Application AuditingScope, Approach, & Execution

January 2009Michael Kirk, CIA, CISA

Risk-based

2

Mike Kirk, CIA, CISA– Application experience includes: Oracle,

PeopleSoft, JD Edwards, and industry-specific and customized applications for healthcare, insurance, energy/utility, manufacturing, construction, and environmental industries.

– Board member of the Central Ohio Chapter of ISACA

Introduction

3

Introduction

JD Edwards

4

Risk Considerations for Application Auditing

• Defining Your Scope

• Developing Your Approach

• Execution

• Q & A

Overview

5

Where do you start?

1. Understand the environment

2. Understand business & technical processes

3. Assess risks & controls

4. Develop improvements

ScopeAudit Methodology

6

1. Understand the business environment the application supports

Develop a complete understanding of the business process flow (inputs, processing, & outputs),

and, the data flow, including interfaces

Defining Your Scope

7

2. Understand the application’s technical environment

– IT control environment– “Off-the-shelf” or customized – Legacy or web-based – Housed internally or external provider– Developed in-house or 3PP – User population– Dispersion of users

Defining Your Scope

8

Understand the business process and technical environment

Assess business information risks

Defining Your Scope

Start

Notify

shipping

Confirm customer

order

Item

out-of-stock

?

Log revenue

A

Information System

EndConfirm receipt

Create

invoice

Send info to

Acct

A Close books

1

2 3

# Critical Risk / Control Points

Financial Accounting Systems

EDI Hub

Treasury ManualCheck Printing

System

Invoice Imaging A/P

A/P OpenItems

A/P ClosedItems

A/R

A/R OpenItems

DD & A

Depr. AssetMaster

AFE

Actual DetailCosts

BudgetedCosts

CorporateG/L

Hyperion

Invoicing Systems

OperationalSystems

C

Payroll System

1 1

Risks

Data integrity and completeness are notmaintained in the transfer between applications.

Data security is not maintained in the transferbetween applications.

2

Standard password protection required in transfer protocol

Transfers are automated using a job scheduler.

Application logs into Windows NT using a password-protectedaccount and uses an interface directory protected by NT FileSystem (NTFS) security.

Application logs into UNIX environment with password protectedaccount to make the transfer.

Interface uses integrity checking tools to detect data corruption.

2

Controls

3

4

1 12 2 41 12 2 3

1 12 2 3

5

1 2 5

Invoices

ReconciliationFigures

Manual Check Information

EDI Communications

General Ledger Entries

Corp Tax1 2 3Acct. Info. for Tax Return (manual)

International G/L

Time andAttendance

Employee Hours

Intranet

Manual reconciliation of data is performed after transfer.

Only one user and the System admins have access to theinterface directory on the UNIX server.

Error reports are generated after the data is transferred.

Record Counts are compared to ensure completeness andaccuracy.

6

7

8

7

7

9

8 9

81 2

1 2

Payroll Entries

Critical Process Maps Data-Flow/Interface Diagrams

9

Business & Information Risks:– Regulatory compliance – F/S integrity– PCI-related– Integration of an acquisition– Data privacy– Integrity of the application– Process control validation

Defining Your Scope

10

Lessons Learned on Scope

• Critical dependencies: personnel, technical, external providers [BCP]

• “Canned” still seems to get modified

• Don’t forget spreadsheets & report-writers!

• Leverage existing flow diagrams

• Invest the time to understand the process flow...– Adds value to your internal

client– You may find that you are

now the expert!

11

Top-down Approach:

Auditing around the application…

Information Technology General Controls (ITGCs)

Bottom-up Approach:

Auditing the insides…

Application Controls Testing

Developing Your Approach

12

Relationship between ITGCs and application controls

1. Development

2. Change Management

3. Security Administration

4. Operations

Top-down Approach

13

Top-down Approach

Source: COBIT 4.1 Framework

Boundaries of Business, General, and Application Controls

14

DevelopmentAI2 Acquire and Maintain Application Software

AI2.7 Development of Application Software• Ensure that automated functionality is developed in accordance

with design specifications, development and documentation standards, QA requirements, and approval standards.

Top-down Approach

Source: COBIT 4.1 Framework

15

Change ManagementAI6 Manage Changes

AI6.1 Change Standards and Procedures• Set up formal change management procedures to handle all

requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms in a standardised manner.

Top-down Approach

Source: COBIT 4.1 Framework

16

Security AdministrationAI2 Acquire and Maintain Application Software

AI2.4 Application Security and Availability• Address application security and availability requirements in

response to identified risks and in line with the organisation’s data classification, information architecture, information security architecture and risk tolerance.

