The evaluation, documentation and testing of relevant IT general controls depends mainly on whether
or not we assess that a key risk related to IT exists and that substantive testing alone would not be an
efficient way to address that risk. We also need to evaluate whether we plan to gain comfort from
automated application controls, or from manual controls or business process reviews that use
computer-generated information.
Process name | Description | Complex (Y/N) | Link to process flowcharting
Enter process name, e.g. Invoicing, Salary, Purchasing, etc. | Enter a description of the process that focuses on elements that might imply complexity or non-complexity of the process | Y/N | Enter link to relevant steps
Guidance
When is a business process complex?
Evaluation of business process complexity is not an objective science, but will depend on the auditors'
professional judgment. It might be helpful to think in terms of complexity indicators, which might
include, for example, the following.
The process involves:
many persons and departments and the relation between these are unclear or complex
a large number of actions and decisions in a process flow
a large number of manual procedures to be performed
advanced processing of data based on complex formulas and large number of data inputs
Evaluate and conclude whether or not the company has complex IT systems. Enter each
relevant system into the table below. For each system document an overall evaluation of
system complexity. The conclusion for each system should be clearly stated as "yes" or "no".
If complex systems are present you should involve SPA personnel. Make sure that SPA
involvement is included in the audit planning. Confirm SPA involvement in the table, and link
to relevant planning steps.
Complex (Y/N)

System complexity indicators for vendor-supplied systems:
- market share
- scope of parameter settings for implementation and operation
- new implementation
- level of customization (changes from the vendor's original layout and the type of changes, i.e.
  only report changes or changes to the data treatment)

System complexity indicators for in-house systems:
- period since last significant change in logistics/structure
- what consequences changes have had for the accounting system
- new implementation and period in operation

Number of transactions:
- is the number of transactions so high that it would be difficult for the users to identify and
  correct errors in the data processing?
- volume

Complex calculations:
- how easily can the auditor verify the calculations?
- volume of system-generated transactions versus manual transactions
- can the client document a clear and reliable audit trail, or is the audit trail complex, unclear or
  lacking? (If the client has problems in documenting the audit trail, the auditor can carry this out
  as assistance.)
Have any new databases or systems, including operational systems, been implemented? How
significant are these new databases or systems for the business and its financial statements?
(For instance, has management implemented systems for electronic handling of key processes,
such as internet-based systems? If so, is maintenance of the system carried out internally or
externally?)
Was the implementation successful? Which problems have been found in the systems and how
were the problems solved?
Has a conversion of data been made as a result of the new database / systems / maintenance?
Which data were converted? Have problems arisen as a result of the conversion?
What is the routine for making changes to the existing systems? Have significant changes been
made?
Have changes been made to the automatic control of the systems?
Have data been moved to new IT environments such as internet based solutions?
Have the system-programmes been significantly upgraded?
Have significant changes been made to the network? (such as installation of wireless
technology)
Have final users been involved in design of changes or in the testing and acceptance process of
changes?
Has internal audit been involved in the system changes? Has a review of the systems been
made before or after implementation? If so, obtain copies of these reports.
Generally, which changes in the information systems and technology have been planned, long
term and for the next 12 months?
Known problems:

1. Testing approach (short description):

Categorize approach (enter category a), b) or c)):
a) IT based controls
b) Non-IT controls
c) Substantive
Complex Systems: division of work between Auditors and SPA

Activity | Auditors | SPA
Identify and document significant processes and systems | Combined team
Document and evaluate controls other than general computer controls, for example application controls | Combined team
Validate controls | Combined team
Document, evaluate and validate general computer controls | X | X* (Combined team)
*SPA personnel should be involved if there is uncertainty about the complexity level and the
approach, or if assistance is required for documentation, evaluation and testing of controls.
If involving SPA personnel is considered necessary based on the above criteria but the Engagement
Leader still decides not to involve them, this decision must be made in consultation with SPA.
When SPA personnel participate in the audit, the Team Manager and responsible SPA personnel
should always agree on the following:
Because controls over program changes, computer operations and access to programs and data impact
the continued effective operation of the application-driven components, testing of controls in these
three areas is required.
Example Linkage of Automated Application Controls to ITGCs
Automated application controls are controls designed into a computer application that help to achieve
information processing objectives. For example, many applications include a number of edit checks designed
to help ensure that input data is accurate. These edit checks might include format checks (i.e., date or number),
existence checks (i.e., customer number exists on customer master file), or reasonableness checks (i.e.,
maximum payment amount). When an input data element fails an edit check, that input data may be rejected
or it may be pulled into an application-generated exception report for subsequent follow-up and resolution.
If ITGC weaknesses are noted in the computing environment supporting an application with key edit checks,
we may be unable to rely on those edit checks continuing to operate as intended. For example, a program
change deficiency could result in an unauthorized change to the programming logic that checks the format of
an input data field such that inaccurate data is allowed into the application. Furthermore, a deficiency related
to security and access rights could allow inappropriate bypassing of a reasonableness check that would
otherwise prevent the processing of payments in excess of a maximum tolerable threshold.
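The edit checks described above, and the dependence of the reasonableness check on an unchanged threshold parameter, can be made concrete in a few lines. The following is an added example written for this page and is not code from the original document; the customer master file, the payment batch and the MAX_PAYMENT threshold are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed customer master file (the target of the existence check).
CUSTOMER_MASTER = {"C1001", "C1002", "C1003"}

# Constructed reasonableness parameter: maximum tolerable single payment amount.
# In a real application this value lives in configuration, so its integrity depends
# on program-change and access controls over that configuration.
MAX_PAYMENT = 50_000.00


@dataclass
class ExceptionRecord:
    """One line of the application-generated exception report."""
    record_id: str
    field: str
    check: str
    value: str
    reason: str


def format_check_date(value: str) -> bool:
    """Format check: date must be YYYY-MM-DD."""
    return re.fullmatch(r"\d{4}-\d{2}-\d{2}", value) is not None


def format_check_amount(value: str) -> bool:
    """Format check: amount must be numeric with exactly two decimals."""
    return re.fullmatch(r"\d+\.\d{2}", value) is not None


def existence_check_customer(customer: str, master: set) -> bool:
    """Existence check: customer number must be on the customer master file."""
    return customer in master


def reasonableness_check_amount(amount: float, limit: float) -> bool:
    """Reasonableness check: amount must be positive and within the limit."""
    return 0 < amount <= limit


def validate_payment(record: dict, master: set, limit: float) -> list:
    """Run every edit check on one input record; an empty list means accepted."""
    exceptions = []
    rid = record["id"]
    if not format_check_date(record["date"]):
        exceptions.append(ExceptionRecord(rid, "date", "format", record["date"], "expected YYYY-MM-DD"))
    if not format_check_amount(record["amount"]):
        exceptions.append(ExceptionRecord(rid, "amount", "format", record["amount"], "expected numeric with two decimals"))
    elif not reasonableness_check_amount(float(record["amount"]), limit):
        exceptions.append(ExceptionRecord(rid, "amount", "reasonableness", record["amount"], f"exceeds maximum payment {limit:.2f}"))
    if not existence_check_customer(record["customer"], master):
        exceptions.append(ExceptionRecord(rid, "customer", "existence", record["customer"], "not on customer master file"))
    return exceptions


def process_batch(records, master=CUSTOMER_MASTER, limit=MAX_PAYMENT):
    """Accepted records are returned for posting; rejected ones go to the exception report."""
    accepted, report = [], []
    for record in records:
        exceptions = validate_payment(record, master, limit)
        if exceptions:
            report.extend(exceptions)
        else:
            accepted.append(record)
    return accepted, report


def render_exception_report(report) -> str:
    """Plain-text exception report for subsequent follow-up and resolution."""
    lines = ["record  field     check           value         reason"]
    for e in report:
        lines.append(f"{e.record_id:<7} {e.field:<9} {e.check:<15} {e.value:<13} {e.reason}")
    return "\n".join(lines)


# Constructed input batch: one clean record and one failure per check type.
SAMPLE_BATCH = [
    {"id": "P1", "date": "2024-03-01", "customer": "C1001", "amount": "1200.00"},
    {"id": "P2", "date": "01/03/2024", "customer": "C1001", "amount": "300.00"},
    {"id": "P3", "date": "2024-03-02", "customer": "C9999", "amount": "50.00"},
    {"id": "P4", "date": "2024-03-02", "customer": "C1002", "amount": "75000.00"},
]

if __name__ == "__main__":
    accepted, report = process_batch(SAMPLE_BATCH)
    print("accepted:", [r["id"] for r in accepted])
    print(render_exception_report(report))
    # The same batch after an unauthorized change to the threshold parameter:
    # the reasonableness check no longer stops P4.
    accepted_weak, _ = process_batch(SAMPLE_BATCH, limit=1_000_000.00)
    print("accepted with tampered limit:", [r["id"] for r in accepted_weak])
```

The second run in the main block is the point the text makes about ITGC weaknesses: the check logic is unchanged, but because the limit is a parameter, weak change or access controls over that parameter are enough to let the out-of-range payment through.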
Legend
1. Management implies certain assertions about its financial statements by publishing those
statements.
2. Financial statement line items represent account balances that have been derived from one or
more transactions.
3. Transactions are often grouped into sub-processes when common processing exists for
different transaction types.
4. Sub-processes are grouped into processes to enable effective management oversight.
5. Management has objectives regarding the processing of its transactions.
6. There are risks to the achievement of information processing objectives.
7. Management implements application controls to mitigate risks to the information processing
objectives.
8. Management implements business performance reviews to identify potential anomalies in
financial results.
9. Management evaluates whether financial anomalies are the result of application control
breakdowns.
10. Certain manual application controls and business performance reviews use reports generated
by computer applications.
This domain is relevant only where significant development, implementation, or conversion projects
exist or are anticipated. The following points of focus may be helpful for identifying ITGCs in this
domain that are relevant to internal controls over financial reporting at your client. Note: Not all points
of focus are relevant to every entity, and other risk factors may exist that will need to be considered. It
is necessary to determine relevant activities and controls based on the entity's unique IT environment.
Does the company employ a formal methodology and/or clear policies and procedures that
govern program development activities?
How does management ensure that comprehensive implementation plans are developed and
executed upon for all significant projects, including consideration of desired system
functionality, internal controls over financial reporting, and proper security and access
controls?
How has management documented and communicated roles and responsibilities to individuals
engaged in program development activities?
How does management ensure that appropriate business sponsors and IT project leads are
involved in defining business requirements, test plans, and test results?
How does management monitor program development activities and related controls?
How does management ensure that development efforts are aligned with overall business and
internal control objectives?
How does management ensure that each project team contains the requisite business and
technology skills, including knowledge of internal controls?
How does management ensure that business sponsors and data owners are identified for all
projects?
How does management ensure that system requirements are consistently developed in
sufficient detail?
How does management ensure that project teams consider system and interface dependencies,
internal control requirements and security requirements for every project?
How does management ensure that business sponsor approval has been obtained prior to
moving to the construction phase of the project?
Construction/Package Selection
Construction and package selection controls should ensure that in-house program development
activities and the selection of packaged software are performed to support the achievement of
management's application control objectives. Consider the following:
How does management ensure use of programming standards for in-house developed
applications?
How does management ensure consistent application of control over the selection,
customization and implementation of purchased software packages?
How does management ensure that version control is in place for all systems?
How does management ensure that dependencies between and among integrated applications
and data files are identified and considered?
How does management ensure that test plans are sufficient to address requirements defined in
the analysis and design phase?
How does management determine the nature and extent of testing (i.e. unit, user, regression
testing)?
How does management ensure that appropriate testing is performed and approved by relevant
IT and/or business unit personnel?
How does management ensure that the design and operating effectiveness of new or changed
internal controls over financial reporting have been sufficiently addressed during testing?
How does management ensure that programs are not modified after testing before
implementation in production?
How does management ensure the controlled migration of code between logical environments?
How does management ensure that configuration options selected for packaged applications
achieve business and control requirements?
Data Conversion
Data conversion controls should ensure that data is converted completely and accurately to new
systems. Consider the following:
How does management ensure data fields are properly mapped from legacy to target systems?
How does management ensure that converted data remains complete, accurate, and valid?
How does management ensure that critical system interfaces are considered in data conversion
plans?
Program Implementation
Program implementation controls should ensure that new systems are implemented in the live
environment only after adequate testing has been performed, business sponsor approval has been
obtained, and proper implementation and back-out plans have been developed. Consider the following:
How does management ensure that all program implementations are approved by appropriate
business sponsors and IT management?
How does management ensure that a consistent process is followed when making all go-live
decisions (i.e., implementation plans, back-out procedures, etc.)?
How does management ensure that the version of the program implemented in production is
the most recent version that had been tested and approved by the business sponsors?
If the program is run at multiple sites, how does management ensure that all copies of the
program have been updated with the correct version?
How does management ensure that significant implementation risks, particularly in a complex
implementation, are addressed in the post-implementation period (e.g. post-implementation
reviews, shake-down controls, etc.)?
How does management ensure that user and technical documentation are developed and
communicated in a timely manner for all new systems?
How does management ensure that users and IT personnel receive adequate training on all new
systems and related internal controls?
Segregation of duties
Segregation of duties controls should ensure that the roles and responsibilities throughout the program
development process have been appropriately restricted and segregated. Consider the following:
How does management ensure that responsibilities throughout the program development
process are adequately segregated?
How does management ensure that separate environments are maintained for development,
testing and production, and that only appropriately authorized individuals have access to each
of those environments?
Once financially significant applications have been identified in scoping, the following points of focus
may be helpful for identifying ITGCs in this domain that are relevant to internal controls over
financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other
risk factors may exist that will need to be considered. It is necessary to determine relevant activities
and controls based on the entity's unique IT environment.
How does management ensure that a controlled process is followed for all system changes
across application programs, infrastructure components, management units, and locations?
How has management documented and communicated change management policies and
procedures?
How has management documented and communicated change management roles and
responsibilities?
How does management monitor compliance with implemented program change controls?
How does management ensure that all user requests for changes are captured?
How does management ensure that all user change requests are evidenced as authorized by an
appropriate level of management?
How does management ensure that requests identified as a result of problem management
activities are considered along with user change requests?
How does management consider the potential impact of requested changes on internal controls
over financial reporting?
Construction
Construction controls should ensure that changes are developed and performed to support the
achievement of management's application control objectives. Consider the following:
How does management ensure use of programming standards for in-house developed
applications?
How does management ensure that version control is in place for all systems?
How does management ensure that dependencies between and among integrated applications
and data files are identified and considered?
How does management determine the nature and extent of testing for each change (i.e. unit,
user, regression)?
How does management ensure that testing performed addresses both the change made, as well
as significant functionality within the system that should not have changed?
How does management ensure the appropriate users and management are involved in testing to
properly address the impact of changes on internal controls over financial reporting?
How does management obtain evidence of user acceptance of the change prior to
implementation in production?
How does management ensure the controlled migration of code between logical environments?
How does management ensure that modified configuration options continue to achieve
business and control requirements?
Program Implementation
Program implementation controls should ensure that changes are implemented in the live environment
by appropriate personnel only after adequate testing has been performed and the proper business user
management approvals have been obtained. Consider the following:
How does management ensure that all program implementations are approved by business
users and / or IT management prior to implementation?
How does management ensure that a controlled process is followed when implementing
changes in production?
How does management ensure that emergency changes are captured, documented, and
approved subsequent to production implementation?
How does management ensure that only appropriate and authorized personnel have access to
move program changes into the production environment?
How does management ensure that the version of the program implemented in production is
the most recent version that had been tested and approved by business user management?
If the program is run at multiple sites, how does management ensure that all copies of the
program have been updated with the correct version?
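The two preceding points (production runs the most recent tested and approved version, and every site runs the same one) can be evidenced by comparing each deployed copy against the approved release by content, not only by its version label. The following is an added example written for this page, not code from the original document or any tool it mentions; the approved release record and the three site copies are constructed in memory, and in practice the content bytes would be read from each site's program library.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Fingerprint of a program's content, independent of its version label."""
    return hashlib.sha256(data).hexdigest()


# Constructed record of the build the business users tested and approved.
TESTED_BUILD = b"ap_posting v3.4.1 build 2024-02-28"
APPROVED_RELEASE = {
    "program": "ap_posting",
    "version": "3.4.1",
    "sha256": sha256_hex(TESTED_BUILD),
}

# Constructed copies found at three sites: one correct, one carrying the right
# version label but different content, one still on the previous version.
DEPLOYED_COPIES = {
    "site-A": {"version": "3.4.1", "content": TESTED_BUILD},
    "site-B": {"version": "3.4.1", "content": TESTED_BUILD + b" + untested hotfix"},
    "site-C": {"version": "3.4.0", "content": b"ap_posting v3.4.0 build 2024-01-15"},
}


def verify_site(approved: dict, deployed: dict) -> str:
    """Compare one deployed copy with the approved release.

    Returns "match", "version_mismatch" (wrong version label) or
    "content_mismatch" (right label, but the binary is not the tested one).
    """
    if deployed["version"] != approved["version"]:
        return "version_mismatch"
    if sha256_hex(deployed["content"]) != approved["sha256"]:
        return "content_mismatch"
    return "match"


def verify_all_sites(approved: dict, copies: dict) -> dict:
    """Site-by-site result, sorted by site name for a stable report."""
    return {site: verify_site(approved, copy) for site, copy in sorted(copies.items())}


def sites_needing_follow_up(results: dict) -> list:
    """Sites where the copy in production is not the approved one."""
    return [site for site, status in results.items() if status != "match"]


if __name__ == "__main__":
    results = verify_all_sites(APPROVED_RELEASE, DEPLOYED_COPIES)
    for site, status in results.items():
        print(f"{site}: {status}")
    print("follow up:", sites_needing_follow_up(results))
```

Site B is the case the version-label check alone would miss: the label says 3.4.1, but the content hash shows that what runs there is not the build that was tested and approved.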
How does management ensure that user and technical documentation are updated in a timely
manner for significant changes to its systems?
How does management ensure that users and IT personnel receive adequate training on any
significant system changes, including any resulting changes to internal controls over financial
reporting?
Segregation of Duties
Segregation of duties controls should ensure that the roles and responsibilities throughout the program
change process have been appropriately restricted and segregated. Consider the following:
How does management ensure that responsibilities throughout the program change process are
adequately segregated?
How does management ensure that separate environments are maintained for development,
testing and production and only the appropriate individuals have access to each of those
environments?
How are segregation of duties controls maintained over time?
Once financially significant applications have been identified in scoping, the following points of focus
may be helpful for identifying ITGCs in this domain that are relevant to internal controls over
financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other
risk factors may exist that will need to be considered. It is necessary to determine relevant activities
and controls based on the entity's unique IT environment.
In addition to the following points of focus, also consider using any applicable technical platform
practice aids and work programs that are available in Guardian to assist in your evaluation of controls
over access to programs and data.
How does management ensure that business unit management is appropriately included in the
information security function from a data ownership perspective?
How has management documented and communicated security roles and responsibilities?
How has management defined, documented, and communicated security policies and
procedures applicable to all relevant technology components?
How does management ensure that security policies and procedures are updated on a regular
basis and as changes occur to technology components?
How does management periodically educate IT and business users regarding their security
responsibilities and related policies and procedures?
Security administration
Security administration activities should ensure that access to applications, data, and operating systems
is appropriately restricted to only authorized individuals whose access rights are commensurate with
their job responsibilities and with management's control objectives. Consider the following:
Have access rights been defined and established by appropriate levels of IT and business unit
management to achieve relevant control objectives, including segregation of duties objectives
in both IT and in business processes? Consider access to:
o Applications
o Application data outside applications.
o Operating system
How has management designed security administration controls to ensure that access rights in
the following areas are properly granted, changed and removed as needed, only upon approval
by appropriate management personnel?
o Applications;
o Application data outside applications;
o Operating system
How does the security administration function facilitate periodic reviews of user access by
business unit management to ensure that access remains commensurate with job
responsibilities over time? Consider access to:
o Applications;
o Application data outside applications.
How has management defined and linked segregation of duties objectives within the
business processes to the approval and periodic reviews of access rights?
Data Security
Data security controls should ensure that direct access to data is limited to appropriate authorized
individuals and is monitored for potential unauthorized activity. Consider the following:
How does management ensure that all direct data access methods (i.e., access from outside of
an application) have been defined and considered in designing security administration and
security monitoring controls? Consider:
o Operating system commands that can be used to change information in data files or
databases,
o Operating system administrator, database administrator, and other powerful IDs that
can be used to change data, but would not appear in lists identifying users with access
to specific data files or databases,
o Operating system and database security administration capabilities that can be used to
grant access to specific data files and databases,
o Report writers and other utility programs that can be used to change data outside
application systems,
How does management ensure that data environments are configured to properly restrict access
to:
o Data files and databases of financially significant applications,
o Operating system commands that can be used to change information in data files or
databases,
o Operating system administrator, database administrator, and other powerful IDs that
can be used to change data, but would not appear in lists identifying users with access
to specific data files or databases,
o Operating system and database security administration capabilities that can be used to
grant access to specific data files and databases,
o Report writers and other utility programs that can be used to change data outside
application systems,
How does management ensure that changes to data access settings (i.e., data file permissions)
are completed in a controlled manner, including approval of business unit owners of access to
data?
How does management periodically review direct data access, considering the access methods
identified above, to ensure that the access remains commensurate with job responsibilities?
If direct data access is controlled using special system utilities, how does management ensure
that the use of such utilities is documented, logged and reviewed on a regular basis?
How does management monitor the data environment for potential unauthorised activity?
How does management ensure that security configuration settings are changed in a controlled
manner and remain consistent with the intended design (i.e., global security parameters,
password parameters, services running, etc.)?
How does management periodically review operating system access to ensure that the security
administration process is working as intended and access remains commensurate with job
responsibilities?
How does management monitor the environment for potential unauthorised activity?
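The direct data access methods listed above (operating system commands, powerful administrator IDs, report writers and other utilities used outside the application) leave a trace only if the data environment logs them and someone reviews the log. The following is an added example written for this page, not code from the original document; the audit log format, the table list, the application service account and the privileged IDs are all constructed, and a real review would map these to the client's own database audit trail.

```python
import re

# Constructed scope: tables behind financially significant applications.
FINANCIALLY_SIGNIFICANT_TABLES = {"gl_journal", "ap_payments", "vendor_master"}
# Constructed: the application service account expected to change these tables.
APPLICATION_ACCOUNTS = {"erp_app"}
# Constructed: powerful IDs that can change data without appearing in table-level access lists.
PRIVILEGED_IDS = {"dba_admin", "sys"}
DATA_CHANGING_STATEMENTS = {"INSERT", "UPDATE", "DELETE", "TRUNCATE"}

# Constructed audit log format, one event per line.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) db=(?P<db>\S+) user=(?P<user>\S+) prog=(?P<prog>\S+) "
    r"stmt=(?P<stmt>[A-Z]+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample log: application change, DBA change via a command-line
# utility, read-only report, deletion through a report writer, change on a
# non-financial development table, and one malformed line.
SAMPLE_LOG = """
2024-03-05T09:00:01Z db=finprod user=erp_app prog=erp_server stmt=UPDATE table=gl_journal rows=40
2024-03-05T02:14:07Z db=finprod user=dba_admin prog=sqlplus stmt=UPDATE table=gl_journal rows=12
2024-03-05T10:30:00Z db=finprod user=analyst1 prog=report_writer stmt=SELECT table=ap_payments rows=500
2024-03-05T11:02:45Z db=finprod user=analyst1 prog=report_writer stmt=DELETE table=vendor_master rows=1
2024-03-05T11:05:00Z db=hrdev user=dev2 prog=sqlplus stmt=UPDATE table=test_scratch rows=3
this line is not in the expected format
""".strip().splitlines()


def parse_event(line: str):
    """Parse one audit log line; None when the line does not match the format."""
    match = LOG_PATTERN.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["rows"] = int(event["rows"])
    return event


def classify(event: dict) -> list:
    """Reasons this event needs review; an empty list means no finding."""
    reasons = []
    if event["stmt"] not in DATA_CHANGING_STATEMENTS:
        return reasons  # reads are out of scope for this particular review
    if event["table"] not in FINANCIALLY_SIGNIFICANT_TABLES:
        return reasons
    if event["user"] not in APPLICATION_ACCOUNTS:
        reasons.append("data changed outside the application")
    if event["user"] in PRIVILEGED_IDS:
        reasons.append("powerful ID used to change data")
    return reasons


def review_direct_data_access(lines):
    """Return (findings, skipped): events needing follow-up, and unparseable lines."""
    findings, skipped = [], 0
    for line in lines:
        event = parse_event(line)
        if event is None:
            skipped += 1
            continue
        reasons = classify(event)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings, skipped


if __name__ == "__main__":
    findings, skipped = review_direct_data_access(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['user']:<10} {f['stmt']:<7} {f['table']:<14} {'; '.join(f['reasons'])}")
    print(f"{skipped} line(s) could not be parsed and need separate follow-up")
```

The unparseable line is counted rather than silently dropped: a review that only reports what it could parse gives no assurance about the completeness of the log it was run over.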
Network Security
Internal and external network security controls might be necessary to protect financially significant
systems from unauthorized access. Depending on the effectiveness of other controls over access to
programs and data, also consider the following:
How does the network design (e.g., logical separation of domains, trust relationships, external
network connections, etc.) ensure that the financially significant systems are appropriately
protected from unauthorized access (e.g., behind a firewall)?
How does management ensure authentication controls (i.e. password controls, assignment of
users to groups, remote access, etc.) are built into the network configuration?
How does management ensure that appropriate security controls are considered for all changes
to the internal and external network design?
How does management monitor for and respond to potential security events on the internal and
external network?
Physical Security
Physical security controls might be necessary in certain environments to ensure that an organization's
systems are protected from unauthorized physical access. If relevant, consider how management
ensures physical access is restricted for facilities that provide logical access to financially significant
systems.
How has management documented and communicated its computer operations policies and
procedures?
How has management documented and communicated computer operations roles and
responsibilities?
How has management organized the computer operations function to ensure a segregation of
duties?
How does management ensure that computer operations personnel have appropriate skills to
perform their duties?
How does management monitor the computing environment to ensure that potential operational
issues are identified and resolved?
How does management ensure that additions, changes, and deletions to the job schedule are
authorized and completed in a timely manner?
How does management ensure that job dependencies and restart/recovery procedures are
documented for all jobs in the batch schedule?
How does management monitor the processing of jobs to ensure that they run in accordance
with the approved job schedule?
How does management ensure that only authorized personnel have access to the job scheduling
tool?
Real-time processing
Real-time processing controls should ensure that the ongoing transmission and recording of
transaction data occurs completely and accurately in support of management's application control
objectives. Consider the following:
How does management ensure that changes to the configuration of real-time processing
components (including middleware, where applicable) are authorized and completed in a
timely manner?
How does management ensure that real-time processing failures are captured and resolved in a
timely manner?
How does management ensure that only authorized personnel have access to configure any
technology components used to facilitate real-time processing?
How does management ensure that requirements for content and frequency of data backups are
consistent with business objectives?
How does management ensure that backup media would be available in the event of an
emergency (i.e., off-site rotation of media)?
How does management ensure that data can be recovered as intended from backup media when
needed?
How does management ensure that all significant operational failures are identified and
resolved completely and accurately in a timely manner?
Disaster Recovery
Disaster recovery controls are important operational controls that help to ensure that an organisation
will be able to continue operations in the event of a disaster. Evaluate and validate these controls only
if disaster recovery is considered relevant because of territory regulatory requirements and/or
significant impact on going concern issues. Determine the disaster recovery activities that are relevant
to the organisation's objectives. Consider the following:
How does management ensure that environmental risks (i.e., fire, smoke, water, power,
temperature, humidity, etc.) to all significant computing locations are appropriately mitigated?
How does management use a business impact analysis or similar risk assessment to ensure that
disaster recovery plans and related testing exist for all significant applications and underlying
technology components?
How does management ensure that plans are tested and updated on a regular basis?