New Expectations for Application Control Testing

Risks and controls. When we hear this phrase, we often think of the organization’s financial controls or maybe even the IT general controls; however, there’s another set of controls that are equally important: application controls.

Application controls are automated controls performed by a specific application or system. For example, an application control could perform a validity check or a completeness check to verify that the data entered match predetermined criteria. Application controls are often tested by doing a walkthrough: observing the performance of the control by entering data, for each type of transaction and processing alternative, into the system to verify how the control functions. In the past, this testing approach has been sufficient for external auditors to gain comfort that the application controls are operating as expected.

Review comments coming from the PCAOB to external auditors are creating the expectation that additional information for configurable and non-configurable application controls be gathered. External auditors are now looking for evidence directly from the application and its developers indicating that the specific item is not configurable within the system. For example, if the application in question is SAP, information directly from an SAP manual would need to be referenced to show that the specific item or criteria cannot be changed. Similarly, for configurable controls, external auditors are beginning to request additional evidence showing the current configuration and who can change the configuration within the system, and when it was last changed.

The combined walkthrough and testing approach is still appropriate; however, these additional procedures to support the configurable or non-configurable nature of each control are also needed in order for some external auditors to gain comfort with application controls.
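To make the distinction concrete, here is an added illustration (not code from the original article or from any product it mentions) of a small payment-entry application control: a validity check whose allowed-currency list is hard-coded and therefore non-configurable, a completeness check and amount limit that are configurable, and an append-only change log that records who changed the configuration and when, which is exactly the evidence the review comments described above ask for. All field names, settings and sample records are assumptions constructed for the example.

```python
"""Illustrative application control with configurable and non-configurable
criteria plus a configuration change log (constructed example, not from the
original article or any vendor documentation)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Non-configurable criterion: hard-coded in the application and not exposed
# through any setting. For a real product an auditor would cite the vendor
# manual to show this cannot be changed.
ALLOWED_CURRENCIES = frozenset({"USD", "EUR", "GBP"})


@dataclass
class ControlConfig:
    """Configurable criteria plus an audit trail of every change to them."""
    required_fields: tuple = ("vendor_id", "amount", "currency", "approver")
    max_amount: float = 10_000.0
    change_log: list = field(default_factory=list)

    def update(self, changed_by: str, **changes):
        """Apply a configuration change and record who made it and when."""
        for key, new_value in changes.items():
            if key not in ("required_fields", "max_amount"):
                raise KeyError(f"{key} is not a configurable setting")
            old_value = getattr(self, key)
            setattr(self, key, new_value)
            self.change_log.append({
                "setting": key,
                "old": old_value,
                "new": new_value,
                "changed_by": changed_by,
                "changed_at": datetime.now(timezone.utc).isoformat(),
            })


def completeness_check(record: dict, config: ControlConfig) -> list:
    """Configurable control: every required field must be present and non-empty."""
    return [f for f in config.required_fields if record.get(f) in (None, "")]


def validity_check(record: dict, config: ControlConfig) -> list:
    """Mix of a non-configurable criterion (currency) and a configurable one (limit)."""
    errors = []
    if record.get("currency") not in ALLOWED_CURRENCIES:
        errors.append("currency not in non-configurable allow-list")
    amount = record.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    elif amount > config.max_amount:
        errors.append(f"amount exceeds configured maximum {config.max_amount}")
    return errors


def evaluate(record: dict, config: ControlConfig) -> dict:
    """Run both checks; the transaction is accepted only if both pass."""
    missing = completeness_check(record, config)
    errors = validity_check(record, config)
    return {"accepted": not missing and not errors,
            "missing": missing, "errors": errors}


def evidence_summary(config: ControlConfig) -> dict:
    """The evidence an auditor requests: current configuration and its last change."""
    last = config.change_log[-1] if config.change_log else None
    return {"required_fields": config.required_fields,
            "max_amount": config.max_amount,
            "non_configurable": {"allowed_currencies": sorted(ALLOWED_CURRENCIES)},
            "last_change": last}


if __name__ == "__main__":
    cfg = ControlConfig()
    # Constructed sample transaction that fails both checks.
    sample = {"vendor_id": "V-100", "amount": 25_000.0, "currency": "XYZ", "approver": ""}
    print(evaluate(sample, cfg))
    cfg.update("admin.alice", max_amount=50_000.0)
    print(evidence_summary(cfg))
```

Walking a transaction through `evaluate()` reproduces the walkthrough test; `evidence_summary()` is the extra artifact the article says auditors now request. Note that a real change log must be tamper-evident and written outside the control of the people who can change the configuration, otherwise it does not answer the "who changed it and when" question.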


Navigating the Challenges of Periodic User Access Reviews

In today’s digital age, where data breaches and cyber threats are on the rise, maintaining robust security practices is of utmost importance for organizations. Periodic user access reviews serve as a critical component of ensuring the integrity and confidentiality of sensitive information. However, executing these reviews comes with its fair share of challenges. Here are four of the top challenges that companies face when conducting periodic user access reviews.

  1. Scale and Complexity: As companies grow and their digital landscapes expand, managing user access rights becomes increasingly complex. Organizations often operate multiple systems, applications, and platforms, each with its own set of access controls. The sheer scale and complexity of user access reviews make it challenging to identify all access points accurately.
  2. Manual Processes and Inefficiency: Many organizations still rely on manual processes to conduct user access reviews, involving spreadsheets, email chains, and manual cross-referencing. These methods are time-consuming, error-prone, and inefficient. Manual processes make it difficult to track and monitor changes in user access over time. The administrative burden placed on IT teams can be overwhelming, diverting their focus from more strategic initiatives. Inefficiencies in the review process can lead to delays, increased costs, and potential security gaps.
  3. Compliance and Audit Requirements: Organizations must comply with industry-specific regulations and standards that necessitate regular user access reviews. Meeting these compliance requirements can be a complex task, particularly when faced with tight deadlines and limited resources. Companies must stay abreast of evolving regulations and ensure their access review processes align with the latest compliance frameworks. Failure to meet these requirements can lead to legal consequences, reputational damage, and financial loss.
  4. Technology Limitations and Legacy Systems: Legacy systems and outdated technologies pose additional challenges to conducting user access reviews. Older systems may lack robust access control mechanisms or integration capabilities, making it difficult to obtain accurate and comprehensive user access data. Integrating these systems with modern identity and access management (IAM) solutions can be a complex endeavor. Striking a balance between maintaining legacy systems and adopting modern IAM solutions is crucial for organizations looking to streamline their periodic user access reviews.
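The second challenge above, manual cross-referencing of exports and spreadsheets, is the part of a periodic review that is easiest to automate. The following is an added example (not from the original article) of that cross-referencing step: access exports from several systems are reconciled against an HR roster, each entitlement is tagged with a finding that tells the reviewer what to decide, and the rows are grouped by the manager who must certify them. The rosters, export formats and privileged-entitlement list are constructed assumptions.

```python
"""Cross-referencing step of a periodic user access review (constructed
example, not from the original article). Reconciles per-system access exports
against an HR roster and produces a review worksheet grouped by reviewer."""
from collections import Counter, defaultdict

# Constructed HR roster: who exists, whether they are still employed, who reviews them.
HR_ROSTER = [
    {"user_id": "alice", "status": "active", "manager": "eve"},
    {"user_id": "bob", "status": "active", "manager": "eve"},
    {"user_id": "carol", "status": "terminated", "manager": "frank"},
    {"user_id": "dave", "status": "active", "manager": "frank"},
]

# Constructed per-system exports, each already normalised to (user, entitlement).
ACCESS_EXPORTS = {
    "erp": [
        {"user": "alice", "entitlement": "AP_CLERK"},
        {"user": "bob", "entitlement": "AP_ADMIN"},
        {"user": "carol", "entitlement": "GL_POST"},
    ],
    "fileshare": [
        {"user": "Alice", "entitlement": "finance-rw"},
        {"user": "svc_backup", "entitlement": "finance-rw"},
        {"user": "dave", "entitlement": "finance-ro"},
    ],
}

# Entitlements that need explicit re-approval even for active staff (assumption).
PRIVILEGED = {"AP_ADMIN", "finance-rw"}


def build_review(roster, exports, privileged):
    """Tag every entitlement with a finding and assign it to a reviewer."""
    by_user = {r["user_id"].lower(): r for r in roster}
    rows = []
    for system, entries in exports.items():
        for entry in entries:
            user = entry["user"].lower()  # exports differ in case conventions
            person = by_user.get(user)
            if person is None:
                finding = "ORPHAN"          # no HR record: service/stale account
            elif person["status"] != "active":
                finding = "TERMINATED"      # leaver whose access was not removed
            elif entry["entitlement"] in privileged:
                finding = "PRIVILEGED"      # active user, but needs re-approval
            else:
                finding = "OK"
            rows.append({
                "system": system,
                "user": user,
                "entitlement": entry["entitlement"],
                "finding": finding,
                "reviewer": person["manager"] if person else "unassigned",
            })
    return rows


def summarize(rows):
    """Counts per finding, useful for tracking review progress over time."""
    return dict(Counter(row["finding"] for row in rows))


def group_by_reviewer(rows):
    """Package the worksheet so each manager receives only their own rows."""
    grouped = defaultdict(list)
    for row in rows:
        grouped[row["reviewer"]].append(row)
    return dict(grouped)


if __name__ == "__main__":
    worksheet = build_review(HR_ROSTER, ACCESS_EXPORTS, PRIVILEGED)
    print(summarize(worksheet))
    for reviewer, items in group_by_reviewer(worksheet).items():
        print(reviewer, [(i["system"], i["user"], i["finding"]) for i in items])
```

The "ORPHAN" and "TERMINATED" findings are the ones that usually surface the security gaps the article warns about; "unassigned" rows have no business owner in HR and should go to the system owner rather than being silently dropped. Legacy systems that cannot export access lists (challenge 4) are the rows this script can never produce, which is a useful way to scope what still has to be reviewed by hand.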

Periodic user access reviews are crucial for ensuring the security and compliance of organizational systems and data. Leveraging skilled advisors can help you overcome these challenges through process improvements and technology.