Madan Mohan
Organisations around the world have spent huge sums of money in implementing and upgrading business application and systems for various reasons, to meet current and future business requirements. Technology is not only an enabler but also a key business driver in the past decade.
It is necessary for an organisation to understand how the applications are configured, what roles are set, and who manages these applications. This is essential to govern the data within these applications appropriately and to make an informed decision. An application controls reviews examines and evaluates several data input, processing, and output controls. Typically, the more complex the structure/ configuration of the application is, the more risks it poses, which can result in operational and financial losses.
Application controls are those controls that pertain to the scope of individual processes or application systems in use. Application systems range from very small to Enterprise Resource Planning (ERP) systems. Our IT Auditors assess application controls which include: Inherent controls, Configurable controls, Security controls (Such as user access, segregation of duties controls), Reporting controls, Workflow controls and automated computations and Validation checks. These automated controls are designed to protect the confidentiality, integrity, availability of the business-critical data stored in these applications.
According to “Control Objectives for Information and related Technology (COBIT)”:
“At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.”
Our team will follow the below approach to review the application controls: