microsoft powerpoint - chapter 6- part 2

3/13/2015 1 CHAPTER 6 Systems Development and Documentation Controls Part Two KENT, PORF, MARLON GROUP KPMGroup

Upload: kent-brana-tan

Post on 21-Dec-2015


DESCRIPTION

EDP

TRANSCRIPT

CHAPTER 6

Systems Development and Documentation Controls

Part Two

KENT, PORF, MARLON GROUP KPMGroup

Part Two: OVERVIEW OF PRESENTATION

USER, ACCOUNTING, AND AUDIT PARTICIPATION

TECHNICAL, MGT, USER, AND AUDITOR REVIEW AND APPROVAL

SYSTEM TESTING

FINAL APPROVAL

POSTIMPLEMENTATION REVIEW

DO YOU WANT TO DEVELOP A NEW SYSTEM?

Adequate Internal Control Structure

Built-in Audit Features

Complete Audit Trail

USER PERSONNEL

ACCOUNTING DEPARTMENT STAFF

AUDITORS (INTERNAL AND EXTERNAL)

PARTICIPATE IN THE SYSTEMS DEVELOPMENT

How can this participation be beneficial?

IMPROVED COMMUNICATION BETWEEN USER AND EDP PERSONNEL

USER PARTICIPATION REPRESENTS A FORM OF COMMITMENT & APPROVAL

IMPROVEMENTS IN CONTROLS FROM SUGGESTIONS OF EXPERTS

EVIDENCE FOR COMPLIANCE & INCLUSION OF REQUIRED IC & AUDIT FEATURES

GAIN OF REQUIRED UNDERSTANDING OF EDP APPLICATIONS

What to do?

Scenario

You plan to assess control risk at a low level on participation by the user, accounting, and audit personnel

INTERVIEW FOR EVIDENCE OF THE LEVEL OF PARTICIPATION OF THE USER AND ACCOUNTING DEPT

REVIEW APPROPRIATE DOCUMENTS AND RELATED APPROVALS FOR EVIDENCE

REVIEW THE AUDITORS' WORKING PAPERS


ONGOING REVIEW: BENEFITS

For work accomplished during the process and approval at the end of each phase of the process

REPRESENT STRONG CONTROLS OVER CONTENT OF SYSTEM PROGRAM AND OUTPUTS

ENSURE THAT THE SYSTEM HAS ADEQUATE CONTROLS

FACILITATE MONITORING AND MAINTENANCE OF AN ACCEPTABLE LEVEL OF QUALITY OF OUTPUT FROM EACH PHASE OF THE PROCESS

REVIEW AND APPROVAL: LEVELS

TECHNICAL LEVEL

involves systems and programming supervisors

requires systems supervisors to review the work of systems staff on an ongoing basis

review and approve each phase of the output before submitting it for approval

OUTPUT LEVEL

involves management, users and auditors

requires them to review and approve end products of systems planning and development (excluding programming)

What to do?

Scenario

You plan to assess control risk at a low level on technical, management, user and auditor review and approval

REVIEW THE SECTION OF THE SYSTEMS DEVELOPMENT STANDARDS MANUAL

INTERVIEW TECHNICAL STAFF, MANAGEMENT, AND USERS

REVIEW TECHNICAL AND OUTPUT DOCUMENTATION (FOR SELECTED APPLICATIONS DEVELOPED DURING ACCTG PERIOD)


SYSTEM TESTING: AN IMPORTANT CONTROL

ENSURE THAT SYSTEM WILL OPERATE AS INTENDED

DETERMINE IF SYSTEM'S OPERATION MEETS USER REQUIREMENTS

TEST ALL APPLICATION CONTROLS SO THEY WORK AS INTENDED

SHOW THAT INTRODUCTION OF CORRECT INPUT WILL YIELD CORRECT OUTPUT

VERIFY THAT INCORRECT INPUT, PROCESSING OR OUTPUT WILL BE DETECTED

WHAT IS THE SCOPE & COVERAGE OF SYSTEM TESTING?

MANUAL PHASE

COMPUTERIZED PHASE

PROGRAMS

COMPUTER OPERATIONS

USER ACTIVITIES

CONTROL GROUP FUNCTIONS

JOINT EFFORT IN SYSTEM TESTING

USER PERSONNEL

SYSTEMS PERSONNEL

AUDITORS (INTERNAL AND EXTERNAL)

SYSTEM TESTING: LEVELS

PROGRAM TESTS

Designed to test the processing logic of the programs

Usually applied on a modular or program-by-program basis to facilitate the review process

Software aids can be useful

STRING TESTS

Tests applied also to programs but to a string of logically related programs

To ensure that data are correctly transferred from one program to another in a string

SYSTEMS TESTS

Applied to programs within an application

To ensure that programs all work correctly when they interface with each other

PILOT TESTS

Processing of an actual period's transactions on an after-the-fact basis

To reconcile the results of the new and old systems and to detect and correct differences

PARALLEL TESTS

Method of ensuring that system is processing input correctly

Valuable to detect system errors and for complex systems

What to do?

Scenario

You plan to assess control risk at a low level on system testing (first, review the new systems developed and implemented during the accounting period and the written standards)

REVIEW STANDARDS FOR COMPREHENSIVENESS

INTERVIEW INTERNAL AUDIT AND USER STAFF

REVIEW TEST DATA AND THE RESULTING OUTPUT FOR SELECTED NEW SYSTEMS

REVIEW THE RESULTS OF PROGRAMS AND STRING TESTS

REVIEW RESULTS OF SYSTEM TESTS OF VALID AND INVALID TRANSACTIONS

REVIEW PROCEDURES FOR RECONCILING OUTPUT PRODUCED DURING PILOT AND PARALLEL TESTING

EXAMINE PROGRAMS USED TO COMPARE OUTPUT FILES FOR PILOT AND PARALLEL TESTING

EXAMINE RECONCILIATIONS FOR SELECTED TESTS

Part Two: OVERVIEW OF PRESENTATION

USER, ACCOUNTING AND AUDIT PARTICIPATION

TECHNICAL, MGT, USER, AND AUDITOR REVIEW AND APPROVAL

SYSTEM TESTING

FINAL APPROVAL

POSTIMPLEMENTATION REVIEW

PROGRAM CHANGE CONTROLS

FINAL APPROVAL

MANAGEMENT

USERS

EDP PERSONNEL

Provides an opportunity to examine the final test results

Make a final judgment on the quality of application controls

Consider changes from the original system design specifications

Ensure that all the errors are corrected

Approve planned procedures for system implementation and operation

What to do?

Scenario

You plan to assess control risk at a low level on final approval as a general control

Review evidence of the approval of new applications by management, users and EDP personnel

Interview management, user and EDP personnel

CONVERSION CONTROL

Numerous errors can result when the master and transaction files are converted to the new system

Control Procedures

File conversion approval be given before conversion process begins

Original and new files be reconciled by record counts, hash totals, and amount totals

Selected portions of records from the original files be compared with new files

Confirmation requests be sent to third parties

Discrepancy reports be used to detect inconsistencies and correct them

Operational approval be obtained after users have used the system a few times
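
The reconciliation and discrepancy report described in these control procedures can be sketched as follows. This is an added example, not part of the original slides; the field names (account_no, name, balance) and the sample records are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: a master file before and after conversion.
ORIGINAL = [
    {"account_no": "1001", "name": "Acme Supply", "balance": "1500.00"},
    {"account_no": "1002", "name": "Birch & Co", "balance": "230.50"},
    {"account_no": "1003", "name": "Cedar Ltd", "balance": "-75.25"},
    {"account_no": "1004", "name": "Delta Inc", "balance": "0.00"},
]
CONVERTED = [
    {"account_no": "1001", "name": "Acme Supply", "balance": "1500.00"},
    {"account_no": "1002", "name": "Birch & Co", "balance": "320.50"},  # digits transposed
    {"account_no": "1003", "name": "Cedar Ltd", "balance": "-75.25"},
    # record 1004 was dropped during conversion
]

def control_totals(records):
    """Record count, hash total of the key field, and amount total."""
    return {
        "record_count": len(records),
        "hash_total": sum(int(r["account_no"]) for r in records),
        "amount_total": sum((Decimal(r["balance"]) for r in records), Decimal("0")),
    }

def discrepancy_report(original, converted):
    """List each control-total mismatch, then the records that explain it."""
    report = []
    before, after = control_totals(original), control_totals(converted)
    for name in before:
        if before[name] != after[name]:
            report.append(f"TOTAL {name}: original={before[name]} new={after[name]}")
    old = {r["account_no"]: r for r in original}
    new = {r["account_no"]: r for r in converted}
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            report.append(f"RECORD {key}: missing from new file")
        elif key not in old:
            report.append(f"RECORD {key}: not in original file")
        else:
            for field in old[key]:
                if old[key][field] != new[key].get(field):
                    report.append(
                        f"RECORD {key}: {field} {old[key][field]!r} -> {new[key].get(field)!r}")
    return report

if __name__ == "__main__":
    print("\n".join(discrepancy_report(ORIGINAL, CONVERTED)))
```

The hash total has no accounting meaning; it exists only so that a dropped or substituted record changes a figure even when the amount total happens to agree.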

Discrepancy Report

What to do?

Scenario

You plan to assess control risk at a low level on conversion control as a general control

REVIEW PLANS FOR CONTROLLING THE CONVERSION FROM ONE SYSTEM TO ANOTHER

EXAMINE DOCUMENTATION FOR EVIDENCE

EVALUATE THE PROCEDURES TO RECONCILE ORIGINAL AND NEW FILES

REVIEW OR OBSERVE THE USE OF RECORD COMPARISONS AND CONFIRMATION REQUESTS

EXAMINE DISCREPANCY REPORTS FOR EVIDENCE

TEST THE CONVERSION

POSTIMPLEMENTATION REVIEW

INTERNAL AUDIT PERSONNEL

USERS

EDP PERSONNEL

Whether the system is operating as intended

Evaluate effectiveness of the entire process of developing a system

Several months after the implementation of the system

What to do?

Scenario

You plan to assess risk at a low level on the general control of post implementation review

REVIEW INTERNAL WORKING PAPERS

INTERVIEW SYSTEMS DEV'T STAFF, USERS AND MANAGEMENT

REVIEW THE FINAL REPORT OF THE COMMITTEE

PROGRAM CHANGE CONTROLS

PROGRAM MAINTENANCE

Changes that resulted from the desire to improve systems, the need to adjust systems to changing business conditions and the need to incorporate new operating, accounting and control policies

PROGRAM ENHANCEMENTS

Represent major systems revisions (excluded from the definition of program maintenance)

Tested as full systems development projects

PROGRAM CHANGE CONTROLS: BENEFITS

ENSURE THAT ALL CHANGES TO PROGRAMS ARE PROPERLY APPROVED AND AUTHORIZED

ENSURE ALL AUTHORIZED CHANGES ARE COMPLETED, TESTED AND PROPERLY IMPLEMENTED

SO, CONTROLS ARE REQUIRED OVER PLANNING, DEVELOPMENT AND IMPLEMENTATION OF PROGRAM CHANGES

PLANNING PROGRAM CHANGES

Requires proper approval, authorization and documentation of program change

Program change requests should be approved by the user, by the internal audit and by data processing management

All program change requests should be authorized after proper approval (usually by data processing management)

Full documentation of the program change request

Program Change Form

DEVELOPMENT PROGRAM CHANGES

Development only for properly approved and authorized change requests

Program changes should be restricted to systems personnel

The design specifications of program changes should be reviewed and approved by the user and internal audit

Program changes should be completed following established systems, programming and documentation standards

Changes should be made to the test program and not the production program

All program changes should be tested thoroughly before implementation

Upon completion of testing, the program changes and test results should be reviewed and approved

User and operating personnel should be retrained, if necessary, to handle new procedures

IMPLEMENTATION PROGRAM CHANGES

All documentation that is affected by the change should be updated

Control should be established over the conversion to the new program

Conversion should not be permitted before approval of the test results and completion of the changes to documentation

Final approval should be given by data processing management, the user, and internal audit

What to do?

Scenario

You plan to assess risk at a low level on systems change controls

INTERVIEW OPERATIONS AND SYSTEMS PERSONNEL

REVIEW DOCUMENTATION IN SUPPORT OF SELECTED PROGRAM CHANGES

EXAMINE RESULTS OF TESTS PERFORMED ON MODIFIED PROGRAMS

COMPARE THE ORIGINAL PROGRAM SOURCE CODING WITH THE MODIFIED PROGRAM SOURCE CODING

ON A TEST BASIS, SELECT CURRENT APPLICATION PROGRAMS FOR WHICH THERE IS NO DOCUMENTATION OF CHANGES DURING THE PRECEDING YEAR, & COMPARE THE CODE OF CURRENT PROGRAMS WITH THE CODE OF THE SAME PROGRAMS AS OF A YEAR AGO.

KENT, PORF, MARLON GROUP (VA ROOM 306) KPMGroup
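
The last procedure above, comparing current code with the code of a year ago for programs that have no documented changes, can be sketched as follows. This is an added example, not part of the original slides; the program names, source lines and the set of documented changes are constructed for illustration.

```python
import difflib
import hashlib

# Constructed sample data: program source as archived a year ago and as it runs today.
BASELINE = {
    "PAYCALC": "gross = hours * rate\nnet = gross - tax\n",
    "INVPOST": "post(invoice)\nupdate_ledger(invoice)\n",
    "ARAGING": "bucket = age_in_days // 30\n",
}
CURRENT = {
    "PAYCALC": "gross = hours * rate\nnet = gross - tax\n",
    "INVPOST": "post(invoice)\nupdate_ledger(invoice, approved=True)\n",
    "ARAGING": "bucket = min(age_in_days // 30, 4)\n",
}
# Programs named on an approved program change form during the year (constructed).
DOCUMENTED_CHANGES = {"ARAGING"}

def digest(source):
    """SHA-256 of the source text, used as a quick equality check."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()

def undocumented_changes(baseline, current, documented):
    """Return {program: unified diff} for code that changed with no change form on file."""
    findings = {}
    for program in sorted(current):
        if program in documented:
            continue  # has a paper trail; tested separately against that documentation
        old = baseline.get(program, "")  # a program absent a year ago diffs against nothing
        if digest(old) == digest(current[program]):
            continue  # unchanged, consistent with the absence of documentation
        diff = difflib.unified_diff(
            old.splitlines(), current[program].splitlines(),
            fromfile=f"{program} (a year ago)", tofile=f"{program} (current)",
            lineterm="")
        findings[program] = "\n".join(diff)
    return findings

if __name__ == "__main__":
    for name, diff in undocumented_changes(BASELINE, CURRENT, DOCUMENTED_CHANGES).items():
        print(f"UNDOCUMENTED CHANGE: {name}\n{diff}\n")
```

A finding here means a program was modified outside the change request process, which is the exception this audit test is designed to surface.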