Lecture Notes On Application Controls


Application Controls

Defining Application Controls
- Application controls are those controls that pertain to the scope of individual processes or application systems.
- Application control is a security practice that blocks or restricts unauthorized applications from executing in ways that put data at risk.
- They include data edits, separation of business functions, balancing of processing totals, transaction logging, and error reporting.
- The main objective of application control is to help ensure the privacy and security of data used by and transmitted between applications.
Objectives of Application Controls

- Input data is accurate, complete, authorized, and correct.
- Data is processed in an acceptable time period.
- Data stored is accurate and complete.
- Outputs are accurate and complete.
- A record is maintained to track the process of data from input to storage and the eventual output.
Components of Application Controls

- Completeness checks – controls ensure records processing from initiation to completion.
- Validity checks – controls ensure only valid data is input or processed.
- Identification – controls ensure unique, irrefutable identification of all users.
- Authentication – controls provide an application system authentication mechanism.
- Authorization – controls ensure access to the application system by approved business users only.
- Forensic controls – controls ensure scientifically and mathematically correct data, based on inputs and outputs.
Components (continued)

- Application controls ensure proper coverage and the confidentiality, integrity, and availability of the application and its associated data.
- With the proper application controls, businesses and organizations greatly reduce the risks and threats associated with application usage, because applications are prevented from executing if they put the network or sensitive data at risk.
Application Controls vs. General Controls

- Application controls are those controls that pertain to the scope of individual processes or application systems (specific to a given application).
- General controls are controls that apply to all systems components, processes, and data present in an organization or systems environment.
Types of Application Controls

- Input Controls - check the integrity of data entered into a business application.
- Processing Controls - ensure processing is complete, accurate, and authorized.
- Output Controls - compare output results with expected results by checking the output against the input.
- Management Trail (Audit Trail) Controls - monitor the effectiveness of other controls and identify errors as close as possible to their sources.
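The four control types above, applied to one payment batch, as an added example that is not part of the lecture notes: the record layout, the header control totals, the approver list and all sample records are constructed for illustration.

```python
"""Added example, not from the lecture notes: a batch pipeline that applies the
four control types listed above. Record layout, control totals, approver list
and all sample records are constructed for illustration."""
from decimal import Decimal, InvalidOperation

# Constructed batch: the submitting department declares control totals in a
# header record; the processing controls later balance against them.
BATCH_HEADER = {"record_count": 3, "amount_total": Decimal("1230.00")}
BATCH_RECORDS = [
    {"id": "P001", "account": "12345678", "amount": "500.00", "approved_by": "mgr01"},
    {"id": "P002", "account": "87654321", "amount": "750.00", "approved_by": "mgr02"},
    {"id": "P003", "account": "1234ABCD", "amount": "-20.00", "approved_by": ""},
]
APPROVERS = {"mgr01", "mgr02"}  # constructed authorization list

def input_controls(rec):
    """Input controls: field-level data edits. Returns a list of error messages."""
    errors = []
    if not (rec["account"].isdigit() and len(rec["account"]) == 8):
        errors.append("account must be exactly 8 digits")
    try:
        if Decimal(rec["amount"]) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount is not numeric")
    if rec["approved_by"] not in APPROVERS:
        errors.append("approver is not an authorized user")
    return errors

def process_batch(header, records):
    """Runs input, processing, output and audit-trail controls over one batch.
    Returns (posted_records, error_report, audit_trail, in_balance)."""
    posted, error_report, audit_trail = [], [], []
    for rec in records:
        errors = input_controls(rec)
        if errors:  # error reporting: reject the record, do not post it
            error_report.append((rec["id"], errors))
            audit_trail.append(f"REJECT {rec['id']}: {'; '.join(errors)}")
            continue
        posted.append({"id": rec["id"], "amount": Decimal(rec["amount"])})
        audit_trail.append(f"POST {rec['id']} amount={rec['amount']}")
    # Processing/output controls: balance what was actually posted against the
    # header totals, so any dropped, rejected or altered record surfaces here.
    count_ok = len(posted) == header["record_count"]
    total_ok = sum(r["amount"] for r in posted) == header["amount_total"]
    audit_trail.append(f"BALANCE count_ok={count_ok} total_ok={total_ok}")
    return posted, error_report, audit_trail, count_ok and total_ok
```

With the constructed data, record P003 fails three data edits and the batch ends out of balance on both count and amount, which is exactly the signal the audit trail is meant to surface.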
Preventive, Detective, and Corrective Controls

- Preventive: keep undesirable events from occurring.
- Detective: should identify expected error types, as well as those that are not expected to occur.
- Corrective: cause or encourage a desirable event or corrective action to occur after an undesirable event has been detected.
Benefits of Relying on Application Controls

- Reliability
  - Once an application control is established, and there is little change to the application, database, or supporting technology, the organization can rely on the application control until a change occurs.
  - An application control will continue to operate more effectively if the general controls that have a direct impact on its programmatic nature are operating effectively as well. As a result, the auditor will be able to test the control once and not multiple times during the testing period.
Benefits of Relying on Application Controls

- Benchmarking
  - If general controls that are used to monitor program changes, access to programs, and computer operations are effective and continue to be tested on a regular basis, the auditor can conclude that the application control is effective without having to repeat the previous year’s control test.
  - The auditor should evaluate the appropriate use of benchmarking of an automated control by considering how frequently the application changes. (If the application changes frequently, the auditor should not rely on benchmarking.)
Benefits of Relying on Application Controls

- Time and Cost Saving
  - Application controls generally take less time to test than general controls.
  - Application controls are typically tested one time as long as the general controls are effective.
Features of Application Controls

- Automatically identify trusted software that has authorization to run.
- Prevent all other, unauthorized applications from executing – they may be malicious, untrusted, or simply unwanted.
- Eliminate unknown and unwanted applications in your network to reduce IT complexity and application risk.
- Reduce the risks and costs associated with malware.
- Improve your overall network stability.
- Protect against exploits of unpatched OS and third-party application vulnerabilities.
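The first two features above (identify trusted software, block everything else) in miniature, as an added example that is not part of the lecture notes or of any product: the file paths, binary contents and launch events are constructed, and a real agent would take the image from the process-creation event rather than from a dictionary.

```python
"""Added example, not from the lecture notes: a default-deny, hash-based
allowlist illustrating "identify trusted software, block everything else".
Paths, binary contents and launch events are constructed for illustration."""
import hashlib

# Constructed inventory of trusted software: path -> bytes of the approved build.
TRUSTED_BUILDS = {
    "C:/Program Files/Payroll/payroll.exe": b"payroll-4.2-approved-build",
    "C:/Program Files/Reports/report.exe": b"report-1.0-approved-build",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# The allowlist keys on content hash, not on file name, so renaming an
# unapproved binary to a trusted name does not make it trusted.
ALLOWLIST = {sha256_hex(content): path for path, content in TRUSTED_BUILDS.items()}

def decide(path, image):
    """Default-deny decision for one launch attempt.
    Returns (verdict, audit_line); verdict is 'ALLOW' or 'BLOCK'."""
    digest = sha256_hex(image)
    trusted_as = ALLOWLIST.get(digest)
    if trusted_as is not None:
        return "ALLOW", f"ALLOW path={path} matches={trusted_as} sha256={digest[:16]}"
    return "BLOCK", f"BLOCK path={path} sha256={digest[:16]} reason=not-in-allowlist"

def enforce(launch_events):
    """Applies decide() to (path, image) events and returns the audit trail."""
    return [decide(path, image)[1] for path, image in launch_events]

# Constructed launch events: the approved build in place, the same approved
# build copied elsewhere, a modified build keeping the trusted file name, and
# an unknown program. Only content that matches an approved hash is allowed.
LAUNCH_EVENTS = [
    ("C:/Program Files/Payroll/payroll.exe", b"payroll-4.2-approved-build"),
    ("C:/Users/alice/Downloads/payroll.exe", b"payroll-4.2-approved-build"),
    ("C:/Program Files/Payroll/payroll.exe", b"payroll-4.2-approved-build-modified"),
    ("C:/Users/alice/Downloads/game.exe", b"unknown-program"),
]
```

Because the decision keys on the hash alone, a copied approved build is allowed wherever it sits while a tampered build under the trusted name is blocked; products that also want to pin location add a path or publisher condition on top.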
Data Environment with Application Control

- Application control gives companies and organizations knowledge about key areas regarding applications, web traffic, threats, and data patterns.
- Users can also benefit from application control by gaining a better understanding of applications or threats, applications’ key features and behavioral characteristics, details on who uses an application, and details on those affected by a threat.
- Organizations also gain knowledge about traffic source and destination, security rules, and zones to get a complete picture of application usage patterns, which in turn allows them to make more informed decisions on how to secure applications and identify risky behavior.
Risk Assessment

- The auditor should use risk assessment techniques to identify critical vulnerabilities pertaining to the organization’s reporting, operational and compliance requirements when developing the risk assessment review plan. The plan should address:
  - The review’s nature, timing, and extent.
  - The critical business functions supported by application controls.
  - The extent of time and resources to be expended on the review.
Risk Assessment Approach

- Identify applications, databases, and supporting technology that use application controls.
- Define the risk factors associated with each application control.
- Weigh all risks to determine rankings by importance.
- Evaluate risk assessment results.
- Create the review plan based on the risk assessment and ranked risk areas.
Scoping of Application Controls

- Following are two methods for determining the review scope of application controls.
- Business Process Method: The business process scoping method is a top-down review approach used to evaluate the application controls present in all the systems that support a particular business process.
- Single Application Method: The single application scoping method is used when the auditor wants to review the application controls within a single application or module, as opposed to taking a business process scoping approach.
Scoping of Application Controls

- Business Process Method
  - Top-down review approach used to evaluate the application controls present in all the systems that support a particular business process.
- Single Application Method
  - Used to review the application controls within a single application.
Business Process Method
Testing Application Controls

- Are application controls working?
  - Substantive testing
  - Information technology general controls review
- Ways to test:
  - Inspection of system configurations
  - Inspection or re-performance of reconciliations with supporting details
  - Re-performance of the control activity using system data
  - Inspection of user access listings
  - Re-performance of the control activity in a test environment