ors. The IS auditors can review these procedure documents to test existence and effectiveness
of these controls. The IS auditor should regularly review user access rights which have
been allocated to users on the application system. This will give the IS auditor sufficient
information on input authorisation activities.
The IS auditor can go further by reviewing the authorisation documentation which
was used to grant input authorisation. Authorisations could have been done manually or
on the system. Activity or audit logs normally record the creation of user accounts and the
allocation of user rights, which IS auditors can use to review input authorisation processes.
e) How is segregation of duties implemented?
Segregation of duties allows users to perform specific functions on the system. The roles
are determined by job descriptions or job roles. In some cases, users are granted extra duties
in addition to their everyday job roles. Access rights are also applied to groups, which
consist of users with similar job roles.
The IS auditor can review segregation of duties by comparing allocated user rights with job
descriptions. User rights can be found on the application system or in offline documentation.
Job descriptions are usually available from the human resources department or line managers.
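One way to automate the comparison described above, as an added example that is not from the original text. The role baseline, group names, rights, conflict pairs and user export are all constructed for illustration; in practice they would come from job descriptions and an export of the application system's access rights.

```python
# Added example: every name and value below is constructed for illustration.
ROLE_BASELINE = {  # rights each job role should hold, taken from job descriptions
    "ap_clerk": {"invoice.capture"},
    "ap_supervisor": {"invoice.approve"},
    "treasury_officer": {"payment.release"},
}
GROUP_RIGHTS = {  # rights granted through application groups
    "grp_capture": {"invoice.capture"},
    "grp_approve": {"invoice.approve"},
    "grp_pay": {"payment.release"},
}
# Pairs of rights one person should not hold together (assumed conflict matrix)
CONFLICTS = [("invoice.capture", "invoice.approve"),
             ("invoice.approve", "payment.release")]
USERS = [  # constructed export: job role, group membership, directly granted rights
    {"user": "amoyo", "role": "ap_clerk", "groups": ["grp_capture"], "direct": []},
    {"user": "bdube", "role": "ap_clerk", "groups": ["grp_capture"],
     "direct": ["invoice.approve"]},
    {"user": "cnkosi", "role": "ap_supervisor",
     "groups": ["grp_approve", "grp_pay"], "direct": []},
    {"user": "dzulu", "role": "contractor", "groups": ["grp_capture"], "direct": []},
]

def effective_rights(user):
    """Union of directly granted rights and rights inherited from groups."""
    rights = set(user["direct"])
    for group in user["groups"]:
        rights |= GROUP_RIGHTS.get(group, set())
    return rights

def review(users):
    """Return (user, finding, detail) tuples for the auditor to follow up."""
    findings = []
    for u in users:
        rights = effective_rights(u)
        baseline = ROLE_BASELINE.get(u["role"])
        if baseline is None:  # no job description to compare against
            findings.append((u["user"], "no_baseline", u["role"]))
            continue
        for right in sorted(rights - baseline):  # extra duties: check authorisation
            findings.append((u["user"], "excess_right", right))
        for a, b in CONFLICTS:
            if a in rights and b in rights:
                findings.append((u["user"], "sod_conflict", f"{a}+{b}"))
    return findings

if __name__ == "__main__":
    for finding in review(USERS):
        print(*finding, sep="\t")
```

An excess right is not automatically a control failure, since users may be granted extra duties; each finding is a prompt to locate the authorisation record for it.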
f) How does the system handle input errors?
Application systems generate error reports after a batch has been captured and submitted.
In other application systems, error messages are displayed on-screen once an input form
is submitted. The system highlights all fields with errors. Users can then make changes to
the input data and resubmit the form. There are many other ways in which input errors are
handled, and this varies from one application system to the other.
It is recommended that IS auditors conduct walk-throughs to test whether error-handling controls
are effective. Walk-throughs would include inputting test data and reviewing the results.
Enterprises also maintain error-handling procedure documents which IS auditors can
use when reviewing implementation of error-handling procedures.
g) What controls does the application system have for data captured using website
input forms?
Systems which are available on public networks such as the Internet face a lot of risks
from hackers and other unauthorised users. Enterprises should take extra care to ensure that
such systems are secure. Most online input forms use web tools and sit on servers which
are not on the internal network. Once data is submitted, it is temporarily stored on servers
which are not on the internal network. Captured data is validated, including checking
authorised data sources with valid accounts; the data is then sent to the main servers for
processing. Other systems handle online input data differently using more complex proced-