Application Controls
By Brenda Shiner
Presented to the National State Auditors Association
2014 Information Technology Conference
This presentation will walk you through the common application controls and how to audit them.
Application Controls
- Input controls
- Processing controls
- Output controls
Auditing Application Controls
- Data integrity testing
- Testing application systems
- Online auditing techniques
Application controls are controls over input, processing, and output functions.
They ensure that:
- Only complete, accurate, and valid data are entered and updated in a computer system
- Processing accomplishes the correct task
- Processing results meet expectations
- Data is maintained
Application controls can be automated or manual.
Application controls include:
- Edit tests
- Totals
- Reconciliations
- Identification and reporting of missing or exception data
- Automated controls combined with manual controls
Application controls help ensure data accuracy, completeness, validity, verifiability, and consistency, thus achieving data integrity and reliability.
Application controls ensure:
- System integrity
- System functions as intended
- Information in the system is relevant, reliable, secure, and available as needed
Input or origination controls ensure that every transaction is entered, processed, and recorded accurately and completely.
Types of input controls include:
- Input authorization
- Batch controls and balancing
- Error reporting and handling
Input authorization controls verify that all transactions have been authorized and approved by management.
Input authorization controls:
- Signatures on batch forms or source documents
- Online access controls
- Unique passwords
- Terminal or workstation identification
- Source documents
Batch controls combine input transactions into groups or batches to provide control totals that are matched to the source documents to verify that the entire batch was processed.
Batch controls include:
- Total monetary amount
- Total items
- Total documents
- Hash totals
Batch balancing controls can be performed through either a manual or automated reconciliation.
Batch balancing controls must be combined with adequate follow-up procedures. Batch balancing controls include:
- Batch registers
- Control accounts
- Computer agreement
Input error reporting and handling ensures only correct data are accepted into the system and input errors are identified and corrected.
Input error reporting and handling can be processed by:
- Rejecting transactions with errors
- Rejecting the whole batch
- Holding batches in suspense
- Accepting the batch and flagging error transactions
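The batch controls, batch balancing and error-handling options above, worked through in code. This is an added example written for this page, not material from the presentation or its author; the transactions, the batch header and the account-number hash total are constructed sample data. It shows the point an auditor tests for: the monetary, item and document totals alone do not catch a transposed account number, but the hash total does, and a mismatch on any total is what triggers rejection or suspense rather than silent processing.

```python
"""Batch control totals and balancing (added example, not from the presentation).

A batch header (constructed sample) carries the control totals the preparer
computed from the source documents: monetary total, item count, document
count and a hash total over a non-financial field. The processing side
recomputes the same totals from the transactions it actually received and
compares. Any mismatch is reported so the batch can be rejected or held in
suspense rather than silently processed.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    document_no: int       # source document number
    account_no: int        # non-financial field used for the hash total
    items: int             # line items on the document
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    total_amount: Decimal
    total_items: int
    total_documents: int
    hash_total: int        # sum of account numbers; meaningful only as a check value


def compute_totals(transactions):
    """Recompute the four control totals from the received transactions."""
    return BatchHeader(
        total_amount=sum((t.amount for t in transactions), Decimal("0")),
        total_items=sum(t.items for t in transactions),
        total_documents=len(transactions),
        hash_total=sum(t.account_no for t in transactions),
    )


def balance_batch(header, transactions):
    """Compare header totals with recomputed totals; return the list of discrepancies."""
    actual = compute_totals(transactions)
    problems = []
    for name in ("total_amount", "total_items", "total_documents", "hash_total"):
        expected, got = getattr(header, name), getattr(actual, name)
        if expected != got:
            problems.append(f"{name}: header {expected}, computed {got}")
    return problems


# Constructed sample batch: four source documents as the preparer had them.
SOURCE_DOCS = [
    Transaction(1001, 4711, 2, Decimal("150.00")),
    Transaction(1002, 4712, 1, Decimal("75.50")),
    Transaction(1003, 4720, 3, Decimal("320.25")),
    Transaction(1004, 4713, 1, Decimal("12.00")),
]
HEADER = compute_totals(SOURCE_DOCS)   # the totals written on the batch form

# Scenario A: the keyed batch lost document 1004 and has a transposed account number.
KEYED_SHORT = [
    Transaction(1001, 4711, 2, Decimal("150.00")),
    Transaction(1002, 4721, 1, Decimal("75.50")),   # 4712 keyed as 4721
    Transaction(1003, 4720, 3, Decimal("320.25")),
]

# Scenario B: all four documents keyed, one account number transposed. The
# monetary, item and document totals still agree; only the hash total catches it.
KEYED_TRANSPOSED = [
    SOURCE_DOCS[0],
    Transaction(1002, 4721, 1, Decimal("75.50")),
    SOURCE_DOCS[2],
    SOURCE_DOCS[3],
]


def disposition(problems):
    """Follow-up action for a batch: accept, or hold in suspense for correction."""
    return "accept" if not problems else "hold in suspense"


if __name__ == "__main__":
    for label, batch in (("A", KEYED_SHORT), ("B", KEYED_TRANSPOSED)):
        problems = balance_batch(HEADER, batch)
        print(f"batch {label}: {disposition(problems)}")
        for p in problems:
            print("  OUT OF BALANCE ->", p)
```

The hash total is not a security hash; it is simply the arithmetic sum of a field that has no business meaning as a total, which is exactly why it detects keying errors that leave the monetary total unchanged.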
Input processing requires that controls be identified to verify that only correct data are accepted into the system.
Input processing control techniques include:
- Transaction logs – detailed listings of all updates, which can be manually maintained or automatically generated through computer logs
- Reconciliation of data – ensures all data are properly recorded and processed
- Documentation – written evidence of control procedures
- Anticipation – user groups anticipate the receipt of data
- Transmittal log – documents the transmission or receipt of data
- Cancellation of source documents – prevents duplicate entry
Input processing also requires that controls be identified to ensure that input errors are recognized and corrected.
Error correction procedures include:
- Logging of errors
- Timely corrections
- Upstream resubmission
- Approval of corrections
- Suspense file
- Error file
- Validity of corrections
Processing procedures and controls are meant to ensure the reliability of application program processing.
Processing procedures and controls include:
- Data validation and edits
- Processing controls
- Data file control procedures
Data validation and edit procedures ensure input data is validated as close to the point of origination as possible.
- Limit check – a benefits check should not exceed a certain amount
- Range check – students registering for a certain grade should be in a certain age range
- Validity check – the zip code matches the state in the address
- Sequence check – the check number being paid matches the range of issued checks
Data validation and edit procedures identify errors, incomplete or missing data, and inconsistencies among related data items, and ensure only accurate data are processed.
- Existence check – a product number matches a product being sold
- Completeness check – all required fields are filled in
- Duplicate check – a duplicate purchase order is identified
- Logical relationship check – the credit card number has been provided if the payment is by credit card
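The eight data validation and edit checks described above (limit, range, validity, sequence, existence, completeness, duplicate and logical relationship), applied as one edit routine to a batch of purchase-order payment records. This is an added example written for this page, not code from the presentation; the record layout, the reference tables (state/zip prefixes, product master, issued check numbers) and the limits are constructed placeholders. The routine returns an exception list alongside the accepted records, which is the shape of the exception report an auditor would ask to see.

```python
"""Data validation and edit checks (added example, not from the presentation).

One routine applies the eight edit checks named in the slides to constructed
purchase-order payment records and returns an exception list, so that only
clean records continue into processing. Reference tables and limits are
constructed placeholders, not real values.
"""
from decimal import Decimal

REQUIRED_FIELDS = ("po_number", "vendor_id", "state", "zip", "product_no",
                   "quantity", "amount", "payment_method")
AMOUNT_LIMIT = Decimal("10000.00")                    # limit check ceiling (constructed)
QUANTITY_RANGE = (1, 500)                             # range check bounds (constructed)
STATE_ZIP_PREFIX = {"CA": "9", "NY": "1", "TX": "7"}  # validity check table (constructed)
PRODUCTS = {"P-100", "P-200", "P-300"}                # existence check master file (constructed)
ISSUED_CHECKS = range(5000, 5100)                     # sequence check: issued check numbers (constructed)


def edit_checks(rec, seen_po):
    """Return the list of edit failures for one record; an empty list means it passes."""
    errors = []
    # Completeness check: every required field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        errors.append(f"completeness: missing {','.join(missing)}")
        return errors  # the remaining checks need these fields, so stop here
    # Duplicate check: the same purchase order must not be entered twice.
    if rec["po_number"] in seen_po:
        errors.append("duplicate: purchase order already entered")
    # Limit check: amount may not exceed the approved ceiling.
    if rec["amount"] > AMOUNT_LIMIT:
        errors.append(f"limit: amount {rec['amount']} exceeds {AMOUNT_LIMIT}")
    # Range check: quantity must fall within the expected bounds.
    lo, hi = QUANTITY_RANGE
    if not lo <= rec["quantity"] <= hi:
        errors.append(f"range: quantity {rec['quantity']} outside {lo}-{hi}")
    # Validity check: zip code must be consistent with the state.
    prefix = STATE_ZIP_PREFIX.get(rec["state"])
    if prefix is None or not rec["zip"].startswith(prefix):
        errors.append(f"validity: zip {rec['zip']} does not match state {rec['state']}")
    # Existence check: product must exist in the product master.
    if rec["product_no"] not in PRODUCTS:
        errors.append(f"existence: unknown product {rec['product_no']}")
    # Logical relationship check: card number present exactly when paying by card.
    by_card = rec["payment_method"] == "card"
    if by_card != bool(rec.get("card_no")):
        errors.append("logical relationship: card number and payment method disagree")
    # Sequence check: a check payment must cite a check number from the issued range.
    if rec["payment_method"] == "check" and rec.get("check_no") not in ISSUED_CHECKS:
        errors.append(f"sequence: check number {rec.get('check_no')} not in issued range")
    return errors


def validate_batch(records):
    """Run the edit checks over a batch; return (accepted records, exception report)."""
    accepted, exceptions, seen_po = [], [], set()
    for rec in records:
        errs = edit_checks(rec, seen_po)
        seen_po.add(rec.get("po_number"))
        if errs:
            exceptions.append((rec.get("po_number"), errs))
        else:
            accepted.append(rec)
    return accepted, exceptions


# Constructed sample batch: one clean record and three that fail in different ways.
SAMPLE = [
    {"po_number": "PO-1", "vendor_id": "V1", "state": "CA", "zip": "94105", "product_no": "P-100",
     "quantity": 10, "amount": Decimal("250.00"), "payment_method": "card", "card_no": "4111"},
    {"po_number": "PO-2", "vendor_id": "V2", "state": "NY", "zip": "94105", "product_no": "P-999",
     "quantity": 0, "amount": Decimal("12000.00"), "payment_method": "check", "check_no": 6000},
    {"po_number": "PO-1", "vendor_id": "V1", "state": "CA", "zip": "94105", "product_no": "P-100",
     "quantity": 10, "amount": Decimal("250.00"), "payment_method": "card"},
    {"po_number": "PO-3", "vendor_id": "", "state": "TX", "zip": "75001", "product_no": "P-200",
     "quantity": 1, "amount": Decimal("5.00"), "payment_method": "check", "check_no": 5010},
]

if __name__ == "__main__":
    accepted, report = validate_batch(SAMPLE)
    print(f"accepted {len(accepted)} of {len(SAMPLE)}")
    for po, errs in report:
        print(po, errs)
```

Note that the completeness check short-circuits: once required fields are missing, the other checks would only produce noise, so the record goes straight to the exception report for correction and resubmission.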
Processing controls are meant to ensure the completeness and accuracy of accumulated processed data.
- Edit checks – most of the data validation examples would also work as edit checks
- Manual recalculation – perform a recalculation of a sample of transactions to verify the accuracy of calculations, for example, sales tax
- Run-to-run totals – control totals are maintained through various stages of processing to verify the completeness of the records
- Exception reports – reports programmatically identify transactions or data that fall outside a predetermined range or do not match other specified criteria
Data file control procedures ensure that only authorized processing occurs in stored data.
- Data file security – ensures only authorized users have access to alter the data, through either access to the application or direct access to the database
- Source documentation retention – source documents are retained for an adequate time period to enable retrieval, reconstruction, and verification of data if necessary
- Version usage – make sure that the correct, current version of a file is being used
- Internal and external labels – used on removable media and files to ensure the correct data is being used
- File updating and maintenance authorizations – ensure that maintenance follows an approved and documented process
- Transaction logs – useful in tracking down which transactions were processed in the event of an error and investigating the cause
- Before and after image reporting – useful as a monitoring tool, though not as granular as the transaction log
Output controls are meant to provide assurance that the data delivered to users will be presented, formatted, and delivered in an accurate, consistent, and secure manner.
- Tracking of sensitive output:
  - Negotiable instruments
  - Confidential or sensitive forms
  - Critical forms
- Report distribution control
- Output error handling
- Reconciliation of control counts/totals
The starting point for auditing application controls is identifying significant application components and the flow of information through the system.
- Understand transaction flow
- Assess application risks
- Test user controls
- Test data integrity
The impact of control weaknesses can be evaluated by reviewing available documentation and interviewing appropriate personnel.
An analysis of the transaction flow will allow for an understanding of potential weak points where the controls should be reviewed.
- Points where transactions and data are entered
- Points where transaction calculations are performed
- Points where data transformations occur
- Points where transactions are posted
- Points where databases are updated
- Points where reports are generated
- Points where data are transmitted
A risk assessment can be based on a variety of factors and can assist in focusing your audit on the inherent risks of an application.
- Recent application changes
- Time elapsed since last audit
- Complexity of operations
- Changes in operations/environment
- Transaction volume
- Monetary value of transactions
- Sensitivity of transactions
- Impact of application failure
Key user controls may be directly observed and tested to determine if they are performing as intended.
- Review and testing of access authorizations and capabilities
- Separation of duties
- Error control and correction
- Activity and violation reporting
- Distribution of reports
Data integrity tests examine the accuracy, completeness, consistency, and authorization of data presently held in a system.
- Determine if data validation routines are functioning correctly
- Determine if database tables are properly defined and apply appropriate input constraints and data characteristics
- Ensure referential integrity for primary and foreign keys in tables
Data integrity tests will indicate failures in input or processing controls.
Data integrity testing is a set of substantive tests that examines accuracy, completeness, consistency, and authorization of data presently held in a system.
- Relational integrity tests - performed at the data element and record-based levels and enforced through data validation routines built into the application or by defining the input condition constraints and data characteristics at the table definition in the database stage
- Referential integrity tests - define the existence of relationships between entities in different tables of a database that need to be maintained by the Database Management System (DBMS)
In multi-user transaction systems, it is necessary to manage parallel user access to stored data typically controlled by a DBMS and deliver fault tolerance.
Of particular importance are four online data integrity requirements known collectively as the ACID principle:
- Atomicity - from a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all
- Consistency - all integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state
- Isolation - each transaction is isolated from other transactions, and hence each transaction only accesses data that are part of a consistent database state
- Durability - if a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures
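The data integrity tests from the preceding slides (input constraints at the table definition, relational integrity, referential integrity for primary and foreign keys) and the atomicity property of ACID, demonstrated against a database. This is an added example written for this page, not code from the presentation; it uses Python's built-in sqlite3 as a stand-in for whatever DBMS the audited application runs on, and the vendor/invoice schema and rows are constructed. The referential integrity test is the orphan query an auditor would run directly against the data; the two connections show the difference between a DBMS that enforces the foreign key and one where the auditor's query is the only thing that catches the orphan.

```python
"""Data integrity tests over a database (added example, not from the presentation).

Python's built-in sqlite3 stands in for the audited application's DBMS. The
demo shows (1) an input constraint declared in the table definition rejecting
a bad row, (2) a referential integrity test that finds orphaned rows when the
DBMS is not enforcing foreign keys, and (3) a transaction rolling back as a
unit (atomicity) when one of its statements fails. All data is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE vendor (
    vendor_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_no INTEGER PRIMARY KEY,
    vendor_id  INTEGER NOT NULL REFERENCES vendor(vendor_id),
    amount     NUMERIC NOT NULL CHECK (amount > 0)   -- input constraint at table definition
);
"""


def open_db(enforce_fk):
    """In-memory database; foreign-key enforcement is a per-connection setting in SQLite."""
    con = sqlite3.connect(":memory:")
    con.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    con.executescript(SCHEMA)
    con.execute("INSERT INTO vendor VALUES (1, 'Acme Supply')")
    con.commit()  # baseline data must survive later rollbacks
    return con


def check_constraint_rejects_bad_amount(con):
    """Relational integrity: the CHECK constraint must reject a non-positive amount."""
    try:
        con.execute("INSERT INTO invoice VALUES (10, 1, -5.00)")
        return False
    except sqlite3.IntegrityError:
        return True


def orphaned_invoices(con):
    """Referential integrity test: invoices whose vendor does not exist."""
    rows = con.execute("""
        SELECT i.invoice_no FROM invoice i
        LEFT JOIN vendor v ON v.vendor_id = i.vendor_id
        WHERE v.vendor_id IS NULL
    """).fetchall()
    return [r[0] for r in rows]


def post_invoice_batch_atomically(con, rows):
    """Atomicity: insert every row or none; return True only if the batch committed."""
    try:
        with con:  # commits on success, rolls back the whole batch on an exception
            for row in rows:
                con.execute("INSERT INTO invoice VALUES (?, ?, ?)", row)
        return True
    except sqlite3.IntegrityError:
        return False


def invoice_count(con):
    return con.execute("SELECT COUNT(*) FROM invoice").fetchone()[0]


def run_demo():
    results = {}
    # Foreign keys OFF: an orphan slips in, and only the auditor's query catches it.
    con = open_db(enforce_fk=False)
    con.execute("INSERT INTO invoice VALUES (20, 99, 100.00)")  # vendor 99 does not exist
    results["orphans_without_fk"] = orphaned_invoices(con)
    results["check_rejects"] = check_constraint_rejects_bad_amount(con)
    # Foreign keys ON: the DBMS itself refuses the orphan.
    con2 = open_db(enforce_fk=True)
    results["orphan_rejected_with_fk"] = not post_invoice_batch_atomically(con2, [(20, 99, 100.00)])
    # Atomicity: the second row violates CHECK, so the first row must not persist either.
    results["batch_committed"] = post_invoice_batch_atomically(con2, [(30, 1, 50.00), (31, 1, 0)])
    results["invoices_after_failed_batch"] = invoice_count(con2)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The orphan query is the reusable part: run the same LEFT JOIN ... IS NULL pattern for every foreign-key relationship in the schema, because a DBMS setting such as the foreign_keys pragma here can be off without anything in the application noticing.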
Testing the effectiveness of application controls involves analyzing computer application programs, testing computer program controls, and selecting and monitoring transactions.
Methods and techniques for testing application systems include:
- Snapshot
- Mapping
- Tracing and tagging
- Test data/deck
- Base-case system evaluation
- Parallel operation
- Integrated testing facility
- Parallel simulation
- Transaction selection programs
- Embedded audit data collection
- Extended records
Continuous online auditing is becoming increasingly important in today's e-business world.
- Allows IS auditors to monitor the operation of systems on a continuous basis while normal processing takes place and to gather selective audit evidence through the computer
- Cuts down on needless paperwork and leads to the conduct of an essentially paperless audit
There are five types of automated evaluation techniques applicable to continuous online auditing.
- Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
- Snapshots
- Audit hooks
- Integrated test facility (ITF)
- Continuous and intermittent simulation (CIS)
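The embedded audit module, audit hook and integrated test facility techniques listed above (and the embedded audit data collection method from the earlier testing slide), shown as code. This is an added example written for this page, not code from the presentation; the posting routine, the selection criteria, the transactions and the dummy ITF entity are all constructed. An auditor-owned hook runs inside normal processing and copies transactions that meet the selection criteria to a separate audit file (the SCARF idea), while the ITF test entity is posted like any other account but excluded from production totals.

```python
"""Embedded audit module with an audit hook (added example, not from the presentation).

A small transaction-posting routine carries an auditor-owned hook: while
normal processing runs, every transaction is offered to the embedded audit
module, which copies those meeting the auditor's selection criteria into a
separate audit file without changing the business result. A dummy ITF account
is posted alongside real accounts and kept out of production totals.
Criteria, transactions and the ITF entity are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str
    amount: Decimal
    entered_by: str


ITF_ACCOUNT = "ITF-TEST"  # dummy entity used by the integrated test facility (constructed)


@dataclass
class EmbeddedAuditModule:
    """Collects transactions that satisfy any registered auditor criterion."""
    criteria: dict = field(default_factory=dict)    # name -> predicate(Txn) -> bool
    audit_file: list = field(default_factory=list)  # (criterion name, txn), in processing order

    def hook(self, txn):
        for name, predicate in self.criteria.items():
            if predicate(txn):
                self.audit_file.append((name, txn))


def build_eam(large_amount, privileged_users):
    """Register the selection criteria an auditor might set (constructed thresholds)."""
    eam = EmbeddedAuditModule()
    eam.criteria["large"] = lambda t: abs(t.amount) >= large_amount
    eam.criteria["privileged"] = lambda t: t.entered_by in privileged_users
    eam.criteria["itf"] = lambda t: t.account == ITF_ACCOUNT
    return eam


def post_transactions(txns, ledger, eam):
    """Normal posting with the audit hook; returns the count of real (non-ITF) postings."""
    posted = 0
    for t in txns:
        eam.hook(t)  # the audit hook observes every transaction during normal processing
        ledger[t.account] = ledger.get(t.account, Decimal("0")) + t.amount
        if t.account != ITF_ACCOUNT:
            posted += 1
    return posted


def production_total(ledger):
    """Control total over real accounts only; the ITF entity must not contaminate it."""
    return sum((bal for acct, bal in ledger.items() if acct != ITF_ACCOUNT), Decimal("0"))


# Constructed sample transactions, including one keyed to the ITF test entity.
SAMPLE = [
    Txn(1, "A-1", Decimal("100"), "clerk1"),
    Txn(2, "A-2", Decimal("25000"), "clerk2"),     # meets the "large" criterion
    Txn(3, "A-1", Decimal("50"), "dba_admin"),     # entered by a privileged user
    Txn(4, ITF_ACCOUNT, Decimal("999"), "auditor"),  # ITF test transaction
]

if __name__ == "__main__":
    eam = build_eam(Decimal("10000"), {"dba_admin"})
    ledger = {}
    print("posted:", post_transactions(SAMPLE, ledger, eam))
    print("production total:", production_total(ledger))
    for name, t in eam.audit_file:
        print(f"audit file [{name}] txn {t.txn_id} {t.account} {t.amount} by {t.entered_by}")
```

The audit file is write-only from the application's point of view: the hook appends and never reads, and the criteria are owned by the auditor rather than the application team, which is what makes the collected evidence independent of the processing it observes.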
The selection and implementation of continuous audit techniques depends, to a large extent, on the complexity and understanding of an organization's computer systems and applications.