You are on page 1of 56

Generic Application Audit/Assurance Program

ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized
worldwide leader in IT goernance, control, securit! and assurance" #ounded in 1$6$, ISACA s%onsors international
con&erences, %u'lishes the ISACA Journal

, and deelo%s international in&ormation s!stems auditing and control


standards" It also administers the glo'all! res%ected Certi&ied In&ormation S!stems Auditor( (CISA

) designation,
earned '! more than 60,000 %ro&essionals since 1$)8* the Certi&ied In&ormation Securit! +anager

(CIS+

)
designation, earned '! more than 10,000 %ro&essionals since ,00,* and the new Certi&ied in the -oernance o&
.nter%rise IT( (C-.IT() designation"
Disclaimer
ISACA has designed and created Generic Application Audit/Assurance Program (the /Wor01), %rimaril!
as an in&ormational resource &or audit and assurance %ro&essionals" ISACA ma0es no claim that use o& an! o& the
Wor0 will assure a success&ul outcome" The Wor0 should not 'e considered inclusie o& all %ro%er in&ormation,
%rocedures and tests or e2clusie o& other in&ormation, %rocedures and tests that are reasona'l! directed to o'taining
the same results" In determining the %ro%riet! o& an! s%eci&ic in&ormation, %rocedure or test, audit3assurance
%ro&essionals should a%%l! their own %ro&essional 4udgment to the s%eci&ic circumstances %resented '! the %articular
s!stems or IT enironment"
Reservation of Rights
5 ,00$ ISACA" All rights resered" 6o %art o& this %u'lication ma! 'e used, co%ied, re%roduced, modi&ied,
distri'uted, dis%la!ed, stored in a retrieal s!stem or transmitted in an! &orm '! an! means (electronic, mechanical,
%hotoco%!ing, recording or otherwise) without the %rior written authorization o& ISACA" 7e%roduction and use o&
all or %ortions o& this %u'lication are %ermitted solel! &or academic, internal and noncommercial use, and
consulting3adisor! engagements, and must include &ull attri'ution o& the material8s source" 6o other right or
%ermission is granted with res%ect to this wor0"
ISACA
9)01 Algon:uin 7oad, Suite 1010
7olling +eadows, I; 60008 <SA
=hone> ?1"8@)",A9"1A@A
#a2> ?1"8@)",A9"1@@9
.Bmail> info@isaca.org
We' site> www.isaca.org
ISC6 $)8B1B60@,0B0)6B8
Generic Application Audit/Assurance Program
5 ,00$ ISACA" All rights resered" =age ,
Generic Application Audit/Assurance Program
=rinted in the <nited States o& America
5 ,00$ ISACA" All rights resered" =age 9
Generic Application Audit/Assurance Program
ISACA wishes to recognize:
Author
6orm Delson, CISA, C-.IT, C=A, The Delson -rou%, <SA
Expert Reviewers
7o'ert C" Crenis, CISA, C-.IT, +C=, =+=, S0oda +inotti, <SA
Samuel Chiedozie Isichei, CISA, CIS+, CISS=, =rotiiti, <SA
Sandee% -od'ole, CISA, CIS+, CISS=, S!ntel, India
;arr! +ar0s, CISA, C-.IT, CISS=, CST., =+=, 7esources -lo'al =ro&essionals, <SA
Charath 6alla%u, CISA, =+=, Smith, 6alla%u E Associates ;;=" <nited States
-'adamosi #ola0emi To!in, A+=F+, C=., +CS, #loo0!tee Com%uters, 6igeria
-reet Golders, Go:uals, Celgium
ISACA Board of Directors
;!nn ;awton, CISA, #CCS, #CA, #IIA, D=+- ;;=, <D, International =resident
-eorge Ata!a, CISA, CIS+, C-.IT, CISS=, ICT Control SA, Celgium, Gice =resident
Howard 6icholson, CISA, C-.IT, Cit! o& Salis'ur!, Australia, Gice =resident
Iose Angel =ena I'arra, C-.IT, Consultoria en Comunicaciones e In&o" SA E CG, +e2ico, Gice =resident
7o'ert ." Stroud, CA Inc", <SA, Gice =resident
Denneth ;" Gander Wal, CISA, C=A, .rnst E Joung ;;= (retired), <SA, Gice =resident
#ran0 Jam, CISA, CIA, CC=, C#., C#SA, ##A, #HDCS, #HDIoF, #ocus Strategic -rou% Inc", Hong Dong, Gice
=resident
+arios Famianides, CISA, CIS+, CA, C=A, .rnst E Joung, <SA, =ast International =resident
.erett C" Iohnson Ir", C=A, Feloitte E Touche ;;= (retired), <SA, =ast International =resident
-regor! T" -rochols0i, CISA, The Fow Chemical Com%an!, <SA, Firector
Ton! Ha!es, Kueensland -oernment, Australia, Firector
Io StewartB7attra!, CISA, CIS+, CS.=S, 7S+ Cird Cameron, Australia, Firector
Assurance Committee
-regor! T" -rochols0i, CISA, The Fow Chemical Com%an!, <SA, Chair
=i%%a -" Andrews, CISA, ACA, CIA, Amcor, Australia
7ichard Crise'ois, CISA, C-A, L&&ice o& the Auditor -eneral o& Canada, Canada
Sergio #legins0!, CISA, ICI, <rugua!
7o'ert Iohnson, CISA, CIS+, CISS=, .2ecutie Consultant, <SA
Anthon! =" 6o'le, CISA, CC=, Giacom Inc", <SA
7o'ert -" =ar0er, CISA, CA, C+C, #CA, Feloittte E Touche ;;= (retired), Canada
.ri0 =ols, CISA, CIS+, Shell International B ITCI, 6etherlands
Gatsaraman Gen0ata0rishnan, CISA, CIS+, C-.IT, ACA, .mirates Airlines, <A.
5 ,00$ ISACA" All rights resered" =age @
Generic Application Audit/Assurance Program
Table of Contents
I" Introduction"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" A
II" <sing This Focument""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 6
III" Controls +aturit! Anal!sis""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""$
IG" Assurance and Control #ramewor0""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""10
G" .2ecutie Summar! o& Audit3Assurance #ocus""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""11
GI" Audit3Assurance =rogram"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 1@
Audit3Assurance =rogram Ste%"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" 1@
1" =;A66I6- A6F SCL=I6- TH. A<FIT""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""1@
," =;A66I6- TH. A==;ICATIL6 A<FIT""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""16
9" SL<7C. FATA =7.=A7ATIL6 A6F A<THL7IMATIL6""""""""""""""""""""""""""""""""""""""""""""""""""""""""""",,
10" SL<7C. FATA CL;;.CTIL6 A6F .6T7J"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""",6
1$" ACC<7ACJ, CL+=;.T.6.SS A6F A<TH.6TICITJ CH.CDS"""""""""""""""""""""""""""""""""""""""""""""90
,A" =7LC.SSI6- I6T.-7ITJ A6F GA;IFITJ""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""9@
96" Lut%ut 7eiew, 7econciliation and .rror Handling"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""@9
@@" Transaction Authentication And Integrit!"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""@)
GII" +aturit! Assessment"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" A1
GIII" Assessment +aturit! s" Target +aturit!"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""A6
I. Introduction
Overview
ISACA has deelo%ed the IT Assurance Framework
T+
(ITA#
T+
) as a com%rehensie and goodB%racticeB
setting model" ITA# %roides standards that are designed to 'e mandator! and are the guiding %rinci%les
under which the IT audit and assurance %ro&ession o%erates" The guidelines %roide in&ormation and
direction &or the %ractice o& IT audit and assurance" The tools and techni:ues %roide methodologies,
tools and tem%lates to %roide direction in the a%%lication o& IT audit and assurance %rocesses"
Purpose
The audit3assurance %rogram is a tool and tem%late to 'e used as a road ma% &or the com%letion o& a
s%eci&ic assurance %rocess" The ISACA Assurance Committee has commissioned audit3assurance
%rograms to 'e deelo%ed &or use '! IT audit and assurance %ractitioners" This audit3assurance %rogram is
intended to 'e utilized '! IT audit and assurance %ro&essionals with the re:uisite 0nowledge o& the su'4ect
5 ,00$ ISACA" All rights resered" =age A
Generic Application Audit/Assurance Program
matter under reiew, as descri'ed in ITA#, section ,,00N-eneral Standards" The audit3assurance
%rograms are %art o& ITA#* section @000NIT Assurance Tools and Techni:ues"
Control Framework
The audit3assurance %rograms hae 'een deelo%ed in alignment with the IT -oernance Institute
O

(IT-I() &ramewor0 Control Objectives for Information and related Technology (CLCIT
O
)Ns%eci&icall!
CLCIT @"1N using generall! a%%lica'le and acce%ted good %ractices" The! re&lect ITA#, sections 9@00N
IT +anagement =rocesses, 9600NIT Audit and Assurance =rocesses, and 9800NIT Audit and
Assurance +anagement"
+an! organizations hae em'raced seeral &ramewor0s at an enter%rise leel, including the Committee o&
S%onsoring Lrganizations o& the Treadwa! Commission (CLSL) Internal Control #ramewor0" The
im%ortance o& the control &ramewor0 has 'een enhanced due to regulator! re:uirements '! the <S
Securities and .2change Commission (S.C) as directed '! the <S Sar'anesBL2le! Act o& ,00, and
similar legislation in other countries" The! see0 to integrate control &ramewor0 elements used '! the
general audit3assurance team into the IT audit and assurance &ramewor0" Since CLSL is widel! used, it
has 'een selected &or inclusion in this audit3assurance %rogram" The reiewer ma! delete or rename these
columns to align with the enter%rise8s control &ramewor0"
IT overnance! Risk an" Control
IT goernance, ris0 and control are critical in the %er&ormance o& an! assurance management %rocess"
-oernance o& the %rocess under reiew will 'e ealuated as %art o& the %olicies and management
oersight controls" 7is0 %la!s an im%ortant role in ealuating what to audit and how management
a%%roaches and manages ris0" Coth issues will 'e ealuated as ste%s in the audit3assurance %rogram"
Controls are the %rimar! ealuation %oint in the %rocess" The audit3assurance %rogram will identi&! the
control o'4ecties and the ste%s to determine control design and e&&ectieness"
Responsi#ilities of IT Au"it an" Assurance Professionals
IT audit and assurance %ro&essionals are e2%ected to customize this document to the enironment in
which the! are %er&orming an assurance %rocess" This document is to 'e used as a reiew tool and starting
%oint" It ma! 'e modi&ied '! the IT audit and assurance %ro&essional* it is not intended to 'e a chec0list or
:uestionnaire" It is assumed that the IT audit and assurance %ro&essional holds the Certi&ied In&ormation
S!stems Auditor (CISA) designation, or has the necessar! su'4ect matter e2%ertise re:uired to conduct the
wor0 and is su%erised '! a %ro&essional with the CISA designation and necessar! su'4ect matter
e2%ertise to ade:uatel! reiew the wor0 %er&ormed"
II. Using This Document
This audit3assurance %rogram was deelo%ed to assist the audit and assurance %ro&essional in designing
and e2ecuting a reiew" Fetails regarding the &ormat and use o& the document &ollow"
$ork Program Steps
The &irst column o& the %rogram descri'es the ste%s to 'e %er&ormed" The num'ering scheme used
%roides 'uiltBin wor0 %a%er num'ering &or ease o& crossBre&erence to the s%eci&ic wor0 %a%er &or that
section" The %h!sical document was designed in +icroso&t
O
Word" The IT audit and assurance
%ro&essional is encouraged to ma0e modi&ications to this document to re&lect the s%eci&ic enironment
under reiew"
Ste% 1 is %art o& the &act gathering and %reB&ieldwor0 %re%aration" Cecause the %reB&ieldwor0 is essential to
a success&ul and %ro&essional reiew, this ste% has 'een itemized in this %lan" The &irst leel ste%s, e"g",
5 ,00$ ISACA" All rights resered" =age 6
Generic Application Audit/Assurance Program
1"1, are in bold t!%e and %roide the reiewer with a sco%e or highBleel e2%lanation o& the %ur%ose &or
the su'ste%s"
Ceginning in ste% ,, the ste%s associated with the wor0 %rogram are itemized" To sim%li&! the use o& the
%rogram, the audit3assurance %rogram descri'es the audit3assurance o'4ectieNthe reason &or %er&orming
the ste%s in the to%ic area" The s%eci&ic controls &ollow and are shown in blue t!%e" .ach reiew ste% is
listed 'elow the control" These ste%s ma! include assessing the control design '! wal0ing through a
%rocess, interiewing, o'sering or otherwise eri&!ing the %rocess and the controls that address that
%rocess" In man! cases, once the control design has 'een eri&ied, s%eci&ic tests need to 'e %er&ormed to
%roide assurance that the %rocess associated with the control is 'eing &ollowed" The a%%lication audit
re:uires signi&icant customization to include o%erational issues s%eci&ic to the a%%lication under reiew"
<sing the a%%roach descri'ed a'oe, the audit and assurance %ro&essional can modi&! this %rogram to
meet these needs"
The maturit! assessment, which is descri'ed in more detail later in this document, ma0es u% the last
section o& the %rogram"
The audit3assurance %lan wra%Bu%Nthose %rocesses associated with the com%letion and reiew o& wor0
%a%ers, %re%aration o& issues and recommendations, re%ort writing and re%ort clearingNhas 'een
e2cluded &rom this document, since it is standard &or the audit3assurance &unction and should 'e identi&ied
elsewhere in the enter%rise8s standards"
CO%IT Cross&reference
The CLCIT crossBre&erence %roides the audit and assurance %ro&essional with the a'ilit! to re&er to the
s%eci&ic CLCIT control o'4ectie that su%%orts the audit3assurance ste%" The CLCIT control o'4ectie
should 'e identi&ied &or each audit3assurance ste% in the section" +ulti%le crossBre&erences are not
