Learning objectives
Describe types of controls
Describe application controls and classifications
Discuss the nature, timing and extent of application control testing
Identify when benchmarking of application controls is appropriate
Identify application control testing scoping considerations
Identify factors impacting reliance on application controls
Describe electronic audit evidence
Types of controls
Type of control
Manual
Automated
Application controls
IT general controls
Prevent
Detect
Support the continued functioning of automated aspects of prevent and detect controls
Objective of control
IT general controls
Controls around the environment which support the application
Spreadsheets
Billing system
Electronic audit evidence
A/P application
Rate Calculations
Application controls
Ad hoc reports
Tolerances
Payroll system
General ledger
Program changes
Logical access
IT operations
Application controls
Company-level controls
ERP
Often more effective than manual controls
Test of one strategy may apply
Operating systems
Databases
Examples
Required fields
Specific data format on input
Three-way match
Tolerance limits
Accounts receivable aging
Pricing calculations
Transfer of data between systems
Error reporting during batch runs
Approval to post journal entries
Two approvals for check printing
Authorizations
The difference between edit checks and validation controls is often confused
Edit check
Limit risk of inappropriate input, processing or output of data due to field format
Validation
Limit risk of inappropriate input, processing, or output of data due to the confirmation of a test
Edit check control: the application requires a unique customer purchase order number to be entered into the sales order
Validation example
Validation control: the system prevents the entry of incorrect product numbers on sales orders
Request/approve accurate, timely and complete recording of transactions
Prepare accurate, timely and complete recording of transactions
Move programs in and out of production
Monitor accurate, timely and complete recording of transactions
Request/approve program development or program change
Program the development or change
Move programs in and out of production
Monitor program development and changes
Requesting access, approving access, setting up access, and monitoring access violations/violation attempts
Performing rights of a privileged user and monitoring use of a privileged user
Nature of testing will depend on whether the control is embedded or configurable
Configurable application control:
Inspect configuration of each significant transaction type (can be performed via walkthrough also)
Consider override capability
Generally can be viewed within a configuration screen or via a system-generated report
Embedded application control:
Walkthrough of each significant transaction type
Consider override capability
Positive and negative aspects of control
By recognizing that application controls operate in a systematic manner, we may be able to perform testing of application controls in conjunction with the walkthrough for each applicable transaction type and processing alternative.
We perform tests to obtain evidence that the application controls operated effectively throughout the period of reliance.
Testing ITGCs is the most effective way to obtain evidence that the application controls have continued to operate throughout the period.
Embedded (System is programmed to perform the control as a result of either custom coding or packaged delivery of that functionality.)
Test of 1
Test of 1
Test of 1
Test of 1
Inspection of authorization
Sample Selected
Inspected
Re-performance via walkthrough
Configurable (System has the capability to perform the control depending on its setup, but may have been configured differently)
Inspection of authorization
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Test of 1
Sample Selected
Benchmarking
Overview
Audit strategy that may be used to extend the benefits of certain tests of application controls into subsequent audit periods
A computer will continue to perform a given procedure in exactly the same way until the program is changed
Applicable if change controls are effective
Can remain applicable if IT general controls are ineffective, provided we can confirm that no changes have occurred to the particular program
In most instances, procedures in subsequent years could be limited to a walkthrough and procedures to maintain the benchmark, and would not have to include detailed testing
Benchmarking
Considerations
The extent to which the application control can be matched to defined programs within an application;
The extent to which the application is stable (i.e., there are few changes from period to period);
Whether a report of the compilation dates (or other evidence of changes to the programs) of all programs placed in production is available and is reliable.
Evidence considerations:
Program/module name(s) - Recording only the application name is generally insufficient, as each application typically represents a suite of programs. The specific program(s) should be identified.
Location of the program - Indicate where the program/module is located.
File size in bytes - Comparing this information with the previous information may indicate whether the program has been changed.
Last change date - In most systems, this will be the date of the file in the directory or program library listing. The last change date of the executable program indicates the date of the last change to the program that is actually processing on the system. Recognize the possibility that changes could also have been implemented to programs during the period under review prior to the last change date.
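As an added example (not part of the original slides), the benchmark record described above can be captured and compared in Python. The SHA-256 field, the file name `ar_aging.bin` and its contents are assumptions constructed for illustration; the hash goes beyond the listed items to cover a change that leaves file size and last change date equal to the benchmark.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def snapshot(path):
    """Record the benchmark attributes for one program file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {
        "program": os.path.basename(path),
        "location": os.path.dirname(os.path.abspath(path)),
        "size_bytes": st.st_size,
        "last_change": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest,  # assumption: content hash added beyond the listed items
    }


def compare(baseline, current):
    """Return the names of the attributes that differ from the baseline."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))


def demo():
    """Constructed sample: a stand-in program file changed two different ways."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "ar_aging.bin")  # hypothetical program name
        with open(prog, "wb") as fh:
            fh.write(b"TOLERANCE=05")
        before = os.stat(prog)
        base = snapshot(prog)
        untouched = compare(base, snapshot(prog))

        # Same-length change with the file date preserved (as copy tools that
        # keep timestamps do): size and date still match the benchmark.
        with open(prog, "wb") as fh:
            fh.write(b"TOLERANCE=50")
        os.utime(prog, ns=(before.st_atime_ns, before.st_mtime_ns))
        quiet_edit = compare(base, snapshot(prog))

        # Ordinary change: new length and a later file date.
        with open(prog, "ab") as fh:
            fh.write(b"\n")
        os.utime(prog, ns=(before.st_atime_ns, before.st_mtime_ns + 60 * 10**9))
        normal_change = compare(base, snapshot(prog))
    return untouched, quiet_edit, normal_change
```

An empty result from `compare` supports carrying the benchmark forward; any listed attribute means the program needs to be re-tested before relying on the prior-period result.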
Testing schedule
Combined meetings vs. IT specific meetings
Testing methodology
Nature, timing, and extent
Determine if ITGCs are effective
Operations
Which controls are affected by batch processing?
How are batch jobs monitored?
Aging list of accounts receivables
Spreadsheet specifying hedging transactions
List of gains and losses from sales of marketable securities
Reliance on EAE
Establishing a basis for relying on electronic data includes:
Determining the source of the electronic data (i.e., which application produces the data)
Determining, through the identification and evaluation of internal controls or through substantive procedures, whether the electronic data is complete and accurate
What is the origin of the software?
Is the report used frequently by the client?
Can the client influence the content of the report?
Can the client edit the output of the report?
Are we sure the data in the underlying database is complete and accurate?
Test procedures are based on controls testing (e.g., review of client's test documentation) or substantive testing (e.g., reperforming the report, proving footings)
Questions?