Chapter 08 - Consideration of Internal Control in an Information Technology Environment

CHAPTER 8

Consideration of Internal Control in an

Information Technology Environment

Review Questions
8-1

System software monitors and controls hardware and provides other support to application
programs. The computer's operating system and utility programs are important components of
system software. Application software consists of programs that perform specific tasks, such as
updating the accounts receivable master file.

8-2

End user computing makes the user responsible for the development and execution of the IT
application that generates the information employed by that same user. In end user computing a
user frequently uses off-the-shelf software on a personal computer (work station). A distributed
data processing network uses communication links to share centralized data and programs among
various users in remote locations throughout the organization.

8-3

A local area network interconnects computers within a limited area, typically a building or a small
cluster of buildings.

8-4

User control activities are procedures applied by users to test the accuracy and reasonableness of
computer output. Manual application control activities typically involve information system
employee follow-up of items listed on computer exception reports.

8-5

Internal labels are machine readable messages at the beginning and end of a tape or disk file. The
header label, at the beginning, identifies the file and its creation date, and the trailer label marks the
end of the file and usually includes one or more control totals. External labels are gummed paper
labels placed on the outside of a tape or disk pack to identify its contents. Both internal and
external labels are designed to prevent computer operators from processing the wrong files.

8-1

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-6

The term general control activities is used to describe controls that apply to all or many IT
systems in an organization. General control activities include controls over the development of
programs and systems, controls over changes to programs and systems, controls over computer
operations, and controls over access to programs and data.
Application control activities are controls that apply to specific computer accounting tasks,
such as the updating of accounts receivable. This category includes programmed controls
embedded in computer programs and manual follow-up activities consisting of follow-up
procedures on computer exception reports.

8-7

No. While it is true that many duties that might be separated in a manual system are combined in
an information systems department, separation of duties is still an important means of achieving
internal control. The separation of duties in an information systems department follows a
somewhat different pattern than in a manual system. In the latter, duties are separated to enable
independent records to be maintained and reconciled. In an information systems department, many
records can be maintained and reconciled by computer. However, separation of duties is necessary
so that no one employee is in a position to make unauthorized changes in programs or data files.
This is accomplished largely through separation of responsibilities for programming, computer
operations, and custody of programs and files.
Several traditional separations of duties are also applicable to IT systems. Since the
computer performs largely a recordkeeping function, information systems personnel should not
have custody of, or control over, assets. Also, information systems personnel should not authorize
or initiate transactions. When transactions are initiated elsewhere in the organization, an
independent record is usually created which establishes control over the information systems
department.

8-8

An online, real-time system is one in which input devices are in direct (online) communication with
the computer and all relevant files are instantaneously updated (real-time) by input data.

8-9

Documentation in an information systems department consists of an orderly description of the

system and procedures used in all data processing tasks, so that a complete historical record exists
of the use of documents, program changes, etc.
One important form of documentation is system documentation, describing an overall
processing system. System documentation includes system flowcharts and descriptions of the
nature of input, output, and operations controls. System documentation in the user's manual
describes the procedures for entering data, reviewing output, and reprocessing erroneous data.
The details of application programs should be described by program documentation,
including such elements as a description of the purpose of the program, program flowcharts,
operating instructions for processing the programs, and control sheets for approving programs and
changes in programs. Computer operators are provided with the operations manual, consisting of
one type of program documentationthe operating instructions for processing the program.
Auditors use the client's documentation in obtaining an understanding of internal control,
and in planning audit procedures that make use of the client's computer such as generalized audit
programs. Good documentation provides the auditors with much of the background necessary to
develop effective test data.

8-2

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-10

The minimum amount of segregation of duties in an information systems department requires that
programming be separate from the functions of operating the computer and controlling input to the
computer. Also, computer operators should not have custody or detailed knowledge of computer
programs.

8-11

The data control group is concerned with the day-to-day operation of controls, such as preparing
batch control totals, reviewing computer activity logs, reprocessing errors, and distributing output.
Internal auditors, on the other hand, do not usually perform routine control activities. Rather, they
test and evaluate the effectiveness of existing controls with the purpose of making
recommendations for improving the system. Internal auditors often participate in the design of
internal controls and subsequently monitor all aspects of the system, including administrative
controls and the activities of the data control group.