uncommon" =rocesses at lower leels in the wor0 %rogram are too granular to 'e crossBre&erenced to
CLCIT" The audit3assurance %rogram is organized in a manner to &acilitate an ealuation through a
structure %arallel to the deelo%ment %rocess" CLCIT %roides inBde%th control o'4ecties and suggested
control %ractices at each leel" As the %ro&essional reiews each control, he3she should re&er to CLCIT @"1
or the IT Assurance Guide !sing CO"IT &or goodB%ractice control guidance"
COSO Components
As noted in the introduction, CLSL and similar &ramewor0s hae 'ecome increasingl! %o%ular among
audit and assurance %ro&essionals" This ties the assurance wor0 to the enter%rise8s control &ramewor0"
While the IT audit3assurance &unction has CLCIT as a &ramewor0, o%erational audit and assurance
%ro&essionals use the &ramewor0 esta'lished '! the enter%rise" Since CLSL is the most %realent internal
control &ramewor0, it has 'een included in this document and is a 'ridge to align IT audit3assurance with
the rest o& the audit3assurance &unction" +an! audit3assurance organizations include the CLSL control
com%onents within their re%ort and summarize assurance actiities to the audit committee o& the 'oard o&
directors"
#or each control, the audit and assurance %ro&essional should indicate the CLSL com%onent(s) addressed"
It is %ossi'le 'ut generall! not necessar!, to e2tend this anal!sis to the s%eci&ic audit ste% leel"
The original CLSL internal control &ramewor0 contained &ie com%onents" In ,00@, CLSL was reised
as the #nter$rise %isk &anagement '#%&( Integrated Framework and e2tended to eight com%onents" The
%rimar! di&&erence 'etween the two &ramewor0s is the additional &ocus on .7+ and integration into the
'usiness decision model" .7+ is in the %rocess o& 'eing ado%ted '! large enter%rises" The two
&ramewor0s are com%ared in figure 1"
5 ,00$ ISACA" All rights resered" =age )
Generic Application Audit/Assurance Program
Figure 1Com!arison of C"S" Internal Control and #$% Integrated Framewor&s
Internal Control Framewor& #$% Integrated Framewor&
Control #n'ironment> The control enironment sets the tone o& an
organization, in&luencing the control consciousness o& its %eo%le" It is
the &oundation &or all other com%onents o& internal control, %roiding
disci%line and structure" Control enironment &actors include the
integrit!, ethical alues, management8s o%erating st!le, delegation o&
authorit! s!stems, as well as the %rocesses &or managing and
deelo%ing %eo%le in the organization"
Internal #n'ironment> The internal enironment encom%asses the
tone o& an organization, and sets the 'asis &or how ris0 is iewed and
addressed '! an entit!8s %eo%le, including ris0 management
%hiloso%h! and ris0 a%%etite, integrit! and ethical alues, and the
enironment in which the! o%erate"
"b(ecti'e Setting> L'4ecties must e2ist 'e&ore management can
identi&! %otential eents a&&ecting their achieement" .nter%rise ris0
management ensures that management has in %lace a %rocess to set
o'4ecties and that the chosen o'4ecties su%%ort and align with the
entit!8s mission and are consistent with its ris0 a%%etite"
#'ent Identification> Internal and e2ternal eents a&&ecting
achieement o& an entit!8s o'4ecties must 'e identi&ied, distinguishing
'etween ris0s and o%%ortunities" L%%ortunities are channeled 'ac0 to
management8s strateg! or o'4ectieBsetting %rocesses"
$is& Assessment> .er! entit! &aces a ariet! o& ris0s &rom e2ternal
and internal sources that must 'e assessed" A %recondition to ris0
assessment is esta'lishment o& o'4ecties and thus ris0 assessment is
the identi&ication and anal!sis o& releant ris0s to achieement o&
assigned o'4ecties" 7is0 assessment is a %rere:uisite &or determining
how the ris0s should 'e managed"
$is& Assessment> 7is0s are anal!zed, considering the li0elihood and
im%act, as a 'asis &or determining how the! could 'e managed" 7is0
areas are assessed on an inherent and residual 'asis"
$is& $es!onse: +anagement selects ris0 res%onses P aoiding,
acce%ting, reducing, or sharing ris0 P deelo%ing a set o& actions to
align ris0s with the entit!8s ris0 tolerances and ris0 a%%etite"
Control Acti'ities> Control actiities are the %olicies and %rocedures
that hel% ensure management directies are carried out" The! hel%
ensure that necessar! actions are ta0en to address ris0s to achieement
o& the entit!Qs o'4ecties" Control actiities occur throughout the
organization, at all leels and in all &unctions" The! include a range o&
actiities as dierse as a%%roals, authorizations, eri&ications,
reconciliations, reiews o& o%erating %er&ormance, securit! o& assets
and segregation o& duties"
Control Acti'ities: =olicies and %rocedures are esta'lished and
im%lemented to hel% ensure the ris0 res%onses are e&&ectiel! carried
out"
Information and Communication> In&ormation s!stems %la! a 0e!
role in internal control s!stems as the! %roduce re%orts, including
o%erational, &inancial and com%lianceBrelated in&ormation that ma0e it
%ossi'le to run and control the 'usiness" In a 'roader sense, e&&ectie
communication must ensure in&ormation &lows down, across and u%
the organization" .&&ectie communication should also 'e ensured with
e2ternal %arties, such as customers, su%%liers, regulators and
shareholders"
Information and Communication> 7eleant in&ormation is
identi&ied, ca%tured, and communicated in a &orm and time&rame that
ena'le %eo%le to carr! out their res%onsi'ilities" .&&ectie
communication also occurs in a 'roader sense, &lowing down, across,
and u% the entit!"
%onitoring> Internal control s!stems need to 'e monitoredNa
%rocess that assesses the :ualit! o& the s!stem8s %er&ormance oer
time" This is accom%lished through ongoing monitoring actiities or
se%arate ealuations" Internal control de&iciencies detected through
these monitoring actiities should 'e re%orted u%stream and correctie
actions should 'e ta0en to ensure continuous im%roement o& the
s!stem"
%onitoring> The entiret! o& enter%rise ris0 management is monitored
and modi&ications made as necessar!" +onitoring is accom%lished
through ongoing management actiities, se%arate ealuations, or 'oth"
In&ormation &or figure 1 was o'tained &rom the CLSL we' site www.coso.org)aboutus.htm.
The original CLSL internal control &ramewor0 addresses the needs o& the IT audit and assurance
%ro&essional> control enironment, ris0 assessment, control actiities, in&ormation and communication,
and monitoring" As such, ISACA has elected to utilize the &ieBcom%onent model &or these
audit3assurance %rograms" As more enter%rises im%lement the .7+ model, the additional three columns
can 'e added, i& releant" When com%leting the CLSL com%onent columns, consider the de&initions o&
the com%onents as descri'ed in figure 1"
Reference'()perlink
-ood %ractices re:uire the audit and assurance %ro&essional to create a wor0 %a%er &or each line item,
which descri'es the wor0 %er&ormed, issues identi&ied and conclusions" The re&erence3h!%erlin0 is to 'e
used to crossBre&erence the audit3assurance ste% to the wor0 %a%er that su%%orts it" The num'ering s!stem
5 ,00$ ISACA" All rights resered" =age 8
Generic Application Audit/Assurance Program
o& this document %roides a read! num'ering scheme &or the wor0 %a%ers" I& desired, a lin0 to the wor0
%a%er can 'e %asted into this column"
Issue Cross&reference
This column can 'e used to &lag a &inding3issue that the IT audit and assurance %ro&essional wants to
&urther inestigate or esta'lish as a %otential &inding" The %otential &indings should 'e documented in a
wor0 %a%er that indicates the dis%osition o& the &indings (&ormall! re%orted, re%orted as a memo or er'al
&inding, or waied)"
Comments
The comments column can 'e used to indicate the waiing o& a ste% or other notations" It is not to 'e used
in %lace o& a wor0 %a%er descri'ing the wor0 %er&ormed"
III. Controls %aturit) Anal)sis
Lne o& the consistent re:uests o& sta0eholders who hae undergone IT audit3assurance reiews is a desire
to understand how their %er&ormance com%ares to good %ractices" Audit and assurance %ro&essionals must
%roide an o'4ectie 'asis &or the reiew conclusions" +aturit! modeling &or management and control
oer IT %rocesses is 'ased on a method o& ealuating the organization, so it can 'e rated &rom a maturit!
leel o& none2istent (0) to o%timized (A)" This a%%roach is deried &rom the maturit! model that the
So&tware .ngineering Institute (S.I) o& Carnegie +ellon <niersit! de&ined &or the maturit! o& so&tware
deelo%ment"
The IT Assurance Guide !sing CO"IT, A%%endi2 GIIN+aturit! +odel &or Internal Control, in figure *,
%roides a generic maturit! model showing the status o& the internal control enironment and the
esta'lishment o& internal controls in an enter%rise" It shows how the management o& internal control, and
an awareness o& the need to esta'lish 'etter internal controls, t!%icall! deelo%s &rom an ad hoc to an
o%timized leel" The model %roides a highBleel guide to hel% CLCIT users a%%reciate what is re:uired
&or e&&ectie internal controls in IT and to hel% %osition their enter%rise on the maturit! scale"
Figure *%aturit) %odel for Internal Control
%aturit) +e'el Status of the Internal Control #n'ironment #stablishment of Internal Controls
0 6onBe2istent There is no recognition o& the need &or internal control"
Control is not %art o& the organization8s culture or mission"
There is a high ris0 o& control de&iciencies and incidents"
There is no intent to assess the need &or internal control"
Incidents are dealt with as the! arise"
1 Initial3ad hoc There is some recognition o& the need &or internal control"
The a%%roach to ris0 and control re:uirements is ad hoc and
disorganized, without communication or monitoring"
Fe&iciencies are not identi&ied" .m%lo!ees are not aware o&
their res%onsi'ilities"
There is no awareness o& the need &or assessment o& what is
needed in terms o& IT controls" When %er&ormed, it is onl! on
an ad hoc 'asis, at a high leel and in reaction to signi&icant
incidents" Assessment addresses onl! the actual incident"
, 7e%eata'le 'ut
Intuitie
Controls are in %lace 'ut are not documented" Their o%eration
is de%endent on the 0nowledge and motiation o& indiiduals"
.&&ectieness is not ade:uatel! ealuated" +an! control
wea0nesses e2ist and are not ade:uatel! addressed* the
im%act can 'e seere" +anagement actions to resole control
issues are not %rioritized or consistent" .m%lo!ees ma! not
'e aware o& their res%onsi'ilities"
Assessment o& control needs occurs onl! when needed &or
selected IT %rocesses to determine the current leel o& control
maturit!, the target leel that should 'e reached and the ga%s
that e2ist" An in&ormal wor0sho% a%%roach, inoling IT
managers and the team inoled in the %rocess, is used to
de&ine an ade:uate a%%roach to controls &or the %rocess and to
motiate an agreedBu%on action %lan"
9 Fe&ined Controls are in %lace and ade:uatel! documented" L%erating
e&&ectieness is ealuated on a %eriodic 'asis and there is an
aerage num'er o& issues" Howeer, the ealuation %rocess is
not documented" While management is a'le to deal
%redicta'l! with most control issues, some control
wea0nesses %ersist and im%acts could still 'e seere"
.m%lo!ees are aware o& their res%onsi'ilities &or control"
Critical IT %rocesses are identi&ied 'ased on alue and ris0
driers" A detailed anal!sis is %er&ormed to identi&! control
re:uirements and the root cause o& ga%s and to deelo%
im%roement o%%ortunities" In addition to &acilitated
wor0sho%s, tools are used and interiews are %er&ormed to
su%%ort the anal!sis and ensure that an IT %rocess owner
owns and dries the assessment and im%roement %rocess"
@ +anaged and
+easura'le
There is an e&&ectie internal control and ris0 management
enironment" A &ormal, documented ealuation o& controls
occurs &re:uentl!" +an! controls are automated and regularl!
reiewed" +anagement is li0el! to detect most control issues,
'ut not all issues are routinel! identi&ied" There is consistent
IT %rocess criticalit! is regularl! de&ined with &ull su%%ort
and agreement &rom the releant 'usiness %rocess owners"
Assessment o& control re:uirements is 'ased on %olic! and
the actual maturit! o& these %rocesses, &ollowing a thorough
and measured anal!sis inoling 0e! sta0eholders"
5 ,00$ ISACA" All rights resered" =age $
Generic Application Audit/Assurance Program
Figure *%aturit) %odel for Internal Control
%aturit) +e'el Status of the Internal Control #n'ironment #stablishment of Internal Controls
&ollowBu% to address identi&ied control wea0nesses" A
limited, tactical use o& technolog! is a%%lied to automate
controls"
Accounta'ilit! &or these assessments is clear and en&orced"
Im%roement strategies are su%%orted '! 'usiness cases"
=er&ormance in achieing the desired outcomes is
consistentl! monitored" .2ternal control reiews are
organized occasionall!"
A L%timized An enter%risewide ris0 and control %rogram %roides
continuous and e&&ectie control and ris0 issues resolution"
Internal control and ris0 management are integrated with
enter%rise %ractices, su%%orted with automated realBtime
monitoring with &ull accounta'ilit! &or control monitoring,
ris0 management and com%liance en&orcement" Control
ealuation is continuous, 'ased on sel&Bassessments and ga%
and root cause anal!ses" .m%lo!ees are %roactiel! inoled
in control im%roements"
Cusiness changes consider the criticalit! o& IT %rocesses and
coer an! need to reassess %rocess control ca%a'ilit!" IT
%rocess owners regularl! %er&orm sel&Bassessments to con&irm
that controls are at the right leel o& maturit! to meet 'usiness
needs and the! consider maturit! attri'utes to &ind wa!s to
ma0e controls more e&&icient and e&&ectie" The organization
'enchmar0s to e2ternal 'est %ractices and see0s e2ternal
adice on internal control e&&ectieness" #or critical
%rocesses, inde%endent reiews ta0e %lace to %roide
assurance that the controls are at the desired leel o& maturit!
and wor0ing as %lanned"
The maturit! model ealuation is one o& the &inal ste%s in the ealuation %rocess" The IT audit and
assurance %ro&essional can address the 0e! controls within the sco%e o& the wor0 %rogram and &ormulate
an o'4ectie assessment o& the maturit! leels o& the control %ractices" The maturit! assessment can 'e a
%art o& the audit3assurance re%ort and can 'e used as a metric &rom !ear to !ear to document %rogression
in the enhancement o& controls" Howeer, it must 'e noted that the %erce%tion o& the maturit! leel ma!
ar! 'etween the %rocess3IT asset owner and the auditor" There&ore, an auditor should o'tain the
concerned sta0eholder8s concurrence 'e&ore su'mitting the &inal re%ort to management"
At the conclusion o& the reiew, once all &indings and recommendations are com%leted, the %ro&essional
assesses the current state o& the CLCIT control &ramewor0 and assigns it a maturit! leel using the si2B
leel scale" Some %ractitioners utilize decimals (2",A, 2"A, 2")A) to indicate gradations in the maturit!
model" As a &urther re&erence, CLCIT %roides a de&inition o& the maturit! designations '! control
o'4ectie" While this a%%roach is not mandator!, the %rocess is %roided as a se%arate section at the end o&
the audit3assurance %rogram &or those enter%rises that wish to im%lement it" It is suggested that a maturit!
assessment 'e made at the CLCIT control leel" To %roide &urther alue to the client3customer, the
%ro&essional can also o'tain maturit! targets &rom the client3customer" <sing the assessed and target
maturit! leels, the %ro&essional can create an e&&ectie gra%hic %resentation that descri'es the
achieement or ga%s 'etween the actual and targeted maturit! goals" A gra%hic is %roided on the last
%age o& this document (section GII), 'ased on sam%le assessments"
I,. Assurance and Control Framewor&
ISACA IT Assurance Framework an" Stan"ar"s
ITA# section 96A0NAuditing A%%lication ControlsNis releant to the audit3assurance o& an a%%lication
reiew" In addition, reliance is %laced on section 9690NAuditing IT -eneral Controls"
ISACA has long recognized the s%ecialized nature o& IT assurance and stries to adance glo'all!
a%%lica'le standards" -uidelines and %rocedures %roide detailed guidance on how to &ollow those
standards" IS Auditing Standard S1A IT Controls, IS Auditing -uidelines -1@ A%%lication S!stems
7eiew and -98 Access Controls, and IS Auditing =rocedure =10 Cusiness A%%lication Change Control
are releant to this audit3assurance %rogram"
ISACA Controls Framework
CLCIT is an IT goernance &ramewor0 and su%%orting tool set that allows managers to 'ridge the ga%
among control re:uirements, technical issues and 'usiness ris0s" CLCIT ena'les clear %olic! deelo%ment
and good %ractice &or IT control throughout enter%rises"
5 ,00$ ISACA" All rights resered" =age 10
Generic Application Audit/Assurance Program
<tilizing CLCIT as the control &ramewor0 on which IT audit3assurance actiities are 'ased, aligns IT
audit3assurance with good %ractices as deelo%ed '! the enter%rise"
The CLCIT a%%lication controls (ACs) address good %ractices &or 'usiness a%%lications" The CLCIT areas
&or this ealuation include>
AC1 *ource data $re$aration and authori+ationN.nsure that source documents are %re%ared '!
authorized and :uali&ied %ersonnel &ollowing esta'lished %rocedures, ta0ing into account ade:uate
segregation o& duties regarding the origination and a%%roal o& these documents" .rrors and omissions
can 'e minimized through good in%ut &orm design" Fetect errors and irregularities so the! can 'e
re%orted and corrected"
AC, *ource data collection and entryN.sta'lish that data in%ut is %er&ormed in a timel! manner '!
authorized and :uali&ied sta&&" Correction and resu'mission o& data that were erroneousl! in%ut should
'e %er&ormed without com%romising original transaction authorization leels" Where a%%ro%riate &or
reconstruction, retain original source documents &or the a%%ro%riate amount o& time"
AC9 Accuracy, com$leteness and authenticity checksN.nsure that transactions are accurate,
com%lete and alid" Galidate data that were in%ut, and edit or send 'ac0 &or correction as close to the
%oint o& origination as %ossi'le"
AC@ -rocessing integrity and validityN+aintain the integrit! and alidit! o& data throughout the
%rocessing c!cle" Fetection o& erroneous transactions does not disru%t the %rocessing o& alid
transactions"
ACA Out$ut review, reconciliation and error handlingN.sta'lish %rocedures and associated
res%onsi'ilities to ensure that out%ut is handled in an authorized manner, deliered to the a%%ro%riate
reci%ient and %rotected during transmission* that eri&ication, detection and correction o& the accurac!
o& out%ut occurs* and that in&ormation %roided in the out%ut is used"
AC6 Transaction authentication and integrityNCe&ore %assing transaction data 'etween internal
a%%lications and 'usiness3o%erational &unctions (inside or outside the enter%rise), chec0 it &or %ro%er
addressing, authenticit! o& origin and integrit! o& content" +aintain authenticit! and integrit! during
transmission or trans%ort"
7e&er to the IT -oernance Institute8s CO"IT Control -ractices Guidance to Achieve Control
Objectives for *uccessful IT Governance, .
nd
#dition, %u'lished in ,00), &or the related control %ractice
alue and ris0 driers"
,. #-ecuti'e Summar) of Audit.Assurance Focus
eneric Application
The a%%lication reiew %roides the enter%rise with an assessment o& the design and e&&ectieness o& the
internal controls and o%erating e&&icienc! and e&&ectieness o& an e2isting a%%lication" The de&inition o& an
a%%lication reiew is s%eci&ic to an enter%rise and can encom%ass a 'usiness &unction, 'usiness unit or
'usiness %rocess" /A%%lication1 does not s%eci&icall! re&er to the automated &unctions o& a 'usiness
%rocess"
This audit3assurance %rogram &ocuses on an e2isting a%%lication or 'usiness %rocess" The *ystems
/evelo$ment and -roject &anagement Audit)Assurance -rogram is more suited &or an a%%lication under
deelo%ment"
The a%%lication audit3assurance reiew is, '! de&inition, an /integrated audit"1 The integrated team
ensures that there are no ga%s 'etween automated and manual &unctions* there&ore, the s0ill sets and
%lanning re:uire a %ro4ect team consisting o& 'oth IT and 'usiness3o%erational %ro&essionals"
5 ,00$ ISACA" All rights resered" =age 11
Generic Application Audit/Assurance Program
The audit3assurance %rocess should 'e customized to the indiidual needs o& the 'usiness and a%%lication
under reiew" This generic a%%lication audit3assurance %rogram re:uires customization '! the assurance
team to &it the 'usiness enironment"
%usiness Impact an" Risk
An a%%lication is the %rocedures and %rocesses necessar! to &ul&ill a 'usiness &unction" This ma! 'e
&inancial (general ledger, accounts %a!a'le, accounts receia'le, %a!roll), order entr! (howeer an order
is de&ined, i"e", claims, %roduct orders, 'an0ing transactions), o%erational (inentor! trans&er and
logistics), or inoling intellectual %ro%ert!, human resources and other 'usinessBrelated %rocesses" The
olume o& transactions necessitates the reliance on the &unctionalit! and internal controls o& a 'usiness
a%%lication"
#ailure to im%lement e&&ectie, e&&icient and a%%ro%riate internal controls ma! result in the &ollowing
general ris0s>
;oss or underutilization o& assets
Inalid or incorrectl! %rocessed transactions
;oss o& re%utation due to ina'ilit! to delier serices or disclosure o& internal issues
Costl! com%ensating controls
7educed s!stem aaila'ilit! and :uestiona'le integrit! o& in&ormation
Ina'ilit! to satis&! audit3assurance charter, re:uirements o& regulators or e2ternal auditors
O#*ective an" Scope
"b(ecti'eThe o'4ecties o& the a%%lications reiew are to>
=roide management with an inde%endent assessment o& e&&icienc! and e&&ectieness o& the design
and o%eration o& internal controls and o%erating %rocedures
=roide management with the identi&ication o& a%%licationBrelated issues that re:uire attention
RAdditional o'4ecties customized to the s%eci&ic 'usiness as determined '! the audit and assurance
%ro&essionalS
Sco!eThe reiew will &ocus u%on the Rlist s%eci&ic a%%licationsS" The sco%e o& the reiew will include
the &ollowing>
Identi&ication and ealuation o& the design o& controls
.aluation o& control e&&ectieness
Assessment o& com%liance with regulator! re:uirements
Identi&ication o& issues re:uiring management attention
RAdditional sco%e as determined '! %ro4ect teamS
Cased on the initial ris0 assessment, the sco%e will &ocus on the &ollowing transaction3'usiness %rocesses>
R;ist releant %rocesses"S
The &ollowing will 'e e2cluded &rom the reiew>
R;ist e2clusions"S
+inimum Au"it Skills
The IT audit and assurance %ro&essional should hae an understanding o& the goodB%ractice %rocess and
controls in automated a%%lications, and the o%erational audit %ro&essional should hae an understanding
o& the goodB%ractice control %rocess and controls &or the s%eci&ic 'usiness %rocesses addressed '! the
a%%lication" =ro&essionals who hae achieed CISA certi&ication should hae the a%%ro%riate s0ills &or the
automated sco%e, and %ro&essionals who hae achieed either a Certi&ied Internal Auditor (CIA) or a
5 ,00$ ISACA" All rights resered" =age 1,
Generic Application Audit/Assurance Program
Certi&ied =u'lic Accountant3Certi&ied Accountant (C=A3CA) should hae the necessar! s0ills &or the
o%erational sco%e"
5 ,00$ ISACA" All rights resered" =age 19
Generic Application Audit/Assurance Program
,I. Audit.Assurance /rogram
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
1. /+A33I34 A3D SC"/I34 T2# AUDIT
1.1 Define audit.assurance ob(ecti'es.
The audit3assurance o'4ecties are high leel and descri'e the oerall audit goals"
1.1.1 7eiew the audit3assurance o'4ecties in the introduction to this
audit3assurance %rogram"
1.1.* +odi&! the audit3assurance o'4ecties to align with the audit3assurance
unierse, annual %lan and charter"
1.* Define boundaries of re'iew.
The reiew must hae a de&ined sco%e" The reiewer must understand the o%erating
enironment and %re%are a %ro%osed sco%e, su'4ect to a later ris0 assessment"
1.*.1 L'tain an understanding o& the serices %roided '! the enter%rise, including
the sco%e o& serices and the e&&ect the serices hae on the enter%rise8s
actiities"
1.*.* .sta'lish initial 'oundaries o& the audit3assurance reiew"
1",","1 Identi&! limitations and3or constraints a&&ecting the audit3assurance
reiew"
1.5 Define assurance.
The reiew re:uires two sources o& standards" The cor%orate standards de&ined in %olic!
and %rocedure documentation esta'lish the cor%orate e2%ectations" At minimum, cor%orate
standards should 'e im%lemented" The second source, a goodB%ractice re&erence,
esta'lishes industr! standards" .nhancements should 'e %ro%osed to address ga%s 'etween
the two"
1.5.1 L'tain com%an! s!stems deelo%ment standards, s!stems deelo%ment
methodolog! manual, %ro4ect management standards, %ro4ect methodolog!
