Internal Control Deliverables For System Development Projects


DIVISION OF AUDIT SERVICES
Internal Control Deliverables For System Development Projects

Table of Contents

- Introduction
- Process Flow
- Controls Objectives
- Environmental and General IT Controls
- Appendix A Process Flow Chart
- Appendix B Vendor Payment Narrative Description
- Appendix C Control Objective Cross Reference
- Appendix D Reference Material

Internal Control Deliverables For System Development Project - 2 -

INTRODUCTION

Internal controls are the processes and procedures used to provide assurance that business functions are carried out in a controlled and effective manner. They are implemented through an organization's structure, workflows, people, and information systems. Internal controls govern, direct, manage and monitor the various activities of an organization in order to ensure that the entity's objectives are achieved.

The best time to develop and implement a set of controls is during initial process deployment. When dealing with automated application controls, it can be a costly exercise to implement new controls after an application has been moved into production. Therefore, it is essential that internal control issues are properly addressed at the time of system development and implementation.

The intent of this document is to provide a framework for identifying required internal controls that need to be implemented during the systems development and implementation process. Project managers will need to work with both business and IT primes in order to successfully address internal controls.

The business has ultimate responsibility for defining what application controls are to be implemented for their processes. This assessment should be based on a review of the entire supported business process, not just the components that are to be automated through the system development initiative. The business will decide on what controls are required and whether they should be implemented through manual or automated processes. The system development team will be responsible for the design and implementation of automated application controls, based on requirements established by the business.

The project team also needs to give consideration to environmental and general IT controls. These represent the controls that are embedded in the IT processes and services that support the system being designed (e.g. security, change management, backups, etc.).

PROCESS FLOW

The first step in identifying required internal controls is to document the end-to-end business processes that are impacted by the project. A process flow provides a narrative on how information moves through the application (including related processes, interfaces, and reports). A graphical representation of the flow will help to provide context to the narrative description. Depending on the complexity of the system or process being designed, it may be necessary to document multiple process flows. Appendix A provides an example of a graphical process flow and Appendix B provides the corresponding narrative description.

Each component of the process flow needs to be categorized into either inputs, data transformations (changes and deletes), or outputs. These identified components represent the points within the process where internal controls may be required.

Inputs: Any place where information enters into the system. Each input should be labeled A1 through A## in the process flow documentation. Inputs include, but are not limited to:
- Interfaces from other processes
- User data entry
- Dedicated devices (e.g. bar code readers, scanners, etc.)

Data Transformations: All processes that cause changes to process data (calculations, updates, and deletes). Transformation processes should be labeled B1 through B## in the process flow documentation.

Outputs: Any place where information is extracted from the process. Each output should be labeled C1 through C## in the process flow documentation. Outputs include, but are not limited to:
- Online queries
- Interfaces to other processes
- Reports
- Deliverables (e.g. cheques, invoices, products, etc.)

CONTROLS OBJECTIVES

Each control point identified in the process flow documentation should be assessed against a set of relevant control objectives. Mapping the control points to the relevant control objectives gives a clear understanding of which internal controls already exist within the process and which still need to be defined and implemented. The process flow documentation should be updated to include any new internal controls that are created.

A different set of control objectives applies depending on the type of control point being reviewed. The relevant control objective groups are listed below along with the associated control point category:

1. Segregation of Duties (all control points)
2. Source Data Preparation and Authorization (input control points)
3. Source Data Collection and Entry (input control points)
4. Processing Integrity and Validity (data transformation control points)
5. Output Review, Reconciliation and Error Handling (output control points)

1. Segregation of Duties

Segregation of duties focuses on ensuring that individuals are only able to execute authorized processes that are relevant to their role and responsibilities. It reduces the possibility for a single individual to be able to compromise a critical process. Proper segregation of duties provides a means for detecting potential control failures and can help to prevent conflicts of interest, fraud, abuse and errors. The following activities should be segregated from each other:
- Data Entry
- Transaction Authorization
- Transaction Reconciliation
- Systems development, acquisition and maintenance
- System Administration
- Database Administration

2. Source Data Preparation and Authorization

Controls designed to ensure the authenticity, accuracy, and validity of source documents (including interfaces) used as input into the system or process.

a. Authorization procedures exist for source documents prior to data entry
b. Authorized data remains complete, accurate and valid throughout life of source document
c. Erroneous source documents are properly handled
d. Confirmation receipts are sent to source document originators
e. Control over sensitive information exists for source documents
f. Source documents are securely stored and maintained in order to facilitate transaction reconstruction, review and audit, litigation inquiries and regulatory requirements

3. Source Data Collection and Entry

Controls designed to ensure that data inputs are accurate, complete and authorized.

a. Processes are in place to ensure timely data entry and error correction
b. Data entry processes are limited to authorized and uniquely identified individuals
c. System data can be traced back to originating source documentation and the individual who inputted the data
d. Verification and edit checks exist for inputted data
e. All authorized transactions are accurately recorded, once and only once
f. Incomplete or incorrect transactions are rejected
g. Transactions are assigned unique and sequential identifiers

4. Processing Integrity and Validity

Controls designed to maintain the integrity and validity of data throughout the system or process.

a. Access to data processing routines is limited to authorized and identifiable individuals
b. Logs are maintained of programs executed and transactions processed or rejected
c. Data changes can be traced back to the changing process and authorized individual
d. Multiple versions or repositories of the same data are kept in sync
e. Data processing routines include error prevention/detection checks
f. Processes are in place to ensure reporting and timely correction of errors
g. Correction and resubmission of errors is approved by the original submitting function
h. Resubmitted transactions follow the exact processes as the original transaction
i. Data updates only occur through fully tested and approved routines
j. Controls are in place to ensure the integrity of interdependent routines
k. Deleted information is retained for audit purposes and flagged to prevent inclusion in standard reporting
l. Recovery processes exist to automatically maintain the integrity of data during unexpected interruptions.

5. Output Review, Reconciliation and Error Handling

Controls designed to ensure the accuracy and security of output generated by the system or process.

a. Access to output data is restricted physically and logically to authorized individuals
b. Ad-hoc reporting capabilities are restricted to authorized individuals
c. Query and reporting functions do not provide data update capabilities
d. Output requirements and needs are periodically reviewed
e. System output contains all, and only, the requested information
f. Verification checks exist for outputted data
g. Origination and content of output should be independently verifiable
h. Process and responsibility for output disposal is clearly defined

Appendix C provides a cross reference of control objectives with the control points identified in Appendix A and B.

ENVIRONMENTAL AND GENERAL IT CONTROLS

As part of the system development and implementation process, consideration needs to be given to the IT processes required to support the new system. Similar to the internal controls within an application, if required environmental and general IT controls are not identified during the development and implementation of the system, then it may become a more costly initiative to implement them once the system is in production.

For each of the following environmental control issues an explanation needs to be provided describing the actual processes that will be implemented to minimize risk exposure.

a. Physical Security
b. Logical Security
c. System Management and Administration
d. Database Administration
e. Backup and Recovery
f. Contingency Planning and Disaster Recovery
g. Program Change Control
h. Application system support and maintenance
i. Capacity Management
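The segregation-of-duties list in group 1 and objective 3b (uniquely identified individuals) can be tested mechanically against an access listing exported from the system under review. The following is an added example, not part of the original document; the role names, the listing layout and the sample entries are constructed assumptions.

```python
from itertools import combinations

# The six activities the document says must be segregated from each other.
SEGREGATED = frozenset({
    "data_entry", "transaction_authorization", "transaction_reconciliation",
    "systems_development", "system_administration", "database_administration",
})

# Constructed mapping of application roles to activities (hypothetical role names).
ROLE_ACTIVITIES = {
    "ap_clerk": {"data_entry"},
    "director": {"transaction_authorization"},
    "fsd_support": {"transaction_reconciliation"},
    "developer": {"systems_development"},
    "sysadmin": {"system_administration"},
    "dba": {"database_administration"},
}

# Constructed access listing: (login id, role, named person using the login).
ACCESS_LISTING = [
    ("jsmith", "ap_clerk", "J. Smith"),
    ("jsmith", "fsd_support", "J. Smith"),
    ("mlee", "director", "M. Lee"),
    ("apshared", "ap_clerk", "R. Patel"),
    ("apshared", "ap_clerk", "K. Wong"),
    ("tdev", "developer", "T. Dev"),
    ("tdev", "dba", "T. Dev"),
    ("rchan", "report_writer", "R. Chan"),
]


def review_access(listing, role_activities=ROLE_ACTIVITIES):
    """Return SoD conflicts per person, shared logins, and roles that could not be assessed."""
    held, people, unmapped = {}, {}, set()
    for login, role, person in listing:
        people.setdefault(login, set()).add(person)
        if role not in role_activities:
            # A role with no activity mapping cannot be cleared, so report it.
            unmapped.add(role)
            continue
        held.setdefault(person, set()).update(role_activities[role] & SEGREGATED)
    # Any person holding two or more segregated activities is a conflict.
    conflicts = {
        person: list(combinations(sorted(acts), 2))
        for person, acts in held.items() if len(acts) > 1
    }
    # A login used by more than one person breaks unique identification (3b).
    shared = {login: sorted(p) for login, p in people.items() if len(p) > 1}
    return {"conflicts": conflicts, "shared_logins": shared,
            "unmapped_roles": sorted(unmapped)}


if __name__ == "__main__":
    for finding, detail in review_access(ACCESS_LISTING).items():
        print(finding, detail)
```
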

APPENDIX A PROCESS FLOW CHART

[Figure: process flow chart. Labels recovered from the chart: UniFi Information Technology Accounts Payable Clerk Director Purchasing]

APPENDIX B VENDOR PAYMENT NARRATIVE DESCRIPTION

The purpose of the vendor payment process is to ensure that, after a vendor provides goods or services, the invoices relating to the goods or services received are paid in an efficient and effective manner.

Input A1: Invoices received from vendors are forwarded to the Director for review.

Transformation B1: The Director reviews each invoice for appropriateness. Approved invoices are stamped, signed, and forwarded to the Accounts Payable (AP) clerk for processing.

Input A2: Before entering invoice details into the local financial application, the Accounts Payable clerk must first create a batch record that is used for the consolidation of invoice details. Multiple invoices can be entered into a single batch. The local financial application requires that a separate batch be created for credit memos. Invoice batches are created using the function Purchase Batch while credit memo batches are created using the Returns Batch function. The typical process is to use the same name for the invoice and returns batch so that the transactions can be consolidated in downstream processes.

Input A3: Approved invoices and credit memos are entered into the local financial application by the AP clerk, using the Receiving Transaction Entry and Returns Transaction Entry functions respectively.

Output C1: There is no set limit on the number of invoices that can be entered into a single batch. The AP clerk arbitrarily decides when a batch is ready to be submitted for payment processing. Using the internally developed Transfer tool, the AP clerk generates a batch summary report showing the payment total for each invoice contained in the batch.

Transformation B2: The batch report is then provided to the Director along with the corresponding invoices. The Director then ensures that his stamp and signature are on each of the invoices and that the invoice total matches the amount shown on the batch report. The Director then initials each invoice and checks off the amount on the batch report.

Transformation B3: Once the batch report has been approved by the Director, the AP clerk then posts the batch within the local financial application. Posting the batch prevents any further changes from being made to the invoice details.

Transformation B4: Within the Transfer tool, the AP clerk uses the Transfer Batch function to copy posted invoice details from the local financial application database into an intermediary Oracle database.

Output C2: A script is run nightly that checks the Oracle database for new invoices. The job then creates an interface file containing the new invoice records that need to be transferred to UniFi. The interface file is saved in a secure drop box on the server Shelf.

Output C3: The interface file creation process (C2) creates a notification that is sent to Systems Support and Development in the Financial Services Division (FSD). The notification provides a record count and total dollar amount for the interface file that was posted on Shelf.

Input A4: A process is run nightly on Shelf that reads the interface file and loads the data into UniFi. A Load confirmation is sent to a pre-defined distribution list that reports the number of invoices loaded into UniFi and the total dollar value.

Output C4: The AP clerk prints out the UniFi Load Confirmation and consolidates it with the corresponding batch report and vendor invoices. The consolidated package is then filed together to support future reviews.
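The narrative carries the same two control totals (record count and dollar value) through the batch report (C1), the interface file (C2), the transfer notification (C3) and the UniFi load confirmation (A4), so they can be reconciled stage by stage, together with edit checks for objectives 3e, 3f and 3g on the interface file itself. The following is an added example, not code from the original document or from the systems it describes; the interface file layout, the function names and all sample figures are constructed assumptions.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed interface file. The column layout is an assumption; the
# document does not describe the real file format.
INTERFACE_FILE = """\
txn_id,invoice_no,vendor,amount
1001,INV-501,Acme Supply,1250.00
1002,INV-502,Northside Foods,310.45
1003,INV-503,Acme Supply,89.90
1003,INV-503,Acme Supply,89.90
1005,INV-505,City Linen,
1006,INV-506,City Linen,42.10
"""


def load_interface_file(text):
    """Apply edit checks: reject incomplete rows (3f) and duplicates (3e), list missing ids (3g)."""
    accepted, rejected = [], []
    ids_seen, invoices_seen = set(), set()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            txn_id = int(row["txn_id"])
        except (ValueError, TypeError):
            rejected.append((line_no, "missing or non-numeric txn_id"))
            continue
        first_time = txn_id not in ids_seen
        ids_seen.add(txn_id)
        try:
            amount = Decimal(row["amount"])
        except (InvalidOperation, TypeError, ValueError):
            amount = None
        if (amount is None or not amount.is_finite()
                or not row["invoice_no"] or not row["vendor"]):
            rejected.append((line_no, "incomplete or incorrect"))
        elif not first_time or row["invoice_no"] in invoices_seen:
            rejected.append((line_no, "duplicate"))
        else:
            invoices_seen.add(row["invoice_no"])
            accepted.append({"txn_id": txn_id, "invoice_no": row["invoice_no"],
                             "amount": amount})
    # Identifiers that never appeared in the file at all are sequence gaps.
    missing = (sorted(set(range(min(ids_seen), max(ids_seen) + 1)) - ids_seen)
               if ids_seen else [])
    return {"accepted": accepted, "rejected": rejected, "missing_ids": missing}


def control_totals(records):
    """Record count and exact dollar total, the two figures the notifications report."""
    return len(records), sum((r["amount"] for r in records), Decimal("0"))


def reconcile(stages):
    """Compare (name, record_count, dollar_total) between consecutive stages."""
    breaks = []
    for (a, count_a, total_a), (b, count_b, total_b) in zip(stages, stages[1:]):
        if count_a != count_b:
            breaks.append((a, b, "record count", count_a, count_b))
        if total_a != total_b:
            breaks.append((a, b, "dollar total", total_a, total_b))
    return breaks


def review_load(text, batch_report, notification, load_confirmation):
    """Run the edit checks, then reconcile control totals across all four stages."""
    result = load_interface_file(text)
    stages = [
        ("C1 batch report", *batch_report),
        ("C2 interface file", *control_totals(result["accepted"])),
        ("C3 transfer notification", *notification),
        ("A4 UniFi load confirmation", *load_confirmation),
    ]
    result["breaks"] = reconcile(stages)
    return result


# Constructed figures: the approved batch report lists five invoices, but only
# four valid records reach the interface file and UniFi.
REVIEW = review_load(
    INTERFACE_FILE,
    batch_report=(5, Decimal("1812.45")),
    notification=(4, Decimal("1692.45")),
    load_confirmation=(4, Decimal("1692.45")),
)

if __name__ == "__main__":
    for key in ("rejected", "missing_ids", "breaks"):
        print(key, REVIEW[key])
```

Amounts are held as `Decimal` so that the dollar totals compare exactly; a reported break between C1 and C2 means an approved invoice did not reach the interface file and has to be traced before the package is filed.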

APPENDIX C CONTROL OBJECTIVE CROSS REFERENCE

Control Exists; X Control Missing; N/A Control Deemed Not Applicable

Inputs
Control Points / Control Objectives
# Description 1 2a 2b 2c 2d 2e 2f 3a 3b 3c 3d 3e 3f 3g
A1 Invoice N/A N/A X N/A N/A N/A N/A N/A N/A
A2 Create Batch N/A N/A N/A N/A N/A N/A N/A X X X N/A N/A
A3 Transaction Entry X N/A N/A X X X
A4 UniFi Load Confirmation X X N/A N/A X N/A X X N/A N/A
A5

Data Transformations
Control Points / Control Objectives
# Description 1 4a 4b 4c 4d 4e 4f 4g 4h 4i 4j 4k 4l
B1 Review Invoice N/A N/A N/A X N/A N/A N/A
B2 Review Batch Report N/A N/A X N/A N/A N/A
B3 Post Batch X X X N/A N/A X X N/A
B4 Transfer Batch X X X X X X X X X
B5 Review UniFi Load Confirmation X X X X X X X X X X X X X
B6

Outputs
Control Points / Control Objectives
# Description 1 5a 5b 5c 5d 5e 5f 5g 5h
C1 Batch Report X N/A N/A X
C2 UniFi Interface File N/A X N/A X X X X X
C3 Transfer Notification N/A N/A X X X
C4 Hardcopy Filing N/A N/A N/A N/A N/A X
C5

Notes:
- A1-3a: No processes are in place to ensure timely data entry
- A2-3b: Use of common login id prevents the identification of unique users
- B5: Process does not exist. It represents a new process to be created to address an identified control weakness. Once the process has been defined, and documented in the process flow, it would then be assessed against relevant control objectives and the above chart updated.
- C4-5h: Food Services has not defined any data archiving and disposal processes

APPENDIX D REFERENCE MATERIAL

- Accounting Information Systems, Fourth Edition, James A. Hall
- Auditing and Other Assurance Services, Canadian Eighth Edition, Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Control Objectives for Information and related Technology (COBIT) 4.1, IT Governance Institute
- Control Objectives for Information and related Technology (COBIT) 4.0, IT Governance Institute
- Control Objectives for Information and related Technology (COBIT) 3rd Edition, Audit Guidelines, IT Governance Institute
- Global Technology Audit Guide (GTAG) Auditing Application Controls
- Information Technology Guidelines, 3rd Edition, Canadian Institute of Chartered Accountants
- IT Assurance Guide: Using COBIT, IT Governance Institute
- Statement on Auditing Standards (SAS) No. 78


More information

Norming Asset Management. To make asset management easy and automatic with Sage Accpac ERP

Norming Asset Management. To make asset management easy and automatic with Sage Accpac ERP Norming Asset Management To make asset management easy and automatic with Sage Accpac ERP Modules Asset Accounting Asset Maintenance Asset Leasing Asset Tracking Highlights Integrates with Sage Accpac

More information

IPPF Practice Guide. Auditing Application Controls

IPPF Practice Guide. Auditing Application Controls IPPF Practice Guide Auditing Application Controls Global Technology Audit Guide (GTAG) 8: Auditing Application Controls Authors Christine Bellino, Jefferson Wells Steve Hunt, Crowe Horwath LLP Original

More information

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013

IT Risk Management Life Cycle and enabling it with GRC Technology. 21 March 2013 IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends

More information

P-Card Fraud Controls. Introduction

P-Card Fraud Controls. Introduction Introduction According to 2013 Association of Financial Professionals (AFP) Payments Fraud and Survey, the second most targeted payment type for fraud was corporate/commercial purchasing cards. 29% of

More information

The Bureau of the Fiscal Service. Privacy Impact Assessment

The Bureau of the Fiscal Service. Privacy Impact Assessment The Bureau of the Fiscal Service Privacy Impact Assessment The mission of the Bureau of the Fiscal Service (Fiscal Service) is to promote the financial integrity and operational efficiency of the federal

More information

Guidance for Industry Computerized Systems Used in Clinical Investigations

Guidance for Industry Computerized Systems Used in Clinical Investigations Guidance for Industry Computerized Systems Used in Clinical Investigations U.S. Department of Health and Human Services Food and Drug Administration (FDA) Office of the Commissioner (OC) May 2007 Guidance

More information

White Paper. Regulatory Compliance and Database Management

White Paper. Regulatory Compliance and Database Management White Paper Regulatory Compliance and Database Management March 2006 Introduction Top of mind in business executives today is how to meet new regulatory compliance and corporate governance. New laws are

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

Questions & Responses RFP No. 7700 Automated Accounts Payable Processing Solutions

Questions & Responses RFP No. 7700 Automated Accounts Payable Processing Solutions Q1. Is it a mandatory requirement to be an Oracle ebusiness Certified Partner or will you accept proof of successful implementations with Oracle, i.e., can use pre-existing setups and application security

More information

Accounts Payable: Invoice Processing Invoice Certification

Accounts Payable: Invoice Processing Invoice Certification Accounts Payable: Invoice Processing Invoice Certification Note: The application is most effective in the latest version of Mozilla for Windows users and the latest version of Safari for Mac users. In

More information

ITIL A guide to service asset and configuration management

ITIL A guide to service asset and configuration management ITIL A guide to service asset and configuration management The goal of service asset and configuration management The goals of configuration management are to: Support many of the ITIL processes by providing

More information

Financial Management Modernization Initiative (FMMI)

Financial Management Modernization Initiative (FMMI) Financial Management Modernization Initiative (FMMI) FMMI 208 FMMI Accounts Payable Overview Version 2.00 Course Outline Introduction Module Module 1 Accounts Payable Process Overview Module 2 Bank Master

More information

How to Use Oracle Account Generator for Project-Related Transactions

How to Use Oracle Account Generator for Project-Related Transactions How to Use Oracle Account Generator for Project-Related Transactions Marian Crkon 3Gs Consulting OAUG Forum at COLLABORATE 07 Copyright 2007 3Gs Consulting Page 1 of 40 Introduction Account Generators

More information

FairWarning Mapping to PCI DSS 3.0, Requirement 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10 FairWarning Mapping to PCI DSS 3.0, Requirement 10 Requirement 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are

More information

The Project Management Plan will be used to guide, communicate and coordinate project efforts.

The Project Management Plan will be used to guide, communicate and coordinate project efforts. F.1 General Implementation Contractor Deliverables include critical system planning and development components. Sufficient deliverables have been identified at key steps in the project to guide the project

More information

Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009.

Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009. CITY OF DALLAS Dallas City Council Office of the City Auditor Audit Report Mayor Tom Leppert Mayor Pro Tem Dwaine Caraway Deputy Mayor Pro Tem Pauline Medrano Council Members Jerry R. Allen Tennell Atkins

More information

Integrated Financial Management Information System (IFMIS) Merger

Integrated Financial Management Information System (IFMIS) Merger for the Information System (IFMIS) Merger DHS/FEMA/PIA-020 December 16, 2011 Contact Point Michael Thaggard Office of Chief Financial Officer (202) 212-8192 Reviewing Official Mary Ellen Callahan Chief

More information

Accounts Receivable User Manual

Accounts Receivable User Manual Accounts Receivable User Manual Confidential Information This document contains proprietary and valuable, confidential trade secret information of APPX Software, Inc., Richmond, Virginia Notice of Authorship

More information

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.

More information

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management

RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES. Cost-Effective, Legally Defensible Records Management RECORDS MANAGEMENT RECORDS MANAGEMENT SERVICES Cost-Effective, Legally Defensible Records Management Does This Sound Familiar? A data breach could send our share price tumbling. I need to minimise our

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

5.1 4.1 4.2 4.3 PROCESS GROUP: PLANNING PROCESS GROUP: INITIATION. Oracle Projects. PMBOK Oracle Mapping. Scope Planning. Develop Project Charter

5.1 4.1 4.2 4.3 PROCESS GROUP: PLANNING PROCESS GROUP: INITIATION. Oracle Projects. PMBOK Oracle Mapping. Scope Planning. Develop Project Charter Develop Project Charter Develop Preliminary Project Scope Statement Develop Project Management Plan Scope Planning PROCESS GROUP: INITIATION 4.1 The project charter serves as the input document for the

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

Audit of NSERC Award Management Information System

Audit of NSERC Award Management Information System Internal Audit Audit Report Audit of NSERC Award Management Information System TABLE OF CONTENTS 1. EXECUTIVE SUMMARY... 2 2. INTRODUCTION... 3 3. AUDIT FINDINGS- BUSINESS PROCESS CONTROLS... 5 4. AUDIT

More information

The Value of Intelligent Capture in Accounts Payable Automation. White Paper

The Value of Intelligent Capture in Accounts Payable Automation. White Paper The Value of Intelligent Capture in Accounts Payable Automation White Paper Contents Executive Summary... 2 Evolution of Capture in AP... 2 Intelligent Capture for AP... 3 Any Source or Format... 3 Integration

More information

Sarbanes-Oxley Compliance A Checklist for Evaluating Internal Controls

Sarbanes-Oxley Compliance A Checklist for Evaluating Internal Controls Sarbanes-Oxley Compliance A Checklist for Evaluating Internal Controls Companies today are immersed in audits of their internal controls and financial processes in an effort to comply with Section 404

More information

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls

Information System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls Information System Audit Arkansas Administrative Statewide Information System (AASIS) General Controls ARKANSAS DIVISION OF LEGISLATIVE AUDIT April 12, 2002 April 12, 2002 Members of the Legislative Joint

More information

Table of Contents: Chapter 2 Internal Control

Table of Contents: Chapter 2 Internal Control Table of Contents: Chapter 2 Chapter 2... 2 2.1 Establishing an Effective System... 2 2.1.1 Sample Plan Elements... 5 2.1.2 Limitations of... 7 2.2 Approvals... 7 2.3 PCard... 7 2.4 Payroll... 7 2.5 Reconciliation

More information

DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2. Data Management Requirements for Central Data Management Facilities

DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2. Data Management Requirements for Central Data Management Facilities DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2 Data Management Requirements for Central Data Management Facilities The following clinical trial data management requirements must be met in order to ensure the

More information

Internal Control Systems

Internal Control Systems D. INTERNAL CONTROL 1. Internal Control Systems 2. The Use of Internal Control Systems by Auditors 3. Transaction Cycles 4. Tests of Control 5. The Evaluation of Internal Control Component 6. Communication

More information

Company Quality Manual Document No. QM Rev 0. 0 John Rickey Initial Release. Controlled Copy Stamp. authorized signature

Company Quality Manual Document No. QM Rev 0. 0 John Rickey Initial Release. Controlled Copy Stamp. authorized signature Far West Technology, Inc. ISO 9001 Quality Manual Document No.: QM Revision: 0 Issue Date: 27 August 1997 Approval Signatures President/CEO Executive Vice President Vice President/CFO Change Record Rev

More information

Main Reference : Hall, James A. 2011. Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications

Main Reference : Hall, James A. 2011. Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications Main Reference : Hall, James A. 2011. Information Technology Auditing and Assurance, 3 rd Edition, Florida, USA : Auerbach Publications Suggested Reference : Senft, Sandra; Gallegos, Frederick., 2009.

More information

IMPLEMENTATION NOTE. Data Maintenance at IRB Institutions. Category: Capital. I. Introduction. No: A-1 Date: January 2006

IMPLEMENTATION NOTE. Data Maintenance at IRB Institutions. Category: Capital. I. Introduction. No: A-1 Date: January 2006 IMPLEMENTATION NOTE Subject: Category: Capital No: A-1 Date: January 2006 I. Introduction This implementation note elaborates on the data management requirements for institutions 1 adopting the internal

More information

UCLA Policy 360: Internal Control Guidelines for Campus Departments

UCLA Policy 360: Internal Control Guidelines for Campus Departments UCLA Policy 360: Internal Control Guidelines for Campus Departments Issuing Officer: Assistant Vice Chancellor, Corporate Financial Services Responsible Dept: Financial Management Programs Effective Date:

More information

ISDA International Swaps and Derivatives Association, Inc.

ISDA International Swaps and Derivatives Association, Inc. STANDARD SETTLEMENT INSTRUCTIONS REPOSITORY Best Practice Requirements August 2010 Table of Contents 1 REVISION HISTORY... 2 2 PROBLEM STATEMENT... 3 3 DOCUMENT PURPOSE... 3 4 SCOPE... 3 5 STANDARD SETTLEMENT

More information

Financial Administration Manual Chapter 4 Financial Systems and Controls. Chapter 4 Financial Systems and Controls

Financial Administration Manual Chapter 4 Financial Systems and Controls. Chapter 4 Financial Systems and Controls Chapter 4 Financial Systems and Controls 4.0 GENERAL POLICY STATEMENTS 4.1 INTRODUCTION 4.2 SYSTEMS OVERVIEW 4.3 FUNCTIONAL RESPONSIBILITIES OVERVIEW 4.4 CLASSIFICATION AND CODING OF FINANCIAL INFORMATION

More information

ARGYLL & BUTE COUNCIL Internal Audit Section INTERNAL AUDIT REPORT

ARGYLL & BUTE COUNCIL Internal Audit Section INTERNAL AUDIT REPORT ARGYLL & BUTE COUNCIL Internal Audit Section INTERNAL AUDIT REPORT CUSTOMER DEPARTMENT AUDIT DESCRIPTION AUDIT TITLE CUSTOMER SERVICES SYSTEM BASED AUDIT REVIEW OF ELECTRONIC SIGNATURES AND AUTHORISATION

More information

Accounts Payable Outsourcing Audit April 2014

Accounts Payable Outsourcing Audit April 2014 Accounts Payable Outsourcing Audit April 2014 Craig Terrell, Interim City Auditor Lee Hagelstein, Internal Auditor Accounts Payable Outsourcing Audit Table of Contents Page Executive Summary...1 Audit

More information

Oracle Internal Accounts Management System Manual

Oracle Internal Accounts Management System Manual Oracle Internal Accounts Management System Manual School Financial Services Phone: 773-553-2750 Fax: 773-553-2711 Email: IAMS@cps.k12.il.us IAMS Website: https://dev.ocs.cps.k12.il.us/sites/finance/iams/

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

Internal Control Guide & Resources

Internal Control Guide & Resources Internal Control Guide & Resources Section 5- Internal Control Activities & Best Practices Managers must establish internal control activities that support the five internal control components discussed

More information

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo

IT Governance and Control: An Analysis of CobIT 4.1. Prepared by: Mark Longo IT Governance and Control: An Analysis of CobIT 4.1 Prepared by: Mark Longo December 15, 2008 Table of Contents Introduction Page 3 Project Scope Page 3 IT Governance.Page 3 CobIT Framework..Page 4 General

More information

Xtender Invoicing Process

Xtender Invoicing Process Xtender Invoicing Process Description: Xtender Electronic Invoice Paying is a virtual paperless way to pay invoices that have a Purchase Order set up for payment. Invoices are received in Accounts Payable

More information

Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes REMEDYNE Fraud Prevention Document Version: Rel. 1.4 2015-03-05 Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes TABLE OF CONTENTS 1. SOLUTION

More information

Access Control and Audit Trail Software

Access Control and Audit Trail Software Varian, Inc. 2700 Mitchell Drive Walnut Creek, CA 94598-1675/USA Access Control and Audit Trail Software Operation Manual Varian, Inc. 2002 03-914941-00:3 Table of Contents Introduction... 1 Access Control

More information

PRIVACY IMPACT ASSESSMENT

PRIVACY IMPACT ASSESSMENT PRIVACY IMPACT ASSESSMENT Once the Privacy Impact Assessment is completed and the signature approval page is signed, please submit an electronic copy and hard copy with original signatures of the PIA to

More information

Internal Controls. A short presentation from Your Internal Audit Department

Internal Controls. A short presentation from Your Internal Audit Department Internal Controls A short presentation from Your Internal Audit Department The Old Internal Audit Department The New Internal Audit Department We re here to help! Teach + Train = Change Our goal: Promote

More information

December 21, 2012. The services being procured through the proposed amendment are Hosting Services, and Application Development and Support for CITSS.

December 21, 2012. The services being procured through the proposed amendment are Hosting Services, and Application Development and Support for CITSS. Justification for a Contract Amendment to Contract 2012-01: Interim Hosting and Jurisdiction Functionality for the Compliance Instrument Tracking System Service (CITSS) December 21, 2012 Introduction WCI,

More information

Financial Management Information System Centralized Operations

Financial Management Information System Centralized Operations Audit Report Financial Management Information System Centralized Operations March 2003 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested

More information