Chapter 5, 6 & 7
Application Controls
Introduction
• An application is a computer-based system that processes data for a specific business purpose.
• Business applications have the same three basic risks:
  • Confidentiality,
  • Integrity, and
  • Availability
• Application controls fall into three categories:
  • Input controls:
    • Controls at the input stage are primarily preventative.
    • It is generally more cost-effective to prevent errors than to detect and correct them.
  • Process controls:
    • Primarily focused on detecting misstatements.
  • Output controls:
    • Primarily oriented toward correcting misstatements.

Chapter 5

Input Controls
• Input controls are designed to ensure that:
  • Transactions are properly authorized before being processed,
  • Transactions are accurately converted to machine-readable form and recorded,
  • Data files and transactions are not lost, added, duplicated, or improperly changed, and
  • Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
• Data input procedures can be either source document-triggered (batch) or direct input (real time).
• Source document input requires human involvement and is prone to clerical errors.
• Direct input employs real-time editing techniques to identify and correct errors immediately.
  • It can significantly reduce the number of errors that enter the
• Input controls can be divided into the following broad classes:
  • Source document controls
  • Data coding controls
  • Batch controls
  • Validation controls
  • Input error correction
  • Generalized data input systems

Source Document Controls
• Control must be exercised over physical source documents.
• An individual with access to purchase orders and receiving reports could fabricate a purchase transaction to a nonexistent supplier.
• To control against this type of exposure, control procedures must implement the following:
  • Use pre-numbered source documents
  • Use source documents in sequence

Data Coding Controls
• Coding controls are checks on the integrity of data codes used in processing.
  • A customer’s account number, an inventory item number, and a chart of accounts number are all examples of data codes.
• One method for detecting coding errors is a check digit.
  • It is a control digit added to the code

Batch Controls
• An effective method of managing high volumes of transaction data through a system.
• The objective is to reconcile output produced by the system with the input originally entered into the system.
• Batch controls provide assurance that:
  • All records in the batch are processed.
  • No records are processed more than once.

Validation Controls
• They are intended to detect errors in transaction data before the data are processed.
• Validation procedures are most effective when they are performed as close to the source of the transaction as possible.
• There are three levels of input validation controls:
  • Field interrogation (examination)
  • Record interrogation

Field Interrogation
• Programmed procedures that examine the characteristics of the data in the field.
• Some common types of field interrogation:
  • Missing data checks - examine the contents of a field for the presence of blank spaces.
  • Numeric-alphabetic data checks - determine whether the correct form of
  • Limit checks - determine if the value in the field exceeds an authorized limit.
  • Range checks - assign upper and lower limits to acceptable data values.
  • Validity checks - compare actual values in a field against known acceptable values.
  • Check digit - allows the integrity of the code to be established during subsequent processing.
    • Controls identify keystroke errors in

Record Interrogation
• Procedures validate the entire record by examining the interrelationship of its field values. Some typical tests are:
  • Reasonableness checks - determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.
  • Sign checks - test whether the sign of a field is correct for the type of record

File Interrogation
• Ensures that the correct file is being processed by the system.
• Particularly important for master files, which, if destroyed or corrupted, are difficult to replace.
  • Internal label checks - verify that the file processed is the one the program is actually calling for.
  • Version checks - verify that the version of the file being processed is correct.
  • Expiration date check - prevents a file
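
The field and record interrogation checks listed above, together with the check digit from Data Coding Controls, sketched as an added example that is not part of the original slides. The field names, limits, price band and the modulus-11 weighting are assumptions chosen for illustration.

```python
import re
# Added example: field names, limits and modulus-11 weights are assumptions.
VALID_TYPES = {"SALE", "RETURN"}      # validity check: known acceptable values
MAX_AMOUNT = 10_000.00                # limit check: authorized ceiling
QTY_MIN, QTY_MAX = 1, 500             # range check: lower and upper bounds
PRICE_MIN, PRICE_MAX = 0.50, 250.00   # reasonableness band for amount / qty
DIGITS = re.compile(r"[0-9]+")                      # numeric-only field
AMOUNT = re.compile(r"-?[0-9]+(\.[0-9]{1,2})?")     # signed decimal amount
SAMPLE = {"account": "53724", "type": "SALE", "qty": "10", "amount": "450.00"}  # constructed

def check_digit_ok(code):
    """Modulus-11: the last digit must equal 11 - (weighted sum mod 11)."""
    if not DIGITS.fullmatch(code) or len(code) < 2:
        return False
    body, given = code[:-1], int(code[-1])
    total = sum(int(d) * w for d, w in zip(body, range(len(body) + 1, 1, -1)))
    return (11 - total % 11) % 11 == given   # a result of 10 never matches a digit

def field_errors(rec):
    """Field interrogation: each field is examined on its own."""
    errs = [f"missing:{k}" for k in ("account", "type", "qty", "amount")
            if not rec.get(k, "").strip()]
    if errs:
        return errs
    if not check_digit_ok(rec["account"]):
        errs.append("check_digit:account")
    if rec["type"] not in VALID_TYPES:
        errs.append("validity:type")
    if not DIGITS.fullmatch(rec["qty"]):
        errs.append("numeric:qty")            # numeric-alphabetic check
    elif not QTY_MIN <= int(rec["qty"]) <= QTY_MAX:
        errs.append("range:qty")
    if not AMOUNT.fullmatch(rec["amount"]):
        errs.append("numeric:amount")
    elif abs(float(rec["amount"])) > MAX_AMOUNT:
        errs.append("limit:amount")
    return errs

def record_errors(rec):
    """Record interrogation, run only on records whose fields passed individually."""
    qty, amount = int(rec["qty"]), float(rec["amount"])
    # sign check: returns carry negative amounts, sales positive
    errs = ["sign:amount"] if (rec["type"] == "RETURN") != (amount < 0) else []
    if not PRICE_MIN <= abs(amount) / qty <= PRICE_MAX:
        errs.append("reasonableness:unit_price")
    return errs

def validate(rec):
    return field_errors(rec) or record_errors(rec)
```

A record with quantity 1 and amount 9000.00 passes both the limit and range checks yet fails the reasonableness check, which is the case the record interrogation level exists to catch.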

Input Error Correction
• When errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing.
  • This ensures that errors are dealt with completely and correctly.
• There are three common error handling techniques:
  • Correct immediately,
  • Create an error file, and
  • Reject the entire batch

Generalized Data Input Systems
• Centralized procedures to manage data input for all transaction processing systems.
• GDIS has five major components:
  • Generalized validation module - performs standard validation routines that are common to many different applications.
  • Validated data file - temporary holding file through which validated transactions flow to their respective applications.
  • Error file - error records detected during
  • Error reports - standardized error reports are distributed to users to facilitate error correction.
  • Transaction log - a permanent record of all validated transactions.
• The GDIS approach has the following advantages:
  • Improves control by having one common system perform all data validation.
  • Ensures that each application applies a consistent standard for data validation.
  • Improves systems development

Chapter 6

Processing Controls
• Processing controls are designed to ensure that:
  • The correct program is used for processing
  • All transactions are processed
  • The correct transactions update files
• Processing controls are divided into three categories:
  • Run-to-run controls
  • Operator intervention controls
  • Audit trail controls

Run-to-Run Controls
• Used to monitor the batch as it moves from one program procedure (run) to another.
• These controls ensure that each run in the system processes the batch correctly and completely.
• Batch control figures may be contained in either a separate control record created at the data input stage or an internal label.

Specific uses of run-to-run control figures are:
• Recalculate control totals - after each run, dollar amount fields and record counts are accumulated and compared to the corresponding values stored in the control record.
• Transaction codes - ensure that only the correct type of transaction is being processed.
• Sequence checks - compare the sequence of each record in the batch with the previous record to ensure that proper sorting took place.
• Example: Run-to-run controls in the revenue cycle, which comprises four runs:
  • Data input, accounts receivable update, inventory update, and output.
  • At the end of the accounts receivable run, batch control figures are recalculated and reconciled with the control totals passed from the data input run.
  • Batch control figures are then passed to the inventory update run, where
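
An added sketch of the run-to-run checks described above (not part of the original slides): a control record is built at data input, and after each run the record count and dollar total are recalculated and the transaction codes and sequence are checked. The record layout, run names and the SALE code are assumptions.

```python
from decimal import Decimal

# Added example: record layout, run names and the "SALE" code are assumptions.
BATCH = [  # constructed batch, sorted by transaction number
    {"txn": 1001, "code": "SALE", "amount": Decimal("120.50")},
    {"txn": 1002, "code": "SALE", "amount": Decimal("75.00")},
    {"txn": 1003, "code": "SALE", "amount": Decimal("310.25")},
]

def control_record(batch, code):
    """Built once at the data input run and passed along with the batch."""
    return {"code": code, "count": len(batch),
            "total": sum((r["amount"] for r in batch), Decimal("0"))}

def check_run(run_name, batch, control):
    """Recalculate the control figures after a run and compare to the control record."""
    problems = []
    if len(batch) != control["count"]:
        problems.append(f"{run_name}: record count {len(batch)} != {control['count']}")
    total = sum((r["amount"] for r in batch), Decimal("0"))
    if total != control["total"]:
        problems.append(f"{run_name}: dollar total {total} != {control['total']}")
    for prev, cur in zip([None] + batch, batch):
        if cur["code"] != control["code"]:          # transaction code check
            problems.append(f"{run_name}: txn {cur['txn']} has code {cur['code']}")
        if prev is not None and cur["txn"] <= prev["txn"]:   # sequence check
            problems.append(f"{run_name}: txn {cur['txn']} out of sequence")
    return problems

def run_cycle(batch, runs):
    """Pass the batch through each run; stop at the first failed reconciliation."""
    control = control_record(batch, "SALE")
    for name, run in runs:
        batch = run(batch)
        problems = check_run(name, batch, control)
        if problems:
            return problems
    return []

def ar_update_dup(batch):
    """Constructed faulty run: posts the second record twice."""
    return batch[:2] + batch[1:]
```

Because the sequence check uses `<=`, a record processed twice is flagged by the count, the dollar total and the sequence check at once, so the batch is stopped before the inventory update run sees it.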

Operator Intervention Controls
• Systems sometimes require operator intervention to initiate certain actions, such as:
  • Entering control totals for a batch of records,
  • Providing parameter values for logical operations, and
  • Activating a program from a different point when reentering semi-processed error records.

Audit Trail Controls
• The preservation of an audit trail is an important objective of process control.
• Every transaction must be traceable through each stage of processing from its economic source to its presentation in financial statements.
• Techniques used to preserve audit trails:
  • Transaction logs - every transaction successfully processed should be recorded on a transaction log, which serves as a journal.
  • Log of automatic transactions - all internally generated transactions must be placed in a transaction log.
  • Listing of automatic transactions - to maintain control over automatic transactions processed, the responsible end user should receive a detailed listing of all internally generated transactions.
  • Unique transaction identifiers - each transaction processed must be uniquely identified with a transaction number.
  • Error listing - a list of all error records

Chapter 7

Output Controls
Introduction
• Output controls are used to ensure that:
  • System output is not lost, misdirected, or corrupted and privacy is not violated.
  • Data generated by the system are valid, accurate, complete, and distributed to authorized persons in appropriate quantities.
• Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems.

Batch Systems Output Controls
• Output in the form of hard copy requires the involvement of intermediaries.
  • Output is removed from the printer by the operator, reviewed for correctness by the data control clerk, and then sent to the end user.
• Each stage is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected.

Batch Output Control Techniques

Output Spooling
• In large-scale data-processing operations, output devices such as line printers can become backlogged with many programs at once demanding these limited resources.
• To ease this burden, applications are often designed to direct their output to a magnetic disk file rather than to the printer directly; this is called output spooling.
• The creation of an output file as an intermediate step in the printing process presents an added exposure.
• A computer criminal may use this opportunity to perform any of the following unauthorized acts:
  • Access the output file and change critical data values
  • Access the file and change the number of copies
  • Copy the output file to produce illegal

Print Programs
• Print programs require operator intervention.
• The common types of operator actions:
  • Pausing the print program to load the correct type of output documents
  • Entering parameters needed by the print run, such as the number of copies to be printed.
  • Restarting the print run at a prescribed checkpoint after a printer malfunction.
• Print program controls are designed to deal with:
  • The production of unauthorized copies of output, and
  • Employee browsing of sensitive data

Bursting (or Separating)
• When output reports are removed from the printer, they go to the bursting stage to have their pages separated and collected.
• The concern is that the bursting clerk

Waste
• Output waste represents a potential exposure.
• It is important to properly organize aborted reports and the carbon copies from multipart paper removed during bursting.
• Computer criminals have been known to sift through trash cans searching for carelessly discarded output that is presumed by others to be of no value.

Data Control
• The data control group is responsible for verifying the accuracy of output before it is distributed to users.
• The data control clerk:
  • Reviews the batch control figures for balance;
  • Examines the report body for distorted, illegible, and missing data; and
  • Records the receipt of the report in data control’s batch control log.

Report Distribution
• Risks include reports being lost, stolen, or misdirected in transit to the user.
• Maintaining adequate access control over this file becomes highly important.
• For highly sensitive reports, distribution techniques include:
  • Reports may be placed in a secure mailbox to which only the user has the key.
  • The user may be required to appear in

End User Controls
• Output reports should be reexamined for any errors that may have evaded the data control clerk’s review.
  • Errors may be signs of improper systems design, incorrect procedures, errors inserted by accident during systems maintenance, or unauthorized access to data files or programs.
• Once a report has served its purpose, it should be stored in a secured location


Real-Time Systems Output Controls
• Real-time systems direct their output to the user’s computer screen, terminal, or printer.
  • This eliminates the various intermediaries in the journey from the computer center to the user.
• The primary threats to real-time output are the interception, disruption, destruction, or corruption of the output message as it passes along the communications link.
• These threats come from two types of exposures:
  • Exposures from equipment failure; and
  • Exposures from subversive acts, whereby a computer criminal intercepts the output message transmitted between the sender and receiver.

Questions?

Thank you!
