
Application of Controls

The processing of transactions involves three stages:

 Input – capturing a mass of raw data
 Processing – converting the mass of raw data into useful information
 Output – preparing the information in a form useful to those who need to
use it.

To ensure that all relevant data are captured as input to the system, and to ensure that
the data are accurately processed during their conversion into meaningful financial
information, controls or other mechanisms must be incorporated.

Application controls are those policies and procedures that relate to specific use of a
system. These are designed to provide reasonable assurance that all transactions are
authorized, and that they are processed completely, accurately and in a timely manner.

1. Controls over input


A large number of errors in a computer system are caused by INACCURATE or
INCOMPLETE data entry. Input controls are designed to provide reasonable
assurance that data submitted for processing are COMPLETE, PROPERLY
AUTHORIZED, and ACCURATELY TRANSLATED into machine readable form.

Examples of input controls include:


o KEY VERIFICATION
This requires data to be entered twice (usually by different operators) to
provide assurance that no key entry errors have been committed.
o FIELD CHECK
This ensures that the input data agree with the required field format. For
example, all SSS numbers must contain ten digits. An input of an
employee’s SSS number with more or fewer than ten digits will be rejected
by the computer.
o VALIDITY CHECK
Information entered is compared with valid information in the master
file to determine the authenticity of the input. For example, the
employees’ master file may contain two valid codes to indicate the
employees’ gender: “1” for male and “2” for female. A code of “3” is
considered invalid and will be rejected by the computer.
o SELF-CHECKING DIGIT
This is a mathematically calculated digit, usually added to a
document number, that detects common transpositional errors in data
submitted for processing.
o LIMIT CHECK
Also called a reasonableness check, this is designed to ensure that data
submitted for processing do not exceed a pre-determined limit or a
reasonable amount.
o CONTROL TOTALS
These are totals computed based on the data submitted for processing.
Control totals ensure the completeness of data before and after they are
processed. These controls include financial totals, hash totals, and record
counts.

2. Controls over processing


Processing controls are designed to provide reasonable assurance that input
data are PROCESSED ACCURATELY, and that DATA ARE NOT LOST, ADDED,
EXCLUDED, DUPLICATED or IMPROPERLY CHANGED. Almost all of the input
controls mentioned earlier are also part of the processing controls,
because such controls are usually incorporated in the client’s computer program
to detect errors in the processing of transactions.

3. Controls over output


Output controls are designed to provide reasonable assurance that the results of
processing are COMPLETE and ACCURATE and that these outputs are DISTRIBUTED
ONLY TO AUTHORIZED PERSONNEL.

A person who knows what an output should look like must:

o Review the CIS output for reasonableness.
o Compare control totals with those computed prior to processing to
ensure completeness of information.
o Restrict CIS output to the authorized employees who will be using
such outputs.
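The input controls listed under "Controls over input" (field check, validity check, self-checking digit, limit check, control totals) and the control-total comparison just described are shown together below in a worked Python example. It is an added illustration, not code from these notes: the payroll record layout, the sample batch, the 80-hour limit and the batch-header totals are constructed, and the weighted mod-11 check digit is one common self-checking-digit scheme assumed here because the notes name no particular algorithm.

```python
"""Input controls and control-total reconciliation over a constructed payroll batch.

Added illustration, not code from the source notes. The record layout, the
ten-digit SSS number, the gender codes "1"/"2" and the 80-hour limit are
constructed to match the examples in the notes; the weighted mod-11 check
digit is an assumed scheme (the notes name no particular algorithm).
"""
from dataclasses import dataclass
from decimal import Decimal

VALID_GENDER_CODES = {"1", "2"}      # master-file codes (from the notes' example)
HOURS_LIMIT = Decimal("80")          # reasonableness limit per pay period (assumed)


@dataclass
class PayrollRecord:
    doc_no: str      # document number with a trailing self-checking digit
    sss_no: str      # must be exactly ten digits (field check)
    gender: str      # checked against the master-file codes (validity check)
    hours: Decimal   # must not exceed HOURS_LIMIT (limit check)
    rate: Decimal


def mod11_check_digit(body: str) -> str:
    """Weighted mod-11 check digit, weights 2, 3, 4, ... from the rightmost digit.
    For document numbers of up to nine digits this catches every single-digit
    error and every adjacent transposition."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def check_digit_ok(doc_no: str) -> bool:
    body, given = doc_no[:-1], doc_no[-1]
    return body.isdigit() and given == mod11_check_digit(body)


def validate(rec: PayrollRecord) -> list:
    """Apply the input controls to one record; an empty list means accepted."""
    errors = []
    if not check_digit_ok(rec.doc_no):
        errors.append("CHECK_DIGIT")          # self-checking digit
    if not (rec.sss_no.isdigit() and len(rec.sss_no) == 10):
        errors.append("FIELD_SSS")            # field check
    if rec.gender not in VALID_GENDER_CODES:
        errors.append("VALIDITY_GENDER")      # validity check
    if rec.hours < 0 or rec.hours > HOURS_LIMIT:
        errors.append("LIMIT_HOURS")          # limit (reasonableness) check
    return errors


def control_totals(records) -> dict:
    """Record count, financial total (hours x rate) and hash total: the sum of
    the SSS numbers, a meaningless figure whose only purpose is to reveal
    lost, added or altered records."""
    return {
        "record_count": len(records),
        "financial_total": sum((r.hours * r.rate for r in records), Decimal(0)),
        "hash_total": sum(int(r.sss_no) for r in records if r.sss_no.isdigit()),
    }


def process_batch(records, batch_header: dict) -> dict:
    """Validate every record, then reconcile: the totals the submitting
    department wrote on the batch header must equal accepted + rejected,
    otherwise records were lost, added or duplicated on the way."""
    results = {r.doc_no: validate(r) for r in records}
    accepted = [r for r in records if not results[r.doc_no]]
    rejected = [r for r in records if results[r.doc_no]]
    after, exceptions = control_totals(accepted), control_totals(rejected)
    reconciled = all(batch_header[k] == after[k] + exceptions[k] for k in batch_header)
    return {
        "accepted": [r.doc_no for r in accepted],
        "rejected": {r.doc_no: results[r.doc_no] for r in rejected},
        "totals_after": after,
        "reconciled": reconciled,
    }


# Constructed batch: one clean record and four that each violate one control.
BATCH = [
    PayrollRecord("102342", "3412345678", "1", Decimal("40"), Decimal("150")),
    PayrollRecord("102350", "341234567",  "2", Decimal("38"), Decimal("200")),  # 9 digits
    PayrollRecord("102369", "3498765432", "3", Decimal("45"), Decimal("180")),  # bad code
    PayrollRecord("102377", "3411111111", "1", Decimal("95"), Decimal("120")),  # > limit
    PayrollRecord("012342", "3422222222", "2", Decimal("20"), Decimal("100")),  # digits swapped
]
# Totals the submitting department wrote on the batch header (constructed).
BATCH_HEADER = {"record_count": 5, "financial_total": Decimal("35100"), "hash_total": 14085679010}

if __name__ == "__main__":
    result = process_batch(BATCH, BATCH_HEADER)
    print("accepted:", result["accepted"])
    for doc_no, errs in result["rejected"].items():
        print(f"rejected {doc_no}: {', '.join(errs)}")
    print("reconciled:", result["reconciled"])
```

Only the first record is accepted; each of the others is rejected with the name of the control it failed, and the reconciliation still balances because the rejected items are carried in the exception totals. Dropping a record from the batch without recording it as an exception makes the record count and hash total disagree with the header, which is exactly the loss or duplication the processing and output controls are meant to expose.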

Application Controls Versus IT General Controls

o It is important to understand the relationship and difference between
application controls and Information Technology General Controls (ITGCs).
o Otherwise, an application control review may not be scoped appropriately,
thereby impacting the quality of the audit and its coverage.
o ITGCs apply to all system components, processes, and data present in an
organization or systems environment.
o The objectives of these controls are to ensure the appropriate development
and implementation of applications, as well as the integrity of program and
data files and of computer operations.

Nature of Application Controls


o Cost effective and efficient means to manage risk
o Reliant on the effectiveness of the IT general control environment
o Approach varies for complex versus non-complex environments

Benefits of Application Controls

o Reliability
Reduces the likelihood of errors due to manual intervention

o Benchmarking
Reliance on IT general controls can lead to concluding that the application
controls are effective year to year without re-testing

o Time and cost savings
Typically, application controls take less time to test and only require
testing once as long as the IT general controls are effective

Unique Characteristics of Specific CIS


 STAND ALONE
A stand-alone system is one that is not connected to, or does not communicate
with, another computer system. This type of computer setup requires installing
applications on individual machines and installing software that runs on the
server. Computing is done by one individual at a time. All input data and their
processing take place on the machine itself. Many small businesses rely on
personal computers for all their accounting functions. Any tasks or data
associated with that computer stay inside it and are not accessible from
anywhere else. Any peripherals, such as printers, must be directly connected to
it in order to work.

ADVANTAGES
o Allows management to monitor websites accessed and documents scanned
or printed by individual users.
o None of the bandwidth problems experienced in a networked arrangement.
o Data may be saved on the hard drive or may be stored on an external hard
disk or flash drive.
o One advantage of a standalone computer is damage control. For example, if
something goes wrong, only the standalone will be affected.
o Simplicity is another advantage, because it takes a lot less expertise to
manage one computer than it does to set up or troubleshoot several.
Standalone computers can also be more convenient. For example,
printing on a network may require you to walk some distance from the
computer to the printer. Conversely, any peripherals on a standalone
have to be within arm's reach. Finally, a standalone does not affect other
computer users. With a network, one user may waste bandwidth by
watching movies or listening to music. In turn, everyone else using the
network may see slower computer performance.

DISADVANTAGES
o A lot of time is required to load applications on individual machines. The same
software cannot be installed simultaneously. While a network allows
everything to be changed at once, a standalone requires that any new
programs be set up one by one, which is much more time-consuming.
o Users are restricted to a single computer. The shortcomings of standalone
computers may be overcome by a workstation, that is, a networked
computer. Networking allows users to share information with others
within the network. Users can share e-mail, instant messaging, data files, and
devices such as printers.

 ON-LINE
On-line processing refers to the processing of individual transactions as they occur
at their point of origin, as opposed to accumulating them into batches. This is
made possible by direct access devices such as magnetic disks and a number of terminals
connected to and controlled by central processors. In this way, various
departments in a company can be connected to the processor by cable. Apart
from transaction processing and file updating, inquiries are also handled by the
on-line processing system. On-line processing ensures that the records are in an
updated status at any time, which is not so with batch processing, but the
fact remains that on-line processing is costly.

o On-line real time processing

The term “Real Time” refers to the technique of updating files with
transaction data immediately after the occurrence of the event.

 On-line system - Real time systems are basically on-line systems with
one specialty: enquiry processing.
 Response - The response to the enquiry itself is used to control the
activity. The response of a real time system is a type of feedback
control system. The response time would naturally differ from one
activity to another. Real time systems usually operate in multi-programming
and multi-processing mode. This increases both the availability
and reliability of the system.
 ‘Program Interrupts’ - CPUs in real time systems should possess the
capability of ‘Program Interrupts’. These are temporary halts in the
execution of a program so that a more urgent message can
be handled on priority.
 DATABASE SYSTEM
A database is an organized collection of data that is stored and accessed electronically. The
database system enables data synchronization by maintaining one copy of
important records in an organized file system (i.e. the database) which is
shared by various users without the necessity of each maintaining a copy of the file for
themselves. This type of system eliminates data redundancy. Current systems
entrust responsibility for database maintenance and control to a database
administrator.

Auditing in CIS environment


 The auditor needs to consider how the CIS environment affects the audit. The overall
audit objective and scope do not change, but the use of CIS has changed the
processing, storage and communication of financial information and may also affect
the internal control of an entity.
 Consideration of internal controls - Procedures for obtaining an understanding of
accounting and internal control, i.e. auditing around the computer. (The auditor’s
consideration of internal control, which will include an assessment of IT as well as
manual controls)
 Performing tests of control and substantive tests - i.e. auditing through the computer.
(Procedures to be performed in considering internal IT controls; nature, timing
and extent of substantive tests.)
 CIS may affect the audit process in the following areas:
o Skill and Competence
The auditor should have sufficient knowledge of CIS to plan, direct,
supervise and review the work performed. The auditor needs to:
- Obtain sufficient understanding of the accounting and
internal control affected by the CIS environment
- Determine the effect of CIS on the procedures used to assess
audit risk
- Be able to design and perform appropriate tests of control and
substantive tests
- If required, seek the assistance of an expert.
Internal auditors need to apply the care and skill of a reasonably prudent
and competent auditor, as well as have the necessary knowledge of key
IT risks, controls, and audit techniques to perform their assigned work,
although not all internal auditors are expected to have the expertise of
an auditor whose primary responsibility is IT.
o Risk assessment, i.e. assessment of inherent risk and control risk
An auditor is required to identify and assess risks of material
misstatement through an understanding of the entity and its
environment. The understanding should incorporate the components
of internal control, which include the information system.

In relation to this, an auditor is required to obtain an understanding of the
information system, including the related business processes, relevant
to financial reporting, including the following areas:

 Classes of transactions – in the entity’s operations that are
significant to the financial statements.
 Procedures – within both information technology and manual
systems, by which those transactions are initiated, recorded,
processed, corrected as necessary, transferred to the general
ledger and reported in the financial statements.
 Related accounting records, supporting information and specific
accounts – in the financial statements that are used to initiate,
record, process and report transactions; this includes the
correction of incorrect information and how information is
transferred to the general ledger. The records may be in either
manual or electronic form.
 How the information system captures – events and conditions,
other than transactions, that are significant to the financial
statements.
 Financial reporting process – used to prepare the entity’s financial
statements, including significant accounting estimates and
disclosures.
 Controls surrounding journal entries – including non-standard
journal entries used to record non-recurring, unusual transaction
or adjustments.

The nature of the risk in a CIS environment includes:

 Lack of transaction trail. The audit trail may be available only for a short
period or may not be in computer readable form. If the
transactions are too complex or high in volume, errors may be embedded
in the application’s program logic and difficult to detect on a timely
basis.
 Lack of segregation of duties. Many control procedures that are
performed by separate individuals in manual systems may not be in
CIS.
 Potential for errors and irregularities. The potential for human error,
and for failing to detect the error, may be greater in CIS. Also, the
potential for unauthorized access to data without visible evidence
may be greater in CIS than in a manual system. Furthermore, decreased
human involvement in handling transactions in CIS can reduce
“check and balance” activities, which may cause errors to go
undetected.
 Initiation or execution of transactions. CIS may have the capability to
execute transactions automatically, for example the calculation of
depreciation. The authorization for such a transaction is not available.
 Lack of visible output. Certain transactions or results may not be
printed. Thus, the lack of visible output may result in the need to
access data retained on files readable only by computer.
 Ease of access to data and computer programs. Data and computer
programs can be accessed and altered at the computer or from a
remote location. Therefore, the auditor should review the appropriate
control measures to prevent unauthorized access to and alteration
of the data.

What can go wrong?

Availability, security, integrity, confidentiality, effectiveness and
efficiency

Type of risks
– Pervasive: impact the enterprise as a whole
– Specific risks

The traditional risk assessment process may not be suitable for IT risk
assessment

The IT risk assessment process should
– Be performed in depth every year, not just as an update of the prior
year.
– Consider all the layers of the IT environment.
– Consider both static and dynamic risks.
– Not be based strictly on interviews, but use other discovery
techniques.
– Be supplemented with the appropriate level of analysis after
discovery.
– Be performed by the appropriate personnel.
o Planning
 After completing the risk evaluation and determining the scope of
the review, auditors need to focus on the development and
communication of the detailed review plan. The first step in
developing the detailed review plan is to create a planning
memorandum that lists the following application control review
components:
- All review procedures to be performed.
- Any computer-assisted tools, techniques used & how they
are used.
- Sample sizes, if applicable.
- Review items to be selected.
- Timing of the review.
 When preparing the memorandum, all of the required internal
audit resources need to be included on the planning team. This is
also the time when IT specialists need to be identified and included
as part of the planning process.
 After completing the planning memorandum, the auditor needs to
prepare a detailed review program. When preparing the review
program, a meeting should be held with management to discuss:
- Management’s concerns regarding risks.
- Previously reported issues.
- Internal auditing’s risk and control assessment.
- A summary of the review’s methodology.
- The review’s scope.
- How concerns will be communicated.

 In planning, the auditor should obtain an understanding of the significance
and complexity of CIS activities and the availability of data for use in
the audit. The understanding includes:
- The volume of transactions, which may make it
difficult for users to identify and correct errors.
- Whether the computer automatically generates transactions
directly from/to another application. Example: inventory
information generated automatically from the
production department.
- Whether the computer performs complicated computations
of financial information.
- Whether transactions are exchanged electronically with other
organizations.
- The organization structure of the entity may also change.
For example: an IT department as part of the structure
and responsible for control of the application of CIS as a
whole.
- The availability of data such as source documents,
computer data files and other evidential matter that
may be required by the auditor.

o Audit procedures
The auditor’s specific objectives do not change whether the accounting
data is processed manually or by computer. However, the method of
applying audit procedures to gather evidence may differ. The auditor may
perform audit procedures manually, use CAATs, or use a combination of both.

 Auditing around the computer
The auditor does not examine the computer processing but performs
procedures to obtain an understanding of accounting and internal
control:
- Emphasis on ensuring the completeness, accuracy and validity
of information by comparing the output reports with the input
documents
- To ensure the effectiveness of input controls and output
controls
- To ensure the adequacy of segregation of duties

 Auditing through the computer
The auditor performs tests of control and substantive tests. For
example, "test data" enable the auditor to examine the computer
processing and the internal control of the client’s CIS.

The auditor may use CAATs in these procedures. CAATs help the auditor in
organizing, analyzing and extracting computerized data and in
re-performing computations and other processing.
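The "test data" technique for auditing through the computer, as a worked Python example added here (not code from these notes). `client_gross_pay` is a hypothetical stand-in for the client's payroll program, with a limit check on hours and time-and-a-half over 40 hours; the test deck, the expected results and the `reject_negative` switch that simulates a defective version of the program are all constructed for the illustration.

```python
"""Test-data approach for auditing through the computer.

Added illustration, not code from the source notes. `client_gross_pay` stands
in for the client's program (hypothetical rules: hours outside 0..80 are
rejected, hours over 40 are paid at 1.5x). The auditor's test deck pairs each
constructed transaction with the outcome the client's controls should produce.
"""
from decimal import Decimal

HOURS_LIMIT = Decimal("80")      # client's reasonableness limit (assumed)
OVERTIME_FROM = Decimal("40")    # hours above this are paid at 1.5x (assumed)


def client_gross_pay(hours: str, rate: str, reject_negative: bool = True) -> tuple:
    """Hypothetical client program. `reject_negative=False` simulates a build in
    which the lower bound of the limit check was left out."""
    h, r = Decimal(hours), Decimal(rate)
    if h > HOURS_LIMIT or (reject_negative and h < 0):
        return ("REJECTED", None)
    regular = min(h, OVERTIME_FROM)
    return ("ACCEPTED", regular * r + (h - regular) * r * Decimal("1.5"))


# Auditor's test deck (constructed): valid, boundary and invalid transactions,
# each with the status and gross pay the controls are supposed to produce.
TEST_DECK = [
    # case id,              hours, rate,  expected status, expected gross
    ("T01 normal week",     "40",  "100", "ACCEPTED", Decimal("4000")),
    ("T02 overtime",        "45",  "100", "ACCEPTED", Decimal("4750")),
    ("T03 at the limit",    "80",  "100", "ACCEPTED", Decimal("10000")),
    ("T04 one over limit",  "81",  "100", "REJECTED", None),
    ("T05 negative hours",  "-1",  "100", "REJECTED", None),
    ("T06 zero hours",      "0",   "100", "ACCEPTED", Decimal("0")),
]


def run_test_deck(program, deck=TEST_DECK) -> list:
    """Feed every test transaction to the program and list each deviation from
    the expected result. An empty list means the controls behaved as documented."""
    exceptions = []
    for case, hours, rate, want_status, want_gross in deck:
        status, gross = program(hours, rate)
        if (status, gross) != (want_status, want_gross):
            exceptions.append({"case": case,
                               "expected": (want_status, want_gross),
                               "actual": (status, gross)})
    return exceptions


if __name__ == "__main__":
    print("client program:", run_test_deck(client_gross_pay) or "no exceptions")
    # The same deck against the defective build catches the missing lower bound.
    defective = lambda h, r: client_gross_pay(h, r, reject_negative=False)
    for e in run_test_deck(defective):
        print(f"{e['case']}: expected {e['expected']}, got {e['actual']}")
```

The deck deliberately sits on both sides of every boundary the client's controls are supposed to enforce; against the defective build it produces exactly one exception, the negative-hours transaction that is accepted with a negative gross pay. In practice the test data are run against a copy of the client's program and files, or the test transactions are reversed afterwards, so that they never contaminate live records.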
