Beruflich Dokumente
Kultur Dokumente
Auditing
Application
Controls
Authors
Christine Bellino, Jefferson Wells
Steve Hunt, Crowe Horwath LLP
3. Risk Assessment............................................................................................................................................................... 7
Assess Risk............................................................................................................................................................... 7
Access Controls........................................................................................................................................................ 9
Planning.................................................................................................................................................................. 10
Documentation Techniques................................................................................................................................... 12
Testing.................................................................................................................................................................... 13
6. Appendices..................................................................................................................................................................... 18
7. Glossary.......................................................................................................................................................................... 26
8. References...................................................................................................................................................................... 27
9. About the Authors.......................................................................................................................................................... 28
GTAG Introduction 2
Defining Application Controls
Additional application control components include whether they are preventive or detective. Although both control
types operate within an application based on programmed or
configurable system logic, preventive controls perform as the
name implies that is, they prevent an error from occurring within an application. An example of a preventive control is an input data validation routine. The routine checks
4, 5 GTAG 1: Information Technology Controls, p. 8.
6
GTAG Introduction 2
Lack of IT development projects.10
As these differences point out, there is a direct correlation
between the complexity of transactional and support
applications and the availability, use, and reliance on inherent
and configurable application controls. In other words, a less
complex IT infrastructure may not offer as many inherent
or configurable application controls for risk management.
Hence, the degree of transactional and support application
complexity will drive the scoping, implementation, level
of effort, and knowledge required to execute an application
control review, as well as the degree to which internal
auditors can assist in a consulting capacity.
Reliability
Benchmarking
The Committee of Sponsoring Organizations of the Treadway Commissions (COSOs), Internal Control over Financial Reporting
Guidance for Smaller Public Companies, Vol. III, p. 61.
COSOs, Internal Control over Financial Reporting Guidance for Smaller Public Companies, Vol. III, p. 56.
PCAOB, Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements, paragraph B29.
GTAG Introduction 2
In addition, the nature and extent of the evidence the
auditor should obtain to verify the control has not changed
may vary, based on circumstances such as the strength of the
organizations program change controls.12 As a result, when
using a benchmarking strategy for a particular control, the
auditor should consider the effect of related files, tables, data,
and parameters on the application controls functionality.
For example, an application that calculates interest income
might depend on the continued integrity of a rate table that
is used by the automated calculation.13
The auditor should evaluate the appropriate use of
benchmarking of an automated control by considering how
frequently the application changes. Therefore, as the
frequency of code change increases, the opportunity to rely
on an application controls benchmarking strategy decreases.
Additionally, the auditor should evaluate the reliability of
the information regarding the changes made to the system.
Hence, if there is little to no verifiable information or reports
available for the changes made to the application, database,
or supporting technology, the application control is less likely
to qualify for benchmarking.
However, benchmarking is particularly effective when
companies use pre-packaged software that doesnt allow for
any source code development or modification. In cases like
these, the organization needs to consider more than just
the code change. An application control within a complex
application, such as SAP or Oracle Financials, can be changed,
disabled, or enabled easily without any code change.
Finally, parameter changes and configuration changes
have a significant impact on most application controls. For
example, tolerance levels can be manipulated easily to disable
tolerance-level controls, and purchase approval controls can
be manipulated when their release strategy is modified
once again, without requiring any code changes.
Organizations need to evaluate each application control to
determine how long benchmarking can be effective. Once
the benchmark is no longer effective, it is important to reestablish the baseline by re-testing the application control.
Auditors should ask the following questions when identifying
if the application control is still operating effectively and as
originally benchmarked:
Have there been changes in the risk level associated
with the business process and the application control
from when it was originally benchmarked (i.e., does
the business process provide substantially greater
risk to financial, operational, or regulatory
compliance than when the application control was
originally benchmarked)?
12 PCAOB, Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements, paragraph B29.
13 PCAOB, Auditing Standard No. 5, An Audit of Internal Control Over Financial Reporting That is Integrated with An Audit of Financial Statements, paragraphs B29 - 30.
14 IIA Standard 1220: Due Professional Care.
15 IIA Standard 1210.A3.
GTAG Introduction 2
proficient enough to determine if implemented application
controls are appropriately designed and operating effectively to
manage financial, operational, or regulatory compliance risks.
