7.6b. Network and data center operation controls
Automatic rollback
Address the availability of information
processing facilities when needed.
Data Centers – an artifact of central site
management of large mainframe systems.
[Mainframe- A mainframe is a large, powerful
computer used for high-speed data processing
and critical applications1234. It can connect to
multiple users and devices simultaneously and
handle large amounts of data transactions]
Systems migrating to “client-server” and
distributed processing
Data center operation controls are also
appropriate for network operation
[Client-server - A server accepts the client’s
requests, processes them and provides the
required response.
- is a communication model that enables the
distribution of tasks within a network.]
Network and data service center operation
controls need to be implemented:
 Backup controls – All files should be backed up
routinely and the backup copies should be stored in a
secure, off-site location and tested regularly for
readability.
- It is necessary to backup program files only
one time – done aft the programs installed
and all custom work completed. Data files
should be backed up frequently. –Transaction
files - atleast once a day. Master files – once
per posting period. Files w/ real-time posting
– more often than once a day
 Downtime Controls
The repair of computer hardware may take several
days and, occasionally, several weeks. Therefore, to
reduce the amount of downtime, maintenance
schedules should be established for all computer
hardware.
 Recovery controls
deal with prompt recovery of equipment failure and
natural disasters that could put the information
processing facilities out of operation for an extended
period.
a.
This feature manages to backed out the
incomplete transactions, so the database is
returned to the state it was in before the
transaction began.
running program prematurely terminates - biglaang
namatay
b. Uninterruptible Power Supply
Uses batteries - to continue process during a
power outage.
Will supply long enough for files to be properly
closed and for users to log off
c. Alternative Processing Facility
Use during main channel downtime
d. Disaster Recovery Plan
documents detailed recovery procedures to
quickly and smoothly restore an organization's
processing capabilities after a catastrophic event.
to reduce "business risk"
7.6c. System software acquisition, implementation,
and maintenance controls
System software includes:
 Database management systems
 Communication software
 Operating system
 Utility programs
 Security software
These control activities also regulate:
 Logging
 Tracking
 Monitoring activities of the information system
7.6d. Application software section, implementation,
and maintenance controls
Control activities also should address the application
software selection, implementation, and maintenance of
application software.
Specifications for new applications should be drawn up
jointly by users and IT personnel
Application software such as: Accounting systems
 New applications and modifications to applications
should be properly:
 Authorized
 Tested
 Approved
 Documented
 Implementation of new software:
Representatives of user departments (Accounting and
Internal Auditing) should be involved in selection of new
application software
External Auditors should be consulted - to ensure the
auditability of the system
7.7 INFORMATION PROCESSING – APPLICATION
CONTROLS
Information processing general controls relate to the
reliability and consistency of the overall information
processing environment, application controls apply to the
flow.
Application controls can be separated into:
1. Input
2. Processing
3. Output
4. Master File
7.7a. Input Controls
refer to the authorization, entry, and verification of
data entering the system. Most of the errors in an
accounting system occur at the data-entry point.
 Data and Transaction Authorization Controls
Authorization is granted by the upper management
through general authorizations - cover a whole class
of transactions
specific authorizations - applies to a single
transaction and is granted on a case-by-case basis
 Input Screen Controls
Keyboard entry of data should be made through
computer screen forms that are supported with
controls
 Input Verification Controls
As data are entered in a screen form, they are verified
for correctness in numerous ways.
Some commonly used checks are:
- Valid codes
- Reasonableness of amounts
- Valid data type
- Valid field length
- Logical relationships
- Anticipated contents
- Valid date
 Correction of Data-Entry Errors
Error correction follows error detection. It may be
possible to rekey a transaction to correct it. Correcting
or reversing entries must be made.
7.7b. Processing Controls
Refer to accurate and complete processing of transactions
and other events.
These controls include:
 Written Procedures
All computerized accounting systems include some
manual procedure. They can serve as guide for
employees and ensure consistency of operations.
 Prenumbered Documents
Provides a means to ensure hat all authorized
transactions and other events are processed once and
only once.
 Batch Controls
Provide assurance that as a batch progresses through
the various processing stages it contains the same set
of records – no records have been lost or added.
o Record Count – can be made at different
points and remains the same. Helps guard
against the accidental loss of records.
o Control Total – the sum of amount in the
transaction records. This total is compared
with the change in the cash balance at the
terminal.
o Hash Total – is formed from data elements,
such as customer numbers. This has no
economic, accounting, or arithmetic
significance nevertheless is should remain the
same throughout processing.
 Visual Checking  Parallel simulation
Visual checking of reports and documents for  Integrated test facility (ITF)
reasonableness can detect errors in processing.  Embedded audit module
 Comparisons
Comparison of amounts can detect errors in
processing. The prices charged for individual items on 7.9 IT GOVERNANCE
sales order should be compared with the selling
prices for the items in the inventory master file.
7.9a. Expectations
7.7c. Output controls
Relate to providing output to the appropriate people 7.9b. Responsible Handling of transactions, events,
and using the output appropriately. and decision making

 Disclosure
7.7d. Master File Maintenance Controls  Independent review and continuous
Are designed into the master file maintenance improvement
function, which is used to add records, change the  Change management
contents of certain fields in records, and detect
records.
7.10 COMPUTER FORENSICS
- Prohibiting a user from duplicating or
changing an existing primary key field
- Probihiting a user from changing an account
 Computer forensics
balance
 Data fingerprints

7.8 MONITORING

*Explain the purpose of and approaches to maintaining

internal control, including IT auditing

Internal control needs to be monitored to determine

whether it is adequate and effective

Conducted on an

- Ongoing basis (
- Separate project
- Combination of both

IT auditing: COBIT (chap 6)

 Auditing around the computer

 Auditing with the computer / CAATS “computer-
assisted audit techniques”
 Auditing through the computer
 TECHNIQUES:
 Test data