Page 482 - ITGC_Audit Guides
GTAG — Appendix – Case Studies
• Who should maintain the data history and where will it be stored?
• When comparing control data to the previous baseline audit, who should be responsible for assessing the significance of the changes in the application and determining which controls need to be retested?

Benchmark Results
After the data was extracted, it was compared with a base period. The benchmark report identified the key automated controls that were subjected to change since the base period, and the type of change (see Figure 8 on page 16). Ideally, application controls should be unchanged.

Auditors selected key controls and drilled down to assess the change. As appropriate, benchmark reports were incorporated into the audit workpapers, either to provide evidence that further control testing was not necessary or to support the need for retesting. In this way, benchmarking facilitated a risk-based approach to retesting, which was performed through management’s continuous monitoring efforts when possible, providing additional efficiency.

After implementation of the ongoing control assessment, 58 percent of application controls could be validated without testing. Of the remaining 42 percent, 16 percent were tested during the first half of the year, and 26 percent were retested during the second half of the year. Time required for application control testing fell from 6,300 to 352 working hours, a 94 percent decrease year-over-year (see Figure 9).

[Figure 9: Total Working Hours Saved. Pie chart: validated without testing (122; 58%), to be retested in H1 (33; 16%), to be retested in H2 (55; 26%). Bar chart of total working hours: before benchmark implementation 6,300; after implementation 352; 5,948 hours saved.]

A.2 — Ongoing Control Assessment of an Employee Expense System
Continuous auditing potentially is most effective when applied to high volume systems accessed by a large number of users. This case illustrates how internal auditors applied continuous auditing techniques to an employee expense system audit.

Background and Challenges
Previous audits of the employee expense systems were time consuming and labor intensive, and the audit scope was sometimes limited by resource constraints. The employee expense system was rules-based with numerous automated controls implemented at multiple levels to manage the quality of data entered and initiate the expense approval process. Examples include:

• An expense submission control:
  o If duplicate expenses were entered for the same date, category, and amount, the system would give the user a warning, require a manager’s active approval, and flag the entry for operation’s review.
• Active approval controls:
  o At-risk transactions were held pending a supervisor’s review.
  o An employee could not approve his or her own report.

Controls were typically focused on limits or authorizations but did not necessarily check the validity or accuracy of the data entered. Inadvertent or intentionally incorrect
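
An added example, not part of the GTAG text or of the audited system: one way an auditor could re-perform the duplicate-submission and self-approval controls listed in the A.2 case over an extracted expense file. The field names, the sample rows, and the choice to match duplicates per employee are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample extract; the field names are assumptions, not the system's schema.
FIELDS = ("id", "employee", "date", "category", "amount",
          "approver", "active_approval", "ops_flag")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    (1, "avila", "2024-03-04", "meals", "42.10", "chen", False, False),
    (2, "avila", "2024-03-04", "meals", "42.1", "chen", True, True),     # duplicate, handled as designed
    (3, "brook", "2024-03-05", "taxi", "18.00", "chen", False, False),
    (4, "brook", "2024-03-05", "taxi", "18.00", "chen", False, True),    # duplicate, no active approval
    (5, "chen", "2024-03-06", "hotel", "210.00", "chen", True, False),   # approved by the submitter
    (6, "dario", "2024-03-04", "meals", "42.10", "chen", False, False),  # other employee: not a duplicate
]]


def duplicate_groups(rows):
    """Return lists of ids that share employee, date, category and amount."""
    groups = defaultdict(list)
    for r in rows:
        # Decimal makes "42.10" and "42.1" compare (and hash) as the same amount.
        key = (r["employee"], r["date"], r["category"], Decimal(r["amount"]))
        groups[key].append(r["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def control_exceptions(rows):
    """Return (id, reason) pairs where a control did not operate as described."""
    by_id = {r["id"]: r for r in rows}
    found = []
    for ids in duplicate_groups(rows):
        for i in ids[1:]:  # the first entry is the original; later ones are duplicates
            if not by_id[i]["active_approval"]:
                found.append((i, "duplicate without active manager approval"))
            if not by_id[i]["ops_flag"]:
                found.append((i, "duplicate not flagged for operations review"))
    for r in rows:
        if r["approver"] is not None and r["approver"] == r["employee"]:
            found.append((r["id"], "self-approved report"))
    return found


if __name__ == "__main__":
    for exc in control_exceptions(SAMPLE):
        print(exc)
```

An empty result over a full period's extract is evidence that both controls operated for every entry, rather than for a sample.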