Controls in CIS
CIS reviewer
Uploaded by magnayejohnlemar

CLASSIFICATION OF INTERNAL CONTROL PROCEDURES IN A
CIS ENVIRONMENT
Internal Controls
Measures taken to detect and prevent losses due to fraud or negligence; there are several well-established procedures for doing so.
Policies and procedures put in place to ensure the continued reliability of accounting systems.
INTERNAL CONTROL PROCEDURES
Separation of Duties
Involves splitting responsibility for bookkeeping, deposits, reporting and auditing. The further duties are separated, the less chance any single employee has of committing and concealing a fraudulent act without colluding with someone else.
Access Controls
Controlling access to different parts of an accounting
system via passwords, lockouts and electronic access
logs can keep unauthorized users out of the system
while providing a way to audit the usage of the system to
identify the source of errors or discrepancies.
Physical Audits
Physical audits include hand-counting cash and any
physical assets tracked in the accounting system, such
as inventory, materials and tools.

Standardized Documentation
Standardizing documents used for financial
transactions, such as invoices, internal materials
requests, inventory receipts and travel expense reports,
can help to maintain consistency in record keeping over
time.
Trial Balances
Using a double-entry accounting system adds reliability
by ensuring that the books are always balanced.

Periodic Reconciliations
Ensures that balances in your accounting system match
up with balances in accounts held by other entities,
including banks, suppliers and credit customers.
Approval Authority
Requiring specific managers to authorize certain types of transactions adds a layer of accountability to the accounting records by proving that transactions have been seen, analyzed and approved by the appropriate authorities.
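The separation-of-duties, access-control and approval-authority procedures above can be enforced programmatically rather than left to paperwork. The following is an added example, not code from the reviewer: it refuses approval by the person who prepared a transaction, refuses approval above an assumed per-role limit, and writes every decision (allowed or refused) to an electronic access log so that a later audit can trace who did what. The role names, the limits and the sample transaction are constructed for the example.

```python
from datetime import datetime, timezone

# Assumed roles and approval limits for this example (not from the reviewer):
# the amount up to which each role may approve a transaction.
ROLE_APPROVAL_LIMIT = {"clerk": 0, "supervisor": 5_000, "controller": 50_000}

# Electronic access log: one entry per authorization decision, allowed or not,
# so that the source of an error or discrepancy can later be traced to a user.
ACCESS_LOG = []


def log_decision(user, action, txn_id, allowed, reason):
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "txn": txn_id,
        "allowed": allowed,
        "reason": reason,
    }
    ACCESS_LOG.append(entry)
    return entry


def can_approve(user, role, txn):
    """Return (allowed, reason) for `user` approving `txn`.

    Separation of duties: the person who prepared the transaction may never
    be the one who approves it, whatever their role.
    Approval authority: the approver's role must carry a limit that covers
    the transaction amount.
    """
    if user == txn["prepared_by"]:
        return False, "preparer may not approve own transaction"
    limit = ROLE_APPROVAL_LIMIT.get(role)
    if limit is None:
        return False, f"unknown role {role!r}"
    if txn["amount"] > limit:
        return False, f"amount {txn['amount']} exceeds {role} limit {limit}"
    return True, "ok"


def approve(user, role, txn):
    """Apply the decision, record it in the access log, and return it."""
    allowed, reason = can_approve(user, role, txn)
    log_decision(user, "approve", txn["id"], allowed, reason)
    if allowed:
        txn["approved_by"] = user
    return allowed


if __name__ == "__main__":
    # Constructed transaction: prepared by alice, so alice cannot approve it.
    payment = {"id": "PAY-1", "prepared_by": "alice", "amount": 3_000}
    print(approve("alice", "supervisor", payment))  # False: same person
    print(approve("bob", "clerk", payment))         # False: clerk limit is 0
    print(approve("bob", "supervisor", payment))    # True
    for entry in ACCESS_LOG:
        print(entry["user"], entry["allowed"], entry["reason"])
```

Refusals are logged as well as approvals: a run of refused attempts by one user is exactly the pattern an auditor wants to see, and a log that records only successes cannot show it.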
CLASSIFICATION OF GENERAL
CONTROLS
General Controls
Measures that ensure that a company's control environment is stable and well managed. These controls provide reasonable assurance that the development of, and changes to, computer programs are authorized, tested and approved prior to their use.
General controls are classified into:
1. ORGANIZATION AND OPERATION CONTROLS
2. SYSTEMS DEVELOPMENT AND DOCUMENTATION
CONTROLS
3. HARDWARE & SOFTWARE CONTROLS
ORGANIZATION AND OPERATION
CONTROLS
Systems analysis
The systems analyst analyzes the present user environment
and requirements and may:
1. recommend specific changes,
2. recommend the purchase of a new system, or
3. design a new information system
A system flowchart is a tool used by the analyst to define the
system requirements.
Systems programming
The systems programmer is responsible for implementing, modifying, and debugging the software necessary for making the hardware work (such as the operating system, the telecommunications monitor, and the database management system).
Applications programming
The applications programmer is responsible for writing, testing, and debugging the application programs from the specifications (whether general or specific) provided by the systems analyst.
A program flowchart is one tool used by the applications programmer to define the program logic.
Database administration
In a database environment, a database administrator is
responsible for maintaining the database and restricting
access to the database to authorized personnel.
Data preparation
Data may be prepared by user departments and input by key
to magnetic disk or magnetic tape.
Operations
The operator is responsible for the daily computer
operations of both the hardware and the software.
Data library
The librarian is responsible for custody of the removable
media and for the maintenance of program and system
documentation.
SYSTEMS DEVELOPMENT AND
DOCUMENTATION CONTROLS
Review, Testing and Approval of New Systems
The basic principles of these controls are that:
Systems design should include representatives of the user department, the accounting department and internal audit.
Each proposed system should have written specifications that are approved by management and by the user department.
Systems testing should involve both the user department and the computer department.
The computer manager, the user department, the database administrator and the appropriate level of management should give final approval to the new system before it is placed into operation, after reviewing the completeness of the documentation and the results of testing.
Parallel Running
Parallel running refers to running the new and the old system alongside each other for a specified period of time, say a month. This is important because:
1. It gives users the opportunity to familiarize themselves with the new system while the old system is still available for comparison.
2. It gives programmers the opportunity to sort out any problems with the new system before the old one is withdrawn.
Documentation Procedures
Adequate documentation is important to both the auditor and management. For management, documentation provides a basis for:
1. Reviewing the system prior to authorization.
2. Implementing smooth personnel changes and avoiding the problem that key employees might take with them all the knowledge of how the system works.
3. Reviewing existing systems and programs.
For the auditor, documentation is necessary for the preliminary evaluation of the system and its controls.
HARDWARE & SOFTWARE CONTROLS
Password management
Passwords are designed to be a security mechanism that is simple enough for average users while being secure enough for most applications. Passwords are used to protect data, systems, and networks. A password is typically combined with a username.
Identification is the presentation of a user identity (the username) to the system; the password is then used to authenticate that claimed identity.
Forms of Password:
Personal Identification Number (PIN) - a short (4 - 6 digit) numerical password.
Passphrase - a sequence of words that serves as a password. An example of a passphrase is "Wow!!!thisis#1clasatschooL."
The security of passwords depends on the inability of intruders to guess (or otherwise obtain) them.
Two sets of password guidelines:
Complexity of the password itself.
Diversity of passwords, so that a password stolen from one resource cannot be used at another resource.
Password management is the process of defining, implementing, and maintaining password policies throughout an enterprise. Effective password management reduces the likelihood that systems using passwords will be compromised.
Password Threats
Password capturing is the ability of an attacker to acquire a password from storage, from transmission, or from user knowledge and behavior.
Password guessing - an intruder makes repeated attempts to authenticate using possible passwords such as default passwords and dictionary words. It can be attempted by any attacker with access to the login prompt on the target system.
Password cracking is the process of generating a character string that matches an existing password string on the targeted system. It can only be attempted by an attacker who already has access to the hashed or encrypted versions of the saved passwords. Because cracking is performed offline, login lockouts do not slow it down; only the strength of the password and the use of a slow, salted hash function limit it.
Password replacing is the substitution of the user's existing password with a password known to the attacker.
Compromised passwords are passwords on the system that are known to unauthorized users. Once such a password is known, it may be exploited to launch further attacks: social engineering, changing the permissions on sensitive files, etc.
Password Management Recommendations
A password policy is a set of rules for using passwords. For users, the password policy specifies what kinds of passwords are allowed; for example, password length and complexity rules fall in this category.
Password expiration specifies the duration for which a password may be used before it must be changed. Password expiration reduces the window in which a compromised password can be used productively, but it does not prevent the compromise itself; current guidance (NIST SP 800-63B) favours forcing a change when there is evidence of compromise over routine expiry.
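The password policy, the guessing threat and the "lockouts" mentioned under Access Controls fit together in code. The following is an added example, not code from the reviewer: a policy check (length, character classes, a default/dictionary word list), salted iterated hashing of the stored password so that a copied password file must be cracked offline rather than read, and an account that locks after repeated failed guesses at the login prompt. The policy thresholds, the banned-word list and the PBKDF2 iteration count are assumptions chosen for the example; the passphrase used at the end is the one from the reviewer.

```python
import hashlib
import hmac
import os
import string

# Assumed policy values for this example (not from the reviewer).
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
# Constructed stand-in for a default-password / dictionary list.
BANNED_WORDS = {"password", "admin", "123456", "welcome", "changeme"}
MAX_FAILED_ATTEMPTS = 5
PBKDF2_ITERATIONS = 100_000


def check_policy(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    lowered = password.lower()
    if any(word in lowered for word in BANNED_WORDS):
        problems.append("contains a default or dictionary word")
    return problems


def hash_password(password):
    """Store a salted, iterated hash rather than the password itself, so an
    attacker who copies the password file must crack it offline."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(record, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class Account:
    """A user account that enforces the policy at enrolment and locks out
    after repeated failed guesses at the login prompt."""

    def __init__(self, username, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.username = username
        self.record = hash_password(password)
        self.failed = 0
        self.locked = False

    def login(self, candidate):
        if self.locked:
            return False
        if verify_password(self.record, candidate):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    print(check_policy("password123"))  # three violations
    acct = Account("jdoe", "Wow!!!thisis#1clasatschooL.")
    for guess in ["admin", "welcome1", "changeme", "123456", "letmein"]:
        acct.login(guess)
    print(acct.locked, acct.login("Wow!!!thisis#1clasatschooL."))  # True False
```

The lockout counters the online guessing threat only; it has no effect on an attacker who already holds the hashed password file, which is why the hash is salted and iterated. A real deployment would also persist the failure counter and the lock state outside the process and unlock after a timeout or an administrator action.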
CLASSIFICATION OF
APPLICATION CONTROLS
Application controls
The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the accounting records and the validity of the entries made in them as a result of both manual and programmed processing. They relate to the transactions and standing data of each computer-based accounting system and are therefore specific to each such application.
Application controls are generally divided into input controls, processing controls and output controls.

INPUT CONTROLS
Most errors in computer accounting systems can be
traced to faulty input. Controls over the completeness and
validity of all input are therefore vital. These include controls
over data conversion, controls over rejections and the
correction and the reprocessing of the rejections, batch
controls and computer edit controls.
Completeness
These controls ensure that all transactions are recorded: that all sales, for example, are recorded in the cash register, or that all purchase invoices are posted to the accounting records. They are particularly important over the recording of revenue and the receipt of assets.
Validity
Controls over validity ensure that only actual transactions that have been properly authorised are recorded. These controls are most important over the recording of liabilities such as wages, creditors, etc. As in a manual system, control is established by written authorisation on input documents, such as the departmental manager's signature on employees' time cards.
Data Conversion
There must be controls to ensure that all data on source documents is properly entered into the computer. In the early days, when entry was by punched card, each card was verified as punched by a second machine operator. Now that most data is entered using a keyboard or a terminal, other controls, such as batch totals and programmed edit checks, are more common.
PROCESSING CONTROLS
Processing controls ensure that transactions are:
Processed by the right programs.
Processed to the right master files.
Not lost, duplicated or otherwise improperly altered during processing.
and that processing errors are identified and corrected.
Processing controls include:
Program file identification procedures, which check whether the right master files are in use.
Physical file identification procedures, in the form of labels physically attached to files or diskettes, to ensure that the right files are in use.
Limit and reasonableness tests applied to data arising as a result of processing.
Sequence tests over pre-numbered documents.
Control totals which are progressively expanded as the data is processed: for example, the hash total of quantities shipped can be expanded to a gross sales total as items are priced, and to a net sales total as customer discounts are determined. These totals should be carried forward with the transaction data as run-to-run totals, each run checking the totals it receives before adding its own.
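The batch controls named under Input Controls and the processing controls listed above (sequence tests, limit tests, and control totals expanded run-to-run) can be shown on one constructed batch. The following is an added example, not code from the reviewer: a hash total of quantities and a record count accompany the batch on input; the pricing run refuses the batch if those totals no longer agree, then expands them with a gross total; the discount run recomputes everything carried forward before adding the net total. The document numbers, prices, discounts and the quantity ceiling are assumptions made for the example.

```python
from decimal import Decimal

# Constructed batch of shipment lines for this example (not from the reviewer):
# pre-numbered despatch documents with quantity, unit price and discount rate.
BATCH = [
    {"doc": 1001, "qty": 10, "price": Decimal("2.50"), "discount": Decimal("0.10")},
    {"doc": 1002, "qty": 4, "price": Decimal("20.00"), "discount": Decimal("0.00")},
    {"doc": 1003, "qty": 7, "price": Decimal("3.00"), "discount": Decimal("0.05")},
]
MAX_QTY = 1_000  # assumed ceiling for the limit test


def batch_header(records):
    """Control totals that accompany the batch on input: a record count and a
    hash total of quantities (meaningless as a figure, useful as a check)."""
    return {"count": len(records), "qty_hash": sum(r["qty"] for r in records)}


def check_sequence(records):
    """Sequence test over pre-numbered documents: return (missing, duplicate)
    document numbers within the range present in the batch."""
    nums = sorted(r["doc"] for r in records)
    if not nums:
        return [], []
    expected = set(range(nums[0], nums[-1] + 1))
    missing = sorted(expected - set(nums))
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    return missing, duplicates


def limit_test(records):
    """Limit/reasonableness test: documents whose quantity is outside bounds."""
    return [r["doc"] for r in records if not 0 < r["qty"] <= MAX_QTY]


def pricing_run(records, header):
    """Run 1: reject the batch if its records no longer agree with the input
    control totals, then price each line and expand the totals with gross."""
    if batch_header(records) != header:
        raise ValueError("input control totals do not agree with the batch")
    priced = [dict(r, gross=r["qty"] * r["price"]) for r in records]
    totals = dict(header, gross=sum(p["gross"] for p in priced))
    return priced, totals


def discount_run(priced, totals):
    """Run 2: recompute the run-to-run totals carried forward (count, hash,
    gross) from the records actually received, then expand them with net."""
    recomputed = dict(batch_header(priced), gross=sum(p["gross"] for p in priced))
    if any(recomputed[k] != totals[k] for k in recomputed):
        raise ValueError("run-to-run totals do not agree")
    netted = [dict(p, net=p["gross"] * (1 - p["discount"])) for p in priced]
    return netted, dict(totals, net=sum(n["net"] for n in netted))


if __name__ == "__main__":
    header = batch_header(BATCH)
    priced, t1 = pricing_run(BATCH, header)
    netted, t2 = discount_run(priced, t1)
    print(t2)  # count 3, qty_hash 21, gross 126.00, net 122.4500
    print(check_sequence(BATCH + [dict(BATCH[0], doc=1005)]))  # ([1004], [])
```

A record dropped or duplicated between runs changes the count, the hash total or the gross, and the next run rejects the batch before it posts anything; that is the whole point of carrying the totals forward rather than trusting each run's input. Decimal is used for money so that the totals agree exactly rather than within floating-point error.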
OUTPUT CONTROLS
Output controls are necessary to ensure that:
All input received is reflected in the output.
The results of processing are accurate.
Output is distributed only to the appropriate personnel.
Output checklists ensure that all expected reports are produced and forwarded to the relevant department or personnel.
Controls over master files and standing data
These are aimed at ensuring the completeness, accuracy and authorization of amendments to master files and standing data files. These controls are similar to controls over input; e.g. controls to prevent the deletion of any account which contains a current running balance. Once standing data has been written onto a master file, it is important that there are adequate controls to ensure that the data remains unaltered until an authorised change is made.
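Both of the master-file controls just described, refusing to delete an account that carries a running balance and detecting any change to standing data that did not come through an authorised amendment, can be implemented directly. The following is an added example, not code from the reviewer: every authorised write tags the record with an HMAC, a verification pass reports any record whose content no longer matches its tag, and deletion is refused while the balance is non-zero. The HMAC technique, the key, the field names and the sample accounts are assumptions made for the example; in practice the key would be held outside the application so that whoever can edit the file cannot also re-tag it.

```python
import hashlib
import hmac
import json

# Assumed key for this example; in practice it would be held in a key store
# and released only to the authorised amendment program (not from the reviewer).
MASTER_KEY = b"example-master-file-key-not-for-production"
STANDING_FIELDS = {"name", "credit_limit"}  # fields changeable by amendment;
                                            # the balance is transaction data


def integrity_tag(record):
    """HMAC over the canonical JSON form of one master-file record."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(MASTER_KEY, payload, hashlib.sha256).hexdigest()


class MasterFile:
    """Customer master file whose records are tagged on every authorised
    write, so that any other alteration is detectable, and whose accounts
    cannot be deleted while they carry a running balance."""

    def __init__(self):
        self.accounts = {}
        self.tags = {}

    def add(self, acct_no, name, credit_limit, balance=0):
        record = {"name": name, "credit_limit": credit_limit, "balance": balance}
        self.accounts[acct_no] = record
        self.tags[acct_no] = integrity_tag(record)

    def verify(self):
        """Accounts whose stored record no longer matches its tag, i.e. data
        altered by something other than an authorised amendment."""
        return [a for a, r in self.accounts.items()
                if not hmac.compare_digest(integrity_tag(r), self.tags[a])]

    def amend(self, acct_no, field, value, approved_by):
        if not approved_by:
            raise PermissionError("standing data amendment requires an approver")
        if field not in STANDING_FIELDS:
            raise ValueError(f"{field!r} is not standing data")
        if acct_no in self.verify():
            # Refuse to re-tag a record that was already altered outside
            # this path; that would launder the unauthorised change.
            raise ValueError("record was altered outside authorised amendment")
        self.accounts[acct_no][field] = value
        self.tags[acct_no] = integrity_tag(self.accounts[acct_no])

    def delete(self, acct_no, approved_by):
        if not approved_by:
            raise PermissionError("deletion requires an approver")
        if self.accounts[acct_no]["balance"] != 0:
            raise ValueError("account carries a running balance; deletion refused")
        del self.accounts[acct_no]
        del self.tags[acct_no]


if __name__ == "__main__":
    mf = MasterFile()
    mf.add("C001", "Acme Ltd", credit_limit=10_000, balance=150)
    mf.accounts["C001"]["credit_limit"] = 999_999   # direct edit, not via amend()
    print(mf.verify())                               # ['C001']
```

The verification pass is the detective half of the control and would be run before each processing cycle; the approver check and the balance check are the preventive half.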
