Chapter 5, 6 & 7 Application Controls

Application controls fall into three categories: input controls, process controls, and output controls. Input controls are designed to ensure transactions are properly authorized, accurately recorded, and not lost, added, duplicated or improperly changed. Process controls monitor the processing of transactions to ensure the correct programs and transactions are used. Output controls work to correct any misstatements detected.

Uploaded by yonas hussen

Chapter 5, 6 & 7

Application Controls
Introduction

• An application is a computer-based system that processes data for a specific business purpose.
• Business applications have the same three basic risks:
  • Confidentiality,
  • Integrity, and
  • Availability
• Application controls fall into three categories:
  • Input controls:
    • Controls at the input stage are primarily preventative.
    • It is generally more cost-effective to prevent errors than to detect and correct them.
  • Process controls:
    • Primarily focused on detecting misstatements.
  • Output controls:
    • Primarily oriented toward correcting misstatements.

Chapter 5

Input Controls

• Input controls are designed to ensure that:
  • Transactions are properly authorized before being processed,
  • Transactions are accurately converted to machine-readable form and recorded,
  • Data files and transactions are not lost, added, duplicated or improperly changed, and
  • Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
• Data input procedures can be either source document-triggered (batch) or direct input (real time).
• Source document input requires human involvement and is prone to clerical errors.
• Direct input employs real-time editing techniques to identify and correct errors immediately.
  • It can significantly reduce the number of errors that enter the system.
• Input controls can be divided into the following broad classes:
  • Source document controls
  • Data coding controls
  • Batch controls
  • Validation controls
  • Input error correction
  • Generalized data input systems

Source Document Controls

• Control must be exercised over physical source documents.
• An individual with access to purchase orders and receiving reports could fabricate a purchase transaction to a nonexistent supplier.
• To control against this type of exposure, the following control procedures must be implemented:
  • Use pre-numbered source documents
  • Use source documents in sequence
  • Periodically audit source documents

Data Coding Controls

• Coding controls are checks on the integrity of data codes used in processing.
• A customer’s account number, an inventory item number, and a chart of accounts number are all examples of data codes.
• One method for detecting coding errors is a check digit.
  • It is a control digit added to the code when it is originally assigned that allows the integrity of the code to be established during subsequent processing.

Batch Controls

• An effective method of managing high volumes of transaction data through a system.
• The objective is to reconcile output produced by the system with the input originally entered into the system.
• Batch controls provide assurance that:
  • All records in the batch are processed.
  • No records are processed more than once.
  • An audit trail of transactions is created from input through processing to the output stage.

Validation Controls

• They are intended to detect errors in transaction data before the data are processed.
• Validation procedures are most effective when they are performed as close to the source of the transaction as possible.
• There are three levels of input validation controls:
  • Field interrogation (cross-examination)
  • Record interrogation
  • File interrogation

Field interrogation

• Programmed procedures that examine the characteristics of the data in the field.
• Some common types of field interrogation:
  • Missing data checks - examine the contents of a field for the presence of blank spaces.
  • Numeric-alphabetic data checks - determine whether the correct form of data is in a field.
  • Zero-value checks - used to verify that certain fields are filled with zeros.
  • Limit checks - determine if the value in the field exceeds an authorized limit.
  • Range checks - assign upper and lower limits to acceptable data values.
  • Validity checks - compare actual values in a field against known acceptable values.
  • Check digit - allows the integrity of the code to be established during subsequent processing.
    • These controls identify keystroke errors in key fields by testing the internal validity of the code.
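The check digit from the data coding slide and the field interrogation checks listed above, combined in one validation routine as an added example that is not part of the original slides. The weighted modulus-11 scheme, the field names, the limits and the sample records are assumptions chosen for illustration; the slides do not name a check-digit algorithm.

```python
import re
from typing import Optional

VALID_TXN_CODES = {"SALE", "RETURN"}  # validity check: acceptable values (assumed)
AMOUNT_LIMIT = 5000.00                # limit check: authorized maximum (assumed)
QTY_RANGE = (1, 500)                  # range check: lower/upper bounds (assumed)

def mod11_check_digit(base: str) -> Optional[str]:
    """Weighted modulus-11 check digit; None means the base code is unusable."""
    weights = range(len(base) + 1, 1, -1)  # 5,4,3,2 for a 4-digit base
    total = sum(int(d) * w for d, w in zip(base, weights))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)

def code_is_valid(code: str) -> bool:
    """Recompute the check digit during processing and compare it."""
    if not re.fullmatch(r"[0-9]{2,}", code):
        return False
    return mod11_check_digit(code[:-1]) == code[-1]

def interrogate_fields(rec: dict) -> list:
    """Return the field checks a raw (string-valued) record fails; [] = accept."""
    errors = [f"missing:{f}" for f in ("account", "txn_code", "quantity", "amount")
              if not str(rec.get(f, "")).strip()]
    if errors:
        return errors  # the remaining checks need every field present
    if not re.fullmatch(r"[0-9]+", rec["quantity"]):
        errors.append("numeric:quantity")
    elif not QTY_RANGE[0] <= int(rec["quantity"]) <= QTY_RANGE[1]:
        errors.append("range:quantity")
    if not re.fullmatch(r"[0-9]+(\.[0-9]{1,2})?", rec["amount"]):
        errors.append("numeric:amount")
    elif float(rec["amount"]) > AMOUNT_LIMIT:
        errors.append("limit:amount")
    if rec["txn_code"] not in VALID_TXN_CODES:
        errors.append("validity:txn_code")
    if not code_is_valid(rec["account"]):
        errors.append("check_digit:account")
    return errors

# Constructed sample batch; the second record has two account digits transposed.
BATCH = [
    {"account": "53724", "txn_code": "SALE", "quantity": "12", "amount": "310.50"},
    {"account": "35724", "txn_code": "SALE", "quantity": "12", "amount": "310.50"},
    {"account": "53724", "txn_code": "VOID", "quantity": "900", "amount": "7200"},
    {"account": "53724", "txn_code": "SALE", "quantity": "1O", "amount": "310.50"},
    {"account": "53724", "txn_code": "SALE", "quantity": " ", "amount": "310.50"},
]
RESULTS = [interrogate_fields(r) for r in BATCH]
```

The transposed account number passes every other field check and is caught only by the check digit, which is why the slides list it separately from the format and range tests.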

Record interrogation

• Procedures that validate the entire record by examining the interrelationship of its field values. Some typical tests are:
  • Reasonableness checks - determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.
  • Sign checks - test whether the sign of a field is correct for the type of record being processed.
  • Sequence checks - used to determine if a record is out of order.

File interrogation

• The purpose is to ensure that the correct file is being processed by the system.
• This is particularly important for master files, which are difficult to replace if destroyed or corrupted.
• Internal label checks - verify that the file processed is the one the program is actually calling for.
• Version checks - verify that the version of the file being processed is correct.
• Expiration date check - prevents a file from being deleted before it expires.

Input Error Correction

• When errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing.
• This is to ensure that errors are dealt with completely and correctly.
• There are three common error handling techniques:
  • Correct immediately,
  • Create an error file, and
  • Reject the entire batch

Generalized Data Input Systems

• Centralized procedures to manage data input for all transaction processing systems.
• A GDIS has five major components:
  • Generalized validation module (GVM) - performs standard validation routines that are common to many different applications.
  • Validated data file - a temporary holding file through which validated transactions flow to their respective applications.
  • Error file - error records detected during validation are stored in this file, corrected, and resubmitted to the GVM.
  • Error reports - standardized error reports are distributed to users to facilitate error correction.
  • Transaction log - a permanent record of all validated transactions.
• The GDIS approach has the following advantages:
  • Improves control by having one common system perform all data validation.
  • Ensures that each application applies a consistent standard for data validation.
  • Improves systems development efficiency.
  • Eliminates the need to recreate redundant routines for each new application.

Chapter 6

Processing Controls

• Processing controls are designed to ensure that:
  • The correct program is used for processing
  • All transactions are processed
  • The correct transactions update files
• Processing controls are divided into three categories:
  • Run-to-run controls
  • Operator intervention controls
  • Audit trail controls

Run-to-Run Controls

• Used to monitor the batch as it moves from one program procedure (run) to another.
• These controls ensure that each run in the system processes the batch correctly and completely.
• Batch control figures may be contained in either a separate control record created at the data input stage or an internal label.

Specific uses of run-to-run control figures are:

• Recalculate control totals - after each run, dollar amount fields and record counts are accumulated and compared to the corresponding values stored in the control record.
• Transaction codes - ensure that only the correct type of transaction is being processed.
• Sequence checks - compare the sequence of each record in the batch with the previous record to ensure that proper sorting took place.
• Example: run-to-run controls in a revenue cycle comprising four runs:
  • Data input, accounts receivable update, inventory update, and output.
  • At the end of the accounts receivable run, batch control figures are recalculated and reconciled with the control totals passed from the data input run.
  • Batch control figures are then passed to the inventory update run, where they are again recalculated, reconciled, and passed to the output run.
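The revenue-cycle example above as runnable code, added here and not part of the original slides: a control record is created at data input and each later run recalculates the totals, checks transaction codes and checks sequence before passing the batch on. The run names follow the slide; the record layout, amounts and the faulty inventory run are constructed for illustration.

```python
from decimal import Decimal

def control_totals(batch):
    """Batch control figures: record count and dollar total."""
    amount = sum((Decimal(r["amount"]) for r in batch), Decimal("0"))
    return {"count": len(batch), "amount": amount}

def reconcile(run, batch, control, expected_code="SALE"):
    """End-of-run checks; returns findings (empty list = batch balances)."""
    findings = []
    actual = control_totals(batch)               # recalculate control totals
    for key in ("count", "amount"):
        if actual[key] != control[key]:
            findings.append(f"{run}: {key} {actual[key]} != control {control[key]}")
    for rec in batch:                            # transaction code check
        if rec["code"] != expected_code:
            findings.append(f"{run}: txn {rec['seq']} has code {rec['code']}")
    for prev, cur in zip(batch, batch[1:]):      # sequence check
        if cur["seq"] <= prev["seq"]:
            findings.append(f"{run}: txn {cur['seq']} out of sequence")
    return findings

def process(batch, runs):
    """Pass batch and control record from run to run; halt on a mismatch."""
    control = control_totals(batch)              # control record from data input
    report = {}
    for name, step in runs:
        batch = step(batch)
        report[name] = reconcile(name, batch, control)
        if report[name]:
            break                                # never pass an unbalanced batch on
    return report

def passthrough(batch):
    return list(batch)

def drops_last(batch):                           # constructed fault: loses a record
    return batch[:-1]

# Constructed sample batch, already sorted by transaction number.
BATCH = [
    {"seq": 101, "code": "SALE", "amount": "250.00"},
    {"seq": 102, "code": "SALE", "amount": "99.95"},
    {"seq": 103, "code": "SALE", "amount": "1200.00"},
]
GOOD = process(BATCH, [("ar_update", passthrough),
                       ("inventory_update", passthrough), ("output", passthrough)])
BAD = process(BATCH, [("ar_update", passthrough),
                      ("inventory_update", drops_last), ("output", passthrough)])
```

In the faulty pipeline the output run never executes, so the incomplete batch cannot reach a report without the mismatch being recorded first.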

Operator Intervention Controls

• Systems sometimes require operator intervention to initiate certain actions, such as:
  • Entering control totals for a batch of records,
  • Providing parameter values for logical operations, and
  • Activating a program from a different point when reentering semi-processed error records.
• Operator intervention increases the potential for human error.
• Systems that limit operator intervention through operator intervention controls are less prone to processing errors.

Audit Trail Controls

• The preservation of an audit trail is an important objective of process control.
• Every transaction must be traceable through each stage of processing from its economic source to its presentation in financial statements.
• Techniques used to preserve audit trails:
  • Transaction logs - every transaction successfully processed should be recorded on a transaction log, which serves as a journal.
  • Log of automatic transactions - all internally generated transactions must be placed in a transaction log.
  • Listing of automatic transactions - to maintain control over automatic transactions processed, the responsible end user should receive a detailed listing of all internally generated transactions.
  • Unique transaction identifiers - each transaction processed must be uniquely identified with a transaction number.
  • Error listing - a list of all error records should go to the appropriate user to support error correction and resubmission.

Chapter 7

Output Controls
Introduction

• Output controls are used to ensure that:
  • System output is not lost, misdirected, or corrupted and that privacy is not violated.
  • Data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities.
• Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems.

Batch Systems Output Controls

• Output in the form of hard copy requires the involvement of intermediaries.
• Output is removed from the printer by the operator, reviewed for correctness by the data control clerk, and then sent to the end user.
• Each stage is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected.

Batch Output Control Techniques

Output Spooling

• In large-scale data-processing operations, output devices such as line printers can become backlogged with many programs at once demanding these limited resources.
• To ease this burden, applications are often designed to direct their output to a magnetic disk file rather than to the printer directly; this is called output spooling.
• Later, when printer resources become available, the output files are printed.
• The creation of an output file as an intermediate step in the printing process presents an added exposure.
• A computer criminal may use this opportunity to perform any of the following unauthorized acts:
  • Access the output file and change critical data values
  • Access the file and change the number of copies
  • Copy the output file to produce illegal reports
  • Destroy the output file before printing takes place
• Auditors should be aware of these potential exposures and ensure that proper access and backup procedures are in place to protect output files.

Print Programs

• Print programs require operator intervention.
• The common types of operator actions are:
  • Pausing the print program to load the correct type of output documents.
  • Entering parameters needed by the print run, such as the number of copies to be printed.
  • Restarting the print run at a prescribed checkpoint after a printer malfunction.
  • Removing printed output from the printer for review and distribution.
• Print program controls are designed to deal with:
  • The production of unauthorized copies of output, and
  • Employee browsing of sensitive data.

Bursting (or separating)

• When output reports are removed from the printer, they go to the bursting stage to have their pages separated and collected.
• The concern is that the bursting clerk may make an unauthorized copy of the report, remove a page from the report, or read sensitive information.
• The primary control against these exposures is supervision.

Waste

• Output waste represents a potential exposure.
• It is important to properly organize aborted reports and the carbon copies from multipart paper removed during bursting.
• Computer criminals have been known to filter through trash cans searching for carelessly discarded output that is presumed by others to be of no value.
• Computer waste is also a source of technical data, such as passwords and authority tables, which a perpetrator may use to access the firm’s data files.

Data Control

• The data control group is responsible for verifying the accuracy of output before it is distributed to users.
• The data control clerk:
  • Reviews the batch control figures for balance;
  • Examines the report body for distorted, illegible, and missing data; and
  • Records the receipt of the report in data control’s batch control log.

Report Distribution

• Risks include reports being lost, stolen, or misdirected in transit to the user.
• Maintaining adequate access control over this file becomes highly important.
• For highly sensitive reports, the following distribution techniques can be used:
  • Reports may be placed in a secure mailbox to which only the user has the key.
  • The user may be required to appear in person at the distribution center and sign for the report.
  • A security officer may deliver the report to the user.

End User Controls

• Output reports should be reexamined for any errors that may have evaded the data control clerk’s review.
• Errors may be signs of improper systems design, incorrect procedures, errors inserted by accident during systems maintenance, or unauthorized access to data files or programs.
• Once a report has served its purpose, it should be stored in a secured location until its retention period has expired.

Real-Time Systems Output Controls

• Real-time systems direct their output to the user’s computer screen, terminal, or printer.
• This eliminates the various intermediaries in the journey from the computer center to the user.
• The primary threats to real-time output are the interception, disruption, destruction, or corruption of the output message as it passes along the communications link.
• These threats come from two types of exposures:
  • Exposures from equipment failure; and
  • Exposures from subversive acts, whereby a computer criminal intercepts the output message transmitted between the sender and receiver.

Questions?

Thank you!
