BEC 7.08 GENERAL AND APPLICATION CONTROLS

benefits of IT

consistency timeliness monitoring circumvention segregation of duties

input errors can be avoided through

observational controls point of sales devices (scanners, etc) preprinted forms data transcription controls (preformatted screens) Automated log-off

GENERAL CONTROLS-SEGREGATION OF DUTIES-SYSTEM ANALYSTS, PROGRAMMERS

AUTHORIZATION

Test data run through the system includes simulated (fictitious) data along with actual data during a program run. Uses clients system because we are running the fake transactions side by side with their actual data. Prevents the client from supplying us with a different program

Integrated test facility

for transaction tagging, who's program is being used (client or auditor)

Client

The auditor supervised the actual entry of client data into the client program to produce the results of a previous run of the program by the client

Controlled reprocessing

As data is entered it should be subject to various forms of verification (Logic Tests)

Field Checks (type & length) Validity Checks (state) Limit Tests (preprogrammed limits) Check Digits

Programs that duplicate common functions of the client software. The auditor inputs client data into the auditors program to see if it produces the same results as the clients program

Parallel simulation

report on controls at a service organization relevant to user entities internal control over financial reporting

SOC 1

report on controls at a service organization relevant to security, availability, processing, integrity, confidentiality or privacy

SOC 2

trust services criteria for general use report

SOC 3

An approach known as the ————— approach has the auditor develop simulated transactions to enter into the clients program

Test data

controls that are applied to specific business activities within a computerized processing system to achieve financial reporting objectives.

application controls

for Test Data, who's data is used (auditor or client)

auditor

for parallel simulation, who's program is being used (auditors or clients)

auditor

when speaking about computers, and software, the software cannot replace the judgement of the ___________

auditor

when talking softwre, etc, the responsibility for determining the acceptable level of audit risk and assesing the component risk remains with the

auditor

for Integrated Test Facility, who's data is being used auditor or client

auditor(test)client(real)

for "controlled reprocessing" who's data is used (auditor or client)

client

for integrated test facility, who's program is used (auditor or clients)

client

for parallel simulation, who's data is being used (client or auditor)

client

for test data, who's program is used (auditor or client)

client

for conrolled reprocessing, who's program is used (auditor or client)

client's (but on auditors computer)

for transaction tagging, who's data is being used (cleint or auditor)

clients info with a tag

general controls- segregation of duties- control clerks and librarians

custody

an assurance function that reviews an entity's computer system to provide confidence to business partners and customers concerning the security, privacy, and confidentiality of information in addition to system availability and processing integrity.

information systems (systrust service)

controls that are designed to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered or converted for processing

input controls

___________________ controls represent the final check on the reults of computerized procesing

output

Risks of IT

overreliance access changes in programs failure to change manual intervention loss of data

for each principle reported in trust services, the auditor considers each of the following 4 criteria

policies commuications procedures monitoring

three types of application controls (concern errors and fraud)

preventive controls detective controls corrective controls

Once data is entered________________ controls are designed to provide reasonable assurance that data processing has been performed accurately without any omission or duplicate processing of transactions.

processing

control totals when using batch processing

record count financial total hash total

general controls- segregation of duties- data input clerks and computer operators

recording

trust services report on whether the system meets one or more of the following principles

security availability for operation processing integrity online privacy confidentiality

Are governed by the SSAE and represent attest engagements in which a CPA assesses a clients commercial internet site.

trust services

two risks of major concern to the auditor

unauthorized access audit trail

an assurance function designed to reduce the concerns of internet users regarding the eistence of a company and the reliability of key business information placed on its website.

websites (webtrust)