3/13/2015

CHAPTER 6
Systems Development and Documentation
Controls
Part Two

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

USER, ACCOUNTING, AND AUDIT

PARTICIPATION

Part Two

TECHNICAL, MGT, USER, AND

AUDITOR REVIEW AND APPROVAL
SYSTEM TESTING

OVERVIEW

FINAL APPROVAL

OF PRESENTATION

POSTIMPLEMENTATION REVIEW

KPMGroup

KENT, PORF, MARLON GROUP

Adequate Internal
USER PERSONNEL
Control Structure

ACCOUNTING
DO YOU WANT TO DEVELOP
A NEW
Built-in
Audit
Features
SYSTEM?
DEPARTMENT STAFF

AUDITORS
(INTERNAL
AND
Complete
Audit
Trail
PARTICIPATE
IN
THE SYSTEMS DEVELOPMENT
EXTERNAL)

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

How can this participation be beneficial?

IMPROVED COMMUNICATION BETWEEN USER AND EDP
PERSONNEL
USER PARTICIPATION REPRESENTS A FORM OF
COMMITMENT & APPROVAL
IMPROVEMENTS IN CONTROLS FROM SUGGESTIONS OF
EXPERTS
EVIDENCE FOR COMPLIANCE & INCLUSION OF
REQUIRED IC & AUDIT FEATURES
GAIN OF REQUIRED UNDERSTANDING OF EDP
APPLICATIONS

KPMGroup

KENT, PORF, MARLON GROUP

Scenario
You plan to assess control risk at a low level
on participation by the user, accounting,
and audit personnel

What to do?
INTERVIEW FOR EVIDENCE OF THE LEVEL OF
PARTICIPATION OF THE USER AND ACCOUNTING DEPT
REVIEW APPROPRIATE DOCUMENTS AND RELATED
APPROVALS FOR EVIDENCE
REVIEW THE AUDITORS WORKING PAPERS

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

USER, ACCOUNTING AND AUDIT

PARTICIPATION

Part Two

TECHNICAL, MGT, USER, AND

AUDITOR REVIEW AND APPROVAL
SYSTEM TESTING

OVERVIEW

FINAL APPROVAL

OF PRESENTATION

POSTIMPLEMENTATION REVIEW

KPMGroup

KENT, PORF, MARLON GROUP

ONGOING REVIEW: BENEFITS

For work accomplished during the process and
approval at the end of each phase of the process
REPRESENT STRONG CONTROLS OVER CONTENT OF
SYSTEM PROGRAM AND OUTPUTS
ENSURE THAT THE SYSTEM HAS ADEQUATE CONTROLS
FACILITATE MONITORING AND MAINTENANCE OF AN
ACCEPTABLE LEVEL OF QUALITY OF OUTPUT FROM EACH
PHASE OF THE PROCESS

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

REVIEW AND APPROVAL: LEVELS

TECHNICAL LEVEL

involves systems and

programming supervisors
requires systems supervisors to
review the work of systems staff
on an ongoing basis
review and approve each phase
of the output before submitting it
for approval

involves management, users

and auditors
requires them to review and
approve end products of
systems planning and
development (excluding
programming)

KPMGroup

OUTPUT LEVEL

KENT, PORF, MARLON GROUP

Scenario
You plan to assess control risk at a low level
on technical, management, user and
auditor review and approval

What to do?
REVIEW THE SECTION OF THE SYSTEMS DEVELOPMENT
STANDARDS MANUAL
INTERVIEW TECHNICAL STAFF, MANAGEMENT, AND
USERS
REVIEW TECHNICAL AND OUTPUT DOCUMENTATION
(FOR SELECTED APPLICATIONS DEVELOPED DURING
ACCTG PERIOD)

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

USER, ACCOUNTING AND AUDIT

PARTICIPATION

Part Two

TECHNICAL, MGT, USER, AND

AUDITOR REVIEW AND APPROVAL
SYSTEM TESTING

OVERVIEW

OF PRESENTATION

FINAL APPROVAL

POSTIMPLEMENTATION REVIEW

KPMGroup

KENT, PORF, MARLON GROUP (VA ROOM 306)

SYSTEM TESTING: AN IMPORTANT CONTROL

ENSURE THAT SYSTEM WILL OPERATE AS INTENDED
DETERMINE IF SYSTEMS OPERATION MEETS USER
REQUIREMENTS
TEST ALL APPLICATION CONTROLS SO THEY WORK
AS INTENDED
SHOW THAT INTRODUCTION OF CORRECT INPUT WILL
YIELD CORRECT OUTPUT
VERIFY THAT INCORRECT INPUT, PROCESSING OR
OUTPUT WILL BE DETECTED

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

WHAT IS THE SCOPE & COVERAGE OF SYSTEM TESTING?

