Application Controls


Audit Program: Application Controls

Risk if Objective Not Met


System Documentation

System overview / data flow
Relevant systems and applications are not adequately managed because their existence or importance is not known.

Documentation
A lack of adequate documentation of applications can result in a loss of application integrity or availability (e.g. a stand-in support person does not operate the application correctly; operational procedures are not performed as originally intended) or in a loss of support efficiency.

System Support

Support and Maintenance
1. Support for systems is inadequate, resulting in issues with availability and accuracy.
2. The system is not properly maintained.
3. There is a lack of information to monitor system performance (capacity, issue logs, etc.); system issues are not properly logged or analyzed.
4. Vendor support is not timely or effective.

Logical Security

User Access
1. Unauthorized or inappropriate user access to the system or to the data.
2. Unauthorized or incompatible access to system and database functions.
Change Control
1. Unauthorized changes occur to the application.
2. Untested changes occur to the application.
3. Changes occur that are not documented, impacting future fixes.
4. Changes to the application are not tested to ensure they have no harmful impact on other applications or software.

Problem Management
The application does not work properly because problems are not identified by users or are not resolved in a timely manner.
Backup and Recovery (RDR)
1. Data is lost or contaminated.
2. Data cannot be recovered in a timely manner.
3. Business cannot resume in a timely manner.

Interfaces
Incomplete or inaccurate data, or duplicate transmissions, are received, leading to inaccurate results.
Audit trail / Accountability
Changes to critical data can be made without any possibility of tracing who made the change (loss of accountability).

Automated Application Controls / Data Input
Invalid or incomplete input data leads to inaccurate results.

Automated Application Controls / Data Processing
Undetected or inherent processing errors lead to wrong output results.
Automated Application Controls / Data Output
Incomplete or inaccurate output data is produced and distributed.
Control Technique

System overview / data flow
· Applications have a business and IT owner.
· There is an overview of relevant systems / applications, their interfaces / data flow and purpose.
· Responsibilities for development, operation and administration are clearly defined.

Documentation
Adequate documentation for each application is maintained.

Support and Maintenance
IT service levels meet user needs and requirements.

User Access
1. Users must be authenticated with a user ID and password.
2. Approval of new or revised user access is required.
3. Periodic review of the access levels granted to users.
4. Adequate password controls.
5. Separation of duties between key functions and roles, including database administration, security administration, business analysts, application users, and programmers.
Change Control
1. Formal change process with user testing and approvals.
2. Separate test and production environments.
3. Moves of changes into production are performed by operations.
4. Logging and recording of changes made.

Problem Management
There are adequate user procedures for identifying and reporting problems to the Help Desk. All problems are logged and tracked by the Help Desk.
Backup and Recovery
1. Formal back-up process with multiple iterations kept.
2. Off-site back-ups.
3. Formal BCP in place and tested.
4. Back-ups used in BCP testing.

Interfaces
In coordination with manual controls, there are automatic reconciliations between data sent and received where necessary, such as:
· Received data is validated and key fields are checked for completeness.
· Data files have headers and trailers which are checked automatically on receipt (dates and sequence numbers).
· Errors in processing result in exception reports which are reviewed, signed off and dated by management.
· Failures are detected, reported and corrected.
· Procedures are defined to recover data if a data transfer is cancelled during the run.
Audit trail / Accountability
Shared user accounts are reduced to a minimum and are not used for business purposes.
Access to critical functions and data is logged. The log contains at least information about the event, the date and the user ID.

Data Input
Appropriate data input measures are implemented, documented and working effectively. The application helps reduce manual input errors with a suitable input screen design and input checks.

Data Processing
Appropriate data processing measures are implemented, documented and working effectively. Data in tables used for computation is accurate.

Data Output
Appropriate data output measures are implemented, documented and working effectively.
Audit Procedures

System overview / data flow
1. Determine whether the applications have a business and IT owner assigned.
2. Obtain an application overview and identify data flow / interfaces.
3. Determine which teams are responsible for administering, operating and developing the application.

Documentation
Obtain application documentation and assess whether:
· the purpose and functionality of the application are documented;
· interfaces and data flow from/to other IT systems are documented;
· the most important files and tables are documented;
· jobs are described;
· a user manual exists;
· an operational manual exists.

Support and Maintenance
Ensure system maintenance is performed in a controlled and effective manner. Determine the following:
a) Ascertain whether there is a system owner. What are their duties and are they adequate? Are there backup (deputy) support staff? Is there any danger of losing primary support in a short period of time (e.g. all close to retirement, only limited in-house resources have knowledge, etc.)?
b) Review procedures for identifying and reporting problems to the application support team. Does the application support team document and prioritize all problems and change requests?
c) Review system documentation to ensure it is adequate.
d) Review the adequacy of maintenance arrangements for third-party systems. Do third parties have remote access to the live application? How are patches and upgrades handled?
e) Evaluate the procedures used for monitoring system performance (capacity, downtime, etc.) for adequacy.
f) Review outstanding programming requests to determine whether the quantity and aging of outstanding requests are reasonable.
g) Discuss with end-user management and determine their level of satisfaction with application support services.

User Access
1. Determine the process used to grant, change, and terminate user access to the applicable applications. Ensure that the process is adequate and reasonable. Items to evaluate include:
a. Use of standard forms.
b. Approvals for new and changed users.
c. Timely identification of terminated or departing users.
d. Review the most recent process-owner review of user access for appropriateness. When was the review conducted and for what time period? Were changes suggested based on this review?
e. Identify the area responsible for user administration and ensure that it is independent of the users.
2. Evaluate the password controls, including password length, password change policy, password history, and others, to ensure compliance with WUSH directives.
3. Determine the differing levels of access allowed. Specifically, determine the following:
a. Any access levels that would be incompatible with each other.
b. Any access levels that allow critical processing or functions.
c. Any access levels that would be considered privileged.
4. Obtain a current listing of users with access to the applications. Review it for appropriateness given the users' responsibilities and the items noted in 3a-c. Ensure all users are active employees and that the access granted is in line with their assigned duties. Ensure that the process owner's changes were appropriately made. Review the user list for any IDs which are not current, cannot be identified, or indicate shared accounts (e.g. OPS1, ADMIN).
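The listing review in step 4 (active employees only, shared or unidentifiable IDs such as OPS1 and ADMIN, privileged and incompatible access levels from 3a-c) can be run as a script over the exported application user list and the HR active-employee list rather than by eye. The following is an added example written for this page, not part of the original audit program; the user list, the HR list, the role names and the generic-ID naming pattern are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (assumption, not from any real system).
# Application user listing: user ID -> (display name, set of access levels held)
APP_USERS = {
    "jdoe":   ("Jane Doe",   {"APP_USER"}),
    "bsmith": ("Bob Smith",  {"APP_USER", "PROGRAMMER"}),  # incompatible combination
    "mlee":   ("Mary Lee",   {"DBA", "PROGRAMMER"}),       # privileged + incompatible
    "OPS1":   ("Operations", {"APP_USER"}),                # shared / generic ID
    "ADMIN":  ("",           {"SECURITY_ADMIN"}),          # cannot be tied to a person
    "tgone":  ("Tom Gone",   {"APP_USER"}),                # no longer an active employee
}

# HR listing of active employees, keyed by user ID (constructed).
ACTIVE_EMPLOYEES = {"jdoe", "bsmith", "mlee"}

# Roles that the separation-of-duties control keeps apart; holding more than one
# of them is an incompatible combination (item 3a). Role names are assumptions.
SOD_ROLES = {"DBA", "SECURITY_ADMIN", "BUSINESS_ANALYST", "APP_USER", "PROGRAMMER"}
# Access levels considered privileged (item 3c).
PRIVILEGED = {"DBA", "SECURITY_ADMIN"}
# Naming pattern for generic or shared IDs (assumption; extend to local conventions).
GENERIC_ID = re.compile(r"^(ops|admin|test|batch|service|guest)\d*$", re.IGNORECASE)


def review_user_access(app_users, active_employees):
    """Return {user ID: [findings]} for every ID that needs follow-up.

    IDs with no findings are omitted, so an empty dict means a clean listing."""
    findings = defaultdict(list)
    for userid, (name, roles) in app_users.items():
        # Shared or unidentifiable IDs first: they can never map to an employee.
        if GENERIC_ID.match(userid) or not name.strip():
            findings[userid].append("shared or unidentifiable account")
        elif userid not in active_employees:
            findings[userid].append("not an active employee (terminated or unknown)")
        privileged = roles & PRIVILEGED
        if privileged:
            findings[userid].append("privileged access: " + ", ".join(sorted(privileged)))
        sod = roles & SOD_ROLES
        if len(sod) > 1:
            findings[userid].append("incompatible combination: " + " + ".join(sorted(sod)))
    return dict(findings)


if __name__ == "__main__":
    for userid, items in review_user_access(APP_USERS, ACTIVE_EMPLOYEES).items():
        print(userid, "->", "; ".join(items))
```

Privileged access is reported even when the holder is a legitimate employee, because item 3c asks for the privileged population to be identified, not only for exceptions; the auditor then confirms each one against assigned duties.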

Change Control
1. Validate that the change control process for the applicable application(s) is subject to the organization's established change management procedures. (Change control is audited as part of the IT Operations Audit.)
2. For any changes, such as table updates, that are not subject to the normal change management procedures:
a) Ascertain whether there are agreed authorization levels.
b) Ascertain whether only changes submitted by authorized users have been accepted.
c) Ascertain that approvals are obtained for detailed proposals before work commences.
d) Ascertain whether security controls and integrity procedures are reviewed to ensure that they are not compromised by changes.
e) Ascertain that an authorized user accepts changes before their implementation.

Problem Management
1. Validate that the problem management process for the applicable application(s) is subject to the organization's established Problem Management procedures. (Problem Management is audited as part of the IT Operations Audit.)
2. Review any problem resolution process specific to the application. Verify that information regarding problems is collected and recorded whenever problems are encountered. Ensure that periodic analysis and reporting of the information collected occurs to identify and address any trends.

Backup and Recovery
1. Evaluate the process of backing up the application and database. As part of this process, determine the number of iterations of back-ups made and where the back-ups are stored.
2. Ensure the application and database, and any other critical applications, are contained in the Business Continuity / Disaster Recovery Plan. Perform the following:
a) Ensure the plan has been tested in the past year and determine the frequency of scheduled testing.
b) Review the adequacy of the test results, issues raised, corrective action taken and sign-off by management.

Interfaces
Depending on the implemented manual controls, assess the extent and quality of the automated interface controls. Consider:
· Obtain evidence that there are automatic reconciliations / control totals, checksums, etc. and that they are working effectively.
· Obtain evidence that received data is validated and key fields are checked for completeness.
· Assess whether there are automatic header/footer, date and sequence checks.
· Review a sample of hardcopy exception reports, if available, for evidence of review and corrective action. Where hardcopy reports are not available, determine how exceptions are identified, recorded and treated.
· Obtain a description of the procedures in case of errors and assess whether errors are adequately reported and corrected.
· Discuss the procedures for transmission recovery (i.e. how data can be recovered if a data transfer has started and is afterwards cancelled).
· Discuss how data integrity is assured when the same data is sent twice.
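The automated interface controls listed under Control Technique (header and trailer checks with dates and sequence numbers, key-field completeness, control totals) and the evidence sought in the procedure above, including what happens when the same data is sent twice, can be exercised against a received file. The following is an added example, not part of the original audit program; the pipe-delimited file layout, the field names and the sample transfers are constructed assumptions.

```python
import hashlib
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Hypothetical pipe-delimited transfer format (an assumption, not taken from
# the audit program):
#   H|<yyyymmdd>|<sequence number>           header
#   D|<document id>|<customer id>|<amount>   detail record
#   T|<record count>|<control total>         trailer


def parse_transfer(text):
    """Split a transfer into header, detail records and trailer.

    Returns (header, details, trailer, findings); structural problems are
    collected as findings so the caller can report every exception at once."""
    findings, details, header, trailer = [], [], None, None
    for line in (ln for ln in text.splitlines() if ln.strip()):
        fields = line.split("|")
        if fields[0] == "H" and header is None:
            header = fields
        elif fields[0] == "T" and trailer is None:
            trailer = fields
        elif fields[0] == "D":
            details.append(fields)
        else:
            findings.append(f"unexpected or repeated record: {line!r}")
    if header is None:
        findings.append("missing header")
    if trailer is None:
        findings.append("missing trailer")
    return header, details, trailer, findings


def validate_transfer(text, expected_seq, seen_digests):
    """Apply the automated interface controls to one received transfer.

    expected_seq -- sequence number the receiver expects next
    seen_digests -- set of SHA-256 digests of transfers already accepted,
                    used to detect the same data being sent twice
    Returns a list of exception strings; an empty list means the transfer is
    accepted and its digest is recorded in seen_digests."""
    header, details, trailer, findings = parse_transfer(text)

    # Duplicate-transmission check over the whole file content.
    digest = hashlib.sha256(text.encode()).hexdigest()
    if digest in seen_digests:
        findings.append("duplicate transmission: identical content already received")

    # Header checks: date validity and sequence continuity.
    if header is not None:
        if len(header) != 3:
            findings.append("malformed header")
        else:
            try:
                datetime.strptime(header[1], "%Y%m%d")
            except ValueError:
                findings.append(f"invalid header date {header[1]!r}")
            try:
                seq = int(header[2])
                if seq < expected_seq:
                    findings.append(f"sequence {seq} already processed (expected {expected_seq})")
                elif seq > expected_seq:
                    findings.append(f"sequence gap: got {seq}, expected {expected_seq}")
            except ValueError:
                findings.append(f"invalid sequence number {header[2]!r}")

    # Key-field completeness and amount validity per detail record.
    total = Decimal("0")
    for i, rec in enumerate(details, 1):
        if len(rec) != 4 or not rec[1] or not rec[2]:
            findings.append(f"detail record {i}: missing key field")
            continue
        try:
            total += Decimal(rec[3])
        except InvalidOperation:
            findings.append(f"detail record {i}: non-numeric amount {rec[3]!r}")

    # Trailer reconciliation: record count and control total.
    if trailer is not None:
        if len(trailer) != 3:
            findings.append("malformed trailer")
        else:
            try:
                if int(trailer[1]) != len(details):
                    findings.append(f"record count mismatch: trailer {trailer[1]}, received {len(details)}")
            except ValueError:
                findings.append(f"invalid record count {trailer[1]!r}")
            try:
                if Decimal(trailer[2]) != total:
                    findings.append(f"control total mismatch: trailer {trailer[2]}, computed {total}")
            except InvalidOperation:
                findings.append(f"invalid control total {trailer[2]!r}")

    if not findings:
        seen_digests.add(digest)
    return findings


# Constructed sample transfers (not real data).
GOOD = ("H|20240301|000123\n"
        "D|INV-1001|CUST-42|1250.00\n"
        "D|INV-1002|CUST-17|80.50\n"
        "T|2|1330.50\n")
BAD_TOTAL = GOOD.replace("000123", "000124").replace("T|2|1330.50", "T|2|1300.50")

if __name__ == "__main__":
    seen = set()
    print(validate_transfer(GOOD, 123, seen))        # accepted
    print(validate_transfer(GOOD, 124, seen))        # duplicate and stale sequence
    print(validate_transfer(BAD_TOTAL, 124, seen))   # control total mismatch
```

The returned findings are the raw material for the exception report that management reviews and signs off; a rejected transfer is not recorded as seen, so a corrected resend with the same sequence number is accepted. Amounts are handled as Decimal, not float, so the control total reconciles exactly.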

Audit trail / Accountability
Assess whether personal accountability is ensured:
· Identify shared user accounts; discuss their purpose and the persons using each account.
Identify critical functions and data sets and assess:
· the existence of an audit trail;
· the information in the log data (date, user ID);
· whether the audit trail can be modified.
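The control technique requires that the log hold at least the event, the date and the user ID, and the procedure above asks whether the audit trail can be modified. One way to make such modification detectable is to chain each record to the previous one with a keyed MAC held by the logging service. The following is an added example, not part of the original audit program; the record layout, the key handling and the sample entries are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumptions (not from the audit program): the log is an in-memory list of
# records, and the MAC key is held by the logging service rather than by the
# application users or administrators whose actions the log records.
GENESIS_MAC = "0" * 64


def _entry_mac(key, prev_mac, fields):
    """MAC over the previous record's MAC plus this record's canonical JSON."""
    msg = prev_mac.encode() + json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_entry(log, key, userid, event, target, when=None):
    """Append one record: who (userid), what (event on target), when (UTC date/time)."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    fields = {"seq": len(log), "date": when, "userid": userid,
              "event": event, "target": target}
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    entry = dict(fields, mac=_entry_mac(key, prev_mac, fields))
    log.append(entry)
    return entry


def verify_chain(log, key):
    """Return the index of the first record that fails verification, or -1 if intact.

    A changed field, a changed MAC, or a removed or reordered record (seq no
    longer matches position) breaks the chain from that point on."""
    prev_mac = GENESIS_MAC
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        expected = _entry_mac(key, prev_mac, fields)
        if fields.get("seq") != i or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev_mac = entry["mac"]
    return -1


# Constructed demonstration key and records (not real data).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def demo():
    """Build a two-record log, then alter the user ID of the first record.

    Returns (result before tampering, result after tampering) = (-1, 0)."""
    log = []
    append_entry(log, DEMO_KEY, "jdoe", "UPDATE", "price_table:SKU-77",
                 "2024-03-01T09:15:00+00:00")
    append_entry(log, DEMO_KEY, "mlee", "DELETE", "customer:42",
                 "2024-03-01T09:16:00+00:00")
    before = verify_chain(log, DEMO_KEY)
    log[0]["userid"] = "OPS1"   # attempt to shift accountability to a shared ID
    after = verify_chain(log, DEMO_KEY)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The chain detects edits, deletions and reordering inside the log, but not truncation of the newest records: the most recent MAC (or the record count) has to be anchored somewhere the log writer cannot reach, for example copied periodically to a separate system, for the tail to be verifiable as well.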

Data Input
Assess whether input controls are appropriate:
· Identify who enters which data.
· Determine how data is entered into the application (manually, batch or online).
· Document the flow of online input transactions (e.g. screenshots, walkthrough).
· Verify how input data is checked for correctness, completeness and validity. Verify that manual input screens are suited to lowering error rates (e.g. match with corresponding paper forms, easy to use, input checks). Verify how the transmission of complete, correct and authorised data is ensured (reconciliation).
· Ascertain how it is ensured that wrong data is rejected and re-entered afterwards. Which controls for wrong data input exist? Verify that rejected data is logged, tracked and resolved in a timely manner.

Data Processing
Assess whether processing controls are appropriate:
· Verify that key computations are documented.
· Identify which data is processed where.
· Review how data processing errors are detected.
· Ascertain how data which is not processed because of failures is processed again.
· Ensure that faults can be traced back to their origin.
· Verify that data in tables used for computation is accurate.

Data Output
Assess whether output controls are appropriate:
· Determine where the data output is located.
· Obtain the written, defined processes concerning data output.
· Review how it is ensured that all data output is produced.
· Determine how it is ensured that, where confidential data is output (electronic or paper), only authorized staff have access. Are sensitive documents protected?
· Identify how failed data outputs are corrected.
· Verify whether regularly produced output (i.e. reports) is still required.
· Ascertain how confidential output which is no longer used is destroyed.