5 ,00$ ISACA" All rights resered" =age 1@
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
manual, and a%%lication or so&tware manual"
1.5.* Fetermine i& CLCIT and the a%%ro%riate s!stems deelo%ment &ramewor0 will
'e used as a goodB%ractice re&erence"
1.6 Define the change !rocess.
The initial audit a%%roach is 'ased u%on the reiewer8s understanding o& the o%erating
enironment and associated ris0s" As &urther research and anal!sis are %er&ormed, changes
to the sco%e and a%%roach will result"
1.6.1 Identi&! the senior IT audit3assurance resource res%onsi'le &or the reiew"
1.6.* .sta'lish the %rocess &or suggesting and im%lementing changes to the
audit3assurance %rogram, and to the authorizations re:uired"
1.7 Define assignment success.
The success &actors need to 'e identi&ied" Communication among the IT audit3assurance
team, other assurance teams and the enter%rise is essential"
1.7.1 Identi&! the driers &or a success&ul reiew (this should e2ist in the assurance
&unction8s standards and %rocedures)"
1.7.* Communicate success attri'utes to the %rocess owner or sta0eholder, and o'tain
agreement"
1.8 Define audit.assurance resources re9uired.
The resources re:uired are de&ined in the introduction to this audit3assurance %rogram"
1.8.1 Fetermine the audit3assurance s0ills necessar! &or the reiew"
1.8.* Fetermine the estimated total resources (hours) and time &rame (start and end
dates) re:uired &or the reiew"
1.: Define deli'erables
5 ,00$ ISACA" All rights resered" =age 1A
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
The deliera'le is not limited to the &inal re%ort" Communication 'etween the
audit3assurance teams and the %rocess owner is essential to assignment success"
1.:.1 Fetermine the interim deliera'les, including initial &indings, status re%orts,
dra&t re%orts, due dates &or res%onses and the &inal re%ort"
1.; Communications
The audit3assurance %rocess is clearl! communicated to the customer3client"
1"8"1 Conduct an o%ening con&erence to discuss the reiew o'4ecties with the
e2ecutie res%onsi'le &or o%erating s!stems and in&rastructure"
*. /+A33I34 T2# A//+ICATI"3 AUDIT
*.1 /lanning team
*.1.1 .sta'lish the audit3assurance management team to %lan the reiew"
,"1"1"1 Assign an e2%erienced IT audit and assurance %ro&essional and an
o%erational audit and assurance %ro&essional as %ro4ect managers"
,"1"1", Consider 0nowledge o& the 'usiness %rocess area and IT o%erating
enironment when ma0ing assignments"
,"1"1"9 Assign lead sta&& to the %lanning %rocess"
*.* Understand the a!!lication.
*.*.1 L'tain an understanding o& the 'usiness and a%%lication %rocess enironment"
,","1"1 L'tain an understanding o& the a%%lication8s 'usiness enironment"
,","1"1"1 .nsure that audit3assurance engagement managers meet
with the 'usiness and IT e2ecuties res%onsi'le &or the
5 ,00$ ISACA" All rights resered" =age 16
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
a%%lication and 'usiness %rocesses"
,","1"1", Identi&! the 'usiness %rocess and data owners res%onsi'le
&or the a%%lication"
,","1"1"9 L'tain an understanding o& the strategic and o%erational
signi&icance o& the a%%lication"
,","1"1"@ Fetermine i& the a%%lication has 'een deelo%ed inB house
or %urchased, and i& the a%%lication is maintained inBhouse
or has 'een contracted3outsourced"
,","1"1"A L'tain an understanding o& the warranties and su%%ort in
the case o& a %urchased a%%lication"
,","1"1"6 Through discussions and a wal0through o& the general
'usiness %rocess, o'tain an understanding o& the 'usiness
&unctions %er&ormed '! the a%%lication and the inter&aces
with other a%%lications* determine where the controls are
located within the a%%lication and identi&! a%%lication
limitations, where %ossi'le"
,","1"1") Fetermine how the 'usiness %rocess a&&ects the &inancial
statements o& the enter%rise (direct inter&ace to the general
ledger or missionBcritical %rocess that, i& not o%erating
correctl!, could a&&ect the enter%rise8s &inancial
%er&ormance), or o%erational signi&icance to the enter%rise"
,","1"1"8 Fetermine the regulator! re:uirements that im%act the
'usiness %rocess (e2ternal e2aminers, &inancial re%orting
re:uirements, %riac!, data securit!, etc")"
,","1"1"$ Fetermine 0nown issues with the 'usiness %rocess and
5 ,00$ ISACA" All rights resered" =age 1)
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
a%%lication &rom the %ers%ectie o& other e2ecuties"
,","1", L'tain an understanding o& the a%%lication8s &unctionalit!"
,","1","1 Audit3assurance engagement management and lead sta&&
mem'ers meet with the 'usiness and IT managers
res%onsi'le &or the a%%lication and 'usiness %rocesses"
,","1",", Through discussions, %er&orm a wal0through o& the
'usiness %rocess and a%%lication &rom source entr! through
out%ut and reconciliation"
,","1","9 Fetermine how the 'usiness %rocess a&&ects the &inancial
statements o& the enter%rise (direct inter&ace to the general
ledger or missionBcritical %rocess that, i& not o%erating
correctl!, could a&&ect the enter%rise8s &inancial
%er&ormance), or o%erational signi&icance to the enter%rise"
,","1","@ Fetermine the regulator! re:uirements that im%act the
'usiness %rocess (e2ternal e2aminers, &inancial re%orting
re:uirements, %riac!, data securit!, etc")"
,","1","A Fetermine 0nown issues with the 'usiness %rocess and
a%%lication &rom the %ers%ectie o& other e2ecuties"
,","1"9 <nderstand the a%%lication8s technical in&rastructure"
,","1"9"1 Through discussions with senior management res%onsi'le &or
the deelo%ment, im%lementation and o%erations o& the
a%%lication, o'tain an understanding and documentation o&
the &ollowing and how the! im%act the a%%lication>
Technical in&rastructure (host, clientBserer or we'B
'ased)
FSA"9
FSA"@
FSA"8
FSA"10
FSA"11
5 ,00$ ISACA" All rights resered" =age 18
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
6etwor0 (intranet, Internet, or e2tranet), wireless or
wired
Transaction %rocessor (CICS or I+S)
Wor0station (des0to%3handheld3la%to%3s%ecial deices)
L%erating s!stems (IC+ +ain&rame, <6IT3;I6<T,
Windows, %ro%rietar!)
Fata'ase management s!stems (Lracle, FC,, I+S, SK;
Serer, other)
Insourced or outsourced
7ealBtime, store and &orward, and3or 'atch
Test and deelo%ment o& o%erating enironments
,","1"@ <nderstand the olatilit! and leel o& change a&&ecting the a%%lication"
,","1"@"1 Interiew 'usiness management to determine %lanned
changes, histor! o& %ro'lem areas and other 0nown
o%erational issues that would a&&ect the sco%e o& the
reiew"
,","1"@", L'tain recent s!stems re:uests, incident re%orts and
%ro'lem logs" Identi&! issues that were not identi&ied in
meetings with management"
FSA"6
FS8",
,","1"@"9 .aluate how olatilit! and change issues a&&ect the sco%e
o& the reiew, and determine i& there are identi&ia'le trends
&or certain issues"
*.*.* L'tain a detailed understanding o& the a%%lication"
,",","1 <sing the in&ormation o'tained in management interiews and
documentation %roided '! enter%rise and IT, o'tain and document a
detailed understanding o& the a%%lication" Consider the>
Source data
5 ,00$ ISACA" All rights resered" =age 1$
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
+anual in%ut
In%ut inter&aces &rom other a%%lications
=rocessing c!cle
Audit trails
.rror re%orting
Internal controls and edits
#re:uenc! o& a%%lication %rocesses
Fe%endenc! o& a%%lication on %rocessing c!cles and other
a%%lications
S!stem setu% %arameters
Fata edits
Initial edits
Fata correction
+aintenance o& master &iles
Lut%ut
7eiew and reconciliation
7e%orts generated
Lut%ut inter&aces to other a%%lications
7e%ort distri'ution
*.*.5 Cased on the detailed understanding, identi&! the transactions in the a%%lication
and 'usiness &low"
*.5 $is& assessment
*.5.1 =er&orm a ris0 assessment o& the e&&ect the a%%lication has on the 'usiness, the
IT organization and the %otential sco%e o& the reiew"
=L$",
,"9"1"1 Consider the im%ortance o& 'usiness %rocesses and transactions"
,"9"1", Consider &inancial and regulator! re:uirements"
,"9"1"9 =rioritize 'usiness %rocesses and transactions &or ealuation"
5 ,00$ ISACA" All rights resered" =age ,0
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
*.6 Sco!e
*.6.1 6arrow the sco%e to 'usiness %rocesses and transactions to 'e ealuated in
reiew"
*.6.* Fetermine the o%erational audit sco%e and IT audit sco%e"
*.6.5 Fetermine the audit3assurance resources re:uired to %er&orm the reiew"
*.6.6 Fetermine com%uterBassisted audit techni:ues (CAATs) that ma! 'e re:uired"
*.6.7 Identi&! s%eci&ic 'usiness %rocesses and a%%lication transactions to 'e
reiewed"
*.6.8 .sta'lish the %ro%osed sco%e"
*.7 4eneral controls
*.7.1 .aluate general control reiews to determine the leel o& reliance that can 'e
%laced on the installation controls"
,"A"1"1 7eiew the results &rom the &ollowing IT audit3assurance assessments>
=h!sical securit!
Identit! and access management
Incident3%ro'lem management
Change management
L%erating s!stem con&iguration
In&ormation securit!
6etwor0 %erimeter management
Fata'ase management
IT contingenc! and 'usiness contingenc! %lanning
AI6
FS@
FSA
FS8
FS10
,"A"1", I& o%en audit3assurance &indings remain and are considered material in
the conte2t o& the a%%lication audit, consider what e2%anded reiew
5 ,00$ ISACA" All rights resered" =age ,1
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
%rocedures will 'e re:uired"
*.8 Finalize sco!e
*.8.1 Identi&! the 'usiness %rocesses to 'e reiewed"
,"6"1"1 Identi&! the transactions &or the 'usiness %rocess"
,"6"1", Identi&! the control o'4ecties &or each 'usiness %rocess"
,"6"1","1 Identi&! the controls that address each control o'4ectie"
,"6"1",", Customize the wor0 %rogram &or the controls identi&ied and
their control descri%tion"
*.8.* Assign sta&& 'ased on s0ill sets to the arious %rocesses"
*.8.5 Fetermine IT and o%erational audit3assurance roles, and esta'lish %ro4ect
management"
5. S"U$C# DATA /$#/A$ATI"3 A3D AUT2"$I<ATI"3
5.1 Source data !re!aration
Audit3assurance o'4ectie> Source documents should 'e %re%ared '! authorized and
:uali&ied %ersonnel &ollowing esta'lished %rocedures, and should %roide &or ade:uate
segregation o& duties 'etween the origination and a%%roal o& these documents and
accounta'ilit!"
6. Source document design
Control: Source documents are designed in a wa) that the) increase the
accurac) with which data can be recorded= control the wor&flow and
facilitate subse9uent reference chec&ing. >here a!!ro!riate= com!leteness
AC1 T
5 ,00$ ISACA" All rights resered" =age ,,
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
controls in the design of the source documents are included.
@"1"1"1 Assess whether source documents and3or in%ut screens are designed
with %redetermined coding, choices, etc", to encourage timel!
com%letion and minimize the %otential &or error"
7. Source data !rocedures
Control: /rocedures for !re!aring source data entr) are documented= and
are effecti'el) and !ro!erl) communicated to a!!ro!riate and 9ualified
!ersonnel.
1

AC1 T T
A"1"1"1 Fetermine i& the design o& the s!stem %roides &or the identi&ication
and management o& authorization leels"
A"1"1"1"1 Geri&!, through ins%ection o& authorization lists, that
authorization leels are %ro%erl! de&ined &or each grou% o&
transactions" L'sere that authorization leels are %ro%erl!
a%%lied"
A"1"1", Ins%ect and o'sere creation and documentation o& data %re%aration
%rocedures, and in:uire whether and con&irm that %rocedures are
understood and the correct source media are used"
A"1"1"9 In:uire whether and con&irm that the design o& the s!stem %roides &or
the use o& %rea%%roed authorization lists and related signatures &or use
in determining that documents hae 'een a%%ro%riatel! authorized"
1
These %rocedures esta'lish and communicate re:uired authorization leels (in%ut, editing, authorizing, acce%ting and re4ecting source documents)" The %rocedures also identi&! the acce%ta'le source
media &or each t!%e o& transaction"
5 ,00$ ISACA" All rights resered" =age ,9
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
A"1"1"@ In:uire whether and con&irm that the design o& the s!stem encourages
reiew o& the &orms &or com%leteness and authorization, and
identi&ies situations where attem%ts to %rocess incom%lete and3or
unauthorized documents occur"
8. Data entr) authorization
Control: The function res!onsible for data entr) maintains a list of
authorized !ersonnel= including their signatures.
AC1 T
6"1"1"1 Where re:uired '! %rocedures, eri&! that ade:uate segregation o&
duties 'etween originator and a%%roer e2ists"
6"1"1", In:uire whether and con&irm that a list o& authorized %ersonnel and
their signatures is maintained '! the a%%ro%riate de%artments" Where
%ossi'le, use automated eidence collection, including sam%le data,
em'edded audit modules or CAATs, to trace transactions to eri&!
that the list o& authorized %ersonnel is e&&ectiel! designed to
allow3restrict %ersonnel to enter data"
6"1"1"9 Fetermine i& a se%aration o& duties (SLF) ta'le e2ists and reiew &or
ade:uate se%aration o& 0e! duties"
6"1"1"9"1 Ins%ect documents, trace transactions through the %rocess
and, where %ossi'le, use automated eidence collection,
including sam%le data, em'edded audit modules or
CAATs, to trace transactions to eri&! that authorization
access controls are e&&ectie"
8.* Form design
Audit3assurance o'4ectie> -ood in%ut &orm design should 'e used to minimize errors and
omissions"
:. Transaction identifier
AC1 T
5 ,00$ ISACA" All rights resered" =age ,@
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
Control: Uni9ue and se9uential identifiers ?e.g.= inde-= date and time@ are
automaticall) assigned to e'er) transaction.
)"1"1"1 In:uire whether and con&irm that uni:ue and se:uential num'ers are
assigned to each transaction"
;. Source document design
Control: Source documents include standard com!onents= contain !ro!er
instructions for com!letion and are a!!ro'ed b) management.
