SlideShare a Scribd company logo

05.2 auditing procedure application controls

Download as PPTX, PDF
Mulyadi Yusuf
Mulyadi Yusuf
Education
1 of 38
When identifying risks, auditors may find it useful to employ a top-down RA to determine which applications to include as part of control review and what tests need to be performed. 10-K Example: F/S Financial Statement Risk Analysis Approach Financial Statements Assertion F/S Accounts mapped to processes; Processes mapped BUs Revenue and Receivable s BU 1 BU 2 BU 3 Non Financial Disclosures mapped to processes Mgt and Purchases Financial Payroll and Legal and Treasury Reporting/Acco Benefits Payables Corporat unting BU Corporat Corporat Investor e 1 e e Relation BU 2 BU Risk Identification and Analysis 3 Risk Assessment Documents: • Risk analysis matrix by F/S Accounts and Disclosures • Accounts risk analysis mapped to Business and Critical Applications and Underlying Technology Prepare Risk Control Matrix (Manual and Automated) Complianc e Manufactur ing Environme ntal Define Risk Assessment for IT-GC dan ITAC See Risk Assessment Approach in the
To add value to organization-wide AC risk assessment activities, internal auditors: Define the universe of application, database, and supporting tech that use AC, Summarize risk and control using matrice documented during risk assessment process. Define the risk factors associated with each application control, including: Primary (i.e., key) application controls. The design effectiveness of the application controls. Pre-packaged or developed applications or databases. Effectiveness of GCs residing within application (e.g., change mgt, logical security). Weigh all risk factor to determine which risk need tobe weighed more heavily than other. Determine scale to rank each AC risk by considering qualitative and quantitative scale: Numeric scales based on qualitative information (e.g., 1=low-impact, 5=high-impact). Numeric scales based on quantitative inf (e.g., 1 = < US $50 and 5 = > US $1,000). Conduct the risk assessment and rank all risk areas. Evaluate risk assessment results. Create a risk review plan that is based on the risk assessment and ranked risk areas. Notes: RA approach is different with RA in RM. In RA approach, internal auditor does not decide responds to risks. RA Approach used as input in establishing review plan (e.g.. determining the scope of review application control).
Composite scores = ∑ (risk factor weight x risk scale) and adding the totals. The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…]. For this example, the auditor may determine that the application control review will include all applications with a score > 200. Risk Factor Weighting 20 10 10 10 10 10 Applica- Application Design PreApp supports Frequency of Complexity tion contains effective- packaded more than one change of change primary ness of the or critical business controls App control developed process 15 Financial impact 15 100 Effective- Composite ness of the scores ITGCs App A 5 1 5 5 3 3 5 2 375 App B 1 1 2 1 1 1 4 2 170 App C 5 2 2 1 5 5 5 2 245 App D 5 3 5 1 5 5 5 2 395 App E 5 1 1 1 1 1 3 2 225
The review’s scope, depth, approach, and frequency depends on the results of the risk assessment and the availability of internal audit resources. Business Process Method (suitable in ERP Environment) A top-down review approach used to evaluate the AC present in all the systems that support a particular business process, due to an increase in ERP application use. In the non-ERP world, review’s scope includes all of applications used that are involved in the business process under review. Best way to approach review is to break down business process using the 4 level model: Mega Process (Level 1): Procure to Pay Major Process (level 2) Receiving Activity (level 4) Requisition processing Procurement Subprocess (level 3) Create, change, and delete PO processing Create, change, and delete, approve, and release Good receive processing Create, change, and delete Good return processing Create, change, and delete Mega Process (Level 1). Vendor management Create, change, and delete Major Process (Level 2). Invoice processing Create, change, and delete Minor / Subprocess (Level 3). Activity (Level 4). Accounts Payable Credit memo processing Create, change, and delete Process payments Create, change, and delete Void payments Create, change, and delete
Access Controls General application security controls are reviewed, including:  The length of the user name or user ID.  The password’s length.  Password character combination  Password aging (change every 90 days).  Password rotation (not use their last 5 PW)  User account lockout after a certain number of unsuccessful login attempts.  Session timeout (e.g., application automatically logs out a user if the user has not interacted with the application within 15 minutes). The latest generation of applications are often created with parameters that can be configured by management. In some cases, however, mgt may forget to activate the parameter(s), or the settings used for each parameter may not be representative of best practice standards.
Planning The first step in developing the detailed review plan is to create a planning memorandum,, that lists the following AC review components:  All review procedures to be performed.  Any computer-assisted tools and techniques used and how they are used.  Sample sizes, if applicable.  Review items to be selected.  Timing of the review. After completing the planning memorandum, auditor needs to prepare detailed review program. When preparing it, meeting should be held w/ mgt to discuss: - Management’s concerns regarding risks. - Previously reported issues. - IA’s risk and control assessment. - Summary of the review’s methodology. - The review’s scope. - How concerns will be communicated. - Which managers will be working on the review team. - Any preliminary inf needed (e.g., reports). - The length of the review.
In addition to the documentation standards used by internal auditors, the following are suggested approaches for documenting each application control Flowcharts Due to the difficulty of fitting the actual control descriptions on the flowchart, it is prudent to instead simply number the controls on the flowchart and have a separate document, such as a risk and controls matrix: procure to pay. Flowcharts may not be practical all of the time, and a process narrative is sometimes more appropriate. This typically happens when an auditor is documenting the areas or work performed within the IT environment. Auditors should create a flowchart with a corresponding process narrative that numbers the controls on the process narrative. Process Narratives These narratives are best used as a documentation tool for relatively non-complex business processes and IT environments. Auditors also should create a separate document, such as a risk and controls matrix.
Process Narratives The following is an example process narrative that covers the procure-to-pay process. 1) Procurement a) Requisitioning i) When employees need to buy good or service, they will create a purchase req in the procurement application (Control C1). The buyer will review the PReq for its appropriateness, completeness, and accuracy. Components of the PReq that are reviewed include, the vendor, item, quantity, and account coding.  If the review does not reveal any errors, buyer will approve the PReq.  If buyer rejects the PReq for any reason, the requisitioner will be notified. ii) All PReq are reviewed on a monthly basis to detect any unauthorized requisitions as well as any excessive order quantities (Controls C2 and C3). b) Purchase Order Processing i) Once the purchase requisition has been approved by the buyer, he will create a PO referencing the requisition in the procurement appl (Control C4). The buyer will then forward a copy of the PO to the supplier. ii) All POs are reviewed on a monthly basis to detect any unauthorized purchase orders as well as any excessive order quantities (Controls C5 and C6).
Process Narratives 2) Receiving - (Control C7) dan (Control C8). 3) Accounts Payable (AP) – (Control C9, 10, 11, 12, 13, dan C14) Control Activities Number Risk and control matrices should capture all relevant inf pertaining to a given business process. Each of the control activities should be numbered, and this number should be linked back to flowcharts or process narratives. Important control activity inf that needs to be captured in the matrix includes: Identified risks. Control objectives. Control activities. Control attributes such as control type (e.g., automated or manual) and frequency (e.g., daily, weekly, monthly, quarterly, annually, etc.). Testing information.
The auditor should assess if AC are working or if they are being circumvented by creative users or management override. Substantive testing on the efficacy of controls is needed rather than a review of control settings. Auditors should also identify the effectiveness of ITGCs and consider if applicationgenerated change control logs, security logs, and adm logs need to be reviewed. The auditor may test AC using several methods that are based on the type of AC. Depending on the nature, timing, and extent of testing, a specific control or report could be tested by:  Inspection of system configurations.  Inspection of user acceptance testing, if conducted in the current year.  Inspection or re-performance of reconciliations with supporting details.  Re-performance of the control activity using system data.  Inspection of user access listings.  Re-performance of the control activity in a test environment (using the same programmed procedures as production) w/ robust testing scripts.
An example of a system configuration test includes:  Reviewing the three-way match system parameters of the tested system by tracing through one transaction.  Querying the underlying programming code of the application report generation process for appropriate logic.  The auditor should observe a re-run of the query to compare the report to the one that mgt generated. The auditor could test edit checks for key fields, which can be verified by stratifying or classifying transactions on the field values. In addition, by using audit software, it might be easy to recalculate and verify calculations made by the system. Example, if the system uses the quantity and unit price fields to calculate the total cost, the auditor could use audit software to perform the same calculation and identify any transactions where his or her calculated values differ from those of the application. Finally, auditors can perform reasonableness checks to examine possible value data ranges for key fields. For example, by calculating the current age based on the date of birth field, auditors can identify ages, including negative values and values over 100 that fall outside of expected ranges.
Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate inf in a format that can be reviewed w/o the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
Audit specialized software may perform: - Data queries - Data stratification - Sample extractions - Statistical analysis - Calculations - Duplicated transactions - Pivot tables - Cross tabulation - Missing sequence identification Example ACL: Verify duplicate transaction Example ACL: Verify calculations (recomputation)
Domain Control Possible Test Data checks and validation Reasonableness and limit checks on fin values. Format and required field checks; standardized input screens. Sequence checks (e.g., missing items), range checks, and check digits. Cross checks (e.g., certain policies are only valid with certain premium table codes). Validations (e.g., stored table and drop-down menu of valid items). Conduct a sample test of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Automated authorization, approval, and override Authorization and approval rights (e.g., of expense or claim payment or credit over threshold) are allocated to user based on their role and need to use appl. Override capability (e.g., approval of unusually large claims) is restricted by the user’s role and need to use the application by management. Conduct tests based on user access rights. Test access privileges for each sensitive function or transaction. Review access rights that set and amend configurable approval and authorization limits. Automated segregation of duties and access rights. Individuals who set up approved vendors cannot initiate purchasing transactions. Individuals who have access to claims processing should not be able to set up or amend a policy. Conduct tests based on user access rights. Review access rights that set and amend configurable roles or menu structures. Pended items Aging reports showing new policy item w/ incomplete processing are reviewed daily/weekly by supervisor. Pending files where there is insufficient information available to process transactions. Review aging results and evidence of supervisor review procedures. Walk through a sample of items to and from the aging report or pending file.
