INTERNAL CONTROL IN THE COMPUTER INFORMATION SYSTEM
I Review Questions
1 The proper installation of IT can lead to internal control enhancements by replacing manually-performed controls with computer-performed controls. IT-based accounting systems have the ability to handle tremendous volumes of complex business transactions cost effectively. Computer-performed controls can reduce the potential for human error by replacing manual controls with programmed controls that apply checks and balances to each transaction processed. The systematic nature of IT offers greater potential to reduce the risk of material misstatements resulting from random, human errors in processing. The use of IT-based accounting systems also offers the potential for improved management decisions by providing more and higher quality information on a more timely basis than traditional manual systems. IT-based systems are usually administered effectively because the complexity requires effective organization, procedures, and documentation. That in turn enhances internal control.
2 When entities rely heavily on IT systems to process financial information, there are new risks specific to IT environments that must be considered. Key risks include the following:
Reliance on the functioning capabilities of hardware and software. The risk of system crashes due to hardware or software failures must be evaluated when entities rely on IT to produce financial statement information.
Visibility of audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail, eliminating source documents and paper-based journals and records.
Reduced human involvement. The replacement of traditional manual processes with computer-performed processes reduces opportunities for employees to recognize misstatements resulting from transactions that might have appeared unusual to experienced employees.
Systematic versus random errors. Due to the uniformity of processing performed by IT-based systems, errors in computer software can result in incorrect processing for all transactions processed. This increases the risk of many significant misstatements.
Unauthorized access. The centralized storage of key records and files in electronic form increases the potential for unauthorized on-line access from remote locations.
Loss of data. The centralized storage of data in electronic form increases the risk of data loss in the event the data file is altered or destroyed.
Reduced segregation of duties. The installation of IT-based accounting systems centralizes many of the traditionally segregated manual tasks into one IT function.
Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.
Need for IT experience. As companies rely to a greater extent on IT-based systems, the need for personnel trained in IT systems increases in order to install, maintain, and use systems.
3 General controls relate to all aspects of the IT function. They have a global impact on all software applications. Examples of general controls include controls related to the administration of the IT function; software acquisition and maintenance; physical and on-line security over access to hardware, software, and related backup; back-up planning in the event of unexpected emergencies; and hardware controls. Application controls apply to the processing of individual transactions. An example of an application control is a programmed control that verifies that all time cards submitted are for valid employee ID numbers included in the employee master file.
4 The most significant separations of duties unique to computer systems are those among the functions performed by the systems analyst, programmer, computer operator, and database administrator. The idea is that anyone who designs a processing system should not also do the technical work, and anyone who performs either of these tasks should not also be the computer operator when real data is processed.
5 Typical duties of personnel:
a Systems analysis: Personnel will design and direct the development of new applications.
b Programming: Other personnel will actually do the programming dictated by the system design.
c Operating: Other people will operate the computer during processing runs, so that programmers and analysts cannot interfere with the programs designed and executed, even if they produce errors.
d Converting data: Since this is the place where misstatements and errors can be made (the interface between the hardcopy data and the machine-readable transformation), people unconnected with the computer system itself do the data conversion.
e Library-keeping: Persons need to control others' access to system and program software so it will be used by authorized personnel for authorized purposes.
f Controlling: Errors always occur, and people not otherwise connected with the computer system should be the ones to compare input control information with output information, provide for correction of errors not involving system failures, and distribute output to the people authorized to receive it.
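The incompatibilities described in questions 4 and 5 can be expressed as a conflict table and checked mechanically against a staffing list. The following is an added example, not part of the original answer key; the role names, the conflict pairs derived from the two answers, and the staffing table are constructed for illustration.

```python
"""Segregation-of-duties check for the IT roles in review questions 4 and 5.

Added example, not part of the original answer key.  Role names and the
staffing table are constructed for illustration.
"""
from itertools import combinations

# Roles "connected with the computer system" (Q5 a, b, c, e) versus the roles
# that Q5 d and f say must be staffed by people who are not.
SYSTEM_ROLES = {"systems_analyst", "programmer", "operator", "librarian"}
INDEPENDENT_ROLES = {"data_conversion", "control_group"}

# Q4: design vs. programming, and either of those vs. operating.
CONFLICT_PAIRS = {
    frozenset({"systems_analyst", "programmer"}),
    frozenset({"systems_analyst", "operator"}),
    frozenset({"programmer", "operator"}),
}
# Q5 d and f: data conversion and the control function are independent of every system role.
for _indep in INDEPENDENT_ROLES:
    for _sys in SYSTEM_ROLES:
        CONFLICT_PAIRS.add(frozenset({_indep, _sys}))


def sod_violations(assignments):
    """Return sorted (person, role_a, role_b) tuples for every incompatible pair one person holds.

    assignments: mapping person -> iterable of role names.
    """
    findings = []
    for person, roles in assignments.items():
        for a, b in combinations(sorted(set(roles)), 2):
            if frozenset({a, b}) in CONFLICT_PAIRS:
                findings.append((person, a, b))
    return sorted(findings)


# Constructed staffing table for a small installation.
STAFF = {
    "alice": ["systems_analyst"],
    "bob": ["programmer", "operator"],        # Q4: a programmer must not run production
    "carol": ["operator"],
    "dave": ["control_group", "librarian"],   # Q5 f: the control function must be independent
    "erin": ["data_conversion"],
}

if __name__ == "__main__":
    for person, a, b in sod_violations(STAFF):
        print(f"{person}: holds incompatible roles {a} and {b}")
```

The check reports bob (programmer and operator) and dave (control group and librarian); the other three assignments are compatible. In a real installation the staffing table would come from the access-control system rather than a literal.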
6 Documentation differs significantly as to inclusion of program flowcharts, program listings, and technical operating instructions. File security and retention differs because of the relatively delicate form of the magnetic media, requiring fireproof vault storage, insulation from other magnetic fields, safeguards from accidental writing on data files, and so forth.
7 Auditors review documentation to gain an understanding of the system and to determine whether the documentation itself is adequate for helping manage and control the computer processing
8 Responsibilities of the database administrator (DBA) function are:
• Design the content and organization of the database, including logical data relationships, physical storage strategy and access strategy
• Protect the database and its software, including control over access to and use of the data and DBMS and provisions for backup and recovery in the case of errors or destruction of the database
• Monitor the performance of the DBMS and improve efficiency
• Communicate with the database users, arbitrate disputes over data ownership and usage, educate users about the DBMS and consult users when problems arise
• Provide standards for data definition and usage and documentation of the database and its software
9 Five things a person must have access to in order to facilitate computer fraud are:
a The computer itself
b Data files
c Computer programs
d System information (documentation)
e Time and opportunity to convert assets to personal use
10 Because many companies that operate in a network environment decentralize their network servers across the organization, there is an increased risk for a lack of security and lack of overall management of the network operations. The decentralization may lead to a lack of standardized equipment and procedures. In many instances responsibility for purchasing equipment and software, maintenance, administration, and physical security often resides with key user groups rather than with features, including segregation of duties, typically available in traditionally centralized environments because of the ready access to software and data by multiple users.
II Multiple Choice Questions
III Comprehensive Cases
Case 1 Does access to on-line files require specific passwords to be entered to identify and validate the terminal user?
POSSIBLE ERRORS OR IRREGULARITIES: unauthorized access may be obtained to processing programs or accounting data, resulting in the loss of assets or other company resources.
Are control totals established by the user prior to submitting data for processing?
POSSIBLE ERRORS OR IRREGULARITIES: sales transactions may be lost in data conversion or processing, or errors made in data conversion or processing.
Are input totals reconciled to output control totals?
POSSIBLE ERRORS OR IRREGULARITIES: (same as above). Control totals are useless unless reconciled to equivalent controls created during processing.
Case 2 a 1 Input control objectives
Transactions have been recorded properly (neither double-counted nor omitted; that is, control over validity and completeness).
Transactions are transmitted from recording point to processing point.
Transactions are in acceptable form.
2 Processing control objectives
Loss or nonprocessing of data is detected.
Arithmetic functions are performed accurately.
Transactions are posted properly.
Errors detected in the processing of data are controlled until corrected and processed.
3 Output control objectives
Processed data are reported correctly and without unauthorized alteration.
Output is required by the user.
Output is distributed only to persons authorized to receive it.
b 1 Control procedures – input source data
Registration at point of entry
Sequential numbering
Grouping (batching) with control totals
Key verification
Programmed edits
Edits for completeness and reasonableness
Checklists to ensure input arrived and on time
2 Control procedures – processing controls
Prevention of loss or nonprocessing of data (e.g., control totals)
Performance of arithmetic functions
Assurance of proper posting (sample test of postings)
Correction of errors
Exclusion of unauthorized persons from operating areas (e.g., programmers)
3 Control procedures – output controls
Review performed by originating area of the reports and other output data
Sampling and testing of individual transactions
Use of control totals obtained independently from prior processing or original source data
Distribution lists used to route output only to authorized persons
Making inquiries as to whether the output is desired by the recipient
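Batch control totals, which Case 1 requires the user to establish before submission and Case 2 lists as an input, processing and output procedure, are worth seeing in working form. The following is an added example, not part of the original answer key: the transaction layout, the field names, the choice of customer number as the hash-total field and the sample batch are all constructed for illustration. A record count, a financial total and a hash total are computed by the user, then recomputed from the processed output and reconciled; a lost record and a mis-keyed customer number are both caught.

```python
"""Batch control totals established before submission (Case 1) and reconciled to
totals recomputed from processed output (Case 2 b.1, b.2, b.3).

Added example, not part of the original answer key.  The transaction layout,
field names and sample batch are constructed for illustration.
"""
from decimal import Decimal


def control_totals(transactions):
    """Record count, financial total of `amount`, and a hash total of customer numbers.

    A hash total sums a field that is meaningless as a sum; it exists only to
    catch a substituted or mis-keyed record that leaves the amount total unchanged.
    """
    return {
        "record_count": len(transactions),
        "amount_total": sum((t["amount"] for t in transactions), Decimal("0")),
        "hash_total": sum(t["customer_no"] for t in transactions),
    }


def reconcile(expected, actual):
    """Compare user-established totals with totals recomputed from processed output.

    Returns (total_name, expected, actual) for each mismatch; an empty list means the batch reconciles.
    """
    return [(k, expected[k], actual[k]) for k in expected if expected[k] != actual[k]]


# Constructed batch of sales transactions about to be submitted by the user department.
BATCH = [
    {"doc_no": 1001, "customer_no": 40217, "amount": Decimal("125.00")},
    {"doc_no": 1002, "customer_no": 40388, "amount": Decimal("980.50")},
    {"doc_no": 1003, "customer_no": 40121, "amount": Decimal("42.75")},
]


def simulate_processing(batch, drop_doc=None, swap_customer=None):
    """Stand-in for the processing run; the optional faults model the errors Case 1 warns about."""
    out = []
    for t in batch:
        if t["doc_no"] == drop_doc:
            continue  # transaction lost in data conversion or processing
        t = dict(t)
        if swap_customer and t["doc_no"] == swap_customer[0]:
            t["customer_no"] = swap_customer[1]  # keyed to the wrong customer
        out.append(t)
    return out


if __name__ == "__main__":
    user_totals = control_totals(BATCH)
    print("clean run:     ", reconcile(user_totals, control_totals(simulate_processing(BATCH))))
    print("lost record:   ", reconcile(user_totals, control_totals(simulate_processing(BATCH, drop_doc=1002))))
    print("wrong customer:", reconcile(user_totals, control_totals(
        simulate_processing(BATCH, swap_customer=(1003, 40112)))))
```

The mis-keyed customer number changes neither the record count nor the amount total, so only the hash total exposes it; that is why Case 2 lists batching "with control totals" in the plural.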
Case 3 a The primary internal control objectives in separating the programming and operating functions are achieved by preventing operator access to the computer or to input or to output documents, and by preventing operator access to operating programs and operating program documentation, or by preventing operators from writing or changing programs.
Programmers should not be allowed in the computer room during production processing. They should submit their tests to be scheduled and run by the operators as any other job.
Operators should not be allowed to interfere with the running of any program. If an application fails, the operators should not be allowed to attempt to fix the programs. The failed application should be returned to the programmers for correction.
b Compensating controls usually refer to controls in user departments (departments other than computer data processing). In a small computer installation where there are few employees, segregation of the programming and operating functions may not be possible (as in a microcomputer or minicomputer environment). An auditor may find compensating controls in the user department such as: (1) manual control totals compared to computer output totals and (2) careful inspection of all output. Such compensating controls in a simple processing system could provide reasonable assurance that all transactions were processed, processing was proper and no unauthorized transactions were processed.
An auditor may find the following compensating controls that are particularly important when the programming and operating functions are not separate:
1 Joint operation by two or more operators
2 Rotation of computer duties
3 Comparison of computer times to an average or norm
4 Investigation of all excess computer time (errors)
5 Adequate supervision of all computer operations
6 Periodic comparison of a program code value to a control value
7 Required vacations for all employees
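Item 6 above, periodic comparison of a program code value to a control value, is the control that detects an unauthorized program change when programmers and operators are not separated. The following is an added example, not part of the original answer key: it uses a cryptographic digest as the "code value", and the control register and the sample program library are constructed for illustration.

```python
"""Periodic comparison of a program code value to a control value (Case 3 b, item 6).

Added example, not part of the original answer key.  A SHA-256 digest serves as
the code value; the baseline register and sample program text are constructed.
"""
import hashlib


def code_value(program_bytes):
    """Digest of the program as stored; any change to the code changes this value."""
    return hashlib.sha256(program_bytes).hexdigest()


def establish_control_values(programs):
    """The control group records one control value per program at an authorized baseline.

    programs: mapping program name -> bytes of the authorized version.
    """
    return {name: code_value(data) for name, data in programs.items()}


def periodic_check(programs, control_values):
    """Recompute each code value; report programs whose value differs from, or is absent from, the register."""
    findings = {}
    for name, data in programs.items():
        expected = control_values.get(name)
        if expected is None:
            findings[name] = "not in control register"
        elif code_value(data) != expected:
            findings[name] = "code value differs from control value"
    return findings


# Constructed program library at the time the control values were established.
AUTHORIZED = {
    "payroll.cbl": b"COMPUTE GROSS = HOURS * RATE.\n",
    "sales.cbl": b"IF AMOUNT > CREDIT-LIMIT PERFORM REJECT.\n",
}


def altered_library():
    """Constructed later state: one program changed, one unregistered program present."""
    lib = dict(AUTHORIZED)
    lib["payroll.cbl"] = b"COMPUTE GROSS = HOURS * RATE * 1.1.\n"
    lib["util.cbl"] = b"DISPLAY 'HELLO'.\n"
    return lib


if __name__ == "__main__":
    register = establish_control_values(AUTHORIZED)
    for name, finding in periodic_check(altered_library(), register).items():
        print(f"{name}: {finding}")
```

The register itself must be kept by someone other than the programmers (the library-keeping or control function from question 5), otherwise the person who changes a program can also update the value it is compared against.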
Case 4 a Input editing is the process of including, in EDP systems, programmed routines for computer checking as to validity and accuracy of input. Types of input editing controls are: tests for valid codes; tests for reasonableness; completeness tests; check digits; and tests for consistency of data entered in numeric and alphabetic fields.
b Examples of payroll input editing controls are:
Test for validity of employee number;
Test for proper pay rate;
Test for reasonableness of hours worked
Examples of sales input editing controls are:
Test for validity of customer number;
Test for credit approval;
Credit limit test;
Sales price list
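The payroll edits listed in Case 4 b, together with the time-card application control from review question 3 (valid employee ID in the master file), can be written as one edit routine run on each card before processing. The following is an added example, not part of the original answer key: the master file layout, the time-card fields, the use of a Luhn mod-10 check digit as the last digit of the employee number, and the 0 to 60 hour reasonableness range are all constructed assumptions.

```python
"""Payroll input editing controls (Case 4 b) plus the time-card validity check
from review question 3, applied to each card before processing.

Added example, not part of the original answer key.  The master file, card
layout, Luhn check digit and 0-60 hours range are constructed assumptions.
"""
from decimal import Decimal, InvalidOperation

MAX_WEEKLY_HOURS = Decimal("60")  # assumed reasonableness limit

# Constructed employee master file: employee number (last digit is a Luhn check digit) -> authorized rate.
MASTER_FILE = {
    "12344": {"name": "Adams", "rate": Decimal("18.50")},
    "56788": {"name": "Baker", "rate": Decimal("22.00")},
    "24687": {"name": "Chen", "rate": Decimal("31.25")},
}

REQUIRED_FIELDS = ("employee_no", "rate", "hours")


def luhn_valid(number):
    """Mod-10 check digit test; catches single-digit keying errors and most transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_time_card(card):
    """Run the input edits on one time card; return the list of edit failures (empty = accepted)."""
    errors = []
    # Completeness test
    missing = [f for f in REQUIRED_FIELDS if card.get(f) in (None, "")]
    if missing:
        return [f"missing field(s): {', '.join(missing)}"]
    emp = str(card["employee_no"])
    # Consistency test: the employee number field must be numeric
    if not emp.isdigit():
        return [f"employee number {emp!r} is not numeric"]
    # Check digit test
    if not luhn_valid(emp):
        errors.append(f"employee number {emp} fails check digit")
    # Validity test against the master file (the Q3 application control)
    master = MASTER_FILE.get(emp)
    if master is None:
        errors.append(f"employee number {emp} not in master file")
    # Consistency test: rate and hours must be numeric
    try:
        rate, hours = Decimal(str(card["rate"])), Decimal(str(card["hours"]))
    except InvalidOperation:
        errors.append("rate and hours must be numeric")
        return errors
    # Proper pay rate: must equal the authorized rate on the master file
    if master is not None and rate != master["rate"]:
        errors.append(f"pay rate {rate} differs from master file rate {master['rate']}")
    # Reasonableness of hours worked
    if not (Decimal("0") <= hours <= MAX_WEEKLY_HOURS):
        errors.append(f"hours {hours} outside reasonable range 0-{MAX_WEEKLY_HOURS}")
    return errors


# Constructed batch of time cards.
CARDS = [
    {"employee_no": "12344", "rate": "18.50", "hours": "40"},  # clean
    {"employee_no": "12345", "rate": "18.50", "hours": "40"},  # mis-keyed: check digit and validity fail
    {"employee_no": "56788", "rate": "25.00", "hours": "95"},  # rate differs from master, hours unreasonable
    {"employee_no": "24687", "rate": "31.25"},                 # hours omitted
]

if __name__ == "__main__":
    for card in CARDS:
        print(card.get("employee_no"), "->", edit_time_card(card) or "accepted")
```

Taking the rate from the card and rejecting it when it differs from the master file, rather than trusting the card, is what makes "test for proper pay rate" a control rather than a lookup: the card cannot introduce a rate the master file does not authorize.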
c As EDP system complexity increases, documentation, as well as manual checking, decreases. To provide reasonable assurance as to completeness, existence, and accuracy of processed transactions under these circumstances, input editing becomes increasingly necessary.
Case 5 a Most commonly associated with supervisory programs contained in on-line real-time systems, design phase auditing involves the auditor in system design. The goal is to ensure inclusion of controls that will detect exceptions or unusual conditions and record and log information about the initiating transactions. Once the necessary controls have been designed and incorporated into the system, frequent visits by the auditor to the client's premises are necessary to determine that the controls are functioning properly.
b Some individuals and groups have suggested that independence may be impaired, given auditor monitoring and reviewing of a system which he/she has helped to design. The AICPA has taken the position that making control recommendations during system design is no different from auditor recommendations for control improvements made after the fact and documented in the management letter.
c In some complex EDP systems, a computer audit specialist may be needed to assist in designing the necessary controls, as well as monitoring and reviewing the control functions. A computer audit specialist is an employee of the CPA firm who, typically, will have served on the audit staff for a period of time, followed by specialized training in computer system design and control, and EDP auditing.
d The auditor may rely on the computer audit specialist to whatever degree considered necessary to assure proper control installation and implementation. The in-charge field auditor must keep in mind, however, that use of a computer audit specialist does not compensate for the field auditor's lack of understanding of the internal control, including the EDP applications.