Auditing Application

Controls (GTAG 8)
Steve Hunt – ATC Chair
Senior Manager, Crowe Horwath LLP
May 18, 2010

www.theiia.org
 Webinar Participation
• Submitting
S b itti Q Questions
ti tto th
the P
Presenter:
t
– Type the question into the Q&A panel section.
– Select the “Send” button.
– We will have a dedicated question and answer session at the end
of the presentation to address your questions.

• Technical Assistance
– Type your issue into the Chat panel section to IIA Tech Support.
– Select the “Send” button.
– We will respond to your question privately.

www.theiia.org
 Demographic Polling Questions
1. How many viewers are watching the Webinar at your location?
a) 1 – I am the only viewer
b) 2 to 4 viewers
c) 5 to 7 viewers
d) 8 to 10 viewers
e) More than 10 viewers

2. At what level in yyour internal audit career are you?

y
a) New to internal audit
b) Staff Auditor
c) Sr. Staff Auditor
d) Audit Manager
e) Audit Director
f) Chief Audit Executive

www.theiia.org
 Learning Objectives
• What application controls are and their
benefits
• The role of internal auditors
• Risk assessment considerations
• Application control review scoping
• Application review approaches
• Suggested tests and tools and sample
audit program

www.theiia.org
Definition of Application
pp Controls
• IT controls specific to an application or system
that supports a particular business process
– IInputt data
d t is
i accurate,
t complete,
l t authorized
th i d and d
correct
– Data is p processed as intended in an acceptable
p
time period
– Output and stored data is accurate and
complete
– A record is maintained to track data processing
from input to storage to output

www.theiia.org
Definition of Application
pp Controls
• General computer controls
– Apply
pp y to all organization-wide
g system
y
components, processes and data
• Can be similarities between application
controls and general computer controls
– Accounts and passwords
– System parameters and settings

www.theiia.org
 Application Control Examples
• Logical access controls, i.e. end-user security
• A/P tolerance levels
• Automatic postings
• Hard vs. soft errors
• Document number ranges
• Data integrity checks
• Workflow approvals
• Control accounts

www.theiia.org
 Benefits of Application Controls
– Reliability
• Reduces likelihood of errors due to manual
intervention
• They don’t take vacation, get sick, have a bad
day or temporary forms of amnesia
– Repeatability & Sustainability
• Application controls are not susceptible to
breakdowns or lack of execution
• They work the same way over and over again

www.theiia.org
 Benefits of Application Controls
– Can also be very effective at increasing the
efficiency of business processes
• Reduction of reliance on manual, detective
controls

www.theiia.org
 Benefits of Application
pp Controls
• Cost effective and efficient means to
manage
g risk,, continued
– Benchmarking – conclude application
controls are effective year-to-year IF:
• General computer controls are effective, AND
• No changes have been applied to the
programs or configuration tables that affect how
the application controls operate

www.theiia.org
 Who Audits Application Controls?
Three Pieces of the Control Environment
Application Controls = Hybrid

General Computer Manual controls =

Controls = IT Auditors Financial Auditors

www.theiia.org
 The Role of the Internal Auditor
• Service Provider
– Assurance and compliance
• All internal auditors should possess the necessary
competencies to determine if business process
application controls are correctly designed and
operating effectively
– System implementations
• Independent risk assessment
• Design and testing of controls
– Education

www.theiia.org
 Audit Skills
• In-depth understanding of end-to-end
business
bus ess processes
p ocesses
– Procure to Pay
– Order to Cash

www.theiia.org
 Audit Skills
• Understanding of the application or
modules
– The most common knowledge gap – critical
success factor
– Demonstrated navigation, user module
understanding, configuration basics and
security

www.theiia.org
 Risk Assessment
• Assess Business Risk
– Top-down approach
• What are the main risks associated with the
business process(s) that run through the
pp
application?
• Where are these process(s) operated?
• Who operates the process(s) and transactions?
• Assign
A i quantitative
tit ti and
d qualitative
lit ti values
l with
ith
appropriate weight so as to identify where to
prioritize resources and effort

www.theiia.org
 Risk Assessment
• Application Inherent Risk
– Not a question of if there are risks, but what
are they and how do we address them?

www.theiia.org
 Scoping & Auditing Approaches
• Business Process Method
– Top-down approach that covers one or more
business processes that cut across one or
more applications
• Financial
Fi i l Statement
St t t Close
Cl P
Process
• Order to Cash
– First evaluate business risk
risk, then correlate
application and infrastructure risks

www.theiia.org
 Scoping
p g & Auditing
g Approaches
pp
• Single Application Method
– Focus on a single application or module
• Can be difficult to apply in an ERP environment
• Logical Access Controls
– Included no matter which method is chosen

www.theiia.org
 Suggested
gg Control Tests
• GTAG includes example controls and
suggested tests (Appendix A)
– Input and Access Controls
– File and Data Transmission Controls
– Processing Controls
– Output Controls
– Master Files and Standing Data Controls

www.theiia.org
 Sample Audit Program
(Appendix B)
• Built on 5 control objectives
– Input data is accurate, complete, authorized,
and correct
– Data is processed as intended in an
acceptable time period
– Data stored is accurate and complete
– Outputs are accurate and complete
– A record is maintained that tracks the process
of data input, storage, and output

www.theiia.org
 Sample Audit Program
(Appendix B)
• Each control objective includes example
controls and suggested review activities

www.theiia.org
 Summary
• Conduct reviews to determine how to
better leverage the investment in IT
through application controls
• The GTAG is application agnostic and
should be augmented by application
specific control knowledge

www.theiia.org
 Contact Information
Steve Hunt – Senior Manager
Dallas Texas
Dallas,
steve.hunt@crowehorwath.com
214-534-9555 Mobile

The IIA: technology@theiia.org

GTAG 8: http://www.theiia.org/guidance/standards-and-
p gg
guidance/ippf/practice-guides/gtag/gtag8/

www.theiia.org
 Th k You
Thank Y for
f joining
j i i us!!
• Next Global Guidance in Action Event
Tuesday, June 15th 12:00 – 1:00 p.m. EDT
GTAG 9: Identity and Access Management
Sajay Rai, CPA, CISSP, CISM & CEO, Securely Yours LLC

• This webinar is worth 1 CPE that can be

self-reported for IIA certifications.
– CPE certificates will not be distributed.

www.theiia.org
 Webinar Playback & Survey
IIA members may access this Webinar
playback at:
http://www theiia org/guidance/standards and
http://www.theiia.org/guidance/standards-and-
guidance/practice-guide-series/

We value your feedback. Please take a

moment to complete the survey questions
questions.

www.theiia.org