
Information Technologies

Application Controls

Mouhyi Eddine Lahlali

IT Application Controls are specific to a given application and are designed to ensure the integrity, accuracy, and confidentiality of the data and processes that the application manages. They are an essential part of an organization's overall IT control framework, aiming to mitigate risks associated with the use of applications. Here is a guideline outline for establishing IT Application Controls:
1. Input Controls
Purpose: Ensure accuracy, completeness, and authorization of data
before it is processed by the application.

Examples: Data entry validation checks (e.g., field checks, range checks,
format checks), approval processes, and use of pre-approved data.
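The input controls listed above (field checks, format checks, range checks, and use of pre-approved data) are concrete enough to show in code. The following validator is an added example, not part of the original document: it applies each check to a hypothetical payment-entry record and returns every failure so that a rejected record can be logged and corrected rather than silently processed. The rule set, the vendor list and the field names are constructed for illustration.

```python
import re
from datetime import date
from typing import Dict, List

# Constructed reference data standing in for the application's master data:
# only vendors on this list may be paid (the "use of pre-approved data" control).
APPROVED_VENDORS = {"V-1001", "V-1002", "V-2045"}

# Constructed validation rules for a hypothetical payment-entry screen.
# Each rule combines a field check (required), a format check (regex),
# a type check, a range check, and/or a lookup against pre-approved data.
RULES = {
    "vendor_id":    {"required": True, "format": r"V-\d{4}", "lookup": APPROVED_VENDORS},
    "amount":       {"required": True, "type": float, "range": (0.01, 50_000.00)},
    "invoice_no":   {"required": True, "format": r"INV-\d{6}"},
    "invoice_date": {"required": True, "type": "date"},
}


def validate_payment(record: Dict[str, object]) -> List[str]:
    """Apply the input controls in RULES to one record.

    Returns a list of human-readable errors; an empty list means the record
    passed every check and may be handed to processing.
    """
    errors: List[str] = []
    for name, rule in RULES.items():
        value = record.get(name)

        # Field check: required fields must be present and non-empty.
        if value is None or value == "":
            if rule.get("required"):
                errors.append(f"{name}: missing")
            continue

        # Format check: the raw value must match the expected pattern exactly.
        fmt = rule.get("format")
        if fmt and not re.fullmatch(fmt, str(value)):
            errors.append(f"{name}: bad format {value!r}")
            continue

        # Type check: coerce numeric and date fields before comparing them.
        if rule.get("type") is float:
            try:
                value = float(value)
            except (TypeError, ValueError):
                errors.append(f"{name}: not a number {value!r}")
                continue
        elif rule.get("type") == "date":
            try:
                value = date.fromisoformat(str(value))
            except ValueError:
                errors.append(f"{name}: not an ISO date {value!r}")
                continue
            if value > date.today():
                errors.append(f"{name}: date is in the future")

        # Range check: the value must fall within the permitted bounds.
        rng = rule.get("range")
        if rng and not (rng[0] <= value <= rng[1]):
            errors.append(f"{name}: {value} outside {rng}")

        # Lookup check: the value must come from pre-approved data.
        lookup = rule.get("lookup")
        if lookup is not None and value not in lookup:
            errors.append(f"{name}: {value!r} is not pre-approved")

    # Completeness in the other direction: reject fields the screen does not
    # define, so extra data cannot be pushed past the checks unnoticed.
    for extra in sorted(set(record) - set(RULES)):
        errors.append(f"{extra}: unexpected field")
    return errors


if __name__ == "__main__":
    # Constructed sample records: one clean, one failing several controls.
    good = {"vendor_id": "V-1001", "amount": "1250.00",
            "invoice_no": "INV-000123", "invoice_date": "2023-11-02"}
    bad = {"vendor_id": "V-9999", "amount": "-5", "invoice_no": "123", "extra": "x"}
    print("good ->", validate_payment(good))
    print("bad  ->", validate_payment(bad))
```

Returning the full error list, rather than stopping at the first failure, matters operationally: the operator sees every defect at once, and the rejected record can be written to an exceptions log for the output-review step later in the outline.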

2. Processing Controls
Purpose: Ensure data is processed as intended in an application, including correct data routing and handling of data under error conditions.

Examples: Transaction and batch controls, logical access controls, and process validation checks to ensure accurate and complete processing.
3. Output Controls
Purpose: Ensure system output is accurate, complete, and distributed securely to authorized users.

Examples: Review and reconciliation of output reports, secure distribution methods, and confidentiality controls on information dissemination.

4. Interface Controls
Purpose: Ensure that all data exchanged between different applications is accurate, complete, and processed correctly.

Examples: Data mapping accuracy checks, interface validation processes, and reconciliation of data received by interfacing systems.
5. Data Integrity Controls
Purpose: Protect data from accidental or deliberate unauthorized modification, addition, or deletion.

Examples: Use of referential integrity checks, data encryption, and audit trails.

6. Authentication and Authorization Controls
Purpose: Ensure that only authorized users can access the application and perform actions according to their permissions.

Examples: User authentication mechanisms (e.g., passwords, multi-factor authentication), role-based access controls, and periodic review of user access rights.
7. Segregation of Duties
Purpose: Divide responsibilities among different individuals or teams to reduce the risk of error or fraud.

Examples: Separation of tasks such as data entry, authorization, and review/reconciliation, especially in critical financial or sensitive data processing.

8. Change Management Controls
Purpose: Ensure that all changes to the application are properly managed, authorized, tested, and documented.

Examples: Formal change request processes, testing and approval of changes in a controlled environment, and maintenance of change logs.
9. Business Continuity and Disaster Recovery
Purpose: Ensure the application can recover from disruptive incidents without significant loss of data, functionality, or time.

Examples: Regular backups, disaster recovery plans, and business continuity strategies specific to the application.

These guidelines serve as a foundation. However, the specific controls and their
implementation will vary depending on the application's nature, the data it
handles, and the business context. Tailoring controls to the organization's risk
profile and regulatory requirements is crucial for effective risk management.