• Application controls

Application controls are specific to individual

applications.
Thus, application controls are designed to
prevent, detect, and correct errors in
transactions as they flow through the input,
processing, and output stages of work.
Application controls are classified as input
controls, processing controls, and output
controls.
Application controls focus on the following
objectives:
1) Input completeness and updating
completeness.
2) Input accuracy and updating accuracy.
4) Data is processed in a timely manner.
5) Data files are accurate, complete, and
current.
6) Output is accurate and complete.
Application controls are classified as input
controls, processing controls, and output
controls.
Input Controls
Input controls can also provide some
assurance that items of data have not been
lost, suppressed, added, or changed in some
manner.
Most errors in systems result from input errors
Input controls are divided into three
classifications
The three classifications are:
1) Data observation and recording
2) Data transcription
3) Edit tests.
1.Data Observation and Recording
• Dual observation means more than one
employee sees the input documents.
• Feedback mechanisms are manual systems
that attest to the accuracy of a document. For
instance, a sales person might ask a customer
to confirm an order with a signature.
• Point-of-sale devices such as bar codes that
are scanned can decrease input errors
substantially.
• Preprinted forms such as receipt.
• Batch control totals should be used in the
input phase for transactions grouped in
batches to track input as it travels from place
to place before it reaches the computer, to
make sure no input is lost.
such as total sales revenue in a batch of
billings. Batch control totals are used to
ensure that all input is processed correctly by
the computer.
2.Data Transcription.
Data transcription is the preparation of the
data for processing.
A preformatted input screen can assist in the
transcription process. For example, a date
field to be filled in would be presented
onscreen as __/__/____.
Format checks are used to verify that each
item of data is entered in the proper mode:
numeric data in a numeric field, a date in a
date field, and so forth.
3.Edit Tests
Edit programe or Input validation routines are
used to check the validity and accuracy of
input data.
Edit tests include:
• Completeness, or field, checks, which ensure
that input has been entered into all required
fields and that the input is in the proper
format. For example, a field check would not
permit numbers to be input into a field for a
person’s name.
• Limit checks. For example, the number of
days worked in a week cannot exceed seven.
• Validity checks, which match the input data
to an acceptable set of values.
• Check digits, which determine whether a
number has been transcribed properly.
A check digit is a number that is a part of an
account or other type of number.
If a digit in the account number is keyed in
incorrectly, the check digit will be incorrect,
and the system will generate an error message
and refuse to accept the input.
 Check digits are commonly used in credit card
account and bank account numbers, and they
are especially helpful in detecting
transposition errors.
If an operator keys in a number incorrectly,
the operator will get an error message such as
“invalid account number.”
It helps to catch errors at the point of data
entry.
• Key verification, or keystroke verification, is
the process of inputting the information twice
and comparing the two results. Key
verification is often used when changing a
password.
• Format checks check whether the input has
been entered in the proper mode and within
the proper fields.
• Numerical checks assure that numeric fields
are used only for numeric data.
• Hash totals are another type of control total.
Hash totals are totals of nonmonetary
information. For example, if a batch contains
data on receipts from accounts receivable
customers, the sum of all the customers’
account numbers might be computed to
create a hash total. The sum is, of course,
useful only for control purposes.
Hash totals are a method of validating the
input of data.
2.Processing Controls
Processing controls are controls designed to
provide reasonable assurance that processing
has occurred properly and that no transactions
have been lost or incorrectly added.
Processing controls fall into two
classifications:
1) Data access controls - processing controls at
the time of data access
 2) Data manipulation controls - controls
involving data manipulation later in the
processing.
Note:-
1.parity checks are hardware controls, a type
of general control, not an application control.
Parity checks are used to detect alteration of
bits within bytes during processing caused by
equipment malfunctions.
2.The transaction log is also important as a
backup measure. Copies of all transaction data
are stored as a transaction log as the data are
entered into the system. Should the master
file be destroyed during processing, computer
operations will roll back to the most recent
backup, and recovery takes place by
reprocessing the data transaction log against
the backup copy.
completeness test would not let the
processing proceed if an item is not complete.
3.Output Controls
Output controls are used to provide
reasonable assurance that input and
processing have resulted in valid output.
Output controls consist of:
• Validating processing results
• Controls over printed output Validating
Processing Result.
