5.4.3 USER PROCEDURES
User procedures that should be observed and tested by an IS auditor include:
Segregation of duties (SoD)
  Ensures that no individual has the capability of performing more than one of the following processes: origination, authorization, verification or distribution.
  Observation, review of job descriptions, and review of authorization levels and procedures provide information regarding the existence and enforcement of SoD.
Authorization of input
  Provides evidence of input authorization via written authorization on input documents or with the use of unique passwords.
  Can be tested by looking through a sampling of input documents for proper authorization or by reviewing computer access rules.
  Supervisor overrides of data validation and editing should be reviewed to ensure that automatic logging occurs; the override activity report should be tested for evidence of managerial review.
  Excessive overrides may indicate the need for modification of validation and editing routines to improve efficiency.
Balancing
  Verifies that run-to-run control totals and other application totals are reconciled on a timely basis.
  This may be tested by independent balancing or by reviewing past reconciliations.
Error control and correction
  Provides evidence of appropriate review in the form of reports, research, timely correction and resubmission.
  Testing of this effort can be achieved by retabulating or by reviewing past error corrections.
  Input errors and rejections should be reviewed prior to resubmission, and managerial review and authorization of the correction should be evidenced.
Distribution of reports
  Produces and maintains critical output reports in a secure area and distributes them in an authorized manner.
  The distribution process can be tested by observation and by review of distribution output logs.
  Access to online output reports should be restricted; online access may be tested through a review of the access rules or by monitoring user output.
Review and testing of access authorizations and capabilities
  Provides information regarding access levels (control tables).
  Access should be based on job description and should provide for SoD.
  Testing can be performed through the review of access rules to ensure that access has been granted as management intended.
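The two access-rule tests above (no individual holds more than one of origination, authorization, verification and distribution; and nothing is granted beyond what the job description intends) can be run mechanically over an exported control table. The script below is an added example written for this page, not code from the source or from any audit tool; the table layout, the users, roles and grants are all constructed for illustration.

```python
"""Added example: SoD and job-description review over an access-rule export.

Assumed (constructed) input shapes:
  ACCESS_RULES      rows of (user, function) as they might be exported from a control table
  JOB_DESCRIPTIONS  role -> set of functions management intends that role to have
  USER_ROLES        user -> role
None of this data comes from a real system.
"""
from collections import defaultdict

# The four processing steps that must not be combined in one individual.
SOD_FUNCTIONS = {"origination", "authorization", "verification", "distribution"}

ACCESS_RULES = [
    ("alice", "origination"),
    ("alice", "authorization"),   # SoD conflict: originates and authorizes
    ("bob", "verification"),
    ("carol", "distribution"),
    ("carol", "report_viewer"),   # not one of the four steps, so not an SoD conflict
    ("dave", "authorization"),
    ("dave", "verification"),
    ("dave", "distribution"),     # SoD conflict: three of the four steps
]

JOB_DESCRIPTIONS = {
    "clerk": {"origination"},
    "supervisor": {"authorization"},
    "auditor": {"verification"},
    "mailroom": {"distribution", "report_viewer"},
}

USER_ROLES = {"alice": "clerk", "bob": "auditor", "carol": "mailroom", "dave": "supervisor"}


def granted_by_user(rules):
    """Collapse (user, function) rows into user -> set of granted functions."""
    grants = defaultdict(set)
    for user, function in rules:
        grants[user].add(function)
    return dict(grants)


def sod_conflicts(rules):
    """Users holding more than one of the four SoD steps, with the steps they hold."""
    conflicts = {}
    for user, functions in granted_by_user(rules).items():
        held = functions & SOD_FUNCTIONS
        if len(held) > 1:
            conflicts[user] = sorted(held)
    return conflicts


def excess_access(rules, user_roles, job_descriptions):
    """Functions granted to a user that the user's job description does not intend.

    A user with no role on file is compared against an empty set, so every
    grant is reported as excess; that is the conservative choice for an audit.
    """
    excess = {}
    for user, functions in granted_by_user(rules).items():
        intended = job_descriptions.get(user_roles.get(user), set())
        extra = functions - intended
        if extra:
            excess[user] = sorted(extra)
    return excess


if __name__ == "__main__":
    for user, steps in sod_conflicts(ACCESS_RULES).items():
        print(f"SoD conflict: {user} holds {', '.join(steps)}")
    for user, extra in excess_access(ACCESS_RULES, USER_ROLES, JOB_DESCRIPTIONS).items():
        print(f"Beyond job description: {user} has {', '.join(extra)}")
```

Both findings are reported per user so the auditor can trace each exception back to the control-table rows and to the job description that management approved. A real export would normally carry role-based rather than per-user grants; the same two set operations apply once the roles are expanded to the users who hold them.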
Activity reports
  Provide details, by user, of activity volume and hours.
  Activity reports should be reviewed to ensure that activity occurs only during authorized hours of operation.
Violation reports
  Record any unsuccessful and unauthorized access attempts.
  Violation reports should indicate the terminal location, date and time of attempted access.
  These reports should evidence managerial review.
  Repeated unauthorized access violations may indicate attempts to circumvent access controls.
  Testing may include review of follow-up activities.
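The activity-report and violation-report tests above (activity only during authorized hours; every failed attempt recorded with terminal, date and time; repeated failures flagged for follow-up) can be reproduced from the raw access log. The script below is an added example written for this page, not code from the source or from any product; the log format, the log lines, the authorized hours and the repeat threshold are all assumptions made for illustration.

```python
"""Added example: activity and violation review over an access log.

Assumed (constructed) log format, one event per line:
    YYYY-MM-DD HH:MM user terminal RESULT
where RESULT is OK (access granted) or DENIED (unsuccessful attempt).
The authorized window and the repeat threshold are assumptions, not values from the text.
"""
from collections import Counter
from datetime import datetime, time

# Constructed log lines; they do not come from any real system.
LOG_LINES = """\
2024-03-04 08:15 alice T01 OK
2024-03-04 09:02 bob T02 OK
2024-03-04 22:40 alice T01 OK
2024-03-04 23:05 carol T07 DENIED
2024-03-04 23:06 carol T07 DENIED
2024-03-04 23:07 carol T07 DENIED
2024-03-05 10:30 dave T03 DENIED
2024-03-05 10:31 dave T03 OK
""".splitlines()

AUTHORIZED_START = time(7, 0)   # assumption: start of authorized hours of operation
AUTHORIZED_END = time(19, 0)    # assumption: end of authorized hours (exclusive)
REPEAT_THRESHOLD = 3            # assumption: denied attempts from one user/terminal that warrant follow-up


def parse(line):
    """Split one log line into its fields; the timestamp becomes a datetime."""
    date, clock, user, terminal, result = line.split()
    return {
        "when": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M"),
        "user": user,
        "terminal": terminal,
        "result": result,
    }


def _stamp(event):
    return event["when"].strftime("%Y-%m-%d %H:%M")


def off_hours_activity(lines, start=AUTHORIZED_START, end=AUTHORIZED_END):
    """Successful access outside the authorized window, as (user, terminal, timestamp)."""
    flagged = []
    for event in map(parse, lines):
        if event["result"] == "OK" and not (start <= event["when"].time() < end):
            flagged.append((event["user"], event["terminal"], _stamp(event)))
    return flagged


def violation_report(lines):
    """Every unsuccessful attempt with user, terminal, date and time, as the text requires."""
    return [(e["user"], e["terminal"], _stamp(e)) for e in map(parse, lines) if e["result"] == "DENIED"]


def repeated_violations(lines, threshold=REPEAT_THRESHOLD):
    """(user, terminal) pairs with at least `threshold` denied attempts, for follow-up review."""
    counts = Counter((e["user"], e["terminal"]) for e in map(parse, lines) if e["result"] == "DENIED")
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, terminal, stamp in off_hours_activity(LOG_LINES):
        print(f"Off-hours activity: {user} at {terminal} on {stamp}")
    for user, terminal, stamp in violation_report(LOG_LINES):
        print(f"Violation: {user} at {terminal} on {stamp}")
    for (user, terminal), n in repeated_violations(LOG_LINES).items():
        print(f"Repeated violations: {user} at {terminal}, {n} denied attempts; review follow-up")
```

Note that the one successful off-hours event (alice at 22:40) is reported separately from the denied attempts: a successful access outside authorized hours is an activity-report exception, not a violation, and the review of follow-up activities the text calls for applies to both lists. The threshold is deliberately a parameter, since what counts as "repeated" is a management decision that the auditor tests against, not something the auditor sets.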