You are on page 1of 99

1

Part
Part 1 Business Analysis
1 Business Analysis

Internal Controls
(15% - Level A)

PREPARED BY
sameh Y. El lithy, CMA, CIA.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Internal
Internal Controls
Controls (15%
(15% -- Level
Level A)
A)

3.Systems
3.Systems Controls
Controls and
and
Security
Security Measures
Measures
A. General accounting system controls
B. Application and transaction controls
C. Network controls
D. Flowcharting to assess controls
E. Backup controls
F. Disaster recovery procedures

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 1
3

A. General
General Accounting
Accounting System
System
Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Introduction
Introduction

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 2
5

The use of computers in information systems has


fundamental effects on internal control but not on its
objectives or basic philosophy.
These effects flow from the characteristics that
distinguish computer-based from manual processing.
When a company uses computers extensively in its
operations and accounting systems, this can tend to
increase the companys exposure to inaccuracies
and fraud.
Since computers apply the same steps to similar
transactions, there should be no chance for clerical
(human) error in processing. However, if there is a
mistake in the program itself, there will be an error in
every transaction that is processed using that defective
program. And if a clerical error is made in input, it will of
course result in an output error.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Potential for fraud is always present in


organizations and is a serious problem, even
without computer processing of data.
The automatic processing of data, the volume of the
data processed and the complexity of the processing
are aspects of computer processing that can increase
both the risk of loss and the potential dollar loss from
exposures that would exist anyway.
 The concentration of data storage creates exposure,
as well. The potential for fraud is further increased
because of the fact that programs are used for the
processing.
There is potential for fraud to be committed within the
program itself. Without proper controls, this type of
fraud may go undetected for a long period of time.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 3
7
Transaction trails. A complete trail useful for
audit purposes might exist for only a short time or
in only computer-readable form.
Further complicating the situation is the fact that
because of the nature of the system, paper audit
trails may exist for only a short period of time, as
support documents may be periodically deleted.
The audit trail must include all of the documentary
evidence for the transaction and the control
techniques that the transaction was subjected to, in
order to provide assurance that the transaction was
properly authorized and properly processed. When an
audit trail is absent, the reliability of an accounting
information system is questionable.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

8
 Segregation of functions. Many controls once
performed by separate individuals may be
concentrated in computer systems.
Hence, an individual who has access to the computer
may perform incompatible functions. As a result,
other control procedures may be necessary to
achieve the control objectives ordinarily accomplished
by segregation of functions. Other controls may
include
1) Adequate segregation of functions within the computer
processing activities.
2) Establishment of a control group to prevent or detect
processing errors or fraud.
3) Use of password controls to prevent incompatible
functions from being performed by individuals with online
access to assets and records.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 4
9

Internal
Internal Control
Control For
For IS
IS
Internal control for an information system has the
same goals and components as overall
organizational internal control
The ultimate responsibility for internal control
lies with management and the board.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

10

The
The Classification
Classification of
of
Controls
Controls
General controls
Application controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 5
11

The
The Classification
Classification of
of Controls
Controls
Controls within a computer system are broken
down into two types.
General controls, which relate to the environment;
Application controls, which are controls that are
specific to individual applications and are designed to
prevent, detect and correct errors and irregularities in
transactions during the input, processing and output
stages.
Both general controls and application controls are
essential.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

12

General
General Controls
Controls

General controls concern all


computer activities.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 6
13

General
General Controls
Controls
General controls relate to the general
environment within which transaction processing
takes place.
They are designed to ensure that the companys
control environment is stable and well managed.
A stable and well-managed control environment
strengthens the effectiveness of the companys
application controls.
General controls include controls over the
development, modification and maintenance of
computer programs.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

14

Categories
Categories of
of General
General
Control
Control

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 7
15

Categories
Categories of
of General
General Control
Control
The plan of organization and operation of the
computer activity
including provision for segregation of duties
(preventive control).
General operating procedures
Equipment and hardware controls
Access controls to equipment and data

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

16

The
The Plan
Plan of
of Organization
Organization &
& Operation
Operation of
of
the Computer Activity
the Computer Activity

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 8
17

The
The plan
plan of
of organization
organization and
and operation
operation of
of the
the
computer activity
computer activity
Organizational controls are concerned with the
proper segregation of duties and responsibilities
within the computer processing environment.
There should be an IT Planning or Steering
Committee that will oversee the IT function. Members
should include senior management, user
management and representatives from the IT
function. The committee should have regular
meetings and report to senior management.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

18

The
The plan
plan of
of organization
organization and
and operation
operation of
of the
the
computer
computer activity
activity (contd)
(contd)
 Segregation of duties should be maintained between and among
the following functions:
 Systems analysts
 Information systems use
 Data entry
 Data control clerks
 Programmers
 Computer operation
 Network management
 System administration
 Librarian
 Systems development and maintenance
 Change management
 Security administration
 Security audit

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 9
19

The
The plan
plan of
of organization
organization and
and operation
operation of
of the
the
computer activity (contd)
computer activity (contd)
For example: The responsibilities of systems analysts,
programmers, operators, file librarians, and the control
group should be performed by different individuals, and
proper supervision should be provided.
Operating controls ensure efficient and effective
operation within the computer department.
These controls also assure proper procedures in case of data
loss because of error or disaster.
Typical operating controls include the proper labeling of all files
both internally (machine-readable file header and trailer labels)
and externally, halt and error procedures, duplicate files, and
reconstruction procedures for files.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

20

General
General Operating
Operating
Procedures
Procedures

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 10
21

The procedures for documenting, reviewing, testing, and


approving systems or programs and changes thereto.
In detail it consists of :
Definition of responsibilities
Reliability, Training, Competence of personnel
Rotation of duties.
Forms design.
Prenumbered forms.
Preprinted forms.
Simultaneous preparations.
Turnaround documents.
Documentation .
Labeling .

