
Application System Internal Control Questionnaire

  1. Are there written instructions or online help available for processing all transactions for this application?

  2. When transactions are initiated through program logic, are listings or reports sent to the user department?

  3. Are the procedures for controlling input the same when applied to correcting entries?

  4. Are there controls or procedures which effectively prevent persons outside the company from accessing, via terminals, the files of this application?

  5. Are the installation's standard sign-on and sign-off procedures used on this application?

  6. Does the system record which users processed transactions that altered the contents of the file?

  7. In the event that unauthorized access is attempted, what procedures prevent additional attempts?

  8. Is a computer generated log entry created for:

    • Each message?
    • Each sign-on?
    • Each sign-off?
    • All transactions?
    • Other:

  9. Are the computer generated logs reviewed and summarized for:

    • Unusual activity?
    • Error rates by user?

  10. Are record counts and control totals generated through the online input process and used to validate the completeness of data entry?

  11. Does management take strong corrective action when security violations are noted?

  12. Is ACF2 password protection used?

  13. Are all security violations logged?

  14. Is adequate documentation maintained on security procedures?

  15. Can each transaction be associated with a USERID number?

  16. Is a non-printing feature used when the operator keys in a password?

  17. Does each user of the application have a unique LOGONID?

  18. Are users instructed on how to keep their passwords secure?

  19. Are passwords changed at least every 90 days?

    PROCESSING CONTROLS

  20. Are on-line data validation and editing performed as early as possible in the transaction processing cycle to ensure that errors are detected and corrected quickly?

  21. Is use of overriding or bypassing data validation and editing routines restricted to designated personnel?

  22. Are all uses of the override/bypass feature logged and analyzed for appropriateness and correctness?

  23. Does the application include edit routines to check each transaction for:

    • Completeness?
    • Consistency within the transaction?
    • Transaction validity?
    • Proper processing period?
    • Proper cross-footing?

  24. Does the application include edit routines to check each applicable field in the transaction types for:

    • Missing data?
    • Limit checks?
    • Range checks?
    • Check digit validity?
    • Valid Codes?
    • Proper sequence?
    • Proper format?

  25. Does the application include edit routines to check each character in a transaction, where applicable, for:

    • Numerics?
    • Alphabetic?
    • Special characters?
    • Sign?
    • Blanks?

  26. Are there written instructions or online help available for correcting all errors detected?

  27. Are resubmitted transactions processed identically to those submitted for a first time?

  28. For on-line real-time processing, are all transactions automatically logged, stamped and dated to provide a complete audit trail?

  29. Can messages and data be traced back to the terminal and user of origin?

  30. For applications that update files, does the system protect against concurrent file updates?

  31. Are all changes to the application thoroughly tested and approved by the user before being placed into production?

  32. Have users received sufficient training on use of the application?

  33. Can users correct errors before they are transmitted?

  34. Have adequate user manuals been prepared and distributed to the users?

  35. Are operators in IT prohibited from:

    • Initiating any transactions?
    • Processing an unusual program without an approved written request?
    • Duplicating a file without an approved written request?

  36. When processing transactions against a master file:

    • Does the program prevent duplicate master records from being established?
    • Are listings printed for all master changes showing:

      • The master record before change?
      • The master record after change?
      • The nature of the change?

  37. Does the program check for illogical results prior to changing the master record?

  38. Are all transactions not processed:

    • Reported with reason?
    • Placed in a suspense file?

  39. Are master files periodically reviewed by a program which reads the entire file and:

    • Counts all records?
    • Totals all fields used to control the file?
    • Cross-foots records where applicable?
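As an added example (not AuditNet's material), the kind of edit routine questions 23 to 25 ask about: each transaction is checked for completeness, format, check-digit validity, valid codes, sign, limit and processing period; rejected transactions are reported with their reasons and held in suspense (question 38); and the batch is reconciled against a record count and a predetermined control total (questions 10 and 39). The transaction-code table, amount limit, processing period, mod-10 (Luhn) check-digit scheme and sample batch are all constructed assumptions.

```python
from datetime import date
VALID_CODES = {"DR", "CR"}                       # constructed transaction-code table
AMOUNT_LIMIT = 100_000.00                        # constructed ceiling for the limit check
PERIOD = (date(2008, 1, 1), date(2008, 1, 31))   # constructed open processing period

def check_digit_ok(account: str) -> bool:
    """Mod-10 (Luhn) check digit, assumed here; the last digit of the account is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_transaction(txn: dict) -> list[str]:
    """Apply the edit checks to one transaction (date is a datetime.date); empty list means it passes."""
    missing = [f"missing {f}" for f in ("account", "code", "amount", "date") if txn.get(f) in ("", None)]
    if missing:                                  # completeness failed: nothing else is testable
        return missing
    acct, amt = str(txn["account"]), txn["amount"]
    good_format = acct.isdigit() and len(acct) == 8
    numeric = isinstance(amt, (int, float))
    checks = [                                   # (failed?, reason reported to the user)
        (not good_format, "account format"),
        (good_format and not check_digit_ok(acct), "account check digit"),
        (txn["code"] not in VALID_CODES, "invalid code"),
        (not numeric or amt <= 0, "amount not a positive number"),
        (numeric and amt > AMOUNT_LIMIT, "amount exceeds limit"),
        (not PERIOD[0] <= txn["date"] <= PERIOD[1], "outside processing period"),
    ]
    return [reason for failed, reason in checks if failed]

def run_edit(batch: list[dict], expected_count: int, expected_total: float) -> dict:
    """Split a batch into accepted and suspense items and reconcile the batch controls."""
    accepted, suspense = [], []
    for txn in batch:
        reasons = edit_transaction(txn)
        (suspense if reasons else accepted).append({**txn, "reasons": reasons})
    amounts = [t.get("amount") for t in batch if isinstance(t.get("amount"), (int, float))]
    return {"accepted": accepted, "suspense": suspense,
            "count_ok": len(batch) == expected_count,              # record count vs batch header
            "total_ok": round(sum(amounts), 2) == expected_total}  # computed vs predetermined total

# Constructed sample batch: one clean item, a bad code, a bad check digit (also over limit, out of period), a missing field.
SAMPLE_BATCH = [
    {"account": "12345674", "code": "DR", "amount": 250.00, "date": date(2008, 1, 14)},
    {"account": "12345674", "code": "XX", "amount": 10.00, "date": date(2008, 1, 5)},
    {"account": "12345670", "code": "DR", "amount": 150_000.00, "date": date(2008, 2, 1)},
    {"account": "", "code": "DR", "amount": 5.00, "date": date(2008, 1, 2)},
]
```

Running `run_edit(SAMPLE_BATCH, 4, 150265.00)` accepts the first item, places the other three in suspense with their reasons, and reports both batch controls as agreeing.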

  40. Are master files periodically purged of obsolete records?

  41. Does the application include routines to check the results of calculations for reasonableness?

  42. Is the application processed according to a predefined schedule?

  43. Are IT's standard library procedures followed for this application?

  44. Are programmers prohibited from using live data files from this application for testing?

    OUTPUT

  45. Is all output from computer operations reviewed for reasonableness, accuracy, and legibility before distribution?

  46. Are totals on output reconciled to predetermined totals?

  47. Does Data Control have written procedures which include:

    • Frequency or due dates?
    • Number of copies to be sent?
    • Persons authorized to receive output?

  48. Does the control group maintain a control schedule?

  49. Is all output sent directly to the user groups from the control group?

Copyright © 1999-2000 AuditNet.org.  

All rights reserved. No part of this Website may be reproduced in any form, by copying from the Internet, photostat, microfilm, xerography, or any other means, or incorporated into any information retrieval system, electronic or mechanical, without the written permission of the copyright owner.

Send comments to: editor@auditnet.org



Revised: January 14, 2008

Address of this Page is http://www.auditnet.org/