IT Application Controls Questionnaire



Similar documents
FINANCIAL ADMINISTRATION MANUAL

INFORMATION TECHNOLOGY CONTROLS

Cash Handling Questionnaire

The policy and procedural guidelines contained in this handbook are designed to:

INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS

Cash, Petty Cash, Change Funds, and Credit Cards

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

Chapter 7 Trustee. Internal Control Questionnaire

Chapter 15 Auditing the Expenditure Cycle

Internal Controls. A short presentation from Your Internal Audit Department

Accounts Payable. Best Practices: Existing Control: Control Gap: Controls Evaluation and Gap Analysis. Purchasing

MEMORANDUM INTERNAL CONTROL REQUIREMENTS FOR NON-PROFITS

5:31-7 Appendix B LOCAL AUTHORITIES - ACCOUNTING AND AUDITING IF ANY ARE NOT APPLICABLE, INSERT N/A AS YOUR ANSWER. FIRE DISTRICT YEAR UNDER AUDIT

Internal Control Deliverables. For. System Development Projects

Department of Human Services Client Trust Fund 7290 Trust Accounting System Procedures

PART 10 COMPUTER SYSTEMS

Module #9 Payroll Schemes

Office of the State Controller. Self-Assessment of Internal Controls. Purchasing/Accounts Payable Cycle. Objectives and Risks

ACCOUNTING POLICIES AND PROCEDURES

BDO Consulting. Segregation of Duties Checklist

Case Study Top-Down, Risk-Based Approach Purchase to Pay Process

Accounts Payable System Administration Manual

auditing in a computer-based

Accounting Information Systems, 4th. Ed. CHAPTER 4 THE REVENUE CYCLE

TORONTO PUBLIC LIBRARY Payroll Processing Review Report to Audit Committee Summary of Findings

Ithaca College Accepting Cash and Checks Procedures

4 Testing General and Automated Controls

INTERNAL ACCOUNTING CONTROLS CHECKLIST FOR NTMA CHAPTERS

SESSION 8 COMPUTER ASSISTED AUDIT TECHNIQUE

Internal Audit Committee of Brevard County, Florida Internal Audit of Timekeeping and Payroll Process

ASSOCIATED STUDENTS, INCORPORATED CALIFORNIA STATE UNIVERSITY, LONG BEACH DATE REVISED: 04/10/2013

GENERAL PAYROLL CONTROLS Dates in scope:

Information Systems and Technology

SUMMARY OF CORRECTIVE ACTION FOR SEGREGATION OF DUTIES AUDIT ISSUES

GUIDE FOR AUDITING STATE DISBURSEMENT UNITS

Full Compliance Contents

REAL ESTATE AGENCY DIVISION 25 PROPERTY MANAGEMENT

Internal Controls and Political Committees

CASH HANDLING POLICY

Accounts Payable User Manual

POLICY & PROCEDURE DOCUMENT NUMBER: DIVISION: Finance & Administration. TITLE: Cash Operations Policy and Procedures. DATE: July 15, 2011

How To Manage A Corporation

Audit Evidence. AU Section 326. Introduction. Concept of Audit Evidence AU

FINANCIAL CONTROLS POLICIES AND PROCEDURES FOR SMALL NONPROFIT ORGANIZATIONS

IT - General Controls Questionnaire

-.( FOR MAY 1978 REVTEW GUIDE FEDERAL AGENCY ADP APPLICATION UNITED STATES GENERAL ACCOUNTING OFFICE ACCOUNTLNG SYSTJZM DESIGNS : *r.

PURCHASE CARD POLICIES AND PROCEDURES MANUAL

Solutions to Student Self Assessment Questions

Product. Prologue Accounts Payable Automate Your Accounts Payable Processing

FINANCE COMMITTEE PROCEDURES. Audit Process. Cash Handling

Internal Controls Best Practices

Vance County Schools Individual School Accounting

Or download and view an electronic copy by visiting:

NONPROFIT FINANCIAL MANAGEMENT SELF ASSESSMENT TOOL

Stated below are the SCIRE activity level control objectives for purchasing and accounts payable.

