adequate controls exists over the entity’s assets Organizational controls address the proper

and records. Management needs a control segregation of duties and responsibilities within
system that generates a reliable information for the computer processing environment.
decision making. The auditor should give
Segregation of Duties. This general control is
adequate considerations to these controls
vital because a segregation of functions
because the quality of the entity’s internal
(authorization, recording, and access to assets)
control systems can have an impact on the
may not be feasible in an IT environment.
overall audit strategy. The auditor’s
Accordingly, certain tasks should not be
responsibilities with respect to internal control
combined.
over EDP systems remain the same as with
manual systems. (1) Database/network/web administrators.
They are responsible for management,
Auditors should also consider the following risk
supervision, and oversight of computing
to computer information system environment:
facilities.
 Reliance on the functioning capabilities (a) The database administrator (DBA) is
of hardware and software the individual who has the overall
 Visibility of audit trail responsibility for developing and
 Reduced human involvement maintaining the database and for
 Unauthorized access establishing controls to protect its
 Reduced segregation of duties integrity. Thus, only the DBA should be
able to update data dictionaries
 Lack of traditional authorization
(2) Data administrator. They coordinate
INTERNAL CONTROL OVER EDP ACTIVITIES activities within the data administration
department.
Internal control over EDP activities are classified
(3) System analysts. They are specifically
as either general controls or application controls.
qualified to analyze and design computer
Exhibit 11.1 describes the categories of general
information systems. They survey the
controls and application controls
existing system, analyze the
Exhibit 11.2 Categories of General and organization's information requirements,
Application controls and design new systems to meet those
Control Type Category of control needs. These design specifications will
General Organizational and operation guide the preparation of specific
Controls control programs by computer programmers.
Systems development and (4) Programmers. Programmers design,
documentation controls write, test, and document the specific
Access controls programs developed by the analysts.
Data recovery controls Programmers as well as the analysts may
Hardware controls
be able to modify programs, data files,
Application Input controls
and controls and should therefore have
Controls Processing controls
no access to computer equipment and
Output controls
files or to programs used in productions.
(5) Computer (console) operator. Computer
GENERAL CONTROLS operators are responsible for the actual
processing of data in accordance with the
General controls apply to all computer activities.
program and messages received from the
They often include controls over the
system. They load mount storage devices,
development, modification, and maintenance of
and operate the equipment.
computer programs and controls over the use of
(a) Console operators should not be
and changes to data maintained on computer
assigned programming duties
files.
responsibility for systems design and
ORGANIZATIONAL AND OPERATION CONTROLS should have no opportunity to make
changes in programs and systems as
 Organizational Controls they operate the equipment. Ideally,
computer operators should not have
programming knowledge or access to
 documentation not strictly necessary
for their work.
(b) Help desk are usually a responsibility
of computer operations because of
the operational nature of their
functions. A help desk logs reported
problems, resolves minor problems,
and forwards more difficult problems
to the appropriate information
systems resources, such as technical
support unit or vendor assistance.
(6) Data conversion operators. Data
conversion operators perform the tasks
of data preparation and transmission, for
example, conversion of source data to
magnetic disk or tape and entry of
transactions from remote terminals.
(7) Librarians. Librarians should maintain
control over and accountability for
documentation, programs, and data files.
Librarians should have no access to
equipment or the skills to perpetrate
fraud.
(8) Data control group. The data control
group must be independent of systems
development, programming, and
operations. The control group receives
user input, logs it, transfers it to the
computer center, monitors processing,
reviews error, compares control totals,
distributes output, and determines
whether error corrections have been
made by users.
(9) End users. The end users need access to
applications data and functions only.
 Operating controls
Operating controls ensure efficient and effective
operation within the computer department.
These controls also assure proper procedures in
case of data loss because of error or disaster.
Typical operating controls include the proper
labeling of all files both internally and externally,
halt and error procedures duplicate files, and
reconstruction procedures for files.
SYSTEMS DEVELOPMENT AND DOCUMENTATION
CONTROLS
These controls are concerned with the proper
planning, development, writing, and testing
computer applications. These activities require
proper documentation, including flowcharts,
listings, and run manuals for programs already
written. Controls over proper authorization of any
changes in existing programs are also
necessary.
ACCESS CONTROLS
Access controls provide assurance that only
authorized individuals use the system and that
usage is for authorized purposes. Examples of
access controls are
 Encryption. Encryption involves using
fixed algorithm to manipulate plaintext.
