INTRODUCTION TO APPLICATION CONTROLS

Session objectives

To revise the relationship between general and application controls.

To explain the importance of application controls.

To identify the roles and responsibilities of application users.

To examine how the external financial auditor can place reliance on a client's application controls.

General Controls

General controls ensure the integrity of the systems as a whole, including an application run on the systems and the data files they produce.

General Controls

Usually incorporate:

- Change Management Process
- Source code/Document version control procedures
- Software development life cycle standards
- Security Policies, Standards and Processes
- Incident Management Policies and Procedures
- Technical Support Policies and Procedures
- Hardware/Software configuration, installation, testing, management standards, policies and procedures
- Disaster Recovery/Backup and Recovery Procedures

Application Controls

Definition for Application

A program or group of programs designed for end users. Software can be divided into two general classes: systems software and applications software.

Systems software consists of low-level programs that interact with the computer at a very basic level. This includes operating systems, compilers, and utilities for managing computer resources.

Definition for Application

In contrast, applications software (also called end-user programs) includes database programs, word processors, and spreadsheets.

Figuratively speaking, applications software sits on top of systems software because it is unable to run without the operating system and system utilities.

Application Behavior Chart

While most functional bugs are the result of missing functionality, most security bugs are the result of extra functionality.

What are Application Controls?

Application controls are used to ensure the completeness, accuracy and validity of accounting records/transactions.

Controls are applied at each stage:

- Input
- Processing
- Output

Application Controls

The control objectives remain the same.

Application controls can automate control procedures previously carried out by finance personnel.

Trend is towards more automated systems.

Application controls = manual + automated

Types of Application Control

File integrity controls

Application security controls

Data input controls

Processing controls

Output controls

Masterfile and Standing Data controls

Application Users

Owner

Administrator

Normal users

Application Owner

A senior user

Ultimate responsibility for an application

Not involved in the detailed running of the application

Delegates day to day duties

Application Administrator

Tasks include:

- Ensuring logical access controls work as intended and are up to date
- Checking that the application is backed up
- Resolving user queries
- Identification, monitoring and reporting of problems
- Documentation storage and distribution
- Liaison with IT department, other system users and the software supplier.

Part of the IT function or part of finance?

Ordinary everyday users

These account for the vast majority of application users.

They use the application as a tool to meet business goals.

They are trained on how to use the application in relation to their jobs.

Application categorisation

Batch data entry systems

Batch data entry with on-line enquiry

Batch processing with on-line enquiry

Real time systems

External audit reliance on application controls

The auditor should adopt an efficient and effective audit approach.

The auditor should obtain an understanding of the systems, and internal controls.

May include reliance on the system of internal controls, which may be IT based.

If controls cover audit objectives and are likely to be robust the auditor may carry out compliance tests.

Compliance test audit programmes

Programmes normally include:

- a description of the control
- the evidence that we expect to obtain
- the extent of planned testing
- what will constitute a control failure
- how many such failures can be tolerated.

Evidence of compliance tests

Evidence of the controls in operation may be in the form of access control lists, automated user authorisation limits, security logs, change request forms etc.

Obtained by using a combination of:

- Observation
- Enquiry
- Examination
- Sampling

(Computer assisted audit techniques)

Problems with computer controls

Evidence of an automated control having been applied.

Many application controls are preventative in nature.

Spans of computer control.

Fear of the hacker, or the "intelligent" thief.

Computer controls are frequently preventative.

Application Controls Audit Programme

1.

How much controls testing?

Based largely on a combination of audit judgement and "statistics".

Judgement affected by:

- the frequency of control
- the degree of reliance to be placed on the control
- source/nature of evidence
- continuous nature of the control
- the importance of the control (and transactions)