06. The Nature and Evaluation of Application Controls
06.02. Types of Application Controls
Briefly reflect on the following before we begin:
- How do input application controls contribute to the accuracy and reliability of data entered in an IS?
- What is an example of where processing application controls are essential?
- How would an IS Auditor go about selecting samples during an audit?
- How do input, processing, and output controls work together to ensure the overall effectiveness of an organization’s IS?
In this section, we will categorize application controls based on their function in the data processing cycle to help us better understand how each type contributes uniquely to maintaining data accuracy and reliability. At a high level, the objective of application controls is to ensure that:
- Input data is accurate, complete, authorized, and correct.
- Data is processed as intended in an acceptable time period.
- Data stored is accurate and complete.
- Outputs are accurate and complete.
- A record is maintained to track the process of data from input to storage and to the eventual output.
Correspondingly, the primary five categories of application controls are as follows:
- Input Controls – These controls verify the integrity of data inputted into a business application. This data can be entered directly, remotely, or through a web-enabled application or interface. The purpose of these checks is to confirm that the data stays within the set parameters.
- Processing Controls – These controls are designed to verify that the processing of the input data is complete, accurate, and authorized in a timely manner.
- Output Controls – These controls focus on processing the data and aim to validate the output by comparing it with the expected outcome, ensuring that the results align with the original input.
- Integrity Controls – These controls monitor processed data and data at rest for integrity and accuracy.
- Management Trail – These controls allow management to trace transactions and events from their inception to their final output and vice versa. They also evaluate the efficiency of other control mechanisms and pinpoint errors as near to their origin as feasible.
For all practical purposes, the commonly used types of application controls are input, processing, and output application controls. Hence, we will focus on these three types of application controls in this chapter.
Before we dive deeper into each of the three categories, it is essential to recognize that more than understanding these controls in isolation is required. Organizations gain synergy when all three types of application controls are used harmoniously to optimize the control environment. A failure in a kind of control can impact others, compromising the entire data processing cycle. Hence, this interconnectivity is vital. In the final part of this section, we will examine how these controls work together to create a robust control environment.
Input Controls: Validation and Verification Techniques
Input controls stand as the first line of defence in safeguarding data quality. They are crucial for validation and verification as they ensure data’s accuracy, completeness, and authenticity as it enters a system.
Validation ensures that the data entering the system meets predefined criteria. It checks for accuracy and completeness. For example, an age field in a form should not accept negative numbers or unrealistically high numbers. Verification, conversely, is about ensuring the data’s authenticity. It involves rechecking the data entered into the system. One standard method is double data entry, where the same data is entered twice by different individuals or at other times, and any discrepancies are flagged for review. Given this dual focus, input controls are pivotal in preventing errors at the source, which, if unchecked, can lead to cascading issues throughout the data processing lifecycle.
Error detection and correction are also integral to input controls. Corrective measures must be taken when errors are detected to ensure data integrity. For instance, an online form might highlight fields with incorrect entries, prompting the user to correct them before submission. This proactive approach to error management enhances data quality and reduces the workload of subsequent control processes. Input controls also play a vital role in maintaining the overall quality of data within an information system. Poorly designed or implemented input controls can lead to accurate, complete, and trustworthy data, which can have far-reaching implications for the organization. Decisions based on such data can lead to operational inefficiencies, financial losses, and even legal and compliance issues.
