PM10-4: Application Controls Concepts

[Figure: hierarchy of control types]
Controls
    (Purely) Manual Controls
    Automated Controls
        Application Controls
            1. Embedded Controls
            2. Configurable Controls
    IT-Dependent Manual Controls
IT General Controls (supporting the automated controls)
Edit Checks: Controls to limit the risk of inappropriate input, processing, or output of data due to field format (e.g., dollar amounts must be in the numeric format).

Interfaces: Controls to limit the risk of inappropriate input, processing, or output of data being exchanged from one system to another (e.g., the system confirms through a record count that all records were uploaded from the sales sub-ledger to the general ledger, or confirms that totals from a header record reconcile to the detail that was posted).
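The two control types above can be shown in working form. The following is an added example written for this page, not code from the training material: a field-format edit check on a dollar amount, and an interface control that reconciles a sub-ledger batch header (record count and control total) against the detail actually posted to the general ledger. The batch layout, field names and sample records are constructed for illustration.

```python
import re
from decimal import Decimal

# Edit check: a dollar amount must be numeric, optional sign, at most two decimals.
# Constructed field rule for illustration; a real system applies its own field definition.
AMOUNT_RE = re.compile(r"^-?\d+(?:\.\d{1,2})?$")


def edit_check_amount(value):
    """Return (accepted, reason) for one amount field."""
    if not isinstance(value, str) or not AMOUNT_RE.match(value.strip()):
        return False, "amount %r is not a numeric dollar value" % (value,)
    return True, ""


def reconcile_batch(header, posted):
    """Interface control: compare the sending system's header record (record
    count and control total) to the detail records the receiving system posted.
    Returns a list of exceptions; an empty list means the batch reconciles."""
    exceptions = []
    posted_count = len(posted)
    posted_total = sum((Decimal(r["amount"]) for r in posted), Decimal("0"))
    if posted_count != header["record_count"]:
        exceptions.append("record count: header %d, posted %d"
                          % (header["record_count"], posted_count))
    if posted_total != Decimal(header["control_total"]):
        exceptions.append("control total: header %s, posted %s"
                          % (header["control_total"], posted_total))
    return exceptions


def process_batch(header, records):
    """Apply the edit check to every sub-ledger record, post only the records
    that pass, then reconcile what was posted against the header. A rejected
    record therefore also surfaces as a count/total exception, so the interface
    control catches it even if the rejection log is overlooked."""
    rejected, posted = [], []
    for rec in records:
        ok, reason = edit_check_amount(rec["amount"])
        if ok:
            posted.append(rec)
        else:
            rejected.append((rec["id"], reason))
    return {"posted": posted, "rejected": rejected,
            "exceptions": reconcile_batch(header, posted)}


# Constructed sample batches (not data from the page).
GOOD_HEADER = {"record_count": 3, "control_total": "1250.00"}
GOOD_RECORDS = [
    {"id": "SL-001", "amount": "1000.00"},
    {"id": "SL-002", "amount": "200.00"},
    {"id": "SL-003", "amount": "50.00"},
]
# Same header, but one amount carries the letter O in place of zero (fails the
# edit check) and one record was lost in transit (fails the record count).
BAD_HEADER = {"record_count": 3, "control_total": "1250.00"}
BAD_RECORDS = [
    {"id": "SL-001", "amount": "1000.00"},
    {"id": "SL-002", "amount": "2OO.00"},
]

if __name__ == "__main__":
    for name, hdr, recs in (("good", GOOD_HEADER, GOOD_RECORDS),
                            ("bad", BAD_HEADER, BAD_RECORDS)):
        result = process_batch(hdr, recs)
        print(name, "rejected:", result["rejected"], "exceptions:", result["exceptions"])
```

The good batch posts three records and reconciles; the bad batch rejects one record at the edit check and then reports both a record-count and a control-total exception, which is the evidence an auditor re-performing the interface control would expect to see.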
Once the population of application controls has been identified and those that we plan to test have been walked through, the financial auditor and IT specialist should agree on which application controls should be tested (i.e., are in scope) and by whom. Testing application controls may provide for a more effective and efficient audit, as a test of one of each significant transaction type may suffice, provided we conclude that the IT general controls supporting the application are functioning effectively.
The testing strategy for application controls may utilize the following approach:
First, working together, the financial auditor and IT specialist should identify the
optimum combination of manual, application, and IT-dependent manual controls to
test. The testing should include appropriate controls to provide sufficient frequency,
sensitivity, and pervasiveness to cover the identified assertions and risks.
Finally, confirm the relevant ITGCs are effective for the relevant period. Testing
ITGCs is the most effective way to confirm that an application control has continued
to operate throughout the period. However, if ITGCs are deemed ineffective, it may
be possible to still evaluate application controls as effective if we are able to confirm
via other means that the control operated throughout the period (e.g., confirmation
that the configuration or program did not change or testing 25 of each application
control).
Authorization controls: An evaluation by the auditors of whether the privileges assigned to a particular system user are commensurate with the user's job responsibilities and whether those responsibilities support the control environment. (Note: the objective of our logical access testing as part of IT general controls is to confirm there are adequate controls in place around adding, updating, deleting, and restricting user access to key financial data, and that access to that data is appropriately restricted at the operating system and database levels. We are typically unable to conclude specifically on whether access to key accounting functions allowed by the financial applications is appropriately restricted or segregated. Instead, we would perform specific testing on that access, or on the segregation of that access, as part of application controls testing.)

Test technique: Inspection of authorizations and re-performance to confirm that the system is programmed and configured to restrict access to those users who are programmed or configured to have it, and that the configuration and programming does work.
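The privilege review described above (are a user's privileges commensurate with the job, and are conflicting functions segregated?) is mechanical enough to script against a user listing extracted from the application. The following is an added example written for this page, not a tool from the training material: the job profiles, segregation-of-duties rules, user listing and privilege names are all constructed for illustration, and the reproducible sample selection reflects the note that a sample of users should be selected for authorization testing.

```python
import random

# Constructed job profiles: the privileges each job function is expected to hold.
JOB_PROFILES = {
    "AP clerk": {"enter_invoice", "view_vendor"},
    "AP manager": {"approve_payment", "view_vendor"},
    "Vendor master admin": {"create_vendor", "view_vendor"},
}

# Constructed segregation-of-duties rules: combinations one person should not hold.
SOD_CONFLICTS = [
    ({"create_vendor", "approve_payment"}, "can set up a vendor and approve payment to it"),
    ({"enter_invoice", "approve_payment"}, "can enter an invoice and approve its payment"),
]

# Constructed user listing, as it might be extracted from the financial application.
USERS = [
    {"user": "jdoe", "job": "AP clerk",
     "privileges": {"enter_invoice", "view_vendor"}},
    {"user": "asmith", "job": "AP manager",
     "privileges": {"approve_payment", "view_vendor", "create_vendor"}},
    {"user": "rlee", "job": "Vendor master admin",
     "privileges": {"create_vendor", "view_vendor"}},
    {"user": "tmp_contractor", "job": "Unknown",
     "privileges": {"enter_invoice"}},
]


def review_user(user, job_profiles=JOB_PROFILES, sod_conflicts=SOD_CONFLICTS):
    """Return findings for one user: a job with no profile ('no_profile'),
    privileges beyond the job profile ('excess'), and any segregation-of-duties
    conflict ('sod'). An empty list means the access is commensurate."""
    findings = []
    expected = job_profiles.get(user["job"])
    if expected is None:
        # No approved profile: every privilege is unsupported until someone signs off.
        findings.append({"user": user["user"], "type": "no_profile", "detail": user["job"]})
        expected = set()
    excess = user["privileges"] - expected
    if excess:
        findings.append({"user": user["user"], "type": "excess", "detail": sorted(excess)})
    for combo, why in sod_conflicts:
        if combo <= user["privileges"]:
            findings.append({"user": user["user"], "type": "sod", "detail": why})
    return findings


def review_access(users, job_profiles=JOB_PROFILES, sod_conflicts=SOD_CONFLICTS):
    """Review every user in the listing and return the combined findings."""
    findings = []
    for u in users:
        findings.extend(review_user(u, job_profiles, sod_conflicts))
    return findings


def select_sample(users, size, seed):
    """Pick a reproducible sample of user IDs so the selection can be re-performed
    from the same listing and seed by a reviewer."""
    rng = random.Random(seed)
    return [u["user"] for u in rng.sample(users, min(size, len(users)))]


if __name__ == "__main__":
    print("sample for inspection:", select_sample(USERS, 2, seed=7))
    for f in review_access(USERS):
        print(f["user"], f["type"], f["detail"])
```

Running it flags asmith for a privilege outside the AP manager profile and for the create-vendor/approve-payment conflict, and flags the contractor account whose job has no approved profile; jdoe and rlee produce no findings. Documenting the seed alongside the sample is what lets a second reviewer reproduce the same selection.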
The techniques to test application controls vary based on the type of control being tested (the
assumption is that a walk-through has been completed). The table below shows the
relationship between the different types of application controls and the techniques that can be
used by an auditor to test such controls.
RAS Core Skills III
Control type     Configurable                            Embedded
Edit checks      Re-performance via walkthrough (1)      Re-performance via walkthrough (1)
Authorization    Inspection of authorization (2)         Inspection of authorization (2)

(1) Often a test of one will suffice; this often occurs during walk-through.
(2) A sample of users should be selected.