Domain Control Possible Test File transmission controls Checks for completeness and validity of content, including date and time, data size, volume of records, and authentication of source. Observe transmission reports and error reports. Observe validity and completeness parameters and settings. Review access to set and amend configurable parameters on file transfers. Data transmission cotrols Application of selected input controls to validate data received (e.g., key fields, reasonableness, etc.). Test samples of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Domain Control Possible Test Automated file identification and validation Files for processing are available and complete. Review process for validation and test operation. Automated functionality and calculations Specific calculations conducted on one or more input and stored data element produce further data element Use of existing data tables (e.g., master files or standing data such as rating tables). Compare input values and output values for all scenarios by walkthrough and re-performance. Review table maintenance controls and determine who can change edits and tolerance levels.
Domain Control Possible Test Audit trails and overrides Automated tracking of changes made to data, associating the change with a specific user. Automated tracking and highlighting of overrides to normal processes. Review reports and evidence of reviews. Review access to override normal processes. Data extraction, filtering, and reporting Extract routine outputs are assessed for reasonableness and completeness. Automated allocation of transactions (e.g., for reinsurance purposes, further actuarial processes, or fund allocation). Evaluation of data used to perform estimation for financial reporting purposes. Review design of extract routine against data files used. Review supervisory assess of output fr extract routine for evidence of review and challenge Review sample of allocations for appropriatenes Review process to assess extracted data for completeness and validity. Interface balancing Automated checking of data received from feeder systems (e.g., payroll, claims data, etc.) into data warehouses or ledger systems. Automated checking that balances on both systems match, or if not, an exception report is generated and used. Inspect interface error reports. Inspect validity and completeness parameters and settings. Review access to set and amend configurable parameters on interfaces. Inspect evidence of match reports, checks, and error file processing. Automated functionality and aging File extracts from debtors listing to provide management with data on aged transactions. Test sample of listing transactions to validate appropriateness of aging processing. Duplicate checks Comparison of individual transactions to previously recorded transactions to match fields. Comparison of individual files to expected dates, times, sizes, etc. Review access to set and amend configurable parameters on duplicate transactions or files. Review process for handling rejected files or transactions.
Domain Control Possible Test General ledger posting All individual and summarized transactions posting to general ledger. Sample of input and subledger summary transactions traced to the general ledger. Subledger posting All successful transactions posting to subledger. Sample of input transactions traced to subledger. Domain Update authorization Control Possible Test Access to update allocated rights to senior users based on their roles and need to use the application. Review access to set and amend master files and standing data.
Control Obj Control Review Activities Objective 1: Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure all trans have been authorized and approved prior to entry. Obtain procedures, gain understand of authorization and approval process, and determine whether process exist and communicate to user. Verify that appl / process owner ensures that all data is authorized prior to input, by granting of role and responsibility based on job duty. Obtain a copy of approval levels and determine whether responsibility is assigned for verifying that appropriate approval are applied. Input controls are designed and operating effectively to ensure that all entered transactions will be processed correctly and completely. Obtain data input procedure and verify that individuals responsible for entering was trained on preparation, entry, and control of input. Determine whether edit routine is embedded within appl that check n subsequently rejects input inf that not meet criteria, including incorrect date, incorrect character, invalid field length, missing data, n duplicate trans entries/number. Verify existence and operation of manual data entry control to prevent entry of duplicate records. The entry controls may include the pre-numbering of source documents and the marking of records as “input” after entry. Verify that added data is fr acceptable source n reconciled to source, utilizing control total, record count, include use of independent source report. Determine whether appropriate segregation of duties exists to prevent users from both entering and authorizing transactions. Verify that appr segregation of duty exists b/w data entry person and those responsible for reconcile and verify the output is accurate and complete. Verify that control exist to prevent unauthorized change to system programs.
Control Obj Control Review Activities Objective 1: Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed appropriately and completely. Obtain data input procedure for handling rejected trans and subsequent error correction and whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when trans have been rejected or errors have occurred. Verify rejected item is reprocessed appr in a timely manner in accordance w/ the procedures, and errors are corrected before reentering into the system. Controls are designed and operating effectively to ensure that data automatically posted from another system is processed accurately and completely. Obtain procedure and verify that detailed inf is included on how automated interfaces are authorized and what trigger the automated processing event. Verify that processing schedules are documented and problems are identified and corrected on a timely basis. Determine whether system to system record counts and total dollar values are systematically verified for automated interfaces and rejected items are prevented from posting and are flagged for follow-up and re-processing. Verify that files and data created for use by other appl or that are transferred to other appl are protected from unauthorized modification during the entire transfer process. Controls are designed and operating effectively to ensure that correct data file and databases are used in processing. Validate that the test data and programs are segregated from production.
Control Obj Control Review Activities Objective 2: Data is processed as intended in an acceptable time period. Processing control is designed and operating effectively to ensure all trans are processed in a timely manner and within the correct accounting period. Verify output is reviewed or reconciled against source documents for completeness and accuracy, including verification of control totals. Determine whether routines are embedded within the application that ensure all correctly entered transactions are actually processed and posted as intended in the correct accounting period. Processing controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed in a timely manner. Obtain procedures for handling rejected trans and subsequent error correction and determine whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when transactions have been rejected or errors have occurred. Verify rejected items are processed appropriately in a timely manner in accordance with the procedures, and errors are corrected before reentering into the system.
Control Obj Control Review Activities Objective 3: Data stored is accurate and complete Logical access controls are designed and operating effectively to prevent unauthorized access, modification, or disclosure of system data. Obtain password config. and use policies and determine whether requirements for strong PW, PW resets, account lockout, and PW re-use are present. Verify that the above policy has been applied to the application under review. Verify that remote access controls are designed and operating effectively. Verify that users are restricted to specific functions based on their job/roles. Verify unique user IDs are assigned to all users, and accounts are not shared. Verify proper approval of user account creation and modification is obtained prior to granting or changing access. Verify access is removed immediately upon termination. Verify that appl owner is responsible for ensuring semiannual review occurs, to ensure access to critical data, applications, and OS is correct and current. Controls are designed and operating effectively to ensure that data backups are accurate, complete, and occur in a timely manner. Verify that backups are scheduled and logs are monitored to ensure they occur accurately, completely and timely according to policy. Verify that tests are periodically performed to ensure backups are properly stored and can be effectively restored. Verify that business requirements for backups are validated on a regular basis Control is designed, operating effectively to ensure that data is physically stored in a secured, offsite, controlled location. Verify that mechanisms are in place to store data offsite in a secured and environmentally-controlled location.
Control Obj Control Review Activities Objective 4: Outpus are accurate and complete Output controls are designed and operating effectively to ensure that all transaction outputs are complete and accurate. Obtain data output procedures and gain an understanding of the review process and verify that individuals responsible for data entry have been trained on the review and verification of data output. Verify output is reviewed or reconciled against source document for completeness and accuracy, including verification of control totals. Output controls are designed and operating effectively to ensure that all transaction output has been distributed to appropriate personnel and that sensitive and confidential information is protected during distribution. Review existing data output procedures and determine whether they document which personnel receive the data output and how the data will be protected during distribution. Output controls are designed and operating effectively to ensure that an output report is created at the designated time and covers the designated period. Verify that an output report was created and identify that the date and time on the report is the designated time. Identify that the report covers the designated period via reconciliation against source documents from that period.
Control Obj Control Review Activities Objective 5: A record is maintained that tracks the process of data input, storage, and output. Controls are designed and operating effectively to ensure that an audit trail is generated and maintained for all trans. Verify processing audit trails and logs exist that assure all records have been processed and allow for tracing of the transaction from input to storage and output. Verify audit reports exist that track the identification and reprocessing of rejected transactions. Reports should contain a clear description of the rejected transaction, date, and time identified.
05.2 auditing procedure application controls
05.2 auditing procedure application controls

