IT Service Delivery And Support Week Eleven – Auditing Application Control IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA.

Presentation transcript:

IT Service Delivery And Support Week Eleven – Auditing Application Control IT Auditing and Cyber Security Spring 2014 Instructor: Liang Yao (MBA MS CIA CISA CISSP) 1

Application Controls
- Transactional Applications vs. Support Applications
- Application Control Objectives
- Application Control Types
- Application Control vs. Infrastructure Control (GCC)
- Why Rely on Application Controls
- Application Auditors' Roles and Responsibilities
- Application Control Risk Assessment Approach
- Documentation Techniques

Transactional Applications vs. Support Applications
- Transactional applications (SAP R/3, Oracle Financials, etc.)
  - Accounting applications
  - Repository for financial, operational and regulatory data
  - Reporting applications (sales orders and invoices, etc.)
- Support applications (e-mail, fax software, document imaging, etc.)

Application Control Objectives
- Input data is accurate, complete, authorized, and correct.
- Data is processed as intended in an acceptable time period.
- Data stored is accurate and complete.
- Outputs are accurate and complete.
- A record is maintained to track the processing of data from input to storage and to the eventual output.
Source: GTAG – Auditing Application Controls

Application Control Types
- Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a Web-enabled application or interface. Data input is checked to ensure that it remains within specified parameters.
- Processing Controls – These controls provide an automated means to ensure processing is complete, accurate, and authorized.
- Output Controls – These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.
- Integrity Controls – These controls monitor data being processed and in storage to ensure it remains consistent and correct.
- Management Trail – Processing history controls, often referred to as an audit trail, enable management to identify the transactions and events they record by tracking transactions from their source to their output and by tracing backward. These controls also monitor the effectiveness of other controls and identify errors as close as possible to their sources.

Application Control vs. Infrastructure Control (GCC)
- GCC
  - Logical access controls over infrastructure, applications, and data.
  - System development life cycle controls.
  - Program change management controls.
  - Physical security controls over the data center.
  - System and data backup and recovery controls.
  - Computer operation controls.

Application Control vs. Infrastructure Control (GCC)
- Application Controls
  - Determining whether sales orders are processed within the parameters of customer credit limits.
  - Making sure goods and services are only procured with an approved purchase order.
  - Monitoring for segregation of duties based on defined job responsibilities.
  - Identifying that received goods are accrued.
  - Ensuring fixed-asset depreciation is recorded accurately in the appropriate accounting period.
  - Determining whether there is a three-way match among the purchase order, receiver, and vendor invoice.
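The segregation-of-duties monitoring listed above is the kind of check an auditor re-performs over a user access listing. The following is an added example, not code from the slides or from any ERP vendor; the user list, the composite role structure and the conflict rules are constructed assumptions for a procure-to-pay process.

```python
# Constructed user-to-role assignments, as an auditor might extract them
# from an application user access listing (sample data, not from the slides).
USER_ROLES = {
    "alice": {"AP_CLERK"},                       # composite role, see ROLE_MEMBERS
    "bob":   {"PO_CREATE", "GOODS_RECEIPT"},
    "carol": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "dave":  {"GOODS_RECEIPT"},
}

# Composite roles that bundle single roles (assumed structure, similar to
# ERP role hierarchies); conflicts hidden inside them must still be found.
ROLE_MEMBERS = {
    "AP_CLERK": {"AP_INVOICE_ENTRY", "VENDOR_MASTER_MAINT"},
}

# Conflicting role pairs for a procure-to-pay process (assumed rule set).
SOD_RULES = [
    ("PO_CREATE", "GOODS_RECEIPT", "creates PO and receives goods"),
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE", "enters invoice and releases payment"),
    ("VENDOR_MASTER_MAINT", "AP_INVOICE_ENTRY", "maintains vendor master and enters invoice"),
]


def effective_roles(roles, members):
    """Expand composite roles recursively into the single roles they grant."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in result:
            continue
        result.add(role)
        stack.extend(members.get(role, ()))
    return result


def sod_conflicts(user_roles, rules, members=ROLE_MEMBERS):
    """Return one finding per user and violated rule, sorted by user name."""
    findings = []
    for user in sorted(user_roles):
        granted = effective_roles(user_roles[user], members)
        for role_a, role_b, description in rules:
            if role_a in granted and role_b in granted:
                findings.append({"user": user, "roles": (role_a, role_b),
                                 "conflict": description})
    return findings


if __name__ == "__main__":
    for f in sod_conflicts(USER_ROLES, SOD_RULES):
        print(f"{f['user']}: {f['conflict']} ({f['roles'][0]} + {f['roles'][1]})")
```

Expanding composite roles before applying the rules is what makes alice's conflict visible; a check on the raw listing alone would miss it.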

Why Rely on Application Controls
- Reliability
  - More reliable than manual controls (automated vs. human intervention)
  - Relationship with GCC (change management, SoD, etc.)
- Benchmarking
  - Application controls do not change very often
  - Rely on general controls
  - Identify "changes" of the environment
  - Changing application controls without changing code (parameter changes and configuration changes)
- Time and Cost Saving
  - Less time to test than manual controls (frequency of the manual controls)
  - Can be tested once using automated tools

Application Auditors' Roles and Responsibilities
- Understand the business process associated with the application audited (building industry specialties)
- Consultant during the application development
- Independent risk assessment
- Education
  - How the risk profile will change once the new application is brought online.
  - Known inherent control weaknesses in the applications under development.
  - Prospective solutions to mitigate identified weaknesses.
  - The various services auditors can provide to management as part of the system's development efforts.
- Control testing
- Application review

Application Control Risk Assessment Approach
- Define the assets (application, database, supporting technology, etc.)
- Define the risk factors associated with the application under review:
  - Primary application control
  - Design effectiveness
  - Nature of the application (in-house developed vs. off-the-shelf commercial applications)
  - Data classification
  - Frequency of changes related to the application and complexity of changes
  - Financial impact
  - Reliance on GCC controls
  - Audit history

Business Process Method vs. Single Application Method
- Business process method
  - Top-down review approach
  - Review all applications that support one business process
  - Typically applies to ERP reviews
- Single application method: controls within one application or module
- Logical access control needs to be reviewed no matter which method is used.

Documentation Techniques
- Flowchart
- Process narratives, e.g. procurement:
  - Requisition
  - PO processing
  - Receiving
    - Receiving goods
    - Accounting review and reconciliation
    - Buyer review
  - Accounts payable
    - A/P receives invoice from the suppliers
    - Payment requests
    - Month-end reconciliation

Documentation Techniques – Testing
- Inspection of system configurations.
- Inspection of user acceptance testing, if conducted in the current year.
- Inspection or re-performance of reconciliations with supporting details.
- Re-performance of the control activity using system data.
- Inspection of user access listings.
- Re-performance of the control activity in a test environment (using the same programmed procedures as production) with robust testing scripts.
- CAATs: ACL, SAS, SQL, Excel, Crystal Reports, Access, etc.
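"Re-performance of the control activity using system data" applied to the three-way match named on the application controls slide: the auditor takes PO, receiving and invoice extracts and recomputes the match independently of the application. This is an added example written for these notes, not code from the slides or from any ERP product; the three extracts, the 2% price tolerance and the exception categories are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed procure-to-pay extracts (sample data, not from the slides).
PURCHASE_ORDERS = {
    "PO1": {"vendor": "V100", "qty": 10, "unit_price": Decimal("25.00")},
    "PO2": {"vendor": "V200", "qty": 5, "unit_price": Decimal("100.00")},
    "PO3": {"vendor": "V300", "qty": 2, "unit_price": Decimal("40.00")},
}
RECEIPTS = [
    {"po": "PO1", "qty": 10},
    {"po": "PO2", "qty": 4},   # one unit short of the PO quantity
    {"po": "PO3", "qty": 2},
]
INVOICES = [
    {"inv": "I1", "po": "PO1", "vendor": "V100", "qty": 10, "unit_price": Decimal("25.00")},
    {"inv": "I2", "po": "PO2", "vendor": "V200", "qty": 5, "unit_price": Decimal("100.00")},  # billed > received
    {"inv": "I3", "po": "PO3", "vendor": "V300", "qty": 2, "unit_price": Decimal("44.00")},   # price over tolerance
    {"inv": "I4", "po": "PO9", "vendor": "V400", "qty": 1, "unit_price": Decimal("10.00")},   # no PO exists
    {"inv": "I5", "po": "PO1", "vendor": "V100", "qty": 10, "unit_price": Decimal("25.00")},  # second billing of PO1
]

PRICE_TOLERANCE = Decimal("0.02")  # assumed 2% unit-price variance allowed


def three_way_match(pos, receipts, invoices, tol=PRICE_TOLERANCE):
    """Return (invoice id, reason) for every invoice failing the PO/receipt/invoice match."""
    received = defaultdict(int)          # quantity received per PO
    for r in receipts:
        received[r["po"]] += r["qty"]
    billed = defaultdict(int)            # cumulative quantity invoiced per PO
    exceptions = []
    for inv in invoices:
        po = pos.get(inv["po"])
        if po is None:
            exceptions.append((inv["inv"], "no matching purchase order"))
            continue
        if inv["vendor"] != po["vendor"]:
            exceptions.append((inv["inv"], "vendor differs from PO"))
        billed[inv["po"]] += inv["qty"]
        # Cumulative check catches both over-billing and duplicate invoices.
        if billed[inv["po"]] > received[inv["po"]]:
            exceptions.append((inv["inv"], "billed quantity exceeds received quantity"))
        if abs(inv["unit_price"] - po["unit_price"]) > po["unit_price"] * tol:
            exceptions.append((inv["inv"], "unit price outside tolerance"))
    return exceptions


if __name__ == "__main__":
    for inv_id, reason in three_way_match(PURCHASE_ORDERS, RECEIPTS, INVOICES):
        print(f"{inv_id}: {reason}")
```

The same logic is what an auditor would express as joins in SQL or ACL; running it in a scripting language over the raw extracts gives a result that does not depend on the application's own matching configuration.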

Summary

Sample Audit Program
- Sample Application Audit Program – Chapter 13, Auditing Applications (page 312 of the IT Auditing textbook)