You expect your software to function properly, on the basis of the programming rules that the software manufacturer or you have put into it. At a certain moment a system can become so complex, that you can not rely on it for a full 100 percent; errors creep in. When you are implementing new versions of software, you can ask yourself: is everything still working properly? To ensure quality you can continuously check the functioning of the system with application controls. A computer system should function well on three areas to be optimally usable to organizations:
- Accessibility: do I have access to the data?
- Integrity: am I getting the right data?
- Confidentiality: should I even be receiving this data?
Accessibility is warranted by robust software and hardware. Confidentiality is managed by for example authorization software or rights management for the business information. However, the automization of integrity of data is a less known area. Often the correctness of the data is placed into the hands of employees and the organization trusts the agreements and procedures.
People, processes and tools
A thriving business has handled three essential things well: people, processes and tools. In addition, the administrative organization and internal control (AO/IC) should be well organized. AO describes who is allowed what, why, when and with what, and where the data is headed. IC checks whether this is complied with. The coherence of the controls is laid down in a control framework. Besides a segregation of functions it consists of:
user controls: people who execute a control by themselves, manually; management controls: procedure agreements that have been drawn up by the company and should be followed;
application controls: control mechanisms build into systems. Control of the organization can be filled by a combination of these control mechanisms. The three mechanisms are interchangeable up to a certain extent. management controls: procedure agreements that have been drawn up by the company and should be followed;
application controls: control mechanisms build into systems. Control of the organization can be filled by a combination of these control mechanisms. The three mechanisms are interchangeable up to a certain extent.
What does an application control do?
How human controls and management processes work, may be assumed to be known information. But what about application controls? An application control compares values that have been entered with a list of other values commonly known as a good source, so it is compared with standards.
If the value that is entered does not occur in the list of approved values, there will be a small alarm. This allows the user or the system to repair the possible error before any actual damage occurs. A good example of an application control is automatic control of the entered amounts. By way of illustration an example from the financial sector. A stockbroker wants to offer 1 share for 100 euro each, but accidentally types: 100 shares for 1 euro each. Quick conclusion: this stockbroker has a problem. He is now forced to sell more shares than he actually wanted to part with, for an amount that is one hundredth of his envisaged proposal. It would have been nice if the system had said: are you sure you wish to offer a share for less than half of the normal trade value? Then there would have been no problem.
More and stricter rules for financial reporting
The government and other supervisory authorities are increasing the demands on the financial reports of companies. The laws and legislations are becoming stricter and increasing in quantity. That means there is a decreasing amount left for human error. That is not even that odd, considering the current technical possibilities. Application controls can take over tasks of the earlier mentioned controls. Therefore they are a good way to make companies less dependent on humans and processes. It is not just that there are more rules around financial accounting and reporting. Financial reporting is in itself becoming more important as well. Automatically the importance of entering the proper data in the accounting and reports is increasing as well. In the preparation of a report it is important to be able to indicate how data can be traced back to the source. This is easy to automate. You can make a relation between for example the data in the general ledger and the data in the report. This guarantees that the amount can be traced back, so errors can be analyzed better and can be solved.
No new idea
Application controls are not new. The idea behind them is as old as double entry. However, not a lot of systems take this properly into account, according to the experiences of Invantive. Consultants often have to add application controls in existing systems and processes to meet the current demands. Companies are aware that controls are important and would also like to see those controls to be automated. However, they are often unaware how hard this is to accomplish in practice. So they limit themselves to human controls.
The addition of application controls in existing systems is not a simple matter. So that makes the reluctance of the corporate world understandable. But luckily there are specialists on the market that know what needs to happen for such an implementation.
Companies can not afford to lean back and watch their business being managed for them. There are plenty of common internal and external obstacles that need to be cleared. We present the most important obstacles one by one.
The first obstacle is internal decision making. Not just the system needs to be prepared for application controls, but also the organization. It is often the case that internal stakeholders stop the introduction. With the implementation of the automatic controls it is exposed how good or bad the current situation and current system is. For those involved there is the risk of criticism.
Quality of the current systems
Which brings us to the second and biggest obstacle: the quality of the current systems. Which is regularly far from satisfactory. To introduce application controls, there needs to be a reliable starting situation. Otherwise you can not determine where the deviations are that need to be found. Creating that proper starting situation can be an incredibly difficult process. It can be hard to predict how long this phase will last. Small deviations can turn out to be incredibly hard to solve sometimes, while the large differences can suffice with a simple solution.
“The increase in legislation demands more control measures for SNS REAAL too. Although we are not subjected to SOX, we do want to be demonstrably ‘in control’ at all times. Basel II also rewards this by a decreased capital requirement. So our choice for application control is not just a defensive one, but it allows offers the opportunity to decrease the capital costs. To keep the costs of the chain as low as possible the use of application controls is imperative. Because of the automation of the controls the process is not only becoming more efficient, but also more effective, because they only ask for attention when there are problems. Thanks to application controls SNS REAAL can not only monitor the proper quality, but also achieve the lowest costs.” Arthur Spanjer, holder at SNS REAAL.
Coordination with suppliers
The third obstacle is coordination with the suppliers of information. To standardize the system there needs to be clear communication about the method of supplying data. The separate supply of standard values requires effort on the part of the supplier.
These obstacles can collectively lead to a situation where the successful implementation of application controls never happens. To cross these obstacles there are a number of suggestions to make the successful implementation of application controls happen:
Work together: clarify to all involved that the goal is not to criticize them. Errors in a system are very normal. Create an environment of trust. Otherwise a successful implementation is not possible.
Provide insight: clarify what the current situation is. How is the situation right now? What are the actions and processes within the software?
Inspire: outline the benefits of a successful implementation for all involved and indicate what it will offer them.
Determine the ambitions: which parts need to be checked exactly? And at what level (imports, exports, the total process chain)? Make the desired and expected outcomes clear.
Balance the result: weigh costs and the revenues against each other. Every precision level and every risk has its price. You won’t get there with just application controls. That’s why you should not forget the other control mechanisms!
If a company prepares itself on the basis of these tips for the implementation of application controls, then the process will run more fluent and quicker. That way a company is ensured in a relatively short span of time of demonstrable correct data and a system that meets the demands of this time.
More information on system integrity? Please contact us.
Publication Guido Leenders IT Management 2005