This document discusses application control frameworks, which include controls related to individual business processes and applications. It outlines the objectives of application controls as ensuring accurate, complete, authorized, and timely input, processing, storage and output of data. The document then describes various types of application controls like input, processing, output, integrity and management trail controls. It provides details on input control components, data input design, output controls, database controls, processing controls, testing controls and data code control.

1. INFORMATION SYSTEM
AUDIT-II
CHP 1. APPLICATION CONTROL FRAMEWORK
MR JAYANT DALVI

2. APPLICATION CONTROL FRAMEWORK
• controls related to individual business process or application systems
which includes data edits, segregation of business functions,
transaction maintenance and error reporting
• objectives:
1) Input data is accurate, complete, authorized and correct
2) Data should be processed in accurate time.
3) Data should be stored accurately and completely
4) Outputs should be accurate and complete
5) A record should be maintained to track process of data from input to
output and storage

3. TYPES OF APPLICATION CONTROLS
• Input Controls: used to check data integrity
• Processing Controls: to ensure processing is complete, accurate and
authorized
• Output Controls: to compare output results with predicted results by
checking output with input
• Integrity Controls: to ensure data processing and storing it to remain
consistend and correct
• Management Trail: enables mgmt to identify transactions and events
by tracking them from source to output and vice versa

4. 1) INPUT CONTROLS
• are designed to provide reasonable assurance that input data forwarding for
processing should be complete, proper, authorized, accurate and translated
into machine readable form.
• Classes of Input Controls:
1) Source Document Control: controls in system uses source documents and
periodically audit source document
2) Data Coding Control: checks on data integrity during processing
3) Batch Controls: handles large volume of transaction data
4) Validation Controls: detect errors in data before processing
5) Input Error Correction: to ensure immediate correction to be done before
processing data

5. Types of Input Control
• Limit Check: used to identify field values that exceeds preset limit ensure
only data within limit should be entered into and accepted by system
• Range check: accept input between lower and upper limits
• Numeric check: ensure only numbers should be entered.
• Alphabetic check: ensure only alphabets should be entered
• Validity check: compare entered field value with preset value
• Field check: ensure data entered should be in field format
• Password: ensure password enterd should be in given conditions
• Data check: no blank data should be entered
• Missing Data check: complete data should be entered
• Special character check: special characters(dashes between date, account
nos or phone nos) should be properly entered

6. Components of Input Control
• Control environment: provides discipline and structure for financial
reporting
• Risk Assessment: identify and analyse risks to achieve reporting objectives
• Control activities: policies, procedures and practices to ensure financial
reporting objectives are achieved and risk mitigation strategies are carried
out
• Information and Communication: communicate control responsibilities for
financial reporting to employees.
• Monitoring: employees monitors customised procedures or standard
checklists

7. Elements of Input Control Components
• Control Environment: organizational structure, delegation of authority, HR,
Ethical values, Accounting officer/authority participation
• Risk Assessment: Objective and risk identification, Risk evaluation and
response, fraud risk.
• Control activities: authorisation of transactions and segregation of duties,
information systems, physical controls, risk assessment, selection and
development of control activities.
• Information and communication: origin of information and processing,
internal control information and communication
• Monitoring: Ongoing monitoring, critical process evaluations, deficiency
reporting,

8. Data Input Design
Source Document Design: Guidelines
• Titles, Headings, Notes and Instructions,Fields, MCQs to questions,Tick
marks, Spaces for answer
Data-entry Screen Design: Guidelines
1) Screen Organization 2) fields(textboxes) should near or below caption
3) Caption Design: structure, size, font type, display density, format, alignment,
justification, spacing
4) Tabbing and Skipping: avoid automatic skipping and tabbing
5) Color: seperate areas on display, indicate changed status
6) Response Time: it is interval that elapses betn entry of data item and
systems indication it is ready to accept a new data item
7) Display rate: rate at which characters or images on screen
8) Prompting and Help: advice

