GTAG 8 - Auditing Application Controls-21

This document outlines common application controls and suggested tests for input controls, access controls, file transmission controls, and data transmission controls. It provides examples of controls such as data validation checks, authorization and approval rights, automated segregation of duties, and file completeness checks. Suggested tests are also provided to evaluate the effectiveness of each control, such as conducting reasonableness tests of financial values, reviewing user access rights, and observing transmission reports.

Uploaded by

Muhammad Usman

GTAG – Appendices – 6

Appendix A: Common Application Controls and Suggested Tests

The following outlines common application controls and suggested tests for each control. The table was provided by the AXA Group.17

Input Controls

These controls are designed to provide reasonable assurance that data received for computer processing is appropriately authorized and converted into a machine-sensible form and that data is not lost, suppressed, added, duplicated, or improperly changed. Computerized input controls include data checks and validation procedures such as check digits, record counts, hash totals, and batch financial totals, while computerized edit routines — which are designed to detect data errors — include valid character tests, missing data tests, sequence tests, and limit or reasonableness tests. Input controls and suggested tests are identified in the table below.
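The batch-level and record-level input controls named above can be seen working together in the following added example, which is not part of the original guide. The Luhn check-digit scheme, the field names and the 10,000.00 limit are assumptions, and the sample batch is constructed.

```python
# Added illustration; all records and totals below are constructed samples.
from decimal import Decimal

def luhn_ok(number):
    """Check-digit test. Luhn is an assumed scheme; the page names none."""
    if not number.isdigit():              # valid character test
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_batch(records, header, limit=Decimal("10000.00")):
    """Return (seq, reason) exceptions; an empty list means the batch passes."""
    errors = []
    # Batch-level controls: recompute the totals and compare with the header.
    if len(records) != header["record_count"]:
        errors.append((None, "record count mismatch"))
    accounts = [int(r["account"]) for r in records if r["account"].isdigit()]
    if sum(accounts) != header["hash_total"]:
        errors.append((None, "hash total mismatch"))
    if sum(Decimal(r["amount"]) for r in records) != Decimal(header["financial_total"]):
        errors.append((None, "batch financial total mismatch"))
    # Record-level edit routines: sequence, check digit, limit.
    expected = header["first_seq"]
    for r in records:
        if r["seq"] != expected:
            errors.append((r["seq"], f"sequence gap, expected {expected}"))
        expected = r["seq"] + 1
        if not luhn_ok(r["account"]):
            errors.append((r["seq"], "check digit failed"))
        if not Decimal("0") < Decimal(r["amount"]) <= limit:
            errors.append((r["seq"], "amount outside limit"))
    return errors

SAMPLE_RECORDS = [
    {"seq": 1, "account": "12345674", "amount": "250.00"},
    {"seq": 2, "account": "79927398713", "amount": "1200.50"},
    {"seq": 4, "account": "12345678", "amount": "50000.00"},
]
SAMPLE_HEADER = {"first_seq": 1, "record_count": 3,
                 "hash_total": 79952090065, "financial_total": "51450.50"}
```

The header totals match the sample batch, so only the third record is reported; dropping a record without updating the header trips all three batch-level controls instead.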

Input and Access Controls


These controls ensure that all input transaction data is accurate, complete, and authorized.
Domain: Data checks and validation
Control:
• Reasonableness and limit checks on financial values.
• Format and required field checks; standardized input screens.
• Sequence checks (e.g., missing items), range checks, and check digits.
• Cross checks (e.g., certain policies are only valid with certain premium table codes).
• Validations (e.g., stored table and drop-down menu of valid items).
Possible Tests:
• Conduct a sample test of each scenario.
• Observe attempts to input incorrect data.
• Determine who can override controls.
• If table driven, determine who can change edits and tolerance levels.

Domain: Automated authorization, approval, and override
Control:
• Authorization and approval rights (e.g., of expenses or claim payments or credit over a certain threshold) are allocated to users based on their roles and their need to use the application.
• Override capability (e.g., approval of unusually large claims) is restricted by the user’s role and need to use the application by management.
Possible Tests:
• Conduct tests based on user access rights.
• Test access privileges for each sensitive function or transaction.
• Review access rights that set and amend configurable approval and authorization limits.

Domain: Automated segregation of duties and access rights
Control:
• Individuals who set up approved vendors cannot initiate purchasing transactions.
• Individuals who have access to claims processing should not be able to set up or amend a policy.
Possible Tests:
• Conduct tests based on user access rights.
• Review access rights that set and amend configurable roles or menu structures.

Domain: Pended items
Control:
• Aging reports showing new policy items with incomplete processing are reviewed daily or weekly by supervisors.
• Pending files where there is insufficient information available to process transactions.
Possible Tests:
• Review aging results and evidence of supervisor review procedures.
• Walk through a sample of items to and from the aging report or pending file.
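A test "based on user access rights" for the segregation-of-duties controls above can be run over an export of role definitions and user assignments. The following is an added example, not part of the original guide; the permission names, roles and users are hypothetical and the data is constructed.

```python
# Added illustration: segregation-of-duties test over constructed access data.

# Conflicting pairs, modeled on the two examples in the table above.
CONFLICTS = [
    ("vendor.setup", "purchase.initiate"),
    ("claims.process", "policy.setup"),
    ("claims.process", "policy.amend"),
]

# Constructed role definitions and user assignments (hypothetical names).
ROLE_PERMS = {
    "procurement_admin": {"vendor.setup", "vendor.view"},
    "buyer": {"purchase.initiate", "vendor.view"},
    "claims_handler": {"claims.process"},
    "underwriter": {"policy.setup", "policy.amend"},
    "approval_config": {"limits.amend"},
}
USER_ROLES = {
    "alice": ["buyer"],
    "bob": ["procurement_admin", "buyer"],
    "carol": ["claims_handler", "underwriter"],
    "dave": ["claims_handler", "approval_config"],
}

def effective_perms(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES[user]:
        perms |= ROLE_PERMS[role]
    return perms

def sod_violations():
    """Users whose combined roles grant both sides of a conflicting pair."""
    found = []
    for user in sorted(USER_ROLES):
        perms = effective_perms(user)
        for a, b in CONFLICTS:
            if a in perms and b in perms:
                found.append((user, a, b))
    return found

def holders(permission):
    """Who can exercise a sensitive function, e.g. amend approval limits."""
    return sorted(u for u in USER_ROLES if permission in effective_perms(u))
```

No single role here contains a conflict; the violations only appear once roles are combined per user, which is why the test works on effective permissions rather than on role definitions alone.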

File and Data Transmission Controls


These controls ensure that internal and external electronically transmitted files and transactions are received from an identified source
and processed accurately and completely.
Domain: File transmission controls
Control:
• Checks for completeness and validity of content, including date and time, data size, volume of records, and authentication of source.
Possible Tests:
• Observe transmission reports and error reports.
• Observe validity and completeness parameters and settings.
• Review access to set and amend configurable parameters on file transfers.

Domain: Data transmission controls
Control:
• Application of selected input controls to validate data received (e.g., key fields, reasonableness, etc.).
Possible Tests:
• Test samples of each scenario.
• Observe attempts to input incorrect data.
• Determine who can override controls.
• If table driven, determine who can change edits and tolerance levels.
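The file transmission checks listed above (date and time, data size, volume of records, authentication of source) can be implemented on the receiving side as shown in this added example, which is not part of the original guide. The manifest layout, the per-source pre-shared key with HMAC-SHA256 and the 24-hour window are assumptions; the file content is constructed.

```python
# Added illustration: receiver-side file transmission checks (constructed data).
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: one pre-shared key per identified source; the value is a sample.
SOURCE_KEYS = {"PAYROLL-SYS": b"constructed-demo-key"}
MAX_AGE = timedelta(hours=24)

def control_tag(key, manifest, payload):
    """HMAC-SHA256 over the manifest fields and the file content."""
    fields = "|".join(str(manifest[k]) for k in ("source", "created", "size", "records"))
    return hmac.new(key, fields.encode() + b"\n" + payload, hashlib.sha256).hexdigest()

def check_transmission(manifest, payload, now):
    """Return the list of failed checks; an empty list means accept the file."""
    failures = []
    key = SOURCE_KEYS.get(manifest["source"])
    # The tag covers the content too, so any altered file also fails this check.
    if key is None or not hmac.compare_digest(
            control_tag(key, manifest, payload), manifest["tag"]):
        failures.append("authentication of source")
    created = datetime.fromisoformat(manifest["created"])
    if not timedelta(0) <= now - created <= MAX_AGE:
        failures.append("date and time")
    if len(payload) != manifest["size"]:
        failures.append("data size")
    if len(payload.splitlines()) != manifest["records"]:
        failures.append("volume of records")
    return failures

def build_manifest(source, payload, created):
    """Sender side, included only so the sample is self-contained."""
    m = {"source": source, "created": created.isoformat(),
         "size": len(payload), "records": len(payload.splitlines())}
    m["tag"] = control_tag(SOURCE_KEYS[source], m, payload)
    return m

SAMPLE_FILE = b"1001,250.00\n1002,1200.50\n1003,75.25\n"   # constructed
SENT_AT = datetime(2024, 1, 15, 2, 0, tzinfo=timezone.utc)
SAMPLE_MANIFEST = build_manifest("PAYROLL-SYS", SAMPLE_FILE, SENT_AT)
```

The returned failure list corresponds to what an auditor would expect to see on the transmission error report for a rejected file.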

17 Taken from AXA Group’s Common Application Controls and Suggested Testing.
