Module 6

Business Application
Software Audit

MODULE 6: BUSINESS APPLICATION

SOFTWARE AUDIT
Table of Contents
MODULE 6: BUSINESS APPLICATION SOFTWARE AUDIT ....................................................1
SECTION 1: OVERVIEW ................................................................................................................9
MODULE 6: BUSINESS APPLICATION SOFTWARE AUDIT (12%) .........................................9
Objective: .....................................................................................................................................9
Learning Objectives .....................................................................................................................9
Task Statements ..........................................................................................................................9
Knowledge Statements .............................................................................................................10
Relationship between Task and Knowledge statements ........................................................10
Knowledge Statement Reference Guide ..................................................................................12
Mapping of cases to chapters ...................................................................................................15
SECTION 2: CONTENTS ..............................................................................................................17
Definition: ...................................................................................................................................17
Learning Objective.....................................................................................................................17
Chapter 1: Business Process and Business Application......................................................18
Part 1: Enterprises business models........................................................................................18
1.1 Introduction ..........................................................................................................................18
1.2. Business Models and controls ...........................................................................................18
1.3 Business Model, Business Process and Business Applications ......................................18
1.3.1 Business Process ........................................................................................................18
1.3.2 Business Processes and Control Structure ...............................................................19
1.3.3 Business Applications .................................................................................................19
Definition ...........................................................................................................................19
1.4 Business model and risk assessment ................................................................................20
1

Introduction ............................................................................................................................20
1.4.1 Auditing Standards ......................................................................................................20
ISACA Standards .............................................................................................................20
ICAI Standards .................................................................................................................20
Internal Audit Standards ..................................................................................................21
1.4.2 Risk assessment for a business application used by organisation ..........................21
1.5 Case Study ..........................................................................................................................22
Case for participants .................................................................................................................24
Part 2: Business Application Software as per Enterprises Business Model .....................25
Learning Objectives ...................................................................................................................25
Introduction ................................................................................................................................25
2.1 Business Application Software: Parameters of selection..................................................25
2.2 Types ...................................................................................................................................26
2.3 Key features and controls for business applications .........................................................27
Part 3: Case Studies ....................................................................................................................29
Case for participants ........................................................................................................31
2.4 Questions .............................................................................................................................32
2.5 Answers and Explanations .................................................................................................33
Chapter 2: Application Control ..................................................................................................35
Part 1: Application controls review ...........................................................................................35
Learning Objective.....................................................................................................................35
1.1 Introduction ..........................................................................................................................35
1.1.1 Application controls .....................................................................................................35
1.1.2 Internal controls ...........................................................................................................35
1.2 Objectives of application control and key business information requirements ................36
1.2.1 Objectives ....................................................................................................................36
1.2.2 Information Criteria ......................................................................................................36
1.2.3 Application controls objectives....................................................................................37
2

1.2.4 Control practices ..........................................................................................................38

1. Source Data Preparation and Authorisation ...............................................................38
2. Source data collection and entry .................................................................................39
3. Accuracy, completeness and authenticity checks ......................................................39
4. Processing integrity and validity ..................................................................................40
5. Output review, reconciliation and error handling ........................................................41
6. Transaction authentication and integrity .....................................................................41
Part 2: Application controls review ...........................................................................................43
2.1 Review of application control various business application ..............................................43
2.1.1 Need for application control review ............................................................................43
2.1.2 How to perform application review? ...........................................................................43
2.2 Review of business application controls through use of audit procedures ......................44
2.3 Application controls review for specialised system ...........................................................44
2.3.1 Artificial Intelligence (AI) ..............................................................................................44
IS Auditor's Role ...............................................................................................................45
2.3.2 Data Warehouse ..........................................................................................................45
IS Auditor's Role ...............................................................................................................45
2.3.3 Decision Support System (DSS) ................................................................................45
IS Auditors role ................................................................................................................46
2.3.4 Electronic Fund Transfer (EFT) ..................................................................................46
IS Auditors role ................................................................................................................46
2.3.5 E-commerce.................................................................................................................47
Risks of E-commerce .......................................................................................................47
IS Auditors role ................................................................................................................47
2.3.6 Point of Sale System (PoS) ........................................................................................47
IS Auditors role ................................................................................................................47
2.3.7 Automatic Teller Machines (ATM) ..............................................................................48
IS Auditor's Role ...............................................................................................................48
3

Part 3: Cases of Application controls .......................................................................................49

3.1 Proper design of source document ....................................................................................49
Case of an educational/vocational institute collecting fees from students ........................49
3.2 Exception reporting .............................................................................................................51
What is the benefit? ..............................................................................................................52
What is the loss if above items are not checked? ...............................................................52
3.3 Case for Dependency check: .............................................................................................53
3.4 Reasonableness Check ......................................................................................................55
3.5 Case to highlight necessity of duplicate check ..................................................................55
3.6 Obsolete stock reporting .....................................................................................................56
3.7 Report on Sales below cost price .......................................................................................57
3.8 Report on TDS deducted but not remitted in time .............................................................57
3.9 Questions .............................................................................................................................58
3.10 Answers and Explanations ...............................................................................................60
Chapter 3: Auditing Application Control ..................................................................................63
Part 1: Audit Program for review of application software .....................................................63
Learning Objectives ...................................................................................................................63
1.1 Introduction ..........................................................................................................................63
1.2 Why IS Audit? ......................................................................................................................63
1.3 What is IS Audit? .................................................................................................................65
1.4 How to perform IS Audit? ....................................................................................................66
1.5 Audit mission .......................................................................................................................67
1.6 Performing an IS Audit ........................................................................................................67
1.7 Steps of IS Audit ..................................................................................................................68
1.8 Audit program for key business application .......................................................................69
1.9 Computer Assisted Audit Techniques ................................................................................69
1.9.1 Needs for CAAT...........................................................................................................69
1.9.2 Types of CAAT ............................................................................................................70
4

1. Generalised Audit Software (GAS) .............................................................................71

2. Specialised Audit Software (SAS) ...............................................................................71
3. Utility Software..............................................................................................................71
1.9.3 Typical Steps in using GAS ........................................................................................72
1.9.4 Selecting, implementing and using CAATs ................................................................72
1. 10 Continuous Auditing Approach ........................................................................................73
1.10.1 Techniques for Continuous Auditing ........................................................................73
1. Snapshot .......................................................................................................................73
2. Integrated Test Facility (ITF) .......................................................................................74
3. System Activity File Interrogation ................................................................................74
4. Embedded Audit Facilities ...........................................................................................75
5. Continuous and Intermittent Simulation ......................................................................75
1.11 Case on using MS Excel to find Duplicate / Missing Sales Invoice .............................75
1.11.1 Steps to be performed in above case through use of excel....................................76
1.11.2 Cases on how to use continuous auditing ...............................................................77
1. Snapshot .......................................................................................................................77
2. Integrated Test Facility (ITF) .......................................................................................78
Part 2: Compliance testing and Substantive testing ..............................................................79
2.1 Compliance Testing ............................................................................................................79
2.1.1 Purpose ........................................................................................................................79
2.2 Substantive Testing .............................................................................................................80
2.2.1 Purpose ........................................................................................................................80
2.3 Relationship between compliance and substantive testing ..............................................80
Part 3: Impact of Business application software on Business processes / controls .......81
3.1 Case: Highlight need for redefining business process ......................................................81
a. To know: Teeming and Lading fraud ..........................................................................81
b. Why this fraud occurs? ................................................................................................81
c. How to control the risk in business application system? ............................................81
5

d. What TALLY users need to do? ..................................................................................82

3.2 Procedures to manage changes to business processes and impact on controls ...........82
Part 4: User Controls ..................................................................................................................83
4.1 Principles to follow while granting user rights ....................................................................83
4.2 Creating users for different level of use .............................................................................83
4.2.1 Key requirement ..........................................................................................................83
4.2.2 IS Auditor key checkpoints ..........................................................................................84
i. Who has the authority to create user rights? ...............................................................84
ii. Authorisation procedure before creating user rights? ................................................84
iii. Validation of user rights created in system? ..............................................................84
iv. Process of alteration of user rights? ...........................................................................85
v. Keeping track of user actions? ....................................................................................85
4.3 Creating users for different level of use .............................................................................85
Case Studies .........................................................................................................................85
1. User rights review Audit ...............................................................................................85
2. GM (F) who left the company. ....................................................................................86
Part 5: Database controls ...........................................................................................................87
5.1 Key features of database ....................................................................................................87
5.1.1 Database architecture .................................................................................................87
5.2 Database Security and Control...........................................................................................87
5.3 User creation in database ...................................................................................................88
5.4 Structured Query Language ...............................................................................................90
5.4.1 Components of SQL ....................................................................................................90
5.4.2 Language elements of SQL ........................................................................................91
5.5 SQL commands for reporting .............................................................................................91
Part 6: Financial Reporting and Regulatory requirement in Information Systems ..........93
6.1 Nature of compliances ........................................................................................................93
6.2 Who is responsible for accuracy and authenticity of reports? ..........................................94
6

6.3 Validation of statutory reports from business application software ..................................95

Case on validation of statutory rates in business application software .........................95
1. PF rates are not properly defined ................................................................................95
2. TDS rates are not correctly specified ..........................................................................97
Part 7: System Audit Report format as per best practices ................................................ 101
7.1 Reporting Standards ........................................................................................................ 101
7.1.1 Case to prepare report in specified format.............................................................. 102
7.2 Questions .......................................................................................................................... 103
7.3 Answers and Explanations .............................................................................................. 104
SECTION 3: APPENDIX ............................................................................................................ 107
Appendix 1: Checklist for Application Controls .................................................................. 107
Appendix 2: ATM Audit Checklist .......................................................................................... 113
Appendix 3: Application Software Checklist ........................................................................ 113
Appendix 4: User Rights Creation Checklist ........................................................................ 113
Appendix 5: Review of business applications impact on controls ................................. 117
Appendix 6: System Audit Report .......................................................................................... 118
Appendix 7: Sample Audit Report Of Application Software .............................................. 121

SECTION 1: OVERVIEW
MODULE 6: BUSINESS APPLICATION
SOFTWARE AUDIT (12%)
Objective:
Provide assurance or consulting services to validate whether required controls have been
designed, configured and implemented in the application software as per enterprise and
regulatory requirements and provide recommendations for mitigating control weaknesses
as required.

Learning Objectives

To understand business processes and business application software.

To understand the business application implemented controls by organisations.
To provide assurance on business application software and the implemented controls
through business application audit.

Task Statements
6.1 Assess the enterprise business models by performing preliminary review of effectiveness of
the entitys business processes and embedded controls
6.2 Assess business processes - risks assessment and control evaluation in the context of
business strategy, impact of business application software on Business processes/controls
6.3 Assess Business processes by performing preliminary review of adequacy of controls
6.4 Identify and document information technology environment and platforms, technology
architecture, network, system software and application environment to assess control architecture.
6.5 Identify application controls in Data warehouse, Data Mart, DSS, ESS, AI, EFT, etc.
6.6 Identify various types of Business Applications like ERP, Banking, Accounting
6.7 Prepare audit program for planning and perform review of application software
6.8 Identify information systems that are used to process and accumulate transactional data, as
well as provide monitoring and financial reporting information and assess the controls.
6.9 Review enterprise security policy relating to the identification, authentication and restriction of
users to authorized functions and data.
6.10 Assess procedures to manage changes to business processes and impact on controls
6.11 Review database structure and tables, user creation, access levels and user management.
6.12 Evaluate application software configuration and user management features such as user
rights and administration and map them with enterprise policies relating to segregation of duties by
reviewing user rights granted to specific roles and responsibilities.

Module 6
6.13 Evaluate internal control systems in application software relating to system design, data
creation/input, data processing, data flow, data transmission and data storage.
6.14 Use reporting, query and SQL features as required for reviewing controls.
6.15 Audit specific application software users; assess business system functionality, user rights
and segregation of duties levels of authorization, and data security by performing analytical
procedures review, compliance testing and substantive testing.
6.16 Assess application software controls and identify areas of weaknesses in controls and advise
remedial measures
6.17 Communicate/Report findings in specific format using standards/best practices as required.
6.18 Performing review of application controls as relevant for assurance or compliance
assignments.

Knowledge Statements
6.1 Enterprise business models
6.2 Key features and functionalities of application software
6.3 Business processes controls, Analytical procedures, compliance testing and substantive
testing
6.4 Risk assessment and control evaluation in the context of business strategy
6.5 Impact of Business application software on Business processes/controls
6.6 Information systems and financial reporting and regulatory requirements for controls.
6.7 structure, roles and responsibilities
6.8 Application controls in Data warehouse, Data Mart, DSS, ESS, AI, EFT, EDI, etc.
6.9 Various types of Business Applications like ERP, Banking, Accounting, etc.
6.10 Procedures to manage changes to business processes and impact on controls
6.11 Audit program for planning and perform review of application software
6.12 Application system software environment at different levels
6.13 Database architecture: database structure and tables, user creation and administration,
reporting, query and SQL Features
6.14 Key business system users, key functionality, user rights and segregation of duties levels of
authorization, and data security
6.15 Controls at different levels, areas of control weaknesses, risk rating and remedial measures
6.16 Report findings in specific format using standards/best practices as required.
6.17 Application controls review as relevant for assurance or compliance assignments.

Relationship between Task and Knowledge statements

The task statements are what the ISA Candidate is expected to know how to perform. The
knowledge statements delineate each of the areas in which is ISA candidate must have a good
understanding in order to perform the tasks. The task and knowledge statements are mapped in
the chart below. Note that although there is often overlap, each task statement will generally map
to several knowledge statements.
10

Section 1
Task Statement
6.1 Assess the enterprise business models by
performing preliminary review of effectiveness
of the organisations business processes and
embedded controls.

Knowledge Statement
1 Enterprise business models
Key features and functionalities of
application software

6.2 Assess business processes: risks

assessment and control evaluation in the
context of business strategy, impact of
business application software on Business
processes/controls
6.3 Assess Business processes by
performing preliminary review of adequacy of
controls
6.4 Identify and document information
technology environment and platforms,
technology architecture, network, system
software and application environment to
assess control architecture.
6.5 Identify application controls in Data
warehouse, Data Mart, DSS, ESS, AI, EFT,
EDI
6.6 Identify various types of Business
Applications like ERP, Banking, Accounting
6.7 Prepare audit program for planning and
perform review of application software
6.8 Identify information systems that are used
to process and accumulate transactional data,
as well as provide monitoring and financial
reporting information and assess the controls.

3 Business processes controls, Analytical

procedures, compliance testing and
substantive testing

6.9 Review enterprise security policy relating

to the identification, authentication and
restriction of users to authorized functions
and data.

10 Application system software environment

at different levels

4 Risk assessment and control evaluation in

the context of business strategy
5 Impact of Business application software on
Business processes/controls

6 Application controls in Data warehouse,

Data Mart, DSS, ESS, AI, EFT, EDI
7 Various types of Business Applications like
ERP, Banking, Accounting
8 Audit program for planning and perform
review of application software
9Information systems and financial reporting
and regulatory requirements for controls.

11 Organisation structure, roles and

responsibilities
12 Procedures to manage changes to
business processes and impact on controls

6.10 Assess procedures to manage changes

to business processes and impact on controls

11

Module 6
6.11 Evaluate application software
configuration and user management features
such as user rights and administration and
map them with enterprise policies relating to
segregation of duties by reviewing user rights
granted to specific roles and responsibilities.
6.12 Evaluate internal control systems in
application software relating to system
design, data creation/input, data processing,
data flow, data transmission and data
storage.
6.13 Review database structure and tables,
user creation, access levels and user
management.

13 Key business system users, key

functionality, user rights and segregation of
duties levels of authorization, and data
security
14 Controls at different levels, areas of
control weaknesses, risk rating and remedial
measures
15 Database architecture: database structure
and tables, user creation and administration,
reporting, query and SQL Features

6.14 Use reporting, query and SQL features

as required for reviewing controls.
6.15 Audit specific application software users;
assess business system functionality, user
rights and segregation of duties levels of
authorization, and data security by performing
analytical procedures review, compliance
testing and substantive testing.
6.16 Assess application software controls and
identify areas of weaknesses in controls and
advise remedial measures
6.17 Performing review of application controls
as relevant for assurance or compliance
assignments.
6.18 Communicate/Report findings in specific
format using standards/best practices as
required.

16 Application controls review as relevant for

assurance or compliance assignments.

17 Report findings in specific format using

standards/best practices as required.

Knowledge Statement Reference Guide

Each knowledge statement is explained in terms of underlying concepts and relevance of the
knowledge statement to the ISA Candidate. It is essential that the candidate understand the
concepts. The knowledge statements are what the IS Auditor must know in order to accomplish
the tasks. Consequently, only the knowledge statements are detailed in this section. The sections
identified in the matrices are described in greater detail in the following chapters of this module.

12

Chapter

Part

Para

Section 1

Business Models and controls

Key features and functionalities of application software

1.2

Business Models and controls

3 Business processes controls, Analytical procedures,
compliance testing and substantive testing
Business Model, Business Process and Business Applications
Business Model and Risk Assessment
4 Risk assessment and control evaluation in the context
of business strategy
5 Impact of Business application software on Business
processes/controls
6 Application controls in Data warehouse, Data Mart, DSS,
ESS, AI, EFT, EDI
Review of Application Control various business application
7 Various types of Business Applications like ERP,
Banking, Accounting
Review of Application Control various business application
Review of business application controls through use of audit
procedures
8 Audit program for planning and perform review of
application software
Audit program for key business application
9 Information systems and financial reporting and
regulatory requirements for controls.
Nature of compliances
Who is responsible for accuracy and authenticity of reports?
Validation of statutory reports from business application
software
10 Application system software environment at different
levels
Review of Application Control various business application
Review of business application controls through use of audit
procedures
Application controls review for specialised system

1.2

1.3
1.4

2.1

2.1

Topic Heading
1 Enterprise business models

13

1
1

2.2

1.6

6.1
6.2
6.3

2.1
2.2
2.3

Module 6
11 Organisation structure, roles and responsibilities
Principles to follow while granting user rights
Creating users for different level of use
Creating users for different level of use
12 Procedures to manage changes to business processes
and impact on controls
13 Key business system users, key functionality, user
rights and segregation of duties levels of authorization,
and data security
Review of business application controls through use of audit
procedures
14 Controls at different levels, areas of control
weaknesses, risk rating and remedial measures
Business Application software: Parameters of selection
Compliance Testing
Substantive Testing
Relationship between compliance and substantive testing
15 Database architecture: database structure and tables,
user creation and administration, reporting, query and
SQL Features
Key features of database
Database security and control
User creations in database
Structured Query Language
SQL commands for reporting
16 Application controls review as relevant for assurance
or compliance assignments.
Compliance Testing
Substantive Testing
Relationship between compliance and substantive testing
17 Report findings in specific format using standards/best
practices as required.
Nature of compliances
Who is responsible for accuracy and authenticity of reports?
Validation of statutory reports from business application
software

14

4.1
4.2
4.3

2.2

2
3

2
2

2.1
2.1
2.2
2.3

5.1
5.2
5.3
5.4
5.5

2.1
2.2
2.3

6.1
6.2
6.3

Section 1

Mapping of cases to chapters

Part

Para

Case Study

Sl. No

Chapter

The scope of Module 6 is Business Application Software Audit. There are a number of cases
(practical case studies) which have been discussed in the module. A chapter wise mapping of the
cases is given.

