
APPLICATION REVIEW
AUDIT PROGRAM

Contents

1. Documentation

2. Transaction Origination

3. Input Controls

4. Processing Controls

5. Output Controls

6. Reports

7. User Understanding & Satisfaction

8. Contingency Plan
W/P Ref | Done By | Date

DOCUMENTATION

Objective: Computer applications are adequately documented.

1. Review and evaluate completeness and currency of general systems documentation which should include:

2. Cost/benefit analyses.
3. Authorized signatures and signoffs.
4. Data sources, systems files, structures and contents.
5. Output media and distribution.
6. Control points, audit trails and interfaces with other
applications.
7. Backup and retention of records/files.
8. File layouts, identification codes, definitions, etc.
9. List of programs.
10. Edit routines and controls.
11. Verify documentation:
12. Clearly and accurately defines logic and processing
performed.
13. Includes input/output layouts with formats, blocking factors,
label specifications, etc.

14. Is maintained in fireproof cabinet or vault which is accessible only to those personnel with a "need to know".
Is backed up and the backup is current.

15. Review and evaluate user manuals or other written instructions for completeness and accuracy as to:

16. Input documents and related processing.
17. Work flow and relationships to other workstations.
18. Controls and control points.
19. Reporting and handling of errors.

TRANSACTION ORIGINATION

Objective: Only complete and accurate information, properly authorized, is submitted to Data Processing for processing.

20. Determine whether written instructions exist governing the preparation of source documents.

21. Determine the adequacy of user documentation and procedures which can be used as a guide in:

22. Preparing source documents.
23. Tracing document flow.
24. Meeting cut-off schedules.
25. Coding documents.

26. Evaluate source document design. Determine that:

27. Special purpose forms are being used to prevent omissions, preprint information such as transaction codes, provide authorization blocks and allow for accumulating control totals.
28. Pre-numbered documents are or could be used to assist in document control.
29. All source documents indicate transaction identification codes.

30. Determine what procedures exist to evidence authorization of each transaction.
31. Verify that originating departments initiate and maintain control
totals such as unit count, hash totals, etc. on material sent to Data
Processing.

INPUT CONTROLS

Objective: All approved input, and only input that is approved, is accepted for computer processing.

32. Determine that input is batched close to the point of origin and that control totals are created and logged prior to computer processing. See that the computer is not creating, initially, control information. Review Data Control function.

Objective: Only accurate and complete data is input to computer applications. Ensure that all transactions input are complete and accurate.

33. Review computer programs' edit and validating routines to ensure they are placed early in the computer processing and can handle a wide range of possible paths.

34. Evaluate the effectiveness of such routines in detecting incomplete or erroneous data. Determine that all fields are edited. Look for items such as a) use of self-checking digits, b) valid codes, c) limit and reasonableness tests, d) sequence continuity, e) incorrect or missing data, f) crossfoot tests, and g) computer recalculation of manually calculated fields.

35. Review and evaluate batch proof and balancing procedures such as verification of batch control totals in batch header records, transaction counts, etc.

36. Evaluate the method of error reporting, control and resubmission. Ensure that:

37. Where possible, errors are held on suspense files until corrected and that such files are periodically reviewed.

38. Written instructions explicitly describe procedures to be followed in correcting and re-entering erroneous data.

39. Error messages clearly explain the field or character in error and the reason for rejection.

40. Control totals are produced for all rejects and resubmissions.

41. The length of time taken to reenter corrections is reasonable.
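
The input controls above can be seen working together in the following added example, which is not part of the original audit program: a batch is first balanced to its header control totals (record count, amount total, hash total), every field is then edited, and rejects go to a suspense list with their own control totals. The check-digit scheme (Luhn), the transaction codes, the amount limit and all field names are assumptions made for illustration.

```python
from decimal import Decimal

VALID_CODES = {"INV", "CRN"}        # assumed transaction codes
AMOUNT_LIMIT = Decimal("10000.00")  # assumed reasonableness limit

def check_digit_ok(account: str) -> bool:
    """Self-checking digit test (Luhn mod 10, chosen for this example)."""
    if not account.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit(txn: dict) -> list:
    """Edit every field, so a reject lists all of its errors at once."""
    errors = []
    if not check_digit_ok(txn["account"]):
        errors.append("account: check digit failed")
    if txn["code"] not in VALID_CODES:
        errors.append("code: not a valid transaction code")
    if not Decimal("0") < txn["amount"] <= AMOUNT_LIMIT:
        errors.append("amount: outside limit")
    return errors

def totals(txns: list) -> dict:
    """Record count, amount total and hash total (sum of account numbers)."""
    return {"count": len(txns),
            "amount": sum((t["amount"] for t in txns), Decimal("0")),
            "hash": sum(int(t["account"]) for t in txns if t["account"].isdigit())}

def process_batch(header: dict, txns: list) -> dict:
    actual = totals(txns)
    if actual != header:  # balance to the header before any editing
        return {"status": "OUT_OF_BALANCE", "expected": header, "actual": actual}
    accepted = [t for t in txns if not edit(t)]
    suspense = [{**t, "errors": edit(t)} for t in txns if edit(t)]
    return {"status": "BALANCED", "accepted": totals(accepted),
            "suspense": suspense, "reject_totals": totals(suspense)}

# Constructed sample batch; the header totals come from the originating department.
BATCH = [
    {"account": "100230", "code": "INV", "amount": Decimal("250.00")},
    {"account": "200452", "code": "INV", "amount": Decimal("75.50")},     # bad check digit
    {"account": "300673", "code": "XXX", "amount": Decimal("12000.00")},  # bad code, over limit
]
HEADER = {"count": 3, "amount": Decimal("12325.50"), "hash": 601355}
RESULT = process_batch(HEADER, BATCH)
```

Accepted totals plus reject totals equal the header totals, which is the reconciliation an auditor would expect the Data Control function to evidence.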

PROCESSING CONTROLS

Objective: Complete and accurate information is processed from data entry to output.

42. Determine that transactions are verified using master files of approved customers, vendors, employees, etc., as appropriate.

43. Determine that programs develop file control totals for each file
that are then verified by each ensuing program that uses the
file.

44. Ensure that all significant master files contain file control totals
and that such totals are balanced either manually or by
computer processing.

45. Ensure that key financial totals produced by the application system are reconcilable to comparable totals produced by the financial reporting system.

46. At each point data is entered into the computer, ensure that formal file label checks or other procedures exist to permit proper file use such as external and/or internal label checking or use of a tape library software package.

47. At each point data is handled, moved or transmitted:

48. Ensure that computer-generated transactions are identified and listed for user review and are considered in balancing routines.

49. Evaluate the adequacy of the audit trail.

50. Review and evaluate of the audit trail.

51. Determine that master file maintenance results in before/after image reporting for user verification purposes.

52. For on-line systems using destructive updating of random access files, ensure that there is a log tape of the status of a master file record prior to updating, the change causing the update and the status of the record after updating.

53. Review and evaluate error handling and reporting as a result of processing including:

54. Error reports include all data fields in error and contain
corresponding messages that clearly describe the error
condition.

55. The entire rejected transaction appears on the report.

56. Processing of a transaction is discontinued when an error is detected. However, all fields should be edited for errors prior to discontinuance of processing.

57. Procedures, such as the use of an error suspense file, exist to ensure that all rejects are corrected and resubmitted.

58. Errors are reported separately from accepted transactions.

Objective: With respect to Data Base Management Systems (DBMS), all, and only, results of transaction processing are accurately reflected on the data base.

59. Ensure that the DBMS prevents simultaneous updates to a record.

60. Determine that an audit trail of changes to the data base is produced. Obtain sample.

61. Ensure that the DBMS prevents deletion of shared data by one user without consent of other users.

62. Determine that an application program periodically and sequentially reviews and foots the data base. Verify.

OUTPUT CONTROLS

Objective: Reports and other output accurately reflect the results of processing.

63. Determine whether a data control function exists and if so, verify that the function accomplishes its objectives. (In the event that there is no data control function, determine which of the data control functions are being performed by whom and to what extent).

CONTINGENCY PLAN

Objective: Adequate backups are performed and adequate contingency plans have been developed to ensure a complete and efficient recovery of the system in case of disaster.

64. Verify master files and transaction files are backed up offsite
with appropriate retention and rotation schedules.

65. Assure that user departments have an adequate contingency plan to aid in the recovery of the application system in case of disaster.

66. Test Sample of offsite files. Master Transaction.
