Applications are software programs that facilitate an organization’s key business processes, including finance, human resources, case management, licensing, and billing. Applications also enable entities to perform important functions that are unique and essential to them. Applications may affect stakeholders, including the public, if the application and related processes are not managed appropriately.
IT Application Controls (ITAC) are controls that relate to specific computer software applications and individual transactions. For example, a company would usually restrict which personnel are authorized to access its general ledger to revise its chart of accounts, post or approve journal entries, etc. To enact this policy and restrict access, the general ledger software package must provide the necessary functionality. Furthermore, assuming the functionality exists, does the company have a policy in place, and is there evidence that the general ledger authorizations align with the policy? Controls around application access are obviously very important and need to be reviewed closely as part of the certification process.
The literature and regulations pertaining to the review and testing of IT Application controls by auditors and management address 3 types of application controls: Input Controls (transactions captured, accurately recorded, and properly authorized), Processing Controls (transaction processing has been performed as intended), and Output Controls (accuracy of processing result). These control tests are typically performed when a new system has been implemented. Afterward, once the controls have been confirmed to be operating effectively, for purposes of expediency, the focus tends to be on the “key” controls, such as who has system access to make changes to the various applications and whether the policies are being followed.
Each year we review a selection of important applications that entities rely on to deliver services. We focus on the key controls that ensure data is complete, accurately captured, processed, and maintained. Failings or weaknesses in these controls have the potential to affect other organizations and the public. Impacts range from delays in service and loss of information to possible fraudulent activity and financial loss.