Section 3

APPENDIX 1: CHECKLIST FOR APPLICATION

CONTROLS
IS Auditor Review of Application Controls
Process/Application Name:
  Business Process Owner: Date of review:
Control Objective and Control Practices
Description Information Objective

Segregation of
Completeness

Authorisation

Duties
Accuracy

Validity
Ref
Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorised and qualified personnel
following established procedures, taking into account adequate segregation of duties
regarding the origination and approval of these documents. Check whether the source
document is a well-designed input form. Detect errors and irregularities so they can be
1 reported and corrected.
Whether the source documents is designed in a
way that they increase accuracy with which data
can be recorded, control the workflow and facilitate
subsequent reference checking?
[Where appropriate, include completeness controls
a in the design of the source documents.]          
Whether the procedures for preparing source data
entry, and ensure that they are effectively and
properly communicated to appropriate and
qualified personnel? [These procedures should
establish and communicate required authorisation
levels (input, editing, authorising, accepting and
rejecting source documents). The procedures
should also identify the acceptable source media
b for each type of transaction.]          
Whether the function responsible for data entry
maintains a list of authorised personnel, including
c their signatures?          

1
Module 6

Whether all source documents include standard

components and contain proper documentation
(e.g., timeliness, predetermined input codes,
default values) and are authorised by
d management?          
Whether application automatically assigns a
unique and sequential identifier (e.g., index, date
and time) to every transaction?
e          
Whether the document that are not properly
authorised or are incomplete to the submitting
originators for correction, and log the fact that they
have been returned is maintained?Whether review
of logs periodically done to verify that corrected
documents are returned by originators in a timely
fashion, and to enable pattern analysis and root
f cause review?          
Source Data Preparation and Authorisation
Establish that data input is performed in a timely manner by authorised and qualified staff.
Correction and resubmission of data that were erroneously input should be performed
without compromising original transaction authorisation levels. Where appropriate for
reconstruction, retain original source documents for the appropriate amount of time.
2
Whether criteria for timeliness, completeness and
accuracy of source documents have been
communicated?
Whether mechanisms are there to ensure that data
input is performed in accordance with the
a timeliness, accuracy and completeness criteria?          
Whether pre-numbered source documents for
critical transactions are used? Whether application
allows identification and listing of missing source
b documents?          
Whether definition for who can input, edit,
authorise, accept and reject transactions, and
override errors is there?
Whether the same is as per roles and
responsibilities of individual and record supporting
evidence to establish accountability is maintained?
c          
Whether procedures to correct errors, override
d errors and handle out-of-balance conditions, as          
2
 Section 3

well as to follow up, correct, approve and resubmit

source documents and transactions in timely
manner are defined?
Whether application system generates error
messages in a timely manner and as close to the
point of origin as possible?
Whether the transactions are processed without
errors being corrected or appropriately overridden
or bypassed? Whether the errors that cannot be
corrected immediately logged in an automated
suspense log?
Whether error logs are reviewed and acted upon
within a specified and reasonable period of time?
e          
Whether errors and out-of-balance reports are
reviewed by appropriate personnel, followed up
and corrected within a reasonable period of time,
and that, where necessary, incidents are raised for
more senior attention? Whether automated
monitoring tools are used to identify, monitor and
f manage errors?          
Whether all source documents are safe stored
(either by the business or by IT) for a sufficient
period of time in line with legal, regulatory or
g business requirements?          
Accuracy, Completeness and Authenticity ChecksEstablish that data input is performed in
a timely manner by authorised and qualified staff. Correction and resubmission of data that
were erroneously input should be performed without compromising original transaction
authorisation levels. Where appropriate for reconstruction, retain original source
3 documents for the appropriate amount of time.
Whether the transaction data are verified as close
to the data entry point as possible and interactively
during online
sessions?
Whether the transaction data, whether people-
generated, system generated or interfaced inputs,
are subject to a variety of controls to check for
accuracy, completeness and validity?
a          

3
Module 6

Whether controls to ensure accuracy,

completeness, validity and compliancy to
regulatory requirements of data input put in place?
Whether validation criteria and
parameters should be subject to periodic reviews
b and conformation?          
Whether access control and role and responsibility
mechanisms are established so that only
authorised persons input, modify and authorise
c data?          
Whether requirements for segregation of duties for
entry, modification and authorisation of transaction
data as well as for validation rules defined?
d          
Whether report of transactions failing validation
generated? Whether report all errors are
generated in a timely fashion?
e          
Whether transactions failing edit and validation
routines are subject to appropriate follow-up until
errors are remediated? Whether information on
processing failures is maintained to allow for root
cause analysis and help adjust procedures and
f automated controls?          
Processing Integrity and Validity
Maintain the integrity and validity of data throughout the processing cycle. Detection of
4 erroneous transactions does not disrupt the processing of valid transactions.
Whether mechanisms to authorise the initiation of
transaction processing and to enforce that only
appropriate and authorised applications and tools
a are used defined and put in place?          
Whether processing is completed and accurately
performed with automated controls?
[For example: Controls may include checking for
sequence and duplication errors,
transaction/record counts, referential integrity
checks, control and hash totals, range checks, and
b buffer overflow.]          

4
 Section 3

Whether transactions failing validation routines are

reported and posted to a suspense file? Whether
the errors are reported in timely fashion? Whether
the information on processing failures is kept to
allow for root cause analysis and help adjust
procedures and automated controls, to ensure
c early detection or to prevent errors?          
Whether the transactions failing validation routines
are subject to appropriate follow-up until errors are
remediated or the transaction is cancelled?
d          
Whether there is a unique and sequential identifier
e to every transaction (e.g., index, date and time)?          
Whether an audit trail of transactions processed.
Include date and time of input and user
identification for each online or batch transaction
maintained?
Whether there is a listing of sensitive transactions
and before and after images maintained, to check
f for accuracy and authorisation of changes made?          
Whether integrity of data during unexpected
interruptions in data processing with system and
database utilities, maintained? Whether controls
are in place to confirm data integrity after
processing failures or after use of system or
g database utilities to resolve operational problems?          
Whether any adjustments, overrides and high-
value transactions are reviewed promptly in detail
for appropriateness by a supervisor who does not
perform data entry?
h          
Whether reconciliation of file totals done? [For
example, a parallel control file that records
transaction counts
or monetary value as data should be processed
and then compared to master file data once
transactions are posted. Identify report and act
i upon out-of-balance conditions.]          
5 Output Review, Reconciliation and Error Handling
Establish procedures and associated responsibilities to ensure that output is handled in an
authorised manner, delivered to the appropriate recipient, and protected during
transmission; that verification, detection and correction of the accuracy of output occurs;

5
Module 6

and that information provided in the output is used.

Whether the handling and retaining output from IT
applications, follow defined procedures and
consider privacy and security requirements?
Whether procedures for communicating and follow-
a up defined for distribution of output?          
Whether physical inventory of all sensitive output,
such as negotiable instruments taken and
compared it with inventory records?
Whether there are procedures with audit trails to
account for all exceptions and rejections of
b sensitive output documents?          
Whether out-of-balance control totals exist and
exceptions reported to the appropriate level of
management?
c          
Whether procedure exists to check completeness
and accuracy of processing before other
operations are performed? Whether reuse of
electronic output subject to validation check before
d re-use?          
Whether procedures are defined to ensure that the
business owners review the final output for
reasonableness, accuracy and completeness?
Whether the output is handled in line with the
applicable confidentiality classification? Whether
the potential errors are logged in a timely manner?
e          
Whether for sensitive output, definition exists as to
who can receive it? Whether such output is
properly labelled for reorganisation?
f