
APPLICATION CONTROLS
Application Controls
• transactions and data relating to each computer-based
application system and are, therefore, specific to each
such application

 Valid
 Accurate
 Complete
Application Controls
Input → Processing → Output

Source Document triggered
• By Batch
• Human Involvement

Direct Input
• Real-time


Input Controls

Input authorization
• Source document controls
• Signatures on batch forms
• Unique passwords
• Terminal or client workstation identification
• Online access controls
Input Controls
Validation Controls
 Field Interrogation
 Missing data checks
 Numeric-alphabetic data checks
 Zero-value checks
 Limit checks
 Range checks
 Validity checks
 Check digit
 Record Interrogation
 Reasonableness checks
 Sign checks
 Sequence checks
 File Interrogation
 Version checks
 Expiration date check
Input Controls

Batch Controls and Balancing


• Similar types of input transactions
• Processed together, once
• Batch Transmittal sheet
• Total Monetary amount
• Total items
• Total documents
• Hash totals
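
Batch balancing as an added example (not part of the original slides): the control totals on a batch transmittal sheet are recomputed from the records actually received and compared. The field names, the sample batch, and the choice of account numbers as the hash-total field are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed sample: transmittal sheet prepared by the originating department.
TRANSMITTAL = {
    "batch_id": "B-0001",
    "total_documents": 2,
    "total_items": 3,
    "total_amount": Decimal("1250.00"),
    "hash_total": 100482 + 100482 + 200917,  # sum of account numbers
}

# Constructed sample: records as keyed in (document number, account, amount).
RECORDS = [
    ("D1", "100482", "500.00"),
    ("D1", "100482", "250.00"),
    ("D2", "200917", "500.00"),
]


def compute_totals(records):
    """Recompute the control totals from the records actually received."""
    return {
        "total_documents": len({doc for doc, _, _ in records}),
        "total_items": len(records),
        "total_amount": sum((Decimal(a) for _, _, a in records), Decimal("0")),
        "hash_total": sum(int(acct) for _, acct, _ in records),
    }


def balance_batch(transmittal, records):
    """Return {control: (expected, actual)} for every total out of balance."""
    actual = compute_totals(records)
    return {
        name: (transmittal[name], value)
        for name, value in actual.items()
        if transmittal[name] != value
    }


if __name__ == "__main__":
    print(balance_batch(TRANSMITTAL, RECORDS))  # balanced batch
    # Same batch with the last account number mis-keyed: counts and amount still agree.
    altered = RECORDS[:2] + [("D2", "200971", "500.00")]
    print(balance_batch(TRANSMITTAL, altered))
```

The altered batch balances on documents, items and monetary amount; only the hash total over a non-financial field exposes the mis-keyed account number.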
Input Controls: Error Handling

• Reject errors
• Reject Batch
• Suspend Batch
• Accept Batch and Flag errors

INPUT CONTROL:
• Transaction Log
• Reconciliation of Data
• Documentation
• Error Correction Procedures
• Transmittal Log
• Cancellation of Source Document
Application Controls
Processing
• Run-to-Run Controls
• Operator Intervention Controls
• Audit Trail Controls
Ensure System Output


 Not misplaced
 Not misdirected
 Not corrupted
 Privacy policy not violated
Output Controls
• SPOOL: Simultaneous Peripheral Operations Online
Risks:
• Access output file and change critical data values
• Access file and change number of copies to be printed
• Copy file illegally
• Destruction before printing
Output Controls
Bursting • Supervision

Waste • Proper disposal of aborted copies and carbon copies

Data control group • Verify and log

Report Distribution • Supervision

End user • End user detection

Report Retention
• Statutory Requirements
• Number of copies
• Backups
• Destroyed

Print Program • Controls


AUDITING APPLICATION CONTROLS
Auditing Application Controls
• Observation and testing users
• SOD, Authorizations, error controls, distribution of reports, etc.

• Data integrity testing


• Relational integrity tests – data element and record level
• Referential integrity tests

• Testing Application Controls


TESTING APPLICATION CONTROLS
White Box (through)
 Relies on in-depth understanding of the internal logic of the application
 Uses small volume of carefully crafted, custom test transactions to verify specific aspects of logic and controls
 Allows auditors to conduct precise test with known outcomes, which can be compared objectively to actual results

Black Box (around)
 Ignore internal logic of application
 Use functional characteristics
   Flowcharts
   Interview key personnel
 Advantages:
   Do not have to remove application from operations to test it
 Appropriately applied:
   Simple applications
   Relative low level of risk
Hall, 3e 20