Application Controls

1
Application Controls

• Batch Processing
• Application Audit

2
Acknowledgments

• Material is from
• CISA Review Manual, 2009
• Author Susan J Lincke, PhD
• Univ. of Wisconsin-Parkside
• Reviewers
• Funded by National Science Foundation (NSF)
  Course, Curriculum and Laboratory Improvement
  (CCLI) grant 0837574 Information Security
  Audit, Case Study, and Service Learning.
• Any opinions, findings, and conclusions or
  recommendations expressed in this material are
  those of the author(s) and/or source(s) and do
  not necessarily reflect the views of the National
  Science Foundation.

3
Security in Software Development
Security Requirements
Requirements
Risk Analysis
Architecture Design
Abuse Cases
Code Review
External Review
Code
Risk-Based Security Test
Penetration Test
Test
Security Operation
Deploy
4
Input Form
No. 12083
Sales Order Form

• Make form easy to read and use
• Group like fields together
• Provide predetermined input codes to reduce
  errors
• Provide identifier or cross-reference number
• Indicate field sizes
• Provide authorization signature if necessary

Date 11/09/09 Time 324 PM
Product Quantity _____________ _______ __________
___ _______ _____________ _______ ____________
_ _______ Salesperson Authorization
5
Transaction Validation

• Sequence Check Sequence number use causes
  out-of-sequence and duplicate numbers to be
  rejected.
• Limit or Range Check Valid numbers are below or
  between a maximum value. E.g., checks should not
  exceed 3,000
• Validity Check or Table Lookup Only certain
  values are accepted SexM/F.
• Reasonableness Check Values entered are
  reasonable A takeout order of 100 pizzas???
• Existence Check Required fields are entered
  correctly.
• Key Verification Input is double checked via
  second person OR all digits are entered twice.
• Check Digit A digit may verify the correct entry
  of other digits.
• Completeness Check Complete input is provided
  zeros or spaces are checked for each required
  letter or digit
• Duplicate Check Duplicate transactions or
  transactions with duplicate IDs are checked for
  and rejected.
• Logical Relationship Check Data is consistent
  with other known data An employees birth date
  must be at least 16 years ago.

6
Batch Processing
Input is authorized and collected into a
batch Batch controls are automatically calculated
and associated with the batch file.
Validation of the transactions occur. Rejected
transactions are corrected and resubmitted or
otherwise handled.
Processing occurs (e.g., orders, payments,
storage to DB)
Processing is complete. Batch balancing occurs
through manual or automatic reconciliation of
batch controls.
7
Batch Controls
Account TransType Amount Clerk
01001 054 54.43 212 01222 054 89.99 215
02022 033 10.19 212 02022 036 999.99 215
01098 054 50.00 215 Batch Control
12242 435 9544.34 818
A Batch groups transactions to control
processing. Batch controls can include totals or
hashed values. Totals may include total items,
documents, or values.
8
Transaction Authorization

• Manual
• Signature by management on batch forms or source
  documents
• Pre-numbered for control preferably
• Automatic
• Online access control via password or terminal
  identification

9
Error Handling Alternatives

• Reject transaction(s) with errors but process
  remaining batch
• Reject batch with error transactions
• Hold the batch in suspense hold batch until
  error transactions are fixed
• Accept the full batch but flag the error
  transactions for later correction

10
Data Processing
Controls processing e.g., specify
limit maximums
System Control Parameters
Transaction File (for today)
Standing Data (Permanent Files)
Processing
Exception Report
Master Data/Balance Data
Reports errors in transactions
Records running balances and totals updated by
transactions
Audit Trail (or transaction log)
11
Processing Controls

• Batch Register Batch totals are recorded
  manually to be compared with system totals
• Checks on Calculated Amounts Calculated values
  are checked to be reasonable or not exceed
  maximum
• Exception Report Reports error transactions
  with their error types
• Run-to-Run Totals Each processing stage reports
  its calculated batch controls
• Reconciliation Supervisor should review that
  all data was properly recorded and processed

12
Data File Control Procedures

• Parity Checking When data is transmitted, check
  codes are added to ensure data is transmitted
  without error.
• Before and After Image Reporting File data
  before and after processing is recorded, enabling
  traces to occur based on transactions
• Internal External Labeling Removable storage
  media is labeled to ensure correct processing
• Version usage The version of a file is always
  accessible, maintained, and used
• Data File Security Ensure authorized access only
• Transaction Logs An audit trail records
  date/time of input, user ID and terminal
  location, and input transactions
• One-for-One Checking Documents correctly
  describe the processing that has occurred

