Information Technology Reference
In-Depth Information
grammed to calculate commission, the results of processing will always be wrong. It is the
responsibility of the IS auditor to ensure that configurations, scripts, and other program-
ming functions are checked for errors through regular audits.
Auditors would confirm that processed data is correct by comparing input data and output
information using analytical tools such as Excel, ACL, IDEA, or other advanced tools.
b) Does the system produce transaction logs?
Most application systems produce transactions logs which are a record of transactions tak-
ing place on the application system. The transaction log would record the date the transac-
tion took place, the amounts involved, the ID of the user, reference code for the transac-
tions, and other relevant information. This information is very useful to both the IS auditor
and the user as it has all the details of the transactions. The transaction log can be used to
track transactions taking place on the system.
If the application does not produce transaction logs the IS auditor should take note and re-
port to management. The IS auditor should request for a copy of a transaction log from IT
department or system owner for review.
It would be useful for the IS auditor to take a sample of data in the transactions log and test
it for errors or unauthorised activities.
c) How is access to data on databases achieved?
Access to the database is through a user account which was created by the database admin-
istrator. In some applications, the user account on the application system is mapped to the
database account or group account and uses permissions defined on the database when ac-
cessing data. Where user accounts on the application system are mapped to group accounts
on the database, the IS auditor will be required to review the account mapping in order to
make sure the mapping was done correctly.
The IS auditor can review access rights on the database to determine what type of rights
have been allocated to user and group accounts. The IS auditor may be requested to audit
user accounts or group activities on the database.
d) How does the system process commissions for sales consultants?
The application system would use a commission business process to compute commissions
for the sales consultants. In the application system, an automated process for paying com-
missions can be used to process commissions. When the commission process is selected
from the menu and input variables identified, commissions are processed and a report is
produced showing all commissions to be paid to the consultants. The variables would have
been captured into the system such as sales amounts, commission rates, and product type.
The application would use this information to calculate commissions. The application sys-
Search WWH ::
Custom Search