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

22

Program development and documentation


controls
Documentation is the collection of documents
that support and explain computer applications,
including systems development. It is helpful to
operators and other users, control personnel,
new employees, auditors, programmers, and
analysts.
Program development and documentation controls
are concerned with the proper planning, development,
writing, and testing of computer application programs.
These activities require proper documentation, including
flowcharts, listings, and run manuals for programs already
written.
Controls over proper authorization of any changes in
existing programs are also necessary.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 11
23
 Documentation should be secured in a library with access
controlled.
 It should be subject to uniform standards regarding flowcharting techniques,
coding, and modification procedures (including proper authorization).
 System documentation
 includes narrative descriptions, flowcharts, the system definition used for
development, input and output forms, file and record layouts, controls,
change authorizations, and backup procedures.
 Program documentation
 contains descriptions, program flowcharts and decision tables, program
listings of source code, test data, input and output forms, detailed file and
record layouts, change requests, operator instructions, and controls.
 Operating documentation (computer run manual)
 provides information about setup, necessary files and devices, input
procedures, console messages and responsive operator actions, run times,
recovery procedures, disposal of output, and controls.
 Procedural documentation
 includes the systems master plan and operations to be performed,
documentation standards, procedures for labeling and handling files, and
standards for systems analysis, programming, operations, security, and
data definition.
 User documentation
 describes the system and procedures for data entry, error checking and
correction, and formats and uses of reports.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

24

Documentation provides a basis for effective


operation, use, audit and future system
enhancements. It communicates among people
who are developing, implementing and
maintaining a system. A detailed record of the
systems design is necessary in order to install,
operate or modify an application. It is also
needed for diagnosing and correcting
programming errors; and it provides a basis for
reconstruction of the system in case of damage
or destruction.
Standard operating procedures should be
documented, distributed, and maintained using
knowledge management, workflow techniques and
automated tools.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 12
25

Systems and program development controls


Effective systems development requires participation
by top management. This can be achieved through a
steering committee composed of higher-level
representatives of system users. The committee
approves or recommends projects and reviews their
progress.
Studies of the economic, operational, and technical
feasibility of new applications will necessarily entail
evaluations of existing as well as proposed systems.
Another necessary control is the establishment of
standards for system design and programming.
These standards represent user needs and system
requirements determined during the systems
analysis.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

26
Changes in the computer system should be subject
to strict controls. For example, a written request for
an application program change should be made by a
user department and authorized by a designated
manager or committee.
The program should then be redesigned using a working
copy, not the version currently in use. Also, the systems
documentation must be revised.
Changes in the program will be tested by the user, the
internal auditor, and a systems employee who was not
involved in designing the change.
Approval of the documented change and the results of
testing should be given by a systems manager. The change
and test results may then be accepted by the user.
Unauthorized program changes can be detected by code
comparison. The version in use should be periodically
compared with a copy controlled by the auditors. Software
can be used to perform this procedure.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 13
27
Proposed programs should be tested with incorrect or
incomplete data as well as typical data to determine if
controls have been properly implemented in the
program.
a) Test data should test all branches of the program, including
the programs edit capabilities. The edit function includes
sequence checks, valid field tests, reasonableness checks,
and other tests of the input data.
b) Expected results should be calculated and compared with
actual performance. These results should include both
accurate output and error messages.
To avoid legal liability, controls should also be
implemented to prevent use of unlicensed software not
in the public domain.
A software licensing agreement permits a user to employ
either a specified or an unlimited number of copies of a
software product at given locations, at particular machines, or
throughout the company. The agreement may restrict
reproduction or resale, and it may provide for subsequent
customer support and product improvements.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

28

Turnaround documents should be used


whenever appropriate. A turnaround document is
a computer-produced document that is
resubmitted into the system, such as the portion
of an invoice that a customer returns with
payment.
Staff of the user departments and the operations
group of the IT function should be trained in
accordance with the training plan.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 14
29

Equipment
Equipment Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

30

Equipment
Equipment Controls
Controls
Controls built into the equipment by the manufacturer
(hardware controls)
Hardware controls assure the proper internal handling of data
as they are moved and stored.
Hardware controls include parity checks, echo checks, read-after-write
checks, and any other procedure built into the equipment to assure data
integrity.
A defined backup procedure should be in place, and the
usability of the backups should be verified regularly.
Transaction trails should be available for tracing the
contents of any individual transaction record backward
or forward, and between output, processing, and source.
Records of all changes to files should be maintained.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 15
31

Hardware
Hardware Controls
Controls
Boundary (storage) protection.
Diagnostic routines.
Dual read.
Dual read-write heads.
Duplicate circuitry.
echo check.
File protection.
parity check.
Preventive maintenance.
Read-write suppression.
Validity checks.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

32

Boundary (storage) protection protects programs or


data from interference (unauthorized reading and/or
writing) caused by activity related to other programs or
data stored on the same medium. Primary storage
locations in the CPU may be protected by features built
into the hardware, but boundary protection for disk
storage is affected through programming.
Diagnostic routines check for hardware problems. If
built into the equipment, they permit the system itself to
give notice of imminent failure.
Dual read-write heads. A dual head first writes on the
storage medium and then reads what was written. If the
comparison shows that the data written differ from the
data at the source of the transfer, the device will back up
and rewrite the data. This process provides a check on
recorded information.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 16
33

Dual read. An input device, such as a tape drive,


may read an input twice for comparison.
Duplicate circuitry. Dual circuits in the
arithmetic-logic unit of the CPU permit
calculations to be performed twice and
compared.
An echo check provides for a peripheral device
to return (echo) a signal sent by the CPU.
 For example, the CPU sends a signal to the printer,
and the printer, just prior to printing, sends a signal
back to the CPU verifying that the proper print
position has been activated.
File protection. All data storage media, except
hard disks, have a ring, tab, or notch that can be
used to prevent or allow writing.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

34

A parity check adds the bits in a character or message


and checks the sum to determine if it is odd or even,
depending on whether the computer has odd or even
parity. This check verifies that all data have been
transferred without loss.
 For example, if the computer has even parity, a bit will be
added to a binary coded character or message that contains
an odd number of bits. No bit is added if a character or
message in binary form has an even number of bits.
Preventive maintenance. Regular servicing avoids
equipment failure.
Read-write suppression. A control on a disk drive may
prevent reading from or writing on a disk,
 e.g., one containing production programs.
Validity checks. Hardware that transmits or receives
data compares the bits in each byte to the permissible
combinations in order to determine whether they
constitute a valid structure.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 17
35

Equipment
Equipment Access
Access and
and Data
Data Access
Access
Controls
Controls

The responsibility for logical security and


physical security should be assigned to
an information security manager who
reports to the organizations senior
management.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

