input controls audit
University of Nairobi
School of Computing and Informatics
CSC 452: INFORMATION SYSTEMS AUDIT
INPUT CONTROLS ASSIGNMENT
NAIROBI SECURITIES EXCHANGE
Kelvin Wahome Macharia
P15/1446/2012
© February 2016
INPUT CONTROL AUDIT OF NSE PORTAL
Link to the system: https://www.nse.co.ke/
Introduction
Components in the input subsystem are responsible for bringing both data and instructions into
the IS. Both types of input must be validated and any errors detected must be controlled so that
input resubmission is accurate, complete, unique and timely.
For auditors, input controls are critical because:
- In most IS the largest number of controls exist in the input subsystem, therefore auditors
  will spend substantial time assessing the reliability of input controls.
- Input subsystem activities are error prone because they involve large amounts of routine,
  monotonous human intervention.
- The input subsystem is often the target of fraud, e.g. addition, deletion or alteration of
  input transactions.
Existing Input Controls
Input controls are types of application controls in an information system that ensure data
remains valid, accurate and complete during input. This paper is a report following the audit of
input controls for the Nairobi Securities Exchange Portal. The IS under audit mainly uses direct
entry, in the form of on-screen forms, for its data input. Below are some of the observed input
controls that exist in the aforementioned IS:
a) Data entry screen design – Screen design quality is paramount to minimize input errors
that may arise as a result of difficulties with input fields. The NSE information system
audited has data elements organized into functional groups, and boxes are used to highlight
certain groupings of data elements. In addition, screens are broken at logical points where
multiple screens are required to record entries, and captions are used to indicate the nature
of the data to be entered. Below is a screen grab showing these elements of input controls:
Figure 1: Login and register screens side by side. The register box is broken down into
logical points that are highlighted in different colors, and captions are used to
communicate the nature of the data expected.
b) User authentication and input authorization – This is the verification of the authenticity
of the information system user entering or consuming information, as well as the determination
of their access rights and privileges (authorization) to perform input operations on the
information system. The Nairobi Securities Exchange information system uses a password-based
login authentication scheme that grants access to users who are registered. Once
logged in, a user is authorized to perform several input actions that the system provides.
Figure 2: The Nairobi Securities Exchange Portal login panel. A user provides their
credentials, which allow them to be authenticated. Atop the login and register boxes,
there is a message that shows how this IS uses user authentication and input authorization
as an input control measure.
c) Input accuracy and validation – Verifying that the inputs provided are in the accepted
format or manner. The Nairobi Securities Exchange system has input validation controls
that ensure data capturing forms only accept valid inputs. For instance, the system does
not allow null inputs on fields that are mandatory.
Figure 3: An input form prompting a user to provide data for a mandatory field
d) Select options – It is sometimes prudent to provide options rather than leave inputs to
the discretion of the user. Where plausible patterns and predictable inputs exist, select
options are recommended because uniformity and accuracy will be guaranteed. The NSE
Portal uses select options for certain inputs like dates and durations, as demonstrated
below:
Figure 4: Select options for the NSE Share price duration to query. This provides choices
for the user to pick from.
e) Error reporting and handling – This is the determination of errors at the point of input to
ensure that data accepted into the information system is as error free as possible.
However, this does not stop at identifying errors in input. It also encompasses handling
such errors and pointing them out to users so that they can correct them.
The Nairobi Securities Exchange information system has validated input forms that check
for errors to ensure input data conforms to the expected standard. In addition, error
messages explaining the location of errors and how to possibly correct them are posted
at the top of the form, and the input fields with errors are highlighted, as depicted by the
screenshot attached below.
Figure 5: Error message explaining the cause of the error and a possible corrective
measure
Observed Weaknesses and Possible Remedies
1. Some of the data input screens have many data elements that are hard to keep track of
when a user is scrolling down. In addition, the submit button is placed at the end of the
form, which means a user does not see certain input fields as they press it. This increases
the chances of submitting forms with errors.
Figure 6: The register form is so long that a user has to scroll down to click the
submit button.
Remedy
A solution to this would be to break up such input elements into logical sub-screens to
avoid cluttering while allowing easy tracking of elements.
2. Errors on input forms are posted collectively atop the form. While different and
eye-catching colors give them visibility, this puts a memory burden on the user as they have
to read them all first and then correct the errors on the individual input fields.
Figure 7: Input errors are displayed collectively at the top of input forms
Remedy
A remedy to this would be to have errors posted on the input fields where they have
occurred so that a user has no burden trying to remember what error occurred where.
This means highlighting the input fields with errors and placing the message containing the
cause of the error, as well as corrective measures, alongside each such field.
3. The location of some of the input screens increases the chances of errors occurring. For
instance, some of the input screens are surrounded by tons of other information that may
steal the user’s attention.
Figure 8: The “subscribe to trading reports” screen is placed at the bottom right corner
surrounded by a lot of other information making it hard to see.
Remedy
A possible remedy to this is to have it as a link in the navigation section that leads to a
different page with the subscribe input form once clicked.
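
Added example (not part of the original report and not the NSE portal's code): a sketch of controls c), d) and e) together with the remedy for weakness 2, as a server-side validator that rejects blank mandatory fields, accepts only listed select options, and returns each error keyed to the field it belongs to. The field names, option values and rules are assumptions made for illustration.

```python
# Added illustration: field names, rules and option values are assumptions,
# not taken from the NSE portal.
import re

DURATION_OPTIONS = {"1W", "1M", "3M", "1Y"}   # constructed select-option values
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Each rule: (field, mandatory, check, corrective message)
RULES = [
    ("full_name", True, lambda v: len(v) <= 100, "Use at most 100 characters."),
    ("email", True, lambda v: EMAIL_RE.match(v) is not None,
     "Enter an address such as name@example.com."),
    ("duration", True, lambda v: v in DURATION_OPTIONS,
     "Pick one of the listed durations."),
    ("phone", False, lambda v: re.fullmatch(r"\+?\d{7,15}", v) is not None,
     "Use digits only, optionally starting with +."),
]
KNOWN_FIELDS = {rule[0] for rule in RULES}


def validate_form(form):
    """Return (clean, errors); errors maps each failing field to its message."""
    clean, errors = {}, {}
    for field, mandatory, check, hint in RULES:
        raw = form.get(field)
        # Non-string or whitespace-only input counts as a null input.
        value = raw.strip() if isinstance(raw, str) else ""
        if not value:
            if mandatory:
                errors[field] = "This field is mandatory."
            continue
        if not check(value):
            errors[field] = hint
            continue
        clean[field] = value
    # Reject fields the form never offered instead of silently storing them.
    for field in form:
        if field not in KNOWN_FIELDS:
            errors[field] = "Unexpected field."
    return clean, errors


if __name__ == "__main__":
    # Constructed submission: blank mandatory field and an unlisted select value.
    sample = {"full_name": "  ", "email": "jane@example.com", "duration": "10Y"}
    clean, errors = validate_form(sample)
    for field, message in errors.items():
        print(f"{field}: {message}")   # rendered next to its field, not in a top banner
```

Because the select-option check runs on the submitted value rather than relying on the drop-down alone, an option that was never offered is rejected in the same way as a malformed free-text input.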