Application Controls Audit Work Program

This document provides audit work programs for reviewing application controls for different types of applications. It outlines controls that should be considered for financial end-user developed applications, including change control, version control, access control, input control, and security of data. For more complex applications, additional controls around documentation, development lifecycle, backups, archiving, logic inspection, segregation of duties, and analytics should be reviewed. The document then provides specific audit steps for low-medium complexity applications, Microsoft office documents, SQL or in-house developed applications, and out-of-the-box applications.
APPLICATION CONTROLS AUDIT WORK PROGRAM:

SAMPLE 1

PROJECT TEAM: (LIST MEMBERS)

Project Timing | Date | Comments
Planning | |
Fieldwork | |
Report Issuance (Local) | |
Report Issuance (Worldwide) | |

Five areas should be considered for all financial end-user developed applications. These include:
• Change Control
• Version Control
• Access Control
• Input Control
• Security and Integrity of Data

Furthermore, for high complexity documents, the following items should also be considered:
• Documentation
• Development Life Cycle
• Backups
• Archiving
• Logic Inspection
• Segregation of Duties/Roles and Procedures
• Overall Analytics

Depending on the complexity, one of the following audit programs should be used:

LOW TO MEDIUM COMPLEXITY

Time Task Initial Index

Obtain a copy of the spreadsheet/end-user developed application inventory.

Obtain a copy of the company’s policy regarding end-user-developed applications and spreadsheets used for financial reporting purposes.

Determine the nature of the applications from the inventory.

Source: www.knowledgeleader.com
FOR MICROSOFT OFFICE DOCUMENTS

Time Task Initial Index

Change Controls

Verify that the policy appropriately covers how to prevent unauthorized changes. Examples of appropriate controls are (in descending order of strength):
• The document is stored on a network drive with restricted access, and formulas are reviewed for appropriateness after each use (before journal entries are made).
• The document is stored in a read-only or encrypted format on the network drive, so that only individuals with the password or encryption key can change the document.
• Cells with key formulas are password-protected, and the password is changed periodically.
Note that the last control is the weakest: worksheet and cell protection is applied inside the file and is easily removed by anyone who can open it, so it supports review rather than replacing restricted access or encryption.

Version Controls

Verify that the policy appropriately covers version control. Examples of appropriate controls are:
• An electronic storage method is used to house documentation (e.g., SharePoint) and electronic approval is evidenced.
• Document naming conventions and internal change logs are used to indicate the last revision and effective dates.
• Only the most recent version of the document is maintained on the shared drive, and all users use this version.

Access Controls

Verify that the policy appropriately covers access control (see Change
Control – in well-controlled environments, these controls should be the
same).

Input Controls

Verify that the policy appropriately covers input control (see Change
Control – in well-controlled environments, these controls should be the
same).

Security and Integrity of Data

Verify that the policy appropriately covers the security and integrity of data. An example of an appropriate control is:
• An independent party verifies the data entered in the document against the source documents (e.g., the spreadsheet matches the JDE report).

Review

Review the applications where they reside on the network and verify that
the documents comply with the policies.
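For the review step above, the check a practitioner actually wants is against the files, not the policy text. The following is an added example (not part of the knowledgeleader.com work program) that reads each workbook's bytes and maps it onto the protection tiers listed under Change Controls. It relies on two facts about the file formats: a password-encrypted .xlsx is an OLE2 compound file (magic D0 CF 11 E0 ...) containing an EncryptedPackage stream, and an unencrypted .xlsx is a ZIP whose worksheet parts record protection as a sheetProtection element. The file names and workbooks below are constructed in memory with only the parts the check needs.

```python
"""Report what protection the workbooks on a share actually carry.

Added example for the review step above (not part of the knowledgeleader.com
work program). The workbooks in SAMPLES are constructed in memory with only
the parts this check needs; they are not files from the original document.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
SS_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"


def classify_workbook(data: bytes) -> str:
    """Map a workbook's bytes onto the policy tiers: encrypted, sheet-protected,
    protected-no-password, partially-protected, unprotected, legacy-ole2, unknown."""
    if data.startswith(OLE2_MAGIC):
        # Compound-file directory entries store stream names as UTF-16LE.
        if "EncryptedPackage".encode("utf-16-le") in data:
            return "encrypted"
        return "legacy-ole2"  # plain .xls; needs its own inspection
    if not data.startswith(ZIP_MAGIC):
        return "unknown"

    protected, no_password, open_sheets = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/worksheets/sheet") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            prot = root.find(SS_NS + "sheetProtection")
            if prot is None or prot.get("sheet") not in ("1", "true"):
                open_sheets.append(name)
            elif "hashValue" in prot.attrib or "password" in prot.attrib:
                protected.append(name)  # modern hashValue/saltValue or legacy 16-bit hash
            else:
                no_password.append(name)  # "protected" but removable with one click
    if open_sheets and (protected or no_password):
        return "partially-protected"
    if no_password:
        return "protected-no-password"
    if protected:
        return "sheet-protected"
    return "unprotected"


def build_xlsx(sheets) -> bytes:
    """Constructed minimal .xlsx: one worksheet part per (protected, password_hash) pair."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, (protected, pw_hash) in enumerate(sheets, 1):
            prot = ""
            if protected:
                attrs = ' sheet="1" objects="1" scenarios="1"'
                if pw_hash:
                    attrs += (f' algorithmName="SHA-512" hashValue="{pw_hash}"'
                              ' saltValue="c2FsdA==" spinCount="100000"')
                prot = f"<sheetProtection{attrs}/>"
            zf.writestr(f"xl/worksheets/sheet{i}.xml",
                        f'<worksheet xmlns="{SS_NS[1:-1]}"><sheetData/>{prot}</worksheet>')
    return buf.getvalue()


# Constructed share contents (not real files); the encrypted one is a header-only stub
SAMPLES = {
    "fx_rates.xlsx": build_xlsx([(True, "aGFzaA=="), (True, "aGFzaA==")]),
    "accruals.xlsx": build_xlsx([(True, "aGFzaA=="), (False, None)]),
    "recon.xlsx": build_xlsx([(True, None)]),
    "draft.xlsx": build_xlsx([(False, None)]),
    "payroll.xlsx": OLE2_MAGIC + b"\0" * 504 + "EncryptedPackage".encode("utf-16-le"),
}


def review_share(files: dict) -> dict:
    """Name -> classification, for comparison against the inventory and policy."""
    return {name: classify_workbook(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, status in review_share(SAMPLES).items():
        print(f"{name:16} {status}")
```

The classification is structural only: a file reported as encrypted still needs its key holders compared with the access policy, and sheet-protected is the weakest tier in the hierarchy above, so a share full of protected-no-password or unprotected workbooks is a finding against the change-control policy regardless of what the inventory says.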

FOR SQL OR OTHER IN-HOUSE DEVELOPED APPLICATIONS

Time Task Initial Index

Change Controls

Verify that the policy appropriately covers how to prevent unauthorized changes. An example of an appropriate control is:
• Changes are made in a nonproduction environment, tested by programmers and users before implementation, requested/approved by appropriate individuals, and appropriately documented. Documentation can include program code notations and change logs.

Version Controls

Verify that the policy appropriately covers version control. An example of an appropriate control is:
• Only the most recent version of the application exists in the production, development and test environments (as applicable).

Access Controls

Verify that the policy appropriately covers access control. Examples of appropriate controls are:
• Only authorized individuals are permitted to request or approve access.
• Access provided is commensurate with job responsibilities.
• Individuals are disabled or removed from the system when they no longer require access (transfers and terminations).
• Access is based upon roles established in the operating system/network.

Input Controls

Verify that the policy appropriately covers input control. Examples of appropriate controls are:
• An independent party verifies inputs against source documents.
• Inputs are received directly from another system (file transfers or table lookups).
• An independent party reviews monitoring reports and verifies check figures against independent information.

Security and Integrity of Data

Verify that the policy appropriately covers the security and integrity of
data (see Access and Input Control above).

Review

Review the applications where they reside on the network and verify that
they comply with the policies.

FOR OUT-OF-THE-BOX APPLICATIONS:

Time Task Initial Index

Change Controls

Verify that the policy appropriately covers how to prevent unauthorized changes. An example of an appropriate control is:
• The application is in an “out-of-the-box” state and no changes to the program code have been made.

Version Controls

Verify that the policy appropriately covers version control. An example of an appropriate control is:
• Only the most recent version of the application exists in the production environment.

Access Controls

Verify that the policy appropriately covers access control. Examples of appropriate controls are:
• Only authorized individuals are permitted to request or approve access.
• Access provided is commensurate with job responsibilities.
• Individuals are disabled or removed from the system when they no longer require access (transfers and terminations).
• Access is based upon roles established in the operating system/network.
• A formal process exists for the request, approval, change and removal of access, and the process is followed.

Input Controls

Verify that the policy appropriately covers input control. Examples of appropriate controls are:
• An independent party verifies inputs against source documents.
• Inputs are received directly from another system (file transfers or table lookups).
• An independent party reviews monitoring reports and verifies check figures against independent information.

Security and Integrity of Data

Verify that the policy appropriately covers the security and integrity of
data (see Access and Input Control above).

Review

Review the applications where they reside on the network and verify that
they comply with the policies.

APPLICATION CONTROLS AUDIT WORK PROGRAM:
SAMPLE 2

This sample work program covers various application controls necessary to support the business, focusing
primarily on access and change controls.

Time Project Work Step Initial WP Ref.

Change Control

Verify that the policy appropriately covers how to prevent unauthorized changes. Appropriate controls are:
• All changes are presented to the change control committee every week for authorization.

Verify that the policy requires significant application changes (e.g., upgrades) to be appropriately tested, including unit, system, user-acceptance, integration and stress testing where appropriate. Appropriate controls are:
• Formal test scripts are utilized by business users to test the system before migrating changes to the production environment.
• The change owner determines the level of testing and documentation required for each change.

Verify that the policy requires significant report changes and new reports to be appropriately tested by the requester. An appropriate control is:
• Users test significant changes to existing reports, and newly created significant reports, through re-performance on completion, and respond either with required changes or with authorization that no changes are necessary.

Verify that a nonproduction environment exists so that testing may be performed without impacting the production environment. An appropriate control is:
• A separate testing database is utilized to segregate development and testing from production processing.

Verify that changes are tracked from request through completion. An appropriate control is:
• Change requests are submitted to IT using the application change request form. Changes are tracked using the XYZ application, which enables online authorization of change requests and captures information such as status, dates and results of the change.

Access Controls

Verify that the policies and procedures appropriately cover access control. Appropriate controls are:
• Only authorized individuals are permitted to request or approve access.
• Access provided is commensurate with job responsibilities.


• Individuals are disabled or removed from the system when they no longer require access (transfers and terminations).
• A formal process exists for the request, approval, change and removal of access and the process is followed.
• Adequate password parameters are enforced by the system.
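The access-control lists in Sample 1 (SQL/in-house and out-of-the-box applications) and in Sample 2 above name the same controls, and the test an auditor runs for all of them is the same reconciliation: the application's user export against the HR roster and the role matrix the business approved. The following is an added example of that test (not part of the work program); the user export, HR roster, role names, entitlement matrix and segregation-of-duties rule are all constructed for the example and are not data from the original document.

```python
"""Access-control test: reconcile an application's user export with HR and role data.

Added example for the access-control steps above; not part of the work program.
It reports leavers still enabled, roles beyond those approved for the job title,
segregation-of-duties conflicts, accounts with no HR record, and access with no
recorded approval. All data and names below are constructed for the example.
"""
import csv
import io
from datetime import date

# Constructed application user export (roles separated by ';')
APP_USERS = """user,status,roles,approved_by
alice,enabled,ap_clerk,jsmith
bob,enabled,ap_clerk;ap_approver,
carol,enabled,gl_admin,jsmith
dave,disabled,ap_clerk,jsmith
erin,enabled,ap_clerk,jsmith
frank,enabled,ap_clerk,jsmith
"""

# Constructed HR roster as of the review date
HR_ROSTER = """user,job_title,status,termination_date
alice,AP Clerk,active,
bob,AP Clerk,active,
carol,Payroll Specialist,terminated,2024-03-31
dave,AP Clerk,terminated,2024-01-15
erin,AP Supervisor,active,
"""

# Job title -> roles the business approved for it (constructed entitlement matrix)
ROLE_MATRIX = {
    "AP Clerk": {"ap_clerk"},
    "AP Supervisor": {"ap_clerk", "ap_approver"},
    "Payroll Specialist": {"payroll"},
}
# Role combinations one person must not hold together (constructed SoD rule)
SOD_CONFLICTS = [({"ap_clerk", "ap_approver"}, "enter and approve AP invoices")]


def review_access(app_csv: str, hr_csv: str, matrix: dict, sod_rules, as_of: date):
    """Return (user, finding) tuples for every enabled account that breaches a control."""
    users = list(csv.DictReader(io.StringIO(app_csv)))
    hr = {r["user"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for rec in users:
        u = rec["user"]
        if rec["status"] != "enabled":
            continue  # a disabled leaver is the control working, not a finding
        roles = {r for r in rec["roles"].split(";") if r}
        if not rec["approved_by"]:
            findings.append((u, "no recorded access approval"))
        for pair, what in sod_rules:
            if pair <= roles:
                findings.append((u, f"SoD conflict: can {what}"))
        h = hr.get(u)
        if h is None:
            findings.append((u, "no HR record (orphan or shared account)"))
            continue
        if h["status"] == "terminated":
            gap = (as_of - date.fromisoformat(h["termination_date"])).days
            findings.append((u, f"terminated {gap} days before review, still enabled"))
        excess = roles - matrix.get(h["job_title"], set())
        if excess:
            findings.append((u, f"roles beyond '{h['job_title']}': {sorted(excess)}"))
    return findings


def run_sample():
    """Run the review over the constructed data with a fixed review date."""
    return review_access(APP_USERS, HR_ROSTER, ROLE_MATRIX, SOD_CONFLICTS, date(2024, 6, 30))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:8} {finding}")
```

The three inputs are deliberately independent: the user export comes from the application owner, the roster from HR, and the role matrix from the process owner, so no single party can make the review pass by editing one file. The days-since-termination figure is what turns a leaver finding into a measure of how long the deprovisioning control was failing.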

Input Controls

Verify that the application is appropriately configured to include input controls where possible. Examples of appropriate controls are:
• The application validates key inputs against cross-reference tables and/or provides lists with which to select valid values.
• The application utilizes control totals to minimize errors during batch processing.
• The application has built-in error checks to detect formatting, value and balancing errors (e.g., debits = credits).
• Inputs are received directly from another system (file transfers or table lookups), reducing the need for manual re-entry.
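The configured input controls listed above are concrete enough to show in code. The following is an added example (not part of the work program) that applies each of them to a constructed journal-entry batch: key fields are validated against cross-reference tables, the submitter's control totals (record count and hash total of amounts) are recomputed and compared, each amount is format- and value-checked, and the batch is balanced (debits = credits). All failures are collected so the batch is rejected with a complete list rather than on the first bad line. The account codes, cost centres, file layout and header fields are assumptions for the example.

```python
"""Automated input controls over a journal-entry batch.

Added example for the configured input controls above; not part of the work
program. The chart of accounts, cost centres, batch layout and both batches are
constructed for the example.
"""
import csv
import io
from decimal import Decimal, InvalidOperation

# Constructed cross-reference tables
VALID_ACCOUNTS = {"1000", "2000", "4000", "6100"}
VALID_COST_CENTRES = {"CC10", "CC20"}
CENTS = Decimal("0.01")


def parse_amount(text: str):
    """Accept a non-negative amount with at most two decimals; return None otherwise."""
    try:
        amt = Decimal(text)
    except InvalidOperation:
        return None
    if amt < 0 or amt != amt.quantize(CENTS):
        return None
    return amt


def validate_batch(header: dict, lines_csv: str):
    """Return a list of (line_no, code, message); an empty list means the batch may post."""
    errors = []
    debits = credits = hash_total = Decimal("0")
    count = 0
    for row in csv.DictReader(io.StringIO(lines_csv)):
        count += 1
        n = row["line"]
        # Cross-reference validation of key fields
        if row["account"] not in VALID_ACCOUNTS:
            errors.append((n, "XREF", f"account {row['account']} not in chart of accounts"))
        if row["cost_centre"] not in VALID_COST_CENTRES:
            errors.append((n, "XREF", f"cost centre {row['cost_centre']} unknown"))
        # Format checks on amounts
        dr, cr = parse_amount(row["debit"]), parse_amount(row["credit"])
        if dr is None:
            errors.append((n, "FORMAT", f"bad debit amount {row['debit']!r}"))
        if cr is None:
            errors.append((n, "FORMAT", f"bad credit amount {row['credit']!r}"))
        if dr is None or cr is None:
            continue  # cannot total an unparsable line; the hash total will also fail
        # Value check: a line carries exactly one side
        if (dr > 0) == (cr > 0):
            errors.append((n, "VALUE", "line must carry exactly one of debit or credit"))
        debits += dr
        credits += cr
        hash_total += dr + cr
    # Batch-level controls: the submitter's totals must match what was actually read
    if count != header["record_count"]:
        errors.append((None, "COUNT", f"header says {header['record_count']} records, file has {count}"))
    if hash_total != header["hash_total"]:
        errors.append((None, "HASH", f"header hash total {header['hash_total']}, computed {hash_total}"))
    if debits != credits:
        errors.append((None, "BALANCE", f"debits {debits} != credits {credits}"))
    return errors


# Constructed batches: the header carries the totals the submitter computed
CLEAN_HEADER = {"record_count": 4, "hash_total": Decimal("7500.00")}
CLEAN_LINES = """line,account,cost_centre,debit,credit
1,1000,CC10,2500.00,0.00
2,4000,CC10,0.00,2500.00
3,6100,CC20,1250.00,0.00
4,2000,CC20,0.00,1250.00
"""

DIRTY_HEADER = {"record_count": 5, "hash_total": Decimal("7500.00")}
DIRTY_LINES = """line,account,cost_centre,debit,credit
1,1000,CC10,2500.00,0.00
2,4000,CC10,0.00,2500.00
3,6100,CC99,1250.00,0.00
4,2000,CC20,0.00,1250.0x
"""

if __name__ == "__main__":
    print("clean:", validate_batch(CLEAN_HEADER, CLEAN_LINES))
    for err in validate_batch(DIRTY_HEADER, DIRTY_LINES):
        print("dirty:", err)
```

The control totals come from the submitter, not from the file being checked, which is what makes them a control: a truncated transfer or an edited line changes the recomputed count or hash total and the batch is held before it reaches the ledger. Amounts are handled as Decimal rather than float so that the balancing check compares exact cents.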

Verify that manual input controls are in place and followed. Examples of
appropriate controls are:
• An independent party verifies inputs against source documents.
• An independent party reviews monitoring reports and verifies check
figures against independent information.

Application Management

Verify that appropriate controls exist to detect performance, capacity and availability problems. Appropriate controls are:
• Performance, capacity and availability are monitored, and an independent party reviews the monitoring reports and follows up on exceptions.
• Incidents and availability problems are logged and tracked to resolution.

Determine if key functional users have issues or problems regarding application availability, integrity or performance:
• Identify what actions were taken to correct any problems/incidents.
• Identify any recurring or persistent problems with the application that have gone unresolved.
