SlideShare a Scribd company logo

audit_it_250759.pdf

M
mabkhoutaliwi1

IT audit manual using cobit

Technology
1 of 32
Download to read offline
IT Audit Dr.Lovepon Savaraj Dr. Nongnuch Laomaneerattanaporn 1
AGENDA • Why do we need to audit IT systems? • Type of IT controls • IT General Controls • Application controls 2
Why do we need to audit IT system? • Highly dependent on IT system • The companies with high overall IT risk assessment tend to have more accounting errors (Grant et al. 2008) • Li et al. (2012) find that IT control deficiencies affect management forecasts. The management forecasts will be less accurate with the existence of material IT control deficiencies. 3
Why DO WE NEED To Audit IT Systems? Impact Impact Business Processes Application systems IT system infrastructure Oracle GFMIS SWIFT Loan App Approve Draw down Interest calculation Payment Customer Order Stock Checking Distribution Invoicing Core Banking SAP Back office system ATM IT Organization IT process System development and program changes Network and security management IT service operation IT Planning and Organization 4
Why DO WE NEED To Audit IT Systems? 5
Types of IT Controls • General controls are controls that relate to the IT environment, especially the environment where application systems are developed, maintained and operated. General controls are implemented to ensure that all automated applications are developed, implemented, and maintained properly, and in addition, that the integrity of program and data files and of computer operations are not compromised (ITGI, 2007) • Application controls are controls that are relevant to transactions and data pertaining to each automated application system and are specific to each such application. These controls are implemented to ensure that transactions and data from both manual and automated processing are valid and completely and accurately recorded (ITGI, 2007). 6
Types of IT Controls • General IT controls are policies and procedures used to control many applications to ensure that applications can operate effectively. These controls also include controls over IT infrastructure and processes, namely data center and network operations; system software and application system acquisition, change, and maintenance; and access security. Usually general IT controls are implemented to maintain the integrity of information and security data and to support the effective functioning of application controls. (ISA315) • Application controls are manual or automated procedures that are specific to each application. These controls focus at the business process level and are deployed on the processing of transactions for each application to improve the integrity of accounting records. Application controls are relevant to procedures that are used to initiate, record, process, and report transactions or other financial data. They can be designed to be both preventive and detective controls. In short, application controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed (ISA315) 7
IT General Controls 8
Minimum areas of ITGC controls to assess • IT entity level control • Application Development & Change management • Information security • Backup and recovery • Third-party IT providers (Singleton, 2010) 9
ITGC audit process Illustrates the steps related to understanding how IT affects the entity’s flows of transactions for significant accounts and disclosures 10 Understand how IT affects flow of transaction/identify relevant technology element Identify and assess risks arising from IT Understand, identify, and test relevant ITGC Conclude on risks arising from IT and determine audit response Evaluate deficiencies in ITGC
ITGC Elements 11 • Application: Interface designed to allow a user to store/retrieve data in a logical and meaningful manner and apply predefined business rules to that data. Examples include SAP, PeopleSoft, JD Edwards, Oracle, Hyperion. • Database: Stores the data used by the applications. Examples include Oracle, Sybase, DB2, and SQL. • Operating System: Responsible for managing communications (input/output) between hardware and applications. User authentication for many applications is dependent on operating system security. Examples include Windows, UNIX, LINUX, OS/400, and OS390. • Network: A network is used to transmit data and to share information, resources and services. The network also typically establishes a layer of logical security for certain computing resources within the organization using physical devices (such as routers, firewalls) in combination with commercial software packages. Examples include Cisco, NetGear, and CheckPoint.
Relevant IT Infrastructure – Example Summary 12
What Can Go Wrong? 13 • Data is inaccurate or incomplete • Recording of unauthorized or non-existent transactions • Potential loss of data or inability to access data as required • System processing is inaccurate (i.e., incorrect calculations) • Report logic is incorrectly applying parameters • Report logic is incorrectly gathering source data • Unauthorized changes to systems or programs Infrastructure Controls (OS, Database, Network) Application (e.g. SAP) Configuration & Security Inventory
Identify ITGC Risks 14 PCAOB Literature The auditor should obtain an understanding of specific risks to a company's internal control over financial reporting resulting from IT. Examples of such risks include: • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both; • Unauthorized access to data that might result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions (particular risks might arise when multiple users access a common database); • The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties; • Unauthorized changes to data in master files; • Unauthorized changes to systems or programs; • Failure to make necessary changes to systems or programs; • Inappropriate manual intervention; and • Potential loss of data or inability to access data as required. [PCAOB AS 12.B4 ]
Example of ITGC risks and controls 15
ITGC audit scope 16
Access Security 17 Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties. User Access Privileges Direct Data Access System Settings Inappropriate changes are made directly to financial data through means other than application transactions. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
