Appropriateness of Control Tests:
Testing is an endless process, i.e. the auditor cannot say with certainty that all aspects of a particular system have been tested. However, to conclude on the operating effectiveness of the IS controls, the auditor can perform the best available audit procedures to obtain sufficient and appropriate evidence to support his/her conclusions. For example:
• Personal observation and testing of the operation of controls: e.g. the auditor can personally verify the password controls by using combinations of passwords to test their effectiveness.
• Review of controls’ documentation: to understand the design and applicability of controls.
• Inspection and verification of approval processes to check that management is performing appropriate checks.
• Analysis of system configuration, i.e. checking configuration settings of components and access control lists.
• Review of data and processing outputs: this provides evidence that system processing is accurate.
• Use of CAAT to test application processing accuracy and efficiency.
• Use of test data with correct and incorrect data values to check that the system accepts the correct data for processing and rejects the incorrect data.
• Interviews with IT users and management to gather information on the operating effectiveness of IT systems.
• Questionnaires can be designed to obtain information from IT users and management on controls’ effectiveness.
Based on the results of the above audit procedures, the auditor should determine whether the controls are operating effectively. If controls are not operating effectively, the reasons for the ineffectiveness should be determined, i.e. whether design weaknesses or operating weaknesses are the cause. For each potential weakness, the auditor can also determine whether there are appropriate compensatory controls or other factors that can mitigate the weakness and help to achieve the audit objectives.
Chapter‐4 Testing General and Automated Controls
The auditor can communicate the findings on the above aspects, with recommendations to achieve the effectiveness of controls.
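The test-data procedure and the design-versus-operating distinction described above, as an added example that is not part of the original text: a constructed test deck is run against a hypothetical payment-entry control, and each exception is classified by comparing the system's behaviour with the documented design. All names, limits and records are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Case:
    name: str
    record: dict
    should_accept: bool  # outcome required by the control objective

# Constructed test deck: correct and incorrect values for a hypothetical
# payment-entry screen. V9999 is assumed to be absent from the vendor master.
TEST_DECK = [
    Case("valid payment", {"amount": "250.00", "vendor": "V1001"}, True),
    Case("negative amount", {"amount": "-10.00", "vendor": "V1001"}, False),
    Case("non-numeric amount", {"amount": "abc", "vendor": "V1001"}, False),
    Case("above approval limit", {"amount": "90000.00", "vendor": "V1001"}, False),
    Case("unknown vendor", {"amount": "100.00", "vendor": "V9999"}, False),
]
LIMIT = 50000.0  # hypothetical approval limit

def documented_control(rec):
    """Control as written in the (hypothetical) design documentation."""
    try:
        amount = float(rec["amount"])
    except ValueError:
        return False
    return 0 < amount <= LIMIT  # the design has no vendor check

def implemented_control(rec):
    """Stand-in for the system under audit: what it actually does."""
    try:
        amount = float(rec["amount"])
    except ValueError:
        return False
    return amount <= LIMIT  # lower bound missing in the implementation

def evaluate(deck, design, system):
    """Return (case name, weakness type) for every test-data exception."""
    findings = []
    for case in deck:
        if system(case.record) == case.should_accept:
            continue  # control behaved as the objective requires
        # The design would have got it right: the control is not operating
        # as designed. Otherwise the design itself does not meet the objective.
        designed_ok = design(case.record) == case.should_accept
        findings.append((case.name, "operating weakness" if designed_ok else "design weakness"))
    return findings

if __name__ == "__main__":
    for name, kind in evaluate(TEST_DECK, documented_control, implemented_control):
        print(f"{name}: {kind}")
```

Each finding is then a candidate for the compensating-control assessment, for example a vendor-master check performed at a later approval step.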