New Expectations for Application Control Testing

Risks and controls. When we hear this phrase, we often think of the organization's financial controls or perhaps the IT general controls; however, there is another set of controls that is equally important: application controls.

Application controls are automated controls performed by a specific application or system. For example, an application control might perform a validity check or a completeness check to verify that entered data matches pre-determined criteria. Application controls are often tested by a walkthrough: observing the control in operation by entering data into the system, for each type of transaction and each processing alternative, to verify how the control behaves (including that it rejects or flags the non-conforming input it is supposed to catch). In the past, this testing approach has been sufficient for external auditors to gain comfort that application controls are operating as expected.

Review comments coming from the PCAOB to external auditors are creating the expectation that additional evidence be gathered for both configurable and non-configurable application controls. For non-configurable controls, external auditors are now looking for evidence directly from the application vendor or its developers that the specific item cannot be changed within the system. For example, if the application in question is SAP, the relevant SAP documentation would need to be referenced to show that the specific item or criterion is fixed and cannot be altered. For configurable controls, external auditors are beginning to request evidence of the current configuration setting, who has the ability to change that setting within the system, and when it was last changed; in practice this means a screenshot or report of the setting, the list of users or roles holding the change permission, and the system's configuration change log or audit trail for that setting.

The combined walkthrough and testing approach is still appropriate; however, these additional procedures supporting the configurable or non-configurable nature of each control are also needed in order for some external auditors to gain comfort with application controls.


Navigating the Challenges of Periodic User Access Reviews

Periodic user access reviews are a critical control for ensuring that only authorized users retain access to sensitive systems and data, and that the access they retain still matches their job function. Executing these reviews, however, comes with its fair share of challenges. Here are four of the top challenges that companies face when conducting periodic user access reviews.

  1. Scale and Complexity: As companies grow and their digital landscapes expand, managing user access rights becomes increasingly complex. Organizations often operate multiple systems, applications, and platforms, each with its own set of access controls, role models, and account types. The sheer scale and complexity make it challenging to enumerate every account and entitlement accurately; service accounts, shared accounts, and access granted through group or role nesting are the items most often missed.
  2. Manual Processes and Inefficiency: Many organizations still rely on manual processes to conduct user access reviews, involving spreadsheets, email chains, and manual cross-referencing of system user lists against HR records. These methods are time-consuming, error-prone, and inefficient, and they make it difficult to track and monitor changes in user access from one review cycle to the next. The administrative burden placed on IT teams can be overwhelming, diverting their focus from more strategic initiatives, and inefficiencies in the review process lead to delays, increased costs, and potential security gaps such as terminated users retaining access.
  3. Compliance and Audit Requirements: Organizations must comply with industry-specific regulations and standards that require regular user access reviews and evidence that the reviews were performed, that reviewers actually evaluated each entitlement, and that flagged access was removed. Meeting these requirements can be a complex task, particularly when faced with tight deadlines and limited resources. Companies must stay abreast of evolving regulations and ensure their access review processes align with the latest compliance frameworks. Failure to meet these requirements can lead to legal consequences, reputational damage, and financial loss.
  4. Technology Limitations and Legacy Systems: Legacy systems and outdated technologies pose additional challenges to conducting user access reviews. Older systems may lack granular access control mechanisms, audit logging, or interfaces for exporting user and entitlement data, making it difficult to obtain accurate and comprehensive access data. Integrating these systems with modern identity and access management (IAM) solutions can be a complex endeavor. Striking a balance between maintaining legacy systems and adopting modern IAM solutions is crucial for organizations looking to streamline their periodic user access reviews.

Periodic user access reviews are crucial for ensuring the security and compliance of organizational systems and data. Leveraging skilled advisors can help you overcome these challenges through process improvements and technology.


Preparing for a System Implementation Audit

Whether it's a global ERP system or a small payroll system, almost any system implementation has the potential to interest internal audit and possibly your external auditors as well. You may be wondering which aspects of an implementation your stakeholders will be most interested in when the time comes. The following paragraphs identify some of the most common areas that are reviewed during an implementation audit.

Testing.

Testing is often the area where auditors spend the majority of their time during an implementation review. User acceptance testing, validation testing, and interface testing are the main types of testing that auditors will want to review. Consider whether the testing performed was documented in a way that allows an auditor to follow the testing process and understand whether each test succeeded or failed: the test cases, expected versus actual results, any defects found and how they were resolved, and who approved the results. When it comes to testing, maintaining adequate documentation is often the key.

End-User Access. 

End-user access is another area to consider when performing an implementation. Your auditors will want to gain comfort that the users set up within the new system are only those who require access for their job function, and that the access granted to those users raises no segregation-of-duties concerns. A documented pre-implementation user access review, performed before go-live and showing who was reviewed, by whom, and what was changed as a result, is instrumental in providing your auditors with the comfort they will be looking for regarding end-user access to the new system.
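The manual cross-referencing described under the access review challenges above and the pre-implementation access review described here are, at their core, three set operations: accounts with no active HR owner, users holding conflicting role combinations, and entitlements that changed since the last review. The following script is an added example, not code from the original article or from any particular product; the HR roster, the role export, the previous-cycle snapshot, and the segregation-of-duties rule set are all constructed sample data, and the role names are illustrative assumptions rather than any ERP's real role vocabulary.

```python
"""Cross-reference an application's user/role export against an HR roster and
a segregation-of-duties (SoD) matrix, and diff it against the prior review.

All data below is constructed for illustration; role and rule names are assumed.
"""
from dataclasses import dataclass

# Constructed HR roster: user id -> (employment status, department).
HR_ROSTER = {
    "alice": ("active", "Finance"),
    "bob": ("active", "Finance"),
    "carol": ("terminated", "IT"),
    "dave": ("active", "IT"),
}

# Constructed export of user -> roles from the application for this review cycle.
CURRENT_ACCESS = {
    "alice": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"},
    "bob": {"AP_INVOICE_ENTRY"},
    "carol": {"SYS_ADMIN"},                   # terminated in HR but still provisioned
    "dave": {"SYS_ADMIN", "CHANGE_MIGRATE"},
    "erin": {"GL_POSTING"},                   # no HR record at all
}

# Constructed snapshot retained from the previous review cycle.
PREVIOUS_ACCESS = {
    "alice": {"AP_INVOICE_ENTRY"},
    "bob": {"AP_INVOICE_ENTRY"},
    "carol": {"SYS_ADMIN"},
    "dave": {"SYS_ADMIN"},
}

# Assumed SoD matrix: role pairs one person should not hold at the same time.
SOD_RULES = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}): "enter and release vendor payments",
    frozenset({"SYS_ADMIN", "CHANGE_MIGRATE"}): "develop and migrate program changes",
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "orphan", "terminated", "sod", "added", or "removed"
    detail: str


def find_orphaned_accounts(access, roster):
    """Accounts with no active HR owner: absent from HR, or HR status not active."""
    findings = []
    for user in sorted(access):
        if user not in roster:
            findings.append(Finding(user, "orphan", "no HR record"))
        elif roster[user][0] != "active":
            findings.append(Finding(user, "terminated", f"HR status {roster[user][0]}"))
    return findings


def find_sod_conflicts(access, rules):
    """Users holding every role of a conflicting pair from the SoD matrix."""
    findings = []
    for user in sorted(access):
        for pair, why in rules.items():
            if pair <= access[user]:  # subset test: user holds the whole conflicting pair
                findings.append(Finding(user, "sod", f"{' + '.join(sorted(pair))}: {why}"))
    return findings


def diff_access(previous, current):
    """Role grants added or removed since the last review, per user (new users included)."""
    findings = []
    for user in sorted(set(previous) | set(current)):
        before, after = previous.get(user, set()), current.get(user, set())
        for role in sorted(after - before):
            findings.append(Finding(user, "added", role))
        for role in sorted(before - after):
            findings.append(Finding(user, "removed", role))
    return findings


def run_review(access=CURRENT_ACCESS, roster=HR_ROSTER,
               rules=SOD_RULES, previous=PREVIOUS_ACCESS):
    """Full review: orphan/terminated accounts, SoD conflicts, then changes since last cycle."""
    return (find_orphaned_accounts(access, roster)
            + find_sod_conflicts(access, rules)
            + diff_access(previous, access))


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.kind:10} {f.user:8} {f.detail}")
```

On the constructed data the review flags carol (terminated but still holding SYS_ADMIN), erin (no HR record), alice and dave (SoD conflicts), and three grants added since the previous cycle. Retaining the finding list alongside the reviewer's disposition of each item is exactly the evidence an auditor asks for; the diff against the prior snapshot is what turns a one-off review into the change tracking that spreadsheets and email chains cannot provide.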

Governance and Ongoing Maintenance. 

As you already know, the work doesn't end when the system goes live, and your auditors know this too. It's important to show that consideration has been given to the ongoing processes and procedures that will be in place around such things as granting and removing access to the system, handling program changes or upgrades, and managing any interfaces or batch jobs the system depends on. Ideally, these processes and procedures are formally documented, with owners assigned, by the time the system is fully implemented.

Documentation. 

You've probably heard the phrase, "if it's not documented, it's not done." Often, organizations have very strong system implementation processes and procedures in place; the gaps occur in the documentation and supporting evidence that show those processes were actually followed. Appropriate documentation needs to be retained for each aspect of the system implementation (test results, access reviews, approvals, and go-live decisions) so that support can be provided to auditors, or to anyone else interested in understanding your system implementation process and its outcome.