Mulyadi Yusuf, profile picture
Uploaded byMulyadi Yusuf
PPTX, PDF12,488 views

03.2 application control

The document discusses various types of application controls. It begins by listing the most common types as input control, process control, and output control. It then provides more details on each type of application control, including definitions and examples. It explains that application controls regulate the input, processing, and output of an application in order to ensure complete and accurate processing of data. The risks of input, processing, and outputs are also summarized.

Embed presentation

Downloaded 224 times
The Most Common IT-ACs: 1. Input Control 2. Process Control 3. Output Control Notes: AC akan lebih lanjut dipelajari Materi CAAT
Application controls: “controls that pertain to scope of individual business processes or application system.” Business Process Application Application system AC Objectives: Input data: accurate, complet e, authorized, and correct. Data: processed as intended in an acceptable time period. Data stored: accurate and complete. Outputs: accurate and complete. A record : maintained to track the process of data from input to storage and to the eventual output.
TYPES OF APPLICATION CONTROL Input Controls – Processing Controls – Output Controls – Check the integrity Address what is Provide an of data entered into done with the data automated means a business and should to ensure application, to compare output processing is ensure that is results with the complete, accurate, intended result by remains within and authorized. specified checking the output parameters. against the input. Integrity Controls – Monitor data being processed and in storage to ensure it remains consistent and correct. Management Trail – As an audit trail, enables mgt to identify the trans and event recorded by tracking trans forward / backward. Monitor effectiveness of other control and identify errors.
Application control: control designed to ensure the complete and accurate processing of data, from input through output. Application control regulate the input, processing, and output of an application. Input and output have risks such as loss of data during transmission, duplicate inputs, and manual input errors or incomplete data. Processing risk include incomplete processing, unrecorded transactions caused either by accident or as part of fraud, automated transactions (e.g. raw materials reordering) failing due to complications, or files lost during processing. Outputs risk include files being sent to the wrong place or too late to be of use. These controls are designed to be application-specific. Examples include:  A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the A/P subsidiary ledger.  An A/R check digit procedure that validates customer account numbers on sales transactions.  A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit. 6
• Input control: control data as it manually or electronically enters the system. • Manual IC: require authorization both before the input and after a review, use of concise prenumbered forms, and train for data entry personnel. • Electronic IC: include user-friendly screen formats that prompt user for required information and use of required fields. • A field check: a check to see if information in an entry field is complete. • Drop down menus: allow specific preset input (e.g. list of provinces). • To protect sensitive information, keystroke verification requires data to be entered twice, by different person if possible, and highlights any differences. (e.g. confirmation PW change) • Batch control: accumulate transaction and apply test on the batch (e.g. batch total). • Format check: data is entered in an acceptable formats (e.g. date format). • Reconciliation and balancing: reconciliation analyze variances or test two balances to see if they are equal.
• Edit check: automated test on data fields. Include: Control totals: hash total sum of nonfinancial number that have no meaning. A change in hash total indicates a record change. Range test: allow entry between range of numbers or characters. Numerical test: prevent alphabetic entry in number fields. Sequence check: check for an alphanumeric sequence in a field. Limit check: entries above particular number are prevented or need approval. Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits to show if the number was incorrectly entered by transposition. (e.g. credit card) Record count: tallies the number of records. Historical comparison: measures variance from past records. Overflow checking: places a memory or length limit on a field to prevent larger numbers than maximum being entered.
• Inquiry log: track all read-only access to records. • Automated inputs: automation reduces errors and increase input speeds. Include: Optical character recognition (OCR): convert a scanned image into graphic data, then store, retrieve, and process graphic data. (e.g. scan shipping receipt into a database). Scanners: a device that digitizes graphic images. Radio frequency identification (RFID): use tag in packaging, RFID read tag via radio frequency and identify where the product is. Useful in tracking inventory. (e.g. DHL) Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level). Magnetic ink character recognition (MICR): Included on check (bank transaction), and indicate check no., account no., routing no., and possibly check amount.
• Processing control: automated errors checks built into computer processing as well as segregation of duties, such as controlling programmer’s access to files and records. • Data center operator’s access to applications should be restricted to equipment and software installation and responding to errors, also override file names. • A console log or system control file should track operators interventions. • Access to configuration parameters within application must be controlled. Auditors should reconcile actual versus planned configuration. • Completeness check: reject saving a record until all field are complete. • Control totals: totals are recorded in a system control file when an application generates temporary files; an errors occurs if each control total doesn’t match. • Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors. Auditors test for processing controls by inserting known test data and comparing it against expected results (walkthrough-test or round-test?).
Other processing controls, include: • Reasonable checks: verify that amounts fall within predetermined limits • Suspense file: a file used to retain transaction processed with errors. • Activity log: records actions of users by date, time, and access terminal (bedakan dengan ITGC). • Processing logic test (e.g. posting check, zero balance check, cross-footing check): various check that verify if accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payment are processed, other example?) • Run-to-run totals: data control group monitors batch run totals (or verify that amounts fall within predetermined limits). • End-of-file procedures: prevent additional operations from taking place in a file when the end of the file reached. • Primary and secondary key integrity check: verify encryption key security. • Access control list: a list of all valid users. Auditors should verify that the list cannot be altered without proper authorization.
Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls, as following: • Error listings: auditors ensure that errors followed up w/o exceeding backlog limits, and corrected reports are resubmitted. • Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption. • Spooling controls: a spool is a temporary memory allocation for a system output. These controls regulate data spooling method. • Working documents: legal records, such as checks, invoices, or stock certificates are safeguarded. There are audit evidence that can detect if input really match outputs. • Reports controls: include ensuring that the reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls. • Exception reporting: highlight only unusual data, it helps to determine the sources of the error (human error, processing error).
