1 / 70

Application Security By Prashant Mali

Application Security By Prashant Mali. Application Controls. Application controls are controls over input, processing, and output functions. Application controls include methods for ensuring that: Only complete,accurate, and valid data is entered and updated in a computer system.

acacia
Télécharger la présentation

Application Security By Prashant Mali

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Application Security By Prashant Mali

  2. Application Controls Application controls are controls over input, processing, and output functions. Application controls include methods for ensuring that: • Only complete,accurate, and valid data is entered and updated in a computer system. • Processing accomplishes the correct task. • Processing results meet expectations • Data is maintained.

  3. Auditor’s Tasks • Identifying the significant application components and the flow of transactions through the system. • Identifying the application control strengths and evaluating the impact of the control weaknesses to develop a control testing strategy. • Testing the controls to ensure their functionality and effectiveness. • Considering the operational aspects of the application to ensure its efficiency and effectiveness by comparing against industry standard benchmarks.

  4. Session Agenda 1. Input / Origination Controls 2. Validation, Editing, and Processing Controls 3. Output Controls 4. Auditing Application Controls

  5. Input/Origination Controls • Input control procedures must ensure that every transaction to be processed is received, processed and recorded accurately and completely. • These controls should ensure that only valid and authorized data is input and that these transactions are processed only once. • In an integrated environment, output generated by one system is input for another system, therefore, edit checks, validations, and access controls of the system generating the output must be reviewed as input controls.

  6. Input/Origination Controls • Input Authorization • Batch Controls and Balancing • Input Error Reporting and Handling

  7. Validation, Editing, Processing • Data Validation and Editing • Types of Data Validation • Processing Controls • Data File Control Procedures

  8. Output Controls Output controls provide assurance that the data delivered to the users will be presented, formatted, and delivered in a consistent and secure manner. Following are the types of Output Controls

  9. Auditing Application Controls • Review Application Systems Documentation • Observe and Test Users Performing Procedures • Data Integrity Testing

  10. Input Authorization Input Authorization verifies that all transactions have been authorized and approved by management. • Authorization of input helps ensure that only authorized data is entered into the computer system for processing. • Authorization can be performed online at the time when the data is entered into the system. • It is important that controls exist throughout processing to ensure that authorized data remains unchanged. • This can be done through various accuracy and completeness checks incorporated into the application’s design.

  11. Types of Authorization • Signatures on batch forms - provide evidence of proper authorization • Online Access Controls • Unique passwords • Terminal Identification • Source Documents - are forms used to record data. It may be a piece of paper or an image displayed for online data input. A well designed source document increases speed and accuracy of data recording, controls work flow, facilitates the preparation of machine readable data, and facilitates subsequent reference checking.

  12. Source Documents Ideally Source Documents should be preprinted forms to provide accuracy, consistency, and legibility. The source document layout should: • Emphasize ease of use and readability • Group similar fields together to facilitate input • Provide predetermined input code to reduce errors • Contain appropriate cross reference numbers or a comparable identifier to facilitate research and training • Use boxes to identify field size errors • Include an appropriate area for management to document authorization.

  13. Batch Controls and Balancing Batch controls group input transactions in order to provide control totals. The batch control can be based on total monetary amount, total items, total documents, or hash totals. • Batch header forms are a data preparation control. • All input forms are clearly identified with the application name and transaction codes. • Where possible, preprinted and pre-numbered forms with transaction identification codes and other constant data items are recommended. • This would help reduce data recording / entry errors.

  14. Types of Batch Controls Total Monetary Amount • Verification that the total monetary value of items processed equals the total monetary value of the batch documents. • For example, the total monetary value of sales invoices in the batch agrees with the total monetary value of the sales invoices processed.

  15. Types of Batch Controls Total Items • Verification that the total number of items included on each document in the batch agrees to the total number of items processed. • For example, the total number of units ordered in the batch of invoices agrees with the total number of units processed.

  16. Types of Batch Controls Total Documents • Verification that the total number of documents in the batch equals the total number of documents processed. • For example, the total number of invoices in the batch agrees with the total number of invoices processed.

