
Sarbanes Oxley Application Controls

Business Systems Must Meet the Needs of the Business

CONFIDENTIALITY

INTEGRITY

AVAILABILITY

Confidentiality
Unauthorised access to DATA, whether by outsiders or by insiders.

Integrity
Of DATA: incomplete data, inaccurate data, incorrect information. Of DATA PROCESSING: incomplete processing, incorrect processing, inappropriate processing.

Availability
Of the Right Functionality & Data, To the Right People, At the Right Place, At the Right Time, and With the Right Performance.

Application Controls
Application controls are controls designed within the application software, e.g. SAP or PIMS, and operated to prevent or detect unauthorised transactions and to support business objectives including completeness, accuracy, authorisation and validity of transactions. Application controls always function as designed and are not subject to intermittent error.

Application Controls
Application controls can be divided into three key areas:

INPUT

PROCESSING

OUTPUT

Application Controls Input Controls


Source Document Procedures:
Source document design ensures that data is appropriately captured to facilitate input into the system, e.g. use of standard components such as headings, instructions, pre-populated fields etc. Critical source documents are pre-numbered, and out-of-sequence numbers are identified and accounted for. Batch headers are used to group similar transactions and record batch control totals. A batch register or control account is used to balance document/transaction batch control totals to input. Processing dates are marked on source documents and data entry personnel initial and date the documents when entered.

Application Controls Input Controls


Source Document Procedures
Approvers of source documents and data entry personnel review source documents for missing data and accuracy. Documents missing data or containing inaccurate information are returned to originators for correction. Source documents returned are logged and logs are reviewed periodically. Follow-up procedures exist for documents not returned within turnaround times. Retention of source documents within user areas is clearly defined, and is designed to aid in investigations. Physical access to source documents is restricted. Destruction is performed in a secure, controlled environment as appropriate.

Application Controls Input Controls


Data Input Authorisation:
Transactions only originate from recognised sources. Transactions are explicitly authorised by manual or electronic means. Transaction processing access authority is restricted to only those individuals authorised by management who need it to perform their duties. There is a segregation of duties between input and authorisation functions. Override authority is appropriately assigned.

Application Controls - Input Controls


Data Accuracy, Completeness and Authorisation Checks:
Online transaction screens are formatted and interactive to facilitate the keying of data into the proper field. When paper source documents are used, screens are formatted to match them. Transaction data input online are edited in real time to inhibit the omission of data and prevent the acceptance of invalid data, e.g. duplicate records. Error messages are returned in real time for the data, e.g. one field at a time. Edits of key data fields include duplicate or blank values, sequence, limit, range, time, validity, reasonableness, consistency, completeness and relationship checks, as well as table look-ups and check digit edits. The system is configured to produce accurate and valid system-generated transactions.
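The edits named above (blank, duplicate, sequence, limit, range, validity by table look-up, check digit, relationship/reasonableness) applied to one keyed transaction, as an added example that is not part of the original deck. The transaction layout, the valid cost-centre table, the limit and range values and the check-digit scheme (Luhn mod-10) are all assumptions made for illustration.

```python
"""Field-level input edits of the kinds listed in the slide above.

Added example, not part of the original deck. The transaction layout, the
valid cost-centre table, the limit and range values and the check-digit
scheme (Luhn mod-10) are all assumptions made for illustration.
"""
from __future__ import annotations

# Constructed reference data for the table look-up edit
VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}
AMOUNT_LIMIT = 50_000.00        # limit edit: assumed single-transaction ceiling
QUANTITY_RANGE = (1, 10_000)    # range edit: assumed acceptable quantity band
MAX_UNIT_PRICE = 1_000.00       # reasonableness edit: assumed plausible unit price
REQUIRED_FIELDS = ("txn_id", "seq", "cost_centre", "account", "amount", "quantity")


def luhn_check_digit_ok(account: str) -> bool:
    """Check-digit edit: the account's last digit must satisfy the Luhn mod-10 rule."""
    if not account.isdigit() or len(account) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_transaction(txn: dict, seen_ids: set[str], last_seq: int) -> list[str]:
    """Return the edit failures for one keyed transaction (empty list = accepted).

    Each message names the offending field so the operator can be told about
    one field at a time, as the slide describes for real-time error messages.
    """
    errors: list[str] = []

    # Blank / completeness edit: stop here, there is nothing else worth checking
    for name in REQUIRED_FIELDS:
        if txn.get(name) in (None, ""):
            errors.append(f"{name}: blank")
    if errors:
        return errors

    # Duplicate edit against transactions already accepted
    if txn["txn_id"] in seen_ids:
        errors.append("txn_id: duplicate")

    # Sequence edit: each transaction must follow the last accepted number
    if txn["seq"] != last_seq + 1:
        errors.append(f"seq: expected {last_seq + 1}, got {txn['seq']}")

    # Validity edit by table look-up
    if txn["cost_centre"] not in VALID_COST_CENTRES:
        errors.append("cost_centre: not in valid table")

    # Check-digit edit
    if not luhn_check_digit_ok(txn["account"]):
        errors.append("account: check digit failed")

    # Limit edit
    if txn["amount"] > AMOUNT_LIMIT:
        errors.append(f"amount: exceeds limit {AMOUNT_LIMIT}")

    # Range edit
    lo, hi = QUANTITY_RANGE
    if not lo <= txn["quantity"] <= hi:
        errors.append(f"quantity: outside range {lo}-{hi}")

    # Relationship / reasonableness edit between two fields (guarded against a zero quantity)
    if txn["quantity"] > 0 and txn["amount"] / txn["quantity"] > MAX_UNIT_PRICE:
        errors.append("amount/quantity: implied unit price unreasonable")

    return errors


if __name__ == "__main__":
    # Constructed samples: one clean transaction, one that fails several edits at once
    print(edit_transaction({"txn_id": "T1", "seq": 1, "cost_centre": "CC100",
                            "account": "79927398713", "amount": 100.0, "quantity": 4},
                           set(), 0))
    print(edit_transaction({"txn_id": "T1", "seq": 3, "cost_centre": "CC999",
                            "account": "79927398710", "amount": 60000.0, "quantity": 0},
                           {"T1"}, 0))
```

The blank edit returns early because every other edit assumes a value is present; the reasonableness edit is guarded so a quantity that already failed the range edit cannot cause a division by zero and mask the real failures.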

Application Controls Input Controls


Data Accuracy, Completeness and Authorisation Checks continued:
Interfaced inputs are automatically validated by the system for missing information, format, consistency, and reasonableness. Transactions failing edit routines are posted to a suspense file and reported, while valid transaction processing continues. Interfaced inputs are transmitted in batch files, and batch control totals are used to balance sent transactions to received transactions. Out-of-balance conditions are reported, corrected and re-entered.

Application Controls - Input Controls


Data Input Error Handling:
Procedures exist for the correction of errors and out-of-balance conditions. Online error messages are generated in real time for online errors. Transactions will not process unless errors are corrected or appropriately overridden. Errors that are not corrected immediately are logged and valid transaction processing continues. Error logs are reviewed in a timely manner. Suspense files are used for interfaced input transactions that fail edits and valid transactions continue processing. The system reports all errors in the suspense file on a regular basis.

Application Controls Input Controls


Data Input Error Handling continued:
Appropriate personnel review daily error reports. Errors are followed up and corrected within a reasonable period of time, and are reported daily until corrected. If suspense files are not used, errors that cannot be corrected are logged and the log is reviewed regularly. Interfaced input out-of-balance reports are reviewed frequently and followed up to determine the cause of the out-of-balance. If the issues cannot be resolved an incident report is produced and logged, and the logs are reviewed periodically.
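The interfaced-input controls from the two slides above (batch control totals balanced between sent and received, edit failures posted to a suspense file while valid transactions continue, and a daily error report that repeats until items are corrected) as an added example that is not the deck's own code. The batch file layout (one header record followed by detail records), the edit rules and the figures are assumptions constructed for illustration.

```python
"""Interfaced batch input: balance batch control totals, route edit failures to a
suspense file, and produce the daily error report.

Added example, not the deck's own code. The batch file layout (one header record
followed by detail records), the edit rules and the figures are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal

# Constructed batch as a sending system might transmit it:
#   H|record count|monetary total
#   D|transaction id|cost centre|amount
CONSTRUCTED_BATCH = """\
H|4|1250.00
D|INV001|CC100|500.00
D|INV002|CC200|250.00
D|INV003||300.00
D|INV004|CC300|200.00
"""

VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}   # assumed table look-up


@dataclass
class BatchResult:
    expected_count: int
    expected_total: Decimal
    received_count: int = 0
    received_total: Decimal = Decimal("0")
    posted: list = field(default_factory=list)     # valid transactions that continue processing
    suspense: list = field(default_factory=list)   # (transaction, reason) awaiting correction

    @property
    def in_balance(self) -> bool:
        return (self.received_count, self.received_total) == (self.expected_count, self.expected_total)


def edit_detail(txn: dict) -> str | None:
    """Edit one interfaced transaction for missing information, validity and reasonableness."""
    if not txn["cost_centre"]:
        return "cost_centre missing"
    if txn["cost_centre"] not in VALID_COST_CENTRES:
        return "cost_centre not in valid table"
    if txn["amount"] <= 0:
        return "amount not positive"
    return None


def process_batch(text: str) -> BatchResult:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    kind, count, total = lines[0].split("|")
    if kind != "H":
        raise ValueError("batch must start with a header record")
    result = BatchResult(int(count), Decimal(total))

    for ln in lines[1:]:
        kind, txn_id, cost_centre, amount = ln.split("|")
        if kind != "D":
            raise ValueError(f"unexpected record type {kind!r}")
        txn = {"txn_id": txn_id, "cost_centre": cost_centre, "amount": Decimal(amount)}
        # Received totals count every transmitted record, including those that later
        # fail edits: the balance proves the transmission was complete, not that it was valid.
        result.received_count += 1
        result.received_total += txn["amount"]
        reason = edit_detail(txn)
        if reason is None:
            result.posted.append(txn)
        else:
            result.suspense.append((txn, reason))
    return result


def daily_error_report(result: BatchResult, day: str) -> list[str]:
    """Report lines: any out-of-balance condition plus every uncorrected suspense item."""
    lines = []
    if not result.in_balance:
        lines.append(f"{day} OUT-OF-BALANCE expected {result.expected_count}/{result.expected_total} "
                     f"received {result.received_count}/{result.received_total}")
    for txn, reason in result.suspense:
        lines.append(f"{day} SUSPENSE {txn['txn_id']} {txn['amount']} {reason}")
    return lines
```

Received totals are accumulated before the edits run, so a batch that arrives complete but contains a bad record still balances; the bad record is visible only through the suspense file, which is the separation the slides describe between transmission control and validation control.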

Application Controls Processing Controls


Data Processing Integrity:
Transactions are date and time-stamped. A sequential number for identification and processing is assigned to each transaction. An audit trail of transactions is maintained and reviewed periodically, as appropriate, for unusual activity by a supervisor separate from data entry. Date of input, time of input and user id are included for each transaction. The audit trail listing contains before and after images for changed data and is checked for accuracy of the changes made. Adjustments, overrides and high value transactions are reviewed in detail for appropriateness by a supervisor separate from data entry.
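The audit trail described above (sequential number, timestamp, user id, before and after images, and a review by a supervisor who is not a data entry user that picks out overrides and high value changes), as an added example that is not from the deck. The record layout, the high-value threshold and the user ids are assumptions.

```python
"""Audit trail with sequential numbers, timestamps, user ids and before/after
images, reviewed by a supervisor separate from data entry.

Added example, not from the deck. The record layout, the high-value threshold
and the user ids are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timezone
from decimal import Decimal
from itertools import count

HIGH_VALUE = Decimal("10000.00")   # assumed threshold for detailed supervisor review


class AuditedStore:
    """Master data store that writes one audit entry for every change."""

    def __init__(self, records: dict):
        self.records = {k: dict(v) for k, v in records.items()}
        self.trail: list[dict] = []
        self._seq = count(1)          # sequential number assigned to each transaction

    def update(self, key: str, field: str, new_value, userid: str,
               override: bool = False, now: datetime | None = None) -> dict:
        before = dict(self.records[key])            # before image
        self.records[key][field] = new_value
        entry = {
            "seq": next(self._seq),
            "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
            "userid": userid,
            "key": key,
            "field": field,
            "before": before,
            "after": dict(self.records[key]),       # after image
            "override": override,
        }
        self.trail.append(entry)
        return entry


def review_trail(trail: list[dict], reviewer: str,
                 data_entry_users: set[str]) -> list[tuple[int, list[str]]]:
    """Supervisor review of the trail; returns (seq, reasons) for entries needing detailed review."""
    if reviewer in data_entry_users:
        raise PermissionError("reviewer must be separate from data entry")
    flagged = []
    for e in trail:
        reasons = []
        if e["override"]:
            reasons.append("override")
        after_value = e["after"][e["field"]]
        if isinstance(after_value, Decimal) and abs(after_value) >= HIGH_VALUE:
            reasons.append("high value")
        # Accuracy check on the images: the only difference must be in the named field
        diffs = {f for f in e["after"] if e["before"].get(f) != e["after"][f]}
        if diffs != {e["field"]}:
            reasons.append(f"image mismatch: {sorted(diffs)}")
        if reasons:
            flagged.append((e["seq"], reasons))
    return flagged
```

The segregation-of-duties check is enforced in code rather than left to procedure: a reviewer who is also a data entry user cannot produce a review at all, which is the condition the slide places on who reviews the trail.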

Application Controls Processing Controls


Data Processing Integrity continued:
Run-to-run control totals that balance transactions as they flow through the application processing are used where appropriate, and out-of-balance conditions are reported. Reconciliation of file totals is performed on a routine basis, e.g. a parallel control file that records transaction counts or monetary value as data is processed and is compared to master file data once transactions are posted; out-of-balance conditions are reported. The system is configured to accurately perform calculations and post data. Master file update controls are used where appropriate, including comparison of the current period's beginning balance to the previous period's balance, programmed routines that check internal file header labels for the current version, and programs that prevent concurrent file updates.
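Run-to-run control totals between two processing stages, a parallel control file reconciled to the master file after posting, and a header-label version check on the master file, as an added example that is not the deck's code. The two-stage pipeline, the master-file layout and the figures are constructed for illustration.

```python
"""Run-to-run control totals between processing stages, a parallel control file
reconciled to the master file, and a header-label version check on the master.

Added example, not the deck's code. The two-stage pipeline, the master-file
layout and the figures are constructed for illustration.
"""
from __future__ import annotations

from decimal import Decimal

# Constructed master file: a header label plus account balances
CONSTRUCTED_MASTER = {
    "_header": {"file": "AR_MASTER", "version": 17, "period": "2024-03"},
    "A001": Decimal("1000.00"),
    "A002": Decimal("250.00"),
}

# Constructed receipts batch: (account, amount)
CONSTRUCTED_RECEIPTS = [
    ("A001", Decimal("-100.00")),
    ("A002", Decimal("-50.00")),
    ("A001", Decimal("-25.00")),
]


def control_total(txns) -> tuple[int, Decimal]:
    return len(txns), sum((amt for _, amt in txns), Decimal("0"))


def balances_total(master: dict) -> Decimal:
    return sum((v for k, v in master.items() if k != "_header"), Decimal("0"))


def stage_validate(txns, master):
    """Stage 1: keep only transactions for accounts that exist on the master file."""
    out = [t for t in txns if t[0] in master]
    return out, control_total(out)


def stage_post(txns, master, expected_version):
    """Stage 2: check the header label, post, and maintain a parallel control file."""
    if master["_header"]["version"] != expected_version:
        raise RuntimeError("master file header label is not the expected version")
    control_file = {"count": 0, "amount": Decimal("0")}
    for acct, amt in txns:
        master[acct] += amt
        control_file["count"] += 1
        control_file["amount"] += amt
    return control_file


def run(txns, master, expected_version) -> dict:
    master = dict(master)                       # work on a copy so the run is repeatable
    in_count, in_total = control_total(txns)
    opening = balances_total(master)

    validated, (v_count, v_total) = stage_validate(txns, master)
    # Run-to-run check: what leaves stage 1 must equal what entered it
    if (v_count, v_total) != (in_count, in_total):
        return {"status": "OUT_OF_BALANCE", "stage": "validate",
                "expected": (in_count, in_total), "actual": (v_count, v_total)}

    control_file = stage_post(validated, master, expected_version)
    closing = balances_total(master)
    # Reconciliation: opening balance plus the control file must equal the master closing balance
    if control_file["count"] != v_count or opening + control_file["amount"] != closing:
        return {"status": "OUT_OF_BALANCE", "stage": "post",
                "expected": (v_count, opening + v_total), "actual": (control_file["count"], closing)}
    return {"status": "IN_BALANCE", "count": control_file["count"],
            "opening": opening, "closing": closing}
```

A transaction for an account that is not on the master file is silently dropped by the validate stage; the run-to-run check is what makes that loss visible, because the stage's output totals no longer match its input totals.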

Application Controls Processing Controls


Data Processing Validation and Editing:
Transaction data are validated and edited during processing, and valid transactions continue processing. Errors are reported daily. End user reconciliation procedures ensure completeness and accuracy of processing. Edits include sequence, limit, range, reasonableness, validity, existence, completeness and relationship checks, table look-ups and check digit checks. Interactive authorisations are used for authentication of data input for vital management decisions. Automated routing is performed that notifies appropriate management when information needs to be approved. A message is transmitted back to the transaction initiator when approvals are not processed within a set time period.

Application Controls Processing Controls


Data Processing Error Handling:
Detailed descriptions exist for error codes, including specific procedures for follow-up, correction, approval and re-submission. Suspense files are used for transactions that fail edits, and valid transactions continue processing. The system reports all errors contained in the suspense files on a regular basis. Appropriate personnel periodically review error reports that list rejected transactions, and errors are followed up and corrected within a reasonable time. Errors are reported until corrected. If a suspense file is not used, errors that cannot be corrected are logged and reviewed. Processing out-of-balance reports are reviewed promptly and followed up to determine the cause of the out-of-balance. If the issues cannot be resolved an incident report is produced and logged, and the logs are reviewed periodically.

Application Controls Processing Controls


Data Processing Error Handling continued:
Transactions reprocessed are controlled in a similar manner to the original transactions with appropriate modifications.

Application Controls Output Controls


Output Management:
Sensitive or critical output is numbered sequentially, logged and secured to provide protection against theft or damage. The log is reconciled to inventory on hand, and any discrepancies are resolved in a timely manner. Retention standards for output are clearly defined to facilitate ready access by authorised users. An online report management system is used to maintain and purge electronic output and is configured to comply with the retention policy. The system also generates reports and posts output in a timely manner. A distribution list is used for all generated output. Physical access to output is restricted. Sensitive output is disposed of securely. Receivers of sensitive reports sign as evidence of acceptance. Output is checked to ensure that it is reasonable, consistent and complete. Errors are reported, logged and resolved.

Application Controls Output Controls


Output Management:
Output files contain control totals in header and trailer records which are balanced back to the control totals produced by the system. Processing out-of-balance reports are reviewed promptly and followed up to determine the cause of the out-of-balance. If the issues cannot be resolved an incident report is produced and logged, and the logs are reviewed periodically. The confidentiality of sensitive outputs is maintained (e.g. there is a list of reports and who should receive them). For electronic output, logical access to the print spool and output files is restricted to authorised personnel. Physical access is likewise restricted. There are procedures for controlled stationery, e.g. cheques. Transactions reprocessed are controlled in a similar manner to the original transactions with appropriate modifications. Transaction journals are reviewed.

Application Controls Output Controls


Output Management:
Output is checked to ensure that it is reasonable, consistent and complete. Processing out-of-balance reports are reviewed promptly and followed up to determine the cause of the out-of-balance. If the issues cannot be resolved an incident report is produced and logged, and the logs are reviewed periodically. Control totals on output reports can be broken down into the transactions that form the totals. The confidentiality of sensitive outputs is maintained (e.g. there is a list of reports and who should receive them). There are procedures for controlled stationery, e.g. cheques. Physical security of output is ensured. Sensitive output is disposed of securely. Transactions reprocessed are controlled in a similar manner to the original transactions with appropriate modifications. Output reports are reviewed for completeness, e.g. report title, dates, page numbering and control totals. Transaction journals are reviewed.
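The two output-control points from the slides above, header/trailer control totals balanced back to the detail records and to the system's own totals, and a control total broken down into the transactions that form it, as an added example that is not the deck's code. The record layout, the report completeness fields and the figures are constructed for illustration.

```python
"""Output file with header/trailer control totals balanced back to the system's
totals, and drill-down from a control total to the transactions forming it.

Added example, not the deck's code. The record layout and the figures are
constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from decimal import Decimal

# Constructed output file:
#   H|report title|run date
#   D|transaction id|cost centre|amount
#   T|record count|monetary total
CONSTRUCTED_OUTPUT = """\
H|AP_PAYMENT_RUN|2024-03-31
D|PAY001|CC100|400.00
D|PAY002|CC100|100.00
D|PAY003|CC200|250.00
T|3|750.00
"""


def parse_output(text: str) -> dict:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, trailer = lines[0].split("|"), lines[-1].split("|")
    if header[0] != "H" or trailer[0] != "T":
        raise ValueError("output file must carry a header and a trailer record")
    details = []
    for ln in lines[1:-1]:
        kind, txn_id, cost_centre, amount = ln.split("|")
        if kind != "D":
            raise ValueError(f"unexpected record type {kind!r}")
        details.append({"txn_id": txn_id, "cost_centre": cost_centre, "amount": Decimal(amount)})
    return {"title": header[1], "run_date": header[2], "details": details,
            "trailer_count": int(trailer[1]), "trailer_total": Decimal(trailer[2])}


def balance_output(parsed: dict, system_count: int, system_total: Decimal) -> tuple[bool, dict]:
    """Balance trailer totals to the detail records and to the system's own control totals,
    and check the completeness fields a reviewer looks for (title, run date)."""
    detail_count = len(parsed["details"])
    detail_total = sum((d["amount"] for d in parsed["details"]), Decimal("0"))
    checks = {
        "trailer_vs_details": (detail_count, detail_total)
                              == (parsed["trailer_count"], parsed["trailer_total"]),
        "trailer_vs_system": (parsed["trailer_count"], parsed["trailer_total"])
                             == (system_count, system_total),
        "title_present": bool(parsed["title"]),
        "run_date_present": bool(parsed["run_date"]),
    }
    return all(checks.values()), checks


def breakdown(parsed: dict) -> dict:
    """Break the report's control total down, per cost centre, into the transactions forming it."""
    by_cc: dict[str, list] = defaultdict(list)
    for d in parsed["details"]:
        by_cc[d["cost_centre"]].append(d)
    return {cc: {"total": sum((d["amount"] for d in ds), Decimal("0")),
                 "transactions": [d["txn_id"] for d in ds]}
            for cc, ds in by_cc.items()}
```

Two independent balances are kept on purpose: trailer-to-details catches a file that was truncated or altered after it was written, while trailer-to-system catches a report that is internally consistent but does not reflect what the application actually processed.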

Application Controls Others


Maintenance of key system parameters and standing data is strictly controlled. Access is restricted and there is an audit trail of changes to key data which is reviewed.