8-12

(a)
Record counts are totals that indicate the number of documents or transactions
processed; the record counts are compared with totals determined before processing. The
purpose of the record count control is to compare the computer-developed totals with the
predetermined totals to detect the loss or omission of transactions or records during
processing. Unauthorized transactions may also be detected by record counts.
(b)

The limit test control in the computer program compares the result of computer processing
against a minimum or maximum amount. The purpose of the limit test is to determine
whether certain predetermined limits have been exceeded. Violations are usually printed
out for follow-up action.

(c)

A validity test involves the comparison of data against a master file or table for accuracy.
For example, employee numbers may be compared with a master file of all valid
employees. The purpose of validity tests is to determine that only legitimate data is
processed.

(d)

Hash totals are sums of data that would ordinarily not be added, such as unit prices,
invoice numbers, etc. These items are added before processing for later comparison with a
total of the same items accumulated by the computer. The purpose of the hash total
control is to provide assurance that all, and only authorized, records were processed.

8-13

A system flowchart is an overall graphic representation of the flow of documents and operations in
the entire data processing application. A program flowchart, in contrast, is a representation of the
major steps and logic of a single computer program.

8-14

Data transmission controls include (only three required):

(1)

Parity checksA redundant bit added to data that may be used to verify the integrity of the
information as it is processed or transmitted.

(2)

Data encryptionA coding of data to make it difficult for unauthorized individuals to read
the information.

8-3

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(3)

Message acknowledgment techniquesTechniques to help ensure that the receiving device

receives a complete message. One such technique is an echo check in which the receiving
device sends a message that verifies a transmission back to the sending device.

(4)

Private linesTelephone lines that are owned or leased by an organization and are secure.

8-15

There is an increased risk of unauthorized use of workstations because the machines are located in
user work areas. To reduce this risk, system software should maintain a log of computer activities
for management review. Also, the workstation's operating system should require authorization
codes to be entered to gain access to menus that control specific programs and files. Use after
business hours may be prevented by locking away critical programs or replacing the computer
operating switch with a key lock.

8-16

Telecommunications is the electronic transmission of information by radio, wire, fiber optics,

microwave, laser and other electromagnetic systems. (For example, owners of two computers may
transmit information through the use of their computers, modems and fiber optics.)

8-17

In distributed data processing systems small business computers, located throughout the company,
are linked to a main computer. Users may access programs and files in the main computer and
perform limited data processing activities in their own departments.

8-18

Electronic data interchange is a system in which data are exchanged electronically between the
computers of different companies. The audit trail is affected in that "hard copy" source documents
(e.g., invoices, purchase orders, checks, bills of lading) are replaced with electronic transactions
created in a standard format.

8-19

While it is technically possible for an IT system to operate without leaving an audit trail, it is
improbable that this will ever occur in an actual system used by a business entity. Valid business
reasons exist for the deliberate inclusion of an adequate audit trail in even the most sophisticated IT
system. One reason is the practical need for a "management trail," equivalent to an audit trail,
which enables management to determine the status and effects of individual transactions. In
addition, the Internal Revenue Service and other government agencies require businesses to
maintain an audit trail permitting individual transactions to be traced back to their source or
forward to the summary totals. Also, businesses which are audited annually usually are anxious to
accommodate the needs of their independent auditors in order to reduce the time and cost of the
audit.

8-20

The auditors usually begin their consideration of internal control over IT activities with a review of
the general controls. This is an efficient approach since application control activities cannot be
effective in the absence of general control activities over all IT activities. When the auditors
discover that generally control activities are weak, they often decide it is unproductive to test
specific application control activities.

8-4

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-21

When using the tagging and tracing technique, the auditors tag input transactions with an indicator
before they are processed. A computer routine provides a printout of the steps used in processing
the tagged transactions. The auditors may then review the print-out for unauthorized processing
steps.