  17. Types of Batch Controls Hash Totals • Verification that a predetermined numeric field existing for all documents in a batch agrees with the total of the documents processed.

  18. Batch Balancing Batch Balancing can be performed through manual or automated reconciliation. It involves batch totaling followed by adequate follow-up procedures. Types of batch balancing include: • Batch Registers - enable manual recording of batch totals. • Control Accounts - an initial edit file is used to determine batch totals. The data is then processed to the master file which is reconciled against the edit file. • Computer Agreement - performed through the use of batch header slips that record the batch total.

  19. Input Error Reporting Errors can occur due to duplication of transactions or inaccurate data entry. Input errors can be handled by: • Rejecting only Transactions with Errors • Rejecting the Whole Batch of Transactions • Accepting Batch in Suspense • Accepting Batch and Flagging Error Transactions

  20. Input Control Techniques Transaction Log • Contains a detailed list of all updates. • The log can either be manually maintained or provided through automatic computer logging. • A transactions log can be reconciled to the number of source documents received to verify that all transactions have been input.

  21. Input Control Techniques • Reconciliation of Data - Controls are needed to ensure that all data received is recorded and properly processed. • Documentation - of user, data entry, and data control procedures. • Transmittal Log - This log documents transmission or receipt of data. • Cancellation of Source Documents - Procedures to cancel source documents by, say, punching holes or marking, to avoid duplicate entry.

  22. Input Control Techniques Error Correction Procedures • Logging of errors • Timely corrections • Upstream resubmission • Approval of corrections • Suspense file • Error file • Validity of corrections

  23. Data Validation and Editing Procedures for ensuring that all input data is validated and edited as close as possible to the point of origin. • Pre-programmed input formats ensure that data is input to the correct field in the correct format. • If input procedures allow supervisor overrides of data validation and editing, automatic logging should occur. • A management individual who did not initiate the override should review this log.

  24. Data Validation Edits • Data validation identifies data errors, incomplete or missing data and inconsistencies among related data items. • Front-end data editing and validation can be performed if smart terminals are used. • Edit controls are preventive controls that are used in a program before data is processed. Following are the various types of data validation edit controls.

  25. Data Validation Edits Sequence Check • The control number follows sequentially and any control numbers out of sequence or duplicated are rejected or noted on an exception report for follow-up purposes. • For example, invoices are numbered sequentially. The day’s begin with 12001 and end with 15045. If any invoice larger than 15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.

  26. Data Validation Edits Limit Check • Data should not exceed a predetermined amount. • For example, payroll amounts should not exceed Rs. 1,00,000. If a cheque exceeds Rs. 1,00,000 the data would be rejected for further verification/authorization.

  27. Data Validation Edits Range Check • Data should be within a predetermined range of values. • For example, product type codes range from 100 to 250. Any code outside this range should be rejected as an invalid product code.

  28. Data Validation Edits Validity Check • Programmed checking of the data validity according to predetermined criteria. • For example, a payroll record contains a field for marital status, and the acceptable status codes are M or S. If any other code is entered, the record should be rejected.

  29. Data Validation Edits Reasonableness Check • Input data are matched to predetermined reasonable limits or occurrence rates. • For example, in most instances, a widget manufacturer receives orders for no more than 20 widgets. If an order for 200 widgets is received, the computer program should be designed to display a warning indicating that the order appears unreasonable.

  30. Data Validation Edits Table Look-ups • Input data complies with predetermined criteria is maintained in a computerized table of possible values. • For example, the input operator enters a city code between 1 and 10. This number corresponds with a computerized table that matches the code to a city name.

  31. Data Validation Edits Existence Check • Data is entered correctly and agrees with valid predetermined criteria. • For example, a valid transactions code must be entered in the transactions code field.

  32. Data Validation Edits Key Verification • Keying-in process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated input. • For example, the employee number is keyed twice and compared to verify the keying process.

