Presented to the Tallahassee ISACA Chapter
Presentation transcript:

Application Controls. Presented to the Tallahassee ISACA Chapter Brown Bag Luncheon by Brenda Shiner, June 17, 2014.

This presentation will walk you through the common application controls and how to audit them.
- Input controls
- Processing controls
- Output controls
- Auditing application controls
- Data integrity testing
- Testing application systems
- Online auditing techniques

Application controls are controls over input, processing, and output functions. They ensure that:
- Only complete, accurate, and valid data are entered into and updated in a computer system
- Processing accomplishes the correct task
- Processing results meet expectations
- Data is maintained

Application controls can be automated or manual. Application controls include:
- Edit tests
- Totals
- Reconciliations
- Identification and reporting of missing or exception data
- Automated controls combined with manual controls

Application controls help ensure data accuracy, completeness, validity, verifiability, and consistency, thus achieving data integrity and reliability. Application controls ensure:
- System integrity
- The system functions as intended
- Information in the system is relevant, reliable, secure, and available as needed

Input or origination controls ensure that every transaction is entered, processed, and recorded accurately and completely. Types of input controls include:
- Input authorization
- Batch controls and balancing
- Error reporting and handling

Input authorization controls verify that all transactions have been authorized and approved by management. Input authorization controls include:
- Signatures on batch forms or source documents
- Online access controls
- Unique passwords
- Terminal or workstation identification
- Source documents

Batch controls combine input transactions into groups or batches to provide control totals that are matched to the source documents to verify that the entire batch was processed. Batch controls include:
- Total monetary amount
- Total items
- Total documents
- Hash totals

Batch balancing controls can be performed through either a manual or an automated reconciliation. Batch balancing controls must be combined with adequate follow-up procedures. Batch balancing controls include:
- Batch registers
- Control accounts
- Computer agreement
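As an added example (not from the presentation), the following Python script computes the four batch control totals listed on the previous slide and balances a keyed batch against the totals recorded on its transmittal form, the kind of computer agreement described above; the transactions, header totals and field names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    doc_no: int        # source document number; the field the hash total is taken over
    employee_id: str
    amount: float      # monetary amount on the source document


def control_totals(batch):
    """Compute the four classic batch control totals for a list of transactions."""
    return {
        "total_amount": round(sum(t.amount for t in batch), 2),
        "total_items": len(batch),
        "total_documents": len({t.doc_no for t in batch}),
        # Hash total: arithmetic sum of a field with no business meaning, kept
        # only to detect a dropped, duplicated or mis-keyed record.
        "hash_total": sum(t.doc_no for t in batch),
    }


def balance_batch(batch, header):
    """Compare computed totals with the batch header; return (name, header, keyed) per mismatch."""
    computed = control_totals(batch)
    return [(name, header[name], computed[name])
            for name in header if header[name] != computed[name]]


# Constructed sample: the control totals written on the batch transmittal form ...
BATCH_HEADER = {"total_amount": 4250.00, "total_items": 4,
                "total_documents": 4, "hash_total": 4010}

# ... and the batch as actually keyed. Document 1003 was keyed twice and
# document 1004 was dropped, so the item count still agrees while the
# monetary, document and hash totals all disagree.
KEYED_BATCH = [
    Transaction(1001, "E-17", 1200.00),
    Transaction(1002, "E-23", 950.00),
    Transaction(1003, "E-08", 1100.00),
    Transaction(1003, "E-08", 1100.00),
]

if __name__ == "__main__":
    for name, expected, actual in balance_batch(KEYED_BATCH, BATCH_HEADER):
        print(f"{name}: transmittal form {expected}, keyed batch {actual}")
```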

Input error reporting and handling ensures that only correct data are accepted into the system and that input errors are identified and corrected. Input errors can be handled by:
- Rejecting transactions with errors
- Rejecting the whole batch
- Holding batches in suspense
- Accepting the batch and flagging error transactions

Input processing requires that controls be identified to verify that only correct data are accepted into the system. Input processing control techniques include:
- Transaction logs – detailed listings of all updates, which can be manually maintained or automatically generated through computer logs
- Reconciliation of data – ensures all data are properly recorded and processed
- Documentation – written evidence of control procedures
- Anticipation – user groups anticipate the receipt of data
- Transmittal log – documents the transmission or receipt of data
- Cancellation of source documents – prevents duplicate entry

Input processing also requires that controls be identified to ensure that input errors are recognized and corrected. Error correction procedures include:
- Logging of errors
- Timely corrections
- Upstream resubmission
- Approval of corrections
- Suspense file
- Error file
- Validity of corrections

Processing procedures and controls are meant to ensure the reliability of application program processing. They include:
- Data validation and edits
- Processing controls
- Data file control procedures

Data validation and edit procedures ensure input data is validated as close to the point of origination as possible.
- Limit check – a benefits check should not exceed a certain amount
- Range check – students registering for a certain grade should be within a certain age range
- Validity check – the zip code matches the state in the address
- Sequence check – the check number being paid falls within the range of issued checks

Data validation and edit procedures identify errors, incomplete or missing data, and inconsistencies among related data items, and ensure only accurate data are processed.
- Existence check – a product number matches a product being sold
- Completeness check – all required fields are filled in
- Duplicate check – a duplicate purchase order is identified
- Logical relationship check – a credit card number has been provided if the payment is by credit card
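An added example (not from the presentation) that implements the eight edit checks from the two slides above as one validation routine: it reports every failed check for a record rather than stopping at the first, which is what an auditor needs when reviewing an error file. The record layout, thresholds and reference tables (issued checks, product master, zip-to-state) are constructed, and the record deliberately carries fields for all eight checks so one routine can exercise them.

```python
# Constructed reference data that the edit checks consult.
MAX_BENEFIT = 5000.00                          # limit check threshold
ISSUED_CHECKS = range(20001, 20101)            # sequence check: issued check numbers
PRODUCTS = {"P-100", "P-200", "P-300"}         # existence check: product master
ZIP_TO_STATE = {"32301": "FL", "30301": "GA"}  # validity check: zip/state table
REQUIRED = ("claim_id", "po_number", "amount", "payment_method")


def validate(rec, seen_po):
    """Run every edit check on one record; return the list of failures (empty = accepted).

    seen_po is the set of purchase order numbers already accepted; it is the
    state the duplicate check needs and is updated only when a record passes.
    """
    errors = []
    missing = [f for f in REQUIRED if not rec.get(f)]
    if missing:                                               # completeness check
        errors.append(f"completeness: missing {missing}")
    if rec.get("amount", 0) > MAX_BENEFIT:                    # limit check
        errors.append("limit: amount exceeds benefit maximum")
    if not 18 <= rec.get("age", 0) <= 65:                     # range check
        errors.append("range: age outside 18-65")
    if ZIP_TO_STATE.get(rec.get("zip")) != rec.get("state"):  # validity check
        errors.append("validity: zip code does not match state")
    if rec.get("check_no") not in ISSUED_CHECKS:              # sequence check
        errors.append("sequence: check number not in issued range")
    if rec.get("product") not in PRODUCTS:                    # existence check
        errors.append("existence: unknown product number")
    if rec.get("po_number") in seen_po:                       # duplicate check
        errors.append("duplicate: purchase order already entered")
    if rec.get("payment_method") == "card" and not rec.get("card_number"):
        errors.append("logical: card payment without card number")  # logical relationship
    if not errors:
        seen_po.add(rec["po_number"])
    return errors


# Constructed records: one clean, one that trips every check except completeness.
GOOD = {"claim_id": "C-1", "po_number": "PO-77", "amount": 1200.00, "age": 34,
        "zip": "32301", "state": "FL", "check_no": 20010, "product": "P-100",
        "payment_method": "card", "card_number": "[constructed]"}
BAD = {"claim_id": "C-2", "po_number": "PO-77", "amount": 9000.00, "age": 70,
       "zip": "32301", "state": "GA", "check_no": 99999, "product": "P-999",
       "payment_method": "card"}

if __name__ == "__main__":
    accepted = set()
    for rec in (GOOD, BAD):
        print(rec["claim_id"], validate(rec, accepted) or "accepted")
```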

Processing controls are meant to ensure the completeness and accuracy of accumulated processed data.
- Edit checks – most of the data validation examples would also work as edit checks
- Manual recalculation – recalculate a sample of transactions to verify the accuracy of calculations, for example sales tax
- Run-to-run totals – control totals are maintained through the various stages of processing to verify the completeness of the records
- Exception reports – reports that programmatically identify transactions or data that fall outside a predetermined range or do not match other specified criteria

Data file control procedures ensure that only authorized processing occurs on stored data.
- Data file security – ensures only authorized users have access to alter the data, whether through the application or by direct access to the database
- Source documentation retention – source documents are retained for an adequate period to enable retrieval, reconstruction, and verification of data if necessary
- Version usage – make sure the correct, current version of a file is being used
- Internal and external labels – used on removable media and files to ensure the correct data is being used
- File updating and maintenance authorizations – ensure that maintenance follows an approved and documented process
- Transaction logs – useful in tracking down which transactions were processed in the event of an error and investigating the cause
- Before and after image reporting – useful as a monitoring tool, though not as granular as the transaction log

Output controls are meant to provide assurance that the data delivered to users will be presented, formatted, and delivered in an accurate, consistent, and secure manner.
- Tracking of sensitive output: negotiable instruments, confidential information, etc.
- Report distribution control
- Output error handling
- Reconciliation of control counts/totals

The starting point for auditing application controls is identifying the significant application components and the flow of information through the system.
- Understand transaction flow
- Assess application risks
- Test user controls
- Test data integrity
The impact of control weaknesses can be evaluated by reviewing available documentation and interviewing appropriate personnel.

An analysis of the transaction flow will allow for an understanding of potential weak points where the controls should be reviewed:
- Points where transactions and data are entered
- Points where transaction calculations are performed
- Points where data transformations occur
- Points where transactions are posted
- Points where databases are updated
- Points where reports are generated
- Points where data are transmitted

A risk assessment can be based on a variety of factors and can assist in focusing your audit on the inherent risks of an application:
- Recent application changes
- Time elapsed since last audit
- Complexity of operations
- Changes in operations/environment
- Transaction volume
- Monetary value of transactions
- Sensitivity of transactions
- Impact of application failure

Key user controls may be directly tested to determine if they are performing as intended:
- Review and testing of access authorizations and capabilities
- Separation of duties
- Error control and correction
- Activity and violation reporting
- Distribution of reports

Data integrity tests examine the accuracy, completeness, consistency, and authorization of data presently held in a system.
- Determine if data validation routines are functioning correctly
- Determine if database tables are properly defined and apply appropriate input constraints and data characteristics
- Ensure referential integrity for primary and foreign keys in tables
Data integrity tests will indicate failures in input or processing controls.

Data integrity testing is a set of substantive tests that examines the accuracy, completeness, consistency, and authorization of data presently held in a system.
- Relational integrity tests – performed at the data element and record level and enforced through data validation routines built into the application, or by defining input condition constraints and data characteristics in the table definition at the database level
- Referential integrity tests – define the existence of relationships between entities in different tables of a database that need to be maintained by the Database Management System (DBMS)

In multi-user transaction systems it is necessary to manage parallel user access to stored data, typically controlled by a DBMS, and to deliver fault tolerance. Of particular importance are four online data integrity requirements known collectively as the ACID principle:
- Atomicity – from a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all
- Consistency – all integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state
- Isolation – each transaction is isolated from other transactions, and hence each transaction only accesses data that are part of a consistent database state
- Durability – if a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures
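An added example (not part of the presentation) of the relational and referential integrity tests from the two preceding slides, plus the atomicity property above, using Python's built-in sqlite3 as a stand-in DBMS with a constructed customer/invoice schema: the first test checks that the table definition itself rejects bad rows, the second hunts for orphaned foreign keys in data already stored (the situation that arises when the DBMS was not enforcing the relationship), and the third shows a failed multi-row posting leaving no partial update.

```python
import sqlite3

# Constructed schema: the invoice table carries NOT NULL/CHECK constraints
# (relational integrity) and a foreign key to customer (referential integrity).
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE invoice (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    amount REAL NOT NULL CHECK (amount > 0)
);
"""
INSERT_INVOICE = "INSERT INTO invoice VALUES (?, ?, ?)"


def open_db(enforce_fk=True):
    """Open an in-memory database with the schema and one customer loaded."""
    con = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on; an auditor
    # should confirm the setting rather than assume the DBMS enforces them.
    con.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    con.executescript(SCHEMA)
    con.execute("INSERT INTO customer VALUES (1, 'Acme')")
    con.commit()
    return con


def constraint_rejected(con, params):
    """Relational integrity test: does the table definition reject this invoice row?"""
    try:
        with con:
            con.execute(INSERT_INVOICE, params)
        return False
    except sqlite3.IntegrityError:
        return True


def orphan_invoices(con):
    """Referential integrity test: invoice ids whose customer does not exist."""
    rows = con.execute("""SELECT i.id FROM invoice i
                          LEFT JOIN customer c ON c.id = i.customer_id
                          WHERE c.id IS NULL ORDER BY i.id""").fetchall()
    return [r[0] for r in rows]


def atomic_posting(con, rows):
    """Post several invoices as one transaction (atomicity): a bad row rolls back all of them."""
    try:
        with con:  # commits on success, rolls back on exception
            con.executemany(INSERT_INVOICE, rows)
        return True
    except sqlite3.IntegrityError:
        return False


def invoice_count(con):
    return con.execute("SELECT COUNT(*) FROM invoice").fetchone()[0]
```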

Testing the effectiveness of application controls involves analyzing computer application programs, testing computer program controls, and selecting and monitoring transactions. Methods and techniques for testing application systems include:
- Snapshot
- Mapping
- Tracing and tagging
- Test data/deck
- Base-case system evaluation
- Parallel operation
- Integrated test facility
- Parallel simulation
- Transaction selection programs
- Embedded audit data collection
- Extended records

Continuous online auditing is becoming increasingly important in today's e-business world. It:
- Allows IS auditors to monitor the operation of systems on a continuous basis while normal processing takes place, and to gather selective audit evidence through the computer
- Cuts down on needless paperwork and leads to the conduct of an essentially paperless audit

There are five types of automated evaluation techniques applicable to continuous online auditing:
- Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
- Snapshots
- Audit hooks
- Integrated test facility (ITF)
- Continuous and intermittent simulation (CIS)

The selection and implementation of continuous audit techniques depends, to a large extent, on the complexity and understanding of an organization's computer systems and applications.

Questions?