an integrated audit
Learning objectives
Describe types of controls
Describe application controls and classifications
Discuss the nature, timing and extent of application control testing
Identify when benchmarking of application controls is appropriate
Identify application control testing scoping considerations
Identify factors impacting reliance on application controls
Describe electronic audit evidence
Types of controls
Entity level
Process/transaction level
Type of control
Manual
Manual controls
IT-dependent manual control
Automated
IT general controls
Application controls
Prevent
Detect
Objective of control
Application controls vs. ITGCs
Application controls
IT general controls
Examples include:
Edit checks
Validations
Calculations
Interfaces
Authorizations
Examples include:
Manage Change
Logical Access
IT Operations
Logical access
IT operations
Edit checks
Billing system
A/P application
Electronic audit evidence
Rate
Calculations
Ad hoc reports
Tolerances
Payroll system
Program changes
General ledger
Logical access
IT operations
IT general controls
IT-dependent manual controls
IT general controls
Spreadsheets
Application controls
Automated controls
IT-dependent manual controls
Application controls
Company-level controls
Embedded controls
Configurable controls
Operating systems
Databases
ERP
Embedded control is programmed within an application to be performed
Configurable control is performed depending on an application's setup
Manual
controls
Segregation of duties
Controls
Validations
Calculations
Description
Examples
Interfaces
Authorizations
Required fields
Specific data format on input
Three-way match
Tolerance limits
Accounts receivable aging
Pricing calculations
Transfer of data between systems
Error reporting during batch runs
Approval to post journal entries
Two approvals for check printing
Validation
Limit risk of inappropriate input, processing, or output of data due to the confirmation of a test
Validation example
Validation control: the system prevents the entry of incorrect product numbers on sales orders
Embedded (System is programmed to perform the control as a result of either custom coding or packaged delivery of that functionality.)
Nature of Application Control
Re-performance via walkthrough
Validation
Calculation
Interface
Test of 1
Test of 1
Test of 1
Test of 1
Inspection of authorization
Inspected
Configurable (System has the capability to perform the control depending on its setup, but may have been configured differently
Re-performance via walkthrough
Inspection of authorization
Authorization
Sample Selected
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Sample Selected
Benchmarking
Overview
Benchmarking
Considerations
The extent to which the application control can be matched to defined programs within an
application;
The extent to which the application is stable (i.e., there are few changes from period to period);
Whether a report of the compilation dates (or other evidence of changes to the programs) of all
programs placed in production is available and is reliable.
Evidence considerations:
Testing schedule
Combined meetings vs. IT specific meetings
Testing methodology
Nature, timing, and extent
Determine if ITGCs are effective
Segregation of duties
Application level
Functional task level
ITGC deficiencies
Change management deficiencies can lead to incorrect system processing and calculations
Logical access control deficiencies can lead to electronic data manipulation
Factors impacting application controls
Operations
Which controls are affected by batch processing?
How are batch jobs monitored?
Dependencies
Some application controls depend upon others. For example, the three-way match depends on:
The application being configured to force the match
Adequate segregation of duties existing within the application
Master file access
How are master files secured?
How are changes to master data controlled?
Interfaces
What is the flow of data?
What controls monitor the timely and effective operation of interfaces?
Reliance on EAE
Establishing a basis for relying on electronic data includes:
Determining the source of the electronic data (i.e., which application produces the data)
Determining, through the identification and evaluation of internal controls or through substantive procedures, whether the electronic data is complete and accurate
Test procedures are based on controls testing (e.g., review of client's test documentation) or substantive testing (e.g., reperforming the report, proving footings)
Questions?