Information Systems Audit (Pemeriksaan Sistem Informasi) – Appendix: Based on PwC Audit Guide

4428 Reconsidering our audit approach based on our understanding of processes and IT

This guidance explains how the auditor should reconsider his/her audit approach based on his/her understanding of the client's processes and IT systems. It also covers how, and for which areas, the auditor should consider involving SPA resources on the audit team. On one hand the audit approach might be altered due to characteristics of the processes and IT systems. On the other hand the auditor might need to extend his/her focus on IT due to reliance on computer-based controls and computer-based information.

When SPA specialists are included on the audit team it is important that resources cooperate effectively, and that any conclusions drawn by the SPA specialists are an integrated and relevant part of the audit approach. To this end it is important that SPA involvement is initiated at an early stage of planning.

The general guidance that follows is based on the flowchart below, which indicates the main issues to consider. Start your evaluation at the top (red arrow), and work through each point, step by step. The evaluation and adjustments made should be documented in the table included below. For most clients the procedure will have to be repeated for each main process, and for each main IT system (or portfolio of systems). This is because the complexity of processes and systems varies, and the audit approach will also vary based on the risk of each financial area/process.
The evaluation, documentation and testing of relevant IT general controls depends mainly on whether or not we assess that a key risk related to IT exists for which substantive testing would not be efficient in controlling the risk. We also need to evaluate whether we plan to gain comfort from automated application controls, or from manual controls/business process reviews that use computer-generated information.
1. Evaluation of process complexity

Procedures

1. Evaluate and conclude whether or not each business process is complex. The evaluation could be based on show-me meetings or previous experience with the company. Each process should be named and an overall evaluation documented in the table below. The conclusion should be clearly stated as "yes" or "no".
2. If complex processes exist, these processes should be flowcharted together with relevant systems and outputs. You must therefore accommodate the necessary audit steps to ensure that the relevant processes are flowcharted. Enter a link to the steps in the table.
Consider documenting the procedures performed in the following table:

1. Evaluate and conclude whether or not the company has complex business processes.
2. Link to process flowcharting.

Columns: Process name | Process evaluation (short) | Complex (Y/N) | Link to process flowcharting
Example row: Enter process name, e.g. Invoicing | Enter a description of the process that focuses on elements that might imply complexity or non-complexity of the process… | Y/N | Enter link to relevant steps
Further rows: Salary, Purchasing, etc.
Guidance

When is a business process complex?

Evaluation of business process complexity is not an objective science, but will depend on the auditor's professional judgment. It might be helpful to think in terms of complexity indicators, which might for example include that the process involves:
- many persons and departments, and the relations between these are unclear or complex
- a large number of actions and decisions in a process flow
- a large number of manual procedures to be performed
- advanced processing of data based on complex formulas and a large number of data inputs
Why evaluate process complexity?
In planning an audit approach it is vital to understand the client's processes, and how they are implemented. This is because internal controls will be implemented through these processes, and their efficiency will affect our choice of audit approach. When a business process becomes complex, it is useful to use flowcharting as a tool to document and evaluate the process, including controls, systems and outputs.
Why perform flowcharting?
Flowcharting is primarily a tool for workshops and communication about processes, but at the same time we produce easy-to-read documentation that can be carried forward in our audit file from year to year. Very often our clients find it useful and valuable to participate in flowcharting, because it gives a clearer view of their internal processes and might reveal improvement opportunities.
2. Evaluation of system complexity

Procedures

1. Evaluate and conclude whether or not the company has complex IT systems. Enter each relevant system into the table below. For each system document an overall evaluation of system complexity. The conclusion for each system should be clearly stated as "yes" or "no".
2. If complex systems are present you should involve SPA personnel. Make sure that SPA involvement is included in the audit planning. Confirm SPA involvement in the table, and link to relevant planning steps.

Further guidance on SPA personnel involvement is given in section 5.

Document procedures in the table:

1. Evaluate and conclude whether or not the company has complex IT systems.
Columns: System name | System evaluation (short) | Complex (Y/N)
Example row: Enter system name | Enter a description of the system that focuses on elements that might imply complexity or non-complexity of the system… | Y/N

2. SPA personnel involvement.
Confirm SPA personnel involvement, and link to relevant planning steps:
Guidance

Criteria for evaluating the complexity of systems:

An evaluation of the client's complexity level in the IT systems is not purely objective. This evaluation contains a certain amount of judgement and is decided on the basis of a number of qualitative criteria in addition to objective ones. The criteria mentioned below can be used as guidance for evaluation of the systems' complexity.

Standard systems versus in-house systems

Standard systems:
- system complexity
- market share
- scope of parameter settings for implementation and operation
- new implementation
- level of customization (changes from the vendor's original layout and type of changes, i.e. just report changes or changes to the data treatment)

In-house systems:
- system complexity
- period since last significant change in logistics/structure
- what consequences changes have had for the accounting system
- new implementation and period in operation

Size and complexity of IT environment

(Please note that a complex environment does not necessarily mean that the systems are complex, or vice versa.)
- number of applications producing accounting data
- network size, LAN versus WAN
- number of servers/clients
- number of users
- processing outsourced to an ASP supplier (Application Service Provider)
- data/connectivity outsourced to an ISP supplier (Infrastructure Service Provider)

Sensitivity in accounting data and risk of non-compliance
- stock exchange listing or pending listing
- concession terms from the Data Inspectorate
- assurance of values reflected in the accounting data

Number of transactions
- is the number of transactions so high that it would be difficult for the users to identify and correct errors in the data processing?
Volume of system-generated items and complex calculations
- volume
- complex calculations
- how easily can the auditor verify the calculations?
- volume of system-generated transactions versus manual transactions

Transactions generated from Internet or EDI
- significance and volume of such transactions via internet and/or EDI

Lack of, or complex, audit trail
- can the client document a clear and reliable audit trail, or is the audit trail complex, unclear or lacking? (If the client has problems in documenting the audit trail, the auditor can carry this out as assistance.)
3. Evaluate risk of material misstatement related to IT

Procedures

1. Document significant changes, known problems or other issues relating to existing information systems and technology that may influence our approach in the table below.
2. Evaluate whether the issues, changes or problems imply any risk of material misstatement in the entity. Document your conclusion on risk in the table.
3. Decide whether a substantive testing approach will be efficient in controlling this risk. Document your conclusion in the table.
4. Document the chosen approach based on the above. This documentation should be linked to the SoC – Summary of Comfort, whether or not it was a change to a planned step or a new step to the original plan. In addition, when a risk of material misstatement is identified which is likely to be a Key risk, this risk should be linked to the Audit Comfort Matrix – ACM as well.

Guidance

Factors that may be included in this evaluation are presented below.

System changes:
- Have any new databases or systems, including operational systems, been implemented? How significant are these new databases or systems for the business and its financial statements? (For instance, has management implemented systems for electronic handling of key processes, for instance internet-based? If so, is maintenance of the system carried out internally or externally?)
- Was the implementation successful? Which problems have been found in the systems and how were the problems solved?
- Has a conversion of data been made as a result of the new database / systems / maintenance? Which data were converted? Have problems arisen as a result of the conversion?
- What is the routine for making changes to the existing systems? Have significant changes been made? Have changes been made to the automatic controls of the systems?
- Have data been moved to new IT environments such as internet-based solutions?
- Have the system programmes been significantly upgraded?
- Have significant changes been made to the network (such as installation of wireless technology)?
- Have end users been involved in the design of changes, or in the testing and acceptance process of changes?
- Has internal audit been involved in the system changes?
- Has a review of the systems been made before or after implementation? If so, obtain copies of these reports.
- Generally, which changes in the information systems and technology have been planned, long term and for the next 12 months?
Known problems:
- How does management obtain information relating to system problems?
- Do any significant problems or inadequacies exist in system functionality? If so, are there any bypassing procedures (fix-it programmes etc.)?
- Have there been significant problems relating to operational failure, security incidents or changes to fixed data? If so, what was management's response to these problems, and how does management obtain assurance of the solution?
- Have internal audit or others issued reports concerning known problems relating to information systems, the data environment or applications?
- Which are the most common system problems reported?
4. Conclude on testing approach

Procedures

1. Based on your knowledge of the control environment, processes and IT, document your testing approach, and whether or not you plan to get comfort from testing of control activities.
   a) For areas where you plan to rely on IT-based controls: document your testing approach and your approach to ITGCs and process flowcharting.
   b) For areas where you plan to rely on non-IT-based controls: document your approach.
   c) For areas where you will not rely on testing of controls: evaluate whether substantive testing will include computer-based information. If yes, document your approach to ITGCs.
Document procedures in the table:

Columns: Area | 1. Testing approach (short description) | Categorize approach: a) IT-based controls, b) Non-IT controls, c) Substantive | Document revisions to audit planning. Specify approach to ITGCs and process flowcharting. For c): specify computer-based testing.
Example row: Enter area name | Enter short description of testing approach for this area | Enter category a), b) or c) | (revisions to planning for this area)
5. Consider involving SPA personnel in audit assignments

Consider whether SPA personnel should be involved in the audit assignment. Involving SPA specialists is mandatory on:
- clients with complex IT systems
- clients where the risk of material errors has been identified in significant systems and where substantive testing is not possible or practical
The table below is used as guidance to determine appropriate SPA involvement.

Recommended SPA participation (columns: Complex systems; Less complex systems, split into Auditors and SPA):
- Identify and document significant processes and systems: complex systems: Combined team; less complex systems: Auditors X, SPA *
- Document and evaluate controls other than general computer controls, for example application controls: complex systems: Combined team; less complex systems: Auditors X, SPA *
- Validate controls: complex systems: Combined team; less complex systems: Auditors X, SPA *
- Document, evaluate and validate general computer controls: complex systems: SPA; less complex systems: Combined team
* SPA personnel should be involved if there is uncertainty about the complexity level and the approach, or if assistance is required for documentation, evaluation and testing of controls.

If involving SPA personnel is considered necessary based on the above criteria but the Engagement Leader still decides not to involve them, this decision must be made in consultation with SPA personnel. The conclusion and discussion must be documented in the Engagement Leader Sign-Off step in section 1800. In such a situation the engagement leader's sign-off on the competence of the team should include a comment on this, and it should be expected that the audit team includes someone who has the capability to address the work otherwise performed by SPA resources.

The audit team may evaluate and, when applicable, test the IT general controls if the system is simple (not complex). However, this requires that the audit team includes personnel with sufficient knowledge to perform these procedures.

If we do not plan to obtain comfort from the client's automated application controls or from manual controls/business process reviews based on computer-generated information, we do not need to evaluate and, when applicable, test the IT general controls. However, if our substantive testing will somehow be based on computer-generated information, basically reports or documents, we do need to evaluate and, when applicable, validate IT general controls.

How do we work with SPA personnel?
- SPA personnel must be an integrated part of the audit team
- SPA personnel must take part in the start-up and planning phase in order to fully utilize their skills and availability, and participate in the kick-off meeting
- The Team Manager (and others) must familiarize themselves with the client's IT systems and factors that may influence the risk of material misstatements related to IT
- We must clarify expectations and division of duties between SPA and the audit team, and SPA personnel should participate in Taking Stock meetings
When SPA personnel participate in the audit, the Team Manager and responsible SPA personnel should always agree on the following:
- type, timing and scope of SPA involvement on the assignment
- issues that should receive special attention
- how identified weaknesses in internal control routines should be documented and reported to the client
- how SPA personnel and the Team Manager should perform review of work carried out
- how SPA should contribute by reviewing the SoC – Summary of Comfort
- how SPA should contribute on the Internal Control Framework Components and ITGCs work (coaching, consulting, completing)
4423.0.1 Contribution of ITGCs to Audit Comfort

Information Technology General Controls (ITGCs) will often contribute indirectly to the achievement of many or all financial statement assertions. In some instances, ITGCs may contribute directly to the achievement of information processing objectives and financial statement assertions. This is because effective ITGCs ensure the continued effective operation of application controls and automated accounting procedures that depend on computer processes. ITGCs are also important when manual controls depend on application-generated information.

If the controls to be tested depend upon other controls (indirect controls), we should consider whether it is necessary to validate those indirect controls. Thus, if reliance on automated application controls, automated accounting procedures, or controls that depend on application-generated information is planned, validation of relevant ITGCs is required. Audit teams should document a clear link between key ITGCs and:
- key automated application controls and interfaces,
- key automated accounting procedures, and
- system-generated data and reports used in key manual controls or in the generation of manual journal entries.

Because controls over program changes, computer operations and access to programs and data impact the continued effective operation of the application-driven components, testing of controls in these three areas is required.

Example – Linkage of Automated Application Controls to ITGCs

Automated application controls are controls designed into a computer application that help to achieve information processing objectives. For example, many applications include a number of edit checks designed to help ensure that input data is accurate. These edit checks might include format checks (i.e., date or number), existence checks (i.e., customer number exists on customer master file), or reasonableness checks (i.e., maximum payment amount). When an input data element fails an edit check, that input data may be rejected or it may be pulled into an application-generated exception report for subsequent follow-up and resolution.

If ITGC weaknesses are noted in the computing environment supporting an application with key edit checks, we may be unable to rely on those edit checks continuing to operate as intended. For example, a program change deficiency could result in an unauthorized change to the programming logic that checks the format of an input data field such that inaccurate data is allowed into the application. Furthermore, a deficiency related to security and access rights could allow inappropriate bypassing of a reasonableness check that would otherwise prevent the processing of payments in excess of a maximum tolerable threshold.
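To make the edit checks described above concrete, here is an added illustration in Python (it is not part of the PwC guide): a validation routine that applies a format check to a date field, an existence check of the customer number against a customer master file, and a reasonableness check against a maximum payment amount, rejecting the record and writing each failure to an exception report. The record layout, the customer master, the 50,000.00 payment limit and the sample batch are all constructed for the example.

```python
"""Input edit checks with an exception report: format, existence and
reasonableness checks on payment records.  Added illustration, not PwC
material; the record layout, customer master file, payment limit and
sample batch are constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

# Constructed customer master file; the existence check looks numbers up here.
CUSTOMER_MASTER = {"C-1001", "C-1002", "C-1003"}

# Constructed reasonableness limit: payments above this are not processed.
MAX_PAYMENT = 50_000.00

_DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
_AMOUNT_RE = re.compile(r"^-?\d+(\.\d{1,2})?$")


@dataclass
class ExceptionItem:
    record_id: str
    field_name: str
    check: str      # "format", "existence" or "reasonableness"
    detail: str


@dataclass
class EditResult:
    accepted: list[dict] = field(default_factory=list)
    exception_report: list[ExceptionItem] = field(default_factory=list)


def format_check_date(value: str) -> bool:
    """Format check: YYYY-MM-DD and a date that exists on the calendar."""
    if not _DATE_RE.match(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def format_check_amount(value: str) -> bool:
    """Format check: a number with at most two decimals."""
    return bool(_AMOUNT_RE.match(value))


def existence_check_customer(customer_no: str, master: set[str] = CUSTOMER_MASTER) -> bool:
    """Existence check: the customer number must be on the master file."""
    return customer_no in master


def reasonableness_check_amount(amount: float, limit: float = MAX_PAYMENT) -> bool:
    """Reasonableness check: positive and not above the maximum payment."""
    return 0 < amount <= limit


def run_edit_checks(records: list[dict]) -> EditResult:
    """Apply every check to every record.  A record with any failure is
    rejected and each failure is written to the exception report for
    follow-up; clean records are accepted for processing."""
    result = EditResult()
    for rec in records:
        rid = rec["id"]
        failures: list[ExceptionItem] = []
        if not format_check_date(rec["date"]):
            failures.append(ExceptionItem(rid, "date", "format",
                                          f"not a valid YYYY-MM-DD date: {rec['date']!r}"))
        if not format_check_amount(rec["amount"]):
            failures.append(ExceptionItem(rid, "amount", "format",
                                          f"not a numeric amount: {rec['amount']!r}"))
        elif not reasonableness_check_amount(float(rec["amount"])):
            failures.append(ExceptionItem(rid, "amount", "reasonableness",
                                          f"{rec['amount']} outside 0 < amount <= {MAX_PAYMENT:.2f}"))
        if not existence_check_customer(rec["customer"]):
            failures.append(ExceptionItem(rid, "customer", "existence",
                                          f"customer {rec['customer']} not on master file"))
        if failures:
            result.exception_report.extend(failures)
        else:
            result.accepted.append(rec)
    return result


# Constructed input batch: one clean record and one failure of each kind.
SAMPLE_BATCH = [
    {"id": "P-1", "date": "2024-03-15", "customer": "C-1001", "amount": "1250.00"},
    {"id": "P-2", "date": "2024-02-30", "customer": "C-1002", "amount": "300.00"},    # format
    {"id": "P-3", "date": "2024-03-16", "customer": "C-9999", "amount": "75.50"},     # existence
    {"id": "P-4", "date": "2024-03-16", "customer": "C-1003", "amount": "75000.00"},  # reasonableness
]

if __name__ == "__main__":
    res = run_edit_checks(SAMPLE_BATCH)
    print("accepted:", [r["id"] for r in res.accepted])
    for item in res.exception_report:
        print(f"{item.record_id:5} {item.field_name:9} {item.check:14} {item.detail}")
```

The guide's point follows directly from the structure of the code: MAX_PAYMENT and CUSTOMER_MASTER are data the program trusts, and run_edit_checks is logic the program trusts. A program change control that does not govern edits to this logic, or access control that lets a user alter the limit or the master file, removes the basis for relying on the check even though the check itself is well designed.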
Figure 1 – Overview of Linkage of Information Technology General Controls to Audit Comfort

Legend
1. Management implies certain assertions about its financial statements by publishing those statements.
2. Financial statement line items represent account balances that have been derived from one or more transactions.
3. Transactions are often grouped into sub-processes when common processing exists for different transaction types.
4. Sub-processes are grouped into processes to enable effective management oversight.
5. Management has objectives regarding the processing of its transactions.
6. There are risks to the achievement of information processing objectives.
7. Management implements application controls to mitigate risks to the information processing objectives.
8. Management implements business performance reviews to identify potential anomalies in financial results.
9. Management evaluates whether financial anomalies are the result of application control breakdowns.
10. Certain manual application controls and business performance reviews use reports generated by computer applications.
11. Effective Information Technology General Controls support management's reliance on automated application controls, automated accounting procedures, or manual controls that use application-generated reports.
12. Effective application controls contribute directly to comfort over financial statement assertions.

Example – Linkage of Automated Accounting Procedures to ITGCs

Automated accounting procedures are calculations, classifications, estimates, or other accounting procedures that are performed by a computer application instead of a person. For example, an investment accounting application may be programmed to calculate market value for different types of investments according to the business rules for that type of investment, a loan application may automatically calculate amortization schedules based on the loan terms entered by the user, or an accounts receivable application may be programmed to classify receivables into their appropriate aging categories.

ITGC weaknesses may impact our ability to rely on automated accounting procedures designed into the client's application. For example, if critical program development controls are missing, it may be difficult to establish whether management has adequately tested that an automated accounting procedure works as intended without substantively validating the calculation. As another example, control weaknesses that permit unauthorized program access could provide the opportunity for management to override the results of automated accounting procedures, which could have an impact on our assessment of fraud risk at the client.

Example – Linkage of Application-Generated Reports to ITGCs

Application-generated reports are often used in the execution of a manual control, including business performance reviews.
In order to assess the effectiveness of manual controls that use application-generated reports, it is necessary to understand the effectiveness of ITGCs related to the computing environment that produces the reports and protects the data that feeds them. One example of such a control is a completeness control that involves the use of pre-numbered documents. As transactions are input, missing and duplicate document numbers are identified and pulled into an exception report for follow-up and resolution. To effect this control, a user may receive a report of all missing or duplicate items that is used in support of a key account reconciliation.

Weaknesses in computer operations may impact our ability to rely on the reconciliation control because the integrity of the data being used is in question. For example, weak batch processing controls may result in the wrong input file being used, which could potentially lead to inaccurate presentation of missing or duplicate documents in the exception report. In addition, program change weaknesses could result in unauthorized or unintended changes to the programming logic that result in exceptions not being accurately reflected in the report.

These are a few simple examples that illustrate how weaknesses in ITGCs can impact our ability to rely on automated application controls, automated accounting procedures, and system-generated data and reports used in key manual controls or in the generation of manual journal entries. As these examples highlight, evaluation of the design and operating effectiveness of ITGCs is an important contribution to our audit comfort when these situations exist. If the audit team intends to place continuous reliance on automated controls or to assume a controls reliance strategy in the financial statement audit, the team must assess the potential impact of all known ITGC weaknesses on the integrity of each underlying application control that the ITGCs were designed to protect.
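The pre-numbered document completeness control described above, as an added Python illustration that is not part of the PwC guide: a batch file of document numbers and amounts is read, every number missing from the expected range and every duplicate or out-of-range number is pulled into an exception report, and the detail amounts are reconciled to the control total recorded in the batch header, which is the check that catches the "wrong input file" computer-operations failure mentioned in the text. The file layout, the number range and all amounts are constructed.

```python
"""Completeness control over pre-numbered documents with a batch control
total.  Added illustration, not PwC material; the file layout, the number
range 1001-1010 and all amounts are constructed for the example."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CompletenessReport:
    expected_range: tuple[int, int]
    missing: list[int] = field(default_factory=list)
    duplicates: dict[int, int] = field(default_factory=dict)  # number -> occurrences
    out_of_range: list[int] = field(default_factory=list)
    control_total_ok: bool = True

    @property
    def has_exceptions(self) -> bool:
        return (bool(self.missing or self.duplicates or self.out_of_range)
                or not self.control_total_ok)


def completeness_check(document_numbers: list[int], first: int, last: int,
                       amounts: list[float] | None = None,
                       expected_control_total: float | None = None) -> CompletenessReport:
    """Compare the documents input with the expected pre-numbered range.

    Missing, duplicate and out-of-range numbers are collected for the
    exception report.  If amounts and a control total are supplied, the
    detail amounts are also reconciled to that total: a mismatch means the
    batch processed is not the one that was prepared (wrong or truncated file)."""
    report = CompletenessReport((first, last))
    seen: dict[int, int] = {}
    for n in document_numbers:
        seen[n] = seen.get(n, 0) + 1
    report.missing = [n for n in range(first, last + 1) if n not in seen]
    report.duplicates = {n: c for n, c in sorted(seen.items()) if c > 1}
    report.out_of_range = sorted(n for n in seen if n < first or n > last)
    if amounts is not None and expected_control_total is not None:
        report.control_total_ok = abs(sum(amounts) - expected_control_total) < 0.005
    return report


# Constructed batch file.  The header line records the pre-numbered range and
# the control total taken when the batch was prepared; detail lines are
# DOCNO,AMOUNT.  1003 and 1009 are missing, 1004 is keyed twice and 1012 does
# not belong to this batch.
SAMPLE_BATCH_FILE = """\
BATCH,1001,1010,4735.00
1001,500.00
1002,120.00
1004,300.00
1004,300.00
1005,1200.00
1006,65.00
1007,900.00
1008,450.00
1010,600.00
1012,300.00
"""


def parse_batch(text: str) -> tuple[int, int, float, list[int], list[float]]:
    """Parse the constructed BATCH layout into (first, last, total, numbers, amounts)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    tag, first, last, total = lines[0].split(",")
    if tag != "BATCH":
        raise ValueError("missing BATCH header")
    numbers: list[int] = []
    amounts: list[float] = []
    for ln in lines[1:]:
        docno, amount = ln.split(",")
        numbers.append(int(docno))
        amounts.append(float(amount))
    return int(first), int(last), float(total), numbers, amounts


def run_completeness_control(text: str) -> CompletenessReport:
    first, last, total, numbers, amounts = parse_batch(text)
    return completeness_check(numbers, first, last, amounts, total)


def format_exception_report(report: CompletenessReport) -> list[str]:
    """Render the exceptions as the lines a user would follow up and resolve."""
    lines = [f"Expected document numbers {report.expected_range[0]}-{report.expected_range[1]}"]
    lines += [f"MISSING   {n}" for n in report.missing]
    lines += [f"DUPLICATE {n} (x{c})" for n, c in report.duplicates.items()]
    lines += [f"OUTSIDE   {n}" for n in report.out_of_range]
    if not report.control_total_ok:
        lines.append("CONTROL TOTAL MISMATCH: batch amounts do not agree with header total")
    return lines


if __name__ == "__main__":
    print("\n".join(format_exception_report(run_completeness_control(SAMPLE_BATCH_FILE))))
```

The reconciliation performed by the user is only as good as this report, which is why the text ties it back to ITGCs: the control-total line is the defence against the wrong batch being processed, and the gap and duplicate logic is what a program change control has to protect from unauthorized alteration.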
4423.0.2 Management's Internal Control Framework - Information Technology

As described in PwC Audit 4220, an entity's internal control framework comprises interrelated components that exist at any level of the organisation (i.e., at the entity, management unit and/or business process level). The internal control components, excluding control activities, may have less tangible elements or controls such as "tone at the top." Consequently, these components are more judgmental in nature and may have a pervasive effect on the overall system of control activities. The evaluation and testing of these components should be considered first, to determine the impact on the extent of testing of control activities as well as the impact on our audit strategy and plan, as early in the audit process as practical.

As described in PwC Audit 4220, the audit team should document an understanding of, and evaluate the design of, the programs and controls implemented to address the internal control components that it has determined are relevant to financial reporting at the entity and business unit level, to the extent necessary to assess the risk of material misstatement and plan the audit. When information technology general controls (ITGCs) are relevant to preserving the integrity of data and key application controls in a system of internal controls over financial reporting, we should evaluate the effectiveness of the internal control components, other than control activities, over IT and consider the results of that work when planning our approach for evaluating ITGCs.

No two entities will approach internal controls in exactly the same way. Programs or controls implemented over IT to address the relevant internal control components should reflect how management approaches the entity's information technology needs and should serve to promote the ongoing effectiveness of ITGCs that, in turn, preserve the integrity of key financial applications and data.
The quality and effectiveness of these programs or controls over IT are factors to be considered (along with other factors, such as inherent risks and the scope of key automated application controls) when determining the nature, timing and extent of our testing of ITGCs. The types of activities and controls that might be relevant to our evaluation of these components over IT include:
1. The manner in which IT roles and responsibilities are defined and understood, including ownership and accountability for internal control
2. How proper segregation of duties among key IT functions is accomplished
3. The nature of IT management's operating style and attitude towards internal control
4. The means by which the IT organisation and its leadership promote a strong control environment, including adoption of or participation in broader entity-level control activities
5. Human resource practices in IT that promote integrity and reflect a commitment to competence
6. The manner of governance and oversight of the IT function, including the level of interaction with executive management, the Board, and the Audit Committee regarding the results of monitoring activities and identified IT control weaknesses
7. The means by which IT and Finance communicate and collaborate on matters relevant to internal control over financial reporting
8. Policies and procedures designed to preserve the integrity of key financial applications and data, both within IT and outside the IT function where applicable
9. How the company distinguishes routine program maintenance from program development activities and their related ITGCs
10. How changes in people, processes, systems, technologies and business conditions are monitored and addressed from an overall IT controls perspective
11. How management tracks, responds to and ensures appropriate resolution of incidents that reflect possible control issues, such as significant security breaches or data corruption problems.

Internal control components related to IT include the means by which ITGCs are monitored for ongoing effectiveness (e.g., through some combination of direct supervisory controls, quality assurance reviews, internal audits, regulatory reviews, or others).
4423.1 Understand, evaluate and validate: program development

The domain objective for program development is: "To ensure that systems are developed, configured, and implemented to achieve management's application control objectives." The typical subcomponents of program development include:
- Management of development and implementation activities
- Project initiation, analysis and design
- Construction / package selection
- Testing and quality assurance
- Data conversion
- Program implementation
- Documentation and training
- Segregation of duties
This domain is relevant only where significant development, implementation, or conversion projects exist or are anticipated. The following points of focus may be helpful for identifying ITGCs in this domain that are relevant to internal controls over financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other risk factors may exist that will need to be considered. It is necessary to determine relevant activities and controls based on the entity's unique IT environment.
Overall Management of Program Development Activities

Management should establish a process for controlling program development activities, including major system enhancements, and should monitor the effectiveness of that process. Consider the following:
- Does the company employ a formal methodology and/or clear policies and procedures that govern program development activities?
- How does management ensure that comprehensive implementation plans are developed and executed upon for all significant projects, including consideration of desired system functionality, internal controls over financial reporting, and proper security and access controls?
- How has management documented and communicated roles and responsibilities to individuals engaged in program development activities?
- How does management ensure that appropriate business sponsors and IT project leads are involved in defining business requirements, test plans, and test results?
- How does management monitor program development activities and related controls?

Project Initiation, Analysis and Design

Project initiation controls should ensure that projects are planned, resourced, and mobilized to support the achievement of management's application control objectives. Consider the following:
·How does management ensure that development efforts are aligned with overall business and internal control objectives? ·How does management ensure that each project team contains the requisite business and technology skills, including knowledge of internal co ntrols? ·How does management ensure that business sponsors and data owners are identified for all projects? ·How does management ensure that system requirements are consistently developed in sufficient detail? ·How does management ensure that project teams consider system and interface dependencies, internal control requirements and security requirements for every project? ·How does management ensure that business sponsor approval has been obtained prior to moving to the construction phase of the project?
Construction/Package Selection Construction and package selection controls should ensure that in-house program development activities and the selection of packaged software are performed to support the achievement management's application control objectives. Consider the following:
How does management ensure use of programming standards for in-house developed applications? How does management ensure consistent application of control over the selection, customization and implementation of purchased software packages? How does management ensure that version control is in place for all systems? How does management ensure that dependencies between and among integrated applications and data files are identified and considered?
Testing and Quality Assurance
Testing and quality assurance controls should ensure that an adequate level of testing is performed by appropriate personnel to determine that the new system functions as intended and achieves management's application control objectives. Consider the following:
·How does management ensure that test plans are sufficient to address requirements defined in the analysis and design phase?
·How does management determine the nature and extent of testing (i.e. unit, user, regression testing)?
·How does management ensure that appropriate testing is performed and approved by relevant IT and/or business unit personnel?
·How does management ensure that the design and operating effectiveness of new or changed internal controls over financial reporting have been sufficiently addressed during testing?
·How does management ensure that programs are not modified after testing before implementation in production?
·How does management ensure the controlled migration of code between logical environments?
·How does management ensure that configuration options selected for packaged applications achieve business and control requirements?
Data Conversion
Data conversion controls should ensure that data is converted completely and accurately to new systems. Consider the following:
·How does management ensure data fields are properly mapped from legacy to target systems?
·How does management ensure that converted data remains complete, accurate, and valid?
·How does management ensure that critical system interfaces are considered in data conversion plans?
Program Implementation
Program implementation controls should ensure that new systems are implemented in the live environment only after adequate testing has been performed, business sponsor approval has been obtained, and proper implementation and back-out plans have been developed. Consider the following:
·How does management ensure that all program implementations are approved by appropriate business sponsors and IT management?
·How does management ensure that a consistent process is followed when making all go-live decisions (i.e., implementation plans, back-out procedures, etc.)?
·How does management ensure that the version of the program implemented in production is the most recent version that had been tested and approved by the business sponsors?
·If the program is run at multiple sites, how does management ensure that all copies of the program have been updated with the correct version?
·How does management ensure that significant implementation risks, particularly in a complex implementation, are addressed in the post-implementation period (e.g. post-implementation reviews, shake-down controls, etc.)?
Documentation and Training
Documentation and training controls should ensure that end users and technical support personnel are provided with adequate documentation and training concurrently with program implementation. Consider the following:
·How does management ensure that user and technical documentation are developed and communicated in a timely manner for all new systems?
·How does management ensure that users and IT personnel receive adequate training on all new systems and related internal controls?
Segregation of Duties
Segregation of duties controls should ensure that the roles and responsibilities throughout the program development process have been appropriately restricted and segregated. Consider the following:
·How does management ensure that responsibilities throughout the program development process are adequately segregated?
·How does management ensure that separate environments are maintained for development, testing and production, and that only appropriately authorized individuals have access to each of those environments?
4423.2 Understand, evaluate and validate: program changes
The domain objective for program changes is: "To ensure that changes to programs and related infrastructure components are requested, authorized, performed, tested, and implemented to achieve management's application control objectives." The typical subcomponents of program change include:
·Management of maintenance activities
·Specification, authorization and tracking of change requests
·Construction
·Testing and quality assurance
·Program implementation
·Documentation and training
·Segregation of duties
Once financially significant applications have been identified in scoping, the following points of focus may be helpful for identifying ITGCs in this domain that are relevant to internal controls over financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other risk factors may exist that will need to be considered. It is necessary to determine relevant activities and controls based on the entity's unique IT environment.
Management of Maintenance Activities
Management should establish a process for controlling program changes and should monitor the effectiveness of that process. Consider the following:
·How does management ensure that a controlled process is followed for all system changes across application programs, infrastructure components, management units, and locations?
·How has management documented and communicated change management policies and procedures?
·How has management documented and communicated change management roles and responsibilities?
·How does management monitor compliance with implemented program change controls?
Specification, Authorization and Tracking of Change Requests
Change request controls should ensure that user requests are captured, authorized, and prioritized to support the achievement of management's application control objectives. Consider the following:
·How does management ensure that all user requests for changes are captured?
·How does management ensure that all user change requests are evidenced as authorized by an appropriate level of management?
·How does management ensure that requests identified as a result of problem management activities are considered along with user change requests?
·How does management consider the potential impact of requested changes on internal controls over financial reporting?
Construction
Construction controls should ensure that changes are developed and performed to support the achievement of management's application control objectives. Consider the following:
·How does management ensure use of programming standards for in-house developed applications?
·How does management ensure that version control is in place for all systems?
·How does management ensure that dependencies between and among integrated applications and data files are identified and considered?
Testing and Quality Assurance
Testing and quality assurance controls should ensure that an adequate level of testing is performed by appropriate personnel to determine that the program continues to work as intended and achieve management's application control objectives. Consider the following:
·How does management determine the nature and extent of testing for each change (i.e. unit, user, regression)?
·How does management ensure that testing performed addresses both the change made, as well as significant functionality within the system that should not have changed?
·How does management ensure the appropriate users and management are involved in testing to properly address the impact of changes on internal controls over financial reporting?
·How does management obtain evidence of user acceptance of the change prior to implementation in production?
·How does management ensure the controlled migration of code between logical environments?
·How does management ensure that modified configuration options continue to achieve business and control requirements?
Program Implementation
Program implementation controls should ensure that changes are implemented in the live environment by appropriate personnel only after adequate testing has been performed and the proper business user management approvals have been obtained. Consider the following:
·How does management ensure that all program implementations are approved by business users and/or IT management prior to implementation?
·How does management ensure that a controlled process is followed when implementing changes in production?
·How does management ensure that emergency changes are captured, documented, and approved subsequent to production implementation?
·How does management ensure that only appropriate and authorized personnel have access to move program changes into the production environment?
·How does management ensure that the version of the program implemented in production is the most recent version that had been tested and approved by business user management?
·If the program is run at multiple sites, how does management ensure that all copies of the program have been updated with the correct version?
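The two questions above (is the production copy the latest tested and approved version, and do all sites run that same copy?) are usually answered by comparing what is deployed against a release record. The following is an added illustration and not part of the PwC guidance: a Python check that takes a constructed release log, the hash recorded for the approved build, and the (constructed) bytes installed at hypothetical sites, and reports which sites diverge. Version numbers, site names and the "GL posting module" artifact are all made up for the example.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hash of a deployed artifact; the same value is recorded at sign-off."""
    return hashlib.sha256(data).hexdigest()


# Constructed release log (hypothetical versions). A build is eligible for
# production only when it was both tested and approved by business users.
RELEASE_LOG: List[Dict] = [
    {"version": "2.3.0", "tested": True, "approved": True},
    {"version": "2.3.1", "tested": True, "approved": True},
    {"version": "2.4.0", "tested": True, "approved": False},  # not yet signed off
]

# Constructed content of the approved 2.3.1 build. In practice the hash would be
# taken from the build that passed testing, not recomputed from production.
APPROVED_BUILD = b"GL posting module v2.3.1"
APPROVED_SHA256 = sha256_hex(APPROVED_BUILD)

# Constructed: the program bytes actually installed at each hypothetical site.
SITE_ARTIFACTS: Dict[str, bytes] = {
    "hq": b"GL posting module v2.3.1",
    "plant-a": b"GL posting module v2.3.1",
    "plant-b": b"GL posting module v2.3.0",  # stale copy, never updated
}


def _version_key(version: str):
    """Sort key so that "2.10.0" orders after "2.9.0"."""
    return tuple(int(part) for part in version.split("."))


def latest_approved_version(log: List[Dict]) -> str:
    """Highest version that was both tested and approved."""
    eligible = [entry["version"] for entry in log
                if entry["tested"] and entry["approved"]]
    if not eligible:
        raise ValueError("no tested and approved release in the log")
    return max(eligible, key=_version_key)


def verify_sites(site_artifacts: Dict[str, bytes], approved_sha: str) -> Dict[str, bool]:
    """Per site: does the installed artifact hash match the approved build?"""
    return {site: sha256_hex(data) == approved_sha
            for site, data in site_artifacts.items()}


def sites_out_of_date(site_artifacts: Dict[str, bytes], approved_sha: str) -> List[str]:
    """Sites whose copy does not match the approved build, for follow-up."""
    results = verify_sites(site_artifacts, approved_sha)
    return sorted(site for site, ok in results.items() if not ok)


if __name__ == "__main__":
    print("latest approved version:", latest_approved_version(RELEASE_LOG))
    print("site verification:", verify_sites(SITE_ARTIFACTS, APPROVED_SHA256))
    print("out of date:", sites_out_of_date(SITE_ARTIFACTS, APPROVED_SHA256))
```

The comparison is against the hash recorded when the tested build was approved, so a program modified after testing (or a site that quietly kept an older copy) shows up as a mismatch rather than being accepted on its version string alone.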
Documentation and Training
Documentation and training controls should ensure that end user and IT support documentation and training is updated concurrently with implementation of program changes. Consider the following:
·How does management ensure that user and technical documentation are updated in a timely manner for significant changes to its systems?
·How does management ensure that users and IT personnel receive adequate training on any significant system changes, including any resulting changes to internal controls over financial reporting?
Segregation of Duties
Segregation of duties controls should ensure that the roles and responsibilities throughout the program change process have been appropriately restricted and segregated. Consider the following:
·How does management ensure that responsibilities throughout the program change process are adequately segregated?
·How does management ensure that separate environments are maintained for development, testing and production and only the appropriate individuals have access to each of those environments?
·How are segregation of duties controls maintained over time?
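The segregation of duties questions in this domain and in program development (4423.1) both reduce to the same evidence: who holds rights in which environment, which combinations conflict, and what changed since the last review. The following is an added illustration and not part of the PwC guidance: a Python check over a constructed access matrix with hypothetical user names and right names ("dev", "test", "prod", and "deploy" for the ability to migrate code into production) that lists conflicting combinations per user and the rights added since a previous snapshot.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample access matrix: user -> rights held. All names are hypothetical.
# "deploy" stands for the right to move program changes into production.
ACCESS_MATRIX: Dict[str, Set[str]] = {
    "alice": {"dev", "test"},
    "bob": {"dev", "prod"},              # developer with direct production access
    "carol": {"dev", "test", "deploy"},  # developer who can migrate own changes
    "dave": {"prod"},
    "erin": {"deploy"},
}

# Right combinations one person should not hold across the development and
# change process (developing, testing and releasing the same code).
CONFLICTING_PAIRS: List[Tuple[str, str]] = [
    ("dev", "prod"),
    ("dev", "deploy"),
    ("test", "deploy"),
]

# Constructed snapshot taken at the previous review, used to show change over time.
PREVIOUS_MATRIX: Dict[str, Set[str]] = {
    "alice": {"dev", "test"},
    "bob": {"dev"},
    "carol": {"dev", "test"},
    "dave": {"prod"},
}


def find_sod_conflicts(matrix: Dict[str, Set[str]],
                       pairs: List[Tuple[str, str]] = CONFLICTING_PAIRS
                       ) -> Dict[str, List[Tuple[str, str]]]:
    """Per user, the conflicting right pairs that user currently holds."""
    conflicts: Dict[str, List[Tuple[str, str]]] = {}
    for user, rights in matrix.items():
        hits = [pair for pair in pairs if pair[0] in rights and pair[1] in rights]
        if hits:
            conflicts[user] = hits
    return conflicts


def rights_added_since(previous: Dict[str, Set[str]],
                       current: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Rights held now that were absent at the last review; a user not present
    in the previous snapshot counts as entirely new."""
    added: Dict[str, Set[str]] = {}
    for user, rights in current.items():
        new_rights = rights - previous.get(user, set())
        if new_rights:
            added[user] = new_rights
    return added


if __name__ == "__main__":
    for user, hits in find_sod_conflicts(ACCESS_MATRIX).items():
        print(f"{user}: holds conflicting rights {hits}")
    print("added since last review:", rights_added_since(PREVIOUS_MATRIX, ACCESS_MATRIX))
```

Run periodically against an export of environment membership, the second function answers "how are segregation of duties controls maintained over time": every right granted between reviews is listed for the reviewer, and any that creates a conflict is caught by the first function on the same run.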
4423.3 Understand, evaluate and validate: access to programs and data
The domain objective for access to programs and data is: "To ensure that only authorized access is granted to programs and data upon authentication of a user's identity." The subcomponents of access to programs and data typically include:
·Management of security activities
·Security administration
·Data security
·Operating system security
·Network security
·Physical security
Once financially significant applications have been identified in scoping, the following points of focus may be helpful for identifying ITGCs in this domain that are relevant to internal controls over financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other risk factors may exist that will need to be considered. It is necessary to determine relevant activities and controls based on the entity's unique IT environment. In addition to the following points of focus, also consider using any applicable technical platform practice aids and work programs that are available in Guardian to assist in your evaluation of controls over access to programs and data.
Management of Security Activities
A security function and related policies and procedures should be designed and implemented to support the information integrity objectives of the entity. Consider the following:
·How does management ensure that business unit management is appropriately included in the information security function from a data ownership perspective?
·How has management documented and communicated security roles and responsibilities?
·How has management defined, documented, and communicated security policies and procedures applicable to all relevant technology components?
·How does management ensure that security policies and procedures are updated on a regular basis and as changes occur to technology components?
·How does management periodically educate IT and business users regarding their security responsibilities and related policies and procedures?
Security Administration
Security administration activities should ensure that access to applications, data, and operating systems is appropriately restricted to only authorized individuals whose access rights are commensurate with their job responsibilities and with management's control objectives. Consider the following:
·Have access rights been defined and established by appropriate levels of IT and business unit management to achieve relevant control objectives, including segregation of duties objectives in both IT and in business processes? Consider access to:
o Applications
o Application data outside applications
o Operating system
·How has management designed security administration controls to ensure that access rights in the following areas are properly granted, changed and removed as needed, only upon approval by appropriate management personnel?
o Applications
o Application data outside applications
o Operating system
·How does the security administration function facilitate periodic reviews of user access by business unit management to ensure that access remains commensurate with job responsibilities over time:
o Applications
o Application data outside applications
·How has management defined and linked segregation of duties objectives within the business processes to the approval and periodic reviews of access rights?
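A periodic user access review of the kind the questions above describe reconciles three sources: the accounts and rights actually present in the application, the HR roster (is the person still employed, what is their role), and the entitlements management approved for each role. The following is an added illustration and not part of the PwC guidance: a Python reconciliation over constructed data with hypothetical user IDs, roles and entitlement names, producing the three exception lists a reviewer would sign off on (leavers still enabled, rights beyond the approved role, accounts with no identifiable owner).

```python
from typing import Dict, List, Set

# Constructed HR roster: account id -> employment status and job role (hypothetical).
HR_ROSTER: Dict[str, Dict[str, str]] = {
    "u100": {"status": "active", "role": "AP clerk"},
    "u101": {"status": "terminated", "role": "AP clerk"},
    "u102": {"status": "active", "role": "AP supervisor"},
}

# Constructed role design approved by business unit management: role -> allowed rights.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "AP clerk": {"AP_ENTRY"},
    "AP supervisor": {"AP_ENTRY", "AP_APPROVE"},
}

# Constructed extract of the application's security tables: account -> rights held.
APP_ACCOUNTS: Dict[str, Set[str]] = {
    "u100": {"AP_ENTRY", "AP_APPROVE"},  # clerk who can also approve (SoD issue)
    "u101": {"AP_ENTRY"},                # leaver whose account was never disabled
    "u102": {"AP_ENTRY", "AP_APPROVE"},  # matches the approved role
    "svc_batch": {"AP_ENTRY"},           # account with no HR owner
}


def review_access(accounts: Dict[str, Set[str]],
                  roster: Dict[str, Dict[str, str]],
                  entitlements: Dict[str, Set[str]]) -> Dict[str, object]:
    """Reconcile application accounts against HR status and the approved role design."""
    terminated_still_active: List[str] = []
    excess_entitlements: Dict[str, Set[str]] = {}
    unknown_accounts: List[str] = []

    for account, rights in sorted(accounts.items()):
        person = roster.get(account)
        if person is None:
            # No owner in HR: service or orphan account, needs an explicit owner and approval.
            unknown_accounts.append(account)
            continue
        if person["status"] != "active":
            # Leaver process failed: access should have been removed on termination.
            terminated_still_active.append(account)
            continue
        allowed = entitlements.get(person["role"], set())
        extra = rights - allowed
        if extra:
            # Rights beyond what the role design approves (mover or ad-hoc grants).
            excess_entitlements[account] = extra

    return {
        "terminated_still_active": terminated_still_active,
        "excess_entitlements": excess_entitlements,
        "unknown_accounts": unknown_accounts,
    }


if __name__ == "__main__":
    for finding, detail in review_access(APP_ACCOUNTS, HR_ROSTER, ROLE_ENTITLEMENTS).items():
        print(f"{finding}: {detail}")
```

Each exception list maps to one of the questions: leavers still enabled test whether access is removed as needed, excess entitlements test whether rights remain commensurate with job responsibilities, and unowned accounts test whether business unit management has a data owner to sign off the review at all.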
Data Security
Data security controls should ensure that direct access to data is limited to appropriate authorized individuals and is monitored for potential unauthorized activity. Consider the following:
·How does management ensure that all direct data access methods (i.e., access from outside of an application) have been defined and considered in designing security administration and security monitoring controls? Consider:
o Operating system commands that can be used to change information in data files or databases,
o Operating system administrator, database administrator, and other powerful IDs that can be used to change data, but would not appear in lists identifying users with access to specific data files or databases,
o Operating system and database security administration capabilities that can be used to grant access to specific data files and databases,
o Report writers and other utility programs that can be used to change data outside application systems.
·How does management ensure that data environments are configured to properly restrict access to:
o Data files and databases of financially significant applications,
o Operating system commands that can be used to change information in data files or databases,
o Operating system administrator, database administrator, and other powerful IDs that can be used to change data, but would not appear in lists identifying users with access to specific data files or databases,
o Operating system and database security administration capabilities that can be used to grant access to specific data files and databases,
o Report writers and other utility programs that can be used to change data outside application systems.
·How does management ensure that changes to data access settings (i.e., data file permissions) are completed in a controlled manner, including approval of business unit owners of access to data?
·How does management periodically review direct data access, considering the access methods identified above, to ensure that the access remains commensurate with job responsibilities?
·If direct data access is controlled using special system utilities, how does management ensure that the use of such utilities is documented, logged and reviewed on a regular basis?
·How does management monitor the data environment for potential unauthorised activity?
Operating System Security
Operating system security controls should ensure that operating system access is limited to appropriate authorized individuals and is monitored for potential unauthorized activity. Consider the following:
·How does management ensure that security configuration settings are changed in a controlled manner and remain consistent with the intended design (i.e., global security parameters, password parameters, services running, etc.)?
·How does management periodically review operating system access to ensure that the security administration process is working as intended and access remains commensurate with job responsibilities?
·How does management monitor the environment for potential unauthorised activity?
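Two of the monitoring questions above, reviewing the data environment for direct (outside-the-application) changes and checking that operating system security settings still match the intended design, can both be answered from machine-readable evidence. The following is an added illustration and not part of the PwC guidance: a Python script that (1) parses a few constructed database audit log lines in a hypothetical `user=… client=… stmt="…"` format and reports data-changing statements issued by anything other than the approved application service account, including GRANTs by powerful IDs, and (2) compares per-host security parameters against an approved baseline and reports drift, treating a missing parameter as drift. Account names, host names, parameter names and values are all constructed.

```python
import re
from typing import Any, Dict, List, Tuple

# ---- (1) direct data access monitoring ---------------------------------------

# Constructed: the only account that is supposed to write to the GL tables.
APPLICATION_ACCOUNTS = {"gl_app"}

# Statement verbs that change data or data access rather than read it.
WRITE_VERBS = ("INSERT", "UPDATE", "DELETE", "TRUNCATE", "ALTER", "DROP", "GRANT", "REVOKE")

# Constructed audit log in a hypothetical format (not any real DBMS's output).
AUDIT_LOG = """\
2024-03-01T10:02:11Z user=gl_app client=app-server-1 stmt="UPDATE gl_balances SET amount=1500 WHERE acct=4000"
2024-03-01T10:05:40Z user=dba_admin client=laptop-77 stmt="UPDATE gl_balances SET amount=0 WHERE acct=4000"
2024-03-01T10:07:02Z user=jsmith client=laptop-12 stmt="SELECT amount FROM gl_balances WHERE acct=4000"
2024-03-01T10:09:15Z user=jsmith client=laptop-12 stmt="DELETE FROM gl_journal WHERE id=9912"
2024-03-01T10:11:30Z user=dba_admin client=laptop-77 stmt="GRANT UPDATE ON gl_balances TO jsmith"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) client=(?P<client>\S+) stmt="(?P<stmt>[^"]*)"$'
)


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Turn each well-formed log line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def is_write(stmt: str) -> bool:
    """True if the statement's leading verb changes data or privileges."""
    first_word = stmt.strip().split(None, 1)[0].upper() if stmt.strip() else ""
    return first_word in WRITE_VERBS


def direct_data_changes(text: str, app_accounts=APPLICATION_ACCOUNTS) -> List[Dict[str, str]]:
    """Write statements issued by anyone other than the application account."""
    return [event for event in parse_audit_log(text)
            if is_write(event["stmt"]) and event["user"] not in app_accounts]


# ---- (2) operating system security configuration drift -----------------------

# Constructed approved baseline ("intended design") with hypothetical parameter names.
BASELINE: Dict[str, Any] = {
    "password_min_length": 12,
    "password_max_age_days": 90,
    "lockout_threshold": 5,
    "telnet_service": "disabled",
    "ssh_permit_root_login": "no",
}

# Constructed current settings collected from two hypothetical hosts.
CURRENT_SETTINGS: Dict[str, Dict[str, Any]] = {
    "erp-db-01": {"password_min_length": 12, "password_max_age_days": 90,
                  "lockout_threshold": 5, "telnet_service": "disabled",
                  "ssh_permit_root_login": "no"},
    "erp-app-01": {"password_min_length": 8, "password_max_age_days": 90,
                   "lockout_threshold": 5, "telnet_service": "enabled"},  # ssh setting absent
}


def config_drift(baseline: Dict[str, Any],
                 current: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Tuple[Any, Any]]]:
    """Per host, parameters whose value differs from baseline as (expected, actual);
    a parameter missing from the host is reported with actual=None."""
    drift: Dict[str, Dict[str, Tuple[Any, Any]]] = {}
    for host, settings in current.items():
        diffs = {key: (expected, settings.get(key))
                 for key, expected in baseline.items()
                 if settings.get(key) != expected}
        if diffs:
            drift[host] = diffs
    return drift


if __name__ == "__main__":
    for event in direct_data_changes(AUDIT_LOG):
        print(f'{event["ts"]} {event["user"]}@{event["client"]}: {event["stmt"]}')
    print("configuration drift:", config_drift(BASELINE, CURRENT_SETTINGS))
```

The log check deliberately treats GRANT and REVOKE as writes: a powerful ID that hands out table access is exactly the case the guide warns about, because such an ID would not appear on a list of users with access to the file. The drift check reports absence as drift rather than ignoring it, since a parameter removed from a host is as much a departure from the intended design as one changed.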
Network Security
Internal and external network security controls might be necessary to protect financially significant systems from unauthorized access. Depending on the effectiveness of other controls over access to programs and data, also consider the following:
·How does the network design (e.g., logical separation of domains, trust relationships, external network connections, etc.) ensure the financially significant systems are appropriately protected from unauthorized access (e.g., behind a firewall)?
·How does management ensure authentication controls (i.e. password controls, assignment of users to groups, remote access, etc.) are built into the network configuration?
·How does management ensure that appropriate security controls are considered for all changes to the internal and external network design?
·How does management monitor for and respond to potential security events on the internal and external network?
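Whether a financially significant system is "behind a firewall" is something the reviewer can test from the rule base rather than take on description. The following is an added illustration and not part of the PwC guidance: a Python review over a constructed, simplified rule list (hypothetical rule ids, addresses and ports) that reports every allow rule reaching a financially significant host from outside the trusted internal range, except exposures that management has explicitly approved.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed inventory of financially significant hosts (hypothetical addresses).
FINANCIAL_HOSTS: Dict[str, str] = {
    "erp-db": "10.20.0.10",
    "erp-app": "10.20.0.20",
}

# Constructed: address space considered internal/trusted for this review.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed: exposures that were risk-assessed and approved (host, port).
APPROVED_EXPOSURES: Set[Tuple[str, Optional[int]]] = {("erp-app", 443)}

# Constructed, simplified firewall rule base in evaluation order. port None = any.
RULES: List[Dict] = [
    {"id": 1, "src": "10.20.0.20/32", "dst": "10.20.0.10/32", "port": 1433, "action": "allow"},
    {"id": 2, "src": "0.0.0.0/0", "dst": "10.20.0.20/32", "port": 443, "action": "allow"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.20.0.10/32", "port": 1433, "action": "allow"},
    {"id": 4, "src": "192.168.50.0/24", "dst": "10.20.0.0/24", "port": 22, "action": "allow"},
    {"id": 5, "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "port": None, "action": "deny"},
]


def _is_trusted_source(src_net: ipaddress.IPv4Network) -> bool:
    """A source is trusted only if the whole source range lies inside a trusted network."""
    return any(src_net.subnet_of(trusted) for trusted in TRUSTED_NETWORKS)


def unapproved_exposures(rules: List[Dict],
                         hosts: Dict[str, str] = FINANCIAL_HOSTS,
                         approved: Set[Tuple[str, Optional[int]]] = APPROVED_EXPOSURES
                         ) -> List[Dict]:
    """Allow rules that let untrusted sources reach a financial host on a port
    that has not been approved as an exposure."""
    findings: List[Dict] = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        if _is_trusted_source(src):
            continue
        dst = ipaddress.ip_network(rule["dst"])
        for name, address in hosts.items():
            if ipaddress.ip_address(address) in dst and (name, rule["port"]) not in approved:
                findings.append({"rule": rule["id"], "host": name,
                                 "port": rule["port"], "src": rule["src"]})
    return findings


if __name__ == "__main__":
    for finding in unapproved_exposures(RULES):
        print(f'rule {finding["rule"]}: {finding["src"]} -> {finding["host"]}:{finding["port"]}')
```

Rule 2 is not reported because the web front end of the application server was approved on port 443; rule 3 (database port open to any source) and rule 4 (a partner range reaching the whole finance subnet on port 22) are, and each finding names the rule id so it can be traced to the change request that introduced it, which ties back to the question on security review of network design changes.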
Physical Security
Physical security controls might be necessary in certain environments to ensure that an organization's systems are protected from unauthorized physical access. If relevant, consider how management ensures physical access is restricted for facilities that provide logical access to financially significant systems.
4423.4 Understand, evaluate and validate: computer operations
The domain objective for computer operations is: "To ensure that production systems are processed completely and accurately in accordance with management's control objectives, and that processing problems are identified and resolved completely and accurately to maintain the integrity of financial data."
Once financially significant applications have been identified in scoping, the following points of focus may be helpful for identifying ITGCs in this domain that are relevant to internal controls over financial reporting at your client. Note: Not all points of focus are relevant to every entity, and other risk factors may exist that will need to be considered. It is necessary to determine relevant activities and controls based on the entity's unique IT environment.
Overall Management of Computer Operations Activities
Management should establish processes for controlling computer operations and should monitor the effectiveness of those processes. Consider the following:
·How has management documented and communicated its computer operations policies and procedures?
·How has management documented and communicated computer operations roles and responsibilities?
·How has management organized the computer operations function to ensure a segregation of duties?
·How does management ensure that computer operations personnel have appropriate skills to perform their duties?
·How does management monitor the computing environment to ensure that potential operational issues are identified and resolved?
Batch Scheduling and Processing
Batch scheduling and processing controls should ensure that authorized production jobs are appropriately scheduled and monitored, and that exceptions are resolved completely and accurately in support of management's application control objectives. Consider the following:
·How does management ensure that additions, changes, and deletions to the job schedule are authorized and completed in a timely manner?
·How does management ensure that job dependencies and restart/recovery procedures are documented for all jobs in the batch schedule?
·How does management monitor the processing of jobs to ensure that they run in accordance with the approved job schedule?
·How does management ensure that only authorized personnel have access to the job scheduling tool?
Real-time Processing
Real-time processing controls should ensure that the ongoing transmission and recording of transaction data occurs completely and accurately in support of management's application control objectives. Consider the following:
·How does management ensure that changes to the configuration of real-time processing components (including middleware, where applicable) are authorized and completed in a timely manner?
·How does management ensure that real-time processing failures are captured and resolved in a timely manner?
·How does management ensure that only authorized personnel have access to configure any technology components used to facilitate real-time processing?
Backup and Problem Management
Backup and recovery controls should ensure that backup requirements are defined so that data is available when needed, problems requiring resolution are identified in a timely manner, and recovery from those problems is performed completely and accurately. Consider the following:
·How does management ensure that requirements for content and frequency of data backups are consistent with business objectives?
·How does management ensure that backup media would be available in the event of an emergency (i.e., off-site rotation of media)?
·How does management ensure that data can be recovered as intended from backup media when needed?
·How does management ensure that all significant operational failures are identified and resolved completely and accurately in a timely manner?
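The first three backup questions above each have a concrete test: does the backup catalog show a copy for every day the policy requires, has each copy been rotated off-site, and does a restored copy actually match what was backed up. The following is an added illustration and not part of the PwC guidance: a Python check over a constructed backup catalog (hypothetical dates and snapshot contents) for a daily-backup requirement, with a restore test that compares the hash of the restored data to the hash recorded at backup time.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Content hash recorded in the catalog when the backup is taken."""
    return hashlib.sha256(data).hexdigest()


# Constructed nightly snapshot contents (stand-ins for real backup files).
BACKUP_DATA: Dict[str, bytes] = {
    "2024-03-01": b"gl snapshot 2024-03-01",
    "2024-03-02": b"gl snapshot 2024-03-02",
    "2024-03-04": b"gl snapshot 2024-03-04",   # 2024-03-03 never ran
}

# Constructed backup catalog: one entry per completed backup, with the hash
# taken at backup time and whether the media was rotated off-site.
BACKUP_CATALOG: List[Dict] = [
    {"date": "2024-03-01", "sha256": sha256_hex(BACKUP_DATA["2024-03-01"]), "offsite": True},
    {"date": "2024-03-02", "sha256": sha256_hex(BACKUP_DATA["2024-03-02"]), "offsite": True},
    {"date": "2024-03-04", "sha256": sha256_hex(BACKUP_DATA["2024-03-04"]), "offsite": False},
]


def missing_backup_days(catalog: List[Dict], start: str, end: str) -> List[str]:
    """Days in [start, end] with no catalog entry, given a daily-backup requirement."""
    have = {entry["date"] for entry in catalog}
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    missing: List[str] = []
    while day <= last:
        if day.isoformat() not in have:
            missing.append(day.isoformat())
        day += timedelta(days=1)
    return missing


def backups_not_offsite(catalog: List[Dict]) -> List[str]:
    """Backups that exist but would not survive loss of the primary site."""
    return [entry["date"] for entry in catalog if not entry["offsite"]]


def restore_test(restored: bytes, catalog_entry: Dict) -> bool:
    """True if data read back from backup media matches what was written."""
    return sha256_hex(restored) == catalog_entry["sha256"]


if __name__ == "__main__":
    print("missing days:", missing_backup_days(BACKUP_CATALOG, "2024-03-01", "2024-03-04"))
    print("not off-site:", backups_not_offsite(BACKUP_CATALOG))
    # Simulated restore of the 2024-03-02 backup, once intact and once corrupted.
    print("restore ok:", restore_test(BACKUP_DATA["2024-03-02"], BACKUP_CATALOG[1]))
    print("restore ok:", restore_test(b"corrupted media", BACKUP_CATALOG[1]))
```

A catalog entry alone only shows that a backup job finished; the restore test is what supports the claim that data "can be recovered as intended", which is why the hash is recorded at backup time and checked after an actual read from the media.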
Disaster Recovery
Disaster recovery controls are important operational controls that help to ensure that an organisation will be able to continue operations in the event of a disaster. Evaluate and validate these controls only if disaster recovery is considered relevant because of territory regulatory requirements and/or significant impact on going concern issues. Determine the disaster recovery activities that are relevant to the organisation's objectives. Consider the following:
·How does management ensure that environmental risks (i.e., fire, smoke, water, power, temperature, humidity, etc.) to all significant computing locations are appropriately mitigated?
·How does management use a business impact analysis or similar risk assessment to ensure that disaster recovery plans and related testing exist for all significant applications and underlying technology components?
·How does management ensure that plans are tested and updated on a regular basis?