today’s lecture application controls audit methodology


Upload: erika-rodgers

Post on 24-Dec-2015



Today’s Lecture

• application controls

• audit methodology


General vs Application Controls

• general implemented consistently across all applications

• application are built into specific programs

• distinction often arbitrary - general are usually reviewed once for audit as a whole

• application must be considered for each significant application

• if general are uniformly strong and operate effectively, obtain such assurance with respect to each application

• if not, does not mean each application affected... need to consider application by application


Application Controls

• hardware
  – parity checks, character checks

• input and output controls
  – at source dep’t and data control

• programmed controls (software)


Effective Design

• designed with regard to business requirements

• designed with regard to business risk analysis

• only rely upon after taking general controls into consideration

• use structured programming techniques

• use training


Types of Transactions

• each have different sensitivity and risk of errors

• master file changes - updated only periodically

• normal business applications

• error correction transactions


Master File Changes

• completeness, accuracy, currency and data authorization

• error would occur every time

• make sure using current masters

• important to guard against fraud


Normal Transactions

• second largest concern

• necessary to control effectively

• need to include controls over regular transactions and reports


Error Correction Transactions

• watch bypass potential

• errors often put aside and ignored

• all should be logged with clear responsibility for correction

• ideally put back through regular processing


Preventive Controls over Processing

• data entry as close to source of transaction as possible to ensure familiarity

• structure operating procedures so that business activity not complete until transaction processing

• eliminate human component as much as possible

• authorize transactions before data entry

• use access control software


Preventive Controls over Processing (cont’d)

• use 3 levels of access

• physical access to terminal, access control over use of terminal and authorization in software

• scrutinize manually prepared input

• use computer to edit transactions

• use edit programs to check for missing data, format, self-checking digit, limits & logical relation checks

• use key verification & interactive systems

• use formatted input screens
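An added example, not part of the original lecture, of an edit program applying the checks listed on this slide: missing data, format, self-checking digit, limit and logical relation. The record layout, the limit value and the choice of Luhn mod-10 as the check-digit scheme are assumptions made for illustration.

```python
import re
from datetime import date

# Hypothetical record layout and limit, assumed for this example only.
REQUIRED = ("account", "amount", "order_date", "ship_date")
AMOUNT_LIMIT = 10_000.00

def luhn_ok(number):
    """Self-checking digit test using Luhn mod-10 (scheme assumed here)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_transaction(rec):
    """Return edit failures for one input record; empty list means accepted."""
    errors = ["missing:" + f for f in REQUIRED if not str(rec.get(f) or "").strip()]
    if errors:
        return errors  # remaining edits need every field present
    if not re.fullmatch(r"\d+\.\d{2}", rec["amount"]):
        errors.append("format:amount")
    elif float(rec["amount"]) > AMOUNT_LIMIT:
        errors.append("limit:amount")
    if not luhn_ok(rec["account"]):
        errors.append("check_digit:account")
    try:
        ordered = date.fromisoformat(rec["order_date"])
        shipped = date.fromisoformat(rec["ship_date"])
        if shipped < ordered:  # logical relationship between two fields
            errors.append("relation:ship_before_order")
    except ValueError:
        errors.append("format:date")
    return errors

# Constructed sample input: valid, transposed digits, over limit, missing field.
SAMPLE = [
    {"account": "79927398713", "amount": "250.00", "order_date": "2015-12-01", "ship_date": "2015-12-03"},
    {"account": "79927398731", "amount": "250.00", "order_date": "2015-12-01", "ship_date": "2015-12-03"},
    {"account": "79927398713", "amount": "25000.00", "order_date": "2015-12-10", "ship_date": "2015-12-01"},
    {"account": "79927398713", "amount": "", "order_date": "2015-12-01", "ship_date": "2015-12-03"},
]
if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec["account"], edit_transaction(rec) or "accepted")
```

Rejected records belong in an error log with a named owner and should be resubmitted through the same edits, not keyed around them.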


Preventive Controls over Processing (cont’d)

• use appropriately designed input forms

• single source transaction data - input once

• document application control procedures - manuals, etc.

• training and supervision

• adequate working conditions


Detective Controls

• use suspense records for impending transactions

• monitor & investigate lack of regular activity (see if transactions omitted)

• verify records by examining assets etc.

• prepare budgets/investigate variances

• number transactions - check sequence

• group and count source documents and count # transactions processed


Detective Controls (cont’d)

• use control totals to check completeness

• reconcile changes in recorded assets and liabilities to transactions processed

• if practical, establish procedures for verification by users

• design programmed reasonableness tests

• match processing results to source documents in detail

• check computations
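An added example, not part of the original lecture, combining three of the detective controls above: the sequence check on numbered transactions, the count of source documents against transactions processed, and the control total. The batch header fields and sample values are constructed; the sample shows a case where the record count agrees but the other two checks do not.

```python
from collections import Counter
from decimal import Decimal

def reconcile_batch(header, processed):
    """Compare a batch header prepared at source with what was processed.

    Returns a dict of findings; an empty dict means the batch reconciles.
    """
    findings = {}
    seen = Counter(t["seq"] for t in processed)
    expected = range(header["first_seq"], header["first_seq"] + header["count"])

    # Sequence check: every pre-assigned number appears exactly once.
    missing = [s for s in expected if s not in seen]
    duplicated = sorted(s for s, n in seen.items() if n > 1)
    if missing:
        findings["missing_seq"] = missing
    if duplicated:
        findings["duplicate_seq"] = duplicated

    # Record count: source documents counted vs transactions processed.
    if len(processed) != header["count"]:
        findings["record_count"] = (header["count"], len(processed))

    # Control total: sum of amounts computed at source vs after processing.
    total = sum((Decimal(t["amount"]) for t in processed), Decimal("0"))
    if total != Decimal(header["control_total"]):
        findings["control_total"] = (Decimal(header["control_total"]), total)
    return findings

# Constructed sample: document 1003 was dropped and 1004 was entered twice,
# so the record count still agrees with the header.
HEADER = {"first_seq": 1001, "count": 5, "control_total": "1250.00"}
PROCESSED = [
    {"seq": 1001, "amount": "100.00"},
    {"seq": 1002, "amount": "250.00"},
    {"seq": 1004, "amount": "400.00"},
    {"seq": 1004, "amount": "400.00"},
    {"seq": 1005, "amount": "200.00"},
]

if __name__ == "__main__":
    for control, detail in reconcile_batch(HEADER, PROCESSED).items():
        print(control, detail)
```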


Detective Controls (cont’d)

• use summary and exception reports

• use double entry recording to balance transactions

• agree summary records to detailed records

• require user approval of results

• require error tracking and analysis - develop stats


Master File Controls

• authorize all changes before input

• record changes to semi-permanent listings, reconcile changes

• print out for review by knowledgeable users for errors

• use control totals

• application programs should internally label master files


Errors and Exception Controls

• use error and exception reports - ensure follow-up

• use error logs and define correction procedures and responsibilities

• resubmit errors into NORMAL processing cycle - do not bypass


Management & Audit Trails

• file each record in planned sequence to facilitate retrieval

• provide unique id for each record

• retain source copy for transactions

• provide methods of tracing data backwards and forwards through IS

• document retention procedures


Management & Audit Trails (cont’d)

• use logs

• periodically copy and save permanent records that are overwritten by changes

• provide software capability to scrutinize & analyse data


Advanced System Characteristics

• absence of independent evidence

• no visible audit trails

• lack of authorization evidence

• heavy I/C reliance

• need to understand transaction flow

• test controls to be relied upon

• audit hardware/software