8-22

A computer service center provides data processing services to companies that do not have their
own computer facilities. The customer transmits input to the center, and the center processes the
data and provides the customer with computer output.
When a client uses a service center, the client's internal control interacts with controls
applied at the center. Accordingly, the auditors' understanding of the flow of transactions through
the accounting system must be based in part on an understanding of processing activities at the
service center. Also, if critical controls are applied at the service center, the auditors must obtain
evidence of operating effectiveness of such controls to support a reduced assessed level of control
risk.

Questions Requiring Analysis

8-23

8-24

The characteristics of a satisfactory plan of organization for an information systems department

are as follows:
(1)

The information systems department should have as much autonomy from major user
departments as is reasonably possible. One means of achieving this autonomy is to have
the information systems manager report directly to a vice president of information systems.
If information systems is a unit within the accounting department, the controller should not
have direct contact with computer operations.

(2)

Within the data processing portion of the information systems department there should be
physical and organizational separation of the computer processing unit, the library, and the
systems and programming units. Duties of the programmers and the operators should be
distinctly separated, and access to the computer center, programs and data should be
restricted to authorized persons.

(3)

A separate data control group should review the activities of the information systems
department.

Batch processing refers to a system in which source documents are collected into "batches" for
processing in sequence as one lot. Accumulation of batches means that processing takes place only
periodically. Thus, records and files are only as current as the data in the last batch processed.

8-5

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

In an online, real-time system (OLRT), input terminals are in direct (online) electronic
communication with the central processing unit. Data entered through these online terminals
causes instantaneous (real-time) updating of all relevant files. In an OLRT system, the results of
processing a transaction are immediately available and may even influence the completion of the
transaction. For example, if a credit sale is entered through an online terminal, the computer would
immediately notify the terminal user if that transaction caused the customer's account to exceed a
predetermined credit limit. In a batch processing system, the fact that the customer's credit limit
had been exceeded would not be known until the batch of credit sale documents containing that
transaction had been processed.
Internal control over input is more easily attained in a batch processing system than in an
OLRT system. The concept of a "batch" of input data permits such controls as accounting for the
numerical sequence of source documents, control totals, hash totals, and item counts. These input
controls provide substantial assurance that no data is omitted, added, transposed, or otherwise
misstated between the original recording of the transaction and the completion of processing. In an
OLRT system, these "batch controls" are no longer applicable. Also, if transaction data are entered
directly into terminals, there may be no "hard-copy" source documents for later reference if a
transaction is misprocessed.
As compensating controls in an OLRT system, access to terminals is limited to authorized
users, and the operating system should be programmed to maintain terminal activity logs to be
reviewed for unauthorized use. Also, input validation checks, such as validity tests and limit tests,
should be applied to data as it is entered. Still, these controls often are less effective than batch
controls in preventing omissions, additions, or misstatements of input data.
8-25

(a)
In general, personal computers are less flexible, slower at processing data, and
smaller in terms of storage capacity than larger computers.
(b)

8-26

Auditors are concerned with controls over personal computers whenever they are used by
the client to process or access financial data. In those situations, use of the personal
computers may affect the reliability of the client's financial information.

Other than test data, methods commonly used for testing processing controls in an IT system
include using an integrated test facility, controlled programs, program analysis, tagging and
tracing, and generalized audit software.
The integrated test facility approach uses a subsystem of dummy records and files built into
the regular data processing system. The auditors monitor the processing of test data, studying the
effects upon the dummy files, exception reports, and other output produced, and the follow-up of
exceptions by the data control group.
Controlled programs involve the processing of current data by using a duplicate program
that is held under the control of the auditors. The output is then compared to the output developed
by the client's copy of the program.
The program analysis technique involves the use of software that generates a flowchart of
the logic of the client's application programs that may then be reviewed by the auditors for
unauthorized program steps.
The tagging and tracing of transactions approach involves the selection of certain
transactions as they are entered into the system and using software to follow these transactions
throughout the various processing steps, each of which if normally printed. Unauthorized
processing steps may be detected by reviewing the listing.

