Microsoft PowerPoint - Chapter 6 - Part 2
Description: EDP
3/13/2015
CHAPTER 6
Systems Development and Documentation Controls
Part Two
KENT, PORF, MARLON GROUP
KPMGroup
Part Two: OVERVIEW OF PRESENTATION
USER, ACCOUNTING, AND AUDIT PARTICIPATION
TECHNICAL, MGT, USER, AND AUDITOR REVIEW AND APPROVAL
SYSTEM TESTING
FINAL APPROVAL
POSTIMPLEMENTATION REVIEW
DO YOU WANT TO DEVELOP A NEW SYSTEM?
Complete Audit Trail
Built-in Audit Features
Adequate Internal Control Structure
AUDITORS (INTERNAL AND EXTERNAL)
ACCOUNTING DEPARTMENT STAFF
USER PERSONNEL
PARTICIPATE IN THE SYSTEMS DEVELOPMENT
How can this participation be beneficial?
IMPROVED COMMUNICATION BETWEEN USER AND EDP PERSONNEL
USER PARTICIPATION REPRESENTS A FORM OF COMMITMENT & APPROVAL
IMPROVEMENTS IN CONTROLS FROM SUGGESTIONS OF EXPERTS
EVIDENCE FOR COMPLIANCE & INCLUSION OF REQUIRED IC & AUDIT FEATURES
GAIN OF REQUIRED UNDERSTANDING OF EDP APPLICATIONS
What to do?
Scenario
You plan to assess control risk at a low level on participation by the user, accounting, and audit personnel
INTERVIEW FOR EVIDENCE OF THE LEVEL OF PARTICIPATION OF THE USER AND ACCOUNTING DEPT
REVIEW APPROPRIATE DOCUMENTS AND RELATED APPROVALS FOR EVIDENCE
REVIEW THE AUDITORS’ WORKING PAPERS
ONGOING REVIEW: BENEFITS
For work accomplished during the process and approval at the end of each phase of the process
REPRESENT STRONG CONTROLS OVER CONTENT OF SYSTEM PROGRAM AND OUTPUTS
ENSURE THAT THE SYSTEM HAS ADEQUATE CONTROLS
FACILITATE MONITORING AND MAINTENANCE OF AN ACCEPTABLE LEVEL OF QUALITY OF OUTPUT FROM EACH PHASE OF THE PROCESS
REVIEW AND APPROVAL: LEVELS
TECHNICAL LEVEL
• involves systems and programming supervisors
• requires systems supervisors to review the work of systems staff on an ongoing basis
• review and approve each phase of the output before submitting it for approval
OUTPUT LEVEL
• involves management, users and auditors
• requires them to review and approve end products of systems planning and development (excluding programming)
What to do?
Scenario
You plan to assess control risk at a low level on technical, management, user and auditor review and approval
REVIEW THE SECTION OF THE SYSTEMS DEVELOPMENT STANDARDS MANUAL
INTERVIEW TECHNICAL STAFF, MANAGEMENT, AND USERS
REVIEW TECHNICAL AND OUTPUT DOCUMENTATION (FOR SELECTED APPLICATIONS DEVELOPED DURING ACCTG PERIOD)
KENT, PORF, MARLON GROUP (VA ROOM 306) KPMGroup
SYSTEM TESTING: AN IMPORTANT CONTROL
ENSURE THAT SYSTEM WILL OPERATE AS INTENDED
DETERMINE IF SYSTEM’S OPERATION MEETS USER REQUIREMENTS
TEST ALL APPLICATION CONTROLS SO THEY WORK AS INTENDED
SHOW THAT INTRODUCTION OF CORRECT INPUT WILL YIELD CORRECT OUTPUT
VERIFY THAT INCORRECT INPUT, PROCESSING OR OUTPUT WILL BE DETECTED
WHAT IS THE SCOPE & COVERAGE OF SYSTEM TESTING?
MANUAL PHASE
COMPUTERIZED PHASE
PROGRAMS
COMPUTER OPERATIONS
USER ACTIVITIES
CONTROL GROUP FUNCTIONS
JOINT EFFORT IN SYSTEM TESTING
AUDITORS (INTERNAL AND EXTERNAL)
SYSTEMS PERSONNEL
USER PERSONNEL
SYSTEM TESTING: LEVELS
PROGRAM TESTS
• Designed to test the processing logic of the programs
• Usually applied on a modular or program-by-program basis to facilitate the review process
• Software aids can be useful
STRING TESTS
• Tests applied also to programs but to a string of logically related programs
• To ensure that data are correctly transferred from one program to another in a string
SYSTEMS TESTS
• Applied to programs within an application
• To ensure that programs all work correctly when they interface with each other
PILOT TESTS
• Processing of an actual period’s transactions on an after-the-fact basis
• To reconcile the results of the new and old systems and to detect and correct differences
PARALLEL TESTS
• Method of ensuring that system is processing input correctly
• Valuable to detect system errors and for complex systems
What to do?
Scenario
You plan to assess control risk at a low level on system testing (first, review the new systems developed and implemented during the accounting period and the written standards)
REVIEW STANDARDS FOR COMPREHENSIVENESS
INTERVIEW INTERNAL AUDIT AND USER STAFF
REVIEW TEST DATA AND THE RESULTING OUTPUT FOR SELECTED NEW SYSTEMS
REVIEW THE RESULTS OF PROGRAM AND STRING TESTS
REVIEW RESULTS OF SYSTEM TESTS OF VALID AND INVALID TRANSACTIONS
REVIEW PROCEDURES FOR RECONCILING OUTPUT PRODUCED DURING PILOT AND PARALLEL TESTING
EXAMINE PROGRAMS USED TO COMPARE OUTPUT FILES FOR PILOT AND PARALLEL TESTING
EXAMINE RECONCILIATIONS FOR SELECTED TESTS
FINAL APPROVAL
MANAGEMENT
USERS
EDP PERSONNEL
Provides an opportunity to examine the final test results
Make a final judgment on the quality of application controls
Consider changes from the original system design specifications
Ensure that all the errors are corrected
Approve planned procedures for system implementation and operation
What to do?
Scenario
You plan to assess control risk at a low level on final approval as a general control
Review evidence of the approval of new applications by management, users and EDP personnel
Interview management, user and EDP personnel
CONVERSION CONTROL
Numerous errors can result when the master and transaction files are converted to the new system
Control Procedures
File conversion approval should be given before the conversion process begins
Original and new files should be reconciled by record counts, hash totals, and amount totals
Selected portions of records from the original files should be compared with the new files
Confirmation requests should be sent to third parties
Discrepancy reports should be used to detect inconsistencies and correct them
Operational approval should be obtained after users have used the system a few times
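The reconciliation procedure above, as an added example that is not part of the original slides: it computes record counts, hash totals and amount totals for an original and a converted master file, then produces a discrepancy report. The record layout, the sample records and the function names are assumptions constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: (account_no, customer, balance) master-file records.
ORIGINAL = [
    ("100234", "ACME SUPPLY", "1520.75"),
    ("100871", "BAYVIEW TRADING", "310.00"),
    ("101455", "CRUZ HARDWARE", "98.40"),
    ("102009", "DELTA FOODS", "2750.10"),
]
# Converted file: one balance altered, one record dropped (constructed faults).
CONVERTED = [
    ("100234", "ACME SUPPLY", "1520.75"),
    ("100871", "BAYVIEW TRADING", "301.00"),
    ("102009", "DELTA FOODS", "2750.10"),
]

def control_totals(records):
    """Record count, hash total (sum of account numbers, meaningless in
    itself but sensitive to lost or altered keys) and amount total."""
    return {
        "record_count": len(records),
        "hash_total": sum(int(acct) for acct, _, _ in records),
        "amount_total": sum((Decimal(bal) for _, _, bal in records), Decimal("0")),
    }

def discrepancy_report(original, converted):
    """Compare control totals, then match records by key to locate differences."""
    report = []
    old_t, new_t = control_totals(original), control_totals(converted)
    for name in old_t:
        if old_t[name] != new_t[name]:
            report.append(f"TOTAL {name}: original={old_t[name]} converted={new_t[name]}")
    old_by_key = {r[0]: r for r in original}
    new_by_key = {r[0]: r for r in converted}
    for key in sorted(old_by_key.keys() | new_by_key.keys()):
        old, new = old_by_key.get(key), new_by_key.get(key)
        if old is None:
            report.append(f"RECORD {key}: not in original file")
        elif new is None:
            report.append(f"RECORD {key}: missing from converted file")
        elif old != new:
            report.append(f"RECORD {key}: original={old[1:]} converted={new[1:]}")
    return report

if __name__ == "__main__":
    print("\n".join(discrepancy_report(ORIGINAL, CONVERTED)))
```

The control totals show that the files differ; the record-level comparison shows where, which is the evidence the discrepancy report is meant to carry.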
Discrepancy Report
What to do?
Scenario
You plan to assess control risk at a low level on conversion control as a general control
REVIEW PLANS FOR CONTROLLING THE CONVERSION FROM ONE SYSTEM TO ANOTHER
EXAMINE DOCUMENTATION FOR EVIDENCE
EVALUATE THE PROCEDURES TO RECONCILE ORIGINAL AND NEW FILES
REVIEW OR OBSERVE THE USE OF RECORD COMPARISONS AND CONFIRMATION REQUESTS
EXAMINE DISCREPANCY REPORTS FOR EVIDENCE
TEST THE CONVERSION
POSTIMPLEMENTATION REVIEW
INTERNAL AUDIT PERSONNEL
USERS
EDP PERSONNEL
Whether the system is operating as intended
Evaluate effectiveness of the entire process of developing a system
Several months after the implementation of the system
What to do?
Scenario
You plan to assess risk at a low level on the general control of postimplementation review
REVIEW INTERNAL WORKING PAPERS
INTERVIEW SYSTEMS DEV’T STAFF, USERS AND MANAGEMENT
REVIEW THE FINAL REPORT OF THE COMMITTEE
PROGRAM CHANGE CONTROLS
PROGRAM MAINTENANCE
• Changes that resulted from the desire to improve systems, the need to adjust systems to changing business conditions and the need to incorporate new operating, accounting and control policies
PROGRAM ENHANCEMENTS
• Represent major systems revisions (excluded from the definition of program maintenance)
• Tested as full systems development projects
PROGRAM CHANGE CONTROLS: BENEFITS
ENSURE THAT ALL CHANGES TO PROGRAMS ARE PROPERLY APPROVED AND AUTHORIZED
ENSURE ALL AUTHORIZED CHANGES ARE COMPLETED, TESTED AND PROPERLY IMPLEMENTED
SO, CONTROLS ARE REQUIRED OVER PLANNING, DEVELOPMENT AND IMPLEMENTATION OF PROGRAM CHANGES
PLANNING PROGRAM CHANGES
Requires proper approval, authorization and documentation of program change
Program change requests should be approved by the user, by internal audit and by data processing management
All program change requests should be authorized after proper approval (usually by data processing management)
Full documentation of the program change request
Program Change Form
DEVELOPMENT PROGRAM CHANGES
Development only for properly approved and authorized change requests
Program changes should be restricted to systems personnel
The design specifications of program changes should be reviewed and approved by the user and internal audit
Program changes should be completed following established systems, programming and documentation standards
Changes should be made to the test program and not the production program
All program changes should be tested thoroughly before implementation
Upon completion of testing, the program changes and test results should be reviewed and approved
User and operating personnel should be retrained, if necessary, to handle new procedures
IMPLEMENTATION PROGRAM CHANGES
All documentation that is affected by the change should be updated
Control should be established over the conversion to the new program
Conversion should not be permitted before approval of the test results and completion of the changes to documentation
Final approval should be given by data processing management, the user, and internal audit
What to do?
Scenario
You plan to assess risk at a low level on systems change controls
INTERVIEW OPERATIONS AND SYSTEMS PERSONNEL
REVIEW DOCUMENTATION IN SUPPORT OF SELECTED PROGRAM CHANGES
EXAMINE RESULTS OF TESTS PERFORMED ON MODIFIED PROGRAMS
COMPARE THE ORIGINAL PROGRAM SOURCE CODING WITH THE MODIFIED PROGRAM SOURCE CODING
ON A TEST BASIS, SELECT CURRENT APPLICATION PROGRAMS FOR WHICH THERE IS NO DOCUMENTATION OF CHANGES DURING THE PRECEDING YEAR, & COMPARE THE CODE OF CURRENT PROGRAMS WITH THE CODE OF THE SAME PROGRAMS OF A YEAR AGO.
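The last audit step above, as an added example that is not part of the original slides: it selects programs with no documented change for the period, compares their current code with the archived copy from a year ago, and returns a diff for any that differ. The program names, source text, change register and function names are assumptions constructed for illustration.

```python
import difflib
import hashlib

# Constructed sample: program source as archived a year ago and as it runs now.
BASELINE = {
    "PAYCALC": "gross = hours * rate\nnet = gross - tax\n",
    "INVPOST": "qty_on_hand = qty_on_hand - qty_sold\n",
    "ARAGING": "age = today - invoice_date\n",
}
CURRENT = {
    "PAYCALC": "gross = hours * rate\nnet = gross - tax + 50\n",
    "INVPOST": "qty_on_hand = qty_on_hand - qty_sold\n",
    "ARAGING": "age = today - due_date\n",
}
# Programs with an approved change request on file for the period (constructed).
DOCUMENTED_CHANGES = {"ARAGING"}

def digest(source):
    """SHA-256 of the program source, used as a quick equality check."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def undocumented_changes(baseline, current, documented):
    """Return {program: unified diff} for programs with no change record
    whose current code differs from the year-ago copy."""
    findings = {}
    for name in sorted(current):
        if name in documented:
            continue  # covered by reviewing the change documentation instead
        old = baseline.get(name)
        if old is None:
            findings[name] = "no baseline copy: program added without documentation"
        elif digest(old) != digest(current[name]):
            diff = difflib.unified_diff(
                old.splitlines(), current[name].splitlines(),
                fromfile=f"{name} (year ago)", tofile=f"{name} (current)",
                lineterm="")
            findings[name] = "\n".join(diff)
    return findings

if __name__ == "__main__":
    for prog, detail in undocumented_changes(BASELINE, CURRENT, DOCUMENTED_CHANGES).items():
        print(f"UNDOCUMENTED CHANGE in {prog}\n{detail}\n")
```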