Internal controls over computer processing include both manual
procedures and procedures built into the computer programs. These
controls can be divided into:
- General controls
- Application controls
General controls
These are controls which relate to the environment within which
computer-based accounting systems are developed, maintained and
operated, and are aimed at providing reasonable assurance that the
overall objectives of internal controls are achieved. These controls
could either be manual or programmed.
The objectives of general controls are to ensure proper
development and implementation of applications and the integrity of
program and data files and of computer operations. General controls
will be considered under the headings of:
- Systems development controls
- Organisational controls.
- Access controls
- Other controls
Systems development controls
These relate to:
- Review, testing and approval of new systems.
- Parallel running
- Program changes
- Documentation procedures.
Review, testing and approval of new systems
The basic principles of these controls are that:
- Systems design should include representatives of the user
department, the accounting department and internal audit.
- Each proposed system should have written specifications that
are approved by management and the user department.
- Systems testing should involve both the user and computer
departments.
- The computer manager, the user department, the database
administrator and the appropriate level of management should give
final approval to the new system before it is placed in operation,
after reviewing the completeness of documentation and the results
of testing.
Program Changes
Similar requirements apply to changes as well as to new systems,
although the level of testing and authorisation will vary with the
magnitude of the changes. It is particularly important that the
documentation be brought up to date. A common cause of control
breakdown is the unsuspecting reliance of new staff on out-of-date
documents.
Documentation Procedures
Adequate documentation is important to both the auditor and
management.
For management, documentation provides a basis for:
- Reviewing the system prior to authorisation.
- Implementing smooth personnel changes and avoiding the problem
that key employees might take with them all the knowledge of how
the system works.
- Reviewing existing systems and programs.
For the auditor, documentation is necessary for the preliminary
evaluation of the system and its controls.
Parallel running
Before switching to the new system, the whole system should be
tested by running it in parallel with the existing system. Parallel
running refers to running the new and old systems alongside each
other for a specified period of time, say a month. This is important
because:
- It provides the users with the opportunity to familiarise
themselves with the new system while still having the old system
available to compare.
- It provides an opportunity for the programmers to sort out any
problems with the new system.
Organisational controls
These relate to:
- Segregation of functions.
- Policies and procedures relating to control functions.
Segregation of functions
The principal segregation in a centralised system is between the
user and computer departments. Those who process the data should
have no responsibility for initiating or altering the data. The
following segregations are important:
- The computer department manager should report to an executive
who is not regularly involved in authorising transactions for
computer processing.
- Computer staff should not correct errors in input data.
- Computer staff should not initiate transactions or have custody
of resulting assets.
- Within the computer department there should be segregation of
duties along the following lines.
Job title and responsibilities
- Computer department manager: Exercises overall control over the
running of the department.
- Systems analyst: Monitors existing systems, designs new systems
and prepares specifications for programmers.
- Programmer: Develops, debugs and documents programs.
- Computer operator: Operates the computer in accordance with
operating instructions.
- Data entry operator: Keys input data into the computer.
- Librarian: Maintains custody of systems documentation and
off-line programs and files.
- Data control group: Co-ordinates activities between the computer
department and the user departments, and monitors and controls
input and output.
- Database administrator: Designs the contents and organisation of
the database and controls access to it.
Policies and procedures relating to control functions
A particular worry is that the operation of program controls
could be interfered with during the running of the system by
someone with the necessary skills. For these reasons:
- Programmers and systems analysts should not be allowed to
operate the computer except for testing purposes.
- Operators' duties should be rotated so that the same operator is
not always responsible for the same procedure.
- For similar reasons, the computer's operating system should be
set up to keep a record of the programs and files operated on. This
record should be checked regularly by the computer department
manager and by internal audit. There should also be procedures
ensuring the completeness and validity of all input and output. In
a centralised system, a data control group may be established for
this function.
Access control
Computer systems are often dependent on the accuracy and validity of
data held on file. Access controls over the computer hardware,
software and data files are therefore vital. Access controls are
both physical and programmed. Physical controls apply to both
hardware and data files stored in the form of magnetic disks or
diskettes. Examples of access controls:
- Only authorised personnel should be permitted access to the
computer which should be in a secure room. This may not be possible
with single microcomputers or even terminals.
- Control over computers located in the user department should be
improved by making sure that vital data or programs are not left
running when the computer is left unattended.
- Passwords should be issued to all staff, whether for access to a
mainframe or to single microcomputers. This is supported by the
requirement that each user can only log into the computer by
keying in their password; the computer then knows the identity of
the user and is programmed to accept instructions only from
authorised users. A system of passwords makes it possible to limit
each user's access to files, and that access may further be
designated as Read Only or Read and Write. In this way employees
are given access only to the information in the files they are
authorised to use. Computers should also be programmed to record
the names of all those accessing the computer for the purpose of
adding, altering or deleting data. Passwords should be changed
regularly, and access to password data held in the computer should
be subject to stringent controls.
- The computer has no way of knowing whether the user is the
authorised holder of a particular password. Hence users should be
issued with machine-readable evidence, e.g. magnetic stripe cards.
For access, the user will then have to present both the card and
the password.
- Access to computers is usually via telephone lines. Computers
should be programmed with the telephone numbers of such users. On
receiving a call, the computer should be required to call back on
the authorised number rather than accept calls directly.
- Programs and data files which need not be on-line should be
stored in a secure location by the computer department librarian.
Systems programs and documentation should be locked away with
limited access.
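The programmed access controls in the list above can be modelled in a few dozen lines. The following is an added example, not part of the original text: it requires both a password and a machine-readable card to log in, gives each user Read Only or Read and Write access per file, logs everyone who adds, alters or deletes data (and every refused attempt), and refuses passwords that have not been changed within a fixed period. The users, files, card numbers and the 90-day password age are constructed for the example; storing only a salted hash of the password is the example's way of keeping password data under stringent control.

```python
"""Added example (not from the original text): a small model of the programmed
access controls listed above: password plus a machine-readable card to log in,
per-file Read Only / Read and Write access, a log of everyone who adds, alters
or deletes data, and regular password changes. Users, files and cards are
constructed for the example."""
import hashlib
import hmac
import os
from datetime import date, timedelta

# Assumption: "changed regularly" is taken as at least every 90 days.
PASSWORD_MAX_AGE = timedelta(days=90)


def _hash_password(password: str, salt: bytes) -> bytes:
    # Stored password data is a salted hash, so the password itself is never held on file.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControl:
    def __init__(self):
        self._users = {}   # name -> {"salt", "hash", "card", "changed"}
        self._acl = {}     # file -> {name: "R" (Read Only) or "RW" (Read and Write)}
        self.log = []      # (date, user, action, file): the record of who did what

    def add_user(self, name, password, card_id, today):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": _hash_password(password, salt),
                             "card": card_id, "changed": today}

    def grant(self, file, name, mode):
        if mode not in ("R", "RW"):
            raise ValueError("mode must be 'R' or 'RW'")
        self._acl.setdefault(file, {})[name] = mode

    def login(self, name, password, card_id, today):
        """Both the password and the card must match; an expired password is refused."""
        rec = self._users.get(name)
        pw_ok = rec is not None and hmac.compare_digest(
            rec["hash"], _hash_password(password, rec["salt"]))
        if not pw_ok or card_id != rec["card"]:
            self.log.append((today, name, "LOGIN_FAILED", None))
            return None
        if today - rec["changed"] > PASSWORD_MAX_AGE:
            self.log.append((today, name, "PASSWORD_EXPIRED", None))
            return None
        self.log.append((today, name, "LOGIN", None))
        return Session(self, name, today)


class Session:
    def __init__(self, ac, user, today):
        self.ac, self.user, self.today = ac, user, today

    def _mode(self, file):
        return self.ac._acl.get(file, {}).get(self.user)

    def read(self, file) -> bool:
        return self._mode(file) in ("R", "RW")

    def change(self, file, action) -> bool:
        """action is 'add', 'alter' or 'delete'; needs Read and Write access.
        Every attempt, granted or denied, goes to the log."""
        ok = self._mode(file) == "RW"
        self.ac.log.append((self.today, self.user,
                            action.upper() if ok else "DENIED_" + action.upper(), file))
        return ok


def demo():
    """Constructed scenario: a clerk with Read Only and a manager with Read and Write."""
    ac = AccessControl()
    today = date(2024, 3, 1)
    ac.add_user("clerk", "clerk-pw", "CARD-001", today)
    ac.add_user("manager", "mgr-pw", "CARD-002", date(2023, 1, 1))  # password 14 months old
    ac.grant("payroll.dat", "clerk", "R")
    ac.grant("payroll.dat", "manager", "RW")
    wrong_card = ac.login("clerk", "clerk-pw", "CARD-999", today)   # right password, wrong card
    clerk = ac.login("clerk", "clerk-pw", "CARD-001", today)
    expired = ac.login("manager", "mgr-pw", "CARD-002", today)
    return {
        "wrong_card_refused": wrong_card is None,
        "expired_refused": expired is None,
        "clerk_can_read": clerk.read("payroll.dat"),
        "clerk_can_alter": clerk.change("payroll.dat", "alter"),
        "log": ac.log,
    }
```

The log is the point the text makes about recording names: it is written on every change attempt, not only on successful ones, so the computer department manager or internal audit reviewing it sees the clerk's refused alteration as well as the manager's permitted ones.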
Other controls
They include controls over:
- Unauthorised use of computers.
- Back-up facilities in the event of breakdown. There should be
adequate back-up procedures, e.g. maintaining duplicate programs and
information at different locations, and protection against natural
disasters such as situating computer rooms in areas protected
against floods. There should be the maximum possible physical
security where computers are installed. Important files should
always be stored in duplicate. Standby procedures should be put in
place in the event of computer breakdown.
- File retention procedures e.g. retaining copies of essential
data on separate.
(ii) APPLICATION CONTROLS
The objectives of application controls, which may be manual or
programmed, are to ensure the completeness and accuracy of the
accounting records and the validity of the entries made therein,
resulting from both manual and programmed processing. These relate
to the transactions and standing data pertaining to each
computer-based accounting system and are therefore specific to each
such application. With the increasing sophistication of computer
operating systems it is becoming more common for controls to be
programmed as part of each application. Application controls are
generally divided into:
- Input controls.
- Processing controls.
- Output controls.
- Controls over master files and standing data.
Input controls
Most errors in computer accounting systems can be traced to
faulty input. Controls over the completeness and validity of all
input are therefore vital. Some controls affect both completeness
and validity, and these will be considered separately. They
include controls over data conversion, controls over rejections and
the correction and reprocessing of rejections, batch controls and
computer edit controls.
Completeness
These controls ensure that all transactions are recorded: that
all sales, for example, are recorded in the cash register, or that
all purchase invoices are posted to the accounting records. They are
particularly important over the recording of revenue and the receipt
of assets.
Validity
Controls over validity ensure that only actual transactions that
have been properly authorised are recorded. These controls are most
important over the recording of liabilities such as wages,
creditors etc. As in a manual system, control is established by
written authorisation on input documents, such as the departmental
manager's signature on employees' time cards. It is important that
there is adequate separation of duties, such that those who initiate
a transaction, or who have access to cash, cheques or goods as a
result of the transaction being entered, should not have the
responsibility for entering the transaction. As with completeness,
the computer can be programmed to assist in this control, in which
case some of the requirements above can be relaxed; for example the
computer can initiate purchases when stock levels reach a
pre-determined re-order level. It can then validate the payment by
matching the invoice with the order and goods-inward notes. Access
controls, as discussed earlier, play an important role in validity in
that the computer is programmed to accept input only from
authorised users. The computer can also be programmed to verify
authority limits.
Data Conversion
There must be controls to ensure that all data on source
documents is properly entered into the computer. In the early days,
when entry was by punched card, each card was verified as punched
by a second machine operator. Now that most data is entered
using a keyboard or a terminal, other controls are more common.
The most common input controls are edit controls. Examples of
edit controls include:
Type of edit control | Description of control | Objective
Missing field check | Checks that all essential data fields are present and are of the right length | Ensures accuracy of the processed data. Transactions cannot be properly processed if necessary data is missing
Valid character check | Checks that data fields appear to be of the right type, e.g. all alphabetic, all numeric or mixed | Ensures correctness of input data
Limit/reasonableness checks | Checks that data falls within predetermined reasonability limits, e.g. hours worked do not exceed a certain limit, maybe 8 hours a day | Ensures accuracy and validity of input data
Master file checks | Checks that all codes match those on master files, e.g. an employee's number matches an employee number on the personnel file | Ensures that data is processed against the correct master file
Check digit | Applies an arithmetic operation to the code number and compares the result to the check digit | Ensures accuracy of data by detecting keystroke errors
Document count | Agrees the number of input records in a batch with the total on the batch control form | Ensures that all documents are input
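The following added example (not part of the original text) applies every edit control in the table to one constructed batch of time-card records, so that each rejection reason can be traced back to a row of the table. The record layout, the personnel master file, the 8-hour limit (taken from the table's own example) and the weighted modulus-11 check digit scheme are assumptions made for the example; the text itself names no particular check digit arithmetic.

```python
"""Added example (not from the original text): the edit controls from the table
above applied to a constructed batch of time-card records. The record layout,
the personnel master file, the 8-hour limit (the table's own example) and the
weighted modulus-11 check digit scheme are assumptions for the example."""
import re

MAX_HOURS_PER_DAY = 8
# field -> required length (None means any length); every field is essential
REQUIRED_FIELDS = {"employee_no": 6, "hours": None, "dept": 2}
# Constructed personnel master file: employee number (with check digit) -> name
PERSONNEL_MASTER = {"102342": "A. Smith", "200174": "B. Jones", "305006": "C. Lee"}


def check_digit_ok(code: str) -> bool:
    """Weighted modulus-11 check digit over a 5-digit number plus 1 check digit.
    A mistyped or transposed digit changes the weighted sum and is caught."""
    if not re.fullmatch(r"\d{6}", code):
        return False
    total = sum(int(d) * w for d, w in zip(code[:5], (6, 5, 4, 3, 2)))
    expected = (11 - total % 11) % 11
    return expected != 10 and expected == int(code[5])   # 10 is not a usable digit


def edit_record(rec: dict) -> list:
    """Return the edit-control rejections for one record (empty list = accepted)."""
    errors = []
    for field, length in REQUIRED_FIELDS.items():          # missing field check
        value = rec.get(field, "")
        if value == "":
            errors.append(f"missing:{field}")
        elif length is not None and len(value) != length:
            errors.append(f"length:{field}")
    if errors:
        return errors        # the later checks need complete fields to work on
    if not rec["employee_no"].isdigit():                    # valid character check
        errors.append("chars:employee_no")
    if not rec["hours"].isdigit():
        errors.append("chars:hours")
    elif int(rec["hours"]) > MAX_HOURS_PER_DAY:             # limit/reasonableness check
        errors.append("limit:hours")
    if not check_digit_ok(rec["employee_no"]):              # check digit
        errors.append("checkdigit:employee_no")
    if rec["employee_no"] not in PERSONNEL_MASTER:          # master file check
        errors.append("master:employee_no")
    return errors


def edit_batch(records, batch_control_count):
    """Apply the document count to the batch and the edit checks to each record."""
    rejections = {i: errs for i, rec in enumerate(records, start=1)
                  if (errs := edit_record(rec))}
    return {"document_count_ok": len(records) == batch_control_count,
            "accepted": len(records) - len(rejections),
            "rejections": rejections}


# Constructed batch; the batch control form (also constructed) claims 6 documents.
BATCH_CONTROL_COUNT = 6
SAMPLE_BATCH = [
    {"employee_no": "102342", "hours": "8", "dept": "A1"},    # clean
    {"employee_no": "102343", "hours": "7", "dept": "A1"},    # keystroke error in last digit
    {"employee_no": "200174", "hours": "12", "dept": "B2"},   # unreasonable hours
    {"employee_no": "", "hours": "8", "dept": "B2"},          # employee number missing
    {"employee_no": "305006", "hours": "8h", "dept": "C3"},   # non-numeric hours
]
```

Running `edit_batch(SAMPLE_BATCH, BATCH_CONTROL_COUNT)` reports the document count failure (five records against a control form total of six) separately from the per-record rejections, which is how the text's controls over rejections and reprocessing need it: a short batch is returned to the data control group as a whole, while individual rejected records are corrected and re-entered.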
Processing controls
Processing controls ensure that transactions are:
- Processed by the right programs.
- Processed to the right master files.
- Not lost, duplicated or otherwise improperly altered during
processing.
- Processing errors are identified and corrected.
Processing controls include:
- Program file identification procedures, which check whether
the right master files are in use.
- Physical file identification procedures in the form of labels
physically attached to files or diskettes to ensure that the right
files are in use.
- Control totals which are progressively expanded as the data is
processed, for example the hash total of quantities shipped can be
expanded to a gross sales total as items are priced and to a net
sales total as customer discounts are determined. These totals
should be carried forward with the transaction data as run-to-run
totals.
- Limit and reasonableness tests applied to data arising as a
result of processing.
- Sequence tests over pre-numbered documents.
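The run-to-run totals and the sequence test in the list above are shown together in the following added example, which is not part of the original text. A constructed batch of pre-numbered sales orders carries a hash total of quantities shipped through a pricing run (which expands it to a gross sales total) and a discount run (which adds a net sales total); after each run the totals that should not have moved are reconciled, and the document numbers are checked for gaps and duplicates. The orders, price list, customer discounts and the simulated lost record are all constructed.

```python
"""Added example (not from the original text): run-to-run control totals and a
sequence test over pre-numbered documents. The sales orders, price list and
customer discounts are constructed; the hash total of quantities is carried
forward and expanded to a gross and then a net sales total, as described above."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Order:
    doc_no: int            # pre-numbered document number
    item: str
    customer: str
    qty: int
    unit_price: float = 0.0
    discount: float = 0.0  # fraction of gross, filled in by the discount run


def control_totals(orders):
    """The totals carried forward from run to run with the transaction data."""
    return {
        "count": len(orders),
        "hash_qty": sum(o.qty for o in orders),   # hash total of quantities shipped
        "gross": round(sum(o.qty * o.unit_price for o in orders), 2),
        "net": round(sum(o.qty * o.unit_price * (1 - o.discount) for o in orders), 2),
    }


def reconcile(before, after, must_match):
    """Totals in must_match should be identical before and after a run; any
    difference means records were lost, duplicated or altered in processing."""
    return {k: (before[k], after[k]) for k in must_match if before[k] != after[k]}


def sequence_test(orders):
    """Missing and duplicated document numbers in a pre-numbered series."""
    nums = sorted(o.doc_no for o in orders)
    present = set(nums)
    expected = set(range(nums[0], nums[-1] + 1))
    return {"missing": sorted(expected - present),
            "duplicates": sorted(n for n in present if nums.count(n) > 1)}


def pricing_run(orders, price_list):
    return [replace(o, unit_price=price_list[o.item]) for o in orders]


def discount_run(orders, discounts, lose_doc_no=None):
    # lose_doc_no simulates a record dropped during processing (constructed failure)
    return [replace(o, discount=discounts[o.customer])
            for o in orders if o.doc_no != lose_doc_no]


def process_batch(orders, price_list, discounts, lose_doc_no=None):
    t0 = control_totals(orders)
    priced = pricing_run(orders, price_list)
    t1 = control_totals(priced)
    discounted = discount_run(priced, discounts, lose_doc_no)
    t2 = control_totals(discounted)
    return {
        "after_pricing": t1,
        "after_discount": t2,
        # pricing may only expand the totals; count and hash total must not move
        "pricing_discrepancies": reconcile(t0, t1, ("count", "hash_qty")),
        # the discount run must preserve count, hash total and gross
        "discount_discrepancies": reconcile(t1, t2, ("count", "hash_qty", "gross")),
        "sequence": sequence_test(discounted),
    }


# Constructed batch of five pre-numbered sales orders.
ORDERS = [Order(1001, "A", "X", 10), Order(1002, "B", "Y", 5), Order(1003, "A", "X", 2),
          Order(1004, "C", "Z", 7), Order(1005, "B", "Y", 1)]
PRICE_LIST = {"A": 2.50, "B": 10.00, "C": 4.00}
DISCOUNTS = {"X": 0.10, "Y": 0.0, "Z": 0.05}
```

`process_batch(ORDERS, PRICE_LIST, DISCOUNTS)` reconciles cleanly, while `process_batch(ORDERS, PRICE_LIST, DISCOUNTS, lose_doc_no=1003)` reports the count, hash total and gross as out of agreement after the discount run and lists 1003 as a missing document number, which is exactly the loss the text's run-to-run totals and sequence tests exist to surface.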
c) Output controls
These are necessary to ensure that:
- Output is received from input.
- Results of processing are accurate
- Output is distributed to appropriate personnel.
These controls include:
- Logging of all output.
- Matching or agreeing all output to input, such as by one-for-one
matching or control totals.
- Noting distribution of all the output.
- Output checklists aimed at ensuring that all expected reports
are processed and forwarded to the relevant department or
personnel.
Controls over master files and standing data
These are aimed at ensuring the completeness, accuracy and
authorisation of amendments to master files and standing data
files. These controls are similar to controls over input, e.g.
controls to prevent the deletion of any account which contains a
current running balance. Once standing data has been written onto a
master file, it is important that there are adequate controls to
ensure that the data remains unaltered until an authorised change
is made.
- Preventive — Some of the best controls prevent fraud, theft,
misstatements, or ineffective organizational functioning. For
example, we saw in a previous post the effectiveness of segregation
of duties to prevent fraud. Preventive controls can be as simple as
locks and access codes to sensitive areas of a building or
passwords for confidential information.
- Detective — A security camera is a good example of a detective
control. A store manager who notices a pattern of a cash drawer
coming up short when attended by a particular clerk can easily look
at video of the clerk’s actions throughout the day to detect
potential theft. An access log and an alert system can quickly
detect and notify management of attempts by employees or outsiders
to access unauthorized information or parts of a building.
- Corrective — Coupled with preventive and detective controls,
corrective controls help mitigate damage once a risk has
materialized. An organization can document its policies and
procedures, enforcing them by means of warnings and employee
termination when appropriate. When managers wisely back up data
they can restore a functioning system in the event of a crash. If a
disaster strikes, business recovery can take place when an
effective continuity and disaster management plan is in place and
followed.