8-6

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

Another approach to testing processing controls is processing selected input data using
generalized audit software and comparing the results to those obtained by the client's programs.
This approach, termed "parallel simulation," is similar to using controlled programs in that current
or historical live data may be tested without placing reliance upon the client's equipment or IT
personnel.
An inherent limitation in most of the testing methods described above is that agreement
between the client's processing results and those obtained by the auditors provides no assurance
that the client's system contains processing controls which would detect types of errors not present
in the selected input data. For this reason, auditors may use test data in conjunction with the other
testing methods.
8-27

8-28

Generalized audit software can be used to aid the auditor in examining accounts receivable in a
fully computerized system by performing such tasks as:
(a)

Examining records for quality, completeness, and valid conditions. For instance, customer
accounts might be scanned for account balances in excess of credit limits.

(b)

Rearranging data and performing analyses useful to the auditors. The audit software
might be used to arrange the accounts receivable file in the form of an aged trial balance to
assist in the evaluation of the allowance for doubtful accounts.

(c)

Selecting and printing confirmation requests. The program can include instructions to
select a sample of accounts receivable using any quantifiable selection criteria including a
statistical sample. Also, considerable time can be saved by having the computer print the
confirmation requests.

(d)

Comparing duplicate data maintained in separate files. For example, the changes in
accounts receivable during a given time period can be compared with the detail of credit
sales and cash receipts transactions files.

(e)

Comparing confirmation information with company records. For example, the computer
can be used to compare payment dates indicated on customer confirmations with client
cash receipts records.

An integrated test facility (ITF) is a testing subsystem that is built into the client's processing
system. The major advantage of using the technique is that it allows continuous testing of the
system. Also, test data is processed with actual data ensuring that the programs tested are the same
as those actually used to process transactions.
One disadvantage of the ITF approach is the possibility that personnel may manipulate real
data using the test system. Also, there is a risk that the client's real financial records may be
contaminated with the test data.

8-7

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-29

(a)
When a service center processes a company's records, the company should
establish controls to test the accuracy of the center's activities. Control totals should be
developed for input transactions and later reconciled to the center's output. In addition, the
companys personnel should test a sample of the computations performed by the service
centers computer.
(b)

When information is not available from a service auditors' report, the auditors of a client
using a service center may find it necessary to visit the center to consider the center's
internal control. At the center, the auditors obtain an understanding of the internal control.

(c)

Service centers often engage their own auditors to review their processing controls and
provide a report for the users of a center and the users' auditors. These reports are known
as service auditors' reports.

(d)

The service auditors may provide a report on managements description and design of its
controls (Type 1 reports) or that plus operating effectiveness (Type 2 reports).

(e)

A Type 1 report provides the user auditors with an understanding of the prescribed controls
at the service center. It provides no basis for reliance on service center controls, because it
does not report the results of tests of controls. A Type 2 report may provide a basis for the
user auditors' to reduce their assessments of control risk.

Objective Questions
8-30

Multiple Choice
(a)
(2)
LAN is the abbreviation for local area network, a network that
interconnects computers within a limited area, typically a building or a small
cluster of buildings.
(b)
(3)
End-user computing is most likely in a personal computer
environment. End user computing involves environments in which a user
department is responsible for developing and running an IT system with minimal
or no support from the central information systems department.
(c)
(1)
The exception report should be reviewed and followed up on by
the data control group, which also tests input procedures, monitors IT processing,
handles the reprocessing of exceptions, and reviews and distributes all computer
output.
(d)

(1)
A validity check compares data (for example, vendors or employees)
against a master file for authenticity. Accordingly, a validity test will prevent the
positing of a payable to a vendor not included in the online vendor master file.

8-8

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(e)

(3)
In an online, real-time system, users enter individual transactions from
remote terminals and files are updated immediately. Therefore, it is important that
control be established over computer files through a system of user identification
numbers.

(f)

(3)
A distributed data processing system is one in which communication links
are used to share date and programs among various users in remote locations
throughout the organization. Accordingly, access controls in such a system gain
importance.

(g)

(3)
The assessment of computer control risk is a vague term and ordinarily
there is no assessment of computer control risk. Accordingly, it is least likely
that auditors will use software to assess it.

(h)

(2)
Auditors use utility programs to perform routine processing functions
such as sorting and merging. Generalized audit software programs are utility
programs.

(i)

(2)
When deciding whether to engage an information technology specialist, it
is doubtful that the auditor would consider the number of financial institutions at
which the client has accounts as increases in that number itself doesnt necessarily
result in a more complex computer application. The other replies all involve
factors making such an application more complex.

