CIOs, Auditors To Get New Software Controls Guide on July 9

It’s time for an audit of the application controls for every business system throughout your organization, from enterprise resource planning to e-mail programs, document imaging systems and product design software. As a CIO, are you prepared?

If you’ve upgraded or modified applications since the last application controls audit, you’d be smart to check out a forthcoming 33-page guide on applications controls to be released July 9 by the Institute of Internal Auditors (IIA). The eighth in the institute’s Global Technology Audit Guide (GTAG) series, “Auditing Application Controls” will be available for free to the institute’s 130,000 members in 160 countries, as well as to nonmembers via the group’s Web site at

Although the GTAG guidance is not mandatory, the auditing and testing of software controls on a periodic basis is considered a best practice by the IIA. The GTAG guide includes an eight-page section listing a series of controls and tests that companies can perform to make sure controls are correct and working properly. “These controls and suggested tests are generic and should apply to all systems,” says Heriot Prentice, director of technology practices at the IIA in Altamonte Springs, Fla.

There are plenty of reasons software controls need to be periodically audited and tested. For one, all transactional systems such as ERP and financial systems–as well as support applications such as e-mail programs and design software–pose risks stemming from how they are configured, managed and used by employees.

Another reason for regular audits and tests of software controls is that any configuration changes or modifications to business applications can introduce additional risk. For instance, tolerance levels can be manipulated to disable controls. Likewise, purchase approval controls can be altered without requiring any changes in the underlying code.

For this reason, the GTAG guidance recommends that auditors should be part of any software-implementation or upgrade team to ensure controls are in place and working. “Your auditors need to identify the controls that need to be built into that application,” Prentice says.

Prentice recommends that companies make their software-control audits a joint effort involving the chief internal auditor, the CFO and the CIO. “One of the biggest issues I’ve found when it comes to I.T. is that the chief audit officer or the CFO in many cases may not understand the technology, while at the same time, the CIO may not understand the auditors’ needs,” he says. “We at the IIA thought, ‘Wouldn’t it be great if we had a guide for this?'” That’s how the forthcoming guide was initiated, Prentice says.

In most cases where companies are using packaged software applications such as SAP or Oracle, the applications have built-in controls, but even these should be examined, according to Prentice. “It’s not necessarily certain that with packaged applications, the controls are always set up properly and not, for instance, switched off,” he cautions. “Auditors should always conduct a risk assessment and test these application controls to make sure they are set up correctly and are actually working.”

Software controls are used to monitor a variety of aspects of the application, including input, processing, output and data integrity, as well as data storage and retrieval. Some controls are embedded into transactional and support applications, such as an automated accounts-payable match of invoice with purchase order and notice of receipt of shipment.

Other controls are configurable, such as an accounts-payable system’s limit on the amount of an invoice that can be processed without certain approvals. Both of these kinds of controls are considered application controls—i.e., controls that relate to an individual business process or application, including data edits, balancing of processing totals, logging of transactions and reporting of errors.

Types of application controls include:

  • Input controls—These are used to check the integrity of data entered into the application, whether it’s entered by staff, by a business partner, or via a Web-enabled application or interface. Data input is checked to confirm that it falls within specific parameters.
  • Processing controls—An automated means to ensure that processing is complete, accurate and authorized.
  • Output controls—These address what is done with the data, and should compare output results with the intended result by checking output against input. Integrity controls-These monitor data being processed and in storage to ensure it stays consistent and correct.
  • Management trail—Processing-history controls, often called an audit trail, allow management to identify the transactions and events they record by tracking each transaction from the source to the output and by tracing backward. These controls also monitor the effectiveness of other controls and identify the origin of errors.
  • In addition, some application controls prevent errors. For example, a validation routine checks to make sure the data entered is consistent with the program logic and allows only the correct data to be saved. Other controls detect errors based on predefined program logic. For instance, the control can identify a variation between the amount on a vendor invoice and the purchase order price.