Mulyadi Yusuf, profile picture
Uploaded byMulyadi Yusuf
PPTX, PDF2,490 views

05.2 auditing procedure application controls

To summarize: 1) Auditors conduct a top-down risk assessment (RA) to determine which applications and controls to review. They document risks and controls in matrices mapped to processes, accounts, and disclosures. 2) The RA involves weighting risk factors, ranking risks, and prioritizing applications for review based on composite risk scores. Applications above a threshold score are included in the review scope. 3) The review scope, approach, and frequency are based on the RA results and resource availability. A business process method breaks processes into levels to structure the control review.

Embed presentation

Downloaded 100 times
When identifying risks, auditors may find it useful to employ a top-down RA to determine which applications to include as part of control review and what tests need to be performed. 10-K Example: F/S Financial Statement Risk Analysis Approach Financial Statements Assertion F/S Accounts mapped to processes; Processes mapped BUs Revenue and Receivable s BU 1 BU 2 BU 3 Non Financial Disclosures mapped to processes Mgt and Purchases Financial Payroll and Legal and Treasury Reporting/Acco Benefits Payables Corporat unting BU Corporat Corporat Investor e 1 e e Relation BU 2 BU Risk Identification and Analysis 3 Risk Assessment Documents: • Risk analysis matrix by F/S Accounts and Disclosures • Accounts risk analysis mapped to Business and Critical Applications and Underlying Technology Prepare Risk Control Matrix (Manual and Automated) Complianc e Manufactur ing Environme ntal Define Risk Assessment for IT-GC dan ITAC See Risk Assessment Approach in the
To add value to organization-wide AC risk assessment activities, internal auditors: Define the universe of application, database, and supporting tech that use AC, Summarize risk and control using matrice documented during risk assessment process. Define the risk factors associated with each application control, including: Primary (i.e., key) application controls. The design effectiveness of the application controls. Pre-packaged or developed applications or databases. Effectiveness of GCs residing within application (e.g., change mgt, logical security). Weigh all risk factor to determine which risk need tobe weighed more heavily than other. Determine scale to rank each AC risk by considering qualitative and quantitative scale: Numeric scales based on qualitative information (e.g., 1=low-impact, 5=high-impact). Numeric scales based on quantitative inf (e.g., 1 = < US $50 and 5 = > US $1,000). Conduct the risk assessment and rank all risk areas. Evaluate risk assessment results. Create a risk review plan that is based on the risk assessment and ranked risk areas. Notes: RA approach is different with RA in RM. In RA approach, internal auditor does not decide responds to risks. RA Approach used as input in establishing review plan (e.g.. determining the scope of review application control).
Composite scores = ∑ (risk factor weight x risk scale) and adding the totals. The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…]. For this example, the auditor may determine that the application control review will include all applications with a score > 200. Risk Factor Weighting 20 10 10 10 10 10 Applica- Application Design PreApp supports Frequency of Complexity tion contains effective- packaded more than one change of change primary ness of the or critical business controls App control developed process 15 Financial impact 15 100 Effective- Composite ness of the scores ITGCs App A 5 1 5 5 3 3 5 2 375 App B 1 1 2 1 1 1 4 2 170 App C 5 2 2 1 5 5 5 2 245 App D 5 3 5 1 5 5 5 2 395 App E 5 1 1 1 1 1 3 2 225
The review’s scope, depth, approach, and frequency depends on the results of the risk assessment and the availability of internal audit resources. Business Process Method (suitable in ERP Environment) A top-down review approach used to evaluate the AC present in all the systems that support a particular business process, due to an increase in ERP application use. In the non-ERP world, review’s scope includes all of applications used that are involved in the business process under review. Best way to approach review is to break down business process using the 4 level model: Mega Process (Level 1): Procure to Pay Major Process (level 2) Receiving Activity (level 4) Requisition processing Procurement Subprocess (level 3) Create, change, and delete PO processing Create, change, and delete, approve, and release Good receive processing Create, change, and delete Good return processing Create, change, and delete Mega Process (Level 1). Vendor management Create, change, and delete Major Process (Level 2). Invoice processing Create, change, and delete Minor / Subprocess (Level 3). Activity (Level 4). Accounts Payable Credit memo processing Create, change, and delete Process payments Create, change, and delete Void payments Create, change, and delete
Access Controls General application security controls are reviewed, including:  The length of the user name or user ID.  The password’s length.  Password character combination  Password aging (change every 90 days).  Password rotation (not use their last 5 PW)  User account lockout after a certain number of unsuccessful login attempts.  Session timeout (e.g., application automatically logs out a user if the user has not interacted with the application within 15 minutes). The latest generation of applications are often created with parameters that can be configured by management. In some cases, however, mgt may forget to activate the parameter(s), or the settings used for each parameter may not be representative of best practice standards.
Planning The first step in developing the detailed review plan is to create a planning memorandum,, that lists the following AC review components:  All review procedures to be performed.  Any computer-assisted tools and techniques used and how they are used.  Sample sizes, if applicable.  Review items to be selected.  Timing of the review. After completing the planning memorandum, auditor needs to prepare detailed review program. When preparing it, meeting should be held w/ mgt to discuss: - Management’s concerns regarding risks. - Previously reported issues. - IA’s risk and control assessment. - Summary of the review’s methodology. - The review’s scope. - How concerns will be communicated. - Which managers will be working on the review team. - Any preliminary inf needed (e.g., reports). - The length of the review.
In addition to the documentation standards used by internal auditors, the following are suggested approaches for documenting each application control Flowcharts Due to the difficulty of fitting the actual control descriptions on the flowchart, it is prudent to instead simply number the controls on the flowchart and have a separate document, such as a risk and controls matrix: procure to pay. Flowcharts may not be practical all of the time, and a process narrative is sometimes more appropriate. This typically happens when an auditor is documenting the areas or work performed within the IT environment. Auditors should create a flowchart with a corresponding process narrative that numbers the controls on the process narrative. Process Narratives These narratives are best used as a documentation tool for relatively non-complex business processes and IT environments. Auditors also should create a separate document, such as a risk and controls matrix.
Process Narratives The following is an example process narrative that covers the procure-to-pay process. 1) Procurement a) Requisitioning i) When employees need to buy good or service, they will create a purchase req in the procurement application (Control C1). The buyer will review the PReq for its appropriateness, completeness, and accuracy. Components of the PReq that are reviewed include, the vendor, item, quantity, and account coding.  If the review does not reveal any errors, buyer will approve the PReq.  If buyer rejects the PReq for any reason, the requisitioner will be notified. ii) All PReq are reviewed on a monthly basis to detect any unauthorized requisitions as well as any excessive order quantities (Controls C2 and C3). b) Purchase Order Processing i) Once the purchase requisition has been approved by the buyer, he will create a PO referencing the requisition in the procurement appl (Control C4). The buyer will then forward a copy of the PO to the supplier. ii) All POs are reviewed on a monthly basis to detect any unauthorized purchase orders as well as any excessive order quantities (Controls C5 and C6).