1.5

1.5

CHAPTER 1
1

3
4

To understand the concept of risk assessment of a business

application and its impact of other audit procedures to be
adopted by auditor.
Case for participants: Issue to audit: A prepare a risk
assessment table to see; Whether the business application
used by organisation restricts negative cash balance.
To check whether the application used by the organisation is
appropriate for the business purpose.
Case for participants Audit Objective: To check whether the
application used by the organisation is appropriate for the
business purpose
CHAPTER 2

a. Proper design of source document: Case of an educational

institute collecting fees from students.

b. Exception reporting: 1. Exception reporting in TALLY.

Exception reporting in bank.

c. Dependency check: Case of validating two related field of

employee database

d. Reasonableness Check: Case of Purchase Order in excess

of five times vendors annual sale

e. Duplicate Check: Case of double payment made to vendors

against one purchase invoice.
Obsolete stock
Sales below cost price
TDS deducted but not remitted in time
CHAPTER 3

2
2
2

3
3
3

10
11
12

15

Module 6
13
14
15
16
17
18
19
20
21
22
23

To perform IS audit as an exercise needs to precede financial

audit
Using MS Excel as an Audit Tool
Case on concurrent audit techniques
Snapshot
Integrated Test Facility (ITF)
Embedded Audit Facilities
To highlight importance of re-defining the business process to
suit the requirements of the selected business application.
User Rights Review Audit
GM (F) leaving the company
PF rates not properly defined
Wrong classification of TDS
To help document a IS audit report for a companys password
management policy

16

3
3
3, 1

1
1
1 /1

3
3
3
3
3

3
3
6
6
7

1.1

SECTION 2: CONTENTS
This module has been written with an objective to help participants learn about the business
application software, and audit of these business applications. Application software is most critical
component of any IT infrastructure used in organisations as this processes the business
transactions for all types of organisations. Hence, it is imperative for an IS Auditor to learn the
process of performing a business application audit.
This module has three chapters.

Chapter 1: Deals with business application softwares, business processes and business
models. The chapter elaborates the nature of business applications that may be used by
entities.
Chapter 2: Deals with application controls in business application software. It further
elaborates relevance of application controls in business operations of an organisation.
Chapter 3: Deals with audit of the business application software. This chapter discusses
database controls and user controls. It also provides guidance on how to prepare IS audit
reports.

Definition:
Business application software audit module is focused on providing practical guidance to members
of ICAI. The module is written with an objective to provide hands on training to members. A DISA
should be able to understand how to perform a business application software audit after going
through this module.

Learning Objective

To understand business processes and business application software.

To understand how business application controls are implemented.
To provide assurance on business application software and the implemented controls by
performing business application software audit.

This module discussed the various business models used by an organisation for their business
purposes. There is a direct co-relation between the business model adopted by an organisation
and the goals of the organisation. The same co-relation extends to the nature of controls that are
put in place by the organisation to achieve its business objectives. The primary objective of this
module is to provide understanding about business processes, business application software and
controls implemented in business application software. This will enable IS Auditors to provide
assurance or consulting services in the critical area of business application audit.

Module 6

CHAPTER 1: BUSINESS PROCESS AND

BUSINESS APPLICATION
PART 1: ENTERPRISES BUSINESS MODELS
1.1 Introduction
A business model describes the rationale of how an organization creates, delivers and creates
value (economic, social, cultural, or other forms of value). The process of business model
construction is part of business strategy. AS per Oxford Dictionary, it is two different words
meaning, Persons particular version of product / service, delivery. A business model can be thus
said to be a way an organization delivers its product / service to customers, strategies to do
business, infrastructure, trading practices, and operational processes and policies. Business
models are a necessary outcome of the vision, mission statements of an organization.
Business models can be varied in nature, like traditional that is sales through retailer or modern
that sales through e-commerce. Each business model represents a different business objective for
an organisation. It is also important to understand that an organisation is not restricted to a specific
business model, an organisation may adopt more than one business model to deliver its product /
services.

1.2. Business Models and controls

Each business model shall have a basic control structure built into its processes. The controls
structure is also dependent upon the business application software that is being used by the
organisation. Control structures are relevant for each business model. The nature of control, the
way they are implemented and executed depends upon the business model being put to use. Each
business model has its set of risks. The risk associated with the way business model works has a
direct link to the nature of controls being put in place.

1.3 Business Model, Business Process and Business

Applications
1.3.1 Business Process
Business Process is defined as way / method of arranging a set of activities / tasks to achieve a
specific business objective or manufacture a product or deliver a service. Business processes as
discussed shall be implemented by an organisation through the business applications it is using.
18

Chapter 1, Part 1: Enterprises Business Models

1.3.2 Business Processes and Control Structure

1. Each business cycle used by an organisation has a defined control structure that has a
direct co-relation to the business model used.
2. Organisations have to document business processes and identify key control points.
3. Organisations have to ensure that the key control points are configured in system.
4. IS auditors have to obtain understanding of the above, to assess associated business
risk, implemented controls and provide assurance whether the available controls are
adequate and appropriate as per business requirements. In case of control weakness,
they have to provide recommendations for risk mitigation or performance improvement as
required as per scope of assignment.

1.3.3 Business Applications

Definition
Business Application, may be defined as applications (meaning computerized software) used by
organisation to run its business. The consideration is whether the said application covers /
incorporates the key business processes of the organisation. Another important consideration is
whether the control structure as available in the Business Application is appropriate to help
organisation achieve its goals. Business applications are where the necessary controls needed
to run business are put in place. The business processes and related controls are put in place
through business applications used by an organisation.

Business Model

Business Process

Business
Application

Figure 1: Business model relationship

Organisations use business application as per the business models adopted and the business
goals set by management. There are a multitude of business applications and we will discuss some
of the critical business applications later in this chapter/module.

19

Module 6

1.4 Business model and risk assessment

Introduction
It is critical for an IS Auditor to understand the business model adopted by an organisation so as
to get better understanding of risks associated with the business model adopted by the
organisation. Auditing standards issued by standards setting bodies across the world highlight the
critical need for performing risk assessment.

1.4.1 Auditing Standards

ISACA Standards
ISACA ITAF, 1201 Engagement Planning, identifies risk assessment as one of the key aspects
and states that IS audit and assurance professionals, have to;

Obtain an understanding of the activity being audited. The extent of the knowledge
required should be determined by the nature of the enterprise, its environment, areas of
risk, and the objectives of the engagement.
Consider subject matter guidance or direction, as afforded through legislation,
regulations, rules, directives and guidelines issued by government or industry.
Perform a risk assessment to provide reasonable assurance that all material items will be
adequately covered during the engagement. Audit strategies, materiality levels and
resource requirements can then be developed.
Develop the engagement project plan using appropriate project management
methodologies to ensure that activities remain on track and within budget.

ICAI Standards
SA 200 Overall Objectives of the Independent Auditor and the conduct of an audit in accordance
with standards on Auditing, Issued by ICAI, requires an auditor to plan an audit and get following
information: The auditor should plan his work to enable him to conduct an effective audit in an
efficient and timely manner. Plans should be based on knowledge of the clients business. Plans
should be made to cover, among other things:
a. Acquiring knowledge of the clients accounting system, policies and internal control
procedures;
b. Establishing the expected degree of reliance to be placed on internal control;
c. Determining and programming the nature, timing, and extent of the audit procedures to
be performed; and
d. Coordinating the work to be performed.

20

Chapter 1, Part 1: Enterprises Business Models

The first step to by an IS auditor is to obtain knowledge about the business of the organisation, do
risk assessment and decide on the specific and additional audit procedures to complete the audit.
The above steps used in a case discussed below at section 1.5

Internal Audit Standards

SIA 14, on INTERNAL AUDIT IN INFORMATION TECHNOLOGY ENVIRONMENT, as issued by
ICAI, states that; The internal auditor should consider the effect of an IT environment on the
internal audit engagement, inter alia:
a. the extent to which the IT environment is used to record, compile, process and analyse
information; and
b. The system of internal control in existence in the organisation with regard to: the flow of
authorised, correct and complete data to the processing centre; the processing, analysis
and reporting tasks undertaken in the installation.

1.4.2 Risk assessment for a business application used by organisation

Risk assessment is a necessary initial procedure to be adopted by IS Auditors, so that they can
determine the nature, timing, and extent of the audit procedures to be performed; ISACA ITAF
1202, states IS auditors have to consider subject matter risk, audit risk and related exposure to the
enterprise.
1. Subject matter risk, relates to business risk, country risk, contract risks. These are
important for an IS auditor to consider but merged with inherent risk (discussed later).
2. Audit risk, is define as auditor reaching incorrect conclusion after an audit. The
components of audit risk being control risk, inherent risk and detection risk.
Control risk is defined as failure of a control to prevent, detect a material error that
exists in system.
Inherent risk is defined as risk arising without taking into account a planned action by
management to reduce the risk. Simply said it related to nature of transaction /
business.
Detection risk is defined as failure of an audit procedure to detect an error that might
be material individually or in combination of other errors.
The above risk assessment will lead to conclusion and extent of compliance testing and other
substantive audit processes to be adopted by the IS Auditors in an audit of business application
system. As per COBIT Business process controls are activities designed to achieve the broad
range of management objectives for the process as a whole. Application controls, on the other
hand, are the sub-set of business process controls that relate specifically to the applications and
related information used to enable those business processes.
21

Module 6

1.5 Case Study

Objective: To understand the concept of risk assessment of a business application and its impact
of other audit procedures to be adopted by auditor.
Issue under consideration: For tax audits done under section 44AB of Income Tax Act, 1961,
auditor has to list cash expenses done by an organisation in excess of Rs.20,000/-. These
expenses disallowed as a business expense under 40A (3) of the Income Tax Act, 1961.
Business consideration for above issue: Any amount of expense in excess of Rs.20, 000/- in
cash shall result in the expense being disallowed as a business expense. The same shall lead to
increase in tax liability and related.
Business Applications used: Two different business applications are being considered.
1. Accounting application: The organisation is using TALLY as its business application.
2. ERP Application: The organisation is using SAP as its business application.
A comparative analysis illustrates the impact of business application on audit procedure
Sl. No.

Description

Business Application under consideration

Auditor audit shall plan include the following steps:

a. acquiring knowledge of the clients accounting system, policies and internal
control procedures;
b. establishing the expected degree of reliance to be placed on internal
control;
c. determining and programming the nature, timing, and extent of the audit
procedures to be performed;
Accounting Application ERP Application
Steps
[TALLY]
[SAP]
First step: Acquiring
Basic configuration in the
knowledge of the clients
The system can be
system does not have an
accounting system, policies
configured to restrict
option to restrict
and internal control
payment in excess
payments in excess of
procedures;
Rs.20,000/Rs.20, 000/-.
IMPACT of the above on auditors assessment of risk.

22

Chapter 1, Part 1: Enterprises Business Models

Sl. No.

Inherent risk assessment

Description

Business Application under consideration

Accounting Application
[TALLY]

This status keeps the

related inherent risk low
regarding noncompliance with law.

This increases the

inherent risk, vis--vis
non-compliance with law.

b. establishing the
expected degree of
reliance to be placed on
internal control;

As the necessary control

does not exist in business
application, the question
of reliance on control
does not arise.
.

ERP Application
[SAP]
Auditor may need to
apply compliance
testing, to check
whether the related
control is working
properly or not.
Compliance testing can
be through CAATs, as
discussed in Module 2.

Impact on the above on auditors risk assessment

Control risk assessment.

c. determining and
programming the nature,
timing, and extent of the
audit procedures to be
performed;

Additional procedures to be
adopted by auditor.

This means auditor shall

need to decide on other
audit procedures to list
such as cash expenses
The result of above
process means the
related risk is higher of
cash payments in excess
of Rs.20, 000/- being
made.
Auditor shall need to
adopt procedure to arrive
at the list.
Option 1: Use facility
available in the
accounting application to
generate such list:
Alt>F12 in TALLY allows
23

Compliance test results

shall indicate the nature
of additional audit
procedure.
Positive result of above
procedures shall lead
IS Auditor to conclude
that the risk is lower of
cash payments in
excess of Rs.20, 000/being made.
Auditor can draw
conclusion that no such
payments have been
made.
In case compliance
testing results are
negative; the resulting
control risk shall be
assessed as high.

Module 6
user to define range of
item to display.
2. Option: Use report from
accounting application
and audit the same to
generate requisite details.

IS Auditor shall need to

adopt one of the two
options given in left
column.

Conclusion:
The above case outlines the method, steps and procedure IS auditor needs to undertake for risk
assessment of a business application. This helps understand the nature; timing of the additional
audit procedures to be taken by IS auditor based on results of risk assessments. This case is
referred again in chapter 3 part 1. 5 under heading CAAT: Embedded Audit Tools

Case for participants

Issue to audit: Prepare a risk assessment table to see: Whether the business application used
by organisation restricts negative cash balance.
Business relevance: Negative cash balance is indicator that the accounting is not timely, and not
as per general business transaction. The same has an implication in Income Tax Act, 1961. Any
negative cash balance may be treated as un-explained expenditure under section 69C of the act
and added to income of Assessee.
Participants are expected to draw the risk assessment chart, draw appropriate conclusions and
comment upon additional audit procedures to be adopted to identify negative cash balance in
books.

24

PART 2: BUSINESS APPLICATION SOFTWARE

AS PER ENTERPRISES BUSINESS MODEL
Learning Objectives
To understand the business application controls implemented in an organisation

Introduction
Business applications are the tool to achieve management goals and objectives. The nature of
business enterprise model is a guide to the business application software selects. Each
organisation selects the software as per its business goals and needs. The software selection is
an important decision for top management to take. Selection of correct application software is quite
often most essential as it contributes to success of business.

2.1 Business Application Software: Parameters of selection

Organisation has to put on a piece of paper the business requirements and business goals. Listing
of these shall be great help for an organisation to conclude which type and nature of business
application it shall use.
Key parameters of selection of business application software may be:
The business goal: Organisation may have varied business objectives, say for example many
organisation are customer driven, few may be driven by social causes, other may emphasise
capitalist mind-set.
The nature of business: One of the key determinants of the business application software type is
the nature of organisation business. Few business may generate daily cash like petrol pumps,
departmental store, few other organisation may generate require daily update of sales made like
milkman, newspaper agent, few other generate lot of credit sales.
a. The geographical spread: As globalisation has spreads, many Indian companies have
been able to reap the benefits by becoming Indian MNCs. Few Indian companies are
trying to foray in export market or increase their global footprint. The more the
geographical spread of an organisation, more robust business application software is
needed. Robustness here is intended to denote the capability of the business application
system to work 24/7 as this may become a critical business need, and it may also denote
whether the business application system has capability to handle multiple currency
accounting.

Module 6
b. The volume of transactions: As the transaction volume increases it is important for
organisation to go for business application software that can support business for the next
five years. This is again an important factor to consider, as improper selection can lead to
a situation where a customer wants organisation to grow but it cannot grow.
c. The regulatory structure at place of operation: As the number and nature of
compliances increase across the world, organisation shall prefer that software which is
capable to cater to the compliance requirements. A software company selling a product
that is SOX compliant is likely to find more buyers than others.

2.2 Types
Business applications can be classified based on processing type (batch, online, real-time) or
source (in-house, bought-in) or based on function covered. The most critical way for management
is based in function it performs. The discussion is restricted to business applications based on
function they perform.
a. Accounting Applications:
Applications like TALLY, TATA EX, UDYOG, used by business entities for purpose of
accounting for day to day transactions, generation of financial information like balance
sheet, profit and loss account, cash flow statements, are classified as accounting
applications.
b. Banking Application:
Today all public sector banks, private sector banks, and including regional rural banks
have shifted to core banking business applications (referred to as CBS). Reserve
Bank of India guidelines mandating all co-operative banks also to shift to core banking
applications by December 013, means 95% plus Indian banks use CBS. CBS used by
Indian banks include, FINACLE (by Infosys Technologies Ltd.), FLEXCUBE (By Oracle
Financial Services Software Limited, formerly called i-flex Solutions Limited), TCS
BaNCS (By TCS Limited), and many more CBS.
c. ERP Application:
These have been created a separate category of business application systems, due to
their importance for an organisation. These software called as enterprise resource
planning software are used by entities to manage resources optimally and to maximize
E^3 i.e. economy, efficiency and effectiveness of business operations.
d. Payroll Application:
Many companies across the world are outsourcing these activities to professionals. In
India also many CA firms are doing good job on payroll outsourcing. TALLY has a payroll
application built into it. ICAI, has made available for its members a payroll application.
e. Other Business Applications
i.
Office Management Software:
ii.
Compliance Applications:
iii.
Customer relationship management Software:
iv.
Management Support Software:
26

Chapter 1, Part 2: Business Application Software as per Enterprise Business Model

v.
vi.
vii.

Logistics Management Software:

Legal matter management
Industry Specific Applications:

The applications detailed above are those which constitute major audit areas for a CA.

2.3 Key features and controls for business applications

Each business application is selected and implemented for a specific business purpose. An IS
Auditor has to verify whether the business objective from implementing the business application is
achieved or even achievable.

27

PART 3: CASE STUDIES

Audit Objective: To review whether the application used by the organisation is appropriate for the
business purpose.
User: Bank in co-operative sector
Business Application Software: Core banking Solution.
Auditor has to obtain understanding of clients business.
Sl. No.

Description

Business Application under consideration

As per SA 200: Overall Objectives of the Independent Auditor and the conduct of
an audit in accordance with standards on Auditing Issued by ICAI, requires an
auditor to plan an audit.
Audit shall plan include the following steps: acquiring knowledge of the clients
accounting system, policies and internal control procedures.

Steps

Applicable laws

Sample list of guidelines

As client is a bank,
guideline as specified
by Reserve Bank of
India (referred to as
RBI) shall be
applicable. All
accounting system
needs to be in
compliance with the
guidelines of RBI.

