
Session 9 - ACR 1 Ver 2

The document discusses application controls, which are controls within applications that safeguard assets and maintain data integrity. It covers the objectives and agenda of an application control review session. The session will cover input, process, and output controls. Input controls discussed include authorization controls, validation of completeness and correctness, and different types of input controls like source document controls, data coding controls, batch controls, and validation controls.

Technology and Security

Risk Services

Session 9
Application Control Review
Part 1

for Universitas Padjadjaran


EDP Audit – S1 Accounting

IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. Public Lecture (IT Governance)
6. General Computer Control Review (2)
7. General Computer Control Case Study
8. Mid-semester Exam
9. Application Control Review (1)
10. Application Control Review (2)
11. Data Analysis Approach
12. Application Control Case Study
13. IT Audit Integration
14. IT Security
15. IT Risk Management & ERP Systems
16. Final Exam

Module Objectives
• Gain an understanding of IT Application Controls
• Understand what is included in IT Application Controls

Agenda session 4

• Application Controls Overview


• Input Controls
• Process Controls
• Output Controls

Application Control Review

Overview
Application controls definition:
Application controls are controls that exist within the application to safeguard assets, maintain data integrity, and achieve their objectives efficiently and effectively.

Focus on quality aspects


- Correctness
- Timeliness
- Completeness
- Confidentiality
- Auditability

Page 6 4 January 2003
• Application controls are programmed procedures designed to deal with potential exposures that threaten specific applications, such as payroll, purchases, and cash disbursement systems.
• Application Controls
– Input controls
– Processing controls
– Output controls
• James A Hall

Classification

Application controls

Input

Processing

Output

Access Controls

How?
[Diagram labels: Application Program Library; Program Settings / Program Routine; Input; Process; Output; Verification; Database]

Access Control Review
Parallel Simulation (Process Integrity)
Chapter 17. Code Review, Code Comparison and Test Data (Process Integrity)
Chapter 18. Concurrent Auditing Techniques (incl. Embedded audit module)
Chapter 19. Interviews, Questionnaires, and Control Flowcharts

Access control review
Input Control - Authorization

Module       A  B  C  D
Manager      P  P  P  P
Supervisor   A  A  A  A
Clerk1       E  E  x  x
Clerk2       x  x  E  E

E: Entry, A: Approve, P: Posting
Verified to User Authorization Forms

Input Controls

Authorization of data entry
Rules set within the system to identify:
WHO can perform WHAT on WHICH data and HOW.

Authorization process
• Identification: user name, account number, password
• Authentication: objects, personal characteristics
• Authorization: resources, action allowed

Input controls

• Authorization
• Validation of input on
– completeness
– correctness
– auditability

Classes of Input Controls
• Source of document controls
• Data coding controls
• Batch controls
• Validation controls
• Input error correction
• Generalized data input systems

Input Controls
Source Document Controls
– Controls exercised over physical source documents in systems that use them to initiate transactions.
– Source document fraud can be used to remove assets from the organization.
– The organization must implement control procedures over source documents:
• Use prenumbered source documents
• Use source documents in sequence
• Periodically audit source documents

May 23, 2023


Input Controls
Data coding controls
– Check on the integrity of data codes used in processing
– Examples:
• Customer’s account numbers
• Inventory item number
• Chart of accounts number
– Types of errors that can corrupt data codes:
• Transcription errors
• Single transposition errors
• Multiple transposition errors

• Transcription error types:
– Addition errors
• An extra digit or character is added to the code
– Inventory item 83276 is recorded as 832766
– Truncation errors
• A digit or character is removed from the end of a code
– Inventory item 83276 is recorded as 8327
– Substitution errors
• The replacement of one digit in a code with another
– Inventory item 83276 is recorded as 83266

• Single transposition errors
– When two adjacent digits are reversed
• Inventory item 83276 is recorded as 38276
• Multiple transposition errors
– When nonadjacent digits are reversed
• Inventory item 83276 is recorded as 87236

• Check Digits
– Method for detecting data coding errors
– Control digit(s) added to the code when it is originally assigned, allowing the integrity of the code to be established during subsequent processing
– The check digit can be located anywhere in the code: prefix, suffix, or embedded somewhere in the middle
– Example
• 5372
• 5+3+7+2 = 17
• 53727 becomes the customer's account number

• Popular method is modulus 11 – find it !!
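
The sum-of-digits method above, compared with a weighted modulus 11 check digit on the coding errors listed on the earlier slides. This is an added example, not part of the original slides; the modulus 11 variant used (weights 2, 3, 4, ... from the rightmost digit, with 10 written as X) is one common convention and is an assumption here, as are the function names.

```python
# Added illustration. Weighting convention and function names are assumptions.

def sum_check_digit(base: str) -> str:
    """Slide method: add the digits, keep the units digit (5+3+7+2 = 17 -> 7)."""
    return str(sum(int(d) for d in base) % 10)

def mod11_check_digit(base: str) -> str:
    """Weighted modulus 11: weights 2, 3, 4, ... from the rightmost digit."""
    total = sum(w * int(d) for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)  # 10 does not fit in one digit

def is_valid(code: str, scheme) -> bool:
    """Recompute the check digit from the base and compare with the suffix."""
    base, check = code[:-1], code[-1]
    return base.isdigit() and scheme(base) == check

def error_detected(original: str, keyed: str, scheme) -> bool:
    """A clerk keys a wrong base followed by the check digit of the original."""
    return not is_valid(keyed + scheme(original), scheme)

# Coding errors from the slides, all applied to inventory item 83276.
SLIDE_ERRORS = {
    "addition": "832766",
    "truncation": "8327",
    "substitution": "83266",
    "single transposition": "38276",
    "multiple transposition": "87236",
}

def detection_table(original: str = "83276") -> dict:
    """Map each error type to (caught by digit sum, caught by modulus 11)."""
    return {
        name: (error_detected(original, keyed, sum_check_digit),
               error_detected(original, keyed, mod11_check_digit))
        for name, keyed in SLIDE_ERRORS.items()
    }

if __name__ == "__main__":
    print("5372 ->", "5372" + sum_check_digit("5372"), "or", "5372" + mod11_check_digit("5372"))
    for name, (by_sum, by_mod11) in detection_table().items():
        print(f"{name:24} digit sum: {by_sum!s:6} modulus 11: {by_mod11}")
```

A plain digit sum is unchanged when digits swap places, so both transposition errors pass it; the position weights are what let modulus 11 catch them.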

Correctness of data entry
• Fixed format (number of decimals)
• Check/control number (batch total)
• Check/control number (hash total)
• Transaction limits
• List of possible input

Input Controls
Batch Controls
– Effective method of managing high volumes of transaction data through a system
• All records in the batch are processed
• No records are processed more than once
• An audit trail of transactions is created from input through processing to the output stage of the system

Batch and hash totals - completeness

Material   Price      Amount
100        f 10       1.000
200        f 50       10.000
200        f 100      20.000
200        f 3.000    600.000
300        f 2.000    600.000
1.000      f 5.160    1.231.000

2 631
800
Batch totals   Hash total

Completeness of data entry
• Continuously numbered batch
• Number of processed lines
• Check totals on field level
– Batch totals
– Hash totals
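
The completeness checks above (continuous numbering, number of lines, batch total, hash total) applied to the five lines of the slide's table, as an added example that is not part of the original slides. Treating the Amount sum as the batch total and the Material sum as the hash total is an assumption, and the document numbers 1 to 5 are constructed.

```python
from collections import Counter

# Slide figures as (document no., material, price, amount).
# Document numbers are constructed; the slide does not show them.
RECORDS = [
    (1, 100, 10, 1_000),
    (2, 200, 50, 10_000),
    (3, 200, 100, 20_000),
    (4, 200, 3_000, 600_000),
    (5, 300, 2_000, 600_000),
]

def control_totals(records):
    """Totals written on the batch header before data entry."""
    return {
        "record_count": len(records),
        "batch_total": sum(r[3] for r in records),  # financial field: amount
        "hash_total": sum(r[1] for r in records),   # non-financial field: material
    }

def reconcile(header, records):
    """Return the list of control failures for a keyed batch."""
    failures = []
    actual = control_totals(records)
    for name, expected in header.items():
        if actual[name] != expected:
            failures.append(f"{name}: expected {expected}, got {actual[name]}")
    counts = Counter(r[0] for r in records)
    duplicates = sorted(doc for doc, n in counts.items() if n > 1)
    if duplicates:
        failures.append(f"duplicate documents: {duplicates}")
    if counts:  # continuous numbering: no gap between first and last document
        missing = sorted(set(range(min(counts), max(counts) + 1)) - set(counts))
        if missing:
            failures.append(f"missing documents: {missing}")
    return failures

HEADER = control_totals(RECORDS)

if __name__ == "__main__":
    # Line 2 re-keyed with a different material and price but the same amount:
    # the batch total still agrees, only the hash total exposes the change.
    tampered = [RECORDS[0], (2, 100, 100, 10_000)] + RECORDS[2:]
    print(reconcile(HEADER, tampered))
```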

Input Controls
• Validation Controls
– Input validation controls are intended to detect errors in transaction data before data is processed.
– Levels of input validation controls
• Field interrogation
– Missing data checks
– Numeric-alphabetic data checks
– Zero value checks
– Limit checks
– Range checks
– Validity checks
– Check digits

Validation of input

[Diagram labels: Validation; Completeness; Authorized; Auditability; Correct data; Error file; Error report; Correction of errors]

Input Controls
– Record interrogation
• Reasonableness checks
• Sign checks
• Sequence checks

– File interrogation
• Internal label checks
• Version checks
• Expiration date checks
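
One way to code the field interrogation checks listed earlier, routing rejected transactions to an error file as in the validation flow. This is an added example, not from the original slides; the field names, the limit and range thresholds and the sample transactions are constructed, and the valid account numbers are the ones that appear on the audit trail slide.

```python
import re

VALID_ACCOUNTS = {"103", "500", "506"}  # validity check: accounts from the audit trail slide
AMOUNT_LIMIT = 1_000_000                # limit check (assumed ceiling)
QTY_RANGE = (1, 999)                    # range check (assumed bounds)

def field_errors(txn):
    """Apply the field interrogation checks to one keyed transaction."""
    errors = []
    for name in ("account", "quantity", "amount"):
        value = txn.get(name, "").strip()
        if not value:
            errors.append(f"{name}: missing data")
        elif not re.fullmatch(r"-?[0-9]+", value):
            errors.append(f"{name}: not numeric")
    if errors:
        return errors  # the remaining checks need clean numbers
    quantity, amount = int(txn["quantity"]), int(txn["amount"])
    if amount == 0:
        errors.append("amount: zero value")
    if amount > AMOUNT_LIMIT:
        errors.append("amount: over limit")
    if not QTY_RANGE[0] <= quantity <= QTY_RANGE[1]:
        errors.append("quantity: out of range")
    if txn["account"].strip() not in VALID_ACCOUNTS:
        errors.append("account: not a valid account")
    return errors

def validate_batch(batch):
    """Split a batch into correct data and an error file with reasons."""
    correct, error_file = [], []
    for txn in batch:
        errors = field_errors(txn)
        if errors:
            error_file.append((txn, errors))  # held for correction and re-entry
        else:
            correct.append(txn)
    return correct, error_file

# Constructed sample input; the third account contains the letter O, not a zero.
SAMPLE_BATCH = [
    {"account": "103", "quantity": "2", "amount": "1000000"},
    {"account": "500", "quantity": "", "amount": "454000"},
    {"account": "5O6", "quantity": "1", "amount": "50000"},
    {"account": "999", "quantity": "1000", "amount": "0"},
    {"account": "506", "quantity": "1", "amount": "1000001"},
]
```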

More Input Controls Examples
• Field Check (length, type)
• Sequence check
• Matching check
• Range or Limit check

QUIZ
Explain!!
The meaning of Application Controls
• Source of document controls
• Data coding controls
– Transcription control
– Check digits
• Batch controls
– Batch and Hash controls
• Validation controls
• Input error correction

Process Controls

Process controls
Categories of Processing Controls :
(and most important controls)
– Run-to-run totals
• (network of checksums)
– Audit trail
• Logging (watch completeness!!)
– Operator Intervention Controls
• Checkpoint / restart facilities

Run-to-Run Controls
• Ensure that each run in the system processes the batch correctly and completely.
• Specific run-to-run controls are
– Recalculate Control Totals
• After each major process, the totals are recalculated and compared to the corresponding values stored in the control record
– Transaction Codes
• The transaction code of each record in the batch is compared to the transaction code contained in the control record
– Sequence Checks
• Compares the sequence of each record in the batch to the previous record to ensure that proper sorting took place
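
The three run-to-run controls above, re-applied after every run of a small pipeline so that a defective run is caught before the next one starts. This is an added example, not from the original slides; the record layout, the SALE transaction code, the amounts and the two sample runs are all constructed.

```python
# Constructed batch and its control record (hypothetical layout and values).
BATCH = [
    {"seq": 3, "code": "SALE", "amount": 350},
    {"seq": 1, "code": "SALE", "amount": 330},
    {"seq": 2, "code": "SALE", "amount": 300},
]
CONTROL = {"code": "SALE", "count": 3, "total": 980}

def run_checks(control, records):
    """Transaction code, sequence and control total checks for one run's output."""
    problems = []
    previous = None
    for rec in records:
        if rec["code"] != control["code"]:
            problems.append(f"seq {rec['seq']}: unexpected transaction code {rec['code']}")
        if previous is not None and rec["seq"] <= previous:
            problems.append(f"seq {rec['seq']}: out of sequence")
        previous = rec["seq"]
    if len(records) != control["count"]:
        problems.append("record count differs from control record")
    if sum(r["amount"] for r in records) != control["total"]:
        problems.append("control total differs from control record")
    return problems

def sort_run(records):
    """First run: sort the batch into sequence."""
    return sorted(records, key=lambda r: r["seq"])

def faulty_update_run(records):
    """Second run with a simulated defect that silently drops the last record."""
    return records[:-1]

def pipeline(control, records, runs):
    """Run each step, then recheck its output against the control record."""
    for run in runs:
        records = run(records)
        problems = run_checks(control, records)
        if problems:
            return run.__name__, problems  # halt: later runs must not see a bad batch
    return None, []

if __name__ == "__main__":
    print(pipeline(CONTROL, BATCH, [sort_run, faulty_update_run]))
```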

Process Control - Run to run totals

[Figure: POS SALES APPLICATION and ACCOUNTING / GL APPLICATION]
Process steps: Record Sales; Calculate Discount and PPN; Creating Sub Ledger; General Ledger Posting; Summarizing
Outputs: Sales Report; Consolidated Sales Report; Sub Ledger Journal; General Ledger Account; Financial Statement Account

Sales Report: POS 1: Sales Net 305, Discount (5), PPN 30, Total POS 1 330; POS 2 300; POS 3 350; POS 4 330; POS 5 250; Total Sales 1540; Total Transaction 4500; Total POS 5
Consolidated Sales Report: Sales Net 1700, Discount (300), PPN 140, Total Sales 1540; Total Transaction 4500; Total POS 5
Sub Ledger Journal: Cash 1540, Discount 300, PPN 140, Sales 1700; Sales Product 1 1000, Sales Product 2 700; Total Transaction 4500
General Ledger Account: 100 Cash 1540; 201 Deferred PPN (140); 500 Sales (1700); 503 Discount 300
Financial Statement Account: 100 Cash 1500; 201 Deferred PPN (140); 300 Inventory: Beginning 1000, Add 1000, Subtract 1700, Ending (300)

Audit Trail Controls
• Audit trail is an important objective of process control.
• In an accounting system, every transaction must be traceable through each stage of processing from its economic source to its presentation in financial statements.

Auditability of data entry

Audit trail: recording of


• Identity source and/or person of entry
• Date and time of entry
– Medium of entry
– Account or record that is changed
– Fixed data that is changed
– Details of entry
– Sequence number of data entry batch

Process Control - Audit trail

Audit Trail
No.  UserID  Input           Amount     Account No.  Source DocID
1.   1002    12:03-09-11-01  1,000,000  103          31.232.212-5
2.   1005    13:15-09-10-01  454,000    500          31.232.211-7
3.   1050    09:40-09-11-01  (50,000)   506          12.342.423-4

User Master File
No.  UserID  Name   Function
1.   1002    Darma  Cashier
2.   1005    Rudy   Cashier
3.   1050    Hamdi  Assistant Mgr

Other – Interfaces among systems

[Figure: POS SALES APPLICATION and ACCOUNTING / GL APPLICATION, with interface points marked "Int"]
Process steps: Record Sales; Calculate Discount and PPN; Creating Sub Ledger; General Ledger Posting; Summarizing
Outputs: Sales Report; Consolidated Sales Report; Sub Ledger Journal; General Ledger Account; Financial Statement Account

Output Controls

Output Controls
• Ensure that the system output is not lost, misdirected, or corrupted and that privacy is not violated
• Controlling Batch Systems Output
– Output spooling
– Print programs
• Controlling Real-time systems output
– Primary threat: interception, disruption, destruction or corruption of the output message as it passes along the communication links
– Risk: equipment failure & subversive acts

Output controls
• Outline
– Integrity
– Format
– Distribution
– Storage media

Output integrity

• Batch control
• File identification
• Selection criteria
• Date / time / sequence number report
• Page number incl. Mark for last page

Format of output

• Financial report format
• Classification on particular information such as branch, inventory type, etc.
• Company’s logo, sign off, etc.

Distribution controls
• Distribution Register or Log
• Restricting Information (filtering)
• Encryption of sensitive information
• Specially protected print paper

Output Control - Distribution

Module       A  B  C  D
Manager      A  A  A  A
Supervisor   P  P  P  P
Clerk1       V  V  V  -
Clerk2       -  V  V  V

A: All, V: View, P: Print
Verified to User Authorization Form

Storage media
Choices of media :
– Diskette
– Hard disk
– Disk tape
– Compact disk, etc

Points to remember
• Application controls are there to safeguard assets, maintain data integrity, and achieve their objectives efficiently and effectively.
• There are three types of application controls: input, process, output.
• Application controls have to be combined with user controls to work properly.
• Important because the data processed in the application is the basis for the financial statements.


Question and Answer


Thank You
