Application Control Review RCM

Risk Control Matrix: Application Control Review
The matrix columns are: Ctrl #, Process Risk, Control Objective, Control Description, Testing Performed, Recommendation, Control Type, Manual/Auto and Frequency. The last five columns are blank in this template, so the tables below show only the first four.

Project Setup Application Controls

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 1 | Data entered into the application may be inappropriate or inaccurate. | Edit and validation checks are enabled for critical input screens (e.g. formatting, checking against static data). | Key fields within the project setup process (classification, project type, project manager, etc.) are selected via a lookup function or a drop-down selection. |
Accounts Payable Application Controls

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 2 | Purchase of materials/services from unauthorized vendors. | Application parameters are configured to enforce appropriate business rules when necessary. | New vendors must be approved and input by the Accounting Manager. |
| 3 | Journal entries may be posted in the wrong accounting period. | Application parameters are configured to enforce appropriate business rules when necessary. | The application will not allow Accounts Payable records to be posted to a closed period. |
| 4 | Journal entries may be posted in the wrong accounting period. | Application parameters are configured to enforce appropriate business rules when necessary. | The Financial Applications Administrator is the only person who has the ability to open and close periods. |
| 5 | Duplicate payments are made on invoices, resulting in overpayment. | Application parameters are configured to enforce appropriate business rules when necessary. | Vendor IDs and voucher numbers are automatically assigned sequentially by the application. |
| 6 | Data entered into the application may be inappropriate or inaccurate. | Edit and validation checks are enabled for critical input screens (e.g. formatting, checking against static data). | Key fields within the Accounts Payable process (vendor, terms, date) are selected via a lookup function or a drop-down selection. |
| 7 | Journal entries may be posted without the appropriate authorization. | Application parameters are configured to enforce appropriate business rules when necessary. | Posting within the Accounts Payable process is restricted to the Accounts Payable Manager. |
| 8 | Journal entries may be posted to a closed project. | Application parameters are configured to enforce appropriate business rules when necessary. | The application will not allow Accounts Payable records to be posted to a closed project. |
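The Accounts Payable controls above, modelled in code as an added example that is not part of the RCM or of any application it describes: the role names, the closed period and project, and the sample vendor are assumptions. The review function attempts each prohibited action and reports whether the application rejected it, which is the kind of result the blank Testing Performed column would record.

```python
# Added example, not part of the RCM: a minimal model of the Accounts Payable controls in rows 2-5, 7 and 8,
# with a review routine that tries each prohibited action. Roles, closed states and sample values are constructed.
from datetime import date
FIN_APP_ADMIN = "Financial Applications Administrator"  # row 4
ACCOUNTING_MANAGER = "Accounting Manager"               # row 2
AP_MANAGER = "Accounts Payable Manager"                 # row 7

class APLedger:
    def __init__(self, closed_periods=(), closed_projects=()):
        self.closed_periods, self.closed_projects = set(closed_periods), set(closed_projects)
        self.vendors, self.next_vendor, self.next_voucher = {}, 1, 1  # ids are app-assigned (row 5)

    def close_period(self, period: str, role: str) -> None:
        if role != FIN_APP_ADMIN:  # row 4: only the administrator opens or closes periods
            raise PermissionError("period close restricted to the Financial Applications Administrator")
        self.closed_periods.add(period)  # period given as "YYYY-MM"

    def add_vendor(self, name: str, role: str) -> int:
        if role != ACCOUNTING_MANAGER:  # row 2: new vendors are approved and input by the Accounting Manager
            raise PermissionError("vendor setup restricted to the Accounting Manager")
        vendor_id, self.next_vendor = self.next_vendor, self.next_vendor + 1  # row 5: sequential
        self.vendors[vendor_id] = name
        return vendor_id

    def post(self, vendor_id: int, project: str, when: date, role: str) -> int:
        if role != AP_MANAGER:  # row 7: posting restricted to the Accounts Payable Manager
            raise PermissionError("posting restricted to the Accounts Payable Manager")
        if vendor_id not in self.vendors:  # row 2: no purchases from unapproved vendors
            raise ValueError("vendor is not an approved vendor")
        if when.strftime("%Y-%m") in self.closed_periods:  # row 3: no posting to a closed period
            raise ValueError("accounting period is closed")
        if project in self.closed_projects:  # row 8: no posting to a closed project
            raise ValueError("project is closed")
        voucher_no, self.next_voucher = self.next_voucher, self.next_voucher + 1  # row 5
        return voucher_no

def rejected(action) -> bool:  # True when the application refused the action, i.e. the control operated
    try:
        action()
    except (PermissionError, ValueError):
        return True
    return False

def review_ap_controls() -> dict:
    ledger = APLedger(closed_periods={"2011-11"}, closed_projects={"PRJ-CLOSED"})
    vid = ledger.add_vendor("Constructed Supplies Ltd", role=ACCOUNTING_MANAGER)
    ok = dict(vendor_id=vid, project="PRJ-1", when=date(2011, 12, 1), role=AP_MANAGER)
    return {
        "row2_unapproved_vendor": rejected(lambda: ledger.post(**{**ok, "vendor_id": 999})),
        "row3_closed_period": rejected(lambda: ledger.post(**{**ok, "when": date(2011, 11, 30)})),
        "row4_close_by_ap_manager": rejected(lambda: ledger.close_period("2011-12", role=AP_MANAGER)),
        "row7_post_by_clerk": rejected(lambda: ledger.post(**{**ok, "role": "AP Clerk"})),
        "row8_closed_project": rejected(lambda: ledger.post(**{**ok, "project": "PRJ-CLOSED"})),
        "row5_sequential_vouchers": [ledger.post(**ok), ledger.post(**ok)] == [1, 2],
    }
```

A False value in the returned dictionary is a finding: the application accepted an action the matrix says it must block.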

Accounts Receivable (Billing / Receipts / Revenue) Application Controls

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 9 | Journal entries may be posted in the wrong accounting period. | Application parameters are configured to enforce appropriate business rules when necessary. | The application does not allow Accounts Receivable records to be posted to a closed period. |
| 10 | Duplicate invoice numbers and cash receipt numbers result in the misappropriation of cash receipts. | Application parameters are configured to enforce appropriate business rules when necessary. | Invoice numbers and cash receipt numbers are automatically assigned sequentially by the application. |
| 11 | Data entered into the application may be inappropriate or inaccurate. | Key information is reviewed to ensure that all data was properly entered within the application. | A review is performed by the Senior Accountant to validate that the project was set up accurately within the application. |
| 12 | Data entered into the application may be inappropriate or inaccurate. | Edit and validation checks are enabled for critical input screens (e.g. formatting, checking against static data). | Key fields within the Accounts Receivable process (customer, terms, date) are selected via a lookup function or a drop-down selection. |

Source: www.knowledgeleader.com
Payroll Application Controls

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 13 | Data interfaces and reports are not properly reviewed, resulting in the loss of key application data. | Key interfaces and reports are reviewed on a periodic basis to ensure all data was transferred completely and accurately. | The Employee Synchronization Report is reviewed on a daily basis by the Payroll Manager to monitor changes made within ABC, which subsequently uploads to the application and Time & Expense systems. |
| 14 | Data interfaces and reports are not properly reviewed, resulting in the loss of key application data. | Key interfaces and reports are reviewed on a periodic basis to ensure all data was transferred completely and accurately. | The Employee Class and Work Schedule Exception Report is reviewed as needed by the Payroll Manager. The report is received when there is an issue with one or more employees' work schedules and timesheets (a record has been entered in HR's ABC system and the sync process has not uploaded it to the application and Time & Expense systems). |
| 15 | Data entered into the application may be inappropriate or inaccurate. | Application parameters are configured to enforce appropriate business rules when necessary. | The Time and Expense application will not allow an individual to enter more hours than the maximum percentage allowed that was originally set up within ABC. |
International Accounting Application Controls

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 16 | Journal entries may be posted in the wrong accounting period. | Application parameters are configured to enforce appropriate business rules when necessary. | The application's Journal Entry Pre-Processor will not allow an input file to be uploaded to a closed period. |
| 17 | Data interfaces and reports are not properly reviewed, resulting in the loss of key application data. | Key interfaces and reports are reviewed on a periodic basis to ensure all data was transferred completely and accurately. | The application automatically generates an error/warning report when an input file is uploaded to the system. This report is reviewed for any corrections that need to be made. |
General Computing Controls: Security Administration

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 18 | User roles, groups and permissions may be designed inappropriately, resulting in inappropriate access to data. | System administration capability (e.g. add/remove access, change configuration) is limited to appropriate personnel. | Administrators within the application are limited to appropriate personnel. |
| 19 | Unauthorized users may gain access to application data. | User access requests must be documented and approved by an authorized individual. | To gain access to the application, a user's manager/supervisor must e-mail the application administrator and request the type of access required. |
| 20 | Unauthorized users may gain access to application data. | User access is changed or removed in a timely manner upon transfer or termination. | The administrator is informed of all EDC terminations by e-mail. When a termination e-mail is received for a user with access, the account is either immediately disabled or the employee's last day is entered in the application so that access is removed on that day. |
| 21 | User roles, groups and permissions may be designed inappropriately, resulting in inappropriate access to data. | Unique user IDs are issued and (non-default) passwords are required for authentication. | All user accounts within the application are assigned a unique ID. |
| 22 | Unauthorized users may gain access to application data. | System-enforced password policies are implemented (e.g. minimum length, expiry). | The application is configured with the following password parameters: X character minimum; last X passwords remembered; account lockout after X invalid attempts; password expiry. |
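A reviewer-side test for rows 19, 20 and 22 above, added here as an example that is not part of the RCM: it reconciles a constructed application user export against a constructed HR termination list and checks that each password parameter row 22 names is actually configured. The field names, user records, dates and parameter names are all assumptions.

```python
# Added example, not part of the RCM: reviewer-side tests for Security Administration rows 19,
# 20 and 22, run over a constructed user export, HR termination list and password-parameter
# export. Field names and every sample record are assumptions made for this example.
from datetime import date

REVIEW_DATE = date(2011, 12, 19)

# Constructed application user export; request_email is the manager's access request (row 19).
USERS = [
    {"user_id": "jdoe",   "enabled": True,  "access_end": None,              "request_email": "req-101"},
    {"user_id": "asmith", "enabled": True,  "access_end": date(2011, 12, 31), "request_email": "req-102"},
    {"user_id": "bwong",  "enabled": False, "access_end": date(2011, 11, 4),  "request_email": "req-103"},
    {"user_id": "tmp01",  "enabled": True,  "access_end": None,              "request_email": None},
    {"user_id": "clee",   "enabled": True,  "access_end": None,              "request_email": "req-104"},
]
# Constructed HR termination notices e-mailed to the administrator (row 20): user -> last day.
TERMINATIONS = {"asmith": date(2011, 12, 31), "bwong": date(2011, 11, 4), "clee": date(2011, 12, 1)}
# Constructed password-parameter export; row 22 lists these four parameters with "X" values.
PASSWORD_PARAMS = {"minimum_length": 8, "history_remembered": 5, "lockout_attempts": 0, "expiry_days": 90}


def find_access_exceptions(users, terminations, review_date):
    """Rows 19 and 20. Returns (user_id, finding) tuples in export order."""
    findings = []
    for u in users:
        if u["request_email"] is None:  # row 19: access must be requested by a manager/supervisor
            findings.append((u["user_id"], "no documented access request"))
        last_day = terminations.get(u["user_id"])
        if last_day is None:
            continue
        # Row 20: on receipt of the termination e-mail the account is disabled immediately
        # or given an access-end date no later than the last day.
        removed = (not u["enabled"]) or (u["access_end"] is not None and u["access_end"] <= last_day)
        if review_date > last_day and not removed:
            findings.append((u["user_id"], "still enabled after termination"))
        elif review_date <= last_day and u["enabled"] and u["access_end"] is None:
            findings.append((u["user_id"], "termination received but no access-end date set"))
    return findings


def check_password_parameters(params):
    """Row 22: each listed parameter must be configured with a positive value."""
    required = ("minimum_length", "history_remembered", "lockout_attempts", "expiry_days")
    return [name for name in required if not params.get(name)]
```

In the constructed data, tmp01 has no documented request, clee is still enabled after a termination date that has passed, and the lockout parameter is unset; each of these would be written up in the Recommendation column.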
General Computing Controls: Computer Operations

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 23 | The current version of the application's source code is not maintained, and authorized changes to the source code are not properly restricted to prevent unauthorized changes. | Data backup and retention requirements are defined and communicated by appropriate groups. | The application and application files are backed up via the X application. Backups are performed on a daily incremental and weekly full schedule. The application SQL database is scheduled to run a full backup on a daily basis. |
| 24 | The current version of the application's source code is not maintained, and authorized changes to the source code are not properly restricted to prevent unauthorized changes. | System backup media is stored at a secure offsite facility. | EDC's main data center is co-located in (insert location). Tape backups are rotated to the data center within the (insert location) on a weekly basis. |
| 25 | The current version of the application's source code is not maintained, and authorized changes to the source code are not properly restricted to prevent unauthorized changes. | Backup logs are reviewed on a periodic basis to ensure backups are available when requested. | The backup log is reviewed on a daily basis by the IT department. IT will review and remediate any errors noted in a timely manner. |
| 26 | Backup tapes storing critical data cannot be restored when necessary. | Controls provide reasonable assurance that system data is regularly backed up, and that archived data is available for restoration in the event of processing errors and/or unexpected interruptions. | The application's backups are restored on a periodic basis. |
General Computing Controls: Change Management

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 27 | Changes to the application could negatively impact the existence, accuracy and completeness of data within the application. | Application changes are authorized before being moved to production. | Changes to the application are approved prior to their release into production. |
| 28 | Changes to the application could negatively impact the existence, accuracy and completeness of data within the application. | Changes are tested prior to their release into production. | Changes to the application go through user acceptance testing (UAT) prior to their release into production. |
| 29 | System changes are developed and tested in an environment separate from the live environment to prevent changes from adversely affecting the environment. | A separate environment exists for the testing of application changes. | Separate test and production environments exist for the application. All changes are tested within the test environment prior to their release into production. |
General Computing Controls: Key Reports

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 30 | Unauthorized individuals may gain access to key reports. | The ability to access key reports within the application is limited to appropriate personnel. | Access to key application reports is restricted to appropriate personnel. |
| 31 | System changes are developed and tested in an environment separate from the live environment to prevent changes from adversely affecting the environment. | Application reports are functioning properly prior to being implemented into production. | New application reports are tested prior to their release into production. |
| 32 | Changes to the application could negatively impact the existence, accuracy and completeness of data within the application. | The application's reports are appropriately authorized prior to being implemented into production. | New application reports are approved prior to their release into production. |
General Computing Controls: Database Controls

| Ctrl # | Process Risk | Control Objective | Control Description |
|---|---|---|---|
| 33 | Unauthorized individuals may gain access to the SQL DB. | System Administrators within the SQL database are limited to appropriate personnel. | Privileged SQL DB accounts within the application, including the System Administrator account, are limited to appropriate personnel. |

Posted: 12/19/2011