
GTAG 8 Application Control Testing

This document discusses application controls and provides guidance for internal auditors on assessing application control risk and reviewing application controls. It covers the objectives and benefits of application controls, the role of internal auditors, how to perform risk assessments and scope reviews, common application controls to test, and provides a sample review program. The goal is to help internal auditors evaluate whether application controls are designed appropriately and operating effectively.

Uploaded by

YanYan Yumul

Auditing Application Controls

Global Technology Audit Guide


GTAG® 8
www.theiia.org
What this guide covers
• Application controls and their benefits
• The role of internal auditors
• How to perform a risk assessment
• Application control review scoping
• Application review approaches
• Common application controls, suggested tests, and a sample review program

Application Controls
Objectives:
– Input data is accurate, complete, authorized, and correct
– Data is processed as intended in an acceptable time period
– Output and stored data is accurate and complete
– A record is maintained to track data processing from input to storage to output
Application Controls

• Cost effective and efficient means to manage risk
• Reliant on the effectiveness of the IT general control environment
• Approach varies for complex versus non-complex environments

Benefits of Application Controls
• Reliability
– Reduces likelihood of errors due to manual intervention
• Benchmarking
– Reliance on IT general controls can lead to concluding the application controls are effective year to year without re-testing
• Time and cost savings
– Typically application controls take less time to test and only require testing once as long as the IT general controls are effective
Role of Internal Auditors
• Knowledge of key IT risks, controls and audit techniques
• Consultant or assurance
– Independent risk assessment
– Design of controls
– Education
– Controls testing

Risk Assessment
• Assess Risk
– Techniques
– Key scope questions
• Approach
– Define the universe
– Define the risks
– Weigh the risk factors
– Rank the risks
– Create a review plan based on the results

Scoping the Review
• Business Process Method
– Top down review
• Single Application Method
– Focus on a single application or module
• Access Controls
– Included no matter which method is chosen

Review Approaches
• Planning
• Need for specialized resources
• Documentation
• Testing
• Computer-assisted audit techniques (CAATs)

Common Application Controls
• Input and access controls
– Data checks and validations
– Automated authorization, approval, and override
– Automated SOD
– Pended items
• File and data transmission controls

Common Application Controls (Cont.)

• Processing controls
– Automated file identification and validation
– Automated functionality and calculations
– Audit trails and overrides
– Data extraction, filtering, and reporting
– Interface balancing
– Automated functionality and aging
– Duplicate checks
• Output controls
– General ledger and sub-ledger posting
– Update authorization
Sample Detailed Review Program
• Suggested tests
– Test input controls to ensure transactions are added into and accepted by the application, processed only once and have no duplicates
– Test processing controls to ensure transactions are accepted by the application, processed with valid logic, carried through all phases of processing and updated to the correct data files
– The sample included in Appendix B of the guide provides other detailed tests
In Closing
• Application controls are a cost effective and efficient means to manage risk.
• Internal auditors should determine that their organization’s application controls are designed appropriately and operating effectively.
• Consider benchmarking as a way to further reduce the testing effort.