Internal Audit FINAL INTERNAL AUDIT REPORT. Management Initiated Review of Child Support Master Program Payments

Accounts Payable Best Practices

MANAGEMENT AUDIT REPORT ACCOUNTS PAYABLE

GLOSSARY the terms below are to be interpreted as follows wherever they appear in the classification specification:

Table of Contents. Transmittal Letter Executive Summary Background Objectives and Approach Issues Matrix...

Payment Systems and Funds Transfer Internal Control Questionnaire

CHAPTER 9 PRESCRIBED FORMS, TAXES, AND GENERAL INFORMATION

Financial Administration Manual Chapter 4 Financial Systems and Controls. Chapter 4 Financial Systems and Controls

DIXON MONTESSORI CHARTER SCHOOL FISCAL CONTROL POLICY

Community Ambulance Service District

Florida A & M University

Agency Escrow Accounting Standards.

GREAT AMERICAN TITLE OF HOUSTON, LLC D/B/A GREAT AMERICAN TITLE COMPANY EXAMINATION REPORT NOVEMBER 24, 2015

CASH: CHECK CONTROLS C ACCOUNTING MANUAL Page 1 CASH: CHECK CONTROLS. Contents. I. Introduction 2

B Resource Guide: Implementing Financial Controls

Chapter 7 Securing Information Systems

Accounts Receivable System Administration Manual

Fiscal Procedure Sequence page number

Nova Southeastern University Standard Operating Procedure for GCP. Title: Electronic Source Documents for Clinical Research Study Version # 1

Standard Procedures and Controls for the Title Industry. Prepared by the ALTA Internal Auditing Committee ALTA

FS-06-SF3 School Funds Receipt Log; FS-04-SF2 Schools Funds Payment Request; FS-04-SF1 School Funds: Advance of Funds

Internal Controls over Cash for Small Nonprofits

STATE OF NEVADA GAMING CONTROL BOARD MINIMUM INTERNAL CONTROL STANDARDS TABLE GAMES

BEDFORD PUBLIC SCHOOLS BUSINESS OFFICE PROCEDURES MANUAL

ACCOUNTS PAYABLE AUDIT RECOVERING LOST DOLLARS AT NO COST

Control Matters. Computer Auditing. (Relevant to ATE Paper 8 Auditing) David Chow, FCCA, FCPA, CPA (Practising)

Oracle ERP Cloud Period Close Procedures O R A C L E W H I T E P A P E R J U N E

City of Berkeley. Accounts Payable Audit

Chapter 2. Concepts and Tasks

Payment Procedures. Corruption Prevention Department

Cash Receipts Internal Controls

Supplement to the Guidance for Electronic Data Capture in Clinical Trials

Accounting software & data

Tel Fax MANAGEMENT LETTER

FDA Title 21 CFR Part 11:Electronic Records; Electronic Signatures; Final Rule (1997)

Software Test Plan (STP) Template

Expense Reports Training Document. Oracle iexpense

Internal Control Systems

An Audit Report on the Child Support Enforcement Program at the Office of the Attorney General

User Guide Package Exception Management

Model risk mitigation and cost reduction through effective design*

Sarbanes-Oxley Compliance A Checklist for Evaluating Internal Controls

DISBURSEMENTS: INVOICE PROCESSING IN RESPONSE TO PURCHASE AUTHORIZATIONS D ACCOUNTING MANUAL Page 1

Department of Labor, Licensing and Regulation Division of Unemployment Insurance Division of Workforce Development

Community Ambulance Service District

Transcription:

IT Application Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks A1.a. MULTIPLE USER PROCESSING INPUT CONTROLS Input controls are the procedures and methods utilized by the university to help ensure that all transactions (or data) entered into the computer system are accurate, have been authorized and recorded, are complete and input only once, and have been properly converted into a machine-readable format. They can be broadly divided into the control areas of data preparation, transaction authorization, batching, and data entry and conversion. 1. Are there training policies and procedures for data preparation and input personnel? a. Are training activities adequate for new personnel and are there any regular training programs? b. Is there a regular training program to update users on new applications? c. If a user's manual or written procedures exist for the preparation, handling and input of data for the application under study, do they accurately reflect current practice? (Are they effective in assisting users?) 2. Review and evaluate the design of the key source documents. a. Are source documents designed in a manner that facilitates the initial recording of data in a uniform, complete, and accurate format? b. Are source documents serially pre-numbered with a cross-reference number (such as a receipt #, check #) to serve as an audit trail and to facilitate tracing to/from computerized reports? c. Do source documents provide a unique code or identifier for each transaction type to provide an audit trail?