Recommended

3 Way Match for Purchasing Professionals
3 Way Match for Purchasing Professionals3 Way Match for Purchasing Professionals
3 Way Match for Purchasing ProfessionalsBill Kohnen
 
Slide PMK 66 2023 Natura.pdf
Slide PMK 66 2023 Natura.pdfSlide PMK 66 2023 Natura.pdf
Slide PMK 66 2023 Natura.pdfssuser996aee1
 
Newgen Accounts Payable Solution with SAP
Newgen Accounts Payable Solution with SAPNewgen Accounts Payable Solution with SAP
Newgen Accounts Payable Solution with SAPqbitra
 
Procure to Pay Process
Procure to Pay Process Procure to Pay Process
Procure to Pay Process Sameer Mittal
 
3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan Pencatatannya
3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan Pencatatannya3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan Pencatatannya
3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan PencatatannyaSutikno Tumingan
 
The procure to pay process
The procure to pay process The procure to pay process
The procure to pay process Jaures Magloire N. Ambe
 
Analisis korupsi pengadaan al quran 2011-2012 klmpk 6
Analisis korupsi pengadaan al quran 2011-2012 klmpk 6Analisis korupsi pengadaan al quran 2011-2012 klmpk 6
Analisis korupsi pengadaan al quran 2011-2012 klmpk 6heninur2
 
P2P cycle made easy
P2P cycle made easyP2P cycle made easy
P2P cycle made easyketulp
 

Recommended

3 Way Match for Purchasing Professionals
3 Way Match for Purchasing Professionals3 Way Match for Purchasing Professionals
3 Way Match for Purchasing ProfessionalsBill Kohnen
 
Slide PMK 66 2023 Natura.pdf
Slide PMK 66 2023 Natura.pdfSlide PMK 66 2023 Natura.pdf
Slide PMK 66 2023 Natura.pdfssuser996aee1
 
Newgen Accounts Payable Solution with SAP
Newgen Accounts Payable Solution with SAPNewgen Accounts Payable Solution with SAP
Newgen Accounts Payable Solution with SAPqbitra
 
Procure to Pay Process
Procure to Pay Process Procure to Pay Process
Procure to Pay Process Sameer Mittal
 
3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan Pencatatannya
3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan Pencatatannya3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan Pencatatannya
3.10 Modul SPIP Akuntabilitas terhadap Sumber Daya dan PencatatannyaSutikno Tumingan
 
The procure to pay process
The procure to pay process The procure to pay process
The procure to pay process Jaures Magloire N. Ambe
 
Analisis korupsi pengadaan al quran 2011-2012 klmpk 6
Analisis korupsi pengadaan al quran 2011-2012 klmpk 6Analisis korupsi pengadaan al quran 2011-2012 klmpk 6
Analisis korupsi pengadaan al quran 2011-2012 klmpk 6heninur2
 
P2P cycle made easy
P2P cycle made easyP2P cycle made easy
P2P cycle made easyketulp
 
Tugas wewenang pejabat dlm pengel keuda
Tugas wewenang pejabat dlm pengel keudaTugas wewenang pejabat dlm pengel keuda
Tugas wewenang pejabat dlm pengel keudaInspektorat
 
ERP Procure to Pay Workflow
ERP Procure to Pay WorkflowERP Procure to Pay Workflow
ERP Procure to Pay WorkflowSodtech
 
Order to Cash - The #1 Business Process to Know!
Order to Cash - The #1 Business Process to Know!Order to Cash - The #1 Business Process to Know!
Order to Cash - The #1 Business Process to Know!Global Business Solutions SME
 
Introducing procure to pay
Introducing procure to payIntroducing procure to pay
Introducing procure to paysbcwebdev
 
Tax Planning atas PPN
Tax Planning atas PPNTax Planning atas PPN
Tax Planning atas PPNpuspa
 
sisdur akuntansi penerimaan kas
sisdur akuntansi penerimaan kas sisdur akuntansi penerimaan kas
sisdur akuntansi penerimaan kasKementerian Dalam Negeri
 
5 KPIs That Drive Accounts Payable Performance
5 KPIs That Drive Accounts Payable Performance5 KPIs That Drive Accounts Payable Performance
5 KPIs That Drive Accounts Payable PerformanceAavenir
 
White paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approachWhite paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approachChandan Goyal
 
Resources-Training-Procure-To-Pay.pdf
Resources-Training-Procure-To-Pay.pdfResources-Training-Procure-To-Pay.pdf
Resources-Training-Procure-To-Pay.pdfSuresh426721
 
Accounts Payable Processing Presentation
Accounts Payable Processing PresentationAccounts Payable Processing Presentation
Accounts Payable Processing Presentationrdpigott
 
Procure-to-Pay Process Framework
Procure-to-Pay Process FrameworkProcure-to-Pay Process Framework
Procure-to-Pay Process FrameworkScottMadden, Inc.
 
