System Development and Program Change Controls

					         Audit Program Area

                                       AUDIT PROCEDURES                                        Ref.


         DETAILED AUDIT TESTING STEPS
         STANDARD AUDIT PROGRAM

A.       Report
         Objective: to report and discuss audit results.
     1   Prepare a section index.
     2   Prepare a section conclusion related to the objective.
     3   Prepare a report outline including management point #s & review with audit director
         prior to drafting report.
     4   Prepare a draft audit report including transmittal to management with scheduling of
         closing conference and incorporating sections previously prepared. X-reference the
         draft to workpapers or management point #s.
     5   Edit the draft and make changes.
     6   Prepare a report distribution list and keep updated.
     7   Issue final draft report to management.
     8   Document closing conference.
     9   Make any necessary changes to the draft report and issue revisions to management.

B.       Management's response
         Objective: to obtain, review for adequacy and incorporate management's response
         to the audit report.

     1 Prepare a section index.
     2 Prepare a section conclusion in terms of the objective.
     3 Obtain management's written response to the report.
     4 Review the response, obtain any clarifications necessary and document the
       adequacy of the response.
     5 Incorporate the response into the report, prepare a transmittal letter to the audit
       committee and issue the final report with copies to client management; update report
       distribution list on A-6.

C        Closing
         Objective: to document audit discussion issues, management points, review
         workpapers and other audit closing matters.

     1 Prepare a section index.
     2 Prepare a section conclusion in terms of objective.
     3 Document, on an ongoing basis, a schedule of the discussion issues, numbering
       them sequentially and including a source workpaper x-reference, brief issue
       identification, name and date of discussion with client, and disposition as
       management point, oral discussion or no further action, plus the reason, and adding a
       report reference for management points.
     4 Document discussion issues unresolved after review with client as management
       points numbered sequentially with an x-reference to the source workpaper and
       discussion issue #, descriptive title, criteria, condition, cause, effect and
       recommendation. On an ongoing basis and after review with director, share the
       management points with the client and document the name, date and reaction of the
       client.
     5 After all audit testing, re-evaluate the preliminary overall conclusion (step G-2) on
       internal controls and document the results for identification as a discussion issue,
       management point and reportable comment in the opinion on internal controls of the
       audit report.
     6 On an ongoing basis, submit the workpapers for review and document the review
       notes and responses.
     7 On an ongoing basis, document communications pertaining to the audit or other
       audit related material.
     8 Prepare a listing of any audit leads for other audits or suggestions regarding
       repeating this audit & give an extra copy of these workpapers to the audit director.



D.        Planning and preparation
          Objective: to properly plan and prepare for the audit by notifications, reviewing
          materials and entrance meeting.

      1 Prepare a section index.
      2 Prepare a section conclusion on the section objective.
      3 Document the audit assignment from the Audit Plan or amendments and any other
        assignment materials.
      4 Document notification of the audit to the client.
      5 Document a review of relevant prior Internal Audit workpapers, especially for any
        follow up needed.
      6 Document a review of relevant external audit workpapers and coordinate audit efforts
        to the extent practical.
      7 Research, obtain, document and consider relevant audit work from other
        governments.
      8 Document a review of relevant Internal Audit Office materials to become familiar with
        the area and terminology, to include annual reports, budget documents, publications,
        accounting or auditing books or periodicals, relevant published questionnaires,
        programs or checklists, Office files and related materials.
      9 Document a review of applicable policies, procedures, or regulations from the
        Federal, State and Local Government, company policies and procedures, Manager's
        Memos or other appropriate sources.
     10 Arrange and document an entrance conference with client to discuss the audit
        approach, preliminary objectives, timing of audit and client events, management's
        emphasis and processing of management's points.

E       Program and Budget
        Objective: To develop audit program and budget.
      1 Prepare a section index.
      2 Prepare a section conclusion on the section objective.
    3    At the beginning of the audit, prepare the Standard Audit Program for approval
         through the Control Review phase with a preliminary budget and timelines for audit
         completion. Initial audit program steps as completed.
    4    Based on the results of Planning/preparation, Preliminary Survey and Control
         Review/Evaluation, prepare and obtain approval of detailed testing audit program
         steps to add to the Standard Audit Program starting with Section
    5    Document and obtain approval of any changes to the program.
    6    Before beginning the field work testing phase, prepare and obtain approval of a
         revised budget and target dates for completion of audit work, keeping in mind the
         target Audit Plan and preliminary budget and timing.
    7    Document pay period summaries of actual audit time compared to budget and
         explain significant variations including suggested actions to keep the audit within
         budgeted hours and timelines.

