Experis - Auditing Application Controls PDF

2014 PhxSAC
Auditing Application
Controls
T u e s d a y, S e p t e m b e r 3 0 , 2 0 1 4
Experis | September 30, 2014 1

Agenda
 What are Application Controls?
 Testing Application Controls
 Auditing Master Files
 Separation of Duties

What are
Application Controls?

Definition of Internal Control - COSO 2013
 Internal control is broadly defined as a process, effected by
an entity's board of directors, management and other
personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following
categories:
– Effectiveness and efficiencies of operations,
– Reliability of reporting, and
– Compliance with applicable laws and regulations.

Definition of Internal Control
 Process - a series of actions or steps taken in order to
achieve a particular end (Oxford Dictionaries).
 Reasonable Assurance - Recognition that it is not possible

to declare with absolute certainty that an event will or will not
happen (LawDictionary.com).

COBIT - Definition of Application Control
 Application controls are a subset of internal controls that
relate to an application system and the information
managed by that application.*
 Application controls can be viewed as those policies,
procedures and activities designed to provide reasonable
assurance that objectives relevant to a given automated
solution are achieved.*
 System automated control activities imbedded in
business processes.
*From COBIT and Application Controls: A Management Guide

Why Application Controls*
 Efficiency – Application controls automate what would
otherwise be manual processes.
 Consistency – Application controls work the same way
every time.
 Capacity – Application controls can handle extreme
volumes.
 Control – Logical authority functionality make
Segregation of Duties (SoD) more reliable.

Why Application Controls*
Cost to Operate
Manual
Automated
Process Size & Complexity

Objectives of Application Controls*
 Completeness - The application processes all transactions and the
resulting information is complete.
 Accuracy - All transactions are processed accurately and as
intended and the resulting information is accurate.
 Validity - Only valid transactions are processed and the resulting
information is valid.
 Authorization - Only appropriately authorized transactions have
been processed.
 Separation of Duties - The application provides for and supports
appropriate segregation of duties and responsibilities as defined by
management.

Testing Application Controls

Examples of Application Control Types
 Automated calculations
 Logical authority controls
 Data entry/field validations
 Business rules
 Work flow rules
 Reconciliations
 Exception Reports

Automated Calculations
 The application performs mathematical functions
 Examples
– Invoice amounts
– Inventory balances
– Data entry totals
– Report totals


Input Activity Output
• Customer • Automated • Invoice

information calculation with
• Price amount
information due
• Shipping
information

 Example - Aged Accounts Receivable
– Validate that the query is pointed to the table of customer
invoices
– Ensure that the query is:
• pointed to the “paid” field,
• reading the “created date” field, and
• Selecting amounts from the “invoice amount” field.
– Recalculate to validate that the calculation is:
• selecting only unpaid invoices,
• batching the invoices according to the desired criteria (30, 60, 90
days, etc.), and
• including only the unpaid amount of the invoice.

Logical Authority
 The application controls which users can initiate a job
 Examples
– Process Journal Entries
– View Payroll Data
– Print Reports
– Separation of Duties
• Initiate a P.O. / Approve a P.O.
• Approve Credit / Enter an order

Logical Authority

Logical Authority
• P.O. • Automated • Approved

information decision or rejected
• Approved P.O.
authorities/
roles

Logical Authority
 Example – Posting general journal entries
– Obtain a report of users with the ability to post general
journal entries
– For a selection of users with the ability to post general
journal entries, determine if :
• the business owner approved the authority,
• the authority is consistent with the users job responsibilities, and
• there are no conflicting authorities/roles.

Data Entry/Field Validations
 System activities that help ensure that data entered is
accurate and complete.
 Examples
– Mandatory data entry fields
– Preset data formats
– Values within a pre-established range
– Information provided across different input fields is consistent
– Drop down lists
– Check digits/batch sums


• Applicable • Automated • Accepted

data decision or rejected
• Field • Data
validation recorded in
rules database

 Example – Entering time keeping data
– Determine if the application:
• is configured to prevent the entry of hours unless the employee is
already in the employee master file
• prevents the entry of more than 24 hours in a day
 Example – Adding a new employee to the payroll
application
– Determine if the application
• requires a SSN
• will only accept a 9 digit number in the SSN field

Business Rules
 The application makes decisions based on
configurable/preset rules
 Examples
– Credit decisions
– Three way match
– Inventory reorder points

Business Rules

Business Rules
• Client credit • Automated • Accepted or

limit calculation rejected
• Credit • Automated credit
request decision request
• Outstanding
credit

Business Rules
 Example – Credit Approval
– Ensure that the ability to add, edit and delete data in the
related master files is appropriate.
– For a selection of requests, determine if:
• the system calculated the total amount of credit exposure
accurately, and
• the system decided the request accurately.