Reserve Bank of India

Act, 1934
Banking Regulation Act ,
1949
Companies act, 1956.
Co-operative Act for state

Income Recognition and

Asset Classification (IRAC)
Asset Liability Management
Guidelines (ALM)
Investment Guidelines (IG)
CRR and SLR maintenance
Many more guidelines.

Audit Process
Step 1

a.

Understand the requirement of law

IRAC Norms

The guidelines state that once an account has been

marked as NPA, no further interest charging to be done.
Guidelines state that the classification shall be borrowerwise not facility wise, meaning that once an account of a

Module 6
borrower has been marked as NPA all facility extended to
the borrower are classified as NPA.
b.

ALM

c.

Investment Guidelines

d.

CRR and SLR

Step

Understanding the system

Area of
operation

Detailed guidelines issue require bank to create ALCO

(Asset Liability Committee) and classify each item of
balance sheet (both asset and liability), in terms of their
maturity.
Investments need to classified as Held To Maturity
(HTM), Held for Trade (HFT) and Available for Sale (AFS)
HTM investment can be up to limit specified by RBI.
Present limit being 5%.
As per RBI, banks need to keep specified percentage of
their time and demand liabilities in form of cash,
investments, bullion.

Requirement

Questions to get answers to?

Whether system has capability to tag an
advance as NPA?
Whether the system stops calculating interest
on account once tagged as NPA?
To check whether at the time of creation of a
new customer, duplicate check is done?
To check customer report from system
identifies all facility of the customer in the
bank?
To check whether system generates an
exception report for a customer with more
than one facility, when one of the facilities is
marked as NPA?
Whether the CBS used has ALM module?
Whether chart of accounts for balance sheet
as specified in master, have a field to specify
the maturity pattern of account?
Whether advance recovery schedule is
updated in system?
Whether the maturity report from system is as
per required format?
Whether the CBS used has Investment
module?
Whether master data has a field to classify
investment in specified category?

No further interest
on NPA account.

a.

b.

Income
Recognition
and Asset
Classificatio
n

NPA borrower wise

not facility wise.

Asset
Liability
Managemen
t

Classify each item

of balance sheet
(both asset and
liability), in terms of
their maturity.

Investment
Guidelines

Classification of
investment
30

Chapter 1, Part 3: Case studies

Whether the report generated is as per
required format?
Whether system allows update of RBI limits in
master data?
Whether system generates exception report
when the investments made are not as per
RBI guidelines?
Whether the CBS, has capability to generate
the requisite report for CRR and SLR
compliance?

Investment as per
RBI specified limits.
RBI, guidelines to
maintain CRR and
SLR investment.

d.

CRR and
SLR.

Step 3

Drawing conclusions for the audit objective in hand... on next page

Above is a sample checklist for a detailed audit of business application that an IS

Auditor may undertake. Above checklist is focused only on the business validity of
the application selected by the organisation. Whether the organisation has proper
transaction processing system and control is part of next chapter .

Step 3

Drawing conclusions for the audit objective in hand

Answers to the above checklist will help IS Auditor assess whether the
CBS selected is appropriate to meet the business requirements of the
organisation.
Where the IS auditor reaches a conclusion that many of the requirements
are not being met he/she may give any of the following recommendations.
First option: Modify the system to meet requirements of law.
Second option: Change the system.
In case the management response to option 1 is that system cannot be
modified than auditor reaches second option automatically.
Any modifications made are to be validated as per regression testing.

Case for participants

Audit Objective: To check whether the application used by the organisation is appropriate for the
business purpose.
Business Application: The one being used by your client for accounting purpose.
Area to check: Five key business requirements to be validated.
31

Module 6

Audit program for planning and performing audit of business application software
is given in Appendix 1: Checklist for application control review.

2.4 Questions
1. Initial adoption of Business Model adopted by an organisation is dependent upon:
A.
B.
C.
D.

Business Applications
Business Objective
Controls in business applications
Business Laws

2. Which of the following is to be reviewed first by an IS Auditor in audit of application software is

to understand:
A.
B.
C.
D.

Business Application
Business Controls
Business Model
Business Laws

3. Arrange the following in chronological order

A. Establishing the expected degree of reliance to be placed on internal control
B. Determining and programming the nature, timing, and extent of the audit procedures to be
performed
C. Coordinating the work to be performed
D. Acquiring knowledge of the clients accounting system, policies and internal control procedures
The correct serial order:
A.
B.
C.
D.

A, B, C, D
D, A, B, C
D, C, B, A
B, C, D, A

4. ISACA ITAF 1202, states IS auditor needs the following for an enterprise:
A.
B.
C.
D.

Inherent Risk and Audit Risk.

Detection Risk and Control Risk.
Subject matter risk and Audit risk.
None of above
32

Chapter 1, Part 3: Case studies

5. The best definition which fits COBIT 5 is that it is a:

A. Business framework for the governance and management of enterprise IT.
B. System Audit Tool
C. Management tool for corporate governance
D. IT management tool

2.5 Answers and Explanations

1. B. Business Objectives shall be the prime reason for adoption of business models. Other
answers may be valid reasons but are never the first reason for adoption of a specific business
model. A business model describes the rationale of how an organization creates, delivers, and
captures value (economic, social, cultural, or other forms of value). The process of business model
construction is part of business strategy.
2. C. Business Model, needs to be assessed first by IS Auditor. The, b and d, are assessment to
be made later on. As an IS Auditor it becomes important to understand the business model adopted
by an organisation for a better understanding of risk associated with business model adopted by
an organisation.
3. B As per SA 00 SA 200 on OVERALL OBJECTIVES OF THE INDEPENDENT AUDITOR AND
THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH STANDARDS ON AUDITING, the steps
to audit as mentioned at point b.
4. B ISACA ITAF 1202, states IS auditor needs to consider subject matter risk and audit risk.
Subject matter risk, relates to business risk, country risk, contract risks. Audit risk, is define as
auditor reaching incorrect conclusion after an audit. The components of audit risk being control
risk, inherent risk and detection risk.
5. A. COBIT 5 can be best described as Business framework for the governance and management
of enterprise IT by a. Other answers are part of COBIT framework but not full Framework.

33

CHAPTER 2: APPLICATION CONTROL

PART 1: APPLICATION CONTROLS REVIEW
Learning Objective
To understand the implemented business application controls by organisation

1.1 Introduction
Over the last several years, organizations around the world have spent billions of dollars upgrading
or installing new business application systems for reasons ranging from tactical goals, such as year
000 compliance, to strategic activities, such as using technology to establish company
differentiation in the marketplace. An application or application system is software that enables
users to perform tasks by employing a computers capabilities directly. These applications
represent the interface between the user and business functions. For example, a counter clerk at
a bank is required to perform various business activities as part of his job and assigned
responsibilities. From the point of view of users, it is the application that drives the business logic.
Application controls pertain to individual business processes or application systems, including data
edits, separation of business functions, balancing of processing totals, transaction logging, and
error reporting. From an organizational perspective, it is important that application controls:

Safeguard assets
Maintain data integrity
Achieve organisational goals effectively and efficiently

1.1.1 Application controls

As per COBITs management guide: Application controls are a subset of internal controls that
relate to an application system and the information managed by that application. Timely, accurate
and reliable information is critical to enable informed decision making. The timeliness, accuracy
and reliability of the information are dependent on the underlying application systems that are used
to generate process, store and report the information. Application controls are those controls that
achieve the business objectives of timely, accurate and reliable information. They consist of the
manual and automated activities that ensure that information conforms to certain criteriawhat
COBIT refers to as business requirements for information. Those criteria are effectiveness,
efficiency, confidentiality, integrity, availability, compliance and reliability.

1.1.2 Internal controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines
internal control as: Internal control is a process, affected by an organisations board of directors,

Module 6
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting
Compliance with applicable laws and regulations

COSO defines control activities as the policies and procedures that help ensure management
directives are carried out.

1.2 Objectives of application control and key business

information requirements
1.2.1 Objectives
COBIT states that application controls are intended to provide reasonable assurance that
managements objectives relative to a given application have been achieved. Managements
objectives are typically articulated through the definition of specific functional requirements for the
solution, the definition of business rules for information processing and the definition of supporting
manual procedures. Examples include:
i.
ii.
iii.
iv.
v.

Completeness: The application processes all transactions and the resulting information
is complete.
Accuracy: All transactions are processed accurately and as intended and the resulting
information is accurate.
Validity: Only valid transactions are processed and the resulting information is valid.
Authorisation: Only appropriately authorised transactions have been processed.
Segregation of duties: The application provides for and supports appropriate
segregation of duties and responsibilities as defined by management.

1.2.2 Information Criteria

Key business requirements for information also called as information criteria that these quality
parameters need to be present in information generated. These are:
1. Effectiveness: Deals with information being relevant and pertinent to the process as well
as being delivered in a timely, correct, consistent and usable manner
2. Efficiency: Concerns the provision of information through the optimal (most productive
and economical) use of resources
3. Confidentiality: Concerns the protection of sensitive information from unauthorised
disclosure
4. Integrity: Relates to the accuracy and completeness of information as well as to its
validity in accordance with business values and expectations
36

Chapter 2, Part 1: Cases on Application Controls

5. Availability: Relates to information being available when required by the process now
and in the future. It also concerns the safeguarding of necessary resources and
associated capabilities.
6. Compliance: Deals with complying with the laws, regulations and contractual
arrangements to which the process is subject, i.e., externally imposed business criteria
as well as internal policies
7. Reliability: Relates to the provision of appropriate information for management to operate
the organisation and exercise its fiduciary and governance responsibilities
The specific key quality requirements may vary for different organisations based on specific
business needs.

1.2.3 Application controls objectives

COBIT provides best practices for application controls which can be used as a benchmark for
implementing or evaluating application controls. The COBIT 4.1 control objectives and control
practices provides the best collection of controls which are generic and can be customised and
used as benchmark for implementation or used as assessment criteria for any application audit.
COBIT defines six control objectives for application controls:
1.

2.

Source Data Preparation and Authorisation: Ensure that source documents are
prepared by authorised and qualified personnel following established procedures,
taking into account adequate segregation of duties regarding the origination and
approval of these documents. Errors and omissions can be minimised through good
input form design. Detect errors and irregularities so they can be reported and
corrected.
Source Data Collection and Entry: Ensure that data input is performed in a timely
manner by authorised and qualified staff. Correction and resubmission of data that
were erroneously input should be performed without compromising original
transaction authorisation levels. Where appropriate for reconstruction, retain original
source documents for the appropriate amount of time.

1. Accuracy, Completeness and Authenticity Checks: Ensure that transactions are

accurate, complete and valid. Validate data that were input, and edit or send back for
correction as close to the point of origination as possible.
2. Processing Integrity and Validity: Maintain the integrity and validity of data throughout
the processing cycle. Detection of erroneous transactions does not disrupt the processing
of valid transactions.
3. Output Review, Reconciliation and Error Handling: Establish procedures and
associated responsibilities to ensure that output is handled in an authorised manner,
delivered to the appropriate recipient and protected during transmission; verification,
37

Module 6
detection and correction of the accuracy of output occur; and information provided in the
output is used.
4. Transaction Authentication and Integrity: Before passing transaction data between
internal applications and business/operational functions (within or outside the enterprise),
check the data for proper addressing, authenticity of origin and integrity of content.
Maintain authenticity and integrity during transmission or transport

1.2.4 Control practices

Illustrative control practices for the control objectives as per COBIT 4.1 are given below.
Under each of the control objectives, there are list of control practices which need to be
implemented to meet the control objectives. The control practices are to be customised
and implemented as per specific requirements of the organisation. Once the control
practices of specific control objective are implemented, then it can be said that the
application meets the required control objectives.

1. Source Data Preparation and Authorisation

i.

ii.

iii.
iv.

v.
vi.

Design source documents in a way that they increase accuracy with which data can
be recorded, control the workflow and facilitate subsequent reference checking.
Where appropriate, include completeness controls in the design of the source
documents.
Create and document procedures for preparing source data entry, and ensure that
they are effectively and properly communicated to appropriate and qualified
personnel. These procedures should establish and communicate required
authorisation levels (input, editing, authorising, accepting and rejecting source
documents). The procedures should also identify the acceptable source media for
each type of transaction.
Ensure that the function responsible for data entry maintains a list of authorised
personnel, including their signatures.
Ensure that all source documents include standard components, contain proper
documentation (e.g., timeliness, predetermined input codes, default values) and are
authorised by management.
Automatically assign a unique and sequential identifier (e.g., index, date and time) to
every transaction.
Return documents that are not properly authorised or are incomplete to the
submitting originators for correction, and log the fact that they have been returned.
Review logs periodically to verify that corrected documents are returned by
originators in a timely fashion, and to enable pattern analysis and root cause review.

38

Chapter 2, Part 1: Cases on Application Controls

2. Source data collection and entry

i.

ii.

iii.

iv.

v.

vi.

vii.

Define and communicate criteria for timeliness, completeness and accuracy of source
documents. Establish mechanisms to ensure that data input is performed in accordance
with the timeliness, accuracy and completeness criteria.
Use only pre-numbered source documents for critical transactions. If proper sequence is
a transaction requirement, identify and correct out-of-sequence source documents. If
completeness is an application requirement, identify and account for missing source
documents.
Define and communicate who can input, edit, authorise, accept and reject transactions,
and override errors. Implement access controls and record supporting evidence to
establish accountability in line with role and responsibility definitions.
Define procedures to correct errors, override errors and handle out-of-balance conditions,
as well as to follow up, correct, approve and resubmit source documents and transactions
in a timely manner. These procedures should consider things such as error message
descriptions, override mechanisms and escalation levels.
Generate error messages in a timely manner as close to the point of origin as possible.
The transactions should not be processed unless errors are corrected or appropriately
overridden or bypassed. Errors that cannot be corrected immediately should be logged in
an automated suspense log, and valid transaction processing should continue. Error logs
should be reviewed and acted upon within a specified and reasonable period of time.
Ensure that errors and out-of-balance reports are reviewed by appropriate personnel,
followed up and corrected within a reasonable period of time, and, where necessary,
incidents are raised for more senior-level attention. Automated monitoring tools should be
used to identify, monitor and manage errors.
Ensure that source documents are safe-stored (either by the business or by IT) for a
sufficient period of time in line with legal, regulatory or business requirements.

3. Accuracy, completeness and authenticity checks

i.

ii.

Ensure that transaction data are verified as close to the data entry point as possible and
interactively during online sessions. Ensure that transaction data, whether peoplegenerated, system-generated or interfaced inputs, are subject to a variety of controls to
check for accuracy, completeness and validity. Wherever possible, do not stop transaction
validation after the first error is found. Provide understandable error messages
immediately to enable efficient remediation.
Implement controls to ensure accuracy, completeness, validity and compliance to
regulatory requirements of data input. Controls may include sequence, limit, range,
validity, reasonableness, table look-ups, existence, key verification, check digit,
completeness (e.g., total monetary amount, total items, total documents, hash totals),
duplicate and logical relationship checks, and time edits. Validation criteria and
parameters should be subject to periodic reviews and confirmation.
39

Module 6
iii.
iv.

v.
vi.

Establish access control and role and responsibility mechanisms so that only authorised
persons input, modify and authorise data.
Define requirements for segregation of duties for entry, modification and authorisation of
transaction data as well as for validation rules. Implement automated controls and role
and responsibility requirements.
Report transactions failing validation and post them to a suspense file. Report all errors
in a timely fashion and do not delay processing of valid transactions.
Ensure that transactions failing edit and validation routines are subject to appropriate
follow-up until errors are remediated. Ensure that information on processing failures is
maintained to allow for root cause analysis and help adjust procedures and automated
controls.

4. Processing integrity and validity

i.
ii.

iii.

iv.
v.

vi.
vii.

viii.

Establish and implement mechanisms to authorise the initiation of transaction processing

and to enforce that only appropriate and authorised applications and tools are used.
Routinely verify that processing is completely and accurately performed with automated
controls, where appropriate. Controls may include checking for sequence and duplication
errors, transaction/record counts, referential integrity checks, control and hash totals,
range checks and buffer overflow.
Ensure that transactions failing validation routines are reported and posted to a suspense
file. Where a file contains valid and invalid transactions, ensure that the processing of
valid transactions is not delayed and all errors are reported in a timely fashion. Ensure
that information on processing failures is kept to allow for root cause analysis and help
adjust procedures and automated controls, to ensure early detection or prevent errors.
Ensure that transactions failing validation routines are subject to appropriate follow-up
until errors are remediated or the transaction is cancelled.
Ensure that the correct sequence of jobs has been documented and communicated to IT
operations. Job output should include sufficient information regarding subsequent jobs to
ensure that data are not inappropriately added, changed or lost during processing.
Verify the unique and sequential identifier to every transaction (e.g., index, date and time).
Maintain the audit trail of transactions processed. Include date and time of input and user
identification for each online or batch transaction. For sensitive data, the listing should
contain before and after images and should be checked by the business owner for
accuracy and authorisation of changes made.
Maintain the integrity of data during unexpected interruptions in data processing with
system and database utilities. Ensure that controls are in place to confirm data integrity
after processing failures or after use of system or database utilities to resolve operational
problems. Any changes made should be reported and approved by the business owner
before they are processed.
40

Chapter 2, Part 1: Cases on Application Controls

ix.

Ensure that adjustments, overrides and high-value transactions are reviewed promptly in
detail for appropriateness by a supervisor who does not perform data entry.
Reconcile file totals. For example, a parallel control file that records transaction counts or
monetary value as data should be processed and then compared to master file data once
transactions are posted. Identify report and act upon out-of-balance conditions.

x.

5. Output review, reconciliation and error handling

i.

When handling and retaining output from IT applications, follow defined procedures and
consider privacy and security requirements. Define, communicate and follow procedures
for the distribution of output.
At appropriate intervals, take a physical inventory of all sensitive output, such as
negotiable instruments, and compare it with inventory records. Create procedures with
audit trails to account for all exceptions and rejections of sensitive output documents.
Match control totals in the header and/or trailer records of the output to balance with the
control totals produced by the system at data entry to ensure completeness and accuracy
of processing. If out-of-balance control totals exist, report them to the appropriate level of
management.
Validate completeness and accuracy of processing before other operations are
performed. If electronic output is reused, ensure that validation has occurred prior to
subsequent uses.
Define and implement procedures to ensure that the business owners review the final
output for reasonableness, accuracy and completeness, and output is handled in line with
the applicable confidentiality classification. Report potential errors; log them in an
automated, centralised logging facility; and address errors in a timely manner.
If the application produces sensitive output, define who can receive it, label the output so
it is recognisable by people and machines, and implement distribution accordingly. Where
necessary, send it to special access-controlled output devices.

ii.

iii.

iv.

v.

vi.

