
Auditing IT Application Controls
Application Controls
Application controls exist to ensure that:
 Data input into the system is accurate, complete, authorized and correct
 Data is processed as intended in an acceptable time
 Output of the stored data is accurate (e.g. reports)
 A record is maintained to keep track of the data in the system
They are a cost effective way of managing the risk.

© 2021 KPMG, a Sri Lankan Partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 560688
Types of Controls
Process level controls
 Manual controls
 Manual with automated component controls (MWAC), which have:
   a manual component
   an automated component
Application controls
 Fully automated controls
 IPE (information produced by the entity, e.g. system reports that a manual control relies on)
The automated component of MWACs, IPE and fully automated controls together make up the automated component of application controls (the "automated controls").

Types of Application Controls
Exception/Edit Reports

System Configuration/Account Mapping

Interface Controls

System Access

Exception/edit reports
— Reports are generally treated as IPE
— Must obtain comfort over Completeness & Accuracy (C&A) of the report: that it includes every exception in the population and that each line is correct
— Forms the basis of a management review control
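Added example (not from the original slides): one way to obtain comfort over the completeness and accuracy of an exception report is to re-perform its logic independently over the source population and reconcile the result to what the system produced. The PO table, the report contents and the report's rule (approved POs whose creator and approver are the same user) are constructed here for illustration; they are not from any real system.

```python
"""Testing an exception report as IPE: regenerate it from the source data and
reconcile. Any PO the system report omitted is a completeness gap; any PO the
report lists that the source does not support is an accuracy gap."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    created_by: str
    approved_by: str  # empty string means not yet approved
    amount: float


# Constructed source extract: the population the report should be built from.
SOURCE_POS = [
    PurchaseOrder("PO-1001", "david", "tara", 1200.00),
    PurchaseOrder("PO-1002", "david", "david", 950.00),  # self-approved
    PurchaseOrder("PO-1003", "kumar", "kumar", 300.00),  # self-approved
    PurchaseOrder("PO-1004", "tara", "", 4100.00),       # unapproved: not in scope of this report
    PurchaseOrder("PO-1005", "amal", "Amal", 75.00),     # self-approved, but user id case differs
]

# Constructed copy of what the system's weekly exception report actually listed.
SYSTEM_REPORT = [
    ("PO-1002", 950.00),
    ("PO-1003", 300.00),
    ("PO-9999", 10.00),  # row with no matching source record
]


def expected_exceptions(pos):
    """Re-perform the report rule independently: approved POs whose creator
    and approver are the same user. User ids are compared case-insensitively
    (an assumption about how the entity's ids should be matched)."""
    return {
        po.po_number: po.amount
        for po in pos
        if po.approved_by and po.created_by.lower() == po.approved_by.lower()
    }


def reconcile(source, report):
    """Compare the re-performed report with the system report."""
    expected = expected_exceptions(source)
    reported = {po_no: amt for po_no, amt in report}
    missing = sorted(set(expected) - set(reported))   # completeness finding
    extra = sorted(set(reported) - set(expected))     # accuracy finding
    amount_mismatch = sorted(
        po_no for po_no in set(expected) & set(reported)
        if abs(expected[po_no] - reported[po_no]) > 0.005
    )
    return {
        "missing": missing,
        "extra": extra,
        "amount_mismatch": amount_mismatch,
        "reliable": not (missing or extra or amount_mismatch),
    }


if __name__ == "__main__":
    print(reconcile(SOURCE_POS, SYSTEM_REPORT))
```

In the constructed data the system report missed PO-1005 (its comparison was case-sensitive) and listed a PO that does not exist, so the report cannot be relied on until both are explained; a management review control built on it inherits those gaps.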

System configuration/account mapping
— Switches in the system which can turn controls on or off or modify their behavior
— Usually controlled by the end users (for example: finance department)
— Focus on the system applying the settings as implemented

Interface control
— Controls the transfer of data from one system to another
— There is often more than one control over the same interface
— Must obtain comfort over C&A of the interface
— May be a manual or application control
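Added example (not from the original slides): the record-count, control-total and hash-total reconciliation that gives comfort over C&A of a batch interface, run here over a constructed sub-ledger extract and its general-ledger load. The record layout and the XOR-of-SHA-256 hash total are assumptions for illustration, not any particular system's interface control.

```python
"""Interface reconciliation: counts, control totals and hash totals between the
source extract and the target load. A count catches dropped or duplicated
records, a control total catches amount changes, and a hash total catches
content changes that leave the amount total unchanged."""
import hashlib
from decimal import Decimal


def control_totals(records):
    """Record count, sum of amounts and an order-independent hash total.
    The hash total XORs per-record SHA-256 digests, so two identical records
    cancel each other out; the record count is what catches that case."""
    count = 0
    amount = Decimal("0")
    hash_total = 0
    for rec_id, account, amt in records:
        count += 1
        amount += Decimal(amt)
        line = f"{rec_id}|{account}|{Decimal(amt):.2f}".encode()
        hash_total ^= int.from_bytes(hashlib.sha256(line).digest(), "big")
    return {"count": count, "amount": amount, "hash": hash_total}


def reconcile_interface(source, target):
    """Return a list of findings; an empty list means the interface reconciled."""
    s, t = control_totals(source), control_totals(target)
    findings = []
    if s["count"] != t["count"]:
        findings.append(f"record count {s['count']} -> {t['count']}")
    if s["amount"] != t["amount"]:
        findings.append(f"control total {s['amount']} -> {t['amount']}")
    if s["hash"] != t["hash"]:
        findings.append("hash total differs: content of at least one record changed")
    return findings


# Constructed sample data: (record id, GL account, amount as a string).
SOURCE = [("J1", "5000", "100.00"), ("J2", "5000", "250.50"), ("J3", "6100", "-50.50")]
TARGET_OK = list(SOURCE)
TARGET_DROPPED = SOURCE[:2]  # one record lost in transfer
# Amounts altered so that the total still agrees: only the hash total sees it.
TARGET_SWAPPED = [("J1", "5000", "100.00"), ("J2", "5000", "200.00"), ("J3", "6100", "0.00")]

if __name__ == "__main__":
    for name, tgt in [("ok", TARGET_OK), ("dropped", TARGET_DROPPED), ("swapped", TARGET_SWAPPED)]:
        print(name, reconcile_interface(SOURCE, tgt) or "reconciled")
```

The swapped case is why a practitioner asks for more than the amount total: the target still sums to 300.00, so a control total alone would have signed off a load whose individual postings are wrong. In a real engagement the counts and totals would be the ones the interface itself logs on each run, and the auditor would re-compute them from both sides' data.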

System access
— Includes system enforced Segregation of Duties
— Controls must be specific. E.g., The tasks of creating and approving POs are segregated
— Focus on the system applying the settings as implemented

Benefits of Application Controls
 Reliability
Reduces the likelihood of errors due to manual intervention: an automated control performs in the same way on every transaction it processes.

 Benchmarking
Where General IT Controls (GITCs), in particular change management, are effective, an automated control that has been tested once can be relied on in later periods without being retested, as long as the control has not changed.

 Time and Cost Saving
Detailed re-testing of an application control is required only when the relevant GITCs are ineffective, because effective GITCs give assurance that the control still operates as it did when it was tested. If the GITCs are concluded effective, the previous testing can be used to conclude that the application controls are effective.

Role of an IT Auditor
Perform procedures on a test basis to determine whether:
 The entity’s system of internal control is free from material weakness
An IT auditor should have the following knowledge:
 Knowledge of key IT risks
 Knowledge of common application controls
 Knowledge of audit techniques
 Knowledge of business processes and government regulations

Application Review Approaches
Planning

Specialized Resources (Eg: Data Analytics)

Testing approaches

Computer Assisted Audit Techniques

Determine Audit Objectives
The objectives depend partly on whether the review is pre- or post-implementation. As stated previously, the objectives for pre-implementation reviews tend to be specific to the particular project.

The same can be true for certain other purposes. Otherwise, the objective tends to be one of those typical for audits:

 Efficiency (development cost, operational performance, etc.)
 Effectiveness (meeting information requirements/functionality, the original authorization purpose, integration with other IT, operational performance, etc.)
 Compliance (laws and regulations, contractual, etc.)
 Alerts (if alerts are involved with the application)
 Financial reporting implications

Identifying Application Controls
Understand why we are considering the control:
 Identify what could go wrong in relevant business processes related to significant accounts and disclosures and relevant assertions

Understand controls and evaluate design and implementation:
 Inquire of the key people responsible for using/monitoring the automated control
 Inspect relevant system documentation
 Inspect/observe the flow of transactions through the system
 Identify whether the control is customized or application standard

Evaluating controls: Design and Implementation
Procedures performed to evaluate design and implementation include:
 Inquiry
 Inspection
 Observation
 Tracing transactions

Purpose of a Walkthrough
— Understand the flow of transactions
— Confirm our understanding of the entity’s processes, including the identification of what-could-go-wrongs (WCGWs)
— Identify the controls that management has implemented to address these WCGWs

Map Systems and Data Flows
Mapping is one of the most effective tools that the IT auditor has for any IT audit. In auditing applications, it is important to properly scope other IT that either affects or is affected by the application. Mapping helps the IT auditor gain a thorough understanding of the relevant technologies, the process, the controls and how they all fit together. It also enables the IT auditor to perform the steps in this framework, from planning to reporting, as well as possible; that is, it has a comprehensive impact on the quality of the IT audit.

Items to map:
 Relevant IT components (description)
 The business owners or business lines
 Change management policies and procedures
 The role and impact of vendors
 Business processes
 Controls
 Access and security administration

Preventative vs. Detective
Preventative controls operate at the start of a transaction, before it completes; detective controls operate at the finish, after the transaction has occurred.

Laptop transactions:
 Preventative control: we cannot order the laptop unless it has been approved
 Detective control: at the end of every week, we review all self-approved orders

Segregation of Duties (SoD)
System access controls are the configuration controls that manage SoD in an automated environment.

SoD is tested by IT Audit as part of Application Controls and GITCs.

No single individual should have control over two or more conflicting phases of a transaction or operation.

Which business functions would typically be segregated?

Assigning different people the responsibility for authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities for any one person to be in a position to both perpetrate and conceal errors or fraud in the normal course of his or her duties.
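Added example (not from the original slides): a segregation-of-duties check over a user-to-role extract, using the three phases named above (authorizing, recording, custody) as the conflict matrix. The role names, the mapping of roles to phases and the user list are constructed for illustration; in a real ERP the extract would be the effective permissions of each user, including those inherited through composite roles.

```python
"""SoD conflict detection over user role assignments. A user holding roles in
two different phases (authorize / record / custody) of the same transaction
cycle is flagged; two roles in the same phase are not a conflict by this rule."""
from itertools import combinations

# Which phase of the purchase-to-pay cycle each system role grants. Constructed.
ROLE_PHASE = {
    "PO_CREATE": "record",        # raise and record a purchase order
    "PO_APPROVE": "authorize",    # authorize the purchase order
    "GOODS_RECEIPT": "custody",   # take custody of goods received
    "AP_INVOICE": "record",       # record the supplier invoice
    "AP_PAY": "custody",          # release payment (custody of cash)
    "REPORT_VIEW": None,          # read-only: no SoD relevance
}

# Any two distinct phases in one person's hands is a conflict.
CONFLICTING_PHASES = {
    frozenset(pair) for pair in combinations(["authorize", "record", "custody"], 2)
}


def sod_conflicts(user_roles):
    """Return {user: [(role_a, role_b), ...]} for every conflicting role pair."""
    findings = {}
    for user, roles in user_roles.items():
        pairs = []
        for role_a, role_b in combinations(sorted(roles), 2):
            phase_a, phase_b = ROLE_PHASE.get(role_a), ROLE_PHASE.get(role_b)
            if phase_a and phase_b and frozenset((phase_a, phase_b)) in CONFLICTING_PHASES:
                pairs.append((role_a, role_b))
        if pairs:
            findings[user] = pairs
    return findings


# Constructed access extract, as pulled from the application's user-role table.
USER_ROLES = {
    "david": {"PO_CREATE", "REPORT_VIEW"},
    "tara": {"PO_APPROVE", "REPORT_VIEW"},
    "kumar": {"PO_CREATE", "PO_APPROVE"},   # raises and approves POs: conflict
    "amal": {"AP_INVOICE", "AP_PAY"},       # records invoices and pays them: conflict
    "nimal": {"GOODS_RECEIPT", "AP_PAY"},   # both custody: not a cross-phase conflict
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(user, pairs)
```

A role-level check like this is the design-and-implementation evidence; it is not a substitute for also looking at what users actually did, which is what the weekly review of self-approved orders on the preventative-vs-detective slide provides.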

What is a WCGW?
Process (laptop purchase): Request laptop -> Review request -> Approved? (No: modify request; Yes: order laptop) -> Receive laptop

WCGW 1: Lack of segregation of duties in the review (the same person requests and approves)
 Application control: the system is configured to require a different user to authorize the P.O.
 Manual control: on a weekly basis, the invoices received that week are reviewed to confirm that two different people created and authorized the P.O.

WCGW 2: No approval of the P.O. (an order is placed without authorization)
 Application control: an order cannot be placed unless the P.O. has been authorized
 Manual control: the disbursement team will not pay an invoice unless an approved P.O. is provided
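Added example (not from the original slides) serving the preventative-vs-detective slide, the system configuration slide and the WCGW slide above: the laptop-ordering flow as code, with the two preventative application controls (a different user must authorize the P.O.; no order without an authorized P.O.) beside the detective weekly review of self-approved orders. The in-memory purchasing system, the `require_separate_approver` switch, the user names and the dates are all constructed for illustration.

```python
"""Preventative and detective controls over a purchase order, with a
configuration switch that turns one preventative control off so that the
detective control has something to find."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class PO:
    number: str
    requester: str
    approver: Optional[str] = None
    ordered_on: Optional[date] = None


class PurchasingSystem:
    """Constructed stand-in for the purchasing application. The switch models
    the kind of setting the system configuration slide describes."""

    def __init__(self, require_separate_approver: bool = True):
        self.require_separate_approver = require_separate_approver
        self.pos: Dict[str, PO] = {}

    def request(self, number: str, requester: str) -> None:
        self.pos[number] = PO(number, requester)

    def approve(self, number: str, approver: str) -> None:
        po = self.pos[number]
        # Preventative application control for WCGW 1: a different user must
        # authorize the P.O. Refused, not merely logged.
        if self.require_separate_approver and approver == po.requester:
            raise PermissionError(f"{approver} cannot approve own request {number}")
        po.approver = approver

    def order(self, number: str, on: date) -> None:
        po = self.pos[number]
        # Preventative application control for WCGW 2: no order unless the
        # P.O. has been authorized.
        if po.approver is None:
            raise PermissionError(f"{number} has not been approved")
        po.ordered_on = on


def weekly_self_approved_review(system: PurchasingSystem, week_ending: date) -> List[str]:
    """Detective control: at the end of every week, list the orders placed that
    week where the same person raised and approved the P.O."""
    start = week_ending - timedelta(days=6)
    return sorted(
        po.number for po in system.pos.values()
        if po.ordered_on is not None
        and start <= po.ordered_on <= week_ending
        and po.approver == po.requester
    )


def self_approval_blocked() -> bool:
    """With the switch on, the preventative control stops a self-approval."""
    system = PurchasingSystem(require_separate_approver=True)
    system.request("PO-9", "david")
    try:
        system.approve("PO-9", "david")
    except PermissionError:
        return True
    return False


def run_scenario() -> Tuple[bool, List[str]]:
    """Switch off (a deficiency): PO-2 is self-approved and ordered, and the
    weekly review catches it. PO-3 is never approved, so ordering it is still
    blocked by the second preventative control."""
    system = PurchasingSystem(require_separate_approver=False)
    system.request("PO-1", "david")
    system.approve("PO-1", "tara")
    system.order("PO-1", date(2021, 3, 1))
    system.request("PO-2", "david")
    system.approve("PO-2", "david")
    system.order("PO-2", date(2021, 3, 3))
    system.request("PO-3", "kumar")
    try:
        system.order("PO-3", date(2021, 3, 4))
        unapproved_blocked = False
    except PermissionError:
        unapproved_blocked = True
    return unapproved_blocked, weekly_self_approved_review(system, date(2021, 3, 7))


if __name__ == "__main__":
    print(self_approval_blocked(), run_scenario())
```

The auditor's test of the configuration is the two runs side by side: inspect the switch as set in the system, then push a self-approval through and confirm the outcome matches what the setting says should happen. The detective review is what gives comfort for the period during which the switch was found off.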

Process Workflow
What happens: David needs a laptop -> David asks Tara for a laptop -> Tara approves David’s request -> David receives a laptop
Purchase to pay cycle: Identify requirement -> Raise purchase order -> Approve purchase order -> Receive item / make payment
Flow of information: Initiate transaction -> Prepare accounting entries -> Record purchase in ledger (A/P) -> Record purchase in stock and cash accounts
Controls (manual or application controls): Segregation of duties controls; Journal posting controls

General Considerations to Keep in Mind throughout the Audit
 Changes in the entity’s industry, market position, and market pressures
 Changes in the entity’s business, systems, processes, or controls
 Use of service organizations or third parties performing work on behalf of the entity
 Importance of professional skepticism

Key points to Remember!
— Controls are the actions taken by management to prevent, or detect and correct, material misstatement.
— Preventative controls prevent misstatements from occurring
— Detective controls detect and correct misstatements that have occurred
— Effective controls may enable us to reduce the amount of substantive procedures that we need to perform

Questions?
Thank you
