Fundamentals of Application Controls
How to Perform an Application Controls Review

Course Level:  Beginner

CPE Credits:  16

Course Description:

This two-day class will focus on the presentation and discussion of
general guidelines in performing an information system application
controls review (ACR).  The overall goal of this course will be to provide
financial, operational, and entry-level IS/IT auditors with the key concepts
and basic knowledge necessary to identify, test, and assess the reliability
of application controls in mainframe, client/server, and/or multi-platform
environments.

The course will also provide the participants with a comprehensive
methodology for examining application controls when reviewing business
applications processed on mainframe, client/server, and/or multi-platform
environments.  The various control components of an automated
business application will be presented and discussed, including:  
authorization, input, processing, output, security, and documentation.  
Application controls will be compared and contrasted with general controls
in an automated environment.  Participants will also learn how to identify
and define a specific automated business application in highly integrated
environments.  At the conclusion of the second day of the course,
participants will work through a generic application control review audit.

Course Objectives:

At the conclusion of this course, each participant will be able to:

Course Balance:


Course Prerequisites:

Participants should have basic auditor training and/or at least 6 months of
audit or related experience.

Who Should Attend:

Financial, operational, entry-level IS/IT auditors, and other personnel with an
interest in understanding application controls and related audit strategies.

Other Information:

Various generic application controls review audit programs will be
included in the course manual, as well as a glossary of common
information technology terms and acronyms for future use and reference
by class participants.

Course Outline:
Day 1
Day 2
A.  Course Introduction and
   Overview
  - Introduction to course
  - Purpose and objectives of
    course
  - Types of business application
    audits
B.  Types and Definitions of IT
   Controls
  - Application controls
  - General controls
  - Relationship of application
    controls to general controls
  - Types / subcategories of
     controls
  - About COSO
C.  Discussion of Audit Standards
  - ISACA
  - Institute of Internal Auditors
  - General Accounting Office
  - Texas Internal Auditing Act
  - Department of Information
     Resources
  - Statements on Auditing
     Standards (SAS), including
     SAS 94.
D.  General Steps in Performing an
    Application Controls Review
  - Planning / resource
    requirements
  - Scoping / application
     identification
  - Application risk assessment
  - Audit program development
  - Identifying, testing, and
    assessing control reliability
  - Data integrity testing
  - Certifying computer security
  - Issue, finding and report
    development and presentation
  - Follow-up considerations
E.  Components and Controls in an
   Automated Business
   Application
  - Transaction authorization and
     origination
  - Input
  - Processing
  - Output
  - Security
  - Maintenance

F.  Data Input and Processing
   Relationship Models
  - Batch
  - Online
  - Real-time

G.  Key Issues and Concerns
   When:
  - Beginning the audit;
  - Identifying and Documenting
    Controls;
  - Testing Controls; and,
  - Using automated audit
     resources.

H.  Hands-on Class Exercise
  - Scenario layout, planning, and
     scoping
  - Audit program development
    and execution
  - Use of automated audit tools
  - Reporting
  - Post-exercise discussion

I.  Course Wrap-up & Discussion