AC1 T
8"1"1"1 Geri&! that all source documents include standard com%onents,
contain %ro%er documentation (e"g", timeliness, %redetermined in%ut
codes, de&ault alues) and are authorized '! management"
;.* #rror detection
Audit3assurance o'4ectie> .rrors and irregularities should 'e detected so the! can 'e
re%orted and corrected"
A. Document error detection
Control: Documents that are not !ro!erl) authorized or are incom!lete
are returned to the submitting originators for correction and recorded in a
log to document their return. +ogs are re'iewed !eriodicall) to 'erif) that
corrected documents are returned b) originators in a timel) fashion= and to
enable !attern anal)sis and root cause re'iew.
AC1 T T T
$"1"1"1 In:uire whether and con&irm that, once identi&ied, the s!stem is
designed to trac0 and re%ort u%on incom%lete and3or unauthorized
documents that are re4ected and returned to the owner &or correction"
$"1"1", In:uire and con&irm whether logs are reiewed %eriodicall!, reasons
&or returned documents are anal!zed and correctie action is initiated"
$"1"1"9 Fetermine i& the correctie action is monitored &or its e&&ectieness"
5 ,00$ ISACA" All rights resered" =age ,A
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
1B. S"U$C# DATA C"++#CTI"3 A3D #3T$C
1B.1 Data in!ut !re!aration in!ut
Audit3assurance o'4ectie> Fata in%ut should 'e %er&ormed in a timel! manner '!
authorized and :uali&ied sta&&"
AC,
11. Source document criteria
Control: Criteria for defining and communicating for timeliness=
com!leteness and accurac) of source documents are documented.
T T
11"1"1"1 In:uire whether and con&irm that criteria &or timeliness,
com%leteness and accurac! o& source documents are de&ined and
communicated"
1*. Source document !re!aration
Control: /rocedures ensure that data in!ut is !erformed in accordance
with the timeliness= accurac) and com!leteness criteria.
AC, T
1,"1"1"1 Ins%ect documentation o& %olicies and %rocedures to ensure that
criteria &or timeliness, com%leteness and accurac! are a%%ro%riatel!
re%resented"
1*.* Correction and reentr) of erroneous data
Audit3assurance o'4ectie> Correction and resu'mission o& data that were erroneousl!
in%ut should 'e %er&ormed without com%romising original transaction authorization leels"
15. "ut1of1se9uence and missing source documents
Control: Use onl) !renumbered source documents for critical transactions.
If !ro!er se9uence is a transaction re9uirement= identif) and correct out1
of1se9uence source documents. If com!leteness is an a!!lication
re9uirement= identif) and account for missing source documents.
AC, T
19"1"1"1 In:uire whether and con&irm that %olicies and %rocesses are
esta'lished to esta'lish criteria &or the identi&ication o& classes o&
5 ,00$ ISACA" All rights resered" =age ,6
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
critical transactions that re:uire %renum'ered source documents or
other uni:ue methods o& identi&!ing source data"
19"1"1", In:uire and con&irm whether critical source documents are
%renum'ered and outBo&Bse:uence num'ers are identi&ied and ta0en into
account"
19"1"1"9 Identi&! and reiew outBo&Bse:uence num'ers, ga%s and du%licates
using automated tools (CAATs)"
16. Data editing
Control: Access rules define and communicate who can in!ut= edit=
authorize= acce!t and re(ect transactions= and o'erride errors.
Accountabilit) is established through access controls and documented
su!!orting e'idence to establish accountabilit) in line with role and
res!onsibilit) definitions.
AC, T
1@"1"1"1 #or each ma4or grou% o& transactions, in:uire whether and con&irm
that there is documentation o& criteria to de&ine authorization &or
in%ut, editing, acce%tance, re4ection and oerride"
1@"1"1", Ins%ect documents, trace transactions through the %rocess and, where
%ossi'le, use automated eidence collection, including sam%le data,
em'edded audit modules or CAATs, to trace transactions to eri&! that
authorization controls are e&&ectie and that su&&icient eidence is
relia'l! recorded and reiewed"
1@"1"1"9 Identi&! critical transactions" #rom that %o%ulation, select a set o&
critical transactions" =er&orm the &ollowing ste%s"
1@"1"1"9"1 Com%are the actual state o& access controls oer
transaction in%ut, editing, acce%tance, etc" with esta'lished
5 ,00$ ISACA" All rights resered" =age ,)
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
criteria, %olicies or %rocedures"
1@"1"1"9", Ins%ect whether critical source documents are %renum'ered
or other uni:ue methods o& identi&!ing source data are used"
1@"1"1"9"9 Ins%ect documentation or wal0 through transactions to
identi&! %ersonnel who can in%ut, edit, authorize, acce%t
and re4ect transactions, and oerride errors"
1@"1"1"9"@ Ta0e a sam%le o& transactions within this set &or a s%eci&ic
%eriod, and ins%ect the source documents &or those
transactions" Geri&! that all a%%ro%riate source documents
are aaila'le"
17. #rror correction
Control: /rocedures are formall) established and documented to correct
errors= o'erride errors and handle out1of1balance conditions and to follow
u! on= correct= a!!ro'e and resubmit source documents and transactions in
a timel) manner. These !rocedures should consider things such as error
message descri!tions= o'erride mechanisms and escalation le'els.
AC, T
1A"1"1"1 In:uire and con&irm whether documented %rocedures &or the correction
o& errors, outBo&B'alance conditions and entr! o& oerrides e2ist"
1A"1"1", Fetermine that the %rocedures include mechanisms &or timel!
&ollowBu%, correction, a%%roal and resu'mission"
1A"1"1"9 .aluate the ade:uac! o& %rocedures addressing error message
descri%tions and resolution, and oerride mechanisms"
18. #rror correction monitoring
Control: #rror messages are generated in a timel) manner as close to the
!oint of origin as !ossible. The transactions are not !rocessed unless errors
are corrected or a!!ro!riatel) o'erridden or b)!assed. #rrors that cannot
AC, T T
5 ,00$ ISACA" All rights resered" =age ,8
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
be corrected immediatel) are logged in an automated sus!ense log= and
'alid transaction !rocessing continues. #rror logs are re'iewed and acted
u!on within a s!ecified and reasonable !eriod of time.
16"1"1"1 In:uire whether and con&irm that error messages are generated and
communicated in a timel! manner, transactions are not %rocessed
unless errors are corrected or a%%ro%riatel! oerridden, errors that
cannot 'e corrected immediatel! are logged and alid transaction
%rocessing continues, and error logs are reiewed and acted u%on
within a s%eci&ied and reasona'le %eriod o& time"
1:. #rror condition monitoring
Control: #rrors and out1of1balance re!orts are re'iewed b) a!!ro!riate
!ersonnel= followed u! on and corrected within a reasonable !eriod of time=
and= where necessar)= incidents are escalated for attention b) a senior1le'el
staff member. Automated monitoring tools ma) be used to identif)= monitor
and manage errors.
AC, T T T
1)"1"1"1 In:uire whether and con&irm that re%orts on errors and outBo&B
'alance conditions are reiewed '! a%%ro%riate %ersonnel* all errors
are identi&ied, corrected and chec0ed within a reasona'le %eriod o&
time* and errors are re%orted until corrected"
1)"1"1", Fetermine i& error re%orts are distri'uted to someone other than the
originating %erson"
1)"1"1"9 Ins%ect error and outBo&B'alance re%orts, error corrections, and other
documents to eri&! that errors and outBo&B'alance conditions are
e&&ectiel! reiewed, corrected, chec0ed and re%orted until corrected"
1:.* Source document retention
Audit3assurance o'4ectie> Where a%%ro%riate &or reconstruction, original source
documents should 'e retained &or an a%%ro%riate amount o& time"
5 ,00$ ISACA" All rights resered" =age ,$
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
1;. Source document retention
Control: Source documents are safe1stored ?either b) the enter!rise or b)
IT@ for a sufficient !eriod of time in line with legal= regulator) or business
re9uirements.
AC, T
18"1"1"1 In:uire whether and con&irm that there are %olicies and %rocedures in
%lace to determine document retention %olicies" #actors to consider in
assessing the document retention %olic! include>
Criticalit! o& the transaction
#orm o& the source data
+ethod o& retention
;ocation o& retention
Time %eriod &or retention
.ase o& and aaila'ilit! o& document retreial
Com%liance and regulator! re:uirements
18"1"1", #or a sam%le o& transaction &lows, in:uire whether and con&irm that
retention o& source documents is de&ined and a%%lied in relation to
esta'lished criteria &or source document retention"
1A. ACCU$ACC= C"%/+#T#3#SS A3D AUT2#3TICITC C2#CDS
1A.1 Accurac) of transactions
Audit3assurance o'4ectie> .ntered transactions should 'e accurate, com%lete and alid"
In%ut data should 'e alidated and edited* edit &ailures should 'e corrected interactiel! or
sent 'ac0 &or correction as close to the %oint o& origination as %ossi'le"
*B. Transaction edits
Control: Transaction data are 'erified as close to the data entr) !oint as
!ossible and interacti'el) during online sessions. Transaction data= whether
!eo!le1generated= s)stem1generated or interfaced in!uts= are sub(ect to a
'ariet) of controls to chec& for accurac)= com!leteness and 'alidit).
AC9 T
5 ,00$ ISACA" All rights resered" =age 90
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
>here'er !ossible= transaction 'alidation continues after the first error is
found. Understandable error messages are immediatel) generated to enable
efficient remediation.
,0"1"1"1 In:uire whether and con&irm that alidation criteria and %arameters
on in%ut data are %eriodicall! reiewed, con&irmed and u%dated in a
timel!, a%%ro%riate and authorized manner"
,0"1"1", L'tain &unctional descri%tion and design in&ormation on transaction
data entr!" Ins%ect the &unctionalit! and design &or the %resence o&
timel! and com%lete chec0s and error messages" I& %ossi'le, o'sere
transaction data entr!"
,0"1"1"9 Select a sam%le o& source data in%ut %rocesses" In:uire whether and
con&irm that mechanisms are in %lace to ensure that the source data
in%ut %rocesses hae 'een %er&ormed in line with esta'lished criteria
&or timeliness, com%leteness and accurac!"
*1. Transaction accurac) com!leteness and 'alidit)
Control: Controls ensure accurac)= com!leteness= 'alidit) and com!liance
with regulator) re9uirements of data in!ut. Controls ma) include se9uence=
limit= range= 'alidit)= reasonableness= table loo&1u!s= e-istence= &e)
'erification= chec& digit= com!leteness ?e.g.= total monetar) amount= total
items= total documents= hash totals@= du!licate and logical relationshi!
chec&s= and time edits. ,alidation criteria and !arameters are sub(ect to
!eriodic re'iews and confirmation.
AC9 T
,1"1"1"1 L'tain &unctional descri%tion and design in&ormation on data in%ut
controls" Ins%ect the &unctionalit! and design &or a%%ro%riate controls"
.2am%les o& controls include the %resence o& se:uence, limit, range,
alidit!, reasona'leness, ta'le loo0Bu%s, e2istence, 0e! eri&ication,
chec0 digit, com%leteness (e"g", total monetar! amount, total items,
total documents, hash totals), du%lication, logical relationshi% chec0s
5 ,00$ ISACA" All rights resered" =age 91
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
and time edits, and transaction cuto&&s"
,1"1"1", L'tain &unctional descri%tion and design in&ormation on transaction
data alidation"
,1"1"1"9 Select a sam%le o& in%ut source data o& source documents" <sing
ins%ection, CAATs, or other automated eidence collection and
assessment tools, alidate that in%ut data are a com%lete and accurate
re%resentation o& underl!ing source documents"
*1.* Transaction access control
Audit3assurance o'4ectie> Access control and role and res%onsi'ilit! mechanisms should
'e im%lemented so that onl! authorized %ersons whose duties are a%%ro%riatel! segregated
&rom con&licting &unctions ma! in%ut, modi&! and authorize data"
**. Transaction access control
Control: Access controls are im!lemented to assign access based on (ob
function.
AC9 T
,,"1"1"1 L'tain the results &rom the latest identit! management reiew, and
determine i& reliance can 'e %laced on the reiews %er&ormed
%reiousl!"
,,"1"1", Fetermine i& re:uirements &or segregation o& duties &or entr!,
modi&ication and authorization o& transaction data as well as &or
alidation rules hae 'een esta'lished"
,,"1"1","1 L'tain se%aration o& duties ta'les that de&ine 4o' &unction
and %ermitted transactions" Fetermine that no controls or
asset %rotection %rinci%les will 'e iolated due to the
transaction access assignments"
5 ,00$ ISACA" All rights resered" =age 9,
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
,,"1"1",", In:uire whether and con&irm that %rocesses and
%rocedures are esta'lished &or the segregation o& duties &or
entr!, modi&ication and a%%roal o& transaction data as well
as &or alidation rules" #actors to consider in the
assessment o& segregation o& duties %olicies include
criticalit! o& the transaction s!stem and methods &or the
en&orcement o& segregation o& duties"
,,"1"1","9 #or im%ortant or critical s!stems, ins%ect the data in%ut
design to ensure that the authorization controls allow onl!
a%%ro%riatel! authorized %ersons to in%ut or modi&! data"
**.* Transaction error re!orting
Audit3assurance o'4ectie> Transactions &ailing edit and alidation routines should 'e
su'4ect to &ollowBu% %rocedures to ensure that the! are ultimatel! remediated" An! root
cause should 'e identi&ied and %rocedures should 'e modi&ied"
*5. Sus!ending and re!orting erroneous transactions
Control: Transactions failing 'alidation are identified and !osted to a
sus!ense file in a timel) fashion= and 'alid transactions are not dela)ed
from !rocessing.
