Вы находитесь на странице: 1из 60

2014 PhxSAC

Auditing Application
Controls
T u e s d a y, S e p t e m b e r 3 0 , 2 0 1 4

Experis | September 30, 2014 1


Agenda
 What are Application Controls?

 Testing Application Controls

 Auditing Master Files

 Separation of Duties

Experis | September 30, 2014 2


Experis | September 30, 2014 3
What are
Application Controls?

Experis | September 30, 2014 4


Definition of Internal Control - COSO 2013
 Internal control is broadly defined as a process, effected by
an entity's board of directors, management and other
personnel, designed to provide reasonable assurance
regarding the achievement of objectives in the following
categories:
– Effectiveness and efficiencies of operations,
– Reliability of reporting, and
– Compliance with applicable laws and regulations.

Experis | September 30, 2014 5


Definition of Internal Control
 Process - a series of actions or steps taken in order to
achieve a particular end (Oxford Dictionaries).

 Reasonable Assurance - Recognition that it is not possible


to declare with absolute certainty that an event will or will not
happen (LawDictionary.com).

Experis | September 30, 2014 6


COBIT - Definition of Application Control
 Application controls are a subset of internal controls that
relate to an application system and the information
managed by that application.*
 Application controls can be viewed as those policies,
procedures and activities designed to provide reasonable
assurance that objectives relevant to a given automated
solution are achieved.*
 System automated control activities imbedded in
business processes.

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 7


Why Application Controls*
 Efficiency – Application controls automate what would
otherwise be manual processes.
 Consistency – Application controls work the same way
every time.
 Capacity – Application controls can handle extreme
volumes.
 Control – Logical authority functionality make
Segregation of Duties (SoD) more reliable.

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 8


Why Application Controls*

Cost to Operate

Manual

Automated

Process Size & Complexity

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 9


Objectives of Application Controls*
 Completeness - The application processes all transactions and the
resulting information is complete.
 Accuracy - All transactions are processed accurately and as
intended and the resulting information is accurate.
 Validity - Only valid transactions are processed and the resulting
information is valid.
 Authorization - Only appropriately authorized transactions have
been processed.
 Separation of Duties - The application provides for and supports
appropriate segregation of duties and responsibilities as defined by
management.

*From COBIT and Application Controls: A Management Guide

Experis | September 30, 2014 10


Testing Application Controls

Experis | September 30, 2014 11


Examples of Application Control Types
 Automated calculations
 Logical authority controls
 Data entry/field validations
 Business rules
 Work flow rules
 Reconciliations
 Exception Reports

Experis | September 30, 2014 12


Automated Calculations
 The application performs mathematical functions
 Examples
– Invoice amounts
– Inventory balances
– Data entry totals
– Report totals

Experis | September 30, 2014 13


Automated Calculations

Experis | September 30, 2014 14


Automated Calculations

Input Activity Output

• Customer • Automated • Invoice


information calculation with
• Price amount
information due
• Shipping
information

Experis | September 30, 2014 15


Automated Calculations
 Example - Aged Accounts Receivable
– Validate that the query is pointed to the table of customer
invoices
– Ensure that the query is:
• pointed to the “paid” field,
• reading the “created date” field, and
• Selecting amounts from the “invoice amount” field.
– Recalculate to validate that the calculation is:
• selecting only unpaid invoices,
• batching the invoices according to the desired criteria (30, 60, 90
days, etc.), and
• including only the unpaid amount of the invoice.

Experis | September 30, 2014 16


Logical Authority
 The application controls which users can initiate a job
 Examples
– Process Journal Entries
– View Payroll Data
– Print Reports
– Separation of Duties
• Initiate a P.O. / Approve a P.O.
• Approve Credit / Enter an order

Experis | September 30, 2014 17


Logical Authority

Experis | September 30, 2014 18


Logical Authority

Input Activity Output

• P.O. • Automated • Approved


information decision or rejected
• Approved P.O.
authorities/
roles

Experis | September 30, 2014 19


Logical Authority
 Example – Posting general journal entries
– Obtain a report of users with the ability to post general
journal entries
– For a selection of users with the ability to post general
journal entries, determine if :
• the business owner approved the authority,
• the authority is consistent with the users job responsibilities, and
• there are no conflicting authorities/roles.

