Document Title - Test Sheet Template Teammate Ref: [B.1] - Perform Section
Client: Northern Cement Corporation
Period-end: December 31, 2017
WP Ref.: APD.04.0020
Prepared by: Abraham C. Almeria, Associate
Reviewed by: Mary Ann Klaire S. Caritos, Supervisor
Reviewed by: Jessamy M. Cepeda, Assistant Manager

I. Control Summary
Control ID: APD.04
Control Title: New or Modified Users
Control Owner: Deborah Rombaoa, IT Manager
Control Description (optional):
Northern Cement Corporation (NCC) has established procedures for user creation and modification requests, which require authorization and approval by the Department Head and MIS Manager before access to relevant application systems is granted in accordance with the user’s job responsibilities. NCC has proper documentation to support the creation of users and the granting of access rights to users in SAP.

II. Scoping Considerations (KAM 57.1005 and ISA 330.8)
2.1 Have you performed and documented test of operating effectiveness during the evaluation of design and implementation? No
a) Please document your rationale for deciding to test this control's operating effectiveness during your test of design and implementation. Not applicable
b) Do we plan to utilize Prior Audit Evidence / Benchmarking as audit evidence for the operating effectiveness of this control? (KAM 57.1055, 1695, 1805). If no, please hide this row. No
c) Determine the level of automation of this control. Manual
d) Determine the General IT control type / element. Access to Programs and Data
e) Method of obtaining the appropriate audit evidence over the operating effectiveness of this control. (KAM 57.1045, 57.1105)
✘ Inquiry ✘ Observation ✘ Inspection
Reperformance, Prior Period Audit Evidence, Use of work of Internal Audit
2.2 Will roll-forward procedures be required?
Yes
a) Determine if control testing is to be performed at an interim date. (KAM 57.1570, 1580 and ISA 330.A11)
Link 2 | Rollforward Procedures

III. Planned Testing Approach (KAM 57.1035, 1045 and ISA 330.10)
3.1 Define the population
a) Data or report name and date (Population source): New and Modified Users (S_BCE_68001439)
b) Period Covered: January 1, 2017 to September 31, 2017
c) Document evaluation performed to relevance and reliability (completeness and accuracy) of the data or report: Documented results on Link 3 >>> (Link 3 | Data Population C&A)
d) Define the control frequency: Others
e) Total number of items in population: 2 new users & 6 modified users
3.2 Determine extent of testing
a) Risk of failure (based on TOD&I) (KAM 57.1340): Higher
b) Sampling method: Random
c) Sample size: 3
d) Sampling rationale: KAM Sampling Guidance
e) Justification if you select more than the minimum (optional)
3.3 Perform testing and evaluate results
a) Document results of testing: Documented results on Link 4 >>> (Link 4 | Testing)
b) Number of exceptions identified: <0>
3.5 Control deficiencies
a) Exception considered control deficiency? No
b) Have you created entry in eAudit? No
Note that this template is only used for local statutory audits and not for Integrated Audits / ICOFR or SOx Compliance Audit using US GAAS.

Perform update testing for controls tested during an interim audit period (KAM 57.1645)
Note: The procedures on this tab are to be performed at period-end

Suggested procedures
1) Inquire of management and/or control owner regarding changes since interim testing that may impact the control design and operating effectiveness.
2) Considered the following factors in determining the nature and extent of additional audit evidence needed [KAM 57.1645 and ISA 330.A33], and:
a) the significance of the assessed RoMM;
b) risk of failure of the control;
c) whether the control is an automated control;
d) the specific controls that were tested during the interim period, the results of those procedures, and significant changes to them since they were tested, including changes in the information system, processes, and personnel;
e) the degree to which audit evidence about the operating effectiveness of those controls was obtained at the interim date;
f) the length of the remaining period;
g) the extent to which we intend to reduce further substantive procedures based on the reliance of controls; and
h) the effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls and the entity’s risk assessment process.
3) Determined that inquiry alone (see procedure 1) above) provides sufficient evidence about the continued operating effectiveness of the GITC.
Tips: If appropriate, the additional audit evidence needed during the intervening period may be obtained from using the work of internal audit function.

