
The Application Control Framework

Dr Y S Patil,
Associate Professor,
VAMNICOM, Pune

Introduction:
The increasing use of computers for processing business information has added new aspects to the review and evaluation of internal controls for audit purposes. An organization might have completely computerized its operations, or some of it may be manual and the rest computerized. The invisibility of records, and the fact that the internal controls are built into the computer programs, add to the complexity of computer security and hence to the necessity for specific controls.
Controls could be broadly classified as follows:
• Preventive
• Detective
• Corrective
According to the area of operation, controls could be broadly classified as:
• Management controls
• Organisational controls
• Operational controls
• Application Controls
Management controls
• Promulgating a Security Policy
• Business Continuity Plan
• Formalising Systems Development Methodology
Physical Security Controls
• Premises: the construction of the premises should be such as to ensure a secure environment for the company's IT functions
• Equipping the building with fire detection and protection equipment
• Ensuring constant and protected power supply
• Ensuring that all precautions are taken to prevent any water stagnation due to wrong construction of drainage etc.
• Storage of Computer Equipment and Software
Personnel Security Controls
Procedural Security within the Organisation
• Data Ownership
• Software link information
• Documentation Information
Procedural Security External to the Organisation
Business Continuity Plan
• Uninterrupted functioning of the organization
• Minimise recovery time
• Support business recovery plan
Systems Development Methodology
• Feasibility Study
• Structured Analysis
• Requirements Definition
• Software Development
• Detailed Design
• Programming
• Testing
• Implementation
• Post Implementation Review
Organisational Controls
• Business Management Objectives
• Policies and Procedures
• Information Systems Management Practices
Organisational Structure
Controls in Computer Operations
• Physical Security
• Data Security
• Processing Controls
• Data Base Administration
Systems Development
• Systems Analysis
• Application Programming
Separation of Duties
Operational Controls
• Physical Access Controls
• Environmental Controls
Physical Access Controls
1. Computer Room
2. Programming Area
3. Operator Consoles and Terminals
4. All Magnetic Media
5. Storage Rooms and Supply
6. Micro Computers and Personal Computers
7. Power Sources
8. Front-end Processors
9. Portable Equipment like hand-held scanners / card readers, printers, modems etc.
10. Entry Doors
11. Glass Windows and Walls
12. Ventilation Systems
13. Locked Doors
14. Electronic Door Locks
15. Logging of Entry
16. Photo ID Cards
17. Deadman Doors
18. Computer Terminal Locks
Environmental Controls
Control measures to protect against fire:
1. Providing Fire Extinguishers
2. Smoke Detectors
3. Fire Suppression Systems
4. Halogen Gas
Provision of Electric Supply
Application Controls
1. Batch Processing System
2. Integrated On-line Business System
3. Point of Sale System
4. Office Automation
5. Automatic Teller Machines
6. Input/Originating Controls
7. Online Access Controls
8. Unique Passwords
9. Terminal Identification
10. Input Controls
11. Processing Controls
12. Output Controls
Input Controls
Batch Processing
Batch Input Error Processing
Data Validation and Editing
• Validity Check
• Existence / Table Look ups
• Reasonableness Check
• Dependency Check
• Format Check
• Mathematical Accuracy Check
• Range Check
• Check Digit Verification
Processing Controls
• Programming Errors
• Operational Errors
Operational Errors
• Wrong Data Files
• Equipment Failure
• Outdated Operating Instructions
• Lack of Proper Training
Processing Checks
• Missing Data
• Sequence Check
• Limit Check
• Range Check
• Field Overflow
• Division by Zero
• Run to Run Total
• Exception Reports
Output Controls
• Control over Sensitive Documents
• Control over Stored Data
Application Controls for Transaction Processing
Input Controls
Input controls attempt to ensure the
• validity
• accuracy
• completeness
of the data entered into an AIS.
The categories of input controls include:
• observation, recording, and transcription of data
• edit tests
• additional input controls
Observation, Recording, and Transcription of Data
The observation control procedures to assist in collecting data are:
• feedback mechanism
• dual observation
• point-of-sale (POS) devices
• preprinted recording forms
Data Transcription
• Data transcription: the preparation of data for computerized processing
• Preformatted screens: make the electronic version look like the printed version
Edit Tests
Input validation routines (edit programs)
• check the validity
• check the accuracy
after the data have been
• entered, and
• recorded on a machine-readable file of input data
Edit Tests
Edit tests
• examine selected fields of input data, and
• reject those transactions whose data fields do not meet the pre-established standards of data quality
Real-time systems use edit checks during data entry.
Examples of Edit Tests
The following are examples of edit tests:
• Numeric field
• Alphabetic field
• Alphanumeric field
• Valid code
• Reasonableness
• Sign
• Completeness
• Sequence
• Consistency
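The edit tests listed above, together with the check digit verification named earlier under Data Validation and Editing, are shown here as a worked example added to this page; the code is not from the original slides. The field names, the 8-digit account number format, the mod-10 (Luhn) check-digit scheme, the 100000 reasonableness ceiling and the department/transaction code tables are all assumptions made for illustration, and the sample batch is constructed.

```python
"""Edit tests over a constructed batch of transactions (added example, not from the slides)."""
import re

# Constructed reference tables; a real AIS would load these from master files.
VALID_DEPT_CODES = {"D01", "D02", "D03"}
VALID_TXN_TYPES = {"SALE", "REFUND"}
ACCOUNT_FORMAT = re.compile(r"^\d{8}$")   # assumed: 8-digit account numbers
REASONABLE_AMOUNT_LIMIT = 100_000          # assumed reasonableness ceiling


def luhn_ok(number: str) -> bool:
    """Check-digit verification with the mod-10 (Luhn) scheme (assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(txn: dict) -> list[str]:
    """Field-level edit tests for one record; returns the reasons it fails (empty = accepted)."""
    errors = []
    # Completeness test: every required field present and non-blank
    for field in ("seq", "account", "dept", "type", "amount"):
        if txn.get(field) in (None, ""):
            errors.append(f"completeness: {field} missing")
    if errors:
        return errors                     # the remaining tests need these fields
    # Numeric field and format tests
    if not str(txn["seq"]).isdigit():
        errors.append("numeric: seq")
    if not ACCOUNT_FORMAT.match(str(txn["account"])):
        errors.append("format: account must be 8 digits")
    elif not luhn_ok(str(txn["account"])):
        errors.append("check digit: account")
    # Alphabetic and alphanumeric field tests
    if not str(txn["type"]).isalpha():
        errors.append("alphabetic: type")
    if not str(txn["dept"]).isalnum():
        errors.append("alphanumeric: dept")
    # Valid code / existence (table look-up) tests
    if txn["dept"] not in VALID_DEPT_CODES:
        errors.append("valid code: dept")
    if txn["type"] not in VALID_TXN_TYPES:
        errors.append("valid code: type")
    # Sign and reasonableness (range) tests on the money field
    try:
        amount = float(txn["amount"])
    except ValueError:
        errors.append("numeric: amount")
    else:
        if amount < 0:
            errors.append("sign: amount negative")
        elif amount > REASONABLE_AMOUNT_LIMIT:
            errors.append(f"reasonableness: amount above {REASONABLE_AMOUNT_LIMIT} limit")
    # Consistency (dependency) test: a refund must cite the original receipt
    if txn["type"] == "REFUND" and not txn.get("orig_receipt"):
        errors.append("consistency: REFUND without orig_receipt")
    return errors


def validate_batch(txns: list[dict]) -> dict[str, list[str]]:
    """Run the edit tests on every record and add a batch-level sequence test.
    Returns {"record<i>": [reasons]} for rejected records only."""
    rejected = {}
    last_seq = None
    for i, txn in enumerate(txns):
        errs = edit_tests(txn)
        seq = str(txn.get("seq", ""))
        if seq.isdigit():                 # sequence test: numbers must ascend
            if last_seq is not None and int(seq) <= last_seq:
                errs.append("sequence: out of order")
            last_seq = int(seq)
        if errs:
            rejected[f"record{i}"] = errs
    return rejected


# Constructed sample batch: record0 is clean, the others each trip one or more tests.
SAMPLE_BATCH = [
    {"seq": "1", "account": "12345674", "dept": "D01", "type": "SALE", "amount": "250.00"},
    {"seq": "2", "account": "12345670", "dept": "D09", "type": "SALE", "amount": "-5"},
    {"seq": "4", "account": "12345674", "dept": "D02", "type": "REFUND", "amount": "30"},
    {"seq": "3", "account": "12345674", "dept": "D02", "type": "SALE", "amount": "500000"},
    {"seq": "5", "account": "", "dept": "D03", "type": "SALE", "amount": "10"},
]

if __name__ == "__main__":
    for rec, reasons in validate_batch(SAMPLE_BATCH).items():
        print(rec, "rejected:", "; ".join(reasons))
```

Each rejected record carries every reason it failed rather than only the first, which is what an edit run's exception report needs so that data entry can correct the whole record in one pass.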
Processing Controls
• Processing controls focus on the manipulation of accounting data after they are input to the computer system.
• Key objective is a clear audit trail.
• Processing controls are of two kinds:
  • Data-access controls
  • Data manipulation controls
Data-Access Control Totals
Some common processing control procedures are:
• batch control total
• financial control total
• nonfinancial control total
• hash total
• record count
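The control totals listed above, and the run-to-run total named earlier under Processing Controls, are shown here as a worked example added to this page; the code is not from the original slides. The record layout (account, amount, qty fields), the names of the processing runs and the batch contents are constructed assumptions for illustration.

```python
"""Batch control totals and run-to-run reconciliation (added example, not from the slides)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int          # number of records in the batch
    financial_total: Decimal   # sum of a money field (amount)
    nonfinancial_total: int    # sum of a non-money field (quantity)
    hash_total: int            # sum of a field whose total has no business meaning (account numbers)


def compute_totals(records: list[dict]) -> ControlTotals:
    """Compute the four control totals over a list of records (field names are assumed)."""
    return ControlTotals(
        record_count=len(records),
        financial_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        nonfinancial_total=sum(int(r["qty"]) for r in records),
        hash_total=sum(int(r["account"]) for r in records),
    )


def reconcile(expected: ControlTotals, actual: ControlTotals) -> list[str]:
    """Name every control total that disagrees between two points in processing."""
    return [name for name in ("record_count", "financial_total", "nonfinancial_total", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]


def run_to_run(header: ControlTotals, stages: list[tuple[str, list[dict]]]) -> dict[str, list[str]]:
    """Run-to-run check: each run's totals must equal the totals carried in the batch
    header, so a record lost or altered between runs is pinpointed to the run where it happened."""
    return {name: reconcile(header, compute_totals(records)) for name, records in stages}


# Constructed batch as keyed at data entry; the batch header repeats its control totals.
SUBMITTED = [
    {"account": "10000017", "amount": "100.00", "qty": "2"},
    {"account": "20000025", "amount": "50.50", "qty": "1"},
    {"account": "30000033", "amount": "25.25", "qty": "3"},
]
# The edit run receives the batch intact; the update run has the second account number
# transposed (amounts unchanged, so only the hash total detects it); the posting run has
# lost the last record, which every total detects.
TRANSPOSED = [SUBMITTED[0], {**SUBMITTED[1], "account": "20000052"}, SUBMITTED[2]]
DROPPED = SUBMITTED[:2]
STAGES = [("edit run", SUBMITTED), ("update run", TRANSPOSED), ("posting run", DROPPED)]

if __name__ == "__main__":
    header = compute_totals(SUBMITTED)
    for stage, mismatches in run_to_run(header, STAGES).items():
        print(stage, "OK" if not mismatches else "MISMATCH " + ", ".join(mismatches))
```

The money field is summed as Decimal rather than float so that the financial total compares exactly against the header; the hash total is the one control that still catches an altered account number when the financial and nonfinancial totals happen to agree.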
Database Controls
The database subsystem provides functions to:
• Define
• Create
• Modify
• Delete
• Read
Controls required in a database:
• Access Controls
• Integrated Controls
• Cryptographic Controls
• File Handling Controls
• Audit Trail Controls
• Existence Controls
  • Grandfather-Father-Son strategy
  • Dual recording / Mirroring
  • Dumping