16a.sapd simulasi-skpd
16a.sapd simulasi-skpd16a.sapd simulasi-skpd
16a.sapd simulasi-skpdAnwar Maulana
 
Contoh Format laporan polmas
Contoh Format laporan polmasContoh Format laporan polmas
Contoh Format laporan polmasSei Enim
 
Contoh Surat tugas
Contoh Surat tugasContoh Surat tugas
Contoh Surat tugasRizkaawalia Mustakim
 
KAS KECIL.pptx
KAS KECIL.pptxKAS KECIL.pptx
KAS KECIL.pptxRosmawatiUmar
 
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"Kanaidi ken
 
Pertemuan7 kas dan setara kas 2
Pertemuan7 kas dan setara kas 2Pertemuan7 kas dan setara kas 2
Pertemuan7 kas dan setara kas 2Shariah Economics and Banking Institute
 
Ch 10. documentation
Ch 10. documentationCh 10. documentation
Ch 10. documentationSazzad Hossain, ITP, MBA, CSCA™
 
P2p
P2pP2p
P2pAravelli Ramesh
 
Unit 1. Introduction of audit.pptx
Unit 1. Introduction of audit.pptxUnit 1. Introduction of audit.pptx
Unit 1. Introduction of audit.pptxMinalBhandari2
 
03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
03 chapter 4 deductions from gross estate part 03
03 chapter 4 deductions from gross estate part 0303 chapter 4 deductions from gross estate part 03
03 chapter 4 deductions from gross estate part 03Flab Villasencio
 

More Related Content

What's hot

Tugas wewenang pejabat dlm pengel keuda
Tugas wewenang pejabat dlm pengel keudaTugas wewenang pejabat dlm pengel keuda
Tugas wewenang pejabat dlm pengel keudaInspektorat
 
ERP Procure to Pay Workflow
ERP Procure to Pay WorkflowERP Procure to Pay Workflow
ERP Procure to Pay WorkflowSodtech
 
Introducing procure to pay
Introducing procure to payIntroducing procure to pay
Introducing procure to paysbcwebdev
 
Tax Planning atas PPN
Tax Planning atas PPNTax Planning atas PPN
Tax Planning atas PPNpuspa
 
5 KPIs That Drive Accounts Payable Performance
5 KPIs That Drive Accounts Payable Performance5 KPIs That Drive Accounts Payable Performance
5 KPIs That Drive Accounts Payable PerformanceAavenir
 
White paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approachWhite paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approachChandan Goyal
 
Resources-Training-Procure-To-Pay.pdf
Resources-Training-Procure-To-Pay.pdfResources-Training-Procure-To-Pay.pdf
Resources-Training-Procure-To-Pay.pdfSuresh426721
 
Accounts Payable Processing Presentation
Accounts Payable Processing PresentationAccounts Payable Processing Presentation
Accounts Payable Processing Presentationrdpigott
 
Procure-to-Pay Process Framework
Procure-to-Pay Process FrameworkProcure-to-Pay Process Framework
Procure-to-Pay Process FrameworkScottMadden, Inc.
 
16a.sapd simulasi-skpd
16a.sapd simulasi-skpd16a.sapd simulasi-skpd
16a.sapd simulasi-skpdAnwar Maulana
 
Contoh Format laporan polmas
Contoh Format laporan polmasContoh Format laporan polmas
Contoh Format laporan polmasSei Enim
 
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"Kanaidi ken
 
Unit 1. Introduction of audit.pptx
Unit 1. Introduction of audit.pptxUnit 1. Introduction of audit.pptx
Unit 1. Introduction of audit.pptxMinalBhandari2
 

What's hot (20)

Tugas wewenang pejabat dlm pengel keuda
Tugas wewenang pejabat dlm pengel keudaTugas wewenang pejabat dlm pengel keuda
Tugas wewenang pejabat dlm pengel keuda
 
ERP Procure to Pay Workflow
ERP Procure to Pay WorkflowERP Procure to Pay Workflow
ERP Procure to Pay Workflow
 
Order to Cash - The #1 Business Process to Know!
Order to Cash - The #1 Business Process to Know!Order to Cash - The #1 Business Process to Know!
Order to Cash - The #1 Business Process to Know!
 
Introducing procure to pay
Introducing procure to payIntroducing procure to pay
Introducing procure to pay
 
Tax Planning atas PPN
Tax Planning atas PPNTax Planning atas PPN
Tax Planning atas PPN
 
sisdur akuntansi penerimaan kas
sisdur akuntansi penerimaan kas sisdur akuntansi penerimaan kas
sisdur akuntansi penerimaan kas
 
5 KPIs That Drive Accounts Payable Performance
5 KPIs That Drive Accounts Payable Performance5 KPIs That Drive Accounts Payable Performance
5 KPIs That Drive Accounts Payable Performance
 
White paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approachWhite paper on ICFR/IFC with implementation approach
White paper on ICFR/IFC with implementation approach
 
Resources-Training-Procure-To-Pay.pdf
Resources-Training-Procure-To-Pay.pdfResources-Training-Procure-To-Pay.pdf
Resources-Training-Procure-To-Pay.pdf
 
Accounts Payable Processing Presentation
Accounts Payable Processing PresentationAccounts Payable Processing Presentation
Accounts Payable Processing Presentation
 
Procure-to-Pay Process Framework
Procure-to-Pay Process FrameworkProcure-to-Pay Process Framework
Procure-to-Pay Process Framework
 
16a.sapd simulasi-skpd
16a.sapd simulasi-skpd16a.sapd simulasi-skpd
16a.sapd simulasi-skpd
 
Contoh Format laporan polmas
Contoh Format laporan polmasContoh Format laporan polmas
Contoh Format laporan polmas
 
Contoh Surat tugas
Contoh Surat tugasContoh Surat tugas
Contoh Surat tugas
 
KAS KECIL.pptx
KAS KECIL.pptxKAS KECIL.pptx
KAS KECIL.pptx
 
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
Fraud dalam Sistem Koding & Pembiayaan_ Training "SISTEM CASEMIX"
 
Pertemuan7 kas dan setara kas 2
Pertemuan7 kas dan setara kas 2Pertemuan7 kas dan setara kas 2
Pertemuan7 kas dan setara kas 2
 
Ch 10. documentation
Ch 10. documentationCh 10. documentation
Ch 10. documentation
 
P2p
P2pP2p
P2p
 
Unit 1. Introduction of audit.pptx
Unit 1. Introduction of audit.pptxUnit 1. Introduction of audit.pptx
Unit 1. Introduction of audit.pptx
 

