General Computer Controls Module 2013

The document discusses general computer controls for an accounting course. It begins by introducing the topic and defining general computer controls. It then describes different types of online computer systems and controls that should be implemented in a computerized environment, including controls over system development and implementation, system maintenance, access controls, and business continuity. The document provides definitions, explanations, and examples of different general computer controls.


UNIVERSITY OF JOHANNESBURG

DEPARTMENT OF ACCOUNTANCY
AUDIT 3A
2013

GENERAL COMPUTER CONTROLS


Index:

A PRE-READING
B INTRODUCTION
C TYPES OF ON-LINE COMPUTER SYSTEMS
D CONTROLS IN A COMPUTERISED ENVIRONMENT
E QUESTIONS RELATING TO THE TOPIC

PART A: PRE-READING

PART B: INTRODUCTION

1. INTRODUCTION OF THE TOPIC

This module introduces you to the basic concepts regarding computers and their
significance in an organisation. The more complex issues regarding computers will be
dealt with at honours level.
The use of computers is part of everyday life (as you would all know)!
This module will aim to explain the basic concepts in computers, which an audit
professional is expected to have knowledge of.

2. PRIOR KNOWLEDGE

Computers will not be new to you, as you have dealt with their basic operations in BIS (2nd
year) as well as in all your other subjects.

With regard to auditing specifically, you have already been introduced to general
controls in Audit 2. This module picks up general controls from where you left off, and you
will also be introduced to application controls.

It is an extremely important module, as most of you will take up employment next year and
are expected to have certain knowledge about computers, the risks associated with
computers and their respective controls. For those of you studying further, you will study
computers at a more extensive level in your postgraduate studies.

3. RESOURCES

In order to master this topic you should make use of the following resources:

3.1 Lecture attendance and consultation
3.2 Module
3.3 Question Banks
3.4 Lecture Slides
3.5 Pre-reading

4. STUDY OUTCOMES

After you have completed your studies of this topic you must be able to:

4.1 Provide definitions of computers and be able to identify these in a given scenario.
4.2 Identify the types of controls that should be implemented.
4.3 Recommend any possible improvements to be implemented in a computerised environment.
4.4 Be able to apply the concepts of computers to any given scenario.

5. EXAMINATION POSSIBILITIES

You can expect theory-based questions that include:

o Pure theory
o Practical application
o Scenario-based questions

PART C: DEFINITIONS OF THE TYPES OF ON-LINE COMPUTER SYSTEMS

TYPES OF ON-LINE SYSTEMS

On-Line Entry with Real-Time Processing:

Transactions are entered via terminals, automatically authorised by the system and the
relevant files on the system are updated immediately. Thus, the transaction and the
master file are updated immediately.

On-Line Entry with Batch Processing:

Transactions are entered via a terminal, authorised and written to a transaction file. The
transactions are then processed, and the master file updated, in batch mode.

This system provides the opportunity for good control over the input and processing of
transactions ensuring the completeness and accuracy of the data through batch
(control) totals and audit trails.

It is clear from the above that the transaction file and master file in this type of system are
not updated immediately, but only after a batch has been entered correctly and is in
balance.
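
The batch balancing described above, as an added example that is not part of the module: transactions captured at terminals are held in a transaction file, and the batch is posted to the master file only if its record count, financial total and hash total agree with the control totals on the batch header. The names (Transaction, ControlTotals, post_batch) and the sample batches are assumptions made for this illustration.

```python
"""Batch control totals for on-line entry with batch processing.

Added example, not part of the module. An out-of-balance batch is rejected
as a whole, so the master file is only ever updated from a batch that has
been entered correctly, and every posting or rejection leaves an audit-trail
entry. Names and sample data are assumptions for this illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transaction:
    account: str      # account number the entry is posted to
    amount: Decimal   # signed amount; Decimal avoids floating-point rounding


@dataclass(frozen=True)
class ControlTotals:
    """Totals written on the batch header when the batch is prepared."""
    record_count: int       # number of transactions expected in the batch
    amount_total: Decimal   # sum of all amounts (financial total)
    hash_total: int         # sum of account numbers: meaningless, but detects a mis-keyed account


def compute_totals(batch):
    """Recalculate the control totals from the transactions actually captured."""
    return ControlTotals(
        record_count=len(batch),
        amount_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(int(t.account) for t in batch),
    )


def balance_batch(batch, header):
    """Compare captured totals with the header; return the list of differences."""
    actual = compute_totals(batch)
    problems = []
    if actual.record_count != header.record_count:
        problems.append(f"record count {actual.record_count} vs header {header.record_count}")
    if actual.amount_total != header.amount_total:
        problems.append(f"amount total {actual.amount_total} vs header {header.amount_total}")
    if actual.hash_total != header.hash_total:
        problems.append(f"hash total {actual.hash_total} vs header {header.hash_total}")
    return problems


def post_batch(batch, header, master, audit_trail):
    """Update the master file only if the batch balances; always write an audit-trail entry."""
    problems = balance_batch(batch, header)
    if problems:
        audit_trail.append(f"batch rejected: {'; '.join(problems)}")
        return False
    for t in batch:
        master[t.account] = master.get(t.account, Decimal("0")) + t.amount
    audit_trail.append(f"batch posted: {len(batch)} transactions, total {header.amount_total}")
    return True


# Constructed sample data (not from the module).
HEADER = ControlTotals(record_count=3, amount_total=Decimal("114.50"), hash_total=3006)
GOOD_BATCH = [
    Transaction("1001", Decimal("100.00")),
    Transaction("1002", Decimal("-25.50")),
    Transaction("1003", Decimal("40.00")),
]
# Same amounts, but account 1002 mis-keyed as 1020: count and amount total still agree,
# so only the hash total reveals the error.
MISKEYED_BATCH = [
    Transaction("1001", Decimal("100.00")),
    Transaction("1020", Decimal("-25.50")),
    Transaction("1003", Decimal("40.00")),
]


def run_demo():
    """Post both batches against a fresh master file; returns (master, audit_trail)."""
    master, trail = {}, []
    post_batch(GOOD_BATCH, HEADER, master, trail)
    post_batch(MISKEYED_BATCH, HEADER, master, trail)
    return master, trail


if __name__ == "__main__":
    master_file, audit_trail = run_demo()
    print(master_file)
    print("\n".join(audit_trail))
```

The hash total is the check that a plain count and amount total cannot give: a transaction posted to the wrong account keeps both of those in balance, so the batch would otherwise update the wrong master record.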

Shadow Processing:

A copy of the master file is used during the day and is updated continuously using on-
line entry with real time processing. The computer simultaneously creates batch files for
the day’s transactions. These batch files are used to update the original master file
overnight in batch mode.

A new copy of the master file is then made for use during the following day.

Shadow processing provides the benefits of both real time processing and batch
processing while affording better protection to the data in the original master file.

On-Line Entry with Memory Update:

Transactions are entered, authorised and written to a memory file which contains
information drawn from the master file.
This process is similar to shadow processing and implies that:
o Enquiries are made from the memory master file (which is fully up to date);
o The original master file is updated at a later stage from the transaction files.

On-Line Enquiry Facilities:

Users are limited to enquiry of information on master files which are updated from other
systems.

On-Line Downloading/Uploading:

This involves data being downloaded from a master file onto an intelligent terminal such
as a personal computer. This data can then be updated & uploaded to another
computer, e.g. the mainframe computer.

PART D: CONTROLS IN A COMPUTERISED ENVIRONMENT

GENERAL CONTROLS DEFINITION:

General controls are those which establish an overall framework of control for computer
activities. They are controls which should be in place before any processing of
transactions gets underway and they span across all applications.

OVERALL FRAMEWORK OF GENERAL COMPUTER CONTROLS:

The following framework is an outline of the controls to be covered in this module.
These controls will be discussed in detail throughout the module.

General Computer Controls

1. System Development and Implementation Controls
2. System maintenance Controls (Change Controls)
3. Organisational and Management Controls
4. Access Controls to Data and Programs
5. Computer Operating Controls
6. System Software Controls
7. Business Continuity Controls

UNDERSTANDING THE GENERAL CONTROL ENVIRONMENT

1. Systems Development & Implementation Controls

o Objective: To ensure that a self-developed or purchased system is properly developed,
authorised and meets users' needs.

These are the controls in place over the actual development of a new system the entity
intends to use. This could be a purchased package or a system developed in-house.
In a question, you need to ensure that you know what type of system you are dealing
with, so that you suggest the relevant controls. Examples of the types of controls
over the development of a system in-house include, but are not limited to, the following:

o The client should develop a system with a clear view of its strategic business plan to
ensure that the system will aid the process of achieving the business objectives;
o A steering committee should conduct a feasibility study and define the selection
criteria;
o Projects should be authorised after analysing the users’ needs and performing a
proper systems analysis;
o Project authorisation & management;
o System design and programming standards;
o Testing of new system;
o Conversion to new system.

Please take note of the following controls over a self-developed system:

1. Project authorisation and management

o Development plan authorised
o Steering committee
   - Made up of senior management from both user and computer departments
o Steering committee must ensure that:
   - Project is authorised
   - Timetables are adhered to
   - Budgets are achieved
   - Quality requirements are met
o Involvement from:
   - User department
      - Departmental requirements
      - Internal / external auditors
   - Data processing department
      - Technical soundness
      - Compatibility with other systems
      - Operational aspects
   - Quality control department
      - Standard of design
      - Testing
      - Documentation
o Perform feasibility study
   - Buy / self-develop
   - Cost / benefit analysis
o Project team
   - Day-to-day management of project
   - Ensure project is developed in stages
   - Prepare timetables for each stage
o Project authorised after feasibility study / analysis, before commencement



2. System specification & user needs

o Definition
   - Defining the way the system must work
   - To meet the specification of users and business

Two methods of specifying systems:

o Traditional method
   - Written systems specification by means of discussions between the data processing department and users
o Prototype systems
   - Design prototype
   - User department tries it out
   - Refine the design through a series of prototypes

3. System design and programming standards

o System design and programming standards are needed to:
   - Ensure the system interacts properly with existing systems and system software;
   - Ensure that appropriate control-related programmed procedures are built in;
   - Ensure there is supervision over system design;
   - Comply with predetermined standards;
   - Ensure development is done on the program library, not on live data.

4. Testing

Testing of in-house systems should be carried out in 3 stages:

4.1 Program testing

o Checking the logic of each program against its specifications
o Methods used:
   - Test data
   - Desk checking (program code analysis)

4.2 System testing

o Ensure the logic of the various individual programs links together to form a system in line with the detailed system description
o Methods used:
   - Test data
   - User testing

4.3 Live testing

o Tested under operational conditions
   - Parallel running
   - Pilot running
o Parallel running
   - New system run in parallel with old system
   - Problems: cost of double processing, difficulty of comparison (e.g. additional information)
o Pilot running
   - Introduce the system for only a small portion

Take note of the following controls over a purchased package:

Purchased package:

Important information to consider when purchasing a package:

o Package must meet user requirements
   - Prepare statement of requirements
   - Measure available packages against requirements
o Keep in mind:
   - Minimum changes should be made to the package
   - If modifications are necessary, use the normal rules in respect of system development
   - Possibility of future amendments (e.g. tax updates)
   - Quality of maintenance service from supplier

The above information has to be applied to the selection of a package and the
implementation of a package. This can be done as follows:

1. Specification and selection of package

o Discussions with other users
o Observing operation of package
o Questioning other users of package regarding:
   - Facilities offered by program
   - Freedom from program errors
   - Speed & efficiency
   - Ease of use
   - Quality of support

2. Implementation and testing of package

o Testing
   - Independent testing
   - Review of experiences of other users
o Implementation
   - Involvement of:
      - User departments
      - Data processing
      - Management
      - Quality assurance

Advantages of purchased systems:

o Less implementation time (immediate implementation)
o Lower cost, and cost is predetermined
o Tested thoroughly – thus very reliable

Disadvantages of purchased systems:

o Dependent on vendors for maintenance
o Too general / inflexible to cater for needs
o Change maintenance difficult / impossible
o Written overseas (VAT and tax differ)

A conversion from an old system to a new system often takes place in organisations, thus
it is important to implement controls over these conversions.

Controls during conversion to the new system (self-developed / purchased)

o Planning and preparation
   - Prepare timetables for conversion
   - Define methods used (e.g. parallel / pilot)
   - Determine cut-off dates
   - Prepare data files for conversion (e.g. standing data)
   - Training of staff
   - Balance files on old system
   - Prepare premises (constant power / air-con)
o Control over conversion of data by data control group
   - Supervision by senior management
   - Auditor involvement
o Update system documentation
   - System flowcharts
   - System descriptions
   - Operating manuals
o Testing
   - Balancing old files with new files
   - Third-party confirmations
   - Follow up of exception reports
   - Comparison with data run on old system (parallel)
   - Manual comparison of data
   - Approval by users
o Backup of new system
o Post-implementation review

2. System Maintenance Controls / System Change Controls

o Objective: To ensure that changes to the system are authorised, meet users' needs and
are made effectively.

These controls exist to ensure that any maintenance that takes place on the newly
developed system is done accurately and in accordance with the requisite level of
authority. The changes would be made to ensure that the system meets the needs
of the users. Some examples of these types of controls are:

o Change forms are to be pre-numbered and locked away when not required;
o Any change request made by a user of the system must be approved by the
user's line manager, and a reason why the change is necessary must be
provided;
o All change forms need to be signed by management or the computer steering
committee prior to the change being effected;
o After the change has been made, an IT expert is to test the change to determine
whether it has been made as per the approved change request and is working
effectively.

o Completeness of changes
   - To ensure all approved requests for changes are processed
   - Achieved by:
      - Pre-numbered change request forms
      - Regular sequence checks; or
      - Entering change forms in a register
      - Outstanding requests reviewed by a senior official
o Validity of changes
   - Requests should be approved by the correct level of authority, depending on importance
   - User requirements
   - Reviewed by data processing department
   - Documented
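
The completeness and validity controls over changes just described, as an added example that is not part of the module: pre-numbered change request forms are entered in a register, a sequence check reports missing form numbers, outstanding requests are listed for review by a senior official, and a change can be implemented only once both approvals are recorded and closed only after an IT expert has tested it. The class and method names and the sample requests are assumptions made for this illustration.

```python
"""Completeness and validity controls over system change requests.

Added example, not part of the module. Class and method names and the
sample change requests are assumptions for this illustration.
"""
from dataclasses import dataclass


@dataclass
class ChangeRequest:
    number: int                        # pre-printed number on the change form
    requester: str
    reason: str                        # why the change is necessary
    line_manager_approved: bool = False
    management_approved: bool = False  # management or computer steering committee
    tested_by_it: bool = False
    implemented: bool = False
    closed: bool = False


class ChangeRegister:
    def __init__(self):
        self._requests = {}            # form number -> ChangeRequest

    def enter(self, req):
        """Enter a form in the register; duplicates and forms without a reason are refused."""
        if req.number in self._requests:
            raise ValueError(f"form {req.number} is already in the register")
        if not req.reason.strip():
            raise ValueError(f"form {req.number} gives no reason for the change")
        self._requests[req.number] = req

    def get(self, number):
        return self._requests[number]

    def sequence_gaps(self):
        """Sequence check: form numbers missing between the lowest and highest entered."""
        if not self._requests:
            return []
        lo, hi = min(self._requests), max(self._requests)
        return [n for n in range(lo, hi + 1) if n not in self._requests]

    def outstanding(self):
        """Requests not yet closed, for review by a senior official."""
        return sorted(r.number for r in self._requests.values() if not r.closed)

    def validity_problems(self, number):
        """Approvals still missing before the change may be made (empty = valid)."""
        r = self._requests[number]
        problems = []
        if not r.line_manager_approved:
            problems.append("no line manager approval")
        if not r.management_approved:
            problems.append("not signed by management / steering committee")
        return problems

    def implement(self, number):
        """Allow the change to be made only when every required approval is present."""
        problems = self.validity_problems(number)
        if problems:
            raise PermissionError(f"form {number}: {', '.join(problems)}")
        self._requests[number].implemented = True

    def close(self, number):
        """Close a request only once the implemented change has been tested by IT."""
        r = self._requests[number]
        if not (r.implemented and r.tested_by_it):
            raise ValueError(f"form {number} not yet implemented and tested")
        r.closed = True


def run_demo():
    """Constructed scenario: three forms entered, one number missing, one taken to closure."""
    reg = ChangeRegister()
    reg.enter(ChangeRequest(101, "jsmith", "VAT rate change in invoicing"))
    reg.enter(ChangeRequest(102, "mjones", "Additional debtors ageing report"))
    reg.enter(ChangeRequest(104, "aking", "Rounding error in interest calculation"))
    results = {"gaps": reg.sequence_gaps(), "unapproved": reg.validity_problems(101)}
    try:
        reg.implement(101)                 # must fail: no approvals recorded yet
        results["blocked"] = False
    except PermissionError:
        results["blocked"] = True
    req = reg.get(101)
    req.line_manager_approved = req.management_approved = True
    reg.implement(101)
    req.tested_by_it = True
    reg.close(101)
    results["outstanding"] = reg.outstanding()
    return results


if __name__ == "__main__":
    print(run_demo())
```

The sequence gap (form 103 never entered) is the signal a reviewer would follow up: either a form was lost, or a change was made without going through the register.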
3. Organisational & Management Controls

o Objective: To establish an organisational framework providing segregation of duties (SOD),
supervision and review, and virus protection.

These controls would be implemented to ensure that an organisational framework
over the computerised information system (CIS) activities is in place, and to ensure
that the basic principles of segregation of duties, review and virus protection are
met. Examples of these types of controls include, but are not limited to, the following:

o Computer department is to be represented on the Board of Directors;
o CIS manager should report to senior management;
o Top management should be committed to controls and should implement
management controls such as establishing an internal audit department;
o Computer steering committee sets IT policies and exercises control over IT activities;
o CIS manager reports directly to senior management;
o Staff practices / processing
   - Rotation of operator duties
   - System development staff not assigned to operator duties
   - At least two operators per shift (scheduling of staff)
   - Staff take regular leave
o Employment practices
   - Training of staff and career development
   - Supervision and review

Segregation of duties

o Functional
   - Separate CIS department
o Operational
   - SOD between:
      - System analysts
      - Programmers
      - Operators
o Normal SOD between:
   - Transaction initiation
   - Authorisation
   - Processing
   - Safeguarding
o An independent person must correct errors

Controls against computer viruses

o Software protection
   - Software purchased from reputable suppliers
   - Take care with the use of "free" or "public domain" programs
   - Do not lend out program disks
   - Do not boot up from a disk
   - Do not use illegal copies
o Data file protection
   - Install virus detection software
   - Test data files for viruses before use
   - Regular backups
   - Keep disks write-protected
o Staff
   - Inform staff members of the dangers
   - Train users of microcomputers
   - Reporting procedures in case of infection
   - Limit the use of microcomputers to authorised staff
o Supervision and review
   - By CIS manager, divisional managers, section heads
   - System investigations by internal and external audit

4. Access Controls to Data & Programs

o Objective: To prevent unauthorised changes to programs, data, terminals & files.

As the name suggests, these controls ensure that access to and editing of
data and programs are restricted to only those users who have the authority
to use the data. Examples of these types of controls include:

o Passwords are to be changed regularly and must be alphanumeric;
o Passwords are to be kept confidential;
o User matrices must exist in order to restrict database information to users
on a least-privilege basis;
o The terminal should shut down after 3 unsuccessful log-in attempts and
generate an exception report for management to review & investigate.
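
The access controls listed above, together with the password strength rules given under "Password control" further on (minimum 6 characters, capital and small letters, digits and other characters, no re-use), as an added example that is not part of the module: a password policy check, a terminal that shuts down after 3 unsuccessful login attempts and writes an exception report entry for management, and automatic log-off after 5 minutes of non-use. The "not easily guessed" rule is approximated here by rejecting a password that contains the user ID, which is an assumption, as are the names Terminal and password_problems and the sample user.

```python
"""Password policy, terminal lockout and inactivity log-off.

Added example, not part of the module. Constants carry the module's values;
the user-ID check, PBKDF2 storage and all names are assumptions.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 6                           # module: minimum 6 characters
MAX_FAILED_ATTEMPTS = 3                  # module: shut down after 3 unsuccessful attempts
INACTIVITY_LIMIT = timedelta(minutes=5)  # module: automatic log-off after 5 minutes


def hash_password(password, salt=None):
    """Store passwords salted and hashed (PBKDF2), never in clear text."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def password_problems(user_id, password, previous=()):
    """Rules a proposed password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[a-z]", password):
        problems.append("no small letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no other character (e.g. ! @ # *)")
    if user_id.lower() in password.lower():      # assumed "easily guessed" check
        problems.append("contains the user ID (easily guessed)")
    if any(verify_password(password, h) for h in previous):
        problems.append("re-use of a previous password")
    return problems


class Terminal:
    """A terminal identified by its TIN, enforcing lockout and inactivity log-off."""

    def __init__(self, tin, credentials):
        self.tin = tin                   # terminal identification number
        self._credentials = credentials  # user_id -> stored salted hash
        self._failures = {}              # user_id -> consecutive failed attempts
        self.shut_down = False
        self.exception_report = []       # entries for management to review & investigate
        self.session = None              # (user_id, time of last activity) or None

    def login(self, user_id, password, now):
        if self.shut_down:
            return False                 # stays down until management re-enables it
        stored = self._credentials.get(user_id)
        if stored is not None and verify_password(password, stored):
            self._failures[user_id] = 0
            self.session = (user_id, now)
            return True
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        if self._failures[user_id] >= MAX_FAILED_ATTEMPTS:
            self.shut_down = True
            self.exception_report.append(
                f"{now:%Y-%m-%d %H:%M} terminal {self.tin}: {MAX_FAILED_ATTEMPTS} "
                f"unsuccessful logins for '{user_id}', terminal shut down")
        return False

    def activity(self, now):
        """Called on each user action; logs off if the terminal has been idle too long."""
        if self.session is None:
            return False
        user_id, last = self.session
        if now - last > INACTIVITY_LIMIT:
            self.session = None          # automatic log-off
            return False
        self.session = (user_id, now)
        return True


def run_demo():
    """Constructed scenario: a lockout on one terminal and a time-out on another."""
    creds = {"jsmith": hash_password("Audit#2013")}   # constructed user and password
    t0 = datetime(2013, 3, 1, 9, 0)
    locked = Terminal("TIN-07", creds)
    for attempt in range(MAX_FAILED_ATTEMPTS):
        locked.login("jsmith", "wrong-guess", t0 + timedelta(seconds=attempt))
    late_but_correct = locked.login("jsmith", "Audit#2013", t0 + timedelta(minutes=1))
    idle = Terminal("TIN-08", creds)
    idle.login("jsmith", "Audit#2013", t0)
    still_on = idle.activity(t0 + timedelta(minutes=4))
    timed_out = idle.activity(t0 + timedelta(minutes=10))
    return {"shut_down": locked.shut_down, "report_entries": len(locked.exception_report),
            "login_after_shutdown": late_but_correct, "active_after_4_min": still_on,
            "active_after_10_min": timed_out}
```

Note that once the terminal has shut down, even the correct password is refused: the report entry, not the next login, is what brings management into the loop, which is the point of the exception report.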

Programmed controls

o Terminals
   - TINs (terminal identification numbers)
   - Limited access to system (to specific applications)
   - Automatic log-off after 5 minutes of non-use
   - Shut down after 3 unsuccessful login attempts
   - Limited to 1 workstation log-on
   - Investigation into each disconnection
   - Simultaneous login prohibited
o Identification of users
   - User IDs & passwords
   - Verify IP address
   - Magnetic cards
   - Voice recognition / fingerprints (use of biometric data)
o Authorisation of users
   - Logon IDs
   - Passwords
   - Multilevel passwords
   - User matrices
   - Passwords for specific authorised levels
o Monitor access and processing
   - Audit trails reviewed for daily activities
   - Console logs and activity registers
   - Application software (unauthorised access)
   - Firewalls
o Communication lines & networks
   - Passwords
   - Dial & dial-back
   - Identification data
   - Different routes for sensitive data
   - Encryption of data
o Password control
   - Password strength
      - Minimum 6 characters (minimum length)
      - Alpha / numerical
      - CAPITAL LETTERS and small letters
      - And other characters: ! @ # *
   - Not easily guessed; not shown on screen
   - Changed regularly
      - Automatic system request
      - Re-use of password prohibited
   - Confidentiality emphasised
   - Cancelled on resignation / dismissal
   - Cancelled after period of inactivity
   - Used for authorisation
      - Limit access to part of system
      - Limit access to certain times of day
      - Authorisation levels linked
o Program libraries
   - Access to backup programs controlled by access software
   - Passwords
   - Updating authorised
o Utilities
   - Stored separately
   - Use logged and reviewed

Physical controls

o Terminals
   - Physically locked
   - Located in visible area
   - Situated in lockable room
o Computer hardware
   - Lockable room
   - Supervision & review
   - Removable media secured
   - Manual logs
o Program libraries
   - Register (regular review)
   - Access controlled
o Distributed processing
   - Only executable programs (instead of production programs) at branches
   - Independent comparison of executable programs to source programs (e.g. by internal auditor)
   - Logs reviewed
   - Screening & training of staff
   - Emergency access controls

5. Computer Operating Controls

o Objective: Ensuring procedures are applied correctly & consistently during processing

These are the controls that deal with how the user of the computer operates the
computer, and ensure that programmed procedures are applied correctly and
consistently during the processing of data. Examples of these types of controls
include, but are not limited to, the following:

o There must be continuous monitoring and review of the functioning of the computer hardware;
o There must be standardised procedures and operating procedures for the users of the system to follow;
o There must be adequate user manuals in place.
o Scheduling of processing
o Set-up and execution of programs
   - Competent person
   - Procedure manuals
   - Test against processing log
   - Supervision & review
o Use correct programs & data files
o Operating procedures
   - Hardware checks
   - Operating instructions & manuals
   - Segregation of duties
   - Rotation of duties
   - Logs
   - Supervision and review
o Recovery procedure
   - Emergency plan & instructions
   - Backup of data & hardware

6. System Software Controls

o Objective: To ensure that the installation, development and maintenance of software
packages are authorised and effective.

These controls are put in place for programs that process data, to ensure that they are
installed or developed and maintained in an authorised and effective manner, and
that access to the system software is limited. Examples of these types of controls
include:

o For processing by users on personal (micro) computers, there must be:
   - Control over the software on the PC to ensure that it is not copied or pirated;
   - Programs which are written internally should be documented and tested to ensure that the program has the integrity required by management.
o Acquisition & development controls
   - See previous notes
o Security over system software
   - Integrity of staff
   - Division of duties
   - Employment policies
   - Supervision & review
o Database systems
   - Access control
   - Documentation
   - Supervision & review
o Networks
   - Support department
   - Access controls
   - Disaster recovery plan
o Processing on microcomputers
   - Control of software
   - Programs written internally tested & documented

7. Business Continuity Controls

o Objective: Prevent / limit system interruption (downtime)

These are the controls that the entity would put in place to ensure that it would be
able to continue as a going concern, even in the event of a disaster that the
company might experience. Examples of these types of controls include:

o Data is backed up regularly and kept off-site in a fireproof safe;
o The entity has a UPS (uninterruptible power supply) to ensure that it can
continue doing business in the event of a power failure;
o The entity's server room is air-conditioned to ensure that the servers do not
overheat, resulting in the loss of vital data;
o Plan, document and test the disaster recovery plan to ensure that it will be
effective in the event of a disaster.

o Physical environment:
   - Protection against the elements
   - Fire: extinguishers etc.
   - Water: away from water pipes
   - Power: backup supply
   - Environment: air-con etc.
o Emergency plan & disaster recovery procedures
   - Establish procedures / responsibilities
   - Prepare list of files & data to be recovered
   - Provide alternative processing facilities
   - Plan, document & test the disaster recovery plan
o Backups
   - Regular backups on a rotational basis
   - On-line / real-time backups
   - Store backup files on separate premises
   - Hardware backup facilities
   - Store in fireproof safe
   - Retention of files / records for required times
o Other controls
   - Adequate insurance
   - No over-reliance on staff
   - Virus protection / prevention
   - Physical security
   - Cable protection
o Personnel controls
   - Segregation of duties
   - Job rotation
   - Hiring / firing procedures
   - Employment contracts
   - Use of hardware / software
   - Confidentiality

PART E: QUESTIONS RELATING TO THE TOPIC

QUESTION BANK

Refer to the question bank at the back of the module.

SOLUTIONS TO QUESTION BOOK QUESTIONS

These are included at the end of each module. The solutions will also be available on
Edulink NextGen after the completion of the module.
