MIS5205 Fall 2016
Group Assignment Three: Develop Testing Procedures for key Controls identified
- Identify four to five controls you plan to test (preferably primary/key controls)
- Fill-in the following control attributes for each control:
- Control type: Primary/secondary
- Control type II: Preventive/detective/monitoring/deterrent
- Control type III: manual/automated
- Control frequency: daily/weekly/monthly?
- Control group: which group performs the control activity?
- Control evidence: how control can be evidenced?
- For those controls you plan to take samples, explain the following:
- Sample method/approach: random/judgmental
- Sample rationale: for samples that are judgmentally selected, explain the rationale (why and how you select those samples)
- Develop detailed steps to test the control:
- Testing can be performed via:
- Corroborative inquiry
- Observation
- review of documentation
- re-performing
- Steps should be written so that others are able to follow them
- Extra Credit: Based on the testing procedure, develop a document request for each control
Sample Template:
Control Description | Control Attributes | Sample Approach and Sample Rationale | Test Steps | Required Doc. |
Example row (one control per row; the cells read as follows):
- Control Description: [to be filled in]
- Control Attributes:
a. Control type: Primary/secondary
b. Control type II: Preventive/detective/monitoring/deterrent
c. Control type III: manual/automated
d. Control frequency: daily/weekly/monthly?
e. Control group: which group performs the control activity?
f. Control evidence: how control can be evidenced?
- Sample Approach and Sample Rationale: Example: Judgmental sampling. Samples are selected based on severity of the tickets, business units that initiated the tickets, and the time period in which the tickets were initiated.
- Test Steps:
1. Inquiry with Operation supervisor about change management policies and procedures
2. Obtain and review change management policies and procedures
3. Judgmentally select XX tickets categorized as “critical” or “high” for the past 6 months and verify that (a) tickets were assigned to the proper group, (b) tickets were closed per SLA, and (c) changes were properly tested and approved before being promoted to the production environment.
- Required Doc.:
1. Change management policies and procedures
2. A dump of tickets from the XX ticketing system from the past 6 months.
Due Date: EOD 11/02/2016
Email to: Liang.yao@temple.edu Please call me or email me should you have any questions regarding the completion of this assignment BEFORE the due date.
Assignment #3 Takeaways:
Control Descriptions:
- Use a complete sentence to describe the control. Explain who performs what control activity and how frequently; e.g., the Information Security group developed and maintained policies and procedures governing data center physical access. The policies are also reviewed on an annual basis.
- Not perfect examples
- “Two-factor authentication”
- “BCP/DR Plan”
- “Policies and Procedures on Media Management and Backups and Recovery”
- Control description vs. process description
- Understanding the control objectives:
- The goal that control activities are supposed to achieve – C.I.A. (confidentiality, integrity, availability)
Control types:
- Control frequency – Manual controls only
- Daily re-conciliation
- Change requests
- Periodical review, etc.
- For automatic controls – review configurations
- Primary/key controls: the controls management mainly relies on to mitigate the risks.
- Secondary/mitigation/complementary/compensation controls
- By themselves cannot satisfy the control objectives
- Multiple secondary controls working together may mitigate the risk (e.g. logging and effective log review)
- Redundant controls (same function as primary control; costly, only used for mission critical areas)
Sample population and size need to be clearly defined
Sample methodology and sample rationale:
- Automated controls: review the configuration rather than sampling transactions
- Manual controls: estimate the control frequency to size the sample
Testing techniques:
inquiry; observation; sampling; re-performing
Key elements of effective testing:
- Possible, practical and supportable e.g. data/information should be available
- Meaningful evidence to support the conclusion – control activities are either effective or not effective
- Represent adequate coverage (sampling)
- Replicable – can be re-tested
Things to consider while developing testing procedures:
- What’s the control objective
- What will the test prove
- How many controls can satisfy the control objective?
- What information, documents and reports are available for testing?
Therefore, auditors should:
- Be organized when writing test steps
- Always keep the objectives in mind and understand the control
- Be sure all information needed is available and have all facts upfront
Lastly, documentation is equally important
Lead sheet -> purpose; source; date; auditor
Purpose: To verify change procedures are followed. Critical and major changes are requested, reviewed and approved by authorized individuals. In addition, critical and major changes should be tested and accepted by user groups before being deployed into production. Those changes should also have back-out plans.
Source: Change Management Ticketing system
Date: 4/8/2015
Auditor: LY
Testing Procedure:
- Obtain and review change management policies and procedures to verify they are adequately designed based on the corresponding COBIT objectives and industry best practice
- Obtain a list of changes made from 1/1/2015 to 3/31/2015 from the ticketing system (extract directly from the ticketing system’s database)
- Determine the frequency of “critical and major” changes made during the three-month testing period by dividing the total number of “critical and major” changes from the list by TBD
- Based on the frequency, judgmentally select XX samples from the population (Sample rationale: critical and major changes during the three months)
- Review and complete the following attribute sheet:
Change Ticket # | Properly categorized? | Requested by authorized individual? | Reviewed and approved? | Tested and accepted? | Back-out plan? |
Conclusion: Effective/Non-effective and WHY
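The population extraction, attribute sheet and conclusion of the lead sheet above, carried out as a small re-performance script. This is an added example, not part of the assignment handout; the ticket records and the list of authorized requesters are constructed, and the field names are assumptions about what a ticketing-system dump would contain.

```python
from datetime import date

# Constructed ticketing-system extract (not real data); field names are assumed.
TICKETS = [
    {"id": "CHG-1001", "date": date(2015, 1, 12), "category": "critical",
     "requester": "jdoe", "approved_by": "cab", "tested": True, "backout_plan": True},
    {"id": "CHG-1002", "date": date(2015, 2, 3), "category": "major",
     "requester": "guest", "approved_by": "cab", "tested": True, "backout_plan": True},
    {"id": "CHG-1003", "date": date(2015, 2, 20), "category": "major",
     "requester": "asmith", "approved_by": "", "tested": False, "backout_plan": True},
    {"id": "CHG-1004", "date": date(2015, 3, 15), "category": "minor",
     "requester": "asmith", "approved_by": "", "tested": False, "backout_plan": False},
    {"id": "CHG-1005", "date": date(2015, 4, 2), "category": "critical",
     "requester": "jdoe", "approved_by": "cab", "tested": True, "backout_plan": True},
]
AUTHORIZED_REQUESTERS = {"jdoe", "asmith"}   # assumed: individuals allowed to raise changes
PERIOD = (date(2015, 1, 1), date(2015, 3, 31))  # testing period from the lead sheet


def population(tickets, period=PERIOD):
    """Critical and major changes within the testing period (the sample population)."""
    start, end = period
    return [t for t in tickets
            if start <= t["date"] <= end and t["category"] in ("critical", "major")]


def attribute_sheet(ticket):
    """One row of the attribute sheet for a sampled ticket; each value is pass/fail."""
    return {
        "ticket": ticket["id"],
        "properly_categorized": ticket["category"] in ("critical", "major"),
        "authorized_requester": ticket["requester"] in AUTHORIZED_REQUESTERS,
        "reviewed_and_approved": bool(ticket["approved_by"]),
        "tested_and_accepted": ticket["tested"],
        "backout_plan": ticket["backout_plan"],
    }


def conclude(rows):
    """Effective only if every attribute passes for every sampled ticket; otherwise
    Non-effective, together with the (ticket, attribute) exceptions explaining why."""
    exceptions = [(r["ticket"], k) for r in rows
                  for k, v in r.items() if k != "ticket" and not v]
    return ("Effective" if not exceptions else "Non-effective"), exceptions


if __name__ == "__main__":
    sample = population(TICKETS)          # replace with judgmental selection in practice
    verdict, why = conclude([attribute_sheet(t) for t in sample])
    print(verdict, why)
```

Because the checks are explicit and the extract is kept, the test is replicable: re-running it on the same dump reproduces the same attribute sheet and conclusion.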
Substantive test -> usually to detect errors in financial statements or account balance