Viewers also liked

03.2 application control
03.2 application control03.2 application control
03.2 application controlMulyadi Yusuf
 
03 chapter 4 deductions from gross estate part 03
03 chapter 4 deductions from gross estate part 0303 chapter 4 deductions from gross estate part 03
03 chapter 4 deductions from gross estate part 03Flab Villasencio
 
03 chapter 4 deductions from gross estate part 02
03 chapter 4 deductions from gross estate part 0203 chapter 4 deductions from gross estate part 02
03 chapter 4 deductions from gross estate part 02Flab Villasencio
 
03 chapter 4 deductions from gross estate part 01
03 chapter 4 deductions from gross estate part 0103 chapter 4 deductions from gross estate part 01
03 chapter 4 deductions from gross estate part 01Flab Villasencio
 
02 Chapter 3 01 Gross Estate Taxation 2
02 Chapter 3 01 Gross Estate Taxation 202 Chapter 3 01 Gross Estate Taxation 2
02 Chapter 3 01 Gross Estate Taxation 2Flab Villasencio
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information SystemsAhmad Tariq Bhatti
 

Viewers also liked (7)

03.2 application control
03.2 application control03.2 application control
03.2 application control
 
03 chapter 4 deductions from gross estate part 03
03 chapter 4 deductions from gross estate part 0303 chapter 4 deductions from gross estate part 03
03 chapter 4 deductions from gross estate part 03
 
03 chapter 4 deductions from gross estate part 02
03 chapter 4 deductions from gross estate part 0203 chapter 4 deductions from gross estate part 02
03 chapter 4 deductions from gross estate part 02
 
03 chapter 4 deductions from gross estate part 01
03 chapter 4 deductions from gross estate part 0103 chapter 4 deductions from gross estate part 01
03 chapter 4 deductions from gross estate part 01
 
02 Chapter 3 01 Gross Estate Taxation 2
02 Chapter 3 01 Gross Estate Taxation 202 Chapter 3 01 Gross Estate Taxation 2
02 Chapter 3 01 Gross Estate Taxation 2
 
04 chapter 5 estate tax
04 chapter 5 estate tax04 chapter 5 estate tax
04 chapter 5 estate tax
 
Audit Checklist for Information Systems
Audit Checklist for Information SystemsAudit Checklist for Information Systems
Audit Checklist for Information Systems
 

Similar to 05.2 auditing procedure application controls

Computerized Environment
Computerized EnvironmentComputerized Environment
Computerized EnvironmentVadivelM9
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Thinksoft Global
 
Auditing in computerized environment.pptx
Auditing in computerized environment.pptxAuditing in computerized environment.pptx
Auditing in computerized environment.pptxinfantemiliya18
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaanMulyadi Yusuf
 
Parallel simulation
Parallel simulationParallel simulation
Parallel simulationkzoe1996
 
Icai seminar kolkata
Icai seminar kolkataIcai seminar kolkata
Icai seminar kolkatasunil patro
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditingMarc Vael
 
CAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit TechniquesCAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit TechniquesSaurabh Rai
 
Measuring and Improving MP1.ppt
Measuring and Improving MP1.pptMeasuring and Improving MP1.ppt
Measuring and Improving MP1.pptssuserf2880f
 
SafepaaS AuditPaaS
SafepaaS AuditPaaSSafepaaS AuditPaaS
SafepaaS AuditPaaSJane Jones
 
SafePaaS AuditPaaS
SafePaaS AuditPaaS SafePaaS AuditPaaS
SafePaaS AuditPaaS Jane Jones
 
AuditPaas by SafePaaS
AuditPaas by SafePaaSAuditPaas by SafePaaS
AuditPaas by SafePaaSJane Jones
 
AuditPaaS SafePaaS
AuditPaaS SafePaaSAuditPaaS SafePaaS
AuditPaaS SafePaaSEmma Kelly
 
Best Practices: Planning Data Analytic into Your Audits
Best Practices: Planning Data Analytic into Your AuditsBest Practices: Planning Data Analytic into Your Audits
Best Practices: Planning Data Analytic into Your AuditsFraudBusters
 

Similar to 05.2 auditing procedure application controls (20)

Computerized Environment
Computerized EnvironmentComputerized Environment
Computerized Environment
 
Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)Cards Performance Testing (Whitepaper)
Cards Performance Testing (Whitepaper)
 
Chapter 11, Tests of Controls
Chapter 11, Tests of ControlsChapter 11, Tests of Controls
Chapter 11, Tests of Controls
 
Auditing in computerized environment.pptx
Auditing in computerized environment.pptxAuditing in computerized environment.pptx
Auditing in computerized environment.pptx
 
09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan09.1 audit siklus penjualan dan penerimaan
09.1 audit siklus penjualan dan penerimaan
 
Parallel simulation
Parallel simulationParallel simulation
Parallel simulation
 
Icai seminar kolkata
Icai seminar kolkataIcai seminar kolkata
Icai seminar kolkata
 
Internal Controls
Internal ControlsInternal Controls
Internal Controls
 
Value-added it auditing
Value-added it auditingValue-added it auditing
Value-added it auditing
 
CAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit TechniquesCAAT - Data Analysis and Audit Techniques
CAAT - Data Analysis and Audit Techniques
 
Measuring and Improving MP1.ppt
Measuring and Improving MP1.pptMeasuring and Improving MP1.ppt
Measuring and Improving MP1.ppt
 
Spc assignment
Spc assignmentSpc assignment
Spc assignment
 
SafepaaS AuditPaaS
SafepaaS AuditPaaSSafepaaS AuditPaaS
SafepaaS AuditPaaS
 
SafePaaS AuditPaaS
SafePaaS AuditPaaS SafePaaS AuditPaaS
SafePaaS AuditPaaS
 
AuditPaas by SafePaaS
AuditPaas by SafePaaSAuditPaas by SafePaaS
AuditPaas by SafePaaS
 
AuditPaaS SafePaaS
AuditPaaS SafePaaSAuditPaaS SafePaaS
AuditPaaS SafePaaS
 
Introduction to caat
Introduction to caatIntroduction to caat
Introduction to caat
 
IT System & Security Audit
IT System & Security AuditIT System & Security Audit
IT System & Security Audit
 
Best Practices: Planning Data Analytic into Your Audits
Best Practices: Planning Data Analytic into Your AuditsBest Practices: Planning Data Analytic into Your Audits
Best Practices: Planning Data Analytic into Your Audits
 
hhhh.ppt
hhhh.ppthhhh.ppt
hhhh.ppt
 

More from Mulyadi Yusuf

Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualPaper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)Mulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb Mulyadi Yusuf
 
Paper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapcePaper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapceMulyadi Yusuf
 
Peta strategi kementan
Peta strategi kementanPeta strategi kementan
Peta strategi kementanMulyadi Yusuf
 
Mssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMulyadi Yusuf
 
Manstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalManstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalMulyadi Yusuf
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udaraPaper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udaraMulyadi Yusuf
 
Balanced scorecard amin subiyakto
Balanced scorecard amin subiyaktoBalanced scorecard amin subiyakto
Balanced scorecard amin subiyaktoMulyadi Yusuf
 
10. kertas kerja it audit
10. kertas kerja it audit10. kertas kerja it audit
10. kertas kerja it auditMulyadi Yusuf
 
09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaranMulyadi Yusuf
 
05.1 auditing procedure general controls
05.1 auditing procedure general controls05.1 auditing procedure general controls
05.1 auditing procedure general controlsMulyadi Yusuf
 