Results
There were no changes in the process regarding the control for the roll forward period. There were no exceptions noted on the roll forward samples as well.

Reference Tab/Link (if applicable)
Re 1st Follow-up 2017 NCC-KPMG IT Audit SAP ECC 6 0 APD Roll Forward Confirmation.msg

Data Population Completeness & Accuracy
Extracted data are complete, as the KPMG IRM Team performed the actual extraction and verified on site that the data extracted and transported using the encrypted media device contains the same records.

Control Tested: <Title>

Test procedures
Detail procedures followed to test the control, including names and titles of client contacts, name of KPMG team member who performed the work, and how it was determined the population from which samples were taken was complete and accurate.
a) Perform inquiry with personnel knowledgeable of the control to gain an understanding of how the control is designed and implemented.
b) Using the system, determine the population of new or changed access rights. Inspect, by examining records or documents, a sample during the relevant period to determine whether appropriate supporting evidence exists of the review and approval of user access. In addition, determine if the review and approval was performed in accordance with agreed upon working practices/policies. Evidence of performance of the control could include an explicit approval (e.g., a signature or initials on the document, etc.) or other evidence of review (e.g., written explanations, checkmarks, or other indications of follow up, such as an email).
c) Evaluate whether the approval, which includes determining that access requested is commensurate with job responsibilities, is performed by appropriate personnel.
d) Evaluate the appropriateness of the person performing the control.
e) Document the desired level of evidence sought when performing the test(s) of control documented in this working paper.

Control attributes
A SAP ID Request Form and SAP Job/Task Authorization Request Form are properly defined and documented
B Approved by the Department Head and MIS Manager
C Access right given is commensurate to job function
D Access right granted is in accordance with the request.

Tickmark legend
NA Not applicable
No exception noted
* Observation noted
X Exception noted

Testing table
Sample Details
# | USER_NAME | DATE | TIME | ACTION | OLD_VALUE | NEW_VALUE | TEXT1 / TEXT | Attributes (A)-(D) | Notes | Supporting doc. reference | With Exception or No Exception?
1 | SAPSUPPORT | 6/24/2017 | 22:00:12 | User created | | | | X | Observation under note 1, however, please see supporting response. | Link 1 | No Exception
2 | BASISADM01 | 06/30/17 | 14:16:16 | Profile Added | | SAP_ALL | All SAP System authorizations | X | Observation under note 1, however, please see supporting response. | | No Exception
3 | GUARDIANOG | 2/9/2017 | 13:17:17 | Profile Added | | NCC-MIRO__ | NCC-ENTER INVOICE TASK | | Please refer to supporting document. | | No Exception
4 | PAREDESC | 01/13/17 | 17:39:33 | Profile Added | | ALL-ME51N_ | ALL-MM CREATION OF PURCHASE REQUISITION | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC-SE16__ | NCC-DATA BROWSER | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV1 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
5 | SARROSAR | 9/13/2017 | 15:37:49 | Profile Added | | NCC_SPALV11 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV12 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV13 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV14 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV15 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV16 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV17 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV18 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception
  | | | | Profile Added | | NCC_SPALV19 | Profile for role NCC-SAP-ALL-VIEW-N-01-01212015 | | Please refer to supporting document. | | No Exception

Details of Observation(s) Noted
Note 1 - Documentation is not required for emergency purposes. This was observed; however, it was regarded as a valid action taken, as no policy is currently in place to prevent it and to require documentation for emergency purposes.

Test Conclusion
No exception noted.

Evidences
BASISADM01 & SAP SUPPORT.zip
GUARDIANO.zip
PAREDESC.zip
SARROSAR.zip
KAM Guidance [57.2100]: “General IT controls may be manual, manual with an automated component, or automated. Where a general IT control is manual or manual with an automated component, the guidance above related to the extent of testing of manual controls may be used to determine the extent of testing of general IT controls. Where a general IT control is automated, we use our professional judgment, combined with the guidance in this section and the guidance on extent of testing in the section in this KAM topic beginning at KAM 57.1275.”