MANUAL PHASE
COMPUTERIZED PHASE
PROGRAMS
COMPUTER OPERATIONS
USER ACTIVITIES
CONTROL GROUP FUNCTIONS

KPMGroup

KENT, PORF, MARLON GROUP

USER PERSONNEL

SYSTEMS PERSONNEL

AUDITORS
(INTERNAL AND
JOINT EFFORT IN SYSTEM TESTING
EXTERNAL)

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

SYSTEM TESTING: LEVELS

Designed to test the processing
logic of the programs
Usually applied on a modular or
program-by-program basis to
facilitate the review process
Software aids can be useful

PROGRAM TESTS

Tests applied also to programs

but to a string of logically
related programs
To ensure that data are
correctly transferred from one
program to another in a string

KPMGroup

STRING TESTS

KENT, PORF, MARLON GROUP

SYSTEM TESTING: LEVELS

SYSTEMS TESTS

Applied to programs within an

application
To ensure that programs all work
correctly when they interface
with each other

Processing of an actual periods

transactions on an after-thefact basis
To reconcile the results of the
new and old systems and to
detect and correct differences

PILOT TESTS

PARALLEL TESTS

Method of ensuring that system is

processing input correctly
Valuable to detect system errors
and for complex systems

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

Scenario
You plan to assess control risk at a low level on
system testing (first, review the new systems
developed and implemented during the accounting
period and the written standards)

What to do?
REVIEW STANDARDS FOR COMPREHENSIVENESS
INTERVIEW INTERNAL AUDIT AND USER STAFF
REVIEW TEST DATA AND THE RESULTING OUTPUT FOR
SELECTED NEW SYSTEMS
REVIEW THE RESULTS OF PROGRAMS AND STRING TESTS

KPMGroup

KENT, PORF, MARLON GROUP

Scenario
You plan to assess control risk at a low level on
system testing (first, review the new systems
developed and implemented during the accounting
period and the written standards)

What to do?
REVIEW RESULTS OF SYSTEM TESTS OF VALID AND
INVALID TRANSACTIONS
REVIEW PROCEDURES FOR RECONCILING OUTPUT
PRODUCED DURING PILOT AND PARALLEL TESTING
EXAMINE PROGRAMS USED TO COMPARE OUTPUT FILES
FOR PILOT AND PARALLEL TESTING
EXAMINE RECONCILIATIONS FOR SELECTED TESTS

KPMGroup

KENT, PORF, MARLON GROUP

3/13/2015

USER, ACCOUNTING AND AUDIT

PARTICIPATION

Part Two

TECHNICAL, MGT, USER, AND

AUDITOR REVIEW AND APPROVAL
SYSTEM TESTING

OVERVIEW

FINAL APPROVAL

OF PRESENTATION

POSTIMPLEMENTATION REVIEW

PROGRAM CHANGE CONTROLS

KPMGroup

KENT, PORF, MARLON GROUP

FINAL APPROVAL
EDP PERSONNEL

MANAGEMENT
USERS

Provides an opportunity to examine the final test results

Make a final judgment on the quality of application controls
Consider changes from the original system design specifications
Ensure that all the errors are corrected
Approve planned procedures for system implementation and operation

KPMGroup

KENT, PORF, MARLON GROUP

10

3/13/2015

Scenario
You plan to assess control risk at a low level
on final approval as a general control

What to do?
Review evidence of the approval of new applications
by management, users and EDP personnel

Interview management, user and EDP personnel

KPMGroup

KENT, PORF, MARLON GROUP

CONVERSION CONTROL
Numerous errors can result when the master and
transaction files are converted to the new system
Control Procedures
File conversion approval be given before conversion process begins
Original and new files be reconciled by record counts, hash totals, and
amount totals
Selected portions of records from the original files be compared with
new files
Confirmation request be sent to third parties
Discrepancy reports be use to detect inconsistencies and correct them
Operational approval be obtained after users used the system a few times

KPMGroup

KENT, PORF, MARLON GROUP

11

3/13/2015

Discrepancy
Report

Scenario
You plan to assess control risk at a low level
on conversion control as a general control

What to do?
REVIEW PLANS FOR CONTROLLING THE CONVERSION
FROM ONE SYSTEM TO ANOTHER
EXAMINE DOCUMENTATION FOR EVIDENCE
EVALUATE THE PROCEDURES TO ECONCILE ORIGINAL
AND NEW FILES

