BEC 7.08 GENERAL AND APPLICATION CONTROLS
benefits of IT
consistency; timeliness; monitoring; circumvention; segregation of duties
input errors can be avoided through
observational controls; point of sales devices (scanners, etc.); preprinted forms; data transcription controls (preformatted screens); automated log-off
GENERAL CONTROLS-SEGREGATION OF DUTIES-SYSTEM ANALYSTS, PROGRAMMERS
AUTHORIZATION
Test data run through the system includes simulated (fictitious) data along with actual data during a program run. Uses the client's system because we are running the fake transactions side by side with their actual data. Prevents the client from supplying us with a different program.
Integrated test facility
For transaction tagging, whose program is being used (client or auditor)?
Client
The auditor supervised the actual entry of client data into the client program to produce the results of a previous run of the program by the client
Controlled reprocessing
As data is entered it should be subject to various forms of verification (Logic Tests)
Field Checks (type & length); Validity Checks (state); Limit Tests (preprogrammed limits); Check Digits
Programs that duplicate common functions of the client software. The auditor inputs client data into the auditor's program to see if it produces the same results as the client's program.
Parallel simulation
report on controls at a service organization relevant to user entities' internal control over financial reporting
SOC 1
report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy
SOC 2
trust services criteria for general use report
SOC 3
An approach known as the ————— approach has the auditor develop simulated transactions to enter into the client's program
Test data
controls that are applied to specific business activities within a computerized processing system to achieve financial reporting objectives.
application controls
For Test Data, whose data is used (auditor or client)?
auditor
For parallel simulation, whose program is being used (auditor's or client's)?
auditor
When speaking about computers and software, the software cannot replace the judgement of the ___________
auditor
When talking about software, etc., the responsibility for determining the acceptable level of audit risk and assessing the component risk remains with the
auditor
For Integrated Test Facility, whose data is being used (auditor or client)?
auditor (test); client (real)
For "controlled reprocessing", whose data is used (auditor or client)?
client
For integrated test facility, whose program is used (auditor's or client's)?
client
For parallel simulation, whose data is being used (client or auditor)?
client
For test data, whose program is used (auditor or client)?
client
For controlled reprocessing, whose program is used (auditor or client)?
client's (but on auditor's computer)
For transaction tagging, whose data is being used (client or auditor)?
client's info with a tag
general controls- segregation of duties- control clerks and librarians
custody
an assurance function that reviews an entity's computer system to provide confidence to business partners and customers concerning the security, privacy, and confidentiality of information in addition to system availability and processing integrity.
information systems (SysTrust service)
controls that are designed to provide reasonable assurance that data received for processing by the computer department have been properly authorized and accurately entered or converted for processing
input controls
___________________ controls represent the final check on the results of computerized processing
output
Risks of IT
overreliance; access; changes in programs; failure to change; manual intervention; loss of data
for each principle reported in trust services, the auditor considers each of the following 4 criteria
policies; communications; procedures; monitoring
three types of application controls (concern errors and fraud)
preventive controls; detective controls; corrective controls
Once data is entered, ________________ controls are designed to provide reasonable assurance that data processing has been performed accurately without any omission or duplicate processing of transactions.
processing
control totals when using batch processing
record count; financial total; hash total
general controls- segregation of duties- data input clerks and computer operators
recording
trust services report on whether the system meets one or more of the following principles
security; availability for operation; processing integrity; online privacy; confidentiality
Are governed by the SSAE and represent attest engagements in which a CPA assesses a client's commercial internet site.
trust services
two risks of major concern to the auditor
unauthorized access; audit trail
an assurance function designed to reduce the concerns of internet users regarding the existence of a company and the reliability of key business information placed on its website.
websites (WebTrust)