Work Flow Rules
 The application automatically routes decisions to the
appropriate user for action.
 Example
– Approval of a purchase order
– Approval of a journal entry
– Approval of a new vendor

Work Flow Rules

Work Flow Rules
• Purchase • Automated • P.O. routed

information decision to the
• Approval appropriate
hierarchy approver

Work Flow Rules
 Example – P.O. Approval
– Ensure that the ability to add, edit and delete data in the P.O.
Approval routing table is limited to users that are appropriate.
– Determine if the current approval hierarchy is appropriate.
– For a selection of requests, determine if the system routed
the P.O. to the appropriate approver.

Reconciliations
 The application compares data from separate
independent sources for accuracy.
 Examples
– Bank account reconciliation
– Reconciliation of sales to shipments and COGS

Reconciliations
Retail
Reconciliation
transactional Transaction All items
Yes report
data captured at Database reconcile?
point of sale
No
$ Research and
Deposit Application
resolve
information performs
reconciling
from bank reconciliation
items
Bank

Reconciliations
• Transactional • Reconcile • Produce

data from data reconciliation
POS • Research and report
• Bank deposit resolve
information reconciling
items

Reconciliations
 Example – Retail sales reconciliation
– Ensure that the ability to add, edit and delete data in the
transactional database is limited to users that are
appropriate.
– Determine that reconciled data is from two independent
sources.
– For a selection of locations, re-perform the reconciliation.
– Determine if unreconciled items are investigated and
cleared.

Exception Reports
 The application logs and reports exception events
according to preset rules.
 Examples
– Interface error reports
– Journal entries over a certain amount
– Specific transaction types
– Overtime hours
– System access during certain hours

Exception Reports
The system
User edits the
Vendor records that the
vendor master
Master file Vendor Master
file
was edited
System reports
System Log
System log all edits to the
(edit) Report
file Vendor Master
file

Exception Reports
• Configuration • System logs • Report of

to monitor the edit to edits to the
Vendor the Vendor Vendor
Master file Master file Master file
changes
• User edits

Exception Reports
 Example – Vendor master file edit report
– Determine if users with the ability to edit the vendor master
file are appropriate.
– Determine if the application is configured to log and report
edits to the vendor master file.
– For a sample of edits, determine if the edit was included in
the report.
– Confirm that the reports are reviewed and necessary action
is taken.

Auditing Master Files

Master Files
 Definitions
– A collection of records pertaining to one of the main subjects
of an information system, such as customers, employees,
products and vendors.
– A computer file that is used as the authority in a given job
and that is relatively permanent.
 Typical Master Files
– Customer
– Vendor
– Price
– Item/Inventory

Master Files
Customer Customer Name

Master File and Address
Price Master File Item Price
Calculation of Invoice
Amount Owed
Shipping Data Quantity Shipped

Master Files
 Objective - Controls provide reasonable assurance that
the ability to add/change/delete price master file
information is limited to those users that are approved
and for which the authority is consistent with their job
responsibilities.
entered data is accurate, complete and in the appropriate
format.

Master Files
the ability to add/change/delete price master file
information is limited to those users that are approved
and for which the authority is consistent with their job
responsibilities.
– Control - The Corporate Controller reviews and approves
access requests for the authority to add/change/delete
vendor master file data.
– Control - Quarterly, the Corporate Controller reviews the list
of personnel with the authority to add/change/delete master
data information.

Master Files
 Control - The Corporate Controller reviews and approves
access requests for the authority to add/change/delete
vendor master file data.
– Test - Obtain a report of users with the authority to
add/change/delete vendor master data. If possible, include
the creation/assignment date.
– Test - From the report, select a number of new users and
obtain evidence confirming that the user’s authority was
approved prior to the granting of authority.
• Determine if the approver is at an appropriate level/position.

Master Files
 Control - Quarterly, the Corporate Controller reviews the
list of personnel with the authority to add/change/delete
master data information.
– Test - For a selection of quarterly reviews, obtain evidence of
the Corporate Controller’s review. Inspect the evidence to
determine if:
• The review was performed
• Any users where flagged as inappropriate
– Test – Follow-up on inappropriate user to determine if their
access was removed.

Master Files
 Objective - Application controls provide reasonable
assurance that manually entered data is accurate,
complete and in the appropriate format.
– Control - The employee master file entry page is configured
to require a nine (9) digit number in the Social Security
Number field.
– Control - The Accounting Manager reviews the report of
additions/changes to the vendor master file weekly.

Master Files
 Control - The employee master file entry page is
configured to require a nine (9) digit number in the Social
Security Number field.
– Test – Observe the entry of a SSN. Attempt to enter an 8
digit number to determine if the application will reject the
entry.
– Test – Observe the entry of a SSN. Attempt to enter a 10
digit number to determine if the application will allow the
entry of more than 9 digits.