(j)

(2)
Generalized audit software allows the auditors to independently process
their clients' records. The software is flexible and may be used on a variety of IT
systems. These packages have not all been written in one language and their use
should have no effect on the auditors' need to obtain an understanding of internal
control, as indicated in answers (1) and (3). Generalized audit software is
primarily used as a tool for performing substantive tests; the software is of limited
value in tests of controls.

(k)

(2)
User IDs and passwords for the various users may be used to restrict
access to the computer in a manner so as to prevent unauthorized access to
sensitive programs.

(l)

(3)
The test data method is used to test controls contained within the program.
The audit approach is that of identifying relevant controls within the computer
program, and then preparing transactions to run through that program to
determine whether the controls operate effectively.

8-9

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-31

(a)
(b)
(c)
(d)
(e)

False
True
True
False

(f)
(g)
(h)
(i)

False
True
True
True

True

8-32
(a)
(b)
(c)
(d)
(e)

1 Auditing around the computer involves examining input into and outputs from the
computer while ignoring the processing.
6 Test data is a set of dummy transactions developed by the auditor and processed by thee
clients computer programs to determine whether the controls that the auditor intends to
rely upon are functioning as expected.
3 An integrated test facility introduces dummy transactions into a system in the midst of
live transactions and is often built into the system during the original design.
3 An integrated test facility approach may incorporate a simulated division or subsidiary.
4 Parallel simulation involves processing actual client data through the auditors software
to determine whether the output equals that obtained when the client processed the data.

8-33

a.
b.
c.
d.
e.

2
1
5
3
4

Data warehouse
Batch processing
End user computing
Database system
Decentralized processing system

Problems
8-34

SOLUTION: Ultimate Life Insurance Company (Estimated time: 25 minutes)

(a)

A data base is an integrated set of data elements that is shared by two or more application
programs.

(b)

The fundamental advantage of a data base is the elimination of data redundancy, which (1)
reduces data storage costs, and (2) avoids the problem of data inconsistencies. Also, a
data base provides management with direct access to large amounts of data for decision
making.

(c)

The integrity of the data base may be safeguarded by limiting access to terminals, through
the use of locks or user identification codes. A system of authorization (i.e. passwords)
may be established to assure that only authorized personnel have access to specific
elements of the data base. To prevent access after business hours, terminals may be
disabled during those hours. In addition, improper use of the terminals may be detected by
reviewing computer generated logs of terminal activity.

8-10

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-35

SOLUTION: IT Auditing Approaches (Estimated time: 30 minutes)

(a)

Auditing "around" the computer is an audit approach to testing the reliability of computer
processing without the auditors actually making use of the computer. The auditors
manually process samples of transaction input data, compare their results with those
obtained by the client's computer processing, and investigate any material discrepancies.
This approach to the audit of IT-based systems is often contrasted with auditing "through"
the computer. In the latter approach, the auditors make use of computer-assisted
techniques in performing their testing procedures.

(b)

CPA's may decide to audit "through" the computer instead of "around" it (1) when the IT
applications become complex, (2) when the audit trail becomes partly obscured (as, for
example, when transaction data are originally entered into an online terminal without the
preparation of source documents), and (3) when it is more efficient than auditing around
the computer.
Auditing "around" the computer will be inappropriate and ineffective when a major
portion of the internal control is embodied in the computer and when accounting
information is intermixed with operating information in a computer program that is too
complex to permit ready identification of inputs and outputs. Auditing "around" the
computer will also be ineffective if the sample of transactions selected for testing does not
include unusual transactions that require special treatment.
Auditing "through" the computer can provide direct assurance as to the functioning
of the system and affords the opportunity to test specific controls. This technique is
necessary for assessing control risk in all but very simple IT systems.