Process Narratives 2) Receiving - (Control C7) dan (Control C8). 3) Accounts Payable (AP) – (Control C9, 10, 11, 12, 13, dan C14) Control Activities Number Risk and control matrices should capture all relevant inf pertaining to a given business process. Each of the control activities should be numbered, and this number should be linked back to flowcharts or process narratives. Important control activity inf that needs to be captured in the matrix includes: Identified risks. Control objectives. Control activities. Control attributes such as control type (e.g., automated or manual) and frequency (e.g., daily, weekly, monthly, quarterly, annually, etc.). Testing information.
The auditor should assess if AC are working or if they are being circumvented by creative users or management override. Substantive testing on the efficacy of controls is needed rather than a review of control settings. Auditors should also identify the effectiveness of ITGCs and consider if applicationgenerated change control logs, security logs, and adm logs need to be reviewed. The auditor may test AC using several methods that are based on the type of AC. Depending on the nature, timing, and extent of testing, a specific control or report could be tested by:  Inspection of system configurations.  Inspection of user acceptance testing, if conducted in the current year.  Inspection or re-performance of reconciliations with supporting details.  Re-performance of the control activity using system data.  Inspection of user access listings.  Re-performance of the control activity in a test environment (using the same programmed procedures as production) w/ robust testing scripts.
An example of a system configuration test includes:  Reviewing the three-way match system parameters of the tested system by tracing through one transaction.  Querying the underlying programming code of the application report generation process for appropriate logic.  The auditor should observe a re-run of the query to compare the report to the one that mgt generated. The auditor could test edit checks for key fields, which can be verified by stratifying or classifying transactions on the field values. In addition, by using audit software, it might be easy to recalculate and verify calculations made by the system. Example, if the system uses the quantity and unit price fields to calculate the total cost, the auditor could use audit software to perform the same calculation and identify any transactions where his or her calculated values differ from those of the application. Finally, auditors can perform reasonableness checks to examine possible value data ranges for key fields. For example, by calculating the current age based on the date of birth field, auditors can identify ages, including negative values and values over 100 that fall outside of expected ranges.
Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate inf in a format that can be reviewed w/o the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
Audit specialized software may perform: - Data queries - Data stratification - Sample extractions - Statistical analysis - Calculations - Duplicated transactions - Pivot tables - Cross tabulation - Missing sequence identification Example ACL: Verify duplicate transaction Example ACL: Verify calculations (recomputation)
Domain Control Possible Test Data checks and validation Reasonableness and limit checks on fin values. Format and required field checks; standardized input screens. Sequence checks (e.g., missing items), range checks, and check digits. Cross checks (e.g., certain policies are only valid with certain premium table codes). Validations (e.g., stored table and drop-down menu of valid items). Conduct a sample test of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Automated authorization, approval, and override Authorization and approval rights (e.g., of expense or claim payment or credit over threshold) are allocated to user based on their role and need to use appl. Override capability (e.g., approval of unusually large claims) is restricted by the user’s role and need to use the application by management. Conduct tests based on user access rights. Test access privileges for each sensitive function or transaction. Review access rights that set and amend configurable approval and authorization limits. Automated segregation of duties and access rights. Individuals who set up approved vendors cannot initiate purchasing transactions. Individuals who have access to claims processing should not be able to set up or amend a policy. Conduct tests based on user access rights. Review access rights that set and amend configurable roles or menu structures. Pended items Aging reports showing new policy item w/ incomplete processing are reviewed daily/weekly by supervisor. Pending files where there is insufficient information available to process transactions. Review aging results and evidence of supervisor review procedures. Walk through a sample of items to and from the aging report or pending file.
Domain Control Possible Test File transmission controls Checks for completeness and validity of content, including date and time, data size, volume of records, and authentication of source. Observe transmission reports and error reports. Observe validity and completeness parameters and settings. Review access to set and amend configurable parameters on file transfers. Data transmission cotrols Application of selected input controls to validate data received (e.g., key fields, reasonableness, etc.). Test samples of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Domain Control Possible Test Automated file identification and validation Files for processing are available and complete. Review process for validation and test operation. Automated functionality and calculations Specific calculations conducted on one or more input and stored data element produce further data element Use of existing data tables (e.g., master files or standing data such as rating tables). Compare input values and output values for all scenarios by walkthrough and re-performance. Review table maintenance controls and determine who can change edits and tolerance levels.
Domain Control Possible Test Audit trails and overrides Automated tracking of changes made to data, associating the change with a specific user. Automated tracking and highlighting of overrides to normal processes. Review reports and evidence of reviews. Review access to override normal processes. Data extraction, filtering, and reporting Extract routine outputs are assessed for reasonableness and completeness. Automated allocation of transactions (e.g., for reinsurance purposes, further actuarial processes, or fund allocation). Evaluation of data used to perform estimation for financial reporting purposes. Review design of extract routine against data files used. Review supervisory assess of output fr extract routine for evidence of review and challenge Review sample of allocations for appropriatenes Review process to assess extracted data for completeness and validity. Interface balancing Automated checking of data received from feeder systems (e.g., payroll, claims data, etc.) into data warehouses or ledger systems. Automated checking that balances on both systems match, or if not, an exception report is generated and used. Inspect interface error reports. Inspect validity and completeness parameters and settings. Review access to set and amend configurable parameters on interfaces. Inspect evidence of match reports, checks, and error file processing. Automated functionality and aging File extracts from debtors listing to provide management with data on aged transactions. Test sample of listing transactions to validate appropriateness of aging processing. Duplicate checks Comparison of individual transactions to previously recorded transactions to match fields. Comparison of individual files to expected dates, times, sizes, etc. Review access to set and amend configurable parameters on duplicate transactions or files. Review process for handling rejected files or transactions.