36
 Logical security  Physical security
 Consists of access and ability to  Involves things such as keeping
use the equipment and data. servers and associated
 It includes Internet security peripherals in a separate, secure
(firewalls) and virus protection room with bars on the windows
procedures; access controls for and use of blinds or reflective
users to minimize actions they film on the windows for heat
can perform; authentication blocking as well as physical
processes to verify the identity of protection.
users; and cryptographic  Monitoring of hardware
techniques such as encryption of components to prevent them
messages and digital signatures. being removed from the
premises; security for offsite
backup tapes; and biometrics to
identify a person based on
physical or behavioral
characteristics (fingerprints,
voice verification, etc.).
 Physical security also involves
the locations of wiring that
connects the system, backup
media, and maintenance of
uninterruptible power supplies.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 18
37
 Logical security  Physical security
 Unauthorized personnel, dial-up  Media library contents should be
connections and other system protected. Responsibilities for
entry ports should be prevented storage media library
from accessing computer management should be
resources. Passwords should be assigned to specific employees.
changed regularly for all those Contents of the media library
authorized to access the data. should be inventoried
Procedures should be systematically, so any
established for issuing, discrepancies can be remedied
suspending and closing user and the integrity of magnetic
accounts, and access rights media is maintained. Policies
should be reviewed periodically. and procedures should be
established for archiving.
 Dual access and dual control
should be established to require
two independent, simultaneous
actions before processing is
permitted.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

38

Access
Access Controls
Controls
Access controls, such as
 ID numbers,
passwords,
access logs, and
device authorization tables,
prevent improper use or manipulation of data files and
programs.
They help ensure that only those persons with a bona fide
purpose and authorization have access to data processing.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 19
39
ID numbers and Passwords. The use of identification
numbers and passwords is an effective control in an
online system to prevent unauthorized access to
computer files.
Lists of authorized persons are maintained in the computer.
The entry of identification numbers and passwords, a
prearranged set of personal questions, and the use of badges,
magnetic cards, or optically scanned cards may be combined
to avoid unauthorized access.
A security card may be used with a microcomputer so
that users must sign on with an ID and a password. The
card controls the machines operating system and
records access data (date, time, duration, etc.).
Proper user authentication by means of a password
requires password generating procedures to assure that
valid passwords are known only by the proper
individuals. Thus, a password should not be displayed
when entered at a keyboard.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

40

A device authorization table may restrict file access to


those physical devices that should logically need
access. For example, because it is illogical for anyone to
access the accounts receivable file from a
manufacturing terminal, the device authorization table
will deny access even when a valid password is used.
Such tests are often called compatibility tests because
they ascertain whether a code number is compatible
with the use to be made of the information. Thus, a user
may be authorized to enter only certain kinds of data,
have access only to certain information, have access
but not updating authority, or use the system only at
certain times. The lists or tables of authorized users or
devices are sometimes called access control
matrices.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 20
41
 A system access log records all attempts to use the system. The
date and time, codes used, mode of access, and data involved
are recorded.
 Encryption involves using a fixed algorithm to manipulate plain
text. The information is sent in its manipulated form and the
receiver translates the information back into plain text.
 Although data may be accessed by tapping into the transmission line, the
encryption key is necessary to understand the data being sent.
 A callback feature requires the remote user to call the computer,
give identification, hang up, and wait for the computer to call the
users authorized number.
 This control ensures acceptance of data transmissions only from authorized
modems. However, call forwarding may thwart this control.
 Controlled disposal of documents. One method of enforcing
access restrictions is to destroy data when they are no longer in
use.
 Thus, paper documents may be shredded and magnetic media may be
erased.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

42
 Biometric technologies. These are automated methods of
establishing an individuals identity using physiological or
behavioral traits.
 These characteristics include fingerprints, retina patterns, hand geometry,
signature dynamics, speech, and keystroke dynamics.
 Automatic log-off (disconnection) of inactive data terminals may
prevent the viewing of sensitive data on an unattended data
terminal.
 Utility software restrictions. Utility software may have privileged
access and therefore be able to bypass normal security
measures.
 Performance monitors, tape and disk management systems, job
schedulers, online editors, and report management systems are examples
of utility software.
 Management can limit the use of privileged software to security personnel
and establish audit trails to document its use. The purpose is to gain
assurance that its uses are necessary and authorized.
 Security personnel. An organization may need to hire security
specialists.
 For example, developing an information security policy for the organization,
commenting on security controls in new applications, and monitoring and
investigating unsuccessful access attempts are appropriate duties of the
information security officer.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 21
43

More
More About
About Segregation
Segregation of
of
Duties
Duties

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

44

More
More About
About Segregation
Segregation of
of Duties
Duties
The most important organizational and operating
control is the segregation of duties.
Although the traditional segregation practiced in
accounting of separating the responsibilities of
authorization, record keeping and custody of
assets may not be practiced in the same manner
in Information Systems (since the work is quite
different), there are still specific duties in the IS
environment that should be separate from one
another.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 22
45

Separate
Separate Responsibilities
Responsibilities within
within the
the Information
Information
Systems
Systems Department
Department

Responsibilities within the Information Systems


Department should be separated from one another.
 An individual with unlimited access to a computer, its
programs, and its data could execute a fraud and at the same
time conceal it. Therefore, effective separation of duties should
be instituted by separating the authority for the function from
the responsibility for the function.
Although designing and implementing segregation of duties
controls makes it difficult for one employee to commit fraud,
remember that segregation of duties is not perfect insurance
against fraud because two employees could collude to override
the controls.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

46

Various
Various Positions
Positions within
within a
a Computer
Computer
System
System

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 23
47

Systems
Systems Analysts
Analysts

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

48

Systems analysts are responsible for reviewing the


current system to make sure that it is meeting the needs
of the organization, and when it is not, they will provide
the design specifications to the programmers of the new
system.
Systems analysts should not perform programming tasks or
have access to computer equipment, production programs,
data files, and input-output controls.
Systems analysts are specifically qualified to analyze
and design computer information systems.
 They survey the existing system, analyze the organizations
information requirements, and design new systems to meet
those needs.
These design specifications will guide the preparation of
specific programs by computer programmers.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 24
49

Programmers
Programmers

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

50

Programmers are the individuals who write, test


and document the systems.
 They are able to modify programs, data files and
controls, but should not have access to the
computers and programs that are in actual use
for processing.
For instance, if a bank programmer were allowed
access to actual live data, he or she could delete their
own loan balance while conducting a test.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 25
51

Computer
Computer (console)
(console)
Operators
Operators

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

52

Computer operators perform the actual operation of


the computers for processing the data.
They should not have programming functions and
should not be able to program.
Their job responsibilities should be rotated so no one
operator is always overseeing the running of the same
application.
The most critical separation of duties is between
programmers and computer operators.
Computer (console) operators are responsible for the
actual processing of data in accordance with the
program run manual and messages received from the
system (preferably in hardcopy form for review by the
control group).