Let’s explore some types of input controls commonly used by organizations:
| Control Domain | Brief Definition | Underlying Risk | Control Example |
|---|---|---|---|
| Field Checks | Verifies the data type of an input. | Incorrect data type entry resulting in data processing errors. | Ensuring a numeric field accepts only numbers. |
| Form Checks | Confirm that data is entered in the correct format. | Misformatted data entry resulting in inaccurate data processing. | Date fields require a specific format like MM/DD/YYYY. |
| Range Checks | Ensures data falls within a predefined range. | Entry of implausible values resulting in unrealistic or erroneous outputs. | The age field is restricted between 18 and 99. |
| Limit Checks | Checks for data exceeding a specific limit. | Excessively high or low values result in skewed results or processing errors. | Purchase orders are within a set budget limit. |
| Validity Checks | Verifies whether data is reasonable and logical. | Only logical or valid data entry results in reliable outputs and decision-making. | The zip code field matches known valid zip codes. |
| Completeness Checks | Ensures all required data fields are entered. | Missing data results in incomplete records, leading to processing errors. | Mandatory fields in a registration form. |
| Check Digits | Adds a digit to numbers to validate their authenticity. | Transcription errors result in misdirected or lost transactions. | Check the digit in a bank account number. |
| Duplication Checks | Prevents entering the same information more than once. | Duplicate records resulting in inflated or erroneous data. | Alerting if a customer tries to register twice with the same email. |
| Sequence Checks | Verifies data is in a proper sequence. | Out-of-order data entry resulting in chronological errors in processing. | Ensuring invoices are numbered sequentially. |
| Cross-Field Validation | Compares data entered in one field against another. | Inconsistent data entries resulting in data integrity issues. | Total cost equals quantity multiplied by unit price. |
| Preformatted Screens | Guides data entry with a specific layout. | Incorrect or misaligned data entry resulting in errors in data interpretation. | Standard templates for data entry. |
| Transactional Totals | Summarizes numerical data for verification. | Incomplete or incorrect data batches resulting in errors in batch data processing. | Totalling the amount in a batch of sales transactions. |
| Error Prompts | Alerts users to incorrect data entries immediately. | Unnoticed data entry errors resulting in downstream processing errors. | Prompt when an invalid email format is entered. |
| Input Authorization | Ensures only authorized personnel enter data. | Unauthorized data entry resulting in data integrity and security breaches. | Manager approval is needed for entering high-value transactions. |
| Batch Controls | Manages data processing in groups for verification. | Errors in batch processing resulting in compromised data integrity in batches. | Tracking the number of items processed in a batch against expected counts. |
Despite their importance, input controls must be balanced with user experience. Overly stringent controls can lead to frustration and reduced productivity. The challenge lies in designing controls that are effective yet user-friendly. This balance is ever-evolving with technological changes, user behaviour, and organizational needs.
Processing Controls: Data Transformation and Calculation Controls
Processing controls in application systems are designed to ensure data integrity during its transformation, processing, revision, and calculation. These controls are tasked with safeguarding the accuracy and consistency of data as it undergoes various operations. Their role is crucial; any mishap in this phase can lead to significant errors in the final output, affecting decision-making and organizational operations. These controls encompass a wide range of mechanisms designed to oversee the accuracy and integrity of data processing. This includes verifying that calculations are performed accurately, data is stored correctly, and subsequent operations are executed as intended.
The former is becoming increasingly prevalent in automated versus manual processing controls. Automated controls offer advantages in terms of speed, accuracy, and efficiency. However, they also require careful design and regular monitoring to ensure they function as intended. While more labour-intensive, manual controls still play a role in situations where human judgment is essential.
Let’s explore some types of processing controls commonly used by organizations:
| Control Domain | Brief Definition | Underlying Risk | Control Example |
|---|---|---|---|
| Automated Error Detection | Automatically identifies and flags errors in data processing. | Risk of undetected errors in processing resulting in inaccurate data output. | System alerting to mismatches in account reconciliation. |
| Transaction Matching | Ensures related transactions are correctly matched. | Risk of unmatched transactions resulting in financial discrepancies. | Matching purchase orders with corresponding invoices. |
| Workflow Authorization | Requires specific approvals for certain processing steps. | Risk of unauthorized transactions resulting in fraud or policy violations. | Manager approval is needed to process refunds over a certain amount. |
| Logical Access Controls | Restrict processing functions to authorized users. | Risk of unauthorized access resulting in data breaches or manipulation. | Only allowing payroll staff to process payroll transactions. |
| Data Integrity Checks | Verifies data remains unchanged during processing. | Risk of altered data during processing resulting in compromised decision-making. | The system checks to ensure sales data remains consistent through processing. |
| Audit Trail Maintenance | Tracks changes to data throughout the processing phase. | Risk of untracked changes resulting in inability to trace errors or fraud. | Logging all modifications made to financial records. |
| Exception Reporting | Flags transactions that fall outside normal parameters. | Risk of overlooked anomalies resulting in unaddressed errors or irregularities. | Generating alerts for unusually large transactions. |
| Duplication Checks | Prevents processing the same transaction multiple times. | Risk of duplicate processing resulting in financial and operational inefficiencies. | System alerts if the same invoice number is entered more than once. |
| Reconciliation Procedures | Matches processed data with source documents. | Risk of data mismatches resulting in inaccurate financial reporting. | Reconciling bank statements with ledger entries. |
| Automated Calculations Verification | Checks the accuracy of system calculations. | Risk of incorrect calculations resulting in erroneous decision-making. | The system recalculates total sales and compares them with manual calculations. |
| Sequence Control | Ensures transactions are processed in the correct order. | Risk of out-of-sequence processing resulting in data inconsistency. | Verifying chronological order in transaction processing. |
| Input/Output Control | Matches input data with output data to ensure accuracy. | Risk of input-output mismatches resulting in erroneous reports. | Comparing input sales figures with output sales reports. |
| Processing Limits | Sets thresholds for transaction processing. | Risk of exceeding processing limits resulting in operational and financial risks. | Limiting the number of transactions an employee can process in a day. |
| Version Control | Manages updates to the software to ensure consistency. | Risk of using outdated software versions resulting in compatibility and security issues. | Track and update to the latest version of the financial software. |
| Integrity Controls | Ensures the integrity of processing operations and data. | Risk of compromised data integrity resulting in unreliable system outputs. | Regular system checks to validate the integrity of the sales database. |
Processing controls can either save or endanger an organization. A small error in a processing control can lead to significant financial losses or operational disruptions. On the other hand, well-designed and effectively implemented controls can enhance the efficiency, accuracy, and reliability of data processing operations. Hence, monitoring and evaluating the effectiveness of these controls is a continuous process. It involves regular audits and reviews to ensure the controls operate as expected and remain relevant to the current processing environment. This monitoring is crucial, especially in today’s rapidly changing technological landscape, where new risks and challenges emerge constantly.
