sess how the policies are being implemented in the enterprise. Policy documents can be
obtained from the IT department or other departments responsible for assurance services.
g) When did the enterprise last perform a risk assessment covering all key application
systems?
Risk assessment enables an enterprise to determine its risk exposure. Enterprises can
identify risks or update their risk profiles by performing risk assessments regularly. Risk
assessments can also be performed when changes are being made to IT systems. IS auditors are
required to apprise themselves of the risk management policies and procedures of the
enterprise so that they can conduct effective application systems audits.
It is important to develop a risk assessment plan that can be used to conduct regular
risk assessments and assessments when new changes are to be implemented. The IS auditor
would be interested in knowing when the last risk assessment was conducted and the
reasons why it was performed. The IS auditor can also review all other relevant
changes in order to determine that risk assessments are performed when changes are
being made.
Evidence of whether risk assessments are regularly performed can be obtained from risk
assessment reports, departmental reports, or management reports and meeting minutes.
Input Controls
Input controls are used to ensure that captured data is accurate, complete, valid, and
consistent. Various types of input controls are used, which are either automated or manual.
Automated controls are embedded in application systems. Input controls are important as
they enable the enterprise to have clean data. Clean data will enable the enterprise to have
accurate reports which can be relied upon and used for decision-making.
IS auditors should conduct input controls audits in order to determine that the design of
the controls is correct and that the controls are effective. Examples of input controls
include input authorisation, data validation checks, input error reporting, batch controls,
and use of transaction logs.
a) Are automated input controls supported by manual methods?
Automated input controls are in some cases supported by manual methods such as the use
of manual source documents. Hard copy receipts and invoices can be used to capture data
 