Aud 5 Report Group 2

The document outlines the auditor's responsibilities regarding internal control over electronic data processing (EDP) systems, emphasizing the need for understanding and assessing control risks. It details various types of controls, including general, application, and specific controls related to input, processing, and output, along with the roles and segregation of duties within the EDP environment. Additionally, it highlights the importance of documentation, security measures, and contingency planning to ensure the integrity and reliability of EDP systems.

INTERNAL CONTROL IN THE COMPUTER INFORMATION SYSTEM
GROUP 2
Template from: https://slidesgo.com/theme/data-center-business-plan#search-Information+System&position-6&results-72&rs=search
AUDITOR'S RESPONSIBILITY
The auditor's responsibility with respect to internal control over an EDP system remains the same as with a manual system, that is, to obtain an understanding adequate:
- to aid in planning the remainder of the audit, and
- to assess control risk.
Yet factors such as the following may affect the study of internal control, in that a computer system may:
1. result in transaction trails that exist only for a short period of time or only in computer-readable form
2. include program errors that cause uniform mishandling of transactions, while clerical errors become less frequent
3. include computer controls that need to
4. involve increased difficulty in detecting unauthorized access
5. allow increased management supervisory potential resulting from more timely reports
6. include less documentation of the initiation and execution of transactions
7. include computer controls that affect the effectiveness of related manual control procedures that use computer output
INTERNAL CONTROL OVER EDP ACTIVITIES
General controls relate to all EDP applications and include such considerations as:
a. the organization of the EDP department
b. procedures for documenting, testing, and approving the original system and any subsequent changes
c. controls built into the hardware (equipment controls)
d. security for files and equipment.

Application controls relate to specific accounting tasks performed by EDP, such as the preparation of payrolls. Controls of this nature include measures designed to assure the reliability of output, controls over processing, and controls over output.
GENERAL CONTROLS
Five categories of general controls (as presented in the AICPA audit guide):
• Organization and operation controls
• System development and documentation controls
• Hardware and systems software controls
• Access controls
• Data and procedural controls
a. ORGANIZATIONAL AND OPERATION CONTROLS
1. Controls
• Segregate functions between the EDP department and user departments.
• Do not allow the EDP department to initiate or authorize transactions.
• Segregate functions within the EDP department.

2. Segregation of duties
- maintains an independent processing environment, thus meeting control objectives.
- key functions within EDP should be segregated to ensure maximum separation of duties.

Key functions are:
a. Systems analyst – responsible for analyzing the present user environment and requirements and for:
• recommending the specific changes which can be made
• recommending the purchase of a new system
• designing a new EDP system
b. Applications programmer – responsible for writing, testing, and debugging the application programs to the specifications provided by the systems analyst.
c. Systems programmer – responsible for implementing, modifying, and debugging the software necessary for making the hardware work.
d. Operator – responsible for the daily computer operations of both the hardware and the software.
e. Data librarian – responsible for the custody of removable media, i.e., magnetic tapes or disks, and for the maintenance of program and system documentation.
f. Quality assurance – a relatively new function established primarily to ensure that new systems under development and old systems being changed are adequately controlled, meet the user's qualifications, and follow department documentation standards.
g. Control group – liaison between users and the processing center.
h. Data security – responsible for maintaining the integrity of the on-line access control security software.
i. Database administrator – responsible for maintaining the database and restricting access to the database to authorized personnel.
j. Network technician – is fast becoming the most powerful position in an MIS organization. Using line monitoring equipment, they can see each keystroke made by any user. This group must have strict accountability controls.

All key functions should be segregated. Where a small number of employees makes some concentration of functions unavoidable, the two key functions that must still be segregated are the applications programmer and the operator.
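An added example (not part of the original slides) of how the two organizational controls above can be checked mechanically: a small segregation-of-duties checker that takes a roster of EDP staff and the key functions each holds, flags anyone holding two functions that must be separated, and flags any EDP staff member who also appears on the list of people permitted to initiate transactions. The role names are the key functions from the slides; the programmer/operator pair is the one conflict the slides name, while the other conflict pairs, the staff roster and the initiator list are constructed assumptions for illustration.

```python
"""Segregation-of-duties (SoD) check for an EDP department.

Added example, not from the original slides. Role names follow the key
functions listed on the slides; the conflict pairs (other than the
programmer/operator pair the slides name), the staff roster and the list of
transaction initiators are constructed for illustration.
"""
from itertools import combinations

# Key EDP functions from the slides.
ROLES = {
    "systems_analyst", "applications_programmer", "systems_programmer",
    "operator", "data_librarian", "quality_assurance", "control_group",
    "data_security", "database_administrator", "network_technician",
}

# Pairs of functions one person must never hold at the same time. The
# programmer/operator pair is the minimum separation the slides call for;
# the remaining pairs are assumptions illustrating the same principle
# (custody of data or media vs. the ability to change programs or run jobs).
CONFLICTS = {
    frozenset({"applications_programmer", "operator"}),
    frozenset({"systems_programmer", "operator"}),
    frozenset({"applications_programmer", "data_librarian"}),
    frozenset({"database_administrator", "applications_programmer"}),
    frozenset({"data_security", "operator"}),
}

def validate_roles(assignments):
    """Reject role names that are not one of the defined key functions."""
    unknown = {r for roles in assignments.values() for r in roles} - ROLES
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")

def sod_violations(assignments):
    """Return a sorted list of (person, role_a, role_b) for every conflicting
    pair of functions held by the same person."""
    validate_roles(assignments)
    found = []
    for person, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return sorted(found)

def initiates_transactions(assignments, transaction_initiators):
    """Slide control: EDP must not initiate or authorize transactions.
    Return EDP staff who are also permitted to initiate transactions."""
    return sorted(p for p in assignments if p in transaction_initiators)

# Constructed staff roster for a small installation.
STAFF = {
    "alice": {"systems_analyst", "quality_assurance"},
    "bob": {"applications_programmer", "operator"},      # the classic conflict
    "carol": {"data_librarian", "control_group"},
    "dave": {"systems_programmer"},
    "erin": {"database_administrator", "data_security"},
}
# Constructed list of people allowed to initiate transactions (carol is EDP staff).
INITIATORS = {"frank", "grace", "carol"}

if __name__ == "__main__":
    for person, a, b in sod_violations(STAFF):
        print(f"SoD violation: {person} holds both {a} and {b}")
    for person in initiates_transactions(STAFF, INITIATORS):
        print(f"EDP staff member {person} can initiate transactions")
```

Run against a real roster, the conflict table is the part that needs agreement from management and the auditor; the code only makes the stated policy checkable on every staffing change.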
b. SYSTEMS DEVELOPMENT AND DOCUMENTATION CONTROLS
1. Controls
a. User departments must participate in system design.
b. Each system must have written specifications which are reviewed and approved by management and by user departments.
c. Both users and EDP personnel must approve and test new systems.
d. Management, users, and EDP personnel must approve new systems before they are placed into operation.
e. All master and transaction file conversions should be controlled to prevent unauthorized changes and to verify the results on a 100% basis.
f. After a new system is operating, there should be proper approval of all program changes.
g. Proper documentation standards should exist to assure continuity of the system.

2. Within EDP, new systems are developed that either replace old systems or enhance present systems.
a. Design methodology – All new systems being developed should flow through a documented process that has specific control points where the overall direction of the system can be evaluated and changes, if needed, can be made.
b. Change control process – To effect a change on a system that is presently operating, a formal change process should exist that requires formal approval before any change is implemented.
c. HARDWARE AND SYSTEMS SOFTWARE CONTROLS
1. Controls
a. The auditor should be aware of control features inherent in the computer hardware, operating system, and other supporting software, and ensure that they are utilized to the maximum possible extent.
b. Systems software should be subjected to the same control procedures as those applied to the installation of and changes to application programs.

2. The reliability of EDP hardware has increased dramatically; this is partly due to the controls built into the mechanism to detect and prevent equipment failures. The following are examples of such controls:
a. Parity check – A special bit is added to each character stored in memory so that the hardware can detect if it loses a bit during the internal movement of a character, similar to a check digit.
b. Echo check – Primarily used in telecommunications transmission.
c. Diagnostic routines – Hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system.
d. Boundary protection – To ensure that simultaneous jobs cannot destroy or change the allocated memory of another job, the system contains boundary protection controls.
e. Periodic maintenance – The system should be examined periodically by a qualified service technician.
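An added example (not from the original slides) modelling the parity check described above: each character is stored with one extra bit chosen so the total number of 1 bits is even, and a memory scan recomputes the parity to find corrupted words. It also shows the limit an auditor should know about, that a single lost bit is detected but two bits lost in the same character cancel out and pass the check. All values are constructed.

```python
"""Even-parity check on stored characters.

Added example, not from the original slides: it models the parity bit the
slides describe, then shows the single-bit error it catches and the two-bit
error it cannot. All values are constructed.
"""

def parity_bit(byte):
    """Return the bit that makes the total number of 1 bits even."""
    return bin(byte & 0xFF).count("1") & 1

def store(byte):
    """Model writing a character to memory: data plus parity as a 9-bit word."""
    return (byte & 0xFF) << 1 | parity_bit(byte)

def check(word):
    """Return (data, ok). ok is False when the 9-bit word has odd parity,
    i.e. an odd number of its bits changed since it was stored."""
    data, p = word >> 1, word & 1
    return data, parity_bit(data) == p

def flip_bits(word, *positions):
    """Simulate hardware losing or altering bits at the given positions (0..8,
    where position 0 is the parity bit)."""
    for pos in positions:
        word ^= 1 << pos
    return word

def scan_memory(words):
    """Return the indices of words whose parity no longer checks out."""
    return [i for i, w in enumerate(words) if not check(w)[1]]

if __name__ == "__main__":
    words = [store(ord(c)) for c in "LEDGER"]
    words[1] = flip_bits(words[1], 3)        # single-bit error: detected
    words[4] = flip_bits(words[4], 2, 6)     # double-bit error: passes unnoticed
    print("words failing parity:", scan_memory(words))   # [1]
```

The undetected double flip is why parity is classed as an error-detection control for single-bit faults only; memory that must survive multi-bit faults needs a stronger code than one parity bit per character.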
d. ACCESS CONTROLS
1. Controls
a. Access to program documentation should be limited to those persons who require it in the performance of their duties.
b. Access to data files and programs should be limited to those individuals authorized to process data.
c. Access to computer hardware should be limited to authorized individuals such as computer operators and their supervisors.

2. Access to the EDP environment is effected both physically and electronically.
a. Physical access controls
1. Limited physical access – The physical facility that houses EDP equipment, files, and documentation should have controls to limit access only to authorized individuals.
2. Visitor entry logs – Any individual entering a secure area must be either pre-approved by management and wearing an ID badge, or authorized by an appropriate individual, recorded in a visitor's log, and escorted while in the secure area.
b. Electronic access controls
1. Access control software – The most used electronic access control is a combination of a unique identification code and a confidential password. It can:
- limit access to the entire system
- limit what the individual can look at once he/she is inside the system.
2. Call back – a specialized form of user identification that is used in highly sensitive systems. Either:
- an individual manually looks up the authorized telephone number for the individual, or
- the system automatically looks up the authorized telephone number of that individual, calls back the individual, and reestablishes communication.
3. Encryption boards – new devices that are installed in the back of a microcomputer, or stand-alone devices for larger systems.
e. DATA AND PROCEDURAL CONTROLS
1. Controls
a. A control group should:
1. Receive all data to be processed.
2. Ensure that all data are recorded.
3. Follow up on errors during processing, and determine that transactions are corrected and resubmitted by the proper user personnel.
4. Verify the proper distribution of output.
b. A written manual of systems and procedures should be prepared for all computer operations and should provide for management's general or specific authorization to process transactions.
c. Internal auditors should review and evaluate proposed systems at critical stages of development, and review and test computer processing activities.

2. To prevent unnecessary stoppages or errors in processing, the following specific controls should be implemented:
a. Operations run manual – The operations manual specifies, in detail, the "how to's" for each application to enable the computer operator to respond to any errors that may occur.
b. Backup and recovery – To ensure the preservation of historical records and the ability to recover from an unexpected error, files created within EDP are backed up in a systematic manner.
c. Contingency processing – Detailed contingency processing plans should be developed to prepare for natural disasters, man-made disasters, or general hardware failures that disable the data center.
d. Processing control – Processing controls should be monitored by the control group to ensure that processing is completed in a timely manner, all hardware errors have been corrected, and output has been properly distributed.
e. File protection ring – A file protection ring is a processing control to ensure that an operator does not write on a magnetic tape that actually holds critical information.
f. Internal and external labels – External labels are paper labels attached to a reel of tape or other storage medium which identify the file. Internal labels perform the same function through the use of machine-readable identification on the first record of a file.

The auditor should determine that these controls are either present or that management has accepted the related risks, and that all exceptions are scrutinized.
APPLICATION CONTROLS
Application controls are controls that relate to a specific application instead of multiple applications.

Each accounting application that is processed in an EDP system is controlled during three steps within EDP: input, processing, and output.
a. INPUT CONTROLS
1. Controls
a. Input data should be properly authorized and approved.
b. The system should verify all significant data fields used to record information.
c. Conversion of data into machine-readable form should be controlled and verified for accuracy.
d. Movement of data between processing steps and departments should be controlled.
e. The correction of errors and resubmission of corrected transactions should be reviewed and controlled.

2. To ensure the integrity of the conversion of human-readable data into a computer-readable format, there are many common controls that can be used.
a. Printed form – information is pre-assigned a place and format on the input form used.
b. Check digit – an extra digit is added to an identification number.
c. Control, batch, or proof total – a total of one numerical field for all the records of a batch that normally would be added.
d. Hash total – a total of one field for all the records of a batch where the total is a meaningless total for financial purposes.
e. Record count – a control total used for accountability to ensure all the records received are processed.
f. Reasonableness and limit tests – these tests determine if amounts are too high, too low, or unreasonable.
g. Menu driven output – if input is being entered into a CRT, then the operator should be greeted
h. Field checks – checks that make certain only numbers, alphabetical characters, special characters, and proper positive and negative signs are accepted into the specific data fields where they are required.
i. Validity check – a check which allows only "valid" transactions or data to be entered into the system.
j. Missing data check – if blanks exist in input data where they should not, an error message would result.
k. Field size check – if an exact number of characters is to be input, an error message would result when fewer or more are input; for a six-character field, for example, < 6 or > 6 characters.
l. Logic check – ensures that illogical
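An added example (not from the original slides) that applies the input controls listed above to a constructed batch of four records: the batch header's record count, control total and hash total are reconciled first, then each record gets a check digit test, field check, field size check, validity check, missing data check, limit test and a logic check. The record layout, the mod-10 (Luhn) check digit scheme used for the account number, the six-character account width, the transaction codes, the limit and the logic rule (a cash sale may not be posted as a credit) are all assumptions made for the example.

```python
"""Input controls applied to a constructed transaction batch.

Added example, not from the original slides. The record layout, the mod-10
(Luhn) check digit scheme, the six-character account width, the valid codes,
the limit and the logic rule are assumptions; the batch is constructed.
"""
from decimal import Decimal, InvalidOperation

VALID_TX_CODES = {"DR", "CR"}          # validity check: allowed codes
AMOUNT_LIMIT = Decimal("5000.00")      # limit test: single-item ceiling
ACCOUNT_LEN = 6                        # field size check: exact width

# Constructed batch. Account numbers carry a trailing mod-10 check digit.
BATCH = [
    {"account": "102343", "tx_code": "DR", "amount": "1000.00", "source": "invoice"},
    {"account": "555003", "tx_code": "CR", "amount": "500.00", "source": "cash_sale"},
    {"account": "102345", "tx_code": "XX", "amount": "125.00"},   # bad check digit, bad code
    {"account": "7A123", "tx_code": "DR", "amount": "6000.00"},   # miskeyed account, over limit
]
# Constructed header as prepared by the user department from the source
# documents. The hash total assumes the fourth account was 701234 on paper,
# so the miskeyed "7A123" shows up as a hash total mismatch.
BATCH_HEADER = {"record_count": 4, "control_total": Decimal("7625.00"),
                "hash_total": 1460925}

def luhn_check_digit(digits):
    """Mod-10 check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:                 # double every other digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number):
    return number[-1:] == luhn_check_digit(number[:-1])

def parse_amount(text):
    try:
        return Decimal(text)
    except (InvalidOperation, TypeError, ValueError):
        return None

def check_record(rec):
    """Field-level input controls for one record; returns a list of error codes."""
    errors = []
    acct, code, amount = rec.get("account", ""), rec.get("tx_code", ""), rec.get("amount", "")
    if not acct or not code or not amount:
        errors.append("MISSING_DATA")
    if len(acct) != ACCOUNT_LEN:
        errors.append("FIELD_SIZE")
    if not acct.isdigit():
        errors.append("FIELD_CHECK")          # only digits allowed in the account field
    elif len(acct) == ACCOUNT_LEN and not luhn_valid(acct):
        errors.append("CHECK_DIGIT")
    if code not in VALID_TX_CODES:
        errors.append("VALIDITY")
    amt = parse_amount(amount)
    if amt is None:
        errors.append("FIELD_CHECK")
    elif amt <= 0 or amt > AMOUNT_LIMIT:
        errors.append("LIMIT")
    if code == "CR" and rec.get("source") == "cash_sale":
        errors.append("LOGIC")                # assumed rule: cash sale is never a credit
    return errors

def check_batch(records, header):
    """Batch-level controls (record count, control total, hash total) followed
    by the field-level checks. Returns a report dict."""
    report = {"batch_errors": [], "record_errors": {}}
    if len(records) != header["record_count"]:
        report["batch_errors"].append("RECORD_COUNT")
    amounts = [parse_amount(r.get("amount")) for r in records]
    if sum(a for a in amounts if a is not None) != header["control_total"]:
        report["batch_errors"].append("CONTROL_TOTAL")
    hash_total = sum(int(r["account"]) for r in records if r.get("account", "").isdigit())
    if hash_total != header["hash_total"]:
        report["batch_errors"].append("HASH_TOTAL")
    for i, rec in enumerate(records):
        errs = check_record(rec)
        if errs:
            report["record_errors"][i] = errs
    report["accepted"] = not report["batch_errors"] and not report["record_errors"]
    return report

if __name__ == "__main__":
    print(check_batch(BATCH, BATCH_HEADER))
```

Note how the controls overlap: the control total reconciles even though one record is over the limit, and the miskeyed account is caught twice, once by the field check on the record and once by the hash total on the batch. That redundancy is deliberate; a batch is accepted only when both levels are clean.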


b. PROCESSING CONTROLS
1. Controls
a. Control totals should be produced and reconciled with input control totals (proof of batch totals).
b. Controls should prevent processing the wrong file and detect errors in file manipulation (label checks).
c. Limit and reasonableness checks should be incorporated into programs to prevent illogical results such as reducing inventory to a negative value.
d. Run-to-run totals should be verified at appropriate points in the processing cycle. This ensures that records are not added or lost during the processing runs.

2. Inputs are processed through multiple steps; that is why processing controls are essential to ensure the integrity of the data through all of the processing steps. Examples of processing controls that are established during the input step and are revised or checked during processing include record counts, hash totals, and control totals.

Two additional controls that should be established are:
a. Checkpoint/restart capability – allows the operator to restart the application at the last checkpoint passed as opposed to restarting the entire application.
b. Error resolution procedure – Individual transactions may be rejected during processing as a result of the error detection controls in place. There should be complementary controls that ensure those records are corrected and reentered into the system.
c. OUTPUT CONTROLS
1. Controls – a visual review of the output should be done by the user or an independent control group:
a. Output control totals should be reconciled with input and processing control totals.
b. Output should be scanned and tested by comparison to original source documents.
c. System output should be distributed only to authorized users.

2. Prior to the release of output to the user, there should be appropriate controls in place to ensure that processing was accomplished according to specifications. The following controls are frequently used to maintain the integrity of processing:
a. Control total – allows the operator to verify that processing was completed properly and to notify the user if the totals do not agree.
b. Limiting the quantity of output and total processing time – Time restraints and output page generation constraints are often automated within the job being run to ensure that, if processing is being done in error, the job will not utilize resources needlessly.
c. Error message resolution – following each job the system provides technical codes indicating the perceived success of the job run. The operator should be trained to recognize these codes and take the appropriate actions detailed in the operations run manual.
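An added example (not from the original slides) covering the processing controls and the output controls above together: the control totals established at input (record count, control total, hash total of the account field) are carried through an edit run and a posting run and reconciled after each run, then reconciled once more against the final output; the file is opened only after its internal label (first record) matches what the job expects; and the posting run takes a checkpoint after every chunk so that a simulated abend is resumed at the last checkpoint without reprocessing records. A deliberately defective edit run that silently drops a record shows what the run-to-run totals catch. The file layout, the checkpoint mechanism, the limit and the sample batch are constructed assumptions.

```python
"""Run-to-run totals, internal label check and checkpoint/restart.

Added example, not from the original slides. The file layout (internal label
as the first record), the checkpoint mechanism, the limit and the sample
batch are constructed assumptions.
"""
from decimal import Decimal

LIMIT = Decimal("5000")   # assumed single-item ceiling used by the edit run

# Constructed tape: the first record is the internal label.
TAPE = [
    {"file": "AR_TRANS", "generation": 42},
    {"account": 102343, "amount": Decimal("1000.00")},
    {"account": 555003, "amount": Decimal("500.00")},
    {"account": 778811, "amount": Decimal("6000.00")},   # over the limit
    {"account": 102343, "amount": Decimal("125.00")},
    {"account": 300007, "amount": Decimal("75.50")},
]

def totals(records):
    """(record count, control total, hash total) for a set of records."""
    return (len(records),
            sum((r["amount"] for r in records), Decimal("0")),
            sum(r["account"] for r in records))

def open_file(tape, expected_name, expected_generation):
    """Label check: refuse a file whose internal label does not match what the
    job expects; otherwise return the data records without the label."""
    label = tape[0]
    if (label.get("file"), label.get("generation")) != (expected_name, expected_generation):
        raise ValueError(f"wrong file mounted: {label}")
    return tape[1:]

def run_to_run_errors(step, before, after):
    """Names of the totals that changed across a run (empty means they agree)."""
    names = ("RECORD_COUNT", "CONTROL_TOTAL", "HASH_TOTAL")
    return [f"{step}:{n}" for n, b, a in zip(names, before, after) if b != a]

def edit_run(records):
    """Edit run: flag over-limit items for follow-up without dropping them."""
    return [dict(r, flagged=r["amount"] > LIMIT) for r in records]

def lossy_edit_run(records):
    """Constructed defective edit run that silently drops flagged items; the
    run-to-run totals are what catches it."""
    return [r for r in edit_run(records) if not r["flagged"]]

class PostingRun:
    """Posting run with checkpoint/restart. A checkpoint (index of the next
    unprocessed record) is taken after each chunk, so an abend is resumed at
    the last checkpoint instead of reprocessing the whole file."""
    def __init__(self, records, chunk_size=2, fail_at=None):
        self.records, self.chunk_size, self.fail_at = records, chunk_size, fail_at
        self.checkpoint, self.output, self.handled = 0, [], 0

    def run(self):
        while self.checkpoint < len(self.records):
            if self.fail_at is not None and self.checkpoint >= self.fail_at:
                self.fail_at = None                      # simulated one-off abend
                raise RuntimeError(f"abend before record {self.checkpoint}")
            chunk = self.records[self.checkpoint:self.checkpoint + self.chunk_size]
            self.output.extend(dict(r, posted=True) for r in chunk)
            self.handled += len(chunk)
            self.checkpoint += len(chunk)                # checkpoint taken here
        return self.output

def process_batch(tape, file_name="AR_TRANS", generation=42, edit=edit_run, fail_at=None):
    """Input -> edit run -> posting run -> output, reconciling totals at each
    step. Returns (output records, control errors, restarts, records handled
    by the posting run)."""
    records = open_file(tape, file_name, generation)
    input_totals = totals(records)
    edited = edit(records)
    errors = run_to_run_errors("EDIT", input_totals, totals(edited))
    job, restarts = PostingRun(edited, fail_at=fail_at), 0
    while True:
        try:
            posted = job.run()
            break
        except RuntimeError:
            restarts += 1          # operator restarts the job at the last checkpoint
    errors += run_to_run_errors("POST", totals(edited), totals(posted))
    # Output control: the final output totals must agree with the input totals.
    errors += run_to_run_errors("OUTPUT", input_totals, totals(posted))
    return posted, errors, restarts, job.handled

if __name__ == "__main__":
    print(process_batch(TAPE, fail_at=3)[1:])              # ([], 1, 5)
    print(process_batch(TAPE, edit=lossy_edit_run)[1])     # six mismatches
```

The checkpoint is taken only after a whole chunk is written, which is what makes the restart safe: the abend in the example occurs between chunks, the five records are handled exactly once, and the output totals still reconcile with the input totals. The lossy run fails the reconciliation at the edit step and again at the output step, which is the point of checking at every run rather than only at the end.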
THANK YOU!