Experis | September 30, 2014 20


Data Entry/Field Validations
 System activities that help ensure that data entered is
accurate and complete.
 Examples
– Mandatory data entry fields
– Preset data formats
– Values within a pre-established range
– Information provided across different input fields is consistent
– Drop down lists
– Check digits/batch sums

Experis | September 30, 2014 21


Data Entry/Field Validations

Experis | September 30, 2014 22


Data Entry/Field Validations

Input Activity Output

• Applicable • Automated • Accepted


data decision or rejected
• Field • Data
validation recorded in
rules database

Experis | September 30, 2014 23


Data Entry/Field Validations
 Example – Entering time keeping data
– Determine if the application:
• is configured to prevent the entry of hours unless the employee is
already in the employee master file
• prevents the entry of more than 24 hours in a day
 Example – Adding a new employee to the payroll
application
– Determine if the application
• requires a SSN
• will only accept a 9 digit number in the SSN field

Experis | September 30, 2014 24


Business Rules
 The application makes decisions based on
configurable/preset rules
 Examples
– Credit decisions
– Three way match
– Inventory reorder points

Experis | September 30, 2014 25


Business Rules

Experis | September 30, 2014 26


Business Rules

Input Activity Output

• Client credit • Automated • Accepted or


limit calculation rejected
• Credit • Automated credit
request decision request
• Outstanding
credit

Experis | September 30, 2014 27


Business Rules
 Example – Credit Approval
– Ensure that the ability to add, edit and delete data in the
related master files is appropriate.
– For a selection of requests, determine if:
• the system calculated the total amount of credit exposure
accurately, and
• the system decided the request accurately.

Experis | September 30, 2014 28


Work Flow Rules
 The application automatically routes decisions to the
appropriate user for action.
 Example
– Approval of a purchase order
– Approval of a journal entry
– Approval of a new vendor

Experis | September 30, 2014 29


Work Flow Rules

Experis | September 30, 2014 30


Work Flow Rules

Input Activity Output

• Purchase • Automated • P.O. routed


information decision to the
• Approval appropriate
hierarchy approver

Experis | September 30, 2014 31


Work Flow Rules
 Example – P.O. Approval
– Ensure that the ability to add, edit and delete data in the P.O.
Approval routing table is limited to users that are appropriate.
– Determine if the current approval hierarchy is appropriate.
– For a selection of requests, determine if the system routed
the P.O. to the appropriate approver.

Experis | September 30, 2014 32


Reconciliations
 The application compares data from separate
independent sources for accuracy.
 Examples
– Bank account reconciliation
– Reconciliation of sales to shipments and COGS

Experis | September 30, 2014 33


Reconciliations

Retail
Reconciliation
transactional Transaction All items
Yes report
data captured at Database reconcile?
point of sale

No

$ Research and
Deposit Application
resolve
information performs
reconciling
from bank reconciliation
items
Bank

Experis | September 30, 2014 34


Reconciliations

Input Activity Output

• Transactional • Reconcile • Produce


data from data reconciliation
POS • Research and report
• Bank deposit resolve
information reconciling
items

Experis | September 30, 2014 35


Reconciliations
 Example – Retail sales reconciliation
– Ensure that the ability to add, edit and delete data in the
transactional database is limited to users that are
appropriate.
– Determine that reconciled data is from two independent
sources.
– For a selection of locations, re-perform the reconciliation.
– Determine if unreconciled items are investigated and
cleared.

Experis | September 30, 2014 36


Exception Reports
 The application logs and reports exception events
according to preset rules.
 Examples
– Interface error reports
– Journal entries over a certain amount
– Specific transaction types
– Overtime hours
– System access during certain hours

Experis | September 30, 2014 37


Exception Reports

The system
User edits the
Vendor records that the
vendor master
Master file Vendor Master
file
was edited

System reports
System Log
System log all edits to the
(edit) Report
file Vendor Master
file

Experis | September 30, 2014 38


Exception Reports

Input Activity Output

• Configuration • System logs • Report of


to monitor the edit to edits to the
Vendor the Vendor Vendor
Master file Master file Master file
changes
• User edits

Experis | September 30, 2014 39


Exception Reports
 Example – Vendor master file edit report
– Determine if users with the ability to edit the vendor master
file are appropriate.
– Determine if the application is configured to log and report
edits to the vendor master file.
– For a sample of edits, determine if the edit was included in
the report.
– Confirm that the reports are reviewed and necessary action
is taken.

Experis | September 30, 2014 40


Auditing Master Files

Experis | September 30, 2014 41


Master Files
 Definitions
– A collection of records pertaining to one of the main subjects
of an information system, such as customers, employees,
products and vendors.
– A computer file that is used as the authority in a given job
and that is relatively permanent.
 Typical Master Files
– Customer
– Vendor
– Price
– Item/Inventory

Experis | September 30, 2014 42


Master Files

Customer Customer Name


Master File and Address

Price Master File Item Price

Calculation of Invoice
Amount Owed

Shipping Data Quantity Shipped

Experis | September 30, 2014 43


Master Files
 Objective - Controls provide reasonable assurance that
the ability to add/change/delete price master file
information is limited to those users that are approved
and for which the authority is consistent with their job
responsibilities.
 Objective - Controls provide reasonable assurance that
entered data is accurate, complete and in the appropriate
format.

Experis | September 30, 2014 44


Master Files
 Objective - Controls provide reasonable assurance that
the ability to add/change/delete price master file
information is limited to those users that are approved
and for which the authority is consistent with their job
responsibilities.
– Control - The Corporate Controller reviews and approves
access requests for the authority to add/change/delete
vendor master file data.
– Control - Quarterly, the Corporate Controller reviews the list
of personnel with the authority to add/change/delete master
data information.