3. *Evaluate and review the procedures involved in the handling of blank source documents. If source documents are maintained on-line, then access rights to those documents should be reviewed during the performance of module G1 - Access Controls. a. Are blank source documents stored in a secure location and in the custody of designated persons who have no role in their preparation? b. Is the release of blank source documents from storage adequately controlled through the use of logs and proper authorizations? 4. Is there a preprocessing review of source documents prior to data input to detect errors in completeness and consistency as well as obvious mistakes? a. Is there a preprocessing review of source documents performed by someone other than the preparer? b. If source documents are maintained on-line, are controls in place to ensure review of the documents on-line? 5. *Evaluate and review the transaction approval process of the key source documents. Steps 5a, 5b, 5c, and 5d should be considered for all transaction approvals. a. Are all source documents approved by someone other than the preparer? b. Is evidence of approval required for all transactions (or only for critical ones)? c. Determine whether the system generates summary (or detail) reports showing the transaction types input and approved for each user. Is this report reviewed by management? d. Is there any physical evidence to verify that the review was performed?

MANUAL APPROVALS e. Are signatures compared to a list of authorized signers in order to verify proper source document approval? f. Are any methods other than signatures or initials used to provide evidence of approval? ON-LINE APPROVALS g. Are users given the appropriate approval authority? h. Are users restricted from approving a transaction which they initiated? i. Are all documents (screens) approved? 6. *Determine whether the controls in effect are sufficient to account for all transactions. BATCH INPUT a. Are source documents batched in manageable groups of similar transaction types? b. Are the batches assigned a unique sequential identification number? c. Are control totals used and compared at intervals during the processing? d. Are discrepancies resolved and documented? e. Does a batch header card accompany the batch throughout the input process and is it retained with the batch to serve as an audit trail? f. Are the batches logged-in and verified?

ON-LINE, REAL-TIME (NON-BATCH) INPUT g. Does the system establish control totals such as by processing run, input time of day, specific input terminal, or individual inputting the data? Are control totals further computed by type of transaction? h. Are these control totals reconciled to control accounts by an independent supervisor? i. Are these control totals reconciled by the system and any differences reported and followed up by error control personnel? j. If the aforementioned controls are missing, are there compensating controls such as independent reconciliation of input source to control listings or other output reports? k. Do data entry operators stamp or otherwise mark batches or source documents once they have been input in order to prevent duplicate processing of transactions? OTHER INPUT l. Are magnetic tapes/cartridges delivered to the computer operations area controlled to ensure all data are processed? m. Are documents delivered to the computer operations area for scanning or imaging controlled to ensure all data are processed? n. Are inbound Electronic Data Interchange (EDI) transactions written to a file and logged to establish input control prior to being processed by the application system? o. Are other types of input methods controlled to ensure all data are processed? 7. *Examine the process and controls over error detection, correction, and reentry of transactions. a. Are there procedures over the detection, correction, and reentry of errors?

b. If on-line system input techniques are used, skip to 8c. In batch systems, are controls over the delivery of the rejected batches proper to ensure that they are not lost? c. Are data entry operators in on-line systems restricted from making corrections of any non-keying errors? d. Are error messages maintained on-line or on the error exception reports clear and easily understood so that the proper corrective actions may be taken? e. Are error exception reports corrected, initialed, dated, and retained for management review? f. Are corrected errors reviewed and approved by management before reentry? A1.b. MULTIPLE USER PROCESSING PROCESSING CONTROLS Processing controls are designed to help ensure that all transactions (or data) are processed as authorized, that no authorized transactions are omitted, and that no unauthorized transactions are added. These controls include the use of automated edits and logic tests that are coded into application programs as well as the use of automated control total verification. 1. *Review the controls that ensure all input transactions are processed by the computer. For batch systems or on-line batch systems, batch control totals should be generated by the computer and compared to manually calculated control totals. On-line realtime systems should have compensating controls to ensure all input transactions are processed. a. Are record counts and control totals verified to ensure that all data are processed? b. Is there evidence (audit trail) of transactions processed/rejected being reconciled or investigated? 2. Determine the critical edits and checks necessary for each application. Critical edits and checks should consist of some or most of the following types. Do such edits and checks include:

a. A reasonableness check which determines if an amount or date is greater or less than a predefined limit? b. A dependency edit which verifies the expected relationship of one field to another? c. A sequence check which is used to detect missing document numbers? d. A duplicate number check? e. An existence edit which determines whether the transaction data matches data on file or look-up tables? f. A format edit which could be used to make sure only numeric data is included in numeric fields or alpha data in alpha-only fields? g. A mathematical check to foot and cross-foot all applicable amount fields? h. A range check which could be utilized to test whether data falls within certain pre-set ranges? i. A confirmation check which utilizes stored data to confirm the modification of infrequently changed data? (An example would be transactions that alter values, such as pay rate changes.) 3. *Do error handling procedures include: a. Are rejected transactions held in an error suspense file and/or prevented from updating the master files? b. Does the system prepare printouts listing all transactions held in the suspense file? c. Are entries in error suspense identified as to age and type? d. Are corrected transactions subjected to the same edit, review and approval controls that were applied to the original transaction?

4. If the application observed produces system-generated transactions (for instance, offsetting accounting entries), are they printed out and reviewed by the appropriate personnel? A1.c. MULTIPLE USER PROCESSING - OUTPUT CONTROLS Output controls are designed to ensure the accuracy of the processing result (such as account listings, reports, magnetic files, disbursement checks, etc.) and to assure that only authorized personnel receive the output. The basic output controls are verification through balancing techniques and visual scanning, and the controlled distribution of output media. The two types of output that must be controlled are machine-readable files, and reports, listings, terminal screen displays, etc. 1. Are current and accurate procedures for balancing and reconciling output formally documented? 2. *Are output control totals compared and agreed to input and processing control totals? 3. *Are output reports balanced and reconciled to output from related systems? 4. If user management receives and reviews the following reports, a. Are detail or summary transaction reports scanned for unusual results? b. Are reports of sensitive on-line master file updates (such as pay rate changes, employee status changes, vendor name changes, etc.) reviewed for unauthorized or erroneous modifications to sensitive information? 5. Are output distribution lists produced which show the reports that are generated for each application processing run? 6. Are output distribution logs maintained to record the date and/or time received and the signatures of the users authorized to receive the output?

A2. END-USER COMPUTING End-user computing (EUC) is any development, programming, or other activity where the end-users create or maintain their own system or application. As such, the control of the EUC environment and the information it produces is critical. EUC controls at the application level are essentially the same process as that used to review a traditional mainframe application: input, processing, and output controls. At the application level the auditor would typically interview the end-users. In the space provided below, describe how end-user computing is used in the transaction cycle. Describe The person or department who performs the computing. A general description of the application and its type (e.g., spreadsheet). The source of the information used in the application. How the results of the application are used in further processing or decision making.

Audit Procedures 1. *The end-user applications listed above have been adequately tested before use. 2. The application has an appropriate level of built-in controls, such as edit checks, range tests, or reasonableness checks. 3. *Access controls limit access to the end-user application. 4. *A mechanism exists to prevent or detect the use of incorrect versions of data files. 5. *The output of end-user applications is reviewed for accuracy or reconciled to source information. A3. INFORMATION PROCESSED BY OUTSIDE COMPUTER SERVICE ORGANIZATIONS The Outside Computer Service Organization form was used to document your understanding of the university s use of an outside computer service organization to process entity-wide accounting information such as the general ledger. In this section you will document your understanding of how the entity uses an outside computer service organization to process information relating specifically to the cycle. The service organization is responsible to ensure the orderly and supervised processing of user data. The user should ensure the completeness and accuracy of the service organization s processing by establishing controls to verify data input and output. In the space below, describe the information processed by the outside computer service organization in this cycle. Discuss The general nature of the application. The source documents used by the service organization. The reports or other accounting documents produced by the service organization.

The nature of the service organization s responsibilities. Do they merely record entity transactions and process related data, or do they have the ability to initiate transactions on their own? Controls maintained by the entity to prevent or detect material misstatement in the input or output.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information