Professional Documents
Culture Documents
Application controls are controls over input, processing and output functions. They include methods for ensuring that:
Only complete, accurate and valid data are entered and updated in a computer system
Processing accomplishes the correct task
Processing results meet expectations
Data are maintained
Application controls may consist of edit tests, totals, reconciliations, and identification and reporting of incorrect,
missing or exception data. Automated controls should be coupled with manual procedures to ensure proper
investigation of exceptions.
These controls help ensure data accuracy, completeness, validity, verifiability and consistency, thus achieving data
integrity and data reliability. Implementation of these controls helps ensure system integrity, that applicable system
functions operate as intended, and that information contained by the system is relevant, reliable, secure and available
when needed.
Identifying the significant application components and the flow of transactions through the system, and gaining
a detailed understanding of the application by reviewing the available documentation and interviewing
appropriate personnel.
Identifying the application control strengths, and evaluating the impact of the control weaknesses
Developing a testing strategy
Testing the control to ensure their functionality and effectiveness by applying appropriate audit procedures
Evaluating the control environment by analyzing the test results and other audit evidence to determine that
control objectives were achieved
Considering the operational aspects of the application to ensure its efficiency and effectiveness by comparing
the system with efficient system design standards, analyzing procedures used and comparing them to
management’s objectives for the system.
A. INPUT/ ORIGINATION CONTROLS
Input controls procedures must ensure that every transaction to be processed is entered, processed and
recorded accurately and completely. These controls should ensure that only valid and authorized information is
input and that these transactions are only processed once. In an integrated system environment, output
generated by one system is the input for another system.
Therefore, the system receiving the output of another system as input/ origination must in turn apply edit
checks, validations, and access controls to those data.
INPUT AUTHORIZATION
Input authorization verifies that all transactions have been authorized and approved by management.
Authorization of input helps ensure that only authorized data are entered for processing by applications.
Authorization can be performed online at the time when data are entered into the system. A computer-
generated report listing the items requiring manual authorization may also be generated. It is important that
controls exist throughout processing to ensure that the authorized data remain unchanged. This can be
accomplished through various accuracy and completeness checks incorporated into an application’s design.
Page 1
CMPC 323 APPLICATION CONTROLS
Terminal or client workstation identification- used to limit input to specific terminals or workstations in a
network can be configured with a unique form of identification such as serial number or computer name
that is authenticated by the system.
Source documents-
o Make form easy to read and use
o Group like fields together
o Provide predetermined input codes to reduce errors
o Provide identifier or cross-reference number
o Indicate field sizes
o Provide authorization signature if necessary
Batch controls group input transactions to provide control totals. The batch control can be based on total monetary
amount, total items, total documents or hash totals.
Batch header forms are a data preparation control. All input forms should be clearly identified with the application name
and transaction codes. Where possible, preprinted and pre-numbered forms, with transaction identification codes and
other constant data items are recommended. This would help ensure that all pertinent data have been recorded on the
input forms and can reduce data recording/ entry errors.
TOTAL MONETARY AMOUNT (FINANCIAL TOTALS) - verification that the total monetary value of items processed
equals the total monetary value of the batch documents.
TOTAL ITEMS (record counts) - verification that the total number of items includes on each document in the
batch agrees with the total number of items processed.
Hash totals- verification that the total in a batch agrees with the total calculated by the system.
Control Totals: These are totals computed based on the data submitted for processing. Control totals ensure the
completeness of data before and after they are processed. These controls include financial totals, hash totals and record
counts.
Example:
Voucher No. 141 P15,000
Voucher No. 142 20,000
Voucher No. 143 5,000
Transaction log- contains a detailed list of all updates. The log can be either be manually or provided through
automatic computer logging. A transaction log can be reconciled to the number of source documents received
to verify that all transactions have been input.