• Encryption uses a mathematical algorithm to scramble data so that it cannot be unscrambled without a numeric key code. • Can be used on stored and physical transmitted data (on CD) and electronically transmitted data (wireless data). • Two basic types of encryption: Private (or symmetric) key encryption. Public (or asymmetric) key encryption. • Variant of public key encryption: Digital signatures. Elliptic curve cryptography (ECC) (y2 = x3 + ax + b) 13
1. Sue (aka Sender) selects a key, and then uses that key to encrypt the plaintext to produce the ciphertext. 2. Sue gives both the key and the ciphertext to you (aka Receiver). (Not together, obviously, or anyone could intercept the delivery and use the key to decrypt the ciphertext.) 3. You use that same key to decrypt the ciphertext to regenerate the plaintext. 14
A sender -- Sue -is using your PubK to produce a ciphertext for you. But the process also works backwards; you could encrypt a plaintext with your Priv-K and send the resulting ciphertext to Sue. Decrypting the ciphertext w/ your Pub-K proves that the ciphertext had to come from you. This provides authenticity, w/o privacy. Your Pub-K is public, so anyone could decrypt this ciphertext, not just Sue. But Pub/Priv-K pairs make digital signatures possible, which provide authentic and integrity w/o sacrificing privacy. 1. You give Sue (aka Sender) a copy of your public key. 2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you. 3. She then gives (just) the ciphertext to you, and 4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
16
• Other encryption tools: Quantum (or quantum key) cryptography: uses uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties. Digital envelope: uses two layers of encryption, 1. messages is encrypted symmetrically (private), then 2. decipher code is encrypted with public key. Cryptographic module or system: is packaged encryption application that is purchased or developed as part of a larger application (Secure Socket Layer) • Auditing Issues: Evaluating encryption includes evaluating physical control over computers that have passwords keys, testing policies to see if they are being followed, and implementing and monitoring logic control. 17
• The choice of networks types will affect IT control design. • Computer network: The sum of all infrastructure and applications required to connect two or more networks nodes, which are computers and devices: Computers (own processing power), servers (powerful computer with high bandwidth), and client (recipient of server function) /server infrastructure (data request server, database server). Mainframe (large, scalable computer to process and store large amount of data) and data terminal (input/output node for a mainframe system) • Data Processing method: Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization. Decentralized. Distributed (decentralized processing, but networked together/centralized). 18
The choice of networks types will affect IT control design. Types of networks: • Peer-to-peer network= between two computer • Personal-area networks (PANs)= wireless within a room area • Local-area networks (LANs)= for limited geographical (building) • Wide-area networks (WANs) = networks of LAN (nation/world). • Metropolitan networks (MANs)= metropolitan • Public data networks (PDNs) = allow public access, such as world wide web. Other related terms • Value-added networks (VANs)= provider of networking services. • Consortium networks= group of organization that form networks. Networks Transmission Option: • Wired. • Wireless. • Virtual private networks (VPNs): secure method of connecting two points of the internet (ISP). 19
• Is a method of defining how messages should be sent through a network so that unrelated products can be work together. • OSI model is divided into 7 layers for comm and computer network protocol design. OSI Layer Description Related Controls Layer 1: Physical layer (HW, NW) Mechanical layer transmits digital signals Wiring and other physical protection Layer 2: Data link layer (HW, NW) Synchronizes layer 1 data movements Encryption and compresses data where possible. Layer 3: Network layer Routes and forwards data to the right (SW, NW) places. IP addresses is tracked, Firewalls Layer 4: Transport layer (SW, Comp) Ensures that data transfer are complete by managing end-to-end control and error checking Logical control layer, Firewalls Layer 5: Session layer (SW, Comp) Initiates and terminates conversation between appl. Layer 6: Presentation Is operating system20 (O/S), which O/S Control
Network topology : physical connection points between devices on a LAN or similar network. (1) Bus network, (2) Ring network, and (3) Star network.
1. Ports: physical connection points to a device. 2. Hubs: the center of networks and switch/direct comm. 3. Repeaters: extend the range of network by amplifying or regenerating signals. 4. Switches: connect telecom circuits and may allow network mgt capabilities. 5. Routers: intelligent processors that link networks segments, allowing them to communicate but also remain separate and independent. 6. Bridges: an early software-based device that function similarly to switch and routers, but not as efficient as switches. 7. Gateways: convert protocols between networks with dissimilar networks architectures. 8. Multiplexers: for data combine multiple channels into a single channel, such as multiple phone lines sharing a single physical phone line. Case: The Internet consists of a series of networks that include A. Gateways to allow PC to connect to mainframe computers, B. Bridges to direct messages through the optimum data path, C. Repeaters to physically connect separate local area networks 22 (LANs), D.Routers to strengthen data signals between distant computers.
• Firewall: a HW/SW combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic. • Firewalls can: 1. Improve security by blocking access from certain servers or applications. 2. Reduce vulnerability to external attacks and ensure IT system efficiency by limiting user access to certain sites. 3. Provide a means of monitoring communications and detecting external intrusions, and internal sabotage. 4. Provide encryption internally (within an enterprise). 23
• Layer 3 and 4 firewall types: 1. Packet filtering: comparing source and destination addresses to an allowed list. 2. Gateways: stopping traffic flowing to specific application such as file transfer protocol (FTP), e.g. rules may block outgoing FTPs but permit incoming FTPs. One common gateway is proxy server. • Auditor should work with the network administrator to determine the efficacy (effectiveness) of a firewall, how specific rules are, and whether the list of acceptable users, IP address, and application are kept up-to-date. • Firewall log can be used as legal audit evidence if data was collected, processed, and retained properly. • Firewall has some limitation, such as physical intrusion, incorrect configuration, and trojan horses using IRC (internet relay chat). • Intrusion detection/prevention systems: Intrusion detection system (IDS) combined with application layer firewall (layer 7) is called an intrusion prevention system (IPS). Two types of IPS = HIPS and NIPS. 24
• EFT: the transfer of monetary value and financial data from one bank to another (it cannot involve other parties) • FEDI (EFT and financial EDI) is subset o electronic data interchange (EDI). • FEDI transfer payment information between companies, banks, or others, but settlement through EFT. EFT Risk and controls  More reliable, cost-effective, and efficient than check payment  Control: • Password and physical restriction access to FEDI terminals. • Dual approval (one enters, one release) • Test key or codes for validation • Encryption • Credit monitoring, backup, and continuity plan. 25
EFT Method: • RTGS (such as Fedwire-USA, TARGET-Europe, CHAPS-UK). • ACH (automated clearing house): a. for high volume, b. low-value transfer, c. send payment in batch, and d. prenotification. IA evaluate the adequacy and the effectiveness of IC applied to EFT, such as: • Logic control that restrict unauthorized access to the EFT systems. • Program change management control. • Physical control • System data backup and recovery controls. • Operation control to ensure availability. • Application control to ensure transaction accuracy. Case: Which 1 of following is least likely to be recomm. by auditor when EDI-EFT system is being designed? A. The identity of the individual approving an electronic document should be stored as a data field. B. Disaster recovery plans should be established. C. Data security procedures should be written to prevent changes to data by unauthorized individuals. D. Remote access to electronic data should be denied.
