Application controls and integrated auditing

Why is application control testing so important?

The complexity of business processes and the related data flows has significantly increased due to technological advances, mergers and acquisitions, and broader globalisation. Companies' use of technology continues to increase and change at a rapid pace. The resulting complexity in technology, business processes and related data flows makes for a more complicated overall picture, which in turn can increase financial risk.

Application controls testing plays a major role in relation to technology-related audit procedures. These controls help ensure that processes are authorised and are completely and accurately recorded. For example, application controls can be classified as edit checks, validations, calculations, interfaces and authorisations.

Application controls can also be divided into configurable and non-configurable controls:

  • Configurable controls: These function according to key application settings which can be modified by specific users. In other words, a configurable control operates differently depending on settings that are configured using the IT application. Changes to these settings are not typically subject to change management controls, so additional procedures are required to confirm the understanding of the automated controls in place. Configurable controls also carry additional IT risks when inappropriate users have access to the control configuration.
  • Non-configurable controls: These controls are programmed within the application logic and can be modified only through code changes. These controls do not involve tolerances or other variable configurations. Further, any changes to application controls are subject to change management controls.

Effective application controls will support any business to ensure the integrity, accuracy and confidentiality of systems and data. It is important for Internal Audit (IA) to develop and perform audits of application controls on a periodic basis to verify whether controls are appropriately designed and operating effectively.

Why does integrated audit play a major role in IA and application controls testing?

An integrated audit considers the relationship between information technology, financial and operational controls, in establishing an effective and efficient internal control environment. An integrated audit differs from a non-integrated audit in terms of scope and overall complexity. For example, a traditional audit may only focus on financial or operational aspects, while an integrated audit will take a holistic view that looks across both the business process, including the operational and financial aspects of the control, and the technology that underpins the business process and controls being considered.

Implementing an integrated audit provides effective coverage of the business processes, which in turn gives further comfort that the risk is being treated effectively. Other advantages include audit planning, effective risk assessments and reporting.

When performing application control testing as part of the audit, an integrated audit approach can provide a better outcome, as specialist skills or knowledge within the audit team can provide better input during the audit review. Business auditors can support technology auditors in understanding the business processes, which helps to verify whether controls are appropriately designed and operating effectively. Conversely, technology auditors can help business auditors understand the technology risks underpinning the processes they are considering, giving a more accurate view of the risk landscape.

How can internal audit (IA) functions contribute to support the organisation?

These are the steps in which IA can help an organisation better manage integrated audits and application controls:

1. By performing integrated audits, IA will have a view on the organisation’s enterprise-wide approach to managing risks. This will include the development of and compliance with risk appetite, process outcomes and culture. There will be an increased focus on thematic and organisation-wide risk management rather than process or control level improvements.

2. During audit planning, IA should consider the specialist skills required during each stage of the audit review. The audit team should be built with the combined knowledge and experience to assess the risks and controls relevant to the activity under review, both from a business process and a technology perspective - this broad range of skills should then be utilised across the delivery of the audit.

3. IA should consider the use of multiple audit techniques when undertaking an integrated audit to achieve the desired outcome efficiently and effectively. Examples of these audit techniques can include, but are not limited to, continuous auditing, sampling and the use of data analytics. When reviewing application controls, an organisation can leverage existing data analytics capabilities and continuous auditing where they exist, but a focus must always be on applying an audit mindset to the use of existing analytics, not just taking it at face value.

As a final thought, as technology becomes ever present across all aspects of business processes, the need to consider application controls and to look to undertake integrated audits as a default becomes even greater.

Note: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.

Chathuranga Hewakuruppuge

Consultant | Risk Management | Internal Audit | Compliance | Process Improvement

2 years

Insightful read. Thumbs up Devinda Rathnayake

More articles by Michael Elysee