Since I completed categorizing the evidence documents yesterday, today I started on the audit working paper. The majority of the evidence given is sufficient and there is no major issue with the controls; they are all effective, be it in design and implementation or operating effectiveness.
Several controls do have my attention, as I think the control is not enough or there is even no control being implemented for that area. The first is the monitoring of user access. Even in the meeting, we could notice that there is actually no practice by the company of monitoring the user access matrix. The ideal is for the company to periodically, even just once a year, have all the department heads together to review all the users' access matrix. Since the company does not have this practice, I marked it as ineffective for this particular area. Another area that has my attention is the superuser section. I noted that Mr. Elthon, the general manager, is one of the finance personnel and he is also the superuser for the company ERP system. It is quite contradictory, and what makes things go from bad to worse is that the company does not have the practice of reviewing the audit trail that records all the activities done by the superuser; in other words, if Mr. Elthon performs any fraud, it will go unnoticed. The third area that gets my attention is incident report management. In the meeting, we noted that every problem raised by a user is mostly communicated by phone or email to the IT personnel. What I am concerned about is that, this way, the company does not have proper documentation, as it is unable to keep track of the status of every incident raised. How are they able to know whether the raised problem is solved or not?
I then asked my senior and director to confirm whether what I am concerned about are actually points I can raise in the management letter for the client’s attention. The answer I got was positive, hence I highlighted the points on the audit working paper so that I can take note of them and put them in the management letter afterwards.
Main things that I have learned
- Continued ITGC for Accurus Scientific Ltd and identified the controls that are ineffective.
Comment/idea/opinion
I believe that the more ITGC audit work I do, the faster I can be in identifying the ineffective controls of the company.