System Change Control Inappropriate changes are made to application systems or programs that contain relevant automated controls and/or report logic. Application Changes Database Changes System Software Changes Inappropriate changes are made to the database structure and relationships between the data. Inappropriate changes are made to system software (e.g., operating system, network, change- management software, access- control software). Data Conversion Data conversion introduces errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data. 17
Data Center and Network Operations The network does not adequately prevent unauthorized users from gaining inappropriate access to information systems. Network Physical Security Data Backup Individuals gain inappropriate access to equipment in the data center and exploit such access to circumvent logical access controls and gain inappropriate access to systems. Financial data cannot be recovered or accessed in a timely manner when there is a loss of data. Job Scheduling Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
System Interfaces 20 • Our understanding of the flow of transactions includes an understanding of the interfaces between various systems. We consider risks that data is not accurately and completely transferred. • System interface: Data is automatically transferred between two otherwise separate applications, typically via middleware software • Manual interface: Data is manually transferred from one system to another • Identify relevant manual controls, automated interface controls, and/or general IT controls
System Interfaces (Cont’d) 21
Example of ITGC risks and controls 22
Determine If a ITGC Deficiency Exists: Examples 23 Not a Control Deficiency • The system change form for two out of 25 changes did not have documented management authorization. Alternative procedures were performed to validate the changes were authorized (corroborative inquiries and meeting minutes indicating the change was discussed and approved during management change control meeting). Refer to IC 6-15 in the Internal Control Q&As. • We tested 100% of terminated users and identified five out of 532 users that did not have their access removed timely based on the entity’s policies. The deviation rate was 1% and none of the users had administrative privileges or access to modify financial transactions. Refer to IC 6-16 in the Internal Control Q&As. Control Deficiency • Documentary evidence indicating management reviewed access to the root account was not available for two out of five weeks selected for testing. The responsible manager was absent for two weeks and no one at the entity reviewed the access during the respective timeframe. Refer to IC 6-17 in the Internal Control Q&As. • The entity utilized one shared ID for all system changes. The password was known by multiple people within the entity and had not been changed upon initial installation. Refer to IC 6-21 in the Internal Control Q&As.
Deficiency Wording Examples Example Control Deficiency Wording 1. From a sample of 30 users, five users had access to update transactions within the MDOT system that was not commensurate with their job responsibilities. 2. A system patch applied to the Windows infrastructure environment did not have sufficient documentation to evidence approval and testing of the change prior to implementation. 3. During the semi-annual access review for the TATO system, management identified 21 users who required modification of access privileges. The related system access was not modified in a timely manner. 4. Access to bypass transaction code security is inappropriately granted to 13 users out of the total population of 65 users. 5. Certain users have inappropriate access to create or change jobs under another’s user ID. Such access allows users to execute jobs and processes with elevated privileges.
Application Controls • Application controls refer to controls over the processing of transactions and data within an application and are, therefore, specific to each application. • To ensure the accuracy, integrity, reliability and confidentiality of the records and the validity of the entries made therein, resulting from both manual and programmed processing 25
Application Controls Input Process Output 26
Samples of Application Controls 27
Attributes of Application Controls • Business process controls – Control activities performed without the assistance of applications or automated systems e.g. written authorization – a signature on a check • Automated application controls – Controls that can be programmed and embedded within an application e.g.input edit checks that validate order quantities 28
Attributes of Application Controls • Hybrid controls – Controls that consist of a combination of manual and automated activities, all of which must operate for the control to be effective e.g. Shipping manager reviews a report of unshipped ordered. • Shipping manager reviews  Manual • A report of unshipped ordered  automated control • Configurable controls – dependent on the configuration of parameters within the application system 29
Application Control Objectives • Completeness – The application processes all transactions, and the resulting information is complete • Accuracy – All transactions are processed accurately and as intended, and the resulting information is accurate • Validity – Only valid transactions are processed, and the resulting information is valid • Authorization – Only appropriately authorized transactions have been processed • Segregation of duties – The application provides for and supports appropriate segregation of duties and responsibilities as defined by management 30
Example of Application Controls 31
References • ISACA (2014), IT Control Objectives for Sarbanes-Oxley Using COBIT 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd edition • Li, C., et al. (2012). "The consequences of information technology control weaknesses on management information systems: the case of sarbanes-oxley internal control reports." MIS Quarterly 36(1): 179-204 • Grant, G. H., et al. (2008). "The effect of IT controls on financial reporting." Managerial Auditing Journal 23(8): 803-823. • Singleton, T. W. (2010a). "The Minimum IT Controls to Assess in a Financial Audit (Part I)." ISACA Journal 1. • Singleton, T. W. (2010b). "The Minimum IT Controls to Assess in a Financial Audit (Part II)." ISACA Journal 2. • Hall (2011). Information Technology Auditing 32

