Application controls are a necessary part of online banking because they ensure that the input, processing and output of sensitive data are complete, accurate, authorized and valid. Online banking and ATMs require manual and automatic application controls, which operate at the business level. The following ten application controls help to achieve smooth procedures.
1. System Generated Notifications for Unusual Transactions
The computer system sends notifications that flag transactions not typically made by the customer. An example of an unusual transaction could be making large online purchases from unknown vendors. This is an authorization mechanism because transactions are brought to the attention of bank employees to ensure that they were authorized before being processed. After the notification is sent, the bank should contact clients to verify these transactions using email or SMS for early detection.
The auditor should make an unusual transaction at random through a test account to determine whether the notification system alerts bank employees. Making strange purchases or transferring money to unknown vendors would prompt a notification. The auditor should observe that only authorized personnel are overriding the notification and that the system generates notifications in a timely manner after this false transaction occurs. Logs should be checked to ensure that data about the false transaction, such as date, location and amount, is correctly generated by the application.
2. Missing Data Check (i.e., All Mandatory Fields Are Filled In)
The objective of this control is to prevent incorrect information from being processed and recorded on the bank’s networks. Users often leave data fields blank when completing banking forms or processing online transactions. This tool ensures all data processed is complete and accurate: when data is missing, the user is redirected to highlighted fields indicating what information is wrong. Data entry screens should be user friendly, showing the user examples of how data should be formatted and where they can find the information requested. A summary screen should be presented before submission. Upon completion, a ticket number should be issued for reference.
The application should accept valid data and reject data that is incorrect. An auditor can test this by using a dummy account and attempting to submit forms with incomplete and incorrect data. The system should detect missing data, and the application should notify the auditor which fields are invalid, indicating whether this tool is functioning properly. For example, letters can be entered in the bank card number field on the online form, and the application should not accept the submission of letters. Data submission tests will indicate how functional the control is.
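The missing data check and the auditor's dummy-account test described above can be sketched as server-side validation. This is an added example, not code from the original article; the form fields, their formats and the ticket format are assumptions chosen for illustration.

```python
import re
import secrets

# Hypothetical transfer form: field name -> (format rule, hint shown beside the field).
# Field names and formats are assumptions for this example.
FIELD_RULES = {
    "card_number": (re.compile(r"[0-9]{16}"), "16 digits, no spaces or letters"),
    "payee_account": (re.compile(r"[0-9]{8,12}"), "8 to 12 digits"),
    "amount": (re.compile(r"[0-9]{1,7}(\.[0-9]{2})?"), "e.g. 125.00"),
    "transfer_date": (re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}"), "YYYY-MM-DD"),
}


def validate_form(form):
    """Return {field: reason} for every mandatory field that is missing or malformed."""
    errors = {}
    for field, (pattern, hint) in FIELD_RULES.items():
        value = form.get(field)
        value = value.strip() if isinstance(value, str) else ""
        if not value:
            errors[field] = "missing: this field is mandatory"
        elif not pattern.fullmatch(value):
            errors[field] = f"invalid format, expected {hint}"
    return errors


def submit_form(form):
    """Reject incomplete input before processing; issue a ticket only on success."""
    errors = validate_form(form)
    if errors:
        # Nothing is processed or recorded; the UI highlights these fields.
        return {"accepted": False, "highlight": errors, "ticket": None}
    ticket = "TKT-" + secrets.token_hex(4).upper()  # reference number for the customer
    return {"accepted": True, "highlight": {}, "ticket": ticket}


if __name__ == "__main__":
    # Constructed auditor test cases, submitted as if from a dummy account.
    valid = {"card_number": "4000123412341234", "payee_account": "123456789",
             "amount": "125.00", "transfer_date": "2024-05-01"}
    cases = {
        "complete form": valid,
        "letters in card number": {**valid, "card_number": "4000ABCD12341234"},
        "blank amount, no date": {**valid, "amount": "  ", "transfer_date": None},
    }
    for name, form in cases.items():
        print(name, "->", submit_form(form))
```

Running the validation on the server matters for the audit: a check that exists only in the browser form can be bypassed by submitting the request directly.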
3. Exception Report
An exception report lists all errors and invalid transactions and is used as a completeness check when processing data. For...