• E-Commerce: Defined as “conducting commercial activities over the internet”, include: Business to business (B2B) e-commerce. Business to consumer(B2C) e-commerce. Business to employee (B2E) e-commerce. Mobile e-commerce (using mobile device such as smart cell phones) • Control concerns: Determine how authorization for transactions are handled. End-user can initiate input data directly. Risk analysis include hardware used, transmission methods, firewalls, back-end system, middleware, links to another application. Control over sensitive information. 27
Expected result of e-commerce security policies include: • Authenticity: both parties are able to verify the other’s identity, e.g., passwords, encryption keys, and digital signatures certificates. party’s • Integrity: web site information is unaltered from its original form. • Nonrepudiation: e-commerce participants cannot deny or repudiate their on-line activities, i.e.: e-commerce data is legal evidence. • Confidentiality: only authorized parties can access their data. • Privacy: users are informed of a site’s privacy policy and can decide to provide personal inf. • Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability. Case: Mgt has implemented controls such as firewall, password mgt, independent recon., and audit trail. The controls should be reviewed and evaluated by IAr when doing test for which e-commerce audit area? A. Fraud. B. Corruption of data. 28 C. Business interruptions. D. Authentication.
When conducting audit of e-commerce, IA should look for: 1. Networks security control (e.g.: firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprises) and intrusion detection system. 2. User identification system (e.g. digital signatures). 3. Privacy and confidential controls. 4. All list of e-commerce application within the enterprises. 5. Maintenance activities to ensure continued operation. 6. Failure detection and automated repairs. 7. Application change management controls. 8. Business continuity plan in case of system interruption. Continuous auditing in e-commerce: • Is a software, include continuous assessment risk assessment, control assessment, and assessment of continuous monitoring tools, able to uncover fictitious sales and returns. 29
• ERP system : modular suites (chain) of business application that share data between modules and store all data in a single repository (database). • Purpose: facilitate the flow of information between all business functions inside the boundaries of the org. and manage the connections to outside. • ERP reduce redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department. • ERP increase efficiency by keeping inventory levels low, reducing cycle time, and improve the timelines of data for decision making. • Core modules of ERP: (a) finance, manufacturing, sales and distribution, human resource, (b) transaction processing system (TPS) and management information system (MIS), (c) Customer relationship management (CRM) and Supplier relationship mgt (SRM).
• Simplify gathering audit evidence. • Disparate applications, so use different language, so audit of ERP require multiple workarounds (solution) and redundancies. • IA assess that mgt has evaluated the efficiency of ERP relative to competitor ERP. • IA need to be involved in ERP development, monitor the implementation, and personnel training plan, recommend ERP improvements. • Since integrated, there no paper audit trail to follow between departments, approval to be automatic, exacerbating the segregation of control issue. • Therefore, audit must focus on IT controls such as quality of PW and other logic control. • Even the best ERP is unlikely to cover all needs, so the remaining needs can be achieved through customization or configuration. Customization: change the code of the system to provide unavailable process. Configuration: change of preset parameters (cheaper and not impede (disturb) upgrade). • To overcome the problem, ERP should separate business process from controls. 31
• WBEM Used the external networking component of ERP, provide portal access to external vendor and large customer via XML communication. Auditor should focus on controls (especially to protect org’s data). Mgt and IT professional should determine which information will be shared. WBEM provide int’l integration and best-of-breed system (focus on niche). • Continuous auditing for ERP system. Automated control in ERP must be designed and implemented w/ audit involvement. Need exception report to high light unusual data/areas/operational concern.
When identifying risks, auditors may find it useful to employ a top-down RA to determine which applications to include as part of control review and what tests need to be performed. 10-K Example: F/S Financial Statement Risk Analysis Approach Financial Statements Assertion F/S Accounts mapped to processes; Processes mapped BUs Revenue and Receivable s BU 1 BU 2 BU 3 Non Financial Disclosures mapped to processes Mgt and Purchases Financial Payroll and Legal and Treasury Reporting/Acco Benefits Payables Corporat unting BU Corporat Corporat Investor e 1 e e Relation BU 2 BU Risk Identification and Analysis 3 Risk Assessment Documents: • Risk analysis matrix by F/S Accounts and Disclosures • Accounts risk analysis mapped to Business and Critical Applications and Underlying Technology Prepare Risk Control Matrix (Manual and Automated) Complianc e Manufactur ing Environme ntal Define Risk Assessment for Application Control See Risk Assessment Approach in the
To add value to organization-wide AC risk assessment activities, internal auditors: Define the universe of application, database, and supporting tech that use AC, Summarize risk and control using matrice documented during risk assessment process. Define the risk factors associated with each application control, including: Primary (i.e., key) application controls. The design effectiveness of the application controls. Pre-packaged or developed applications or databases. Effectiveness of GCs residing within application (e.g., change mgt, logical security). Weigh all risk factor to determine which risk need tobe weighed more heavily than other. Determine scale to rank each AC risk by considering qualitative and quantitative scale: Numeric scales based on qualitative information (e.g., 1=low-impact, 5=high-impact). Numeric scales based on quantitative inf (e.g., 1 = < US $50 and 5 = > US $1,000). Conduct the risk assessment and rank all risk areas. Evaluate risk assessment results. Create a risk review plan that is based on the risk assessment and ranked risk areas. Notes: RA approach is different with RA in RM. In RA approach, internal auditor does not decide responds to risks. RA Approach used as input in establishing review plan (e.g.. determining the scope of review application control).
Composite scores = ∑ (risk factor weight x risk scale) and adding the totals. The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…]. For this example, the auditor may determine that the application control review will include all applications with a score > 200. Risk Factor Weighting 20 10 10 10 10 10 Applica- Application Design PreApp supports Frequency of Complexity tion contains effective- packaded more than one change of change primary ness of the or critical business controls App control developed process 15 15 100 Financial Effectivenes Composite impact s of the scores ITGCs App A 5 1 5 5 3 3 5 2 375 App B 1 1 2 1 1 1 4 2 170 App C 5 2 2 1 5 5 5 2 245 App D 5 3 5 1 5 5 5 2 395 App E 5 1 1 1 1 1 3 2 225
Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate inf in a format that can be reviewed w/o the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
Audit specialized software may perform: - Data queries - Data stratification - Sample extractions - Statistical analysis - Calculations - Duplicated transactions - Pivot tables - Cross tabulation - Missing sequence identification Example ACL: Verify duplicate transaction Example ACL: Verify calculations (recomputation)
03.2 application control
03.2 application control
03.2 application control
03.2 application control

