Effects of Computers On Internal Control

The document discusses the effects of computers on internal control. It describes major components of an internal control system including separation of duties, authorization, documentation, asset protection, supervision, and checks. For computer systems specifically, it addresses issues like segregation of duties, delegation of authority, personnel quality, audit trails, and data backup. It also covers controls in personal computer environments around authorization, physical security, access controls, integrity checks, and segregation of duties.

Uploaded by

Pia Suril

EFFECTS OF COMPUTERS ON INTERNAL CONTROL

Internal Control System
- achieves the goals of asset safeguarding, data integrity, and system effectiveness and efficiency
- controls help to ensure that the financial statement assertions are valid

Major Components of an Internal Control System:
- separation of duties
- clear delegation of authority and responsibility
- recruitment and training of high-quality personnel
- a system of authorization
- adequate documents and records
- physical control over assets
- records management supervision
- independent checks on performance
- periodic comparison of recorded accountability with assets

Segregation of Duties

Manual or Mechanical System
- the combinations of functions may be incompatible from a standpoint of achieving strong internal control

Computer System
- incompatible combinations of functions may be combined without weakening internal control
- compensating controls are necessary to prevent improper human intervention with computer processing

The Organization of the Information Systems Department
- should prevent its personnel from having inappropriate access to equipment, programs or data files
- should provide definite lines of authority and responsibility, segregation of functions, and clear definition of duties for each employee in the department
- varies in terms of reporting responsibility, relationships with other departments, and responsibilities within the department

Delegation of Authority and Responsibility

Manual System
- accounting personnel should not prepare the initial record of a business transaction, have custody of nonaccounting-related assets, or authorize transactions

Computer System
- data processing personnel should not prepare the initial record of a business transaction, have custody of assets unrelated to data processing, or have the authority to authorize transactions
- if they did, (a) they could enter transactions that did not occur or alter and reverse transactions; (b) they could take assets without approval; (c) they could authorize fictitious transactions
- A clear line of authority and responsibility is an essential control in both manual and computer systems
- In a computer system, however, delegating authority and responsibility in an unambiguous way might be difficult because some resources are shared among multiple users
- Authority and responsibility lines have been blurred by the rapid growth in end-user computing

Competent and Trustworthy Personnel
- a systems analyst might be responsible for advising management on the suitability of high-cost, high-technology equipment
- a computer operator takes responsibility for safeguarding critical software and critical data during execution of or backup of a system
- the power vested in personnel responsible for computer systems often exceeds the power vested in personnel responsible for manual systems

Adequate Documents and Records

Accounting records
- capture the economic essence of transactions and provide an audit trail of economic events

Audit trail
- enables the auditor to trace any transaction through all phases of its processing, from the initiation of the event to the financial statements

Computer Systems
- Documents might not be used to support the initiation, execution, and recording of some transactions. Thus, no visible audit or management trail would be available.
- The absence of an audit trail is not a problem if the systems have been designed to maintain a record of all events and it can be easily accessed.

Physical Control over Assets and Records

Purpose:
To ensure that only authorized personnel have access to the firm's assets

* Data consolidation exposes the organization to losses that can arise from computer abuse or disaster.

Adequate Maintenance Supervision

Manual system
- management supervision of employee activities is relatively straightforward

Computer system
- supervision of employees might have to be carried out remotely
- makes the activities of employees less visible to management

In an IT environment, supervision must be more elaborate than in a manual system for the following reasons:
1. It is difficult for management to assess the competence of prospective employees.
2. Management's concern over the trustworthiness of data processing personnel in high-risk areas.
3. Management's inability to adequately observe employees in an IT environment.

Independent Checks on Performance
- Independent checks on the performance of programs often have little value
- Auditors must evaluate controls for program development, modification, operation and maintenance
- Through independent verification procedures, management can assess (1) the performance of individuals, (2) the integrity of the transaction processing system, (3) the correctness of data contained in accounting records

Comparing Recorded Accountability with Assets

Manual System
- independent staff prepare the basic data used for comparison purposes

Computer System
- software is used to prepare this data

* Internal controls must be implemented to ensure the veracity of program code.

Internal Control in Personal Computer Environments (PAPS 1001)

Personal computers
- oriented to individual end-users
- the degree of accuracy and dependability of financial information produced will depend upon the internal controls prescribed by management and adopted by users

Paragraphs 17-36 of PAPS 1001 describe security and control procedures that can help improve the overall level of internal control.

Management Authorization for Operating Personal Computers

Management's policy statement may include:
- management responsibilities
- instructions on personal computer use
- training requirements
- authorization for access to programs and data
- policies to prevent unauthorized copying of programs and data
- security, back-up and storage requirements
- application development and documentation standards
- standards of report format and report distribution controls
- personal usage policies
- data integrity standards
- responsibility for programs, data and error correction
- appropriate segregation of duties

Physical Security - Equipment
- using door locks or other security protection
- fastening the personal computer to a table using security cables
- locking the microcomputer in a protective cabinet or shell
- using an alarm system that is activated any time the personal computer is disconnected or moved from its location

Physical Security - Removable and Non-Removable Media

Removable storage media
- placing responsibility for such media under personnel whose responsibilities include duties of software custodians or librarians
- designated storage locations are locked

Non-removable storage media
- physical control is best established with locking devices

Program and Data Security

Techniques which limit access to programs and data:
- segregating data into files organized under separate file directories
- using hidden files and secret file names
- employing passwords
- using cryptography
- using antivirus software programs

- Use of file directories allows the user to segregate information on removable and non-removable storage media
- Passwords and access control enable secure use of a single resource by multiple users
- Cryptography provides an effective control for protecting confidential or sensitive programs and information from unauthorized access and modification by users
- Cryptography is the process of transforming programs and information into an unintelligible form

Software and Data Integrity
- ensure that processed information is free of errors
and that software is not susceptible to
unauthorized manipulation
- strengthened by incorporating internal control
procedures such as format and range checks and
cross checks of results
- adequate written documentation of applications
including step-by-step instructions, description of
reports prepared, source of data processed,
description of individual reports, files and other
specifications

Hardware, Software and Data Back-up

Back-up
- refers to plans made by the entity to obtain access to comparable hardware, software and data in the event of their failure, loss or destruction
- it is important for users to perform it on a regular basis

The Effect of Personal Computers on the Accounting System and Related Internal Controls

It will depend on:
i. the extent to which the personal computer is being used to process accounting applications
ii. the type and significance of financial transactions being processed
iii. the nature of files and programs utilized in the applications

General CIS Controls - Segregation of Duties

Users perform two or more of the following functions in the accounting system:
- initiating and authorizing source documents
- entering data into the system
- operating the computer
- changing programs and data files
- using or distributing output
- modifying the operating system

The lack of segregation of functions in a personal computer environment may:
- allow errors to go undetected
- permit the perpetration and concealment of fraud

CIS Application Controls

Effective controls may include:
- a system of transaction logs and batch balancing
- direct supervision
- reconciliation of record counts or hash totals

Control may be established by an independent function which would normally:
- receive all data for processing
- ensure that all data are authorized and recorded
- follow up all errors detected during processing
- verify the proper distribution of output
- restrict physical access to application programs and data files

Internal Control in an On-line Computer System (PAPS 1002)

These include:
1. Access controls - procedures designed to restrict access to programs and data, designed to prevent or detect:
* unauthorized access to on-line workstations, programs and data
* entry of unauthorized transactions
* unauthorized changes to data files
* use of operational computer programs by unauthorized personnel
* use of computer programs that have not been authorized
Access control procedures include:
* use of passwords
* specialized access control software and devices (firewalls, authorization tables, biometrics)
* physical controls such as cable locks on workstations
2. Controls over user IDs and passwords - procedures for the assignment and maintenance of passwords to restrict access to authorized users
3. System development and maintenance controls - additional procedures to ensure that controls essential to on-line applications are included in the system during its development and maintenance
4. Programming controls - procedures designed to prevent or detect improper changes to computer programs
5. Transaction logs - reports which are designed to create an audit trail for each on-line transaction
6. Use of anti-virus software programs

CIS application controls to on-line processing:
a. Pre-processing authorization - permission to initiate a transaction before making a cash withdrawal through an ATM
b. Edit, reasonableness and other validation tests - programmed routines that check the input data and processing results for completeness, accuracy and reasonableness
c. Cut-off procedures - procedures which ensure that transactions are processed in the proper accounting period
d. File controls - procedures which ensure that the correct data files are used for on-line processing
e. Master file controls
f. Balancing - the process of establishing control totals over data being submitted for processing through workstations and comparing the control totals during and after processing
g. Rejected data - procedures to ensure that rejected items are complete prior to their reprocessing into the system

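Added example (not part of the original slides): the balancing control in item f, together with the record counts and hash totals listed under CIS Application Controls, sketched in Python. The Txn fields, the sample batch and the two failure cases are constructed for illustration.

```python
"""Batch balancing with a record count, a control total and a hash total."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    account_no: int   # non-financial field, summed only to form the hash total
    amount: Decimal   # financial field, summed to form the control total


@dataclass(frozen=True)
class BatchHeader:
    record_count: int
    control_total: Decimal
    hash_total: int


def build_header(batch):
    """Totals established by the control function before data is submitted."""
    return BatchHeader(
        record_count=len(batch),
        control_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account_no for t in batch),
    )


def reconcile(header, processed):
    """Recompute the totals after processing and list every discrepancy."""
    actual = build_header(processed)
    issues = []
    for name in ("record_count", "control_total", "hash_total"):
        expected, got = getattr(header, name), getattr(actual, name)
        if expected != got:
            issues.append(f"{name}: expected {expected}, got {got}")
    return issues


# Constructed sample batch submitted from a workstation.
SUBMITTED = [
    Txn(10021, Decimal("150.00")),
    Txn(10045, Decimal("75.50")),
    Txn(10077, Decimal("320.25")),
]
HEADER = build_header(SUBMITTED)

# Constructed failure cases: one record lost in processing, and one record
# whose account number changed while its amount stayed the same.
DROPPED = SUBMITTED[:2]
ALTERED = [SUBMITTED[0], Txn(10099, Decimal("75.50")), SUBMITTED[2]]

if __name__ == "__main__":
    for label, data in (("clean", SUBMITTED), ("dropped", DROPPED), ("altered", ALTERED)):
        print(label, reconcile(HEADER, data) or "in balance")
```

The altered batch still agrees on record count and control total; only the hash total over the account numbers exposes the change, which is why it is kept alongside the financial total.
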
Effect of On-line Computer Systems on the Accounting System and Related Internal Controls

It will depend on:
* the extent to which the on-line system is being used to process accounting applications
* the type and significance of financial transactions being processed
* the nature of files and programs utilized in the applications

Risk of fraud or error may be reduced:
1. If on-line data entry is performed at or near the point where transactions originate
2. If invalid transactions are corrected and re-entered immediately
3. If data entry is performed on-line by individuals who understand the nature of the transactions involved
4. If transactions are processed immediately on-line

Risk of fraud or error may be increased:
1. If workstations are located throughout the entity
2. Workstations may provide the opportunity for unauthorized uses such as modification of previously entered transactions or balances, modification of computer programs, and access to data and programs from remote locations
3. If on-line processing is interrupted for any reason
4. On-line access to data and programs through telecommunications

Internal Control in a Database Environment (PAPS 1003)

General CIS controls over the database, the DBMS and the activities of the database administration function have a pervasive effect on application processing.

The general CIS controls of particular importance in a database environment can be classified into the following groups:
1. Standard Approach for Development and Maintenance of Application Programs
- This includes following a formalized, step-by-step approach that requires adherence by all individuals developing or modifying an application program
2. Data Ownership
- A single data owner should be assigned responsibility for defining access and security rules, such as who can use the data (access) and what functions they can perform (security)
3. Access to the Database
- can be restricted through the use of passwords
- access controls in a database system seek to prevent unauthorized access to and use of data
- access controls are implemented by first specifying a security policy for the system and then choosing an access control mechanism that will enforce the policy chosen

2 Types of Access Control Policies (Database Systems)

a. discretionary access control policies
- allow users to specify who can access data they own and what action privileges they have with respect to that data

Some important types of restricting user access:
* Name-dependent restrictions: Users either have access to a named data resource or they do not have access to the resource
* Content-dependent restrictions: Users are permitted or denied access to a data resource depending on its contents
* Context-dependent restrictions: Users are permitted or denied access to a data resource depending on the context in which they are seeking access
* History-dependent restrictions: Users are permitted or denied access to data resource

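Added example (not part of the original slides): a Python sketch of a decision function that applies the name-, content- and context-dependent restrictions described above, in that order. The users, resources, salary threshold, permitted hours and workstation prefix are all constructed assumptions.

```python
"""Name-, content- and context-dependent access restrictions."""
from dataclasses import dataclass


@dataclass
class Request:
    user: str
    resource: str      # named data resource, e.g. a table
    record: dict       # the row the user is trying to read
    hour: int          # context: local hour of the request (0-23)
    workstation: str   # context: where the request originates


# Name-dependent: a user either has the named resource or does not.
GRANTS = {"clerk": {"payroll"}, "manager": {"payroll", "ledger"}}


def content_ok(req):
    """Content-dependent: the decision depends on values in the record."""
    if req.resource == "payroll" and req.user == "clerk":
        return req.record.get("salary", 0) <= 50_000
    return True


def context_ok(req):
    """Context-dependent: the decision depends on when and where access is sought."""
    return 8 <= req.hour < 18 and req.workstation.startswith("acct-")


def decide(req):
    """Return (allowed, reason); the first restriction that fails wins."""
    if req.resource not in GRANTS.get(req.user, set()):
        return False, "name-dependent: no grant on resource"
    if not content_ok(req):
        return False, "content-dependent: record outside user's range"
    if not context_ok(req):
        return False, "context-dependent: outside permitted hours or workstation"
    return True, "allowed"


# Constructed sample rows and requests.
ROW_LOW = {"employee": "E-17", "salary": 42_000}
ROW_HIGH = {"employee": "E-02", "salary": 95_000}

if __name__ == "__main__":
    for r in (
        Request("clerk", "ledger", {}, 10, "acct-01"),
        Request("clerk", "payroll", ROW_HIGH, 10, "acct-01"),
        Request("clerk", "payroll", ROW_LOW, 22, "acct-01"),
        Request("clerk", "payroll", ROW_LOW, 10, "acct-01"),
    ):
        print(r.user, r.resource, decide(r))
```
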
Segregation of Duties
- Standard approach is used
- Includes a formalized, step-by-step approach
- A technique that can help improve the accuracy, integrity and completeness of the database

The Effect of Databases on the Accounting System and Related Internal Controls

It will depend on:
- the extent to which databases are being used by accounting applications
- the type and significance of financial transactions being processed
- the nature of the database, the DBMS, the database administration tasks and the applications
- the general CIS controls which are particularly important in a database environment

The following factors contribute to the improved reliability of data:
- Improved consistency of data is achieved
- Integrity of data will be improved by effective use of facilities
- Other functions available with the DBMS can facilitate control and audit procedures

Internal Control in E-Commerce Environment (PAPS 1013)

The following aspects of internal control are relevant when an entity engages in e-commerce:
* Maintaining the integrity of control procedures in the quickly changing e-commerce environment
* Ensuring access to relevant records for the entity's needs and for audit purposes

Security

Auditor's considerations:
- The effective use of firewalls and virus protection software
- The effective use of encryption, including maintaining the privacy and security of transmissions and preventing the misuse of encryption technology
- Controls over the development and implementation of systems
- Whether security controls in place continue to be effective as new technologies that can be used to attack Internet security become available
- Whether the control environment supports the control procedures implemented

Transaction Integrity

In an e-commerce environment, controls relating to transaction integrity are often designed to, for example:
- Validate input
- Prevent duplication or omission of transactions
- Rethink their view of their job and the way in which they perform their job
- Develop a fundamental appreciation of the analytical approach used by the system to solve a problem
