Validity Checks: Processing Controls


(ii) System development controls

The other general controls referred to in ISA 315 cover the areas of system software acquisition, development and maintenance; program change; and application system acquisition, development and maintenance.

System software refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:

Controls over application development, such as good standards over the system design and program writing, good documentation, testing procedures (eg use of test data to identify program code errors, pilot running and parallel running of old and new systems), as well as segregation of duties so that operators are not involved in program development

Controls over program changes to ensure no unauthorised amendments and that changes are adequately tested, eg password protection of programs, comparison of production programs to controlled copies and approval of changes by users

Controls over installation and maintenance of system software: many of the controls mentioned above are relevant, eg authorisation of changes, good documentation, access controls and segregation of duties.

Application controls, comprising input, processing, output and master file controls established by an audit client, over its computer-based accounting system

APPLICATION CONTROLS

Application controls are those controls (manual and computerised) that relate to the transaction and standing data pertaining to a computer-based accounting system. They are specific to a given application and their objectives are to ensure the completeness and accuracy of the accounting records and the validity of entries made in those records. An effective computer-based system will ensure that there are adequate controls existing at the input, processing and output stages of the computer processing cycle and over standing data contained in master files. Application controls need to be ascertained, recorded and evaluated by the auditor as part of the process of determining the risk of material misstatement in the audit client's financial statements.

Input controls

Control activities designed to ensure that input is authorised, complete, accurate and timely are referred to as input controls. Dependent on the complexity of the application program in question, such controls will vary in terms of quantity and sophistication. Factors to be considered in determining these variables include cost considerations and confidentiality requirements with regard to the data input. Input controls common to most effective application programs include on-screen prompt facilities (for example, a request for an authorised user to log in) and a facility to produce an audit trail allowing a user to trace a transaction from its origin to its disposition in the system.

Specific input validation checks may include:

Format checks
These ensure that information is input in the correct form. For example, the requirement that the date of a sales invoice be input in numeric format only, not numeric and alphanumeric.

Range checks
These ensure that information input is reasonable and in line with expectations. For example, where an entity rarely, if ever, makes bulk-buy purchases with a value in excess of $50,000, a purchase invoice with an input value in excess of $50,000 is rejected for review and follow-up.

Compatibility checks
These ensure that data input from two or more fields is compatible. For example, a sales invoice value should be compatible with the amount of sales tax charged on the invoice.

Validity checks
These ensure that the data input is valid. For example, where an entity operates a job costing system, costs input to a previously completed job should be rejected as invalid.

Exception checks
These ensure that an exception report is produced highlighting unusual situations that have arisen following the input of a specific item. For example, the carry forward of a negative value for inventory held.

Sequence checks
These facilitate completeness of processing by ensuring that documents processed out of sequence are rejected. For example, where pre-numbered goods received notes are issued to acknowledge the receipt of goods into physical inventory, any input of notes out of sequence should be rejected.

Control totals
These also facilitate completeness of processing by ensuring that pre-input, manually prepared control totals are compared to the control totals of the data actually input. For example, non-matching totals of a batch of purchase invoices should result in an on-screen user prompt, or the production of an exception report for follow-up. The use of control totals in this way is also commonly referred to as an output control (see below).

Check digit verification
This process uses algorithms to ensure that data input is accurate. For example, internally generated valid supplier numerical reference codes should be formatted in such a way that any purchase invoice input with an incorrect code will be automatically rejected.

Processing controls

Processing controls exist to ensure that all data input is processed correctly and that data files are updated accurately and in a timely manner. The processing controls for a specified application program should be designed and then tested prior to live running with real data. These may typically include the use of run-to-run controls, which ensure that the integrity of cumulative totals contained in the accounting records is maintained from one data processing run to the next; for example, the balance carried forward on the bank account in a company's general (nominal) ledger. Other processing controls should include the subsequent processing of data rejected at the point of input, for example:

A computer-produced print-out of rejected items.
Formal written instructions notifying data processing personnel of the procedures to follow with regard to rejected items.
Appropriate investigation/follow-up with regard to rejected items.
Evidence that rejected errors have been corrected and re-input.

Output controls

Output controls exist to ensure that all data is processed and that output is distributed only to prescribed authorised users. While the degree of output controls will vary from one organisation to another (dependent on the confidentiality of the information and the size of the organisation), common controls comprise:

Use of batch control totals, as described above (see input controls).
Appropriate review and follow-up of exception report information to ensure that there are no permanently outstanding exception items.
Careful scheduling of the processing of data to help facilitate the distribution of information to end users on a timely basis.
Formal written instructions notifying data processing personnel of prescribed distribution procedures.
Ongoing monitoring by a responsible official of the distribution of output, to ensure it is distributed in accordance with authorised policy.
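The edit checks and the check digit verification described above, as an added example that is not part of the original text: a Python validator over a constructed batch of purchase invoices applies format, range, compatibility, sequence and check-digit checks item by item, then compares the keyed batch total with the manually prepared control total and writes the failures to an exception report. The modulus-11 weighting, the 20% tax rate and the invoice field names are assumptions made for illustration.

```python
from datetime import date

TAX_RATE = 0.20                # assumed sales-tax rate used by the compatibility check
RANGE_LIMIT = 50_000.00        # the $50,000 bulk-purchase threshold from the article
WEIGHTS = (7, 6, 5, 4, 3, 2)   # modulus-11 weights for a 6-digit supplier code (assumed scheme)

def check_digit(base: str) -> str:
    """Modulus-11 check digit; distinct adjacent weights make any transposition change it."""
    total = sum(int(d) * w for d, w in zip(base, WEIGHTS))
    rem = (11 - total % 11) % 11
    return "X" if rem == 10 else str(rem)

def valid_supplier_code(code: str) -> bool:
    """Check digit verification: six digits followed by the digit computed from them."""
    return len(code) == 7 and code[:6].isdigit() and check_digit(code[:6]) == code[6]

def validate_invoice(inv: dict, expected_grn: int) -> list:
    """Run the edit checks on one keyed invoice; the result names every failed check."""
    failed = []
    d = inv["date"]
    try:                                          # format check: numeric YYYYMMDD, a real date
        if len(d) != 8 or not d.isdigit():
            raise ValueError
        date(int(d[:4]), int(d[4:6]), int(d[6:]))
    except ValueError:
        failed.append("format")
    if not valid_supplier_code(inv["supplier"]):  # check digit verification
        failed.append("check digit")
    if inv["net"] > RANGE_LIMIT:                  # range check: held for review, not accepted
        failed.append("range")
    if abs(inv["tax"] - round(inv["net"] * TAX_RATE, 2)) > 0.005:   # compatibility check
        failed.append("compatibility")
    if inv["grn"] != expected_grn:                # sequence check on pre-numbered GRNs
        failed.append("sequence")
    return failed

def process_batch(batch: list, manual_total: float, manual_count: int, last_grn: int = 0):
    """Item checks, then batch control totals. Returns (accepted invoice numbers, exception report)."""
    accepted, exceptions = [], []
    expected_grn = last_grn + 1
    for inv in batch:
        failed = validate_invoice(inv, expected_grn)
        if "sequence" not in failed:
            expected_grn = inv["grn"] + 1
        if failed:
            exceptions.append(f"invoice {inv['no']}: rejected ({', '.join(failed)})")
        else:
            accepted.append(inv["no"])
    keyed_total = round(sum(i["net"] for i in batch), 2)   # total of what was actually keyed
    if keyed_total != round(manual_total, 2) or len(batch) != manual_count:
        exceptions.append(f"control totals differ: keyed {keyed_total}/{len(batch)}, manual {manual_total}/{manual_count}")
    return accepted, exceptions

# Constructed batch: clean; supplier 1234560 keyed as 1234650; over the range limit; bad date and GRN out of sequence.
SAMPLE_BATCH = [
    {"no": "P1", "date": "20240315", "supplier": "1234560", "net": 1200.00, "tax": 240.00, "grn": 101},
    {"no": "P2", "date": "20240315", "supplier": "1234650", "net": 800.00, "tax": 160.00, "grn": 102},
    {"no": "P3", "date": "20240316", "supplier": "9876545", "net": 62000.00, "tax": 12400.00, "grn": 103},
    {"no": "P4", "date": "2024031", "supplier": "9876545", "net": 300.00, "tax": 60.00, "grn": 105},
]
```

Calling `process_batch(SAMPLE_BATCH, 64300.00, 4, last_grn=100)` accepts only P1 and reports the transposed supplier code, the over-limit invoice and the malformed, out-of-sequence one; a manual total that does not match the keyed total adds a control-total line to the report.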
Master file controls

The purpose of master file controls is to ensure the ongoing integrity of the standing data contained in the master files. It is vitally important that stringent security controls should be exercised over all master files.

These include:
appropriate use of passwords, to restrict access to master file data
the establishment of adequate procedures over the amendment of data, comprising appropriate segregation of duties, and authority to amend being restricted to appropriate responsible individuals
regular checking of master file data to authorised data, by an independent responsible official
processing controls over the updating of master files, including the use of record counts and control totals.

Application controls

These are manual or automated procedures that typically operate at a business process level and apply to the processing of transactions by individual applications. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records.

Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)).

Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories:

(i) Input controls
Examples include batch control totals and document counts, as well as manual scrutiny of documents to ensure they have been authorised. An example of the operation of batch controls using accounting software would be the checking of a manually produced figure for the total gross value of purchase invoices against that produced on screen when the batch-processing option is used to input the invoices. This total could also be printed out to confirm that the totals agree.

The most common example of programmed controls over the accuracy and completeness of input are edit (data validation) checks, where the software checks the data fields included on transactions by performing:
reasonableness check, eg net wage to gross wage
existence check, eg that a supplier account exists
character check, eg that there are no alphabetical characters in a sales invoice number field
range check, eg no employee's weekly wage is more than $2,000
check digit, eg an extra character added to the account reference field on a purchase invoice to detect mistakes such as transposition errors during input.

When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg 'Supplier account number does not exist'.

(ii) Processing controls
An example of a programmed control over processing is a run-to-run control. The totals from one processing run, plus the input totals from the second processing run, should equal the result from the second processing run. For instance, the beginning balances on the receivables ledger plus the sales invoices (processing run 1) less the cheques received (processing run 2) should equal the closing balances on the receivables ledger.

(iii) Output controls
Batch processing matches input to output, and is therefore also a control over processing and output. Other examples of output controls include the controlled resubmission of rejected transactions, or the review of exception reports (eg the wages exception report showing employees being paid more than $1,000).

(iv) Master files and standing data controls
Examples include one-for-one checking of changes to master files, eg customer price changes are checked to an authorised list. A regular printout of master files such as the wages master file could be forwarded monthly to the personnel department to ensure employees listed have personnel records.

Application controls refer to the transactions and data relating to each computer-based application system and are, therefore, specific to each such application. The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the records and the validity of the entries made therein.

Application controls are controls over the input, processing, and output functions. From the 30,000 foot view they include things like:
Ensure the input data is complete, accurate and valid
Ensure the internal processing produces the expected results
Ensure the processing accomplishes the desired tasks
Ensure output reports are protected from disclosure

From the close inspection view they include such things as:
Edit tests
Control totals/batch balancing
Reconciliation of accounts
Exception handling

Both automated controls and manual procedures should be used to ensure proper coverage. These controls help ensure data accuracy, completeness, validity, verifiability, and consistency, and thus ensure the confidentiality, integrity and availability of the application and its associated data.

So what is an application? As we've said before, it is a computer-based system which processes data for a specific business purpose. Let's give a few examples of some application systems:
General Ledger
Fixed Assets
Inventory Control
Sales
Manufacturing Resource Planning (MRP)
Distribution Requirements Planning (DRP), and no, that's not Disaster Recovery Plan
Human Resources
And, everyone's favorite, Payroll

Business applications have the same three basic risks as any other system which handles data, and they are confidentiality, integrity and availability.

Confidentiality from the point of view of a data breach or a release of data in violation of legal regulations such as the Federal Privacy Act or FERPA or HIPAA.

Integrity from the point of view that the data can be relied upon for accuracy, and availability from the point of view that the data is available when it is needed.

When we talk about input controls for applications we must look at:
Input Authorization
Batch Controls and Balancing
Error Reporting and Handling
Batch Integrity in Online or Database systems

Authorization of input is just that: the data has been properly authorized to be input into the application system. There are a number of different things to look for here, primarily things like signatures on batch forms; access controls; unique passwords; workstation identification and source documents. In batch controls and balancing we might look at total monetary amount; total items; total documents and hash totals. And specifically with batch balancing, when some of the input might be manual we want to make sure the manual totals are in agreement with the computer totals. In error reporting and handling, we want to look for controls that determine what happens to a batch that has an error: do we reject only the transaction; do we reject the whole batch; do we hold the batch in suspense pending correction or do we just process the batch and flag the error? Some of the input control techniques include things like a transaction log; reconciliation of data; documentation; error correction procedures; anticipating; transmittal log; and cancellation of source documents.

In processing controls we look at:
Data Validation and Editing Procedures
Processing Controls
Data File Control Procedures

For data validation, think SQL injection, and now you have a very clear picture of just one of the many data validation edits. Data validation is meant to identify data errors, incomplete or missing data and inconsistencies among related data items. Editing procedures are preventive controls designed to keep bad data out of your database. ISACA lists several Data Validation Edits and Controls; among them are:
Sequence check
Limit check
Range check
Validity check
Reasonableness check
Table lookups
Existence check
Key verification
Check digit
Completeness check
Duplicate check
Logical Relationship check

Processing controls are there to ensure that the incoming data is processed according to Hoyle. No, I'm not being facetious: as Hoyle established rules for playing cards and other games, so too do business process owners establish rules for how particular data is to be processed through the application. Some of these processing controls include run-to-run totals; limit checks; and reasonableness verification of calculated amounts.

In data file control procedures we look at such questions as, "Are you sure the master file was updated correctly?" To this you would respond, "We made a before-image copy of the database, then ran the update, and then made an after-image copy. We then compared the two images and yes, the update performed as expected." You will also run into the following other types of data file controls:
Parity checking
Transaction logs
Version Usage
File updating and maintenance authorization

In output controls, the biggest concern is: did the information distributed get to the appropriate recipient? So as an auditor you will need to ask the questions: Where was the sensitive report printed? Was distribution controlled? How long are the sensitive reports retained, and are they stored in a protected environment? And by that I mean, are they protected from disclosure? (That's another name for confidentiality.)

The online world of transactions and databases presents another and slightly different challenge for online applications. Since databases consist of many interrelated tables, the update is not to just a single table but to several tables. Think commit and rollback, think failure midstream, think "I need to recover". So how do we do that? We first write the transaction to a transaction log file and then we start updating all the different tables. Once all the tables are updated successfully (atomicity), we set a flag in the transaction log to say that particular transaction has been successfully applied. The question becomes how long to keep the transaction log file and where it should be backed up. These questions can best be answered by looking at the business impact analysis for the business process, finding the supporting applications and then finding the recovery point objective (RPO) and recovery time objective (RTO). For example, if you look at the RPO and find that the business process owner has indicated a zero tolerance for data loss, you can be assured that transaction logging will be taking place and that the transaction log will most probably be mirrored to a hot site. As an IT auditor it is your responsibility to determine whether the application controls in place satisfy the requirements of the RPO and RTO in the business impact analysis.

A few other areas of concern for application control are how changes to data are normally controlled. Normally they are made through the application; however, this needs to be checked. Application access control mechanisms and built-in application controls normally prevent unauthorized access to data. These controls can be circumvented by direct access to data. For this reason, direct access to data (specifically write, change and/or delete access) should be restricted and monitored.

So how do you test an application? There are a variety of techniques and my favorite is to write my own test data and then run it through the production system. But in order to accomplish this you will need to ensure the existence of an ITF (Integrated Test Facility). And let's not forget the SDLC in our discussion. When should you begin testing an application? As an auditor you will want to make sure that you begin your testing of the application as soon as individual units are finished, and you can call that pre-integration testing.

Applications are here to stay, some large (SAP, PeopleSoft) and some small (QuickBooks), but there will always be applications and there should always be auditors to check that the controls are in place to ensure CIA.

There are five different Online Auditing Techniques for online applications. They are:
Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
Snapshots
Audit hooks
Integrated Test Facility
Continuous and Intermittent Simulation

You would use SCARF/EAM when the complexity is very high and regular processing cannot be interrupted. An ITF would be used when the complexity is high and it is not beneficial to use test data. Snapshots give you an audit trail, like taking a lot of snapshots and placing them end to end to get a movie. CIS is for medium complexity when you have transactions meeting certain criteria which need to be examined, and audit hooks are for those low complexity tasks when you only need to look at selected transactions or processes.
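Run-to-run control totals, as described in the processing controls sections above (the bank balance carried forward, and the receivables ledger: opening balances plus sales invoices less cheques received), as an added Python example that is not from the source text: a receivables ledger records opening, movement and closing totals for each run, and reconcile() flags both a run that lost a record midstream and a balance altered between runs by direct access to the data. The ledger structure and the customer data are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class RunRecord:
    """Control totals recorded at the end of one processing run."""
    name: str
    opening: float    # control total carried forward from the previous run
    movement: float   # total of this run's input batch (signed)
    closing: float    # total of the account balances after posting

class ReceivablesLedger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.runs = []

    def total(self) -> float:
        return round(sum(self.balances.values()), 2)

    def post_run(self, name, items, sign, drop=None) -> RunRecord:
        """Post one batch of (customer, amount). `drop` is a constructed fault: that
        customer's record is silently lost mid-run, as a crash or a bug might cause."""
        opening = self.total()
        movement = round(sign * sum(amt for _, amt in items), 2)  # input total of the batch
        for cust, amt in items:
            if cust == drop:
                continue
            self.balances[cust] = round(self.balances.get(cust, 0.0) + sign * amt, 2)
        rec = RunRecord(name, opening, movement, self.total())
        self.runs.append(rec)
        return rec

def reconcile(runs) -> list:
    """Run-to-run control: each run's opening total must equal the previous run's
    closing total, and opening + input total must equal closing. Returns failures."""
    problems = []
    for i, r in enumerate(runs):
        if i and abs(r.opening - runs[i - 1].closing) > 0.005:
            problems.append(f"{r.name}: opening {r.opening} != previous closing {runs[i - 1].closing}")
        if abs(r.opening + r.movement - r.closing) > 0.005:
            problems.append(f"{r.name}: {r.opening} + {r.movement} != {r.closing}")
    return problems

# Constructed data: opening balances, run 1 posts sales invoices, run 2 posts cheques received.
OPENING = {"Acme": 500.00, "Bolt": 1250.00}
INVOICES = [("Acme", 300.00), ("Cass", 900.00)]
CHEQUES = [("Bolt", 1250.00), ("Acme", 500.00)]

def demo(drop_cheque=None):
    """Returns (closing control total, reconciliation failures) for the two runs."""
    ledger = ReceivablesLedger(OPENING)
    ledger.post_run("run 1 (sales invoices)", INVOICES, +1)
    ledger.post_run("run 2 (cheques received)", CHEQUES, -1, drop=drop_cheque)
    return ledger.total(), reconcile(ledger.runs)
```

`demo()` reconciles cleanly to a closing total of 1200.00, while `demo(drop_cheque="Acme")` closes at 1700.00 and reconcile() reports that run 2's opening plus its input total no longer equals its closing total.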

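The log-then-update-then-flag commit described above, as an added Python example not taken from the source text: a transaction is written to the log first, three interrelated tables are updated, and the applied flag is set last; a constructed midstream failure leaves the flag unset, and recover() replays only those unflagged transactions, with per-table idempotency so that tables already updated before the failure are not posted twice. The table names and the transactions are constructed.

```python
import json

class MidstreamFailure(Exception):
    """Constructed fault: raised after some, but not all, of the tables were updated."""

class OnlineApp:
    """Log-then-update-then-flag commit over several interrelated tables."""
    def __init__(self):
        self.tables = {"orders": {}, "stock": {}, "receivables": {}}   # rows keyed by customer
        self.log = []   # in-memory stand-in for the transaction log file
        # Ids each table has already posted; in a real system this is persisted with the
        # table itself, so that replay after a crash cannot post a transaction twice.
        self.applied = {name: set() for name in self.tables}

    def _update(self, table, txn):
        """Idempotent per-table update keyed by transaction id."""
        if txn["id"] in self.applied[table]:
            return
        rows = self.tables[table]
        rows[txn["customer"]] = round(rows.get(txn["customer"], 0) + txn[table], 2)
        self.applied[table].add(txn["id"])

    def commit(self, txn, fail_after=None):
        """1. write the log record, 2. update every table, 3. set the applied flag."""
        self.log.append(json.loads(json.dumps({"txn": txn, "applied": False})))  # as a file write
        for name in self.tables:
            self._update(name, txn)
            if name == fail_after:
                raise MidstreamFailure(name)
        self.log[-1]["applied"] = True      # only reached once all tables are updated

    def unapplied(self):
        return [e["txn"]["id"] for e in self.log if not e["applied"]]

    def recover(self):
        """Replay every logged transaction whose applied flag was never set."""
        replayed = []
        for entry in self.log:
            if not entry["applied"]:
                for name in self.tables:
                    self._update(name, entry["txn"])
                entry["applied"] = True
                replayed.append(entry["txn"]["id"])
        return replayed

# Constructed transactions: each touches all three tables.
T1 = {"id": "T1", "customer": "Acme", "orders": 1, "stock": -1, "receivables": 120.00}
T2 = {"id": "T2", "customer": "Bolt", "orders": 2, "stock": -2, "receivables": 240.00}

def demo():
    """Commit T1, fail T2 midstream, recover. Returns (pending ids, replayed ids, Bolt's receivables, app)."""
    app = OnlineApp()
    app.commit(T1)
    try:
        app.commit(T2, fail_after="stock")    # orders and stock updated, receivables not
    except MidstreamFailure:
        pass
    pending = app.unapplied()
    replayed = app.recover()
    return pending, replayed, app.tables["receivables"].get("Bolt"), app
```

After `demo()` the receivables row for Bolt holds 240.00 and the stock row holds -2, not -4: only the table the failure skipped was posted during recovery.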