6. Transaction authentication and integrity

i.

ii.

iii.

Where transactions are exchanged electronically, establish an agreed-upon

standard of communication and mechanisms necessary for mutual authentication,
including how transactions will be represented, the responsibilities of both parties
and how exception conditions will be handled.
Tag output from transaction processing applications in accordance with industry
standards to facilitate counterparty authentication, provide evidence of nonrepudiation and allow for content integrity verification upon receipt by the
downstream application.
Analyse input received from other transaction processing applications to determine
authenticity of origin and the maintenance of the integrity of content during
transmission.
41

Module 6

1
2

Control Objective

5
6

P=
Primary

Reliability

Compliance

Availability

Integrity

Source Data
Preparation and
Authorisation
Source Data
Collection and
Entry
Accuracy,
Completeness
and Authenticity
Checks
Processing
Integrity and
Validity
Output Review,
Reconciliation
and Error
Handling
Transaction
Authentication
and Integrity

Confidentialit
y

APPLICATION AND
CONTROL OBJECTIVES
AND INFORMATION
CRITERIA

Efficiency

Effectiveness

Information Criteria

S = Secondary

Table to the relationship between the information criteria and how achievement of those criteria
can be enabled by various application control objectives. Primary and secondary are the relative
importance of the information criteria.

42

PART 2: APPLICATION CONTROLS REVIEW

An IS auditor has to be aware of the controls that have been put in place in business applications.
He / She may have to review the same as a part of auditors risk assessment procedure. As per
SA 200 on Overall Objectives of the Independent Auditor and the conduct of an audit in
accordance with standards on Auditing, compliance procedures are tests designed to obtain
reasonable assurance that those internal controls on which audit reliance is to be placed are in
effect. As per ISACA ITAF 100 1 Assertions, IS Audit and assurance professional shall review
the assertions against the subject matter will be assessed to determine that such assertions are
capable of being audited and that the assertions are sufficient, valid and relevant.

2.1 Review of application control various business application

2.1.1 Need for application control review
The review is necessary for auditor to draw the following conclusion:
a. How much reliance he/she can put on entities business application system?
b. IS Auditor also is also to plan his/her other audit procedures.
c. In case application controls are found in-effective to achieve the stated business
objectives, than IS Auditor need to plan for alternate audit procedure?

2.1.2 How to perform application review?

AS per ISACA ITAF 1205 Evidences, IS Auditor has to select most appropriate procedure to
gather evidence depending on the subject matter being audited: The procedures used to obtain
evidence include:
1.
2.
3.
4.
5.
6.
7.
8.

Inquiry and confirmation

Re-performance
Recalculation
Computation
Analytical Procedures
Inspection
Observation
Other Generally Accepted Methods

Module 6

2.2 Review of business application controls through use of

audit procedures
AS per SA 500, Audit Evidences, auditor while designing tests of controls shall see whether the
controls so put in place are effective.
a. Inquiry and confirmation: IS Auditor may prepare a checklist to enquire and
confirm whether the said controls are in place. This process shall evaluate
existence of controls. A sample checklist for IS Auditor included at end of
chapter.
b. Re-performance: IS Auditor may process test data on application controls to
see how it responds. This process shall evaluate the effectiveness of

controls.

2.3 Application controls review for specialised system

Changes in technology are very fast. A separate section for these systems has been incorporated
to help IS Auditor put a focused approach to audit of these system.

2.3.1 Artificial Intelligence (AI)

A computer is an electromechanical machine that contains no live elements. However, it is
used for simulating human working which involves thinking and reasoning, solving simple and
complex problems, calculating, etc. Computer history shows that computers are good at making
calculations of repetitive nature speedily. In fact, in the beginning, computers were used
mainly for this purpose. The applications of AI can be classified into three major categories:
i.

ii.

iii.

Cognitive Science: This is an area based on research in disciplines such as biology,

neurology, psychology, mathematics and allied disciplines. It focuses on how human
brain works and how humans think and learn. Applications of AI in the cognitive
science are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents
and Fuzzy Logic
Robotics: This technology produces robot machines with computer intelligence and
human-like physical capabilities. This area includes applications that give robots visual
perception, capabilities to feel by touch, dexterity and locomotion.
Natural Languages.

Being able to 'converse' with computers in human languages is the goal of research in this area.
Interactive voice response and natural programming languages, closer to human conversation, are
some of the applications. Virtual reality is another important application that can be classified under
natural interfaces.
44

Chapter 2, Part 2: Application Controls Review

IS Auditor's Role
IS auditor has to be conversant with the controls relevant to these systems when used as the
integral part of the organizations business process or critical functions and the level of experience
or intelligence used as a basis for developing software. The errors produced by such systems
would be more critical as compared to the errors produced by the traditional system.

2.3.2 Data Warehouse

Data ware house is defined, as a Subject-oriented, integrated, time- variant, non-volatile, collection
of data in support of managements decision making process. It is a Central Repository of clean,
consistent, integrated & summarized information, extracted from multiple operational systems, for
on-line query processing.
Data warehousing system is used for getting valuable information for making management
decisions. Generally, data is processed by TPS (Transaction Processing System), also known as
operational systems. These systems are responsible for day-to-day functioning of business
transactions.
Customers depositing and withdrawing money, applying for loans, opening accounts in a bank are
examples of Transactions Processing System. The data associated with these transactions is
stored in database management system and presented to users or programs whenever required.
These systems process data either in a batch mode or in a real-time manner (e.g., when we book
a railway seat we are presented with a ticket immediately).

IS Auditor's Role
IS Auditor should consider the following while auditing data warehouse:
1.
2.
3.
4.
5.
6.

Credibility of the source data

Accuracy of the source data
Complexity of the source data structure
Accuracy of extraction and transformation process
Access control rules
Network capacity for speedy access

2.3.3 Decision Support System (DSS)

DSS are information systems that provide interactive information support to managers with
analytical models. DSS are designed to be ad hoc systems for specific decisions by individualmanagers. These systems answer queries that are not answered by the transactions processing
systems. Typical examples are:
45

Module 6
1.
2.
3.

Comparative sales figures between two consecutive months for different products
with percentage variation to total sales.
Revenue and Cost projections on the basis of a product mix.
Evaluation of different alternatives, leading to the selection of the best one.

IS Auditors role
As the system shall be used for decision making purpose of the management,
1.
2.
3.
4.
5.

Credibility of the source data

Accuracy of the source data
Accuracy of extraction and transformation process
Accuracy and correctness of the output generated
Access control rules

2.3.4 Electronic Fund Transfer (EFT)

The electronic mode of payment which has made a lot of impact to the way India does business.
All big, medium and small businesses, banks, users, governments, government departments,
logistics, customers, service receivers, service providers, exporters, importers , sellers, buyers,
use EFT for their business and personal transaction. LIFE without EFT seems impossible.
Immense growth of EFT has led to a new set of risk associated with such transactions. Reserve
Bank of India (RBI) has issued detailed guidelines for banks to follow for EFT transactions. RBI
has specified in its NEFT guidelines that, Banks need to create procedural guidelines, for the
purpose of:
i.

Verifying that a payment instruction, a communication authorising a payment

instruction or an NEFT Data File is authorised by the person from whom it purports
to be authorised; and
For detecting error in the transmission or the content of a payment instruction, a
communication or an NEFT SFMS message.

ii.

IS Auditors role
The major concern shall be:
1.
2.
3.
4.

Authorisation of payment.
Validation of receivers details, for correctness and completeness.
Verifying the payment made.
Getting acknowledgement from the receiver, or alternatively from bank about the payment
made.
5. Checking whether the obligation against which the payment was made has been fulfilled.

46

Chapter 2, Part 2: Application Controls Review

2.3.5 E-commerce
Other than buying and selling goods on the Internet, E Commerce (Electronic Commerce) involves
information sharing, payment, fulfilment and service and support.

Risks of E-commerce
1.
2.
3.
4.
5.

Confidentiality of message
Id of organisation of the sender
Integrity of the message
Non Acceptance of confidentiality by receiver
Non Repudiation by sender of having sent the message

IS Auditors role
IS Auditors responsibility shall be to see whether the transactions have:
1. Authorisation
2. Authentication
3. Confirmation

2.3.6 Point of Sale System (PoS)

As the name indicates, a PoS is intended to capture data at the time and place of transaction which
is being initiated by a business user. It is often attached to scanners to read bar codes and magnetic
cards for credit card payment and electronic sales. They provide significant cost and time saving
as compared to the manual methods. They also eliminate errors that are inherent in manual system
(when a user is subjected to make transcription error while entering data from a document into
system). POS may involve batch processing or online processing. These are generally observed
in the case of big shopping malls or departmental shops.

IS Auditors role
1. In case there is batch processing, the IS auditor should evaluate the batch controls
implemented by the organization.
2. Check if they are in operation,
3. Review exceptional transaction logs.
4. Whether the internal control system is sufficient to ensure the accuracy and completeness
of the transaction batch before updating?
5. The relevance of controls is more In the case of online updating system, the IS auditor
will have to evaluate the controls for accuracy and completeness of transactions.
6. RBI guidelines regarding Cash withdrawal at Point of Sale (POS) - Prepaid Payment
Instruments issued by banks: need to be validated in case such transactions are taking
place.
47

Module 6

2.3.7 Automatic Teller Machines (ATM)

An ATM (Automated Teller Machine) is a specialized form of the point of sale terminal. It
is designed for unattended use by a customer of a financial institution. The ATMs generally allow
cash deposits, cash withdrawals and a range of banking operations like requesting cheque books
or account statements. ATMs are generally used for use after the closing hours of the financial
institution and can be located either adjacent to the location of the financial institution or at a distant
place. The facility of ATM can be within a bank, across local banks and amongst the banks outside
a region. ATMs transfer information and money over communication lines. These systems provide
a high level of logical and physical security for both the customer and the ATM machine.

IS Auditor's Role
The following are the guidelines for internal controls of ATM system which the auditor shall have
to evaluate and report:
a. Only authorized individuals have been granted access to the system.
b. The exception reports show all attempts to exceed the limits and reports are reviewed
by the management.
c. The bank has ATM liability coverage for onsite and offsite machines
d. Controls on proper storage of unused ATM cards, Controls on their issue only against
valid application form from a customer, Control over custody of unissued ATM cards,
Return of old/ unclaimed ATM cards, Control over activation of PINs
e. Controls on unused PINs, Procedure for issue of PINs, Return of PINs of
returned ATM cards.
f. Controls to ensure that PINs do not appear in printed form with the customers account
number.
g. Access control over retrieval or display of PINs via terminals
h. Mail cards to customers in envelops with a return address that do not identify the Bank.
Mail cards and PINs separately with sufficient period of time (usually three days)
between mailings.
As on date, there are more than 1,50,000 ATM machines installations in India. Government of India
has already indicated that it wants to further enhance the usage of ATM in India, as this allows
bank to reach remote corners without being physically present. This creates a scope to the IS
Auditor for a separate ATM Audit. RBI has issued detailed set of instructions for bank to follow.
Based on those a separate ATM audit program and checklist is being attached. Please see
Appendix: Checklist for ATM audit to understand different areas of an ATM audit.

48

PART 3: CASES OF APPLICATION CONTROLS

3.1 Proper design of source document
Case of an educational/vocational institute collecting fees from
students
Issue: Improper designed source document led to improper accounting.
Impact: A senior faculty left the Institute as incentives / payoffs were not calculated properly by
accounts department.
Facts: The vocational institute was being run a PE Pvt. Ltd. (Referred to as PE). PE is engaged in
educating CA / CS / CWA students. PE has implemented its fees collection on TALLY. Students
while paying the fees were supposed to fill a pay-in slip and deposit the fees at the counter.
Faculty payoffs are based on fees collected for the subject.
Receipt No.
Cash
/
Cheque
Name
of
student

1111

Level: Tick
SUBJECT:

Date

CPT/ FOUNDATION/ IPCC/ FINAL/

EXECUTIVE / PROFESSIONAL

Cheque
Details
Name of
Bank
Ch.
Number

Cash
details

Date

100X
50X
20X
10X

1000X
500X

Total
Student signature

Receiver
Signature

Based on the slip filled above, the cashier used to enter data in TALLY.
Problem: It was found, that one of the subjects in CA and CS has same name Direct Tax Law
(DTL). Many students who paid fees for CA DTL got accounted in CS DTL. The result was that at
the end of period when all payoffs were cleared TALLY data was used and calculations done.

Module 6
The fees paid by many CA students were credited of CS students. This resulted in payment dispute
and CA Final faculty for PE left the institute in a grudge. The faculty was a respected person; this
affected reputation of the Institute.

Action taken: PE management was worried about the development and sought help from an IS
Auditor. IS Auditors mandate was to look for problem and provide a solution.

IS Auditors Report:
The IS auditor went through the whole fees collection process, the people involved and the present
problem. He/she gave a two-step solution to organisation.
First Step: Modify pay-in-slip, to include the stream (CA/CS/CWA) as another field.
Second Step: Appoint an Internal Auditor to check whether the payments of fees made by the
students have been properly accounted.
Suggested Pay-in-Slip
Receipt No.
Cash
/
Cheque
Name
of
student
Stream:
Tick
Level: Tick
SUBJECT:

1111
Date

CA / CS /
ICWA
CPT/ FOUNDATION/ IPCC/ FINAL/
EXECUTIVE / PROFESSIONAL

Cheque
Details
Name of
Bank
Ch.
Number

Cash
details

Date

100X
50X
20X
10X

1000X
500X

Total
Student signature

Receiver
Signature

Benefit to PE:
1. A big problem was set right with a simple solution i.e. proper design of source

document.

50

Chapter 2, Part 3: Cases of Application Controls

2. PE was relieved that such issues wont recur.
3. An Internal Auditor was also appointed to re-check the daily entries made.

3.2 Exception reporting

These are special reports generated by business application to highlight issues / items which are
not the correct domain. For example: Exception reporting in TALLY:

How to generate the report? The command on GATEWAY OF TALLY: DISPLAY AND
EXCEPTION REPORTS:
What items are displayed? The screen shot lists items that are reported as exception in TALLY.
These include
-

Negative Stock
Negative Ledger and more.

What is the meaning of negative ledger? The word negative ledger means that the ledger
account is not its correct domain. Correct domain means, for example the domain for CASH is
debit, but if is it credit, the system shall show it as negative ledger. The same is true for a
debtors ledger with credit balance or creditors ledger with debit balance.

51

Module 6

What is the benefit?

Users, which include management, auditors, IS Auditors can directly generate these reports and
check as to accuracy of accounting.

What is the loss if above items are not checked?

a. Section 69C of Income Tax Act, 1961: Unexplained expenditure, etc.:
Where in any financial year an Assessee has incurred any expenditure and he offers no
explanation about the source of such expenditure or part thereof, or the explanation, if any, offered
by him is not, in the opinion of the Assessing Officer, satisfactory, the amount covered by such
expenditure or part thereof, as the case may be, may be deemed to be the income of the Assessee
for such financial year. Above negative balance can be treated as Income.
b. It reflects poor accounting controls, and can lead to losses due to frauds.
Exercise: Kindly comment upon: Q.1 The type of error?
a. Input
52

Chapter 2, Part 3: Cases of Application Controls

b. Process
c. Output
d. None of Above
Q.2. What is a better solution possible to the above problem?
2. Exception reporting in bank:
Case for participants:
DISA participants are expected to comment on one of the items reported in banks daily exception
reports.

3.3 Case for Dependency check:

Case of validating two related field of employee database
Facts: A company is held guilty of employing underage employees. The authorities send a notice
to the company. The notice is based on data submitted by the company as a part of its annual
return under labour laws.
The notice states that as per details made available by the company 10 employees have been
found to be underage as the time difference between date of birth and date of employment is less
than 18 years. Company responds by saying that it is basically a data entry problem in system
from where the said return has been made. The company has to physically parade the 10
employees to the department to convince them that they are not underage.

Action Taken: After so much of embarrassment company decides to appoint an IS Auditor to find
the problem and solution.

53

Module 6

Report of IS Auditor:
After studying the system and the problem faced IS auditor suggested the following:
1. System needs to be updated / modified so that it does not allow underage employee
updates.
2. An internal system to validate each new addition to employee payroll.
Exercise:
Q.1 the best way to define the error is:
a.
b.
c.
d.

Input error
Process error
Output error
Design error

54

Chapter 2, Part 3: Cases of Application Controls

3.4 Reasonableness Check

Case of Purchase Order in excess of five times vendors annual sale
Facts: The Company is engaged in manufacturing tyres. While issuing purchase order (PO) to a
vendor, the clerk put 100 kgs as quantity instead of 1 kg. The result was that the PO to be made
for Rs.2/- lacs was actually made for Rs.200/- lacs i.e. 100 times more. The same PO was signed
by Purchase Manager and delivered to vendor by post. Looking at the PO vendor called back the
company and informed that the PO is more than 5 times annual turnover of vendor

himself.
Errors:
1. Lack of reasonableness check: The system must have been created to ensure that
such a PO must not be released. It could be having a check on say:
a. Maximum quantity that could be entered for purchase, or
b. Maximum value a PO could be made.
c. Maximum quantity PO that could be sent to a vendor, or
d. A better definition by management.
2. Purchase Managers poor work.
3. No cross check system built in.
Exercise:
Q.1 Reasonableness verification control is a control at which part of application process?
a.
b.
c.
d.

Input
Process
Output
None of above

3.5 Case to highlight necessity of duplicate check

Case of double payment made to vendors against one purchase invoice.
Facts: A company using local made accounting software. While entering transactions, the software
allowed users to create new ledgers by a command ALT+N. The system being used check
duplicate ledgers for 100% same name. Any alteration in name or change in case was not tracked.
While entering a purchase invoice the data entry operator created a new ledger without checking
the existence of previous ledger. Later on it was found that a double payment was made to the
vendor as the said purchase was against an advance payment and another payment was released
based on new entry.
55

Module 6

Errors:
1. Lack of user controls. Data entry operator can create ledger.
2. Lack of duplicate check.
3. Lack of internal controls, to see how duplicate entries are in system.
Exercise: Q.1 What is the best solution to the problem?

3.6 Obsolete stock reporting

In TALLY from gateway of tally through the following set of commands company can get report on
non-moving / obsolete stock.
Gateway of TALLY: Press Display> Press Inventory books> Press Ageing Analysis: This shall
show the following report:

How does the report help?

