an integrated audit
Learning objectives
Control environment
Risk assessment
Monitoring
Control activities
What are the different types of controls?
[Diagram labels: type of control; objective of control; manual controls; IT-dependent manual control; automated; application controls; IT general controls]
Application controls vs. ITGCs
Application controls
Reside within the application and apply to individual transactions
Examples include:
Edit checks
Validations
Calculations
Interfaces
Authorizations
IT general controls
Controls around the environment which support the application
Examples include:
Manage Change
Logical Access
IT Operations
Effect of ITGCs on applications controls
[Diagram labels: edit checks; spreadsheets; ad hoc reports; tolerances; payroll system; general ledger; segregation of duties; company-level controls; IT general controls; IT general controls foundation (operating systems, databases, ERP)]
Configurable controls
Configurable control is performed depending on an application's setup
Often more effective than manual controls
Test of one strategy may apply
Classifications of application controls
Authorizations
Limit the risk of inappropriate input, processing or output of key financial data due to unauthorized access to key financial functions or data. Includes:
Segregation of incompatible duties
Authorization checks, limits and hierarchies
Examples:
Approval to post journal entries
Two approvals for check printing
Edit check vs. validation
Validation control: the system prevents the entry of incorrect product numbers on sales orders
SoD ITGC vs. application level
What is the difference between SoD at the ITGC level and SoD at the application level?
Transaction level
Request/approve accurate, timely and complete recording of transactions
Prepare accurate, timely and complete recording of transactions
Move programs in and out of production
Monitor accurate, timely and complete recording of transactions
Embedded (System is programmed to perform the control as a result of either custom coding or packaged delivery of that functionality.)
[Table cells recovered: Test of 1 (four columns); Re-performance via walkthrough; Inspection of authorization; Sample selected]
Benchmarking of application controls
Benchmarking
Overview
Audit strategy that may be used to extend the benefits of certain tests of application controls into subsequent audit periods
A computer will continue to perform a given procedure in exactly the same way until the program is changed
Applicable if change controls are effective
Can remain applicable if IT general controls are ineffective, provided we can confirm that no changes have occurred to the particular program
In most instances, procedures in subsequent years could be limited to a walkthrough and procedures to maintain the benchmark, and would not have to include detailed testing
Benchmarks are generally reestablished every three to five years
Benchmarking
Considerations
Benchmarking strategy considerations:
The extent to which the application control can be matched to defined programs within an
application;
The extent to which the application is stable (i.e., there are few changes from period to period);
Whether a report of the compilation dates (or other evidence of changes to the programs) of all
programs placed in production is available and is reliable.
Evidence considerations:
Program/module name(s) - Recording only the application name is generally insufficient, as
each application typically represents a suite of programs. The specific program(s) should be
identified.
Location of the program - Indicate where the program/module is located.
File size in bytes - Comparing this information with the previous information may indicate
whether the program has been changed.
Last change date - In most systems, this will be the date of the file in the directory or program
library listing. The last change date of the executable program indicates the date of the last
change to the program that is actually processing on the system. Recognize the possibility that
changes could also have been implemented to programs during the period under review prior to
the last change date.
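An added example (not part of the original slides) of capturing the evidence fields listed above for a set of program files and comparing them against the prior period's benchmark. The file names and the sample data are constructed, and the SHA-256 field is an assumption that goes beyond the slide's list, since size and date alone can match after a change.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def capture(paths):
    """Record benchmark evidence for each program file."""
    evidence = {}
    for path in map(Path, paths):
        st = path.stat()
        evidence[path.name] = {
            "location": str(path.resolve().parent),
            "size_bytes": st.st_size,
            "last_change": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),  # added field
        }
    return evidence


def compare(baseline, current):
    """Return {program: [evidence fields that differ]} between two periods."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None or new is None:
            findings[name] = ["not in benchmark" if old is None else "missing"]
            continue
        diff = [k for k in old if old[k] != new[k]]
        if diff:
            findings[name] = diff
    return findings


def demo():
    """Constructed sample: two program files, one changed after the benchmark."""
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d) / n for n in ("post_journal.bin", "calc_tax.bin")]
        for p in paths:
            p.write_bytes(b"v1")
            os.utime(p, (1_700_000_000, 1_700_000_000))
        baseline = capture(paths)
        paths[1].write_bytes(b"v2-patched")
        os.utime(paths[1], (1_710_000_000, 1_710_000_000))
        return compare(baseline, capture(paths))


if __name__ == "__main__":
    print(demo())
```

An empty result only shows that the files match the benchmark at the time of capture; as noted above, it does not rule out changes made and reverted earlier in the period.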
Application controls testing considerations
Application control testing considerations
Interfaces
What is the flow of data?
What controls monitor the timely
and effective operation of
interfaces?
Electronic audit evidence (EAE)
What is electronic audit evidence (EAE)?
Test procedures are based on controls testing (e.g., review of client's test documentation) or substantive testing (e.g., re-performing the report, proving footings)
Questions?