Top-down Approach

Source: COBIT 4.1 Framework

17

Top-down Approach

ChangeMgt

NetworkSecurity

Development

ApplicationSecurity

DatabaseSecurity

Process Controls

ApplicationControls

18

• Security roles and functionality

• Software Development Life Cycle– Test plans & supporting documentation– Testing to break vs. testing to pass

Lessons Learned on Top-down

19

• Dispersion and diversity of the business, processes, and technology compounds the effort

• Don’t underestimate the value of a thorough general controls review!

Lessons Learned on Top-down

20

Auditing the functionality and control effectiveness of the application can only be determined based on the maturity level and effectiveness of the ITGCs

Auditing the insides… Application Controls Testing

Bottom-up Approach

21

Bottom-up Approach

BusinessManagement

Reporting Controls

ApplicationData Processing

Controls

Access andData Source

Origination SetupControls

Input Processing Output

22

Understand the business process and technical environment

Assess business information risks

Bottom-up Approach

Start

Notify

shipping

Confirm customer

order

Item

out-of-stock

?

Log revenue

A

Information System

EndConfirm receipt

Create

invoice

Send info to

Acct

A Close books

1

2 3

# Critical Risk / Control Points

Financial Accounting Systems

EDI Hub

Treasury ManualCheck Printing

System

Invoice Imaging A/P

A/P OpenItems

A/P ClosedItems

A/R

A/R OpenItems

DD & A

Depr. AssetMaster

AFE

Actual DetailCosts

BudgetedCosts

CorporateG/L

Hyperion

Invoicing Systems

OperationalSystems

C

Payroll System

1 1

Risks

Data integrity and completeness are notmaintained in the transfer between applications.

Data security is not maintained in the transferbetween applications.

2

Standard password protection required in transfer protocol

Transfers are automated using a job scheduler.

Application logs into Windows NT using a password-protectedaccount and uses an interface directory protected by NT FileSystem (NTFS) security.

Application logs into UNIX environment with password protectedaccount to make the transfer.

Interface uses integrity checking tools to detect data corruption.

2

Controls

3

4

1 12 2 41 12 2 3

1 12 2 3

5

1 2 5

Invoices

ReconciliationFigures

Manual Check Information

EDI Communications

General Ledger Entries

Corp Tax1 2 3Acct. Info. for Tax Return (manual)

International G/L

Time andAttendance

Employee Hours

Intranet

Manual reconciliation of data is performed after transfer.

Only one user and the System admins have access to theinterface directory on the UNIX server.

Error reports are generated after the data is transferred.

Record Counts are compared to ensure completeness andaccuracy.

6

7

8

7

7

9

8 9

81 2

1 2

Payroll Entries

Critical Process Maps Data-Flow/Interface Diagrams

23

• Understand the transaction process related to the application… identify key transactions

• Assess Application Controls

Bottom-up Approach

24

Bottom-up ApproachTransaction and Data Flow Detail

Screens to Test

25

Bottom-up Approach

Screens to Test

Application Walk Through: Key Screens

26

Bottom-up Approach

Source: COBIT 4.1 Framework

Boundaries of Business, General, and Application Controls

27

Bottom-up ApproachApplication Controls• AC1 Source Data Preparation and Authorisation

– Ensure that source documents are prepared by authorised and qualified personnel following established procedures…

• AC2 Source Data Collection and Entry– Establish that data input is performed timely

• AC3 Accuracy, Completeness and Authenticity Checks– Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for

correction as close to the point of origination as possible.

Source: COBIT 4.1 Framework

28

Bottom-up Approach

Application Controls• AC4 Processing Integrity and Validity

– Maintain the integrity and validity of data throughout the processing cycle.

• AC5 Output Review, Reconciliation and Error Handling– Establish procedures and associated responsibilities to ensure that… verification, detection and correction of the

accuracy of output occurs.

• AC6 Transaction Authentication and Integrity– When sharing data between internal applications and business/operational functions… maintain integrity.

Source: COBIT 4.1 Framework

29

Bottom-up Approach

• Testing Documentation– Application Function (screen mapping)– Function Description– Testing Procedures– Control Observations (testing results)

& Recommendations– Key Risks & Impact

• Lots of screen shots!

30

Bottom-up ApproachApplication

FunctionFunction

DescriptionTesting

ProceduresControl Observations &

RecommendationsKey Risks & Impact

Order Entry – Override Pricing

Screen #:OE480

Screen allows user to override pricing information for the order.

