Solution manual answers: Auditing Theory by Cabrera, Chapter 21

CHAPTER 21
INTERNAL CONTROL IN THE COMPUTER INFORMATION SYSTEM
(Solutions Manual - Assurance Principles, Professional Ethics…)

I. Review Questions

1. The proper installation of IT can lead to internal control enhancements by replacing manually performed controls with computer-performed controls. IT-based accounting systems can handle tremendous volumes of complex business transactions cost-effectively. Computer-performed controls reduce the potential for human error by replacing manual controls with programmed controls that apply checks and balances to each transaction processed. The systematic nature of IT offers greater potential to reduce the risk of material misstatements resulting from random human errors in processing. IT-based accounting systems also offer the potential for improved management decisions by providing more, and higher quality, information on a more timely basis than traditional manual systems. IT-based systems are usually administered effectively because their complexity requires effective organization, procedures, and documentation, which in turn enhances internal control.

2. When entities rely heavily on IT systems to process financial information, there are new risks specific to IT environments that must be considered. Key risks include the following:

• Reliance on the functioning capabilities of hardware and software. The risk of system crashes due to hardware or software failures must be evaluated when entities rely on IT to produce financial statement information.
• Visibility of the audit trail. The use of IT often converts the traditional paper trail to an electronic audit trail, eliminating source documents and paper-based journals and records.
• Reduced human involvement. Replacing traditional manual processes with computer-performed processes reduces the opportunities for employees to recognize misstatements resulting from transactions that would have appeared unusual to experienced employees.
• Systematic versus random errors. Because of the uniformity of processing performed by IT-based systems, an error in computer software can result in incorrect processing for all transactions processed. This increases the risk of many significant misstatements.
• Unauthorized access. The centralized storage of key records and files in electronic form increases the potential for unauthorized on-line access from remote locations.
• Loss of data. The centralized storage of data in electronic form increases the risk of data loss in the event the data file is altered or destroyed.
• Reduced segregation of duties. The installation of IT-based accounting systems centralizes many traditionally segregated manual tasks into one IT function.
• Lack of traditional authorization. IT-based systems can be programmed to initiate certain types of transactions automatically without obtaining traditional manual approvals.
• Need for IT experience. As companies rely to a greater extent on IT-based systems, the need for personnel trained in IT systems increases in order to install, maintain, and use the systems.

3. General controls relate to all aspects of the IT function and have a global impact on all software applications. Examples of general controls include controls related to the administration of the IT function; software acquisition and maintenance; physical and on-line security over access to hardware, software, and related backups; backup planning in the event of unexpected emergencies; and hardware controls. Application controls apply to the processing of individual transactions. An example of an application control is a programmed control that verifies that all time cards submitted are for valid employee ID numbers included in the employee master file.

4. The most significant separations of duties unique to computer systems are those among the systems analyst, programmer, computer operator, and database administrator. The idea is that anyone who designs a processing system should not also do the technical programming work, and anyone who performs either of these tasks should not also be the computer operator when real data is processed. Typical duties of personnel:

a. Systems analysis: personnel design and direct the development of new applications.
b. Programming: other personnel actually do the programming dictated by the system design.
c. Operating: other people operate the computer during processing runs, so that programmers and analysts cannot interfere with the programs designed and executed, even if they produce errors.
d. Converting data: since this is the place where misstatements and errors can be made (the interface between the hard-copy data and its machine-readable transformation), people unconnected with the computer system itself do the data conversion.
e. Library-keeping: persons control others' access to system and program software so it will be used only by authorized personnel for authorized purposes.
f. Controlling: errors always occur, and people not otherwise connected with the computer system should be the ones to compare input control information with output information, provide for correction of errors not involving system failures, and distribute output to the people authorized to receive it.

5. Documentation differs significantly as to the inclusion of program flowcharts, program listings, and technical operating instructions.

6. File security and retention differ because of the relatively delicate form of the magnetic media, which requires fireproof vault storage, insulation from other magnetic fields, safeguards against accidental writing on data files, and so forth.

7. Auditors review documentation to gain an understanding of the system and to determine whether the documentation itself is adequate for helping manage and control the computer processing.

8. Responsibilities of the database administrator (DBA) function are:

• Design the content and organization of the database, including logical data relationships, physical storage strategy, and access strategy.
• Protect the database and its software, including control over access to and use of the data and DBMS, and provisions for backup and recovery in the case of errors or destruction of the database.
• Monitor the performance of the DBMS and improve efficiency.
• Communicate with the database users, arbitrate disputes over data ownership and usage, educate users about the DBMS, and consult users when problems arise.
• Provide standards for data definition and usage, and documentation of the database and its software.

9. Five things a person must have access to in order to facilitate computer fraud are:

a. The computer itself
b. Data files
c. Computer programs
d. System information (documentation)
e. Time and opportunity to convert assets to personal use

10. Because many companies that operate in a network environment decentralize their network servers across the organization, there is an increased risk of a lack of security and a lack of overall management of the network operations. The decentralization may lead to a lack of standardized equipment and procedures. In many instances responsibility for purchasing equipment and software, maintenance, administration, and physical security resides with key user groups rather than with a central IT function. Network environments may also lack the control features, including segregation of duties, typically available in traditionally centralized environments, because of the ready access to software and data by multiple users.

II. Multiple Choice Questions

1. c    7. b    13. c    19. c    25. b
2. a    8. b    14. c    20. c    26. c
3. d    9. c    15. c    21. a    27. c
4. b   10. a    16. a    22. c    28. d
5. d   11. b    17. b    23. b    29. b
6. d   12. a    18. a    24. c    30. d

III. Comprehensive Cases

Case 1

Does access to on-line files require specific passwords to be entered to identify and validate the terminal user?
POSSIBLE ERRORS OR IRREGULARITIES – unauthorized access may be obtained to processing programs or accounting data, resulting in the loss of assets or other company resources.

Are control totals established by the user prior to submitting data for processing?
POSSIBLE ERRORS OR IRREGULARITIES – sales transactions may be lost in data conversion or processing, or errors may be made in data conversion or processing.

Are input totals reconciled to output control totals?
POSSIBLE ERRORS OR IRREGULARITIES – (same as above). Control totals are useless unless they are reconciled to equivalent controls created during processing.

Case 2

a. Input control objectives
• Transactions have been recorded properly (neither double-counted nor omitted – that is, control over validity and completeness).
• Transactions are transmitted from the recording point to the processing point.
• Transactions are in acceptable form.

Processing control objectives
• Loss or non-processing of data is detected.
• Arithmetic functions are performed accurately.
• Transactions are posted properly.
• Errors detected in the processing of data are controlled until corrected and processed.

Output control objectives
• Processed data are reported correctly and without unauthorized alteration.
• Output is required by the user.
• Output is distributed only to persons authorized to receive it.

b. Control procedures – input source data
• Registration at point of entry
• Sequential numbering
• Grouping (batching) with control totals
• Key verification
• Programmed edits
• Edits for completeness and reasonableness
• Checklists to ensure input arrived, and on time

Control procedures – processing controls
• Prevention of loss or non-processing of data (e.g., control totals)
• Performance of arithmetic functions
• Assurance of proper posting (sample test of postings)
• Correction of errors
• Exclusion of unauthorized persons (e.g., programmers) from operating areas

Control procedures – output controls
• Review performed by the originating area of the reports and other output data
• Sampling and testing of individual transactions
• Use of control totals obtained independently from prior processing or original source data
• Distribution lists used to route output only to authorized persons
• Making inquiries as to whether the output is desired by the recipient

Case 3

a. The primary internal control objectives in separating the programming and operating functions are achieved by preventing operator access to the computer or to input or output documents, by preventing operator access to operating programs and operating program documentation, and by preventing operators from writing or changing programs. Programmers should not be allowed in the computer room during production processing. They should submit their tests to be scheduled and run by the operators like any other job.

b. Operators should not be allowed to interfere with the running of any program. If an application fails, the operators should not be allowed to attempt to fix the programs. The failed application should be returned to the programmers for correction.

Compensating controls usually refer to controls in user departments (departments other than computer data processing). In a small computer installation where there are few employees, segregation of the programming and operating functions may not be possible (as in a microcomputer or minicomputer environment). An auditor may find compensating controls in the user department such as: (1) manual control totals compared to computer output totals and (2) careful inspection of all output. Such compensating controls in a simple processing system could provide reasonable assurance that all transactions were processed, processing was proper, and no unauthorized transactions were processed. An auditor may find the following compensating controls that are particularly important when the programming and operating functions are not separate:

• Joint operation by two or more operators
• Rotation of computer duties
• Comparison of computer times to an average or norm
• Investigation of all excess computer time (errors)
• Adequate supervision of all computer operations
• Periodic comparison of a program code value to a control value
• Required vacations for all employees

Case 4

a. Input editing is the process of including, in EDP systems, programmed routines for computer checking of the validity and accuracy of input. Types of input editing controls are: tests for valid codes; tests for reasonableness; completeness tests; check digits; and tests for consistency of data entered in numeric and alphabetic fields.

b. Examples of payroll input editing controls are: a test for validity of the employee number; a test for the proper pay rate; a test for reasonableness of hours worked. Examples of sales input editing controls are: a test for validity of the customer number; a test for credit approval; a credit limit test; a sales price list.

c. As EDP system complexity increases, documentation, as well as manual checking, decreases. To provide reasonable assurance as to the completeness, existence, and accuracy of processed transactions under these circumstances, input editing becomes increasingly necessary.

Case 5

a. Most commonly associated with supervisory programs contained in on-line real-time systems, design-phase auditing involves the auditor in system design. The goal is to ensure the inclusion of controls that will detect exceptions or unusual conditions and record and log information about the initiating transactions. Once the necessary controls have been designed and incorporated into the system, frequent visits by the auditor to the client's premises are necessary to determine that the controls are functioning properly.

b. Some individuals and groups have suggested that independence may be impaired, given that the auditor monitors and reviews a system which he or she has helped to design. The AICPA has taken the position that making control recommendations during system design is no different from auditor recommendations for control improvements made after the fact and documented in the management letter.

c. In some complex EDP systems, a computer audit specialist may be needed to assist in designing the necessary controls, as well as in monitoring and reviewing the control functions. A computer audit specialist is an employee of the CPA firm who, typically, will have served on the audit staff for a period of time, followed by specialized training in computer system design and control, and EDP auditing.

d. The auditor may rely on the computer audit specialist to whatever degree is considered necessary to assure proper control installation and implementation. The in-charge field auditor must keep in mind, however, that the use of a computer audit specialist does not compensate for the field auditor's lack of understanding of the internal control, including the EDP applications.
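The comprehensive cases above describe two input controls only in words: control totals established by the user before submission and reconciled to totals produced at processing and output, and programmed input edits for payroll (validity of employee number against the master file, proper pay rate, reasonableness of hours, completeness, check digits, numeric consistency). The review-question example of an application control (time cards checked against the employee master file) is the same edit. The following Python program is an added example, not code from the solutions manual: it runs a constructed time-card batch through those edits, holds rejected cards in a suspense list until corrected, and reconciles batch, processing and output totals. The employee master file, the keyed cards and the user's hand-computed totals are constructed sample data, and the check-digit scheme (a Luhn mod-10 digit appended to a five-digit base) is an assumption, since the text names check digits only in general.

```python
"""Payroll input controls: batch control totals plus programmed input edits.
Added example, not code from the solutions manual.  The employee master file,
time cards and user-established totals are constructed sample data; the
check-digit scheme (Luhn mod-10 digit appended to a 5-digit base) is an
assumption, since the text names check digits only in general."""

REASONABLE_HOURS = (0.0, 60.0)   # assumed weekly range for the reasonableness test

# Constructed employee master file: employee number -> (name, approved hourly rate)
MASTER_FILE = {
    "100016": ("A. Cruz", 12.50),
    "100024": ("B. Reyes", 15.00),
    "100032": ("C. Santos", 9.75),
    "100040": ("D. Lim", 20.00),
}

# Control totals the user established from the 8 hard-copy time cards before
# submitting the batch (constructed): record count, hash total of employee
# numbers, financial total of hours.
USER_CONTROL_TOTALS = {"record_count": 8, "hash_total": 800249, "hours_total": 341.5}

# The batch as it arrived from data conversion (constructed): card 4's employee
# number was mis-keyed (100040 -> 100041) and the eighth card was lost.
KEYED_BATCH = [
    {"emp_no": "100016", "hours": "40",   "pay_rate": "12.50"},
    {"emp_no": "100024", "hours": "38.5", "pay_rate": "15.00"},
    {"emp_no": "100032", "hours": "95",   "pay_rate": "9.75"},   # unreasonable hours
    {"emp_no": "100041", "hours": "40",   "pay_rate": "20.00"},  # keying error
    {"emp_no": "100057", "hours": "40",   "pay_rate": "11.00"},  # not on master file
    {"emp_no": "100040", "hours": "40",   "pay_rate": "25.00"},  # wrong pay rate
    {"emp_no": "100024", "hours": "40",   "pay_rate": ""},       # incomplete
]


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:            # double every other digit, starting at the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def valid_employee_number(emp_no: str) -> bool:
    """Check-digit test: a 5-digit base followed by its Luhn digit."""
    return len(emp_no) == 6 and emp_no.isdigit() and luhn_check_digit(emp_no[:-1]) == emp_no[-1]


def to_number(text: str):
    """Consistency test for numeric fields; returns None for non-numeric input."""
    try:
        return float(text)
    except ValueError:
        return None


def numeric_field(card: dict, name: str, errors: list):
    """Completeness test, then numeric-consistency test, for one field."""
    text = card.get(name, "").strip()
    if not text:
        errors.append(f"{name} missing")
        return None
    value = to_number(text)
    if value is None:
        errors.append(f"{name} {text!r} is not numeric")
    return value


def edit_time_card(card: dict, master: dict = MASTER_FILE) -> list:
    """Programmed input edits for one time card; returns the list of edit errors."""
    errors = []
    emp_no = card.get("emp_no", "").strip()
    if not emp_no:
        errors.append("emp_no missing")
    hours = numeric_field(card, "hours", errors)
    rate = numeric_field(card, "pay_rate", errors)
    if emp_no and not valid_employee_number(emp_no):                 # check-digit test
        errors.append(f"employee number {emp_no} fails check digit")
    elif emp_no and emp_no not in master:                            # validity test
        errors.append(f"employee number {emp_no} not in employee master file")
    elif emp_no and rate is not None and abs(rate - master[emp_no][1]) > 1e-9:
        errors.append(f"pay rate {rate:.2f} differs from master rate {master[emp_no][1]:.2f}")
    if hours is not None and not (REASONABLE_HOURS[0] < hours <= REASONABLE_HOURS[1]):
        errors.append(f"hours {hours:g} outside reasonable range")   # reasonableness test
    return errors


def compute_control_totals(cards: list) -> dict:
    """Record count, hash total of employee numbers and financial total of hours."""
    return {
        "record_count": len(cards),
        "hash_total": sum(int(c["emp_no"]) for c in cards if c["emp_no"].isdigit()),
        "hours_total": round(sum(to_number(c["hours"]) or 0.0 for c in cards), 2),
    }


def reconcile(batch_totals: dict, control_totals: dict) -> dict:
    """Differences (batch minus control) per total; all zero means the batch reconciles."""
    return {k: round(batch_totals[k] - control_totals[k], 2) for k in control_totals}


def process_batch(cards: list, control_totals: dict, master: dict = MASTER_FILE) -> dict:
    """Run the input edits over a batch and reconcile control totals at input and output."""
    input_diff = reconcile(compute_control_totals(cards), control_totals)
    accepted, suspense = [], []
    for card in cards:
        errors = edit_time_card(card, master)
        if errors:
            suspense.append((card, errors))   # held until corrected and resubmitted
        else:
            accepted.append(card)
    # Output control: nothing may be lost or altered between input and output, so the
    # totals of accepted plus suspended records must equal the totals taken at input.
    output_totals = compute_control_totals(accepted + [c for c, _ in suspense])
    return {
        "accepted": accepted,
        "suspense": suspense,
        "input_reconciled": not any(input_diff.values()),
        "input_differences": input_diff,
        "output_reconciled": output_totals == compute_control_totals(cards),
    }


if __name__ == "__main__":
    result = process_batch(KEYED_BATCH, USER_CONTROL_TOTALS)
    print("input reconciled:", result["input_reconciled"], result["input_differences"])
    for card, errors in result["suspense"]:
        print(card["emp_no"], "->", "; ".join(errors))
```

On the constructed batch the input reconciliation fails (one record short, hash total and hours total low), which is what the lost eighth card and the mis-keyed employee number look like to the control clerk; the edits then send five of the seven keyed cards to suspense, and the output reconciliation confirms processing itself dropped nothing. Note that the check-digit test catches the keying error before the master-file lookup, while a number with a valid check digit that is not on the master file (100057) is caught only by the validity test; the two edits are not substitutes for each other.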
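One of the compensating controls listed for installations where programming and operating are not separated is the periodic comparison of a program code value to a control value. The manual does not say how the value is computed; the Python program below is an added example, not code from the solutions manual, that takes a SHA-256 digest of each file in a program library as the code value, records those digests as control values at authorization time, and on each periodic comparison reports programs that were changed, removed, or added outside the change-control procedure. The program library and its "COBOL" files are constructed in a temporary directory.

```python
"""Periodic comparison of a program code value to a control value.  Added
example, not from the solutions manual.  The code value is the SHA-256 digest
of each production program file; the control value is the digest recorded, by
someone other than the programmers, when the program was authorized.  The
program library used here is constructed in a temporary directory."""

import hashlib
import tempfile
from pathlib import Path


def code_value(path: Path) -> str:
    """Hash the program file in chunks so large load modules need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_control_values(program_dir: Path) -> dict:
    """Control values for every program in the library, taken at authorization time."""
    return {p.name: code_value(p) for p in sorted(program_dir.iterdir()) if p.is_file()}


def compare_to_control(program_dir: Path, control: dict) -> dict:
    """Periodic comparison: list programs whose code value no longer matches the control."""
    current = record_control_values(program_dir)
    return {
        "changed": sorted(n for n in control if n in current and current[n] != control[n]),
        "missing": sorted(n for n in control if n not in current),
        "unauthorized": sorted(n for n in current if n not in control),
    }


def demo() -> dict:
    """Constructed scenario: an operator edits a production program and adds a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp)
        (lib / "PAYROLL.COB").write_text("COMPUTE GROSS-PAY = HOURS * RATE.\n")
        (lib / "SALES.COB").write_text("ADD AMOUNT TO CUSTOMER-BALANCE.\n")
        control = record_control_values(lib)      # recorded when the programs were authorized
        clean = compare_to_control(lib, control)  # first comparison: library unchanged
        assert clean == {"changed": [], "missing": [], "unauthorized": []}
        # Changes made outside the change-control procedure
        (lib / "PAYROLL.COB").write_text("COMPUTE GROSS-PAY = HOURS * RATE * 1.05.\n")
        (lib / "UTIL.COB").write_text("MOVE ZERO TO AUDIT-TRAIL-COUNT.\n")
        return compare_to_control(lib, control)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

The control values must be kept where the operators and programmers cannot rewrite them (the library-keeping or controlling function in the review questions), otherwise the comparison only proves that the file matches a value the same person could have updated.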

Posted: 28/02/2018, 14:16