More Related Content

PPTX
Information system audit
byJayant Dalvi
 
PDF
IT General Controls Presentation at IIA Vadodara Audit Club
byKaushal Trivedi
 
PDF
13 information system audit of banks
byspandane
 
PPTX
03.1 general control
byMulyadi Yusuf
 
PPTX
IT General Controls
byCicero Ray Rufino
 
PDF
Basics in IT Audit and Application Control Testing
byDinesh O Bareja
 
PPTX
Presentations on audit charter
byrajusnarayananfcid
 
PDF
It Security Audit Process
byRam Srivastava
 
Information system audit
byJayant Dalvi
 
IT General Controls Presentation at IIA Vadodara Audit Club
byKaushal Trivedi
 
13 information system audit of banks
byspandane
 
03.1 general control
byMulyadi Yusuf
 
IT General Controls
byCicero Ray Rufino
 
Basics in IT Audit and Application Control Testing
byDinesh O Bareja
 
Presentations on audit charter
byrajusnarayananfcid
 
It Security Audit Process
byRam Srivastava
 

What's hot

PDF
Auditing application controls
byCenapSerdarolu
 
PPTX
Auditing SOX ITGC Compliance
byseanpizzy
 
PDF
Audit Sample Report
byRandy James
 
PPT
IT System & Security Audit
byMufaddal Nullwala
 
PDF
IT Control Objectives for SOX
byMahesh Patwardhan
 
PPT
3c 2 Information Systems Audit
byRajeswaran Muthu Venkatachalam
 
PDF
Control and audit of information System (hendri eka saputra)
byHendri Eka Saputra
 
PPTX
Pp 17-new
bySri Apriyanti Husain
 
PPT
Incident Management
byiicecollege
 
PDF
ITGCs.pdf
byssuser918e9d1
 
PPTX
Government and SOX Compliance for ERP Systems
byDan Aldridge, ERP Software Evangelist, LION
 
PPT
Audit of it infrastructure
bypramod_kmr73
 
PDF
Segregation of Duties Solutions
byAhmed Abdul Hamed
 
PPT
IT Audit methodologies
bygenetics
 
PPTX
ITGC audit of ERPs
byJayesh Daga
 
PPTX
It audit methodologies
bySalih Islam
 
PPTX
Conducting an Information Systems Audit
bySreekanth Narendran
 
PPT
Security audit
byRosaria Dee
 
PPSX
Introduction to system development
byJaipal Dhobale
 
DOCX
Capa form-template
bySheraShahira
 
Auditing application controls
byCenapSerdarolu
 
Auditing SOX ITGC Compliance
byseanpizzy
 
Audit Sample Report
byRandy James
 
IT System & Security Audit
byMufaddal Nullwala
 
IT Control Objectives for SOX
byMahesh Patwardhan
 
3c 2 Information Systems Audit
byRajeswaran Muthu Venkatachalam
 
Control and audit of information System (hendri eka saputra)
byHendri Eka Saputra
 
Pp 17-new
bySri Apriyanti Husain
 
Incident Management
byiicecollege
 
ITGCs.pdf
byssuser918e9d1
 
Government and SOX Compliance for ERP Systems
byDan Aldridge, ERP Software Evangelist, LION
 
Audit of it infrastructure
bypramod_kmr73
 
Segregation of Duties Solutions
byAhmed Abdul Hamed
 
IT Audit methodologies
bygenetics
 
ITGC audit of ERPs
byJayesh Daga
 
It audit methodologies
bySalih Islam
 
Conducting an Information Systems Audit
bySreekanth Narendran
 
Security audit
byRosaria Dee
 
Introduction to system development
byJaipal Dhobale
 
Capa form-template
bySheraShahira
 

Similar to 03.2 application control

PPTX
Computer-Assisted Audit Tools and Techniques
by_supriadi
 
PDF
IT Revision and Auditing
byAmith Reddy
 
PPTX
Computer-Assisted Audit Tools and Techniques
by_supriadi
 
PDF
Caa ts
byChris Nicole Apat-Orcullo, CPA
 
PPTX
09.1 audit siklus penjualan dan penerimaan
byMulyadi Yusuf
 
PPTX
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
byJayLloyd8
 
PPT
CH7 Computer assissted audit technique ppt
byfilesyern10
 
PPT
CH7-ACISE-Computer-Assisted Audit Techniques.ppt
byKenzellawas
 
PPTX
General and Application Control - Security and Control Issues in Informatio...
byDr. Rosemarie Sibbaluca-Guirre
 
DOCX
Effects of IT on internal controls
byLou Foja
 
PPT
Application Security:
byShivaami Corporation
 
PDF
All chapter download Accounting Information Systems 13th Edition Romney Test ...
byfaizeekiong
 
PDF
Accounting Information Systems 13th Edition Romney Test Bank
byhrimchfaryas
 
PPTX
Accounting System Design and Development-Internal Controls
byHelpWithAssignment.com
 
PDF
Accounting Information Systems 13th Edition Romney Test Bank
bymaelenkutnik
 
PDF
Week_10_Critical_PerspectivesFFFFFFFFFFFF
byahmadawartaniacc
 
PPTX
Icai seminar kolkata
bysunil patro
 
PPT
Application Security: By Prashant Mali Cyber law Consultant
byShivaami Corporation
 
PPT
hhhh.ppt
byjack952975
 
PPT
Chapter 2.ppt
byAccounting Guru
 
Computer-Assisted Audit Tools and Techniques
by_supriadi
 
IT Revision and Auditing
byAmith Reddy
 
Computer-Assisted Audit Tools and Techniques
by_supriadi
 
Caa ts
byChris Nicole Apat-Orcullo, CPA
 
09.1 audit siklus penjualan dan penerimaan
byMulyadi Yusuf
 
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
byJayLloyd8
 
CH7 Computer assissted audit technique ppt
byfilesyern10
 
CH7-ACISE-Computer-Assisted Audit Techniques.ppt
byKenzellawas
 
General and Application Control - Security and Control Issues in Informatio...
byDr. Rosemarie Sibbaluca-Guirre
 
Effects of IT on internal controls
byLou Foja
 
Application Security:
byShivaami Corporation
 
All chapter download Accounting Information Systems 13th Edition Romney Test ...
byfaizeekiong
 
Accounting Information Systems 13th Edition Romney Test Bank
byhrimchfaryas
 
Accounting System Design and Development-Internal Controls
byHelpWithAssignment.com
 
