03.2 application control

Information System: General Control and Application Control

Upload: mulyadi-yusuf

Post on 17-Jan-2015


IT Application Control: the most common IT application controls (IT-ACs) are:

1. Input controls
2. Processing controls
3. Output controls

Note: application controls are studied further in the CAAT material.

Defining Application Control

Application controls: "controls that pertain to the scope of individual business processes or application systems."

Application control objectives (for a business process and its application system):

• Input data is accurate, complete, authorized, and correct.
• Data is processed as intended, in an acceptable time period.
• Stored data is accurate and complete.
• Outputs are accurate and complete.
• A record is maintained to track the processing of data from input to storage and to the eventual output.

Types of Application Control

• Input controls: check the integrity of data entered into a business application, to ensure that it remains within specified parameters.
• Processing controls: provide an automated means to ensure that processing is complete, accurate, and authorized.
• Output controls: address what is done with the data; they should compare the output results with the intended result by checking the output against the input.
• Integrity controls: monitor data being processed and in storage to ensure that it remains consistent and correct.
• Management trail: as an audit trail, enables management to identify the transactions and events recorded by tracking a transaction forward or backward; it is also used to monitor the effectiveness of other controls and to identify errors.

Topic 12: IT Application Controls

Application control: a control designed to ensure the complete and accurate processing of data, from input through output. Application controls regulate the input, processing, and output of an application.

Input and output risks include loss of data during transmission, duplicate inputs, and manual input errors or incomplete data.

Processing risks include incomplete processing, unrecorded transactions caused either by accident or as part of a fraud, automated transactions (e.g. raw-material reordering) failing due to complications, or files lost during processing.

Output risks include files being sent to the wrong place, or too late to be of use.

These controls are designed to be application-specific. Examples include:

• A cash disbursements batch balancing routine that verifies that the total payments to vendors reconciles with the total postings to the A/P subsidiary ledger.
• An A/R check digit procedure that validates customer account numbers on sales transactions.
• A payroll system limit check that identifies and flags employee time card records with reported hours worked in excess of the predetermined normal limit.

Topic 12: Input Controls

• Input controls: control data as it enters the system, whether manually or electronically.
• Manual input controls: require authorization both before input and after a review, use concise prenumbered forms, and train data entry personnel.
• Electronic input controls: include user-friendly screen formats that prompt the user for the required information, and the use of required fields.
• Field check: a check that the information in an entry field is complete and of the expected type.
• Drop-down menus: allow only specific preset inputs (e.g. a list of provinces).
• Keystroke verification: to protect sensitive information, data is entered twice, by different persons if possible, and any differences are highlighted (e.g. confirming a password change).
• Batch control: accumulate transactions and apply tests to the batch as a whole (e.g. batch totals).
• Format check: data is entered in an acceptable format (e.g. a date format).
• Reconciliation and balancing: a reconciliation analyzes variances, or tests two balances to see whether they are equal.

Topic 12: Input Controls (continued)

• Edit checks: automated tests on data fields. They include:
  - Control totals: a hash total is the sum of a nonfinancial number field (e.g. account numbers) that has no meaning in itself; a change in the hash total indicates that a record was altered, added, or dropped.
  - Range test: allows entry only within a range of numbers or characters.
  - Numerical test: prevents alphabetic entry in numeric fields.
  - Sequence check: checks that a field follows the expected alphanumeric sequence (e.g. document numbers in order, with no gaps).
  - Limit check: entries above a particular number are prevented or need approval.
  - Check digit: an extra digit is added that has an algorithmic relationship to the remaining digits, so that a number entered incorrectly (e.g. by transposing two digits) is detected (e.g. the last digit of a credit card number).
  - Record count: tallies the number of records.
  - Historical comparison: measures the variance from past records.
  - Overflow checking: places a memory or length limit on a field to prevent values larger than the maximum from being entered.
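The check digit and batch control totals above, as an added Python example (not code from the slides): a Luhn check digit of the kind used on card numbers, and record count, financial total and hash total for a batch, showing which total catches a transposed account number. The account numbers, amounts and the "re-keyed" batch are constructed for the example.

```python
"""Input edit checks, as an auditor would code them in a CAAT: a Luhn
check digit (the scheme used for card numbers) and batch control totals
(record count, financial total, hash total) that reveal a dropped or
altered record. Sample batches below are constructed for the example."""


def luhn_check_digit(body: str) -> str:
    """Check digit for a string of digits that does not yet carry one.

    Walking from the rightmost digit leftward, every other digit is doubled
    (and reduced by 9 if the result exceeds 9); the check digit brings the
    sum to a multiple of 10. A transposition of two adjacent, different
    digits changes the sum, so it is detected.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # neighbour of the check digit, then every second digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Validate a full number (body + check digit); non-digits are ignored."""
    digits = "".join(c for c in number if c.isdigit())
    return len(digits) >= 2 and luhn_check_digit(digits[:-1]) == digits[-1]


def batch_totals(records) -> dict:
    """Control totals over a batch: record count, financial total of the
    amounts (in cents, to avoid float rounding) and a hash total of the
    account numbers, a figure that is meaningless in itself but changes
    whenever an account number is altered."""
    recs = list(records)
    return {
        "record_count": len(recs),
        "amount_total_cents": sum(r["amount_cents"] for r in recs),
        "hash_total": sum(int(r["account"]) for r in recs),
    }


def batch_balances(records, expected: dict) -> list:
    """Names of the control totals that do not agree with the totals
    established at data entry (an empty list means the batch balances)."""
    actual = batch_totals(records)
    return [name for name, value in expected.items() if actual[name] != value]


def invalid_accounts(records) -> list:
    """Account numbers in the batch that fail the check digit test."""
    return [r["account"] for r in records if not luhn_valid(r["account"])]


# Batch as keyed by data entry (constructed); account numbers carry a Luhn digit.
ENTERED_BATCH = [
    {"account": "1000017", "amount_cents": 12500},
    {"account": "1000025", "amount_cents": 4999},
    {"account": "1000033", "amount_cents": 83000},
    {"account": "1000041", "amount_cents": 250},
]
ENTERED_TOTALS = batch_totals(ENTERED_BATCH)

# The same batch as received by the application: the second account number
# was re-keyed with two digits transposed (1000025 -> 1000052).
RECEIVED_BATCH = [dict(r) for r in ENTERED_BATCH]
RECEIVED_BATCH[1]["account"] = "1000052"

if __name__ == "__main__":
    print(ENTERED_TOTALS)                                   # {'record_count': 4, 'amount_total_cents': 100749, 'hash_total': 4000116}
    print(batch_balances(RECEIVED_BATCH, ENTERED_TOTALS))  # ['hash_total']
    print(invalid_accounts(RECEIVED_BATCH))                 # ['1000052']
```

Record count and financial total are unchanged by the transposition, so only the hash total (and the check digit on the individual record) exposes it; this is why a batch needs a nonfinancial hash total in addition to the amount total.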

Topic 12: Input Controls (continued)

• Inquiry log: tracks all read-only access to records.
• Automated inputs: automation reduces errors and increases input speed. They include:
  - Optical character recognition (OCR): converts a scanned image into character data that can then be stored, retrieved, and processed (e.g. scanning a shipping receipt into a database).
  - Scanners: devices that digitize graphic images.
  - Radio frequency identification (RFID): a tag in the packaging is read over radio frequency to identify where the product is; useful for tracking inventory (e.g. DHL).
  - Bar codes: a machine-readable representation of data, allowing rapid reading and processing of the associated data (such as price or inventory level).
  - Magnetic ink character recognition (MICR): characters printed on checks (bank transactions) that carry the check number, account number, routing number, and possibly the check amount.

Topic 12: Processing Controls

• Processing controls: automated error checks built into computer processing, together with segregation of duties, such as controlling programmers' access to files and records.
• Data center operators' access to applications should be restricted to equipment and software installation and to responding to errors; operators should not be able to override file names or labels.
• A console log or system control file should track operator interventions.
• Access to configuration parameters within an application must be controlled. Auditors should reconcile the actual configuration against the planned one.
• Completeness check: rejects saving a record until all required fields are complete.
• Control totals: when an application generates temporary files, their totals are recorded in a system control file; an error is raised if a control total does not match.
• Date and file total check: logs of item and monetary totals with date and time stamps. Exact duplicate entries are flagged as errors.

Auditors test processing controls by inserting known test data and comparing the results against the expected results (the test data, or test deck, approach).

Topic 12: Processing Controls (continued)

Other processing controls include:

• Reasonableness checks: verify that amounts fall within predetermined limits.
• Suspense file: a file used to retain transactions that were processed with errors until they are corrected and resubmitted.
• Activity log: records the actions of users by date, time, and access terminal (distinguish this application-level log from the logs of the IT general controls).
• Processing logic tests (e.g. posting check, zero-balance check, cross-footing check): checks that verify that accounts or transactions are at the expected level (e.g. checking that a clearing account actually has a zero balance after payments are processed, or that the row totals and column totals of a report agree).
• Run-to-run totals: control totals carried from one processing run to the next, which the data control group reconciles at each stage.
• End-of-file procedures: prevent additional operations from taking place in a file once the end of the file is reached.
• Primary and secondary key integrity checks: verify that record keys remain unique and that references between files stay valid (database keys, not encryption keys).
• Access control list: a list of all valid users (and what each may do). Auditors should verify that the list cannot be altered without proper authorization.
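The completeness check, duplicate detection, suspense file and run-to-run totals of the two processing-control slides, as an added Python example (not code from the slides). The two invoice batches are constructed for the example; the run-to-run check stands in for the data control group's independent reconciliation.

```python
"""One processing run of an accounts payable batch with the processing
controls described above: a completeness check, detection of exact
duplicates (including duplicates of records posted in an earlier run),
a suspense file for rejected records, and run-to-run control totals
that the data control group reconciles. Batches are constructed for the
example."""
from dataclasses import dataclass, field

REQUIRED_FIELDS = ("invoice_no", "vendor", "amount_cents", "date")


@dataclass
class RunResult:
    posted: list = field(default_factory=list)
    suspense: list = field(default_factory=list)  # (record, reason) pairs
    totals: dict = field(default_factory=dict)    # cumulative, carried to the next run


def process_run(batch, carried_totals=None, seen_keys=None):
    """Post a batch; return (RunResult, updated set of keys seen so far)."""
    seen = set(seen_keys or ())
    result = RunResult()
    for rec in batch:
        # Completeness check: every required field present and non-empty.
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if missing:
            result.suspense.append((rec, "incomplete: " + ", ".join(missing)))
            continue
        # Date and file total check: an exact repeat of vendor/invoice/amount/date
        # is flagged as a duplicate rather than posted twice.
        key = tuple(rec[f] for f in REQUIRED_FIELDS)
        if key in seen:
            result.suspense.append((rec, "duplicate"))
            continue
        seen.add(key)
        result.posted.append(rec)
    previous = carried_totals or {"count": 0, "amount_cents": 0}
    result.totals = {
        "count": previous["count"] + len(result.posted),
        "amount_cents": previous["amount_cents"] + sum(r["amount_cents"] for r in result.posted),
    }
    return result, seen


def run_to_run_check(batch, carried_totals, result) -> list:
    """Independent reconciliation by the data control group. Returns the
    names of the checks that fail (an empty list means the run reconciles)."""
    previous = carried_totals or {"count": 0, "amount_cents": 0}
    failures = []
    # Every input record must end up either posted or in the suspense file.
    if len(batch) != len(result.posted) + len(result.suspense):
        failures.append("records lost")
    # Carried totals must equal the previous run's totals plus this run's postings.
    posted_amount = sum(r["amount_cents"] for r in result.posted)
    if result.totals["count"] != previous["count"] + len(result.posted):
        failures.append("count")
    if result.totals["amount_cents"] != previous["amount_cents"] + posted_amount:
        failures.append("amount")
    return failures


RUN_1 = [
    {"invoice_no": "A-1001", "vendor": "V100", "amount_cents": 45000, "date": "2015-01-05"},
    {"invoice_no": "A-1002", "vendor": "V100", "date": "2015-01-05"},                          # amount missing
    {"invoice_no": "B-77", "vendor": "V205", "amount_cents": 1200, "date": "2015-01-06"},
    {"invoice_no": "A-1001", "vendor": "V100", "amount_cents": 45000, "date": "2015-01-05"},  # exact duplicate
]
RUN_2 = [
    {"invoice_no": "B-77", "vendor": "V205", "amount_cents": 1200, "date": "2015-01-06"},     # duplicate of run 1
    {"invoice_no": "C-3", "vendor": "V310", "amount_cents": 9900, "date": "2015-01-07"},
]


def demo():
    """Run both batches in sequence; returns results and reconciliation outcomes."""
    r1, seen = process_run(RUN_1)
    r2, _ = process_run(RUN_2, r1.totals, seen)
    return r1, r2, run_to_run_check(RUN_1, None, r1), run_to_run_check(RUN_2, r1.totals, r2)


if __name__ == "__main__":
    r1, r2, c1, c2 = demo()
    print(len(r1.posted), [reason for _, reason in r1.suspense], r1.totals, c1)
    print(len(r2.posted), [reason for _, reason in r2.suspense], r2.totals, c2)
```

Note that the duplicate key set is carried across runs: a duplicate payment that only shows up in a later batch is the common case, so a check limited to the current batch would miss it.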

Topic 12: Output Controls

Output controls: detective controls that find errors and verify the accuracy and reasonableness of output data after processing is complete. They include:

• Error listings: auditors ensure that errors are followed up without exceeding backlog limits, and that corrected reports are resubmitted.
• Reference documents: when a system is interrupted, these logs show what was in memory at the time of the interruption.
• Spooling controls: a spool is a temporary memory allocation for system output. These controls regulate how data is spooled (and who can view or redirect it).
• Working documents: legal records, such as checks, invoices, or stock certificates, are safeguarded. They are audit evidence that can show whether inputs really match outputs.
• Report controls: ensure that reports are accurate, simple, timely, and meaningful, and that sensitive data is secured using distribution controls.
• Exception reporting: highlights only unusual data, which helps to determine the source of an error (human error or processing error).

Topic 7: Encryption

• Encryption uses a mathematical algorithm to scramble data so that it cannot be unscrambled without the key.
• It can be used on stored data, on physically transported data (e.g. on a CD), and on electronically transmitted data (e.g. wireless data).
• Two basic types of encryption:
  - Private (symmetric) key encryption: the same key encrypts and decrypts.
  - Public (asymmetric) key encryption: a public/private key pair.
• Built on public key encryption:
  - Digital signatures.
  - Elliptic curve cryptography (ECC), a family of public key algorithms based on the curve y^2 = x^3 + ax + b.

Topic 7: Symmetric Encryption

1. Sue (the sender) selects a key, and then uses that key to encrypt the plaintext to produce the ciphertext.
2. Sue gives both the key and the ciphertext to you (the receiver). (Not together, obviously, or anyone who intercepts the delivery could use the key to decrypt the ciphertext; the key has to travel over a separate, protected channel.)
3. You use that same key to decrypt the ciphertext to regenerate the plaintext.

Topic 7: Asymmetric Encryption

1. You give Sue (the sender) a copy of your public key.
2. Sue uses your public key to encrypt the plaintext to produce a ciphertext for you.
3. She then gives (just) the ciphertext to you.
4. You use your private key to decrypt the ciphertext to reproduce the plaintext.

Here a sender (Sue) uses your public key to produce a ciphertext for you. The process also works backwards: you could encrypt a plaintext with your private key and send the resulting ciphertext to Sue. Decrypting that ciphertext with your public key proves that it had to come from you. This provides authenticity without privacy: your public key is public, so anyone could decrypt this ciphertext, not just Sue. But public/private key pairs make digital signatures possible, which provide authenticity and integrity without sacrificing privacy.

Topic 7: Digital Signature

(Slide diagram not included in the transcript.)

Topic 7: Encryption (continued)

• Other encryption tools:
  - Quantum (or quantum key) cryptography: uses quantum uncertainty to produce a shared bit string or key, created randomly and known only to the two communicating parties.
  - Digital envelope: uses two layers of encryption: 1. the message is encrypted symmetrically with a one-time session key, then 2. that session key is encrypted with the recipient's public key and sent along with the message.
  - Cryptographic module or system: a packaged encryption application that is purchased or developed as part of a larger application (e.g. SSL/TLS).
• Auditing issues:
  - Evaluating encryption includes evaluating the physical controls over computers that hold keys and passwords, testing whether key-management policies are being followed, and implementing and monitoring logical controls.
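The digital signature of the preceding slides ("encrypt the hash with the private key, decrypt it with the public key") and the digital envelope above, as one added Python example that is not code from the slides. It uses textbook RSA with two small, publicly known Mersenne primes and a SHA-256 keystream in place of a real symmetric cipher, all chosen so it runs with the standard library alone; these are toy parameters for illustration, not a secure construction (real systems use RSA-PSS or ECDSA for signatures, RSA-OAEP or ECDH to wrap the session key, and an authenticated cipher such as AES-GCM for the message).

```python
"""Toy digital signature and digital envelope with textbook RSA.
Illustration only: the modulus is about 92 bits, there is no padding,
and the symmetric layer is a SHA-256 keystream standing in for a real
cipher. Keys and message are assumptions made for the example."""
import hashlib
import secrets

# Two known Mersenne primes (toy parameters); the modulus n = P*Q is ~92 bits.
P = 2**61 - 1
Q = 2**31 - 1
E = 65537


def keygen():
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def _digest_int(data: bytes) -> int:
    # 64-bit truncated digest so the integer is always below the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(priv, message: bytes) -> int:
    """Signature = hash of the message 'encrypted' with the private key."""
    n, d = priv
    return pow(_digest_int(message), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare with a fresh hash."""
    n, e = pub
    return pow(signature, e, n) == _digest_int(message)


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream derived from the session key (stand-in for a cipher).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def seal(pub, plaintext: bytes, session_key=None):
    """Digital envelope: symmetric layer under a fresh session key, and the
    session key wrapped with the recipient's public key. Returns
    (wrapped_key, ciphertext)."""
    n, e = pub
    key = session_key or secrets.token_bytes(8)  # 64-bit toy session key, always < n
    body = _xor(plaintext, key)
    wrapped_key = pow(int.from_bytes(key, "big"), e, n)
    return wrapped_key, body


def open_envelope(priv, wrapped_key: int, body: bytes) -> bytes:
    """Recipient: unwrap the session key with the private key, then decrypt."""
    n, d = priv
    key = pow(wrapped_key, d, n).to_bytes(8, "big")
    return _xor(body, key)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = b"Pay vendor V205 the sum of 1200"
    sig = sign(priv, msg)
    print(verify(pub, msg, sig), verify(pub, msg + b"0", sig))  # True False
    wrapped, body = seal(pub, msg)
    print(open_envelope(priv, wrapped, body) == msg)            # True
```

The two uses of the key pair are mirror images: the signer applies the private exponent and anyone with the public key checks the result, while for the envelope the sender applies the public exponent to the session key and only the private key holder can recover it. Only the short session key goes through the slow public key operation; the message itself is handled by the symmetric layer.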

Topic 2: Data and Network Communication / Connections

• The choice of network type affects IT control design.
• Computer network: the sum of all infrastructure and applications required to connect two or more network nodes, which are computers and devices:
  - Computers (with their own processing power), servers (powerful computers with high bandwidth), and clients (recipients of server functions) in a client/server infrastructure (e.g. a data request server, a database server).
  - Mainframe (a large, scalable computer that processes and stores large amounts of data) and data terminals (input/output nodes for a mainframe system).
• Data processing methods:
  - Centralized: all data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
  - Decentralized: processing is performed locally by each unit on its own systems.
  - Distributed: decentralized processing, but networked together (and centrally coordinated).

Topic 2: Network Types

The choice of network type affects IT control design. Types of networks:

• Peer-to-peer network: computers connected directly to each other, without a dedicated server.
• Personal-area networks (PANs): wireless, within a room.
• Local-area networks (LANs): a limited geographic area (a building).
• Wide-area networks (WANs): networks of LANs (national or worldwide).
• Metropolitan-area networks (MANs): a city or metropolitan area.
• Public data networks (PDNs): allow public access, such as the Internet.

Other related terms:

• Value-added networks (VANs): providers of networking services.
• Consortium networks: a group of organizations that form a shared network.

Network transmission options:

• Wired.
• Wireless.
• Virtual private networks (VPNs): a secure (encrypted) tunnel between two points across a public network such as the Internet (via ISPs).

Topic 2: Open System Interconnection (OSI) Reference Model

• A method of defining how messages should be sent through a network so that unrelated products can work together.
• The OSI model is divided into 7 layers for communication and computer network protocol design.

OSI layer | Description | Related controls
--- | --- | ---
Layer 1: Physical (HW, network) | Mechanical/electrical layer; transmits raw bits as signals. | Wiring and other physical protection
Layer 2: Data link (HW, network) | Frames the layer 1 bit stream between directly connected nodes, synchronizes it, and detects transmission errors. | Link-layer encryption
Layer 3: Network (SW, network) | Routes and forwards packets to the right destination. | IP addresses are tracked; firewalls (packet filtering)
Layer 4: Transport (SW, computer) | Ensures that data transfers are complete through end-to-end control and error checking. | Logical controls; firewalls (port-based rules)
Layer 5: Session (SW, computer) | Initiates and terminates conversations between applications. |
Layer 6: Presentation (SW, computer) | Applies data syntax and formatting (character encoding, compression, encryption). | O/S and encryption controls
Layer 7: Application (SW, computer, closest to the user) | Constraints on data, such as user and communication-partner authentication and privacy. | Configurable data constraints and authentication; intrusion detection

Topic 2: Network Topology

Network topology: the physical connection points between devices on a LAN or similar network. Common topologies: (1) bus network, (2) ring network, and (3) star network.

Topic 2: Network Hardware

1. Ports: physical connection points on a device.
2. Hubs: a central connection point that repeats every frame to all of its ports (it does not direct traffic).
3. Repeaters: extend the range of a network by amplifying or regenerating signals.
4. Switches: connect circuits, forwarding each frame only to the port of its destination device, and may offer network management capabilities.
5. Routers: intelligent processors that link network segments, allowing them to communicate while remaining separate and independent.
6. Bridges: an early device that connects two network segments and forwards frames by address, functioning similarly to a switch or router but less efficient than a switch.
7. Gateways: convert protocols between networks with dissimilar architectures.
8. Multiplexers: combine multiple channels into a single channel, such as multiple phone lines sharing one physical line.

Case: The Internet consists of a series of networks that include:
A. Gateways to allow PCs to connect to mainframe computers.
B. Bridges to direct messages through the optimum data path.
C. Repeaters to physically connect separate local area networks (LANs).
D. Routers to strengthen data signals between distant computers.

Topic 2: Firewall

• Firewall: a hardware/software combination that routes all communication to or from the outside world through itself, blocking unauthorized traffic.
• Firewalls can:
  1. Improve security by blocking access from certain servers or applications.
  2. Reduce vulnerability to external attacks and preserve IT system efficiency by limiting user access to certain sites.
  3. Provide a means of monitoring communications and detecting external intrusions and internal sabotage.
  4. Provide encryption internally (within an enterprise), e.g. as a VPN endpoint.

Topic 2: Firewall (continued)

• Firewall types:
  1. Packet filtering (layers 3 and 4): compares source and destination addresses (and ports) against an allowed list.
  2. Application gateways (layer 7): stop traffic flowing to specific applications such as file transfer protocol (FTP); e.g. rules may block outgoing FTP but permit incoming FTP. One common gateway is a proxy server.
• The auditor should work with the network administrator to determine the efficacy of a firewall, how specific its rules are, and whether the lists of acceptable users, IP addresses, and applications are kept up to date.
• Firewall logs can be used as legal audit evidence if the data was collected, processed, and retained properly.
• Firewalls have limitations: they do not stop physical intrusion or incorrect configuration, and trojan horses can tunnel out over permitted channels such as IRC (Internet Relay Chat).
• Intrusion detection/prevention systems: an intrusion detection system (IDS) placed inline so that it can block the traffic it flags (often combined with application-layer, layer 7, firewall functions) is an intrusion prevention system (IPS). Two types of IPS: host-based (HIPS) and network-based (NIPS).
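Packet filtering and the FTP rule example above, as an added Python example (not code from the slides): a first-match rule list with default deny, evaluated over a few sample packets, plus the rule-specificity check an auditor asks about. The internal address range, the server addresses and the rules are assumptions made for the example; a production firewall would also track connection state rather than judge each packet in isolation.

```python
"""Stateless layer 3/4 packet filtering as a first-match rule list with a
default deny, covering the slide's FTP example (block outbound FTP, allow
inbound FTP only to the designated server), plus a rule-specificity check
of the kind the auditor raises with the network administrator. Addresses,
hosts and rules are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL = "10.0.0.0/8"  # assumed internal address range
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR; ANY matches every source
    dst: str
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


RULES = [
    Rule("deny", INTERNAL, ANY, "tcp", 21),          # no outbound FTP from inside
    Rule("allow", ANY, "10.1.1.25/32", "tcp", 21),   # inbound FTP only to the FTP server
    Rule("allow", INTERNAL, ANY, "tcp", 443),        # outbound HTTPS
    Rule("allow", ANY, "10.1.1.80/32", "tcp", 443),  # inbound HTTPS only to the web server
]


def decide(packet: Packet, rules=RULES) -> str:
    """First matching rule wins; anything not explicitly allowed is dropped."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def overly_broad_allows(rules) -> list:
    """Indexes of allow rules with any source and any destination, or with
    no port restriction: the rules an auditor would ask the administrator
    to justify."""
    return [i for i, r in enumerate(rules)
            if r.action == "allow" and ((r.src == ANY and r.dst == ANY) or r.dport is None)]


if __name__ == "__main__":
    for p in (Packet("10.2.3.4", "203.0.113.9", "tcp", 21),
              Packet("203.0.113.9", "10.1.1.25", "tcp", 21),
              Packet("203.0.113.9", "10.1.1.80", "tcp", 21)):
        print(p, decide(p))  # deny, allow, deny
    print(overly_broad_allows(RULES + [Rule("allow", ANY, ANY)]))  # [4]
```

Rule order matters: the outbound-FTP deny sits before the inbound-FTP allow, so an internal host cannot reach the FTP server's port 21 through the "any source" allow rule. Reversing the two rules would silently open that path, which is the kind of defect the auditor's rule review is meant to catch.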

Topic 3: Electronic Funds Transfer (EFT)

• EFT: the transfer of monetary value and financial data from one bank to another (the transfer itself involves only the banks).
• FEDI (financial EDI, i.e. EFT combined with EDI) is a subset of electronic data interchange (EDI).
• FEDI transfers payment information between companies, banks, or others; settlement takes place through EFT.

EFT risks and controls: EFT is more reliable, cost-effective, and efficient than check payment. Controls:

• Passwords and physical access restrictions for FEDI terminals.
• Dual approval (one person enters, another releases).
• Test keys or codes for validation.
• Encryption.
• Credit monitoring, backup, and continuity plans.

Topic 3: EFT Methods and Internal Auditing

EFT methods:

• RTGS (real-time gross settlement), such as Fedwire (USA), TARGET (Europe), and CHAPS (UK).
• ACH (automated clearing house): (a) for high-volume, (b) low-value transfers, (c) payments are sent in batches, and (d) prenotification is used.

Internal audit evaluates the adequacy and effectiveness of the internal controls applied to EFT, such as:

• Logical controls that restrict unauthorized access to the EFT systems.
• Program change management controls.
• Physical controls.
• System data backup and recovery controls.
• Operational controls to ensure availability.
• Application controls to ensure transaction accuracy.

Case: Which one of the following is least likely to be recommended by the auditor when an EDI-EFT system is being designed?
A. The identity of the individual approving an electronic document should be stored as a data field.
B. Disaster recovery plans should be established.
C. Data security procedures should be written to prevent changes to data by unauthorized individuals.
D. Remote access to electronic data should be denied.

Topic 4: E-Commerce

• E-commerce is defined as "conducting commercial activities over the Internet" and includes:
  - Business-to-business (B2B) e-commerce.
  - Business-to-consumer (B2C) e-commerce.
  - Business-to-employee (B2E) e-commerce.
  - Mobile e-commerce (using mobile devices such as smartphones).
• Control concerns:
  - Determine how authorization of transactions is handled.
  - End users can initiate input data directly.
  - Risk analysis covers the hardware used, transmission methods, firewalls, back-end systems, middleware, and links to other applications.
  - Controls over sensitive information.

Topic 4: Results of E-Commerce Security

Expected results of e-commerce security policies include:

• Authenticity: both parties are able to verify the other party's identity, e.g. with passwords, encryption keys, and digital signature certificates.
• Integrity: web site information is unaltered from its original form.
• Nonrepudiation: e-commerce participants cannot deny (repudiate) their online activities, i.e. e-commerce data is legal evidence.
• Confidentiality: only authorized parties can access their data.
• Privacy: users are informed of a site's privacy policy and can decide whether to provide personal information.
• Availability: the site is available when needed. Redundant systems and reliable partners help ensure availability.

Case: Management has implemented controls such as a firewall, password management, independent reconciliation, and an audit trail. These controls should be reviewed and evaluated by the internal auditor when testing which e-commerce audit area?
A. Fraud.
B. Corruption of data.
C. Business interruptions.
D. Authentication.

Topic 4: Internal Audit of E-Commerce Controls

When auditing e-commerce, internal audit should look for:

1. Network security controls (e.g. firewalls, encryption, virus protection, policies, communication of security standards within and outside the enterprise) and intrusion detection systems.
2. User identification systems (e.g. digital signatures).
3. Privacy and confidentiality controls.
4. A complete list of the e-commerce applications within the enterprise.
5. Maintenance activities to ensure continued operation.
6. Failure detection and automated repair.
7. Application change management controls.
8. A business continuity plan in case of system interruption.

Continuous auditing in e-commerce:

• Software-based, covering continuous risk assessment, continuous control assessment, and assessment of the continuous monitoring tools; it is able to uncover fictitious sales and returns.

Topic 10: Enterprise Resource Planning (ERP) Software

• ERP system: a modular suite of business applications that share data between modules and store all data in a single repository (database).
• Purpose: facilitate the flow of information between all business functions inside the boundaries of the organization, and manage the connections to outside parties.
• ERP reduces redundancy of data and creates synergies such as automated forwarding of transactions to the appropriate department.
• ERP increases efficiency by keeping inventory levels low, reducing cycle times, and improving the timeliness of data for decision making.
• Core modules of an ERP: (a) finance, manufacturing, sales and distribution, human resources; (b) transaction processing system (TPS) and management information system (MIS); (c) customer relationship management (CRM) and supplier relationship management (SRM).

Topic 10: Internal Auditing for ERP

• An ERP simplifies the gathering of audit evidence (one data repository).
• Its modules may have originated as disparate applications written in different languages, so auditing an ERP can require multiple workarounds and redundant procedures.
• Internal audit assesses whether management has evaluated the efficiency of the ERP relative to competing ERPs.
• Internal audit needs to be involved in ERP development, monitor the implementation and the personnel training plan, and recommend ERP improvements.
• Because the system is integrated, there is no paper audit trail to follow between departments and approvals tend to be automatic, which exacerbates the segregation of duties issue.
• Therefore the audit must focus on IT controls, such as password quality and other logical controls.
• Even the best ERP is unlikely to cover all needs; the remaining needs are met through customization or configuration.
  - Customization: changing the code of the system to provide a process that is not available.
  - Configuration: changing preset parameters (cheaper, and does not impede upgrades).
• To overcome the problem, the ERP should separate business processes from controls.

Topic 10: WBEM (Web-Based Enterprise Management)

• WBEM:
  - Uses the external networking component of the ERP to provide portal access to external vendors and large customers via XML communication.
  - The auditor should focus on controls, especially those that protect the organization's data.
  - Management and IT professionals should determine which information will be shared.
  - WBEM provides international integration and best-of-breed systems (focused on a niche).
• Continuous auditing for ERP systems:
  - Automated controls in the ERP must be designed and implemented with audit involvement.
  - Exception reports are needed to highlight unusual data, areas, or operational concerns.

Auditing Application Controls: Assess Risk

When identifying risks, auditors may find it useful to employ a top-down risk assessment to determine which applications to include in the control review and what tests need to be performed.

Example: Financial Statement Risk Analysis Approach (slide diagram, summarized):

1. 10-K / financial statements (F/S): financial statement assertions and non-financial disclosures.
2. F/S accounts and disclosures mapped to processes, e.g. Revenue and Receivables; Purchases and Payables; Management and Financial Reporting/Accounting; Payroll and Benefits; Treasury; Legal; Compliance; Manufacturing; Investor Relations; Environmental.
3. Processes mapped to business units (BU 1, BU 2, BU 3, Corporate).
4. Risk identification and analysis. Risk assessment documents: a risk analysis matrix by F/S accounts and disclosures; account risk analysis mapped to the business and critical applications and the underlying technology.
5. Prepare the risk control matrix (manual and automated controls).
6. Define the risk assessment for application controls (see the risk assessment approach in the following section).

Application Control: Risk Assessment Approach

To add value to organization-wide application control risk assessment activities, internal auditors:

1. Define the universe of applications, databases, and supporting technology that use application controls.
2. Summarize risks and controls using the matrices documented during the risk assessment process.
3. Define the risk factors associated with each application control, including:
   - Primary (i.e. key) application controls.
   - The design effectiveness of the application controls.
   - Whether applications or databases are pre-packaged or developed in-house.
   - Effectiveness of the general controls residing within the application (e.g. change management, logical security).
4. Weight all risk factors to determine which risks need to be weighted more heavily than others.
5. Determine a scale to rank each application control risk, considering qualitative and quantitative scales:
   - Numeric scales based on qualitative information (e.g. 1 = low impact, 5 = high impact).
   - Numeric scales based on quantitative information (e.g. 1 = under US $50 and 5 = over US $1,000).
6. Conduct the risk assessment and rank all risk areas.
7. Evaluate the risk assessment results.
8. Create a risk review plan that is based on the risk assessment and the ranked risk areas.

Note: this risk assessment approach differs from risk assessment in risk management. Here the internal auditor does not decide on the responses to risks; the assessment is used as input for establishing the review plan (e.g. determining the scope of the application control review).

Example Application Control: Risk Assessment Approach

Risk factor weights (in parentheses; total 100) and risk scale scores (1 to 5) per application:

Application | Contains primary controls (20) | Design effectiveness of the app controls (10) | Pre-packaged or developed (10) | Supports more than one critical business process (10) | Frequency of change (10) | Complexity of change (10) | Financial impact (15) | Effectiveness of the ITGCs (15) | Composite score
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
App A | 5 | 1 | 5 | 5 | 3 | 3 | 5 | 2 | 375
App B | 1 | 1 | 2 | 1 | 1 | 1 | 4 | 2 | 170
App C | 5 | 2 | 2 | 1 | 5 | 5 | 5 | 2 | 245
App D | 5 | 3 | 5 | 1 | 5 | 5 | 5 | 2 | 395
App E | 5 | 1 | 1 | 1 | 1 | 1 | 3 | 2 | 225

Composite score = sum over the risk factors of (risk factor weight x risk scale). For example, App A's composite score of 375 = (20 x 5) + (10 x 1) + (10 x 5) + (10 x 5) + (10 x 3) + (10 x 3) + (15 x 5) + (15 x 2).

For this example, the auditor may determine that the application control review will include all applications with a score above 200.
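The composite score formula and the scoping threshold, as an added Python example (not code from the slides) that also recomputes every printed score and reports where the table and the formula disagree, the kind of recomputation test a CAAT performs. Applying the stated weights to the factor scores printed for App C gives 355, not the printed 245, and the reconciliation below flags exactly that row; which of the two figures is the transcription error cannot be decided from the page.

```python
"""Recompute the composite risk scores of the example table and reconcile
them with the scores as printed, as a CAAT recomputation test would."""

# Risk factor weights from the slide (sum to 100).
WEIGHTS = {
    "primary_controls": 20,
    "design_effectiveness": 10,
    "prepackaged_or_developed": 10,
    "multi_process": 10,
    "change_frequency": 10,
    "change_complexity": 10,
    "financial_impact": 15,
    "itgc_effectiveness": 15,
}

# Factor scores (1..5, in WEIGHTS order) and printed composite scores, transcribed from the slide.
APPS = {
    "App A": ([5, 1, 5, 5, 3, 3, 5, 2], 375),
    "App B": ([1, 1, 2, 1, 1, 1, 4, 2], 170),
    "App C": ([5, 2, 2, 1, 5, 5, 5, 2], 245),
    "App D": ([5, 3, 5, 1, 5, 5, 5, 2], 395),
    "App E": ([5, 1, 1, 1, 1, 1, 3, 2], 225),
}


def composite_score(scores) -> int:
    """Sum of weight x scale over all factors; rejects malformed rows."""
    if len(scores) != len(WEIGHTS):
        raise ValueError("one score per risk factor is required")
    if any(not 1 <= s <= 5 for s in scores):
        raise ValueError("risk scale is 1..5")
    return sum(w * s for w, s in zip(WEIGHTS.values(), scores))


def recompute_all(apps=APPS) -> dict:
    return {name: composite_score(scores) for name, (scores, _) in apps.items()}


def reconcile(apps=APPS) -> dict:
    """Rows whose printed score differs from the recomputed one: {app: (printed, recomputed)}."""
    return {name: (printed, composite_score(scores))
            for name, (scores, printed) in apps.items()
            if composite_score(scores) != printed}


def in_scope(apps=APPS, threshold=200) -> list:
    """Applications selected for review (recomputed score above the threshold),
    highest score first."""
    scores = recompute_all(apps)
    return sorted((n for n, s in scores.items() if s > threshold), key=lambda n: -scores[n])


if __name__ == "__main__":
    print(recompute_all())   # App A 375, App B 170, App C 355, App D 395, App E 225
    print(reconcile())       # {'App C': (245, 355)}
    print(in_scope())        # ['App D', 'App A', 'App C', 'App E']
```

With the weights given, the lowest possible composite score is 100 and the highest 500, so a threshold of 200 excludes only applications that score near the bottom of every factor; the threshold is a scoping judgement, and the recomputation protects it from being applied to a miscalculated score.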

Approaches and Other Considerations: Computer-Assisted Audit Techniques

Computer-assisted audit techniques (CAATs) make use of computer applications, such as ACL, IDEA, VIRSA, SAS, SQL, Excel, Crystal Reports, Business Objects, Access, and Word, to automate and facilitate the audit process.

The use of CAATs helps to ensure that appropriate coverage is in place for an application control review, particularly when there are thousands, or perhaps millions, of transactions occurring during a test period. In these situations it would be impossible to obtain adequate information in a reviewable format without an automated tool.

Because CAATs provide the ability to analyze large volumes of data, a well-designed audit supported by CAAT testing can perform a complete review of all transactions and uncover abnormalities (e.g. duplicate vendors or transactions) or a set of predetermined control issues (e.g. segregation of duties conflicts).

Audit-specialized software may perform:

- Data queries
- Data stratification
- Sample extraction
- Statistical analysis
- Calculations
- Duplicate transaction detection
- Pivot tables
- Cross-tabulation
- Missing sequence identification

Example (ACL): verify duplicate transactions
Example (ACL): verify calculations (recomputation)
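Four of the CAAT tests listed above (duplicate transactions, duplicate vendors, missing sequence, stratification) run over a small payments extract, as an added Python example that is not code from the slides or from ACL. The payment and vendor master records are constructed for the example; on a real extract the same functions would be applied to the full population rather than a sample.

```python
"""CAAT-style tests over a constructed payments extract: possible duplicate
payments, vendor master records sharing a bank account, gaps in the check
number sequence, and stratification by amount band."""
from collections import defaultdict

# Constructed sample extract (not real data); amounts in cents.
PAYMENTS = [
    {"check_no": 5001, "vendor_id": "V100", "amount_cents": 45000,  "date": "2015-01-05", "invoice": "A-1001"},
    {"check_no": 5002, "vendor_id": "V205", "amount_cents": 1200,   "date": "2015-01-06", "invoice": "B-77"},
    {"check_no": 5003, "vendor_id": "V100", "amount_cents": 45000,  "date": "2015-01-05", "invoice": "A-1OO1"},  # invoice re-keyed with letters O
    {"check_no": 5005, "vendor_id": "V310", "amount_cents": 990000, "date": "2015-01-07", "invoice": "C-3"},
    {"check_no": 5006, "vendor_id": "V311", "amount_cents": 12000,  "date": "2015-01-08", "invoice": "C-4"},
    {"check_no": 5008, "vendor_id": "V205", "amount_cents": 1200,   "date": "2015-01-20", "invoice": "B-91"},
]
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supplies",        "bank_acct": "11-222"},
    {"vendor_id": "V205", "name": "Bolt & Nut Co",        "bank_acct": "33-444"},
    {"vendor_id": "V310", "name": "Consolidated Freight", "bank_acct": "55-666"},
    {"vendor_id": "V311", "name": "Consol. Freight Ltd",  "bank_acct": "55-666"},
]
BANDS = [(0, 10_000), (10_000, 100_000), (100_000, None)]  # cents; upper bound exclusive, None = open


def possible_duplicate_payments(payments) -> list:
    """Groups of check numbers paying the same vendor the same amount on the
    same date. Matching on invoice number alone misses a re-keyed invoice."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor_id"], p["amount_cents"], p["date"])].append(p["check_no"])
    return [sorted(checks) for checks in groups.values() if len(checks) > 1]


def duplicate_vendors(vendors) -> dict:
    """Bank accounts that appear under more than one vendor ID."""
    by_account = defaultdict(list)
    for v in vendors:
        by_account[v["bank_acct"]].append(v["vendor_id"])
    return {acct: ids for acct, ids in by_account.items() if len(ids) > 1}


def missing_sequence(numbers) -> list:
    """Numbers absent between the lowest and highest value seen."""
    seen = set(numbers)
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def stratify(payments, bands=BANDS) -> dict:
    """Count and total of payments per amount band."""
    out = {}
    for lo, hi in bands:
        rows = [p for p in payments
                if p["amount_cents"] >= lo and (hi is None or p["amount_cents"] < hi)]
        out[(lo, hi)] = {"count": len(rows), "amount_cents": sum(r["amount_cents"] for r in rows)}
    return out


if __name__ == "__main__":
    print(possible_duplicate_payments(PAYMENTS))                  # [[5001, 5003]]
    print(duplicate_vendors(VENDORS))                             # {'55-666': ['V310', 'V311']}
    print(missing_sequence(p["check_no"] for p in PAYMENTS))      # [5004, 5007]
    for band, stats in stratify(PAYMENTS).items():
        print(band, stats)
```

Each result is a lead for follow-up rather than a finding in itself: the two V205 payments of 1,200 cents are not grouped because the dates differ, a gap in the check sequence may be a voided check, and two vendor IDs on one bank account may be a legitimate name change. The value of the CAAT is that it surfaces every such case from the whole population so that the auditor can vouch them.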

Sample of Intrusion Reports (slide image not included in the transcript)

Sample of Transaction History (slide image not included in the transcript)

For further information, contact: