Scribd
Upload
601 views21 pages

MSA 516 Application Controls PowerPoint Presentation

This document provides information on application controls, including defining them, their objectives, how they differ from general controls, types of application controls, and benefits of relying on them. Application controls pertain to individual processes/systems and include edits, separation of duties, and error reporting. Their objectives are to ensure accurate, complete, authorized and timely processing of data. The document also discusses preventive, detective, and corrective controls; how to assess risks related to application controls; and how to scope and test application controls.

Uploaded by

Prince Ric
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
601 views21 pages

MSA 516 Application Controls PowerPoint Presentation

This document provides information on application controls, including defining them, their objectives, how they differ from general controls, types of application controls, and benefits of relying on them. Application controls pertain to individual processes/systems and include edits, separation of duties, and error reporting. Their objectives are to ensure accurate, complete, authorized and timely processing of data. The document also discusses preventive, detective, and corrective controls; how to assess risks related to application controls; and how to scope and test application controls.

Uploaded by

Prince Ric
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 21

Group 3

John Gregory
John Marsh
Gerri Houston
Samantha McNeily

Defining Application Controls


Application controls are those controls that pertain

to the scope of individual processes or application


systems
They include data edits, separation of business
functions, balancing of processing totals, transaction
logging, and error reporting

Objectives of Application Controls


Input data is accurate, complete, authorized, and

correct
Data is processed in an acceptable time period
Data stored is accurate and complete
Outputs are accurate and complete
A record is maintained to track the process of data
from input to storage and the the eventual ouput

Application Controls vs. General Controls


Application controls are those controls that pertain

to the scope of individual processes or application


systems (specific to a given application)

General controls are controls that apply to all

systems components, processes, and data present in an


organization or systems environment

Types of Application Controls


Input Controls - check the integrity of data entered into a

business application

Processing Controls - ensure processing is complete,

accurate, and authorized

Output Controls -compare output results with expected

results by checking the output against the input

Management Trial (Audit Trail) Controls - monitors the

effectiveness of other controls and identifies errors as close


as possible to their sources

Preventive, Detective, and


Corrective Controls
Preventive: keep undesirable events from occurring
Detective: should identify expected error types, as

well as those that are not expected to occur


Corrective: cause or encourage a desirable event or
corrective action to occur after an undesirable event
has been detected

Benefits of Relying on Application


Controls

Reliability
Once an application control is established, and there is

little change to the application, database, or


supporting technology, the organization can rely on
the application control until a change occurs.
An application control will continue to operate more
effectively if the general controls that have a direct
impact on its programmatic nature are operating
effectively as well. As a result, the auditor will be able
to test the control once and not multiple times during
the testing period.

Benefits of Relying on Application


Controls
Benchmarking
If general controls that are used to monitor program

changes, access to programs, and computer operations are


effective and continue to be tested on a regular basis, the
auditor can conclude that the application control is
effective without having to repeat the previous years
control test.
Auditor should evaluate the appropriate use of
benchmarking or an automated control by considering
how frequently the application changes. (If application
changes frequently, auditor should not rely on
benchmarking)

Benefits of Relying on Application


Controls
Time and Cost Saving
Application controls generally take less time to test

than application controls


Application controls are typically tested one time as
long as the general controls are effective

Risk Assessment
Use top-down approach
Determine applications and controls to be reviewed
Determine appropriate tests to be performed
Mapping:
Financial Statement
Accounts/Assertions
Business Processes/Units
Risk Identification and Analysis

Risk Assessment Approach


Identify applications, databases, and supporting

technology that uses application controls


Define the risk factors associated with each
application control
Weigh all risks to determine rankings by importance
Evaluate risk assessment results
Create review plan based on the risk assessment and
ranked risk areas

Example of Application Control Risk


Assessment

Scoping of Application Controls


Business Process Method
Top-down review approach used to evaluate the
application controls present in all the systems that
support a particular business process.
Single Application Method
Used to review the application controls within a single
application

Business Process Method

Application Review Approach


Planning
Create a planning memorandum

All review procedures to be performed


Any computer-assisted tools and techniques used and how
they are used
Sample sizes, if applicable
Review items to be selected
Timing of the review

Planning
Detailed Review Program
Meeting with Management
Managements concerns regarding risks
Previously reported issues
Internal auditings risk and control assessment
A summary of the reviews methodology
The reviews scope
How concerns will be communicated
Which managers will be working on the review team
Any Preliminary information needed
The length of the review

Testing Application Controls


Are application controls working?
Substantive testing
Information technology general controls review
Ways to test:
Inspection of system configurations
Inspection or re-performance of reconciliations with
supporting details
Re-Performance of the control activity using system data
Inspection of user access listings
Re-Performance of the control activity in a test environment

Flowchart-Documentation

Process Narrative-Documentation
1) Procurement
a) Requisitioning

i) When employees need to buy goods or services, they will


create a purchase requisition in the procurement application
(Control C1). Once the requisition has been created, the
buyer will review the purchase requisition for the
appropriateness, completeness, and accuracy. Components of
the purchase requisition that are reviewed include, but are not
limited to, the vendor, item, quantity, and account coding. If
the review does not reveal any errors, the buyer will approve
the purchase requisition. If the buyer rejects the purchase
requisition for any reason, the requisitioner will be notified.
Finally, if issues with the original requisition are resolved as
required, the buyer will approve the requisition.

Risk and Control Matrix


What to include in a matrix:
Identified risks
Control Objectives
Control Attributes such as control type and frequency
Testing Information

Sources
Auditing Application Controls
Christine Bellino, Jefferson Wells & Steve Hunt;
Enterprise Controls Consulting LP

www.theiia.org/download.cfm?file=21838

Information Technology Audits-Application Controls


Xenia, Ley, and Parker

You might also like