Internal Control Deliverables For System Development Projects




DIVISION OF AUDIT SERVICES
Internal Control Deliverables For System Development Projects

TABLE OF CONTENTS
Introduction ... 3
Process Flow ... 3
Controls Objectives ... 4
Environmental and General IT Controls ... 6
Appendix A Process Flow Chart ... 7
Appendix B Vendor Payment Narrative Description ... 8
Appendix C Control Objective Cross Reference ... 10
Appendix D Reference Material ... 11
Internal Control Deliverables For System Development Project - 2 -

INTRODUCTION

Internal controls are the processes and procedures used to provide assurance that business functions are carried out in a controlled and effective manner. They are implemented through an organization's structure, workflows, people, and information systems. Internal controls govern, direct, manage and monitor the various activities of an organization in order to ensure that the entity's objectives are achieved.

The best time to develop and implement a set of controls is during initial process deployment. When dealing with automated application controls, it can be a costly exercise to implement new controls after an application has been moved into production. Therefore, it is essential that internal control issues are properly addressed at the time of system development and implementation.

The intent of this document is to provide a framework for identifying the internal controls that need to be implemented during the systems development and implementation process. Project managers will need to work with both business and IT primes in order to successfully address internal controls.

The business has ultimate responsibility for defining what application controls are to be implemented for its processes. This assessment should be based on a review of the entire supported business process, not just the components that are to be automated through the system development initiative. The business decides which controls are required and whether they should be implemented through manual or automated processes. The system development team is responsible for the design and implementation of automated application controls, based on the requirements established by the business.

The project team also needs to give consideration to environmental and general IT controls. These are the controls embedded in the IT processes and services that support the system being designed (e.g. security, change management, backups, etc.).
PROCESS FLOW

The first step in identifying required internal controls is to document the end-to-end business processes that are impacted by the project. A process flow provides a narrative on how information moves through the application (including related processes, interfaces, and reports). A graphical representation of the flow helps to provide context for the narrative description. Depending on the complexity of the system or process being designed, it may be necessary to document multiple process flows. Appendix A provides an example of a graphical process flow and Appendix B provides the corresponding narrative description.

Each component of the process flow needs to be categorized as an input, a data transformation (changes and deletes), or an output. These identified components represent the points within the process where internal controls may be required.

Inputs: Any place where information enters the system. Each input should be labeled A1 through A## in the process flow documentation. Inputs include, but are not limited to:
- Interfaces from other processes
- User data entry
- Dedicated devices (e.g. bar code readers, scanners, etc.)

Data Transformations: All processes that cause changes to process data (calculations, updates, and deletes). Transformation processes should be labeled B1 through B## in the process flow documentation.

Outputs: Any place where information is extracted from the process. Each output should be labeled C1 through C## in the process flow documentation. Outputs include, but are not limited to:
- Online queries
- Interfaces to other processes
- Reports
- Deliverables (e.g. cheques, invoices, products, etc.)

CONTROLS OBJECTIVES

Each control point identified in the process flow documentation should be assessed against a set of relevant control objectives. By mapping the control points to the relevant control objectives, a clear understanding is obtained of which internal controls already exist within the process and which need to be defined and implemented. The process flow documentation should be updated to include any new internal controls that are created.

A different set of control objectives applies depending on the type of control point being reviewed. The relevant control objective groups are listed below along with the associated control point category:
1. Segregation of Duties (all control points)
2. Source Data Preparation and Authorization (input control points)
3. Source Data Collection and Entry (input control points)
4. Processing Integrity and Validity (data transformation control points)
5. Output Review, Reconciliation and Error Handling (output control points)
1. Segregation of Duties

Segregation of duties focuses on ensuring that individuals are only able to execute authorized processes that are relevant to their role and responsibilities. It reduces the possibility of a single individual being able to compromise a critical process. Proper segregation of duties provides a means for detecting potential control failures and can help to prevent conflicts of interest, fraud, abuse and errors. The following activities should be segregated from each other:
- Data Entry
- Transaction Authorization
- Transaction Reconciliation
- Systems development, acquisition and maintenance
- System Administration
- Database Administration

2. Source Data Preparation and Authorization

Controls designed to ensure the authenticity, accuracy, and validity of source documents (including interfaces) used as input into the system or process.
a. Authorization procedures exist for source documents prior to data entry
b. Authorized data remains complete, accurate and valid throughout the life of the source document
c. Erroneous source documents are properly handled
d. Confirmation receipts are sent to source document originators
e. Control over sensitive information exists for source documents
f. Source documents are securely stored and maintained in order to facilitate transaction reconstruction, review and audit, litigation inquiries and regulatory requirements

3. Source Data Collection and Entry

Controls designed to ensure that data inputs are accurate, complete and authorized.
a. Processes are in place to ensure timely data entry and error correction
b. Data entry processes are limited to authorized and uniquely identified individuals
c. System data can be traced back to the originating source documentation and the individual who input the data
d. Verification and edit checks exist for input data
e. All authorized transactions are accurately recorded, once and only once
f. Incomplete or incorrect transactions are rejected
g. Transactions are assigned unique and sequential identifiers

4. Processing Integrity and Validity

Controls designed to maintain the integrity and validity of data throughout the system or process.
a. Access to data processing routines is limited to authorized and identifiable individuals
b. Logs are maintained of programs executed and transactions processed or rejected
c. Data changes can be traced back to the changing process and the authorized individual
d. Multiple versions or repositories of the same data are kept in sync
e. Data processing routines include error prevention/detection checks
f. Processes are in place to ensure reporting and timely correction of errors
g. Correction and resubmission of errors is approved by the original submitting function
h. Resubmitted transactions follow exactly the same processes as the original transaction
i. Data updates only occur through fully tested and approved routines
j. Controls are in place to ensure the integrity of interdependent routines
k. Deleted information is retained for audit purposes and flagged to prevent inclusion in standard reporting
l. Recovery processes exist to automatically maintain the integrity of data during unexpected interruptions
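Several of the processing integrity objectives above (4b, 4c, 4i and 4k in particular), together with the batch posting step described in Appendix B, can be enforced directly in application code. The following Python example is added here and is not part of the original document; the batch structure, invoice fields, user ids and sample invoices are constructed for illustration. It freezes a batch once it is posted, records every change together with the acting user, and flags deleted invoices so that they drop out of the batch report but remain available for audit:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: Decimal
    deleted: bool = False  # 4k: deletions are flagged, never physically removed


@dataclass
class AuditEntry:
    when: str
    user: str
    action: str
    detail: str


class BatchError(Exception):
    """Raised when an action would violate the batch's integrity rules."""


class InvoiceBatch:
    """Constructed invoice batch whose lifecycle enforces B3 (frozen after posting),
    4b/4c (every change logged with the acting user) and 4k (flagged deletes)."""

    def __init__(self, name: str, created_by: str):
        self.name = name
        self.posted = False
        self._invoices: Dict[str, Invoice] = {}
        self.audit_log: List[AuditEntry] = []
        self._log(created_by, "create", name)

    def _log(self, user: str, action: str, detail: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEntry(stamp, user, action, detail))

    def _require_open(self, action: str) -> None:
        # B3: once posted, no further change to invoice details is possible
        if self.posted:
            raise BatchError(f"batch {self.name} is posted; {action} is not allowed")

    def add_invoice(self, user: str, invoice: Invoice) -> None:
        self._require_open("add")
        if invoice.invoice_id in self._invoices:
            raise BatchError(f"invoice {invoice.invoice_id} already in batch")
        self._invoices[invoice.invoice_id] = invoice
        self._log(user, "add", f"{invoice.invoice_id} {invoice.vendor} {invoice.amount}")

    def delete_invoice(self, user: str, invoice_id: str, reason: str) -> None:
        self._require_open("delete")
        self._invoices[invoice_id].deleted = True  # flag only (4k)
        self._log(user, "delete", f"{invoice_id}: {reason}")

    def post(self, user: str) -> None:
        self._require_open("post")
        self.posted = True
        self._log(user, "post", f"{len(self.batch_report())} invoices, total {self.total()}")

    def batch_report(self) -> List[Tuple[str, str, Decimal]]:
        """C1: one line per invoice; flagged deletions are excluded from standard reporting (4k)."""
        return [(i.invoice_id, i.vendor, i.amount) for i in self._invoices.values() if not i.deleted]

    def total(self) -> Decimal:
        return sum((amount for _, _, amount in self.batch_report()), Decimal("0.00"))

    def deleted_invoices(self) -> List[Invoice]:
        """Audit view: flagged records stay available for review (4k)."""
        return [i for i in self._invoices.values() if i.deleted]


def demo():
    """Constructed walk-through: enter three invoices, flag one as a duplicate, post, then try to add more."""
    batch = InvoiceBatch("AP-2024-06-03", created_by="apclerk")
    batch.add_invoice("apclerk", Invoice("INV-1001", "Acme Supplies", Decimal("125.50")))
    batch.add_invoice("apclerk", Invoice("INV-1002", "Northern Paper", Decimal("80.00")))
    batch.add_invoice("apclerk", Invoice("INV-1003", "Acme Supplies", Decimal("125.50")))
    batch.delete_invoice("apclerk", "INV-1003", "duplicate of INV-1001")
    batch.post("apclerk")
    try:
        batch.add_invoice("apclerk", Invoice("INV-1004", "Late Vendor", Decimal("10.00")))
        changed_after_post = True
    except BatchError:
        changed_after_post = False
    return batch, changed_after_post
```

The audit log is the evidence for objectives 4b and 4c: every entry names the user and the action, and the post entry records the count and total that the Director later compares against the batch report. Keeping deleted invoices in the structure rather than removing them is what makes the audit view possible.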

5. Output Review, Reconciliation and Error Handling

Controls designed to ensure the accuracy and security of output generated by the system or process.
a. Access to output data is restricted physically and logically to authorized individuals
b. Ad hoc reporting capabilities are restricted to authorized individuals
c. Query and reporting functions do not provide data update capabilities
d. Output requirements and needs are periodically reviewed
e. System output contains all, and only, the requested information
f. Verification checks exist for output data
g. The origination and content of output are independently verifiable
h. The process and responsibility for output disposal are clearly defined

Appendix C provides a cross reference of control objectives with the control points identified in Appendices A and B.

ENVIRONMENTAL AND GENERAL IT CONTROLS

As part of the system development and implementation process, consideration needs to be given to the IT processes required to support the new system. As with the internal controls within an application, if required environmental and general IT controls are not identified during the development and implementation of the system, it may become a more costly initiative to implement them once the system is in production. For each of the following environmental control areas, an explanation needs to be provided describing the actual processes that will be implemented to minimize risk exposure.
a. Physical Security
b. Logical Security
c. System Management and Administration
d. Database Administration
e. Backup and Recovery
f. Contingency Planning and Disaster Recovery
g. Program Change Control
h. Application system support and maintenance
i. Capacity Management
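The segregation of duties objective (group 1 above) applies to every control point and can be checked mechanically against role assignments. The following Python example is added here and is not part of the original document: the role names, user ids and login data are constructed, while the six segregated activities are the document's own list. The code expands each user's roles into the activities they can perform, reports every pair of segregated activities held by one person, and separately flags login ids shared by more than one person, the weakness recorded against control point A2 in Appendix C:

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# The six activities the document requires to be segregated from one another.
SEGREGATED_ACTIVITIES = (
    "Data Entry",
    "Transaction Authorization",
    "Transaction Reconciliation",
    "Systems Development, Acquisition and Maintenance",
    "System Administration",
    "Database Administration",
)

# Constructed sample role definitions (an assumption; the role names are not from the document).
ROLE_ACTIVITIES: Dict[str, Set[str]] = {
    "AP Clerk": {"Data Entry"},
    "Director": {"Transaction Authorization"},
    "Reconciler": {"Transaction Reconciliation"},
    "Developer": {"Systems Development, Acquisition and Maintenance"},
    "Sysadmin": {"System Administration"},
    "DBA": {"Database Administration"},
    "Report Viewer": {"Read Reports"},  # not a segregated activity; never conflicts
}


def effective_activities(user_roles: Dict[str, Set[str]],
                         role_activities: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Expand each user's roles into the set of activities they can actually perform."""
    result: Dict[str, Set[str]] = {}
    for user, roles in user_roles.items():
        acts: Set[str] = set()
        for role in roles:
            acts |= role_activities.get(role, set())
        result[user] = acts
    return result


def sod_violations(user_roles: Dict[str, Set[str]],
                   role_activities: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(user, activity_a, activity_b) for every pair of segregated activities one person holds.
    Conflicts are detected across roles, not just within a single role."""
    violations = []
    for user, acts in sorted(effective_activities(user_roles, role_activities).items()):
        held = [a for a in SEGREGATED_ACTIVITIES if a in acts]
        for a, b in combinations(held, 2):
            violations.append((user, a, b))
    return violations


def shared_logins(login_to_people: Dict[str, Set[str]]) -> List[str]:
    """Login ids used by more than one person. A common login id defeats objective 3b
    (uniquely identified individuals), the weakness noted for A2 in Appendix C."""
    return sorted(login for login, people in login_to_people.items() if len(people) > 1)


def transaction_sod_ok(entered_by: str, authorized_by: str, reconciled_by: str) -> bool:
    """Per-transaction check: entry, authorization and reconciliation by three different people."""
    return len({entered_by, authorized_by, reconciled_by}) == 3


def demo():
    """Constructed assignments: two users combine conflicting roles, one login id is shared."""
    user_roles = {
        "apclerk": {"AP Clerk", "Report Viewer"},
        "director": {"Director"},
        "jsmith": {"AP Clerk", "Director"},  # enters and approves invoices
        "ops1": {"Sysadmin", "DBA"},         # administers both the servers and the database
    }
    logins = {"apclerk": {"J. Smith", "M. Jones"}, "director": {"A. Director"}}
    return sod_violations(user_roles, ROLE_ACTIVITIES), shared_logins(logins)
```

Running the role check against the actual role model before go-live is the cheapest point at which to catch a conflict; `transaction_sod_ok` is the run-time counterpart that an application can apply when a batch report is approved, so that the person who entered the batch cannot also approve or reconcile it.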

APPENDIX A PROCESS FLOW CHART

[Flow chart not reproduced in this transcription; swimlanes: UniFi, Information Technology, Accounts Payable Clerk, Director, Purchasing]

APPENDIX B VENDOR PAYMENT NARRATIVE DESCRIPTION

The purpose of the vendor payment process is to ensure that, after a vendor provides goods or services, the invoices relating to the goods or services received are paid in an efficient and effective manner.

Input A1: Invoices received from vendors are forwarded to the Director for review.

Transformation B1: The Director reviews each invoice for appropriateness. Approved invoices are stamped, signed, and forwarded to the Accounts Payable (AP) clerk for processing.

Input A2: Before entering invoice details into the local financial application, the AP clerk must first create a batch record that is used for the consolidation of invoice details. Multiple invoices can be entered into a single batch. The local financial application requires that a separate batch be created for credit memos. Invoice batches are created using the Purchase Batch function, while credit memo batches are created using the Returns Batch function. The typical practice is to use the same name for the invoice and returns batches so that the transactions can be consolidated in downstream processes.

Input A3: Approved invoices and credit memos are entered into the local financial application by the AP clerk, using the Receiving Transaction Entry and Returns Transaction Entry functions respectively.

Output C1: There is no set limit on the number of invoices that can be entered into a single batch. The AP clerk arbitrarily decides when a batch is ready to be submitted for payment processing. Using the internally developed Transfer tool, the AP clerk generates a batch summary report showing the payment total for each invoice contained in the batch.

Transformation B2: The batch report is then provided to the Director along with the corresponding invoices. The Director ensures that his stamp and signature are on each of the invoices and that each invoice total matches the amount shown on the batch report. The Director then initials each invoice and checks off the amount on the batch report.

Transformation B3: Once the batch report has been approved by the Director, the AP clerk posts the batch within the local financial application. Posting the batch prevents any further changes from being made to the invoice details.

Transformation B4: Within the Transfer tool, the AP clerk uses the Transfer Batch function to copy the posted invoice details from the local financial application database into an intermediary Oracle database.

Output C2: A script is run nightly that checks the Oracle database for new invoices. The job then creates an interface file containing the new invoice records that need to be transferred to UniFi. The interface file is saved in a secure drop box on the server Shelf.

Output C3: The interface file creation process (C2) generates a notification email that is sent to Systems Support and Development in the Financial Services Division (FSD). The email provides a record count and total dollar amount for the interface file that was posted on Shelf.

Input A4: A process is run nightly on Shelf that reads the interface file and loads the data into UniFi. A load confirmation email is sent to a pre-defined distribution list that reports the number of invoices loaded into UniFi and the total dollar value.

Output C4: The AP clerk prints out the UniFi Load Confirmation email and consolidates it with the corresponding batch report and vendor invoices. The consolidated package is then filed together to support future reviews.
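The nightly interface (C2, C3 and A4) depends on control totals: the notification email carries a record count and dollar total for the file, and the load confirmation reports what was actually loaded. The Python example below is added here and is not the Transfer tool's or UniFi's code; the header/detail/trailer file layout, the function names and the sample invoices are assumptions made for illustration. It writes a file whose trailer carries the control totals, verifies that trailer against the records actually read before loading anything, rejects invoices that were loaded by an earlier run (objective 3e, once and only once), and reconciles the confirmation against the notification as the AP clerk does at C4:

```python
import csv
import io
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional, Set, Tuple

# Constructed record layout (an assumption; not the Transfer tool's real format):
#   H,<file_id>                         header
#   D,<invoice_id>,<vendor>,<amount>    one detail line per invoice
#   T,<record_count>,<total_amount>     trailer carrying the control totals


def build_interface_file(file_id: str, invoices: List[Tuple[str, str, Decimal]]) -> Tuple[str, Dict]:
    """C2/C3: write the interface file and return it with the notification (record count, total dollars)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["H", file_id])
    total = Decimal("0.00")
    for inv_id, vendor, amount in invoices:
        writer.writerow(["D", inv_id, vendor, f"{amount:.2f}"])
        total += amount
    writer.writerow(["T", len(invoices), f"{total:.2f}"])
    notification = {"file_id": file_id, "record_count": len(invoices), "total_amount": total}
    return buf.getvalue(), notification


def load_interface_file(text: str, already_loaded: Set[str]) -> Tuple[List[str], Optional[Dict], List[str]]:
    """A4: verify the control totals, then load each invoice once and only once (3e).
    Returns (loaded_ids, confirmation, errors); a control-total failure loads nothing."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    if len(rows) < 2 or rows[0][0] != "H" or len(rows[0]) < 2 or rows[-1][0] != "T":
        return [], None, ["malformed file: header or trailer missing"]
    file_id, details, trailer = rows[0][1], rows[1:-1], rows[-1]
    try:
        expected_count, expected_total = int(trailer[1]), Decimal(trailer[2])
    except (IndexError, ValueError, InvalidOperation):
        return [], None, ["malformed trailer"]

    parsed, errors = [], []
    for r in details:
        if len(r) != 4 or r[0] != "D":
            errors.append(f"malformed detail line: {r}")
            continue
        try:
            parsed.append((r[1], r[2], Decimal(r[3])))
        except InvalidOperation:
            errors.append(f"{r[1]}: invalid amount {r[3]!r}")
    if errors:
        return [], None, errors
    # Control totals are checked over everything read, before any record is accepted.
    file_total = sum((amount for _, _, amount in parsed), Decimal("0.00"))
    if len(parsed) != expected_count or file_total != expected_total:
        return [], None, [f"control totals differ: trailer {expected_count}/{expected_total}, "
                          f"records read {len(parsed)}/{file_total}"]

    loaded, loaded_total, seen = [], Decimal("0.00"), set()
    for inv_id, _vendor, amount in parsed:
        if inv_id in already_loaded or inv_id in seen:
            errors.append(f"{inv_id}: already loaded, rejected (once and only once)")
            continue
        seen.add(inv_id)
        loaded.append(inv_id)
        loaded_total += amount
    confirmation = {"file_id": file_id, "invoices_loaded": len(loaded),
                    "total_loaded": loaded_total, "rejected": len(errors)}
    return loaded, confirmation, errors


def reconcile(notification: Dict, confirmation: Optional[Dict]) -> List[str]:
    """C4: the differences the AP clerk must explain before filing the package."""
    if confirmation is None:
        return ["no load confirmation: the file was not loaded"]
    diffs = []
    if notification["record_count"] != confirmation["invoices_loaded"]:
        diffs.append(f"count: notified {notification['record_count']}, loaded {confirmation['invoices_loaded']}")
    if notification["total_amount"] != confirmation["total_loaded"]:
        diffs.append(f"total: notified {notification['total_amount']}, loaded {confirmation['total_loaded']}")
    return diffs


SAMPLE_INVOICES = [  # constructed sample data
    ("INV-1001", "Acme Supplies", Decimal("125.50")),
    ("INV-1002", "Northern Paper", Decimal("80.00")),
    ("INV-1003", "Acme Supplies", Decimal("300.25")),
]


def demo():
    text, note = build_interface_file("AP20240603", SAMPLE_INVOICES)
    # Clean run: nothing loaded before, notification and confirmation agree.
    loaded, conf, _ = load_interface_file(text, already_loaded=set())
    clean = (len(loaded), reconcile(note, conf))
    # INV-1002 was already loaded by an earlier run: it is rejected and the clerk sees the difference.
    loaded2, conf2, _ = load_interface_file(text, already_loaded={"INV-1002"})
    rerun = (len(loaded2), reconcile(note, conf2))
    # One amount altered after the notification went out: control totals fail and nothing loads.
    loaded3, conf3, errs3 = load_interface_file(text.replace("125.50", "1250.50"), already_loaded=set())
    tampered = (len(loaded3), conf3 is None, len(errs3))
    return clean, rerun, tampered
```

The trailer check and the reconciliation are two different controls: the first catches a file that was truncated or altered between C2 and A4, the second catches records that were read correctly but not loaded (here, a duplicate from a previous night). Both differences end up in the package the clerk files at C4, which is what makes the filing useful for a later review.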

APPENDIX C CONTROL OBJECTIVE CROSS REFERENCE

Legend: [mark not reproduced] Control Exists; X Control Missing; N/A Control Deemed Not Applicable

Inputs (control objectives 1, 2a-2f, 3a-3g). Marks are listed in the order recorded; blank cells did not survive transcription, so the marks cannot be assigned to individual columns.
A1 Invoice: N/A N/A X N/A N/A N/A N/A N/A N/A
A2 Create Batch: N/A N/A N/A N/A N/A N/A N/A X X X N/A N/A
A3 Transaction Entry: X N/A N/A X X X
A4 UniFi Load Confirmation: X X N/A N/A X N/A X X N/A N/A
A5: (no entries)

Data Transformations (control objectives 1, 4a-4l)
B1 Review Invoice: N/A N/A N/A X N/A N/A N/A
B2 Review Batch Report: N/A N/A X N/A N/A N/A
B3 Post Batch: X X X N/A N/A X X N/A
B4 Transfer Batch: X X X X X X X X X
B5 Review UniFi Load Confirmation: X X X X X X X X X X X X X
B6: (no entries)

Outputs (control objectives 1, 5a-5h)
C1 Batch Report: X N/A N/A X
C2 UniFi Interface File: N/A X N/A X X X X X
C3 Transfer Notification email: N/A N/A X X X
C4 Hardcopy Filing: N/A N/A N/A N/A N/A X
C5: (no entries)

Notes:
A1-3a: No processes are in place to ensure timely data entry
A2-3b: Use of a common login id prevents the identification of unique users
B5: Process does not exist. It represents a new process to be created to address an identified control weakness. Once the process has been defined and documented in the process flow, it would then be assessed against the relevant control objectives and the above chart updated.
C4-5h: Food Services has not defined any data archiving and disposal processes

APPENDIX D REFERENCE MATERIAL

Accounting Information Systems, Fourth Edition, James A. Hall
Auditing and Other Assurance Services, Canadian Eighth Edition
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Control Objectives for Information and related Technology (COBIT) 4.1, IT Governance Institute
Control Objectives for Information and related Technology (COBIT) 4.0, IT Governance Institute
Control Objectives for Information and related Technology (COBIT) 3rd Edition, Audit Guidelines, IT Governance Institute
Global Technology Audit Guide (GTAG) Auditing Application Controls
Information Technology Guidelines, 3rd Edition, Canadian Institute of Chartered Accountants
IT Assurance Guide: Using COBIT, IT Governance Institute
Statement on Auditing Standards (SAS) No. 78