
Control Identification & Design

This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series introduces application controls as the mechanisms that protect data integrity at every stage of processing. Covering input authorization, batch controls, validation edits, file protection, and output security, the episode shows how data integrity is won or lost at the transaction level and why auditors must understand the full control chain.


Frequently Asked Questions

What do application controls cover and what properties do they deliver?

Application controls govern input, processing, and output for a system. They ensure only valid and authorized data are entered and updated, that processing performs the correct task, and that results meet expectations. Together they deliver accuracy, completeness, and validity. Automated controls must always be paired with manual follow-up on exceptions to remain effective.

What is a hash total and how does it strengthen batch control?

A hash total sums a field that has no real business meaning, such as account numbers, purely to detect any change in the batch between entry and processing. If the computed total at the end does not match the total calculated at the start, something is missing, duplicated, or altered. It complements monetary and record-count totals by catching errors that those totals might miss.
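
The reconciliation described above, as an added example that is not part of the original episode material. The record layout, field names, and sample values are constructed for illustration. It shows one case where only the hash total flags the change, and one limitation of a plain sum: swapping account numbers between two records leaves every total unchanged.

```python
from decimal import Decimal

def control_totals(batch):
    """Return (record count, monetary total, hash total) for a batch."""
    return (
        len(batch),
        sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        # Hash total: sum of account numbers, meaningless as a business figure.
        sum(int(r["account"]) for r in batch),
    )

def reconcile(header, batch):
    """Compare totals recorded at entry with totals recomputed before
    processing. Returns the names of the totals that do not match."""
    names = ("record_count", "monetary_total", "hash_total")
    recomputed = control_totals(batch)
    return [n for n, a, b in zip(names, header, recomputed) if a != b]

# Constructed sample batch as keyed at entry.
ENTERED = [
    {"account": "100234", "amount": "250.00"},
    {"account": "100871", "amount": "75.50"},
    {"account": "102960", "amount": "1200.00"},
]
HEADER = control_totals(ENTERED)  # totals recorded on the batch header

# Case 1: one account number altered, amount untouched.
# Count and monetary total still agree; only the hash total differs.
REDIRECTED = [dict(r) for r in ENTERED]
REDIRECTED[1]["account"] = "100817"

# Case 2: a record lost between entry and processing; all three totals differ.
DROPPED = ENTERED[:2]

# Case 3 (limitation): account numbers swapped between two records.
# Amounts are now posted to the wrong accounts, but a simple sum is unchanged.
SWAPPED = [dict(r) for r in ENTERED]
SWAPPED[0]["account"], SWAPPED[2]["account"] = (
    SWAPPED[2]["account"], SWAPPED[0]["account"])

if __name__ == "__main__":
    for label, batch in (("redirected", REDIRECTED),
                         ("dropped", DROPPED),
                         ("swapped", SWAPPED)):
        print(label, reconcile(HEADER, batch) or "all totals agree")
```

Any name returned by `reconcile` is an exception that needs manual follow-up before the batch is processed.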

What are the main validation edits used in processing controls?

Common validation edits include a limit check that rejects values above a ceiling, a range check that keeps values within a band, a validity check that accepts only predefined codes, a reasonableness check that flags unusual quantities, a check digit that catches transposed numbers, a completeness check that rejects blank required fields, and a duplicate check that stops the same record entering twice. If a supervisor overrides any edit, the override must be logged and reviewed by a different manager.

Why do application controls fail when back-end database changes are uncontrolled?

Application controls only protect data flowing through the application layer. If someone updates records directly in the back-end database, those controls are bypassed entirely. Direct fixes may sometimes be necessary, such as after a system outage, but they must be formally authorized and processed under control, because the strength of all application controls depends on how tightly those back-end changes are controlled.



Reference: This article is based on concepts discussed in Control Identification & Design.