MANAGEMENT CONSULTANCY - Solutions Manual CHAPTER 33 EFFECTS OF COMPUTERS ON INTERNAL CONTROL I Questions A computer system does not affect the overall objectives of internal control These objectives remain intact irrespective of the method of data processing Computer systems often make these objectives more important to achieve, however, and the specific controls used to achieve basic internal control objectives may change Computer data processing changes the ways in which functions must be separated to maintain control For example, whereas in a manual system separate individuals may have been responsible for initiating and recording transactions, in a computer system a program may perform both functions It now becomes important to separate responsibility for running the program in production mode from responsibility for modifying and maintaining the program This separation may be enforced physically; for example, computer operations staff may be separated from program maintenance staff With minicomputers and microcomputers, however, physical separation of duties becomes increasingly difficult to implement The person entering data into the system often has the capability to alter the program being used to capture the data In these types of situations, software-based access controls become more important as a means of enforcing separation of duties When resources in a computer system are shared, it is often difficult to assign responsibility for the various functions that must be performed to acquired, protect, use, and maintain the resource For example, if data is shared, it may be unclear whether each user of the data should be allowed to assign access and modification rights to new users who potentially are untrustworthy Similarly, if data is corrupted, disputes may arise over who must take responsibility for correcting the consequential errors that have occurred 33-1 Chapter 33 Effect of Computers on Internal Control In an environment of end-user computing, three types of problems can arise when attempting to specify clear lines of authority and responsibility First, it is difficult to specify clearly the types of systems that end users can develop without top management approval Some types of end-user systems are critical to the ongoing success of the organization, and they should be vetted by top management Second, it is difficult to specify clear lines of authority and responsibility with respect to hardware and software acquisition Many end users have been especially creative in their efforts to circumvent the controls that have been put in place Third, it may be difficult to differentiate the responsibilities of end users from the responsibilities of data processing personnel in terms of the many functions that must be performed to design, implement, operate, and maintain systems Substantial power is vested in an organization’s data processing personnel They have the in-depth technical knowledge that allows them to design, implement, operate, and maintain the organization’s data processing systems In addition, it is difficult to implement effective and efficient internal controls that restrict the actions they can undertake A malicious data processing employee can wreak havoc Consequently, greater reliance must be placed on the personal integrity of the individuals employed in the data processing department In a computer system, the general authorizations are often embedded within a program Thus, auditors must examine and test programs to evaluate compliance with general authorizations Since specific authorizations relate to high-value and critical actions undertaken by the organization, they are often still embedded within manual systems or the manual subsystems in a computer system Thus, auditors perform traditional manual auditing procedures to evaluate compliance with these authorizations With growth of expert systems, however, specific authorizations are also becoming increasingly embedded within computer systems The primary impact of computer systems on the audit trail is that the audit trail may no longer be visible in hard-copy form Thus, the computer system must be designed to capture and store the information needed for audit trail purposes In a well-designed computer system, the audit trail can often be more extensive than the audit trail in a manual system because the overheads associated with maintaining the audit trail in a computer system are less 33-2 Effect of Computers on Internal Control Chapter 33 The audit trail is disappearing in the sense that it is no longer visible in hard-copy form There is no evidence, however, that the quality of audit trails has been undermined because computer systems have been implemented Indeed, the audit trails in computer systems can be very comprehensive because the overheads associated with maintaining the audit trail are low Computer systems affect the concentration of assets in an organization in three ways First, the organization’s major data files, which are critical assets, are stored at a small number of locations Second, the hardware and software, which may represent substantial investments, are also located in only a few places Third, substantial knowledge about the organization and its systems is vested in the data processing staff who design, implement, operate, and maintain the computer systems The primary effect of this concentration of assets on the system of internal controls is to increase the importance of the individual internal controls being in place and working The consequences of a control failure can be more serious 10 In a computer system, management supervision of employees is harder to implement Often the tasks performed by employees are technically complex and difficult for management to understand In addition, many of the tasks performed are not visible The effects of these tasks occur internally to the systems on which the employees work Employees also might be using a computer system at a remote location As a result, management are unable to physically observe their actions 11 Many independent checks are carried out in manual systems to ensure that employees are following the procedures needed to safeguard assets and preserve data integrity In a computer system, procedures for safeguarding assets and preserving data integrity are often embedded in a program Thus, auditors must focus on the procedures in place to ensure program code is authentic, accurate, and complete 12 As with manual systems, auditors must prepare reports on the assets held and compare the control totals in the reports with physical counts of the assets that they undertake In a computer system, however, programs are used to prepare the reports for comparison purposes For example, a