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 26
53

They load data, mount storage devices, and


operate the equipment.
Console operators should not be assigned
programming duties or responsibility for systems
design and should have no opportunity to make
changes in programs and systems as they operate
the equipment.
Ideally, computer operators should not have
programming knowledge or access to documentation
not strictly necessary for their work.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

54

The
The Data
Data Control
Control Group
Group

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 27
55

The data control group receives user input, logs it,


monitors the processing of the data, reconciles input
and output, distributes output to authorized users, and
checks to see that errors are corrected.
 They also maintain registers of computer access codes
and coordinate security controls with other computer
personnel.
They must keep the computer accounts and access
authorizations current at all times. They should be
organizationally independent of computer operations.
The data control group must be independent of
systems development, programming, and operations. It
receives user input, logs it, transfers it to the computer
center, monitors processing, reviews error messages,
compares control totals, distributes output, and
determines whether error corrections have been made
by users.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

56

Transaction
Transaction Authorization
Authorization
Users should submit a signed form with each
batch of input data to verify that the data has
been authorized and that the proper batch control
totals have been prepared.
Data control group personnel should verify the
signatures and batch control totals before
submitting the input for processing.
This would prevent a payroll clerk, for instance, from
submitting an unauthorized pay increase for himself
or herself.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 28
57

Librarians
Librarians
Librarians should maintain control over and
accountability for documentation, programs, and
data files.
 They should have no access to equipment. The
librarian should restrict access to the data files
and programs to authorized personnel at
scheduled times.
Furthermore, the librarian maintains records of all
usage, and those records should be reviewed
regularly by the data control group for evidence
of unauthorized use.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

58

Data
Data Conversion
Conversion Operators
Operators
Data conversion operators perform tasks of
converting and transmitting data.
Data conversion operators perform the tasks of
data preparation and transmission,
for example, conversion of source data to magnetic
disk or tape and entry of transactions from remote
terminals.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 29
59

Database
Database Administrator
Administrator
The database administrator controls access to various
files, making program changes, and making source
code details available only to those who need to know.
The database administrator (DBA) is the individual
who has overall responsibility for developing and
maintaining the database and for establishing controls to
protect its integrity.
Thus, only the DBA should be able to update data
dictionaries.
 In small systems, the DBA may perform some functions of a
database management system (DBMS). In larger
applications, the DBA uses a DBMS as a primary tool.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

60

Other
Other
 The webmaster is responsible for the content of the
organizations website. (S)he works closely with programmers
and network technicians to ensure that the appropriate content is
displayed and that the site is reliably available to users.
 Help desks are usually a responsibility of computer operations
because of the operational nature of their functions. Help desk
personnel log reported problems, resolve minor problems, and
forward more difficult problems to the appropriate information
systems resources, such as a technical support unit or vendor
assistance.
 Network technicians maintain the bridges, hubs, routers,
switches, cabling, and other devices that interconnect the
organizations computers. They are also responsible for
maintaining the organizations connection to other networks, such
as the Internet.
 End users need access to applications data and functions only.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 30
61

File
File Security
Security Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

62

File
File Security
Security Controls
Controls
 File Security Control procedures include:
 Labeling the contents of a disk or tape, both externally and internally as
part of the data file.
 The read-only file designation is used to prevent data from being altered
or written over by users.
 Database Management Systems use lockout procedures to prevent
two applications from updating the same record or data item at the same
time.
 Note: A deadly embrace occurs when two different applications
or transactions each have a lock on data that is needed by the
other application or transaction. Neither process is able to
proceed, because each is waiting for the other to do something. In
these cases the system must have a method of determining which
transaction goes first, and then it must let the second transaction
be completed using the updated information after the first
transaction.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 31
63

File
File Security
Security Controls
Controls
The librarians function is particularly critical,
because documentation, programs and data files
are assets of the organization and require
protection the same as any other asset would.
The data files contain information that is critical to
the enterprise, such as accounting records.
Although backup procedures could reconstruct
lost or damaged data, it is less costly to prevent a
data loss than to repair it. Furthermore,
confidential information is contained in the data
files and must be protected from misuse by
unauthorized individuals.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

64

B. Application
Application Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 32
65

Application controls relate to tasks performed


by a specific system. They should provide
reasonable assurance that the recording,
processing, and reporting of data are properly
performed.
 Application controls relate to individual computerized
accounting applications, for example, programmed
edit controls for verifying customers account numbers
and credit limits.
Application controls focus on preventing,
detecting and correcting errors in transactions
that are processed within an information system.
Application controls are divided into input
controls, processing controls and output
controls.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

66

Input
Input Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 33
67

Input controls provide reasonable assurance


that data received for processing have been
properly authorized, converted into machine-
sensible form, and identified, and that data
(including data transmitted over communication
lines) have not been lost, suppressed, added,
duplicated, or otherwise improperly changed.
Input controls also relate to rejection, correction,
and resubmission of data that were initially
incorrect.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

68

Input controls are the controls designed to


ensure that data is entered into the program
correctly. Input is the stage where there is the
most human involvement and, as a result, the
risk of errors is higher than in the processing and
output stages. If data is not entered correctly
there is no chance that the output will be correct.
There are three classifications of input controls:
 Data observation and recording
 Data transcription
 Edit tests

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 34
69

Data
Data Observation
Observation and
and Recording
Recording
 One or more observational control procedures may be practiced:
 1) Feedback mechanisms are manual systems that attest to the accuracy of a
document.
 For instance, a sales person might ask a customer to confirm their order with a
signature, attesting to the accuracy of the data in the sales order.
 Feedback mechanisms include authorization, endorsement and cancellation.
 2) Dual observation means more than one employee sees the input
documents.
 In some cases this might mean a supervisor reviews and approves the work.
 3) Point-of-sale devices used to encode data can decrease errors
substantially.
 In addition, point-of-sale devices eliminate the need to manually convert the data to
machine-readable format.
 4) Preprinted forms such as receipt and confirmation forms can ensure that all
the data required for processing has been captured.
 For example, if a form utilizes boxes for each character in an inventory part number,
it is more likely that the correct number of characters will be entered.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

70

Data
Data Transcription
Transcription
Data transcription is the preparation of the data for
processing. If data is entered from source documents,
the source documents should be organized in a way
that facilitates the input process.
The actual data input usually takes place at a
workstation with a display terminal.
A preformatted input screen can assist in the transcription
process.
For example, a date field to be filled in would be presented onscreen as
_/_/__.
 Format checks are used to verify that data is entered in the
proper mode: numeric data in a numeric field, a date in a date
field, etc.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 35
71
Edit
Edit Tests
Tests
 Edit programs or input validation routines are programs that
check the validity and accuracy of input data. They perform edit
tests by examining specific fields of data and rejecting
transactions if their data fields do not meet data quality standards.
 Edit checks are programmed into the software.
 Edit tests include:
 Completeness checks
 Limit and range checks
 Validity checks
 Overflow checks
 Check digits ,Self-checking digits
 Key verification
 Error listing
 Field checks
 Financial totals
 hash total
 Preformatting
 Reasonableness (relationship) tests
 Record count
 Sequence checks
 Sign checks
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

