Examples of EDP Controls Audit Program for Internal Auditor:

Sections covered:
• Application - General
• Authorization
• Completeness and Accuracy of Input
• Completeness and Accuracy of Update
• Output/Standing Data
• General Security
• Year 2000 Issues
Worksheet columns recorded for each question: W/P # | Control Eval | Test # | Find #
A. Application-General
1. Does adequate systems and programming documentation exist to enable effective and timely maintenance?
2. Is the User generally satisfied with the system?
3. Do adequate procedures exist for identifying information flow (audit trail)?
4. Is the User aware of any continuing system problems?
5. Have the most recent system enhancements been properly documented, including back-up manuals and offsite program library storage?
6. Is all data requiring security (e.g., payroll, customer lists, price structures) adequately protected?
7. Have all recent major enhancements been similarly approved by appropriate levels of Management?
8. Does adequate segregation of duties exist within the flow of data to prevent the creation of unauthorized transactions?
9. Are control procedures adequately described in systems operator and User documentation to facilitate consistent compliance?
10. Do adequate controls exist for on-line systems to restrict access to confidential or sensitive data?
11. Do adequate controls exist for on-line systems to prevent unauthorized input of data or other instructions?
12. Have adequate procedures been developed for terminal security and usage?
13. Do adequate procedures exist for the maintenance of accurate standing data (e.g., periodic cyclical verification of key fields by Users)?
14. Are operating instructions adequate to ensure efficient processing of the system?
15. Do the departments that use the application have a disaster recovery plan in the event the application is not available?
16. Are all online transaction files backed up on a daily basis? Is there an audit trail for all transactions entered into the system?
17. Does data processing have an approved file retention schedule that meets the needs of both disaster recovery and governmental regulations? Is this schedule signed by user management?
18. Is there a separate Production and Test Environment?
19. Was a test plan and test data established for the application when it was written?
20. Review the program change controls for non-mainframe applications.
Control Evaluation rating scale: A - Strong/Good, B - Adequate, C - Weak/Poor, D - N/A (Not Applicable). This rating determines the amount and type of testing performed.
B. Authorization
1. Do procedures exist to verify that the following transactions are properly authorized:
a.
b.
c.
d.
e.
f.
2. Do procedures exist to ensure that the following authorized transactions are completely processed (e.g., batch control totals):
a.
b.
c.
d.
e.
f.
3. Do procedures exist to ensure that unauthorized transactions cannot be entered before or during data entry?
4. Do procedures exist to ensure that the person preparing the transaction is not the person approving/authorizing the transaction?
C. Completeness and Accuracy of Input
1. Are input edit controls sufficiently automated to minimize clerical verification?
2. Have manual controls been developed so as not to duplicate automated controls?
3. Do multiple-copy source documents have a minimum number of copies?
4. Do procedures exist to minimize and identify the volume and causes of rejections?
5. Has batch update been developed so as not to hold up entire batches because of individual transaction rejection?
6. Do procedures exist to prevent a transaction from being entered more than once (e.g., stamping of documents entered)?
7. Does an adequate audit trail exist, enabling anyone to trace all authorized transactions through update and final output, including the ability to print out the master files affected after update?
8. Have edit checks been built into the system to reject errors in:
a. Document sequence?
b. Batch sequence?
c. Batch control totals?
d. Check digits?
e. Matching checks?
f. Limit checks?
g. Format checks?
9. Do all edit checks work as they were intended?
10. Have edit checks been built into the system to reject errors or provide information on:
a. Reasonableness checks, range checks or limit checks?
b. Duplicate numerical value fields?
c. Consistency checks?
11. Do adequate controls exist over rejections to ensure timely resubmission, including the authorization for corrections by the appropriate User?
12. Do proper procedures exist for the distribution of, and the action to be taken on, exception reports?
13. Do the following automated interfaces generate adequate control totals for verification:
a.
b.
c.
d.
e.
14. Are the following source documents maintained and stored in accordance with a firm retention policy (to cover Firm and Legal requirements):
a.
b.
c.
d.
e.
f.
g.
h.
15. Do adequate controls exist over access to and use of terminals?
16. Do adequate controls exist over data communications?
17. Does adequate control exist over the physical movement of source documents between locations?
18. Are there adequate controls over the following input transactions to ensure completeness and accuracy of input:
a.
b.
c.
d.
e.
f.
g.
h.
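As an added illustration (not part of the audit program itself) of the edit checks asked about in section C, items 6, 8 and 10, and of the batch-handling point in item 5: a small Python batch editor that applies a check-digit test, a format check, a limit check, duplicate detection and batch control totals, rejecting individual transactions without holding up the rest of the batch. The mod-10 (Luhn) check-digit scheme, the account format, the amount limit and the sample batch are all assumptions constructed for the example; the program names none of them.

```python
import re

# Assumed edit parameters for the example (the audit program fixes none of these).
AMOUNT_LIMIT = 10_000.00                     # limit check (C8f / C10a)
ACCOUNT_FORMAT = re.compile(r"^AC-\d{4}$")   # format check (C8g)

# Constructed sample batch: the header carries the clerk's claimed control totals;
# each doc_no ends in an assumed mod-10 (Luhn) check digit.
SAMPLE_BATCH = {"batch_id": "B001", "claimed_count": 5, "claimed_amount_total": 13100.00, "records": [
    {"doc_no": "79927398713", "account": "AC-1001", "amount": 500.00},
    {"doc_no": "79927398714", "account": "AC-1002", "amount": 300.00},       # bad check digit
    {"doc_no": "79927398713", "account": "AC-1003", "amount": 200.00},       # duplicate doc_no
    {"doc_no": "49927398716", "account": "ac1004", "amount": 100.00},        # bad account format
    {"doc_no": "1234567812345670", "account": "AC-1005", "amount": 12000.00},  # over limit
]}

def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit (C8d): alternate digits doubled (minus 9 if > 9) plus the rest sum to a multiple of 10."""
    if not number.isdigit():
        return False
    digits = [int(c) for c in reversed(number)]
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2) for i, d in enumerate(digits))
    return total % 10 == 0

def edit_record(rec: dict, seen: set) -> list:
    """Per-transaction edit checks (C6, C8, C10). Returns the rejection reasons; an empty list means accept."""
    checks = [
        (luhn_valid(rec["doc_no"]), "check digit"),
        (rec["doc_no"] not in seen, "duplicate document number"),
        (bool(ACCOUNT_FORMAT.match(rec["account"])), "account format"),
        (0 < rec["amount"] <= AMOUNT_LIMIT, "amount limit"),
    ]
    return [reason for ok, reason in checks if not ok]

def edit_batch(batch: dict) -> dict:
    """Batch control totals (C8c) plus per-record edits; accepted records proceed even when others reject (C5)."""
    accepted, rejected, seen = [], [], set()
    for rec in batch["records"]:
        reasons = edit_record(rec, seen)
        seen.add(rec["doc_no"])
        if reasons:
            rejected.append((rec["doc_no"], reasons))   # goes to the rejection/resubmission queue (C11)
        else:
            accepted.append(rec)
    # Control totals are computed over everything keyed in, so lost or added records show up here.
    exceptions = []
    if len(batch["records"]) != batch["claimed_count"]:
        exceptions.append("record count")
    if round(sum(r["amount"] for r in batch["records"]), 2) != batch["claimed_amount_total"]:
        exceptions.append("amount control total")
    return {"accepted": accepted, "rejected": rejected, "batch_exceptions": exceptions}
```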
D. Completeness and Accuracy of Update
1. Do adequate run-to-run controls exist within the system to enable early detection of errors and minimize avoidable processing time?
2. Does adequate control exist over the timely updating of master files to ensure that essential output is not delayed or incomplete?
3. Do adequate procedures exist to identify and minimize unmatched, unallocated or incomplete transaction files?
4. Is an adequate audit trail generated for the automatic generation and/or deletion of data?
5. Is all data which is automatically generated subjected to the same edit criteria as data which is manually entered?
6. Is there adequate system verification of control sequences or control totals to verify completeness of update of the following transactions:
a.
b.
c.
d.
e.
f.
g.
h.
E. Output/Standing Data
1. Does a report distribution list exist, indicating all reports generated and their distribution?
2. Do procedures exist to ensure efficient and timely output distribution (e.g., a distribution log)?
3. Are all reports generated by the system actually required and/or used by the User?
4. Are Users satisfied with the timing, content, layout, etc. of key outputs?
5. Is output information and format produced in such a manner that little or no manual reformatting or analysis is required by the User?
6. Does the location maintain an adequate supply of special forms?
7. Do adequate controls exist to enable Users to verify that all output has been received?
8. Are the following reports, including those generated by interfaces, proven or reconciled back to input (e.g., source documents or batch controls):
a.
b.
c.
d.
e.
f.
g.
9. Is there adequate control over negotiable or critical forms (e.g., checks, credit notes)?
10. Are all critical master file updates printed out in detail for periodic verification by the User?
11. Do procedures exist to identify inactive master file records which are subjected to transaction processing?