(c)

(1)
"Test data" is a set of data in some machine readable form (historically on
punched cards) representing a full range of simulated transactions, some of which
may be erroneous, to test the effectiveness of the control activities and to ascertain
how transactions would be handled (accepted or rejected) and, if accepted, the
effect they would have on the accumulated accounting data.
(2)

CPAs may use test data to gain a better understanding of how the computer
processes data. Test data may be used to test the accuracy of programming by
comparing computer results with results predetermined manually. Test data may
also be used to determine whether or not the system is capable of detecting various
types of error conditions. Assurance is provided by the fact that, if one transaction
of a given type passes a test, then all transactions containing the identical test
characteristics willif the appropriate control features are functioningpass the
same test. Accordingly, the volume of test transactions of a given type is not
important.

8-11

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(d)

8-36

To obtain assurance about this matter, the CPAs should consider the client's general
controls over IT operations, especially those related to the approval of changes in computer
programs. The auditors may also observe the processing of data by the client. If the
general control activities are weak the auditors might consider requesting the program on a
surprise basis from the librarian and using it to process test data.
The CPAs may also request on a surprise basis that the program be left in the
computer at the completion of processing so that they may use it to process test data. This
procedure may reveal computer operator intervention as well as assuring that a current
version of the program is being tested. This is an especially important consideration in
newly organized IT systems undergoing many program changes.

SOLUTION: Horizon Incorporated (Estimated time: 25 minutes)

(a)

In a well-organized IT operation, the functions of programming and operating the

computer are segregated. Programmers are restricted from having unsupervised use of the
computers to prevent them from making unauthorized changes to programs. Since
computer operators have access to the computer, they should not be allowed to have details
regarding the programs. A computer operator with knowledge of an application program
may be in a position to circumvent the controls in that program.

(b)

The lack of segregation of programming and computer operations may be mitigated by

other general controls, such as the following:

8-37

Close supervision of the computer operations.

Review of computer generated activity logs by an independent employee, who does not
write computer programs or operate the computer.
Rotation of operator and programmer assignments.
Mandatory vacations for all computer personnel.
Periodic comparison of programs in use to controlled copies to check for unauthorized
changes.
Joint operation of the computer by two or more operators.

SOLUTION: Norton Corporation (Estimated time: 25 minutes)

(a)
(b)

Whenever workstations are used for processing financial data, it is important that internal
controls be established to help ensure the reliability of financial data.
Controls that should be established for the workstation include the following (five
required):

8-12

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

8-38

Programs and operating procedures should be fully documented.

The computer operator should be well trained.
Segregation of duties should be established to insure that the operator is not in a
position to perpetrate errors or irregularities and prevent their detection.
Critical software should be locked away after business hours.
The computer's operating system should provide a log of workstation use that may be
reviewed by an employee that does not operate the computer or authorize transactions.
Back-up diskettes or tapes of records should be prepared and stored in a secure
location.
A system of authorization or a locking operating switch should be used to prevent
unauthorized use of the workstation.

SOLUTION: The Outsider, Inc. (Estimated time: 20 minutes)

(a)

Generalized audit software includes computer programs that can process a variety of file
media and record formats to perform a number of functions.
While generalized audit software may be used to test a client's computer programs
through the process of "parallel simulation," the primary uses of this software are in
locating, selecting, and mathematically testing data contained in the client's files. Audit
software can be used to perform or verify mathematical computations; to include, exclude,
or summarize items having specified characteristics; to provide subtotals and final totals;
to compute, select, and evaluate statistical samples for audit tests; to print results in a form
specified by the auditors; to arrange data in a format or sequence that will facilitate an
audit procedure; to compare, merge, or match the contents of two or more files, and to
produce machine readable files in a format specified by the auditors. These applications
are used primarily in substantive testing procedures rather than in conjunction with the
auditors' tests of internal control.

(b)

Ways in which generalized audit software can be used to assist in the audit of inventory of
The Outsider, Inc., include the following (only five required):
(1)
(2)
(3)

(4)

(5)

Select items of high unit cost or total value from the inventory master file for test
counting by the CPA.
Select a random sample of other, lower value items and parts for test counting by
the CPA.
Compare the CPA inventory count file with the Outsider inventory count file for
those items the CPA test counted. Ideally, this step can be performed during the
inventory count so as to reconcile any differences on a timely basis and stress the
importance of an accurate count to client personnel.
Compare quantities in the CPA inventory count file with those in the client's
adjusted inventory master file and list any differences. This will indicate whether
the CPA's year-end inventory counts and the master file are substantially in
agreement.
Compare all quantities in the Outsider inventory count file with those in the
clients adjusted inventory master file and list any differences. This will also
indicate whether the client's year-end inventory counts and the master file are
substantially in agreement.