Reconciliation of data- controls whether all data received are properly recorded and processed
Documentation- written evidence of user, data entry and data control procedures
Page 2
CMPC 323 APPLICATION CONTROLS
o Field Check: This ensures that the input data agree with the required field format
o Limit or Range Check: Valid numbers are below or between a maximum value. E.g., checks should not
exceed $3,000
o Validity Check or Table Lookup: Only certain values are accepted: Sex=M/F.
o Reasonableness Check: Values entered are reasonable: A takeout order of 100 pizzas???
o Existence Check: Required fields are entered correctly.
o Key Verification: Input is double checked via second person OR all digits are entered twice.
o Check Digit: A digit may verify the correct entry of other digits.
o Completeness Check: Complete input is provided: zeros or spaces are checked for each required letter
or digit
o Duplicate Check: Duplicate transactions or transactions with duplicate IDs are checked for and rejected.
o Consistency or Logical Relationship Check: Data is consistent with other known data: An employee’s
birth date must be at least 16 years ago.
PROCESSING CONTROLS
Processing controls are meant to ensure the completeness and accuracy of accumulated data. They would endure data
in a file/database remain complete and accurate until changed as a result of authorized processing or modification
routines. The following are processing control techniques that can be used to address the issues of completeness and
accuracy of accumulated data:
Manual recalculations- a sample of transactions may be recalculated manually to ensure that processing
is accomplishing the anticipated task.
Editing- an edit check is a program instruction or subroutine that tests the accuracy, completeness and
validity of data. It may be used to control input or later processing of data
Run-to-run totals- provide the ability to verify data values through the stages of application processing.
Run-to-run total verification ensures that data read into the computer were accepted and then applied
to the updating process
Reasonableness verification of calculated amounts- application programs can verify reasonableness of
calculated amounts. The reasonableness can be tested to ensure appropriateness to predetermined
criteria. Any transaction that is determined to be unreasonable may be rejected pending further review.
Limit checks on amounts- an edit check can provide assurance, through the use of predetermined limits,
that amounts have been keyed or calculated correctly. Any transaction exceeding the limit may be
rejected for further investigation.
Page 3
CMPC 323 APPLICATION CONTROLS
Reconciliation of file totals- reconciliation of file totals should be performed on a routine basis.
Reconciliations may be performed through the use of a manually maintained account, a file control
record or an independent control file.
Exception reports- an exception report is generated by a program that identifies transactions or data
that appear to be incorrect. These items may be outside a predetermined range or may not conform to
specified criteria.
Prerecorded Input: Certain information fields are preprinted on a blank input form to reduce input errors.
Data File Security: Ensures authorized access only
Version usage: The correct version of a file is always accessed
Transaction Logs: An audit trail records date/time of input, user ID and terminal location, and input transactions
Before and After Image Reporting: File data is recorded before and after processing, enabling traces to occur based on
transactions
Parity Checking: When data is transmitted, check codes are added to ensure data is transmitted without error.
Batch Processing
Error reporting & handing: All error reports are properly reconciled and authorizations/corrections are submitted in a
timely manner.
One-for-One Checking: Source Documents correctly describe the processing that has occurred
Source document retention: Source documents are retained as necessary for error handling and audits.
Internal & External Labeling: Removable storage media is labeled to ensure correct processing
C. OUTPUT CONTROLS
Output controls are designed to provide reasonable assurance that the results of processing are complete, accurate, and
that these output are distributed only to authorized personnel
A person who knows what an output should look like must review the CIS output for reasonableness. Control totals are
compared with those computed prior to processing to ensure completeness of information. Finally, CIS outputs must be
restricted only to authorized employees who will be using such output.
Page 4
CMPC 323 APPLICATION CONTROLS
Output error handling- procedures for reporting and controlling errors contained in the application program
output should be established. The error report should be timely and delivered to the originating department for
review and error correction.
Output error retention- a record retention schedule should be adhered to firmly. Any governing legal
regulations should be included in the retention policy
Verification of receipt of reports- to provide assurance that sensitive reports are properly distributed, the
recipient should sign a log as evidence of receipt of output.
Page 5