Develop a data flow diagram to highlight the flow of data in and out of key applications including key transaction data exchanged.  Identify the screen names and function types where the transactions are processed.

INPUT CONTROLS 

Describe the edit and validation controls for critical input transactions.  Review input screens to see that they are designed to prevent the omission of data and the acceptance of invalid data.  Ensure that significant input is verified by an associate other than the person inputting the data.   If the application uses batch processing, determine through test and observation that controls over input (e.g. control totals, reconciliations) are effective. Review controls over interfaces such as feeds and different hops (e.g. where the data is stored in an interim folder before being picked up by the downstream application) between the upstream application and the downstream applications to determine if it is secured from tampering (access permissions is appropriate); SLA/OLA is defined and monitored with the upstream data providers in terms of expectations around delivery time, notification of when changes are required in the upstream application and its impact on the downstream applications.

PROCESSING CONTROLS 

Review system documentation to determine that key computations are fully documented.  Test a sample of key computations using a manual recalculation process.

Determine and document the process to ensure that rejected transactions are corrected and re-entered promptly, and that corrected transactions are subject to the same edit and balancing controls as the original transactions.

Verify that a reconciliation process is performed daily for all interfaces and any outstanding items are aged and resolved timely.  Ensure that the reconciliation activities are adequately separated from input activities.

Determine that rejected items are logged, tracked, aged, and resolved timely.

Review reject items reports to determine that:   a. Reports are produced and distributed to the business user area. b. Reports evidence that they are reviewed daily by appropriate business user staff (e.g., user initials and review date). c. Rejects are resolved accurately and timely (e.g., request  reject follow-up procedures).

OUTPUT CONTROLS

Verify that controls are in place to ensure that output confidentiality is maintained (when necessary).  Obtain a list of reports indicating their frequency, purpose, and the identity of the recipient.

Review reports produced by the application.  Provide an opinion on the adequacy of the reports to satisfy the requirements of management.  These requirements should have been gathered in the Preliminary Audit Steps.

Determine that a review of critical transactions is performed.  This should be performed by someone other than the person who input data from the source documents.

LOGICAL ACCESS CONTROLS

Review the User Security Administrator Procedures to ensure that: a. Procedures are in place for issuing, approving and monitoring application access. b. Application access procedures comply with the policy of “minimum access”. c. User access control reports are periodically reviewed for accuracy and completeness by user management. Look out for instances whereby readonly tag actually provides write and update permissions.

Ensure that User Security Administration procedures are defined for the timely deletion/disabling of user Ids (e.g., hires, terminations, changes in responsibility).

Verify that User Security Administration procedures exist to ensure that unique user Ids are assigned to system users.  In cases where the access control system prevents individual accountability, compensating controls must exist.

Obtain a sample of access request forms for users of the application.  Ensure that the forms evidence proper approvals for the requested access.

Obtain a copy of the system generated user access report that identifies all users and their assigned authority levels and determine that: a. Only current employees have access to the application. b. All users are uniquely identified on the access control report. c. Passwords are not displayed on the report. d. Each user is granted an access level that is commensurate with their job responsibility. e. Management periodically reviews and approves users who have access to the application.  The review should be performed independently of the

Obtain a copy of the current Password Management/Access Control Policy and determine that this application complies with guidelines for:

a. Character components b. Length c. Password change frequency d. Invalid password attempts e. Password storage Obtain a job description for the Application Security Administrator function.  Ensure that the reporting lines and responsibilities for this function do not compromise security policies.

Identify the other responsibilities assigned to data security-related personnel besides security administration.  Evaluate if a separation of duties deficiency may exist.

Determine whether there are designated back-up security administrators.  Ensure that the responsibilities of the back-up security administrators do not cause separation of duties deficiencies.

Obtain copies of the security violation reports and verify that they evidence documented management review.  Verify that questionable activity can be identified and is appropriately addressed.

Determine that a review of the security administrator’s maintenance activity is periodically performed by someone other than the User Security Administrator who performed the maintenance.