IT General and

Application Controls
INTRODUCTION TO INPUT CONTRO
LS
 Designed to ensure that the transactions that bring
data into the system are valid, accurate, and compl
ete
 Data input procedures can be either:
 Source document-triggered (batch)
 Direct input (real-time)

 Source document input requires human involveme

nt and is prone to clerical errors.

 Direct input employs real-time editing techniques t

o identify and correct errors immediately
CLASSES OF INPUT CONTROLS

1) Source document controls

2) Data coding controls
3) Batch controls
4) Validation controls
5) Input error correction
6) Generalized data input syste
ms
#1-SOURCE DOCUMENT CONTROL
S
 Controls in systems using physical source doc
uments
 Source document fraud
 To control for exposure, control procedures ar
e needed over source documents to account f
or each one

 Use pre-numbered source documents

 Use source documents in sequence
 Periodically audit source documents
#2-DATA CODING CONTROLS
 Checks on data integrity during processing
 Transcription errors
 Addition errors, extra digits
 Truncation errors, digit removed
 Substitution errors, digit replaced
 Transposition errors
 Single transposition: adjacent digits transposed (reversed)
 Multiple transposition: non-adjacent digits are transposed
 Control = Check digits
 Added to code when created (suffix, prefix, embedde
d)
 Sum of digits (ones): transcription errors only
 Modulus 11: different weights per column: transposition and
transcription errors
 Introduces storage and processing inefficiencies
#3-BATCH CONTROLS
 Method for handling high volumes of transactio
n data – esp. paper-fed IS

 Controls of batch continues thru all phases of s

ystem and all processes (i.e., not JUST an inp
ut control)

1) All records in the batch are processed together

2) No records are processed more than once
3) An audit trail is maintained from input to output

 Requires grouping of similar input transactions

 #3-BATCH CONTROLS
 Requires controlling batch throughout
 Batch transmittal sheet (batch control record)
 Unique batch number (serial #)
 A batch date
 A transaction code
 Number of records in the batch
 Total dollar value of financial field
 Sum of unique non-financial field
 Hash total
 E.g., customer number

 Batch control log

 Hash totals
 #4-VALIDATION CONTROLS
 Intended to detect errors in data befo
re processing

 Most effective if performed close to th

e source of the transaction

 Some require referencing a master fil

e
#4-VALIDATION CONTROLS
 Field Interrogation
 Missing data checks
 Numeric-alphabetic data checks
 Zero-value checks
 Limit checks
 Range checks
 Validity checks
 Check digit
 Record Interrogation
 Reasonableness checks
 Sign checks
 Sequence checks
 File Interrogation
 Internal label checks (tape)
 Version checks
 Expiration date check
#5-INPUT ERROR CORRECTION
 Batch – correct and resubmit
 Controls to make sure errors dealt with co
mpletely and accurately
1) Immediate Correction
2) Create an Error File
 Reverse the effects of partially processe
d, resubmit corrected records
 Reinsert corrected records in processin
g stage where error was detected
3) Reject the Entire Batch
#6-GENERALIZED DATA INPUT SYSTE
MS (GDIS)
 Centralized procedures to manage data input
for all transaction processing systems
 Eliminates need to create redundant routines
for each new application
 Advantages:

 Improves control by having one common sy

stem perform all data validation
 Ensures each AIS application applies a con
sistent standard of data validation
 Improves systems development efficiency
#6-GDIS

 Major components:

1) Generalized Validation Module

2) Validated Data File
3) Error File
4) Error Reports
5) Transaction Log
CLASSES OF PROCESSING CON
TROLS
1) Run-to-Run Controls

2) Operator Intervention Control

s

3) Audit Trail Controls

#1-RUN-TO-RUN (BATCH)

 Use batch figures to monitor

the batch as it moves from o
ne process to another
1) Recalculate Control Totals
2) Check Transaction Codes
3) Sequence Checks
#2-OPERATOR INTERVENTION

 When operator manually enters

controls into the system

 Preference is to derive by logic

or provided by system
#3-AUDIT TRAIL CONTROLS

 Every transaction becomes traceable fr

om input to output
 Each processing step is documented
 Preservation is key to auditability of AIS
 Transaction logs
 Log of automatic transactions
 Listing of automatic transactions
 Unique transaction identifiers [s/n]
 Error listing
 OUTPUT CONTROLS
 Ensure system output:

1) Not misplaced
2) Not misdirected
3) Not corrupted
4) Privacy policy not violated
 Batch systems more susceptible to exposure, r
equire greater controls
 Controlling Batch Systems Output
 Many steps from printer to end user
 Data control clerk check point
 Unacceptable printing should be shredded
 Cost/benefit basis for controls
 Sensitivity of data drives levels of controls
OUTPUT CONTROLS
 Output spooling – risks:
 Access the output file and change criti
cal data values
 Access the file and change the numbe
r of copies to be printed
 Make a copy of the output file so illega
l output can be generated
 Destroy the output file before printing t
ake place
 OUTPUT CONTROLS
 Print Programs
 Operator Intervention:

1) Pausing the print program to load output paper

2) Entering parameters needed by the print run
3) Restarting the print run at a prescribed checkpoint after a
printer malfunction
4) Removing printer output from the printer for review and di
stribution
 Print Program Controls
 Production of unauthorized copies
 Employ output document controls similar to source document cont
rols
 Unauthorized browsing of sensitive data by employees
 Special multi-part paper that blocks certain fields
OUTPUT CONTROLS
 Bursting
 Supervision
 Waste
 Proper disposal of aborted copies an
d carbon copies
 Data control
 Data control group – verify and log
 Report distribution
 Supervision
OUTPUT CONTROLS
 End user controls
 End user detection

 Report retention:
 Statutory requirements (gov’t)
 Number of copies in existence
 Existence of softcopies (backups)
 Destroyed in a manner consistent wit
h the sensitivity of its contents
OUTPUT CONTROLS
 Controlling real-time systems output
 Eliminates intermediaries

 Threats:
 Interception
 Disruption
 Destruction
 Corruption

 Exposures:
 Equipment failure
 Subversive acts

 Systems performance controls

 Chain of custody controls