AC9 T
,9"1"1"1 In:uire whether and con&irm that %olicies and %rocedures e2ist &or
the handling o& transactions that &ail edit and alidation chec0s"
,9"1"1", Ins%ect error corrections, outBo&B'alance conditions, entr! oerrides
and other documents to eri&! that the %rocedures are &ollowed"
*6. Sus!ended transaction follow1u!
Control: Transactions failing edit and 'alidation routines are sub(ect to
a!!ro!riate follow1u! until errors are remediated. Follow1u! includes aging
transactions to ensure follow1u! and conducting root cause anal)sis to hel!
AC9 T T
5 ,00$ ISACA" All rights resered" =age 99
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
ad(ust !rocedures and automated controls.
,@"1"1"1 Ins%ect error and outBo&B'alance re%orts, error corrections, and other
documents to eri&! that errors and outBo&B'alance conditions are
e&&ectiel! reiewed, corrected, chec0ed and re%orted until corrected"
,@"1"1", In:uire whether and con&irm that transactions &ailing edit and
alidation routines are su'4ect to a%%ro%riate &ollowBu% until the! are
remediated"
*7. /$"C#SSI34 I3T#4$ITC A3D ,A+IDITC
*7.1 Data integrit) and 'alidit)
Audit3assurance o'4ectie> The integrit! and alidit! o& data should 'e maintained
throughout the %rocessing c!cle and the detection o& erroneous transactions should not
disru%t %rocessing o& alid transactions"
*8. Transaction authorization
Control: %echanisms are established and im!lemented to authorize the
initiation of transaction !rocessing and to enforce that onl) a!!ro!riate
and authorized a!!lications and tools are used.
AC@ T
,6"1"1"1 In:uire whether and con&irm that transaction %rocessing ta0es %lace
onl! a&ter a%%ro%riate authorization is gien"
,6"1"1", #or a sam%le a%%lication, in:uire whether and con&irm that
segregation o& duties is in %lace" Geri&! whether segregation o& duties
is im%lemented &or entr!, modi&ication and a%%roal o& transaction
data as well as &or alidation rules"
,6"1"1"9 #or a sam%le o& critical transactions %rocesses, test whether access
controls %reent unauthorized data entr!" With searching tools,
5 ,00$ ISACA" All rights resered" =age 9@
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
identi&! cases where unauthorized %ersonnel are a'le to in%ut or
modi&! data"
,6"1"1"@ #or a sam%le o& critical transactions %rocesses, test whether access
controls %reent unauthorized data entr!" With searching tools,
identi&! cases where unauthorized %ersonnel are a'le to in%ut or
modi&! data"
*:. /rocessing integrit)
Control: /rocessing is com!letel) and accuratel) !erformed routinel) with
automated controls= where a!!ro!riate. Controls ma) include chec&ing for
se9uence and du!lication errors= transaction.record counts= referential
integrit) chec&s= control and hash totals= range chec&s= and buffer o'erflow.
AC@ T
,)"1"1"1 In:uire whether and con&irm that ad4ustments, oerrides and highB
alue transactions are %rom%tl! reiewed in detail &or a%%ro%riateness
'! a su%erisor who does not %er&orm data entr!" Ins%ect the audit
trail, other documents, %lans, %olicies and %rocedures to eri&! that
ad4ustments, oerrides and highBalue transactions are designed
e&&ectiel! to 'e %rom%tl! reiewed in detail"
,)"1"1", Ins%ect the audit trail, other documents, %lans, %olicies and
%rocedures to eri&! that ad4ustments, oerrides and highBalue
transactions are designed e&&ectiel! to 'e %rom%tl! reiewed in
detail" Ins%ect the audit trail, transactions (or 'atches), reiews and
other documents* trace transactions through the %rocess* and, where
%ossi'le, use automated eidence collection, including sam%le data,
em'edded audit modules or CAATS, to eri&! that su%erisor reiews
are e&&ectie to ensure the alidit! o& ad4ustments, oerrides and highB
alue transactions in a timel! manner"
,)"1"1"9 7eiew the documentation o& the tools and a%%lications to eri&! that
5 ,00$ ISACA" All rights resered" =age 9A
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
the! are a%%lica'le and suita'le &or the tas0" Where a%%ro%riate &or
critical transactions, reiew the code to con&irm that controls in the
tools and a%%lications o%erate as designed" 7e%rocess a re%resentatie
sam%le to eri&! that automated tools o%erate as intended"
,)"1"1"@ #or highl! critical transactions, set u% a test s!stem that o%erates li0e
the lie s!stem" =rocess transactions in the test s!stem to ensure that
alid transactions are %rocessed a%%ro%riatel! and in a timel! &ashion"
,)"1"1"A Ins%ect error messages u%on data entr! or online %rocessing"
,)"1"1"6 <se automated eidence collection, including sam%le data,
em'edded audit modules or CAATS, to eri&! that alid transactions
are %rocessed without interru%tion" Ins%ect whether and con&irm that
inalid transactions are re%orted in a timel! manner"
*;. Transaction error !rocessing
Control: Transactions failing 'alidation routines are re!orted and !osted
to a sus!ense file. >here a file contains 'alid and in'alid transactions= the
!rocessing of 'alid transactions is not dela)ed and all errors are re!orted in
a timel) fashion. Information on !rocessing failures is &e!t to allow for root
cause anal)sis and hel! ad(ust !rocedures and automated controls.
AC@ T T T
,8"1"1"1 In:uire whether and con&irm that reconciliation o& &ile totals is
%er&ormed on a routine 'asis and that outBo&B'alance conditions are
re%orted"
,8"1"1"1"1 Ins%ect reconciliations and other documents, and trace
transactions through the %rocess to eri&! that
reconciliations e&&ectiel! determine whether &ile totals
match or the outBo&B'alance condition is re%orted to the
a%%ro%riate %ersonnel"
5 ,00$ ISACA" All rights resered" =age 96
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
,8"1"1", Ins%ect the &unctional descri%tion and design in&ormation on
transaction data entr! to eri&! whether transactions &ailing edit and
alidation routines are %osted to sus%ense &iles"
,8"1"1","1 Geri&! that sus%ense &iles are correctl! and consistentl!
%roduced and that users are in&ormed o& transactions
%osted to sus%ense accounts"
,8"1"1",", Geri&! that the %rocessing o& transactions is not dela!ed
'! data entr! or transaction authorization errors" <se
automated eidence collection, including sam%le data,
'ase cases (%re%ared transactions with an e2%ected
outcome), em'edded audit modules or CAATS to trace
transactions to eri&! that transactions are %rocessed
e&&ectiel!, alid transactions are %rocessed without
interru%tion &rom inalid transactions and erroneous
transactions are re%orted"
,8"1"1"9 #or a sam%le o& transaction s!stems, eri&! that sus%ense accounts
and sus%ense &iles &or transactions &ailing edit and alidation routines
contain onl! recent errors" Con&irm that older &ailing transactions hae
'een a%%ro%riatel! remediated"
,8"1"1"@ #or a sam%le o& transactions, eri&! that data entr! is not dela!ed '!
inalid transactions"
,8"1"1"A #or highl! critical transactions, set u% a test s!stem that o%erates li0e
the lie s!stem" .nter di&&erent t!%es o& errors"
,8"1"1"6 Fetermine i& transactions &ailing edit and alidation routines are
%osted to sus%ense &iles"
,8"1"1") Geri&! that sus%ense &iles are correctl! and consistentl! %roduced"
5 ,00$ ISACA" All rights resered" =age 9)
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
,8"1"1"8 Geri&! that the user is in&ormed o& transactions %osted to sus%ense
accounts"
*A. #rror monitoring and follow1u!
Control: Transactions failing 'alidation routines are sub(ect to a!!ro!riate
follow1u! until errors are remediated or the transaction is canceled.
AC@ T T
,$"1"1"1 Anal!ze a re%resentatie sam%le o& error transactions on sus%ense
accounts and &iles, and eri&! that transactions &ailing alidation
routines are chec0ed until remediation"
,$"1"1", Geri&! that sus%ense accounts and &iles &or transactions &ailing
alidation routines contain onl! recent errors, con&irming that older
ones hae 'een a%%ro%riatel! remediated"
,$"1"1"9 Geri&! that error detection and re%orting are timel! and com%lete and
that the! %roide su&&icient in&ormation to correct the transaction"
,$"1"1"@ .nsure that errors are re%orted a%%ro%riatel! and in a timel! &ashion"
,$"1"1"A Ta0e a sam%le o& data in%ut transactions" <se a%%ro%riate automated
anal!sis and search tools to identi&! cases where errors were identi&ied
erroneousl! and cases where errors were not detected"
,$"1"1"6 .nsure that error messages are a%%ro%riate &or the transaction &low"
.2am%les o& a%%ro%riate attri'utes o& messages include
understanda'ilit!, immediac! and isi'ilit!"
5B. /rocess flow
Control: The correct se9uence of (obs is documented and communicated to
IT o!erations. Eob out!ut includes sufficient information regarding
AC@ T
5 ,00$ ISACA" All rights resered" =age 98
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
subse9uent (obs to ensure that data are not ina!!ro!riatel) added= changed
or lost during !rocessing.
90"1"1"1 L'tain &unctional descri%tion and design in&ormation on data in%ut
controls"
90"1"1"1"1 Ins%ect the &unctionalit! and design &or the %resence o&
se:uence and du%lication errors, re&erential integrit!
chec0s, control, and hash totals"
90"1"1"1", With searching tools, identi&! cases where errors were
identi&ied erroneousl! and cases where errors were not
detected"
90"1"1", Fetermine whether and con&irm that 4o's se:uence is indicated to IT
o%erations"
90"1"1","1 In:uire whether and con&irm that 4o's %roide ade:uate
instructions to the 4o' scheduling s!stem so data are not
ina%%ro%riatel! added, changed or lost during %rocessing"
Ins%ect source documents* trace transactions through the
%rocess* and, where %ossi'le, use automated eidence
collection, including sam%le data, em'edded audit modules
or CAATS to trace transactions to eri&! that %roduction
4o' scheduling so&tware is used e&&ectiel! so that 4o's run
in the correct se:uence and %roide ade:uate instructions to
the s!stems"
90"1"1",", Ins%ect source documents* trace transactions through the
%rocess* and, where %ossi'le, use automated eidence
collection, including sam%le data, em'edded audit modules
or CAATS to trace transactions to eri&! that %roduction
4o' scheduling so&tware is used e&&ectiel! so that 4o's run
5 ,00$ ISACA" All rights resered" =age 9$
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
in the correct se:uence and %roide ade:uate instructions to
the s!stems"
51. Uni9ue transaction identifier
Control: #ach transaction has a uni9ue and se9uential identifier ?e.g.=
inde-= date and time@.
AC@ T
91"1"1"1 In:uire whether and con&irm that eer! transaction is assigned a
uni:ue and se:uential num'er or identi&ier (e"g", inde2, date, time)"
91"1"1"1"1 Ins%ect source documents* trace transactions through the
%rocess* and, where %ossi'le, use automated eidence
collection, including sam%le data, em'edded audit modules
or CAATS to trace transactions to eri&! that %roduction
4o' scheduling so&tware is used e&&ectiel! so that 4o's run
in the correct se:uence and %roide ade:uate instructions to
the s!stems"
5*. Audit trails
Control: The audit trail of transactions !rocessed is maintained. Include
date and time of in!ut and user identification for each online or batch
transaction. For sensiti'e data= the listing should contain before1and1after
images and should be chec&ed b) the business owner for accurac) and
authorization of changes made.
AC@ T
9,"1"1"1 In:uire whether and con&irm that the audit trail o& transactions
%rocessed is maintained, including who can disa'le or delete the audit
trails"
9,"1"1"1"1 Ins%ect the audit trail and other documents to eri&! that
the audit trail is designed e&&ectiel!" <se automated
eidence collection, including sam%le data, em'edded audit
modules or CAATS, to trace transactions to eri&! that the
5 ,00$ ISACA" All rights resered" =age @0
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
audit trail is maintained e&&ectiel!"
9,"1"1"1", Geri&! that 'e&oreBandBa&ter images are maintained and
%eriodicall! reiewed '! a%%ro%riate %ersonnel"
9,"1"1", In:uire whether and con&irm that the transaction audit trail is
maintained and %eriodicall! reiewed &or unusual actiit!"
9,"1"1","1 Geri&! that the reiew is done '! a su%erisor who does
not %er&orm data entr!" Ins%ect the audit trail, transactions
(or 'atches), reiews and other documents* trace
transactions through the %rocess* and, where %ossi'le, use
automated eidence collection, including sam%le data,
em'edded audit modules or CAATS, to eri&! that
%eriodic reiew and maintenance o& the audit trail
e&&ectiel! detects unusual actiit! and su%erisor reiews
are e&&ectie to eri&! the alidit! o& ad4ustments,
oerrides and highBalue transactions in a timel! manner"
9,"1"1"9 Fetermine that access to sensitie audit trails is restricted to
authorized %ersonnel and that access is monitored"
55. Data integrit) during s)stem interru!tions
Control: The integrit) of data during une-!ected interru!tions in data
!rocessing is maintained.