9. 2) OUTPUT CONTROLS
• Determine content and ways, data to be presented to user
• they are designed to provide reasonable assurance that processing results are
accurate and distributed to authorized personnel only.
• Issues of Output control:
1) Inference control:
- used to prevent compromise of statistical database: user can only get statistics
not values of data
- restriction control: provide limited data to user
2) Batch Output production and distribution controls:
- provide output in batch to users and are controlled to ensure that accurate,
complete, timely output to provide to user
- control of it includes storage security, no access to unautorized users,

10. 3) Online Output Production and Distribution controls:
- ouput provided electronically for gaining access to system for user
-provide output to users and are controlled to ensure that accurate, complete,
timely output to provide to user
- Implementation of control: online output should be accurate, authorized and
complete, output should be distributed to proper network address, preserve
privacy of output transmitted, data checks by intended user,.
4) Audit Trails: For auditing following questions to be check-
What output was presented to user, Who received the output, when output
was received, what actions were subseqently taken with output,

11. 3) Database Controls
• controls security and integrity of database.
• while auditing the controls of database, auditor should check following
controls should be implemented and maintained to ensure database integrity
and availability:
- Definition standards and access controls
- Data backup and recovery procedures
- updation of database by authorised person
- handle concurrent access problems
- ensure accuracy, completeness and consistency of data and relationships
- checkpoints to minimize the loss and database reorganizations
- Monitor databse performance and capacity planning

12. • Database Security:
1) Access Control: only authorized person can access the database
2) Inference Control: prevent extraction of private information from publicly
available statistical databases
3) Flow Control: control the flow of data to authorized persons only.
4) Data encryption: encrypt the data for security purpose
Database Administrator is main central authority for managing database
systems.

13. 4) PROCESSING CONTROLS
- ensure that incoming data should be processed
- processing controls include Data validation, Editing procedures, Data file
control procedures
- Data validation is used to identify data errors, incomplete or missing data and
inconsistencies among related data items.
- Editing procedures are preventive controls designed to keep bad data out of
our database.
- Data validation edits and controls are: Sequence check, limit check, range and
validity check, reasonableness and existence check, table lookups, key
verification, check digit, completeness and duplicate check.
- Data file controls are: parity checking, transactions logs, file maintenance and
updating authorization

14. 5) Testing Controls
• controls to be tested: test of controls must be performed in audit of
financial statements, evidence is necessary to support audits control risk
assessment.
• Testing design effectiveness: auditor should test design effectiveness of
controls by determining satisfy company's control objectives and prevent or
detect error or faults.
• Testing operating effectiveness: determine whether control is operating as
designed and whether the person performing control possesses necessary
authority and competence to perform the contro effectively. It includes:
enquiry of appropriate personnel, observe company's operations, inspect
documentation and re-performance of control.
• Nature of test controls: provide appropriate evidence depends to large
degree on nature of control to be tested i.e enquiry, observation, inspection
of documentation, and reperformance of control.

15. • Extent of test of controls: affects frequency of performance of control,
length of time, expected rate of deviation, reliability of the audit, nature
of control during audit period.
• Timing of test controls: related to when evidence about operating
effectivness of controls is obtained and period of time to which it applies.
• Audit evidence obtained in past audit: factors to determine
nature and materiality of misstatements, inherent risk associated with
related account, changes in volume or nature of transactions, errored
accounts, competence of personnel, individual or automated performance,
complexity of control, planned degree of reliance

16. 6) DATA CODE CONTROL
• identity of person who was source of data and who entered the data into
system.
• time and date when data was captured.
• no of keying errors and read errors by scanning device.
• details of transaction
• updation of account or record
• identify physical device used to enter the data

17. 7) Communication Control
• establish requirements regarding designing and implementing appropriate
responses to risk of material misstatement.
• objective of auditor is to address the risks of material misstatement through
overall audit response and audit procedures
• types of audit responses:
1) responses that have overall effect on how the audit is conducted
2) responses involving the nature, timing and extent of audit procedures to be
performed

18. Advantages and Disadvantages of ACF
• Advantages:
1) Reliability
2) Benchmarking
3) Time and Cost Saving
Disadvantage:
1) low degree of assurance of audit with respect to cost benefit analysis
2) no guarantee of achievement of organizational and strategic
objectives