Business process and application control audits

Business process controls are automated and manual procedural controls over data input, processing and output. Application controls are automated process controls and are designed to protect the validity and integrity of business data in an organisation’s application. An application controls audit examines and evaluates a number of data input, processing and output controls.

According to “Control Objectives for Information and related Technology” (COBIT):

“At the business process level, controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.”

COBIT therefore states that controls embedded in business process applications are commonly referred to as application controls. Examples include:

  • Completeness controls.
  • Accuracy controls.
  • Validity controls.
  • Authorisation controls.
  • Segregation of duties controls.

An application audit therefore covers the completeness, accuracy, validity and authorisation of:

  • Data input (including system input interfaces).
  • Data processing.
  • Data output (including system output interfaces).
  • Data storage.

It also covers:

  • Data security.
  • System change control (depending on agreed scope).
  • Data backups (depending on agreed scope).

An application audit can be performed using a number of methods, e.g. a source code review, dummy testing in a test environment, Computer Assisted Audit Techniques (CAATs), observation and review of users’ interaction with the system, or a combination of these methodologies.

BDO South Africa understands how processes facilitate transaction and data flows in a business and how built-in (automated and manual) procedural controls can mitigate risks associated with data validity and integrity. Unauthorised, incomplete and incorrect data can result in incorrect financial data and, by implication, incorrect financial statements. BDO’s value proposition:

  • We provide more than just a technical audit – we understand the business implications of weaknesses in automated and manual process controls.
  • We can identify the connection between weaknesses in business process controls and the integrity of financial data.
  • We can ascertain the impact of compromised (unauthorised, incomplete and/or inaccurate) data on the profitability of an organisation.