8-13

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(6)
(7)
(8)
(9)

(10)
(11)

8-39

Read the client's inventory master file and extract all items or parts of which the
date of last sale or usage indicates a lack of recent transactions. This list provides
basic data for determining possible obsolescence.
Read the client's disk inventory master file and list all items or parts of which the
quantity on hand seems excessive in relation to quantity used or sold during the
year. This list should be reviewed for possible slow-moving or obsolete items.
Read the client's inventory master file and list all items or parts of which the
quantity on hand seems excessive in relation to economic order quantity. This list
should be reviewed for possible slow-moving or obsolete items.
Use the adjusted inventory master file and independently extend and total the yearend inventory and print the grand total on an output report. When compared to the
balance determined by the client, this will verify the calculations performed by the
client.
Use the client's inventory master file and list all items with a significant cost per
unit. This list should show both unit cost and major and secondary vendor codes.
The list can be used to verify the cost per unit.
Use the costs per unit on the client's disk file, and extend and total the dollar value
of the counts on the audit test count cards. When compared to the total dollar
value of the inventory, this will permit evaluation of audit coverage.

SOLUTION: Central Savings and Loan Association (Estimated Time: 25 minutes)

(a)

The internal controls pertaining to input of information that should be in effect because an
online, real-time IT-based system is employed should include:
(1)
(2)
(3)
(4)
(5)

(6)
(7)

A self-checking digit or some other redundant check should be used with every
account number to prevent an entry to a wrong account.
Input validation checks, such as validity tests and limit tests, should be applied to
input data to test their accuracy and reasonableness.
A daily record of all transaction inputs from each input terminal should be
produced as a by-product of the computer processing so as to provide a
supplemental record.
A log of input transactions should be maintained at each terminal and reconciled
on a daily basis (at least with respect to daily totals) with the record of
transactions by the terminal maintained by the computer.
Computer personnel should not initiate input to the computer except for testing
purposes so that a proper segregation of duties is maintained. Any testing should
be done after regular processing is completed and should be recorded in the
computer log.
Consideration should be given to establishing an integrated test facility of dummy
accounts to enable the internal audit staff to include test data with the actual input.
Computer file security should be provided to assure that entries are not made to
the accounts except during normal processing periods.

8-14

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(b)

The internal controls that should be in effect pertaining to matters other than information
input are as follows:
(1)
(2)
(3)
(4)
(5)
(6)
(7)

8-40

Account balances should be printed out or dumped on magnetic tape at regular

intervals to provide for record reconstruction and testing.
Limit tests should be included in the computer program to permit ready
identification of obvious errors or irregularities, e.g., a withdrawal from an
account should not exceed the balance on deposit in the account.
The data control group should review terminal logs.
The internal audit staff should have the responsibility for testing accounts and
transactions.
Account balance printouts and transaction records necessary to reconstruct the
accounts should be maintained in a separate location from the computer file
storage as a precaution against simultaneous destruction.
There should be provision for continued operation to avoid a time loss in case of
computer failure, e.g., each terminal should have mechanical registers in addition
to the computer's electronic registers.
Security should be provided at each terminal to assure that certain operations
could be initiated only by authorized supervisory personnel, e.g., user
identification numbers and passwords.

SOLUTION: Alexandria Corporation (Estimated time: 40 minutes)

Weakness

Recommended Improvement

(1)

Computer department functions have not

been properly separated. Under existing
procedures, one employee completely
controls programming and operations.

The function of systems analysis and design,

programming, computer operations and control
should be assigned to different employees. This
also should improve efficiency since different
levels of skill are involved.

(2)

Records of computer operations have not

been maintained.

In order to properly control usage of the

computer, a usage log should be kept and
reconciled with running times by the
supervisor. The system also should provide for
preparation of exception reports on the
operator's terminal. These should be removable
only by the supervisor or the control clerk
independent of the computer operators.

(3)

Physical control over computer operations is

not adequate. All computer department
employees have access to the computer.

