Apd.04.0020apd.04 - New Or Modified Users.xlsx

  • Uploaded by: Rey Parcon
  • January 2021

Document Title - Test Sheet Template Teammate Ref: [B.1] - Perform Section

ABCD

Client: Northern Cement Corporation

Period-end: December 31, 2017

WP Ref.: APD.04.0020

Prepared by: Abraham C. Almeria, Associate

Reviewed by: Mary Ann Klaire S. Caritos, Supervisor

Reviewed by: Jessamy M. Cepeda, Assistant Manager

I. Control Summary

Control ID: APD.04

Control Title: New or Modified Users

Control Owner: Deborah Rombaoa, IT Manager

Control Description (optional)

Northern Cement Corporation (NCC) has established procedures for user creation and modification requests, which require authorization and approval by the Department Head and MIS Manager before access to relevant application systems is granted in accordance with the user’s job responsibilities. NCC has proper documentation to support the creation of users and the granting of access rights in SAP.

II. Scoping Considerations (KAM 57.1005 and ISA 330.8)

2.1 Have you performed and documented test of operating effectiveness during the evaluation of design and implementation?
No

a) Please document your rationale for deciding to test this control's operating effectiveness during your test of design and implementation.
Not applicable

b) Do we plan to utilize Prior Audit Evidence / Benchmarking as audit evidence for the operating effectiveness of this control? (KAM 57.1055, 1695, 1805). If no, please hide this row.
No

c) Determine the level of automation of this control.
Manual

d) Determine the General IT control type / element.
Access to Programs and Data

Test of Operating Effectiveness

Page 1 of 8

e) Method of obtaining the appropriate audit evidence over the operating effectiveness of this control. (KAM 57.1045, 57.1105)
✘ Inquiry
✘ Observation
✘ Inspection
Reperformance
Prior Period Audit Evidence
Use of work of Internal Audit

2.2 Will roll-forward procedures be required?
Yes

a) Determine if control testing is to be performed at an interim date. (KAM 57.1570, 1580 and ISA 330.A11)

Link 2 | Rollforward Procedures

III. Planned Testing Approach (KAM 57.1035, 1045 and ISA 330.10)

3.1 Define the population

a) Data or report name and date (Population source)
New and Modified Users (S_BCE_68001439)

b) Period Covered:
January 1, 2017 to September 31, 2017

c) Document evaluation performed to relevance and reliability (completeness and accuracy) of the data or report.
Documented results on Link 3 >>>

d) Define the control frequency.
Others

e) Total number of items in population
2 new users & 6 modified users

Link 3 | Data Population C&A

3.2 Determine extent of testing

a) Risk of failure (based on TOD&I) (KAM 57.1340)
Higher

b) Sampling method
Random

c) Sample size
3

d) Sampling rationale
KAM Sampling Guidance

e) Justification if you select more than the minimum (optional)

3.3 Perform testing and evaluate results

a) Document results of testing
Documented results on Link 4 >>>

b) Number of exceptions identified
<0>

Link 4 | Testing

3.5 Control deficiencies

a) Exception considered control deficiency?
No

b) Have you created entry in eAudit?
No

Note that this template is only used for local statutory audits and not for Integrated Audits / ICOFR or SOx Compliance Audit using US GAAS.


Perform update testing for controls tested during an interim audit period (KAM 57.1645)

Note: The procedures on this tab are to be performed at period-end

Suggested procedures

1) Inquire of management and/or control owner regarding changes since interim testing that may impact the control design and operating effectiveness.

2) Considered the following factors in determining the nature and extent of additional audit evidence needed [KAM 57.1645 and ISA 330.A33], and:
a) the significance of the assessed RoMM;
b) risk of failure of the control;
c) whether the control is an automated control;
d) the specific controls that were tested during the interim period, the results of those procedures, and significant changes to them since they were tested, including changes in the information system, processes, and personnel;
e) the degree to which audit evidence about the operating effectiveness of those controls was obtained at the interim date;
f) the length of the remaining period;
g) the extent to which we intend to reduce further substantive procedures based on the reliance of controls; and
h) the effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls and the entity’s risk assessment process.

3) Determined that inquiry alone (see procedure 1) above) provides sufficient evidence about the continued operating effectiveness of the GITC.

Results

There were no changes in the process regarding the control for the roll forward period. There were no exceptions noted on the roll forward samples as well.

Reference Tab/Link (if applicable)

Re 1st Follow-up 2017 NCC-KPMG IT Audit SAP ECC 6 0 APD Roll Forward Confirmation.msg

Tips: If appropriate, the additional audit evidence needed during the intervening period may be obtained from using the work of internal audit function.

ABCD

Data Population Completeness & Accuracy

Extracted data are complete as the KPMG IRM Team has performed the actual extraction and verified on set that the data extracted and transported using the encrypted media device contains the same records.