72
Completeness checks of transmission of data
determine whether all necessary information has been
sent.
The software notifies the sender if something is omitted.
Limit and range checks are based on known limits for
given information. These which ensure that only data
within predefined limits will be accepted by the system.
 For example, hours worked per week will not equal 200.
Validity checks, which match the input data to an
acceptable set of values or match the characteristics of
input data to an acceptable set of characteristics.
Validity checks are tests of identification numbers or
transaction codes for validity by comparison with items already
known to be correct or authorized.
For example, Social Security numbers on payroll input records can be
compared with Social Security numbers authorized by the personnel
department.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 36
73
Overflow checks, which make sure that the number of
digits entered in a field is not greater than the capacity
of the field.
An overflow test is a programmed control that checks
computational results and issues a warning if the result
exceeds the capacity of the storage location, which would
result in the loss of data.
 For example, if 5428 were stored as 542, the 8 lost on overflow would
be discovered.
Self-checking digits may be used to detect incorrect
identification numbers. The digit is generated by
applying an algorithm to the ID number. During the input
process, the check digit is recomputed by applying the
same algorithm to the code actually entered.
Check digits, which determine whether a number has been
transcribed properly. A check digit is a function of the other
digits within a set of numbers. If a typographical error is made
in input, the check digit will recognize that something has been
input incorrectly.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

74
Key verification is the process of inputting the
information again and comparing the two results.
Error listing. Editing (validation) of data should
produce a cumulative automated error listing that
includes not only errors found in the current
processing run but also uncorrected errors from
earlier runs. Each error should be identified and
described, and the date and time of detection
should be given. Sometimes, the erroneous
transactions may need to be recorded in a
suspense file. This process is the basis for
developing appropriate reports.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 37
75
 Field checks are tests of the characters in a
field to verify that they are of an appropriate type
for that field. For example, the field for a Social
Security number should not contain alphabetic
characters.
Financial totals summarize dollar amounts in an
information field in a group of records
A hash total is a control total without a defined
meaning, such as the total of employee numbers
or invoice numbers, that is used to verify the
completeness of data.
Thus, the hash total for the employee listing by the
personnel department could be compared with the
total generated during the payroll run.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

76
 Preformatting. To avoid data entry errors in online
systems, a screen prompting approach may be used
that is the equivalent of the preprinted forms routinely
employed as source documents.
The dialogue approach, for example, presents a series of
questions to the operator. The preformatted screen approach
involves the display of a set of boxes for entry of specified data
items. The format may even be in the form of a copy of a
transaction document.
Reasonableness (relationship) tests check the logical
correctness of relationships among the values of data
items on an input and the corresponding master file
record.
 For example, it may be known that employee John Smith
works only in departments A, C, or D; thus, a reasonableness
test could be performed to determine that the payroll record
contains one of the likely department numbers. In some texts,
the term reasonableness test is defined to encompass limit
checks.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 38
77
 Record count is a control total of the number of
records processed during the operation of a
program.
Sequence checks determine that records are in
proper order.
 For example, a payroll input file is likely to be sorted
into Social Security number order. A sequence check
can then be performed to verify record order.
Sign checks assure that data in a field have the
appropriate arithmetic sign.
 For example, hours worked in a payroll record
should always be a positive number.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

78
 A redundancy check requires sending
additional data items to serve as a check on the
other transmitted data;
for example, part of a customer name could be
matched against the name associated with the
transmitted customer number.
An echo check is an input control over
transmission along communications lines. Data
are sent back to the users terminal for
comparison with the transmitted data.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 39
79

(CMA
(CMA Adapted,
Adapted, June
June 1987)
1987)

 The online data entry control called preformatting is:


A. A check to determine if all data items for a transaction have
been entered by the terminal operator.
B. A program initiated prior to regular input to discover errors in
data before entry so that the errors can be corrected.
C. The display of a document with blanks for data items to be
entered by the terminal operator.
D. A series of requests for required input data that requires an
acceptable response to each request before a subsequent
request is made

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

80

(CMA
(CMA Adapted,
Adapted, June
June 1987)
1987)

c Preformatted input screens present a blank


field in the format that the input should take.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 40
81

(CMA
(CMA Adapted,
Adapted, June
June 1995)
1995)

 Data input validation routines include:


A. Passwords.
B. Terminal logs.
C. Backup controls.
D. Hash totals.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

82

(CMA
(CMA Adapted,
Adapted, June
June 1995)
1995)

d Hash totals are a method of validating the


input of data.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 41
83

Processing
Processing Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

84

Processing controls provide reasonable assurance


that processing has been performed as intended for the
particular application, i.e., that all transactions are
processed as authorized, that no authorized
transactions are omitted, and that no unauthorized
transactions are added.
Processing controls are controls designed to ensure
that processing has occurred properly and that no
transactions have been lost or incorrectly added.
Some input controls are also processing controls, e.g., limit,
reasonableness, and sign tests.
Processing controls fall into two classifications:
 Processing controls at the time of data access
 Controls involving data manipulation later in the processing

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 42
85

Data
Data Access
Access Controls
Controls &
& Data
Data Manipulation
Manipulation Controls
Controls

Data
Data Access Controls
Transmittal documents
Batch control totals
hash total
record count
Data
Data Manipulation Controls
Examining software documentation,
System testing

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

86
Data
Data Access
Access Controls
Controls
Transmittal documents such as batch control tickets
are used to control movement of data from the source to
the processing point or from one processing point to
another. Batch sequence numbers are used to
number batches consecutively to make sure all batches
are accounted for.
A hash total is another type of control total.
 For instance, if a batch contains data on receipts from
accounts receivable customers, the sum of all the customers
account numbers might be computed to create a hash total.
This sum is useful only for control purposes, and it is
compared with the total computed during processing to make
sure nothing was lost or altered during processing.
A record count utilizes the number of transaction items
and counts them twice, once when preparing the
transactions in a batch and again when performing the
processing.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 43
87
Batch control totals are any type of control total or
count applied to a specific group of transactions, such
as total sales dollars in a batch of billings.
 Batch control totals are used to ensure that all input is
processed correctly by the computer.
In batch processing, items are batched in bundles of a preset
number of transactions. If a batch consists of financial
transactions, a batch control document that goes with the
batch includes the bundle number, the date and the total dollar
amount of the batch. As the computer processes the batch, it
checks the batch control total (the total dollar amount) for the
batch and compares the processed total with the batch control
total. If they match, the batch is posted.
If they do not, the posting is rejected, and the difference must
be investigated. Batch control totals can also be calculated and
used for nonfinancial fields in transactions. For instance, a
batch control total might be the total hours worked by
employees.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

