Steps 2 Flashcards
Before an IS auditor can begin an audit of infrastructure or application systems,
the auditor must understand the environment.
Automated controls include
validation and edit checks, programmed logic functions, and controls.
Manual controls are those that auditors or staff manually verify, such as
the review of reconciliation reports and exception reports.
The purpose of both automated and manual controls is to verify the following:
- The validity of data processed is ensured.
- The accuracy of data processed is ensured.
- Stored data is protected by controls that maintain its accuracy, validity, confidentiality, and integrity.
- Processed data is valid and meets expectations.
Auditors can perform control checks by doing the following:
- Discovering and identifying application components so that transaction flow can be analyzed.
- Determining the appropriate audit procedures to perform tests to evaluate strengths and weaknesses of the application.
- Analyzing test results.
- Validating the results and reporting on the application’s effectiveness and efficiency. The results should also be measured against good programming standards and compared against management’s objectives for the application.
Setting the Scope of the Review
The audit engagement letter should set out clearly the types of matters that will be reviewed during the audit and the scope of such review.
Before controls can be examined, an auditor must
understand the business strategy and the business process.
To understand business objectives and strategy, start with
the company’s business plan.
Next, review
the long- and short-term goals.
Finally, review
the organization’s goals.
After reviewing this background information,
examine process flow charts.
Next, review
application controls, data integrity controls, and controls for business systems.
When reviewing input controls, the auditor must
ensure that all transactions have been entered correctly. Whatever controls are used, they should be capable of checking that input is valid. This becomes important because in many automated systems, the output of one system is the input of another. In such situations, data should be checked to verify the information from both the sending and receiving applications.
Types of authorization controls include these:
- Signatures on forms or documents approving a change.
- Password controls that are required to process a change.
- Client identification controls that allow only certain clients to authorize the change. As an example, the clerk at the local market cannot authorize a price override, yet the manager can by using their access login.
A batch control is a second type of input control. Batch controls combine
transactions into a group. This group then has a value assigned. The total for this batch can be based on dollar amounts, total counts, total document numbers, or hash totals. This number should match the count in the receiving system.