Recommended

03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
Cobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalCobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalEmilio Gratton
 
SAP and Change Management
SAP and Change ManagementSAP and Change Management
SAP and Change ManagementFlevy.com Best Practices
 
ITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesPECB
 

Recommended

03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
Introduction to it auditing
Introduction to it auditingIntroduction to it auditing
Introduction to it auditingDamilola Mosaku
 
ITGC audit of ERPs
ITGC audit of ERPsITGC audit of ERPs
ITGC audit of ERPsJayesh Daga
 
It audit methodologies
It audit methodologiesIt audit methodologies
It audit methodologiesSalih Islam
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
Cobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalCobit5 owerwiev and implementation proposal
Cobit5 owerwiev and implementation proposalEmilio Gratton
 
SAP and Change Management
SAP and Change ManagementSAP and Change Management
SAP and Change ManagementFlevy.com Best Practices
 
ITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesITIL and ISO 20000: Fundamentals and necessary compliance Synergies
ITIL and ISO 20000: Fundamentals and necessary compliance SynergiesPECB
 
IT General Controls
IT General ControlsIT General Controls
IT General ControlsCicero Ray Rufino
 
COBIT®5 - Assessor
COBIT®5 - AssessorCOBIT®5 - Assessor
COBIT®5 - AssessorMirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker
 
Cobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingCobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingMuhammad Aslam
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 
Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...Alan McSweeney
 
Using ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherUsing ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherRob Akershoek
 
Business Case For IT Asset Management
Business Case For IT Asset ManagementBusiness Case For IT Asset Management
Business Case For IT Asset ManagementSamanage
 
COBIT 4.0
COBIT 4.0COBIT 4.0
COBIT 4.0bluekiu
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security AuditMufaddal Nullwala
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties SolutionsAhmed Abdul Hamed
 
Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Daljit Banger
 
ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence Freshservice
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it auditkinjalmkothari92
 
IT Service Management Overview
IT Service Management OverviewIT Service Management Overview
IT Service Management OverviewAhmed Al-Hadidi
 
UiPath Automation Cloud - Best Practises session1.pptx
UiPath Automation Cloud - Best Practises session1.pptxUiPath Automation Cloud - Best Practises session1.pptx
UiPath Automation Cloud - Best Practises session1.pptxRohit Radhakrishnan
 
Enterprise Architecture, Project Management & Digital Transformation
Enterprise Architecture, Project Management & Digital TransformationEnterprise Architecture, Project Management & Digital Transformation
Enterprise Architecture, Project Management & Digital TransformationRiaz A. Khan, OpenCA, TOGAF
 
IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 

More Related Content

What's hot

Cobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingCobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingMuhammad Aslam
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsEd Tobias
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainInfosecTrain
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Complianceseanpizzy
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseDesmond Devendran
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance FrameworkSherri Booher
 
Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...Alan McSweeney
 
Using ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherUsing ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherRob Akershoek
 
Business Case For IT Asset Management
Business Case For IT Asset ManagementBusiness Case For IT Asset Management
Business Case For IT Asset ManagementSamanage
 
COBIT 4.0
COBIT 4.0COBIT 4.0
COBIT 4.0bluekiu
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties SolutionsAhmed Abdul Hamed
 
Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Daljit Banger
 
ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence Freshservice
 
IT Service Management Overview
IT Service Management OverviewIT Service Management Overview
IT Service Management OverviewAhmed Al-Hadidi
 
UiPath Automation Cloud - Best Practises session1.pptx
UiPath Automation Cloud - Best Practises session1.pptxUiPath Automation Cloud - Best Practises session1.pptx
UiPath Automation Cloud - Best Practises session1.pptxRohit Radhakrishnan
 
Enterprise Architecture, Project Management & Digital Transformation
Enterprise Architecture, Project Management & Digital TransformationEnterprise Architecture, Project Management & Digital Transformation
Enterprise Architecture, Project Management & Digital TransformationRiaz A. Khan, OpenCA, TOGAF
 

What's hot (20)

IT General Controls
IT General ControlsIT General Controls
IT General Controls
 
COBIT®5 - Assessor
COBIT®5 - AssessorCOBIT®5 - Assessor
COBIT®5 - Assessor
 
Cobit itil and iso 27001 mapping
Cobit itil and iso 27001 mappingCobit itil and iso 27001 mapping
Cobit itil and iso 27001 mapping
 
IT Audit For Non-IT Auditors
IT Audit For Non-IT AuditorsIT Audit For Non-IT Auditors
IT Audit For Non-IT Auditors
 
CISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrainCISA Domain- 1 - InfosecTrain
CISA Domain- 1 - InfosecTrain
 
Auditing SOX ITGC Compliance
Auditing SOX ITGC ComplianceAuditing SOX ITGC Compliance
Auditing SOX ITGC Compliance
 
Chap2 2007 Cisa Review Course
Chap2 2007 Cisa Review CourseChap2 2007 Cisa Review Course
Chap2 2007 Cisa Review Course
 
IT Governance Framework
IT Governance FrameworkIT Governance Framework
IT Governance Framework
 
Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...Structured Approach To Implementing Information And Records Management (Idrm)...
Structured Approach To Implementing Information And Records Management (Idrm)...
 
Using ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT togetherUsing ITIL 4 and IT4IT together
Using ITIL 4 and IT4IT together
 
Business Case For IT Asset Management
Business Case For IT Asset ManagementBusiness Case For IT Asset Management
Business Case For IT Asset Management
 
COBIT 4.0
COBIT 4.0COBIT 4.0
COBIT 4.0
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
Segregation of Duties Solutions
Segregation of Duties SolutionsSegregation of Duties Solutions
Segregation of Duties Solutions
 
Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World Enterprise Architecture - An Introduction from the Real World
Enterprise Architecture - An Introduction from the Real World
 
ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence ITIL Change Management - Plan and deploy changes with confidence
ITIL Change Management - Plan and deploy changes with confidence
 
Steps in it audit
Steps in it auditSteps in it audit
Steps in it audit
 
IT Service Management Overview
IT Service Management OverviewIT Service Management Overview
IT Service Management Overview
 
UiPath Automation Cloud - Best Practises session1.pptx
UiPath Automation Cloud - Best Practises session1.pptxUiPath Automation Cloud - Best Practises session1.pptx
UiPath Automation Cloud - Best Practises session1.pptx
 
Enterprise Architecture, Project Management & Digital Transformation
Enterprise Architecture, Project Management & Digital TransformationEnterprise Architecture, Project Management & Digital Transformation
Enterprise Architecture, Project Management & Digital Transformation
 