Experis | September 30, 2014 45


Master Files
 Control - The Corporate Controller reviews and approves
access requests for the authority to add/change/delete
vendor master file data.
– Test - Obtain a report of users with the authority to
add/change/delete vendor master data. If possible, include
the creation/assignment date.
– Test - From the report, select a number of new users and
obtain evidence confirming that the user’s authority was
approved prior to the granting of authority.
• Determine if the approver is at an appropriate level/position.

Experis | September 30, 2014 46


Master Files
 Control - Quarterly, the Corporate Controller reviews the
list of personnel with the authority to add/change/delete
master data information.
– Test - For a selection of quarterly reviews, obtain evidence of
the Corporate Controller’s review. Inspect the evidence to
determine if:
• The review was performed
• Any users where flagged as inappropriate
– Test – Follow-up on inappropriate user to determine if their
access was removed.

Experis | September 30, 2014 47


Master Files
 Objective - Application controls provide reasonable
assurance that manually entered data is accurate,
complete and in the appropriate format.
– Control - The employee master file entry page is configured
to require a nine (9) digit number in the Social Security
Number field.
– Control - The Accounting Manager reviews the report of
additions/changes to the vendor master file weekly.

Experis | September 30, 2014 48


Master Files
 Control - The employee master file entry page is
configured to require a nine (9) digit number in the Social
Security Number field.
– Test – Observe the entry of a SSN. Attempt to enter an 8
digit number to determine if the application will reject the
entry.
– Test – Observe the entry of a SSN. Attempt to enter a 10
digit number to determine if the application will allow the
entry of more than 9 digits.

Experis | September 30, 2014 49


Master Files
 Control - The Accounting Manager reviews the report of
additions/changes to the vendor master file weekly.
– Test - For a selection of weekly reviews, obtain evidence of
the Accounting Manager’s review. Inspect the evidence to
determine if:
• The review was performed
• Any edits where flagged as inappropriate
– Test – Follow-up on inappropriate edits to determine if they
were resolved.

Experis | September 30, 2014 50


Separation of Duties

Experis | September 30, 2014 51


Separation of Duties
 Definition
– The concept of having more than one person required to
complete a task.
– Control policy according to which no person should be given
responsibility for more than one related function.
 Example Separation of Duties (SoD)
– Add/edit vendor master file data and enter
– Create and approve a P.O.
– Post journal entries and reconcile GL accounts
– System administrator and end user

Experis | September 30, 2014 52


Separation of Duties

Experis | September 30, 2014 53


Segregation of Duties
Functions

Create and maintain vendor records


Approve/release purchase orders

Enter vendor debit memos


Cash payment processing
Release blocked invoices
Process vendor invoices
Process goods receipt
Functions
Create and maintain vendor records x x x
Approve/release purchase orders x x x

Process goods receipt x x x


Process vendor invoices x x x
Cash payment processing x x
Release blocked invoices x x

Enter vendor debit memos x x

From COBIT and Application Controls: A Management Guide


Experis | September 30, 2014 54
Separation of Duties
 Objective – Controls provide reasonable assurance that
a single user does not have end to end access rights
over any function/process.
– Control - Compatible authorities are identified and
configured for each role.
– Control - The business owner reviews and approves any
system authority requests related to their area/module.
– Control - Quarterly, the business owners review a report of
users along with their assigned authorities to determine if
any users have incompatible authorities.

Experis | September 30, 2014 55


Separation of Duties
 Control - Compatible authorities are identified and
programed for each area/module.
– Test – Obtain a report of roles with specific assigned
authorities for each role.
– Test – For a selection of roles, determine if any of the roles
have been assigned incompatible duties.

Be careful to include manual duties that may conflict


with logical authorities.

Experis | September 30, 2014 56


Separation of Duties
 Control - The business owner reviews and approves any
system authority requests related to their area/module.
– Test - Obtain a report of application users that includes an
account creation date.
– Test - For a selection of new users (in the audit period),
obtain and inspect evidence that the business owner
approved the assigned authority prior to the assignment.

Experis | September 30, 2014 57


Separation of Duties
 Control - Quarterly, the business owners review a report
of users along with their assigned authorities to
determine if any users have incompatible authorities.
– Test - For a selection of quarterly reviews, obtain evidence of
the business owner’s review.
– Test – Inspect the evidence to determine if:
• The review was performed
• Any assigned authorities where flagged as inappropriate
– Test – Follow-up on inappropriate authorities to determine if
they access were removed.

Experis | September 30, 2014 58


Questions?

Experis | September 30, 2014 59


Thank You

Joe B. Peacock
Director, Risk Advisory Services
Experis
(602) 707-5428
Joe.Peacock@Experis.com

Experis | September 30, 2014 60