Testing - General and Automated Controls
Mentor: Dr. Truong Tuan Anh
Presenter: Huynh Thi Nan
Content (cont.)
7. Tests of General Controls at the Business Process – Application Level
8. Tests of Business Process Application Controls & User Controls
9. Appropriateness of Control Tests
10. Multi-year Testing Plan
11. Documentation of the Control Testing Phase
12. Audit Reporting
13. Concurrent or Continuous Audit & Embedded Audit Modules
14. Hardware Testing
15. Operating System Review
16. Network Review
1. Testing: Definition
● Testing is the process of assessing the correctness, completeness and quality of a system.
● Testing is the process of determining whether the controls adequately protect the system.
● Testing of the controls' design and of the reliability of their results is done by one of the following methods:
  - Substantive Testing
  - Compliance Testing
1. Testing: Definition (cont.)
● The Information System (IS) controls audit involves the following three phases:
  - Planning: the auditor determines how to collect the evidence needed to achieve the IS audit objectives.
  - Testing: the auditor tests the effectiveness of the IS controls.
  - Reporting: the auditor concludes and reports the results of the audit to management.
2. Audit Planning
● Planning occurs throughout the audit and includes the following activities:
  - Obtain an understanding of the entity and its operations.
  - Obtain an understanding of internal controls.
  - Assess the risk.
  - Design the nature, extent and timing of the audit procedures.
2. Audit Planning (cont.)
● In planning the IS controls audit, the auditor uses the concepts of Materiality and Significance.
● According to these concepts, the auditor is not required to spend resources on items that are not material and significant, i.e. those that would not affect the judgment of users of the audit report.
3. Audit Testing
Some important decisions before testing begins:
● Testing methodology –
  The auditor must select testing methods that determine whether the controls are effective. These may include reviewing documentary evidence, interviewing personnel and personal observation.
● File interrogation –
  The auditor must browse the directories of PCs to investigate user-developed application files.
3. Audit Testing (cont.)
● Test pack –
  The auditor uses valid and invalid data to test the system's ability to prevent, detect and correct errors.
  The intensity and extent of testing depend on the importance of the application.
● Automated tools –
  The audit team can use GAS (Generalised Audit Software) for sampling, data extraction, summarising and reporting.
3.0 Types of Control Audit Test
● Financial audit –
  If the IS controls audit is performed as part of a financial audit, the auditor obtains an understanding of the controls over financial reporting to assess the risk of misrepresentation.
● Performance audit –
  If the IS controls audit is performed as part of a performance audit, the auditor should evaluate the design and operating effectiveness of all the controls.
3.1 IS Controls Audit Process
● Obtaining an understanding of the entity, its operations and its key business processes,
● Obtaining a general understanding of the structure of the entity's networks,
● Identifying key areas of audit interest (files, applications, systems, locations),
● Assessing IS risk on a preliminary basis,
● Identifying critical control points (for example, external access points to networks),
● Obtaining a preliminary understanding of IS controls, and
● Performing other audit planning procedures.
3.2 Identify Key Areas of Audit Interest
● Key areas are those applications and files that are critical to achieving the audit objectives.
  - For a financial audit: key financial applications
  - For a performance audit: all key system applications
● For each key area, the auditor should document:
  - Operational location
  - Significant components (hardware, software)
  - Other support systems/resources
  - Prior audit reports
3.3 Performing Information System Controls Audit Tests
4. Testing Critical Control Points
● A critical control point is a component of the system that is of significant importance.
● The auditor tests the controls related to the component, its operating system and its applications.
● For example, a router: the auditor tests the controls related to the router itself, its operating system and its applications.
16
5. Test Effectiveness of IS Controls
● The auditor should conduct tests of those control techniques that are effective in operation.
● The best way to do so is to test controls on a tiered basis, starting with:
  - Entity-wide controls
  - System-level controls
  - Business process application-level controls
  - Data management controls
● Ineffective IS controls at one tier generally prevent effective controls at the subsequent tier.
17
6. Tests of General Controls at the Entity-wide and System Levels
● General controls at the entity-wide and system levels can be tested using techniques such as inquiry, observation, inspection and re-performance through test software.
● After reaching a favourable conclusion on general controls at these levels, the auditor tests general controls at the business process application level.
● If general controls are not operating effectively, the auditor should:
  - Determine the nature and extent of the risk resulting from the ineffectiveness.
  - Identify and test any manual controls as compensating controls.
18
7. Tests of General Controls at the Business Process – Application Level
● If the IS controls audit is part of a financial or performance audit, the
IS controls specialist should discuss the nature and extent of risks
resulting from ineffective general controls with the audit team.
● The auditor should determine whether to proceed with the evaluation
of business process application controls and user controls.
20
8. Tests of Business Process Application
Controls & User Controls
● The auditor generally should perform tests of those business process
application controls (business process, interface, data management),
and user controls necessary to achieve the control objectives.
8. Tests of Business Process Application
Controls & User Controls (cont.)
● The auditor considers whether manual controls achieve the control
objectives, including manual controls that may mitigate weaknesses
in IS controls.
● If IS controls are not likely to be effective and if manual controls do
not achieve the control objectives, the auditor should identify and
evaluate any specific IS controls that are designed to achieve the
control objectives to develop recommendations for improving internal
controls.
23
9. Appropriateness of Control Tests
● To keep the control tests appropriate, the auditor should perform an appropriate mix of audit procedures, including:
  - Inquiries of IT and management personnel
  - Questionnaires
  - Review of documentation of control procedures
  - Inspection of approvals (authorisation)
  - Analysis of system information (configuration)
  - Analysis of output (accuracy of processing)
  - Review of data files
  - Re-performance of the control (use of test data)
24
10. Multi-year Testing Plan
● Where the auditor regularly performs control audits of an entity, the auditor may develop a multi-year plan for the control audits.
● Such plans should cover not more than 3 years and include the schedule and scope of assessment.
● Under a multi-year plan, each control is tested at least once during the multi-year period.
● This concept allows the auditor to test controls on a risk basis rather than testing every control every year.
25
10. Multi-year Testing Plan (cont.)
● For example, a multi-year plan for an entity with 7 applications might include comprehensive tests of 2-3 applications annually.
● Multi-year plans are not appropriate in all situations. For example, they are not appropriate:
  - For a first-time audit.
  - Where the controls have not been tested within a recent period.
  - For entities that do not have strong entity-wide controls.
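As an added example (not from the slides), the Python below builds a 3-year schedule under the rules stated above: every control is tested at least once in the period, no year exceeds the annual capacity, and spare capacity goes to the highest-risk items. The application names and risk ratings are constructed, and the rule that high-risk items are re-tested every year where capacity allows is an assumption of this example.

```python
# Risk-based multi-year control testing plan (added example, not from the slides).
# Assumptions: a plan covers at most 3 years and every control must be tested
# at least once (both from the slides); high-risk items are re-tested every year
# where capacity allows (our rule); application names and ratings are constructed.
from itertools import cycle

PLAN_YEARS = 3          # the slides: a plan should cover not more than 3 years
TESTS_PER_YEAR = 3      # the slides' example: 2-3 comprehensive tests annually
HIGH_RISK = 3

# Constructed inventory: application -> risk rating (1 = low ... 3 = high).
APPLICATIONS = {
    "General Ledger": 3, "Payroll": 3, "Procurement": 2, "Fixed Assets": 2,
    "Inventory": 2, "Travel Claims": 1, "Library Loans": 1,
}

def build_plan(apps, years=PLAN_YEARS, per_year=TESTS_PER_YEAR):
    """Return {year_index: [application, ...]}.

    Pass 1 guarantees every application one comprehensive test, distributing
    them round-robin in descending risk order so no year is overloaded.
    Pass 2 spends any spare annual capacity on extra tests of high-risk items.
    """
    if len(apps) > years * per_year:
        raise ValueError("capacity too small to test every control once in the period")
    plan = {y: [] for y in range(years)}
    by_risk = sorted(apps, key=lambda a: -apps[a])       # stable: ties keep order
    for app, year in zip(by_risk, cycle(range(years))):
        plan[year].append(app)
    for year in range(years):
        for app in by_risk:
            if len(plan[year]) >= per_year:
                break
            if apps[app] == HIGH_RISK and app not in plan[year]:
                plan[year].append(app)
    return plan

def untested(plan, apps):
    """Controls never scheduled in the period; must be empty for a valid plan."""
    scheduled = {a for tests in plan.values() for a in tests}
    return sorted(set(apps) - scheduled)

def coverage_ok(plan, apps, per_year=TESTS_PER_YEAR):
    """The two checks an auditor would make on a proposed plan."""
    return not untested(plan, apps) and all(len(t) <= per_year for t in plan.values())
```

With the constructed inventory, the two high-risk applications are the only ones tested more than once, and the General Ledger appears in every year.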
26
11. Documentation of the Control Testing Phase
● Information gathered during the testing phase should be documented. This includes:
  - Understanding of the IS.
  - IS control objectives and activities.
  - Description of the control techniques used by the entity.
  - Specific tests performed.
  - Description of the nature, extent and timing of the tests.
  - Evidence of the effectiveness of controls.
  - If controls are ineffective, the compensating controls.
  - The auditor's conclusion about the effectiveness of controls.
  - For each weakness, whether it is a material weakness, a significant deficiency or just a deficiency.
27
12. Audit Reporting
● After completing testing, the auditor summarises the audit results and draws conclusions on the control weaknesses.
● The auditor prepares this report at the entity-wide, system and BPA (business process application) levels collectively.
● Such documentation may be developed as the audit progresses, allowing the auditor to demonstrate that the weakness exists and can be exploited.
● The auditor should also document the potential impact of the weakness on the completeness, accuracy, validity and confidentiality of the system.
28
Some audit terms
Substantive testing
● Substantive testing is used to determine the accuracy of the information generated by a process.
● The auditor generates and processes test data to verify the processing steps.
● Where controls are evaluated as ineffective, substantive testing may be required.
● The auditor uses CAATs (computer-assisted audit techniques) to generate the test pack and conduct the test.
29
Some audit terms (cont.)
Analysis
● Interviews and tests provide the raw facts for drafting an audit report, but by themselves they do not guarantee a quality audit report.
● Analysis is needed to convert this raw material into a finished product.
● Timely analysis gives the auditor time to conduct further tests and allows more time for corrective actions.
● Thorough analysis includes the following 4 steps:
30
Steps (diagram): Re-examination → Cause of deviation → Exposure and Materiality → Conclusion
31
Steps
Step 1: Re-examination
● The two factors to be re-examined are standards and facts.
● Standards are the rules, procedures and practices that define how the operation under audit should function.
● The standards must be clearly understood by the auditors, because a wrong understanding leads to incorrect findings.
● Facts are evaluated after the standards are reviewed. For accuracy, the sample should be:
  - Large enough to reflect the behaviour of the population.
  - Representative of current control activity.
32
Steps (cont.)
Step 2: Cause of Deviation
● After understanding the standards and facts, the auditor identifies the causes of the deviation.
● Determining the cause is like answering the following questions:
  - Who (responsible)
  - What (initiating event)
  - Where (system component)
  - Why (contributing factor)
  - When (timing)
● Cause determination helps to identify the exposure and to formulate recommendations.
33
Steps (cont.)
Step 3: Exposure and Materiality
● These are the consequences of a deviation.
● Exposure is the potential loss, harm, damage, theft or inefficient use, and
● Materiality is a qualitative judgment about whether a deviation's frequency of occurrence and degree of exposure are significant enough for the deviation to be corrected.
● The degree of exposure is related to the proximity and severity of the risk.
● Proximity refers to the extent to which an asset is available to users or the environment: limited access means less proximity.
34
Steps (cont.)
Step 4: Conclusion
● Conclusions are the auditor's opinion on whether the audit subject area meets the audit objectives.
● Conclusions must be supported by factual evidence.
35
13. Concurrent or Continuous Audit & Embedded Audit Modules
● Many audit tools are available; those described here are Snapshots, ITF, SCARF and CIS.
36
13.1 Snapshot
● A special audit module built into the system where transaction processing occurs.
● It takes images of the transactions of audit significance and stores them in the auditor's file.
● The main issues to decide are:
  - Location of the snapshot points
  - Conditions for capturing the image
  - Reporting system
37
13.2 Integrated Test Facility
● It involves creating a dummy entity in the client's system and processing special audit data against it.
● Methods of creating the test pack:
  - An embedded audit module recognises transactions having certain characteristics; these tagged transactions can be used as the test pack.
  - The auditor may use test data specially prepared for the audit.
38
13.2 Integrated Test Facility (cont.)
39
13.3 System Control Audit Review File
● It involves the use of a special audit module within the system under audit.
● It provides continuous monitoring of the system's transactions.
● The collected information is stored in a special audit file, the SCARF, and may include:
  - Application system errors
  - Policy and procedure variances
  - System exceptions
  - Statistical samples
  - Snapshots and extended records
  - Profiling data
  - Performance measurements
40
13.4 Continuous and Intermittent Simulation (CIS)
● The database management system reads an application system transaction and passes it to CIS. CIS then determines whether it wants to examine the transaction further. If yes, the next steps are performed; otherwise CIS waits to receive further data from the database management system.
● CIS replicates or simulates the application system's processing.
● Every update to the database that arises from processing the selected transaction is checked by CIS to determine whether discrepancies exist between the results it produces and those the application system produces.
41
13.4 Continuous and Intermittent Simulation (CIS) (cont.)
● Exceptions identified by CIS are written to an exception log file.
● The advantage of CIS is that it does not require modifications to the application system and yet provides an online auditing capability.
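The CIS flow described above, as an added Python example that is not part of the slides or of any real audit product: the DBMS hook, the application's posting rule, the selection threshold and the sample transactions are all constructed, and the application carries a deliberate defect so the exception log has something to show.

```python
# Continuous and Intermittent Simulation (CIS) as described on the slides.
# Added example: DBMS hook, posting rule, threshold and sample transactions are constructed.
from dataclasses import dataclass, field

@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: float            # positive = deposit, negative = withdrawal
    fee_waived: bool = False

FEE_RATE = 0.015             # constructed rule: withdrawals pay a 1.5% fee unless waived

def simulate_posting(balance, txn):
    """CIS's independent re-performance of the application's posting logic."""
    fee = 0.0 if txn.amount >= 0 or txn.fee_waived else abs(txn.amount) * FEE_RATE
    return round(balance + txn.amount - fee, 2)

@dataclass
class CIS:
    threshold: float         # selection condition: examine only items at/above this size
    exception_log: list = field(default_factory=list)
    def wants(self, txn):
        return abs(txn.amount) >= self.threshold

    def on_update(self, before, txn, after):
        """DBMS hook: called for every transaction with the balance before and the one
        the application wrote. Unselected items are skipped (CIS waits for more data)."""
        if not self.wants(txn):
            return
        expected = simulate_posting(before, txn)
        if abs(expected - after) > 0.005:                    # rounding tolerance
            self.exception_log.append({"txn": txn.txn_id, "account": txn.account,
                                       "expected": expected, "actual": after})

def run_application(txns, cis, balances):
    """Constructed application + DBMS: posts each transaction, then notifies CIS.
    Deliberate defect: the fee is dropped on withdrawals larger than 1000."""
    for txn in txns:
        before = balances.get(txn.account, 0.0)
        waived = txn.fee_waived or txn.amount < -1000        # the defect under audit
        fee = 0.0 if txn.amount >= 0 or waived else abs(txn.amount) * FEE_RATE
        after = round(before + txn.amount - fee, 2)
        balances[txn.account] = after
        cis.on_update(before, txn, after)
    return balances

# Constructed sample: T2 is below the CIS threshold, T3 triggers the defect.
SAMPLE = [Transaction("T1", "A-100", 5000.0), Transaction("T2", "A-100", -200.0),
          Transaction("T3", "A-100", -1500.0), Transaction("T4", "A-100", -900.0)]

def audit_sample(threshold=500.0):
    cis = CIS(threshold)
    run_application(SAMPLE, cis, {})
    return cis.exception_log              # one entry: T3, expected 3274.5, actual 3297.0
```

Note that the application is never modified: CIS only observes the before/after values the DBMS hands it, which is the property the slide calls out as the technique's advantage.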
42
14. Hardware Testing
● Hardware testing is done against the FRS and SRS.
● Types –
Operating system review (cont.)
● Review the cost-benefit analysis:
  - Direct financial cost of the product.
  - Cost of product maintenance.
  - Hardware capacity requirements.
  - Training and support requirements.
  - Impact of the product on processing.
  - Impact on data security.
  - Financial stability of the vendor.
Operating system review (cont.)
● Review controls over the installation of changed system software (SS):
  - All updates are implemented.
  - Installation of changed SS is scheduled for when it will least impact processing.
  - There is a written plan for testing.
  - Problems encountered during testing were resolved and the changes were re-tested.
  - Test procedures ensure that changes do not create new problems.
  - Restoration procedures are in place.
Operating system review (cont.)
● Review controls over the installation of changed system software (cont.):
  - Software must be properly authorised before moving from the test to the production environment.
  - Access to libraries is limited to individuals' needs.
● Review system software maintenance activities:
  - Changes made to the SS are documented.
  - The vendor supports the current version of the software.
Operating system review (cont.)
● Review SS documentation:
  - Installation control statements.
  - Parameter tables.
  - Exit definitions.
  - Activity logs.
● Review the SS for adequacy of controls, such as:
  - Change procedure controls
  - Authorisation controls
  - Access privilege controls
  - Documentation controls
  - Testing controls
  - Audit trails
Operating system review (cont.)
● Review authorisation documents to determine that:
  - Additions, deletions or changes to access authorisation are documented.
  - Attempted violation reporting and response are documented.
● Review SS security to determine that:
  - Procedures have been established to prevent bypass of access controls.
  - Procedures have been established to limit access to the system interrupt capability.
  - Physical and logical access controls are adequate.
  - Vendor-supplied passwords are changed.
Operating system review (cont.)
● Review database-supported controls:
  - Access to shared data is appropriate.
  - Data organisation is appropriate.
  - Change procedures are established to ensure the integrity of the DBMS.
  - Integrity of the data dictionary is maintained.
  - Data redundancy is minimised.
16. Network Review
● Review the LAN to understand:
  - LAN architecture
  - Cost-benefit analysis
  - LAN topology
  - LAN components
  - Internetworking
  - LAN uses
  - LAN administrator
  - LAN users
Network Review (cont.)
● Review the LAN to make an assessment of:
  - Threats
  - Impact
  - Controls
● Review physical access controls:
  - Ensure that the LAN hardware, file server and documentation are located in a secured area.
  - Verify that the LAN wiring is physically secured.
  - Observe the LAN file server and verify that it is secure.
  - Keys to the file server facility are controlled.
  - Obtain a copy of the key log for the file server room and determine that keys are assigned to appropriate persons.
  - Select keys held by staff and determine whether these keys permit access to LAN facilities.
Network Review (cont.)
● Review environmental controls to:
  - Ensure that the LAN file server is protected from electrical surges.
  - Ensure that the air conditioning and humidity control systems are adequate to maintain temperature.
  - Ensure that the LAN server is equipped with a UPS.
  - Verify that the LAN file server is free of dust, smoke and pollutants.
  - Verify that backup disks are protected from environmental damage.
  - Verify that fire extinguishers are nearby.
  - Verify that food and beverages are prohibited.
Network Review (cont.)
● Review logical access controls to ensure that:
  - Users have unique passwords, passwords are changed periodically and do not appear on the screen during entry.
  - LAN access is based on written authorisation.
  - Remote access to the system supervisor is prohibited.
  - All log-on attempts are logged.
  - The LAN supervisor maintains up-to-date information on all outside communications.
● Evaluate the LAN server access profiles.
● Attempt to gain access using an unauthorised ID/password.
● If the LAN is connected to an outside source through a modem, attempt to gain access to the LAN through correct and incorrect means.
THANK YOU!