1. Helps assess the quality of inventory.

56

Chapter 2, Part 3: Cases of Application Controls

2. Basis for valuation of inventory, as non-moving / obsolete stock may be valued at net
realizable value.

3.7 Report on Sales below cost price

From GATEWAY OF TALLY following command shall provide the above mentioned report:
a. Gateway of TALLY: Display>Inventory Books>Stock Item: Then select the item from list
and press F7, which shows the profit/ loss on items sold. Above details can also be seen
through
b. Gateway of TALLY: Display>Account Books>Sales Register: Then select the month for
which sales need to be displayed and press F7, which shows the profit/ loss on items
sold.
Benefits of the report:
1. Management tool for performance analysis.
2. Any fraud done can be checked through the same.

3.8 Report on TDS deducted but not remitted in time

Gateway of TALLY: Display>StatutOry Report>TDS Report>Outstandings>TDS
Payables: The following report is displayed:

57

Module 6

Benefits of the report:

1. Management tool for performance analysis.
2. Timely compliance can be ensured.

3.9 Questions
1. Application controls shall include all except
A.
B.
C.
D.

Application controls are a subset of internal controls.

The purpose is to collect timely, accurate and reliable information.
It is part of the IS Auditors responsibility to implement the same.
It is part of business application software.

2. As per Income Tax Act, 1961 and banking norms, all fixed deposit holders of bank need to submit
their PAN or form 60/61(a form as per Income Tax Act/Rules). Bank in its account opening form,
has not updated the need for form 60/61 in case PAN is not there. This defines which control lapse
as per COBIT.
A. Source Data Preparation and Authorisation:
B. Source Data Collection and Entry
58

Chapter 2, Part 3: Cases of Application Controls

C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

3. In a public sector bank while updating master data for advances given, the bank employee does
not update INSURANCE DATA. This includes details of Insurance Policy, Amount Insured, Expiry
Date of Insurance and other related information. This defines which control lapse as per COBIT.
A.
B.
C.
D.

Source Data Preparation and Authorisation:

Source Data Collection and Entry
Accuracy, Completeness and Authenticity Checks
Processing Integrity and Validity

4. Emailed purchase order for 500 units was received as 5000 units.
This defines which control lapse as per COBIT.
A.
B.
C.
D.

Source Data Collection and Entry

Accuracy, Completeness and Authenticity Checks
Output Review, Reconciliation and Error Handling
Transaction Authentication and Integrity

5. An IS Auditor, processes a dummy transaction to check whether the system is allowing cash
payments in excess of Rs.20,000/-. This check by auditor represents which of the following
evidence collection technique?
A.
B.
C.
D.

Inquiry and confirmation

Re-calculation
Inspection
Re-performance

6. While auditing e-commerce transactions, auditors key concern includes all except:
A.
B.
C.
D.

Authorisation
Authentication
Author
Confirmation

7. RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 013. This was
result of few ATM frauds detected. This action by RBI can be best classified as:
59

Module 6
A.
B.
C.
D.

Creation
Rectification
Repair
None of above

8. Non repudiation relates to all terms except one:

A.
B.
C.
D.

Right to deny withdrawn.

Digital Signatures.
E-commerce
None of above

9. Companys billing system does not allow billing to those dealers who have not paid advance
amount against proforma invoice. This check is best called as:
A.
B.
C.
D.

Limit Check
Dependency Check
Range Check
Duplicate Check

10. While posting message on FACEBOOK, if user posts the same message again, FACEBOOK
gives a warning. The warning indicates which control.
A.
B.
C.
D.

Limit Check
Dependency Check
Range Check
Duplicate Check

3.10 Answers and Explanations

1. C. Represents what auditors verifies but not that what he/she implements. Rest is part of
definition and purpose of application controls.
2. A. is the correct answer as the source data capture is not proper. Ensure that source
documents are prepared by authorised and qualified personnel following established procedures,
taking into account adequate segregation of duties regarding the origination and approval of
these documents. Errors and omissions can be minimised through good input form design.
3. C. This ensures that transactions are accurate, complete and valid. Validate data that were
input, and edit or send back for correction as close to the point of origination as possible.
60

Chapter 2, Part 3: Cases of Application Controls

4. D. is the correct answer. As per COBIT, where transactions are exchanged electronically,
establish an agreed-upon standard of communication and mechanisms necessary for mutual
authentication, including how transactions will be represented, the responsibilities of both parties
and how exception conditions will be handled.
5. D. IS Auditor may process test data on application controls to see how it responds.
6. C. Is correct. Others are key concerns of an IS auditor while auditing e-commerce
transactions.
7. B. is the right answer. A, is not an answer as action by RBI is based on fraud detection. Repair
is done to rectify an error which has occurred in a working system.
8. D. is the correct answer. The other options are related to non-repudiation. A, is definition of
word. B, digital signatures create non-repudiation. E-commerce transactions need it (nonrepudiation) for execution of contract.
9. B. Dependency check is one where value of one field is related to that of another.
10. D. is the answer as this is a duplicate check.

61

CHAPTER 3: AUDITING APPLICATION

CONTROL
PART 1: AUDIT PROGRAM FOR REVIEW OF
APPLICATION SOFTWARE
Learning Objectives
To provide assurance on business application software and the controls put in place, through
business application audit.

1.1 Introduction
The role of information System audit has become a critical mechanism for ensuring the integrity of
information and the reporting of organization finances to avoid and hopefully prevent future
financial fiascos such as Satyam in recent years. Electronic infrastructure and commerce are
integrated in business process around the globe. There is a need to control and audit using IS to
avoid such kind of scam in near future. Today the business processes are tightly integrated to
systems. In few organisations the level of integration is that when systems are off business if off.
In such a scenario it is important to ensure that systems are working properly and nothing is there
to affect the working of system. The way businesses are integrated to system, any audit shall be
preceded by system audit, as proper working of system is necessary to proper working of
business. It shall be great risk being taken by a pure financial auditor to submit his/her report
without going through the system audit report of the organisation for which financial audit is being
done.

1.2 Why IS Audit?

Case to highlight NPA provisioning in system may be wrong
Issue: NPA provisioning as per RBI guidelines.
Objective: To learn that system audit as an exercise needs to precede financial audit.
Location: Public Sector Bank using a CBS.
Reference: RBI guidelines for Income Recognition and Asset Classification.
[RBI/2013-14/62:DBOD.NO.BP.BC.1/21.01.048/2013-14/1. 013]

Module 6
Specific Point: Provision to be made for sub-standard assets, where the advance as per nature
is unsecured. The guidelines state that a provision of @25% has to be made of total out-standing.
This is an exception to general rule of provision @15%. The exception is created as the advance
is basically unsecured in nature. For example: Credit Card o/s turning sub-standard. This
advance is unsecured in nature.
Point to remember: The provision is on total o/s, not on the amount of outstanding. As the advance
is an unsecured advance.
Auditor observation:
Auditor observed that for credit card outstanding of Rs.1, 00,000/- the branch had made a
provision @15% of out-standing amount, as reflected from system generated Non-PerformingAsset statement. The issue was brought to notice of branch manager. The interaction between the
bank employees and the action taken by auditor is shown in the matrix below.
Sl. No.

Query Made to and nature

of query.

Branch Manager (BM): The

provision is not as per RBI
guideline.

Regional Manager (RM):

The provision is not as per
RBI guideline.

Assistant General Manager

(IT) of the bank: AGM (IT):
The provision is not as per
RBI guideline.

Response from person at

bank
BM: The bank supplied
data to regional office. The
calculations have been
made the regional office.
No fault of branch.
RM: The regional office
only fed data in the
software supplied by HO.
No fault of regional office.
AGM (IT): Accepts the
problem in software.

Auditor Action

Take to next level

Take to next level.

Qualify the main

report.

Learning from the above:

1. For Bank: Above means that if the banks unsecured sub-standard advances are to the tune of
Rs.10/- crore, bank shall be making short provision of Rs.1/- crore against its NPAs.
2. For Auditor:
a. Branch auditor had to qualify the main audit report.
64

Chapter 3, Part 1: Audit program for review of application software

b. Branch auditor would be within his/her rights to ask bank to supply the system audit report
of the software being used by the bank for calculating the NPA status and provisions thereon.
3. For us: Case helps us understand that IS Audit is necessary in todays business environment
as business processes have been integrated into system and lot of decision is being taken through
these integrated system.
IS auditing is an integral part of the audit function because it supports the auditors judgment on
the quality of the information processed by computer systems. Initially, auditor with IT audit skills
are viewed as the technological resource for the audit staff. The IS auditors role has evolved to
provide assurance that adequate and appropriate controls are in place. The audits primary role,
except in areas of management advisory services, is to provide a statement of assurance as to
whether adequate and reliable internal controls are in place and are operating in an efficient and
effective manner. Therefore, whereas the management is to ensure, auditors are to assure.

1.3 What is IS Audit?

An information technology audit, or information systems audit, is an examination of the controls
within an Information technology (IT) infrastructure. An IS audit is the process of collecting and
evaluating the evidence of an organization's information systems, practices, and operations. The
evaluation of obtained evidence determines if the information systems are safeguarding assets,
maintaining data integrity, and operating effectively and efficiently to achieve the organization's
goals or objectives. These reviews may be performed in conjunction with a financial statement
audit, internal audit, or other form of attestation engagement.
The IT audit's agenda may be summarized by the following questions:
1. Will the organization's computer systems be available for the business at all times when
required? (Availability)
2. Will the information in the systems be disclosed only to authorized users?
(Confidentiality)
3. Will the information provided by the system always be accurate, reliable, and Timely?
(Integrity)
The IS audit focuses on determining the risks that are relevant to information assets, and in
assessing controls in order to reduce or mitigate these risks. By implementing controls, the effect
of risks can be minimized, but cannot completely eliminate all risks.

65

Module 6
As per ISACA ITAF 1007 Assertions, IS Audit and Assurance professional shall review the
assertions against which the subject matter will be assessed to determine that such assertions are
capable of being audited and that the assertions are sufficient, valid and relevant.
Information Systems Audit is often misunderstood as a mere technical audit and a domain of
Information Technology professionals. On the contrary, Information Systems Audit involves
evaluating the adequacy and efficiency of internal controls in business processes that are either
partly or fully computerized. Hence, Audit and control professionals who have expertise in
understanding of business processes and internal controls with exposure to information technology
risks and controls are considered the most appropriate professionals to conduct information
systems audits. Therefore, depending on the audit environment, objectives and scope, the audit
could involve the audit of entire business processes, partially or fully automated, or audit of
specified application, technology and related controls.

1.4 How to perform IS Audit?

The fundamental principles of audit do not change with change in the audit subject, however, the
perspective of audit and the methods, tools and techniques to achieve the audit objectives do
undergo a change. As in a financial audit, audit focus is on the risk arising from inadequate or
inefficient controls on recording of transactions which could result in misstatement of financial
statements. In an Information Systems Audit the focus is on the risks arising from the use of
information technology in carrying out business processes.
ISACA ITAF 1008 Criteria, specifies that IS Audit assurance criteria should consider the source
for which the IS Audit is being done and the potential audience. For example, when dealing with
government regulations criteria based on assertions developed from legislation and regulations
shall apply to the subject matter may be most appropriate. Sources of criteria may be:
1. Established by ISACA: These are publicly available criteria.
2. Those established by other expert bodies: Like those created by SYSTRUST certification
body.
3. Established by laws and regulations: For example the one discussed in case above
relating to RBI guidelines.
4. Developed specifically for IS Audit or Assurance engagement .
Above shall help decide on the key objective for an IS Audit.
Audit Objective: The entire audit program and methodology depends upon the audit objective and
scope. The objective of the IS audit is to evaluate an auditee's computerized information
system(CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable
66

Chapter 3, Part 1: Audit program for review of application software

information outputs as well as ensuring confidentiality, integrity, availability and reliability of the
data.

1.5 Audit mission

Establishing an IS audit function may be critical in organisations that are specifically dependent on
Information Technology. The IS audit function could be established either within the organisation
as an internal department or the function could be fully or partly outsourced to an external agency.
In either case there are certain fundamental principles that should be taken into consideration. The
mission statement defines the primary purpose of the audit function and provides an overview of
the focus, priorities, values and principles that will measure audit decisions. It also outlines the
value addition that will be provided and clarifies the purpose and meaning for the audit function. IS
audit function reviews the reliability and integrity of information, compliance with the policies and
regulations, and the processes for safeguarding of assets, as well as to make suggestions for
improvements in operating efficiencies and internal controls? It helps an organization accomplish
its objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. The audit mission
statement may vary between various organisations and audit functions.

1.6 Performing an IS Audit

The detailed concepts and practice of IS Audit are covered in detail in Module 3: IS Assurance
services. However, some of the key concepts and practice are summarised here in the context of
application audit. The standards of IS Audit provided by ISACA in ITAF 1200 on performance
standards outlines the following steps for performing an IS audit as under:
i.

ii.

iii.

Engagement Planning: This includes conclusions on objective(s), scope, timeline and

deliverables, compliance with applicable laws and professional auditing standards, use of
a risk-based approach, where appropriate, engagement-specific issues, documentation
and reporting requirements.
Risk Assessment in Planning: The IS audit and assurance function shall use an
appropriate risk assessment approach and supporting methodology to develop the overall
IS audit plan and determine priorities for the effective allocation of IS audit resources. IS
audit and assurance professionals shall identify and assess risk relevant to the area under
review, when planning individual engagements. IS audit and assurance professionals
shall consider subject matter risk, audit risk and related exposure to the enterprise.
Performance and Supervision: IS audit and assurance professionals shall conduct the
work in accordance with the approved IS audit plan to cover identified risk and within the
agreed-on schedule. IS audit and assurance professionals shall provide supervision to IS
67

Module 6

iv.

v.

vi.

vii.

audit staff for whom they have supervisory responsibility, to accomplish audit objectives
and meet applicable professional audit standards. IS audit and assurance professionals
shall accept only tasks that are within their knowledge and skills or for which they have a
reasonable expectation of either acquiring the skills during the engagement or achieving
the task under supervision. IS audit and assurance professionals shall obtain sufficient
and appropriate evidence to achieve the audit objectives. The audit findings and
conclusions shall be supported by appropriate analysis and interpretation of this evidence.
IS audit and assurance professionals shall document the audit process, describing the
audit work and the audit evidence that supports findings and conclusions. IS audit and
assurance professionals shall identify and conclude on findings.
Materiality: IS audit and assurance professionals shall consider potential weaknesses or
absences of controls while planning an engagement, and whether such weaknesses or
absences of controls could result in a significant deficiency or a material weakness.
IS audit and assurance professionals shall consider materiality and its
relationship to audit risk while determining the nature, timing and extent of audit
procedures. IS audit and assurance professionals shall consider the cumulative effect of
minor control deficiencies or weaknesses and whether the absence of controls translates
into a significant deficiency or a material weakness.
Evidence: IS audit and assurance professionals shall obtain sufficient and appropriate
evidence to draw reasonable conclusions on which to base the engagement results. IS
audit and assurance professionals shall evaluate the sufficiency of evidence obtained to
support conclusions and achieve engagement objectives.
Using the Work of Other Experts: IS audit and assurance professionals shall consider
using the work of other experts for the engagement, where appropriate. IS audit and
assurance professionals shall assess and approve the adequacy of the other experts
professional qualifications, competencies, relevant experience, resources, independence
and quality-control processes prior to the engagement. IS audit and assurance
professionals shall assess, review and evaluate the work of other experts as part of the
engagement, and document the conclusion on the extent of use and reliance on their
work.
Irregularity and Illegal Acts: IS audit and assurance professionals shall consider the risk
of irregularities and illegal acts during the engagement. IS audit and assurance
professionals shall maintain an attitude of professional scepticism during the
engagement. IS audit and assurance professionals shall document and communicate any
material irregularities or illegal act to the appropriate party in a timely manner.

1.7 Steps of IS Audit

Gather Information and Plan
68

Chapter 3, Part 1: Audit program for review of application software

Knowledge of
business and industry
Prior years audit results
Recent financial information

Regulatory statutes
Inherent risk assessments

Obtain Understanding of Internal Control

Control environment
Control procedures
Detection risk assessment

Control risk assessment

Equate total risk

Perform Compliance Tests

Identify key controls to be tested.

Analytical procedures

Other
substantive audit
Detailed tests of account
procedures
balances
Conclude the Audit

Create recommendations.

Perform tests on
reliability, risk prevention and
adherence to organization
policies and procedures.
Perform Substantive Tests

Write audit report.

1.8 Audit program for key business application

Detailed checklist for auditing business application software is given in appendix 3.

1.9 Computer Assisted Audit Techniques

CAAT is a significant tool for auditors to gather evidences independently. It provides a mean to
gain access and to analyse data for a predetermined audit objective, and report the audit findings
with evidences. It helps the auditor to obtain evidence directly on the quality of records produced
and maintained in the system. The quality of the evidence collected gives reassurance on the
quality of the system processing such transactional evidences.

1.9.1 Needs for CAAT

During the course of the audit an IS auditor should obtain sufficient, relevant and useful evidence
to effectively achieve the audit objectives. The audit findings and conclusions have to be supported
by appropriate analysis and interpretation of this evidence. Computerised information processing
environments pose a challenge to the IS auditor to collect sufficient, relevant and useful evidence,
since the evidence exists on magnetic media and can be examined only by using CAATs. With
69

Module 6
systems having different hardware and software environments, different data structure, record
formats, processing functions, etc., it is almost impossible for the auditors to collect evidence and
analyse the records without a software tool. Owing to resource constraints and the ever changing
audit objectives, it is almost impossible to quickly develop audit capabilities, without using audit
software like CAATs.
The ICAI Guidance note on CAAT describes CAATs as important tools for the auditor in performing
audits. CAATs may be used in performing various auditing procedures including the following:
a. Tests of details of transactions and balances, for example, the use of audit software for
recalculated interest or the extraction of invoices over a certain value from the computer
records.
b. Analytical procedures, for example, identifying inconsistencies or significant
fluctuations.
c. Tests of general controls, for example testing the setup or configurations of the
operating system or access procedures to the program libraries or by using code
comparison software to check that the version of the program in use is the version
approved by management.
d. Sampling programs to extract data for audit testing
e. Tests of application controls, for example, testing the functionality of a
programmed control
f. Re-performing calculations performed by the organisations accounting system.

1.9.2 Types of CAAT

While selecting the CAAT, IS Auditor is faced with certain critical decisions that he / she may be
required to make, while balancing on the quality and cost of audit:
a.
b.
c.

Use the audit software developed by the client.

