Home

IT – Application Controls Questionnaire

1. and process related data or do they have the ability to initiate transactions on their own Controls maintained by the entity to prevent or detect material misstatement in the input or output Remarks
2. of transaction h Are these control totals reconciled to control accounts by an independent supervisor i Are these control totals reconciled by the system and any differences reported and followed up by error control personnel j If the aforementioned controls are missing are there compensating controls such as independent reconciliation of input source to control listings or other output reports k Do data entry operators stamp or otherwise mark batches or source documents once they have been input in order to prevent duplicate processing of transactions OTHER INPUT l Are magnetic tapes cartridges delivered to the computer operations area controlled to ensure all data are processed m Are documents delivered to the computer operations area for scanning or imaging controlled to ensure all data are processed n Are inbound Electronic Data Interchange EDI transactions written to a file and logged to establish input control prior to being processed by the application system o Are other types of input methods controlled to ensure all data are processed 7 Examine the process and controls over error detection correction and reentry of transactions a Are there procedures over the detection correction and reentry of errors Question Yes No N A b If on line system input techniques are used skip to 8c In batch systems are controls over the delivery of the rejected batches proper to ensure that they are n
3. IT Application Controls Questionnaire Internal Control Questionnaire Question Yes No N A Remarks Al a MULTIPLE USER PROCESSING INPUT CONTROLS Input controls are the procedures and methods utilized by the university to help ensure that all transactions or data entered into the computer system are accurate have been authorized and recorded are complete and input only once and have been properly converted into a machine readable format They can be broadly divided into the control areas of data preparation transaction authorization batching and data entry and conversion 1 Are there training policies and procedures for data preparation and input personnel a Are training activities adequate for new personnel and are there any regular training programs Is there a regular training program to update users on new applications If a user s manual or written procedures exist for the preparation handling and input of data for the application under study do they accurately reflect current practice Are they effective in assisting users Review and evaluate the design of the key source documents Are source documents designed in a manner that facilitates the initial recording of data in a uniform complete and accurate format Are source documents serially pre numbered with a cross reference number such as a receipt check to serve as an audit trail and to facilitate tracing to from co
4. ame edit review and approval controls that were applied to the original transaction Question 4 If the application observed produces system generated transactions for instance offsetting accounting entries are they printed out and reviewed by the appropriate personnel Al c MULTIPLE USER PROCESSING OUTPUT CONTROLS Output controls are designed to ensure the accuracy of the processing result such as account listings reports magnetic files disbursement checks etc and to assure that only authorized personnel receive the output The basic output controls are verification through balancing techniques and visual scanning and the controlled distribution of output media The two types of output that must be controlled are machine readable files and reports listings terminal screen displays etc 1 Are current and accurate procedures for balancing and reconciling output formally documented 2 Are output control totals compared and agreed to input and processing control totals 3 Are output reports balanced and reconciled to output from related systems 4 Ifuser management receives and reviews the following reports a Are detail or summary transaction reports scanned for unusual results b Are reports of sensitive on line master file updates such as pay rate changes employee status changes vendor name changes etc reviewed for unauthorized or erroneous modifications to sensitive information 5 Are out
5. cks necessary for each application Critical edits and checks should consist of some or most of the following types Do such edits and checks include Question Yes No N A Remarks a A reasonableness check which determines if an amount or date is greater or less than a predefined limit b A dependency edit which verifies the expected relationship of one field to another c A sequence check which is used to detect missing document numbers d A duplicate number check e An existence edit which determines whether the transaction data matches data on file or look up tables f A format edit which could be used to make sure only numeric data is included in numeric fields or alpha data in alpha only fields g A mathematical check to foot and cross foot all applicable amount fields h A range check which could be utilized to test whether data falls within certain pre set ranges i A confirmation check which utilizes stored data to confirm the modification of infrequently changed data An example would be transactions that alter values such as pay rate changes Do error handling procedures include a Are rejected transactions held in an error suspense file and or prevented from updating the master files b Does the system prepare printouts listing all transactions held in the suspense file c Are entries in error suspense identified as to age and type d Are corrected transactions subjected to the s
6. easonableness checks 3 Access controls limit access to the end user application 4 A mechanism exists to prevent or detect the use of incorrect versions of data files 5 The output of end user applications is reviewed for accuracy or reconciled to source information A3 INFORMATION PROCESSED BY OUTSIDE COMPUTER SERVICE ORGANIZATIONS The Outside Computer Service Organization form was used to document your understanding of the university s use of an outside computer service organization to process entity wide accounting information such as the general ledger In this section you will document your understanding of how the entity uses an outside computer service organization to process information relating specifically to the cycle The service organization is responsible to ensure the orderly and supervised processing of user data The user should ensure the completeness and accuracy of the service organization s processing by establishing controls to verify data input and output In the space below describe the information processed by the outside computer service organization in this cycle Discuss e The general nature of the application e The source documents used by the service organization e The reports or other accounting documents produced by the service organization Remarks Question Yes No N A e The nature of the service organization s responsibilities Do they merely record entity transactions