Domain Control Possible Test General ledger posting All individual and summarized transactions posting to general ledger. Sample of input and subledger summary transactions traced to the general ledger. Subledger posting All successful transactions posting to subledger. Sample of input transactions traced to subledger. Domain Update authorization Control Possible Test Access to update allocated rights to senior users based on their roles and need to use the application. Review access to set and amend master files and standing data.
Control Obj Control Review Activities Objective 1: Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure all trans have been authorized and approved prior to entry. Obtain procedures, gain understand of authorization and approval process, and determine whether process exist and communicate to user. Verify that appl / process owner ensures that all data is authorized prior to input, by granting of role and responsibility based on job duty. Obtain a copy of approval levels and determine whether responsibility is assigned for verifying that appropriate approval are applied. Input controls are designed and operating effectively to ensure that all entered transactions will be processed correctly and completely. Obtain data input procedure and verify that individuals responsible for entering was trained on preparation, entry, and control of input. Determine whether edit routine is embedded within appl that check n subsequently rejects input inf that not meet criteria, including incorrect date, incorrect character, invalid field length, missing data, n duplicate trans entries/number. Verify existence and operation of manual data entry control to prevent entry of duplicate records. The entry controls may include the pre-numbering of source documents and the marking of records as “input” after entry. Verify that added data is fr acceptable source n reconciled to source, utilizing control total, record count, include use of independent source report. Determine whether appropriate segregation of duties exists to prevent users from both entering and authorizing transactions. Verify that appr segregation of duty exists b/w data entry person and those responsible for reconcile and verify the output is accurate and complete. Verify that control exist to prevent unauthorized change to system programs.
Control Obj Control Review Activities Objective 1: Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed appropriately and completely. Obtain data input procedure for handling rejected trans and subsequent error correction and whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when trans have been rejected or errors have occurred. Verify rejected item is reprocessed appr in a timely manner in accordance w/ the procedures, and errors are corrected before reentering into the system. Controls are designed and operating effectively to ensure that data automatically posted from another system is processed accurately and completely. Obtain procedure and verify that detailed inf is included on how automated interfaces are authorized and what trigger the automated processing event. Verify that processing schedules are documented and problems are identified and corrected on a timely basis. Determine whether system to system record counts and total dollar values are systematically verified for automated interfaces and rejected items are prevented from posting and are flagged for follow-up and re-processing. Verify that files and data created for use by other appl or that are transferred to other appl are protected from unauthorized modification during the entire transfer process. Controls are designed and operating effectively to ensure that correct data file and databases are used in processing. Validate that the test data and programs are segregated from production.
Control Obj Control Review Activities Objective 2: Data is processed as intended in an acceptable time period. Processing control is designed and operating effectively to ensure all trans are processed in a timely manner and within the correct accounting period. Verify output is reviewed or reconciled against source documents for completeness and accuracy, including verification of control totals. Determine whether routines are embedded within the application that ensure all correctly entered transactions are actually processed and posted as intended in the correct accounting period. Processing controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed in a timely manner. Obtain procedures for handling rejected trans and subsequent error correction and determine whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when transactions have been rejected or errors have occurred. Verify rejected items are processed appropriately in a timely manner in accordance with the procedures, and errors are corrected before reentering into the system.
Control Obj Control Review Activities Objective 3: Data stored is accurate and complete Logical access controls are designed and operating effectively to prevent unauthorized access, modification, or disclosure of system data. Obtain password config. and use policies and determine whether requirements for strong PW, PW resets, account lockout, and PW re-use are present. Verify that the above policy has been applied to the application under review. Verify that remote access controls are designed and operating effectively. Verify that users are restricted to specific functions based on their job/roles. Verify unique user IDs are assigned to all users, and accounts are not shared. Verify proper approval of user account creation and modification is obtained prior to granting or changing access. Verify access is removed immediately upon termination. Verify that appl owner is responsible for ensuring semiannual review occurs, to ensure access to critical data, applications, and OS is correct and current. Controls are designed and operating effectively to ensure that data backups are accurate, complete, and occur in a timely manner. Verify that backups are scheduled and logs are monitored to ensure they occur accurately, completely and timely according to policy. Verify that tests are periodically performed to ensure backups are properly stored and can be effectively restored. Verify that business requirements for backups are validated on a regular basis Control is designed, operating effectively to ensure that data is physically stored in a secured, offsite, controlled location. Verify that mechanisms are in place to store data offsite in a secured and environmentally-controlled location.
Control Obj Control Review Activities Objective 4: Outpus are accurate and complete Output controls are designed and operating effectively to ensure that all transaction outputs are complete and accurate. Obtain data output procedures and gain an understanding of the review process and verify that individuals responsible for data entry have been trained on the review and verification of data output. Verify output is reviewed or reconciled against source document for completeness and accuracy, including verification of control totals. Output controls are designed and operating effectively to ensure that all transaction output has been distributed to appropriate personnel and that sensitive and confidential information is protected during distribution. Review existing data output procedures and determine whether they document which personnel receive the data output and how the data will be protected during distribution. Output controls are designed and operating effectively to ensure that an output report is created at the designated time and covers the designated period. Verify that an output report was created and identify that the date and time on the report is the designated time. Identify that the report covers the designated period via reconciliation against source documents from that period.
Control Obj Control Review Activities Objective 5: A record is maintained that tracks the process of data input, storage, and output. Controls are designed and operating effectively to ensure that an audit trail is generated and maintained for all trans. Verify processing audit trails and logs exist that assure all records have been processed and allow for tracing of the transaction from input to storage and output. Verify audit reports exist that track the identification and reprocessing of rejected transactions. Reports should contain a clear description of the rejected transaction, date, and time identified.
05.2 auditing procedure application controls
05.2 auditing procedure application controls