Master Files
 Control - The Accounting Manager reviews the report of
additions/changes to the vendor master file weekly.
– Test - For a selection of weekly reviews, obtain evidence of
the Accounting Manager’s review. Inspect the evidence to
determine if:
• Any edits where flagged as inappropriate
– Test – Follow-up on inappropriate edits to determine if they
were resolved.

Separation of Duties

 Definition
– The concept of having more than one person required to
complete a task.
– Control policy according to which no person should be given
responsibility for more than one related function.
 Example Separation of Duties (SoD)
– Add/edit vendor master file data and enter
– Create and approve a P.O.
– Post journal entries and reconcile GL accounts
– System administrator and end user


Segregation of Duties
Functions
Create and maintain vendor records

Approve/release purchase orders
Enter vendor debit memos

Cash payment processing
Release blocked invoices
Process vendor invoices
Process goods receipt
Functions
Create and maintain vendor records x x x
Approve/release purchase orders x x x
Process goods receipt x x x

Process vendor invoices x x x
Cash payment processing x x
Release blocked invoices x x
Enter vendor debit memos x x
From COBIT and Application Controls: A Management Guide

 Objective – Controls provide reasonable assurance that
a single user does not have end to end access rights
over any function/process.
– Control - Compatible authorities are identified and
configured for each role.
– Control - The business owner reviews and approves any
system authority requests related to their area/module.
– Control - Quarterly, the business owners review a report of
users along with their assigned authorities to determine if
any users have incompatible authorities.

 Control - Compatible authorities are identified and
programed for each area/module.
– Test – Obtain a report of roles with specific assigned
authorities for each role.
– Test – For a selection of roles, determine if any of the roles
have been assigned incompatible duties.
Be careful to include manual duties that may conflict

with logical authorities.

 Control - The business owner reviews and approves any
system authority requests related to their area/module.
– Test - Obtain a report of application users that includes an
account creation date.
– Test - For a selection of new users (in the audit period),
obtain and inspect evidence that the business owner
approved the assigned authority prior to the assignment.

 Control - Quarterly, the business owners review a report
of users along with their assigned authorities to
determine if any users have incompatible authorities.
– Test - For a selection of quarterly reviews, obtain evidence of
the business owner’s review.
– Test – Inspect the evidence to determine if:
• Any assigned authorities where flagged as inappropriate
– Test – Follow-up on inappropriate authorities to determine if
they access were removed.

Questions?

Thank You
Joe B. Peacock
Director, Risk Advisory Services
Experis
(602) 707-5428
Joe.Peacock@Experis.com

Experis - Auditing Application Controls PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Experis - Auditing Application Controls PDF

Uploaded by

Copyright:

Available Formats

2014 PhxSAC

Experis | September 30, 2014 1

 Testing Application Controls

 Auditing Master Files

Experis | September 30, 2014 2

Experis | September 30, 2014 4

Experis | September 30, 2014 5

 Reasonable Assurance - Recognition that it is not possible

Experis | September 30, 2014 6

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 7

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 8

Process Size & Complexity

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 9

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 10

Experis | September 30, 2014 11

Experis | September 30, 2014 12

Experis | September 30, 2014 13

Experis | September 30, 2014 14

Input Activity Output

• Customer • Automated • Invoice

Experis | September 30, 2014 15

Experis | September 30, 2014 16

Experis | September 30, 2014 17

Experis | September 30, 2014 18

Input Activity Output

• P.O. • Automated • Approved

Experis | September 30, 2014 19

Experis | September 30, 2014 20

Experis | September 30, 2014 21

Experis | September 30, 2014 22

Input Activity Output

• Applicable • Automated • Accepted

Experis | September 30, 2014 23

Experis | September 30, 2014 24

Experis | September 30, 2014 25

Experis | September 30, 2014 26

Input Activity Output

• Client credit • Automated • Accepted or

Experis | September 30, 2014 27

Experis | September 30, 2014 28

Experis | September 30, 2014 29

Experis | September 30, 2014 30

Input Activity Output

• Purchase • Automated • P.O. routed

Experis | September 30, 2014 31

Experis | September 30, 2014 32

Experis | September 30, 2014 33

Experis | September 30, 2014 34

Input Activity Output

• Transactional • Reconcile • Produce

Experis | September 30, 2014 35

Experis | September 30, 2014 36

Experis | September 30, 2014 37

Experis | September 30, 2014 38

Input Activity Output

• Configuration • System logs • Report of

Experis | September 30, 2014 39

Experis | September 30, 2014 40

Experis | September 30, 2014 41