Application Control

Application control is the use of IT functions to ensure that business tasks are executed properly and that the related information is stored accurately.

Overview of Application Control
Under the COSO framework, there are five elements of internal control:


 * "Control Environment"
 * "Risk Assessment"
 * "Controlling Activities"
 * "Information and Communication"
 * "Monitoring"

In Japan, the Financial Services Agency (FSA) adds


 * "Adaptation to IT"

and so lists six elements of internal control. The FSA treats application control as "application control related to IT" and places it under "Adaptation to IT," one of the six elements. In short, application control is assumed to use IT. Concretely, it covers:


 * A responsible person's approval for task execution.
 * Proper execution of approved tasks.
 * Accurate storage of contents of execution in databases.

Application control (IT application control) is the series of execution-management steps listed above, built into business processes with the help of information systems. However, the FSA also describes application control as "controlling activities in which humans and IT work together," so in practice application control requires manual work as well (see below).

Position of Application Control in Japan
Application control is defined in "Execution criteria of evaluation and supervision concerning internal control over financial reports" (FSA). In that document, "Adaptation to IT," one of the "six basic elements of internal control," is achieved through the following two points:


 * "Adaptation to IT Environment"
 * "Use of IT and control over it"

In addition, "use of IT and control over it" is composed of "five viewpoints of use of IT" and "two viewpoints of control over IT." Application control is defined under "establishment of control over IT," which is one aspect of "control over IT."

"Establishment of control over IT" comprises the following two activities:
 * "Application control related to IT"
 * "General control related to IT"

The former is defined as "management to ensure correct data input, processing, and output in an individual business processing system," while the latter is defined as "establishment of infrastructure and environment that enables sound and effective functions of application control." The former is sometimes simply called "application control" and the latter "general control."

IT Application Control
IT application control is automated application control embedded in information systems. In individual business processing applications, it secures the "accuracy," "legitimacy," "completeness," and "continuity of maintenance" of data concerning business execution.


 * Accuracy: Correct input, processing, and storage of necessary information.
 * Legitimacy: Input of only information that has passed an appropriate approval route.
 * Completeness: Processing of entered information without omission or repetition, and output as intended.
 * Continuity of maintenance: Continuous update of correct information, and constant consistency.

To secure the four points above, the following specific controlling activities are used:
 * Access control: Control over access privileges for in-house resources.
 * Input control: Control to prevent improper data from being included in input data.
 * Processing control: Control to keep business processing proper.
 * Interface control: Control over the interfaces through which different systems cooperate.
 * Output control: Control to prevent improper data from being included in output data.
 * Master data control: Control to appropriately register and maintain the basic data (master data) that serves as a reference.
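
As an added illustration (not part of the original glossary entry or of any FSA material), the Python example below applies input control and master data control to a batch of entries, checking accuracy, legitimacy, and completeness as defined above. The account master, approval route, field names, and sequence-number scheme are assumptions made for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed master data and approval route (assumptions for this example).
ACCOUNT_MASTER = {"1100", "2100", "4000"}
APPROVERS = {"mgr01", "mgr02"}

def valid_amount(text):
    """Accuracy: the amount must parse as a finite, positive decimal."""
    try:
        amount = Decimal(text)
    except (InvalidOperation, TypeError, ValueError):
        return False
    return amount.is_finite() and amount > 0

def check_batch(entries, first_seq, expected_count):
    """Return (seq, control, reason) findings; an empty list means the batch passes."""
    findings, seen = [], set()
    for e in entries:
        seq = e["seq"]
        if seq in seen:  # Completeness: no repetition within the batch
            findings.append((seq, "completeness", "duplicate entry"))
            continue
        seen.add(seq)
        if not valid_amount(e.get("amount")):  # Accuracy
            findings.append((seq, "accuracy", "invalid amount"))
        if e.get("account") not in ACCOUNT_MASTER:  # Master data control
            findings.append((seq, "master data", "unknown account"))
        if e.get("approved_by") not in APPROVERS:  # Legitimacy
            findings.append((seq, "legitimacy", "not approved via approval route"))
    # Completeness: no omission against the sequence range the sender announced
    expected = set(range(first_seq, first_seq + expected_count))
    for seq in sorted(expected - seen):
        findings.append((seq, "completeness", "missing entry"))
    return findings

# Constructed sample batch: sequence 3 is missing and sequence 2 is repeated.
SAMPLE_BATCH = [
    {"seq": 1, "account": "1100", "amount": "1200.50", "approved_by": "mgr01"},
    {"seq": 2, "account": "9999", "amount": "300", "approved_by": "mgr02"},
    {"seq": 2, "account": "2100", "amount": "300", "approved_by": "mgr02"},
    {"seq": 4, "account": "4000", "amount": "-50", "approved_by": None},
]

if __name__ == "__main__":
    for finding in check_batch(SAMPLE_BATCH, first_seq=1, expected_count=4):
        print(finding)
```
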

Manual Work in Application Control
Some kinds of control cannot be fully automated by information systems and require a combination of information systems and manual work. Specifically, the following types of manual work are combined with IT.


 * Collation: Tasks to ensure accuracy and integrity, e.g. collating slips.
 * Approval: Tasks to ensure accuracy and legitimacy, e.g. approval in writing.
 * Confirmation of physical goods: Tasks to ensure existence, e.g. inventory checks by physical stocktaking.
 * Check of exception handling: Tasks to check the appropriateness of how exceptions were handled.

Procedure of Execution of Application Control
Because application control is a controlling activity that governs proper business execution, documenting each individual business process is indispensable. There are two ways to document a business process: clarifying the problems of the present business process, or designing a new business process. The former has advantages such as causing little confusion or resistance in the field, while the latter has advantages such as easier risk management. For documenting business processes, the modeling function of BPM products is useful.

After defining a business process, we identify each individual risk related to it and examine the appropriate control for each risk. The important point at this stage is to respond by means of IT application control. Because internal control is a continuous activity, when the response by means of IT application control is insufficient, evaluating and improving the effectiveness of internal control takes human resources and time. In fact, in the U.S., where the SOX Act came into force earlier, there is a tendency to shift controlling activities to IT-based systems as far as information systems can handle them.

During business process execution, it is necessary to observe whether business is executed properly and to store all information about execution results. The identified risks in particular are observed intensively. The monitoring function of BPM products is effective for risk management.

The execution procedure of application control strongly resembles the installation procedure and roles of BPM. Adopting BPM therefore enables smooth execution of application control as well as improved business efficiency.

Evaluation of Application Control
According to the definitions concerning internal control, "company-wide internal control" means "internal control that exerts a great influence on all of consolidated financial reports," while "internal control related to business processes" refers to "internal control built into business processes, which is accomplished as a whole." The method for evaluating "internal control related to business processes" can be adopted as the evaluation method for application control. Evaluation of "internal control related to business processes" is based on the evaluation result of "company-wide internal control." Therefore, evaluation of application control should also be based on the evaluation of general control.

If application control has flaws, their degree of influence and likelihood of occurrence are evaluated. It is also necessary to determine whether the flaws stem from IT application control or from the manual work in application control.

Reference
"Execution criteria of evaluation and supervision concerning internal control over financial reports" (Financial Services Agency)