88
Data
Data Manipulation
Manipulation Controls
Controls
Standard procedures should be developed and used for
all processing.
Examining software documentation, such as system
flowcharts, program flowcharts, data flow diagrams
and decision tables, can also be a control, because it
makes sure that the programs are complete in their data
manipulation.
Computer programs are error tested by using a
compiler, which checks for programming language
errors.
Test data can be used to test a computer program.
System testing can be used to test the interaction of
several different computer programs. Output from one
program is often input to another, and system testing
tests the linkages between the programs.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 44
89

There are a number of other tests of processing,


such as:
 Batch balancing is comparing the items actually
processed against a predetermined control total.
 Run-to-run totals are output control totals from one
process used as input control totals over subsequent
processing. The run-to-run totals tie one process to
another.
 Default option is the automatic use of a predefined
value when a certain value is left blank in input.
However, a default option may be correct, or it may
be an incorrect value for a particular transaction, so
the default should not be automatically accepted.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

90
Other tests of the logic of processing are posting, cross-
footing, and zero-balance checks.
a) Comparing the contents of a record before and after
updating is a posting check.
b) Cross-footing compares an amount to the sum of its
components.
c) A zero-balance check adds the positive and negative
amounts posted. The result should be zero.
Internal header and trailer labels ensure that incorrect
files are not processed.
a) A matching test should make certain an updating
transaction is matched with the appropriate master file.
An audit trail should be created through the use of
input-output control logs, error listings, transaction logs,
and transaction listings.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 45
91

Output
Output Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

92

 Output controls provide assurance that the


processing result (such as account listings or
displays, reports, magnetic files, invoices, or
disbursement checks) is accurate and that only
authorized personnel receive the output.
Output controls are used to check that input
and processing has resulted in valid output. Their
objective is to assure the outputs validity,
accuracy, and completeness.
The data control group supervises output.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 46
93

There are two types of output application


controls:
Validating processing results
Activity, or proof, listings
Reconciliations
A suspense account
Upstream resubmission
Printed output controls
Forms control

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

94

Validating
Validating processing
processing results
results

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 47
95
Activity, or proof, listings that document processing
activity provide detailed information about all changes to
master files and create an audit trail.
Reconciliations are the analysis of differences between
values in two files that should be substantially the same.
The nature of the reconciling items is used to identify whether
differences are caused by errors or whether they are valid
differences.
A suspense account is used as a control total for items
awaiting further processing.
Output control also includes review of the error logs by the
control group and review of the output by the users. End-of-job
markers are printed at the end of the report and enable the
user to easily determine if the entire report has been received.
A discrepancy report is a listing of items that have violated
some detective control and need to be investigated.
Upstream resubmission is the resubmission of
corrected error transactions as if they were new
transactions, so that they pass through all the same
detective controls as normal transactions pass through.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

96

Printed
Printed Output
Output Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 48
97
Forms control, such as physical control over company
checks, is one type of printed output controls. Checks
should be kept under lock and key, and only authorized
persons should be permitted access.
However, there is another control needed with checks,
because they are prenumbered.
The preprinted check number on the form must match the
computer-generated number that is also printed on the
check.
The preprinted numbers on the checks are sequential; the computer-
generated numbers also are sequential. The starting computer-
generated number must match the first check in the stack, or the
numbers in the whole check run will be off. If there is any discrepancy, it
must be investigated because the starting number in the computer
should be one more than the last check printed. If it does not match the
preprinted number on the check stock, one or more checks could be
missing.
Any form should be prenumbered and controlled in the same
manner as checks.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

98
Output control also concerns report distribution.
 For example, a payroll register with all the employees social
security numbers and pay rates is confidential information and
thus its distribution must be restricted.
There should be an authorized distribution list, and only
enough copies of the report to permit one report to be
distributed to each person on the list should be processed.
 For a confidential report, it is preferable to have a
representative pick the report up personally and sign for it. If
this is not possible, a bonded employee can be used to hand
deliver the reports. The employees supervisor should make
random checks on this distribution.
Confidential reports should be shredded when they are
no longer needed.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 49
99

Controls
Controls Classified
Classified as
as Preventive,
Preventive,
Detective
Detective and
and Corrective
Corrective

Just as financial controls can be classified


as preventive, detective and corrective,
information systems controls can be
classified in the same manner.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

100
 Preventive controls prevent errors and fraud before they occur.
Examples of preventive controls are segregation of duties, job
rotation, training and competence of personnel, dual access
controls, authorization, approval, endorsement and cancellation,
and preformatted input.
 Detective controls uncover errors and fraud after they have
occurred. Examples of detective controls are transmittal
documents, batch control totals and other batch transmittal
documents, completeness checks, hash totals, batch balancing,
check digits, limit checks, and validity checks.
 The use of a turnaround document is also a detective control, because it
checks on completeness of input. Completeness of processing detective
controls includes run-to-run totals, reconciliations, use of suspense
accounts, and error logs. Correctness of processing detective controls are
redundant processing, overflow checks and summary processing.
 Corrective controls are used to correct errors. Examples of
corrective controls are discrepancy reports and upstream
resubmissions.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 50
101

(CMA
(CMA Adapted,
Adapted, December
December 1984)
1984)

 An advantage of having a computer maintain an


automated error log in conjunction with computer
edit programs is that:
Less manual work is required to determine how to
correct errors.
 Better editing techniques will result.
 The audit trail is maintained.
 Reports can be developed that summarize the errors
by type, cause and person responsible.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

102

43. d Computer generated reports can be


designed to provide more specific, and sorted,
information about the errors.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 51
103

(CMA
(CMA Adapted,
Adapted, December
December 1987)
1987)
 An employee in the receiving department keyed
in a shipment from a remote terminal and
inadvertently omitted the purchase order number.
The best systems control to detect this error
would be:
 Completeness test.
 Batch total.
 Reasonableness test.
 Sequence check.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

104

 a A completeness test would not let the


processing proceed if the item is not complete.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 52
105