KPMGroup

KENT, PORF, MARLON GROUP

12

3/13/2015

Scenario
You plan to assess control risk at a low level
on conversion control as a general control

What to do?
REVIEW OR OBSERVE THE USE OF RECORD
COMPARISONS AND CONFIRMATION REQUESTS
EXAMINE DISCREPANCY REPORTS FOR EVIDENCE
TEST THE CONVERSION

KPMGroup

KENT, PORF, MARLON GROUP

POSTIMPLEMENTATION REVIEW
INTERNAL AUDIT
PERSONNEL

EDP PERSONNEL
USERS

Several months after the implementation of the

system
Whether the system is operating as intended
Evaluate effectiveness of the entire process of
developing a system

KPMGroup

KENT, PORF, MARLON GROUP

13

3/13/2015

Scenario
You plan to assess risk at a low level on the
general control of post implementation
review

What to do?
REVIEW INTERNAL WORKING PAPERS
INTERVIEW SYSTEMS DEVT STAFF, USERS AND
MANAGEMENT
REVGIEW THE FINAL REPORT OF THE COMMITTEE

KPMGroup

KENT, PORF, MARLON GROUP

PROGRAM CHANGE CONTROLS

Changes that resulted from the
desire to improve systems, the
need to adjust systems to
changing business conditions
and the need to incorporate new
operating, accounting and
control policies

PROGRAM
MAINTENANCE

Represent major systems

revisions (excluded from the
definition of program
maintenance)
Tested as full systems
development projects

KPMGroup

PROGRAM
ENHANCEMENTS

KENT, PORF, MARLON GROUP

14

3/13/2015

PROGRAM CHANGE CONTROLS:

BENEFITS
ENSURE THAT ALL CHANGES TO PROGRAMS ARE
PROPERLY APPROVED AND AUTHORIZED
ENSURE ALL AUTHORIZED CHANGES ARE COMPLETED,
TESTED AND PROPERLY IMPLEMENTED
SO, CONTROLS ARE REQUIRED OVER
PLANNING, DEVELOPMENT AND
IMPLEMENTATION OF PROGRAM CHANGES

KPMGroup

KENT, PORF, MARLON GROUP

PLANNING PROGRAM CHANGES

Requires proper approval authorization and
documentation of program change
Program change request should be approved by the
user, by the internal audit and by data processing
management
All program change request should be authorized
after proper approval (usually the data processing
management)
Full documentation of the program change request

KPMGroup

KENT, PORF, MARLON GROUP

15

3/13/2015

Program
Change
Form

DEVELOPMENT PROGRAM CHANGES

Development only for properly approved and authorized
change requests

Program changes should be restricted to systems personnel

The design specifications of program changes should be

reviewed and approved by the user and internal audit
Program changes should be completed following established
systems, programming and documentation standards

KPMGroup

KENT, PORF, MARLON GROUP

16

3/13/2015

DEVELOPMENT PROGRAM CHANGES

Changes should be made to the test program and not the
production program
All programs changes should be tested thoroughly before
implementation
Upon completion of testing, the program changes and test
results should be reviewed and approved
User and operating personnel should be retained, if necessary,
to handle new procedures

KPMGroup

KENT, PORF, MARLON GROUP

IMPLEMENTATION PROGRAM CHANGES

All documentation that is affected by the change should be
updated
Control should be established over the conversion to the
new program
Conversion should not be permitted before approval of the
test results and completion of the changes to
documentation
Final approval should be given by data processing
management, the user, and internal audit

KPMGroup

KENT, PORF, MARLON GROUP

17

3/13/2015

Scenario
You plan to assess risk at a low level on
systems change controls

What to do?
INTERVIEW OPERATIONS AND SYSTEMS PERSONNEL
REVIEW DOCUMENTATION IN SUPPORT OF SELECTED
PROGRAM CHANGES
EXAMINE RESULTS OF TESTS PERFORMED ON MODIFIED
PROGRAMS

KPMGroup

KENT, PORF, MARLON GROUP (VA ROOM 306)

Scenario
You plan to assess risk at a low level on
systems change contROLS

What to do?
COMPARE THE ORIGINAL PROGRAM SOURCE CODING
WITH THE MODIFIED PROGRAM SOURCE CODING
ON A TEST BASIS, SELECT CURRENT APPLICATION PROGRAMS
FOR WHICH THERE IS NO DOCUMENTATION OF CHANGES
DURING THE PRECEEDING YEAR, & COMPARE THE CODE OF
CURRENT PROGRAMS WITH THE CODE OF THE SAME
PROGRAMS AF A YEAR AGO.

KPMGroup

KENT, PORF, MARLON GROUP (VA ROOM 306)

18