More Related Content

PDF
Presentation 5, System based audit approach - what is it about?, Workshop on ...
bySupport for Improvement in Governance and Management SIGMA
 
DOCX
Audit Checklist for Information Systems
byAhmad Tariq Bhatti
 
PDF
Presentation 11, Test of controls of the system, Workshop on System-based aud...
bySupport for Improvement in Governance and Management SIGMA
 
PPTX
New approaches in internal audit
bySalih Islam
 
PPTX
Compliance
byPriyank Hada
 
PDF
Kelis king - a storehouse of vast knowledge on software testing and quality ...
byKelisKing
 
PDF
Presentation 6, Steps of system based auditing, Workshop on System-based audi...
bySupport for Improvement in Governance and Management SIGMA
 
PDF
Electronic Batch Records
byJason Corder
 
Presentation 5, System based audit approach - what is it about?, Workshop on ...
bySupport for Improvement in Governance and Management SIGMA
 
Audit Checklist for Information Systems
byAhmad Tariq Bhatti
 
Presentation 11, Test of controls of the system, Workshop on System-based aud...
bySupport for Improvement in Governance and Management SIGMA
 
New approaches in internal audit
bySalih Islam
 
Compliance
byPriyank Hada
 
Kelis king - a storehouse of vast knowledge on software testing and quality ...
byKelisKing
 
Presentation 6, Steps of system based auditing, Workshop on System-based audi...
bySupport for Improvement in Governance and Management SIGMA
 
Electronic Batch Records
byJason Corder
 

What's hot

PPT
Quality audit- Quality audit is the process of systematic examination of a qu...
bySanchit Dhankhar
 
PPT
Computerized Environment
byVadivelM9
 
PDF
Mobile EHS and Quality Auditing - Lessons Learned
byNimonik
 
PDF
Checklist
bydygmasnah65
 
PPTX
CISA exam 100 practice question
byArshad A Javed
 
DOC
Test scenario preparation_approach_document & estimates
byvishalbali0
 
PPT
Internal Process Audit
byintellisenseit
 
PPTX
Pharmacovigilance Surge Resource Calculator
byTimothy Roe
 
PPT
Internal audit
byShoab Malek (Certified Quality Auditor)
 
PDF
2016-06-08 FDA Inspection Readiness - Mikael Yde
bymikaelyde
 
PDF
Addressing the High Cost of Quality
byEase Inc.
 
PPT
Qa
byRapunzall
 
PPTX
Process Audit and ISO
bySadafhazel
 
PPTX
Introduction asme pcc3 inspection planning using risk based methods
byjohnfletcher1957
 
PPTX
Internal audit and document retention
bySanchita Mahale
 
PDF
Quality-Management-System-Procedure
byJ Pauli?in
 
PPTX
Quality audit
byPradeepDake
 
PPTX
Internal Audit Best Practices for Safety, Environment, and Quality Audits
byNimonik
 
PPTX
Internal Audit effectiveness
byKaran Puri
 
PPTX
Internal audit mechanism
bySaurabh Sawhney
 
Quality audit- Quality audit is the process of systematic examination of a qu...
bySanchit Dhankhar
 
Computerized Environment
byVadivelM9
 
Mobile EHS and Quality Auditing - Lessons Learned
byNimonik
 
Checklist
bydygmasnah65
 
CISA exam 100 practice question
byArshad A Javed
 
Test scenario preparation_approach_document & estimates
byvishalbali0
 
Internal Process Audit
byintellisenseit
 
Pharmacovigilance Surge Resource Calculator
byTimothy Roe
 
Internal audit
byShoab Malek (Certified Quality Auditor)
 
2016-06-08 FDA Inspection Readiness - Mikael Yde
bymikaelyde
 
Addressing the High Cost of Quality
byEase Inc.
 
Qa
byRapunzall
 
Process Audit and ISO
bySadafhazel
 
Introduction asme pcc3 inspection planning using risk based methods
byjohnfletcher1957
 
Internal audit and document retention
bySanchita Mahale
 
Quality-Management-System-Procedure
byJ Pauli?in
 
Quality audit
byPradeepDake
 
Internal Audit Best Practices for Safety, Environment, and Quality Audits
byNimonik
 