Validating Processing Results
Output totals should be reconciled with input
and processing totals.
A suspense account is used as a control total
for items awaiting further processing.
A discrepancy report is a listing of items that
have violated some detective control and
need to be investigated.
Upstream resubmission is the resubmission of
corrected error transactions as if they were
new transactions.
Printed Output Controls.
Forms control, such as physical control over
company blank checks, is one type of printed
output control. Checks should be kept under
lock and key, and only authorized persons
should be permitted access.
Any form should be pre-numbered
Confidential reports should be shredded when
they are no longer needed.
Controls Classified as Preventive, Detective
and Corrective
Information system controls can be classified
as preventive, detective, and corrective.
• Preventive controls prevent errors and fraud
before they occur.
• Detective controls uncover errors and fraud
after they have occurred.
• Corrective controls are used to correct
errors.
Controls Classified as Feedback& Feedforward
• Feedback controls produce feedback that
can be monitored and evaluated to determine
if the system is functioning as it is supposed
to.
A feedback loop is a part of a control system.
It uses feedback to measure differences
between the actual output and the desired
output.
• A feedforward control system may be used
in addition to the feedback loop to provide
better controls. A feedforward system
attempts to predict when problems and
deviations will occur before they actually
occur.
Assessing Controls by Means of Flowcharts
A flowchart is a diagram that creates a visual
representation of processes or events.
System and Program Development and
Change Controls
1) Statement of Objectives.
2) Investigation and Feasibility Study of
Alternative Solutions
3) Systems Analysis.
4) Conceptual Design.
5) Physical Design.
6) Development and Testing.
7) System Implementation and Conversion.
8) Operations and Maintenance.
Business Continuity Planning.
Business continuity planning involves defining
the risks facing a company in the event of a
disaster.
The primary objective of a disaster recovery
plan is to minimize the effects of a disaster on
business operations and productivity.
It include backup of data and the recovery of
data.
Several different processes and backup plans
function as part of the backup and recovery
plan.
• Program files, as well as data files, should be
backed up regularly.
• Copies of all transaction data are stored as a
transaction log as they are entered into the
system.
• Data backups should be tested regularly to
verify that the backups are complete.
• Backup data can be transmitted
electronically to the backup site through a
process called electronic vaulting, or backing
up to the cloud.
• Computers should be on Uninterruptible
Power Supplies (UPS) to provide some
protection in the event of a power failure.
• Grandparent-parent-child processing is used
because of the risk of losing data before,
during or after processing work. Data files
from previous periods are retained and if a file
is damaged during updating, the previous data
files can be used to reconstruct a new current
file.
Disaster Recovery
Not many firms could survive for long without
computing facilities. Therefore, an
organization should have a formal disaster
recovery plan to fall back on in the event of a
hurricane, fire, earthquake, flood, or criminal
or terrorist act.
A disaster recovery site may be a hot site, a
cold site, a warm site, or a mobile site.
1. A hot site, or a mirrored data center, is a
backup facility that has a computer system
similar to the one used regularly. The hot site
must be fully operational and immediately
available, with all necessary
telecommunications hookups for online
processing.
2.A cold site is a facility where space, electric
power, and heating and air conditioning are
available and processing equipment can be
installed, though the equipment and the
necessary telecommunications are not
immediately available.
3.A warm site is in between a hot site and a
cold site. It has the computer equipment and
necessary data and communications links
installed, just as a hot site does.
4.A mobile site is a disaster recovery site on
wheels. It can be a hot site, a warm site, or a
cold site.
Note:-
Storing of all files in one location is the
most compromise the use of backups as
protection against loss or damage of master
files.
Testing business continuity plans gives a
company confidence that business operations
should resume quickly in the event of a
disaster.
Contingency planning is a management
activity which is essential to ensure continuity
of operations in the event a disaster impairs
information systems processing.
A disaster recovery plan specifies:
1) Which employees will participate in disaster
recovery.
2)The priority of the services that need to be
restored.
3) What facilities will be used in the course of
recovery.
Note:-
1.The operating system should be restored
first, because without the operating system,
none of the other applications can be run.
2.A crucial aspect of recovery planning for the
company is ensuring that organizational and
operational changes are incorporated in the
plans because such changes have the potential
to make the recovery plans inapplicable.