Design and develop his /her own audit software.
Use a standard off the shelf Generalised Audit Software

The first two options require the auditor to be technically competent in programming and its
methodology, which may not be his area of expertise. Computer audit software also known as
Generalised Audit Programs (GAS) is readily available off-the-shelf software with specific features
useful for data interrogation and analysis. The auditor do not require much expertise knowledge
to be able to use for auditing purpose
The various types of CAATs can be categorized as follows:
1. Generalised Audit Software
2. Specialised Audit Software
70

Chapter 3, Part 1: Audit program for review of application software

3. Utility Software
A brief description of the types of software is given below:

1. Generalised Audit Software (GAS)

Computer audit software may be defined as: The processing of a clients live files by the auditors
computer programs. Computer audit software may be used either in compliance or substantive
tests. Generalised Audit software refers to generalized computer programs designed to perform
data processing functions such as reading data, selecting and analyzing information, performing
calculations, creating data files and reporting in a format specified by the auditor. The use of
Generalised Audit Software is perhaps the most widely known computer assisted audit technique.
GAS has standard packages developed by software companies exclusively for auditing data stored
on computers. These are economical and extensively used by auditors the world over. Available
off the shelf, GAS can be used for a wide range of hardware, operating systems, operating
environments and database.
Typical operations using GAS include:
a.
b.
c.
d.
e.

Sampling Items are selected following a value based or random sampling

plan.
Extraction Items that meet the selection criteria are reported individually.
Totalling the total value and number of items meeting selection criteria are
reported.
Ageing Data is aged by reference to a base date
Calculation Input data is manipulated prior to applying selection criteria

2. Specialised Audit Software (SAS)

Specialised Audit software, unlike GAS, is written for special audit purposes or targeting
specialized IT environments. The objective of these software to achieve special audit procedures
which may be specific to the type of business, transaction or IT environment e.g. testing for NPAs,
testing for UNIX controls, testing for overnight deals in a Forex Application software etc. Such
software may be either developed by the auditee or embedded as part of the clients mission critical
application software. Such software may also be developed by the auditor independently. Before
using the organisations specialized audit software, the auditor should take care to get an
assurance on the integrity and security of the software developed by the client...

3. Utility Software
Utility software or utilities though not developed or sold specifically for audit are often extremely
useful and handy for conducting audits. These utilities usually come as part of office automation
71

Module 6
software, operating systems, and database management systems or may even come separately.
Utilities are useful in performing specific system command sequences and are also useful in
performing common data analysis functions such as searching, sorting, appending, joining,
analysis etc. Utilities are extensively used in design, development, testing and auditing of
application software, operating systems parameters, security software parameters, security
testing, debugging etc.
a.
b.

File comparison: A current version of a file for example, is compared with the
previous years version, or an input file is compared with a processed file.
Production of circularisation letters.

1.9.3 Typical Steps in using GAS

i.
ii.
iii.
iv.
v.
vi.
vii.
viii.
ix.
x.

Define the audit objectives

Identify the tests that the package can undertake to meet the objectives.
Make out the package input forms for the tests identified.
Compile the package on the computer, clearing reported edit errors.
If a programmer has been adding coded routines to the package to fill out the input forms
or to advice, the programmers work must be tested.
Obtain copies of the application filed to be tested.
Attend the execution of the package against these copy files.
Maintain security of the copy files and output until the tests have been fully checked out.
Check the test results and draw audit conclusions.
Interface the test results with whatever subsequent manual audit work to be done.

Refer case at the end of chapter on the above steps:

1.9.4 Selecting, implementing and using CAATs

Computer Assisted Audit Techniques (CAATs) are a significant tool for auditors to gather evidence
independently. CAATs provide a means to gain access and analyse data for a predetermined audit
objective and to report audit findings with evidence. They help the auditor to obtain evidence
directly on the quality of the records produced and maintained in the system. The quality of the
evidence collected confirms the quality of the system processing. The following are some examples
of CAATs, which can be used to collect evidence:

ACL, IDEA etc.

Utility Software such as Find, Search, flowcharting utilities
Spreadsheets such as Excel
SQL Commands, OS commands
Third party access control software
Application systems
72

Chapter 3, Part 1: Audit program for review of application software

Options and reports built in as part of the application/systems software

Performance monitoring tools
Network management tools, OS utilities
High end CAATs
RSAREF, DES, PGP
TCP Wrapper, SOCKS, TIS Toolkit
COPS, Tripwire, Tiger
ISS, SATAN, etc.

1. 10 Continuous Auditing Approach

Continuous auditing is a process through which an auditor evaluates the particular system(s) and
thereby generates audit reports on real time basis. Continuous auditing approach may be required
to be used in various environments. Such environments usually involve systems that are 4*7
mission critical systems. In the traditional method, the scope for market influence on the information
contained in the audit report is less due to

The time gap between the audit and reporting

The deficiencies identified in the control systems can be rectified even by the
management during the time gap.

1.10.1 Techniques for Continuous Auditing

1. Snapshot
Most applications follow a standard procedure whereby, after taking in the user input they process
it to generate the corresponding output. Snapshots are digital pictures of procedures of the console
that are saved and stored in the memory. Procedures of the console refer to the application
procedures that take input from the console i.e. from the keyboard or the mouse. These procedures
serve as references for subsequent output generations in the future. Typically, snapshots are
implemented for tracing application software and mapping it. The user provides inputs through the
console for processing the data. Snapshots are means through which each step of data processing
(after the user gives the input through) is stored and recalled.
Let us consider, for example, a banking transaction. Numerous transactions are effected and
processed by various application systems in a banking environment. While all applications are
tested before being deployed, in an integrated computing environment, a cash withdrawal at the
ATM may be processed by more than one software working in an integrated manner. In the event
of some errors in transactions being detected or suspected, snapshot software installed as part of
the production environment would continuously take pictures of transactions passing a particular
control point e.g. instruction set executed in the memory of the ATM machine for processing
73

Module 6
withdrawal. Hence the error in code/ instruction can be pinpointed and identified by the snapshot
software.
Snapshots are employed in the following:

They are used for analysing and tracking down the flow of data in an application
program, so as to know the underlying logic of the data processing software.
For documenting the logic, input/output controls (or conditions) of the application
program and the sequence of processing.

Snapshots are generally deployed for tracking down the reasons for any disruption in the
functioning of application or system software like operating system or database system.
Case at the end of this part: SNAPSHOT for payroll process.

2. Integrated Test Facility (ITF)

Integrated Test Facility (ITF) is a system in which a test pack is pushed through the production
system affecting dummy entities. Hence this requires dummy entities to be created in the
production software. For example, the auditor would introduce test transactions that affect targeting
dummy customer accounts and dummy items created earlier for this testing purpose. The approach
could also involve setting a separate dummy organisation using the application software in the live
environment. ITF is useful in identifying errors and problems that occur in the live environment and
that cannot be traced in the test environment. However the disadvantage in using ITF is that the
dummy transactions also append to the live database and hence will impact the results and reports
drawn from the live database. It will therefore, be necessary to delete the test transaction from the
system once the test is performed. As with all test packs, the output produced is compared with
predicted results. This helps to determine whether the programmed procedures being tested are
operating correctly.
Case at the end of this part: Stores and Purchase program testing through ITF.

3. System Activity File Interrogation

Most computer operating systems provide the capability of producing a log of every event occurring
in the system, both user and computer initiated. This information is usually written to a file and can
be printed out periodically. As part of audit testing of general controls, it may be useful for the
auditor to review the computer logs generated at various points to build an audit trail. Wherever
possible, unauthorised or anomalous activity would need to be identified for further investigation.
Where a suitable system activity file is retained on magnetic media, one can select and report
exceptional items of possible audit interest such as unauthorised access attempts, unsuccessful
login attempts, changes to master records and the like. Similar implementation is also possible by
74

Chapter 3, Part 1: Audit program for review of application software

embedding special audit software in application software that maintains continuous transaction
logs at various points in the application software. This technique is also referred to as the Systems
Control Audit Review File. The files can be further analysed to determine deviations and improper
transactions.

4. Embedded Audit Facilities

Embedded audit facilities consist of program audit procedures, which are inserted into the clients
application programs and executed simultaneously. The technique helps review transactions as
they are processed and select items according to audit criteria specified in the resident code, and
automatically write details of these items to an output file for subsequent audit examination.
This technique generally uses one or more specially designed modules embedded in the computer
application system to select and record data for subsequent analysis and evaluation. The data
collection modules are inserted in the application system or program at points predetermined by
the auditor. The auditor also determines the criteria for selection and recording. Automated or
manual methods may be used to analyse the data later. This is intended to highlight unusual
transactions, which can be later taken up for scrutiny. Please refer to the case of listing cash
payments in excess of Rs.20,000/- through use of range function in TALLY discussed in detail in
chapter 1.

5. Continuous and Intermittent Simulation

With significant advancements in technologies, business systems are increasingly driven by clientserver systems with distributed computing and databases. The components of such systems are
networked generally over geographically disparate locations. This has resulted in the need for
auditing systems that not only enable continuous auditing of transactions but also have a low
overhead on the IT resources of the auditee but without compromising on the independence of
such systems. This has resulted in the use of continuous auditing techniques that the client-server
environment to enable independent simulation of suspect transactions independently by the
simulation audit software under the control of the auditor but using the online data of the auditee
waiting to be written to the database. Please note this case is part of PT. Please refer to

reference material which includes the publication: Data analysis for an auditor
which has detailed case studies on using CAATs. Please also refer to Module-2
which has explanation on CAATs.

1.11 Case on using MS Excel to find Duplicate / Missing

Sales Invoice
Objective: The case is to help understand the steps of using CAATs.
75

Module 6
Facts: Company using TALLY has selected manual invoice numbering as an option in TALLY. The
option is available when user creates / configures Vouchers.
Problem: Management action of selecting manual invoice numbers, for data entry purpose raises
the following risks:
-

Duplicate
Missing invoice number.

IS Auditors concern: To identify a mechanism to track the missing / duplicate invoice number.
Using Audit tools to achieve the above audit objectives:
a. Through use of Excel: Discussed here
b. Through use of IDEA, the generalized audit tool: Part of online demo in PT.

1.11.1 Steps to be performed in above case through use of excel

i.
ii.
iii.

iv.
v.
vi.
vii.

Define the audit objectives: To identify duplicate / missing invoice number.

Identify the tests that the package can undertake to meet the objectives. The objective is to
identify duplication / missing invoice number through use of excel.
Make out the package input forms for the tests identified. No separate input form required.
TALLY exports data directly in excel. This is a good control as it reduces the risk of discrepancy
occurring during the system hand over process.
Compile the package on the computer, clearing reported edit errors. Display the sales register
from TALLY and export the same to excel.
If a programmer has been adding coded routines to the package to fill out the input forms or
to advice, the programmers work must be tested. Not applicable in the instant case.
Obtain copies of the application file to be tested. Before testing on excel a copy of report kept
separately.
Attend the execution of the package against these copy files.: Execution includes the following
steps:

Index the excel sheet in ascending order, based on Invoice Number.

Insert an additional column to the right side of invoice number.
Put the rule Invoice number (Row Next)-Invoice number (current row).
The same shall appear like:

1
2

A
Invoice
number
10001

B
Inserted
column
=A3-A2
76

C
Result of
command
1.00

Chapter 3, Part 1: Audit program for review of application software

3
4
5
6
7
8
9
10

10002
10003
10005
10006
10006
10007
10008

=A3-A4
=A4-A5
=A5-A6
=A6-A7
=A7-A8
=A8-A9
=A9-A10

1.00
2.00
1.00
0.00
1.00
1.00

Reading the above: Where the value of column C is other than 1, it means there is a
problem with invoice numbering. Above is one way of doing the same in excel, there could
be multiple ways of getting the audit conclusions in excel.
viii.

Maintain security of files and output until the tests have been fully checked out: Important to

ix.

Check the test results and draw audit conclusions. Based on above results auditor can
draw conclusions.
Interface the test results with whatever subsequent manual audit work to be done.

x.

remember.

1.11.2 Cases on how to use continuous auditing

1. Snapshot
Facts: A software company with more than 1,00,000 employees. Organisation uses payroll
software to process salary. The payroll is processed in four distinct steps in system. They are:

Calculate basic salary: Based on basic input data, like attendance and master data is
used here
Calculate Allowance: Based on basic salary calculated allowances like House Rent
Allowances, calculated.
Calculate deductions: Once Basic Salary and Allowances calculated deductions like TDS,
PF etc. made.
Calculate the net salary: Same based on above calculation.

Audit objective: Management has appointed a system auditor to check whether the payroll system
is working properly.
Auditors use of SNAPSHOT as a technique:
1. This technique allows auditor to capture images of transactions as the same is processed
in system.
77

Module 6
2. Auditor identifies the transactions for which snapshot shall be taken.
3. Based on the snapshot auditor is able to come to a conclusion about the nature and
location or error in payroll process if any.

2. Integrated Test Facility (ITF)

Facts: Company has linked its stores system to its purchase system. In the stores system
whenever an items level comes to re-order level, system automatically generates a purchase

order.
Objective: Company appoints an IS Auditor to check whether the same system is working properly
or not.
IS Audit process: IS auditor uses the technique of ITF.
IS Audit Steps:
1. Create a dummy organisation. In the given case the dummy organisation is an issue
slip. The objective is to reduce an items balance below re-order level.
2. Once the dummy organisation is processed in system, auditor checks whether the system
triggers a purchase order.
3. If the answer is yes, it means the system is working properly.

Points to remember:
1. Items selected for the above test shall be material.
2. Effect of dummy organisation need to be reversed.

78

PART 2: COMPLIANCE TESTING AND

SUBSTANTIVE TESTING
Business application software controls has to be analysed through compliance and substantive
testing. These tests are necessary for risk assessment. The evaluation of internal control is
accomplished through compliance and substantive testing. The purposes for compliance and
substantive testing differ and will be achieved during the fieldwork.

2.1 Compliance Testing

ISACA ITAF 201 Performance Guidelines on Engagement Planning states as follows: Audit and
assurance projects should include consideration of internal controls either directly as a part of the
project objectives or as a basis for reliance upon information being gathered as a part of the project.
Where the objective is evaluation of internal controls, IT audit and assurance professionals should
consider the extent to which it will be necessary to review such controls. When the objective is to
assess the effectiveness of controls over a period of time, the audit plan should include procedures
appropriate for meeting the audit objectives, and these procedures should include compliance
testing of controls. When the objective is not to assess the effectiveness of controls over a period
of time, but rather to identify control procedures at a point in time, compliance testing of controls
may be excluded.
SA 00 issued by ICAI, Basic Principles Governing an Audit, defines compliance procedures as
tests designed to obtain reasonable assurance that those internal controls on which audit reliance
is to be placed are in effect. A compliance test determines if controls are being applied in a manner
that complies with management policies and procedures. The broad objective of compliance test
is to provide the IS auditors with reasonable assurance that the particular control on which the IS
auditor plans to rely is operating as the IS auditor perceived in the preliminary evaluation.
Compliance tests can be used to test the existence and effectiveness of a defined process, which
may include a trail of documentary and/or automated evidence, for e.g., to provide assurance that
only authorized modifications are made to production programs.

2.1.1 Purpose
Compliance tests are used to help determine the extent of substantive testing to be performed, as
stated in Statement of Auditing Standards. Such tests are necessary if the prescribed procedures
are to be relied upon in determining the nature, time or extent of substantive tests of particular
classes of transactions or balances. Once the key control points are identified, the auditor seeks
to develop a preliminary understanding of the controls to ensure their existence and effectiveness.
It is achieved through compliance testing. Compliance testing helps an auditor determine that

The controls exist and are working as expected

Module 6

The controls are applied in a manner that complies with policies and procedures.

2.2 Substantive Testing

To obtain evidence of the validity and propriety of accounting treatment of transactions and
balances or, conversely, of errors or irregularities therein
SA 00 issued by ICAI, Basic Principles Governing an Audit, defines substantive procedures are
designed to obtain evidence as to the completeness, accuracy and validity of the data produced
by the accounting system. A substantive test substantiates the integrity of actual processing and
the outcome of compliance testing. Substantive testing is the testing of individual transactions. It
provides evidence of the validity and integrity of the balances in the financial statements and the
transactions that support these balances. The IS auditors use substantive tests to test for monetary
errors directly affecting financial statement balances.

2.2.1 Purpose
Substantive testing procedures focus on broadly two types of tests:
i.
ii.

Tests of details of transactions and balance such as recalculating interest to ensure the
accuracy of process and effectiveness of controls over the process of the calculation of
interest.
Analysis of significant ratios and trends including the resulting enquiry of unusual
fluctuations and items in exceptions e.g. debit balance in deposit accounts, pending items
to ensure the controls to prevent or detect such transactions or balances are in place.

2.3 Relationship between compliance and substantive testing

There is a direct correlation between the effectiveness of controls and the extent of substantive
testing required. If the auditor after compliance testing concludes that the controls are adequate
and are working effectively as expected, then he is justified in reducing the size of his sample for
substantive testing. If testing of controls reveals weak controls, he might decide to go for increasing
his sample for substantive testing.
Please refer to chapter 2 of module 2: IS Assurance services for more details of compliance
testing and substantive testing.

80

PART 3: IMPACT OF BUSINESS APPLICATION

SOFTWARE ON BUSINESS PROCESSES /
CONTROLS
As discussed in previous sections, an organisation selects business application to achieve its
business goals and objectives. In part 1 of the chapter, the case study has highlighted the
importance of selecting the correct business application software. Once an organisation has
selected a business application, it needs to implement appropriate business processes or re-define
its way of working to ensure that business application software process and organisation own
business operations are in sync.

3.1 Case: Highlight need for redefining business process

Objective: To highlight importance of re-defining the business process to suit the requirements of
the business application selected to be used.

a. To know: Teeming and Lading fraud

Definition: It is a type of fraud that involves the crediting of one account through the abstraction of
money from another account. It can happen when one customer's payment is stolen and another
customer's payment is posted to hide the theft.

b. Why this fraud occurs?

If the internal check is lacking then the fraud perpetuator can divert the cash cheque for his/her
personal use. As we have read that person in possession must not possess the record of asset.
This fraud occurs when a person acts as cashier as well as ledger writer or enters data.

c. How to control the risk in business application system?

1. Organisation using TALLY:
In TALLY, as soon as a cash voucher is entered in system, it immediately updates ledger and
related financial statements also. The issue to resolve is safeguarding against occurrence of fraud.
Safeguards put in place: In TALLY it is preferred that better input controls be put in place to prevent
occurrence of fraud by creating specific users with access for specific functions.
2. Organisation using ERP system like SAP:
In SAP, the transaction processing follows a two-step process:

Module 6
i. Park of entry: This step is used to enter and store (park) incomplete documents in the SAP
System without carrying out extensive entry checks.
ii. Posting of entry: Parked documents can be completed, checked, and then posted at a later
date - if necessary by a different accounting clerk.
This ensures that same accounting clerk does not receive the cash and also update the records.

d. What TALLY users need to do?