AC@ T
99"1"1"1 In:uire whether and con&irm that utilities are used, where %ossi'le,
to automaticall! maintain the integrit! o& data during une2%ected
interru%tions in data %rocessing"
99"1"1"1"1 Ins%ect the audit trail and other documents, %lans, %olicies
and %rocedures to eri&! that s!stem ca%a'ilities are
e&&ectiel! designed to automaticall! maintain data
5 ,00$ ISACA" All rights resered" =age @1
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
integrit!"
99"1"1"1", 7eiew the records o& actual interru%tions inoling data
integrit! issues, and eri&! that a%%ro%riate tools were used
e&&ectiel!"
56. %onitoring of high1'alue and ad(ustment transactions
Control: Ad(ustments= o'errides and high1'alue transactions are re'iewed
!rom!tl) in detail for a!!ro!riateness b) a su!er'isor who does not
!erform data entr).
AC@ T T
9@"1"1"1 In:uire whether and con&irm that a%%ro%riate tools are used and
maintenance o& thresholds com%lies with the securit! re:uirements"
9@"1"1", In:uire whether and con&irm that a su%erisor %eriodicall! reiews
s!stem out%ut and thresholds"
9@"1"1"9 <se automated eidence collection, including sam%le data,
em'edded audit modules or CAATS, to trace transactions to eri&!
that the tools wor0 as designed"
57. $econcile file totals
Control: A !arallel control file that records transaction counts or
monetar) 'alue as data is !rocessed and then com!ared to master file data
once transactions are !osted. $e!orts are generated to identif) out1of1
balance conditions.
AC@ T T
9A"1"1"1 In:uire whether and con&irm that control &iles are used to record
transaction counts and monetar! alues, and that the alues are
com%ared a&ter %osting"
9A"1"1", Fetermine i& other &ile total controls are in use"
5 ,00$ ISACA" All rights resered" =age @,
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
9A"1"1"9 Geri&! that re%orts are generated identi&!ing outBo&B'alance
conditions and that the re%orts are reiewed, a%%roed and distri'uted
to the a%%ro%riate %ersonnel"
58. "UT/UT $#,I#>= $#C"3CI+IATI"3 A3D #$$"$ 2A3D+I34
58.1 "ut!ut re'iew= reconciliation and error handling
Audit3assurance o'4ectie> =rocedures and associated res%onsi'ilities to ensure that out%ut
is handled in an authorized manner, deliered to the a%%ro%riate reci%ient and %rotected
during transmission should 'e esta'lished and im%lemented* eri&ication, detection and
correction o& the accurac! o& out%ut should occur* and in&ormation %roided in the out%ut
should 'e used"
5:. "ut!ut retention and handling !rocedures
Control: Defined !rocedures for the handling and retaining of out!ut from
IT a!!lications are im!lemented and communicated= follow defined
!rocedures= and consider !ri'ac) and securit) re9uirements.
ACA T
9)"1"1"1 7eiew out%ut handling and retention %rocedures &or %riac! and
securit!"
5;. Data retrie'al interfaces
Control: Data retrie'al !rocesses utilize access control securit) to !re'ent
unauthorized access to data.
ACA T
98"1"1"1 Fetermine i& data retrieal tools including data e2tract generators, o%en
data'ase connectiit! inter&aces (to +icroso&t
O
Access and .2cel) are
restricted to data '! 4o' &unction"
98"1"1", Geri&! that data retrieal securit! tools are e&&ectie '! %er&orming
a%%ro%riate tests o& the controls"
5A. Sensiti'e out!ut monitoring
ACA T
5 ,00$ ISACA" All rights resered" =age @9
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
Control: /h)sical in'entories of all sensiti'e out!ut= such as negotiable
instruments= are routinel) !erformed and com!ared with in'entor)
records. /rocedures with audit trails to account for all e-ce!tions and
re(ections of sensiti'e out!ut documents ha'e been created.
9$"1"1"1 7eiew the documentation and ensure that %rocedures s%eci&! that
%eriodic inentories should 'e ta0en o& 0e! sensitie documents and
di&&erences should 'e inestigated"
9$"1"1", In:uire whether and con&irm that %h!sical inentories o& sensitie
out%uts are ta0en at a%%ro%riate interals"
9$"1"1"9 Geri&! that %h!sical inentories o& sensitie out%uts are com%ared to
inentor! records and that an! di&&erences are acted u%on"
9$"1"1"@ Con&irm that audit trails are created to account &or all e2ce%tions and
re4ections o& sensitie out%ut documents"
9$"1"1"A Ins%ect a re%resentatie sam%le o& audit trails using automated
eidence collection, i& %ossi'le, to identi&! e2ce%tions* eri&! whether
the! hae 'een detected and action has 'een ta0en"
9$"1"1"6 Ta0e a %h!sical inentor! sam%le, and com%are it to the associated
audit trails to eri&! that detection o%erates e&&ectiel!"
6B. Distribution of sensiti'e out!ut
Control: If the a!!lication !roduces sensiti'e out!ut= the reci!ients who
ma) recei'e it are defined and the out!ut is clearl) labeled so it is
recognizable b) !eo!le and machines= and is distributed accordingl).
>here necessar)= the sensiti'e data are sent it to s!ecial access1controlled
out!ut de'ices.
ACA T
@0"1"1"1 In:uire whether and con&irm that sensitie in&ormation is de&ined,
5 ,00$ ISACA" All rights resered" =age @@
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
agreed u%on '! the %rocess owner and treated a%%ro%riatel!" This ma!
include la'eling sensitie a%%lication out%ut and, where re:uired,
sending sensitie out%ut to s%ecial accessBcontrolled out%ut deices"
@0"1"1", #or a sam%le o& sensitie data, search out%ut &iles and con&irm that
the! are %ro%erl! la'eled"
@0"1"1"9 7eiew the distri'ution methods o& sensitie in&ormation and the
access control mechanisms o& sensitie out%ut deices"
@0"1"1"@ Geri&! that the mechanisms correctl! en&orce %reesta'lished access
rights"
61. Control total reconciliation
Control: Control totals in the header and.or trailer records of the out!ut
are balanced to the control totals !roduced b) the s)stem at data entr) to
ensure com!leteness and accurac) of !rocessing. If out1of1balance control
totals e-ist= the) are re!orted to the a!!ro!riate le'el of management.
ACA T T
@1"1"1"1 7eiew design criteria and con&irm that the! re:uire the use o&
integrit!B'ased control %rocesses, such as the use o& control totals in
header and3or trailer records and the 'alancing o& out%ut 'ac0 to
control totals %roduced '! the s!stem"
@1"1"1", In:uire whether and con&irm that %rocedures re:uire that outBo&B
'alance conditions and other a'normalities re:uire %rom%t
inestigation and re%orting"
@1"1"1"9 In:uire whether and con&irm that control totals are %ro%erl!
im%lemented in header and3or trailer records o& out%ut to 'alance 'ac0
to control totals %roduced '! the s!stem"
@1"1"1"@ In:uire whether and con&irm that detected outBo&B'alance conditions
5 ,00$ ISACA" All rights resered" =age @A
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
are re%orted to the a%%ro%riate leel o& management" Ins%ect outBo&B
'alance re%orts" Where %ossi'le, use automated eidence collection to
loo0 &or control total errors, and eri&! that the! were acted u%on
correctl! and in a timel! manner"
6*. /rocess 'alidation
Control: ,alidation of com!leteness and accurac) of !rocessing is
!erformed before other o!erations are e-ecuted. If electronic out!ut is
reused= 'alidation is !erformed !rior to subse9uent !rocessing.
ACA T
@,"1"1"1 In:uire whether and con&irm that %rocedures hae 'een deelo%ed to
ensure that out%ut is reiewed &or reasona'leness, accurac! or other
criteria esta'lished '! the %rocess owner %rior to use"
@,"1"1", In:uire whether and con&irm that %rocedures hae 'een designed to
ensure that the com%leteness and accurac! o& a%%lication out%ut are
alidated %rior to the out%ut 'eing used &or su'se:uent %rocessing,
including use in endBuser %rocessing"
@,"1"1"9 L'tain a list o& all electronic out%uts that are reused in endBuser
a%%lications" Geri&! that the electronic out%ut is tested &or
com%leteness and accurac! 'e&ore the out%ut is reused and
re%rocessed"
@,"1"1"@ Select a re%resentatie sam%le o& electronic out%ut, and trace selected
documents through the %rocess to ensure that com%leteness and
accurac! are eri&ied 'e&ore other o%erations are %er&ormed"
@,"1"1"A 7e%er&orm com%leteness and accurac! tests to alidate that the! are
e&&ectie"
5 ,00$ ISACA" All rights resered" =age @6
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
65. 0usiness owner out!ut re'iew
Control: /rocedures to ensure that the business owners re'iew the final
out!ut for reasonableness= accurac) and com!leteness are defined and
im!lemented= and out!ut is handled in line with the a!!licable
confidentialit) classification. /otential errors are re!orted and logged in an
automated= centralized logging facilit)= and errors are addressed in a timel)
manner.
ACA T T T
@9"1"1"1 In:uire whether and con&irm that detected outBo&B'alance conditions
are re%orted, re%orts hae 'een designed into the s!stem and
%rocedures hae 'een deelo%ed to ensure that re%orts are %roided to
the a%%ro%riate leel o& management"
@9"1"1", Assess whether %rocedures hae 'een de&ined that re:uire the logging
o& %otential errors and their resolution %rior to distri'ution o& the re%orts"
@9"1"1"9 In:uire whether and con&irm that out%ut is reiewed &or
reasona'leness and accurac!"
@9"1"1"@ Select a re%resentatie sam%le o& out%ut re%orts, and test the
reasona'leness and accurac! o& the out%ut" Geri&! that %otential errors
are re%orted and centrall! logged"
@9"1"1"A Select a sam%le o& re%resentatie transactions, and eri&! that errors
are identi&ied and addressed in a timel! manner"
@9"1"1"6 Ins%ect error logs to eri&! that errors are e&&ectiel! addressed in a
timel! manner"
66. T$A3SACTI"3 AUT2#3TICATI"3 A3D I3T#4$ITC
66.1 Transaction authentication and integrit)
Audit3assurance o'4ectie> Ce&ore %assing transaction data 'etween internal a%%lications
5 ,00$ ISACA" All rights resered" =age @)
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
and 'usiness3o%erational &unctions (inside or outside the enter%rise), transactions should 'e
chec0ed &or %ro%er addressing, authenticit! o& origin and integrit! o& content" Authenticit!
and integrit! should 'e maintained during transmission or trans%ort"
67. Data e-change standards
Control: >here transactions are e-changed electronicall)= an agreed1u!on
standard of communication and mechanisms necessar) for mutual
authentication is established= including how transactions will be
re!resented= the res!onsibilities of both !arties and how e-ce!tion
conditions will be handled.
AC6 T
@A"1"1"1 In:uire whether and con&irm that a %rocess has 'een designed to
ensure that, &or critical transactions, a%%ro%riate agreements hae 'een
made with counter%arties that include communication and transaction
%resentation standards, res%onsi'ilities, authentication, and securit!
re:uirements"
@A"1"1", Select a sam%le o& counter%art! agreements &or critical transactions
and eri&! that the! are com%lete"
@A"1"1"9 In:uire whether and con&irm that s!stems are designed to incor%orate
a%%ro%riate mechanisms &or integrit!, authenticit! and nonre%udiation,
such as ado%tion o& a secure standard or one that is inde%endentl!
eri&ied"
@A"1"1"@ 7eiew documentation and %er&orm a wal0through to identi&!
a%%lications that are critical &or transaction authenticit!, integrit! and
nonre%udiation" #or these a%%lications, in:uire whether and con&irm
that an a%%ro%riate mechanism &or integrit!, authenticit! and
nonre%udiation is ado%ted (i"e", a secure standard or one that is
inde%endentl! eri&ied)"
@A"1"1"A =er&orm a wal0through o& the code o& a sam%le o& a%%lications to
5 ,00$ ISACA" All rights resered" =age @8
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
con&irm that this s%eci&ication and design are a%%lied" Geri&! that these
s%eci&ications hae 'een tested with good results"
@A"1"1"6 7eiew error logs &or transactions that &ailed authentication, and
eri&! the cause"
@A"1"1") =er&orm a wal0through o& the code o& a sam%le o& a%%lications to
con&irm that s%eci&ications &or authenticit! hae 'een a%%lied" Geri&!
that these s%eci&ications hae 'een tested with good results"
68. Tag out!ut
Control: Tag out!ut from transaction1!rocessing a!!lications in
accordance with industr) standards to facilitate counter!art)
authentication= !ro'ide e'idence of nonre!udiation and allow for content
integrit) 'erification u!on recei!t b) the downstream a!!lication.
AC6 T
@6"1"1"1 L'tain and ins%ect agreements made with counter%arties &or critical
transactions, and ensure that the agreements s%eci&! re:uirements &or
communication and transaction %resentation standards,
res%onsi'ilities, and authentication and securit! re:uirements"
@6"1"1", In:uire whether and con&irm that s!stems are designed to incor%orate
industr! standard out%ut tagging to identi&! authenticated in&ormation"
@6"1"1"9 Ins%ect a%%lication manuals and documentation &or critical
a%%lications to con&irm that te2t regarding s%eci&ications and design
states that out%ut is a%%ro%riatel! tagged with authentication
in&ormation"
@6"1"1"@ Select a re%resentatie sam%le o& transactions, and eri&! that
authenticit! and integrit! in&ormation is correctl! carried &orward
throughout the %rocessing c!cle"
5 ,00$ ISACA" All rights resered" =age @$
Generic Application Audit/Assurance Program
Audit.Assurance /rogram Ste!