Internal Audit effectiveness
byKaran Puri
 
Internal audit mechanism
bySaurabh Sawhney
 

Viewers also liked

PPTX
03.2 application control
byMulyadi Yusuf
 
PPT
03 chapter 4 deductions from gross estate part 03
byFlab Villasencio
 
PPT
03 chapter 4 deductions from gross estate part 02
byFlab Villasencio
 
PPT
03 chapter 4 deductions from gross estate part 01
byFlab Villasencio
 
PPT
02 Chapter 3 01 Gross Estate Taxation 2
byFlab Villasencio
 
PPT
04 chapter 5 estate tax
byFlab Villasencio
 
03.2 application control
byMulyadi Yusuf
 
03 chapter 4 deductions from gross estate part 03
byFlab Villasencio
 
03 chapter 4 deductions from gross estate part 02
byFlab Villasencio
 
03 chapter 4 deductions from gross estate part 01
byFlab Villasencio
 
02 Chapter 3 01 Gross Estate Taxation 2
byFlab Villasencio
 
04 chapter 5 estate tax
byFlab Villasencio
 

Similar to 05.2 auditing procedure application controls

PPT
Security audit
byRosaria Dee
 
PDF
Chapter 7
byEasyStudy3
 
PDF
Chapter 7
byEasyStudy3
 
PDF
250250902-141-ISACA-NACACS-Auditing-IT-Projects-Audit-Program.pdf
byAddisu15
 
PDF
DSS ITSEC Conference 2012 - RISK & COMPLIANCE
byAndris Soroka
 
PPTX
Continous Audit and Controls with Brainwave GRC
byGraeme Hein
 
PPTX
09.1 audit siklus penjualan dan penerimaan
byMulyadi Yusuf
 
PDF
Auditing information systems
byKenya Allmond
 
PDF
Internal control
bySALIH AHMED ISLAM
 
PDF
Brainwave GRC - Continuous Audit and Controls at ISACA event
byBrainwave GRC
 
PPTX
Risk-Assessment-.pptx
bySiraj332397
 
PPTX
Risk-Assessment-.pptx
bySiraj332397
 
PPTX
IA PRESENTATION-4.pptx
byaxmedxasancali1
 
PPT
IT System & Security Audit
byMufaddal Nullwala
 
PDF
Internal Controls
byNational Pork Board
 
PDF
IT Control Objectives for SOX
byMahesh Patwardhan
 
PPTX
Continous auditing vs traditional slide share
byBob Sahm
 
PDF
Internal Audit planning _250409_002252.pdf
byArmansyahHeni
 
PDF
Continuous Auditing D.French
byDan French
 
PPTX
Internal controls (2).pptx
byRaafayDogar
 
Security audit
byRosaria Dee
 
Chapter 7
byEasyStudy3
 
Chapter 7
byEasyStudy3
 
250250902-141-ISACA-NACACS-Auditing-IT-Projects-Audit-Program.pdf
byAddisu15
 
DSS ITSEC Conference 2012 - RISK & COMPLIANCE
byAndris Soroka
 
Continous Audit and Controls with Brainwave GRC
byGraeme Hein
 
09.1 audit siklus penjualan dan penerimaan
byMulyadi Yusuf
 
Auditing information systems
byKenya Allmond
 
Internal control
bySALIH AHMED ISLAM
 
Brainwave GRC - Continuous Audit and Controls at ISACA event
byBrainwave GRC
 
Risk-Assessment-.pptx
bySiraj332397
 
Risk-Assessment-.pptx
bySiraj332397
 
IA PRESENTATION-4.pptx
byaxmedxasancali1
 
IT System & Security Audit
byMufaddal Nullwala
 
Internal Controls
byNational Pork Board
 
IT Control Objectives for SOX
byMahesh Patwardhan
 
Continous auditing vs traditional slide share
byBob Sahm
 
Internal Audit planning _250409_002252.pdf
byArmansyahHeni
 
Continuous Auditing D.French
byDan French
 
Internal controls (2).pptx
byRaafayDogar
 

More from Mulyadi Yusuf

DOC
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
byMulyadi Yusuf
 
DOCX
Mckinsey kominfo
byMulyadi Yusuf
 
DOCX
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
byMulyadi Yusuf
 
DOC
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
byMulyadi Yusuf
 
DOC
Paper menstra kemenkes final-sapce
byMulyadi Yusuf
 
DOCX
Peta strategi kementan
byMulyadi Yusuf
 
DOCX
Mssp analisis renstra ditjen ppi
byMulyadi Yusuf
 
DOC
Manstrapem bina upaya kesehatan final
byMulyadi Yusuf
 
PDF
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
byMulyadi Yusuf
 
PPT
Balanced scorecard amin subiyakto
byMulyadi Yusuf
 
PPTX
10. kertas kerja it audit
byMulyadi Yusuf
 
PPTX
09.2 audit siklus pembelian dan pembayaran
byMulyadi Yusuf
 
PPTX
05.1 auditing procedure general controls
byMulyadi Yusuf
 
PPTX
03.1 general control
byMulyadi Yusuf
 
PPT
02. cobit5 introduction
byMulyadi Yusuf
 
PPTX
02. cobit 41 dan iso 17799
byMulyadi Yusuf
 
PDF
Erm tm 12
byMulyadi Yusuf
 
PDF
Erm tm 11
byMulyadi Yusuf
 
PDF
Erm tm 10
byMulyadi Yusuf
 
PDF
Erm tm 9
byMulyadi Yusuf
 
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
byMulyadi Yusuf
 
Mckinsey kominfo
byMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
byMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
byMulyadi Yusuf
 
Paper menstra kemenkes final-sapce
byMulyadi Yusuf
 
Peta strategi kementan
byMulyadi Yusuf
 
Mssp analisis renstra ditjen ppi
byMulyadi Yusuf
 
Manstrapem bina upaya kesehatan final
byMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
byMulyadi Yusuf
 
Balanced scorecard amin subiyakto
byMulyadi Yusuf
 
10. kertas kerja it audit
byMulyadi Yusuf
 
09.2 audit siklus pembelian dan pembayaran
byMulyadi Yusuf
 
05.1 auditing procedure general controls
byMulyadi Yusuf
 
03.1 general control
byMulyadi Yusuf
 
02. cobit5 introduction
byMulyadi Yusuf
 
02. cobit 41 dan iso 17799
byMulyadi Yusuf
 
Erm tm 12
byMulyadi Yusuf
 
Erm tm 11
byMulyadi Yusuf
 
Erm tm 10
byMulyadi Yusuf
 
Erm tm 9
byMulyadi Yusuf
 

Recently uploaded

PDF
Information about the author Shashi Deshpande
bydarshanaparmar6522
 
PPTX
Definition of communication skills and it's process.
bypurvrajsinhsarvaiya0
 
PDF
Information about Presentation strategies
bymansivaja18126
 
PPTX
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
PPTX
That long silence - Novel by Shashi Deshapande
bysanjanavaghela65
 
PPTX
West Hatch High School: Year 9 Art Course
byWestHatch
 
PPTX
The night at deoli - Ruskin bond's story of first love
byrajibhammar4
 
PPTX
Drug Distribution in Pharmacology: Mechanisms, Barriers, Factors & Volume of ...
byamrin3379
 
PDF
West Hatch High School - GCSE French Specification
byWestHatch
 
PPTX
West Hatch High School -- GCSE Geography
byWestHatch
 
PDF
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
PPTX
How to Create & Configure Rewards in Odoo 18 Referrals
byCeline George
 
PDF
Sharad Bisen_Irrigation Systems and Methods in Horticultural Crops.pdf
bybisensharad
 
PDF
TỔNG HỢP 156 ĐỀ CHÍNH THỨC KỲ THI CHỌN HỌC SINH GIỎI TIẾNG ANH LỚP 12 CÁC TỈN...
byNguyen Thanh Tu Collection
 
PDF
Bishan_Singh_Presentation - Toba tek Singh
bygopalsinhchauhan9313
 
PDF
Types of Foot & Foot Modifications in Birds
byDr. Ramzan Virani
 
PPTX
Appreciations - Jan 26 01.pptxkkkmmkmkmkmkm
bypreetheshparmar
 
PDF
Sharad Bisen_Soil Sterilization_Objectives_ICAR Course, Sixth Dean Committee.pdf
bybisensharad
 
PDF
Chapter 05 Drug Acting on CNS Sedatives & Hypnotics | Antipsychotics.pdf
bySandeshSul
 
PPTX
" Jaya : Silence as Resistance " - That long silence
bydharabhandari35
 
Information about the author Shashi Deshpande
bydarshanaparmar6522
 
Definition of communication skills and it's process.
bypurvrajsinhsarvaiya0
 
Information about Presentation strategies
bymansivaja18126
 
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
That long silence - Novel by Shashi Deshapande
bysanjanavaghela65
 
West Hatch High School: Year 9 Art Course
byWestHatch
 
The night at deoli - Ruskin bond's story of first love
byrajibhammar4
 
Drug Distribution in Pharmacology: Mechanisms, Barriers, Factors & Volume of ...
byamrin3379
 
West Hatch High School - GCSE French Specification
byWestHatch
 
West Hatch High School -- GCSE Geography
byWestHatch
 
Pratishta Educational Society., Courses & Opportunities
byGanapathiVankudoth
 
How to Create & Configure Rewards in Odoo 18 Referrals
byCeline George
 
Sharad Bisen_Irrigation Systems and Methods in Horticultural Crops.pdf
bybisensharad
 
