The three strategies for testing internal controls would first be to assess a control risk based on user controls. This can be done by comparing computer-generated output with the source documents that can support the transactions. The second strategy would be by planning for a low control risk assessment based on application controls. This means that the auditor should test the computer application controls, test the computer general controls, and test the manual follow up of the exceptions noted by the application controls. The last strategy would be planning for a high control risk assessment based on general controls and manual follow up. When an auditor test the general controls they can usually learn about the effectiveness of the design and testing application controls.
Before any strategy takes place, an auditor must determine the end result desired from the Information Technology being used as well as the type of technology being dealt with. The most important thing is security thus it is vital to know this technology in and out to be able to determine its strengths and weaknesses. This allows for proper compensation to combat such attacks whether they are fraudulent or accidental in nature. It is necessary to be familiar with different types of proven viable internal control setups to properly test and gage an IT’s internal control system. There are three different strategies use when testing internal controls. First includes assessing the controls using user control information. In this strategy, an auditor would gather computer-generated reports and compare those to all documentation on specific transactions. This process is also known as auditing around the computer because it deals with more hard copy documents. The next strategy entails using application controls to determine the level of risk