Application Controls


  • 8/10/2019 Aplication Control

    1/15

Application Controls

Presented to the National State Auditors Association 2014 Information Technology Conference

This presentation will walk you through the common application controls and how to audit them.

Application Controls
  Input controls
  Processing controls
  Output controls

Auditing Application Controls
  Data integrity testing
  Testing application systems
  Online auditing techniques


Application controls are controls over input, processing, and output functions.
  Only complete, accurate, and valid data are entered and updated in a computer system
  Processing accomplishes the correct task
  Processing results meet expectations
  Data is maintained

Application controls can be automated or manual. Application controls include:
  Edit tests
  Totals
  Reconciliations
  Identification and reporting of missing or exception data
  Automated controls combined with manual controls


Application controls help ensure data accuracy, completeness, validity, verifiability, and consistency, thus achieving data integrity and reliability.

Application controls ensure:
  System integrity
  System functions as intended
  Information in the system is relevant, reliable, secure, and available as needed

Input or origination controls ensure that every transaction is entered, processed, and recorded accurately and completely.

Types of input controls include:
  Input authorization
  Batch controls and balancing
  Error reporting and handling


Input authorization controls verify that all transactions have been authorized and approved by management.

Input authorization controls:
  Signatures on batch forms or source documents
  Online access controls
  Unique passwords
  Terminal or workstation identification
  Source documents

Batch controls combine input transactions into groups or batches to provide control totals that are matched to the source documents to verify that the entire batch was processed.

Batch controls include:
  Total monetary amount
  Total items
  Total documents
  Hash totals: a total of a field that has no meaning as a number (for example, vendor or account numbers), used only to detect records that were lost, duplicated, or altered between the source documents and the processed batch


Input processing requires that controls be identified to verify that only correct data are accepted into the system.

Input processing control techniques include:
  Transaction logs: detailed listings of all updates, which can be manually maintained or automatically generated through computer logs
  Reconciliation of data: ensures all data are properly recorded and processed
  Documentation: written evidence of control procedures
  Anticipation: user groups anticipate the receipt of data
  Transmittal log: documents the transmission or receipt of data
  Cancellation of source documents: prevents duplicate entry

Input processing also requires that controls be identified to ensure that input errors are recognized and corrected.

Error correction procedures include:
  Logging of errors
  Timely corrections
  Upstream resubmission
  Approval of corrections
  Suspense file
  Error file
  Validity of corrections


Processing procedures and controls are meant to ensure the reliability of application program processing.

Processing procedures and controls include:
  Data validation and edits
  Processing controls
  Data file control procedures

Data validation and edit procedures ensure input data is validated as close to the point of origination as possible.
  Limit check: a benefits check should not exceed a certain amount
  Range check: students registering for a certain grade should be in a certain age range
  Validity check: the zip code matches the state in the address
  Sequence check: the check number being paid matches the range of issued checks


Data validation and edit procedures identify errors, incomplete or missing data, and inconsistencies among related data items, and ensure only accurate data are processed.
  Existence check: a product number matches a product being sold
  Completeness check: all required fields are filled in
  Duplicate check: a duplicate purchase order is identified
  Logical relationship check: the credit card number has been provided if the payment is by credit card
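The eight edit checks listed on the two preceding slides (limit, range, validity, sequence, existence, completeness, duplicate and logical relationship), applied to one input record at the point of entry. This is an added example, not code from the presentation or from any auditee system: the purchase-order record layout, the reference tables (product catalog, issued check range, zip/state prefixes), the limits and the error codes are all assumptions made for illustration.

```python
"""Data validation and edit checks applied at the point of data entry.

Added example (not from the presentation): the record layout, the reference
tables, the limits and the error codes are all assumptions made for illustration.
"""
from decimal import Decimal

# Constructed reference data standing in for the application's master files.
PRODUCT_CATALOG = {"P-100", "P-200", "P-300"}                 # products currently sold
ISSUED_CHECK_RANGE = range(1000, 2000)                         # check numbers issued so far
ZIP_PREFIX_BY_STATE = {"NV": ("889", "89"), "CA": ("9",)}      # hypothetical zip/state table
AMOUNT_LIMIT = Decimal("10000.00")                             # limit check threshold
QUANTITY_RANGE = range(1, 501)                                 # range check bounds
REQUIRED_FIELDS = ("po_number", "product_no", "quantity", "amount",
                   "payment_method", "state", "zip")


def completeness_check(rec):
    return ["missing:" + f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]

def limit_check(rec, seen):
    return ["limit:amount"] if rec["amount"] > AMOUNT_LIMIT else []

def range_check(rec, seen):
    return [] if rec["quantity"] in QUANTITY_RANGE else ["range:quantity"]

def validity_check(rec, seen):
    prefixes = ZIP_PREFIX_BY_STATE.get(rec["state"])
    if prefixes is None or not rec["zip"].startswith(prefixes):
        return ["validity:zip_state"]
    return []

def sequence_check(rec, seen):
    if rec["payment_method"] != "check":
        return []
    return [] if rec.get("check_no") in ISSUED_CHECK_RANGE else ["sequence:check_no"]

def existence_check(rec, seen):
    return [] if rec["product_no"] in PRODUCT_CATALOG else ["existence:product_no"]

def duplicate_check(rec, seen):
    return ["duplicate:po_number"] if rec["po_number"] in seen else []

def logical_relationship_check(rec, seen):
    has_card = bool(rec.get("card_number"))
    return ["logical:card_number"] if (rec["payment_method"] == "card") != has_card else []

EDIT_CHECKS = (limit_check, range_check, validity_check, sequence_check,
               existence_check, duplicate_check, logical_relationship_check)

def validate(rec, seen_po):
    """Run every edit check on one input record.
    Returns the list of error codes; an empty list means the record is accepted
    and its purchase-order number is added to seen_po (the set already accepted)."""
    errors = completeness_check(rec)
    if errors:
        return errors          # the other checks need the required fields to exist
    for check in EDIT_CHECKS:
        errors.extend(check(rec, seen_po))
    if not errors:
        seen_po.add(rec["po_number"])
    return errors

# Constructed sample records.
SAMPLE_GOOD = {"po_number": "PO-1", "product_no": "P-100", "quantity": 10,
               "amount": Decimal("2500.00"), "payment_method": "card",
               "card_number": "4111111111111111", "state": "NV", "zip": "89101"}
SAMPLE_BAD = {"po_number": "PO-2", "product_no": "P-999", "quantity": 0,
              "amount": Decimal("12000.00"), "payment_method": "check",
              "check_no": 2500, "state": "NV", "zip": "10001"}
SAMPLE_INCOMPLETE = {"po_number": "PO-3", "quantity": 5}

if __name__ == "__main__":
    accepted = set()
    for rec in (SAMPLE_GOOD, SAMPLE_GOOD, SAMPLE_BAD, SAMPLE_INCOMPLETE):
        print(rec["po_number"], validate(rec, accepted) or "accepted")
```

Two design points worth noting for an auditor: the completeness check runs first and short-circuits, because a limit or range check against a missing field is meaningless and would itself crash or pass vacuously; and the duplicate check is only satisfied once the whole record has been accepted, so a rejected record does not poison the duplicate list and block its own corrected resubmission.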

Processing controls are meant to ensure the completeness and accuracy of accumulated processed data.
  Edit checks: most of the data validation examples would also work as edit checks
  Manual recalculation: perform a recalculation of a sample of transactions to verify the accuracy of calculations, for example, sales tax
  Run-to-run totals: control totals are maintained through the various stages of processing to verify the completeness of the records
  Exception reports: reports programmatically identify transactions or data that fall outside a predetermined range or do not match other specified criteria
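The batch control totals from the input controls slide (total monetary amount, total items, total documents, hash total) carried run-to-run through the processing stages described above, with an exception report over the posted records. This is an added example, not code from the presentation: the payment batch, the three-stage pipeline (batch header, keyed, posted) and the exception threshold are constructed for illustration. The two failure cases show why the hash total is kept alongside the monetary total: a transposed vendor number leaves every monetary figure balanced and is caught only by the hash total, while a record lost between stages throws off every total.

```python
"""Batch control totals carried run-to-run through processing, plus an exception report.

Added example (not from the presentation): the payment batch, its control
totals, the processing stages and the exception threshold are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Payment:
    document_no: int      # source document number
    vendor_id: int        # summed for the hash total (no meaning as a number)
    amount: Decimal

@dataclass(frozen=True)
class ControlTotals:
    documents: int        # distinct source documents
    items: int            # line items
    monetary: Decimal     # total monetary amount
    hash_total: int       # sum of vendor ids

def control_totals(records):
    recs = list(records)
    return ControlTotals(
        documents=len({r.document_no for r in recs}),
        items=len(recs),
        monetary=sum((r.amount for r in recs), Decimal("0")),
        hash_total=sum(r.vendor_id for r in recs),
    )

def run_to_run_check(expected, records):
    """Compare the totals recomputed after a stage with those carried from the
    previous stage. Returns the names of the totals that do not balance."""
    actual = control_totals(records)
    return [name for name in ("documents", "items", "monetary", "hash_total")
            if getattr(actual, name) != getattr(expected, name)]

def exception_report(records, limit=Decimal("10000.00")):
    """Document numbers of transactions outside the predetermined range:
    non-positive amounts or amounts above the limit."""
    return [r.document_no for r in records if r.amount <= 0 or r.amount > limit]

# Constructed batch: three source documents, four line items.
SOURCE_DOCUMENTS = (
    Payment(1001, 101, Decimal("500.00")),
    Payment(1001, 101, Decimal("250.00")),
    Payment(1002, 202, Decimal("300.00")),
    Payment(1003, 303, Decimal("200.00")),
)
# Totals written on the batch form when the batch was prepared from the source documents.
BATCH_HEADER = control_totals(SOURCE_DOCUMENTS)

# Keyed with a transposed vendor id on document 1002: every amount still
# balances, only the hash total catches it.
KEYED_TRANSPOSED = SOURCE_DOCUMENTS[:2] + (Payment(1002, 220, Decimal("300.00")),) + SOURCE_DOCUMENTS[3:]
# Posted with document 1003 lost between stages.
POSTED_DROPPED = SOURCE_DOCUMENTS[:3]
# Posted with two records outside the predetermined range.
EXCEPTION_SAMPLE = SOURCE_DOCUMENTS + (Payment(1004, 404, Decimal("15000.00")),
                                       Payment(1005, 505, Decimal("0.00")))

def audit_batch(header, keyed, posted):
    """Run-to-run: batch header -> keyed records -> posted records.
    Returns the out-of-balance totals per stage and the exception report."""
    return {
        "keyed": run_to_run_check(header, keyed),
        "posted": run_to_run_check(control_totals(keyed), posted),
        "exceptions": exception_report(posted),
    }

if __name__ == "__main__":
    print("clean run:", audit_batch(BATCH_HEADER, SOURCE_DOCUMENTS, SOURCE_DOCUMENTS))
    print("transposed vendor:", audit_batch(BATCH_HEADER, KEYED_TRANSPOSED, KEYED_TRANSPOSED))
    print("dropped record:", audit_batch(BATCH_HEADER, SOURCE_DOCUMENTS, POSTED_DROPPED))
    print("exceptions:", exception_report(EXCEPTION_SAMPLE))
```

Note that the totals for each stage are compared against the totals carried from the stage before it, not always against the batch header; that is what makes the check run-to-run and lets the auditor localize at which stage a record went missing.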


Data file control procedures ensure that only authorized processing occurs in stored data.
  Data file security: ensures only authorized users have access to alter the data, through either access to the application or direct access to the database
  Source documentation retention: source documents retained for an adequate time period to enable retrieval, reconstruction, and verification of data if necessary
  Version usage: make sure that the correct, current version of a file is being used
  Internal and external labels: use on removable media and files to ensure the correct data is being used
  File updating and maintenance authorizations: ensures that maintenance follows an approved and documented process
  Transaction logs: useful in tracking down which transactions were processed in the event of an error and investigating the cause
  Before-and-after image reporting: useful as a monitoring tool, while not as granular as the transaction log

Output controls are meant to provide assurance that the data delivered to users will be presented, formatted, and delivered in an accurate, consistent, and secure manner.
  Tracking of sensitive output:
    Negotiable instruments
    Confidential or sensitive forms
    Critical forms
  Report distribution control
  Output error handling
  Reconciliation of control counts/totals


The starting point for auditing application controls is identifying significant application components and the flow of information through the system.
  Understand transaction flow
  Assess application risks
  Test user controls
  Test data integrity

The impact of control weaknesses can be evaluated by reviewing available documentation and interviewing appropriate personnel.

An analysis of the transaction flow will allow for an understanding of potential weak points where the controls should be reviewed.
  Points where transactions and data are entered
  Points where transaction calculations are performed
  Points where data transformations occur
  Points where transactions are posted
  Points where databases are updated
  Points where reports are generated
  Points where data are transmitted


A risk assessment can be based on a variety of factors and can assist in focusing your audit on the inherent risks of an application.
  Recent application changes
  Time elapsed since last audit
  Complexity of operations
  Changes in operations/environment
  Transaction volume
  Monetary value of transactions
  Sensitivity of transactions
  Impact of application failure

Key user controls may be directly observed and tested to determine if they are performing as intended.
  Review and testing of access authorizations and capabilities
  Separation of duties
  Error control and correction
  Activity and violation reporting
  Distribution of reports


Data integrity tests examine the accuracy, completeness, consistency, and authorization of data presently held in a system.
  Determine if data validation routines are functioning correctly
  Determine if database tables are properly defined and applying appropriate input constraints and data characteristics
  Ensure referential integrity for primary and foreign keys in tables

Data integrity tests will indicate failures in input or processing controls.

Data integrity testing is a set of substantive tests that examines accuracy, completeness, consistency, and authorization of data presently held in a system.
  Relational integrity tests: performed at the data element and record-based levels, and enforced through data validation routines built into the application or by defining the input condition constraints and data characteristics at the table definition in the database stage
  Referential integrity tests: define the existence of relationships between entities in different tables of a database that need to be maintained by the Database Management System (DBMS)
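The two kinds of data integrity test on the slides above, run against a relational store: relational integrity enforced at the table definition (primary key, NOT NULL, CHECK constraints on the amount and the date format) and referential integrity between the payment and vendor tables. This is an added example using SQLite's built-in module, not code from the presentation: the schema, the sample rows and the choice of constraints are constructed. The last case deliberately opens the database with foreign-key enforcement off, which is SQLite's default, to show that a table that merely declares a foreign key does not guarantee referential integrity; the auditor's orphan query finds what the DBMS was never configured to prevent.

```python
"""Data integrity tests against a relational store.

Added example (not from the presentation), using SQLite: the schema, the
sample rows and the choice of constraints are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE vendor (
    vendor_id INTEGER PRIMARY KEY,
    name      TEXT NOT NULL CHECK (length(name) > 0)
);
CREATE TABLE payment (
    payment_id INTEGER PRIMARY KEY,
    vendor_id  INTEGER NOT NULL REFERENCES vendor(vendor_id),   -- foreign key
    amount     NUMERIC NOT NULL CHECK (amount > 0 AND amount <= 10000),
    paid_on    TEXT NOT NULL
               CHECK (paid_on GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]')
);
INSERT INTO vendor VALUES (101, 'Acme'), (202, 'Globex');
"""

INSERT_PAYMENT = ("INSERT INTO payment (payment_id, vendor_id, amount, paid_on) "
                  "VALUES (?, ?, ?, ?)")

def open_db(enforce_fk=True):
    con = sqlite3.connect(":memory:")
    # SQLite does not enforce foreign keys unless told to; an application
    # that forgets this is exactly what the referential test below is for.
    con.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    con.executescript(SCHEMA)
    return con

def try_insert(con, sql, params):
    """Returns None when the row is accepted, else the DBMS constraint message."""
    try:
        with con:
            con.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        return str(exc)

def orphan_payments(con):
    """Referential integrity test: payments whose vendor does not exist."""
    rows = con.execute(
        "SELECT p.payment_id FROM payment p "
        "LEFT JOIN vendor v ON v.vendor_id = p.vendor_id "
        "WHERE v.vendor_id IS NULL ORDER BY p.payment_id").fetchall()
    return [r[0] for r in rows]

def run_integrity_tests(enforce_fk=True):
    """Exercise each table-level constraint, then look for orphan rows."""
    con = open_db(enforce_fk)
    results = {
        "valid_row":      try_insert(con, INSERT_PAYMENT, (1, 101, 250.00, "2014-06-01")),
        "duplicate_key":  try_insert(con, INSERT_PAYMENT, (1, 101, 250.00, "2014-06-01")),
        "amount_limit":   try_insert(con, INSERT_PAYMENT, (2, 101, 0, "2014-06-01")),
        "date_format":    try_insert(con, INSERT_PAYMENT, (3, 101, 50, "06/01/2014")),
        "unknown_vendor": try_insert(con, INSERT_PAYMENT, (4, 999, 50, "2014-06-01")),
        "orphans":        orphan_payments(con),
    }
    con.close()
    return results

if __name__ == "__main__":
    for enforce in (True, False):
        print("foreign keys enforced:", enforce)
        for name, outcome in run_integrity_tests(enforce).items():
            print("  ", name, "->", outcome)
```

When reading the results, "None" for a constraint case is the finding: it means the DBMS accepted a row the table definition was supposed to reject, which points at a missing or disabled constraint rather than at the input routine.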


In multiuser transaction systems, it is necessary to manage parallel user access to stored data, typically controlled by a DBMS, and to deliver fault tolerance. Of particular importance are four online data integrity requirements known collectively as the ACID principle:
  Atomicity: from a user perspective, a transaction is either completed in its entirety (i.e., all relevant database tables are updated) or not at all
  Consistency: all integrity conditions in the database are maintained with each transaction, taking the database from one consistent state into another consistent state
  Isolation: each transaction is isolated from other transactions, and hence each transaction only accesses data that are part of a consistent database state
  Durability: if a transaction has been reported back to a user as complete, the resulting changes to the database survive subsequent hardware or software failures
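Atomicity and consistency from the ACID slide above, shown on a two-table update. This is an added example using SQLite, not code from the presentation: the ledger schema, the opening balances and the transfer routine are constructed. A transfer touches the account table twice and the journal table twice; the example shows one transfer that commits, one that the no-overdraft rule rejects on its first statement, and one that fails only after the debit has already been applied, so that the rollback has real work to undo. Isolation and durability are properties of the DBMS's locking and journaling configuration and are not demonstrated here.

```python
"""Atomicity and consistency of a multi-table update: the whole transaction
is applied or none of it, and the integrity rules hold after every commit.

Added example (not from the presentation), using SQLite: the ledger schema,
the opening balances and the transfer routine are constructed for illustration.
"""
import sqlite3

class TransferError(Exception):
    """Raised inside the transaction to force a rollback."""

def open_ledger():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE account (
            account_id TEXT PRIMARY KEY,
            balance    INTEGER NOT NULL CHECK (balance >= 0)   -- consistency rule: no overdraft
        );
        CREATE TABLE journal (
            entry_id   INTEGER PRIMARY KEY,
            account_id TEXT NOT NULL REFERENCES account(account_id),
            delta      INTEGER NOT NULL
        );
        INSERT INTO account VALUES ('A', 500), ('B', 100);
    """)
    return con

def transfer(con, src, dst, amount):
    """Debit src, credit dst and journal both legs as one transaction.
    Returns True if committed, False if rolled back."""
    try:
        with con:      # commit on normal exit, rollback on any exception
            con.execute("UPDATE account SET balance = balance - ? WHERE account_id = ?",
                        (amount, src))
            con.execute("INSERT INTO journal (account_id, delta) VALUES (?, ?)",
                        (src, -amount))
            credit = con.execute("UPDATE account SET balance = balance + ? WHERE account_id = ?",
                                 (amount, dst))
            if credit.rowcount != 1:
                # The debit above has already been applied; raising here undoes it.
                raise TransferError("unknown account " + dst)
            con.execute("INSERT INTO journal (account_id, delta) VALUES (?, ?)",
                        (dst, amount))
        return True
    except (sqlite3.IntegrityError, TransferError):
        return False

def balances(con):
    return dict(con.execute("SELECT account_id, balance FROM account ORDER BY account_id"))

def journal_entries(con):
    return con.execute("SELECT COUNT(*) FROM journal").fetchone()[0]

def demo_transfers():
    """Three attempts: one commits, one overdraws, one fails midway."""
    con = open_ledger()
    outcomes = [
        transfer(con, "A", "B", 200),    # commits: A 300, B 300, two journal rows
        transfer(con, "A", "B", 1000),   # overdraft: CHECK fails on the debit, nothing applied
        transfer(con, "A", "Z", 50),     # debit applied, credit finds no row, debit rolled back
    ]
    return outcomes, balances(con), journal_entries(con)

if __name__ == "__main__":
    print(demo_transfers())
```

The audit point is in the third case: without the transaction boundary, the debit of 50 from A and its journal row would have survived the failed credit, leaving the ledger inconsistent with no error reported to the user.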

Testing the effectiveness of application controls involves analyzing computer application programs, testing computer program controls, and selecting and monitoring transactions.

Methods and techniques for testing application systems include:
  Snapshot
  Mapping
  Tracing and tagging
  Test data/deck
  Base case system evaluation
  Parallel operation
  Integrated test facility
  Parallel simulation
  Transaction selection programs
  Embedded audit data collection
  Extended records


Continuous online auditing is becoming increasingly important in today's e-business world.
  Allows IS auditors to monitor the operation of systems on a continuous basis while normal processing takes place, and gather selective audit evidence through the computer
  Cuts down on needless paperwork and leads to the conduct of an essentially paperless audit

There are five types of automated evaluation techniques applicable to continuous online auditing.
  Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
  Snapshots
  Audit hooks
  Integrated test facility (ITF)
  Continuous and intermittent simulation (CIS)


The selection and implementation of continuous audit techniques depends, to a large extent, on the complexity and understanding of an organization's computer systems and applications.

Continuous audit technique                                                  Useful when:
Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)    Regular processing cannot be interrupted
Snapshots                                                                   An audit trail is required
Audit hooks                                                                 Only select transactions or processes need to be examined
Integrated test facility (ITF)                                              It is not beneficial to use test data
Continuous and intermittent simulation (CIS)                                Transactions meeting certain criteria need to be examined
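Three of the continuous audit techniques in the table above, combined in one posting routine: audit hooks select transactions that meet the auditor's criteria, an embedded audit module copies the selected transactions into a SCARF without interrupting regular processing, and a snapshot captures the before and after image of the affected record (the before-and-after image reporting mentioned under data file controls). This is an added example, not code from the presentation or from any auditee system: the transaction stream, the three selection criteria (high value, after hours, first posting to a new account) and the posting routine are constructed for illustration.

```python
"""Embedded audit module (SCARF/EAM) with audit hooks and before/after snapshots,
running inside normal transaction processing without interrupting it.

Added example (not from the presentation): the transactions, the selection
criteria and the posting routine are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    txn_id: int
    user: str
    account: str
    amount: Decimal
    hour: int            # hour of day (0-23) the transaction was entered

@dataclass(frozen=True)
class ScarfEntry:
    txn_id: int
    reasons: tuple       # which audit hooks selected the transaction
    before: dict         # snapshot of the affected record before posting
    after: dict          # snapshot after posting

# Audit hooks: each returns a reason code when the transaction meets its criterion.
def hook_high_value(t, ledger):
    return "HIGH_VALUE" if t.amount > Decimal("5000") else None

def hook_after_hours(t, ledger):
    return "AFTER_HOURS" if not 8 <= t.hour < 18 else None

def hook_new_account(t, ledger):
    return "NEW_ACCOUNT" if t.account not in ledger else None

class EmbeddedAuditModule:
    def __init__(self, hooks):
        self.hooks = hooks
        self.scarf = []          # the Systems Control Audit Review File

    @staticmethod
    def snapshot(ledger, account):
        return {"account": account, "balance": ledger.get(account)}

    def post(self, ledger, t):
        """Normal posting with the audit module embedded: the hooks only
        observe and copy; they never block or alter the transaction."""
        before = self.snapshot(ledger, t.account)
        reasons = tuple(r for r in (h(t, ledger) for h in self.hooks) if r)
        ledger[t.account] = ledger.get(t.account, Decimal("0")) + t.amount   # the application's work
        if reasons:
            self.scarf.append(ScarfEntry(t.txn_id, reasons, before,
                                         self.snapshot(ledger, t.account)))
        return ledger[t.account]

# Constructed transaction stream.
TRANSACTIONS = (
    Txn(1, "alice", "ACC-1", Decimal("120"), 10),
    Txn(2, "bob",   "ACC-1", Decimal("7500"), 11),   # high value
    Txn(3, "carol", "ACC-9", Decimal("50"), 22),     # after hours, new account
    Txn(4, "alice", "ACC-1", Decimal("30"), 17),
)

def run_demo():
    """Post the stream and return the final ledger and the SCARF contents."""
    ledger = {"ACC-1": Decimal("1000")}
    eam = EmbeddedAuditModule([hook_high_value, hook_after_hours, hook_new_account])
    for t in TRANSACTIONS:
        eam.post(ledger, t)
    return ledger, eam.scarf

if __name__ == "__main__":
    ledger, scarf = run_demo()
    print("ledger:", ledger)
    for entry in scarf:
        print("SCARF:", entry)
```

Every transaction is posted regardless of what the hooks decide, which is the property that lets this technique run where regular processing cannot be interrupted; the SCARF is reviewed later, offline, by the auditor.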

    Questions?

    Contact:

    [email protected]