Accounting Information Systems 13th Edition Romney Test Bank
bymaelenkutnik
 
Week_10_Critical_PerspectivesFFFFFFFFFFFF
byahmadawartaniacc
 
Icai seminar kolkata
bysunil patro
 
Application Security: By Prashant Mali Cyber law Consultant
byShivaami Corporation
 
hhhh.ppt
byjack952975
 
Chapter 2.ppt
byAccounting Guru
 

More from Mulyadi Yusuf

PPTX
10. kertas kerja it audit
byMulyadi Yusuf
 
PPTX
09.2 audit siklus pembelian dan pembayaran
byMulyadi Yusuf
 
PPTX
05.2 auditing procedure application controls
byMulyadi Yusuf
 
PPT
Balanced scorecard amin subiyakto
byMulyadi Yusuf
 
PDF
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
byMulyadi Yusuf
 
DOC
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
byMulyadi Yusuf
 
PDF
Erm tm 9
byMulyadi Yusuf
 
DOC
Paper menstra kemenkes final-sapce
byMulyadi Yusuf
 
DOCX
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
byMulyadi Yusuf
 
DOC
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
byMulyadi Yusuf
 
DOCX
Mckinsey kominfo
byMulyadi Yusuf
 
DOCX
Peta strategi kementan
byMulyadi Yusuf
 
PPTX
05.1 auditing procedure general controls
byMulyadi Yusuf
 
PPTX
02. cobit 41 dan iso 17799
byMulyadi Yusuf
 
PDF
Erm tm 10
byMulyadi Yusuf
 
PPT
02. cobit5 introduction
byMulyadi Yusuf
 
PDF
Erm tm 11
byMulyadi Yusuf
 
PDF
Erm tm 12
byMulyadi Yusuf
 
DOC
Manstrapem bina upaya kesehatan final
byMulyadi Yusuf
 
DOCX
Mssp analisis renstra ditjen ppi
byMulyadi Yusuf
 
10. kertas kerja it audit
byMulyadi Yusuf
 
09.2 audit siklus pembelian dan pembayaran
byMulyadi Yusuf
 
05.2 auditing procedure application controls
byMulyadi Yusuf
 
Balanced scorecard amin subiyakto
byMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
byMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
byMulyadi Yusuf
 
Erm tm 9
byMulyadi Yusuf
 
Paper menstra kemenkes final-sapce
byMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
byMulyadi Yusuf
 
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
byMulyadi Yusuf
 
Mckinsey kominfo
byMulyadi Yusuf
 
Peta strategi kementan
byMulyadi Yusuf
 
05.1 auditing procedure general controls
byMulyadi Yusuf
 
02. cobit 41 dan iso 17799
byMulyadi Yusuf
 
Erm tm 10
byMulyadi Yusuf
 
02. cobit5 introduction
byMulyadi Yusuf
 
Erm tm 11
byMulyadi Yusuf
 
Erm tm 12
byMulyadi Yusuf
 
Manstrapem bina upaya kesehatan final
byMulyadi Yusuf
 
Mssp analisis renstra ditjen ppi
byMulyadi Yusuf
 

Recently uploaded

PPTX
Java Programming_BJD_Slideshare-Introduction.pptx
byBapusahebDange
 
PDF
Digital Transformation, AI, and ML in Pharma R&D and Manufacturing Workflows ...
byAjaz Hussain
 
PPTX
Prepositions of Place : English Grammar Presentation
byPintoo Dhillon
 
PDF
Application of ICT Lecture 2 Basic ICT Productivity Tools.pdf
byKhalil Khan Marwat
 
PDF
Error-Analysis-in-Analytical-Chemistry-and-statistics ppt.pdf/by k sandeep swamy
bySandeep Swamy
 
PPTX
SPECIAL STSAINS USED IN HISTOPATHOLOGY.pptx
byKISMAT ALI
 
PDF
Application of ICT Lecture 7 Ethical Considerations in Use of ICT Platforms a...
byKhalil Khan Marwat
 
PPTX
DIGITAL TRANSFORMATION MODULE KEY POINTS
byLisa Harris
 
PDF
First Semester BCA Exam 2025 – Constitution Values – 1 Solved Answers.pdf
byKuvempu University
 
PPTX
How to use filtered() method in Odoo 18
byCeline George
 
PPTX
How to Create a Search Panel in Odoo 18
byCeline George
 
PPTX
Shipping Policies & Picking Policies in Odoo 18 Inventory
byCeline George
 
PPTX
Prenatal Development of Cranium, Jaw and Face
byHarshita Dhanrajani
 
PDF
1. AI for E-content Development: What and Why, 2. E- content Development thro...
byProf. Vinod Kumar Kanvaria
 
PPTX
How to Manage Credit Limits in Odoo 18 Accounting
byCeline George
 
PPTX
How to use sorted() method in Odoo 18
byCeline George
 
PPTX
CHAPTER NO. 05 DIURETICS PHARMACOGNOSY.pptx
byGanu Gavade
 
PPTX
Road Safety as a shared responsibility, 2026
bySougata Pal
 
PPTX
How to Manage Sorting Cart by Category in Odoo 18 POS
byCeline George
 
PPTX
English 8 Q3 Wk8.pptx opinion editorial article( Writing , Revising, Editing...
byjacquelyncastre03
 
Java Programming_BJD_Slideshare-Introduction.pptx
byBapusahebDange
 
Digital Transformation, AI, and ML in Pharma R&D and Manufacturing Workflows ...
byAjaz Hussain
 
Prepositions of Place : English Grammar Presentation
byPintoo Dhillon
 
Application of ICT Lecture 2 Basic ICT Productivity Tools.pdf
byKhalil Khan Marwat
 
Error-Analysis-in-Analytical-Chemistry-and-statistics ppt.pdf/by k sandeep swamy
bySandeep Swamy
 
SPECIAL STSAINS USED IN HISTOPATHOLOGY.pptx
byKISMAT ALI
 
Application of ICT Lecture 7 Ethical Considerations in Use of ICT Platforms a...
byKhalil Khan Marwat
 
DIGITAL TRANSFORMATION MODULE KEY POINTS
byLisa Harris
 
First Semester BCA Exam 2025 – Constitution Values – 1 Solved Answers.pdf
byKuvempu University
 
How to use filtered() method in Odoo 18
byCeline George
 
How to Create a Search Panel in Odoo 18
byCeline George
 
Shipping Policies & Picking Policies in Odoo 18 Inventory
byCeline George
 
Prenatal Development of Cranium, Jaw and Face
byHarshita Dhanrajani
 
1. AI for E-content Development: What and Why, 2. E- content Development thro...
byProf. Vinod Kumar Kanvaria
 
How to Manage Credit Limits in Odoo 18 Accounting
byCeline George
 
How to use sorted() method in Odoo 18
byCeline George
 
CHAPTER NO. 05 DIURETICS PHARMACOGNOSY.pptx
byGanu Gavade
 
Road Safety as a shared responsibility, 2026
bySougata Pal
 
How to Manage Sorting Cart by Category in Odoo 18 POS
byCeline George
 
English 8 Q3 Wk8.pptx opinion editorial article( Writing , Revising, Editing...
byjacquelyncastre03
 