Similar to audit_it_250759.pdf

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxJoshJaro
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDITRos Dina
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Sreekanth Narendran
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docxLynellBull52
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for SecurityTripwire
 
Auditing information systems
Auditing information systemsAuditing information systems
Auditing information systemsKenya Allmond
 
Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lessonAnne ndolo
 
CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07Thomas Danford
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)Muhammad Azmy
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.gueste080564
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.renetta
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computingguestc1bca2
 
How important is IT auditing
How important is IT auditingHow important is IT auditing
How important is IT auditingLepide USA Inc
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxjoellemurphey
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptxdotco
 

Similar to audit_it_250759.pdf (20)

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
CONTROL AND AUDIT
CONTROL AND AUDITCONTROL AND AUDIT
CONTROL AND AUDIT
 
auditing-190520092523.pdf
auditing-190520092523.pdfauditing-190520092523.pdf
auditing-190520092523.pdf
 
Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1Information Systems Audit - Ron Weber chapter 1
Information Systems Audit - Ron Weber chapter 1
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Leveraging Change Control for Security
Leveraging Change Control for SecurityLeveraging Change Control for Security
Leveraging Change Control for Security
 
ITGCs.pdf
ITGCs.pdfITGCs.pdf
ITGCs.pdf
 
Auditing information systems
Auditing information systemsAuditing information systems
Auditing information systems
 
Information 2nd lesson
Information 2nd lessonInformation 2nd lesson
Information 2nd lesson
 
CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07CIO IT Audit Survival TNS07
CIO IT Audit Survival TNS07
 
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
CONTROL & AUDIT INFORMATION SYSTEM (HALL, 2015)
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
The Use of Spreadsheets: As it relates to Section 404 of the Sarbanes-Oxley Act.
 
Technology Controls in Business - End User Computing
Technology Controls in Business - End User ComputingTechnology Controls in Business - End User Computing
Technology Controls in Business - End User Computing
 
How important is IT auditing
How important is IT auditingHow important is IT auditing
How important is IT auditing
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
Chapter 6
Chapter 6Chapter 6
Chapter 6
 