(CMA
(CMA Adapted,
Adapted, June
June 1991)
1991)
 Preventive controls are:
 Usually more cost beneficial than detective controls.
 Usually more costly to use than detective controls.
 Found only in accounting transaction controls.
 Found only in general accounting controls.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

106

 a Preventive controls are the most cost


effective controls.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 53
107

(CMA
(CMA Adapted,
Adapted, June
June 1991)
1991)
 Edit checks in a computerized accounting
system:
 Are preventive controls.
 Must be installed for the system to be operational.
 Should be performed on transactions prior to
updating a master file.
 Should be performed immediately prior to output
distribution.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

108

 c Edit tests are an input control. They are used


to check whether data has been input correctly.
Thus they should be performed on transaction
files before those files are used to update the
master file in a posting run, because it is much
easier to correct errors before posting has taken
place than it is afterwards.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 54
109

Auditing
Auditing

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

110

Auditing
Auditing
In a computer system there is still a need for auditing, or
checking the data and processing that occurs within the
system. Outlined below are brief explanations of the
different types of audit testing methods used to test the
processing of information and data within the system.
Test Data
Integrated Test Facility (ITF)
Parallel Simulation
Embedded Audit Data Collection
Mapping
Generalized Audit Software Package (GASP)
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 55
111

Test
Test Data
Data
 Test data is used to determine
 whether control procedures in a particular computer application are working
properly;
 whether the computer is processing transactions correctly;
 whether all transaction files and master files are fully and correctly being updated;
and
 whether program changes have been made correctly.
 The auditor prepares input that contains both valid and invalid data for
processing by the computer.
 Before it is processed by the computer, the data is manually processed.
 After processing, the output of the test is compared with the manually processed
results to determine whether they are the same.
 If not, the auditor tries to find out what caused the difference.
 Test data must be processed in a special test run, because a
fictitious master file is used to run the test transactions against so
that the actual master files will not be affected. Test data may also
consist of a review of actual data. Real transactions are selected
in advance for processing as test data

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

112

There
There are
are several
several limitations
limitations to
to using
using test
test data
data

Because test data must be processed in a separate test


run, the use of test data must be announced ahead of
time. Therefore, the auditor cannot be sure that the
program being used to run the test data is the same
program that is used for real data.
 Test data cannot test every possible situation that a
program might encounter in processing real data.
Test data tests only the application program, not the
clerical part of the application. Thus there is no way to
detect errors that may be taking place in clerical input.
Test data can be prepared by persons with little
technical background.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 56
113

Integrated
Integrated Test
Test Facility
Facility (ITF)
(ITF)
 An Integrated Test Facility (ITF) involves the use of test data but
also the creation of fictitious entities, such as fictitious employees,
vendors, products, and accounts, within the master files of the
computer system. Or alternatively, a separate, fictitious company
may be used. The major difference between test data and an
ITF is that the test data in an ITF is processed along with real
data.
 No one knows that the data being processed includes these fictitious
entries to fictitious records. In this way, the auditor can be sure that the
programs being checked are the same programs as those used to process
the real data.

 Advantages
 Enables testing of the system as it routinely operates
 Low processing costs
 No special processing
 Disadvantages
 Effects of transactions on operations (books) must be nullified.
 Quantity of live data inputs may be limited when submitted with regular runs.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

114

Integrated
Integrated Test
Test Facility
Facility (ITF)
(ITF)
 The difficulty with using the ITF approach is that the fictitious
transactions have to be excluded from the normal outputs of the
system in some way. This may be done manually, or it may be
done by designing or modifying the application programs.
 Either way, the fictitious transactions must be identified by means of
special codes so they can be segregated from the real data. Careful
planning is required to make sure that the ITF data does not become mixed
in with the real data, corrupting the real data.
 If this careful planning is done, the costs of using ITF are minimal,
because there is no special processing required and thus no
interruption of normal computer activity. There are costs involved
in developing an ITF, either while the application is being
developed or as a later modification to it. However, once the initial
costs are past, the ongoing operating costs are low.
 ITF is normally used to audit large computer systems that use
real-time processing.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 57
115

Parallel
Parallel Simulation
Simulation
 In a parallel simulation the auditor will run a set of actual data through some
type of generalized audit program that processes data and produces output in
the same manner as the program being audited. Then the results as processed
by both programs are compared.
 Parallel simulation is expensive and time-consuming and is usually limited to
sections of an audit that are of major concern and are important enough that
they require an audit of 100% of the transactions. Parallel simulation uses
actual data rather than test data. Furthermore, it can be performed off-site
because it does not use the clients computer system.
 Advantages
 Testing can be done on a surprise basis.
 Cost of preparing test data is eliminated.
 Can process many of auditees transactions, eliminating need for small samples
 More thorough than sampling
 Disadvantages
 Cost of developing program may be prohibitive.
 Auditor may need special skills.
 Does not have broad application

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

116

Embedded
Embedded Audit
Audit Data
Data Collection
Collection
Use of embedded audit routines involves modifying
computer programs by building special auditing routines
into them so that transaction data can be analyzed for
audit purposes.
Embedded audit data collection is one such
technique. It uses one or more specially programmed
modules within the regular program code to select data
for subsequent analysis by the auditor. To do this, the
programmed modules are embedded as in-line code in
the regular program code. When in-line code is used,
the application program will perform the audit data
collection function while it is processing the normal data.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 58
117

Embedded
Embedded Audit
Audit Data
Data Collection
Collection
Advantages
All system activity is subject to review.
Can be used with online systems
Not limited to input transactions
Disadvantages
Additional processing cost of extra audit module
program steps that must be executed
Difficult to implement unless it can be developed
along with the system

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

118

Generalized
Generalized Audit
Audit Software
Software Package
Package (GASP)
(GASP)

Involves the use of computer software packages


(programs) that may allow not only parallel simulation
but also a variety of other processing functions, such as
extracting sample items, verifying totals, developing file
statistics, retrieving specified data fields
Advantages
Can process several files (and file types)
Enables use with limited training
Packages interface with many types of hardware and software.
Decreases auditor dependence on data processing personnel
and time
Disadvantages
Limited application in online, real-time systems
Limited logical and mathematical capabilities
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 59
119

Mapping
Mapping
Involves monitoring the execution of an application
program to determine certain statistical information
about the run, e.g., program lines not executed, CPU
time for certain program lines, and the number of times
certain lines were executed
Advantages
Can aid in evaluating how well test data tested a run
Can indicate lines of code which are extraneous or not often
used
Disadvantages
High cost
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