03.2 application control

  • 3.
    The Most CommonIT-ACs: 1. Input Control 2. Process Control 3. Output Control Notes: AC akan lebih lanjut dipelajari Materi CAAT
  • 4.
    Application controls: “controls thatpertain to scope of individual business processes or application system.” Business Process Application Application system AC Objectives: Input data: accurate, complet e, authorized, and correct. Data: processed as intended in an acceptable time period. Data stored: accurate and complete. Outputs: accurate and complete. A record : maintained to track the process of data from input to storage and to the eventual output.
  • 5.
    TYPES OF APPLICATIONCONTROL Input Controls – Processing Controls – Output Controls – Check the integrity Address what is Provide an of data entered into done with the data automated means a business and should to ensure application, to compare output processing is ensure that is results with the complete, accurate, intended result by remains within and authorized. specified checking the output parameters. against the input. Integrity Controls – Monitor data being processed and in storage to ensure it remains consistent and correct. Management Trail – As an audit trail, enables mgt to identify the trans and event recorded by tracking trans forward / backward. Monitor effectiveness of other control and identify errors.
  • 6.
    Application control: controldesigned to ensure the complete and accurate processing of data, from input through output. Application control regulate the input, processing, and output of an application. Input and output have risks such as loss of data during transmission, duplicate inputs, and manual input errors or incomplete data. Processing risk include incomplete processing, unrecorded transactions caused either by accident or as part of fraud, automated transactions (e.g. raw materials reordering) failing due to complications, or files lost during processing. Outputs risk include files being sent to the wrong place or too late to be of use. These controls are designed to be application-specific. Examples include:  A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the A/P subsidiary ledger.  An A/R check digit procedure that validates customer account numbers on sales transactions.  A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit. 6
  • 7.
    • Input control:control data as it manually or electronically enters the system. • Manual IC: require authorization both before the input and after a review, use of concise prenumbered forms, and train for data entry personnel. • Electronic IC: include user-friendly screen formats that prompt user for required information and use of required fields. • A field check: a check to see if information in an entry field is complete. • Drop down menus: allow specific preset input (e.g. list of provinces). • To protect sensitive information, keystroke verification requires data to be entered twice, by different person if possible, and highlights any differences. (e.g. confirmation PW change) • Batch control: accumulate transaction and apply test on the batch (e.g. batch total). • Format check: data is entered in an acceptable formats (e.g. date format). • Reconciliation and balancing: reconciliation analyze variances or test two balances to see if they are equal.
  • 8.
    • Edit check:automated test on data fields. Include: Control totals: hash total sum of nonfinancial number that have no meaning. A change in hash total indicates a record change. Range test: allow entry between range of numbers or characters. Numerical test: prevent alphabetic entry in number fields. Sequence check: check for an alphanumeric sequence in a field. Limit check: entries above particular number are prevented or need approval. Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits to show if the number was incorrectly entered by transposition. (e.g. credit card) Record count: tallies the number of records. Historical comparison: measures variance from past records. Overflow checking: places a memory or length limit on a field to prevent larger numbers than maximum being entered.
  • 9.
    • Inquiry log:track all read-only access to records. • Automated inputs: automation reduces errors and increase input speeds. Include: Optical character recognition (OCR): convert a scanned image into graphic data, then store, retrieve, and process graphic data. (e.g. scan shipping receipt into a database). Scanners: a device that digitizes graphic images. Radio frequency identification (RFID): use tag in packaging, RFID read tag via radio frequency and identify where the product is. Useful in tracking inventory. (e.g. DHL) Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level). Magnetic ink character recognition (MICR): Included on check (bank transaction), and indicate check no., account no., routing no., and possibly check amount.
  • 10.
    • Processing control:automated errors checks built into computer processing as well as segregation of duties, such as controlling programmer’s access to files and records. • Data center operator’s access to applications should be restricted to equipment and software installation and responding to errors, also override file names. • A console log or system control file should track operators interventions. • Access to configuration parameters within application must be controlled. Auditors should reconcile actual versus planned configuration. • Completeness check: reject saving a record until all field are complete. • Control totals: totals are recorded in a system control file when an application generates temporary files; an errors occurs if each control total doesn’t match. • Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors. Auditors test for processing controls by inserting known test data and comparing it against expected results (walkthrough-test or round-test?).
  • 11.
    Other processing controls,include: • Reasonable checks: verify that amounts fall within predetermined limits • Suspense file: a file used to retain transaction processed with errors. • Activity log: records actions of users by date, time, and access terminal (bedakan dengan ITGC). • Processing logic test (e.g. posting check, zero balance check, cross-footing check): various check that verify if accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payment are processed, other example?) • Run-to-run totals: data control group monitors batch run totals (or verify that amounts fall within predetermined limits). • End-of-file procedures: prevent additional operations from taking place in a file when the end of the file reached. • Primary and secondary key integrity check: verify encryption key security. • Access control list: a list of all valid users. Auditors should verify that the list cannot be altered without proper authorization.
  • 12.
    Output controls: detectivecontrols that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls, as following: • Error listings: auditors ensure that errors followed up w/o exceeding backlog limits, and corrected reports are resubmitted. • Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption. • Spooling controls: a spool is a temporary memory allocation for a system output. These controls regulate data spooling method. • Working documents: legal records, such as checks, invoices, or stock certificates are safeguarded. There are audit evidence that can detect if input really match outputs. • Reports controls: include ensuring that the reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls. • Exception reporting: highlight only unusual data, it helps to determine the sources of the error (human error, processing error).
  • 13.
    • Encryption usesa mathematical algorithm to scramble data so that it cannot be unscrambled without a numeric key code. • Can be used on stored and physical transmitted data (on CD) and electronically transmitted data (wireless data). • Two basic types of encryption: Private (or symmetric) key encryption. Public (or asymmetric) key encryption. • Variant of public key encryption: Digital signatures. Elliptic curve cryptography (ECC) (y2 = x3 + ax + b) 13
  • 14.