CISA_WK_1.pptx
CISA_WK_1.pptxCISA_WK_1.pptx
CISA_WK_1.pptx
 

Recently uploaded

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

audit_it_250759.pdf

  • 1. IT Audit Dr.Lovepon Savaraj Dr. Nongnuch Laomaneerattanaporn 1
  • 2. AGENDA • Why do we need to audit IT systems? • Type of IT controls • IT General Controls • Application controls 2
  • 3. Why do we need to audit IT system? • Highly dependent on IT system • The companies with high overall IT risk assessment tend to have more accounting errors (Grant et al. 2008) • Li et al. (2012) find that IT control deficiencies affect management forecasts. The management forecasts will be less accurate with the existence of material IT control deficiencies. 3
  • 4. Why DO WE NEED To Audit IT Systems? Impact Impact Business Processes Application systems IT system infrastructure Oracle GFMIS SWIFT Loan App Approve Draw down Interest calculation Payment Customer Order Stock Checking Distribution Invoicing Core Banking SAP Back office system ATM IT Organization IT process System development and program changes Network and security management IT service operation IT Planning and Organization 4
  • 5. Why DO WE NEED To Audit IT Systems? 5
  • 6. Types of IT Controls • General controls are controls that relate to the IT environment, especially the environment where application systems are developed, maintained and operated. General controls are implemented to ensure that all automated applications are developed, implemented, and maintained properly, and in addition, that the integrity of program and data files and of computer operations are not compromised (ITGI, 2007) • Application controls are controls that are relevant to transactions and data pertaining to each automated application system and are specific to each such application. These controls are implemented to ensure that transactions and data from both manual and automated processing are valid and completely and accurately recorded (ITGI, 2007). 6
  • 7. Types of IT Controls • General IT controls are policies and procedures used to control many applications to ensure that applications can operate effectively. These controls also include controls over IT infrastructure and processes, namely data center and network operations; system software and application system acquisition, change, and maintenance; and access security. Usually general IT controls are implemented to maintain the integrity of information and security data and to support the effective functioning of application controls. (ISA315) • Application controls are manual or automated procedures that are specific to each application. These controls focus at the business process level and are deployed on the processing of transactions for each application to improve the integrity of accounting records. Application controls are relevant to procedures that are used to initiate, record, process, and report transactions or other financial data. They can be designed to be both preventive and detective controls. In short, application controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed (ISA315) 7
  • 9. Minimum areas of ITGC controls to assess • IT entity level control • Application Development & Change management • Information security • Backup and recovery • Third-party IT providers (Singleton, 2010) 9
  • 10. ITGC audit process Illustrates the steps related to understanding how IT affects the entity’s flows of transactions for significant accounts and disclosures 10 Understand how IT affects flow of transaction/identify relevant technology element Identify and assess risks arising from IT Understand, identify, and test relevant ITGC Conclude on risks arising from IT and determine audit response Evaluate deficiencies in ITGC
  • 11. ITGC Elements 11 • Application: Interface designed to allow a user to store/retrieve data in a logical and meaningful manner and apply predefined business rules to that data. Examples include SAP, PeopleSoft, JD Edwards, Oracle, Hyperion. • Database: Stores the data used by the applications. Examples include Oracle, Sybase, DB2, and SQL. • Operating System: Responsible for managing communications (input/output) between hardware and applications. User authentication for many applications is dependent on operating system security. Examples include Windows, UNIX, LINUX, OS/400, and OS390. • Network: A network is used to transmit data and to share information, resources and services. The network also typically establishes a layer of logical security for certain computing resources within the organization using physical devices (such as routers, firewalls) in combination with commercial software packages. Examples include Cisco, NetGear, and CheckPoint.
  • 12. Relevant IT Infrastructure – Example Summary 12
  • 13. What Can Go Wrong? 13 • Data is inaccurate or incomplete • Recording of unauthorized or non-existent transactions • Potential loss of data or inability to access data as required • System processing is inaccurate (i.e., incorrect calculations) • Report logic is incorrectly applying parameters • Report logic is incorrectly gathering source data • Unauthorized changes to systems or programs Infrastructure Controls (OS, Database, Network) Application (e.g. SAP) Configuration & Security Inventory
  • 14. Identify ITGC Risks 14 PCAOB Literature The auditor should obtain an understanding of specific risks to a company's internal control over financial reporting resulting from IT. Examples of such risks include: • Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both; • Unauthorized access to data that might result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions (particular risks might arise when multiple users access a common database); • The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties; • Unauthorized changes to data in master files; • Unauthorized changes to systems or programs; • Failure to make necessary changes to systems or programs; • Inappropriate manual intervention; and • Potential loss of data or inability to access data as required. [PCAOB AS 12.B4 ]
  • 15. Example of ITGC risks and controls 15
  • 17. Access Security 17 Users have access privileges beyond those necessary to perform their assigned duties, which may create improper segregation of duties. User Access Privileges Direct Data Access System Settings Inappropriate changes are made directly to financial data through means other than application transactions. Systems are not adequately configured or updated to restrict system access to properly authorized and appropriate users.
