System Development, Program Changes, & Application Auditing

Cards (46)

  • All systems should be properly authorized to ensure their economic justification and feasibility.
  • Users need to be actively involved in the systems development process.
  • The technical design activities translate user specifications into a set of detailed technical specifications for a system that meets the user's needs.
  • Documentation is both a control and evidence of control, and it is critical to the system's long-term success.
  • To meet the governance-related expectations of management under SOX, an organization's internal audit department needs to be independent, objective, and technically qualified.
  • The internal auditor can play an important role in the control of systems development activities.
  • All program modules must be thoroughly tested before they are implemented.
  • Prior to system implementation, the individual modules of the system need to be formally and rigorously tested as a whole.
  • The test team should be composed of user personnel, systems professionals, and internal auditors.
  • The auditor's objectives are to ensure that:
    1. Systems development activities are applied consistently and in accordance with management's policies to all systems development projects;
    2. The system as originally implemented was free from material errors and fraud;
    3. The system was judged necessary and justified at various checkpoints throughout the SDLC; and
    4. System documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
  • The auditor should select a sample of completed projects and review the documentation for evidence of compliance with stated systems development policies.
  • Upon implementation, the information system enters the maintenance phase of the SDLC.
  • SPLMS controls four critical functions:
    1. Storing programs on the SPL;
    2. Retrieving programs for maintenance purposes;
    3. Deleting obsolete programs from the library; and
    4. Documenting program changes to provide an audit trail of the changes.
  • An important feature of SPL management software is the creation of reports that enhance management control and support the audit function.
  • The SPLMS assigns a version number automatically to each program stored on the SPL.
  • The auditor's objectives are to determine that:
    1. Maintenance procedures protect applications from unauthorized changes;
    2. Applications are free from material errors; and
    3. Program libraries are protected from unauthorized access.
  • To establish that program changes were authorized, the auditor should examine the audit trail of program changes for a sample of applications that have undergone maintenance.
  • The permanent file of the application should contain program change authorization documents that correspond to the current version number of the production application.
  • The program maintenance authorization should indicate the nature of the change requested and the date of the change.
  • The auditor can perform three types of tests of controls:
    1. Reconcile the source code;
    2. Review the test results; and
    3. Retest the program
    to determine that programs are free from material errors.
  • Each application's permanent file should contain the current program listing and listings of all changes made to the application. These documents describe in detail the application's maintenance history.
  • Every program change should be thoroughly tested before being implemented.
  • The auditor can retest the application to confirm its integrity.
  • The existence of a secure program library is central to preventing errors and program fraud.
  • The auditor can select a sample of programmers and review their access authority.
  • To test the programmer's access privileges, the auditor may violate the authorization rules in an attempt to access unauthorized libraries.
  • In addition to general IT controls, SOX requires management and auditors to consider application controls relevant to financial reporting. These controls fall into three broad categories: input controls, processing controls, and output controls.
  • Access tests verify that individuals, programmed procedures, or messages attempting to access a system are authentic and valid.
  • Validity tests ensure that the system processes only data values that conform to specified tolerances.
  • Accuracy tests ensure that mathematical calculations are accurate and posted to the correct accounts.
  • Completeness tests identify missing data within a single record and entire records missing from a batch.
  • Redundancy tests determine that an application processes each record only once.
  • Audit trail tests ensure that the application creates an adequate audit trail.
  • This fraud affects large numbers of victims, but each in a minimal way.
    Salami Fraud
  • The __ (also called auditing around the computer) does not require the auditor to create test files or to obtain a detailed knowledge of the application's internal logic.
    Black box approach
  • The through-the-computer approach employs computer-assisted audit tools and techniques and requires an in-depth understanding of the internal logic of the application under review.
  • 5 Key features of CAATTs:
    1. The test data method;
    2. Base case system evaluation;
    3. Tracing;
    4. Integrated test facility; and
    5. Parallel Simulation.
  • To employ the test data method approach, the auditor requires detailed and current systems documentation.
  • Test data should consist of a complete set of valid and invalid transactions.
  • Base case system evaluation is a variant of the test data approach. BCSE tests are conducted with a set of test transactions containing all possible transaction types.