    1. Sue (akaSender) selects a key, and then uses that key to encrypt the plaintext to produce the ciphertext. 2. Sue gives both the key and the ciphertext to you (aka Receiver). (Not together, obviously, or anyone could intercept the delivery and use the key to decrypt the ciphertext.) 3. You use that same key to decrypt the ciphertext to regenerate the plaintext. 14
  • 15.
    A sender --Sue -is using your PubK to produce a ciphertext for you. But the process also works backwards; you could encrypt a plaintext with your Priv-K and send the resulting ciphertext to Sue. Decrypting the ciphertext w/ your Pub-K proves that the ciphertext had to come from you. This provides authenticity, w/o privacy. Your Pub-K is public, so anyone could decrypt this ciphertext, not just Sue. But Pub/Priv-K pairs make digital signatures possible, which provide authentic and integrity w/o sacrificing privacy. 1. You give Sue (aka Sender) a copy of your public key. 2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you. 3. She then gives (just) the ciphertext to you, and 4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
  • 16.
  • 17.
    • Other encryptiontools: Quantum (or quantum key) cryptography: uses uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties. Digital envelope: uses two layers of encryption, 1. messages is encrypted symmetrically (private), then 2. decipher code is encrypted with public key. Cryptographic module or system: is packaged encryption application that is purchased or developed as part of a larger application (Secure Socket Layer) • Auditing Issues: Evaluating encryption includes evaluating physical control over computers that have passwords keys, testing policies to see if they are being followed, and implementing and monitoring logic control. 17
  • 18.
    • The choiceof networks types will affect IT control design. • Computer network: The sum of all infrastructure and applications required to connect two or more networks nodes, which are computers and devices: Computers (own processing power), servers (powerful computer with high bandwidth), and client (recipient of server function) /server infrastructure (data request server, database server). Mainframe (large, scalable computer to process and store large amount of data) and data terminal (input/output node for a mainframe system) • Data Processing method: Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization. Decentralized. Distributed (decentralized processing, but networked together/centralized). 18
  • 19.
    The choice ofnetworks types will affect IT control design. Types of networks: • Peer-to-peer network= between two computer • Personal-area networks (PANs)= wireless within a room area • Local-area networks (LANs)= for limited geographical (building) • Wide-area networks (WANs) = networks of LAN (nation/world). • Metropolitan networks (MANs)= metropolitan • Public data networks (PDNs) = allow public access, such as world wide web. Other related terms • Value-added networks (VANs)= provider of networking services. • Consortium networks= group of organization that form networks. Networks Transmission Option: • Wired. • Wireless. • Virtual private networks (VPNs): secure method of connecting two points of the internet (ISP). 19
  • 20.
    • Is amethod of defining how messages should be sent through a network so that unrelated products can be work together. • OSI model is divided into 7 layers for comm and computer network protocol design. OSI Layer Description Related Controls Layer 1: Physical layer (HW, NW) Mechanical layer transmits digital signals Wiring and other physical protection Layer 2: Data link layer (HW, NW) Synchronizes layer 1 data movements Encryption and compresses data where possible. Layer 3: Network layer Routes and forwards data to the right (SW, NW) places. IP addresses is tracked, Firewalls Layer 4: Transport layer (SW, Comp) Ensures that data transfer are complete by managing end-to-end control and error checking Logical control layer, Firewalls Layer 5: Session layer (SW, Comp) Initiates and terminates conversation between appl. Layer 6: Presentation Is operating system20 (O/S), which O/S Control
  • 21.
    Network topology :physical connection points between devices on a LAN or similar network. (1) Bus network, (2) Ring network, and (3) Star network.
  • 22.
    1. Ports: physicalconnection points to a device. 2. Hubs: the center of networks and switch/direct comm. 3. Repeaters: extend the range of network by amplifying or regenerating signals. 4. Switches: connect telecom circuits and may allow network mgt capabilities. 5. Routers: intelligent processors that link networks segments, allowing them to communicate but also remain separate and independent. 6. Bridges: an early software-based device that function similarly to switch and routers, but not as efficient as switches. 7. Gateways: convert protocols between networks with dissimilar networks architectures. 8. Multiplexers: for data combine multiple channels into a single channel, such as multiple phone lines sharing a single physical phone line. Case: The Internet consists of a series of networks that include A. Gateways to allow PC to connect to mainframe computers, B. Bridges to direct messages through the optimum data path, C. Repeaters to physically connect separate local area networks 22 (LANs), D.Routers to strengthen data signals between distant computers.
  • 23.
    • Firewall: aHW/SW combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic. • Firewalls can: 1. Improve security by blocking access from certain servers or applications. 2. Reduce vulnerability to external attacks and ensure IT system efficiency by limiting user access to certain sites. 3. Provide a means of monitoring communications and detecting external intrusions, and internal sabotage. 4. Provide encryption internally (within an enterprise). 23
  • 24.
    • Layer 3and 4 firewall types: 1. Packet filtering: comparing source and destination addresses to an allowed list. 2. Gateways: stopping traffic flowing to specific application such as file transfer protocol (FTP), e.g. rules may block outgoing FTPs but permit incoming FTPs. One common gateway is proxy server. • Auditor should work with the network administrator to determine the efficacy (effectiveness) of a firewall, how specific rules are, and whether the list of acceptable users, IP address, and application are kept up-to-date. • Firewall log can be used as legal audit evidence if data was collected, processed, and retained properly. • Firewall has some limitation, such as physical intrusion, incorrect configuration, and trojan horses using IRC (internet relay chat). • Intrusion detection/prevention systems: Intrusion detection system (IDS) combined with application layer firewall (layer 7) is called an intrusion prevention system (IPS). Two types of IPS = HIPS and NIPS. 24
  • 25.
    • EFT: thetransfer of monetary value and financial data from one bank to another (it cannot involve other parties) • FEDI (EFT and financial EDI) is subset o electronic data interchange (EDI). • FEDI transfer payment information between companies, banks, or others, but settlement through EFT. EFT Risk and controls  More reliable, cost-effective, and efficient than check payment  Control: • Password and physical restriction access to FEDI terminals. • Dual approval (one enters, one release) • Test key or codes for validation • Encryption • Credit monitoring, backup, and continuity plan. 25
  • 26.
    EFT Method: • RTGS(such as Fedwire-USA, TARGET-Europe, CHAPS-UK). • ACH (automated clearing house): a. for high volume, b. low-value transfer, c. send payment in batch, and d. prenotification. IA evaluate the adequacy and the effectiveness of IC applied to EFT, such as: • Logic control that restrict unauthorized access to the EFT systems. • Program change management control. • Physical control • System data backup and recovery controls. • Operation control to ensure availability. • Application control to ensure transaction accuracy. Case: Which 1 of following is least likely to be recomm. by auditor when EDI-EFT system is being designed? A. The identity of the individual approving an electronic document should be stored as a data field. B. Disaster recovery plans should be established. C. Data security procedures should be written to prevent changes to data by unauthorized individuals. D. Remote access to electronic data should be denied.
