What are Application Controls?
ISA 315.A156 distinguishes application controls from ITGCs by scope. ITGCs govern the IT environment as a whole. Application controls operate within a specific program or module and act on individual transactions. Examples include a three-way match in accounts payable, automated revenue recognition calculations based on contract terms, input validation checks that reject entries outside defined ranges, and automated journal posting rules.
The consistency advantage is significant. ISA 315.A157 notes that automated controls can be expected to function consistently unless the system configuration is changed. A properly configured three-way match applies the same logic to every purchase order, goods receipt, and invoice. This consistency is what allows smaller sample sizes compared to manual controls — you are testing whether the control is correctly configured rather than whether a person applied it correctly each time.
However, application controls do not stand alone. ISA 315.26(b) establishes that ITGC evaluation is a precondition for placing reliance on application controls. If unauthorised users can modify system configurations, the consistency assumption breaks down. The application control may still be running, but you cannot trust that it is running the way it was designed.
Override populations are a blind spot that ISA 315.A158 addresses directly. Most application controls allow authorised overrides — a manager can force a payment past a matching exception, or post a journal that bypasses validation. The control test is incomplete without reviewing the override population to assess whether overrides were appropriate and within policy.
Key Points
- Application controls operate at the transaction level within specific software applications.
- ITGC evaluation is a precondition — you cannot rely on application controls without first testing the ITGCs that support them.
- Automated controls allow smaller sample sizes because they apply the same logic consistently (ISA 315.A157).
- Override populations must be reviewed — the control test is incomplete without them.
Why it matters in practice
The most common error is testing application controls without first completing the ITGC evaluation. Teams document that the three-way match is operating effectively but have not assessed whether access controls prevent unauthorised changes to matching tolerances. The application control conclusion is unsupported.
Override populations are the second blind spot. Teams test whether the automated control works on a sample of transactions but do not pull the override report to see how many transactions bypassed the control entirely. If 15% of payments were manually forced past the matching exception, the control is not providing the coverage the file claims.
ISA 315.A159 adds a further layer: IT-dependent manual controls. These are controls where the person relies on system-generated output to perform a manual step — for example, reviewing an exception report to follow up on unmatched items. Testing requires both verifying that the system produces the report correctly and that the manual review was performed. Testing only one half is insufficient.
Key standard references
- ISA 315.26(a)–26(b): Requires understanding of application controls and the ITGCs that support them.
- ISA 315.A156: Distinguishes application controls from ITGCs by scope.
- ISA 315.A157: Notes the consistency advantage of automated controls.
- ISA 315.A158: Addresses override populations and their audit relevance.
Related terms
Related reading
Frequently asked questions
Can you test application controls without testing ITGCs?
No. ISA 315.A150 requires evaluating ITGCs that support application controls before placing reliance. An application control test without a completed ITGC evaluation is incomplete.
Why do automated controls need fewer test items than manual controls?
ISA 315.A157 notes automated controls can be expected to function consistently unless configuration changes. Once properly configured, they apply the same logic to every transaction, allowing smaller sample sizes.