The Application Controls provide assurance over critical business applications to
ensure the proper authorization, completeness, accuracy, and validity of transactions
for business processes supported by each application in scope of the Audit plan.
The InFission Audit plan includes Oracle E-Business Suite for Financial Management,
Hyperion for consolidation and reporting, PeopleSoft for HRMS, and Siebel for CRM.
The InFission Application Audit scope includes four principal areas:
• Access Controls
• Transaction Controls
• Change Controls
• Preventive Controls
Access Controls include controls over segregation of duties, user provisioning, and
the access verification process. For example, an employee may violate an access control
if she/he has access to both create a supplier and approve a payment. The Access Controls
audit includes assessment of the inherent design of application security roles that
enable users to access the application functions as well as the risk of access granted
to the users in each application function, menu, form, and module that support a
business process.
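The two assessments described above (role design versus access actually granted to users) can be separated in a simple segregation-of-duties check. The following is an added example, not code from the original text; the role names, function names, and users are constructed for illustration, and only the conflict rule (create supplier plus approve payment) comes from the text.

```python
# Constructed sample data: hypothetical role and function names, not taken
# from any real application's security model.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_SUPPLIER", "ENTER_INVOICE"},
    "AP_MANAGER": {"APPROVE_PAYMENT"},
    "AP_SUPERUSER": {"CREATE_SUPPLIER", "APPROVE_PAYMENT"},
    "GL_VIEWER": {"VIEW_JOURNAL"},
}
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"AP_SUPERUSER"},
    "dave": {"AP_MANAGER", "GL_VIEWER"},
}
# Conflict rule from the text: create supplier + approve payment.
SOD_RULES = [("CREATE_SUPPLIER", "APPROVE_PAYMENT")]


def role_design_conflicts(role_functions, rules):
    """Roles that alone grant both sides of a rule (inherent design flaw)."""
    return sorted(
        (role, a, b)
        for role, funcs in role_functions.items()
        for a, b in rules
        if a in funcs and b in funcs
    )


def user_conflicts(user_roles, role_functions, rules):
    """Users whose combined roles grant both sides of a rule."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        for a, b in rules:
            via_a = sorted(r for r in roles if a in role_functions.get(r, ()))
            via_b = sorted(r for r in roles if b in role_functions.get(r, ()))
            if via_a and via_b:
                # "design": a single role is enough to cause the conflict.
                # "provisioning": only the combination of roles causes it.
                cause = "design" if set(via_a) & set(via_b) else "provisioning"
                findings.append((user, a, b, via_a, via_b, cause))
    return findings


if __name__ == "__main__":
    for role, a, b in role_design_conflicts(ROLE_FUNCTIONS, SOD_RULES):
        print(f"role {role} grants both {a} and {b}")
    for user, a, b, via_a, via_b, cause in user_conflicts(
            USER_ROLES, ROLE_FUNCTIONS, SOD_RULES):
        print(f"user {user}: {a} via {via_a}, {b} via {via_b} ({cause})")
```

A "design" finding is fixed by splitting the role; a "provisioning" finding is fixed by removing one of the user's role assignments.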
Transaction Controls include controls that monitor the application data for
exceptions and errors, for example, duplicate payments to a supplier. The IT Audit
plan includes the assessment of application controls over entering, correcting, posting,
authorizing, and reversing transactions. Transaction Controls assessment also
includes verification of error-handling for transactions outside the normal course of
business, tolerance levels, and business policies.
Change Controls include controls over the application configuration, such as the
three-way match setting in the Payables application, and master data changes, such as
supplier bank accounts or addresses. Change Controls assessment requires the review of
controls over application setups and master data changes as documented in user and
system documentation for the application in scope. The auditor tests the application
setups by independently reviewing the application or conducting an application setup
walk-through with the application controls owner.
Preventive Controls ensure compliance with business policies in the flow and
accuracy in processing data within the selected application. For example, they prevent
the setup of a supplier, or the processing of a transaction to a supplier, that is on a
Restricted Party Screening list issued by the United States or some other country for
specific foreign entities (individuals, companies, and countries). The Preventive Controls
assessment validates the input into the application to ensure data integrity and
prevent errors. Flow controls check numeric, character, and date fields against a
range of valid value sets to prevent invalid entries. Process controls embed
application-specific logic to prevent process flow control failures.