Computers, servers, laptops, tablets, smartphones — these are all hardware devices that have connectivity. However, they do nothing without software. Applications are what enable people to work with technology devices and allow them to connect and communicate with other devices.
Internal auditors need to be aware of what applications are being used when they audit a process. In fact, with the reliance being placed on applications in every business area, auditors are not performing a complete audit if they don’t address the controls within those applications.
Application controls encompass every feature and function of the application and will depend on what the business area does, what the application is, and how much the area relies on the application. To identify them, internal auditors must ask process owners: What are the primary objectives for this area? What tools are used to help meet those goals? What types of reviews are performed? These questions can help auditors narrow their focus to the key aspects of the application.
Having identified the key application processes, auditors need to identify the controls that are in place. The IIA’s Global Technology Audit Guide (GTAG) 8: Auditing Application Controls breaks down application controls into input, processing, output, storage, and monitoring. The responsibility for these controls is shared between the business and IT, so auditing them should be based on an integrated audit approach. This can be a team with finance, operations, and IT auditors, or it can be an auditor who is familiar with business and IT functions.
Auditors should identify all of the controls in the application so they can risk-rank them and prioritize their testing. A framework such as the one described in GTAG 8 can help guide this effort.
Controls such as “edit checks” are usually built into the application, but some input controls can be configurable, such as duplicate checks and access controls.
Built-in Controls Auditors may not have to test controls such as field definitions (users can’t substitute an “o” for a “0” in a numeric field) if they are considered low risk. If they do need to be tested, auditors only need to validate that the control exists and behaves as described: these controls are hard-coded in the software, so no change a user or administrator can make will alter them, and they change only when the software itself is changed or upgraded.
Configurable Controls When auditors look at configurable controls, they also need to look at the controls over the configuration. Who can make changes and how are they tested? Look into the configuration settings for the higher-risk controls. Which roles permit data entry versus only data view? Are there role combinations that are prohibited? These parameters are often defined in configuration files that can be viewed and modified.
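One way to review the role configuration described above is to pull the role-to-permission mapping and the user-to-role assignments out of the application and test them against the prohibited combinations. The following is an added example, not code from the article or from any particular application; the role names, permission names, users and segregation-of-duties rules are all constructed for illustration.

```python
# Hypothetical role definitions exported from an accounts-payable application:
# role -> set of permissions it grants. Constructed sample data, not a real export.
ROLES = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_supervisor": {"invoice.approve", "payment.release"},
    "ap_viewer": {"invoice.view", "vendor.view"},
    # An over-broad role: one assignment gives the whole payment cycle plus role administration.
    "ap_admin": {"vendor.create", "invoice.enter", "invoice.approve",
                 "payment.release", "role.assign"},
}

# Hypothetical segregation-of-duties rules: pairs of permissions no single user should hold.
PROHIBITED = [
    ("vendor.create", "payment.release"),   # create a payee and pay it
    ("invoice.enter", "invoice.approve"),   # enter a liability and approve it
]

# Hypothetical user-to-role assignments, also constructed.
USERS = {
    "alice": ["ap_clerk"],
    "bob": ["ap_clerk", "ap_supervisor"],   # conflict arises from the combination
    "carol": ["ap_viewer"],
    "dave": ["ap_admin"],                   # conflict arises from a single role
}


def effective_permissions(user_roles, roles=ROLES):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user_roles:
        perms |= roles[role]
    return perms


def sod_conflicts(user_roles, roles=ROLES, prohibited=PROHIBITED):
    """Prohibited pairs that are both present in the user's effective permissions."""
    perms = effective_permissions(user_roles, roles)
    return [pair for pair in prohibited if pair[0] in perms and pair[1] in perms]


def review_users(users=USERS, roles=ROLES, prohibited=PROHIBITED):
    """Users whose role assignments violate at least one rule -> list of violated pairs."""
    report = {}
    for user, user_roles in users.items():
        conflicts = sod_conflicts(user_roles, roles, prohibited)
        if conflicts:
            report[user] = conflicts
    return report


def conflicting_roles(roles=ROLES, prohibited=PROHIBITED):
    """Roles that violate a rule on their own: a configuration defect, not an assignment problem."""
    return {name: sod_conflicts([name], roles, prohibited)
            for name in roles if sod_conflicts([name], roles, prohibited)}


def view_only_roles(roles=ROLES):
    """Roles that permit data view only (every permission is a *.view right), versus data entry."""
    return [name for name, perms in roles.items()
            if perms and all(p.endswith(".view") for p in perms)]


if __name__ == "__main__":
    print("users with SoD conflicts:", review_users())
    print("roles that conflict by themselves:", conflicting_roles())
    print("view-only roles:", view_only_roles())
```

Reporting the two findings separately matters in practice: a conflict caused by a combination of roles is fixed by reassigning users, while a role that conflicts with itself has to be redesigned, and every user holding it is exposed regardless of what else they are assigned. The same data should also show who holds the right to change roles (here `role.assign`), which is the control over the configuration the text refers to.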
Another major aspect of application control testing is looking at the processing controls. The internal processing is the reason why the application exists, and it might be justifiable to think the controls over processing are low-risk areas. However, the processing controls may not be as accurate as auditors would like, and changes to the software as it is updated may have an impact on the processing controls. The best way to address these concerns is to look at some of the key processes.
Critical Calculations Discuss any critical calculations with the business owner. Are they performing a manual check or reconciliation? If so, have they ever found an error? If there is still a concern, determine whether there is an application user group where additional details on the internal processes might be available.
Custom Calculations Identify any custom calculations that have been incorporated into the application. Because this introduces another potential source of errors, internal auditors should determine who can create custom code and assess how it is tested. Some custom calculations may be low risk. For other calculations, especially where the skills to review code might be lacking, the risk may be high or unknown.
Configuration Settings Some processes have mandatory checks, approvals, and thresholds, but some applications allow these controls to be overridden. If this is the case, internal auditors should look at the configuration settings to identify whether what is allowed is also compliant with the procedures. Also, check the local procedures to ensure that overrides, if allowed, have procedural limitations.
If the application receives its data from another application, or if it sends results to another application, then auditors should review the interface controls. These are a special case of input and output controls.
Error Detection Reliable transport protocols such as TCP (Open Systems Interconnection (OSI) layer 4) carry a checksum on every segment, and the link layer adds its own frame check, so if the file was transferred over such a protocol auditors can be fairly confident that each packet that arrived matches what was sent. That does not confirm the file is complete or correct: a transfer that stops early, a job that picks up the wrong or a stale file, or a record dropped before transmission passes every packet-level check, and a transfer over a protocol without these guarantees may deliver corrupted data silently. In all cases, inquire whether there are application-level controls, such as a checksum or hash of the whole file, record counts, and control totals, that the receiving side compares against values supplied by the sender to confirm the data received is complete and unaltered.
API Limits For many applications, internal auditors also can look into the application programming interfaces (APIs) that are being used. An API defines how the application exchanges data and commands with other software; it is a contract between programs, not a layer of the OSI model. Auditors can review the published API documentation to determine whether there is a risk of data corruption or data leakage, for example which fields are exposed, how callers are authenticated, and how errors are reported. Depending on the application, there also may be rate limits, bandwidth constraints, or timing requirements imposed by the API that must be honored for the application to function appropriately.
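The interface control described under Error Detection, the sender publishing a record count, a control total and a hash of the file, and the receiver recomputing them before loading the data, can be illustrated with a short script. This is an added example, not code from the article or from any product; the “id,amount” file layout, the sample records and the control-record format are all constructed for illustration, and the example assumes the control record reaches the receiver by a path separate from the file itself.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample payment file in a hypothetical "id,amount" layout (not real data).
SENT_FILE = "id,amount\n1001,250.00\n1002,75.50\n1003,1200.00\n"


def build_control_record(data: str) -> dict:
    """Values the sender publishes alongside the file: record count, control total, file hash.

    Decimal is used so the control total is exact; floating point would drift on large files.
    """
    reader = csv.DictReader(io.StringIO(data))
    count = 0
    total = Decimal("0")
    for row in reader:
        count += 1
        total += Decimal(row["amount"])
    return {
        "record_count": count,
        "amount_total": str(total),
        "sha256": hashlib.sha256(data.encode("utf-8")).hexdigest(),
    }


def verify_transfer(received: str, control: dict) -> list:
    """Recompute the control values on the received file and list every discrepancy.

    An empty list means the file reconciles and can be loaded. Each check is reported
    separately because they fail in different ways: a hash mismatch alone points at
    corruption, a count mismatch at truncation or a dropped record, a total mismatch
    with a matching count at an altered amount.
    """
    actual = build_control_record(received)
    findings = []
    if actual["sha256"] != control["sha256"]:
        findings.append("hash mismatch: content differs from the file that was sent")
    if actual["record_count"] != control["record_count"]:
        findings.append("record count %d, expected %d"
                        % (actual["record_count"], control["record_count"]))
    if Decimal(actual["amount_total"]) != Decimal(control["amount_total"]):
        findings.append("control total %s, expected %s"
                        % (actual["amount_total"], control["amount_total"]))
    return findings


if __name__ == "__main__":
    control = build_control_record(SENT_FILE)          # published by the sender
    print("intact file:", verify_transfer(SENT_FILE, control))
    truncated = "id,amount\n1001,250.00\n1002,75.50\n"  # transfer stopped early
    print("truncated file:", verify_transfer(truncated, control))
    altered = SENT_FILE.replace("75.50", "57.50")       # one amount changed
    print("altered file:", verify_transfer(altered, control))
```

The truncated file passes every packet-level check the transport provides, which is exactly the gap the record count and control total close. When auditing an interface, ask to see where this comparison runs, what happens to the load when it fails, and who can override the rejection.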
Many other aspects of application control testing can be incorporated into an audit. Before auditors finalize their audit plan, they should consider these aspects of control to ensure they have identified all the highest risks:
- Output controls look at the destination of the application output.
- Storage controls focus on the database structure on which the application relies.
- Monitoring controls look at access logs, input and output file transfer logs, and super-user access.
- Configuration management addresses the procedures surrounding updates to the configuration of the application and its supporting database and operating system.
- Change control and patch management look at how changes to the application are tested and implemented.
Work With Business Owners
Because applications are critical to businesses, application controls represent a risk that internal auditors should test. Auditors should discuss the process, the applications, and the controls with business owners to reach a consensus on the high-risk areas and focus internal audit’s efforts.