Examined updateable fields for data validation edits. 1. Gross Price2. Sales, Inventory, and Expense G/L Codes

Noted existence of adequate validation checks of the following:1. Table Look-up (Sales Inventory, and Expense G/L Codes)2. Existence Check (Sales Inventory, and Expense G/L Codes)3. Completeness Check (Sales Inventory, and Expense G/L Codes)Noted the lack of the following validation checks:4. Limit Check (Gross Price)5. Reasonableness Check (Gross Price)

Noted that limit and reasonableness checks are not in place for the gross price field to restrict the price of items ordered. This screen will also allow the gross price of the ordered item to be zero. We recommend that the appropriate limit and reasonableness checks be implemented for the gross pricing field to prevent blank or unreasonable data entry.Noted the following control weakness:Access to Override G/L Accounts

Noted that the sales, expense, and inventory general ledger code fields could be edited through the override pricing screen. User access to edit critical fields should be minimal. We recommend that only appropriate and essential users be granted the permission to edit the G/L codes.

Reports that rely on the gross price field or perform calculations based on this field have the potential to contain incorrect information based upon the observed control weakness.

Modifying the G/L codes in the order screens could result in the posting of orders to inappropriate G/L accounts and subsequently impact updates to the Sales General Ledger and the Sales by Branch/Product Group (SLS042) report.

31

Bottom-up Approach

Testing Procedures– Good code vs. not-so-good code

• Sequence checks• Limit checks• Range checks• Validity checks• Reasonableness checks

• Table lookups• Existence checks• Completeness checks• Duplicate checks• Logical relationships

32

System-Based Data Entry Integrity ControlsEdits Description

Sequence Checks

The control number follows sequentially and any control numbers out of sequence or duplicated are rejected or noted on an exception report for follow-up purposes. For example, invoice numbers are systematically and generated sequentially generated and cannot be overridden.

Limit Checks Data should not exceed a predetermined amount. For example, it may be determined that quantities ordered should not exceed a maximum of 500 each, or that a sales commission cannot exceed 12% without an override. If a quantity exceeds the limit, the data would be rejected for further verification or authorization.

Range Checks Data should be within a predetermined range of values. For example, date ranges. Once books are closed for the current month, entries are not permitted for the previous month’s date range.

Validity Checks Programmed checking of the data validity in accordance with predetermined criteria. For example, department & expenses relationships, account codes, company numbers, vendor numbers, customer numbers, invoice types, etc.

Reasonableness Checks

Input data are matched to predetermined reasonable limits or occurrence rates. For example, the tolerances exist within purchasing application to allow for quantity variations or unit price variations based on preset tolerable limits.

Table Lookups Input data are agreed to predetermined criteria maintained in a data table of possible values. Essentially the same type of controls as validity – any pull-down menu, pre-defined field… an employee must exist within the EMPMSTR table for payroll processing.

Existence Checks Data are entered correctly and agree to valid predetermined criteria. For example, a picking pack slip can only be generated for an existing order number, or in order to receive against a P.O., it must exist.

Completeness Checks

Data fields should always contain data and not zeros or blanks. A company number, accounting unit, and account code for a general ledger entry are required fields prior to the record being added to the system. A “hard stop” is received by the user if the required fields are not completed. Completeness check controls can be utilized by individual field or by data entry screen.

Duplicate Checks New transactions are matched to those previously input to ensure that they have not already been entered. For example, accounts payable invoices cannot be entered twice for the same vendor invoice.

Logical Relationship Checks

If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true and consider the input valid. Company, accounting unit, & account relationships exist. For example the marketing department cannot charge an expense to lease expenses, only to accounts logically tied to that department.

33

Bottom-up Approach

Testing Procedures contd.

– Field formats are defined & locked– “Grayed” fields… better yet, linked to user and

displayed only if applicable to functionality– On screen, visual feedback

– Not-so-good… better have monitoring reports as mitigating controls!

34

• Applications pre-dating the current climate of control

• Baselining• Value of an implementation project audit• Application functionality… best if conducted

throughout testing stage • End user training & desktop procedures

Lessons Learned on Bottom-up

35

• Monitoring controls… issues typically arise from the one $1,000,000 transaction, not from the million $1 transactions

• Please remember to conduct audit work in a Test environment

• Don’t underestimate the time commitment!• Emerging technology trends… web-based,

PDAs, now smartphones

Lessons Learned on Bottom-up

36

• Risk considerations for application auditing

• Risk-based approach drives increased efficiency + decreased costs = organizational value

Summary

Questions & Discussion

Mike Kirk

t: 614.403.7700

e: m_kirk01@yahoo.com