
INTERNAL CONTROL IN THE COMPUTER INFORMATION SYSTEM
Auditor’s Responsibilities

1. result in transaction trails that exist for a short period of time or only in computer-readable form
2. include program errors that cause uniform mishandling of transactions – clerical errors become less frequent
3. include computer controls that need to be relied upon instead of segregation of functions
4. involve increased difficulty in detecting unauthorized access
5. allow increased management supervisory potential resulting from more timely reports
6. include less documentation of initiation and execution of transactions
7. include computer controls that affect the effectiveness of related manual control procedures that use computer output
Internal Control over EDP Activities

General controls:
a. the organization of the EDP department;
b. procedures for documenting, testing, and approving the original system and any subsequent changes;
c. controls built into hardware (equipment controls); and
d. security for files and equipment.

Application controls relate to specific accounting tasks performed by EDP, such as the preparation of payrolls.
GENERAL CONTROLS – FIVE CATEGORIES

01 Organization and operation controls
02 Systems development and documentation controls
03 Hardware and systems software controls
04 Access controls
05 Data and procedural controls
01 A. Organization and Operation Controls

(1) Controls
(a) Segregate functions between the EDP department and user departments
(b) Do not allow the EDP department to initiate or authorize transactions
(c) Segregate functions within the EDP department

(2) Segregation of Duties – provides the control mechanism for maintaining an independent processing environment.
KEY FUNCTIONS:
a. Systems Analyst
b. Applications Programmer
c. Systems Programmer
d. Operator
e. Data Librarian
f. Quality Assurance
g. Control Group
h. Data Security
i. Database Administrator
j. Network Technician
a. Systems Analyst – responsible for analyzing the present user environment and requirements.
b. Applications Programmer – responsible for writing, testing, and debugging the application programs from the specifications provided by the systems analyst.
c. Systems Programmer – responsible for implementing, modifying and debugging the software necessary for making the hardware work.
d. Operator – responsible for the daily computer operations.
e. Data Librarian – responsible for the custody of the removable media.
f. Quality Assurance – established primarily to ensure that new systems under development and old systems being changed are adequately controlled.
g. Control Group – acts as liaison between users and the processing center.
h. Data Security – responsible for maintaining the integrity of the on-line access control security software.
i. Database Administrator – responsible for maintaining the database and restricting access to the database to authorized personnel.
j. Network Technician – using line monitoring equipment, they can see each keystroke made by any user.
02 B. Systems development and documentation controls

(1) CONTROLS
(a) User departments must participate in systems design.
(b) Each system must have written specifications which are reviewed and approved by management and by user departments.
(c) Both users and EDP personnel must test new systems.
(d) Management, users and EDP personnel must approve new systems before they are placed into operation.
(e) All master and transaction file conversion should be controlled to prevent unauthorized changes and to verify the results on a 100% basis.
(f) After a new system is operating, there should be proper approval of all program changes.
(g) Proper documentation standards should exist to assure continuity of the system.

(2) TWO COMMON CONTROLS OVER SYSTEM CHANGE
• Design Methodology
• Change Control Process

03 C. Hardware and systems software controls

1. Controls
a. The auditor should be aware of control features inherent in the computer hardware, operating system, and other supporting software and ensure that they are utilized to the maximum possible extent.
b. Systems software should be subjected to the same control procedures as those applied to installation of and changes to application programs.

2. Reliability of EDP
a. Parity Check
b. Echo Check
c. Diagnostic Routines
d. Boundary Protection
e. Periodic Maintenance
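The parity check and echo check listed above are named but not explained on the slides. The following is an added example (not from the slides) that models both in software: an even-parity bit over an 8-bit word, a receiver that recomputes parity, and an echo check in which the sender compares what the receiver echoes back against its own copy. The function names, the bit width and the constructed channel stand-ins are assumptions of this example; it also shows the known limitation that parity cannot detect an even number of flipped bits.

```python
# Added example (not from the slides): parity and echo checks as software models
# of the hardware reliability controls named above. Names are assumptions.

def parity_bit(data: int) -> int:
    """Even parity: the extra bit makes the total number of 1 bits even."""
    return bin(data & 0xFF).count("1") % 2

def encode_with_parity(data: int) -> int:
    """Append the parity bit as a ninth (most significant) bit of the word."""
    return (parity_bit(data) << 8) | (data & 0xFF)

def parity_ok(word: int) -> bool:
    """Receiver side: recompute parity over all nine bits. An odd number of
    flipped bits makes the count odd and is detected."""
    return bin(word & 0x1FF).count("1") % 2 == 0

def flip_bits(word: int, *positions: int) -> int:
    """Simulate transmission errors by flipping the given bit positions."""
    for p in positions:
        word ^= 1 << p
    return word

def echo_check(sent: bytes, channel) -> bool:
    """Echo check: the sender keeps a copy, the receiver echoes what it got,
    and the sender compares. `channel` is a constructed stand-in for the link
    (a callable that returns what the receiver echoes back)."""
    echoed = channel(sent)
    return echoed == sent

def demo() -> dict:
    """Exercise both checks on a constructed word and a constructed message."""
    word = encode_with_parity(0b1011_0010)          # four 1 bits -> parity bit 0
    single = flip_bits(word, 3)                      # one bit flipped in transit
    double = flip_bits(word, 3, 5)                   # two bits flipped in transit
    return {
        "clean": parity_ok(word),
        "single_bit_error_detected": not parity_ok(single),
        # two flips keep the count even, so parity misses this error
        "double_bit_error_detected": not parity_ok(double),
        "echo_clean": echo_check(b"PAYROLL-RUN-01", lambda b: b),
        "echo_corrupted": echo_check(b"PAYROLL-RUN-01", lambda b: b[:-1] + b"X"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The double-bit case is why parity is a reliability control for the hardware path rather than an integrity control against deliberate modification: it catches the common single-bit fault and nothing more. The echo check costs a second transfer but detects any difference, which is why it is used on lines where the data can be sent back cheaply.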
04 D. Access Controls

(1) Controls
- access to program documentation…
- access to data files and programs…
- access to computer hardware…

(2) Access to the EDP environment is affected both PHYSICALLY and ELECTRONICALLY.
(a) Physical access controls
1. Limited physical access
2. Visitor Entry Logs
(b) Electronic access controls
1. Access control software (user identification)
2. Call back
3. Encryption boards
05 E. Data and Procedural Controls

(1) Controls
(a) A control group should:
1. Receive all data to be processed.
2. Ensure that all data are recorded.
3. Follow up on errors during processing, and determine that transactions are corrected and resubmitted by the proper user personnel.
4. Verify the proper distribution of output.
(b) A written manual of systems and procedures should be prepared for all computer operations and should provide for management’s general and specific authorization to process transactions.
(c) Internal auditors (or another independent group in the organization) should review and evaluate proposed systems at critical stages of development and review and test computer processing activities.
(2) The EDP environment should be clearly defined in detail and appropriately documented.

To prevent unnecessary stoppages or errors in processing, the following specific controls should be implemented:
a. Operations run manual
b. Backup and recovery
c. Contingency processing
d. Processing control
e. File protection ring
f. Internal and external labels
a. Operations run manual – the operations manual specifies, in detail, the “how to’s” for each application.
b. Backup and recovery – files are backed up in a systematic manner:
- Grandfather-Father-Son method
c. Contingency processing – detailed contingency processing plans should be developed to prepare for natural disasters, man-made disasters, or general hardware failures that disable the data center.
d. Processing control – should be monitored by the control group:
- to ensure that processing is completed in a timely manner (controlled through a production schedule of the EDP department);
- all hardware errors have been corrected (controlled through an operators log);
- output has been properly distributed (controlled through distribution logs).
e. File protection ring – a processing control to ensure that an operator does not use a magnetic tape as a tape to write on when it actually has critical information on it.
f. Internal and external labels – the use of labels allows the computer operator to determine whether the correct file has been selected for processing.
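The Grandfather-Father-Son method under item b is only named above. The following is an added example (not from the slides) of the rotation logic: it decides which backup tier a given day writes and which labelled media set it goes to, so that daily sets are reused weekly, weekly sets monthly, and month-end sets are kept for the year. The specific policy (working days only, Friday as the weekly run, the last working day of the month as the monthly run, the retention periods) is an assumption of this example, as are the function names; it also handles the case where the month ends on a weekend, which a naive "last calendar day" rule gets wrong.

```python
from datetime import date, timedelta

# Added example (not from the slides): a Grandfather-Father-Son backup rotation.
# Policy assumed for this example: backups run on working days only; the last
# working day of a month writes the grandfather set, other Fridays write a
# father set, other working days write a son set that is reused a week later.

WEEKDAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
RETENTION_DAYS = {"son": 7, "father": 28, "grandfather": 365}   # assumed policy

def is_last_working_day_of_month(day: date) -> bool:
    """True when no later weekday remains in the same month. This is what makes
    a month that ends on Saturday or Sunday still get its grandfather run."""
    d = day + timedelta(days=1)
    while d.month == day.month:
        if d.weekday() < 5:
            return False
        d += timedelta(days=1)
    return True

def gfs_tier(day: date) -> str:
    """Classify a calendar day into the GFS tier written that day."""
    if day.weekday() >= 5:
        return "none"                      # no backup run at weekends
    if is_last_working_day_of_month(day):
        return "grandfather"
    if day.weekday() == 4:                 # Friday
        return "father"
    return "son"

def gfs_media_label(day: date) -> str:
    """External label of the media set used that day. Son and father sets are
    reused cyclically; each grandfather set is unique to its month."""
    tier = gfs_tier(day)
    if tier == "grandfather":
        return "GF-" + day.strftime("%Y-%m")
    if tier == "father":
        return f"F-week{(day.day - 1) // 7 + 1}"
    if tier == "son":
        return "S-" + WEEKDAY_NAMES[day.weekday()]
    return "none"

def schedule(start: date, days: int) -> list:
    """(date, tier, media label) for every backup run in the period."""
    runs = []
    for i in range(days):
        d = start + timedelta(days=i)
        tier = gfs_tier(d)
        if tier != "none":
            runs.append((d.isoformat(), tier, gfs_media_label(d)))
    return runs

if __name__ == "__main__":
    for run in schedule(date(2024, 1, 1), 31):
        print(*run)
```

Because the media label is derived from the date and tier alone, the same function can be used by the data librarian to check that the tape mounted for a run carries the label the schedule expects, which is the external-label control in item f applied to the backup cycle.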
Application Controls

Application controls are controls that relate to a specific application instead of multiple applications.

Each accounting application that is processed in an EDP system is controlled during three steps:

Input – converts human-readable information into computer-readable information.
Processing – ensures the integrity of information in the computer.
Output – presentation of the results of processing to the user and retention of data.
A. Input controls

(2) To ensure the integrity of the human-readable data into a computer-readable format.

(a) Preprinted form
• information is pre-assigned a place and a format on the input form used.
• used when a large quantity of repetitive data is inputted.

(b) Check digit
• an extra digit is added to an identification number to detect certain types of data transmission or transposition errors.
• used to verify that the number entered is correct.

(c) Control, batch or proof total
• total of one numerical field for all the records of a batch that normally would be added.

(d) Hash totals
• a total of one field for all the records of a batch where the total is a meaningless total for financial purposes.

(e) Record count
• a control total used for accountability to ensure all the records received are processed.

(f) Reasonableness and limit tests
• determine if amounts are too high, too low, or unreasonable.
• a reasonableness check is similar to a validity check.

(g) Menu driven input
• when input is being entered into a CRT, the operator should be greeted by a menu and prompted as to the proper response to make.

(h) Field checks
• make certain only numbers, alphabetical characters, special characters and proper positive and negative signs are accepted into a specific data field where they are required.

(i) Validity check
• allows only “valid” transactions or data to be entered into the system.

(j) Missing data check
• blanks exist in input data where they should not.

(k) Field size check
• an exact number of characters is to be inputted.

(l) Logic check
• illogical combinations of inputs are not accepted into the computer.
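The per-record input controls above ((b), (f), (h), (i), (j), (k) and (l)) can all be applied by one validation routine before a record enters processing. The following is an added example (not from the slides) that runs them over a constructed payroll input record and returns the list of control failures. The field names, the department code table, the limits and the record layout are assumptions of this example; the check digit uses the Luhn mod-10 scheme, which is one common choice for the control described in (b) and catches the adjacent-digit transposition shown in the bad record. Batch, hash and record-count totals ((c), (d), (e)) operate over a whole batch rather than one record and are shown with the processing and output controls later on this page.

```python
# Added example (not from the slides): the input controls above applied to a
# constructed payroll input record. Field names, limits and the department
# code table are assumptions; the check digit uses the Luhn mod-10 scheme.

VALID_DEPARTMENTS = {"100", "200", "300"}   # assumed validity table for (i)
ID_LENGTH = 11                              # assumed field size for (k), incl. check digit

def luhn_check_digit(body: str) -> str:
    """Mod-10 check digit for a string of digits. Every second digit counting
    from the right of the body is doubled (the check digit will sit to its right)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def check_digit_ok(id_with_check: str) -> bool:
    """Validate an identification number whose final digit is the check digit."""
    if len(id_with_check) < 2 or not id_with_check.isdigit():
        return False
    return luhn_check_digit(id_with_check[:-1]) == id_with_check[-1]

def validate_employee_record(rec: dict) -> list:
    """Run the input controls over one record and return the list of failures
    (an empty list means the record is accepted)."""
    errors = []
    # (j) missing data check: required fields must be present and non-blank
    for field in ("employee_id", "department", "hours", "rate"):
        if str(rec.get(field, "")).strip() == "":
            errors.append(f"missing data: {field}")
    if errors:
        return errors
    emp = str(rec["employee_id"])
    if len(emp) != ID_LENGTH:                       # (k) field size check
        errors.append(f"field size: employee_id must be {ID_LENGTH} characters")
    elif not emp.isdigit():                         # (h) field check: digits only
        errors.append("field check: employee_id must be numeric")
    elif not check_digit_ok(emp):                   # (b) check digit
        errors.append("check digit: employee_id fails mod-10 check")
    if str(rec["department"]) not in VALID_DEPARTMENTS:   # (i) validity check
        errors.append("validity: unknown department code")
    try:                                            # (h) field check: numeric amounts
        hours = float(rec["hours"])
        rate = float(rec["rate"])
        overtime = float(rec.get("overtime_hours", 0))
    except ValueError:
        errors.append("field check: hours, rate and overtime must be numeric")
        return errors
    if hours < 0 or rate < 0 or overtime < 0:       # (h) sign rule
        errors.append("field check: negative hours or rate not accepted")
    if hours > 80:                                  # (f) limit test
        errors.append("limit: hours exceed 80 per pay period")
    if not 10.0 <= rate <= 500.0:                   # (f) reasonableness test
        errors.append("reasonableness: pay rate outside expected range")
    if overtime > 0 and hours == 0:                 # (l) logic check
        errors.append("logic: overtime claimed with zero regular hours")
    return errors

# Constructed sample records (not real data)
GOOD_RECORD = {"employee_id": "79927398713", "department": "200",
               "hours": "40", "rate": "25.50", "overtime_hours": "5"}
BAD_RECORD = {"employee_id": "79927389713",   # digits 9 and 8 transposed
              "department": "999", "hours": "0", "rate": "5", "overtime_hours": "3"}

if __name__ == "__main__":
    print("good:", validate_employee_record(GOOD_RECORD))
    print("bad: ", validate_employee_record(BAD_RECORD))
```

The order of the checks matters: the missing-data check runs first because the later controls assume a value is present, and the field-size, field and check-digit tests on the identifier are chained so that a record gets one precise failure reason per field rather than a cascade of secondary errors.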
B. Processing controls

(1) Controls
(a) Control totals should be produced and reconciled with input control totals – proof of batch totals.
(b) Controls should prevent processing the wrong file and detect errors in file manipulation – label checks.
(c) Limit and reasonableness checks should be incorporated into programs to prevent illogical results such as reducing inventory to a negative value.
(d) Run-to-run totals should be verified at appropriate points in the processing cycle. This ensures that records are not added or lost during the processing runs.

(2) Processing controls are essential to ensure the integrity of the data through all the processing steps.

(a) Checkpoint/restart capacity
• If a particular program requires a significant amount of time to process, it is desirable to have software within the application that allows the operator the ability to restart the application at the last checkpoint passed as opposed to restarting the entire application.

(b) Error resolution procedure
• Individual transactions may be rejected during the processing as a result of the error detection controls in place.
C. Output controls

(1) Controls – visual review of the output should be done by the user or an independent control group.
(a) Output control totals should be reconciled with input and processing control totals.
(b) Output should be scanned and tested by comparison to original source documents.
(c) Systems output should be distributed only to authorized users.

(2) Prior to the release of output to the user, there should be appropriate controls in place to ensure that processing was accomplished according to specifications.

(a) Control total
• the user of the application will frequently give the operator the expected result of processing ahead of time.

(b) Limiting the quantity of output and total processing time
• time restraints and output page generation constraints are often automated within the job being run to ensure that, if processing is being done in error, the job will not utilize resources needlessly.

(c) Error message resolution
• the system provides technical codes indicating the perceived success of the job run.
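The control-total chain runs through all three application-control steps: batch, hash and record-count totals are established at input (input controls (c), (d), (e)), proved and carried run-to-run through processing (processing controls (1)(a), (b), (d)), and reconciled at output against both the input totals and the result the user announced ahead of time (output controls (1)(a) and (2)(a)). The following is an added example (not from the slides) that implements that chain over a constructed batch, including an internal label check before a file is processed. The records, file header, generation numbers and function names are assumptions of this example.

```python
from dataclasses import dataclass

# Added example (not from the slides): control totals established at input,
# an internal label check before a file is processed, run-to-run totals across
# a posting run, and output reconciliation against the totals and the user's
# expected result. Records, file headers and names are constructed.

@dataclass(frozen=True)
class ControlTotals:
    record_count: int    # (e) record count
    batch_total: float   # (c) proof total of the amount field (financially meaningful)
    hash_total: int      # (d) sum of account numbers (meaningless financially)

def compute_totals(records: list) -> ControlTotals:
    """Compute all three control totals over a batch of records."""
    return ControlTotals(
        record_count=len(records),
        batch_total=round(sum(r["amount"] for r in records), 2),
        hash_total=sum(r["account"] for r in records),
    )

def label_check(file_header: dict, expected_name: str, expected_generation: int) -> bool:
    """Internal label check: the file's own header must carry the name and the
    generation number this run expects, otherwise the wrong file is refused."""
    return (file_header.get("name") == expected_name
            and file_header.get("generation") == expected_generation)

def run_to_run_ok(before: ControlTotals, after: ControlTotals) -> bool:
    """Run-to-run check: totals carried out of one run must equal those carried in."""
    return before == after

def posting_run(records: list, input_totals: ControlTotals) -> list:
    """Processing step with proof of batch totals before posting and a run-to-run
    check after it, so a record added or lost inside the run is detected rather
    than silently carried forward to output."""
    if not run_to_run_ok(input_totals, compute_totals(records)):
        raise ValueError("proof of batch totals failed before posting")
    posted = [dict(r, posted=True) for r in records]
    if not run_to_run_ok(input_totals, compute_totals(posted)):
        raise ValueError("run-to-run totals differ after posting")
    return posted

def output_reconciliation(posted: list, input_totals: ControlTotals,
                          expected_by_user: float) -> dict:
    """Output control: output totals must agree with the input/processing totals
    and with the expected result the user supplied ahead of time."""
    out = compute_totals(posted)
    return {"matches_input": out == input_totals,
            "matches_user_expectation": out.batch_total == expected_by_user}

# Constructed input batch (not real data)
INPUT_BATCH = [{"account": 1001, "amount": 250.00},
               {"account": 1002, "amount": 125.50},
               {"account": 1003, "amount": 74.25}]

if __name__ == "__main__":
    totals = compute_totals(INPUT_BATCH)
    header = {"name": "PAYROLL.MASTER", "generation": 12}   # constructed file label
    if label_check(header, "PAYROLL.MASTER", 12):
        posted = posting_run(INPUT_BATCH, totals)
        print(output_reconciliation(posted, totals, 449.75))
```

The hash total earns its place next to the batch total because the two catch different failures: dropping a record changes the record count and the batch total, but posting the right amount to the wrong account leaves the batch total intact and is only caught by the hash total over the account field. The label check sits in front of the run because no total can tell the operator that the correct amounts were posted into last month's generation of the master file.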
