Application Controls

Application Controls
Presented to the
National State Auditors Association
2014 Information Technology Conference
This presentation will walk you through the common
application controls and how to audit them.
• Application Controls
– Input controls
– Processing controls
– Output controls
• Auditing Application Controls
– Data integrity testing
– Testing application systems
– Online auditing techniques
Application controls are controls over input,
processing, and output functions.
• Only complete, accurate, and valid data are entered
and updated in a computer system
• Processing accomplishes the correct task
• Processing results meet expectations
• Data is maintained
Application controls can be automated or manual.
Application controls include:
Edit tests
Identification and reporting of missing or exception data
Automated controls combined with manual controls
Application controls help ensure data accuracy,
completeness, validity, verifiability, and consistency,
thus achieving data integrity and reliability.
Application controls ensure:
• System integrity
• System functions as intended
• Information in the system is relevant, reliable, secure, and
available as needed
Input or origination controls ensure that every
transaction is entered, processed, and recorded
accurately and completely.
Types of input controls include:
• Input authorization
• Batch controls and balancing
• Error reporting and handling
Input authorization controls verify that all transactions
have been authorized and approved by management.
Input authorization controls:
Signatures on batch forms or source documents
Online access controls
Unique passwords
Terminal or workstation identification
Source documents
Batch controls combine input transactions into
groups or batches to provide control totals that
are matched to the source documents to verify
that the entire batch was processed.
Batch controls include:
Total monetary amount
Total items
Total documents
Hash totals
Batch balancing controls can be performed through
either a manual or automated reconciliation.
Batch balancing controls must be combined with
adequate follow-up procedures. Batch balancing
controls include:
• Batch registers
• Control accounts
• Computer agreement
Input error reporting and handling ensures only
correct data are accepted into the system and
input errors are identified and corrected.
Input error reporting and handling can be processed
Rejecting transactions with errors
Rejecting the whole batch
Holding batches in suspense
Accepting the batch and flagging error transactions
Input processing requires that controls be
identified to verify that only correct data are
accepted into the system.
Input processing control techniques include:
• Transaction logs – detailed listings of all updates which can be
manually maintained or automatically generated through
computer logs
• Reconciliation of data – ensures all data are properly recorded
and processed
• Documentation – written evidence of control procedures
• Anticipation – user groups anticipate the receipt of data
• Transmittal log – documents the transmission or receipt of data
• Cancellation of source documents – prevents duplicate entry
Input processing also requires that controls
be identified to ensure that input errors are
recognized and corrected.
Error correction procedures include:
Logging of errors
Timely corrections
Upstream resubmission
Approval of corrections
Suspense file
Error file
Validity of corrections
Processing procedures and controls are meant to
ensure the reliability of application program processing.
Processing procedures and controls include:
• Data validation and edits
• Processing controls
• Data file control procedures
Data validation and edit procedures ensure
input data is validated as close to the point
of origination as possible.
• Limit check – benefits check should not exceed a certain
• Range check – students registering for a certain grade should
be in a certain age range
• Validity check – the zip code matches the state in the address
• Sequence check – the check number being paid matches the
range of issued checks
Data validation and edit procedures identify errors, incomplete
or missing data, and inconsistencies among related data items
and ensures only accurate data are processed.
• Existence check – a product number matches a product being
• Completeness check – all required fields are required to be
filled in
• Duplicate check – a duplicate purchase order is identified
• Logical relationship check – the credit card number has been
provided if the payment is by credit card
Processing controls are meant to ensure the completeness
and accuracy of accumulated processed data.
• Edit checks – most of the data validation examples would also
work as edit checks
• Manual recalculation – perform a recalculation of a sample of
transactions to verify the accuracy of calculations, for
example, sales tax
• Run-to-Run totals – control totals are maintained through
various states of processing to verify the completeness of the
• Exception Reports – reports programmatically identify
transactions or data that fall outside a predetermined range
or do not match other specified criteria
Data file control procedures ensure that only
authorized processing occurs in stored data.
Data file security – ensures only authorized users have access to alter the data
through either access to the application or direct access to the database
Source documentation retention – source documents retained for an
adequate time period to enable retrieval, reconstruction, and verification of
data if necessary
Version usage – make sure that the correct, current version of a file is being
Internal and external labels – use on removable media and files to ensure the
correct data is being used
File updating and maintenance authorizations – ensures that maintenance
follows an approved and documented process
Transaction logs – useful in tracking down which transactions were processed
in the event of an error and investigating the cause
Before and after image reporting – useful as a monitoring tool while not as
granular as the transaction log
Output controls are meant to provide assurance that the
data delivered to users will be presented, formatted, and
delivered in an accurate, consistent, and secure manner.
