This memo outlines the assumptions and decision criteria used to scope the documentation efforts around application security.

In this sample, management classified application security as a high-risk process. Management evaluated several attributes and concluded that the process holds the following attributes: highly dependent on manual intervention, has a lack of segregation of duties in key tasks, is moderately people dependent, and involves a moderate level of judgment or assumption. In addition, management considers application security an IT entity–wide process and therefore its control environment affects all financial statement elements.