C"0IT
Cross1
reference
C"S"
$eferenc
e
2)!er1
lin&
Issue
Cross1
reference
Comments
C
o
n
t
r
o
l

E
n
v
i
r
o
n
m
e
n
t
R
i
s
k

A
s
s
e
s
s
m
e
n
t
C
o
n
t
r
o
l

A
c
t
i
v
i
t
i
e
s
I
n
f
o
r
m
a
t
i
o
n

a
n
d

C
o
m
m
u
n
i
c
a
t
i
o
n
M
o
n
i
t
o
r
i
n
g
@6"1"1"A Select a sam%le o& authentication &ailures to eri&! that the
counter%art! agreements o%erate e&&ectiel!"
6:. Transaction integration with interfacing a!!lications
Control: In!ut recei'ed from other transaction1!rocessing a!!lications is
anal)zed to determine authenticit) of origin and the maintenance of the
integrit) of content during transmission.
AC6 T
@)"1"1"1 Ins%ect manuals and documentation &or critical a%%lications to
con&irm that design s%eci&ications re:uire that in%ut 'e a%%ro%riatel!
eri&ied &or authenticit!"
@)"1"1", In:uire whether and con&irm that s!stems are designed to identi&!
transactions receied &rom other %rocessing a%%lications, and anal!ze
that in&ormation to determine authenticit! o& origin o& the in&ormation
and whether integrit! o& content was maintained during transmission"
@)"1"1"9 7eiew error logs &or transactions that &ailed authentication and
eri&! the cause"
5 ,00$ ISACA" All rights resered" =age A0
Generic Application Audit/Assurance Program
,II. %aturit) Assessment
The maturit! assessment is an o%%ortunit! &or the reiewer to assess the maturit! o& the %rocesses reiewed" Cased on the results o& audit3assurance reiew, and the
reiewer8s o'serations, assign a maturit! leel to each o& the &ollowing CLCIT control %ractices"
C"0IT Control /ractice
Assessed
%aturit)
Target
%aturit)
$eferenc
e
2)!er1
lin&
Comments
AC1 Source Data /re!aration and Authorization
1" Fesign source documents in a wa! that the! increase accurac! with which data can 'e
recorded, control the wor0&low and &acilitate su'se:uent re&erence chec0ing" Where
a%%ro%riate, include com%leteness controls in the design o& the source documents"
," Create and document %rocedures &or %re%aring source data entr!, and ensure that the! are
e&&ectiel! and %ro%erl! communicated to a%%ro%riate and :uali&ied %ersonnel" These
%rocedures should esta'lish and communicate re:uired authorisation leels (in%ut, editing,
authorising, acce%ting and re4ecting source documents)" The %rocedures should also identi&!
the acce%ta'le source media &or each t!%e o& transaction"
9" .nsure that the &unction res%onsi'le &or data entr! maintains a list o& authorised %ersonnel,
including their signatures"
@" .nsure that all source documents include standard com%onents and contain %ro%er
documentation (e"g", timeliness, %redetermined in%ut codes, de&ault alues) and are
authorised '! management"
A" Automaticall! assign a uni:ue and se:uential identi&ier (e"g", inde2, date and time) to eer!
transaction"
6" 7eturn documents that are not %ro%erl! authorised or are incom%lete to the su'mitting
originators &or correction, and log the &act that the! hae 'een returned" 7eiew logs
%eriodicall! to eri&! that corrected documents are returned '! originators in a timel!
&ashion, and to ena'le %attern anal!sis and root cause reiew"
5 ,00$ ISACA" All rights resered" =age A1
Generic Application Audit/Assurance Program
C"0IT Control /ractice
Assessed
%aturit)
Target
%aturit)
$eferenc
e
2)!er1
lin&
Comments
AC* Source Data Collection and #ntr)
1" Fe&ine and communicate criteria &or timeliness, com%leteness and accurac! o& source
documents" .sta'lish mechanisms to ensure that data in%ut is %er&ormed in accordance with
the timeliness, accurac! and com%leteness criteria"
," <se onl! %renum'ered source documents &or critical transactions" I& %ro%er se:uence is a
transaction re:uirement, identi&! and correct outBo&Bse:uence source documents" I&
com%leteness is an a%%lication re:uirement, identi&! and account &or missing source
documents"
9" Fe&ine and communicate who can in%ut, edit, authorise, acce%t and re4ect transactions, and
oerride errors" Im%lement access controls and record su%%orting eidence to esta'lish
accounta'ilit! in line with role and res%onsi'ilit! de&initions"
@" Fe&ine %rocedures to correct errors, oerride errors and handle outBo&B'alance conditions, as
well as to &ollow u%, correct, a%%roe and resu'mit source documents andtransactions in
timel! manner" These %rocedures should consider things such as error message descri%tions,
oerride mechanisms and escalation leels"
A" -enerate error messages in a timel! manner as close to the %oint o& origin as %ossi'le" The
transactions should not 'e %rocessed unless errors are corrected or a%%ro%riatel! oerridden
or '!%assed" .rrors that cannot 'e corrected immediatel! should 'e logged in an automated
sus%ense log, and alid transaction %rocessingshould continue" .rror logs should 'e reiewed
and acted u%on within a s%eci&ied and reasona'le %eriod o& time"
6" .nsure that errors and outBo&B'alance re%orts are reiewed '! a%%ro%riate %ersonnel, &ollowed
u% and corrected within a reasona'le %eriod o& time, and that, where necessar!, incidents are
raised &or more senior attention" Automated monitoring tools should 'e used to identi&!,
monitor and manage errors"
)" .nsure that source documents are sa&eBstored (either '! the 'usiness or '! IT) &or a su&&icient
%eriod o& time in line with legal, regulator! or 'usiness re:uirements"
5 ,00$ ISACA" All rights resered" =age A,
Generic Application Audit/Assurance Program
C"0IT Control /ractice
Assessed
%aturit)
Target
%aturit)
$eferenc
e
2)!er1
lin&
Comments
AC5 Accurac)= Com!leteness and Authenticit) Chec&s
1" .nsure that transaction data are eri&ied as close to the data entr! %oint as %ossi'le and
interactiel! during online sessions" .nsure that transaction data, whether %eo%leBgenerated,
s!stemBgenerated or inter&aced in%uts, are su'4ect to a ariet! o& controls to chec0 &or
accurac!, com%leteness and alidit!" Whereer %ossi'le, do not sto% transaction alidation
a&ter the &irst error is &ound" =roide understanda'le error messages immediatel! such that
the! ena'le e&&icient remediation"
," Im%lement controls to ensure accurac!, com%leteness, alidit! and com%lianc! to regulator!
re:uirements o& data in%ut" Controls ma! include se:uence, limit, range, alidit!,
reasona'leness, ta'le loo0Bu%s, e2istence, 0e! eri&ication, chec0 digit, com%leteness (e"g",
total monetar! amount, total items, total documents, hash totals), du%licate and logical
relationshi% chec0s, and time edits" Galidation criteria and %arameters should 'e su'4ect to
%eriodic reiews and con&irmation"
9" .sta'lish access control and role and res%onsi'ilit! mechanisms so that onl! authorised
%ersons in%ut, modi&! and authorise data"
@" Fe&ine re:uirements &or segregation o& duties &or entr!, modi&ication and authorisation o&
transaction data as well as &or alidation rules" Im%lement automated controls and role and
res%onsi'ilit! re:uirements"
A" 7e%ort transactions &ailing alidation and %ost them to a sus%ense &ile" 7e%ort all errors in a
timel! &ashion, and do not dela! %rocessing o& alid transactions"
6" .nsure that transactions &ailing edit and alidation routines are su'4ect to a%%ro%riate
&ollowBu% until errors are remediated" .nsure that in&ormation on %rocessing &ailures is
maintained to allow &or root cause anal!sis and hel% ad4ust %rocedures and automated
controls"
5 ,00$ ISACA" All rights resered" =age A9
Generic Application Audit/Assurance Program
C"0IT Control /ractice
Assessed
%aturit)
Target
%aturit)
$eferenc
e
2)!er1
lin&
Comments
AC6 /rocessing Integrit) and ,alidit)
1" .sta'lish and im%lement mechanisms to authorise the initiation o& transaction %rocessing and
to en&orce that onl! a%%ro%riate and authorised a%%lications and tools are used"
," 7outinel! eri&! that %rocessing is com%letel! and accuratel! %er&ormed with automated
controls, where a%%ro%riate" Controls ma! include chec0ing &or se:uence and du%lication
errors, transaction3record counts, re&erential integrit! chec0s, control and hash totals, range
chec0s, and 'u&&er oer&low"
9" .nsure that transactions &ailing alidation routines are re%orted and %osted to a sus%ense &ile"
Where a &ile contains alid and inalid transactions, ensure that the %rocessing o& alid
transactions is not dela!ed and that all errors are re%orted in a timel! &ashion" .nsure that
in&ormation on %rocessing &ailures is 0e%t to allow &or root cause anal!sis and hel% ad4ust
%rocedures and automated controls, to ensure earl! detection or to %reent errors"
@" .nsure that transactions &ailing alidation routines are su'4ect to a%%ro%riate &ollowBu% until
errors are remediated or the transaction is cancelled"
A" .nsure that the correct se:uence o& 4o's has 'een documented and communicated to IT
o%erations" Io' out%ut should include su&&icient in&ormation regarding su'se:uent 4o's to
ensure that data are not ina%%ro%riatel! added, changed or lost during %rocessing"
6" Geri&! the uni:ue and se:uential identi&ier to eer! transaction (e"g", inde2, date and time)"
)" +aintain the audit trail o& transactions %rocessed" Include date and time o& in%ut and user
identi&ication &or each online or 'atch transaction" #or sensitie data, the listing should
contain 'e&ore and a&ter images and should 'e chec0ed '! the 'usiness owner &or accurac!
and authorisation o& changes made"
8" +aintain the integrit! o& data during une2%ected interru%tions in data %rocessing with s!stem
and data'ase utilities" .nsure that controls are in %lace to con&irm data integrit! a&ter
%rocessing &ailures or a&ter use o& s!stem or data'ase utilities to resole o%erational
%ro'lems" An! changes made should 'e re%orted and a%%roed '! the 'usiness owner 'e&ore
the! are %rocessed"
$" .nsure that ad4ustments, oerrides and highBalue transactions are reiewed %rom%tl! in
detail &or a%%ro%riateness '! a su%erisor who does not %er&orm data entr!"
10" 7econcile &ile totals" #or e2am%le, a %arallel control &ile that records transaction counts or
monetar! alue as data should 'e %rocessed and then com%ared to master &ile data once
transactions are %osted" Identi&!, re%ort and act u%on outBo&B'alance conditions"
5 ,00$ ISACA" All rights resered" =age A@
Generic Application Audit/Assurance Program
C"0IT Control /ractice
Assessed
%aturit)
Target
%aturit)
$eferenc
e
2)!er1
lin&
Comments
AC7 "ut!ut $e'iew= $econciliation and #rror 2andling
1" When handling and retaining out%ut &rom IT a%%lications, &ollow de&ined %rocedures and
consider %riac! and securit! re:uirements" Fe&ine, communicate and &ollow %rocedures &or
the distri'ution o& out%ut"
," At a%%ro%riate interals, ta0e a %h!sical inentor! o& all sensitie out%ut, such as negotia'le
instruments, and com%are it with inentor! records" Create %rocedures with audit trails to
account &or all e2ce%tions and re4ections o& sensitie out%ut documents"
9" +atch control totals in the header and3or trailer records o& the out%ut to 'alance with the
control totals %roduced '! the s!stem at data entr! to ensure com%leteness and accurac! o&
%rocessing" I& outBo&B'alance control totals e2ist, re%ort them to the a%%ro%riate leel o&
management"
@" Galidate com%leteness and accurac! o& %rocessing 'e&ore other o%erations are %er&ormed" I&
electronic out%ut is reused, ensure that alidation has occurred %rior to su'se:uent uses"
A" Fe&ine and im%lement %rocedures to ensure that the 'usiness owners reiew the &inal out%ut
&or reasona'leness, accurac! and com%leteness, and that out%ut is handled in line with the
a%%lica'le con&identialit! classi&ication" 7e%ort %otential errors, log them in an automated,
centralised logging &acilit!, and address errors in a timel! manner"
6" I& the a%%lication %roduces sensitie out%ut, de&ine who can receie it, la'el the out%ut so it is
recognisa'le '! %eo%le and machines, and im%lement distri'ution accordingl!" Where
necessar!, send it to s%ecial accessBcontrolled out%ut deices"
AC8 Transaction Authentication and Integrit)
1" Where transactions are e2changed electronicall!, esta'lish an agreedBu%on standard o&
communication and mechanisms necessar! &or mutual authentication, including how
transactions will 'e re%resented, the res%onsi'ilities o& 'oth %arties and how e2ce%tion
conditions will 'e handled"
," Tag out%ut &rom transaction %rocessing a%%lications in accordance with industr! standards to
&acilitate counter%art! authentication, %roide eidence o& nonBre%udiation, and allow &or
content integrit! eri&ication u%on recei%t '! the downstream a%%lication"
9" Anal!se in%ut receied &rom other transaction %rocessing a%%lications to determine
authenticit! o& origin and the maintenance o& the integrit! o& content during transmission"
5 ,00$ ISACA" All rights resered" =age AA
Generic Application Audit/Assurance Program
,III. Assessment %aturit) 's. Target %aturit)
5 ,00$ ISACA" All rights resered" =age A6