Application controls refer to controls over the processing of transactions and data within an application and are, therefore, specific to each application. The objectives of application controls, which may be manual or automated, are to ensure the accuracy, integrity, reliability and confidentiality of the records and the validity of the entries made therein, resulting from both manual and programmed processing.

Organizations are highly dependent on automated processing of information by a host of applications that are the foundation for the preparation of financial statements.

Virtually every aspect of day-to-day business activity is dependent on timely, accurate and reliable information—information that is generated, processed, accumulated, stored and reported by automated information systems. Customers, suppliers, employees, line management, middle management, the C-suite, board of directors, shareholders and all other stakeholders make decisions based on the information they receive—information whose integrity and reliability depend almost exclusively on the application systems and surrounding control processes that are used to process the information. These decisions can be only as good as the quality of the information that supports the decision making. Inadequate controls that are embedded within an application would highly likely result in the misstatement of financial results. Appendix C provides more detailed examples of automated application controls.

Application controls are those policies, procedures and activities that are designed to provide reasonable assurance of achievement of objectives relevant to given automated solutions.

Application Controls Overview

Application controls are a subset of internal controls that relate to an application system and the information that is managed by that application. Timely, accurate and reliable information is critical to enable informed decision making. The timeliness, accuracy and reliability of the information are dependent on the underlying application systems that are used to generate, process, store and report the information. Application controls are those controls that achieve the business objectives of timely, accurate and reliable information. They consist of the manual and automated activities that ensure that information conforms to certain criteria—which COBIT 5 refers to as business requirements for information.

Management is also accountable for the reliability of the information that the enterprise generates and provides to stakeholders and as part of any compliance requirement. Ensuring that the necessary application controls are in place to mitigate key risk factors, including fraud risk, and are operating with sufficient effectiveness to provide reliable information is a management responsibility. A number of parties share the obligation for the design, implementation, monitoring and maintenance of application controls. These parties include operational business management, human resource management, and finance and IT management.

This page focuses on application controls related to all types of systems to meet the requirements of SOX compliance. The objective is to provide guidance relative to the design, implementation and execution of control activities related to information systems—no matter what type—because each type provides critical information that supports key decisions.

Common examples of application controls include the following:

• Logical access controls (i.e., those that limit access to application functionality)

• Configurable controls (e.g., credit value limits). These are controls that can be parameterized.

• Data entry/field validations (e.g., validation of entered credit card numbers)

• Business rules

• Work flow rules (e.g., routing and sign-off of purchase requests)

• Field entries being enforced based on predefined values (e.g., pricing information)

• Work steps being enforced based on predefined status transitions (e.g., open > reviewed > closed)

• Reconciliations (manual or hybrid)

• Review and follow-up of application-generated exception reports

• Automated activity logs

• Automated calculations

• Management and audit trails (manual and hybrid application controls)

Business Processes and Automated Solutions

Business management (i.e., the business process owner) is responsible for defining the appropriate business rules to ensure achievement of the enterprise’s objectives and the requirements for business processes. Automated tasks and activities are a significant, integral component of most business processes. Business and IT should work together to design the business processes, which cover both manual procedures and automated solutions in a properly integrated manner.

IT management is typically responsible for implementing the automated solutions that enable achievement of management’s business rules and objectives and for providing an environment for the reliable operation of those automated solutions.

Business management has overall responsibility for operating the entire business process, including the operation of manual and automated controls.

Implemented automated solutions will typically take one of the following two forms:

• Management information systems—These solutions automate the collection and processing of information that is related to the execution and financial aspects of the enterprise core activities, but are also related to the collection and processing of information about enterprise processes, resources and customers. Common examples include integrated ERP systems that automate the collection and processing of financial information.

• Process automation systems—These solutions automate specific activities within a process; for example, executive information systems/decision support systems (EIS/DSS) used to support business decision making.

Defining Application Controls

For the purposes of this publication, applications consist of the programmed logic and automated business rules that are used to process information. The term “application” or “automated solution” is used in its generic sense—programmed logic and business rules can exist within specific “modules,” collections of modules can comprise an “application” and a collection of applications and related procedures can comprise a “system.”

The effectiveness of application controls is an important business objective—ensuring the integrity and reliability of information that is used by management to make key decisions about the business and, increasingly, to meet compliance requirements, including SOX. While these concepts may be relatively well understood by auditors and control specialists, they may not be so well understood by business and IT management. An objective of this chapter is to help management grasp these concepts because management needs to define the controls requirements, approve their design and ensure their reliable operation.

For any discussion of controls, it is important to incorporate risk concepts and the need for management to be involved in the decisions that are related to the control activities that are necessary to reduce risk to an acceptable level.

Attributes of Application Controls

Manual/automated/hybrid/configurable application controls are defined as follows:

• Business process controls—Control activities performed without the assistance of applications or automated systems. Examples include supervisory controls; written authorizations, such as a signature on a check; or manual tasks, such as reconciling purchase orders to goods receipt statements. Manual controls are subject to the inherent risk of human error and, as a result, are often considered less reliable than automated controls.

• Automated application controls—Controls that can be programmed and embedded within an application. Examples include input edit checks that validate order quantities and check digits that validate the correctness of bank account numbers.

• Hybrid controls—Controls that consist of a combination of manual and automated activities, all of which must operate for the control to be effective. For example, the order fulfillment process might include a control whereby the shipping manager reviews a report of unshipped orders. Both the automated activity (generation of a complete and accurate unshipped orders report) and the manual activity (review and follow-up by management) are necessary for this control to be effective. Care must be taken to ensure that hybrid or computer-dependent controls are not inappropriately identified as being manual controls. Because all parts of a hybrid control must be effective, incorrectly identifying such a control creates a significant risk that key elements of the true control are not considered as part of the overall design effectiveness. For example, if the review of the unshipped orders report in the previous example was incorrectly identified as a manual control, there is a risk that the design of controls to ensure the completeness and accuracy of the unshipped orders report may be overlooked.

• Configurable controls—Typically, automated controls that are based on and, therefore, dependent on the configuration of parameters within the application system. For example, a control in automated purchasing systems that allows orders only up to preconfigured authorization limits is dependent on controls over changes to those configurable authorization limits. Most of the current commercial and in-house developed application systems are heavily dependent on the configuration of various parameter tables. In these cases, it may be appropriate to consider the design of controls over the configuration tables as a separate element of the control design.

Preventive/detective application controls are defined as follows:

• Preventive application controls—These controls prevent an error from occurring (based on predefined business logic or business rules) and are typically executed at the transaction level, before an action is performed or confirmed. An example of a preventive application control is an input validation control in a human resources (HR) application, which blocks the user when entering a new employee without specifying a valid bank account number for salary payment.

• Detective application controls—These controls detect errors based on predefined logic or business rules. These controls usually execute after an action has taken place and often cover a group of transactions. An example is a periodic exception report that is generated by the purchasing application that lists critical changes that have been performed to the supplier master file (e.g., changes to supplier bank account numbers).

Preventive controls are typically more efficient and effective, especially when detecting and correcting an error can result in significant incremental costs. Preventive controls may also be easier to automate than detective controls. Detective controls often involve manual review activities. Effective control design should consider a reasonable balance of preventive and detective controls.
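As an added illustration of the preventive, configurable and detective controls described above (example code written for this page, not from the publication): the preventive check uses an IBAN mod-97 check digit as one concrete form of the bank account check digit the text mentions, the authorization limit is a constructed parameter table, and the detective exception report runs over a constructed supplier-master change log.

```python
# Added example: preventive vs. detective application controls.
# Assumptions (not from the text): the check digit is an IBAN mod-97 check
# (ISO 13616); limits, roles and the change-log records are constructed.

# Configurable control: a parameter table the preventive check depends on.
# Changes to this table need their own change control.
AUTH_LIMITS = {"buyer": 5_000, "manager": 50_000}


def iban_is_valid(iban: str) -> bool:
    """Mod-97 check digit: move the first 4 chars to the end, map A-Z to 10-35,
    and the resulting integer must be congruent to 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if not (15 <= len(s) <= 34) or not s[:2].isalpha() or not s.isalnum():
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def validate_new_employee(name: str, iban: str) -> list[str]:
    """Preventive control: refuse the record before it is saved.
    Returns validation errors; an empty list means the entry is accepted."""
    errors = []
    if not name.strip():
        errors.append("name is required")
    if not iban_is_valid(iban):
        errors.append("bank account number failed check-digit validation")
    return errors


def authorize_order(role: str, amount: float) -> bool:
    """Preventive, configurable control: an order may not exceed the role's limit."""
    return 0 < amount <= AUTH_LIMITS.get(role, 0)


# Constructed supplier-master change log: (when, user, supplier, field, old, new)
CHANGE_LOG = [
    ("2024-03-01T09:12", "jdoe", "S1001", "address", "1 Main St", "2 High St"),
    ("2024-03-01T14:40", "jdoe", "S1001", "bank_account", "DE89...", "GB82..."),
    ("2024-03-02T08:05", "asmith", "S2042", "bank_account", "FR76...", "NL91..."),
    ("2024-03-02T10:30", "asmith", "S2042", "phone", "555-0100", "555-0199"),
]
CRITICAL_FIELDS = {"bank_account"}


def exception_report(log=CHANGE_LOG, critical=CRITICAL_FIELDS) -> list[dict]:
    """Detective control: list critical changes in a batch for management review."""
    return [{"when": t, "by": u, "supplier": s, "field": f, "old": o, "new": n}
            for (t, u, s, f, o, n) in log if f in critical]
```

The preventive functions run per transaction before the record is committed; the exception report runs afterwards over a group of transactions and still depends on a manual review to be an effective control.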

Application Control Objectives

As noted previously, application controls seek to provide reasonable assurance of achievement of management’s objectives relative to a given application.

Management’s objectives are typically articulated through the definition of specific functional requirements for the solution, the definition of business rules for information processing and the definition of supporting manual procedures. Examples include the following:

• Completeness—The application processes all transactions, and the resulting information is complete.

• Accuracy—All transactions are processed accurately and as intended, and the resulting information is accurate.

• Validity—Only valid transactions are processed, and the resulting information is valid.

• Authorization—Only appropriately authorized transactions have been processed.

• Segregation of duties—The application provides for and supports appropriate segregation of duties and responsibilities as defined by management.

There is a need to establish and document an application baseline that identifies key application controls, programmed functions and reports that are relied on to ensure completeness, accuracy, timeliness, proper processing and the reporting of transactions. This is a PCAOB AS 5 requirement according to paragraphs B28, B32 and B33 (chapter 2 introduces this concept).

To satisfy business objectives, information needs to satisfy certain criteria that COBIT 5 refers to as the business requirements for information, which is named information criteria in COBIT 4.1. Information is the fifth enabler in COBIT 5 and contains certain information requirements and enabler goals:

• The effectiveness of information corresponds to the following quality information goals:

– Appropriateness, relevance, understandability, interpretability and objectivity

• The efficiency of information refers to the process of obtaining and using information, and this takes into consideration the following information goals:

– Believability, accessibility, ease of manipulation and reputation

• Does the information have integrity? Is it free from error and complete? It corresponds to the following information goals:

– Accuracy and completeness

• Is the information credible and reliable? Compared to integrity, this is more subjective. It corresponds to the following information quality goals:

– Believability, reputation and objectivity

• Is it available? This corresponds to:

– Ac