They need to redefine their business process in a manner to prevent the occurrence of above
frauds. The redefined business process needs to address the following propositions:
1. There are proper internal check is established, and
2. The business process shall be as per the nature of business of organisation.

3.2 Procedures to manage changes to business processes and

impact on controls
During the procedure conversion performed in the implementation phase of system
development life cycle approach, an organisation needs to prepare a control impact assessment
chart. This documentation is important to help identify the following:
Step 1: What is the impact of new business application on the internal controls? This assessment
has to be done for all items specified in the Checklist for Application Control Review of Business
Application (Annexure 1 of this module). An evaluation checklist for impact assessment is given
in Appendix-5 Business Applications impact on internal controls.
Step 2: Based on the assessment made at step 1 IS auditor shall check how management has
addresses the shortcoming. Management may address the concerns raised by specifying new
business process, approval process. All such new business process, approval process need to be
validated. For validation IS auditor shall use the checklist given in Appendix 1.

82

PART 4: USER CONTROLS

The most important aspect of a business application is the user controls. User controls are defined
as the rights given to users as per job profile and their rights and duties within the organization.
Entitlement of access to an information resource and degree of access is determined according to
the job description, functions and role of the user in the organisation.
The rights of access is to ensure that user does not gain access to undesired information
resources or an undesired mode of access to the information, This is governed by philosophy need
to know and need to do basis or the principle of least privilege. Principle of least privilege is an
important concept in information security. It advocates minimal user profile privileges on
computers, based on users job necessities. It can also be applied to processes on the computer;
each system component or process should have least authority necessary to perform its duties.
This is also called the default deny principle. All these terms imply that access is available only
to users after it has been specifically granted to them, only to perform the job function that has
been granted to them. Please refer to the chapter on Logical access controls in Module-4 for more
details.

4.1 Principles to follow while granting user rights

User rights are to be assigned based on following guiding principles:
1. Rights are allocated on the basic philosophy of, NEED TO KNOW and NEED TO DO
2. Rights need to be allocated based on users job profile.
3. Maker and checker distinction need to be followed, for example a user who creates a cash
voucher must not be able to modify the same.
4. Asset recorder must be different from person physically holding asset.

4.2 Creating users for different level of use

4.2.1 Key requirement
Proper user rights definition in system has two key requirements.

Well defined structure

Application software capability

Module 6
a. Well defined management structures with employee roles and responsibility.
b. Capability of the business application to allow user rights creation
The job of user rights creation, modification and deletion is a critical from internal control
perspective.

4.2.2 IS Auditor key checkpoints

It is important for an IS Auditor to check:

i. Who has the authority to create user rights?

IS auditor is also concerned to know the person who has the authority to create users in system.
IS auditor needs to evaluate the rights of persons doing this job and how these rights have been
granted and monitored.
Case at the end of this part: An accounting softwares USER RIGHTS AUDIT.]

ii. Authorisation procedure before creating user rights?

IS Auditor needs to check whether there is a formal user rights approval form/document. The
question that need to be answered being
a. Who triggers the request for user rights creation? Ideally this request has to be generated
through HR department.
b. Whether the form contains all relevant information for the specific user?
c. Whether the form has been properly filled?
d. Whether the form has valid authorisation?
e. Whether forms are marked once user rights are created in system?

iii. Validation of user rights created in system?

IS Auditor needs to evaluate the process how user rights created at step (ii) are validated once
they have been put in system. IS Auditor may seek answers to the following questions.
a. Whether there is a proper cross check mechanism build in organisation to validate the
user rights of employee once they have been created?
b. Whether there is timely validation of user rights and user job profiles? For example this is
a cyclical process to be done once each year to see whether the job profile of individual
is appropriately reflected in his/her user rights?

84

Chapter 3, Part 4: User Controls

iv. Process of alteration of user rights?

IS Auditor is concerned with the process of alteration of rights. The IS Auditor seeks answers to
the following questions.
a. Whether the user right alteration process is linked to job profile of individual?
b. Who triggers the request for user rights alteration?
c. Whether the alterations are done through proper validated USER RIGHTS ALTEARTION
FORMS?
d. Whether these forms follow the similar authorisation process as done during initial
creation of user rights?

v. Keeping track of user actions?

This shall be part audit trail review, dealt in detail at other location in this module.

4.3 Creating users for different level of use

A checklist from TALLY to allow creation of user rights is explained in the case which follows.

Case Studies
1. User rights review Audit
An Internal Auditor asked the company to make available user rights lists as provided by the
company in accounting software. Internal Auditor also asked the HR department to make available
the hierarchy chart and job profile of the individuals. On comparison of the two documents auditor
found the following: There were 50 employees in the company. Details of two employees are:

85

Display

Print

Material Receipt Note

Vendor Master
VAT Rate Master

Delete

Name of Document /
Master

Alter

Stores Clerk

Prepare
Material
Receipt Note
after validation
with PO for
quantity, rate,
and other
terms.

Accounting Software rights: Allowed Rights

Create

Designation

HR department
profile
Major
responsibility as
defined by
company

Yes
Yes
Yes

Yes
Yes
Yes

Yes
Yes
Yes

Yes
Yes
Yes

Yes
Yes
Yes

Module 6

Manager
Accounts

Timely and
accurate
accounting,
statutory
compliances,
timely
preparation of
financial
statements,
timely
submission of
MIS to
management.

Vouchers
Account Masters,
including debtors and
creditors master.

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

The person was allowed to do back dated entries 365

days in past.

Exercise for participants: What are the risks and what are the remedies?

2. GM (F) who left the company.

Facts: The Company had a policy of allocating the super-user password to General Manager
(Finance). The same defined in the job profile of the GM (F). GM (F) shall be responsible to ensure
for allocation, deletion, modification and suspension of user rights based on approvals made
available by HR department.
Problem: The GM (F) left the organisation. Another one joined. The new joinee was given another
super-user password. Six months after the new joinee, it came to notice of Internal Auditor that all
employees of the accounts department have been using the super-user password of the previous
GM (F).
Exercise for the participants: What was wrong and how these could be corrected for future?

86

PART 5: DATABASE CONTROLS

In this chapter we will understand database structure and tables, user creation, access levels and
user management. We will also understand how to evaluate internal control systems in application
software relating to system design, data creation/input, data processing, data flow, data
transmission and data storage. How to use reporting, query and SQL features as required for
reviewing controls are briefly discussed.

5.1 Key features of database

5.1.1 Database architecture
Data is defined as collection of different data. Database is like an electronic file cabinet i.e. a
collection of computerised data files. Database being a critical system resource needs elaborate
controls to be put in place. Data architecture is composed of models, policies, rules or standards
that govern which data is collected, and how it is stored, arranged, integrated, and put to use in
data systems and in organizations. They are namely;
(i)

(ii)

(iii)

External or user view: It is at the highest level of the database abstraction. It includes
only that portion of database or application programs which is of concern to the users.
It is defined by the users or written by the programmers. It is described by the external
schema.
Conceptual or global view: This is reflection of a database is viewed by database
administrator. Single view represents the entire database. It describes all records,
relationships and constraints or boundaries. Data description to render it independent
of the physical representation. It is defined by the conceptual schema,
Physical or internal view: It is at the lowest level of database abstraction. It is closest
to the physical storage method. It indicates how data will be stored, describes data
structure, and the access methods. It is expressed by internal schema.

5.2 Database Security and Control

Database Controls could be in terms of:
1. Database Roles and Permissions

Segregation of duties
Roles & Permissions allow control of operations that a user can perform on database,

2. Concurrency Control: Addresses conflicts relating to simultaneous accesses

Module 6
3. Views: Views enable data access limitations. A view is a content or context dependent subset
of one or more tables. E.g. A view might be created to allow a sales manager to view only the
information in a customer table that is relevant to customers of his own territory Restrict user views
of the database.
4. Stored Procedures: Database servers offer developers the ability to create & reuse SQL code
through the use of objects called as Stored Procedures (Group of SQL statements). This is
discussed later.

5.3 User creation in database

Please refer to the eLearning part of module 1 for more details on concepts of database. The
objective of Data base security would be Authorized people should be given Right access to the
Right data. In this context user management becomes very important. There could be different
types of database users;
1.
2.
3.
4.

Application programmers
Sophisticated users
Specialized users
Naive users

This user management is achieved through Authorization and access control

Basic model for accessing control involves:
a. Subjects (Right People)
b. b. Objects (Right data)
c. Access Rights (Right Access)

Subject is allowed access rights to objects.

To access the database, a user must specify a valid database user account and successfully
authenticate as required by that user account. Normally, a database administrator first uses
CREATE USER to create an account, then GRANT to define its privileges and characteristics. For
Example in Oracle, The SYS and SYSTEM accounts have the database administrator (DBA) role
granted to them by default. These are predefined all other users have to be created. There is a
need to create user and assign some authentication mechanism like a Password.

88

Chapter 3, Part 5: Database Controls

Data base Administrator will then grant access rights or privileges to user as shown below.

89

Module 6

5.4 Structured Query Language

A query language is a set of commands to create, update and access data from a database
allowing users to raise ado queries / questions interactively without the help of programmers.
Structured Query Language (SQL) is a programming language used to manipulate information in
relational database management systems (RDBMS).

5.4.1 Components of SQL

a. DML or data manipulation language: DML consist of SELECT, UPDATE, INSERT, and
DELETE statements.
b. DDL or data definition language: DDL is made up of CREATE and ALTER statements.
c. DCL or data control language: DCL is comprised of GRANT and REVOKE statements.
In recent years DML, has been expanded to include the MERGE statement and DDL
has had the APPEND statement added.

90

Chapter 3, Part 5: Database Controls

5.4.2 Language elements of SQL

a.
b.
c.

d.
e.

Clauses, which are in some cases optional, constituent components of statements

and queries.
Expressions which can produce either scalar values or tables consisting of columns
and rows of data.
Predicates which specify conditions that can be evaluated to Boolean
(true/false/unknown) truth values and which are used to limit the effects of statements
and queries, or to change program flow.
Queries which retrieve data based on specific criteria.
Statements which may have a persistent effect on schemas and data, or which may
control transactions, program flow, connections, sessions, or diagnostics.

5.5 SQL commands for reporting

SELECT Statement Syntax
S.no.

Action

Target

Select

Columns

From

Tables

Where

Criteria are met

Group by

Summarize

Order By

Options to specify
i. Specific columns by name
ii. All columns through wildcard
Lists qualified table name
i. Optional
ii. Conditions that limit the records to be
displayed
i. Optional
ii. Sorts the query results
ASC - ascending order
DESC - descending order

Order Results

The above can be used to generate specified reports directly from database. These are covered
in more detail through practical examples in the hands on training of this module.

91

PART 6: FINANCIAL REPORTING AND

REGULATORY REQUIREMENT IN INFORMATION
SYSTEMS
6.1 Nature of compliances
As the usage of business application has been increasing in business, so has been the increase
of regulatory compliances. Today businesses rely on reports generated from business applications
for their statutory compliances. The list of compliances may include:

i. Taxation related: TDS, TCS, Excise Duty, Service Tax, VAT, PF, etc.
ii. Control Related: Those specified in:
-

Section 17(2AA) of Companies Act 1956 (old): Detailing Directors Responsibility

Statement, which specifies that directors of the company are responsible to

implement proper internal controls.

-

CARO, 2003 (As amended in 2004), has many clauses where statutory auditor
needs to comment upon the internal controls.
SOX compliance: Financial transaction analysis, for example aging analysis for
debtors and inventory, capability to drill down un-usual financial transactions.

iii. XBRL compliance: Looking to the growth of XBRL compliance in India and governments
intention to slowly increase the coverage area of eligible entities, XBRL compliance shall increase
in India. Many business application vendors have already started making their software capable of
generating XBRL reporting.
iv. Accounting Standard related: Accounting standards prescribing the accounting guidance to
transactions. It is important that the business applications used are in compliance with the
applicable accounting standards.
v. Compliances as specified in the newly notified Companies act, 2013:

- Maintenance of books in e-form. (Section 128)

-Compulsory Internal Audit: Prescribed companies to have an Internal Auditor. This

provision makes it more important for company to implement proper

controls in business application used. (Section 138)

Module 6

- Constitution of National Financial Reporting Authority (NFRA). This body has been
entrusted with task of framing auditing and accounting standards. (Section 132)
vi. Compliances requirements from industry specific statutes
-

Banking industry compliances

Insurance Industry
Stock market industry

6.2 Who is responsible for accuracy and authenticity of

reports?
The responsibility may be defined through the following chart:

i.
ii.
iii.

The prime responsibility for accuracy of report generated from the business applications
lies with the management.
The role of internal auditor is to see whether established controls ensure the accuracy of
reports.
Where statutory auditor wishes to use the above reports for his/her documentation, or
forms and opinion based on such reports.

SA 580 on Written Representations, issued by ICAI, state that auditor when decides to obtain
written representations as assertions, and to respond appropriately to written representations
94

Chapter 3, Part 6: Financial reporting and regulatory requirement in Information Systems

provided by management or if management does not provide the written representations
requested by the auditor.

6.3 Validation of statutory reports from business application

software
This requires IS auditor to have an understanding of system, this includes the way it is configured
and the way it generates reports. To highlight the above issue two cases are given here.

Case on validation of statutory rates in business application software

1. PF rates are not properly defined
a. Facts: Employees PF Contribution @10% Pay Head Creation. If rate of % defined incorrectly
in master configuration, then salary calculated and report will also be affected and shown
incorrectly.
b. How to define the rate?
Go to Gateway of Tally > Payroll Info. > Pay Heads> Create> In the Pay Head Creation screen,

Type Employees PF Contribution @ 10% as the Name of the Pay Head

Select Employees Statutory Deductions in the field Pay Head Type

95

Module 6

c. What shall be the impact?

- Deduction of PF at wrong rates
- Other liabilities associated with the above.

96

Chapter 3, Part 6: Financial reporting and regulatory requirement in Information Systems

2. TDS rates are not correctly specified

a. Wrong classification of payments and the related section under which payment
is to be made.
Default Nature of Payment for professional fees is entered as payment to contractors
instead of Fees for Technical Services U/s 194-J.

97

Module 6

b. Improper classification regarding exemptions:

Income Tax Exemption Limit: Income tax exemption limit is ignored which results in deduction of
tax from the first voucher ignoring the basic exemption limit. For example, TDS on interest is
deducted only if the amount of interest exceeds Rs. 10000.

98

Chapter 3, Part 6: Financial reporting and regulatory requirement in Information Systems

c. What shall be the impact?

- Deduction of TDS at wrong rates
- Other liabilities associated with the above

99

PART 7: SYSTEM AUDIT REPORT FORMAT AS

PER BEST PRACTICES
7.1 Reporting Standards
Report is the output of effort taken. Quality of report is the key to success of audit effort. ISACA
ITAF 401 guidance on reporting standards states: The reports produced by IS audit and assurance
professionals will vary, depending on the type of assignments performed. Considerations include
the levels of assurance, whether IS audit and assurance professionals were acting in an audit
capacity, whether they are providing direct reports on the subject matter or reporting on assertions
regarding the subject matter, and whether the reports are based on work performed at the review
level or the examination level.
1 Audit report format ISACA ITAF 401 on Reporting and SA 700 on Forming an opinion and
Reporting on Financial Statements, the audit report need to cover the following. IT audit and
assurance professionals report about the effectiveness of control procedures should include the
following elements:
i.
ii.
iii.

iv.
v.

vi.
vii.

Title:
Addressee
Description of the scope of the audit, the name of the organisation or component of
the organisation to which the subject matter relates, including:
a. Identification or description of the area of activity.
b. Criteria used as a basis for the IS audit and assurance professionals
conclusion.
c. The point in time or period of time to which the work, evaluation or
measure of the subject matter relates.
d. A statement that the maintenance of an effective internal control
structure, including control procedures for the area of activity, is the
responsibility of management.
A statement that the IT audit and assurance professional has conducted the
engagement to express an opinion on the effectiveness of control procedures.
Identification of the purpose for which the IT audit and assurance professionals report
has been prepared and of those entitled to rely on it, and a disclaimer of liability for its
use for any other purpose or by any other person.
Description of the criteria or disclosure of the source of the criteria.
Statement that the audit has been conducted in accordance with specified IT Audit
and Assurance Standards or other applicable professional standards.

Module 6
viii.
ix.
x.
xi.
xii.

A paragraph stating that because of the inherent limitations of any internal control,
misstatements due to errors or fraud may occur and go undetected.
An expression of opinion about whether, in all material respects, the design and
operation of control procedures in relation to the area of activity were effective.
IT audit and assurance professionals signature.
IT audit and assurance professionals address.
Date of the IT audit and assurance professionals report. In most instances, the dating
of the report is based upon applicable professional standards. In other instances, the
date of the report should be based on the conclusion of the fieldwork.

7.1.1 Case to prepare report in specified format

Objective: to help document a system audit report for a companys password management

policy.
Facts: Password Management Policy has been framed as a part of main security policy of the
company.
Policy details:
1. Policy Name: Password Management Policy. The objective is to ensure that the company has
no loss due to password mismanagement.
2. Policy Guidelines:

Password length to be minimum 8 characters.

Password to be alpha-numeric.
Password to be changed every 30 days.
Password not to be shared.

3. Policy design and implementation: Management informed its system developers to implement
the above policy as a part of system design.
4. Policy monitoring: Manager (PW) appointed by the company in HR department, having access
to password log of system reports to System Administrator. At the end of year management
appointed an IS Auditor with the following scope:
1. To review policy compliance.
2. To suggest:
i.
Modification in policy
ii.
Any other aspect for better implementation.
102

Chapter 3, Part 7: System Audit Report format as per best practices

IS Audit steps: The basic audit steps including those mentioned at chapter 1, IS Auditor used the
audit procedures including compliance and substantive procedures. IS Auditor uses the following
audit techniques to collect audit evidence.
i.

Inquiry: Interacting with the stakeholders to confirm understanding of the policy

and level of compliance by the users.
Documentation: Reviewing the Audit Logs in system. These logs inform which
employee logged in on a specific date. Reviewing the attendance records of staff.
Observation: Validating the process by which staff enters their passwords in
system.
Re-performance: With the permission of management, IS Auditor tries to create
passwords which were not in line with the policy.

ii.
iii.
iv.

B. IS Auditors Findings: Based on the audit done auditor came across the following.
1. There were 200 employee data available. Of these 175 are working and 5 have left.
2. The password of employee who had left had not been disabled.
3. 20 Employees did not change their password every 30 days, as defined in policy. 5 were
repeat offenders.
4. 50 instances of employee passwords being used when they were absent have been
observed.
Please refer to Appendix 6: System Audit Report.

