
Sunday, October 01, 2006

Application Controls

In short, application controls can be categorised as:
- Data origination - preparation
- Input
- Processing
- Output

Data is prepared from source documents before it is entered (input) into the application system, processed, and finally used to generate the required information as output.

COBIT version 4 has also added one more category, Boundary Controls: the controls required between two parties (sender and receiver).

As per COBIT, the following are the recommended controls:

Data Origination/Authorisation Controls

AC1 Data Preparation Procedures
Data preparation procedures are in place and followed by user departments. In this context, input form design helps ensure that errors and omissions are minimised. Error-handling procedures during data origination reasonably ensure that errors and irregularities are detected, reported and corrected.

AC2 Source Document Authorisation Procedures
Authorised personnel who are acting within their authority properly prepare source documents and an adequate segregation of duties is in place regarding the origination and approval of source documents.

AC3 Source Document Data Collection
Procedures ensure that all authorised source documents are complete and accurate, properly accounted for and transmitted in a timely manner for entry.

AC4 Source Document Error Handling
Error-handling procedures during data origination reasonably ensure detection, reporting and correction of errors and irregularities.

AC5 Source Document Retention
Procedures are in place to ensure original source documents are retained or are reproducible by the organisation for an adequate amount of time to facilitate retrieval or reconstruction of data as well as to satisfy legal requirements.

Data Input Controls

AC6 Data Input Authorisation Procedures
Procedures ensure that only authorised staff members perform data input.

AC7 Accuracy, Completeness and Authorisation Checks
Transaction data entered for processing (people-generated, system-generated or interfaced inputs) are subject to a variety of controls to check for accuracy, completeness and validity. Procedures also assure that input data are validated and edited as close to the point of origination as possible.

AC8 Data Input Error Handling
Procedures for the correction and resubmission of data that were erroneously input are in place and followed.
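The input-stage controls AC7 and AC8 can be made concrete in code. The following is an added example, not part of the original post or of COBIT itself: each incoming transaction record is checked for completeness (required fields present), accuracy (format and range of each field) and validity (references to master data, originator authorised for input), and records that fail are returned with their error list so they can be corrected and resubmitted rather than silently dropped. The field names, master data and sample batch are constructed for illustration.

```python
"""Input controls (AC7 accuracy/completeness/validity checks, AC8 error
handling) as an added example. All field names, master data and sample
records are constructed for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import re

# Constructed master data: known account codes and users authorised to input.
VALID_ACCOUNTS = {"1000", "2000", "4010"}
AUTHORISED_INPUT_USERS = {"clerk01", "clerk02"}
REQUIRED_FIELDS = ("txn_id", "account", "amount", "date", "entered_by")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TXN_ID_RE = re.compile(r"^T\d{6}$")
MAX_AMOUNT = Decimal("100000.00")


@dataclass
class ValidationResult:
    record: dict
    errors: list = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return not self.errors


def validate_record(rec: dict) -> ValidationResult:
    """Apply completeness, accuracy and validity checks to one record."""
    result = ValidationResult(record=rec)
    # Completeness: every required field present and non-empty.
    for f in REQUIRED_FIELDS:
        if not rec.get(f):
            result.errors.append(f"missing field: {f}")
    if result.errors:
        return result  # absent fields cannot be format-checked

    # Accuracy: syntactic format and range checks.
    if not TXN_ID_RE.match(rec["txn_id"]):
        result.errors.append("txn_id format invalid")
    if not DATE_RE.match(rec["date"]):
        result.errors.append("date format invalid")
    try:
        amount = Decimal(rec["amount"])
        if amount <= 0 or amount > MAX_AMOUNT:
            result.errors.append("amount out of range")
    except InvalidOperation:
        result.errors.append("amount not numeric")

    # Validity: references to master data and an authorised originator.
    if rec["account"] not in VALID_ACCOUNTS:
        result.errors.append("unknown account")
    if rec["entered_by"] not in AUTHORISED_INPUT_USERS:
        result.errors.append("originator not authorised for input")
    return result


def process_input_batch(records):
    """Split a batch into accepted records and rejected ones for resubmission.

    Returns (accepted, rejected); each rejected entry keeps its error list so
    the correction and resubmission procedure (AC8) has what it needs.
    """
    accepted, rejected = [], []
    for rec in records:
        res = validate_record(rec)
        (accepted if res.accepted else rejected).append(res)
    return accepted, rejected


# Constructed sample batch: two good records and three that each fail a check.
SAMPLE_BATCH = [
    {"txn_id": "T000001", "account": "1000", "amount": "250.00",
     "date": "2006-10-01", "entered_by": "clerk01"},
    {"txn_id": "T000002", "account": "4010", "amount": "19.99",
     "date": "2006-10-01", "entered_by": "clerk02"},
    {"txn_id": "T000003", "account": "1000", "amount": "abc",
     "date": "2006-10-01", "entered_by": "clerk01"},      # accuracy failure
    {"txn_id": "T000004", "account": "9999", "amount": "10.00",
     "date": "2006-10-01", "entered_by": "intern"},       # two validity failures
    {"txn_id": "T000005", "account": "2000", "amount": "",
     "date": "2006-10-01", "entered_by": "clerk01"},      # completeness failure
]

if __name__ == "__main__":
    ok, bad = process_input_batch(SAMPLE_BATCH)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for r in bad:
        print(r.record["txn_id"], r.errors)
```

The point of keeping the rejected records together with their errors is AC8: the erroneous input is corrected and resubmitted through the same checks, so nothing enters processing that did not pass them.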

Data Processing Controls

AC9 Data Processing Integrity
Procedures for processing data ensure that separation of duties is maintained and work performed is routinely verified. The procedures ensure that adequate update controls such as run-to-run control totals and master file update controls are in place.

AC10 Data Processing Validation and Editing
Procedures ensure that data processing validation, authentication and editing are performed as close to the point of origination as possible. Individuals approve vital decisions that are based on artificial intelligence systems.

AC11 Data Processing Error Handling
Data processing error-handling procedures enable erroneous transactions to be identified without being processed and without undue disruption of the processing of other valid transactions.

Data Output Controls

AC12 Output Handling and Retention
Handling and retention of output from IT applications follow defined procedures and consider privacy and security requirements.

AC13 Output Distribution
Procedures for the distribution of IT output are defined, communicated and followed.

AC14 Output Balancing and Reconciliation
Output is routinely balanced to the relevant control totals. Audit trails facilitate the tracing of transaction processing and the reconciliation of disrupted data.
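Run-to-run control totals (AC9), isolation of erroneous transactions (AC11) and output balancing with an audit trail (AC14) are one mechanism seen at three points, so a single added example serves all three. This is not code from the original post or from COBIT: a batch header carries control totals (record count, amount total and a hash total of account codes) computed at input; the processing run recomputes them on what it actually received, posts the batch while diverting any transaction that breaks a processing rule to a suspense list instead of aborting the run, and finally balances posted plus suspended items back to the input totals, logging each comparison. The ledger rule, party data and sample batch are constructed.

```python
"""Processing and output controls (AC9 run-to-run totals, AC11 error
isolation, AC14 output balancing) as an added example. Opening balances,
transactions, the posting rule and the batch header are constructed."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class ControlTotals:
    """Batch control figures carried from one run to the next."""
    count: int
    amount: Decimal
    hash_total: int  # sum of numeric account codes: meaningless, but checkable

    @classmethod
    def compute(cls, txns):
        return cls(
            count=len(txns),
            amount=sum((Decimal(t["amount"]) for t in txns), Decimal("0")),
            hash_total=sum(int(t["account"]) for t in txns),
        )

    def __add__(self, other):
        return ControlTotals(self.count + other.count,
                             self.amount + other.amount,
                             self.hash_total + other.hash_total)


class ControlTotalMismatch(Exception):
    pass


def check_run_to_run(step, expected, actual, audit):
    """Totals handed over from the previous step must equal those recomputed now."""
    audit.append(f"{step}: expected {expected} actual {actual}")
    if expected != actual:
        raise ControlTotalMismatch(f"{step}: control totals do not agree")


def post_to_ledger(txns, opening_balances):
    """Apply transactions; one that breaks a rule goes to suspense, the run continues."""
    balances = dict(opening_balances)
    posted, suspense = [], []
    for t in txns:
        amt = Decimal(t["amount"])
        current = balances.get(t["account"], Decimal("0"))
        # Constructed processing rule: an account may not be driven below zero.
        if current + amt < 0:
            suspense.append({**t, "reason": "would overdraw account"})
            continue
        balances[t["account"]] = current + amt
        posted.append(t)
    return balances, posted, suspense


def run_batch(batch_header, txns, opening_balances):
    """Run a batch with run-to-run totals, error isolation and output balancing."""
    audit = []
    # Input -> processing: the header's totals must match what actually arrived.
    received = ControlTotals.compute(txns)
    check_run_to_run("input->processing", batch_header, received, audit)
    # Processing: erroneous transactions are isolated, not fatal to the run.
    balances, posted, suspense = post_to_ledger(txns, opening_balances)
    # Processing -> output: posted plus suspended must balance to the input totals.
    produced = ControlTotals.compute(posted) + ControlTotals.compute(suspense)
    check_run_to_run("processing->output", received, produced, audit)
    audit.append(f"posted {len(posted)}, suspended {len(suspense)}")
    return balances, suspense, audit


def batch_balances(batch_header, txns, opening_balances):
    """True when every run-to-run check passes; False when a mismatch is detected."""
    try:
        run_batch(batch_header, txns, opening_balances)
        return True
    except ControlTotalMismatch:
        return False


# Constructed sample: opening balances, three transactions and a batch header
# whose totals were computed at the input stage.
OPENING = {"1000": Decimal("100.00"), "2000": Decimal("0.00")}
TXNS = [
    {"txn_id": "T000001", "account": "1000", "amount": "-50.00"},
    {"txn_id": "T000002", "account": "2000", "amount": "-10.00"},  # will overdraw
    {"txn_id": "T000003", "account": "1000", "amount": "25.50"},
]
HEADER = ControlTotals(count=3, amount=Decimal("-34.50"), hash_total=4000)

if __name__ == "__main__":
    balances, suspense, audit = run_batch(HEADER, TXNS, OPENING)
    print(balances, suspense)
    print("\n".join(audit))
```

The suspense list is what makes the output balance: a transaction that could not be posted still has to be accounted for somewhere, otherwise the output totals drift from the input totals and the mismatch cannot be told apart from a lost or duplicated record. A header whose totals disagree with the received batch stops the run before posting, which is the run-to-run check doing its job.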

AC15 Output Review and Error Handling
Procedures assure that the provider and relevant users review the accuracy of output reports. Procedures are also in place for identification and handling of errors contained in the output.

AC16 Security Provision for Output Reports
Procedures are in place to assure that the security of output reports is maintained for those awaiting distribution as well as those already distributed to users.

Boundary Controls

AC17 Authenticity and Integrity
The authenticity and integrity of information originated outside the organisation, whether received by telephone, voice mail, paper document, fax or e-mail, are appropriately checked before potentially critical action is taken.

AC18 Protection of Sensitive Information During Transmission and Transport
Adequate protection against unauthorised access, modification and misaddressing of sensitive information is provided during transmission and transport.
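AC17 and AC18 together ask that information arriving from outside the organisation be checked for authenticity and integrity, and be protected against modification and misaddressing in transit. The following added example (not from the original post or from COBIT) shows one way to do that for an electronic message: the sender, intended recipient, timestamp and body are wrapped in an envelope authenticated with an HMAC under a key shared with that counterparty, and the receiver verifies the tag in constant time, confirms the envelope is addressed to it, and checks freshness before the body is acted on. Party names, keys and the sample message are constructed; confidentiality in transit (for example TLS) is a separate control not shown here.

```python
"""Boundary controls (AC17 authenticity/integrity, AC18 protection against
modification and misaddressing in transit) as an added example. Party
identifiers, the shared key and the sample message are constructed."""
import hashlib
import hmac
import json
import time

# Constructed shared secrets, one per external counterparty.
COUNTERPARTY_KEYS = {"supplier-a": b"constructed-shared-secret-for-supplier-a"}
OUR_PARTY_ID = "acme-payables"
MAX_AGE_SECONDS = 300


def _canonical(sender, recipient, issued_at, body):
    """Stable serialisation so both sides MAC exactly the same bytes."""
    return json.dumps({"sender": sender, "recipient": recipient,
                       "issued_at": issued_at, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()


def seal(sender, recipient, body, key, issued_at=None):
    """Sender side: build an envelope whose addressing and body are authenticated."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    tag = hmac.new(key, _canonical(sender, recipient, issued_at, body),
                   hashlib.sha256).hexdigest()
    return {"sender": sender, "recipient": recipient,
            "issued_at": issued_at, "body": body, "mac": tag}


class BoundaryCheckFailed(Exception):
    pass


def verify_and_open(envelope, now=None):
    """Receiver side: return the body only if authenticity, addressing and
    freshness all check out; otherwise raise before anything acts on it."""
    now = int(time.time()) if now is None else now
    key = COUNTERPARTY_KEYS.get(envelope.get("sender"))
    if key is None:
        raise BoundaryCheckFailed("unknown sender")
    expected = hmac.new(key, _canonical(envelope["sender"], envelope["recipient"],
                                        envelope["issued_at"], envelope["body"]),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; any change to sender, recipient, time or body
    # changes the expected tag, so modification in transit is caught here.
    if not hmac.compare_digest(expected, envelope.get("mac", "")):
        raise BoundaryCheckFailed("integrity/authenticity check failed")
    # Misaddressing: the recipient is inside the authenticated data, so a
    # message sealed for another party cannot be replayed to us.
    if envelope["recipient"] != OUR_PARTY_ID:
        raise BoundaryCheckFailed("envelope not addressed to us")
    if not (0 <= now - envelope["issued_at"] <= MAX_AGE_SECONDS):
        raise BoundaryCheckFailed("stale or future-dated envelope")
    return envelope["body"]


def open_or_none(envelope, now=None):
    """Convenience wrapper: the body on success, None on any boundary failure."""
    try:
        return verify_and_open(envelope, now)
    except BoundaryCheckFailed:
        return None


# Constructed sample exchange.
SAMPLE_BODY = {"invoice": "INV-1", "amount": "100.00"}
SAMPLE_ENVELOPE = seal("supplier-a", OUR_PARTY_ID, SAMPLE_BODY,
                       COUNTERPARTY_KEYS["supplier-a"], issued_at=1_000_000)

if __name__ == "__main__":
    print(open_or_none(SAMPLE_ENVELOPE, now=1_000_100))
    tampered = dict(SAMPLE_ENVELOPE, body={"invoice": "INV-1", "amount": "900.00"})
    print(open_or_none(tampered, now=1_000_100))
```

Putting the recipient inside the authenticated data is the part that addresses AC18's misaddressing concern: a valid envelope sealed for a different party fails verification here even though its tag is genuine. The same structure works with a digital signature in place of the HMAC when the counterparty should not hold a symmetric key.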