TỔNG HỢP 156 ĐỀ CHÍNH THỨC KỲ THI CHỌN HỌC SINH GIỎI TIẾNG ANH LỚP 12 CÁC TỈN...
byNguyen Thanh Tu Collection
 
Bishan_Singh_Presentation - Toba tek Singh
bygopalsinhchauhan9313
 
Types of Foot & Foot Modifications in Birds
byDr. Ramzan Virani
 
Appreciations - Jan 26 01.pptxkkkmmkmkmkmkm
bypreetheshparmar
 
Sharad Bisen_Soil Sterilization_Objectives_ICAR Course, Sixth Dean Committee.pdf
bybisensharad
 
Chapter 05 Drug Acting on CNS Sedatives & Hypnotics | Antipsychotics.pdf
bySandeshSul
 
" Jaya : Silence as Resistance " - That long silence
bydharabhandari35
 

05.2 auditing procedure application controls

  • 2.
    When identifying risks,auditors may find it useful to employ a top-down RA to determine which applications to include as part of control review and what tests need to be performed. 10-K Example: F/S Financial Statement Risk Analysis Approach Financial Statements Assertion F/S Accounts mapped to processes; Processes mapped BUs Revenue and Receivable s BU 1 BU 2 BU 3 Non Financial Disclosures mapped to processes Mgt and Purchases Financial Payroll and Legal and Treasury Reporting/Acco Benefits Payables Corporat unting BU Corporat Corporat Investor e 1 e e Relation BU 2 BU Risk Identification and Analysis 3 Risk Assessment Documents: • Risk analysis matrix by F/S Accounts and Disclosures • Accounts risk analysis mapped to Business and Critical Applications and Underlying Technology Prepare Risk Control Matrix (Manual and Automated) Complianc e Manufactur ing Environme ntal Define Risk Assessment for IT-GC dan ITAC See Risk Assessment Approach in the
  • 3.
    To add valueto organization-wide AC risk assessment activities, internal auditors: Define the universe of application, database, and supporting tech that use AC, Summarize risk and control using matrice documented during risk assessment process. Define the risk factors associated with each application control, including: Primary (i.e., key) application controls. The design effectiveness of the application controls. Pre-packaged or developed applications or databases. Effectiveness of GCs residing within application (e.g., change mgt, logical security). Weigh all risk factor to determine which risk need tobe weighed more heavily than other. Determine scale to rank each AC risk by considering qualitative and quantitative scale: Numeric scales based on qualitative information (e.g., 1=low-impact, 5=high-impact). Numeric scales based on quantitative inf (e.g., 1 = < US $50 and 5 = > US $1,000). Conduct the risk assessment and rank all risk areas. Evaluate risk assessment results. Create a risk review plan that is based on the risk assessment and ranked risk areas. Notes: RA approach is different with RA in RM. In RA approach, internal auditor does not decide responds to risks. RA Approach used as input in establishing review plan (e.g.. determining the scope of review application control).
  • 4.
    Composite scores =∑ (risk factor weight x risk scale) and adding the totals. The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…]. For this example, the auditor may determine that the application control review will include all applications with a score > 200. Risk Factor Weighting 20 10 10 10 10 10 Applica- Application Design PreApp supports Frequency of Complexity tion contains effective- packaded more than one change of change primary ness of the or critical business controls App control developed process 15 Financial impact 15 100 Effective- Composite ness of the scores ITGCs App A 5 1 5 5 3 3 5 2 375 App B 1 1 2 1 1 1 4 2 170 App C 5 2 2 1 5 5 5 2 245 App D 5 3 5 1 5 5 5 2 395 App E 5 1 1 1 1 1 3 2 225
  • 5.
    The review’s scope,depth, approach, and frequency depends on the results of the risk assessment and the availability of internal audit resources. Business Process Method (suitable in ERP Environment) A top-down review approach used to evaluate the AC present in all the systems that support a particular business process, due to an increase in ERP application use. In the non-ERP world, review’s scope includes all of applications used that are involved in the business process under review. Best way to approach review is to break down business process using the 4 level model: Mega Process (Level 1): Procure to Pay Major Process (level 2) Receiving Activity (level 4) Requisition processing Procurement Subprocess (level 3) Create, change, and delete PO processing Create, change, and delete, approve, and release Good receive processing Create, change, and delete Good return processing Create, change, and delete Mega Process (Level 1). Vendor management Create, change, and delete Major Process (Level 2). Invoice processing Create, change, and delete Minor / Subprocess (Level 3). Activity (Level 4). Accounts Payable Credit memo processing Create, change, and delete Process payments Create, change, and delete Void payments Create, change, and delete
  • 6.
    Access Controls General applicationsecurity controls are reviewed, including:  The length of the user name or user ID.  The password’s length.  Password character combination  Password aging (change every 90 days).  Password rotation (not use their last 5 PW)  User account lockout after a certain number of unsuccessful login attempts.  Session timeout (e.g., application automatically logs out a user if the user has not interacted with the application within 15 minutes). The latest generation of applications are often created with parameters that can be configured by management. In some cases, however, mgt may forget to activate the parameter(s), or the settings used for each parameter may not be representative of best practice standards.
  • 7.
    Planning The first stepin developing the detailed review plan is to create a planning memorandum,, that lists the following AC review components:  All review procedures to be performed.  Any computer-assisted tools and techniques used and how they are used.  Sample sizes, if applicable.  Review items to be selected.  Timing of the review. After completing the planning memorandum, auditor needs to prepare detailed review program. When preparing it, meeting should be held w/ mgt to discuss: - Management’s concerns regarding risks. - Previously reported issues. - IA’s risk and control assessment. - Summary of the review’s methodology. - The review’s scope. - How concerns will be communicated. - Which managers will be working on the review team. - Any preliminary inf needed (e.g., reports). - The length of the review.
  • 9.
    In addition tothe documentation standards used by internal auditors, the following are suggested approaches for documenting each application control Flowcharts Due to the difficulty of fitting the actual control descriptions on the flowchart, it is prudent to instead simply number the controls on the flowchart and have a separate document, such as a risk and controls matrix: procure to pay. Flowcharts may not be practical all of the time, and a process narrative is sometimes more appropriate. This typically happens when an auditor is documenting the areas or work performed within the IT environment. Auditors should create a flowchart with a corresponding process narrative that numbers the controls on the process narrative. Process Narratives These narratives are best used as a documentation tool for relatively non-complex business processes and IT environments. Auditors also should create a separate document, such as a risk and controls matrix.
  • 11.
    Process Narratives The followingis an example process narrative that covers the procure-to-pay process. 1) Procurement a) Requisitioning i) When employees need to buy good or service, they will create a purchase req in the procurement application (Control C1). The buyer will review the PReq for its appropriateness, completeness, and accuracy. Components of the PReq that are reviewed include, the vendor, item, quantity, and account coding.  If the review does not reveal any errors, buyer will approve the PReq.  If buyer rejects the PReq for any reason, the requisitioner will be notified. ii) All PReq are reviewed on a monthly basis to detect any unauthorized requisitions as well as any excessive order quantities (Controls C2 and C3). b) Purchase Order Processing i) Once the purchase requisition has been approved by the buyer, he will create a PO referencing the requisition in the procurement appl (Control C4). The buyer will then forward a copy of the PO to the supplier. ii) All POs are reviewed on a monthly basis to detect any unauthorized purchase orders as well as any excessive order quantities (Controls C5 and C6).
  • 12.
    Process Narratives 2) Receiving- (Control C7) dan (Control C8). 3) Accounts Payable (AP) – (Control C9, 10, 11, 12, 13, dan C14) Control Activities Number Risk and control matrices should capture all relevant inf pertaining to a given business process. Each of the control activities should be numbered, and this number should be linked back to flowcharts or process narratives. Important control activity inf that needs to be captured in the matrix includes: Identified risks. Control objectives. Control activities. Control attributes such as control type (e.g., automated or manual) and frequency (e.g., daily, weekly, monthly, quarterly, annually, etc.). Testing information.
  • 13.
    The auditor shouldassess if AC are working or if they are being circumvented by creative users or management override. Substantive testing on the efficacy of controls is needed rather than a review of control settings. Auditors should also identify the effectiveness of ITGCs and consider if applicationgenerated change control logs, security logs, and adm logs need to be reviewed. The auditor may test AC using several methods that are based on the type of AC. Depending on the nature, timing, and extent of testing, a specific control or report could be tested by:  Inspection of system configurations.  Inspection of user acceptance testing, if conducted in the current year.  Inspection or re-performance of reconciliations with supporting details.  Re-performance of the control activity using system data.  Inspection of user access listings.  Re-performance of the control activity in a test environment (using the same programmed procedures as production) w/ robust testing scripts.
  • 14.
    An example ofa system configuration test includes:  Reviewing the three-way match system parameters of the tested system by tracing through one transaction.  Querying the underlying programming code of the application report generation process for appropriate logic.  The auditor should observe a re-run of the query to compare the report to the one that mgt generated. The auditor could test edit checks for key fields, which can be verified by stratifying or classifying transactions on the field values. In addition, by using audit software, it might be easy to recalculate and verify calculations made by the system. Example, if the system uses the quantity and unit price fields to calculate the total cost, the auditor could use audit software to perform the same calculation and identify any transactions where his or her calculated values differ from those of the application. Finally, auditors can perform reasonableness checks to examine possible value data ranges for key fields. For example, by calculating the current age based on the date of birth field, auditors can identify ages, including negative values and values over 100 that fall outside of expected ranges.
  • 15.
    Computer-assisted audit techniques(CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate inf in a format that can be reviewed w/o the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
  • 16.
    Audit specialized softwaremay perform: - Data queries - Data stratification - Sample extractions - Statistical analysis - Calculations - Duplicated transactions - Pivot tables - Cross tabulation - Missing sequence identification Example ACL: Verify duplicate transaction Example ACL: Verify calculations (recomputation)
  • 22.
    Domain Control Possible Test Data checksand validation Reasonableness and limit checks on fin values. Format and required field checks; standardized input screens. Sequence checks (e.g., missing items), range checks, and check digits. Cross checks (e.g., certain policies are only valid with certain premium table codes). Validations (e.g., stored table and drop-down menu of valid items). Conduct a sample test of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Automated authorization, approval, and override Authorization and approval rights (e.g., of expense or claim payment or credit over threshold) are allocated to user based on their role and need to use appl. Override capability (e.g., approval of unusually large claims) is restricted by the user’s role and need to use the application by management. Conduct tests based on user access rights. Test access privileges for each sensitive function or transaction. Review access rights that set and amend configurable approval and authorization limits. Automated segregation of duties and access rights. Individuals who set up approved vendors cannot initiate purchasing transactions. Individuals who have access to claims processing should not be able to set up or amend a policy. Conduct tests based on user access rights. Review access rights that set and amend configurable roles or menu structures. Pended items Aging reports showing new policy item w/ incomplete processing are reviewed daily/weekly by supervisor. Pending files where there is insufficient information available to process transactions. Review aging results and evidence of supervisor review procedures. Walk through a sample of items to and from the aging report or pending file.
  • 25.
    Domain Control Possible Test File transmission controls Checksfor completeness and validity of content, including date and time, data size, volume of records, and authentication of source. Observe transmission reports and error reports. Observe validity and completeness parameters and settings. Review access to set and amend configurable parameters on file transfers. Data transmission cotrols Application of selected input controls to validate data received (e.g., key fields, reasonableness, etc.). Test samples of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Domain Control Possible Test Automated file identification and validation Files for processing are available and complete. Review process for validation and test operation. Automated functionality and calculations Specific calculations conducted on one or more input and stored data element produce further data element Use of existing data tables (e.g., master files or standing data such as rating tables). Compare input values and output values for all scenarios by walkthrough and re-performance. Review table maintenance controls and determine who can change edits and tolerance levels.
  • 26.
    Domain Control Possible Test Audit trailsand overrides Automated tracking of changes made to data, associating the change with a specific user. Automated tracking and highlighting of overrides to normal processes. Review reports and evidence of reviews. Review access to override normal processes. Data extraction, filtering, and reporting Extract routine outputs are assessed for reasonableness and completeness. Automated allocation of transactions (e.g., for reinsurance purposes, further actuarial processes, or fund allocation). Evaluation of data used to perform estimation for financial reporting purposes. Review design of extract routine against data files used. Review supervisory assess of output fr extract routine for evidence of review and challenge Review sample of allocations for appropriatenes Review process to assess extracted data for completeness and validity. Interface balancing Automated checking of data received from feeder systems (e.g., payroll, claims data, etc.) into data warehouses or ledger systems. Automated checking that balances on both systems match, or if not, an exception report is generated and used. Inspect interface error reports. Inspect validity and completeness parameters and settings. Review access to set and amend configurable parameters on interfaces. Inspect evidence of match reports, checks, and error file processing. Automated functionality and aging File extracts from debtors listing to provide management with data on aged transactions. Test sample of listing transactions to validate appropriateness of aging processing. Duplicate checks Comparison of individual transactions to previously recorded transactions to match fields. Comparison of individual files to expected dates, times, sizes, etc. Review access to set and amend configurable parameters on duplicate transactions or files. Review process for handling rejected files or transactions.
  • 27.