Only operating employees should have access

to the computer room. Programmers' usage
should be limited to program testing and
debugging.

8-15

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(4)

System operations have not been adequately

documented. No record has been kept of
adaptations made by the programmer or
new programs.

The company should maintain up-to-date

system and program flowcharts, record layouts,
program listings, and operator instructions. All
changes in the system should be documented.

(5)

Physical control over tape files and system

documentation is not adequate. Materials
are unguarded and readily available in the
computer department. Environment control
may not be satisfactory.

Programs and tape libraries should be carefully

controlled in a separate location. Preferably a
librarian who does not have access to the
computer should control these materials and
keep a record of usage. The company should
consult with the computer company about
necessary environmental controls.

(6)

The company has not made use of

programmed controls.

Program controls should be used to supplement

existing manual controls. Examples of
programmed controls include data validity
tests, check digits, limit and reasonableness
tests, sequence checks, and error routines for
unmatched items, erroneous data, and
violations of limits.

(7)

Insertion of prices on shipping notices by

the billing clerk is inefficient and subject to
error.

The company's price list should be placed on a

master file in the computer and matched with
product numbers on the shipping notices to
obtain appropriate prices.

(8)

Manual accounting for the numerical

sequence of shipping notices is inefficient.

The computer should be programmed to review

the numerical sequence of shipping notices and
list missing notices.

(9)

Control over computer input is not effective.

The computer operator has been given
responsibility for verifying agreement of
output with the control tapes. This is not an
independent verification.

The billing clerk (or other designated control

clerk) should retain the control tapes and
compare them to the daily sales register. This
independent test should be supplemented by
programming the computer to check control
totals and print exception reports where
appropriate.

(10)

The billing clerk should not maintain

accounts receivable detail records.

If receivable records are to be maintained

manually, a receivable clerk who is independent
of billing and cash collections should be
designated. If the computer department
updates the records, as recommended below,
there still should be an independent review by
the general accounting department.

8-16

Chapter 08 - Consideration of Internal Control in an Information Technology Environment

(11)

Accounts receivable records are maintained

manually in an open invoice file.

These records could be maintained more

efficiently on magnetic disk.

(12)

The billing clerk should not receive or mail

invoices.

Copies of invoices should be forwarded by the

computer department to the customer (or to the
mailroom) and distributed to other recipients in
accordance with established procedures.

(13)

Maintaining a chronological file of invoices

appears to be unnecessary.

This file's purpose may be fulfilled by the daily

sales register.

(14)

Sending duplicate copies of invoices to the

warehouse is inefficient.

The computer can be programmed to print a

daily listing of invoices applicable to individual
warehouses. This will eliminate the sorting of
invoices.

In-Class Team Case

8-41

SOLUTION: Jenz Corporation (Estimated time: 45 minutes)

(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)
(13)

M. Perform customer credit checkCustomer credit file is being accessed, making it

likely that a credit check is occurring.
Z. Open order fileProcessing to the right of #2 begins with "open orders," making this
an open order file.
L. Match customer purchase order with sales orderTwo copies of the sales order are
being combined with the customer purchase order through a manual operation (the
trapezoid).
B. Verify agreement of sales order and shipping documentManual operation includes
two copies of the shipping document being combined with the sales order.
H. Release goods for shipmentDepartment is the warehouse and shipping department,
and out of this operation is "shipping information," accordingly goods are being released
for shipment.
S. Master price fileThe operation below #6 include entering price data; since the first
two files being accessed are the accounts receivable master file and the shipping file, this
third file must include prices.
O. Prepare sales invoiceSince a document is being prepared through this computerized
billing program, it is the sales invoice.
U. Sales invoiceA sales invoice is normally sent to the customer.
I. To accounts receivable departmentCopy of the sale invoice informs accounts
receivable that the sale has been processed and shipped.
Q. General ledge master fileBecause the processing step below includes updating of
master files, this is the general ledge master file.
N. Prepare sales journalSales transactions are being processed; therefore, a sales
journal is prepared.
T. Sales JournalA sales journal was prepared; the accounting department will receive
the sales journal.
Y. Aged trial balanceAn aged trial balance is prepared; the credit department will
receive such a report.

8-17