ATC f8 materials for jun08 session study systemf8 AA (int)session12 j08

SESSION 12 – COMPUTER INFORMATION SYSTEMS

OVERVIEW

Objective: To outline features, risks and controls in a computer information systems (CIS) environment and for e-commerce.

Contents:
1 CIS: Meaning; Impact on audit
2 PLANNING CONSIDERATIONS: Skills and competence; Complex activities; Data availability; Impact on internal controls; Risks; Risk assessment; System changeover
3 GENERAL CONTROLS: Classification
4 APPLICATION CONTROLS: Classification; Alternative classification
5 ELECTRONIC COMMERCE: IAPS 1013; Skills and knowledge; Understanding the entity; Risk assessment; Security risks; Legal and regulatory issues; Internal control considerations; Audit evidence; Systems and infrastructure failures; Outsourcing arrangements; Going concern
PARTICULAR SITUATIONS (ASSUMED KNOWLEDGE)
6 MICRO-COMPUTERS: Characteristics; Audit implications; Effective controls; Spreadsheet packages
7 ON-LINE SYSTEMS: Definition; User functions; Terminal devices; Types of on-line systems; Characteristics of on-line systems; Internal control; Risk of fraud or error
8 DATABASE SYSTEMS: Elements; Characteristics

1 CIS

1.1 Meaning

Computer information system − a CIS environment exists when a computer of any type or size is involved in the processing by the entity of financial information of significance to the audit, whether that computer is operated by the entity or by a third party.

- Virtually all business systems and financial systems involve computerised information systems to some degree or other.
- In the examination, assume that the system is computerised (including internet applications) unless told specifically otherwise.

1.2 Impact on audit

- The overall audit approach will be the same regardless of the balance between manual and computer-based controls.
- Understanding the entity, its environment and internal control (the control environment, risk assessment, information systems, control activities and control monitoring) are all essential procedures for any system.
- Ethical considerations are the same, e.g. the auditor has to
be competent to conduct the audit – so they will have to have the technical and practical knowledge to audit CIS.
- Differences between manual and computer information systems arise when:
  - assessing the forms of risk of material misstatement;
  - assessing information systems, control activities (e.g. general and application controls) and control monitoring (e.g. embedded monitoring procedures);
  - designing tests of control and substantive procedures; and
  - choosing the tools auditors may use to achieve their objectives (e.g. the use of computer-assisted audit techniques, CAATs (see Session 21)).

2 PLANNING CONSIDERATIONS

2.1 Skills and competence

Depending on the complexity of the information system and its use (e.g. real-time processing, e-commerce) specialist skills may be needed to:
- obtain an understanding of the business environment, the entity's objectives, strategies and business risks (e.g. critical dependence on IT, risk of system failure, of inappropriate IT investment and/or project management, of data corruption);
- obtain a sufficient understanding of internal control (the control environment, risk assessment process, information systems, control activities, control monitoring, use of reporting facilities, use of automated monitoring systems);
- determine the audit risk assessment, including the assignment team discussion on audit risks; and
- design and perform appropriate audit tests.

2.2 Complex activities

Examples that impact on planning include:
- Senior management and those charged with governance not fully understanding the capabilities and processes of the system, e.g. they leave it to the IS manager and their team.
- Users finding it difficult to identify and/or correct errors due to the nature of the systems and/or the high volume of transactions.
- Material transactions being automatically generated (e.g. a sale reducing book inventory to below the re-order level generating a purchase requisition which is electronically communicated to the
supplier – supply chain management).
- Automatic generation of transactions that are not independently validated (e.g. interest/discounts).
- Electronic initiation of the transaction process, e.g. receipt of an order through a website or by e-mail.
- Electronic data interchange of transactions without manual review for propriety or reasonableness.
- Audit trail invisible without the use of interrogation tools.

2.3 Data availability and timing of audit procedures

- Source documents and certain computer files required for audit may exist only for a short period of time before being overwritten. Either such data is stored for the auditor or the auditor carries out their testing at various stages throughout the year when the data is available.
- Some systems may enable the use of embedded audit interrogation and process tracking (e.g. control operation is continuously checked). This will allow continuous audit monitoring by internal and/or external auditors (i.e. real-time auditing).
- The use of computer-assisted audit techniques (CAATs) will often increase audit efficiency and enable economic application of certain procedures to entire populations of account balances or transactions. CAATs are essential where systems are complex and the audit trail cannot be manually followed.
- The client's internal reports may be useful in performing substantive procedures (e.g. analytical procedures).

2.4 Impact on internal controls

- CIS internal controls will relate to those controls external to the system (basically manual controls) and those internal to the system (e.g. operated by the system program – programmed controls).
- Manual controls are subject to the fact that they are operated by humans and thus errors can be deliberate, random, unexpected or just plain stupid (or very devious).
- Computer systems and controls will operate as programmed. Programming will, for example:
  - consistently apply predefined rules and uniformity of processing (e.g. eliminating manual processing
errors; effective application of controls);
  - consistently apply complex calculations in processing large volumes of transactions or data;
  - enhance the timeliness, availability and accuracy of information;
  - facilitate the additional analysis of information, thus improving management supervision;
  - enhance the ability to monitor the performance of the entity's activities and its policies and procedures (e.g. control monitoring);
  - reduce the risk that controls will be circumvented (the program would need to be manually changed);
  - enhance the ability to achieve effective segregation of duties by implementing security controls in applications, databases and operating systems.
- These factors, as applied to the processing of data and the application of controls, must be taken into consideration when planning the audit to ensure an effective and efficient approach.

2.5 Risks and risk assessment

Business risks that are specific to CIS include:
- Reliance on systems or programs that are inaccurately processing data (e.g. a programming error resulting in all like transactions being incorrectly processed), processing inaccurate data (e.g. incorrectly captured or transferred from a previous process), or both.
- Unauthorized access (hacking) to transaction data that may result in the destruction, corruption or alteration of that data, particularly where multi-access (internal and/or external) is allowed to the database, e.g.:
  − recording of unauthorized transactions;
  − recording transactions that have not occurred; or
  − inaccurate recording of transactions.
- IT personnel gaining unauthorised access privileges (e.g. hacking), resulting in a breakdown of the IT segregation of duties, e.g. an analyst gaining access to a program being modified by a programmer.
- Unauthorized changes to standing data in master files, e.g. adding non-existent employees; changing salary details.
- Unauthorized changes to systems or programs, e.g. a programmer making unscheduled/unauthorised changes to a program.
- Inappropriate controls
within the systems development lifecycle, e.g. failure to adequately test each development stage, resulting in a program that does not meet user requirements.
- Inappropriate or lack of manual intervention, e.g. failure to act upon error reports produced by a system.
- Failure to make necessary changes to systems or programs when required (by management or IS personnel), e.g. to meet customer needs; upgrading software to maintain competitive advantage.
- Potential loss of data or inability to access data as required, e.g. system crash, denial of service attack, prolonged downtime.
- Automatic initiation or execution of transactions (e.g. interest/discount calculations). Authorization may not be documented, but implicit in management's acceptance of the design of the system.
- The audit trail of the transactions may be fragmented, in that it may exist only for a short time.

Understanding the business risk faced by the entity through its reliance on CIS is essential.
- Care must be taken by the auditor to ensure that management carry out appropriate risk assessment and have adequate policies and controls in place to minimise the IT/IS risk.
- Inconsistencies between the entity's IT strategy and its business strategies can impact going concern.
- Changes in the IS environment that are unrecognised or are not correctly project managed will impact going concern.
- Installation of significant new IT systems related to financial reporting that have not been correctly "thought through", tested and implemented (including data transfer and staff/user training) may result in material misstatements in the financial statements (as well as potential going concern implications for incorrect decisions made by management based on incorrect information).
- The loss of a critical element of IT, even just for a matter of hours or a day, can have a going concern impact, e.g. failure of online trading may damage the entity's reputation (reputation risk).

At the assertion level, risk in a CIS environment may have an effect on the likelihood of material error which is:

Pervasive:
- Deficiencies in certain activities (e.g. program development, software support, physical security) that are considered pervasive in that they will impact a broad spectrum of CIS activity.
- Examples (as above):
  - Poor program development may result in the accounting records not reflecting actual transactions.
  - Poor access and physical security may result in data corruption leading to misstatements within the financial data.

Account-specific:
- Potential for errors (or fraudulent activities) may be increased in specific applications, files or processing activities.
- Examples include:
  - Systems that control cash disbursements may be susceptible to fraudulent actions by users or CIS personnel.
  - A specific exception report is not produced because of a programming error, meaning that updates to the standing data of that function are not checked and authorised.

2.7 System changeover

Whenever there is a change within a system during the year (e.g. manual to computerised, PC network fileserver to mid-ware server) the impact on business risk, audit risk and the audit plan must be thought through, e.g.:
- completeness and accuracy of transferring data from the old system to the new;
- two systems operating at different times during a financial year using different internal control functions;
- timing of the changeover and its impact on materiality.

2.7.1 Data controls

- Essential to ensure that the integrity of data is maintained during the changeover. If the opening data of the new system is incorrect, so will be the closing data.
- The whole project for data changeover should be reviewed (and tested as necessary) by the auditor to ensure that, for example:
  - the old data is normalised (e.g. errors corrected, repeated data eliminated);
  - data-mapping has taken place (e.g. the old and new data formats are reconciled to allow for
transfer of data without error);
  - data transfer programs have been tested (e.g. by internal audit);
  - transferred data has been verified and validated (including use of control totals);
  - appropriate backups of old and new data have been taken in case of system error or collapse.

2.7.2 Direct changeover

- An "overnight" switch from one system to another.
- Only adopted when there is insufficient similarity between the old and new systems to make an alternative method possible.
- Has none of the cost and time overheads of parallel running and pilot implementation.
- Requires very thorough testing, planned file creation and training strategies, as there is no opportunity for gradual training and further testing once the new system has "gone live".
- It is the quickest and easiest implementation strategy, BUT has the highest business risk. If the new system fails, the old system is usually not available to be re-instated.

2.7.3 Parallel running

- Old and new systems are run simultaneously (therefore costly in terms of time and support) for an agreed period of time, the same data entered into both and their results compared (cross-checked).
- Sources of errors are located and the new system modified as necessary.
- When appropriate, the old system is abandoned and transactions passed only through the new one.
- The safest approach, as the old system will not be closed down until the new system has been fully bedded in. But the most costly.

2.7.4 Stepped changeover

- A series of small immediate changeovers, e.g. purchasing, then sales, then payroll.
- May be by function or by location or a mix.
- Pilot operation is often used before direct or stepped changeover.

2.7.5 Pilot operation

- Retrospective parallel running processes historic data and compares new system results with those already known. This parallel running "out-of-phase" is effectively a large test data exercise.
- Alternatively, a limited number of transactions are processed live ("in-phase" parallel). Though less rigorous than above, it
is less costly than duplicated entry.

Parallel running, out of phase:
- New system run on data from the previous period and results checked.
- Easier to control than parallel running.
- Changeover effected when results are satisfactory.

Piecemeal introduction:
- Useful in businesses which have several branches (e.g. retail stores).
- Unlikely to be suitable for an integrated system.

3 GENERAL IT CONTROLS

The policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued operational integrity and security of data and information systems. They aim to establish a framework of overall control and commonly address the risks noted within section 2.5 above, e.g. controls over:
- the data centre and network operations;
- system software acquisition, change and maintenance;
- development of computer applications;
- access security;
- system acquisition, development and maintenance.

3.1 Classifications

There are various classifications of general controls, e.g.:

Administration controls:
- Segregation of duties** between development (analysts and programmers), maintenance (librarian) and operation.
- Logical access controls (e.g. passwords)** to enter systems.
- Automatic computer log of program changes (independently reviewed by the IT manager).
- Restricted physical access** (e.g. to the computer room).
- Firewall and virus update protection.
- Regular file copying ("dumping").
- Training of user staff.
- Job scheduling.
- Back-up power resources.
- Disaster recovery procedures.
- Maintenance and insurance.

Systems development controls:
- Standard procedures and documentation – including feasibility study and systems specification with flowcharts or data flow diagrams.
- System and program testing (test and actual data). Usually pilot operation.
- File conversion – requires a complete print-out and check of file contents before setting up operational master files.
- Acceptance and authorisation procedures – e.g. by a responsible official of the project steering committee.

** Often classified as physical controls.

Alternatively:

ORGANIZATION AND MANAGEMENT
- Policies and procedures.
- Segregation of incompatible functions (e.g. preparing input, programming).

APPLICATION SYSTEMS DEVELOPMENT
- Testing, conversion, documentation.
- Authorisation – personnel and programs.

COMPUTER OPERATION
- Restricted access.
- Processing errors are detected and corrected.

SYSTEMS SOFTWARE
- Authorisation and testing.
- Restricted access to utilities that may not leave an audit trail.

DATA ENTRY AND PROGRAM
- Authorisation structure.
- Off-site back-up.
- Recovery procedures.

4 APPLICATION CONTROLS

- Manual or automated procedures that typically operate at a business process level.
- Can be preventative or detective in nature and are designed to ensure the integrity of the accounting records.
- Relate to procedures used to initiate, record, process and report transactions or other financial data.
- Provide reasonable assurance that all transactions are authorised and recorded, and are processed completely, accurately and on a timely basis.

4.1 Classification

Input controls:
- Passwords (to terminals).
- Check digits.
- Validation checks.
- Reasonableness ("range") checks.
- Verification checks.
- Existence checks.
- Batch totals ⇒ mismatch reports ("file no data" or "data no file").
- Document counts.
- Sequence checks.
- Format checks.

Processing controls:
- Checking control totals.
- Error investigation and feedback procedures.
- Investigating rejected items.
- "Run-to-run" controls to ensure no data is lost.

Output controls:
- Reviewing accounts and trial balances.

Master file controls:
- Periodic print-out of standing data and comparison to independent control totals and data.
- Authorization of master file standing data updates.
- Exception reporting (and authorisation) of all changes made to standing data.

4.2 Alternative classification

Transaction controls – aim to ensure:
- completeness;
- accuracy;
- validity.

File controls – aim to ensure:
- file continuity;
- asset protection, e.g. – keys, security-coded entry
– approval and recording
– data security (e.g. library) procedures.

5 ELECTRONIC COMMERCE

5.5 Security risks

5.5.1 Recording and processing e-com transactions

- When a private network is used for commercial activities (e.g. EDI), transactions are transmitted between trading partners through a dedicated "pipeline" with secure access provided only to trading partners.
- However, when commercial activities are carried out over the Internet, the "pipeline" is a "public highway" and, if appropriate security controls are not established, the information in the "pipeline" might be intentionally or accidentally accessed by unauthorized parties.
- There are pervasive security risks associated with e-com because, for example:
  - internet protocols may carry no identity, so anyone can hold themselves out to be someone else;
  - the network, transport and data layers of the Internet may not have been designed with security in mind;
  - there is no central management of the Internet.
- Further security risks arise from processing transactions over the Internet. For example:
  - reliance on relevant and adequate systems design to prevent or detect and report exceptions for human intervention;
  - reliance on programmed controls to deal with large volumes of transactions at fast processing speeds, which must be adequate to prevent errors or abuses going undetected; and
  - risks arising from remote transactions initiated by users, including controls to distinguish between a customer or supplier, an employee and a hacker.
- Management may be particularly concerned with the adequacy of security measures where:
  - there is direct access via a public network to the entity's systems and to customer information;
  - payments (e.g. electronic funds transfers and credit card payments) are processed via the Internet;
  - failure of encryption-based security could allow crimes to be carried out more easily over the Internet.

5.5.2 Security infrastructure and related controls

Some business risks arising in e-com should be addressed through the implementation of an appropriate security infrastructure and related controls to:
- confirm the identity of customers and suppliers;
- ensure the integrity of transactions;
- obtain payment from, or secure credit facilities for, customers;
- facilitate the return of goods and claims under product warranties;
- establish privacy and information protection protocols;
- meet taxation and other legal and regulatory compliance issues;
- agree terms of trade, including transaction tracking and non-repudiation procedures (i.e. procedures to ensure a party to a transaction cannot later deny having agreed to specified terms).

5.6 Legal and regulatory issues

- Currently there is no international legal framework for e-com nor an efficient international infrastructure to support such a framework (e.g. electronic signatures, document registries, dispute mechanisms, consumer protection, etc.). However, various jurisdictions have been (and are in the process of) introducing the necessary legislation to support electronic commerce, especially across borders.
- ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements requires that an auditor recognise, when planning and performing audit procedures, that non-compliance with laws and regulations may materially affect the financial statements. For example, the charging and collection of value added tax (VAT) and sales taxes on cross-border internet sales is an issue on which the auditor must ensure clients comply.

5.7 Internal control considerations

- The auditor should consider the effectiveness of the control environment and control procedures which can mitigate many of the risks associated with e-com activities (to the extent they are relevant to the financial statement assertions) in accordance with ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment.
- The following aspects of internal control, which are described below, are particularly relevant:
  - security;
  - transaction integrity; and
  - process alignment.
- Also: maintaining the integrity of control procedures in a rapidly changing technological environment; ensuring access to relevant records to meet the entity's needs and for audit purposes.

5.7.1 Security

- The security infrastructure and related controls may include: an information security policy; an information security risk assessment; physical measures; and logical and other technical safeguards (e.g. user identifiers, passwords and firewalls).
- Security risks related to the recording and processing of e-com transactions will usually be addressed through the security infrastructure and related controls.
- To the extent they are relevant to the financial statement assertions, the auditor considers, for example:
  - the use of firewalls to protect systems from unauthorized or harmful software, data or other material in electronic form;
  - the use of encryption to maintain the privacy and security of transmissions (e.g. through authorized decryption keys);
  - controls over the development and implementation of systems used to support e-com activities;
  - whether existing security controls continue to be effective as new technologies that can be used to attack Internet security become available;
  - whether the control environment supports the control procedures implemented − as with any system, even sophisticated control procedures may not be effective if they operate within an inadequate control environment.

5.7.2 Transaction integrity

- The nature and extent of risks related to the completeness, accuracy, timeliness and authorization of information provided for recording and processing in the financial records (transaction integrity) depends on the nature and the level of sophistication of e-com activities.
- Audit procedures regarding transaction integrity seek to evaluate the reliability of the systems in use for capturing and processing
information to the accounting records.
- Manual or poor interfaces between e-com and the accounting records may result in incomplete or otherwise inaccurate data capture and/or transfer.

Example

The receipt of a customer order over the Internet is an originating transaction for Mazona, which sells cosmetics. This transaction automatically initiates all other stages in processing the transaction.

Required: Suggest six objectives of automated controls that relate to the integrity of transactions as they are captured and then immediately and automatically processed.

Solution

5.7.3 Process alignment

- The way different IT systems are integrated with one another so as to operate as one system (i.e. process alignment) is particularly important for e-com. Transactions generated on a web site must be properly processed by internal "back office" systems (e.g. accounts, customer relationships and inventory management). Many web sites are not automatically integrated with such systems.
- The way e-com transactions are captured and transferred to the entity's accounting system may affect:
  - the completeness and accuracy of transaction processing and information storage;
  - the timing of revenue recognition (also purchases and other transactions);
  - identification and recording of disputed transactions.
- When it is relevant to the financial statement assertions, the auditor considers the controls over:
  - the integration of e-com transactions with internal systems (e.g. full integration with accounting systems is relatively rare); and
  - systems changes to automate process alignment (including the entity's ability to facilitate change management and to train existing staff).

5.8 Audit evidence

5.8.1 Effect of electronic records

- There may not be any paper records for e-com transactions (and electronic records may be more easily destroyed or altered than paper records without leaving evidence of destruction or alteration). The auditor must therefore consider whether security of information policies and the security controls implemented are adequate to prevent unauthorized changes to the accounting system.
- When considering the integrity of electronic evidence the auditor may test automated controls including: record integrity checks; electronic date stamps; digital signatures; and version controls.
- Depending on the auditor's assessment of the appropriateness of design and effectiveness of these controls, the auditor may also consider the need for external confirmation of transaction details or account balances (ISA 505).

5.9 Systems and infrastructure failures

When e-com activities are significant the auditor should consider the measures taken by the entity:
- to prevent systems failures; and
- to ensure business continuity in the event of a system or infrastructure failure.

Example

Suggest causes of systems and infrastructure failures and their consequences.

Solution

Systems failures – either at the entity or at a service organization (used for outsourced functions):

Infrastructure failures – not ordinarily within the direct control of the entity and may be caused by:

Consequences:

5.10 Outsourcing arrangements

- Entities which do not have the necessary technical expertise may depend on service organizations, e.g.:
  - Internet Service Providers (ISPs);
  - Application Service Providers (ASPs); and
  - data hosting companies.
- Service organizations may also be used for e-com related activities (e.g. order fulfilment, delivery of goods, call centre operations and some accounting functions).
- Certain policies, procedures and records maintained by the service organization may then be relevant to the audit of the entity's financial statements.
- The auditor considers how the entity responds to risks arising from the outsourced activities in accordance with ISA 402 Audit Considerations Relating
to Entities Using Service Organizations, including business continuity plans and service level agreements (e.g. security response times and back-up), if relevant (see Session 14).

5.11 Going concern

- Many businesses report losses on e-com activities (which can be expensive to implement and support) when starting up. Significant losses may cast doubt on the going concern basis.
- When e-com is particularly important to an industry in which an entity's own e-com activities are not well developed, questions about the entity's business prospects may cast significant doubt on its ability to continue as a going concern − especially when cash is spent more quickly than it is earned.
- When significant doubt exists, the auditor considers ISA 570 Going Concern and the need to obtain information concerning the entity's liquidity position and its financing arrangements.

6 MICROCOMPUTERS

6.1 Characteristics and 6.2 Audit implications

(Characteristic ⇒ audit implication)

- Lack of segregation of duties (between data preparation, computer operation, distribution of output and systems modification) ⇒ Control risk increased relative to an equivalent manual system – errors may go undetected and/or fraud may be perpetrated.
- Inadequate physical security – no need for a specially controlled environment, ∴ access rarely restricted ⇒ Increased risk of corruption, damage, loss or theft.
- Ease of access (e.g. via terminals) – people with little computer knowledge may gain unauthorized access to master files and programs ⇒ Risk of misuse or corruption.
- Inadequate staff training – limited specialist knowledge may result in insufficient training, e.g. in recovery procedures ⇒ Users lack expertise to make modifications, therefore risk of program errors is reduced ⇒ Danger that an "amateur" approach of "I can fix it" will corrupt programs and data.
- Lack of computer expertise/technically qualified staff ⇒ Auditor's involvement at selection/implementation stages is crucial.
- Lack of program testing – package software may not be entirely suitable for the client's purposes ⇒
Review application software prior to purchasing.
- Lack of computer control facilities – e.g. operations logs and reconstruction facilities ⇒ It is more effective to perform a pre-implementation review to suggest additional facilities.
- Shortage of computer time ⇒ May limit use of CAATs.
- On-line (or real-time) and controlled by menus displayed on terminals ⇒ Risk of error or fraud may be increased.
- Integrated ledgers ⇒ Risk of certain errors (e.g. "single entry") eliminated.

6.3 Effective controls

6.3.1 Policies and procedures

Policies and procedures that will enhance the overall control environment include:
- Acquisition, implementation and documentation standards.
- User training.
- Physical security, data back-up and storage guidelines.
- Password management.
- Personal usage policies.
- Software acquisition and usage standards.
- Data protection standards.
- Program maintenance and technical support.
- Appropriate level of segregation of duties and responsibilities.
- Virus protection.

6.3.2 Application controls

- A system of transaction logs and batch balancing.
- Direct supervision.
- Reconciliation of record counts or hash totals.
- An independent function to:
  - receive all data for processing;
  - ensure that all data are authorized and recorded;
  - follow up all errors detected during processing;
  - verify the proper distribution of output;
  - restrict physical access to application programs and data files.

6.4 Spreadsheet packages

6.4.1 Advantages

- Widely used for production of financial accounts from trial balances produced by larger CISs.

6.4.2 Disadvantages

- Entries can be easily altered/manipulated.
- Relatively easy to corrupt/erase data (deliberately or accidentally).
- Rudimentary password system.
- Data may be moved from one place to another within the spreadsheet.
- Little or no audit trail.
- Very difficult to verify computer-generated totals (no edit checks in the software).
- Relatively easy to access data.
- Standing data can be altered because access
cannot be prevented
- No log showing unauthorized attempts to access standing data

ON-LINE SYSTEMS

7.1 Definition

Computer systems that enable users to access data and programs directly through terminal devices.

7.2 User functions

- Entering transactions (e.g. sales transactions in a retail store, cash withdrawals in a bank)
- Making inquiries (e.g. current customer account or balance information)
- Requesting reports (e.g. a list of inventory items with negative "on hand" quantities)
- Updating master files (e.g. setting up new customer accounts and changing general ledger codes)

7.3 Terminal devices

General purpose terminals (in order of increasing technological sophistication):
- Basic keyboard and screen
- Intelligent terminal (has additional functions of validating data and maintaining transaction logs)
- Microcomputers (have additional local processing and storage capabilities)

Special purpose terminals:
- Point of sale (POS) devices, e.g. on-line cash registers and optical scanners used in the retail trade
- Automated teller machines (ATM, bank-a-mat) – used to initiate, validate, record, transmit and complete various banking and other transactions, e.g. top-up of mobile phone credit

7.4 Types of on-line computer systems

7.4.1 On-line/real-time (OLRT) processing

Individual transactions are entered at terminal devices, validated and used to update related computer files immediately, e.g. cash receipts applied directly to customers' accounts, issues of inventories, airline booking systems.

7.4.2 On-line/batch processing

Individual transactions are entered at a terminal device, subjected to certain validation checks and added to a transaction file. Later, the transaction file (which may be validated further) is used to update the relevant master file.

7.4.3 On-line/inquiry

Restricts users at terminal devices to making inquiries of master files (e.g. customer credit status).

7.4.4 On-line downloading/uploading processing

Transfer of data from a master file to an
intelligent terminal device for further processing (e.g. from head office to a branch).

7.5 Characteristics of on-line computer systems

- On-line data entry and validation – data failing validation would not be accepted
- On-line access by users – to enter transactions and to read, change or delete programs and data files through the terminal devices
- Possible lack of visible transaction trail – where supporting documents are not provided for all transactions entered (e.g. telephone mail order and cash point withdrawals)
- Potential programmer access – to develop new programs and modify existing ones

7.6 Internal control

7.6.1 Access controls

To restrict access to programs and data. Specifically, to prevent or detect:
- unauthorized access to terminal devices, programs and data
- entry of unauthorized transactions
- unauthorized changes to data files
- use of operational computer programs by unauthorized personnel
- use of computer programs that have not been authorized

Includes:
- passwords (need procedures for assignment/maintenance)
- on-line monitors that control what users are permitted to access
- physical controls (e.g. key locks on terminal devices)

7.6.2 Transaction logs

Reports designed to create an audit trail for each on-line transaction (often documenting the terminal, time and user as well as the transaction's details).

7.6.3 Application controls

- Pre-processing authorization – permission to initiate a transaction (e.g. use of a bank card and a "PIN" before making a cash withdrawal)
- Terminal device edit, reasonableness and other validation tests – programmed routines that check input data and processing results for completeness, accuracy and reasonableness
- Cut-off procedures – to ensure that transactions are processed in the proper accounting period
- File controls – to ensure that correct data files are used for on-line processing
- Master file controls – similar to those used for controlling other input transaction data
- Balancing –
establishing control totals over data being submitted for processing and comparing with control totals during and after processing

7.7 Risk of fraud or error

Example

Identify which of the following circumstances may increase the risk of fraud and error:

(1) On-line terminal devices
(2) On-line data entry is performed at or near the point where transactions originate
(3) On-line processing is interrupted
(4) Invalid transactions are corrected and re-entered immediately
(5) Data entry is performed on-line by individuals who understand the nature of the transactions involved
(6) On-line access to data and programs through telecommunications
(7) Transactions are processed immediately on-line
(8) On-line terminal devices are located throughout the entity

Solution

(See Example Solution at the end of this session.)

DATABASE SYSTEMS

A collection of records and files designed in such a way that all (different) users can search and obtain a wide range of data and process it into standard and ad hoc reports. It is organised and accessed through a Data Base Management System.

8.1 Elements

Database – a collection of data that is organized to permit users to share it in different application programs. May be single-user in microcomputer environments.

Database management system (DBMS) – creates, maintains and operates the database; facilitates physical storage of data; makes data available to application programs.

8.2 Characteristics

- Data sharing – data is recorded only once, keeping data redundancy to a minimum. For example, an inventory item's unit cost may be used by one application to produce a cost of sales report and by another application to prepare an inventory valuation.
- Data independence – from application programs, to facilitate sharing.

8.3 Control considerations

- Security and integrity of data
- Authorised access and updating of data
- Exception reporting, including failed access attempts and details of all data changed
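The transaction log and batch balancing controls of 6.3.2, the edit, reasonableness, cut-off and balancing tests of 7.6.3, and the exception reporting of 8.3 can be seen working together in one small program. The following is an illustration added here; it is not part of the ATC study text and does not come from any real accounting package. It processes a constructed batch of on-line journal entries: every entry attempt is logged with terminal, time and user, rejected attempts go to an exception report, and a record count, value total and hash total are established before the master-file update and compared afterwards. The account codes, the reasonableness limit, the amounts and the user names are all constructed; it also goes one step beyond the text by showing why a hash total is kept alongside the value total.

```python
# Added illustration, not from the ATC study text: application controls over
# a batch of on-line journal entries.  All sample data below is constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal

VALID_ACCOUNTS = {"10010", "10020", "10030"}   # constructed master-file extract
MAX_AMOUNT = Decimal("5000.00")                # constructed reasonableness limit

@dataclass(frozen=True)
class Transaction:
    account: str    # 5-digit ledger account code
    amount: Decimal
    period: str     # accounting period the entry is posted to, e.g. "2008-06"

@dataclass(frozen=True)
class LogEntry:
    """One transaction-log line (7.6.2): terminal, user, time, details, outcome."""
    terminal: str
    user: str
    timestamp: str
    transaction: Transaction
    outcome: str    # "ACCEPTED" or a rejection reason

def make_tx(account: str, amount: str, period: str) -> Transaction:
    return Transaction(account, Decimal(amount), period)

def validate(tx: Transaction, open_period: str) -> str:
    """Terminal edit, reasonableness and cut-off tests (7.6.3).  Data failing
    validation is not accepted (7.5); the reason is returned for the log."""
    if not (tx.account.isdigit() and len(tx.account) == 5):
        return "REJECT: account code format"
    if tx.account not in VALID_ACCOUNTS:
        return "REJECT: account not on master file"
    if tx.amount <= 0:
        return "REJECT: amount must be positive"
    if tx.amount > MAX_AMOUNT:
        return "REJECT: amount exceeds reasonableness limit"
    if tx.period != open_period:
        return "REJECT: cut-off (period not open)"
    return "ACCEPTED"

def control_totals(txs) -> dict:
    """Batch balancing figures (6.3.2, 7.6.3): record count, financial control
    total and a hash total of the account codes.  The hash total is meaningless
    as a number, but it changes when a code is altered or a record is swapped
    even if the record count and value total still agree."""
    return {
        "records": len(txs),
        "amount_total": str(sum((t.amount for t in txs), Decimal("0"))),
        "hash_total": sum(int(t.account) for t in txs),
    }

def process_batch(entries, open_period, clock=None):
    """entries: iterable of (terminal, user, Transaction).  Every attempt is
    logged whether accepted or not, so the log is a complete audit trail."""
    clock = clock or (lambda: datetime.now(timezone.utc).isoformat(timespec="seconds"))
    accepted, log = [], []
    for terminal, user, tx in entries:
        outcome = validate(tx, open_period)
        log.append(LogEntry(terminal, user, clock(), tx, outcome))
        if outcome == "ACCEPTED":
            accepted.append(tx)
    return accepted, log

def exception_report(log):
    """Rejected entries with the terminal and user that submitted them (8.3)."""
    return [(e.terminal, e.user, e.transaction.account, e.outcome)
            for e in log if e.outcome != "ACCEPTED"]

def balances(submitted_totals: dict, processed) -> bool:
    """Compare totals established on submission with totals after processing."""
    return submitted_totals == control_totals(processed)

# Constructed sample batch: (terminal, user, transaction).
SAMPLE_ENTRIES = [
    ("T01", "alice", make_tx("10010", "120.50", "2008-06")),
    ("T01", "alice", make_tx("10020", "7500.00", "2008-06")),  # over limit
    ("T02", "bob", make_tx("10099", "300.00", "2008-06")),     # not on master file
    ("T02", "bob", make_tx("10030", "49.99", "2008-05")),      # closed period
    ("T03", "carol", make_tx("10030", "999.00", "2008-06")),
]

def run_sample():
    """Process the constructed batch; returns (accepted, log, totals)."""
    accepted, log = process_batch(SAMPLE_ENTRIES, "2008-06")
    return accepted, log, control_totals(accepted)

if __name__ == "__main__":
    accepted, log, totals = run_sample()
    for e in log:
        print(e.terminal, e.user, e.timestamp, e.transaction.account, e.outcome)
    print("totals:", totals, "exceptions:", len(exception_report(log)))
    # Swapping an account code keeps the count and value total but breaks the hash total.
    swapped = [accepted[0], make_tx("10020", "999.00", "2008-06")]
    print("balanced after swap:", balances(totals, swapped))
```

Running the file prints five log lines (two accepted, three rejected with their reasons), the control totals for the two accepted entries, and `False` for the swapped batch: the record count and the value total still agree, and only the hash total of the account codes reveals that a record reached the master file with a different account from the one submitted.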
FOCUS

You should now be able to:
- appreciate the planning considerations associated with CISs;
- provide examples of computer system controls;
- list examples of application controls and general IT controls;
- recognise the audit implications of microcomputers, on-line systems and database systems.

EXAMPLE SOLUTION

Solution — Systems and infrastructure failures and their consequences

Systems failures:
- server failure;
- disk system failure; or
- software failure
either at the entity or at a service organization (used for outsourced functions).

Infrastructure failures are not ordinarily within the direct control of the entity and may be caused by:
- major trunk line failure; or
- power failure.

Consequences:
- damage to an entity's reputation with potential loss of customers;
- loss of data; and
- loss of payment subsequent to the delivery of a product or service.

Solution — Increased risk of fraud and error

Risk is increased by circumstances 1, 3, & (and reduced by the other circumstances).

(1) On-line terminal devices – may provide opportunity for unauthorised uses and access to data and programs from remote locations
(2) On-line data entry is performed at or near the point where transactions originate ⇒ less risk that the transactions will not be recorded
(3) On-line processing is interrupted (e.g. due to faulty telecommunications) ⇒ greater chance that transactions or files may be lost and that the recovery may not be accurate and complete
(4) Invalid transactions are corrected and re-entered immediately ⇒ less risk that transactions will not be corrected and re-submitted on a timely basis
(5) Data entry is performed on-line by individuals who understand the nature of the transactions involved ⇒ fewer errors than if entered by individuals unfamiliar with the transactions
(6) On-line access to data and programs through telecommunications ⇒ greater opportunity for access by unauthorised persons
(7) Transactions are
processed immediately on-line ⇒ less risk that they will be processed in the wrong accounting period
(8) On-line terminal devices are located throughout the entity ⇒ opportunity for unauthorised use of a terminal device and entry of unauthorised transactions may increase

Solution — Automated controls

- To validate input
- To prevent duplication or omission of transactions
- To ensure transactions are recorded in the correct accounting period (i.e. correct cut-off)
- To confirm that the terms of trade have been agreed before an order is processed (e.g. if payment is required when an order is placed)
- To distinguish between customer browsing and orders placed (so that browsing is not incorrectly treated as an order)
- To ensure non-repudiation (i.e. a party to a transaction cannot later deny having agreed to specified terms)
- To ensure transactions are with approved parties (when appropriate)
- To address issues that might cause any part of the transaction to fail (e.g. credit card authorization failure)
- To prevent incomplete processing by ensuring all steps are completed and recorded or otherwise rejecting the order (e.g. order accepted, payment received, goods/services dispatched and accounting system updated)
- To ensure the proper distribution of transaction details (e.g. when data is collected centrally and communicated to others to execute the transaction)
- To ensure records are properly retained and accounts balance after each transaction

Posted: 25/08/2018, 09:58