    Domain Control Possible Test General ledger posting Allindividual and summarized transactions posting to general ledger. Sample of input and subledger summary transactions traced to the general ledger. Subledger posting All successful transactions posting to subledger. Sample of input transactions traced to subledger. Domain Update authorization Control Possible Test Access to update allocated rights to senior users based on their roles and need to use the application. Review access to set and amend master files and standing data.
  • 28.
    Control Obj Control Review Activities Objective 1:Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure all trans have been authorized and approved prior to entry. Obtain procedures, gain understand of authorization and approval process, and determine whether process exist and communicate to user. Verify that appl / process owner ensures that all data is authorized prior to input, by granting of role and responsibility based on job duty. Obtain a copy of approval levels and determine whether responsibility is assigned for verifying that appropriate approval are applied. Input controls are designed and operating effectively to ensure that all entered transactions will be processed correctly and completely. Obtain data input procedure and verify that individuals responsible for entering was trained on preparation, entry, and control of input. Determine whether edit routine is embedded within appl that check n subsequently rejects input inf that not meet criteria, including incorrect date, incorrect character, invalid field length, missing data, n duplicate trans entries/number. Verify existence and operation of manual data entry control to prevent entry of duplicate records. The entry controls may include the pre-numbering of source documents and the marking of records as “input” after entry. Verify that added data is fr acceptable source n reconciled to source, utilizing control total, record count, include use of independent source report. Determine whether appropriate segregation of duties exists to prevent users from both entering and authorizing transactions. Verify that appr segregation of duty exists b/w data entry person and those responsible for reconcile and verify the output is accurate and complete. Verify that control exist to prevent unauthorized change to system programs.
  • 29.
    Control Obj Control Review Activities Objective 1:Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed appropriately and completely. Obtain data input procedure for handling rejected trans and subsequent error correction and whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when trans have been rejected or errors have occurred. Verify rejected item is reprocessed appr in a timely manner in accordance w/ the procedures, and errors are corrected before reentering into the system. Controls are designed and operating effectively to ensure that data automatically posted from another system is processed accurately and completely. Obtain procedure and verify that detailed inf is included on how automated interfaces are authorized and what trigger the automated processing event. Verify that processing schedules are documented and problems are identified and corrected on a timely basis. Determine whether system to system record counts and total dollar values are systematically verified for automated interfaces and rejected items are prevented from posting and are flagged for follow-up and re-processing. Verify that files and data created for use by other appl or that are transferred to other appl are protected from unauthorized modification during the entire transfer process. Controls are designed and operating effectively to ensure that correct data file and databases are used in processing. Validate that the test data and programs are segregated from production.
  • 31.
    Control Obj Control Review Activities Objective 2:Data is processed as intended in an acceptable time period. Processing control is designed and operating effectively to ensure all trans are processed in a timely manner and within the correct accounting period. Verify output is reviewed or reconciled against source documents for completeness and accuracy, including verification of control totals. Determine whether routines are embedded within the application that ensure all correctly entered transactions are actually processed and posted as intended in the correct accounting period. Processing controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed in a timely manner. Obtain procedures for handling rejected trans and subsequent error correction and determine whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when transactions have been rejected or errors have occurred. Verify rejected items are processed appropriately in a timely manner in accordance with the procedures, and errors are corrected before reentering into the system.
  • 32.
    Control Obj Control Review Activities Objective 3:Data stored is accurate and complete Logical access controls are designed and operating effectively to prevent unauthorized access, modification, or disclosure of system data. Obtain password config. and use policies and determine whether requirements for strong PW, PW resets, account lockout, and PW re-use are present. Verify that the above policy has been applied to the application under review. Verify that remote access controls are designed and operating effectively. Verify that users are restricted to specific functions based on their job/roles. Verify unique user IDs are assigned to all users, and accounts are not shared. Verify proper approval of user account creation and modification is obtained prior to granting or changing access. Verify access is removed immediately upon termination. Verify that appl owner is responsible for ensuring semiannual review occurs, to ensure access to critical data, applications, and OS is correct and current. Controls are designed and operating effectively to ensure that data backups are accurate, complete, and occur in a timely manner. Verify that backups are scheduled and logs are monitored to ensure they occur accurately, completely and timely according to policy. Verify that tests are periodically performed to ensure backups are properly stored and can be effectively restored. Verify that business requirements for backups are validated on a regular basis Control is designed, operating effectively to ensure that data is physically stored in a secured, offsite, controlled location. Verify that mechanisms are in place to store data offsite in a secured and environmentally-controlled location.
  • 34.
    Control Obj Control Review Activities Objective 4:Outpus are accurate and complete Output controls are designed and operating effectively to ensure that all transaction outputs are complete and accurate. Obtain data output procedures and gain an understanding of the review process and verify that individuals responsible for data entry have been trained on the review and verification of data output. Verify output is reviewed or reconciled against source document for completeness and accuracy, including verification of control totals. Output controls are designed and operating effectively to ensure that all transaction output has been distributed to appropriate personnel and that sensitive and confidential information is protected during distribution. Review existing data output procedures and determine whether they document which personnel receive the data output and how the data will be protected during distribution. Output controls are designed and operating effectively to ensure that an output report is created at the designated time and covers the designated period. Verify that an output report was created and identify that the date and time on the report is the designated time. Identify that the report covers the designated period via reconciliation against source documents from that period.
  • 36.
    Control Obj Control Review Activities Objective 5:A record is maintained that tracks the process of data input, storage, and output. Controls are designed and operating effectively to ensure that an audit trail is generated and maintained for all trans. Verify processing audit trails and logs exist that assure all records have been processed and allow for tracing of the transaction from input to storage and output. Verify audit reports exist that track the identification and reprocessing of rejected transactions. Reports should contain a clear description of the rejected transaction, date, and time identified.