  • 18. System Change Control Inappropriate changes are made to application systems or programs that contain relevant automated controls and/or report logic. Application Changes Database Changes System Software Changes Inappropriate changes are made to the database structure and relationships between the data. Inappropriate changes are made to system software (e.g., operating system, network, change- management software, access- control software). Data Conversion Data conversion introduces errors if the conversion transfers incomplete, redundant, obsolete, or inaccurate data. 17
  • 19. Data Center and Network Operations The network does not adequately prevent unauthorized users from gaining inappropriate access to information systems. Network Physical Security Data Backup Individuals gain inappropriate access to equipment in the data center and exploit such access to circumvent logical access controls and gain inappropriate access to systems. Financial data cannot be recovered or accessed in a timely manner when there is a loss of data. Job Scheduling Production systems, programs, and/or jobs result in inaccurate, incomplete, or unauthorized processing of data.
  • 20. System Interfaces 20 • Our understanding of the flow of transactions includes an understanding of the interfaces between various systems. We consider risks that data is not accurately and completely transferred. • System interface: Data is automatically transferred between two otherwise separate applications, typically via middleware software • Manual interface: Data is manually transferred from one system to another • Identify relevant manual controls, automated interface controls, and/or general IT controls
  • 22. Example of ITGC risks and controls 22
  • 23. Determine If a ITGC Deficiency Exists: Examples 23 Not a Control Deficiency • The system change form for two out of 25 changes did not have documented management authorization. Alternative procedures were performed to validate the changes were authorized (corroborative inquiries and meeting minutes indicating the change was discussed and approved during management change control meeting). Refer to IC 6-15 in the Internal Control Q&As. • We tested 100% of terminated users and identified five out of 532 users that did not have their access removed timely based on the entity’s policies. The deviation rate was 1% and none of the users had administrative privileges or access to modify financial transactions. Refer to IC 6-16 in the Internal Control Q&As. Control Deficiency • Documentary evidence indicating management reviewed access to the root account was not available for two out of five weeks selected for testing. The responsible manager was absent for two weeks and no one at the entity reviewed the access during the respective timeframe. Refer to IC 6-17 in the Internal Control Q&As. • The entity utilized one shared ID for all system changes. The password was known by multiple people within the entity and had not been changed upon initial installation. Refer to IC 6-21 in the Internal Control Q&As.
  • 24. Deficiency Wording Examples Example Control Deficiency Wording 1. From a sample of 30 users, five users had access to update transactions within the MDOT system that was not commensurate with their job responsibilities. 2. A system patch applied to the Windows infrastructure environment did not have sufficient documentation to evidence approval and testing of the change prior to implementation. 3. During the semi-annual access review for the TATO system, management identified 21 users who required modification of access privileges. The related system access was not modified in a timely manner. 4. Access to bypass transaction code security is inappropriately granted to 13 users out of the total population of 65 users. 5. Certain users have inappropriate access to create or change jobs under another’s user ID. Such access allows users to execute jobs and processes with elevated privileges.
  • 25. Application Controls • Application controls refer to controls over the processing of transactions and data within an application and are, therefore, specific to each application. • To ensure the accuracy, integrity, reliability and confidentiality of the records and the validity of the entries made therein, resulting from both manual and programmed processing 25
  • 27. Samples of Application Controls 27
  • 28. Attributes of Application Controls • Business process controls – Control activities performed without the assistance of applications or automated systems e.g. written authorization – a signature on a check • Automated application controls – Controls that can be programmed and embedded within an application e.g.input edit checks that validate order quantities 28
  • 29. Attributes of Application Controls • Hybrid controls – Controls that consist of a combination of manual and automated activities, all of which must operate for the control to be effective e.g. Shipping manager reviews a report of unshipped ordered. • Shipping manager reviews  Manual • A report of unshipped ordered  automated control • Configurable controls – dependent on the configuration of parameters within the application system 29
  • 30. Application Control Objectives • Completeness – The application processes all transactions, and the resulting information is complete • Accuracy – All transactions are processed accurately and as intended, and the resulting information is accurate • Validity – Only valid transactions are processed, and the resulting information is valid • Authorization – Only appropriately authorized transactions have been processed • Segregation of duties – The application provides for and supports appropriate segregation of duties and responsibilities as defined by management 30
  • 31. Example of Application Controls 31
  • 32. References • ISACA (2014), IT Control Objectives for Sarbanes-Oxley Using COBIT 5 in the Design and Implementation of Internal Controls Over Financial Reporting, 3rd edition • Li, C., et al. (2012). "The consequences of information technology control weaknesses on management information systems: the case of sarbanes-oxley internal control reports." MIS Quarterly 36(1): 179-204 • Grant, G. H., et al. (2008). "The effect of IT controls on financial reporting." Managerial Auditing Journal 23(8): 803-823. • Singleton, T. W. (2010a). "The Minimum IT Controls to Assess in a Financial Audit (Part I)." ISACA Journal 1. • Singleton, T. W. (2010b). "The Minimum IT Controls to Assess in a Financial Audit (Part II)." ISACA Journal 2. • Hall (2011). Information Technology Auditing 32