Output Controls: Data Presentation and Reporting Controls
Output controls ensure that the data exiting the system is as accurate and reliable as when entered. They are the final checkpoint in the data processing cycle. They are responsible for the integrity and security of data outputs, which include reports, electronic data transfers, and other forms of data dissemination. After data has been processed, it must be presented correctly and securely. Output controls are designed to verify that the data presented or reported is accurate, complete, and in the correct format. They are also responsible for ensuring that the data is only accessible to authorized users, maintaining its confidentiality and security.
Output control design plays a significant role in ensuring data integrity. Design considerations include user accessibility, data formatting, and clear and understandable language. The design must ensure that the data is accurate, usable, and meaningful to the intended audience. This includes considering the layout and presentation of reports, ensuring they are clear and free from ambiguity
Let’s explore some types of output controls commonly used by organizations:
| Control Domain | Brief Definition | Underlying Risk | Control Example |
|---|---|---|---|
| Review & Reconciliation of Output Reports | Compares output data with source data for accuracy. | Risk of uncorrected inaccuracies in output resulting in flawed decision-making. | Comparing monthly sales reports with daily sales logs. |
| Output Distribution Controls | Manages who receives output data. | Risk of unauthorized access to data resulting in security breaches. | Restricting access to financial performance reports to senior management only. |
| Output Encryption | Protects data integrity and confidentiality during transmission. | Risk of data interception during transmission resulting in information leakage. | Encrypting email attachments containing sensitive company performance data. |
| Error Reporting Mechanisms | Enables reporting of discrepancies in output data. | Risk of unreported errors in output resulting in continued use of erroneous data. | The mechanism for employees to report mistakes found in payroll slips. |
| Audit Trails of Output Data | Tracks access to output data. | Risk of unmonitored access resulting in unauthorized use or alteration of data. | Logging who accessed and downloaded annual financial reports. |
| Printout Management | Secure handling and disposal of printed reports. | Risk of sensitive information leaks from printed materials resulting in data breaches. | Secure shredding of printed confidential client lists. |
| Electronic Data Interface (EDI) Controls | Ensures accuracy and security in EDI transactions. | Risk of EDI inaccuracies resulting in flawed business transactions. | Verifying the accuracy of EDI transmitted sales orders to suppliers. |
| User Access Logs for Output Retrieval | Tracks who retrieves output data. | Risk of unauthorized data retrieval resulting in data misuse or theft. | Monitoring who downloads customer data reports from the system. |
| Data Integrity Verifications Post-Output | Ensures data consistency after processing. | Risk of post-processing data alterations resulting in unreliable data. | Regular checks to ensure exported sales data matches system records. |
| Automated Output Alerts | Notifies relevant personnel of critical data outputs. | Risk of overlooked necessary outputs resulting in delayed responses. | Alerts to finance when monthly expenditures exceed budgets. |
| Backup and Recovery Procedures | Ensures output data can be recovered in case of system failure. | Risk of data loss due to system failure resulting in operational disruptions. | Regular backups of sales databases to prevent data loss. |
| Version Management | Keeps track of different versions of output reports. | Risk of using outdated information resulting in misinformed decisions. | Maintaining version history for quarterly sales performance presentations. |
| Confidentiality Measures | Protects sensitive information in output documents. | Risk of data breaches due to exposed sensitive information in outputs. | Masking customer personal details in publicly shared sales reports. |
| Output Formatting Controls | Ensures output data is presented in a consistent and understandable format. | Risk of misinterpretation due to poorly formatted data resulting in incorrect conclusions. | Standardizing the format of financial statements for clarity and consistency. |
| Timeliness Controls | Ensures output data is generated and distributed promptly. | Risk of outdated information due to delayed outputs resulting in missed opportunities. | Weekly sales summaries are provided and available every Monday morning. |
However, output controls face challenges, especially in data presentation and reporting. One challenge is maintaining the balance between accessibility and security. While it is essential to ensure that data is easily accessible to authorized users, protecting it from unauthorized access is equally important. Another challenge is adapting to different users’ diverse needs and preferences, requiring a flexible approach to data presentation. Best practices in output control management include regular audits and updates based on changes in system requirements or user needs. Regular audits help identify any weaknesses or inefficiencies in the output controls. At the same time, updates ensure that the controls remain relevant and effective in changing technologies and business environments.
