DR YS PATIL,
ASSOCIATE PROFESSOR,
VAMNICOM, PUNE
The Application Control Framework
Introduction:
The increasing use of computers for processing business information has added new aspects to the review and evaluation of internal controls for audit purposes. An organization might have completely computerized its operations, or some of them may be manual and the rest computerized. The invisibility of records, and the fact that internal controls are built into the computer program, add to the complexity of computer security and hence to the necessity for specific controls.
Controls could be broadly classified as follows:
Preventive
Detective
Corrective
According to the area of operation, controls could be broadly classified as:
Management controls
Organisational controls
Operational controls
Application Controls
Management controls
Promulgating a Security Policy
Business Continuity Plan
Formalising Systems Development Methodology
Physical Security Controls
Premises: the construction of the premises should be such as to ensure a secure environment for the company's IT functions
Equipping the building with fire detection and protection equipment
Ensuring a constant and protected power supply, and
Ensuring that all precautions are taken to prevent any water stagnation due to wrong construction of drainage etc.
Storage of Computer Equipment and Software
Personnel Security Controls
Procedural Security within the Organisation
Data Ownership
Software link information
Documentation Information
Procedural Security External to the Organisation
Business Continuity Plan
Uninterrupted functioning of the organization
Minimise recovery time
Support business recovery plan
Systems Development Methodology
Feasibility Study
Structure Analysis
Requirements Definition
Software Development
Detailed Design
Programming
Testing
Implementation
Post Implementation Review
Organisational Controls
• Business Management Objectives
• Policies and Procedures
• Information Systems Management Practices
Organisational Structure
Controls in Computer Operations
• Physical Security
• Data Security
• Processing Controls
• Data Base Administration
Systems Development
• Systems Analysis
• Application Programming
Separation of Duties
Operational Controls
• Physical Access Controls
• Environmental Controls
Physical Access Controls
1. Computer Room
2. Programming Area
3. Operator Consoles and Terminals
4. All Magnetic Media
5. Storage Rooms and Supply
6. Micro Computers and Personal Computers
7. Power Sources
8. Front-end Processors
9. Portable Equipment like hand-held scanners / core readers, printers, modems etc.
10. Entry Doors
11. Glass Windows and Walls
12. Ventilation Systems
13. Locked Doors
14. Electronic Door Locks
15. Logging of Entry
16. Photo ID Cards
17. Deadman Doors
18. Computer Terminal Locks
Environmental Controls
Control Measures to Protect Against Fire
1. Providing Fire Extinguishers
2. Smoke Detectors
3. Fire Suppression Systems
4. Halogen Gas
Provision of Electric Supply
Application Controls
1. Batch processing System
2. Integrated On-line Business System
3. Point of Sale System
4. Office Automation
5. Automatic Teller Machines
6. Input/Originating Controls
7. Online Access Controls
8. Unique Passwords
9. Terminal Identification
10. Input controls
11. Processing Controls
12. Output Controls
Input Controls
Batch Processing
Batch Input Error Processing
Data Validation and Editing
• Validity Check
• Existence / Table Look ups
• Reasonableness Check
• Dependency Check
• Format Check
• Mathematical Accuracy Check
• Range Check
• Check Digit Verification
Processing Controls
• Programming Errors
• Operational Errors
Programming Errors
Operational Errors
• Wrong Data Files
• Equipment Failure
• Outdated Operating Instructions
• Lack of Proper Training
• Missing Data
• Sequence Check
• Limit Check
• Range Check
• Field Overflow
• Division by Zero
• Run-to-Run Total
• Exception Reports
Output Controls
• Control over Sensitive Documents
• Control over Stored Data
Application Controls
for Transaction Processing
Input Controls
Data transcription: the preparation of data for computerized processing.
Preformatted screens: make the electronic version look like the printed version.
Edit Tests
Edit tests examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality.
Real-time systems use edit checks during data entry.
Examples of Edit Tests
• Create
• Modify
• Delete
• Read
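The edit tests described above, together with the data validation checks listed earlier (validity, existence/table look-up, reasonableness, dependency, format, mathematical accuracy, range and check digit), as an added worked example in Python that is not part of the original slides. The account master file, transaction layout, limits and sample batch are constructed for illustration, and the check-digit scheme assumed is Luhn mod 10.

```python
import re
# Constructed master data standing in for the table look-up file and code list.
ACCOUNT_MASTER = {"1001", "1002", "1003"}      # existence / table look-up
VALID_TXN_CODES = {"SALE", "REFUND"}           # validity check
MAX_REASONABLE_AMOUNT = 50_000.00              # reasonableness check (assumed limit)
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")   # format check
def luhn_ok(number: str) -> bool:   # check-digit verification (Luhn mod 10)
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_test(txn: dict) -> list:   # returns the failures; an empty list means accepted
    errors = []
    qty, price, amount = txn.get("qty", 0), txn.get("unit_price", 0), txn.get("amount", 0)
    if txn.get("code") not in VALID_TXN_CODES:
        errors.append("validity: unknown transaction code")
    if txn.get("account") not in ACCOUNT_MASTER:
        errors.append("existence: account not in master file")
    if not DATE_RE.match(str(txn.get("date", ""))):
        errors.append("format: date must be YYYY-MM-DD")
    if not 1 <= qty <= 999:
        errors.append("range: qty must be 1..999")
    if abs(qty * price - amount) > 0.005:
        errors.append("mathematical accuracy: qty * unit_price != amount")
    if amount > MAX_REASONABLE_AMOUNT:
        errors.append("reasonableness: amount exceeds expected maximum")
    if txn.get("code") == "REFUND" and not txn.get("original_ref"):
        errors.append("dependency: REFUND requires original_ref")
    if not luhn_ok(str(txn.get("card", ""))):
        errors.append("check digit: card number fails Luhn")
    return errors
def process_batch(batch: list) -> tuple:   # accepted transactions plus an exception report
    accepted, exceptions = [], []
    for txn in batch:
        errs = edit_test(txn)
        if errs:
            exceptions.append((txn["id"], errs))
        else:
            accepted.append(txn)
    return accepted, exceptions

SAMPLE_BATCH = [  # constructed sample data; 79927398713 is the standard valid Luhn example
    {"id": 1, "code": "SALE", "account": "1001", "date": "2024-03-01", "qty": 2, "unit_price": 10.0, "amount": 20.0, "card": "79927398713"},
    {"id": 2, "code": "REFUND", "account": "1002", "date": "2024-03-01", "qty": 1, "unit_price": 5.0, "amount": 5.0, "card": "79927398713"},
    {"id": 3, "code": "SALE", "account": "9999", "date": "01/03/2024", "qty": 0, "unit_price": 1.0, "amount": 9.0, "card": "79927398710"},
]
```

Running `process_batch(SAMPLE_BATCH)` accepts transaction 1 and lists transactions 2 and 3 on the exception report with the specific edit tests each failed.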
Controls required in Database
Access Controls
Integrated Controls
Cryptographic Controls
File Handling Controls
Audit Trail Controls
Existence Controls
Grandfather-Father-Son strategy
Dual recording / Mirroring
Dumping