Risks and controls. When we hear this phrase, we often think of the organization’s financial controls or maybe even the IT general controls; however, there’s another set of controls that are equally important: application controls.
Application controls are automated controls that are performed by a specific application or system. For example, an application control could perform a validity check or a completeness check to verify that data entered matches a pre-determined criteria. Often application controls are tested by doing a walkthrough; observing the performance of the control by entering data, for each type of transaction and processing alternative, into the system to verify how the control functions. In the past, this testing approach has been sufficient for external auditors to gain comfort that the application controls are operating as expected.
Review comments coming from the PCAOB to external auditors are creating the expectation that additional information for configurable and non-configurable application controls be gathered. External auditors are now looking for evidence directly from the application and its developers indicating that the specific item is not configurable within the system. For example, if the application in question is SAP, information directly from an SAP manual would need to be referenced to show that the specific item or criteria cannot be changed. Similarly, for configurable controls, external auditors are beginning to request additional evidence showing the current configuration and who can change the configuration within the system, and when it was last changed.
The combined walkthrough and testing approach is still appropriate; however, these additional procedures to support the configurable or non-configurable are also needed in order for some external auditors to gain comfort with application controls.