ABCD

Control Tested: <Title>

Test procedures

Detail procedures followed to test the control, including names and titles of client contacts, name of KPMG team member who performed the work, and how it was determined the population from which samples were taken was complete and accurate.

a) Perform inquiry with personnel knowledgeable of the control to gain an understanding of how the control is designed and implemented.

b) Using the system, determine the population of new or changed access rights. Inspect, by examining records or documents, a sample during the relevant period to determine whether appropriate supporting evidence exists of the review and approval of user access. In addition, determine if the review and approval was performed in accordance with agreed upon working practices/policies. Evidence of performance of the control could include an explicit approval (e.g., a signature or initials on the document, etc.) or other evidence of review (e.g., written explanations, checkmarks, or other indications of follow up, such as an email).

c) Evaluate whether the approval, which includes determining that access requested is commensurate with job responsibilities, is performed by appropriate personnel.

d) Evaluate the appropriateness of the person performing the control.

e) Document the desired level of evidence sought when performing the test(s) of control documented in this working paper.

Control attributes

A SAP ID Request Form and SAP Job/Task Authorization Request Form are properly defined and documented
B Approved by the Department Head and MIS Manager
C Access right given is commensurate to job function
D Access right granted is in accordance with the request.

Tickmark legend

NA Not applicable
✓ No exception noted
* Observation noted
X Exception noted

Testing table

Sample Details

Columns: #, USER_NAME, DATE, TIME, ACTION, OLD_VALUE, NEW_VALUE, TEXT1, TEXT, Attributes (A) to (D), Notes, Supporting doc. reference, With Exception or No Exception?

Attributes:
(A) SAP ID Request Form and SAP Job/Task Authorization Request Form are properly defined and documented
(B) Approved by the Department Head and MIS Manager
(C) Access right given is commensurate to job function
(D) Access right granted is in accordance with the request

Sample 1
USER_NAME: SAPSUPPORT
DATE: 6/24/2017
TIME: 22:00:12
ACTION: User created
Attribute tickmarks: X (one attribute), ✓ (three attributes)
Notes: Observation under note 1, however, please see supporting response.
Supporting doc. reference: Link 1
With Exception or No Exception?: No Exception

Sample 2
USER_NAME: BASISADM01
DATE: 06/30/17
TIME: 14:16:16
ACTION: Profile Added
NEW_VALUE: SAP_ALL
TEXT: All SAP System authorizations
Attribute tickmarks: X (one attribute), ✓ (three attributes)
Notes: Observation under note 1, however, please see supporting response.
With Exception or No Exception?: No Exception

Sample 3
USER_NAME: GUARDIANOG
DATE: 2/9/2017
TIME: 13:17:17
ACTION: Profile Added
NEW_VALUE: NCC-MIRO__
TEXT: NCC-ENTER INVOICE TASK
Attribute tickmarks: ✓ ✓ ✓ ✓
Notes: Please refer to supporting document.
With Exception or No Exception?: No Exception

Sample 4
USER_NAME: PAREDESC
DATE: 01/13/17
TIME: 17:39:33
ACTION: Profile Added
NEW_VALUE: ALL-ME51N_
TEXT: ALL-MM CREATION OF PURCHASE REQUISITION
Attribute tickmarks: ✓ ✓ ✓ ✓
Notes: Please refer to supporting document.
With Exception or No Exception?: No Exception

Sample 5
USER_NAME: SARROSAR
DATE: 9/13/2017
TIME: 15:37:49
ACTION: Profile Added (for each profile listed below)
Profiles (NEW_VALUE, TEXT):
NCC-SE16__, NCC-DATA BROWSER
NCC_SPALV1, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV11, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV12, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV13, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV14, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV15, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV16, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV17, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV18, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
NCC_SPALV19, Profile for role NCC-SAP-ALL-VIEW-N-01-01212015
Attribute tickmarks (each profile): ✓ ✓ ✓ ✓
Notes (each profile): Please refer to supporting document.
With Exception or No Exception? (each profile): No Exception

Details of Observation(s) Noted

Note 1 - Documentation is not required for emergency purposes. This was observed; however, it was regarded as a valid action taken, as no policy is currently in place to prevent and require documentation for emergency purposes.

Test Conclusion

No exception noted.

Evidences

BASISADM01 & SAP SUPPORT.zip
GUARDIANO.zip
PAREDESC.zip
SARROSAR.zip


KAM Guidance [57.2100]: “General IT controls may be manual, manual with an automated component, or automated. Where a general IT control is manual or manual with an automated component, the guidance above related to the extent of testing of manual controls may be used to determine the extent of testing of general IT controls. Where a general IT control is automated, we use our professional judgment, combined with the guidance in this section and the guidance on extent of testing in the section in this KAM topic beginning at KAM 57.1275.”
