Application Controls

• Application controls refer to the transactions and data relating to each computer based
application system, therefore, they are specific to each application.
• The objectives of application controls are to ensure completeness and accuracy of the records
and the validity of the entries made in.
• Application controls are controls over input, processing and output functions. They include
methods to ensure that:
– Only complete, accurate and valid data are entered and updated in a computer system.
– Processing accomplishes the correct task.
– Processing results meet the expectations.
– Data are maintained.
 Application Controls (Contd.)
• IS Auditor Tasks:
– Identifying the significant application components and the flow of transactions through
the system and gaining a detailed understanding of the application by reviewing the
available documentation and interviewing appropriate personal.
– Identifying the application control strengths and evaluating the impact of the control
weaknesses.
– Developing a testing strategy.
– Testing the controls to ensure their functionality and effectiveness by applying appropriate
audit procedures.
– Evaluating the control environment by analyzing the test results and other audit evidence
to determine that control objectives were achieved.
– Considering the operational aspects of the application to ensure its efficiency and
effectiveness by comparing the system with efficient system design standards, analyzing
procedures used and comparing them to management’s objectives for the system.
 Application Controls

Input/Origination Controls Processing Procedures and Controls Output Controls

• Must ensure that every transaction to

be processed is entered, processed • Ensure the reliability of application • Assure that the data delivered to users
and recorded accurately and program processing. will be presented, formatted and
completely. delivered in a consistent and secure
• Ensure that only valid and authorized manner.
information is input.
• Ensure that the transactions are only
processed once.
• The system receiving the output of
another system as input/origination
must in turn apply edit checks,
validations and access controls to
those data.

Input Authorization Batch Controls and Balancing
• Verifies that all transactions • Batch controls group input
have been authorized and
approved by management.
• Ensure that only authorized • All input forms are clearly
data are entered for
processing the applications.`
• Signatures on batch
forms or source
documents: provide
evidence of proper
authorization
• Online access controls:
ensure that only
authorized individuals
may access data or
perform sensitive
functions
• Unique passwords:
ensure that access
authorization can not
be compromised
through use of another
individual’s authorized
data access. Also
provide
• Terminal or client
workstation
identification: used to
limit input to specific
terminals
• Source Documents:
The forms used to
record data
Application Controls (Contd.)
Input / Origination Controls
Error Reporting and Handling Batch integrity in online or Database systems
transactions to provide
control totals.
identified with the application
name and transaction codes.
• Total monetary amount:
verification that total
monetary value of items
processed equals the total
monetary value of the
batch documents.
• Total Items: Verification
that the total number of
items included on each
document in the batch
agrees with the total
number of item processed.
• Total documents:
Verification that the
total number of
documents in the
batch equals the total
number of documents
processed
• Hash Totals:
Verification that the
total in a batch agrees
with the total
calculated by the
system
• Batch balancing: can be
performed through
manual or automated
reconciliation.
Adequate controls
should exist to ensure
that each transaction
creates an input
document, all
documents are included
in a batch, all batches
are submitted for
processing, all batches
are accepted by the
computer.
• Only correct data are • Online systems also require control over
accepted into the system input. Batches may be established by the
and input errors are end of the day, the specific terminal or
recognized and corrected. the individual inputting the data. A
• Data conversion error supervisor then review the online batch
corrections are needed and release it to the system for
during the data conversion processing. This method is preferred
process. over review of the output by the same
• Errors can occur due to person preparing the input.
duplication of transactions
and inaccurate data entry.
Input handling can be processed by Input control techniques include
• Rejecting only transactions
with errors: only transactions • Transaction log: contains a
containing the errors would be detailed list of all updates
rejected. The rest of the batch • Reconciliation of data:
would be processed. controls whether all data
• Rejecting the whole batch of received are properly
recorded or processed.
transactions: Any batch
containing errors would be • Documentation: Written
rejected for correction prior evidence of user, data entry
processing and data control
• Holding the batch in suspense: procedures.
Any batches containing errors • Error correction
would not be rejected and procedures: logging of
errors, timely corrections
batch would be held in
• Anticipation: The user or
suspense , pending correction.
• Accepting the batch and command group anticipates
flagging error transactions: the receipt of data.
Any batch containing errors • Transmittal log: Documents
would be processed however, transmission or receipt of
transactions containing errors data
would be flagged for • Cancellation of source
identification, enabling documents: procedures to
subsequent error correction. cancel source documents
• Batch Registers: enable manual recording of batch totals and subsequent
comparison with system reported totals
• Control Accounts: Control account use is performed through an initial edit
file to determine batch totals. The data are then transfer to master file and
reconciliation is performed between the totals processed during the initial
edit file and master file.
• Computer Agreement: Computer agreement with
batch totals is performed through the input of batch
header details that record the batch totals. The system
compare these totals , either accepting or rejecting
the batch.