Question

As an auditor, how would you ensure the different aspects of General EDP control and EDP application in an organization?

Provide examples in each scenario.   

Answer 1

General controls

This control covers the environment in which computer processing is conducted. Some of the objectives of general control include:
a) To ensure adequate segregation of duties, that is, division of functional responsibilities
b) To protect information contained in computer records etc. General controls can be subdivided into:
i) Systems development and control
ii) Administrative controls

Systems development and control

This covers the following areas:

Standards: There should be standard procedures to be followed anytime an application is introduced. This will include adequate feasibility studies covering investigation, fact recording and analysis of gathered facts. It also covers the design of new systems, implementation and most importantly systems change over procedure.

Documentation: There should be proper documentation using flow charts, decision tables, structured English etc and all these should be incorporated in a manual for use.
Testing: The new system should be fully tested before being used operationally. Programs should be checked with test and live data while the whole system should be tested using parallel running or pilot operation technique.

File conversion: Before the new system becomes operational, master files should be set up completely and accurately. This can be achieved by a complete print out of the contents of master files and crosschecking the results with manually maintained records. This process is referred to as conversion checks.

Authorization: Each system development stage should be reviewed by a responsible officer in the EDP department and it must be approved by the steering committee or board of directors but most importantly, it must be acceptable to user department.

Auditors ensure that sufficient control is present in the new system to maintain reliable accounting records.

Administrative Controls

This includes:
a) Division or segregation of duties: Data processing staff should not initiate transactions or authorize normal transactions while users should not operate the computer by self to process transactions. In modern system, this division is not practicable since some authorization function is implicitly transferred to computers. For example, a computer raising purchase requisition when stock reaches re-order levels. Also, the main functions within the data processing department should be carried out by separate persons. Only user department staff and data processing department staff should be allowed to amend input data while computer operators should have access to the machines during a processing run.

b) Control over computer operators.
There should be control over computer operators using manual with details of standard procedures to be followed always. There should be frequent and independent review of computer usage by references to clerical and machine logs.
There should be rotation of operators’ duty and a minimum of two operators per shift.

c) File control
This will cover:
i) File storage procedure: This involves the use of locks and keys on computer files and programs. These devices should be kept in a conducive atmospheric environment. A record of file usage should be maintained and ensure its prompt returns.

ii) File identification procedures: Which includes physical label by allocating unique identification no to the file which can be manually checked.

iii) Protection rings or written permit rings for magnetic tapes or disc files must be physically attached before any processing. Machine labels using header and trailer labels such as file name, identification number, retention period will be checked by a computer programmer on set up.

iv) File reconstruction procedures: This involves recreation when contents of computer files are lost, stolen or damaged. This can be achieved by retention of earlier generation of master file and related transaction data’s file such as Grand father, father son technique for magnetic tapes, dumping or copying for magnetic disc or diskette.

d) General security: There should be restriction of access to computer facilities by beating the equipment in a room with locks.Standby arrangements such as power generating plants supplemented by uninterrupted power supply (UPS) should be provided for. Adequate insurance policy should be obtained to cover risk of fire, flood etc.

Application or procedural control:

This includes:
Input, processing, output and master file controls. These controls are to ensure the completeness and accurate processing of data.
a) Input controls: There should be segregation of duties between users and EDP functionals. For example, input should be originated by users only, and amendments should be done by authorized personnel.

There should be segregation of duties between punching and verification when converting input into machine sensible form. There should be physical control over source documents (such as vouchers, sales invoices) input media (such as magnetic tapes, disc and diskettes). There should be procedures for recording investigating errors and resubmission for processing. Batch control (such as control total, batch total and hash or nonsense total) to be used in order to achieve completeness and accurate processing.

Batch total involves choosing a quantitative field and accumulating its value together for control purposes. Examples of quantitative fields are : total values of invoices, total value of overtime payments, total quantity sold etc. Harsh total involves choosing a field which has no quantitative meaning and accumulating its value together. Examples are: totals of invoice members, customer numbers, pay-roll numbers etc the total of which are meaningless but useful for control purpose; thus, the term or name harsh or nonsense total.

Also, validation checks or data vet or edit control can be built or programmed into input conversion to validate input for reasonableness. Examples are types or data vet or field or character check, limit or range check, existence check, reasonableness check, sequence check, completeness check.

Processing control
This relates to all arithmetic and logic operations or input carried out by programmed procedures such as edit controls or data vet.

Check digit verification
A check digit is a number which is added to a series of reference numbers for the purpose of producing a self checking number. Each check digit is derived mathematically and bears a unique mathematical relationship to the number to which it is attached. When the reference number is input into the system, the validation programme performs the same calculation and the resultant remainder should be zero. If not then the reference number is incorrect. The objective of the check digit verification is to prevent transposition and transcription errors.

Field|Characteristics|type|format|presence check
Under this, data is checked to ensure that all necessary fields are present and that the fields contain the correct type of characteristics; that is there are no letters in a numeric field.

Limit or range check
Numbers are checked to ensure that they are within the permissible range or limit and any data outside these limits will be rejected.

Completeness check
This includes control, batch and nonsense totals.

Sequence check
This is to check sequence failure and duplicate records

Screen check
This involves operators’ scrutiny before the data is processed by the computers. It also involves pre-formatting of screen to minimize operator error.

Existence check
This involves testing reference numbers with previously established list of valid numbers held on a computer file or in the programme in order to ensure that only valid general ledger codes are input.

Reasonableness check
This is to check whether the data is reasonable in relation to a standard or previous input. Examples are hours worked, interest rate, units of utility consumed and prices of goods received.

Output control
There should be reconciliation or matching of input totals established prior to processing to computer generated output totals. There should be manual checking through on a sample basis of the basic calculations carried out by the computer such as depreciation charges, direct debit etc. There should be a procedure for distributing output, that is, a list of authorized recipients should be maintained. An output register should be used to monitor distribution and confirm receipts. These should be independent review of exception reports.

Master file controls
There should be proper control over input, processing and output amendment. That is, once written; standing data or stable data should remain unaltered until an authorized change is made. There should be periodic print out of standing data (such as customer’s name & address, standard and overtime rates, employee name and location etc) For checking with manually held information. There should be regular print out of individual balances such as debtors, creditors etc for comparison with customer statement of account.