7.2 Questions
1. The best way to define the purpose for an IS Audit in one word:
A.
B.
C.
D.

Assurance
Activity
Review
Performance

2. What is the primary basis of audit strategy? It should be based on:

A.
B.
C.
D.

knowledge.
life-cycle.
user-request
risk assessment.

3. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
103

Module 6
C. Audit hooks
D. Snapshots
4. Which of the following is the first step in compliance testing? To review:
A.
B.
C.
D.

access security controls

input controls
processing controls
output controls.

5. The cashier of a company has rights to create bank master in TALLY. This error is a reflection
of poor definition for which type of control:
A.
B.
C.
D.

User Controls
Application Control
Input Control
Output Control

6. An employees has left the company. The first thing to do is to:

A.
B.
C.
D.

Hire a replacement employee.

Disable his/her access rights.
Ask the employee to clear all dues/advances.
Escort employee out of company premises.

8. Common features in ISACA ITAF 401, SA 700 and NFRA (National Financial Reporting
Authority) is.
A.
B.
C.
D.

Reporting
Auditing
Accounting
Standard

7.3 Answers and Explanations

1. A. The IS audit focuses on determining the risks that are relevant to information assets, and in
assessing controls in order to reduce or mitigate these risks. Management gets an assurance about
the functioning of controls.
2. D. Audit Strategy is based on risk assessment done by the auditor. Other answers do not
represent basis for deciding audit strategy.
3. D. Snapshots is the right answer as in this technique IS auditor can create evidence through
IMAGE capturing? A snapshot tool is most useful when an audit trail is required. ITF can be used
104

Chapter 3, Part 7: System Audit Report format as per best practices

to incorporate test transactions into a normal production run of a system. CIS is useful when
transactions meeting certain criteria need to be examined. Audit hooks are useful when only select
transactions or processes need to be examined.
4. A. is the first step towards compliance test. Other steps are more part of application system
transaction audit.
5. A. user controls are not properly defined. User controls need to be defined based on NEED TO
DO and NEED TO DO basis. The above is reflection of a greater problem of improper assessment
user profiles created in the system.
6. B. the first thing to do as soon as an employee leaves the company is to disable his/her access
rights in system. This needs to be done to prevent frauds being committed. Other answers may be
valid but are not the first thing to do.
C is the correct answer other options are components of SQL.
7. D. ISACA ITAF is a reporting standard by ISACA. SA 700 is a reporting standard by ICAI. NFRA
is an authority created in the new Companies act, to prescribe standard for accounting and
auditing.

105

SECTION 3: APPENDIX
APPENDIX 1: CHECKLIST FOR APPLICATION
CONTROLS
Date of review:

Segregation of
Duties

Authorisation

Validity

Ref

Accuracy

Information Objective

Completeness

IS Auditor Review of Application Controls

Process/Application Name:
Business Process Owner:
Control Objective and Control Practices
Description

Source Data Preparation and Authorisation

Ensure that source documents are prepared by authorised and qualified personnel
following established procedures, taking into account adequate segregation of duties
regarding the origination and approval of these documents. Check whether the source
document is a well-designed input form. Detect errors and irregularities so they can be
reported and corrected.
Whether the source documents is designed in a
way that they increase accuracy with which data
can be recorded, control the workflow and facilitate
subsequent reference checking?
[Where appropriate, include completeness controls
in the design of the source documents.]
Whether the procedures for preparing source data
entry, and ensure that they are effectively and
properly communicated to appropriate and
qualified personnel? [These procedures should
establish and communicate required authorisation
levels (input, editing, authorising, accepting and
rejecting source documents). The procedures
should also identify the acceptable source media
for each type of transaction.]

Whether the function responsible for data entry

maintains a list of authorised personnel, including
their signatures?

Module 6

Whether all source documents include standard

components and contain proper documentation
(e.g., timeliness, predetermined input codes,
default values) and are authorised by
management?
Whether application automatically assigns a
unique and sequential identifier (e.g., index, date
and time) to every transaction?
Whether the document that are not properly
authorised or are incomplete to the submitting
originators for correction, and log the fact that they
have been returned is maintained?Whether review
of logs periodically done to verify that corrected
documents are returned by originators in a timely
fashion, and to enable pattern analysis and root
cause review?
Source Data Preparation and Authorisation
Establish that data input is performed in a timely manner by authorised and qualified staff.
Correction and resubmission of data that were erroneously input should be performed
without compromising original transaction authorisation levels. Where appropriate for
reconstruction, retain original source documents for the appropriate amount of time.
Whether criteria for timeliness, completeness and
accuracy of source documents have been
communicated?
Whether mechanisms are there to ensure that data
input is performed in accordance with the
timeliness, accuracy and completeness criteria?
Whether pre-numbered source documents for
critical transactions are used? Whether application
allows identification and listing of missing source
documents?
Whether definition for who can input, edit,
authorise, accept and reject transactions, and
override errors is there?
Whether the same is as per roles and
responsibilities of individual and record supporting
evidence to establish accountability is maintained?

108

Section 3

Whether procedures to correct errors, override

errors and handle out-of-balance conditions, as
well as to follow up, correct, approve and resubmit
source documents and transactions in timely
manner are defined?
Whether application system generates error
messages in a timely manner and as close to the
point of origin as possible?
Whether the transactions are processed without
errors being corrected or appropriately overridden
or bypassed? Whether the errors that cannot be
corrected immediately logged in an automated
suspense log?
Whether error logs are reviewed and acted upon
within a specified and reasonable period of time?
Whether errors and out-of-balance reports are
reviewed by appropriate personnel, followed up
and corrected within a reasonable period of time,
and that, where necessary, incidents are raised for
more senior attention? Whether automated
monitoring tools are used to identify, monitor and
manage errors?
Whether all source documents are safe stored
(either by the business or by IT) for a sufficient
period of time in line with legal, regulatory or
business requirements?
Accuracy, Completeness and Authenticity ChecksEstablish that data input is
performed in a timely manner by authorised and qualified staff. Correction and
resubmission of data that were erroneously input should be performed without
compromising original transaction authorisation levels. Where appropriate for
reconstruction, retain original source documents for the appropriate amount of time.
Whether the transaction data are verified as close
to the data entry point as possible and interactively
during online
sessions?
Whether the transaction data, whether peoplegenerated, system generated or interfaced inputs,
are subject to a variety of controls to check for
accuracy, completeness and validity?

109

Module 6

Whether controls to ensure accuracy,

completeness, validity and compliancy to
regulatory requirements of data input put in place?
Whether validation criteria and
parameters should be subject to periodic reviews
and conformation?
Whether access control and role and responsibility
mechanisms are established so that only
authorised persons input, modify and authorise
data?
Whether requirements for segregation of duties for
entry, modification and authorisation of transaction
data as well as for validation rules defined?
Whether report of transactions failing validation
generated? Whether report all errors are
generated in a timely fashion?
Whether transactions failing edit and validation
routines are subject to appropriate follow-up until
errors are remediated? Whether information on
processing failures is maintained to allow for root
cause analysis and help adjust procedures and
automated controls?
Processing Integrity and Validity
Maintain the integrity and validity of data throughout the processing cycle. Detection of
erroneous transactions does not disrupt the processing of valid transactions.
Whether mechanisms to authorise the initiation of
transaction processing and to enforce that only
appropriate and authorised applications and tools
are used defined and put in place?
Whether processing is completed and accurately
performed with automated controls?
[For example: Controls may include checking for
sequence and duplication errors,
transaction/record counts, referential integrity
checks, control and hash totals, range checks, and
buffer overflow.]

110

Section 3

d
e

Whether transactions failing validation routines are

reported and posted to a suspense file? Whether
the errors are reported in timely fashion? Whether
the information on processing failures is kept to
allow for root cause analysis and help adjust
procedures and automated controls, to ensure
early detection or to prevent errors?
Whether the transactions failing validation routines
are subject to appropriate follow-up until errors are
remediated or the transaction is cancelled?
Whether there is a unique and sequential identifier
to every transaction (e.g., index, date and time)?
Whether an audit trail of transactions processed.
Include date and time of input and user
identification for each online or batch transaction
maintained?
Whether there is a listing of sensitive transactions
and before and after images maintained, to check
for accuracy and authorisation of changes made?
Whether integrity of data during unexpected
interruptions in data processing with system and
database utilities, maintained? Whether controls
are in place to confirm data integrity after
processing failures or after use of system or
database utilities to resolve operational problems?
Whether any adjustments, overrides and highvalue transactions are reviewed promptly in detail
for appropriateness by a supervisor who does not
perform data entry?

Whether reconciliation of file totals done? [For

example, a parallel control file that records
transaction counts
or monetary value as data should be processed
and then compared to master file data once
transactions are posted. Identify report and act
upon out-of-balance conditions.]

Output Review, Reconciliation and Error Handling

Establish procedures and associated responsibilities to ensure that output is handled in an
authorised manner, delivered to the appropriate recipient, and protected during
111

Module 6
transmission; that verification, detection and correction of the accuracy of output occurs;
and that information provided in the output is used.

Whether the handling and retaining output from IT

applications, follow defined procedures and
consider privacy and security requirements?
Whether procedures for communicating and followup defined for distribution of output?
Whether physical inventory of all sensitive output,
such as negotiable instruments taken and
compared it with inventory records?
Whether there are procedures with audit trails to
account for all exceptions and rejections of
sensitive output documents?
Whether out-of-balance control totals exist and
exceptions reported to the appropriate level of
management?
Whether procedure exists to check completeness
and accuracy of processing before other
operations are performed? Whether reuse of
electronic output subject to validation check before
re-use?
Whether procedures are defined to ensure that the
business owners review the final output for
reasonableness, accuracy and completeness?
Whether the output is handled in line with the
applicable confidentiality classification? Whether
the potential errors are logged in a timely manner?

Whether for sensitive output, definition exists as to

who can receive it? Whether such output is
properly labelled for reorganisation?

112

APPENDIX 2: ATM AUDIT CHECKLIST

This is provided as soft copy.

APPENDIX 3: APPLICATION SOFTWARE

CHECKLIST
This is provided as a soft copy.

APPENDIX 4: USER RIGHTS CREATION

CHECKLIST
EMPLOYEE ACCESS RIGHT'S FORM
Form Sl. No.

Date

Name:
Department / Designation
Name of Security Level:
Days allowed for Back Dated Entry:
Cut- off Date for back Dated Vouchers:
Put Y /N only
Reports / Items to ALLOW / DISALLOW
ACCOUNTING STANDARDS
ACCOUNT MASTERS
ANNEXURE TO AUDIT REPORT
CARO
ATTENDANCE VOUCHERS
AUDITING AND ASSURANCE
STANDARDS
AUDIT JOURNALS
AUDIT LISTINGS

CREATE ALTER DISPLAY

PRINT

Remark

Module 6
AUDIT PROGRAMS
AUDIT WORKING PAPERS
BACK DATED VOUCHERS
BALANCE SHEET
BANK BOOKS
BANK RECONCILIATION
BATCH GOWDOWN SUMMARY
BATCH SUMMARY
CASH FLOW
CHEQUE PRINTING
CHEQUE REGISTER
CLIENT/ SERVER RULE
COMMODITY WISE PURCHASE
COMMODITY WISE SALES
COMPANY FEATURES
CONNECT COMPANY
COST CENTER DETAILS
CST PURCHASE REGISTER
CST REPORTS
CST SALES REGISTER
DAY BOOK
DEALER EXCISE REPORTS
DEPOSIT SLIP
EMPLOYEE VOUCHERS
EXCISE COMPUTATION
EXCISE ER-1 REPORT
EXCISE REPORTS
FBT REPORTS
FORM 3CA
FORM 3CB
FORM 3CD
FUNDS FLOW
GROUP MONTHLY SUMMARY
GROUP OUTSTANDING
114

Section 3
GROUP SUMMARY
GROUP VOUCHER DETAILS
IMPORT DATA
INTEREST CALCULATIONS
INVENTORY MASTERS
INVOICE CONFIGURATION
JOB WORK ANALYSIS
JOB WORK ORDER DETAILS
JOB WORK REGISTERS
JOB WORK STOCK
LEDGER MONTHLY SUMMARY
LEDGER OUTSTANDING
LEDGER VOUCHER DETAILS
LOCATION-WISE SUMMARY
MCA REPORTS
NOTE SUMMARY
ORDER DETAILS
OUTSTANDINGS
OVERRIDE INVOICE CLASS
OVERRIDE INVOICE DEFAULTS
PAYMENT ADVICE
PAYROLL MASTERS
PAYROLL REPORTS
PAYROLL VOUCHERS
PRICE LIST
PROFIT & LOSS A/C
PURCHASE REGISTER
QUICK SETUP
RECEIPTS & PAYMENTS
SALES REGISTER
SCHEDULE VI
SERVICE TAX REPORTS
STATUTORY AUDIT
STOCK CATEGORY OUTSTANDING
115

Module 6
STOCK CATEGORY SUMMARY
STOCK GROUP OUTSTANDING
STOCK ITEM MONTHLY DETAILS
STOCK ITEM OUTSTANDING
STOCK QUERY
STOCK SUMMARY
STOCK VOUCHER DETAILS
SYNCHRONISATION
SYNC REPORTS
TALLY.NET FEATURES
TAX AUDIT
TCS REPORTS
TDS REPORTS
TRACKING NUMBER DETAILS
TRIAL BALANCE
VAT COMPUTATION
VAT PURCHASE REGISTER
VAT SALES REGISTER
VOUCHER REGISTER
VOUCHERS
VOUCHING DONE
Prepared by:
Checked By:
Approved By:
Date of Approval

116

Section 3

1
2
3
4
5

Authorisation

Validity

Changes to Source Data Preparation and

Authorisation.
Changes to Source Data Preparation and
Authorisation.
Accuracy, Completeness and Authenticity
Checks
Processing Integrity and Validity.
Output Review, Reconciliation and Error
Handling

Accuracy

Ref

Completeness

IS Auditor Review of Impact of Business Application on Controls

Process/Application Name:
Business Process Owner:
Date of review:
Changes made to business process due to
Information
implementation of business application
Objective. Put Y, to denote
software. Matrix to evaluate whether the new negative impact, and N to
business application has impact on key
denote NO / Positive Impact
information objectives to be achieved.

Segregation of Duties

APPENDIX 5: REVIEW OF BUSINESS

APPLICATIONS IMPACT ON CONTROLS

For all items labelled as Y, IS auditor needs to check how the issue has been addressed.

117

Module 6

APPENDIX 6: SYSTEM AUDIT REPORT

Sl.
No.
1

Title:

Addressee

Report

Description

Description of the scope of

the audit, the name of the
organisation or component of
the organisation to which the
subject matter relates,
including:
a. Identification or description of
the area of activity
b. Criteria used as a basis for
the IS audit and assurance
professionals conclusion
c. The point in time or period of
time to which the work,
evaluation or measure of the
subject matter relates
d. A statement that the
maintenance of an effective
internal control structure,
including control procedures for
the area of activity, is the
responsibility of management
A statement that the IT audit and
assurance professional has
conducted the engagement to
express an opinion on the
effectiveness of control
procedures.

REPORT ON PASSWORD
MANAGEMENT SYSTEM
CHIEF INFORMATION OFFICER, XYZ
LTD.
Scope: System Audit of the Password
Management Policy.
User rights department in HR
department.
Password Management Policy:
Implementation and Compliance
The mandate of management to comment
on compliance, suggest methods to
improve compliance
Audit period starts from April 1st, 013 and
ends on December 31st, 013.
The responsibility of implementing proper
and effective internal controls in general
and specifically in terms of the policy
under audit lies with the management.
The IS Audit method and approach is to
express an opinion on existence,
effectiveness and continuity of internal
controls put in place by the management.

118

Section 3

Identification of the purpose for

which the IT audit and
assurance professionals report
has been prepared and of those
entitled to rely on it, and a
disclaimer of liability for its use
for any other purpose or by any
other person

Description of the criteria or

disclosure of the source of the
criteria

Statement that the audit has

been conducted in accordance
with specified IT Audit and
Assurance Standards or other
applicable professional
standards.

A paragraph stating that

because of the inherent
limitations of any internal control,
misstatements due to errors or
fraud may occur and go
undetected.

An expression of opinion about

whether, in all material respects,
the design and operation of
control procedures in relation to
the area of activity were
effective.

The IS Audit has been conducted to help

management identify lacunae's in policy
implementation. It does not provide and
assurance as to the future viability but is a
comment on the present state of affairs.
The report is for use by management not
for external agency.
The report is based on management
request to perform an audit of Password
Management System, its effective
implementation and monitoring.
The IS Audit has been conducted as per
the ISACA ITAF Standards on System
Audit and ICAI SA on Audit.

The audit is done as per mentioned

standards. The expression on an opinion
is subject to inherent limitation of internal
controls. These arising from the fact that
implemented controls may fail to prevent,
detect mis-statement due to errors and
frauds. Audit is subject to its limitation,
arising from the fact that audit is done on
test basis, leaving a possibility of error or
fraud going undetected.
Based on the information, explanations
provided, we comment that: a. Password
Management System has not been
implemented properly. B. It fails to achieve
the purpose. C. Management needs to
take the following actions to improve its
performance:
i. Policy modification: Policy needs to
specifically state, that as employee leaves
and organisation his/her password shall be
immediately disabled.

119

Module 6
ii. The attendance system of the
organisation needs to be joined to the
password system. This is necessary to
ensure that a password of absent
employee is not misused.
iii. Employee training is a must, for proper
understanding and implementation of
policy.
Basis of our recommendation as findings
during the audit. Findings are enclosed as
an annexure to the report.
10
11

12

IT audit and assurance

professionals signature
IT audit and assurance
professionals address
Date of the IT audit and
assurance professionals report.
In most instances, the dating of
the report is based upon
applicable professional
standards. In other instances,
the date of the report should be
based on the conclusion of the
fieldwork.

ABC
ICAI BHAWAN, NEW DELHI

01-Jan-14

Sl.
No.

Annexure to System Audit Report

There were 200 employee data available. Of these 175 are working and 5
have left.

The password of employee who had left had not been disabled.

3
4

5
6

20 Employees did not change their password every 30 days, as defined in

policy. 5 were repeat offenders.
50 instances of employee passwords being used when they were absent have
been observed.
[IS Auditor may add name and detail of employees]
IT audit and assurance
ABC
professionals signature
ICAI BHAWAN, NEW DELHI
IT audit and assurance
professionals address
120

Section 3

Date of the IT audit and

assurance professionals report.
In most instances, the dating of
the report is based upon
applicable professional
standards. In other instances,
the date of the report should be
based on the conclusion of the
fieldwork.

01-Jan-14

APPENDIX 7: SAMPLE AUDIT REPORT OF

APPLICATION SOFTWARE
This is provided as soft copy.

121