Application Controls Defined.

A Management Guide

Application Controls Defined

Design and Implementation of Application Controls

Operation and Maintenance of Application Controls

Application Controls and IT General Controls

Application Controls Assurance

Personal Copy of: Mr. Manuel R. Castro

2

ISACA®

With more than 86,000 constituents in more than 160 countries, ISACA® (www.isaca.org) is a recognised worldwide leader

in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the

ISACA® Journal, and develops international information systems auditing and control standards. It also administers the globally

respected Certified Information Systems Auditor™ (CISA®) designation, earned by more than 60,000 professionals since 1978;

the Certified Information Security Manager® (CISM®) designation, earned by more than 10,000 professionals since 2002; and

the new Certified in the Governance of Enterprise IT® (CGEIT®) designation.1

Disclaimer

ISACA has designed this publication, CobiT® and Application Controls: A Management Guide (the ‘Work’), primarily as

an educational resource for control professionals. ISACA makes no claim that use of any of the Work will assure a successful

outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other

information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of

any specific information, procedure or test, control professionals should apply their own professional judgement to the specific

control circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,

displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording

or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are

permitted solely for academic, internal, non-commercial use and for consulting/advisory engagements and must include full

attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA

3701 Algonquin Road, Suite 1010

Rolling Meadows, IL 60008 USA

Phone: +1.847.253.1545

Fax: +1.847.253.1443

E-mail: info@isaca.org

Web site: www.isaca.org

ISBN: 978-1-933284-85-9

CobiT® and Application Controls: A Management Guide

Printed in the United States of America

CobiT® and Application Controls

1 CGEIT is a trademark/servicemark of ISACA. The mark has been applied for or registered in countries throughout the world.

Personal Copy of: Mr. Manuel R. Castro

3

Acknowledgements

ISACA wishes to recognise:

Authors

Eugene Atangan, CISA, PMP, Deloitte & Touche LLP, Canada

Gary S. Baker, CGEIT, CA, Deloitte & Touche LLP, Canada

Steven Cauwenberghs, CISA, CISM, CIA, Deloitte, Belgium

Candy (Yi-Ting) Chen, Deloitte & Touche LLP, Canada

Dan Cimpean, CISA, CISM, CIA, Deloitte, Belgium

Cosmin Croitor, CISA, CGEIT, ACCA, CIA, Deloitte, Belgium

Jessica Galland, Deloitte, Belgium

Gary Hardy, CGEIT, IT Winners, South Africa

Tony Jiang, CISA, CPA, Deloitte & Touche LLP, Canada

Gord Kilarski, I.S.P., Deloitte & Touche LLP, Canada

Monica Tang, Deloitte & Touche LLP, Canada

Geert Thoelen, Deloitte, Belgium

Johan Van Grieken, CISA, CGEIT, Deloitte, Belgium

Expert Reviewers

Mark Adler, CISA, CISM, CIA, CISSP, Allstate Insurance Company, USA

Kenneth C. Brancik, Ph.D., CISA, CISM, CISSP, ITIL, Northrop Grumman Information Systems, USA

Dirk Bruyndonckx, CISA, CISM, MCA, KPMG Advisory, Belgium

Luis A. Capua, CISM, Sigen, Argentina

Muhammad Fadli Davies, CISA, Old Mutual, South Africa

Seda Demircioglu, PricewaterhouseCoopers, The Netherlands

Heidi L. Erchinger, CISA, CISSP, System Security Solutions, Inc., USA

Robert F. Frelinger, CISA, CGEIT, Sun Microsystems, Inc., USA

Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium

J. Winston Hayden, CISA, IT Governance Service Consultants, South Africa

Monica Jain, CGEIT, CSQA, CSSBB, Covansys–A CSC Company, USA

Kamal Khan, CISA, Saudi Aramco, Saudi Arabia

Suzana S. Keller, CISM, CISSP, Coca Cola Enterprises, USA

John W. Lainhart IV, CISA, CISM, CGEIT, IBM Global Business Services, USA

Charles Mansour, CISA, Charles Mansour Audit & Risk Services, UK

Malcolm R. Pattinson, CISA, CISM, University of South Australia, Australia

Cheryl Faye Santor, CISA, CISM, CISSP, CNE, Metropolitan Water District of SoCal, USA

Maxwell J. Shanahan, CISA, FCPA, MACS, MII, Max Shanahan & Associates, Australia

Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Peter Van Mol, CISA, Atos Worldline nv, Belgium

Greet Volders, CGEIT, Voquals, Belgium

Acknowledgements

Personal Copy of: Mr. Manuel R. Castro

4

Acknowledgements (cont.)

ISACA Board of Directors

Lynn Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG LLP, UK, International President

George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President

Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President

Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info. SA & CV, Mexico, Vice President

Robert E. Stroud, CGEIT, CA Inc., USA, Vice President

Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President

Frank Yam, CISA, CCP, CFE, CFSA, CIA, FFA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President

Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President

Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President

Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director

Tony Hayes, CGEIT, FCPA, Queensland Government, Australia, Director

Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia, Director

IT Governance Committee

Tony Hayes, CGEIT, FCPA, Queensland Government, Australia, Chair

...