03.1 general control
03.1 general control03.1 general control
03.1 general controlMulyadi Yusuf
 
02. cobit5 introduction
02. cobit5 introduction02. cobit5 introduction
02. cobit5 introductionMulyadi Yusuf
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799Mulyadi Yusuf
 

More from Mulyadi Yusuf (20)

Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrualPaper seminar akuntansi pemerintah kel 1--sap berbasis akrual
Paper seminar akuntansi pemerintah kel 1--sap berbasis akrual
 
Mckinsey kominfo
Mckinsey kominfoMckinsey kominfo
Mckinsey kominfo
 
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
Paper mssp analisis renstra dan capaian kinerja kemenhub (1)
 
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb Paper mssp analisis renstra dan capaian kinerja kemenpan rb
Paper mssp analisis renstra dan capaian kinerja kemenpan rb
 
Paper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapcePaper menstra kemenkes final-sapce
Paper menstra kemenkes final-sapce
 
Peta strategi kementan
Peta strategi kementanPeta strategi kementan
Peta strategi kementan
 
Mssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppiMssp analisis renstra ditjen ppi
Mssp analisis renstra ditjen ppi
 
Manstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan finalManstrapem bina upaya kesehatan final
Manstrapem bina upaya kesehatan final
 
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udaraPaper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
Paper mssp analisis renstra dan capaian kinerja ditjen perhubungan udara
 
Balanced scorecard amin subiyakto
Balanced scorecard amin subiyaktoBalanced scorecard amin subiyakto
Balanced scorecard amin subiyakto
 
10. kertas kerja it audit
10. kertas kerja it audit10. kertas kerja it audit
10. kertas kerja it audit
 
09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran09.2 audit siklus pembelian dan pembayaran
09.2 audit siklus pembelian dan pembayaran
 
05.1 auditing procedure general controls
05.1 auditing procedure general controls05.1 auditing procedure general controls
05.1 auditing procedure general controls
 
03.1 general control
03.1 general control03.1 general control
03.1 general control
 
02. cobit5 introduction
02. cobit5 introduction02. cobit5 introduction
02. cobit5 introduction
 
02. cobit 41 dan iso 17799
02. cobit 41 dan iso 1779902. cobit 41 dan iso 17799
02. cobit 41 dan iso 17799
 
Erm tm 12
Erm tm 12Erm tm 12
Erm tm 12
 
Erm tm 11
Erm tm 11Erm tm 11
Erm tm 11
 
Erm tm 10
Erm tm 10Erm tm 10
Erm tm 10
 
Erm tm 9
Erm tm 9Erm tm 9
Erm tm 9
 

Recently uploaded

Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfakmcokerachita
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfUmakantAnnand
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docxPoojaSen20
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 

Recently uploaded (20)

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Class 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdfClass 11 Legal Studies Ch-1 Concept of State .pdf
Class 11 Legal Studies Ch-1 Concept of State .pdf
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Concept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.CompdfConcept of Vouching. B.Com(Hons) /B.Compdf
Concept of Vouching. B.Com(Hons) /B.Compdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
mini mental status format.docx
mini mental status format.docxmini mental status format.docx
mini mental status format.docx
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 

