IT Audit Program for Application Controls

Areas of Risk Possible errors or Irregularities Audit Objectives Audit Procedures

 Entry of the unauthorized data  To ensure the completeness and
 Data entered into the application may accuracy of the records and the validity of
be irrelevant. the entries made therein.
 Incomplete data entry  To minimize the likelihood of input
 Entry of duplicate/redundant data controls by allowing users to select from
 Loss of assets a limited number of alternative choices
 Incompetent employees rather than inputting data.
 To determine the data inputted are
authorized and authenticated.
 To ensure that authorized personnel are
trained.
 To verify the existence and operation of
1. Input Controls manual data entry controls to prevent the
entry of duplicate records.
 To verify that controls exist to prevent
unauthorized changes to system
programs such as calculations and
tables.
 To determine whether appropriate
segregation of duties exists to prevent
users from both entering and authorizing
transactions.
 Review the source code to ensure that the defined edits
are included and are coded properly to achieve the
desired result.
 Review test results performed by the auditor as the system
is being developed or modified.
 Obtain data input procedures and verify that individuals
responsible for entering data have been trained on the
preparation, entry, and control of input.
 Include the pre-numbering of source documents and the
marking of records as “input” after entry.
 Input source verification to provide assurance that data is
only being modified by, or disclosed to, authorized
individuals at known locations during approved time
frames.
 Use audit software developed specifically to read the log
to get a report listing the totals and details of all
transactions processed for the day.
 Use input controls such as check digit, missing data
check, numeric-alphabetic check, limit check, range check,
reasonable check, and validity check.

 Data redundancy
 Inaccurate processing of transactions
leading to wrong outputs/results
 Some of the transactions being
2. Data Processing Controls processed by the application may
remain incomplete
 To ensure processing accomplished the
desired tasks.
 To provide reasonable assurance that
data processing has been performed
accurately, without any omission or
duplication of transactions.
 To identify data errors, incomplete or
missing data and inconsistencies among
related data items.
 To ensure that all rejected transactions
have been identified and reprocessed in
a timely manner.
 To determine the critical edits and checks
necessary for each application.
 Obtain procedures for handling rejected transactions and
subsequent error correction and determine whether
personnel responsible for error correction and data re-
entry have been adequately trained.
 Determine whether routines are embedded within the
application that ensure all correctly entered transactions
are actually processed and posted as intended in the
correct accounting period.
 Verify output is reviewed or reconciled against source
documents for completeness and accuracy, including
verification of control totals.
 Verify a mechanism is in place for notifying the process
owner when transactions have been rejected or errors
have occurred.

 Unauthorized copying of reports
 Repeated errors in the output
generated leading to loss of revenue,
loss of creditability of the system as
3. Output Controls well as that of the organization.
 Non-availability of the data at the time
when it is desired.
 The information which may be of very
confidential nature may go to the wrong
hands.
References:
https://onlinelibrary.wiley.com/doi/pdf/10.1002/9781119203728.app2?fbclid=IwAR3ZwMtT1qaw-zX5sxmC44HFJ7TuWO37RvVQ4qqBsbzbm3303SUmk8t6R3w&
https://www.undp.org/content/dam/albania/docs/STAR/IT%20AUDIT%20MANUAL.pdf
https://www.asu.edu/fs/documents/icq/IT_application_controls_icq.pdf
https://resources.infosecinstitute.com/itac-application-controls/#gref
 To ensure output reports are
protected from disclosure.
 To determine that all output is produced
and distributed on time, physically
controlled at all times, depending on the
confidentiality of the document and errors
and exceptions are properly investigated
and acted upon.
 To ensure that all transaction output has
been distributed to appropriate personnel
and that sensitive and confidential
information is protected during
distribution.
 To ensure that an output report is created
at the designated time and covers the
designated period.
 Use processing controls such as file and operator controls,
run-to-run controls, control total reports, and limit and
reasonableness tests.
 Execute software utility that will dump a few records of the
encrypted file and verify that the printed data is encrypted.
 Review the management of encryption keys and
encryption terminal definitions.
 Identify that the report covers the designated period via
reconciliation against source documents from that period.
 Review existing data output procedures and determine
whether they document which personnel receive the data
output and how the data will be protected during
distribution.
 Obtain data output procedures and gain an understanding
of the review process and verify that individuals
responsible for data entry have been trained on the review
and verification of data output.