Professional Documents
Culture Documents
CHAPTER 6
Systems Development and Documentation
Controls
Part Two
KPMGroup
3/13/2015
Part Two
OVERVIEW
FINAL APPROVAL
OF PRESENTATION
POSTIMPLEMENTATION REVIEW
KPMGroup
Adequate Internal
USER PERSONNEL
Control Structure
ACCOUNTING
DO YOU WANT TO DEVELOP
A NEW
Built-in
Audit
Features
SYSTEM?
DEPARTMENT STAFF
AUDITORS
(INTERNAL
AND
Complete
Audit
Trail
PARTICIPATE
IN
THE SYSTEMS DEVELOPMENT
EXTERNAL)
KPMGroup
3/13/2015
KPMGroup
Scenario
You plan to assess control risk at a low level
on participation by the user, accounting,
and audit personnel
What to do?
INTERVIEW FOR EVIDENCE OF THE LEVEL OF
PARTICIPATION OF THE USER AND ACCOUNTING DEPT
REVIEW APPROPRIATE DOCUMENTS AND RELATED
APPROVALS FOR EVIDENCE
REVIEW THE AUDITORS WORKING PAPERS
KPMGroup
3/13/2015
Part Two
OVERVIEW
FINAL APPROVAL
OF PRESENTATION
POSTIMPLEMENTATION REVIEW
KPMGroup
KPMGroup
3/13/2015
TECHNICAL LEVEL
KPMGroup
OUTPUT LEVEL
Scenario
You plan to assess control risk at a low level
on technical, management, user and
auditor review and approval
What to do?
REVIEW THE SECTION OF THE SYSTEMS DEVELOPMENT
STANDARDS MANUAL
INTERVIEW TECHNICAL STAFF, MANAGEMENT, AND
USERS
REVIEW TECHNICAL AND OUTPUT DOCUMENTATION
(FOR SELECTED APPLICATIONS DEVELOPED DURING
ACCTG PERIOD)
KPMGroup
3/13/2015
Part Two
OVERVIEW
OF PRESENTATION
FINAL APPROVAL
POSTIMPLEMENTATION REVIEW
KPMGroup
KPMGroup
3/13/2015
MANUAL PHASE
COMPUTERIZED PHASE
PROGRAMS
COMPUTER OPERATIONS
USER ACTIVITIES
CONTROL GROUP FUNCTIONS
KPMGroup
USER PERSONNEL
SYSTEMS PERSONNEL
AUDITORS
(INTERNAL AND
JOINT EFFORT IN SYSTEM TESTING
EXTERNAL)
KPMGroup
3/13/2015
PROGRAM TESTS
KPMGroup
STRING TESTS
SYSTEMS TESTS
PILOT TESTS
PARALLEL TESTS
KPMGroup
3/13/2015
Scenario
You plan to assess control risk at a low level on
system testing (first, review the new systems
developed and implemented during the accounting
period and the written standards)
What to do?
REVIEW STANDARDS FOR COMPREHENSIVENESS
INTERVIEW INTERNAL AUDIT AND USER STAFF
REVIEW TEST DATA AND THE RESULTING OUTPUT FOR
SELECTED NEW SYSTEMS
REVIEW THE RESULTS OF PROGRAMS AND STRING TESTS
KPMGroup
Scenario
You plan to assess control risk at a low level on
system testing (first, review the new systems
developed and implemented during the accounting
period and the written standards)
What to do?
REVIEW RESULTS OF SYSTEM TESTS OF VALID AND
INVALID TRANSACTIONS
REVIEW PROCEDURES FOR RECONCILING OUTPUT
PRODUCED DURING PILOT AND PARALLEL TESTING
EXAMINE PROGRAMS USED TO COMPARE OUTPUT FILES
FOR PILOT AND PARALLEL TESTING
EXAMINE RECONCILIATIONS FOR SELECTED TESTS
KPMGroup
3/13/2015
Part Two
OVERVIEW
FINAL APPROVAL
OF PRESENTATION
POSTIMPLEMENTATION REVIEW
KPMGroup
FINAL APPROVAL
EDP PERSONNEL
MANAGEMENT
USERS
KPMGroup
10
3/13/2015
Scenario
You plan to assess control risk at a low level
on final approval as a general control
What to do?
Review evidence of the approval of new applications
by management, users and EDP personnel
KPMGroup
CONVERSION CONTROL
Numerous errors can result when the master and
transaction files are converted to the new system
Control Procedures
File conversion approval be given before conversion process begins
Original and new files be reconciled by record counts, hash totals, and
amount totals
Selected portions of records from the original files be compared with
new files
Confirmation request be sent to third parties
Discrepancy reports be use to detect inconsistencies and correct them
Operational approval be obtained after users used the system a few times
KPMGroup
11
3/13/2015
Discrepancy
Report
Scenario
You plan to assess control risk at a low level
on conversion control as a general control
What to do?
REVIEW PLANS FOR CONTROLLING THE CONVERSION
FROM ONE SYSTEM TO ANOTHER
EXAMINE DOCUMENTATION FOR EVIDENCE
EVALUATE THE PROCEDURES TO ECONCILE ORIGINAL
AND NEW FILES
KPMGroup
12
3/13/2015
Scenario
You plan to assess control risk at a low level
on conversion control as a general control
What to do?
REVIEW OR OBSERVE THE USE OF RECORD
COMPARISONS AND CONFIRMATION REQUESTS
EXAMINE DISCREPANCY REPORTS FOR EVIDENCE
TEST THE CONVERSION
KPMGroup
POSTIMPLEMENTATION REVIEW
INTERNAL AUDIT
PERSONNEL
EDP PERSONNEL
USERS
KPMGroup
13
3/13/2015
Scenario
You plan to assess risk at a low level on the
general control of post implementation
review
What to do?
REVIEW INTERNAL WORKING PAPERS
INTERVIEW SYSTEMS DEVT STAFF, USERS AND
MANAGEMENT
REVGIEW THE FINAL REPORT OF THE COMMITTEE
KPMGroup
PROGRAM
MAINTENANCE
KPMGroup
PROGRAM
ENHANCEMENTS
14
3/13/2015
KPMGroup
KPMGroup
15
3/13/2015
Program
Change
Form
KPMGroup
16
3/13/2015
KPMGroup
KPMGroup
17
3/13/2015
Scenario
You plan to assess risk at a low level on
systems change controls
What to do?
INTERVIEW OPERATIONS AND SYSTEMS PERSONNEL
REVIEW DOCUMENTATION IN SUPPORT OF SELECTED
PROGRAM CHANGES
EXAMINE RESULTS OF TESTS PERFORMED ON MODIFIED
PROGRAMS
KPMGroup
Scenario
You plan to assess risk at a low level on
systems change contROLS
What to do?
COMPARE THE ORIGINAL PROGRAM SOURCE CODING
WITH THE MODIFIED PROGRAM SOURCE CODING
ON A TEST BASIS, SELECT CURRENT APPLICATION PROGRAMS
FOR WHICH THERE IS NO DOCUMENTATION OF CHANGES
DURING THE PRECEEDING YEAR, & COMPARE THE CODE OF
CURRENT PROGRAMS WITH THE CODE OF THE SAME
PROGRAMS AF A YEAR AGO.
KPMGroup
18