APPLICATION CONTROLS AUDIT WORK PROGRAM:
SAMPLE 1
PROJECT TEAM: (LIST MEMBERS)
Project Timing Date Comments
Planning
Fieldwork
Report Issuance (Local)
Report Issuance (Worldwide)
Five areas should be considered for all financial end-user-developed applications. These include:
• Change Control
• Version Control
• Access Control
• Input Control
• Security and Integrity of Data
Furthermore, for high-complexity applications, the following items should also be considered:
• Documentation
• Development Life Cycle
• Backups
• Archiving
• Logic Inspection
• Segregation of Duties/Roles and Procedures
• Overall Analytics
Depending on the complexity, one of the following audit programs should be used:
LOW TO MEDIUM COMPLEXITY
Time Task Initial Index
Obtain a copy of the spreadsheet/end-user developed application
inventory.
Obtain a copy of the company’s policy regarding end-user-developed
applications and spreadsheets used for financial reporting purposes.
Determine the nature of the applications from the inventory.
2 Source: www.knowledgeleader.com
FOR MICROSOFT OFFICE DOCUMENTS
Time Task Initial Index
Change Controls
Verify that the policy appropriately covers how to prevent unauthorized
changes. Examples of appropriate controls are (in descending order of
strength):
• The document is stored on a network drive with restricted access.
Formulas are reviewed for appropriateness after each use (before
making journal entries).
• The document is stored in a read-only or encrypted format on the
network drive. Only individuals with the password or encryption key
can make changes to the entire document.
• Cells with key formulas are password-protected. The password is
changed periodically.
Version Controls
Verify that the policy appropriately covers version control. Examples of
appropriate controls are:
• An electronic storage method is used to house documentation (e.g., SharePoint) and electronic approval is evidenced.
• Document naming conventions and internal change logs are used to
indicate the last revision and effective dates.
• Only the most recent version of the document is maintained on the
shared drive, and all users use this version.
Access Controls
Verify that the policy appropriately covers access control (see Change
Control – in well-controlled environments, these controls should be the
same).
Input Controls
Verify that the policy appropriately covers input control (see Change
Control – in well-controlled environments, these controls should be the
same).
Security and Integrity of Data
Verify that the policy appropriately covers the security and integrity of data. An example of an appropriate control is:
• An independent party verifies the data entered in the document
against the source documents (e.g., the spreadsheet matches the
JDE report).
Review
Review the applications where they reside on the network and verify that
the documents comply with the policies.
FOR SQL OR OTHER IN-HOUSE DEVELOPED APPLICATIONS
Time Task Initial Index
Change Controls
Verify that the policy appropriately covers how to prevent unauthorized
changes. An example of an appropriate control is:
• Changes are made in a nonproduction environment, tested by
programmers and users before implementation, requested/approved
by appropriate individuals, and appropriately documented.
Documentation can include program code notations and change logs.
Version Controls
Verify that the policy appropriately covers version control. An example of
an appropriate control is:
• Only the most recent version of the application exists in the
production, development and test environments (as applicable).
Access Controls
Verify that the policy appropriately covers access control. Examples of
appropriate controls are:
• Only authorized individuals are permitted to request or approve
access.
• Access provided is commensurate with job responsibilities.
• Individuals are disabled or removed from the system when they no
longer require access (transfers and terminations).
• Access is based upon roles established in the operating
system/network.
Input Controls
Verify that the policy appropriately covers input control. Examples of
appropriate controls are:
• An independent party verifies inputs against source documents.
• Inputs are received directly from another system (file transfers or table
lookups).
• An independent party reviews monitoring reports and verifies check
figures against independent information.
Security and Integrity of Data
Verify that the policy appropriately covers the security and integrity of
data (see Access and Input Control above).
Review
Review the applications where they reside on the network and verify that
they comply with the policies.
FOR OUT-OF-THE-BOX APPLICATIONS
Time Task Initial Index
Change Controls
Verify that the policy appropriately covers how to prevent unauthorized
changes. An example of an appropriate control is:
• The application is in an “out-of-the-box” state and no changes to the
program code have been made.
Version Controls
Verify that the policy appropriately covers version control. An example of
an appropriate control is:
• Only the most recent version of the application exists in the production
environment.
Access Controls
Verify that the policy appropriately covers access control. Examples of
appropriate controls are:
• Only authorized individuals are permitted to request or approve
access.
• Access provided is commensurate with job responsibilities.
• Individuals are disabled or removed from the system when they no
longer require access (transfers and terminations).
• Access is based upon roles established in the operating
system/network.
• A formal process exists for the request, approval, change and removal
of access, and the process is followed.
Input Controls
Verify that the policy appropriately covers input control. Examples of
appropriate controls are:
• An independent party verifies inputs against source documents.
• Inputs are received directly from another system (file transfers or table
lookups).
• An independent party reviews monitoring reports and verifies check
figures against independent information.
Security and Integrity of Data
Verify that the policy appropriately covers the security and integrity of
data (see Access and Input Control above).
Review
Review the applications where they reside on the network and verify that
they comply with the policies.
APPLICATION CONTROLS AUDIT WORK PROGRAM:
SAMPLE 2
This sample work program covers various application controls necessary to support the business, focusing
primarily on access and change controls.
Time Project Work Step Initial WP Ref.
Change Control
Verify that the policy appropriately covers how to prevent unauthorized
changes. Appropriate controls are:
• All changes are presented to the change control committee every
week for authorization.
Verify that the policy requires significant application changes (e.g., upgrades) to be appropriately tested, including unit, system, user-acceptance, integration and stress testing where appropriate. Appropriate controls are:
• Formal test scripts are utilized by business users to test the system
before migrating changes to the production environment.
• The change owner determines the level of testing and documentation
required for each change.
Verify that the policy requires that significant report changes and new reports be appropriately tested by the requester. An appropriate control is:
• Upon completion, users test significant changes to existing reports and newly created significant reports through re-performance, and respond either with required changes or with authorization that no changes are necessary.
Verify that a nonproduction environment exists so that testing may be performed without impacting the production environment. An appropriate control is:
• A separate testing database is utilized to segregate development and
testing from production processing.
Verify that changes are tracked appropriately from request through completion. An appropriate control is:
• Change requests are submitted to IT using the application change
request form. Changes are tracked using the XYZ application, which
enables online authorization of change requests and captures
information such as status, dates and results of the change.
Access Controls
Verify that the policies and procedures appropriately cover access
control. Appropriate controls are:
• Only authorized individuals are permitted to request or approve
access.
• Access provided is commensurate with job responsibilities.
• Individuals are disabled or removed from the system when they no
longer require access (transfers and terminations).
• A formal process exists for the request, approval, change and removal
of access and the process is followed.
• Adequate password parameters are enforced by the system.
Input Controls
Verify that the application is appropriately configured to include input
controls where possible. Examples of appropriate controls are:
• The application validates key inputs against cross-reference tables
and/or provides lists with which to select valid values.
• The application utilizes control totals to minimize errors during batch
processing.
• The application has built-in error checks to detect formatting, value
and balancing errors (e.g., debits = credits).
• Inputs are received directly from another system (file transfers or table
lookups), reducing the need for manual re-entry.
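The configured input controls listed above (cross-reference validation of keyed values, batch control totals, formatting and value checks, and the debits = credits balancing check) implemented as one batch validator. This is an added Python example, not part of the work program; the chart of accounts, the batch header layout and the sample entries are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed cross-reference table of valid general-ledger accounts (sample data only).
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Accounts receivable",
                     "4000": "Revenue", "5000": "Expenses"}


def parse_amount(raw):
    """Formatting/value check: non-negative decimal with at most two places, else None."""
    try:
        amt = Decimal(str(raw))
    except InvalidOperation:
        return None
    if not amt.is_finite() or amt < 0 or amt.as_tuple().exponent < -2:
        return None
    return amt


def validate_batch(batch):
    """Run the input controls over one journal batch; an empty list means all passed."""
    errors = []
    lines = batch["lines"]
    # Control total 1: record count on the batch header must match the records received.
    if batch["control_count"] != len(lines):
        errors.append(f"record count {len(lines)} != control count {batch['control_count']}")
    debits = credits = Decimal("0")
    for n, line in enumerate(lines, start=1):
        # Cross-reference validation: the account must exist in the chart of accounts.
        if line["account"] not in CHART_OF_ACCOUNTS:
            errors.append(f"line {n}: account {line['account']!r} not in chart of accounts")
        for side in ("debit", "credit"):
            amt = parse_amount(line[side])
            if amt is None:  # bad amounts are reported and excluded from the totals
                errors.append(f"line {n}: {side} {line[side]!r} is not a valid amount")
            elif side == "debit":
                debits += amt
            else:
                credits += amt
    # Control total 2: sum of debits must equal the total keyed on the batch header.
    if debits != Decimal(str(batch["control_total"])):
        errors.append(f"debit total {debits} != control total {batch['control_total']}")
    # Balancing check: debits = credits for the batch as a whole.
    if debits != credits:
        errors.append(f"out of balance: debits {debits} != credits {credits}")
    return errors


# Constructed sample batch: one keying error per control so each check is exercised.
SAMPLE_BATCH = {"control_count": 2, "control_total": "100.00", "lines": [
    {"account": "9999", "debit": "100.00", "credit": "0"},   # unknown account
    {"account": "4000", "debit": "0", "credit": "99.999"},   # three decimal places
    {"account": "1200", "debit": "-5", "credit": "0"}]}      # negative amount
```

Running `validate_batch(SAMPLE_BATCH)` returns five failures (record count, unknown account, two invalid amounts, and an out-of-balance batch), while a correctly keyed, balanced batch returns an empty list.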
Verify that manual input controls are in place and followed. Examples of
appropriate controls are:
• An independent party verifies inputs against source documents.
• An independent party reviews monitoring reports and verifies check
figures against independent information.
Application Management
Verify that appropriate controls exist to detect performance, capacity and
availability problems. Appropriate controls are:
• An independent party verifies inputs against source documents.
• An independent party reviews monitoring reports and verifies check
figures against independent information.
Determine if key functional users have issues or problems regarding
application availability, integrity or performance:
• Identify what actions were taken to correct any problems/incidents.
• Identify any recurring or persistent problems with the application that
have gone unresolved.