05.2 auditing procedure application controls

  • 1.
  • 2. When identifying risks, auditors may find it useful to employ a top-down RA to determine which applications to include as part of control review and what tests need to be performed. 10-K Example: F/S Financial Statement Risk Analysis Approach Financial Statements Assertion F/S Accounts mapped to processes; Processes mapped BUs Revenue and Receivable s BU 1 BU 2 BU 3 Non Financial Disclosures mapped to processes Mgt and Purchases Financial Payroll and Legal and Treasury Reporting/Acco Benefits Payables Corporat unting BU Corporat Corporat Investor e 1 e e Relation BU 2 BU Risk Identification and Analysis 3 Risk Assessment Documents: • Risk analysis matrix by F/S Accounts and Disclosures • Accounts risk analysis mapped to Business and Critical Applications and Underlying Technology Prepare Risk Control Matrix (Manual and Automated) Complianc e Manufactur ing Environme ntal Define Risk Assessment for IT-GC dan ITAC See Risk Assessment Approach in the
  • 3. To add value to organization-wide AC risk assessment activities, internal auditors: Define the universe of application, database, and supporting tech that use AC, Summarize risk and control using matrice documented during risk assessment process. Define the risk factors associated with each application control, including: Primary (i.e., key) application controls. The design effectiveness of the application controls. Pre-packaged or developed applications or databases. Effectiveness of GCs residing within application (e.g., change mgt, logical security). Weigh all risk factor to determine which risk need tobe weighed more heavily than other. Determine scale to rank each AC risk by considering qualitative and quantitative scale: Numeric scales based on qualitative information (e.g., 1=low-impact, 5=high-impact). Numeric scales based on quantitative inf (e.g., 1 = < US $50 and 5 = > US $1,000). Conduct the risk assessment and rank all risk areas. Evaluate risk assessment results. Create a risk review plan that is based on the risk assessment and ranked risk areas. Notes: RA approach is different with RA in RM. In RA approach, internal auditor does not decide responds to risks. RA Approach used as input in establishing review plan (e.g.. determining the scope of review application control).
  • 4. Composite scores = ∑ (risk factor weight x risk scale) and adding the totals. The composite score of 375 = [(20 x 5) + (10 x 1) + (10 x 5 ) +…]. For this example, the auditor may determine that the application control review will include all applications with a score > 200. Risk Factor Weighting 20 10 10 10 10 10 Applica- Application Design PreApp supports Frequency of Complexity tion contains effective- packaded more than one change of change primary ness of the or critical business controls App control developed process 15 Financial impact 15 100 Effective- Composite ness of the scores ITGCs App A 5 1 5 5 3 3 5 2 375 App B 1 1 2 1 1 1 4 2 170 App C 5 2 2 1 5 5 5 2 245 App D 5 3 5 1 5 5 5 2 395 App E 5 1 1 1 1 1 3 2 225
  • 5. The review’s scope, depth, approach, and frequency depends on the results of the risk assessment and the availability of internal audit resources. Business Process Method (suitable in ERP Environment) A top-down review approach used to evaluate the AC present in all the systems that support a particular business process, due to an increase in ERP application use. In the non-ERP world, review’s scope includes all of applications used that are involved in the business process under review. Best way to approach review is to break down business process using the 4 level model: Mega Process (Level 1): Procure to Pay Major Process (level 2) Receiving Activity (level 4) Requisition processing Procurement Subprocess (level 3) Create, change, and delete PO processing Create, change, and delete, approve, and release Good receive processing Create, change, and delete Good return processing Create, change, and delete Mega Process (Level 1). Vendor management Create, change, and delete Major Process (Level 2). Invoice processing Create, change, and delete Minor / Subprocess (Level 3). Activity (Level 4). Accounts Payable Credit memo processing Create, change, and delete Process payments Create, change, and delete Void payments Create, change, and delete
  • 6. Access Controls General application security controls are reviewed, including:  The length of the user name or user ID.  The password’s length.  Password character combination  Password aging (change every 90 days).  Password rotation (not use their last 5 PW)  User account lockout after a certain number of unsuccessful login attempts.  Session timeout (e.g., application automatically logs out a user if the user has not interacted with the application within 15 minutes). The latest generation of applications are often created with parameters that can be configured by management. In some cases, however, mgt may forget to activate the parameter(s), or the settings used for each parameter may not be representative of best practice standards.
  • 7. Planning The first step in developing the detailed review plan is to create a planning memorandum,, that lists the following AC review components:  All review procedures to be performed.  Any computer-assisted tools and techniques used and how they are used.  Sample sizes, if applicable.  Review items to be selected.  Timing of the review. After completing the planning memorandum, auditor needs to prepare detailed review program. When preparing it, meeting should be held w/ mgt to discuss: - Management’s concerns regarding risks. - Previously reported issues. - IA’s risk and control assessment. - Summary of the review’s methodology. - The review’s scope. - How concerns will be communicated. - Which managers will be working on the review team. - Any preliminary inf needed (e.g., reports). - The length of the review.
  • 8.
  • 9. In addition to the documentation standards used by internal auditors, the following are suggested approaches for documenting each application control Flowcharts Due to the difficulty of fitting the actual control descriptions on the flowchart, it is prudent to instead simply number the controls on the flowchart and have a separate document, such as a risk and controls matrix: procure to pay. Flowcharts may not be practical all of the time, and a process narrative is sometimes more appropriate. This typically happens when an auditor is documenting the areas or work performed within the IT environment. Auditors should create a flowchart with a corresponding process narrative that numbers the controls on the process narrative. Process Narratives These narratives are best used as a documentation tool for relatively non-complex business processes and IT environments. Auditors also should create a separate document, such as a risk and controls matrix.
  • 10.
  • 11. Process Narratives The following is an example process narrative that covers the procure-to-pay process. 1) Procurement a) Requisitioning i) When employees need to buy good or service, they will create a purchase req in the procurement application (Control C1). The buyer will review the PReq for its appropriateness, completeness, and accuracy. Components of the PReq that are reviewed include, the vendor, item, quantity, and account coding.  If the review does not reveal any errors, buyer will approve the PReq.  If buyer rejects the PReq for any reason, the requisitioner will be notified. ii) All PReq are reviewed on a monthly basis to detect any unauthorized requisitions as well as any excessive order quantities (Controls C2 and C3). b) Purchase Order Processing i) Once the purchase requisition has been approved by the buyer, he will create a PO referencing the requisition in the procurement appl (Control C4). The buyer will then forward a copy of the PO to the supplier. ii) All POs are reviewed on a monthly basis to detect any unauthorized purchase orders as well as any excessive order quantities (Controls C5 and C6).
  • 12. Process Narratives 2) Receiving - (Control C7) dan (Control C8). 3) Accounts Payable (AP) – (Control C9, 10, 11, 12, 13, dan C14) Control Activities Number Risk and control matrices should capture all relevant inf pertaining to a given business process. Each of the control activities should be numbered, and this number should be linked back to flowcharts or process narratives. Important control activity inf that needs to be captured in the matrix includes: Identified risks. Control objectives. Control activities. Control attributes such as control type (e.g., automated or manual) and frequency (e.g., daily, weekly, monthly, quarterly, annually, etc.). Testing information.
  • 13. The auditor should assess if AC are working or if they are being circumvented by creative users or management override. Substantive testing on the efficacy of controls is needed rather than a review of control settings. Auditors should also identify the effectiveness of ITGCs and consider if applicationgenerated change control logs, security logs, and adm logs need to be reviewed. The auditor may test AC using several methods that are based on the type of AC. Depending on the nature, timing, and extent of testing, a specific control or report could be tested by:  Inspection of system configurations.  Inspection of user acceptance testing, if conducted in the current year.  Inspection or re-performance of reconciliations with supporting details.  Re-performance of the control activity using system data.  Inspection of user access listings.  Re-performance of the control activity in a test environment (using the same programmed procedures as production) w/ robust testing scripts.
  • 14. An example of a system configuration test includes:  Reviewing the three-way match system parameters of the tested system by tracing through one transaction.  Querying the underlying programming code of the application report generation process for appropriate logic.  The auditor should observe a re-run of the query to compare the report to the one that mgt generated. The auditor could test edit checks for key fields, which can be verified by stratifying or classifying transactions on the field values. In addition, by using audit software, it might be easy to recalculate and verify calculations made by the system. Example, if the system uses the quantity and unit price fields to calculate the total cost, the auditor could use audit software to perform the same calculation and identify any transactions where his or her calculated values differ from those of the application. Finally, auditors can perform reasonableness checks to examine possible value data ranges for key fields. For example, by calculating the current age based on the date of birth field, auditors can identify ages, including negative values and values over 100 that fall outside of expected ranges.
  • 15. Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process. The use of CAATs helps to ensure that appropriate coverage is in place for an AC review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations, it would be impossible to obtain adequate inf in a format that can be reviewed w/o the use of an automated tool. Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g., duplicate vendors or transactions) or a set of predetermined control issues (e.g., segregation of duty conflicts).
  • 16. Audit specialized software may perform: - Data queries - Data stratification - Sample extractions - Statistical analysis - Calculations - Duplicated transactions - Pivot tables - Cross tabulation - Missing sequence identification Example ACL: Verify duplicate transaction Example ACL: Verify calculations (recomputation)
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22. Domain Control Possible Test Data checks and validation Reasonableness and limit checks on fin values. Format and required field checks; standardized input screens. Sequence checks (e.g., missing items), range checks, and check digits. Cross checks (e.g., certain policies are only valid with certain premium table codes). Validations (e.g., stored table and drop-down menu of valid items). Conduct a sample test of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Automated authorization, approval, and override Authorization and approval rights (e.g., of expense or claim payment or credit over threshold) are allocated to user based on their role and need to use appl. Override capability (e.g., approval of unusually large claims) is restricted by the user’s role and need to use the application by management. Conduct tests based on user access rights. Test access privileges for each sensitive function or transaction. Review access rights that set and amend configurable approval and authorization limits. Automated segregation of duties and access rights. Individuals who set up approved vendors cannot initiate purchasing transactions. Individuals who have access to claims processing should not be able to set up or amend a policy. Conduct tests based on user access rights. Review access rights that set and amend configurable roles or menu structures. Pended items Aging reports showing new policy item w/ incomplete processing are reviewed daily/weekly by supervisor. Pending files where there is insufficient information available to process transactions. Review aging results and evidence of supervisor review procedures. Walk through a sample of items to and from the aging report or pending file.