The information is sent in its
manipulated form and the receiver
translates the information back into
plaintext. Although data may be accessed
by tapping into the transmission line, the
encryption key is necessary to
understand the data being sent.
 Call back. A call back feature requires the
remote user to call the computer, give
identification, hang up, and wait for the
computer to call the user's authorized
number. This control ensures acceptance
of data transmissions only from
authorized modems. However, call
forwarding may thwart this control.
 Password and ID numbers. The use of
passwords and identification numbers is
an effective control in an online system to
prevent unauthorized access to
computer files. Lists of authorized
persons are maintained in the computer.
The entry of passwords or identification
numbers; a prearranged set of personal
questions; and the use of badges,
magnetic cards, or optically scanned
cards may be combined to avoid
unauthorized access. To be more
effective, passwords should consist of
random letters, symbols, and numbers.
They should contain words and phrases.
 Security personnel. An organization may
need to hire security specialists. For
example, developing an information
security policy for the organization,
commenting on security controls in new
applications.
 Controlled disposal of documents. One
method of enforcing access restrictions
is to destroy data when they are no longer
in use.
 Biometric technologies. These are
automated methods of establishing an
individual's identity using physiological
or behavioral traits. These characteristics
 include fingerprints, retina patterns,
hand geometry, signature dynamics,
speech, and keystrokes dynamics.
 Automatic log-off. Automatic log-off
(disconnection) of inactive data
terminals may prevent the viewing of
sensitive data on an unattended data
terminal.
 Utility software restrictions. Utility
software may have privileged access and
therefore be able to bypass normal
security measures. Performance
monitors, tape and disk management
systems, job schedulers, online editors,
and report management systems are
example of utility software. Management
can limit the use of privileged software to
security personnel and establish audit
trails to document its use. The purpose is
to gain assurance that its users are
necessary and authorized.
DATA RECOVERY CONTROLS
Disasters such as power failures, fire, excessive
heat or humidity, water damage, or even
sabotage have serious consequences to
business using IT. To address such risks
organizations develop detailed back up
contingency plans. One key to a back
contingency plan is to make sure that all critical
copies of software and data files backed up and
stored off the data premises. Also the plans
should identify alternative hardware to process
company data.
HARDWARE CONTROLS
Hardware controls assure the proper internal
handling of data as they are moved and stored.
They include:
 Parity check. A special bit is added to
each character stored in memory that can
detect if the hardware loses a bit during
the internal movement of a charact%
similar to a check digit.
 Echo checks. It detects line errors by re-
transmitting data back to the sending
device (hardware) for comparison with
the original transmission.
 Read-after-write checks
APPLICATION CONTROLS
Application controls relate to specific tasks
performed by the system. They should provide
reasonable assurance that the recording,
processing, and reporting of data are properly
performed.
INPUT CONTROLS
Input controls provide reasonable assurance
that the data received for processing have been
properly authorized, converted into machine-
readable form, and identified. They also provide
reasonable assurance that the data (including
the data transmitted over communication lines)
have not been lost, suppressed, added,
duplicated, or otherwise improperly changed.
Moreover, input controls relate to rejection,
correction, and resubmission of data that were
initially incorrect.
 Edit checks
They include: Error listing. Editing (validation) of
data should produce a cumulative automated
error listing that includes not only errors found
in the current processing run but also
uncorrected errors from earlier runs. Each error
should be identified and described, and the date
and time of detection should be given.
Sometimes the erroneous transactions may
need to be recorded in a suspensed file. This
process is the basis for developing appropriate
reports.
Field checks. Field checks are tests of the
characters in the field to verify that they are
of an appropriate type for that field.
Financial totals. Financial totals summarize
peso amounts in an information field in a
group of records.
Hash totals. A hash total is a control total
without a defined meaning, such as the total
of employee numbers or invoice numbers,
that is used to verify the completeness of
data. the hash total for the employee listing
by the personnel department could be
compared with the total generated during the
payroll run.
Limit and range checks. Limit and range
checks are based on known limits for given
information.
Preformatting. To avoid data entry errors in
online systems, a screen prompting
approach may be used, that is the equivalent
of the preprinted forms routinely employed
as source documents. The dialogue
approach, for example, presents a series of
question to the operator. The preformatted