program sorts an inventory file by warehouse location and prepares control totals by inventory type Again, auditors must ensure that controls are in place to ensure the authenticity, accuracy and 33-3 Chapter 33 Effect of Computers on Internal Control completeness of the programs used to prepare the control totals needed for comparison purposes 13 Compared to a manual systems environment, auditors face a greater number of controls to be evaluated in a computer systems environment These controls are also more complex and diverse Some controls have become important only with the emergence of computer technology; for example, the cryptographic controls used to preserve the integrity of controls in electronic funds transfer systems With the rapid evolution of computer technology, auditors find it increasingly difficult to keep up with the technology and to have sufficient understanding of the controls to be able to carry out a competent audit The ongoing, rapid evolution of computer technology also makes the evidence-collection task harder As a result of new technology, manual evidence-collection techniques may no longer be useful Inevitably the development of new automated audit evidence collection techniques lags the emergence of the technology Auditors must use some type of stop-gap measure in the interim 14 The use of computers has two effects on the conduct of the evidence evaluation function First, given the increased complexity of computer control technology, it is also more difficult to evaluate the consequences of individual control strengths and weaknesses and to perform a global evaluation of the reliability of controls Second, because the consequences of control weaknesses are often more serious in a computer systems environment, auditors are under greater stress to make accurate assessments of the reliability of controls in computer systems 15 A control is a system that prevents, detects, or corrects unlawful events 16 We must focus on controls as a system because a failure to perform one function reliably may undermine the overall reliability of the control For example, if management does not check the log of failed passwords, attempts to enter a system illegally may not be detected 17 Controls reduce expected loses by (a) reducing the probability of events occurring that lead to a loss, and/or (b) reducing the amount of a loss if the loss does, in fact, eventuate II Multiple Choice 33-4 Effect of Computers on Internal Control C B D A B 11 12 13 14 15 C B C A A 10 C B A D C 16 17 18 19 20 A B A B D 21 22 23 Chapter 33 D D B III Problems Problem The following controls might have prevented or detected Cruz’s activities: (a) Cash box control procedures should have been stronger It seems as if Cruz had free access to the cash box A log of deposits and withdrawals should have been kept, which might have triggered an investigation of Cruz’s activities (b) In the case of terminal having special access to privileges (such as supervisory terminals), a log of transactions should have been kept and examined regularly by an independent person (e.g., Cruz’s manager) (c) Accounts having little activity are always a special cause for concern in banks because of the possibility of fraud A sample of transactions for low activity accounts should have been investigated (d) Customer complaints should have been handled by a special section, not by Cruz Investigations of complaints should have detected Cruz’s activities (e) Checking the correspondence between deposits and the documentation for two-year certificate accounts would have revealed that Cruz had not recorded deposits (f) Controls over the issue of passbooks should have been stronger Again, it seems that Cruz had easy access to new passbooks Periodically, the documentation supporting the issue of a new passbook should have been examined (g) Confirmation of customer account balances should have detected discrepancies between customer records and bank records 33-5 Chapter 33 Effect of Computers on Internal Control Problem (a) General control features in most computer-based accounting systems are classified as follows: The plan of organization and operation of data processing activity The procedures for documenting, reviewing, testing, and approving systems or programs and changes thereto Controls built into the equipment (i.e., hardware controls) Controls over access to equipment and data files Other data and procedural controls affecting overall data processing operations Security controls address the physical security of data processing and disaster recovery (b) The purposes of the categories of application controls are as follows: Input controls are designed to provide reasonable assurance that data received for computer processing have been properly authorized and converted into machine-readable form and identified, and that data (including data transmitted over communication lines) have not been lost, suppressed, added, duplicated, or otherwise improperly changed Processing controls are designed to provide reasonable assurance that data processing has been performed as intended for the particular application (i.e., that all transactions are processed as authorized, that no authorized transactions are omitted, and that no unauthorized transactions are added) Output controls are designed to ensure the accuracy of the processing result (such as account listings or displays, reports, magnetic files, invoices, or disbursement checks) and to ensure that only authorized personnel received the output Problem In auditing Nico Corporation, Rain may be able to rely on the well-known accounting software based on her previous experience Using a control copy, she can determine that an unmodified copy is being used In the case of Tower, Rain will have to perform extensive testing of the software or 33-6 Effect of Computers on Internal Control Chapter 33 perform a code review or other tests of the design process to determine whether the software results in the financial statement assertions are valid Indeed, Tower’s need to be calling the developer on a regular basis should cause Rain some concern 33-7 ... inventory file by warehouse location and prepares control totals by inventory type Again, auditors must ensure that controls are in place to ensure the authenticity, accuracy and 3 3- 3 Chapter 33 Effect... a computer system are less 3 3- 2 Effect of Computers on Internal Control Chapter 33 The audit trail is disappearing in the sense that it is no longer visible in hard-copy form There is no evidence,... between customer records and bank records 3 3- 5 Chapter 33 Effect of Computers on Internal Control Problem (a) General control features in most computer-based accounting systems are classified