Evaluating the Interplay Between Different Types of Application Controls
The different types of application controls discussed in the previous section do not operate in isolation. Their effectiveness is intrinsically linked, creating a unified shield that safeguards data throughout its lifecycle in the system. Input controls ensure that data entering the system is accurate and valid, setting the stage for effective data processing. With precise input data, processing controls to maintain data integrity during operations like calculations and transformations would be protected. Similarly, output controls rely on the accuracy and integrity of data held by input and processing controls to ensure that the final data presented or reported is correct and secure.
Overemphasis on one type of control at the expense of others can lead to vulnerabilities in the system. For example, focusing solely on input controls without adequate processing and output controls might prevent initial errors but expose the system to issues during data processing or when data is exported or reported. Conversely, robust output controls cannot compensate for weaknesses in input or processing controls. This balance between the three types of application controls also shows how failures in one kind of control can have a domino effect, leading to system-wide issues. On the flip side, seamless integration of these controls can lead to improved system reliability and performance.
From an auditor’s perspective, evaluating the interplay of these controls is a critical part of assessing an organization’s information system. This evaluation involves looking at each type of control in isolation and understanding how they work together to protect the system. It includes assessing the design and implementation of these controls and testing them under various scenarios to ensure their collective effectiveness. Similarly, from management’s perspective, continuous improvement is a crucial aspect of managing the interplay between different types of application controls. This involves regular assessments to ensure the controls function as intended and align with the current operational environment and technological landscape. It requires a proactive approach, where potential issues are anticipated and addressed before they can impact the system.
In the Spotlight
For additional context on the nature of application controls, please read the article titled “IT Application Controls and the Benefits of Automation” [opens a new tab].
SafePAAS. (2023, November). IT application controls and the benefits of automation. https://www.safepaas.com/articles/it-application-controls-and-the-benefits-of-automation/
Key Takeaways
Let’s recap the key concepts discussed in this section by watching this video.
Source: Mehta, A.M. (2023, December 6). AIS OER ch 06 topic 02 key takeaways [Video]. https://youtu.be/ycHFnCej5_Q
Knowledge Check
Review Questions
- What is the primary purpose of input validation in application controls?
- Why are logic checks important in processing controls?
- What critical method is used in output controls to maintain data accuracy?
- Why is evaluating the interplay between input, processing, and output controls important?
These controls allow management to trace transactions and events from their inception to their final output and vice versa.
Input controls that verify the data type of an input.
Confirm that data is entered in the correct format.
Input controls that ensure data falls within a predefined range.
Checks for data exceeding a specific limit.
Verifies whether data is reasonable and logical.
Input controls that ensure all required data fields are entered.
Input control method that adds a digit to numbers to validate their authenticity.
Controls that prevent entering the same information more than once in input and processing stages.
Compares data entered in one field against another.
Guides data entry with a specific layout.
Summarizes numerical data for verification.
Input control mechanism that alerts users to incorrect data entries immediately.
Ensures only authorized personnel enter data.
Automatically identifies and flags errors in data processing.
Ensures related transactions are correctly matched.
Restrict processing functions to authorized users.
Verifies data remains unchanged during processing.
Tracks changes to data throughout the processing phase.
Processing controls that flag transactions falling outside normal parameters.
Processing controls that match processed data with source documents.
Sets thresholds for transaction processing.
Manages updates to the software to ensure consistency.
Output controls that manage who receives output data.
Protects data integrity and confidentiality during transmission.
Enables reporting of discrepancies in output data.
Tracks access to output data.
Secure handling and disposal of printed reports.
Ensures accuracy and security in EDI transactions.
Tracks who retrieves output data.
Notifies relevant personnel of critical data outputs.
Ensures output data can be recovered in case of system failure.
Ensures output data is presented in a consistent and understandable format.
Ensures output data is generated and distributed promptly.