  • 27.
    • E-Commerce: Defined as“conducting commercial activities over the internet”, include: Business to business (B2B) e-commerce. Business to consumer(B2C) e-commerce. Business to employee (B2E) e-commerce. Mobile e-commerce (using mobile device such as smart cell phones) • Control concerns: Determine how authorization for transactions are handled. End-user can initiate input data directly. Risk analysis include hardware used, transmission methods, firewalls, back-end system, middleware, links to another application. Control over sensitive information. 27
  • 28.
    Expected result ofe-commerce security policies include: • Authenticity: both parties are able to verify the other’s identity, e.g., passwords, encryption keys, and digital signatures certificates. party’s • Integrity: web site information is unaltered from its original form. • Nonrepudiation: e-commerce participants cannot deny or repudiate their on-line activities, i.e.: e-commerce data is legal evidence. • Confidentiality: only authorized parties can access their data. • Privacy: users are informed of a site’s privacy policy and can decide to provide personal inf. • Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability. Case: Mgt has implemented controls such as firewall, password mgt, independent recon., and audit trail. The controls should be reviewed and evaluated by IAr when doing test for which e-commerce audit area? A. Fraud. B. Corruption of data. 28 C. Business interruptions. D. Authentication.
  • 29.
    When conducting auditof e-commerce, IA should look for: 1. Networks security control (e.g.: firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprises) and intrusion detection system. 2. User identification system (e.g. digital signatures). 3. Privacy and confidential controls. 4. All list of e-commerce application within the enterprises. 5. Maintenance activities to ensure continued operation. 6. Failure detection and automated repairs. 7. Application change management controls. 8. Business continuity plan in case of system interruption. Continuous auditing in e-commerce: • Is a software, include continuous assessment risk assessment, control assessment, and assessment of continuous monitoring tools, able to uncover fictitious sales and returns. 29
  • 30.
    • ERP system: modular suites (chain) of business application that share data between modules and store all data in a single repository (database). • Purpose: facilitate the flow of information between all business functions inside the boundaries of the org. and manage the connections to outside. • ERP reduce redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department. • ERP increase efficiency by keeping inventory levels low, reducing cycle time, and improve the timelines of data for decision making. • Core modules of ERP: (a) finance, manufacturing, sales and distribution, human resource, (b) transaction processing system (TPS) and management information system (MIS), (c) Customer relationship management (CRM) and Supplier relationship mgt (SRM).
  • 31.
    • Simplify gatheringaudit evidence. • Disparate applications, so use different language, so audit of ERP require multiple workarounds (solution) and redundancies. • IA assess that mgt has evaluated the efficiency of ERP relative to competitor ERP. • IA need to be involved in ERP development, monitor the implementation, and personnel training plan, recommend ERP improvements. • Since integrated, there no paper audit trail to follow between departments, approval to be automatic, exacerbating the segregation of control issue. • Therefore, audit must focus on IT controls such as quality of PW and other logic control. • Even the best ERP is unlikely to cover all needs, so the remaining needs can be achieved through customization or configuration. Customization: change the code of the system to provide unavailable process. Configuration: change of preset parameters (cheaper and not impede (disturb) upgrade). • To overcome the problem, ERP should separate business process from controls. 31
  • 32.
    • WBEM Used theexternal networking component of ERP, provide portal access to external vendor and large customer via XML communication. Auditor should focus on controls (especially to protect org’s data). Mgt and IT professional should determine which information will be shared. WBEM provide int’l integration and best-of-breed system (focus on niche). • Continuous auditing for ERP system. Automated control in ERP must be designed and implemented w/ audit involvement. Need exception report to high light unusual data/areas/operational concern.
  • 33.
    When identifying risks,auditors may find it useful to employ a top-down RA to determine which applications to include as part of control review and what tests need to be performed. 10-K Example: F/S Financial Statement Risk Analysis Approach Financial Statements Assertion F/S Accounts mapped to processes; Processes mapped BUs Revenue and Receivable s BU 1 BU 2 BU 3 Non Financial Disclosures mapped to processes Mgt and Purchases Financial Payroll and Legal and Treasury Reporting/Acco Benefits Payables Corporat unting BU Corporat Corporat Investor e 1 e e Relation BU 2 BU Risk Identification and Analysis 3 Risk Assessment Documents: • Risk analysis matrix by F/S Accounts and Disclosures • Accounts risk analysis mapped to Business and Critical Applications and Underlying Technology Prepare Risk Control Matrix (Manual and Automated) Complianc e Manufactur ing Environme ntal Define Risk Assessment for Application Control See Risk Assessment Approach in the
  • 34.
    To add valueto organization-wide AC risk assessment activities, internal auditors: Define the universe of application, database, and supporting tech that use AC, Summarize risk and control using matrice documented during risk assessment process. Define the risk factors associated with each application control, including: Primary (i.e., key) application controls. The design effectiveness of the application controls. Pre-packaged or developed applications or databases. Effectiveness of GCs residing within application (e.g., change mgt, logical security). Weigh all risk factor to determine which risk need tobe weighed more heavily than other. Determine scale to rank each AC risk by considering qualitative and quantitative scale: Numeric scales based on qualitative information (e.g., 1=low-impact, 5=high-impact). Numeric scales based on quantitative inf (e.g., 1 = < US $50 and 5 = > US $1,000). Conduct the risk assessment and rank all risk areas. Evaluate risk assessment results. Create a risk review plan that is based on the risk assessment and ranked risk areas. Notes: RA approach is different with RA in RM. In RA approach, internal auditor does not decide responds to risks. RA Approach used as input in establishing review plan (e.g.. determining the scope of review application control).
  • 35.
    Composite scores =∑ (risk factor weight x risk scale) and adding the totals. The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…]. For this example, the auditor may determine that the application control review will include all applications with a score > 200. Risk Factor Weighting 20 10 10 10 10 10 Applica- Application Design PreApp supports Frequency of Complexity tion contains effective- packaded more than one change of change primary ness of the or critical business controls App control developed process 15 15 100 Financial Effectivenes Composite impact s of the scores ITGCs App A 5 1 5 5 3 3 5 2 375 App B 1 1 2 1 1 1 4 2 170 App C 5 2 2 1 5 5 5 2 245 App D 5 3 5 1 5 5 5 2 395 App E 5 1 1 1 1 1 3 2 225
  • 36.
    Computer-assisted audit techniques(CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate inf in a format that can be reviewed w/o the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
  • 37.
    Audit specialized softwaremay perform: - Data queries - Data stratification - Sample extractions - Statistical analysis - Calculations - Duplicated transactions - Pivot tables - Cross tabulation - Missing sequence identification Example ACL: Verify duplicate transaction Example ACL: Verify calculations (recomputation)