“These controls and suggested tests are generic and should apply to all systems,” says Heriot Prentice, director of technology practices at the IIA in Altamonte Springs, Fla.
For one, all transactional systems such as ERP and financial systems–as well as support applications such as e-mail programs and design software–pose risks stemming from how they are configured, managed and used by employees. Another reason for regular audits and tests of software controls is that any configuration changes or modifications to business applications can introduce additional risk. For instance, tolerance levels can be manipulated to disable controls.
For this reason, the GTAG guidance recommends that auditors be part of any software-implementation or upgrade team to ensure controls are in place and working. Prentice recommends that companies make their software-control audits a joint effort involving the chief internal auditor, the CFO and the CIO. “One of the biggest issues I’ve found when it comes to I.T. is that the chief audit officer or the CFO in many cases may not understand the technology, while at the same time, the CIO may not understand the auditors’ needs,” he says.
Software controls are used to monitor a variety of aspects of the application, including input, processing, output and data integrity, as well as data storage and retrieval. Some controls are embedded into transactional and support applications, such as an automated accounts-payable match of invoice with purchase order and notice of receipt of shipment. Other controls are configurable, such as an accounts-payable system’s limit on the amount of an invoice that can be processed without certain approvals.
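As an added illustration (not part of the original article or the GTAG guidance), the Python sketch below models an embedded three-way match and a configurable approval limit, then shows how loosened tolerance settings silently disable the control and how an audit test against an approved baseline catches the change. The field names, baseline values and sample invoice are assumptions constructed for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class ControlConfig:
    price_tolerance_pct: Decimal  # allowed invoice-vs-PO unit price deviation, in percent
    approval_limit: Decimal       # largest invoice total payable without extra approval

# Constructed baseline standing in for the settings signed off at implementation.
BASELINE = ControlConfig(Decimal("2"), Decimal("10000"))

def three_way_match(po_qty, po_price, received_qty, inv_qty, inv_price, cfg):
    """Embedded control: return the exceptions that block automatic payment."""
    exceptions = []
    if inv_qty > po_qty:
        exceptions.append("billed quantity exceeds purchase order")
    if inv_qty > received_qty:
        exceptions.append("billed quantity exceeds goods received")
    ceiling = po_price * (1 + cfg.price_tolerance_pct / 100)
    if inv_price > ceiling:
        exceptions.append("unit price outside tolerance")
    if inv_qty * inv_price > cfg.approval_limit:
        exceptions.append("invoice total requires approval")
    return exceptions

def audit_config(live, baseline=BASELINE):
    """Audit test: report every setting looser than the approved baseline."""
    findings = []
    for name in ("price_tolerance_pct", "approval_limit"):
        current, approved = getattr(live, name), getattr(baseline, name)
        if current > approved:
            findings.append(f"{name} loosened from {approved} to {current}")
    return findings

# Constructed invoice: billed at 150 per unit against a PO price of 100.
INVOICE = dict(po_qty=10, po_price=Decimal("100"), received_qty=10,
               inv_qty=10, inv_price=Decimal("150"))
# Constructed "manipulated" settings: tolerance and limit raised far past baseline.
LOOSENED = ControlConfig(Decimal("1000"), Decimal("1000000000"))

if __name__ == "__main__":
    print(three_way_match(**INVOICE, cfg=BASELINE))  # control raises an exception
    print(three_way_match(**INVOICE, cfg=LOOSENED))  # same invoice passes unchallenged
    print(audit_config(LOOSENED))                    # audit test flags both settings
```

The same overbilled invoice is blocked under the baseline and paid under the loosened settings, which is why the configuration itself, not just the transactions, needs to be tested after any change.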
Management trail—Processing-history controls, often called an audit trail, allow management to identify the transactions and events they record by tracking each transaction from the source to the output and by tracing backward.
http://www.baselinemag.com/article2/0,1397,2143482,00.asp?kc=BARSS02129TX1K0000533