7. mputerized reports Do source documents provide a unique code or identifier for each transaction type to provide an audit trail Question Yes No N A Remarks Evaluate and review the procedures involved in the handling of blank source documents If source documents are maintained on line then access rights to those documents should be reviewed during the performance of module G1 Access Controls a Are blank source documents stored in a secure location and in the custody of designated persons who have no role in their preparation b Is the release of blank source documents from storage adequately controlled through the use of logs and proper authorizations Is there a preprocessing review of source documents prior to data input to detect errors in completeness and consistency as well as obvious mistakes a Is there a preprocessing review of source documents performed by someone other than the preparer b If source documents are maintained on line are controls in place to ensure review of the documents on line Evaluate and review the transaction approval process of the key source documents Steps 5a 5b 5c and 5d should be considered for all transaction approvals a Are all source documents approved by someone other than the preparer b Is evidence of approval required for all transactions or only for critical ones c Determine whether the system generates summary or detail reports showing the transac
8. ot lost c Are data entry operators in on line systems restricted from making corrections of any non keying errors d Are error messages maintained on line or on the error exception reports clear and easily understood so that the proper corrective actions may be taken e Are error exception reports corrected initialed dated and retained for management review f Are corrected errors reviewed and approved by management before reentry A1 b MULTIPLE USER PROCESSING PROCESSING CONTROLS Processing controls are designed to help ensure that all transactions or data are processed as authorized that no authorized transactions are omitted and that no unauthorized transactions are added These controls include the use of automated edits and logic tests that are coded into application programs as well as the use of automated control total verification 1 Review the controls that ensure all input transactions are processed by the computer For batch systems or on line batch systems batch control totals should be generated by the computer and compared to manually calculated control totals On line real time systems should have compensating controls to ensure all input transactions are processed a Are record counts and control totals verified to ensure that all data are processed b Is there evidence audit trail of transactions processed rejected being reconciled or investigated 2 Determine the critical edits and che
9. put distribution lists produced which show the reports that are generated for each application processing run 6 Are output distribution logs maintained to record the date and or time received and the signatures of the users authorized to receive the output Yes No N A Remarks Question A2 END USER COMPUTING End user computing EUC is any development programming or other activity where the end users create or maintain their own system or application As such the control of the EUC environment and the information it produces is critical EUC controls at the application level are essentially the same process as that used to review a traditional mainframe application input processing and output controls At the application level the auditor would typically interview the end users In the space provided below describe how end user computing is used in the transaction cycle Describe e The person or department who performs the computing e A general description of the application and its type e g spreadsheet e The source of the information used in the application e How the results of the application are used in further processing or decision making Yes No N A Remarks Question Yes No N A Audit Procedures 1 The end user applications listed above have been adequately tested before use 2 The application has an appropriate level of built in controls such as edit checks range tests or r
10. tion types input and approved for each user Is this report reviewed by management d Is there any physical evidence to verify that the review was performed Question Yes No N A Remarks MANUAL APPROVALS Pf fo e Are signatures compared to a list of authorized signers in order to verify proper source document approval f Are any methods other than signatures or initials used to provide evidence of approval ON LINE APPROVALS Pf ff g Are users given the appropriate approval authority h Are users restricted from approving a transaction which they initiated i Are all documents screens approved 6 Determine whether the controls in effect are sufficient to account for all transactions BATCH INPUT a Are source documents batched in manageable groups of similar transaction types b Are the batches assigned a unique sequential identification number c Are control totals used and compared at intervals during the processing d Are discrepancies resolved and documented e Does a batch header card accompany the batch throughout the input process and is it retained with the batch to serve as an audit trail f Are the batches logged in and verified Question Yes No N A Remarks ON LINE REAL TIME NON BATCH INPUT g Does the system establish control totals such as by processing run input time of day specific input terminal or individual inputting the data Are control totals further computed by type

IT – Application Controls Questionnaire

Contents

Download Pdf Manuals

Related Search

Related Contents

IT &ndash; Application Controls Questionnaire

Contents

Download Pdf Manuals

Related Search

Related Contents

IT – Application Controls Questionnaire