General Computer Control Slides

General Control

Uploaded by mahlanguthemby0

General Computer Controls

Governance and Control


Cycles and how they integrate

Cycles in a business:
1. Finance and Investment;
2. Bank and Cash;
3. Purchases and Payments;
4. Production and Inventory;
5. Revenue and Receipts;
6. Payroll.

Shown around the cycle diagram: Risk management; Computers – application controls.
General Computer Controls: Sources

• Pre-reading;
• Module;
• Question bank;
• Lectures;
• Objective tests on uLink.

Introduction
Why should you have knowledge of computers and controls? Because in a Computer Information
System (CIS) there are various risks and threats, and you will have to assist your client in
implementing controls to mitigate the risks.

Auditors and internal auditors must have knowledge of the use of computers to ensure they can assess and evaluate general controls.

The controls we can implement are either general controls or application controls.

General controls are the basic controls you implement to ensure, for example, that unauthorised access cannot be obtained. This is where you implement access controls.

Application controls are the controls built into the computer programme itself, so that each application is controlled as fully as possible.
CIS Environment
The CIS environment:

Computerised environment:
• The user changes from preparer / processor of data to user of output;
• Computers are used to enhance controls;
• Saves time and eases workload.
Creates certain dangers:
• Disasters;
• Unauthorised access;
• Intentional damage;
• Unintentional errors;
• Therefore controls are needed.
CIS Environment
The CIS environment:
Potential threats:
• Natural disasters: floods, fire, storms, heat waves.
• Man-made disasters: terrorism, war.
• Intentional damage: fraud, hacking.
• Unintentional error: human error.
Computer crime definition
The act of using a computer to commit an illegal act.

“…any criminal activity involving the copy of, use of, removal of, interference with, access to,
manipulation of computer systems, and/or their related functions, data or programs.”

"crimes where the computer is a major factor in committing the criminal offense" ["FBI Computer"]
Forms of computer crime
Computer crime can take the form of:

• Theft of money, e.g. the transfer of payments to the wrong account;
• Theft of information, e.g. tapping into data transmission lines or databases;
• Theft of goods by their diversion to the wrong destination;
• Theft of computer time, etc.
CIS Environment
General controls:

• Expected in any CIS environment;
• Umbrella controls under which each application will operate;
• To provide assurance that overall objectives of internal control are achieved;
• To ensure that the computer system is properly developed, implemented and maintained.
7 General controls and objectives:
1. System development & implementation controls:
• To ensure a self-developed or purchased system is properly developed, authorised and meets users' needs.
2. Systems maintenance:
• To ensure changes to the system are authorised, meet users' needs and are made effectively.
3. Organisational and management controls:
• Organisational framework such as SOD (segregation of duties), supervision and review, and virus protection.
4. Access controls:
• Prevent unauthorised changes to programs, data, terminals & files.
5. Computer operating controls:
• Ensuring procedures are applied correctly & consistently during processing.
6. System software controls:
• To ensure installation, development and maintenance of software packages are authorised and effective.
7. Business continuity:
• Prevent/limit system interruption (downtime).
Explanation of each of these controls (1-7) in detail:
1. System development and implementation controls
In terms of system development, you have 2 options:
1. Self-developed system; or
2. Purchased package.

A self-developed system consists of 5 sub-sections (as explained below from a-e):
a. Project authorisation and management;
b. System specification and user needs;
c. System design and programming standards;
d. Testing of new system;
e. Conversion to new system.

(These 5 sections will be discussed in detail in the following slides)
1. System development and implementation controls
a) Project authorisation and management:
• The project should be authorised and managed properly;
• There should be a development plan that is fully authorised;
• The IT steering committee, which is made up of senior management from both user and computer departments, should authorise the project/development.
• The steering committee must ensure that:
• The project is authorised;
• Timetables are adhered to;
• Budgets are achieved;
• Quality requirements are met.
1. System development and implementation controls
a) Project authorisation and management:
There should be involvement from the following departments during development:
• User department:
• To ensure that departmental requirements are incorporated into the new system;
• Internal / external auditors must be involved in the process to ensure proper controls are
implemented.
• Data processing department:
• To assist/ensure technical soundness;
• To ensure the system is compatible with other systems;
• To test all operational aspects.
• Quality control department:
• Ensure the correct standard of design is used;
• To ensure proper testing is done;
• To ensure that the programme is documented.
1. System development and implementation controls

a) Project authorisation and management:

• A feasibility study should be performed to determine if the company should buy / self-develop a
programme. A cost versus benefit analysis should also be done.
• A project team will do the following:
• The day to day management of the project;
• Ensure the project is developed in stages;
• Prepare timetables for each stage of the development.
• Project should be authorised after feasibility study is conducted.

1. System development and implementation controls
b) System specification and user needs
Here you will define the way the system must work to ensure it will meet the specifications of the
users and the business.

There are two methods of specifying systems:

1. Traditional method:
• Written systems specification by means of discussions between the data processing department and users.
2. Prototype systems:
• Design a prototype;
• Allow the user department to try it out;
• Refine the design through a series of prototypes.
1. System development and implementation controls

c) System design and programming standards:

These standards will:

• Ensure the system interacts properly with existing systems and system software;
• Ensure that appropriate control-related programmed procedures are built in;
• Ensure there is supervision over system design;
• Ensure the system complies with predetermined standards;
• Ensure design and programming are always done in a program library and never on live data.
1. System development and implementation controls
d) Testing
Testing of a self-developed system should be carried out in 3 stages:
1. Program testing:
Checking the logic of each program against its specification.
2. System testing:
Ensure the logic of the various individual programs links together to form a system in line with the detailed system description.
3. Live testing:
Parallel running:
• Run the new system in parallel with the old system;
• Problem: cost of double processing, difficulty of comparison (e.g. the new system produces additional information).
Pilot running:
• Introduce the system for only a small portion of the business.
1. System development and implementation controls
e) System conversion:
General controls during conversion to the new system (self developed / purchased):
I. Planning and preparation;
II. Control over conversion of data by data control group;
III. Update system documentation;
IV. Testing;
V. Backup of new system;
VI. Post-implementation review.
Explanation of the above to follow on the following slides.

1. System development and implementation controls
e) System conversion:
I. Planning and preparation:
• Prepare timetables for conversion;
• Define methods used (e.g. parallel / pilot);
• Determine cut-off dates;
• Prepare data files for conversion (e.g. Standing data);
• Training of staff;
• Balance files on old system ;
• Prepare premises (constant power / air-con).

II. Control over conversion of data by data control group:
• Supervision by senior management;
• Auditor involvement.

III. Update system documentation:
• System flowcharts;
• System descriptions;
• Operating manuals.
1. System development and implementation controls
e) System conversion:

IV. Testing:
• Balancing old files with new files;
• Third party confirmations;
• Follow up of exception reports;
• Comparison with data run on old system (parallel);
• Manual comparison of data;
• Approval by users.

V. Backup of new system.

VI. Post-implementation review.

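The conversion tests above (balancing old files with new files, comparing with data run on the old system, following up exception reports) can be automated with a small reconciliation script. The following is an added example and not part of the slides: the record layout (one "account,balance" line per account) and the two ledger extracts are constructed here for illustration. It also shows why matching control totals alone are not enough: every account is compared individually.

```python
"""Reconcile account balances converted from the old system to the new one.

Added example, not from the slides. The 'account,balance' line layout and
the two extracts below are constructed sample data.
"""
from decimal import Decimal


def parse_extract(text: str) -> dict:
    """Parse 'account,balance' lines into {account: Decimal}.

    Decimal (not float) keeps cents exact, so a 5c difference is reported as
    exactly 0.05 rather than 0.04999999.
    """
    balances = {}
    for line in text.strip().splitlines():
        acct, bal = (part.strip() for part in line.split(","))
        if acct in balances:
            raise ValueError(f"duplicate account {acct} in extract")
        balances[acct] = Decimal(bal)
    return balances


def reconcile(old: dict, new: dict) -> dict:
    """Control totals plus a per-account exception report.

    Matching grand totals are not enough: two errors can cancel out, so every
    account is compared individually and each difference becomes an exception
    for the data control group to follow up.
    """
    exceptions = []
    for acct in sorted(set(old) | set(new)):
        if acct not in new:
            exceptions.append((acct, "missing in new system", old[acct], None))
        elif acct not in old:
            exceptions.append((acct, "not in old system", None, new[acct]))
        elif old[acct] != new[acct]:
            exceptions.append((acct, "balance differs", old[acct], new[acct]))
    return {
        "old_total": sum(old.values(), Decimal(0)),
        "new_total": sum(new.values(), Decimal(0)),
        "old_count": len(old),
        "new_count": len(new),
        "exceptions": exceptions,
    }


# Constructed sample extracts: a debtors ledger before and after conversion
OLD_EXTRACT = """
1000, 1500.00
1010, 250.50
1020, -75.25
2000, 900.00
"""
NEW_EXTRACT = """
1000, 1500.00
1010, 250.05
2000, 900.00
3000, 10.00
"""


def run_conversion_check() -> dict:
    """Reconcile the two constructed extracts; balanced only if no exceptions."""
    report = reconcile(parse_extract(OLD_EXTRACT), parse_extract(NEW_EXTRACT))
    report["balanced"] = (
        not report["exceptions"] and report["old_total"] == report["new_total"]
    )
    return report


if __name__ == "__main__":
    r = run_conversion_check()
    print(f"old total {r['old_total']} / new total {r['new_total']}")
    for exc in r["exceptions"]:
        print("EXCEPTION:", exc)
```

Each exception line carries the account, the type of difference and both balances, which is the minimum the data control group needs to trace the item back to the conversion run and obtain user approval once it is resolved.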
1. System development and implementation controls
2. A purchased package system consists of 2 sub-sections (as explained below from a-b):
a) Specification and selection of packages;
b) Implementation and testing of packages.

General important information to consider when purchasing a package:

Package must meet user requirements:
• Prepare a statement of requirements;
• Measure available packages against the requirements.
Keep in mind:
• Minimum changes should be made to the package;
• If modifications are necessary, use the normal rules w.r.t. system development;
• Possibility of future amendments (e.g. tax updates);
• Quality of maintenance service from the supplier.
Purchased package: explanation of each of these controls (a-b) in detail:
1. System development and implementation controls

a) Specification and selection of package:

• Discussions with other users;
• Observing operation of package;
• Questioning other users of package:
• Facilities offered by program;
• Freedom from program errors;
• Speed and efficiency;
• Ease of use;
• Quality of support.

1. System development and implementation controls

b) Implementation and testing of package:

• Testing:
• Independent testing;
• Review of experiences of other users.
• Implementation:
• Involvement of:
• User departments;
• Data processing;
• Management;
• Quality assurance.

1. System development and implementation controls

Advantages of purchased systems:

• Less implementation time (immediate implementation);
• Lower cost, and the cost is predetermined;
• Tested thoroughly – thus very reliable.

Disadvantages of purchased systems:

• Dependent on vendors for maintenance;
• Too general / inflexible to cater for specific needs;
• Changes and maintenance difficult/impossible;
• Written overseas (VAT and tax differ).
2. System maintenance controls
Why do we need system change controls? To ensure that all changes we make to our systems are:
• Complete;
• Valid;
• Properly tested;
and that all information is backed up and recovery procedures are in place.
2. System maintenance controls

Objective: To ensure changes to the system are authorised and meet the users' needs.

Some examples of these types of controls are (see this as a process):

• Change forms are to be pre-numbered and locked away when not required;
• Any change requests made by the users of the system must be approved by the Line Manager of the
user and a reason as to why the change is necessary must be provided;
• All change forms need to be signed by Management or the Computer Steering Committee prior to
the change being effected;
• After the change has been made, an IT expert is to test the change to determine if it has been made
as per the approved change request and is working effectively.
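The four bullets above describe a sequence that can be enforced rather than merely documented. The following added example, not from the slides, models a pre-numbered change form that refuses to be effected until the earlier steps have been evidenced, plus a register that lists forms issued but never carried through (the gap an auditor follows up when checking the numbered sequence). Role names and form numbers are constructed.

```python
"""Change-control process from slide 28, enforced rather than just documented.

Added example, not from the slides. The role names, form numbers and the
in-memory form register are constructed for illustration.
"""
from dataclasses import dataclass, field


class ChangeControlError(Exception):
    """A step attempted out of order or without the evidence it needs."""


@dataclass
class ChangeRequest:
    form_no: int                      # pre-numbered change form
    requester: str
    description: str
    reason: str = ""                  # why the change is necessary
    line_manager_approval: str = ""   # user's line manager
    committee_signoff: str = ""       # management / computer steering committee
    effected: bool = False
    test_result: str = ""             # IT expert's test after the change
    history: list = field(default_factory=list)

    def approve_by_line_manager(self, manager: str, reason: str) -> None:
        if not reason.strip():
            raise ChangeControlError("line manager must record why the change is necessary")
        self.reason = reason
        self.line_manager_approval = manager
        self.history.append(f"approved by line manager {manager}: {reason}")

    def sign_off(self, signatory: str) -> None:
        if not self.line_manager_approval:
            raise ChangeControlError("sign-off requires prior line manager approval")
        self.committee_signoff = signatory
        self.history.append(f"signed off by {signatory}")

    def effect_change(self) -> None:
        if not self.committee_signoff:
            raise ChangeControlError("change cannot be effected before sign-off")
        self.effected = True
        self.history.append("change effected")

    def record_test(self, tester: str, passed: bool) -> None:
        if not self.effected:
            raise ChangeControlError("nothing to test: change not yet effected")
        self.test_result = f"{'PASS' if passed else 'FAIL'} by {tester}"
        self.history.append(self.test_result)

    def is_complete(self) -> bool:
        return bool(self.line_manager_approval and self.committee_signoff
                    and self.effected and self.test_result.startswith("PASS"))


class FormRegister:
    """Issues pre-numbered forms so that a missing or incomplete form shows up."""

    def __init__(self, first_no: int = 1) -> None:
        self._next = first_no
        self.issued = {}   # form_no -> ChangeRequest

    def issue(self, requester: str, description: str) -> ChangeRequest:
        cr = ChangeRequest(self._next, requester, description)
        self.issued[self._next] = cr
        self._next += 1
        return cr

    def unaccounted_forms(self) -> list:
        """Forms issued but not carried through all steps: the auditor's follow-up list."""
        return [n for n, cr in sorted(self.issued.items()) if not cr.is_complete()]


def run_demo() -> dict:
    """Form 101 follows the process; form 102 tries to skip the approvals."""
    reg = FormRegister(first_no=101)
    cr1 = reg.issue("payroll clerk", "add new allowance code")
    cr2 = reg.issue("debtors clerk", "change statement layout")
    cr1.approve_by_line_manager("payroll manager", "new allowance agreed with HR")
    cr1.sign_off("computer steering committee")
    cr1.effect_change()
    cr1.record_test("IT expert", passed=True)
    try:
        cr2.effect_change()
        blocked = False
    except ChangeControlError:
        blocked = True
    return {"form101_complete": cr1.is_complete(),
            "form102_blocked": blocked,
            "unaccounted": reg.unaccounted_forms()}


if __name__ == "__main__":
    print(run_demo())   # {'form101_complete': True, 'form102_blocked': True, 'unaccounted': [102]}
```

The `history` list on each form is the evidence trail an auditor would inspect; the register's sequence check is the programmatic equivalent of counting the locked-away pre-numbered forms.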

3. Organisational and management controls
There should be proper reporting levels;
IT Governance (King IV) should be adhered to/implemented;
Management should be committed to controls such as:
Segregation of duties;
Controls against viruses;
Data file protection;
Staff should be informed of dangers;
Supervision and Review.

3. Organisational and management controls
Objective: Organisational framework such as segregation of duties (SOD), supervision and review and virus
protection.

Examples of these types of controls include, but are not limited to the following:
• Computer department is to be represented on the Board of Directors/Governing Body;
• CIS manager should report to senior management;
• Top Management should be committed to controls and to implement management controls such as establishing
an Internal Audit department;
• Computer steering committee set IT policies and exercise control over IT activities;
• The rotation of operator duties;
• System development staff not assigned to operator duties;
• At least two operators per shift (scheduling of staff);
• Staff should take regular leave;
• Training of staff and career development;
• Supervision and review.
3. Organisational and management controls
Controls against computer viruses
• Software protection:
• Software purchases should be made from a reputable supplier;
• Take care with the use of "free" or "public domain" programs;
• Do not lend out program disks;
• Do not use illegal copies.
• Data file protection:
• Install virus detection software;
• Test data files for viruses before use;
• Regular backups.

3. Organisational and management controls
Staff:
• Inform staff members of the dangers;
• Train users of microcomputers;
• Reporting procedures in case of infection;
• Limit the use of microcomputers to authorised staff.

Supervision and review:
• By CIS manager, divisional managers, section heads;
• System investigations by internal and external audit.
4. Access controls
Objective: Restrict unauthorised access to terminals and data

Programmed access controls:

1. Terminals
2. Identification of users
3. Authorisation of users
4. Monitoring of access & processing
5. Communication lines & networks
6. Password control
7. Programme libraries
8. Utilities

Explanation of the above on the following slides.
4. Access controls
Programmed controls:
1. Terminals:
• TINs (Terminal identification numbers) (Username);
• Limited access to system (to specific applications);
• Automatic log off after 5 minutes of non-use;
• Shut down after 3 unsuccessful login attempts;
• Limited to 1 workstation log on;
• Investigation into each disconnection;
• Simultaneous login prohibited.
2. Identification of users:
• User IDs & passwords;
• Verify IP address;
• Magnetic cards;
• Voice recognition / fingerprints (use of biometric data).
4. Access controls
Programmed controls continue:
3. Authorisation of users:
• Logon IDs;
• Passwords;
• Multilevel passwords;
• User matrixes;
• Passwords for specific authorised levels.
4. Monitor access and processing:
• Audit trails reviewed for daily activities;
• Console logs and activity registers;
• Application software (unauthorised access);
• Firewalls.
5. Communication lines and networks:
• Passwords;
• Dial & dial back;
• Identification data;
• Different routes for sensitive data;
• Encryption of data.
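The terminal controls on slide 34 (automatic log-off after 5 minutes of non-use, shutdown after 3 unsuccessful login attempts, one workstation per user, investigation of each disconnection) and the daily audit-trail review on slide 35 can be modelled together. The following added example is not part of the slides: the event names, the two thresholds as constants and the constructed login sequence in `run_demo()` are assumptions made here.

```python
"""Terminal controls (slide 34) and access monitoring (slide 35) in one model.

Added example, not from the slides. The event names, the constants below and
the constructed login sequence in run_demo() are assumptions made here.
"""
from dataclasses import dataclass, field

MAX_FAILED_LOGINS = 3          # slide: shut down after 3 unsuccessful attempts
IDLE_LOGOFF_SECONDS = 5 * 60   # slide: automatic log off after 5 minutes of non-use


@dataclass
class Session:
    terminal: str       # terminal identification number (TIN)
    last_activity: int  # seconds since start of shift (constructed clock)


@dataclass
class AccessMonitor:
    failed: dict = field(default_factory=dict)     # user -> consecutive failures
    locked: set = field(default_factory=set)       # users shut down after 3 failures
    sessions: dict = field(default_factory=dict)   # user -> Session (one per user)
    audit_trail: list = field(default_factory=list)

    def _log(self, t: int, user: str, terminal: str, event: str) -> None:
        self.audit_trail.append((t, user, terminal, event))

    def login(self, t: int, user: str, terminal: str, password_ok: bool) -> bool:
        if user in self.locked:
            self._log(t, user, terminal, "LOGIN_REJECTED_LOCKED")
            return False
        if user in self.sessions:  # simultaneous login / second workstation prohibited
            self._log(t, user, terminal, "LOGIN_REJECTED_ALREADY_ACTIVE")
            return False
        if not password_ok:
            self.failed[user] = self.failed.get(user, 0) + 1
            self._log(t, user, terminal, "LOGIN_FAILED")
            if self.failed[user] >= MAX_FAILED_LOGINS:
                self.locked.add(user)
                self._log(t, user, terminal, "ACCOUNT_LOCKED")
            return False
        self.failed[user] = 0
        self.sessions[user] = Session(terminal, t)
        self._log(t, user, terminal, "LOGIN_OK")
        return True

    def activity(self, t: int, user: str) -> None:
        if user in self.sessions:
            self.sessions[user].last_activity = t

    def tick(self, t: int) -> None:
        """Called by the system clock: log off sessions idle for 5 minutes."""
        for user, s in list(self.sessions.items()):
            if t - s.last_activity >= IDLE_LOGOFF_SECONDS:
                self._log(t, user, s.terminal, "AUTO_LOGOFF_IDLE")
                del self.sessions[user]

    def disconnect(self, t: int, user: str) -> None:
        s = self.sessions.pop(user, None)
        if s is not None:
            self._log(t, user, s.terminal, "DISCONNECTED")


FOLLOW_UP = {"ACCOUNT_LOCKED", "LOGIN_REJECTED_ALREADY_ACTIVE", "DISCONNECTED"}


def daily_review(audit_trail: list) -> list:
    """The daily audit-trail review: lockouts, second-workstation attempts and
    every disconnection are pulled out for investigation."""
    return [entry for entry in audit_trail if entry[3] in FOLLOW_UP]


def run_demo() -> AccessMonitor:
    """One constructed shift; times are seconds since the shift started."""
    m = AccessMonitor()
    m.login(0, "clerk1", "T01", password_ok=True)
    m.login(10, "clerk1", "T02", password_ok=True)    # second workstation refused
    m.login(20, "clerk2", "T03", password_ok=False)
    m.login(30, "clerk2", "T03", password_ok=False)
    m.login(40, "clerk2", "T03", password_ok=False)   # third failure: locked
    m.login(50, "clerk2", "T03", password_ok=True)    # correct now, still refused
    m.activity(100, "clerk1")
    m.tick(399)                                        # 299 s idle: stays on
    m.tick(400)                                        # 300 s idle: logged off
    m.login(500, "clerk3", "T04", password_ok=True)
    m.disconnect(600, "clerk3")
    return m


if __name__ == "__main__":
    for entry in daily_review(run_demo().audit_trail):
        print("FOLLOW UP:", entry)
```

Note that a locked account stays locked even when the correct password is later supplied; reinstatement is a separate, authorised action, which is what keeps the three-attempt shutdown meaningful.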
4. Access controls
Programmed controls continue:
6. Password control:
• Password strength:
• Minimum 6 characters (minimum length);
• Alpha / numerical;
• CAPITAL LETTERS and small (lower-case) letters;
• Other characters - ! @ # *;
• Not easily guessed, not shown on screen;
• Changed regularly;
• Automatic system request;
• Re-use of password prohibited.
• Confidentiality emphasised;
• Cancelled on resignation / dismissal;
• Cancelled after period of inactivity;
• Use for authorisation;
• Limit access to part of system;
• Limit access to certain times of day;
• Authorisation levels linked.
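The password-strength rules on slide 36 can be expressed as a checker the system runs whenever a user chooses a new password. The following is an added example, not from the slides: the minimum length, the character classes and the special characters ! @ # * come from the slide, while the 90-day change interval, the history depth, the salted PBKDF2 storage and the short "easily guessed" word list are assumptions made here.

```python
"""Password controls from slide 36 as executable checks.

Added example, not from the slides. Values marked 'slide' come from the
slide; everything marked 'assumed' or 'constructed' is a choice made here.
"""
import hashlib
import os
from datetime import date, timedelta

MIN_LENGTH = 6                  # slide: minimum 6 characters
SPECIALS = set("!@#*")          # slide: "and other - ! @ # *"
MAX_AGE_DAYS = 90               # assumed interval for "changed regularly"
HISTORY_DEPTH = 5               # assumed: how many old passwords are blocked
COMMON = {"password", "welcome", "letmein", "qwerty"}  # constructed list


def strength_findings(password: str, user_id: str) -> list:
    """Return the rules the password breaks; an empty list means compliant."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        findings.append("must mix letters and digits")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        findings.append("must mix capital and small letters")
    if not any(c in SPECIALS for c in password):
        findings.append("must contain one of ! @ # *")
    lowered = password.lower()
    if user_id.lower() in lowered or any(word in lowered for word in COMMON):
        findings.append("easily guessed (contains user ID or common word)")
    return findings


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored history never contains the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordRecord:
    """What the system keeps per user: salt, current hash, history, change date."""

    def __init__(self, user_id: str, password: str, changed_on: date) -> None:
        self.user_id = user_id
        self.salt = os.urandom(16)
        self.history = []                 # hashes of previous passwords
        self.current = _hash(password, self.salt)
        self.changed_on = changed_on

    def was_used_before(self, candidate: str) -> bool:
        """Re-use prohibited: compare against the current and recent hashes."""
        h = _hash(candidate, self.salt)
        return h == self.current or h in self.history[-HISTORY_DEPTH:]

    def must_change(self, today: date) -> bool:
        """Automatic system request once the password is older than MAX_AGE_DAYS."""
        return today - self.changed_on > timedelta(days=MAX_AGE_DAYS)

    def change(self, new_password: str, today: date) -> list:
        """Apply the new password only if no rule is broken; return the findings."""
        problems = strength_findings(new_password, self.user_id)
        if self.was_used_before(new_password):
            problems.append("re-use of a previous password is prohibited")
        if not problems:
            self.history.append(self.current)
            self.current = _hash(new_password, self.salt)
            self.changed_on = today
        return problems


def demo_lifecycle() -> dict:
    """Walk one constructed user through re-use, expiry and change checks."""
    rec = PasswordRecord("jsmith", "Start#2024", date(2024, 1, 1))
    return {
        "reuse_refused": rec.change("Start#2024", date(2024, 2, 1)),
        "expired_in_april": rec.must_change(date(2024, 4, 15)),
        "fresh_in_march": rec.must_change(date(2024, 3, 1)),
        "changed": rec.change("Rand0m#x", date(2024, 4, 15)),
        "old_still_blocked": rec.was_used_before("Start#2024"),
        "expired_after_change": rec.must_change(date(2024, 5, 1)),
    }


if __name__ == "__main__":
    print(demo_lifecycle())
```

Returning the full list of broken rules, rather than the first one, lets the screen tell the user everything to fix at once without ever echoing the password itself (the slide's "not shown on screen").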
4. Access controls
7. Program libraries:
• Access to backup programs controlled by access software;
• Passwords;
• Updating authorised.
8. Utilities:
(These include antivirus, backup, disk repair, file management, security, and networking
programs)
• Stored separately;
• Use logged and reviewed.

5. Computer operating controls
Controls include:
Scheduling of processing;
Hardware functioning;
Set-up and execution of programmes;
Use correct programmes and data files;
Operating procedures.

5. Computer operating controls
Objective: Ensuring procedures applied correctly and consistently during processing.

Examples of these types of controls include, but are not limited to the following:
• There must be continuous monitoring and review of the functioning of the computer hardware;
• There must be standardised procedures and operating procedures for the users of the system
to follow;
• There must be adequate user manuals in place;
• Scheduling of processing.

5. Computer operating controls
Examples of controls continue:
• Set-up and execution of programs;
• Competent person to assist;
• Procedure manuals for staff;
• Test against processing log;
• Supervision and review;
• Use correct programs and data files.
• Operating procedures:
• Hardware checks;
• Operating instructions and manuals;
• Segregation of duties;
• Rotation of duties;
• Logs;
• Supervision and review.
• Recovery procedure:
• Emergency plan and instructions;
• Backup of data and hardware.
6. System software controls
Objective: To ensure installation, development, maintenance of software packages are authorised
and effective.
Examples of these types of control include:
In the processing by users on personal (micro) computers, there must be:
• Control over the software on the PC to ensure that it is not copied or pirated;
• Programs which are written internally should be documented and tested to ensure that the program has the integrity required by management.
• Acquisition and development controls;
• Security over system software:
• Integrity of staff;
• Division of duties;
• Employment policies;
• Supervision & review.
6. System software controls
Examples of controls continue:
• Database systems
• Access control;
• Documentation;
• Supervision and review.
• Networks
(A computer network is a collection of computers connected by communication links that allow the
network components to work together)
• Support department;
• Access controls;
• Disaster recovery plan.

6. System software controls
Examples of controls continue:
• Processing on microcomputers
(A small handheld computing device built around a single microprocessor, similar to a smartphone, is an example of a microcomputer.)
• Control of software;
• Programs written internally are tested and documented.
7. Business continuity controls
Controls include:

• General controls;
• Physical environment:
• Protection against the elements.

• Emergency plan and disaster recovery procedures:
• Establish procedures / responsibilities;
• Prepare a list of files and data to be recovered;
• Provide alternative processing facilities;
• Plan, document and test the disaster recovery plan.

• Backup;
• Other controls.

Explanation of the above to follow on the next slides.
7. Business continuity controls
Objective: Prevent/Limit system interruption (Downtime)
General controls:
• Data is backed up regularly and kept off-site in a fireproof safe;
• The entity has a UPS (uninterruptible power supply) to ensure that it can continue doing business in the event of a power failure;
• The entity's server room is air-conditioned to ensure that the servers do not overheat, which would result in the loss of vital data;
• Plan, document and test the disaster recovery plan to ensure that it will be effective in the event of a disaster.

Physical environment:
• Protection against the elements:
• Fire: extinguishers etc.;
• Water: away from water pipes;
• Power: backup supply;
• Environment: air-con etc.
7. Business continuity controls
Emergency plan & disaster recovery procedures:
• Establish procedures/Responsibilities;
• Prepare list of files & data to be recovered;
• Provide alternative processing facilities;
• Plan, document & test the disaster recovery plan.

Backups:
• Regular backups on rotational basis;
• On-line/ Real time backups;
• Store back-up files on separate premises;
• Hardware backup facilities;
• Store in fireproof safe;
• Retention of files / records for required times.

7. Business continuity controls
Other controls:
• Adequate insurance;
• No over reliance on staff;
• Virus protection / prevention;
• Physical security;
• Cable protection.

Personnel Controls:
• Segregation of duties;
• Job rotation;
• Hiring/firing procedures;
• Employment contracts;
• Use of hardware/software;
• Confidentiality.
Questions?
