Application Controls Audit

In an era where most decision-making is driven by data, it is essential that business entities pay unwavering attention to the integrity and security of the applications used in their business operations. By appointing reputable application control experts, organizations avoid risks that may cause business disruptions and ensure the effective use of their applications.

What are Application Controls?

The Information Systems Audit and Control Association (ISACA) defines Application Controls as follows:

The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved.

Further, these controls may be preventive, detective or corrective in nature, and they help maintain the proper functioning of the applications as well as the accuracy, protection and confidentiality of data and information.

What is the purpose of conducting a technology application controls audit?

A technology application controls audit may be conducted to meet regulatory requirements, or for internal purposes aimed at the continuous improvement of these applications.

What are the regulatory requirements in the State of Kuwait that require companies to conduct an audit of technology application controls?

The Capital Markets Authority has required digital financial advisory service providers to appoint an external consultant, other than the external auditor, to conduct an audit of the electronic applications used to provide this service. Article 3-3-9 of the Executive Bylaws of Law No. 7 of 2010, Module Nineteen “Financial Technologies,” stipulates the following:

The Digital Financial Advisory service provider is obliged to ensure that the scope of work of the overall control framework and the algorithm functionalities are evaluated and tested independently by an independent external consultant other than the external Auditor, provided that they are submitted to the Board of Directors, senior management and the Authority. This should be done as follows:

  1. Initially upon implementation of this Module and prior to launching the Digital Financial Advisory service.
  2. When there are any material changes to the systems and controls.
  3. At least once every 3 years.

How are the application controls audits conducted?

Thorough testing of the application controls is performed to verify their adequacy and effectiveness. This allows the auditor to identify control weaknesses, document the gaps, and frame a recommended action plan for strengthening the existing application controls within the entity. Furthermore, where a business entity is subject to regulation, the audit aligns the application controls with the applicable standards and regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).

What are the key components of Application Controls Audit?

The key components covered under the application controls audit are as follows:

  1. Access Controls: Evaluate the mechanisms in place to manage user access to the application, including user authentication, authorization, and segregation of duties.
  2. Data Integrity Controls: Assess the processes and controls implemented to maintain the accuracy and completeness of data entered into the application.
  3. Transaction Controls: Review controls related to transaction processing, such as input validation, error handling, and transaction logging.
  4. Change Management Controls: Examine procedures for implementing changes to the application, including testing, approval, and documentation of changes.
  5. Security Controls: Analyze security measures implemented to protect the application from unauthorized access, data breaches, and other security threats.
  6. Monitoring and Logging: Evaluate the effectiveness of monitoring and logging mechanisms to detect and respond to security incidents or unauthorized activities.
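As an added illustration, not part of the original page and not a description of Baker Tilly's own methodology, the following Python script shows how an auditor can automate evidence testing for the access-control component above: it checks a constructed user-to-role export against a constructed segregation-of-duties (SoD) conflict matrix, flags dormant accounts, and flags users marked as terminated who still hold roles. The user IDs, role names, dates, and the 90-day dormancy threshold are all assumptions chosen for the example.

```python
"""Automated access-control testing over a constructed user-role export.

Added example: the data, role names and thresholds below are assumptions,
not taken from any real system or from the page this accompanies.
"""
from datetime import date

# Constructed export: (user_id, role, last_login ISO date, HR status)
USER_ROLES = [
    ("u001", "create_vendor",   "2024-05-02", "active"),
    ("u001", "approve_payment", "2024-05-02", "active"),
    ("u002", "enter_invoice",   "2024-04-30", "active"),
    ("u003", "approve_payment", "2023-10-01", "active"),
    ("u004", "admin",           "2024-05-01", "terminated"),
    ("u005", "enter_invoice",   "2024-05-03", "active"),
    ("u005", "approve_invoice", "2024-05-03", "active"),
]

# Constructed SoD matrix: pairs of roles one person must never hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_invoice"}),
}


def roles_by_user(export):
    """Group the flat export into {user_id: set(roles)}."""
    out = {}
    for user, role, _, _ in export:
        out.setdefault(user, set()).add(role)
    return out


def find_sod_conflicts(export, conflicts):
    """Return sorted (user, role_a, role_b) tuples that violate the SoD matrix."""
    hits = []
    for user, roles in roles_by_user(export).items():
        for pair in conflicts:
            if pair <= roles:  # user holds both roles of a conflicting pair
                a, b = sorted(pair)
                hits.append((user, a, b))
    return sorted(hits)


def find_dormant_accounts(export, as_of, max_idle_days=90):
    """Users whose most recent login is older than max_idle_days as of `as_of`."""
    latest = {}
    for user, _, last_login, _ in export:
        d = date.fromisoformat(last_login)
        if user not in latest or d > latest[user]:
            latest[user] = d
    return sorted(u for u, d in latest.items() if (as_of - d).days > max_idle_days)


def find_active_terminated(export):
    """Users flagged as terminated by HR but still holding at least one role."""
    return sorted({u for u, _, _, status in export if status == "terminated"})


def access_review(export, conflicts, as_of, max_idle_days=90):
    """Run all three tests and return the findings as one dictionary."""
    return {
        "sod_conflicts": find_sod_conflicts(export, conflicts),
        "dormant_accounts": find_dormant_accounts(export, as_of, max_idle_days),
        "terminated_with_access": find_active_terminated(export),
    }


if __name__ == "__main__":
    for test, findings in access_review(USER_ROLES, SOD_CONFLICTS, date(2024, 5, 5)).items():
        print(f"{test}: {findings if findings else 'no exceptions'}")
```

In a real engagement the export would come from the application's own user administration module or identity provider, and the SoD matrix would be agreed with process owners before testing; the value of scripting the test is that the same checks can be re-run on every audit cycle and on the full population rather than a sample.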

What are the international standards and frameworks addressing application controls?

There are several international standards and frameworks addressing application controls that enable business entities to meet statutory requirements related to sensitive information and data, including but not limited to:

  1. ISO/IEC 27034 provides guidance on application security management across the application life cycle, including how to define and verify the security controls an application requires.
  2. COBIT, developed by ISACA, provides a governance and control model for information and technology intended to support the quality, control and reliability of information systems.

What is the added value to business entities from Applications Controls Audit?

  1. Comply with laws, regulations, resolutions, and instructions issued by the regulatory and administrative authorities.
  2. Confirm that the application controls mitigate the risks to which the applications are exposed.
  3. Provide protection to systems and data and enhance the business entity’s reputation.

What are the Services offered by Baker Tilly Kuwait?

Baker Tilly provides the following services:

  1. Application Controls Audit Report.
  2. A Report on the Overall Control Framework and the Algorithm Functionalities of the Digital Financial Advisory Application as per the CMA requirements.

Why Baker Tilly?

  • Expert Insights: Our application control experts hold extensive experience across various industries and standards, delivering comprehensive gap analysis and recommendation reports.
  • Customized Solutions: A tailored application controls audit approach that fits the business entity’s needs and regulatory requirements.
  • Ongoing Support: Guidance on implementing the recommendations beyond the audit, for continuous improvement.
