed. Selected transactions are marked with a special code that triggers the snapshot process. Audit modules in the program record these transactions and their master file records before and after processing. Snapshot data are recorded in a special file and reviewed by the auditor to verify that all processing steps have been properly executed.
iii. SCARF (system control audit review file) uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance. The data are recorded in a SCARF file or audit log. Transactions that might be recorded in a SCARF file include those exceeding a specified rupee limit, involving inactive accounts, deviating from company policy, or containing write-downs of asset values. Periodically the auditor receives a printout of the SCARF file, examines the information to identify any questionable transactions, and performs any necessary follow-up investigation.
iv. Audit hooks are audit routines that flag suspicious transactions. For example, internal auditors at an insurance Company determined that their policyholder system was vulnerable to fraud
every time a policyholder changed his or her name or address and then subsequently withdrew funds from the policy. They devised a system of audit hooks to tag records with a name or address change. The internal audit department is now notified when a tagged records is associated with a withdrawal and can appropriately investigate the transaction for fraud. When audit hooks are employed, auditors can be informed of questionable transactions as soon as they occur. This approach, known as real-time notification, displays a message on the auditor’s terminal.
v. Continuous and intermittent simulation (CIS) embeds an audit module in a data base management system. The CIS module examines all transactions that update the DBMS using criteria similar to those of SCARF. If a transaction has special audit significance, the module independently processes the data (in a manner similar to parallel simulation), records the results, and compares them with those obtained by the DBMS. If any discrepancies exist, the details are written onto an audit log for subsequent investigation. If serious discrepancies are discovered, the CIS may prevent the DBMS from executing the update process.