F        Preliminary Survey
         Objective: To perform a preliminary survey by reviewing topics in the audit area to
         determine the most critical issues, processes, and areas resulting in defined audit
         testing objectives and report introduction text.

    1 Prepare a section index.
    2    Prepare a section summary and conclusion on the section objective with specific
         objectives for further audit.
    3    Review and document the relevant organizational structure, list key personnel and
         their titles, document relevant background and job experience of key personnel, and
         position descriptions (highlight information on relevant key duties).
    4    Document additional interviews with key personnel to identify any other relevant
         activities, procedures, functions, responsibilities, information flow, changes planned
         and personnel availability during the audit.
    5    Document any goals, objectives or standards applicable to the area including
         compliance regulations.
    6    Document significant statistics on activity transactions, value, cost, especially data
         for report introduction presentation.
    7    Document review of operating manuals, procedures, instructions, or other written
         materials that guide the operations of the activity.
    8    Clearly identify the audit scope planned and any areas to be excluded (with reasons)
         for the audit report.
    9    Consider the need for a follow up audit objective.
    10   Arrange and document a meeting with appropriate IT personnel, if needed, to
         discuss relevant automated systems.
    11   Draft report text on background, objectives and scope, nature/extent of testing and
         closing.

G        Internal Control
         Objective: To study and evaluate the adequacy of internal controls over activities
         identified for continued auditing.

    1 Prepare a section index.
    2 Determine the overall conclusion and document with a Management Point the
      adequacy and effectiveness of internal controls in the audit area as related to:
        a. The reliability and integrity of financial and operational information and the means
           to process this data.
        b. The sufficiency of compliance with significant plans, policies, procedures, laws
           and regulations.
        c. The adequacy of controls for safeguarding assets (money, people, property,
           information, and reputation).
    3 Document the system of internal controls in the form of a flowchart, questionnaire or
      narrative AND confirm accuracy of understanding of internal control processes by
      consulting management, transaction walk-through or other appropriate means.
    4 Identify and evaluate the strengths and weaknesses in the systems of internal control
      as documented in Step G-3.
    5 Document consideration of reasonably possible irregularities; identify significant risks
      and exposures; and evaluate audit implications for further testing.
    6 Consider, if appropriate, the quality of performance in carrying out assigned
      responsibilities as related to economic and efficient use of resources and
      accomplishment of established objectives and goals.

H       Include a specific audit objective for each section. Initial audit program steps as
        completed.
        DETAIL TESTING STEPS

        Project Team Detail Testing

        Objective: To assess System Development and Program Change processes for
        appropriate management; documentation of team procedures and guidelines; and
        implementation of the procedures and guidelines through sample testing of selected
        projects completed and program changes implemented during test period.
    1   Prepare a section conclusion in terms of the objective.
    2   Discuss with management the methods for assigning projects, ensuring the team is
        following appropriate procedures and guidelines, and keeping the projects on
        schedule.
    3   Obtain and review the team's documented procedures and guidelines for systems
        development and program changes.
    4   Determine that the development / test environments are separated from production
        environment. Obtain access rights to each of the environments.
    5   Determine that appropriate separation of duties is maintained and developers are
        prevented from moving their own development into the production environment.
    6   Determine the percentage of time the team spends on maintenance vs. new
        projects.
    7   Select a sample of projects completed during test period for testing against
        procedures and guidelines identified in Step 3. The test should include the following:
        Request; Recording of Project; Requirements; Design; Security Assessment;
        Testing; Data Migration; Rollback Plans; Move to Production.
Done By | Time Spent | Date Expected | Date Finished | Remarks | Checked By
                             Client Name
                     Internal Control Framework

          Date Completed:
          Completed By:
          Reviewed By:

          Question                                            Yes No* Comment




* For a “No” answer, cross-reference to either a compensating control or to audit work which has been performed
or is to be performed.

Questionnaire
Audit Program


Audit Procedure | Control Objective | Risk if Objective Not Met | Control Technique | Workpaper Reference | Performed By | Date Expected
Date Completed | Budget Hours | Actual Hours | Document Reference | Source | Reviewed By | Remarks/Comments
AREA:



Process | Control Objective | Risk | Control Considerations | Assertion E,A,C,V,P | Description of control | Documentation W/P Ref.
Do controls meet objective? Yes/No | Test W/P Ref | Testing exceptions noted? Yes/No | Resolution / remediation / comments | W/P Ref
       Audit Program Area

Global Ref No | Audit Procedure | Control Objective | Risks | Control Activity Number | Control Description | Key Control? | Frequency
Owner | Exceptions | Type | Document Reference | Mapping to Standards | Finding Ref # | Control Testing | Finding | Management Response & Treatment

				