• Tracking of sensitive output:
– Negotiable instruments
– Confidential or sensitive forms
– Critical Forms
• Report distribution control
• Output error handling
• Reconciliation of control counts/totals
The starting point for auditing application controls is
identifying significant application components and the
flow of information through the system.
Understand transaction flow
Assess application risks
Test user controls
Test data integrity
The impact of control weaknesses can be evaluated by reviewing
available documentation and interviewing appropriate personnel.
An analysis of the transaction flow will allow for an
understanding of potential weak points where the
controls should be reviewed.
Points where transactions and data are entered
Points where transaction calculations are performed
Points where data transformations occur
Points where transactions are posted
Points where databases are updated
Points where reports are generated
Points where data are transmitted
A risk assessment can be based on a variety of
factors and can assist in focusing your audit on
the inherent risks of an application.
Recent application changes
Time elapsed since last audit
Complexity of operations
Changes in operations/environment
Transaction volume
Monetary value of transactions
Sensitivity of transactions
Impact of application failure
Key user controls may be directly observed and tested
to determine if they are performing as intended.
Review and testing of access authorizations and capabilities
Separation of duties
Error control and correction
Activity and violation reporting
Distribution of reports
Data integrity tests examine the accuracy,
completeness, consistency, and authorization
of data presently held in a system.
• Determine if data validation routines are functioning correctly
• Determine if database tables are properly defined and
applying appropriate input constraints and data
• Ensure referential integrity for primary and foreign keys in
Data integrity tests will indicate failures in input or processing controls.
Data integrity testing is a set of substantive tests that
examines accuracy, completeness, consistency, and
authorization of data presently held in a system.
• Relational integrity tests - performed at the data element and
record-based levels and enforced through data validation
routines built into the application or by defining the input
condition constraints and data characteristics at the table
definition in the database stage
• Referential integrity tests - define existence of relationships
between entities in different tables of a database that need to
be maintained by the Database Management System (DBMS)
In multi-user transaction systems, it is necessary to
manage parallel user access to stored data typically
controlled by a DBMS and deliver fault tolerance.
Of particular importance are four online data integrity
requirements known collectively as the ACID principle:
• Atomicity - from a user perspective, a transaction is either completed
in its entirety (i.e., all relevant database tables are updated) or not at
• Consistency - all integrity conditions in the database are maintained
with each transaction, taking the database from one consistent state
into another consistent state
• Isolation - each transaction is isolated from other transactions and
hence each transaction only accesses data that are part of a consistent
database state
• Durability - if a transaction has been reported back to a user as
complete, the resulting changes to the database survive subsequent
hardware or software failures
Testing the effectiveness of application controls involves
analyzing computer application programs, testing computer
program controls, and selecting and monitoring transactions.
Methods and techniques for testing application systems include:
Tracing and tagging
Test data/deck
Base-case system evaluation
Parallel operation
Integrated testing facility
Parallel simulation
Transaction selection programs
Embedded audit data collection
Extended records
Continuous online auditing is becoming increasingly
important in today's e-business world.
• Allows IS auditors to monitor the operation of systems on a
continuous basis while normal processing takes place and
gather selective audit evidence through the computer
• Cuts down on needless paperwork and leads to the conduct
of an essentially paperless audit
There are five types of automated evaluation techniques
applicable to continuous online auditing.
• Systems Control Audit Review File and Embedded Audit
Modules (SCARF/EAM)
• Snapshots
• Audit hooks
• Integrated test facility (ITF)
• Continuous and intermittent simulation (CIS)
The selection and implementation of continuous audit techniques
depends, to a large extent, on the complexity and understanding
of an organization's computer systems and applications.
Continuous Audit Technique
Useful When:
Systems Control Audit Review
File and Embedded Audit
Modules (SCARF/EAM)
Regular processing cannot be
An audit trail is required
Audit hooks
Only select transactions or processes
need to be examined
Integrated test facility (ITF)
It is not beneficial to use test data
Continuous and intermittent
simulation (CIS)
Transactions meeting certain criteria
need to be examined
[email protected]

similar documents