Internal Auditor, June 2017, page 19
To comment on this article, email the author at firstname.lastname@example.org
are they tested? Look into the configuration settings for the higher-risk controls. Which roles permit data entry versus only data view? Are there role combinations that are prohibited? These parameters are often defined in configuration files that can be viewed and modified.
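The two questions above (which roles permit data entry versus view only, and which role combinations are prohibited) are the kind of thing an auditor can answer mechanically once the role catalogue and the user-to-role export are in hand. The following is an added example, not code from the article or from any particular application: it assumes a role catalogue in which each permission name ends in ".entry", ".approve" or ".view", a list of prohibited role pairs, and a user-to-role export, all of which are constructed sample data here.

```python
"""Added example (not from the article): a segregation-of-duties check over
exported role assignments. Role names, permission names, users and the
prohibited pairs are constructed sample data, not from any real system."""
from itertools import combinations

# Constructed role catalogue: role -> set of permissions. Permissions ending in
# ".entry" or ".approve" change data; ".view" permissions are read-only.
ROLE_PERMISSIONS = {
    "AP_CLERK":     {"vendor.view", "invoice.entry"},
    "AP_APPROVER":  {"invoice.view", "invoice.approve"},
    "VENDOR_ADMIN": {"vendor.entry", "vendor.view"},
    "REPORT_USER":  {"invoice.view", "vendor.view"},
}

# Constructed prohibited combinations: holding both roles is a conflict.
PROHIBITED_PAIRS = {
    frozenset({"AP_CLERK", "AP_APPROVER"}),   # enter and approve the same invoice
    frozenset({"VENDOR_ADMIN", "AP_CLERK"}),  # create a vendor and pay it
}

# Constructed user-to-role export, as an auditor might receive it.
USER_ROLES = {
    "alice": {"AP_CLERK", "REPORT_USER"},
    "bob":   {"AP_CLERK", "AP_APPROVER"},
    "carol": {"VENDOR_ADMIN", "AP_CLERK", "REPORT_USER"},
    "dave":  {"REPORT_USER"},
}


def entry_roles(role_permissions):
    """Roles that permit data entry or approval (anything that changes records)."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(p.endswith((".entry", ".approve")) for p in perms))


def view_only_roles(role_permissions):
    """Roles whose every permission is read-only."""
    writers = set(entry_roles(role_permissions))
    return sorted(role for role in role_permissions if role not in writers)


def sod_conflicts(user_roles, prohibited_pairs):
    """Return {user: [conflicting role pairs]} for every user holding a prohibited pair.

    Each user's roles are examined pairwise; a pair is a finding when it matches
    one of the prohibited combinations.
    """
    findings = {}
    for user, roles in user_roles.items():
        hits = [tuple(sorted(pair))
                for pair in map(frozenset, combinations(sorted(roles), 2))
                if pair in prohibited_pairs]
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    print("Data-entry roles:", entry_roles(ROLE_PERMISSIONS))
    print("View-only roles: ", view_only_roles(ROLE_PERMISSIONS))
    for user, pairs in sod_conflicts(USER_ROLES, PROHIBITED_PAIRS).items():
        print(f"{user}: prohibited combination(s) {pairs}")
```

Running this against the sample export flags bob (clerk plus approver) and carol (vendor admin plus clerk) while leaving alice and dave clean; on a real engagement the two dictionaries would be loaded from the application's exported configuration rather than typed in.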
Another major aspect of application control testing is looking at the processing controls. The internal processing is the reason why the application exists, and it might be justifiable to think the controls over processing are low-risk areas. However, the processing controls may not be as accurate as auditors would like, and changes to the software as it is updated may have an impact on the processing controls. The best way to address these concerns is to look at some of the key processes.
Critical Calculations
Discuss any critical calculations with the business owner. Are they performing a manual check or reconciliation? If so, have they ever found an error? If there is still a concern, determine whether there is an application user group where additional details on the internal processes might be available.
Custom Calculations
Identify any custom calculations that have been incorporated into the application. Because this introduces another potential source of errors, internal auditors should determine who can create custom codes and assess how they are tested. Some custom calculations may be a low risk. For other calculations, especially where the skills to review code might be lacking, the risk may be high or unknown.
Configuration Settings
Some processes have mandatory checks, approvals, and thresholds, but some applications allow these controls to be overridden. If this is the case, internal auditors should look at the configuration settings to identify whether what is allowed is also compliant with the procedures. Also, check the local procedures to ensure that overrides, if allowed, have procedural limitations.
If the application receives its data from another application, or if it sends results to another application, then auditors should review the interface controls. These are a special case of input and output controls.
Error Detection
The file transfer process should include the error detection from the data packets of the network protocols (Open Systems Interconnection (OSI) layer 3), so if the file was sent directly, auditors can be fairly confident that the data was sent or received. But if a less secure protocol is used for the transfer, inquire whether there are other controls such as checksums and record totals that can be used to confirm the data received is complete.
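The checksums and record totals mentioned above are simple to test once the sender publishes them alongside the file. The following is an added example, not code from the article: it assumes a CSV payload with an "id,amount" header and a sender-side manifest carrying a SHA-256 digest, a record count and a control total of the amount column (the manifest layout is an assumption made here, not a standard). The sample file, its truncated copy and its silently altered copy are constructed inline.

```python
"""Added example (not from the article): verifying a received file against the
sender's checksum, record count and control total. The payload and manifest
format are constructed for illustration."""
import csv
import hashlib
import io
from decimal import Decimal, InvalidOperation

# Constructed payload as the sender produced it (three records, amounts total 1525.75).
SENT = b"id,amount\n1001,250.00\n1002,75.50\n1003,1200.25\n"
# Constructed failure cases: a transfer that lost the last record, and one where
# a single digit changed in transit (same length, same record count).
TRUNCATED = b"id,amount\n1001,250.00\n1002,75.50\n"
ALTERED = SENT.replace(b"75.50", b"76.50")


def parse_records(data: bytes):
    """Parse an id,amount CSV payload into [(id, Decimal amount), ...]."""
    reader = csv.DictReader(io.StringIO(data.decode("utf-8")))
    return [(row["id"], Decimal(row["amount"])) for row in reader]


def make_manifest(data: bytes) -> dict:
    """Sender side: digest, record count and control total of the amount column."""
    records = parse_records(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "record_count": len(records),
        "control_total": str(sum((amt for _, amt in records), Decimal("0"))),
    }


def verify_transfer(data: bytes, manifest: dict) -> list:
    """Receiver side: return a list of findings; an empty list means the file checks out.

    The digest catches any change at all; the count and control total are the
    weaker but independently obtainable checks the article refers to, and they
    still pinpoint what is missing when no digest was sent.
    """
    findings = []
    if hashlib.sha256(data).hexdigest() != manifest["sha256"]:
        findings.append("checksum mismatch")
    try:
        records = parse_records(data)
    except (UnicodeDecodeError, KeyError, InvalidOperation, TypeError) as exc:
        return findings + [f"unparseable payload: {exc!r}"]
    if len(records) != manifest["record_count"]:
        findings.append(f"record count {len(records)} != {manifest['record_count']}")
    total = str(sum((amt for _, amt in records), Decimal("0")))
    if total != manifest["control_total"]:
        findings.append(f"control total {total} != {manifest['control_total']}")
    return findings


if __name__ == "__main__":
    manifest = make_manifest(SENT)
    for label, received in (("intact", SENT), ("truncated", TRUNCATED), ("altered", ALTERED)):
        print(f"{label}: {verify_transfer(received, manifest) or 'OK'}")
```

The truncated copy fails all three checks, while the altered copy passes the record count and is caught only by the control total and the digest, which is why a record count on its own is not sufficient evidence of completeness.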
API Limits
For many applications, internal auditors also can look into the application programming interfaces (APIs) that are being used. APIs define the interface between the application layer and the transport layer (two more OSI layers). Auditors can look them up online to determine whether there is a risk of data corruption or data leakage. Depending on the application, there also may be issues with bandwidth or timing that the API requires to ensure the application functions appropriately.
Many other aspects of application control testing can be incorporated into an audit. Before auditors finalize their audit plan, they should consider these aspects of control to ensure they have identified all the highest risks:
• Output controls look at the destination of the application output.
• Storage controls focus on the database structure on which the application relies.
• Monitoring controls look at access logs, input and output file transfer logs, and super-user access.
• Configuration management addresses the procedures surrounding updates to the configuration of the application and its supporting database and operating system.
• Change control and patch management look at how changes to the application are tested and implemented.
Work With Business Owners
Because applications are critical to businesses, application controls represent a risk that internal auditors should test. Auditors should discuss the process, the applications, and the controls with business owners to reach a consensus on the high-risk areas and focus internal audit's efforts.
Richard B. Fowler, CIA, CRMA, CFE, CISA, is senior audit specialist with Huntington Ingalls Industries in Newport News, Va.