
[PERIOD]

[CYCLE]
Prepared: [insert name of Preparer]
Reviewed: [insert name of Reviewer]

Review Area I: Business Application and Automated Controls

Sub Area / Control Questions

I1 System Configuration

Input Validation
I1-1 Perform front-end tests on relevant modules of the applications in scope to ascertain that relevant edit controls have been implemented on important fields. Tests include:
- Appropriate date format
- Negative amounts
- Compulsory fields
- Acceptable rate values
- Data validation in numeric fields
- Calendar controls
- Drop-down menus
I1-2 Perform checks on relevant modules to ascertain that credit limit checks have been implemented
I1-3 Perform checks on relevant modules to ascertain that appropriate authorization was obtained and used as the basis for performing operations
I1-4 Perform duplicate/sequence checks on key fields of the application to ascertain their adequacy

Segregation of Duties Configurations
I1-5 Do relevant policies exist to guide segregation of duties?
I1-6 Does a management-approved user access matrix exist for the applications?
I1-7 Is the user access matrix periodically reviewed for adequacy?
I1-8 Are menu options pre-configured?
I1-9 Review sample user profiles to ascertain that appropriate access privileges have been assigned in line with users' job functions
I1-10 Has the responsibility for maintenance of end-user profiles on the application been adequately assigned?
I1-11 Ascertain the adequacy of maker-checker controls on the application
I1-12 Ascertain that master data maintenance on key applications (customer, vendor, rates, price, products) is adequate
I1-13 Identify critical system transactions and ascertain that only authorized personnel have access to perform such transactions

Processing and Calculation
I1-14 Gain an understanding of the business process in order to review the accuracy of system computations

I2 System Integration

Interface Controls
I2-1 Review controls in place to ascertain completeness and accuracy of data transfer between interfacing systems
I2-2 In the case of a semi-automated or manual interface, review sample data to ascertain the adequacy and accuracy of data transferred between systems

I3 System Generated Reports
I3-1 Perform procedures to ascertain the accuracy of system-generated reports by reviewing information on the reports against source data.
I3-2 Ascertain that issues noted from at least one system-generated report were followed up and resolved in a timely manner.
Test Procedures

I1-1 (input validation)
1] Identify the critical processes performed on the business application under review
2] Walk through the process with the process initiator and perform input validation tests.
3] Identify important date, numeric and text fields and perform the following tests to ensure the accuracy of data inputted on the application:
- Attempt to input a date format other than the appropriate date format
- Attempt to input negative amounts in fields that shouldn't accept negatives
- Attempt to submit a form without inputs in the compulsory fields
- Attempt to input rate values not within the defined acceptable range
- Attempt to input text or inaccurate values in numeric fields
- Ascertain that the calendar controls implemented are adequate
- Ascertain that drop-down options are available for fields with multiple options, to minimize the risk of erroneous entries
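The edit controls the I1-1 tests probe, shown from the application side as an added example (not part of this work program): a server-side validation routine for a transaction entry form, exercised with the negative inputs listed above. The field names, the date format and the acceptable rate range are assumed.

```python
# Added example; form fields, date format and rate range are assumed, not from the work program
from datetime import datetime
from decimal import Decimal, InvalidOperation

MANDATORY = ("customer_id", "posting_date", "amount", "rate")   # compulsory fields
NUMERIC = ("amount", "rate")                                     # numeric-only fields
DATE_FORMAT = "%Y-%m-%d"                                         # the one accepted date format
RATE_MIN, RATE_MAX = Decimal("0.00"), Decimal("25.00")           # assumed acceptable rate range

def validate_entry(form: dict) -> list:
    """Return the list of edit-control failures; an empty list means the entry is accepted."""
    errors = []
    for name in MANDATORY:                      # compulsory fields must be present
        if form.get(name) in (None, ""):
            errors.append(f"{name}: compulsory field is empty")
    raw_date = form.get("posting_date")
    if raw_date:                                # date must parse in the defined format
        try:
            datetime.strptime(raw_date, DATE_FORMAT)
        except ValueError:
            errors.append(f"posting_date: expected format {DATE_FORMAT}")
    for name in NUMERIC:                        # numeric, non-negative and within range
        raw = form.get(name)
        if raw in (None, ""):
            continue
        try:
            value = Decimal(str(raw))
        except InvalidOperation:
            value = Decimal("NaN")
        if not value.is_finite():               # rejects text, NaN and Infinity alike
            errors.append(f"{name}: not a valid number")
        elif value < 0:
            errors.append(f"{name}: negative values are not allowed")
        elif name == "rate" and not RATE_MIN <= value <= RATE_MAX:
            errors.append(f"rate: outside acceptable range {RATE_MIN} to {RATE_MAX}")
    return errors

# Constructed inputs mirroring the work program's tests, plus one valid entry
GOOD = {"customer_id": "C001", "posting_date": "2023-12-31", "amount": "100.00", "rate": "5.00"}
AUDIT_CASES = {"valid": GOOD,
    "wrong_date_format": {**GOOD, "posting_date": "31/12/2023"},
    "negative_amount": {**GOOD, "amount": "-100.00"},
    "missing_compulsory": {**GOOD, "customer_id": ""},
    "rate_out_of_range": {**GOOD, "rate": "99.00"},
    "text_in_numeric": {**GOOD, "amount": "ten"},
}

def run_audit_cases() -> dict:
    # Map each test case to the failures the application is expected to report
    return {case: validate_entry(form) for case, form in AUDIT_CASES.items()}
```

A case that returns no failures where the work program expects one is an exception to record against I1-1.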

I1-2 (credit limit checks)
1] Identify processes in which credit limits are initially granted to customers (i.e. sales of cement) as well as updated.
2] Review the customer's credit limit as implemented on the application
3] Attempt to post a transaction using an amount higher than the credit limit (the expectation is that the application declines the entry)

I1-3 (authorization)
1] Identify processes that require authorizations outside the application.
2] Review all the postings on the module against the authorization document to ascertain that appropriate authorization was obtained prior to posting and that the postings are in line with what was authorized

I1-4 (duplicate/sequence checks)
1] Identify fields on the application that should be unique per the process defined by business
2] Obtain a spool of all transactions and review for duplicates
3] Follow up on noted exceptions

I1-5 (segregation of duties policies)
1] Review IT policies on users' access to business applications to ensure that:
- Access to roles is on a least privilege basis
- Access to data is on a need-to-know basis
- Segregation of duties is enforced

I1-6 (user access matrix)
1] Obtain and review the approved segregation of duties matrix defined for users on the applications
2] Ascertain that the segregation of duties matrix was developed and approved by business owners and vetted by internal controls
3] Discuss with the business process owners to ascertain that there are no conflicting roles

I1-7 (periodic review of the user access matrix)
1] Review the user access matrix to ascertain the last review date
2] Discuss with IT personnel and business process owners to gain an understanding of new modules, functions and roles that have been configured on the application
3] Ascertain that the user access matrix is updated to reflect the new changes

I1-8 (pre-configured menu options)
1] Review the application to ascertain that there are preconfigured user menus and groups
2] If preconfigured menus are not available, discuss with relevant personnel to gain an understanding of the alternative procedures in place and ascertain their adequacy

I1-9 (sample user profiles)
1] Review the access privileges of sample user profiles on the application against their job functions
2] Discuss noted exceptions with business process owners and follow up to resolution

I1-10 (maintenance of end-user profiles)
1] Review the access privileges of the personnel responsible for managing user profiles (i.e. profile modification, profile creation)
2] Ascertain that the responsible personnel are not required to carry out business/operational processes on the application, to avoid the risk of collusion and possible fraud

I1-11 (maker-checker controls)
1] Identify processes that require an initiator and an authorizer (i.e. the same transaction should not be completed by one user)
2] Perform walkthroughs of the process on the application to ascertain that the same person cannot initiate and authorize the same transaction
3] Review the roles and privileges of the initiator and authorizer to ascertain that the initiator cannot complete the transaction

I1-12 (master data maintenance)
1] Discuss with the business process owners to gain an understanding of how master data is maintained on the application
2] Ascertain that appropriate levels of management approval are obtained before updates are made
3] Review the master data changes on the system against the relevant authorization document to ascertain that the update was done as authorized
4] Review the roles and privileges assigned to personnel responsible for maintaining master data and ascertain that they are in line with their job function
5] Review the roles and privileges of all users on the application to ascertain that only authorized personnel have access to maintain master data

I1-13 (critical system transactions)
1] Discuss with business process owners to gain an understanding of other critical business processes carried out on the application
2] Review the roles and privileges of all users on the application to ascertain that only authorized personnel can perform such transactions

I1-14 (processing and calculation)
1] Identify processes on the application in which the system automatically computes certain fields
2] Discuss with business process owners to gain an understanding of the logic behind the computation
3] Recompute the results of the system-computed field and compare with the system-generated values.
4] Follow up on noted differences, if any

I2-1 (interface controls)
1] Identify processes in which data is transferred between two or more applications
2] Discuss with business process owners and IT personnel to gain an understanding of how information is transferred between the applications
3] Ascertain that notifications are generated for failed exceptions and that these are resolved by the system administrators
4] Obtain the spool of data from both applications and compare for exceptions
5] Follow up on noted exceptions

I2-2 (semi-automated or manual interfaces)
1] Obtain the spool of data from both applications and compare for exceptions
2] Follow up on noted exceptions
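The spool comparison called for under I2-1 and I2-2, together with the duplicate check on a key field under I1-4, as one added example that is not part of this work program. It reconciles two constructed transaction spools (source application and receiving application), reports rows missing on either side, amount mismatches and the control totals of each side, and flags repeated key values; the csv layout (txn_id, customer_id, amount) is assumed.

```python
# Added example; the spool layout and the sample rows are constructed, not from the work program
import csv
from collections import Counter
from decimal import Decimal
from io import StringIO

# Constructed spools: T1003 is posted twice at source, T1002 differs in amount,
# T1004 never reached the target and T1005 exists only at the target
SOURCE_SPOOL = """txn_id,customer_id,amount
T1001,C001,250.00
T1002,C002,1200.00
T1003,C003,75.50
T1003,C003,75.50
T1004,C004,900.00
"""
TARGET_SPOOL = """txn_id,customer_id,amount
T1001,C001,250.00
T1002,C002,1020.00
T1003,C003,75.50
T1005,C005,10.00
"""

def load_spool(text: str) -> list:
    """Parse a csv spool into rows; amounts become Decimal so control totals are exact."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["amount"] = Decimal(row["amount"])
    return rows

def find_duplicates(rows: list, key: str = "txn_id") -> dict:
    """Key values that occur more than once (I1-4 duplicate check on a key field)."""
    counts = Counter(row[key] for row in rows)
    return {value: n for value, n in counts.items() if n > 1}

def reconcile(source: list, target: list, key: str = "txn_id") -> dict:
    """Rows missing on either side, amount mismatches and (count, sum) control totals per side."""
    src = {row[key]: row for row in source}
    tgt = {row[key]: row for row in target}
    return {
        "missing_in_target": sorted(set(src) - set(tgt)),
        "missing_in_source": sorted(set(tgt) - set(src)),
        "amount_mismatch": sorted(k for k in src.keys() & tgt.keys()
                                  if src[k]["amount"] != tgt[k]["amount"]),
        "source_total": (len(source), sum(r["amount"] for r in source)),
        "target_total": (len(target), sum(r["amount"] for r in target)),
    }

def run_interface_review() -> dict:
    source, target = load_spool(SOURCE_SPOOL), load_spool(TARGET_SPOOL)
    return {"duplicates": find_duplicates(source), "exceptions": reconcile(source, target)}
```

Each item in the result is an exception to follow up with the process owners; the control totals also give the completeness check a reviewer would expect before accepting the interface.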
I3-1 (accuracy of system-generated reports)
1] For the application under review, identify critical reports used for business processing
2] Spool the reports and compare the results against source data
3] Obtain explanations for noted differences

I3-2 (follow-up of issues from system-generated reports)
1] For the application under review, review a sample of system-generated reports utilized during the review period to ascertain that errors were logged, reviewed and remediated in a timely manner

Review Status: Completed
