The design phase involves converting the informational, functional, and network requirements identified during the initiation and planning phases into unified design specifications that developers use to script programs during the development phase. Program designs are constructed in various ways. Using a top-down approach, designers first identify and link major program components and interfaces, then expand design layouts as they identify and link smaller subsystems and connections. Using a bottom-up approach, designers first identify and link minor program components and interfaces, then expand design layouts as they identify and link larger systems and connections.
Contemporary design techniques often use prototyping tools that build mock-up designs of items such as application screens, database layouts, and system architectures. End users, designers, developers, database managers, and network administrators should review and refine the prototyped designs in an iterative process until they agree on an acceptable design. Audit, security, and quality assurance personnel should be involved in the review and approval process.
Management should be particularly diligent when using prototyping tools to develop automated controls. Prototyping can enhance an organization's ability to design, test, and establish controls. However, employees may be inclined to resist adding additional controls, even though they are needed, after the initial designs are established.
Designers should carefully document completed designs. Detailed documentation enhances a programmer's ability to develop programs and modify them after they are placed in production. The documentation also helps management ensure final programs are consistent with original goals and specifications.
Organizations should create initial testing, conversion, implementation, and training plans during the design phase. Additionally, they should draft user, operator, and maintenance manuals.
Application Control Standards
Application controls include policies and procedures associated with user activities and the automated controls designed into applications. Controls should be in place to address both batch and on-line environments. Standards should address procedures to ensure management appropriately approves and controls overrides. Refer to the IT Handbook's "Operations Booklet" for details relating to operational controls.
Designing appropriate security, audit, and automated controls into applications is a challenging task. Often, because of the complexity of data flows, program logic, client/server connections, and network interfaces, organizations cannot identify the exact type and placement of the features until interrelated functions are identified in the design and development phases. However, the security, integrity, and reliability of an application are enhanced if management considers security, audit, and automated control features at the onset of a project and includes them as soon as possible in application and system designs. Adding controls late in the development process or when applications are in production is more expensive and time consuming, and usually results in less effective controls.
Standards should be in place to ensure end users, network administrators, auditors, and security personnel are appropriately involved during initial project phases. Their involvement enhances a project manager's ability to define and incorporate security, audit, and control requirements. The same groups should be involved throughout a project's life cycle to assist in refining and testing the features as projects progress.
Application control standards enhance the security, integrity, and reliability of automated systems by ensuring input, processed, and output information is authorized, accurate, complete, and secure. Controls are usually categorized as preventative, detective, or corrective. Preventative controls are designed to prevent unauthorized or invalid data entries. Detective controls help identify unauthorized or invalid entries. Corrective controls assist in recovering from unwanted occurrences.
Automated input controls help ensure employees accurately input information, systems properly record input, and systems either reject, or accept and record, input errors for later review and correction. Examples of automated input controls include:
- Check Digits - Check digits are numbers produced by mathematical calculations performed on input data such as account numbers. The calculation confirms the accuracy of input by verifying the calculated number against other data in the input data, typically the final digit.
- Completeness Checks - Completeness checks confirm that blank fields are not input and that cumulative input matches control totals.
- Duplication Checks - Duplication checks confirm that duplicate information is not input.
- Limit Checks - Limit checks confirm that a value does not exceed predefined limits.
- Range Checks - Range checks confirm that a value is within a predefined range of parameters.
- Reasonableness Checks - Reasonableness checks confirm that a value meets predefined criteria.
- Sequence Checks - Sequence checks confirm that a value is sequentially input or processed.
- Validity Checks - Validity checks confirm that a value conforms to valid input criteria.
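The input controls listed above, applied to one batch of records, as an added example that is not part of the original handbook text. The field names, type codes, amount limits and the choice of the Luhn mod-10 scheme for the check digit are assumptions, and the sample records are constructed.

```python
# Added example. Field names, type codes and amount limits are assumptions.
REQUIRED = ("seq", "txn_id", "account", "amount_cents", "type")
VALID_TYPES, MIN_CENTS, MAX_CENTS = {"DEP", "WDL"}, 1, 1_000_000

def luhn_ok(number):
    """Check digit: Luhn mod-10, where the final digit is the check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def check_record(rec, seen_ids, prev_seq):
    """Return the list of input-control failures for one record."""
    blank = [f for f in REQUIRED if rec.get(f) is None or str(rec[f]).strip() == ""]
    if blank:
        return ["completeness: " + ",".join(blank)]
    amt = rec["amount_cents"]
    checks = [
        (luhn_ok(str(rec["account"])), "check digit: account"),
        (rec["txn_id"] not in seen_ids, "duplication: txn_id"),
        (rec["type"] in VALID_TYPES, "validity: type"),
        (isinstance(amt, int) and MIN_CENTS <= amt <= MAX_CENTS, "range: amount_cents"),
        (prev_seq is None or rec["seq"] == prev_seq + 1, "sequence: seq"),
    ]
    return [msg for ok, msg in checks if not ok]

def validate_input(records, control_total_cents):
    """Accept clean records, hold the rest with reasons, and compare the control total."""
    accepted, held, seen, prev = [], [], set(), None
    for rec in records:
        errs = check_record(rec, seen, prev)
        (held if errs else accepted).append((rec, errs))
        seen.add(rec.get("txn_id"))
        prev = rec["seq"] if isinstance(rec.get("seq"), int) else prev
    entered = sum(r["amount_cents"] for r, _ in accepted + held
                  if isinstance(r.get("amount_cents"), int))
    return accepted, held, entered == control_total_cents

# Constructed sample batch; its control total is 2,007,700 cents.
SAMPLE = [dict(zip(REQUIRED, row)) for row in [
    (1, "T1", "79927398713", 5000, "DEP"),
    (2, "T2", "79927398710", 2500, "DEP"),       # wrong check digit
    (3, "T1", "79927398713", 100, "WDL"),        # duplicate txn_id
    (5, "T4", "79927398713", 2_000_000, "XFR"),  # bad type, over limit, seq gap
    (6, "T5", "", 100, "DEP"),                   # blank account
]]
```

Held records keep their failure reasons, so they can be reviewed and corrected later rather than silently dropped.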
Automated processing controls help ensure systems accurately process and record information and either reject, or process and record, errors for later review and correction. Processing includes merging files, modifying data, updating master files, and performing file maintenance. Examples of automated processing controls include:
- Batch Controls - Batch controls verify processed run totals against input control totals. Batches are verified against various items such as total dollars, items, or documents processed.
- Error Reporting - Error reports identify items or batches that include errors. Items or batches with errors are withheld from processing, posted to a suspense account until corrected, or processed and flagged for later correction.
- Transaction Logs - Users verify logged transactions against source documents. Administrators use transaction logs to track errors, user actions, resource usage, and unauthorized access.
- Run-to-Run Totals - Run-to-run totals compiled during input, processing, and output stages are verified against each other.
- Sequence Checks - Sequence checks identify or reject missing or duplicate entries.
- Interim Files - Operators revert to automatically created interim files to validate the accuracy, validity, and completeness of processed data.
- Backup Files - Operators revert to automatically created master-file backups if transaction processing corrupts the master file.
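The processing controls listed above, combined in one posting run, as an added example that is not part of the original handbook text. The record layout, account ids and header fields are assumptions, as are two design choices: every copy of a duplicated sequence number is sent to suspense, and the master file is restored from its backup when the totals do not reconcile. The sample data is constructed.

```python
# Added example. Record layout, account ids and header fields are assumptions.
def sequence_gaps(seqs):
    """Sequence check: return (missing, duplicated) sequence numbers."""
    seen, dups = set(), set()
    for s in seqs:
        (dups if s in seen else seen).add(s)
    missing = sorted(set(range(min(seen), max(seen) + 1)) - seen) if seen else []
    return missing, sorted(dups)

def process_batch(header, items, master):
    """Post items to master in place; reconcile, and restore the backup on mismatch."""
    backup = dict(master)                     # backup file taken before the run
    missing, dups = sequence_gaps([i["seq"] for i in items])
    posted = withheld = 0
    suspense, log = [], []
    for item in items:
        bad = item["account"] not in master or item["seq"] in dups
        if bad:                               # error reporting: withhold from posting
            suspense.append(item)
            withheld += item["cents"]
        else:
            master[item["account"]] += item["cents"]
            posted += item["cents"]
        log.append((item["seq"], "SUSPENSE" if bad else "POSTED"))  # transaction log
    report = {
        "batch_count_ok": len(items) == header["count"],
        "batch_total_ok": posted + withheld == header["total_cents"],
        "run_to_run_ok": sum(master.values()) - sum(backup.values()) == posted,
        "missing_seq": missing, "duplicate_seq": dups,
        "suspense": suspense, "log": log,
    }
    if not all(report[k] for k in ("batch_count_ok", "batch_total_ok", "run_to_run_ok")):
        master.clear()
        master.update(backup)                 # revert to the pre-run backup
    return report

# Constructed sample: header totals come from the input stage.
SAMPLE_HEADER = {"count": 4, "total_cents": 1800}
SAMPLE_MASTER = {"A100": 10000, "A200": 5000}
SAMPLE_ITEMS = [
    {"seq": 1, "account": "A100", "cents": 500},
    {"seq": 2, "account": "A200", "cents": 300},
    {"seq": 3, "account": "A999", "cents": 700},   # unknown account
    {"seq": 5, "account": "A100", "cents": 300},   # seq 4 is missing
]
```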
Automated output controls help ensure systems securely maintain and properly distribute processed information. Examples of automated output controls include:
- Batch Logs - Batch logs record batch totals. Recipients of distributed output verify the output against processed batch log totals.
- Distribution Controls - Distribution controls help ensure output is only distributed to authorized individuals. Automated distribution lists and access restrictions on information stored electronically or spooled to printers are examples of distribution controls.
- Destruction Controls - Destruction controls help ensure electronically distributed and stored information is destroyed appropriately by overwriting outdated information or demagnetizing (degaussing) disks and tapes. Refer to the IT Handbook's "Information Security Booklet" for more information on disposal of media.