Consultant or Assurance
Design of Controls
GTAG Introduction 2
Education
Controls Testing
Application Reviews
10-K
Financial
Statements
Revenue
and
Receivables
Management
and Financial
Reporting /
Accounting
Purchases
and
Payables
BU1
BU2
BU3
Non-financial
Disclosures Mapped
to Processes
Corporate
Payroll and
Benefits
BU1
BU2
BU3
Treasury
Corporate
Legal
Compliance
Manufacturing
Corporate
Investor
Relations
Environmental
Prepare Risk
Control Matrices
(Manual and
Automated)
Define Risk
Assessment for
Application
Controls
10
10
10
10
Design
Effectiveness
of the App
Controls
Pre-packaged
or Developed
Application
Supports
More Than
One Critical
Business
Process
Frequency of
Change
10
Complexity
of Change
15
Financial
Impact
15
Effectiveness
of the ITGCs
Composite
Score
APPA
375
APPB
170
APPC
245
APPD
395
APPE
225
Access Controls
Planning
Major Process
(Level 2)
Subprocess
(Level 3)
Activity (Level 4)
Procurement
Requisition
processing
Purchase order
processing
Goods receipt
processing
Goods return
processing
Vendor
management
Invoice
processing
Credit memo
processing
Process
payments
Void payments
Receiving
Accounts
Payable
Requisitioner
START
C1
1. Enter Purchase
Requisition Details
(PR) Details
Resolve Issue
With PR
C3
No, notify
Procurement
C4
Buyer
2. Approve
PR?
Yes
3. Purchase
Requisition
Notify 4. Convert PR
into Purchase
Order (PO)
Accounts
Payable
Receiving
C2
C9
8. Enter invoice in
AP application by
matching to PO and
Receiver
5. Send PO
to Supplier
C6
6. Receive
Goods
Against PO
C7
7. Vendor
Invoice
Received
C5
C12
C13
C14
C8
9. Vendor
Payment
C10
END
C11
Triangles represent each control in the process. The number of each control ties to the activity represented on the Risk and Controls Matrix.
Flowcharts
Process Narratives
2) Receiving
Procure-to-pay
Primary Contact(s)
Key Components
3) Accounts Payable
1) Procurement
a) Requisitioning
i) When employees need to buy goods or services,
they will create a purchase requisition in the
procurement application (Control C1). Once the
12
Testing
13
$0/530"$5*7*5*&4
3*4,4
$0/530$0/530$040
$0.10/&/54 "553*#65&4 $-"44*'*$"5*0/
5&45*/(
/PUFT
0QFSBUJPOBM
&GGFDUJWFOFTT
:/
5FTU
3FTVMUT
1PTUFE
$MBTTJGJFE
5JNFMZ
7BMVFE
3FDPSEFE
3FBM
'SFRVFODZ
1SF%FU
.BO"VUP
, :/
*$
$"
3"
$&
$POUSPM
"DUJWJUJFT
*NQBDU
-JLFMJIPPE
3JTLT
$POUSPM
0CKFDUJWFT
/VNCFS
.BKPS1SPDVSFNFOU
4VC1VSDIBTF3FRVJTJUJPO1SPDFTTJOH
"DUJWJUZ$SFBUF
$
%VFUPUIFMBDL
PGBQQSPQSJBUF
TFHSFHBUJPOPGEVUJFT
BVTFSJTBCMFUP
DSFBUF
BQQSPWF JF
SFMFBTF
BTTJHO
BOE
DPOWFSUBQVSDIBTF
SFRVJTJUJPO
SFTVMUJOH
JOUIFJOBQQSPQSJBUF
SFXBSEJOHPG
CVTJOFTTUPTVQQMJFST
PWFSQBZNFOUT
BOE
FYDFTTJWFJOWFOUPSZ
MFWFMT
$POUSPMTQSPWJEF
6OBVUIPSJ[FEPS
SFBTPOBCMFBTTVSBODF FYDFTTJWFQVSDIBTF
UIBUQVSDIBTF
SFRVJTJUJPORVBOUJUJFT
SFRVJTJUJPOTBSF
DPVMEMFBEUP
DSFBUFECZBVUIPSJ[FE VOGBWPSBCMFQSJDFT
QFSTPOOFMDPNQMFUFMZ FYDFTTJWFJOWFOUPSZ
BOEBDDVSBUFMZ
BOEVOOFDFTTBSZ
QSPEVDUSFUVSOT
6OBVUIPSJ[FEPS
FYDFTTJWFQVSDIBTF
SFRVJTJUJPORVBOUJUJFT
DPVMEMFBEUP
VOGBWPSBCMFQSJDFT
FYDFTTJWFJOWFOUPSZ
BOEVOOFDFTTBSZ
QSPEVDUSFUVSOT
-JTUPGBDSPOZNTVTFEJOUIFDIBSU
#/3/ #OMPONENTS