Contributed March 5, 2001 by Julianne Sasso System Conversion and Reconciliation Audit Program Objective: Review Conversion & Reconciliation plans and develop appropriate audit procedures to ensure the accuracy of converted data. Scope: We will perform a review of the Conversion & Reconciliation Plans to ensure that there exists complete documentation which includes procedures identifying acceptable and unacceptable differences, that exceptions and discrepancies are identified and adequately resolved and that there exists a formal review process prior to data acceptance. 1.0 Background Obtain Organizational Chart of the personnel responsible for the conversion and reconciliation and gain a general understanding of the roles each function performs. Obtain and understanding of how conversion/reconciliation personnel interface with outsource data center personnel during the pre-conversion and reconciliation process. Obtain a time line chart which outlines the various personnel and their responsibilities as it relates to the implementation of the system. Obtain documentation which outlines who is responsible for performing the conversion/reconciliation and who is responsible for tracking the conversion/reconciliation. Obtain documentation which outlines who is responsible for signing off on the conversion/reconciliation. 2.0 Conversion Has a Target Date been established? Review the conversion document for completeness: The identification of data files used. The identification of acceptable and unacceptable differences. The identification of tolerance levels. The resolution plan for exceptions identified. Review the conversion plan timetable for completeness, appropriate assignments of responsibilities and consideration of impacts on production. Are there formal mapping procedures which identify each data field converted? Review the data clean-up policy for completeness. Has all system-related and user documentation been completed and made ready for use by computer operations personnel and users? Spot check conversion results. Spot check for user sign-off. Spot check for exception resolution. 3.0 Reconciliation If available, obtain a copy of the Reconciliation plan and perform the following: Does the plan include procedures for automated vs. manual reconciliation? If automated, is the tolerance level appropriate to risk? If manual, is the reconciliation based on a statistical sample and if so, is the sample appropriate to risk? Gain an understanding of the "check-out" procedures (reviewing test results). Spot check for Reconciliation Results. Spot check for user sign-off. Spot check for exceptions resolution. 4.0 High Level Control Objectives Confirm that there exists an active on-going participation of user areas. Determine the adequacy of security and controls for the system and affected processes (access security, completeness and accuracy of process, data integrity checks etc...) Determine the quality and effectiveness of system testing, system performance and capacity planning and resolution of problems encountered. Discuss with key users to verify that they are comfortable with the system enough to provide user sign-off for production installation. Discuss with project manager and obtain supporting documentation to confirm that all previous recommendations and management action plans that have security and control objectives that need to be addressed include: Access Security: evaluate security features for operating system security and application security. Data Integrity: evaluate validation edits, control totals, reconciliation, error detection mechanism and procedures. Accuracy & Completeness of processing: evaluate manual or electronic controls to verify business transactions are processed accurately (in accordance with business rules and external regulations) and all transactions received are accounted for. Review security profiles for production to verity that appropriate separation of functions is maintained. Using a sample of problems in the problem log, discuss with key users to confirm that the users are satisfied with their resolutions. Review open problems with users to determine that these items do not affect the accuracy and integrity of business transactions if they are not corrected prior to production. Verify the Freeze Date and that no new program changes will be introduced during this period to ensure system stability. Determine if there is a reasonable "backout plan" to continue operations in the event that there are significant unexpected problems when the system is poised for production. 5.0 Miscellaneous Consult with independent auditors to determine if there are any other procedures that need to be performed in order to complement their annual review process.