Module 8 - Systems Development Controls and Application Controls

The document outlines the essential controls and procedures for systems development and application controls, emphasizing the importance of thorough testing, user involvement, and proper authorization. It details various types of controls, including input, processing, and output controls, as well as the role of internal audits and the management of source program libraries. Additionally, it highlights the need for maintaining security and accuracy throughout the systems development lifecycle and the importance of protecting sensitive information.
Systems Development Controls and Application Controls

01 Systems Development Controls
• Controlling systems development activities
• Controlling program changes

02 Application Controls
• Input controls
• Processing controls
• Output controls

CONTROLLING SYSTEMS DEVELOPMENT ACTIVITIES

Systems Authorization Activities
• All systems should be properly authorized.
• Users must submit requests to systems professionals in written form.

User Specification Activities
• Users need to be actively involved in the systems development process.
• User specification document - a detailed written description of the user's needs which describes the user's view of the problem. It is a joint effort of users and systems professionals.

Technical Design Activities
• Translate user specifications into a set of detailed technical specifications for a system that meets the user's needs.
• The scope of these activities includes systems analysis, feasibility analysis, and detailed systems design.
• The adequacy of these activities is measured by the quality of the documentation.

Internal Audit Participation
• The internal auditor can play an important role in the control of systems development activities.
• The internal auditor can serve as a liaison between users and the systems professionals to ensure an effective transfer of knowledge.

Program Testing
• All program modules must be thoroughly tested before they are implemented.
• A program testing procedure involves the creation of hypothetical master files and transaction files that the tested modules process.
• The results of the tests are then compared against predetermined results to identify programming and logic errors.

User Test and Acceptance Procedures
• Many consider this to be the most important control over systems development.
• It is the last point at which the user can determine the system's acceptability prior to it going into service.
• The test team should be composed of user personnel, systems professionals, and internal auditors.
• The details of the tests performed and their results need to be formally documented and analyzed.

Audit Objectives Relating to Systems Development

The auditor's objectives are to ensure that:
1) Systems development activities are applied consistently and in accordance with management's policies to all systems development projects.
2) The system as originally implemented was free from material errors and fraud.
3) The system was judged necessary and justified at various checkpoints throughout the SDLC.
4) System documentation is sufficiently accurate and complete to facilitate audit and maintenance activities.
Audit Procedures Relating to Systems Development

The auditor should select a sample of completed projects and review the documentation for evidence of compliance with stated systems development policies.

Specific points for review should include determining that:
• User and computer services management properly authorized the project.
• A preliminary feasibility study showed that the project had merit.
• A detailed analysis of user needs was conducted that resulted in alternative conceptual designs.
• A cost-benefit analysis was conducted using reasonably accurate figures.
• The detailed design was an appropriate and accurate solution to the user's problem.
• Test results show that the system was thoroughly tested.
• There is a checklist of specific problems detected during the conversion period, along with evidence that they were corrected in the maintenance phase.
• Systems documentation complies with organizational requirements and standards.

CONTROLLING PROGRAM CHANGE ACTIVITIES

Source program library controls

In larger computer systems, application program modules are stored in source code form on magnetic disks called the source program library (SPL).

Executing a production application requires that the source code be compiled and linked to a load module that the computer can process. As a practical matter, programs in their compiled state are secure and free from the threat of unauthorized modification.

Protecting the source code on the SPL is central to protecting the production application.

A controlled SPL environment

Controlling the SPL requires SPL management system (SPLMS) software.

The SPLMS controls four critical functions:
(1) Storing programs on the SPL
(2) Retrieving programs for maintenance purposes
(3) Deleting obsolete programs from the library
(4) Documenting program changes to provide an audit trail of the changes.
A CONTROLLED SPL ENVIRONMENT

Password Control
Every financially significant program stored in the SPL can be assigned a separate password.

Separation of Test Libraries
Under this concept, a strict separation is maintained between the production programs that are subject to maintenance in the SPL and those being developed.
Direct access to the production SPL is limited to a specific librarian group that must approve all requests to modify, delete, and copy programs.

Audit Trail and Management Reports
An important feature of SPL management software is the creation of reports that enhance management control and support the audit function.

Program Version Numbers
The SPLMS assigns a version number automatically to each program stored on the SPL.
When programs are first placed in the libraries, they are assigned version number zero. With each modification to the program, the version number is increased by one.
Ex. 4 – major, 2 – minor, 1 – patch

Controlling Access to Maintenance Commands
Powerful maintenance commands are available for most library systems that can be used to alter or eliminate program passwords, alter the program version number, and temporarily modify a program without generating a record of the modification.
Access to the maintenance commands themselves should be password controlled, and management or an IT security group should control the authority to use them.

Audit Objectives Relating to Systems Maintenance
The auditor's objectives are to determine that:
1) Maintenance procedures protect applications from unauthorized changes
2) Applications are free from material errors
3) Program libraries are protected from unauthorized access

Audit Procedures for Identifying Unauthorized Program Changes
• Reconcile program version numbers
• Confirm maintenance authorization

Audit Procedures for Identifying Application Errors
• Reconcile the source code
• Review the test results
• Retest the program

Application Controls

Application controls are associated with specific applications (SAP B1, Oracle ERP, QuickBooks, etc.).

These fall into three broad categories:
1. Input controls
2. Processing controls
3. Output controls
INPUT CONTROLS

Input controls are programmed procedures (routines) that perform tests on transaction data to ensure that they are free from errors.

Input controls in real-time systems are placed at the data collection stage to monitor data as they are entered from terminals.

In batch systems, input control tests are performed as a separate procedure (or run) prior to the master file update process.

Check digit

A control digit is added to the code to detect data coding errors.

Two common classes of data input errors:
a. transcription errors
b. transposition errors.

Data Input Errors

1) Transcription errors

Illustration: CUSTOMER ACCT NO.: 12345
123455   Addition error
1234     Truncation error
12845    Substitution error

2) Transposition errors

Illustration: CUSTOMER ACCT NO.: 12345
12435    Single transposition
14325    Multiple transposition

Check Digit

Using Modulus 11:
1) Assign weights
2) Sum the products
3) Divide by the modulus
4) Subtract the remainder from the modulus to obtain the check digit
5) Add the check digit to the original code to yield the new code.

Illustration: CUSTOMER ACCT NO: 5372
Step 1: Weights: 5, 4, 3, 2
Step 2: 5 x 5 = 25
        3 x 4 = 12
        7 x 3 = 21
        2 x 2 = 4
        Sum = 62
Step 3: 62 / 11 = 5 remainder 7
Step 4: 11 - 7 = 4
Step 5: CUSTOMER ACCT NO: 53724

Example: Sales clerk entered 53274 instead of 53724.
Computer will reconcile the check digit.
5 x 5 = 25
3 x 4 = 12
2 x 3 = 6
7 x 2 = 14
Sum = 57
57 / 11 = 5 remainder 2
11 - 2 = 9
Conclusion: 9 should be the check digit of 53274 and not 4. The system will detect the encoding error.

INPUT CONTROLS
• Missing data check
• Numeric – alphabetic check
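The modulus-11 procedure above can be carried out for any code length by the following added example, which is not part of the module. It applies the five steps, verifies keyed-in codes the way the computer does in the 53274 example, and runs the transcription and transposition errors from the 12345 illustration through the same check (on that code's check-digit form, 123455). Two things are assumptions of this example rather than statements on the page: the weights continue the 5, 4, 3, 2 pattern downward from (length + 1) for longer codes, and a remainder of 1 (which would need check digit 10) makes a code unusable, so `check_digit` returns None for it, while a remainder of 0 is recorded as 0.

```python
# Added example: modulus-11 check digit, as in the five steps above.
# The weight pattern for longer codes and the handling of remainders 0 and 1 are assumptions.
from typing import Optional

MODULUS = 11


def weights_for(length: int) -> list:
    """Step 1: weights (length + 1) down to 2, e.g. 5, 4, 3, 2 for a 4-digit code (assumed pattern)."""
    return list(range(length + 1, 1, -1))


def check_digit(code: str) -> Optional[int]:
    """Steps 1-4: weight each digit, sum the products, divide by 11, subtract the remainder from 11."""
    if not code.isdigit():
        raise ValueError("code must be numeric")
    digits = [int(c) for c in code]
    total = sum(d * w for d, w in zip(digits, weights_for(len(digits))))   # step 2
    remainder = total % MODULUS                                            # step 3
    if remainder == 0:
        return 0            # assumption: 11 - 0 = 11 is recorded as 0
    if remainder == 1:
        return None         # assumption: 11 - 1 = 10 does not fit in one digit; code rejected
    return MODULUS - remainder                                             # step 4


def with_check_digit(code: str) -> Optional[str]:
    """Step 5: append the check digit to the original code."""
    digit = check_digit(code)
    return None if digit is None else f"{code}{digit}"


def is_valid(keyed: str) -> bool:
    """What the computer does on entry: recompute the check digit of the body
    of the code and compare it with the last digit the clerk keyed."""
    if not keyed.isdigit() or len(keyed) < 2:
        return False
    return check_digit(keyed[:-1]) == int(keyed[-1])


# Constructed error entries for the page's 12345 illustration, carried on its
# check-digit form 123455 (12345 plus check digit 5).
ERROR_ENTRIES = {
    "addition": "1234555",
    "truncation": "12345",
    "substitution": "128455",
    "single transposition": "124355",
    "multiple transposition": "143255",
}


def detected_errors() -> dict:
    """Map each error type to whether the check digit catches it."""
    return {kind: not is_valid(entry) for kind, entry in ERROR_ENTRIES.items()}


if __name__ == "__main__":
    print(with_check_digit("5372"))                 # 53724
    print(is_valid("53724"), is_valid("53274"))     # True False
    for kind, caught in detected_errors().items():
        print(f"{kind:<23} {'detected' if caught else 'NOT detected'}")
```

Every one of the page's five error types is caught on this input, but a check digit is a coding control, not a guarantee: it can only tell the system that the keyed code is not one that the scheme would have issued, which is why the other input controls listed below are still needed.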
• Limit check
• Range check
• Reasonableness check
• Validity check

PROCESSING CONTROLS

Batch Controls
• Batch number
• Batch date
• Transaction code
• Record count
• Batch control total
• Hash total

Run-to-run control
• Run-to-run control is the use of batch figures to monitor the batch as it moves from one programmed procedure (run) to another.
• At various points throughout processing and at the end of processing, the batch totals are recalculated and compared to the batch control record.
• This ensures that each run in the system processes the batch correctly and completely.
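The input controls listed above by name only (missing data check, numeric-alphabetic check, limit check, range check, reasonableness check, validity check) are applied in the following added example, not part of the module, in the conventional sense of each test and in the style of a batch edit run: each record is tested and the names of the tests it fails are returned, so rejected records can be reported before the master file update. The record layout, the credit limit, the quantity range and the table of valid transaction codes are assumptions of this example.

```python
# Added example: the six input controls listed above, applied to constructed sales-order records.
# Record layout and the thresholds and tables below are assumptions of this example.

VALID_TRANSACTION_CODES = {"SAL", "RET", "ADJ"}   # assumed code table for the validity check
CREDIT_LIMIT_CENTS = 1_000_000                    # assumed upper limit (10,000.00) for the limit check
QUANTITY_RANGE = (1, 500)                         # assumed lower and upper bounds for the range check
REQUIRED_FIELDS = ("account", "transaction_code", "quantity", "unit_price_cents", "total_cents")


def edit_record(record: dict) -> list:
    """Run the input tests on one record and return the names of the tests it fails."""
    failed = []

    # Missing data check: every required field present and not blank.
    if any(record.get(f) in (None, "") for f in REQUIRED_FIELDS):
        failed.append("missing data")
        return failed                      # the remaining tests need the fields to exist

    # Numeric-alphabetic check: account number is numeric, transaction code is alphabetic.
    if not (str(record["account"]).isdigit() and str(record["transaction_code"]).isalpha()):
        failed.append("numeric-alphabetic")

    # Validity check: the transaction code must appear in the table of valid codes.
    if record["transaction_code"] not in VALID_TRANSACTION_CODES:
        failed.append("validity")

    quantity, unit_price, total = record["quantity"], record["unit_price_cents"], record["total_cents"]

    # Range check: quantity must lie between a lower and an upper bound.
    low, high = QUANTITY_RANGE
    if not low <= quantity <= high:
        failed.append("range")

    # Limit check: the order total may not exceed the credit limit (upper bound only).
    if total > CREDIT_LIMIT_CENTS:
        failed.append("limit")

    # Reasonableness check: the total must agree with quantity x unit price.
    if total != quantity * unit_price:
        failed.append("reasonableness")

    return failed


def edit_run(records) -> tuple:
    """Batch edit run: separate accepted records from rejected ones (with their failed tests)."""
    accepted, rejected = [], []
    for rec in records:
        failures = edit_record(rec)
        if failures:
            rejected.append((rec["record_no"], failures))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample records (not real data); one clean record and three faulty ones.
SAMPLE_RECORDS = [
    {"record_no": 1, "account": "53724", "transaction_code": "SAL",
     "quantity": 3, "unit_price_cents": 1999, "total_cents": 5997},
    {"record_no": 2, "account": "", "transaction_code": "SAL",
     "quantity": 1, "unit_price_cents": 500, "total_cents": 500},
    {"record_no": 3, "account": "5372A", "transaction_code": "SAL",
     "quantity": 2, "unit_price_cents": 500, "total_cents": 1200},
    {"record_no": 4, "account": "61803", "transaction_code": "XFR",
     "quantity": 800, "unit_price_cents": 2500, "total_cents": 2_000_000},
]

if __name__ == "__main__":
    accepted, rejected = edit_run(SAMPLE_RECORDS)
    print("accepted:", [r["record_no"] for r in accepted])
    for record_no, failures in rejected:
        print(f"record {record_no} rejected: {', '.join(failures)}")
```

Note that the limit and reasonableness tests are independent: record 4 has a total that is consistent with its quantity and unit price yet is rejected because it exceeds the credit limit and its quantity is out of range.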

Audit Trail Controls


Transaction logs
Every transaction the system successfully processes should be recorded on a transaction log, which serves as a journal.

Log of automatic transactions
All internally generated transactions must be placed in a transaction log.

Transaction listings
The system should produce a (hard-copy) transaction listing of all successful transactions.
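The batch control record, the run-to-run recalculation and the transaction log described above can be seen working together in the following added example, which is not part of the module. A constructed batch of four sales transactions is carried through an edit run and a master file update run; after each run the record count, control total and hash total are recomputed and compared with the batch control record; every successfully processed transaction (and one internally generated one) is written to the transaction log, from which the transaction listing is produced. Holding amounts in cents, taking the hash total over the transaction number, and the `lose_in_update` switch that drops one record inside the update run to show what the control catches are all assumptions of this example.

```python
# Added example: batch control record, run-to-run control and transaction log.
# Field choices (amounts in cents, hash total over the transaction number) are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: int          # transaction number: non-financial field summed into the hash total
    account: str         # customer account number
    amount_cents: int    # sales amount: financial field summed into the control total


@dataclass(frozen=True)
class BatchControl:
    batch_number: int
    batch_date: str
    transaction_code: str
    record_count: int
    control_total: int
    hash_total: int


def build_control_record(batch_number, batch_date, transaction_code, txns) -> BatchControl:
    """Batch control record prepared when the batch is assembled, before any run."""
    return BatchControl(
        batch_number, batch_date, transaction_code,
        record_count=len(txns),
        control_total=sum(t.amount_cents for t in txns),
        hash_total=sum(t.txn_id for t in txns),
    )


def run_to_run_check(control: BatchControl, txns, run_name: str) -> list:
    """Recompute the batch figures after a run and compare them with the control record."""
    recomputed = build_control_record(control.batch_number, control.batch_date,
                                      control.transaction_code, txns)
    discrepancies = []
    for field in ("record_count", "control_total", "hash_total"):
        expected, actual = getattr(control, field), getattr(recomputed, field)
        if expected != actual:
            discrepancies.append(f"{run_name}: {field} expected {expected}, got {actual}")
    return discrepancies


def log_entry(run, control, txn, origin="batch") -> dict:
    """One journal line on the transaction log."""
    return {"run": run, "batch": control.batch_number, "txn_id": txn.txn_id,
            "account": txn.account, "amount_cents": txn.amount_cents, "origin": origin}


def process_batch(txns, control: BatchControl, lose_in_update=None):
    """Two runs with a run-to-run check after each. `lose_in_update` simulates a
    record dropped inside the update run (constructed failure, not a real mechanism).
    Returns (discrepancies, transaction_log)."""
    log, discrepancies = [], []

    # Run 1: edit run. Input tests are applied here (all sample records pass them).
    edited = [t for t in txns if t.account.isdigit() and t.amount_cents > 0]
    log.extend(log_entry("edit", control, t) for t in edited)
    discrepancies += run_to_run_check(control, edited, "edit run")

    # Run 2: master file update.
    updated = [t for t in edited if t.txn_id != lose_in_update]
    log.extend(log_entry("update", control, t) for t in updated)
    # An internally generated transaction (here a system-posted service charge) must be
    # logged as well, but it is not part of the batch figures.
    service_charge = Transaction(txn_id=9001, account="00000", amount_cents=250)
    log.append(log_entry("update", control, service_charge, origin="system"))
    discrepancies += run_to_run_check(control, updated, "update run")
    return discrepancies, log


def transaction_listing(log, run="update") -> list:
    """Listing of all transactions successfully processed by a run (hard-copy style)."""
    return [f"{e['batch']:>5} {e['txn_id']:>6} {e['account']:>7} {e['amount_cents'] / 100:>10.2f} {e['origin']}"
            for e in log if e["run"] == run]


# Constructed sample batch (not real data).
SAMPLE_BATCH = [
    Transaction(1001, "53724", 25_000),
    Transaction(1002, "61803", 9_995),
    Transaction(1003, "27182", 120_050),
    Transaction(1004, "31415", 4_500),
]
SAMPLE_CONTROL = build_control_record(7, "2024-01-15", "SALES", SAMPLE_BATCH)

if __name__ == "__main__":
    for line in transaction_listing(process_batch(SAMPLE_BATCH, SAMPLE_CONTROL)[1]):
        print(line)
    for problem in process_batch(SAMPLE_BATCH, SAMPLE_CONTROL, lose_in_update=1003)[0]:
        print(problem)
```

The three figures fail in different ways: a lost record is visible in the record count, a lost or altered amount in the control total, and a record replaced by another of the same amount only in the hash total, which is why all three are carried on the control record.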
OUTPUT CONTROLS

Output controls are a combination of programmed routines and other procedures to ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.

Controlling Hard-Copy Output

Output spooling
In large-scale data processing operations, output devices such as line printers can become backlogged with many programs simultaneously demanding limited resources.
Applications are often designed to direct their output to a magnetic disk file rather than print it directly. This is called spooling.

Print programs
When a printer becomes available, the print run program produces hard-copy output from the output file.
Print program controls should be designed to deal with two types of exposures present in this environment:
1) The production of unauthorized copies of output
2) Employee browsing of sensitive data.

WASTE
Computer output waste is a potential source of exposure. Aborted reports and the carbon copies from multipart paper need to be disposed of properly.
From trash, computer criminals may obtain information about a firm's market research, credit ratings of its customers, or trade secrets, which they can sell to a competitor.

Report distribution
The primary risks associated with the distribution of sensitive reports include their being lost, stolen, or misdirected in transit to the user.
The following control techniques can be used:
1) The reports may be placed in a secure mailbox to which only the user has the key.
2) The user may be required to appear in person at the distribution center and sign for the report.
3) A security officer or special courier may deliver the report to the user.

End-user controls
Once in the hands of the user, output reports should be examined for correctness.
Errors the user detects should be reported to the appropriate computer services management.
Once a report has served its purpose, it should be stored in a secure location until its retention period has expired and then it should be shredded.

Digital output controls
The primary output threat is the interception, disruption, destruction, or corruption of the output message as it passes across the communications network.
Controls against exposures from equipment failure: parity check, echo check.
Controls against exposures from subversive acts: encryption, digital envelope, digital signature, digital certificate.
