The Most Common IT-ACs:
1. Input Control
2. Process Control
3. Output Control

Notes:
AC will be covered further in the CAAT material.
Application controls:
“controls that pertain to scope of individual business processes or application system.”

(Figure: business process → application → application system)

AC Objectives:
• Input data: accurate, complete, authorized, and correct.
• Data: processed as intended in an acceptable time period.
• Data stored: accurate and complete.
• Outputs: accurate and complete.
• A record: maintained to track the process of data from input to storage and to the eventual output.
TYPES OF APPLICATION CONTROL

Input Controls – Check the integrity of data entered into a business application, to ensure that it remains within specified parameters.

Processing Controls – Provide an automated means to ensure processing is complete, accurate, and authorized.

Output Controls – Address what is done with the data and should compare output results with the intended result by checking the output against the input.

Integrity Controls – Monitor data being processed and in storage to ensure it remains consistent and correct.

Management Trail – As an audit trail, enables mgt to identify the transactions and events recorded by tracking transactions forward/backward. Monitors the effectiveness of other controls and identifies errors.
Application control: a control designed to ensure the complete and accurate processing of data, from input through output.
Application controls regulate the input, processing, and output of an application.
Input and output have risks such as loss of data during transmission, duplicate inputs, and manual input errors or incomplete data.
Processing risks include incomplete processing, unrecorded transactions caused either by accident or as part of fraud, automated transactions (e.g. raw materials reordering) failing due to complications, or files lost during processing.
Output risks include files being sent to the wrong place or too late to be of use.
These controls are designed to be application-specific. Examples include:
• A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the A/P subsidiary ledger.
• An A/R check digit procedure that validates customer account numbers on sales transactions.
• A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.
• Input control: controls data as it manually or electronically enters the system.
• Manual IC: require authorization both before the input and after a review, use of concise prenumbered forms, and training for data entry personnel.
• Electronic IC: include user-friendly screen formats that prompt the user for required information and the use of required fields.
• A field check: a check to see if the information in an entry field is complete.
• Drop-down menus: allow only specific preset input (e.g. a list of provinces).
• To protect sensitive information, keystroke verification requires data to be entered twice, by a different person if possible, and highlights any differences (e.g. confirmation of a PW change).
• Batch control: accumulate transactions and apply tests to the batch (e.g. batch total).
• Format check: data is entered in an acceptable format (e.g. date format).
• Reconciliation and balancing: reconciliation analyzes variances or tests two balances to see if they are equal.
• Edit check: automated tests on data fields. Include:
– Control totals: a hash total is the sum of a nonfinancial number field that has no meaning in itself. A change in the hash total indicates a record change.
– Range test: allows entry only within a range of numbers or characters.
– Numerical test: prevents alphabetic entry in number fields.
– Sequence check: checks for an alphanumeric sequence in a field.
– Limit check: entries above a particular number are prevented or need approval.
– Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, to show if the number was incorrectly entered by transposition (e.g. credit card numbers).
– Record count: tallies the number of records.
– Historical comparison: measures variance from past records.
– Overflow checking: places a memory or length limit on a field to prevent numbers larger than the maximum from being entered.
• Inquiry log: tracks all read-only access to records.
• Automated inputs: automation reduces errors and increases input speed. Include:
– Optical character recognition (OCR): converts a scanned image into graphic data, then stores, retrieves, and processes the graphic data (e.g. scanning a shipping receipt into a database).
– Scanners: a device that digitizes graphic images.
– Radio frequency identification (RFID): a tag is placed in the packaging; an RFID reader reads the tag via radio frequency and identifies where the product is. Useful in tracking inventory (e.g. DHL).
– Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level).
– Magnetic ink character recognition (MICR): included on checks (bank transactions), indicating the check no., account no., routing no., and possibly the check amount.
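The edit checks and batch controls listed above, implemented as an added example (not code from the original slides); the record layout, the Luhn scheme for the check digit, the 8-digit amount width and the 60-hour limit are assumptions chosen for illustration.

```python
"""Input edit checks from the deck (field, numerical, range, limit, format,
overflow and check-digit tests plus batch control totals) as a runnable
validator. Added example, not code from the original slides. The record
layout (an account number with a Luhn check digit, an amount in cents of
at most 8 digits, an ISO date, an hours field) is an assumption."""
from datetime import date
from typing import Dict, List

LIMIT_HOURS = 60         # assumed limit check: hours above this need approval
MAX_AMOUNT_DIGITS = 8    # assumed overflow check: declared width of the amount field


def luhn_valid(number: str) -> bool:
    """Check digit test (Luhn / mod-10, the scheme used on credit card numbers).
    Catches any single wrong digit and most adjacent-digit transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_check(rec: Dict[str, str]) -> List[str]:
    """Field-level edit checks; returns error codes, empty when the record is clean."""
    errors: List[str] = []
    # Field / completeness check: every required field present and non-empty.
    for f in ("account", "hours", "amount", "date"):
        if not rec.get(f):
            errors.append(f"missing:{f}")
    if errors:
        return errors
    # Numerical test: no alphabetic characters in numeric fields.
    for f in ("hours", "amount"):
        if not rec[f].isdigit():
            errors.append(f"non_numeric:{f}")
    # Overflow check: the amount field may not exceed its declared width.
    if len(rec["amount"]) > MAX_AMOUNT_DIGITS:
        errors.append("overflow:amount")
    if rec["hours"].isdigit():
        hours = int(rec["hours"])
        # Range test: hours in a week must lie in 0..168.
        if not 0 <= hours <= 168:
            errors.append("out_of_range:hours")
        # Limit check: above the limit the entry is not rejected but flagged for approval.
        elif hours > LIMIT_HOURS:
            errors.append("needs_approval:hours")
    # Format check: the date must be ISO 8601 (YYYY-MM-DD).
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        errors.append("bad_format:date")
    # Check digit: the account number must satisfy Luhn.
    if not luhn_valid(rec["account"]):
        errors.append("check_digit:account")
    return errors


def batch_controls(batch: List[Dict[str, str]]) -> Dict[str, int]:
    """Batch control totals: record count, a financial control total on the amount
    field, and a hash total on the non-financial account numbers. A later change
    to any record shows up as a mismatch against these stored totals."""
    return {
        "record_count": len(batch),
        "control_total_amount": sum(int(r["amount"]) for r in batch),
        "hash_total_account": sum(int(r["account"]) for r in batch),
    }


# Constructed sample batch: a clean record, one with a transposed account
# number (79... -> 97...), and one with alphabetic hours, an over-width
# amount and a non-ISO date.
SAMPLE_BATCH = [
    {"account": "79927398713", "hours": "40", "amount": "125000", "date": "2024-03-01"},
    {"account": "97927398713", "hours": "40", "amount": "125000", "date": "2024-03-01"},
    {"account": "79927398713", "hours": "4O", "amount": "999999999", "date": "01/03/2024"},
]

if __name__ == "__main__":
    for rec in SAMPLE_BATCH:
        print(rec["account"], edit_check(rec) or "OK")
    clean = [r for r in SAMPLE_BATCH if not edit_check(r)]
    print(batch_controls(clean))
```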
• Processing control: automated error checks built into computer processing as well as segregation of duties, such as controlling programmers' access to files and records.
• Data center operators' access to applications should be restricted to equipment and software installation, responding to errors, and overriding file names.
• A console log or system control file should track operator interventions.
• Access to configuration parameters within the application must be controlled. Auditors should reconcile actual versus planned configuration.
• Completeness check: reject saving a record until all fields are complete.
• Control totals: totals are recorded in a system control file when an application generates temporary files; an error is raised if the control totals do not match.
• Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors.
Auditors test processing controls by inserting known test data and comparing it against expected results (walkthrough-test or round-test?).
Other processing controls include:
• Reasonableness checks: verify that amounts fall within predetermined limits.
• Suspense file: a file used to retain transactions processed with errors.
• Activity log: records actions of users by date, time, and access terminal (distinguish from ITGC).
• Processing logic tests (e.g. posting check, zero balance check, cross-footing check): various checks that verify whether accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payments are processed; other examples?).
• Run-to-run totals: the data control group monitors batch run totals (or verifies that amounts fall within predetermined limits).
• End-of-file procedures: prevent additional operations from taking place in a file when the end of the file is reached.
• Primary and secondary key integrity check: verify encryption key security.
• Access control list: a list of all valid users. Auditors should verify that the list cannot be altered without proper authorization.
Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls include the following:
• Error listings: auditors ensure that errors are followed up w/o exceeding backlog limits, and that corrected reports are resubmitted.
• Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption.
• Spooling controls: a spool is a temporary memory allocation for system output. These controls regulate the data spooling method.
• Working documents: legal records, such as checks, invoices, or stock certificates, are safeguarded. They are audit evidence that can detect whether inputs really match outputs.
• Report controls: include ensuring that reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls.
• Exception reporting: highlights only unusual data; it helps to determine the source of the error (human error, processing error).
• Encryption uses a mathematical algorithm to scramble data so that it cannot be unscrambled without a numeric key code.
• Can be used on stored and physically transmitted data (on CD) and electronically transmitted data (wireless data).
• Two basic types of encryption:
– Private (or symmetric) key encryption.
– Public (or asymmetric) key encryption.
• Variants of public key encryption:
– Digital signatures.
– Elliptic curve cryptography (ECC) (y² = x³ + ax + b).
1. Sue (aka Sender) selects a key, and then uses that key to encrypt the plaintext to
produce the ciphertext.
2. Sue gives both the key and the ciphertext to you (aka Receiver). (Not
together, obviously, or anyone could intercept the delivery and use the key to decrypt the
ciphertext.)
3. You use that same key to decrypt the ciphertext to regenerate the plaintext.
A sender (Sue) is using your Pub-K to produce a ciphertext for you. But the process also works backwards: you could encrypt a plaintext with your Priv-K and send the resulting ciphertext to Sue.
Decrypting the ciphertext w/ your Pub-K proves that the ciphertext had to come from you. This provides authenticity, w/o privacy: your Pub-K is public, so anyone could decrypt this ciphertext, not just Sue. But Pub/Priv-K pairs make digital signatures possible, which provide authenticity and integrity w/o sacrificing privacy.
1. You give Sue (aka Sender) a copy of your public key.
2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you.
3. She then gives (just) the ciphertext to you, and
4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
• Other encryption tools:
– Quantum (or quantum key) cryptography: uses uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties.
– Digital envelope: uses two layers of encryption: 1. the message is encrypted symmetrically (private key), then 2. the decipher code is encrypted with a public key.
– Cryptographic module or system: a packaged encryption application that is purchased or developed as part of a larger application (e.g. Secure Sockets Layer).
• Auditing issues: evaluating encryption includes evaluating physical control over computers that hold passwords and keys, testing policies to see if they are being followed, and implementing and monitoring logical controls.

• The choice of network type will affect IT control design.
• Computer network: the sum of all infrastructure and applications required to connect two or more network nodes, which are computers and devices:
– Computers (own processing power), servers (powerful computers with high bandwidth), and client (recipient of server functions)/server infrastructure (data request server, database server).
– Mainframe (large, scalable computer to process and store large amounts of data) and data terminal (input/output node for a mainframe system).
• Data processing methods:
– Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
– Decentralized.
– Distributed (decentralized processing, but networked together/centralized).
The choice of network type will affect IT control design. Types of networks:
• Peer-to-peer network = between two computers.
• Personal-area networks (PANs) = wireless within a room area.
• Local-area networks (LANs) = for a limited geographical area (building).
• Wide-area networks (WANs) = networks of LANs (nation/world).
• Metropolitan-area networks (MANs) = metropolitan.
• Public data networks (PDNs) = allow public access, such as the World Wide Web.
Other related terms:
• Value-added networks (VANs) = providers of networking services.
• Consortium networks = a group of organizations that form a network.
Network transmission options:
• Wired.
• Wireless.
• Virtual private networks (VPNs): a secure method of connecting two points over the internet (ISP).
• Network protocol: a method of defining how messages should be sent through a network so that unrelated products can work together.
• The OSI model is divided into 7 layers for communication and computer network protocol design.

OSI Layer | Description | Related Controls
Layer 1: Physical layer (HW, NW) | Mechanical layer; transmits digital signals | Wiring and other physical protection
Layer 2: Data link layer (HW, NW) | Synchronizes layer 1 data movements and compresses data where possible | Encryption
Layer 3: Network layer (SW, NW) | Routes and forwards data to the right places | IP addresses are tracked; firewalls
Layer 4: Transport layer (SW, Comp) | Ensures that data transfers are complete by managing end-to-end control and error checking | Logical control layer; firewalls
Layer 5: Session layer (SW, Comp) | Initiates and terminates conversations between applications | –
Layer 6: Presentation | Is operating system (O/S), which | O/S Control
Network topology: physical connection points between devices on a LAN or similar network.
(1) Bus network, (2) Ring network, and (3) Star network.
1. Ports: physical connection points to a device.
2. Hubs: the center of a network; switch/direct communications.
3. Repeaters: extend the range of a network by amplifying or regenerating signals.
4. Switches: connect telecom circuits and may allow network mgt capabilities.
5. Routers: intelligent processors that link network segments, allowing them to communicate but also remain separate and independent.
6. Bridges: an early software-based device that functions similarly to switches and routers, but not as efficiently as switches.
7. Gateways: convert protocols between networks with dissimilar network architectures.
8. Multiplexers: combine multiple data channels into a single channel, such as multiple phone lines sharing a single physical phone line.
Case:
The Internet consists of a series of networks that include:
A. Gateways to allow PCs to connect to mainframe computers.
B. Bridges to direct messages through the optimum data path.
C. Repeaters to physically connect separate local area networks (LANs).
D. Routers to strengthen data signals between distant computers.
• Firewall: a HW/SW combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic.
• Firewalls can:
1. Improve security by blocking access from certain servers or applications.
2. Reduce vulnerability to external attacks and ensure IT system efficiency by limiting user access to certain sites.
3. Provide a means of monitoring communications and detecting external intrusions and internal sabotage.
4. Provide encryption internally (within an enterprise).
• Layer 3 and 4 firewall types:
1. Packet filtering: comparing source and destination addresses to an allowed list.
2. Gateways: stopping traffic flowing to specific applications such as file transfer protocol (FTP); e.g. rules may block outgoing FTP but permit incoming FTP. One common gateway is the proxy server.
• The auditor should work with the network administrator to determine the efficacy (effectiveness) of a firewall, how specific the rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up to date.
• Firewall logs can be used as legal audit evidence if the data was collected, processed, and retained properly.
• Firewalls have some limitations, such as physical intrusion, incorrect configuration, and trojan horses using IRC (internet relay chat).
• Intrusion detection/prevention systems: an intrusion detection system (IDS) combined with an application layer firewall (layer 7) is called an intrusion prevention system (IPS). Two types of IPS = HIPS and NIPS.
• EFT: the transfer of monetary value and financial data from one bank to another (it cannot involve other parties).
• FEDI (EFT and financial EDI) is a subset of electronic data interchange (EDI).
• FEDI transfers payment information between companies, banks, or others, but settlement is through EFT.
EFT risks and controls:
• More reliable, cost-effective, and efficient than check payment.
• Controls:
– Password and physical access restrictions to FEDI terminals.
– Dual approval (one enters, one releases).
– Test keys or codes for validation.
– Encryption.
– Credit monitoring, backup, and continuity plan.
EFT methods:
• RTGS (such as Fedwire-USA, TARGET-Europe, CHAPS-UK).
• ACH (automated clearing house): a. for high volume, b. low-value transfers, c. sends payments in batches, and d. prenotification.
IA evaluates the adequacy and effectiveness of IC applied to EFT, such as:
• Logical controls that restrict unauthorized access to the EFT systems.
• Program change management controls.
• Physical controls.
• System data backup and recovery controls.
• Operational controls to ensure availability.
• Application controls to ensure transaction accuracy.
Case:
Which one of the following is least likely to be recommended by the auditor when an EDI-EFT system is being designed?
A. The identity of the individual approving an electronic document should be stored as a data field.
B. Disaster recovery plans should be established.
C. Data security procedures should be written to prevent changes to data by unauthorized individuals.
D. Remote access to electronic data should be denied.
• E-Commerce: defined as “conducting commercial activities over the internet”, including:
– Business to business (B2B) e-commerce.
– Business to consumer (B2C) e-commerce.
– Business to employee (B2E) e-commerce.
– Mobile e-commerce (using mobile devices such as smart cell phones).
• Control concerns:
– Determine how authorizations for transactions are handled.
– End-users can initiate input data directly.
– Risk analysis includes hardware used, transmission methods, firewalls, back-end systems, middleware, and links to other applications.
– Control over sensitive information.
Expected results of e-commerce security policies include:
• Authenticity: both parties are able to verify the other party's identity, e.g., passwords, encryption keys, and digital signature certificates.
• Integrity: web site information is unaltered from its original form.
• Nonrepudiation: e-commerce participants cannot deny or repudiate their on-line activities, i.e. e-commerce data is legal evidence.
• Confidentiality: only authorized parties can access their data.
• Privacy: users are informed of a site's privacy policy and can decide whether to provide personal information.
• Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability.
Case:
Mgt has implemented controls such as firewall, password mgt, independent recon., and audit trail. The controls should be reviewed and evaluated by the IAr when testing which e-commerce audit area?
A. Fraud.
B. Corruption of data.
C. Business interruptions.
D. Authentication.
When conducting an audit of e-commerce, IA should look for:
1. Network security controls (e.g. firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprise) and intrusion detection systems.
2. User identification systems (e.g. digital signatures).
3. Privacy and confidentiality controls.
4. A full list of e-commerce applications within the enterprise.
5. Maintenance activities to ensure continued operation.
6. Failure detection and automated repairs.
7. Application change management controls.
8. Business continuity plan in case of system interruption.

Continuous auditing in e-commerce:
• Is software that includes continuous risk assessment, control assessment, and assessment of continuous monitoring tools, and is able to uncover fictitious sales and returns.
• ERP system: modular suites (chain) of business applications that share data between modules and store all data in a single repository (database).
• Purpose: facilitate the flow of information between all business functions inside the boundaries of the org. and manage the connections to outside parties.
• ERP reduces redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department.
• ERP increases efficiency by keeping inventory levels low, reducing cycle time, and improving the timeliness of data for decision making.
• Core modules of ERP: (a) finance, manufacturing, sales and distribution, human resources; (b) transaction processing system (TPS) and management information system (MIS); (c) customer relationship management (CRM) and supplier relationship mgt (SRM).
• Simplifies gathering audit evidence.
• Disparate applications use different languages, so an audit of ERP requires multiple workarounds (solutions) and redundancies.
• IA assesses that mgt has evaluated the efficiency of the ERP relative to competitor ERPs.
• IA needs to be involved in ERP development, monitor the implementation and the personnel training plan, and recommend ERP improvements.
• Since it is integrated, there is no paper audit trail to follow between departments; approvals tend to be automatic, exacerbating the segregation-of-duties control issue.
• Therefore, the audit must focus on IT controls such as the quality of PWs and other logical controls.
• Even the best ERP is unlikely to cover all needs, so the remaining needs can be met through customization or configuration.
– Customization: change the code of the system to provide an unavailable process.
– Configuration: change preset parameters (cheaper and does not impede (disturb) upgrades).
• To overcome the problem, ERP should separate business processes from controls.
• WBEM: uses the external networking component of ERP, providing portal access to external vendors and large customers via XML communication.
– Auditors should focus on controls (especially to protect the org's data).
– Mgt and IT professionals should determine which information will be shared.
– WBEM provides int'l integration and best-of-breed systems (focus on niche).
• Continuous auditing for ERP systems:
– Automated controls in ERP must be designed and implemented w/ audit involvement.
– Need exception reports to highlight unusual data/areas/operational concerns.
When identifying risks, auditors may find it useful to employ a top-down RA to determine which applications to include as part of the control review and what tests need to be performed.
(Figure: Financial Statement Risk Analysis Approach, example based on the 10-K / F/S. Financial statement assertions → F/S accounts mapped to processes (Revenue and Receivables, Purchases and Payables, Payroll and Benefits, Treasury, Financial Reporting/Accounting, Legal, Corporate Investor Relations, Compliance, Manufacturing, Environmental); processes mapped to BUs (BU 1, BU 2, BU 3); non-financial disclosures mapped to processes → Risk Identification and Analysis → Risk Assessment Documents: risk analysis matrix by F/S accounts and disclosures; accounts risk analysis mapped to business and critical applications and underlying technology → Prepare Risk Control Matrix (Manual and Automated) → Define Risk Assessment for Application Control.)
See Risk Assessment Approach in the
To add value to organization-wide AC risk assessment activities, internal auditors:
• Define the universe of applications, databases, and supporting technology that use ACs.
• Summarize risks and controls using the matrices documented during the risk assessment process.
• Define the risk factors associated with each application control, including:
– Primary (i.e., key) application controls.
– The design effectiveness of the application controls.
– Pre-packaged or developed applications or databases.
– Effectiveness of GCs residing within the application (e.g., change mgt, logical security).
• Weigh all risk factors to determine which risks need to be weighed more heavily than others.
• Determine a scale to rank each AC risk by considering qualitative and quantitative scales:
– Numeric scales based on qualitative information (e.g., 1 = low impact, 5 = high impact).
– Numeric scales based on quantitative information (e.g., 1 = < US $50 and 5 = > US $1,000).
• Conduct the risk assessment and rank all risk areas.
• Evaluate the risk assessment results.
• Create a risk review plan that is based on the risk assessment and ranked risk areas.
Notes: the RA approach is different from RA in RM. In the RA approach, the internal auditor does not decide the response to risks. The RA approach is used as input in establishing the review plan (e.g. determining the scope of the application control review).
Composite score = Σ (risk factor weight × risk scale), i.e. the weighted scores are added across all risk factors.
The composite score of 375 = [(20 × 5) + (10 × 1) + (10 × 5) + …].
For this example, the auditor may determine that the application control review will include all applications with a score > 200.
Risk Factor Weighting (example):

Risk factor                                                   Weight   App A   App B   App C   App D   App E
Application contains primary controls                             20       5       1       5       5       5
Design effectiveness of the application controls                  10       1       1       2       3       1
Pre-packaged or developed                                         10       5       2       2       5       1
Application supports more than one critical business process      10       5       1       1       1       1
Frequency of change                                               10       3       1       5       5       1
Complexity of change                                              10       3       1       5       5       1
Financial impact                                                  15       5       4       5       5       3
Effectiveness of the ITGCs                                        15       2       2       2       2       2
Composite score                                                  100     375     170     245     395     225
Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process.
The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate information in a format that can be reviewed w/o the use of an automated tool.
Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
Specialized audit software may perform:
- Data queries
- Data stratification
- Sample extractions
- Statistical analysis
- Calculations
- Duplicated transactions
- Pivot tables
- Cross tabulation
- Missing sequence identification
Example ACL: Verify duplicate transactions
Example ACL: Verify calculations (recomputation)
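An added example (not the deck's own code, and not ACL/IDEA) of the two CAAT tests the slides name, run over the deck's own risk-factor table: recomputation of each application's composite score against the stated total, plus ranking against the > 200 review threshold, and a duplicate-transaction test over constructed vendor payment lines.

```python
"""CAAT-style tests over the deck's application risk-scoring table.
Added example, not code from the original slides or from ACL/IDEA.
The weights and rows are transcribed from the slide table; the vendor
payment lines used for the duplicate test are constructed."""
from typing import Dict, List, Sequence, Tuple

# Risk factor weights in the column order of the slide table (they sum to 100).
WEIGHTS: Dict[str, int] = {
    "application_contains_primary_controls": 20,
    "design_effectiveness_of_app_controls": 10,
    "prepackaged_or_developed": 10,
    "supports_multiple_critical_processes": 10,
    "frequency_of_change": 10,
    "complexity_of_change": 10,
    "financial_impact": 15,
    "effectiveness_of_itgcs": 15,
}

# (application, risk scale per factor, composite score as stated on the slide)
STATED_ROWS: List[Tuple[str, List[int], int]] = [
    ("App A", [5, 1, 5, 5, 3, 3, 5, 2], 375),
    ("App B", [1, 1, 2, 1, 1, 1, 4, 2], 170),
    ("App C", [5, 2, 2, 1, 5, 5, 5, 2], 245),
    ("App D", [5, 3, 5, 1, 5, 5, 5, 2], 395),
    ("App E", [5, 1, 1, 1, 1, 1, 3, 2], 225),
]


def composite_score(scales: Sequence[int]) -> int:
    """Composite score = sum over risk factors of (weight x risk scale)."""
    if len(scales) != len(WEIGHTS):
        raise ValueError("one scale value per risk factor is required")
    if any(not 1 <= s <= 5 for s in scales):
        raise ValueError("risk scale values must lie in 1..5")
    return sum(w * s for w, s in zip(WEIGHTS.values(), scales))


def recomputation_exceptions(rows=STATED_ROWS) -> Dict[str, Tuple[int, int]]:
    """Recomputation test: {app: (stated, recomputed)} for every row whose
    stated composite does not equal the value recomputed from its inputs."""
    out: Dict[str, Tuple[int, int]] = {}
    for app, scales, stated in rows:
        recomputed = composite_score(scales)
        if recomputed != stated:
            out[app] = (stated, recomputed)
    return out


def review_scope(rows=STATED_ROWS, threshold: int = 200) -> List[str]:
    """Applications whose recomputed score exceeds the review threshold (the deck
    uses > 200), highest first. Ranking uses recomputed, not stated, totals."""
    scored = [(app, composite_score(scales)) for app, scales, _ in rows]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [app for app, score in scored if score > threshold]


# Constructed vendor payment lines for the duplicate-transaction test.
PAYMENTS = [
    {"vendor": "V100", "invoice": "INV-7", "amount": 1200.00, "paid": "2024-01-05"},
    {"vendor": "V217", "invoice": "INV-3", "amount": 80.50, "paid": "2024-01-06"},
    {"vendor": "V100", "invoice": "INV-7", "amount": 1200.00, "paid": "2024-01-19"},
    {"vendor": "V100", "invoice": "INV-8", "amount": 1200.00, "paid": "2024-01-20"},
]


def duplicate_transactions(records, key_fields=("vendor", "invoice", "amount")):
    """Duplicate test: group records on the key fields and return the groups with
    more than one member (same vendor, invoice and amount paid twice)."""
    groups: Dict[tuple, list] = {}
    for r in records:
        groups.setdefault(tuple(r[f] for f in key_fields), []).append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    print("recomputation exceptions:", recomputation_exceptions())
    print("in scope (> 200):", review_scope())
    for key, rows in duplicate_transactions(PAYMENTS).items():
        print("duplicate", key, [r["paid"] for r in rows])
```

Run against the deck's own table, the recomputation test flags App C: its scale values recompute to 355 against the stated 245, exactly the kind of exception an auditor documents and follows up rather than silently corrects.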
03.2 application control
Application Security: By Prashant Mali Cyber law ConsultantApplication Security: By Prashant Mali Cyber law Consultant
Application Security: By Prashant Mali Cyber law ConsultantShivaami Corporation
 
Information systems application control Framework.ppt
Information systems application control Framework.pptInformation systems application control Framework.ppt
Information systems application control Framework.pptr209777z
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques_supriadi
 
Heuristic Test Strategy Model For "Soda Co"
Heuristic Test Strategy Model For "Soda Co"Heuristic Test Strategy Model For "Soda Co"
Heuristic Test Strategy Model For "Soda Co"eaqa
 
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptxInternal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptxJayLloyd8
 
Auditing in Computerized Environment
Auditing in Computerized EnvironmentAuditing in Computerized Environment
Auditing in Computerized EnvironmentDr. Sushil Bansode
 
Information system audit
Information system audit Information system audit
Information system audit Jayant Dalvi
 
Core Areas of a CA- Interlinked with computers
Core Areas of a CA- Interlinked with computersCore Areas of a CA- Interlinked with computers
Core Areas of a CA- Interlinked with computersShikha Gupta
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approachkzoe1996
 

Similar to 03.2 application control (20)

09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan
 
Effects of IT on internal controls
Effects of IT on internal controlsEffects of IT on internal controls
Effects of IT on internal controls
 
Information system audit
Information system audit Information system audit
Information system audit
 
Icai seminar kolkata
Icai seminar kolkataIcai seminar kolkata
Icai seminar kolkata
 
General and Application Control - Security and Control Issues in Informatio...
General and Application Control - Security  and Control Issues in  Informatio...General and Application Control - Security  and Control Issues in  Informatio...
General and Application Control - Security and Control Issues in Informatio...
 
3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf3.42211- CIS Audit.pdf
3.42211- CIS Audit.pdf
 
Caa ts
Caa tsCaa ts
Caa ts
 
IT Revision and Auditing
IT Revision and AuditingIT Revision and Auditing
IT Revision and Auditing
 
Application Security: By Prashant Mali Cyber law Consultant
Application Security: By Prashant Mali Cyber law ConsultantApplication Security: By Prashant Mali Cyber law Consultant
Application Security: By Prashant Mali Cyber law Consultant
 
Application Security:
Application Security: Application Security:
Application Security:
 
Information systems application control Framework.ppt
Information systems application control Framework.pptInformation systems application control Framework.ppt
Information systems application control Framework.ppt
 
Computer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and TechniquesComputer-Assisted Audit Tools and Techniques
Computer-Assisted Audit Tools and Techniques
 
Heuristic Test Strategy Model For "Soda Co"
Heuristic Test Strategy Model For "Soda Co"Heuristic Test Strategy Model For "Soda Co"
Heuristic Test Strategy Model For "Soda Co"
 
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptxInternal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
Internal-control-in-the-computer-information-system-chap-27-aud-5-FINAL.pptx
 
Auditing in Computerized Environment
Auditing in Computerized EnvironmentAuditing in Computerized Environment
Auditing in Computerized Environment
 
Information system audit
Information system audit Information system audit
Information system audit
 
Chapter 7
Chapter 7Chapter 7
Chapter 7
 
hhhh.ppt
hhhh.ppthhhh.ppt
hhhh.ppt
 
Core Areas of a CA- Interlinked with computers
Core Areas of a CA- Interlinked with computersCore Areas of a CA- Interlinked with computers
Core Areas of a CA- Interlinked with computers
 
Test Data Approach
Test Data ApproachTest Data Approach
Test Data Approach
 

More from Mulyadi Yusuf

Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualPaper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)Mulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp   analisis renstra dan capaian kinerja kemenpan rb Paper mssp   analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb Mulyadi Yusuf
 
Paper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapcePaper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapceMulyadi Yusuf
 
Peta strategi kementan
Peta strategi kementanPeta strategi kementan
Peta strategi kementanMulyadi Yusuf
 
Mssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMulyadi Yusuf
 
Manstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalManstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udaraPaper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udaraMulyadi Yusuf
 
Balanced scorecard amin subiyakto
Balanced scorecard   amin subiyaktoBalanced scorecard   amin subiyakto
Balanced scorecard amin subiyaktoMulyadi Yusuf
 
10. kertas kerja it audit
10. kertas kerja it audit10. kertas kerja it audit
10. kertas kerja it auditMulyadi Yusuf
 
09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaranMulyadi Yusuf
 
05.2 auditing procedure application controls
05.2 auditing procedure   application controls05.2 auditing procedure   application controls
05.2 auditing procedure application controlsMulyadi Yusuf
 
05.1 auditing procedure general controls
05.1 auditing procedure   general controls05.1 auditing procedure   general controls
05.1 auditing procedure general controlsMulyadi Yusuf
 
02. cobit5 introduction
02. cobit5 introduction02. cobit5 introduction
02. cobit5 introductionMulyadi Yusuf
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799Mulyadi Yusuf
 

More from Mulyadi Yusuf (20)

Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualPaper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
 
Mckinsey kominfo
Mckinsey kominfoMckinsey kominfo
Mckinsey kominfo
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)Paper mssp   analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp   analisis renstra dan capaian kinerja kemenpan rb Paper mssp   analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
 
Paper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapcePaper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapce
 
Peta strategi kementan
Peta strategi kementanPeta strategi kementan
Peta strategi kementan
 
Mssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppi
 
Manstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalManstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan final
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udaraPaper mssp   analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
 
Balanced scorecard amin subiyakto
Balanced scorecard   amin subiyaktoBalanced scorecard   amin subiyakto
Balanced scorecard amin subiyakto
 
10. kertas kerja it audit
10. kertas kerja it audit10. kertas kerja it audit
10. kertas kerja it audit
 
09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran
 
05.2 auditing procedure application controls
05.2 auditing procedure   application controls05.2 auditing procedure   application controls
05.2 auditing procedure application controls
 
05.1 auditing procedure general controls
05.1 auditing procedure   general controls05.1 auditing procedure   general controls
05.1 auditing procedure general controls
 
02. cobit5 introduction
02. cobit5 introduction02. cobit5 introduction
02. cobit5 introduction
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12
 
Erm tm 11
Erm tm 11Erm tm 11
Erm tm 11
 
Erm tm 10
Erm tm 10Erm tm 10
Erm tm 10
 
Erm tm 9
Erm tm 9Erm tm 9
Erm tm 9
 

Recently uploaded

Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxLigayaBacuel1
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon AUnboundStockton
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxEyham Joco
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxsqpmdrvczh
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomnelietumpap1
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 

Recently uploaded (20)

Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptx
 
Crayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon ACrayon Activity Handout For the Crayon A
Crayon Activity Handout For the Crayon A
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Types of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptxTypes of Journalistic Writing Grade 8.pptx
Types of Journalistic Writing Grade 8.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Romantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptxRomantic Opera MUSIC FOR GRADE NINE pptx
Romantic Opera MUSIC FOR GRADE NINE pptx
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
ENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choomENGLISH6-Q4-W3.pptxqurter our high choom
ENGLISH6-Q4-W3.pptxqurter our high choom
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"Rapple "Scholarly Communications and the Sustainable Development Goals"
Rapple "Scholarly Communications and the Sustainable Development Goals"
 

03.2 application control

  • 3. The Most Common IT-ACs:
    1. Input Control
    2. Process Control
    3. Output Control
    Notes: AC will be covered further in the CAAT material.
  • 4. Application controls: “controls that pertain to scope of individual business processes or application system.” (diagram: Business Process → Application → Application system)
    AC Objectives:
    • Input data: accurate, complete, authorized, and correct.
    • Data: processed as intended in an acceptable time period.
    • Data stored: accurate and complete.
    • Outputs: accurate and complete.
    • A record: maintained to track the process of data from input to storage and to the eventual output.
  • 5. TYPES OF APPLICATION CONTROL
    • Input Controls – Check the integrity of data entered into a business application, to ensure that it remains within specified parameters.
    • Processing Controls – Provide an automated means to ensure processing is complete, accurate, and authorized.
    • Output Controls – Address what is done with the data and should compare output results with the intended result by checking the output against the input.
    • Integrity Controls – Monitor data being processed and in storage to ensure it remains consistent and correct.
    • Management Trail – As an audit trail, enables management to identify the transactions and events recorded by tracking transactions forward / backward. Monitors the effectiveness of other controls and identifies errors.
  • 6. Application control: a control designed to ensure the complete and accurate processing of data, from input through output.
    • Application controls regulate the input, processing, and output of an application.
    • Input and output have risks such as loss of data during transmission, duplicate inputs, and manual input errors or incomplete data.
    • Processing risks include incomplete processing, unrecorded transactions caused either by accident or as part of fraud, automated transactions (e.g. raw materials reordering) failing due to complications, or files lost during processing.
    • Output risks include files being sent to the wrong place or too late to be of use.
    • These controls are designed to be application-specific. Examples include:
      - A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the A/P subsidiary ledger.
      - An A/R check digit procedure that validates customer account numbers on sales transactions.
      - A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.
  • 7. Input control: controls data as it manually or electronically enters the system.
    • Manual IC: require authorization both before the input and after a review, use of concise prenumbered forms, and training for data entry personnel.
    • Electronic IC: include user-friendly screen formats that prompt the user for required information, and use of required fields.
    • Field check: a check to see if the information in an entry field is complete.
    • Drop-down menus: allow only specific preset input (e.g. a list of provinces).
    • To protect sensitive information, keystroke verification requires data to be entered twice, by a different person if possible, and highlights any differences (e.g. confirmation of a password change).
    • Batch control: accumulate transactions and apply a test on the batch (e.g. batch total).
    • Format check: data is entered in an acceptable format (e.g. date format).
    • Reconciliation and balancing: reconciliation analyzes variances or tests two balances to see if they are equal.
  • 8. Edit check: automated tests on data fields. These include:
    - Control totals: a hash total is a sum of nonfinancial numbers that has no meaning in itself; a change in the hash total indicates a record change.
    - Range test: allows entry only within a range of numbers or characters.
    - Numerical test: prevents alphabetic entry in number fields.
    - Sequence check: checks for an alphanumeric sequence in a field.
    - Limit check: entries above a particular number are prevented or need approval.
    - Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, to show if the number was incorrectly entered by transposition (e.g. credit card numbers).
    - Record count: tallies the number of records.
    - Historical comparison: measures variance from past records.
    - Overflow checking: places a memory or length limit on a field to prevent numbers larger than the maximum from being entered.
  • 9. Inquiry log: tracks all read-only access to records.
    • Automated inputs: automation reduces errors and increases input speed. These include:
      - Optical character recognition (OCR): converts a scanned image into graphic data, then stores, retrieves, and processes the graphic data (e.g. scanning a shipping receipt into a database).
      - Scanners: a device that digitizes graphic images.
      - Radio frequency identification (RFID): a tag is placed in the packaging; an RFID reader reads the tag via radio frequency and identifies where the product is. Useful in tracking inventory (e.g. DHL).
      - Bar codes: a machine-readable representation of data, allowing for rapid reading and processing of associated data (such as price or inventory level).
      - Magnetic ink character recognition (MICR): included on checks (bank transactions), indicating the check no., account no., routing no., and possibly the check amount.
  • 10. Processing control: automated error checks built into computer processing, as well as segregation of duties, such as controlling programmers’ access to files and records.
    • Data center operators’ access to applications should be restricted to equipment and software installation and responding to errors, as well as overriding file names.
    • A console log or system control file should track operator interventions.
    • Access to configuration parameters within an application must be controlled. Auditors should reconcile actual versus planned configuration.
    • Completeness check: rejects saving a record until all fields are complete.
    • Control totals: totals are recorded in a system control file when an application generates temporary files; an error is raised if the control totals do not match.
    • Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors.
    • Auditors test processing controls by inserting known test data and comparing it against expected results (walkthrough-test or round-test?).
  • 11. Other processing controls include:
    • Reasonableness checks: verify that amounts fall within predetermined limits.
    • Suspense file: a file used to retain transactions processed with errors.
    • Activity log: records the actions of users by date, time, and access terminal (distinguish this from the ITGC).
    • Processing logic tests (e.g. posting check, zero balance check, cross-footing check): various checks that verify whether accounts or transactions are at the expected level (e.g. checking that an account actually has a zero balance after payments are processed; other examples?).
    • Run-to-run totals: the data control group monitors batch run totals (or verifies that amounts fall within predetermined limits).
    • End-of-file procedures: prevent additional operations from taking place in a file when the end of the file is reached.
    • Primary and secondary key integrity check: verifies encryption key security.
    • Access control list: a list of all valid users. Auditors should verify that the list cannot be altered without proper authorization.
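The input controls of slides 7 and 8 and the processing controls of slides 10 and 11 (control totals, run-to-run reconciliation, suspense file) working together on one batch, as an added example that is not part of the deck; the record layout, thresholds and sample batch are constructed, and the check digit is the Luhn mod-10 digit used on credit card numbers.

```python
"""Batch edit checks, control totals and suspense file (added example, not from the slides).
Record layout, limits and sample data are constructed; the check digit is the
Luhn mod-10 digit (the one used on credit card numbers)."""
from __future__ import annotations

from dataclasses import dataclass, field

NORMAL_HOURS_LIMIT = 60        # assumed payroll limit check: hours above this need approval
AMOUNT_RANGE = (0, 20_000)     # assumed range test for the amount field


def luhn_valid(number: str) -> bool:
    """Check digit test: catches any single wrong digit and almost every adjacent transposition."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:             # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Record:
    employee_id: str   # numeric id carrying a Luhn check digit
    hours: str         # fields are kept exactly as entered so the numeric test is meaningful
    amount: str


def edit_check(rec: Record) -> list[str]:
    """Field-level edit checks; returns the error codes (an empty list means pass)."""
    errors = []
    for name in ("employee_id", "hours", "amount"):      # completeness check
        if getattr(rec, name).strip() == "":
            errors.append(f"MISSING_{name.upper()}")
    if errors:
        return errors
    if not luhn_valid(rec.employee_id):                   # check digit
        errors.append("BAD_CHECK_DIGIT")
    for name in ("hours", "amount"):                      # numerical test
        if not getattr(rec, name).isdigit():
            errors.append(f"NON_NUMERIC_{name.upper()}")
    if errors:
        return errors
    if int(rec.hours) > NORMAL_HOURS_LIMIT:               # limit check
        errors.append("HOURS_OVER_LIMIT")
    if not AMOUNT_RANGE[0] <= int(rec.amount) <= AMOUNT_RANGE[1]:   # range test
        errors.append("AMOUNT_OUT_OF_RANGE")
    return errors


@dataclass
class BatchResult:
    accepted: list[Record] = field(default_factory=list)
    suspense: list[tuple[Record, list[str]]] = field(default_factory=list)
    record_count: int = 0
    input_amount_total: int = 0   # batch total over everything received, before edit checks
    posted_amount_total: int = 0  # financial total over accepted records only
    hash_total: int = 0           # sum of employee ids: meaningless, but changes if any id changes
    reconciled: bool = False      # run-to-run: does what arrived match the batch header?


def process_batch(records: list[Record], header_count: int, header_amount_total: int) -> BatchResult:
    """Apply edit checks to each record, route failures to the suspense file,
    accumulate control totals and reconcile them against the batch header."""
    res = BatchResult()
    for rec in records:
        res.record_count += 1
        if rec.employee_id.isdigit():
            res.hash_total += int(rec.employee_id)
        if rec.amount.isdigit():
            res.input_amount_total += int(rec.amount)
        errs = edit_check(rec)
        if errs:
            res.suspense.append((rec, errs))     # held for correction and resubmission
        else:
            res.accepted.append(rec)
            res.posted_amount_total += int(rec.amount)
    # A count or total that differs from the header points at records lost or
    # duplicated in transmission, independently of any per-record edit failure.
    res.reconciled = (res.record_count == header_count
                      and res.input_amount_total == header_amount_total)
    return res


# Constructed sample batch: one clean record, one transposed id, one over the
# hours limit and one incomplete record; header totals as the submitter recorded them.
SAMPLE_BATCH = [
    Record("79927398713", "40", "3200"),
    Record("79927398731", "38", "3000"),   # last two digits of the id transposed
    Record("12345674", "72", "5760"),      # valid id, hours above NORMAL_HOURS_LIMIT
    Record("", "40", "3200"),
]
SAMPLE_HEADER_COUNT = 4
SAMPLE_HEADER_AMOUNT = 3200 + 3000 + 5760 + 3200

if __name__ == "__main__":
    r = process_batch(SAMPLE_BATCH, SAMPLE_HEADER_COUNT, SAMPLE_HEADER_AMOUNT)
    print(f"accepted={len(r.accepted)} suspense={len(r.suspense)} reconciled={r.reconciled}")
    for rec, errs in r.suspense:
        print("suspense:", rec, errs)
```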
  • 12. Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. Output controls include the following:
    • Error listings: auditors ensure that errors are followed up without exceeding backlog limits, and that corrected reports are resubmitted.
    • Reference documents: when systems are interrupted, these logs show what was in memory at the time of the interruption.
    • Spooling controls: a spool is a temporary memory allocation for system output. These controls regulate the data spooling method.
    • Working documents: legal records, such as checks, invoices, or stock certificates, are safeguarded. They are audit evidence that can detect whether inputs really match outputs.
    • Report controls: include ensuring that reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls.
    • Exception reporting: highlights only unusual data; it helps to determine the source of an error (human error, processing error).
  • 13. Encryption uses a mathematical algorithm to scramble data so that it cannot be unscrambled without a numeric key code.
    • Can be used on stored and physically transmitted data (on CD) and electronically transmitted data (wireless data).
    • Two basic types of encryption:
      - Private (or symmetric) key encryption.
      - Public (or asymmetric) key encryption.
    • Variants of public key encryption:
      - Digital signatures.
      - Elliptic curve cryptography (ECC) (y² = x³ + ax + b).
  • 14.
    1. Sue (aka Sender) selects a key, and then uses that key to encrypt the plaintext to produce the ciphertext.
    2. Sue gives both the key and the ciphertext to you (aka Receiver). (Not together, obviously, or anyone could intercept the delivery and use the key to decrypt the ciphertext.)
    3. You use that same key to decrypt the ciphertext to regenerate the plaintext.
  • 15. A sender (Sue) is using your Pub-K to produce a ciphertext for you. But the process also works backwards: you could encrypt a plaintext with your Priv-K and send the resulting ciphertext to Sue. Decrypting the ciphertext with your Pub-K proves that the ciphertext had to come from you. This provides authenticity without privacy: your Pub-K is public, so anyone could decrypt this ciphertext, not just Sue. But Pub/Priv-K pairs make digital signatures possible, which provide authenticity and integrity without sacrificing privacy.
    1. You give Sue (aka Sender) a copy of your public key.
    2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you.
    3. She then gives (just) the ciphertext to you, and
    4. You use your private key to decrypt the ciphertext to reproduce the plaintext.
  • 17. Other encryption tools:
    - Quantum (or quantum key) cryptography: uses uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties.
    - Digital envelope: uses two layers of encryption: 1. the message is encrypted symmetrically (private key), then 2. the decipher code (the symmetric key) is encrypted with the recipient’s public key.
    - Cryptographic module or system: a packaged encryption application that is purchased or developed as part of a larger application (e.g. Secure Sockets Layer).
    • Auditing issues: evaluating encryption includes evaluating physical control over computers that hold passwords and keys, testing policies to see if they are being followed, and implementing and monitoring logical controls.
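The digital envelope of slide 17 and the private-key signature of slide 15 carried through end to end, as an added example that is not part of the deck: textbook RSA on tiny constructed primes and a SHA-256 counter keystream stand in for the real algorithms so that the mechanics (wrap the symmetric key with the receiver’s public key, apply the sender’s private key to a hash) run on the standard library alone; Sue and “you” keep the roles the slides give them.

```python
"""Digital envelope + digital signature with textbook RSA (added example, not from
the deck). The primes, keys and message are constructed; textbook RSA on bytes
and a SHA-256 keystream are illustration-only stand-ins for real algorithms."""
from __future__ import annotations

import hashlib
import secrets
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((e, n), (d, n)) for primes p, q; n must exceed 255 so a byte fits in one block."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1 or n <= 255:
        raise ValueError("unsuitable primes for this toy key")
    return (e, n), (pow(e, -1, phi), n)     # d is the modular inverse of e


def rsa_apply(key: tuple[int, int], blocks) -> list[int]:
    """Apply c = m^k mod n to each block: the public key encrypts or verifies,
    the private key decrypts or signs (slide 15: encrypting with Priv-K proves origin)."""
    k, n = key
    return [pow(int(b), k, n) for b in blocks]


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric layer: XOR with a SHA-256 counter keystream (the same call encrypts and decrypts)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(message: bytes, receiver_pub, sender_priv) -> dict:
    """Sender side: layer 1 encrypts the message with a fresh session key, layer 2 wraps
    that key with the receiver's public key; the signature is the message hash under
    the sender's private key."""
    session_key = secrets.token_bytes(16)
    return {
        "ciphertext": stream_xor(session_key, message),
        "wrapped_key": rsa_apply(receiver_pub, session_key),
        "signature": rsa_apply(sender_priv, hashlib.sha256(message).digest()),
    }


def open_envelope(env: dict, receiver_priv, sender_pub) -> bytes | None:
    """Receiver side: unwrap the session key, decrypt, then check the signature by
    applying the sender's public key and comparing with a fresh hash. None = reject."""
    key_blocks = rsa_apply(receiver_priv, env["wrapped_key"])
    if max(key_blocks) > 255:
        return None          # not wrapped for this receiver's key
    message = stream_xor(bytes(key_blocks), env["ciphertext"])
    if rsa_apply(sender_pub, env["signature"]) != list(hashlib.sha256(message).digest()):
        return None          # wrong sender key, or content altered in transit
    return message


# Constructed keys: Sue is the sender, "you" are the receiver, as on slide 15.
SUE_PUB, SUE_PRIV = rsa_keygen(61, 53)
YOU_PUB, YOU_PRIV = rsa_keygen(71, 67)

if __name__ == "__main__":
    env = seal(b"pay vendor 4711 the sum of 3200", YOU_PUB, SUE_PRIV)
    print(open_envelope(env, YOU_PRIV, SUE_PUB))
```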
  • 18. The choice of network type will affect IT control design.
    • Computer network: the sum of all infrastructure and applications required to connect two or more network nodes, which are computers and devices:
      - Computers (own processing power), servers (powerful computers with high bandwidth), and client (recipient of server functions) / server infrastructure (data request server, database server).
      - Mainframe (large, scalable computer to process and store large amounts of data) and data terminal (input/output node for a mainframe system).
    • Data processing methods:
      - Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
      - Decentralized.
      - Distributed (decentralized processing, but networked together / centralized).
  • 19. The choice of network type will affect IT control design. Types of networks:
    • Peer-to-peer network = between two computers.
    • Personal-area networks (PANs) = wireless, within a room-sized area.
    • Local-area networks (LANs) = for a limited geographical area (building).
    • Wide-area networks (WANs) = networks of LANs (nation/world).
    • Metropolitan-area networks (MANs) = metropolitan.
    • Public data networks (PDNs) = allow public access, such as the world wide web.
    Other related terms:
    • Value-added networks (VANs) = providers of networking services.
    • Consortium networks = a group of organizations that form a network.
    Network transmission options:
    • Wired.
    • Wireless.
    • Virtual private networks (VPNs): a secure method of connecting two points over the internet (ISP).
  • 20. The OSI model is a method of defining how messages should be sent through a network so that unrelated products can work together.
    • The OSI model is divided into 7 layers for communication and computer network protocol design.
    OSI Layer | Description | Related Controls
    Layer 1: Physical layer (HW, NW) | Mechanical layer; transmits digital signals | Wiring and other physical protection
    Layer 2: Data link layer (HW, NW) | Synchronizes layer 1 data movements | Encryption (and compresses data where possible)
    Layer 3: Network layer (SW, NW) | Routes and forwards data to the right places; IP addresses are tracked | Firewalls
    Layer 4: Transport layer (SW, Comp) | Ensures that data transfers are complete by managing end-to-end control and error checking | Logical control layer, Firewalls
    Layer 5: Session layer (SW, Comp) | Initiates and terminates conversations between applications |
    Layer 6: Presentation layer | Is operating system (O/S), which | O/S Control
• 21. Network topology: the physical connection points between devices on a LAN or similar network. (1) Bus network, (2) ring network, and (3) star network.
• 22.
  1. Ports: physical connection points to a device.
  2. Hubs: the center of a network; switch/direct communications.
  3. Repeaters: extend the range of a network by amplifying or regenerating signals.
  4. Switches: connect telecom circuits and may allow network management capabilities.
  5. Routers: intelligent processors that link network segments, allowing them to communicate but also remain separate and independent.
  6. Bridges: an early software-based device that functions similarly to switches and routers, but not as efficiently as switches.
  7. Gateways: convert protocols between networks with dissimilar network architectures.
  8. Multiplexers: combine multiple data channels into a single channel, such as multiple phone lines sharing a single physical phone line.
  Case: The Internet consists of a series of networks that include:
  A. Gateways to allow PCs to connect to mainframe computers.
  B. Bridges to direct messages through the optimum data path.
  C. Repeaters to physically connect separate local area networks (LANs).
  D. Routers to strengthen data signals between distant computers.
• 23. Firewall: a HW/SW combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic. Firewalls can:
  1. Improve security by blocking access from certain servers or applications.
  2. Reduce vulnerability to external attacks and ensure IT system efficiency by limiting user access to certain sites.
  3. Provide a means of monitoring communications and detecting external intrusions and internal sabotage.
  4. Provide encryption internally (within an enterprise).
• 24. Layer 3 and 4 firewall types:
  1. Packet filtering: comparing source and destination addresses to an allowed list.
  2. Gateways: stopping traffic flowing to a specific application such as file transfer protocol (FTP); e.g., rules may block outgoing FTP but permit incoming FTP. One common gateway is a proxy server.
  • The auditor should work with the network administrator to determine the efficacy (effectiveness) of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up to date.
  • Firewall logs can be used as legal audit evidence if the data was collected, processed, and retained properly.
  • Firewalls have limitations, such as physical intrusion, incorrect configuration, and trojan horses using IRC (internet relay chat).
  • Intrusion detection/prevention systems: an intrusion detection system (IDS) combined with an application layer firewall (layer 7) is called an intrusion prevention system (IPS). Two types of IPS: HIPS (host-based) and NIPS (network-based).
• 25. EFT: the transfer of monetary value and financial data from one bank to another (it cannot involve other parties).
  • FEDI (EFT and financial EDI) is a subset of electronic data interchange (EDI).
  • FEDI transfers payment information between companies, banks, or others, but settlement is through EFT.
  EFT risks and controls:
  • More reliable, cost-effective, and efficient than check payment.
  • Controls:
    - Password and physical restriction of access to FEDI terminals.
    - Dual approval (one enters, one releases).
    - Test keys or codes for validation.
    - Encryption.
    - Credit monitoring, backup, and continuity plan.
• 26. EFT methods:
  • RTGS (such as Fedwire in the USA, TARGET in Europe, CHAPS in the UK).
  • ACH (automated clearing house): a. for high volume, b. low-value transfers, c. sends payments in batches, and d. prenotification.
  IA evaluates the adequacy and effectiveness of the internal controls (IC) applied to EFT, such as:
  • Logical controls that restrict unauthorized access to the EFT system.
  • Program change management controls.
  • Physical controls.
  • System data backup and recovery controls.
  • Operational controls to ensure availability.
  • Application controls to ensure transaction accuracy.
  Case: Which one of the following is least likely to be recommended by the auditor when an EDI-EFT system is being designed?
  A. The identity of the individual approving an electronic document should be stored as a data field.
  B. Disaster recovery plans should be established.
  C. Data security procedures should be written to prevent changes to data by unauthorized individuals.
  D. Remote access to electronic data should be denied.
• 27. E-commerce: defined as "conducting commercial activities over the internet", including:
  - Business to business (B2B) e-commerce.
  - Business to consumer (B2C) e-commerce.
  - Business to employee (B2E) e-commerce.
  - Mobile e-commerce (using mobile devices such as smartphones).
  • Control concerns: determine how authorizations for transactions are handled. End users can initiate input data directly. Risk analysis includes the hardware used, transmission methods, firewalls, back-end systems, middleware, and links to other applications. Control over sensitive information.
• 28. Expected results of e-commerce security policies include:
  • Authenticity: both parties are able to verify the other party's identity, e.g., passwords, encryption keys, and digital signature certificates.
  • Integrity: web site information is unaltered from its original form.
  • Nonrepudiation: e-commerce participants cannot deny or repudiate their on-line activities, i.e., e-commerce data is legal evidence.
  • Confidentiality: only authorized parties can access their data.
  • Privacy: users are informed of a site's privacy policy and can decide whether to provide personal information.
  • Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability.
  Case: Management has implemented controls such as a firewall, password management, independent reconciliation, and audit trails. These controls should be reviewed and evaluated by the internal auditor when testing which e-commerce audit area?
  A. Fraud.
  B. Corruption of data.
  C. Business interruptions.
  D. Authentication.
• 29. When conducting an audit of e-commerce, IA should look for:
  1. Network security controls (e.g., firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprise) and intrusion detection systems.
  2. User identification systems (e.g., digital signatures).
  3. Privacy and confidentiality controls.
  4. A complete list of e-commerce applications within the enterprise.
  5. Maintenance activities to ensure continued operation.
  6. Failure detection and automated repairs.
  7. Application change management controls.
  8. A business continuity plan in case of system interruption.
  Continuous auditing in e-commerce: software that includes continuous risk assessment, control assessment, and assessment of continuous monitoring tools, and is able to uncover fictitious sales and returns.
• 30. ERP system: modular suites (chains) of business applications that share data between modules and store all data in a single repository (database).
  • Purpose: facilitate the flow of information between all business functions inside the boundaries of the organization and manage the connections to the outside.
  • ERP reduces redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department.
  • ERP increases efficiency by keeping inventory levels low, reducing cycle time, and improving the timeliness of data for decision making.
  • Core modules of ERP: (a) finance, manufacturing, sales and distribution, human resources; (b) transaction processing system (TPS) and management information system (MIS); (c) customer relationship management (CRM) and supplier relationship management (SRM).
• 31. ERP simplifies gathering audit evidence.
  • Disparate applications use different languages, so an audit of ERP requires multiple workarounds (solutions) and redundancies.
  • IA assesses whether management has evaluated the efficiency of the ERP relative to competitor ERPs.
  • IA needs to be involved in ERP development, monitor the implementation and the personnel training plan, and recommend ERP improvements.
  • Since it is integrated, there is no paper audit trail to follow between departments and approvals tend to be automatic, exacerbating the segregation of controls issue.
  • Therefore, the audit must focus on IT controls such as password quality and other logical controls.
  • Even the best ERP is unlikely to cover all needs, so the remaining needs can be met through customization or configuration. Customization: change the code of the system to provide an unavailable process. Configuration: change preset parameters (cheaper, and does not impede (disturb) upgrades).
  • To overcome the problem, ERP should separate business processes from controls.
• 32. WBEM uses the external networking component of ERP, providing portal access to external vendors and large customers via XML communication. The auditor should focus on controls (especially those protecting the organization's data). Management and IT professionals should determine which information will be shared. WBEM provides international integration and best-of-breed systems (focus on a niche).
  • Continuous auditing for ERP systems: automated controls in ERP must be designed and implemented with audit involvement. Exception reports are needed to highlight unusual data/areas/operational concerns.
• 33. When identifying risks, auditors may find it useful to employ a top-down risk assessment (RA) to determine which applications to include as part of the control review and what tests need to be performed.
  [Figure: 10-K Example, Financial Statement Risk Analysis Approach. Flow: financial statement assertions; F/S accounts mapped to processes and processes mapped to business units (BU 1, BU 2, BU 3), e.g., revenue and receivables, purchases and payables, payroll and benefits, treasury, legal and corporate, investor relations, management and financial reporting/accounting, compliance, manufacturing, environmental; non-financial disclosures mapped to processes; risk identification and analysis; risk assessment documents (risk analysis matrix by F/S accounts and disclosures; accounts risk analysis mapped to business and critical applications and underlying technology); prepare risk control matrix (manual and automated); define risk assessment for application control. Caption cut off: "See Risk Assessment Approach in the".]
• 34. To add value to organization-wide AC risk assessment activities, internal auditors:
  • Define the universe of applications, databases, and supporting technology that use ACs.
  • Summarize risks and controls using the matrices documented during the risk assessment process.
  • Define the risk factors associated with each application control, including: primary (i.e., key) application controls; the design effectiveness of the application controls; pre-packaged or developed applications or databases; effectiveness of GCs residing within the application (e.g., change management, logical security).
  • Weigh all risk factors to determine which risks need to be weighed more heavily than others.
  • Determine a scale to rank each AC risk by considering qualitative and quantitative scales: numeric scales based on qualitative information (e.g., 1 = low impact, 5 = high impact); numeric scales based on quantitative information (e.g., 1 = < US $50 and 5 = > US $1,000).
  • Conduct the risk assessment and rank all risk areas.
  • Evaluate the risk assessment results.
  • Create a risk review plan that is based on the risk assessment and the ranked risk areas.
  Notes: the RA approach is different from RA in risk management (RM). In the RA approach, the internal auditor does not decide the response to risks. The RA approach is used as input in establishing the review plan (e.g., determining the scope of the application control review).
• 35. Composite score = Σ (risk factor weight × risk scale), i.e., multiply each factor's weight by its scale and add the totals. The composite score of 375 = [(20 × 5) + (10 × 1) + (10 × 5) + …]. For this example, the auditor may determine that the application control review will include all applications with a score > 200.
  Risk factors and weightings (total 100):
  1. Application contains primary controls: 20
  2. Design effectiveness of the application control: 10
  3. Pre-packaged or developed: 10
  4. Application supports more than one critical business process: 10
  5. Frequency of change: 10
  6. Complexity of change: 10
  7. Financial impact: 15
  8. Effectiveness of the ITGCs: 15
  Risk scales per application (factors 1 to 8) and composite score:
  App A: scales 5, 1, 5, 5, 3, 3, 5, 2; composite 375
  App B: scales 1, 1, 2, 1, 1, 1, 4, 2; composite 170
  App C: scales 5, 2, 2, 1, 5, 5, 5, 2; composite 245
  App D: scales 5, 3, 5, 1, 5, 5, 5, 2; composite 395
  App E: scales 5, 1, 1, 1, 1, 1, 3, 2; composite 225
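The scoring procedure of the two slides above (define risk factors, weigh them, scale each application, compute the composite and rank against the > 200 threshold), worked as an added Python example that is not from the slides. Recomputing from the transcribed weights and scales reproduces the stated 375, 170, 395 and 225 for Apps A, B, D and E, while App C's stated 245 does not recompute (the transcribed scales give 355), which is exactly the kind of discrepancy the recompute_check function is there to surface. The factor names are assumed labels for the slide's column headings.

```python
# Added example (not from the slides): composite risk scoring to scope an
# application control review, using the slide's factors, weights and scales.

RISK_FACTORS = [                      # (factor, weight); weights total 100
    ("contains_primary_controls", 20),
    ("design_effectiveness", 10),
    ("prepackaged_or_developed", 10),
    ("multiple_critical_processes", 10),
    ("frequency_of_change", 10),
    ("complexity_of_change", 10),
    ("financial_impact", 15),
    ("itgc_effectiveness", 15),
]

# Scales in factor order, plus the composite score printed on the slide,
# kept so the stated figure can be recomputed (an auditor's recalculation).
APPLICATIONS = {
    "App A": ([5, 1, 5, 5, 3, 3, 5, 2], 375),
    "App B": ([1, 1, 2, 1, 1, 1, 4, 2], 170),
    "App C": ([5, 2, 2, 1, 5, 5, 5, 2], 245),
    "App D": ([5, 3, 5, 1, 5, 5, 5, 2], 395),
    "App E": ([5, 1, 1, 1, 1, 1, 3, 2], 225),
}

def composite_score(scales):
    """Sum of (risk factor weight x risk scale); one scale of 1..5 per factor."""
    if len(scales) != len(RISK_FACTORS):
        raise ValueError("expected one scale per risk factor")
    if any(not 1 <= s <= 5 for s in scales):
        raise ValueError("risk scales must be between 1 and 5")
    return sum(weight * s for (_, weight), s in zip(RISK_FACTORS, scales))

def rank_applications(apps, threshold=200):
    """(name, score, in_scope) tuples, highest score first; in scope if score > threshold."""
    scored = [(name, composite_score(scales)) for name, (scales, _) in apps.items()]
    return sorted(((n, s, s > threshold) for n, s in scored), key=lambda r: r[1], reverse=True)

def recompute_check(apps):
    """Names whose stated composite score does not equal the recomputed one."""
    return [name for name, (scales, stated) in apps.items()
            if composite_score(scales) != stated]

if __name__ == "__main__":
    for name, score, in_scope in rank_applications(APPLICATIONS):
        print(f"{name}: {score:4d}  {'in scope' if in_scope else 'out of scope'}")
    print("stated scores that do not recompute:", recompute_check(APPLICATIONS))
```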
• 36. Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate information in a format that can be reviewed without the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duties conflicts).
• 37. Audit specialized software may perform:
  - Data queries
  - Data stratification
  - Sample extractions
  - Statistical analysis
  - Calculations
  - Duplicated transactions
  - Pivot tables
  - Cross tabulation
  - Missing sequence identification
  Example ACL: verify duplicate transactions.
  Example ACL: verify calculations (recomputation).
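The two ACL examples named above (duplicate transaction identification and recomputation), as an added Python example that is not from the slides or from ACL: the invoice register and its column names are constructed for illustration, and the duplicate key is deliberately vendor, date and amount rather than the invoice number, so that an invoice re-entered under a new number is still caught.

```python
# Added example (not from the slides): duplicate-transaction identification
# and recomputation (two CAAT tests listed above) over a constructed register.
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (column names are assumptions): 1002 is keyed in twice,
# 1006 repeats 1003 under a new number, and 1004's amount is not qty x unit_price.
INVOICE_REGISTER = """\
invoice_no,vendor_id,invoice_date,qty,unit_price,amount
1001,V100,2024-03-01,10,25.00,250.00
1002,V200,2024-03-02,3,99.99,299.97
1003,V100,2024-03-05,10,25.00,250.00
1002,V200,2024-03-02,3,99.99,299.97
1004,V300,2024-03-07,7,12.50,90.00
1005,V400,2024-03-09,1,1500.00,1500.00
1006,V100,2024-03-05,10,25.00,250.00
"""

def load_register(text):
    """Parse the CSV register into dict rows (all values kept as strings)."""
    return list(csv.DictReader(io.StringIO(text)))

def find_duplicates(rows, key_fields=("vendor_id", "invoice_date", "amount")):
    """Group on the duplicate key rather than invoice_no (a re-keyed invoice gets
    a new number) and return {key: [invoice_no, ...]} for keys seen more than once."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in key_fields)].append(row["invoice_no"])
    return {key: nos for key, nos in groups.items() if len(nos) > 1}

def recompute_amounts(rows):
    """Recompute qty x unit_price with Decimal (no float rounding); return
    (invoice_no, stated_amount, recomputed_amount) for each mismatch."""
    exceptions = []
    for row in rows:
        recomputed = Decimal(row["qty"]) * Decimal(row["unit_price"])
        if recomputed != Decimal(row["amount"]):
            exceptions.append((row["invoice_no"], Decimal(row["amount"]), recomputed))
    return exceptions

if __name__ == "__main__":
    rows = load_register(INVOICE_REGISTER)
    for key, nos in find_duplicates(rows).items():
        print("possible duplicate", key, "invoices", nos)
    for inv, stated, recomputed in recompute_amounts(rows):
        print(f"invoice {inv}: stated {stated}, recomputed {recomputed}")
```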