Internal Controls in A CIS Environment
Internal controls over computer processing include both manual procedures and
procedures built into the computer programs. These controls can be divided into:
a) General controls
b) Application controls
General controls
These are controls that relate to the environment within which computer-based
accounting systems are developed, maintained and operated, and are aimed at
providing reasonable assurance that the overall objectives of internal controls
are achieved. These controls could either be manual or programmed.
Program Changes
Similar requirements apply to changes as well as to new systems, although the level
of testing and authorisation will vary with the magnitude of the changes. It is
particularly important that the documentation be brought up to date. A common
cause of control breakdown is the unsuspecting reliance of new staff on out-of-date
documents.
Documentation Procedures
Adequate documentation is important to both the auditor and management.
For management documentation provides a basis for:
Parallel running
Before switching to the new system, the whole system should be tested by running
it in parallel with the existing system. Parallel running refers to running the new
and old systems alongside each other for a specified period of time, say a month.
This is important because:
a) It provides the users with the opportunity to familiarise themselves with the new
system while still having the old system available to compare.
b) It provides an opportunity for the programmers to sort out any problems with
the new system.
b. Organisational controls
These relate to: -
a. Segregation of functions.
b. Policies and procedures relating to control functions.
Segregation of functions
The principal segregation in a centralised system is between the user and computer
departments. Those who process the data should have no responsibilities for
initiating or altering the data. The following segregations are important:
c. Access control
Computer systems are often dependent on accuracy and validity of data held on file.
Access controls to the computer hardware, software and data files are therefore
vital. Access controls are both physical and programmed. Physical controls apply
to both hardware and data files stored in form of magnetic disks or diskettes.
Example of access controls.
d. Other controls
They include controls over:
i. Unauthorised use of computers.
ii. Back-up facilities in the event of breakdown. There should be adequate back
up procedures e.g. maintaining duplicate programs and information at
different locations, protection against natural disasters such as situating
computer rooms in rooms protected against floods. There should be maximum
possible physical security where computers are installed. Important files
should always be stored in duplicate. Standby procedures should be put in
place in the event of computer breakdown.
iii. File retention procedures e.g. retaining copies of essential data on separate.
● Input controls.
● Processing controls.
● Output controls.
● Controls over master files and standing data.
Input controls
Most errors in computer accounting systems can be traced to faulty input. Controls
over the completeness and validity of all input are therefore vital. Some controls
affect both completeness and validity and therefore will be considered separately.
These include controls over data conversion, controls over rejections and the
correction and the reprocessing of the rejections, batch controls and computer edit
controls.
Completeness
These controls ensure that all transactions are recorded, for example that all
sales are recorded in the cash register or that all purchase invoices are posted to
the accounting records. They are particularly important over the recording of
revenue and receipt of assets.
Validity
Controls over validity ensure that only actual transactions that have been properly
authorised are recorded. These controls are most important over the recording of
liabilities such as wages, creditors etc. As in a manual system, control is
established by the written authorisation on input documents, such as the
departmental manager's signature on employees' time cards. It is important that
there is adequate separation of duties, such that those who initiate a transaction
or who have access to cash, cheques or goods as a result of the transaction being
entered should not have the responsibility for entering the transaction. As with
completeness, the computer can be programmed to assist in this control, in which
case some of the requirements above can be relaxed. For example, the computer can
initiate purchases when stock levels reach a pre-determined re-order level. It can
then validate the payment by matching the invoice with the order and
goods-inward notes.
Access controls as discussed earlier play an important role in validity in that the
computer is programmed to accept input only from authorised users. The
computer can also be programmed to verify authority limits as well.
Data Conversion
There must be controls to ensure that all data on source documents is properly
entered into the computer. In the early days, when entry was by punched card,
each card was verified as punched by a second machine operator. But now that
most data is entered using a keyboard or a terminal other controls are more
common.
The most common input controls are edit controls. Examples of edit controls
include:
| Type of edit control | Description of control | Objective |
|---|---|---|
| Missing field check | Checks that all essential data fields are present and are of the right length | Ensures accuracy of the processed data. Transactions cannot be properly processed if necessary data is missing |
| Valid character check | Checks that data fields appear to be of the right type e.g. all alphabetic, all numerical or mixed. | Ensures correctness of input data |
| Limit/reasonableness checks | Checks that data falls within predetermined reasonability limits e.g. hours worked do not exceed a certain limit, maybe 8 hours a day. | Ensures accuracy and validity of input data |
| Master file checks | Checks that all codes match those on master files e.g. employee's number matches an employee number on the personnel file. | Ensures that data is processed against the correct master file. |
| Check digit | Applies an arithmetic operation to the code number and compares the result to the check digit | To ensure accuracy of data by checking keystroke errors. |
| Document count | Agrees the number of input records in a batch with the total on the batch control form | Ensures that all documents are input |
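The edit controls in the table above, applied to one batch of timesheet records, as an added example that is not part of the original text. The field names, the five-digit employee number and the weighted modulus-11 check digit are assumptions chosen for illustration; the sample batch is constructed.

```python
import re

# Constructed sample data: personnel master file and limits (assumed values).
MASTER_EMPLOYEES = {"10006", "20036", "30058"}  # last digit is the check digit
REQUIRED = ("employee_no", "name", "hours")
MAX_HOURS_PER_DAY = 8  # the limit quoted in the table

def check_digit_ok(code: str) -> bool:
    """Assumed scheme: weighted modulus 11 over the digits before the last."""
    body, check = code[:-1], code[-1]
    total = sum(int(d) * w for d, w in zip(body, range(len(body) + 1, 1, -1)))
    expected = (11 - total % 11) % 11
    return expected != 10 and str(expected) == check

def edit_record(rec: dict) -> list[str]:
    """Return the names of the edit controls this record fails."""
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:
        return ["missing field: " + ",".join(missing)]
    errors = []
    if not re.fullmatch(r"\d{5}", rec["employee_no"]):
        errors.append("valid character: employee_no")
    elif not check_digit_ok(rec["employee_no"]):
        errors.append("check digit")
    elif rec["employee_no"] not in MASTER_EMPLOYEES:
        errors.append("master file")
    if not re.fullmatch(r"[A-Za-z .'-]+", rec["name"]):
        errors.append("valid character: name")
    if not re.fullmatch(r"\d+(\.\d+)?", rec["hours"]):
        errors.append("valid character: hours")
    elif float(rec["hours"]) > MAX_HOURS_PER_DAY:
        errors.append("limit: hours")
    return errors

def edit_batch(records, control_count):
    """Document count against the batch control form, then edit every record."""
    rejects = {i: e for i, r in enumerate(records, 1) if (e := edit_record(r))}
    return {"count_agrees": len(records) == control_count, "rejects": rejects}

BATCH = [  # constructed input
    {"employee_no": "10006", "name": "A. Mwangi", "hours": "8"},
    {"employee_no": "10060", "name": "B. Otieno", "hours": "7.5"},  # transposed digits
    {"employee_no": "20036", "name": "C. Njeri", "hours": "18"},    # over the limit
    {"employee_no": "40010", "name": "D. Kamau", "hours": "6"},     # not on master file
    {"employee_no": "30058", "name": "", "hours": "8"},             # name missing
]
RESULT = edit_batch(BATCH, control_count=6)  # control form records 6 documents
```

The rejected records would go to an error listing for correction and reprocessing, and the document count disagreement means the whole batch is held until the missing document is traced.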
Processing controls
Processing controls ensure that transactions are:
● Processed by the right programs.
● Processed to the right master files.
● Not lost, duplicated or otherwise improperly altered during processing.
● Processing errors are identified and corrected.
Processing controls include:
● Program file identification procedures, which enquire whether the right master
files are in use.
● Physical file identification procedures in the form of labels physically attached
to files or diskettes to ensure that the right files are in use.
● Control totals which are progressively expanded as the data is processed, for
example the hash total of quantities shipped can be expanded to a gross sales
total as items are priced and to a net sales total as customer discounts are
determined. These totals should be carried forward with the transaction data as
run-to-run totals.
● Limit and reasonableness tests applied to data arising as a result of processing.
● Sequence tests over pre-numbered documents.
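Run-to-run control totals and a sequence test over pre-numbered documents, as an added example that is not part of the original text. It follows the shipping illustration above (quantity total, expanded to gross sales, then to net sales); the record layout, function names and figures are constructed for illustration.

```python
from decimal import Decimal

# Constructed shipment file: pre-numbered document, quantity, unit price, discount rate.
SHIPMENTS = [
    {"doc_no": 1001, "qty": 10, "price": Decimal("2.50"), "discount": Decimal("0.10")},
    {"doc_no": 1002, "qty": 4, "price": Decimal("10.00"), "discount": Decimal("0")},
    {"doc_no": 1003, "qty": 6, "price": Decimal("5.00"), "discount": Decimal("0.05")},
]

def pricing_run(txns):
    """Run 1: price each item; carry forward the quantity and gross sales totals."""
    out = [dict(t, gross=t["qty"] * t["price"]) for t in txns]
    totals = {"qty": sum(t["qty"] for t in out), "gross": sum(t["gross"] for t in out)}
    return out, totals

def discount_run(txns, carried):
    """Run 2: re-foot the file received, agree it to run 1's totals, extend to net."""
    received = {"qty": sum(t["qty"] for t in txns),
                "gross": sum(t["gross"] for t in txns)}
    if received != carried:
        # A record was lost, duplicated or altered between the two runs.
        raise ValueError(f"run-to-run totals disagree: {received} vs {carried}")
    out = [dict(t, net=t["gross"] * (1 - t["discount"])) for t in txns]
    return out, dict(carried, net=sum(t["net"] for t in out))

def sequence_test(txns):
    """Report missing and duplicated pre-numbered document numbers."""
    nums = sorted(t["doc_no"] for t in txns)
    missing = sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))
    dupes = sorted({n for n in nums if nums.count(n) > 1})
    return missing, dupes

PRICED, RUN1 = pricing_run(SHIPMENTS)
_, RUN2 = discount_run(PRICED, RUN1)   # totals now carry qty, gross and net
```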
c) Output controls
These are necessary to ensure that:
● Output is received from input.
● Results of processing are accurate
● Output is distributed to appropriate personnel.
● Read magnetic files and to extract specified information from the files.
● To carry out audit work on the contents of the file.
These programs are sometimes known as Inquiry or Integration programs.
Timing of audit visits: More frequent visits may be required because there
may be changes in systems and programs, printouts are often shredded and
magnetic files overwritten. Frequent changes occur in filing order and the
audit trail has to be followed while it still exists.
Systems review: This follows the normal way of using a questionnaire but is
more difficult because CIS systems are more complex, technical language is
used, too much documentation is available, many controls are program
controls meaning that their evaluation may require detailed study of programs
which are written in high level languages or in machine code, and frequent
changes are made to systems and programs.
Audit tests: These will have to differ from those used in manual systems to
reflect the new records being examined.
(a) Copies of all the forms which source documents might take, and details
of the checks that have been carried out to ensure their accuracy.
(b) Details of physical control over source documents, as well as of the
nature of any control totals of numbers, quantities or values, including
the names of the persons keeping these controls.
(c) Full description of how the source documents are to be converted into
input media, and the checking and control procedures.
(d) A detailed account of the clerical, procedural and systems development
controls contained in the system (e.g. separation of programmers from
operators; separation of control of assets from records relating thereto).
(e) The arrangements for retaining source documents and input media for
suitable periods. This is of great importance, as they may be required for
reconstructing stored files in the event of error or mishap.
(f) A detailed flow diagram of what takes place during each routine
processing run.
(g) Details of all tapes and discs in use, including their layout,
labelling, storage and retention arrangements.
(h) Copies of all the forms which output documents might take, and
details of their subsequent sorting and checking.
— The auditor's own comments on the effectiveness of the controls.
However, problems arise when it is discovered that management can use the
computer more efficiently in running the business. This is usually done by the
production of exception reports rather than the full records. For example, the
management is interested in a list of delinquent debtors, therefore producing the
whole list of debtors means the list has to be analyzed again to identify delinquent
debtors and act upon them. This is inefficient and time consuming as the printer is
the slowest piece of equipment in any computerised system. From the auditor's
view, exception reports, which provide him with the very material he requires for
his verification work, raise a serious problem because he cannot simply assume that
the programs which produce the exception reports are:
i. Doing so accurately;
ii. Printing all the exceptions which exist;
iii. Authorised programs, as opposed to dummy programs specially created for
a fraudulent purpose or out-of-date programs accidentally taken from the
library; and
iv. Programs containing control parameters which do in fact meet the
company's genuine internal control requirements.
Test data
These are designed to test the performance of the client's programs. The auditor
takes either dummy data, i.e. data he has created himself, or live data, i.e. the
client's data that was due for processing, and manually works out the expected
output using the logic and steps of the program. This data is then run on the
computer using the program and the results are compared. A satisfactory outcome
gives the auditor a degree of assurance that if that program is used continuously
throughout the year, then it will perform as required. The test data technique
therefore falls under compliance testing work/tests of controls.
i. If the data is included with normal data, separate test data totals cannot be
obtained. This can sometimes be resolved by the use of dummy branches or
separate codes to report the program's effects on the test data.
ii. Side effects can occur. It has been known for an auditor's dummy product to
be included in a catalogue.
iii. Client's files and totals are corrupted although this is unlikely to be material.
iv. If the auditor is testing procedures such as debt follow up, then the testing has
to be over a fairly long period of time. This can be difficult to organise.
Disadvantages:
1. Can be expensive to set up or acquire.
2. Some technical knowledge is required.
3. A variety of programming languages is used in business. Standard computer
audit programs may not be compatible.
4. Detailed knowledge of systems and programs is required. Some auditors would
dispute the need for this detailed knowledge to be gained.
5. Difficulty in obtaining computer time especially for testing.
Use of audit software raises the visibility of the auditor in the eyes of the company.
It makes the audit more credible. Deficiencies in the system are often discovered
and can be reported to management. This also makes the audit more credible.
Packages are not, however, usually available for small machines.
What differentiates an on-line system from a real-time system is that the on-
line system has a buffer store where input data is held by the central processor
before accessing the master files. This enables the input from the remote
terminals to be checked by a special scanning program before processing
commences. With real-time systems, however, action at the terminal causes an
immediate response in the central processing where the terminal is online.
Security against unauthorised access and input is even more important in real-
time systems because the effect of the input is that it instantaneously updates
the file held in the central processor and any edit checks on the input are
likely to be under the control of the terminal operators themselves. In view of
these control problems, most real-time systems incorporate additional controls
over the scrutiny of the master file for example, logging the contents of the
file before look and after look.