13
Application Audit

14
Auditor Tasks

• Identify significant application components and
  flow of transactions
• Identify controls and evaluate their
  effectiveness
• Test the controls
• Analyze the test results to determine whether
  controls work as expected

15
Testing Applications Test Data
Pgm1
Pgm2
Pgm3
Test Data
Processes test data through real programs.
16
Testing Applications Snapshot
Pgm1
Pgm2
Pgm3
Displays snapshots of how transactions are
processed, as they are processed. Certain
transactions are designated for recording.
17
Integrated Testing Facilities
Real Data
Pgm1
Pgm2
Pgm3
Test Data
Test data and real data are merged. Must be
careful to isolate test results.
18
Parallel Operation or Parallel Simulation
New System or System under Test
Pgm1
Pgm2
Pgm3
Real Data
Pgm1
Pgm2
Pgm3
Stable System or Simulated System
Data is processed through two systems and results
are compared. Useful to verify new
system. Parallel Operation Compare new system
with older stable system Parallel Simulation
Compare actual and simulated system
19
Continuous Online AuditingAudit Hooks
Regular Data
Pgm1
Pgm2
Pgm3
Continuous Online Auditing enables auditors to
test the system without disrupting a companys
regular operation. Audit hooks are software logic
embedded into the application, which prints error
reports of red flags enabling auditors to act to
catch errors early, before they become
problems..
20
Transaction Selection Program
Transaction Selection Program
Pgm1
Pgm2
Pgm3
Test Data
A tool helps to select transactions to build a
test deck..
21
Embedded Audit Data Collection
Regular Data
Pgm1
Pgm2
Pgm3
Embedded Audit Modules (EAM) Audit software is
embedded directly into the application programs
to monitor specific types of transactions. Systems
Control Audit Review File (SCARF) Provides
statistical information about the normal input
data file, to determine if the file
is sufficiently varied for the auditor. Sample
Audit Review File (SARF) Selects random
transactions for analysis.
22
Question

• A hash total of customer numbers is one
  input to the sales program. This program
  generates its own total to compare against this
  input parameter. What is the purpose of this
  procedure?
• Validate customer numbers are accurate
• Detect lost or changed transaction(s)
• Detect error(s) in sales transactions
• Validate that each sales transaction is complete

23
Question

• Batch balancing is used to?
• Ensure that test data accurately matches real
  data when considering transaction types
• Detect lost or changed transaction(s)
• Detect error(s) in sales transactions
• Compare batch totals before and after processing

24
Question

• Embedded audit modules is associated mostly
  clearly with
• Audit hooks
• Snapshots
• Batch processing
• Parallel operation

25
Question

• This technique provides statistical
  information about the normal input data file, to
  determine if the file is sufficiently varied for
  the auditor.
• Test data
• Snapshots
• Systems Control Audit and Review File
• Transaction Selection Program

26
Question

• Combining real and test data during an
  audit is known as
• Parallel operation
• Integrated testing facilities
• Batch processing
• Embedded audit modules

27
Match Definitions

• Sequence number use causes out-of-sequence and
  duplicate numbers to be rejected.
• Valid numbers are below a maximum value.
• Values entered are plausible
• Required fields are entered correctly.
• Input is double checked via second person OR all
  digits are entered twice.
• Transactions with duplicate IDs are checked for
  and rejected.

• Duplicate Check
• Existence Check
• Reasonableness Check
• Limit Check
• Key Verification
• Sequence Check

28
Match Definitions

• Sequence number use causes out-of-sequence and
  duplicate numbers to be rejected.
• Valid numbers are below a maximum value.
• Values entered are plausible
• Required fields are entered correctly.
• Input is double checked via second person OR all
  digits are entered twice.
• Transactions with duplicate IDs are checked for
  and rejected.

• Duplicate Check
• Existence Check
• Reasonableness Check
• Limit Check
• Key Verification
• Sequence Check

29
Vocabulary Review

• Batch control, validation, batch balancing,
  reconciliation
• Standing data, balance data, exception report,
  audit trail, system control parameters
• Checks sequence, limit or range, validity check
  or table lookup, reasonableness, existence, key
  verification, completeness, duplicate, logical
  relationship. Check digit.
• Test data, snapshot, integrated testing
  facilities, parallel operation, parallel
  simulation, continuous online auditing, audit
  hooks, transaction selection program, embedded
  audit modules, systems control audit review
  file
• Test Questions from Book p 1018 2,3,7,9,22