Page 126 - CITP Review
automated control is reliable, then the manual substantive procedures can be reduced substantially by
relying on the automated control and reducing the scope of substantive procedures by increasing the
cutoff or reducing the sample size. Another key factor is that it may be possible to test this particular kind
of control with a sample or instance of one transaction (probably two transactions at the most, given
there are two outcomes: approved, disapproved).
Besides ToC over automated controls, ToC could be associated with ITGC such as application or
systems testing.
Application control testing
Application testing is a vital component of ITGC and auditing procedures. Application testing should
follow basic system development life cycle (SDLC) guidelines for customized code (applications written
by the entity’s own IT staff). That includes the testing of new or revised applications by the programming
team. This testing should be a hurdle: no change to an application should proceed without first
successfully passing the internal programming test.
Next, the IT function should have a quality assurance testing stage whereby an independent party in the IT
function tests the application. Again, the application cannot be moved to the next stage without passing
through this stage properly in an ideal SDLC environment.
After that process, the application should be tested by the end users and the internal sponsor in
particular. Once this stage is passed, an end-user acceptance agreement should be signed to provide
evidence that the application was properly tested by the end users.
Finally, the application is tested by being interfaced to all potential applications and modules in the
entity’s system, offline, to ensure that integration errors do not occur. This integration testing is best
performed within a staging area. [24]
The CITP would perform the application testing by interviewing key personnel and asking about the
testing processes, reviewing the chain of relevant documents (for example, end-user acceptance report),
observing the processes in operations, or other relevant procedures. Observation might be particularly
useful in staging or project management meetings. The purpose of those procedures would be to gain
assurance that the testing of applications follows the proper procedures and employs adequate controls
to ensure minimal probability of errors, fraud, or operational problems in deploying new or revised
applications.
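The document-chain review described above can be reperformed over a population of change records. The following is an added example, not part of the CITP guide: the record fields, ticket IDs and tester names are hypothetical, and "independent" is assumed to mean that the QA tester is not the developer.

```python
from datetime import date

# Stage order from the text: programmer, QA, user acceptance, integration.
STAGES = ["programmer_test", "qa_test", "user_acceptance", "integration_test"]

def control_exceptions(change):
    """Return the control exceptions found in one change record."""
    found = []
    evidence = {e["stage"]: e for e in change["evidence"]}
    prior = None
    for stage in STAGES:
        e = evidence.get(stage)
        if e is None:
            found.append(f"{stage}: no evidence on file")
            continue
        if not e["passed"]:
            found.append(f"{stage}: not passed")
        if prior and e["date"] < prior:
            found.append(f"{stage}: dated before the prior stage")
        prior = e["date"]
    # Assumption: "independent" means the QA tester is not the developer.
    if (qa := evidence.get("qa_test")) and qa["tester"] == change["developer"]:
        found.append("qa_test: tester is not independent of the developer")
    if (uat := evidence.get("user_acceptance")) and not uat.get("signed"):
        found.append("user_acceptance: acceptance agreement not signed")
    if (it := evidence.get("integration_test")) and it.get("environment") != "staging":
        found.append("integration_test: not run in a staging area")
    return found

def ev(stage, tester, day, passed=True, **extra):
    return {"stage": stage, "tester": tester, "date": day, "passed": passed, **extra}

# Constructed sample population (hypothetical change tickets).
CHANGES = [
    {"id": "CHG-001", "developer": "adavis", "evidence": [
        ev("programmer_test", "adavis", date(2019, 3, 11)),
        ev("qa_test", "cortiz", date(2019, 3, 13)),
        ev("user_acceptance", "sponsor1", date(2019, 3, 15), signed=True),
        ev("integration_test", "cortiz", date(2019, 3, 18), environment="staging")]},
    {"id": "CHG-002", "developer": "bkim", "evidence": [
        ev("programmer_test", "bkim", date(2019, 3, 25)),
        ev("qa_test", "bkim", date(2019, 3, 27)),
        ev("user_acceptance", "sponsor2", date(2019, 3, 29), signed=False)]},
]

if __name__ == "__main__":
    for c in CHANGES:
        print(c["id"], control_exceptions(c) or "no exceptions")
```

Each exception is a lead for follow-up inquiry or observation rather than a conclusion on its own.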
System testing
System testing follows the same processes as previously stated, but with some additional controls and
best practices, due to the scope of a system versus a single application; a new or revised system should
go through all of the described testing. The use of a staging area is much more important in system
[24] A staging area is a simulated enterprise system environment where all of the relevant applications and systems
are present as they are in real operations, including the same type of hardware and connectivity. Only in this manner
can an application or system be tested to the highest effectiveness. Applications can work properly when isolated,
but have errors or create problems when interfaced with other applications or systems.
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-42