  • 23.
  • 24.
  • 25. Domain Control Possible Test File transmission controls Checks for completeness and validity of content, including date and time, data size, volume of records, and authentication of source. Observe transmission reports and error reports. Observe validity and completeness parameters and settings. Review access to set and amend configurable parameters on file transfers. Data transmission cotrols Application of selected input controls to validate data received (e.g., key fields, reasonableness, etc.). Test samples of each scenario. Observe attempts to input incorrect data. Determine who can override controls. If table driven, determine who can change edits and tolerance levels. Domain Control Possible Test Automated file identification and validation Files for processing are available and complete. Review process for validation and test operation. Automated functionality and calculations Specific calculations conducted on one or more input and stored data element produce further data element Use of existing data tables (e.g., master files or standing data such as rating tables). Compare input values and output values for all scenarios by walkthrough and re-performance. Review table maintenance controls and determine who can change edits and tolerance levels.
  • 26. Domain Control Possible Test Audit trails and overrides Automated tracking of changes made to data, associating the change with a specific user. Automated tracking and highlighting of overrides to normal processes. Review reports and evidence of reviews. Review access to override normal processes. Data extraction, filtering, and reporting Extract routine outputs are assessed for reasonableness and completeness. Automated allocation of transactions (e.g., for reinsurance purposes, further actuarial processes, or fund allocation). Evaluation of data used to perform estimation for financial reporting purposes. Review design of extract routine against data files used. Review supervisory assess of output fr extract routine for evidence of review and challenge Review sample of allocations for appropriatenes Review process to assess extracted data for completeness and validity. Interface balancing Automated checking of data received from feeder systems (e.g., payroll, claims data, etc.) into data warehouses or ledger systems. Automated checking that balances on both systems match, or if not, an exception report is generated and used. Inspect interface error reports. Inspect validity and completeness parameters and settings. Review access to set and amend configurable parameters on interfaces. Inspect evidence of match reports, checks, and error file processing. Automated functionality and aging File extracts from debtors listing to provide management with data on aged transactions. Test sample of listing transactions to validate appropriateness of aging processing. Duplicate checks Comparison of individual transactions to previously recorded transactions to match fields. Comparison of individual files to expected dates, times, sizes, etc. Review access to set and amend configurable parameters on duplicate transactions or files. Review process for handling rejected files or transactions.
  • 27. Domain Control Possible Test General ledger posting All individual and summarized transactions posting to general ledger. Sample of input and subledger summary transactions traced to the general ledger. Subledger posting All successful transactions posting to subledger. Sample of input transactions traced to subledger. Domain Update authorization Control Possible Test Access to update allocated rights to senior users based on their roles and need to use the application. Review access to set and amend master files and standing data.
  • 28. Control Obj Control Review Activities Objective 1: Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure all trans have been authorized and approved prior to entry. Obtain procedures, gain understand of authorization and approval process, and determine whether process exist and communicate to user. Verify that appl / process owner ensures that all data is authorized prior to input, by granting of role and responsibility based on job duty. Obtain a copy of approval levels and determine whether responsibility is assigned for verifying that appropriate approval are applied. Input controls are designed and operating effectively to ensure that all entered transactions will be processed correctly and completely. Obtain data input procedure and verify that individuals responsible for entering was trained on preparation, entry, and control of input. Determine whether edit routine is embedded within appl that check n subsequently rejects input inf that not meet criteria, including incorrect date, incorrect character, invalid field length, missing data, n duplicate trans entries/number. Verify existence and operation of manual data entry control to prevent entry of duplicate records. The entry controls may include the pre-numbering of source documents and the marking of records as “input” after entry. Verify that added data is fr acceptable source n reconciled to source, utilizing control total, record count, include use of independent source report. Determine whether appropriate segregation of duties exists to prevent users from both entering and authorizing transactions. Verify that appr segregation of duty exists b/w data entry person and those responsible for reconcile and verify the output is accurate and complete. Verify that control exist to prevent unauthorized change to system programs.
  • 29. Control Obj Control Review Activities Objective 1: Input data is accurate, complete, authorized, and correct. Input controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed appropriately and completely. Obtain data input procedure for handling rejected trans and subsequent error correction and whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when trans have been rejected or errors have occurred. Verify rejected item is reprocessed appr in a timely manner in accordance w/ the procedures, and errors are corrected before reentering into the system. Controls are designed and operating effectively to ensure that data automatically posted from another system is processed accurately and completely. Obtain procedure and verify that detailed inf is included on how automated interfaces are authorized and what trigger the automated processing event. Verify that processing schedules are documented and problems are identified and corrected on a timely basis. Determine whether system to system record counts and total dollar values are systematically verified for automated interfaces and rejected items are prevented from posting and are flagged for follow-up and re-processing. Verify that files and data created for use by other appl or that are transferred to other appl are protected from unauthorized modification during the entire transfer process. Controls are designed and operating effectively to ensure that correct data file and databases are used in processing. Validate that the test data and programs are segregated from production.
  • 30.
  • 31. Control Obj Control Review Activities Objective 2: Data is processed as intended in an acceptable time period. Processing control is designed and operating effectively to ensure all trans are processed in a timely manner and within the correct accounting period. Verify output is reviewed or reconciled against source documents for completeness and accuracy, including verification of control totals. Determine whether routines are embedded within the application that ensure all correctly entered transactions are actually processed and posted as intended in the correct accounting period. Processing controls are designed and operating effectively to ensure that all rejected transactions have been identified and reprocessed in a timely manner. Obtain procedures for handling rejected trans and subsequent error correction and determine whether personnel responsible for error correction and data reentry have been adequately trained. Verify a mechanism is in place for notifying the process owner when transactions have been rejected or errors have occurred. Verify rejected items are processed appropriately in a timely manner in accordance with the procedures, and errors are corrected before reentering into the system.
  • 32. Control Obj Control Review Activities Objective 3: Data stored is accurate and complete Logical access controls are designed and operating effectively to prevent unauthorized access, modification, or disclosure of system data. Obtain password config. and use policies and determine whether requirements for strong PW, PW resets, account lockout, and PW re-use are present. Verify that the above policy has been applied to the application under review. Verify that remote access controls are designed and operating effectively. Verify that users are restricted to specific functions based on their job/roles. Verify unique user IDs are assigned to all users, and accounts are not shared. Verify proper approval of user account creation and modification is obtained prior to granting or changing access. Verify access is removed immediately upon termination. Verify that appl owner is responsible for ensuring semiannual review occurs, to ensure access to critical data, applications, and OS is correct and current. Controls are designed and operating effectively to ensure that data backups are accurate, complete, and occur in a timely manner. Verify that backups are scheduled and logs are monitored to ensure they occur accurately, completely and timely according to policy. Verify that tests are periodically performed to ensure backups are properly stored and can be effectively restored. Verify that business requirements for backups are validated on a regular basis Control is designed, operating effectively to ensure that data is physically stored in a secured, offsite, controlled location. Verify that mechanisms are in place to store data offsite in a secured and environmentally-controlled location.
  • 33.
  • 34. Control Obj Control Review Activities Objective 4: Outpus are accurate and complete Output controls are designed and operating effectively to ensure that all transaction outputs are complete and accurate. Obtain data output procedures and gain an understanding of the review process and verify that individuals responsible for data entry have been trained on the review and verification of data output. Verify output is reviewed or reconciled against source document for completeness and accuracy, including verification of control totals. Output controls are designed and operating effectively to ensure that all transaction output has been distributed to appropriate personnel and that sensitive and confidential information is protected during distribution. Review existing data output procedures and determine whether they document which personnel receive the data output and how the data will be protected during distribution. Output controls are designed and operating effectively to ensure that an output report is created at the designated time and covers the designated period. Verify that an output report was created and identify that the date and time on the report is the designated time. Identify that the report covers the designated period via reconciliation against source documents from that period.
  • 35.
  • 36. Control Obj Control Review Activities Objective 5: A record is maintained that tracks the process of data input, storage, and output. Controls are designed and operating effectively to ensure that an audit trail is generated and maintained for all trans. Verify processing audit trails and logs exist that assure all records have been processed and allow for tracing of the transaction from input to storage and output. Verify audit reports exist that track the identification and reprocessing of rejected transactions. Reports should contain a clear description of the rejected transaction, date, and time identified.