  33. Data Validation Edits Check Digit • A numeric value that has been calculated mathematically is added to data to ensure that the original data has not been altered or an incorrect but valid value submitted. • This control is effective in detecting transposition and transcription errors. • For example, a check digit is added to an account number so it can be checked for accuracy when it is used.

  34. Data Validation Edits Completeness Check • A field should always contain data and not zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present. • For example, the employee number field on a new employee record is kept blank. This is identified as a key field and the record would be rejected, with the request that the field be completed before the record is accepted for processing.

  35. Data Validation Edits Duplicate Check • New transactions are matched to those preciously input to ensure that they have not already been entered. • For example, an invoice number is checked against previously entered invoice numbers to make sure that the number is unique and a duplicate number is not being assigned.

  36. Data Validation Edits Logical Relationship Check • If a particular condition is true, then one or more additional conditions or data input relationships may be required to be true to consider the input valid. • For example, the wedding date of an employee may be required to be more than sixteen years past his or her date of birth.

  37. Processing Controls Processing Controls ensure the completeness and accuracy of accumulated data. They ensure that data on a file or in a database remains complete and accurate until changed as a result of authorized processing or modification routines. The following are processing control techniques: • Manual Recalculations - A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task.

  38. Processing Controls • Edit Check - is a program instruction or subroutine that tests for accurate, complete and valid input and updates in an operation. • Run-to-Run Totals - provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer was accepted and then applied to the updating process.

  39. Processing Controls Programmed Controls • Software can be used to detect and initiate corrective action for errors in data and processing. • For example, if the incorrect file or file version is provided for processing, the application program could display messages instructing that the proper file and version be used.

  40. Processing Controls Reasonableness Verification of Calculated Amounts • Application programs can verify the reasonableness of calculated amounts. • The reasonableness can be tested against predetermined criteria to ensure appropriateness. • Any transactions determined to be unreasonable may be rejected pending further review.

  41. Processing Controls Limit Checks on Calculated Amounts • An edit check can provide assurance through the use of predetermined limits that calculated amounts have not been keyed incorrectly. • Any transactions exceeding the limit may be rejected for further investigation.

  42. Processing Controls Reconciliation of File Totals • Should be performed on a routine basis. • Reconciliation may be performed through use of a manually maintained account, a file control record or an independent control file.

  43. Processing Controls Exception Reports • An exception report is generated by a program that identifies transactions or data that appear to be incorrect. • These items may be outside a predetermined range or may not conform to specified criteria.

  44. Data File Controls Before and After Image Reporting • Computer data on a file before and after a transaction is processed can be recorded and reported. • The before and after image makes it possible to trace the impact transactions have on the computer records.

  45. Data File Controls Maintenance Error Reporting and Handling • Control procedures should be in place to ensure that all error reports are properly reconciled and corrections submitted on a timely basis. • To ensure segregation of duties, error corrections should be properly reviewed and authorized by personnel who did not initiate the transaction.

  46. Data File Controls Source Document Retention • Source documentation should be retained for an adequate period to enable retrieval, reconstruction, or verification of data. • Policies regarding the retention of source documents should be enforced. • Originating departments should maintain copies of source documentation and ensure that only authorized personnel have access. • When appropriate, source documentation should be destroyed in a secure, controlled environment.

  47. Data File Controls Internal and External Labeling • Internal and external labeling of removable storage media is imperative to ensure that the proper data are loaded for processing. • External labels provide the basic level of assurance that the correct data medium is loaded for processing. • Internal labels, including file header records, provide assurance that the proper data files are used and allow for automated checking.

  48. Data File Controls Version Usage • It is critical that the proper version of a file, such as date and time of data, be used as well as the correct file in order for the processing to be correct. • For example, transactions should be applied to the most current database, while restart procedures should use earlier versions.

  49. Data File Controls Data File Security • Data File Security controls prevent access by unauthorized users who may have access to the application to alter data files. • These controls do not provide assurances about the validity of the data, but prevent unauthorized alteration to the data.

  50. Data File Controls One-on-one Checking • Individual documents agree with a detailed listing of documents processed by the computer. • It is necessary to ensure that all documents have been received for processing.

More Related