120

(CMA
(CMA Adapted,
Adapted, June
June 1995)
1995)

 In auditing computer-based systems, the integrated


test facility (ITF):
A. Is a concurrent audit technique that establishes a special set
of dummy master files and enters transactions to test the
programs using the dummy files during regular processing
runs.
B. Uses an audit log to record transactions and data having
special audit significance during regular processing runs.
C. Allows the auditor to assemble test transactions and run
them through the computer system to test the integrity of
controls on a sample database.
D. Is a set of specialized software routines that are designed to
perform specialized audit tests and store audit evidence.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 60
121

(CMA
(CMA Adapted,
Adapted, June
June 1995)
1995)

A. An ITF runs false (dummy) information


through the system along with real transactions,
and the computer operator does not know that
some of the transactions are false.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

122

Source:
Source: CMA
CMA 1284
1284 5-
5--28
5
5- 28

The use of a generalized audit software package

 A. Relieves an auditor of the typical tasks of


investigating exceptions, verifying sources of information,
and evaluating reports.

 B. Is a major aid in retrieving information from


computerized files.

 C. Overcomes the need for an auditor to learn much


about computers.

 D. Is a form of auditing around the computer.


Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 61
123

Source:
Source: CMA
CMA 1284
1284 5-
5--28
5
5- 28
 Answer (A) is incorrect because the auditor must still use audit
judgment.
 Answer (B) is correct. The primary use of generalized
computer programs is to select and summarize a client's
records for additional testing. Generalized audit software
packages permit the auditor to audit through the computer,
to extract, compare, analyze, and summarize data and
generate output as part of the audit program. They allow the
auditor to exploit the computer to examine many more
records than otherwise possible with far greater speed and
accuracy.
 Answer (C) is incorrect because an auditor must have a
knowledge of computer auditing to use a generalized software
package.
 Answer (D) is incorrect because using a generalized software
package is a means of auditing through the computer.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

124

C. Network
Network controls
controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 62
125

Internet
Internet Security
Security
Once a company is connected to an outside network
(usually the World Wide Web) there are a number of
additional security issues that must be properly
addressed.
 The policies that are put in place need to ensure that the
intended and authorized users of the network have access to it
as needed.
However, accessibility also creates vulnerability.
 So organizations must be certain that information sent over
the network is properly protected to maintain the confidentiality
of company information and ensure that the files within the
company cannot be accessed or changed without
authorization.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

126

Internet
Internet Security
Security
At a minimum, the system should include user
account management, a firewall, antivirus
protection and encryption.
User account management is the simple
process of giving people accounts and
passwords.
For this to be as effective as possible, it must be kept
up to date. Inactive accounts need to be eliminated,
and active passwords need to be changed frequently

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 63
127
Virus
Virus
 A computer virus is a program that alters the way another
computer operates. Viruses may damage programs, delete files
or reformat the hard disk. Other viruses do not do damage but
replicate themselves and present text, video and audio
messages. Although these viruses may not cause damage
directly, they create problems by taking up computer memory and
causing erratic behavior and system crashes that can lead to data
loss. In order to be considered a virus, a virus must meet two
criteria:
 1) It must execute itself. It often places its own code in the path of the
execution of another program.
 2) It must replicate itself. It may replace other executable files with a copy
of the virus-infected file.
 A virus may be received from an infected disk, a downloaded file
or from an electronic bulletin board. Anti-virus software
recognizes viruses before they can do damage and incapacitates
them. Anti-virus software must be kept up to date, however, as
new viruses appear constantly.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

128

Trojan
Trojan Horse
Horse
A Trojan horse is different from a virus. A very
important distinction between Trojan horses and viruses
is that Trojan horses do not replicate themselves,
whereas viruses do. Trojan horses appear to be
something desirable but in fact they contain malicious
code that, when triggered, can cause loss or even theft
of data. You can get a Trojan horse only by inviting it
into your computer.
Two examples of ways to get a Trojan horse include
(1) opening an email attachment, or
 (2) downloading and running a file from the Internet.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 64
129

Worm
Worm
A worm is a program that replicates itself from system
to system without the use of any host file. The difference
between a worm and a virus is that the worm does not
require the use of an infected host file, while the virus
does require the spreading of an infected host file.
Worms generally exist inside of other files, often Word
or Excel documents. However, worms use the host file
differently from viruses. Usually the worm releases a
document that has the worm macro inside the
document. This entire document spreads from computer
to computer, so the entire document is considered to be
the worm.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

130

Virus
Virus Hoax
Hoax
A virus hoax is an e-mail that tells you a file on
your computer is a virus when it isnt. These often
tell you to look on your system for a file by a
specific name and, if you see it, delete it because
it is a virus that your anti-virus program cant
recognize. Everyone will find that file on their
system, because it is a system file that is needed
for the computer to operate correctly. If you
believe this e-mail and delete the file, your
computer may malfunction.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 65
131

Note:

The difference between a virus and a Trojan is


that the virus replicates itself, while the Trojan
does not.

The difference between a virus and a worm is


that the virus requires an infected host file to
replicate itself, while the worm can replicate
itself without a host file.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

132

Firewall
Firewall
A firewall is a barrier between the internal and
the external networks. This firewall prevents
unauthorized access to the internal network. A
firewall will usually also prepare a report of
Internet usage and then report any abnormal or
excessive usage, as well as attempts to gain
unauthorized entry to the network. A firewall can
be in the form of software directly installed on a
computer; or it can be in the form of a piece of
hardware that is installed between the computer
and its connection to the Internet. A firewall is a
good Internet security control, but it is not
foolproof.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 66
133

Proxy
Proxy Server
Server
 An organization may also use a proxy server. A proxy server is a
computer and software that creates a gateway to and from the
Internet.
 The proxy server contains an access control list of approved
websites and handles all web access requests, limiting access to
only those IP addresses contained in the access control list. This
enables an employer to deny its employees access to websites
that are unlikely to have any productive benefits.
 The proxy server also examines all incoming requests for
information and tests them for authenticity. In this way, a proxy
server functions as a firewall. The proxy server can also limit the
information that is stored on it to information that the company
can afford to lose.
 Thus, if this server is broken into, the organizations main servers
remain functional.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

134

Encryption
Encryption
Encryption is the technology that converts data
into a code and then requires a key to convert the
code back to data. Unauthorized people may
receive the coded information, but without the
proper key they will be unable to read the
information. The encryption process may be
either in the hardware or the software. There are
two methods of software encryption.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 67
135

In a secret-key system, each pair of sender and


recipient has a single key that is used to encrypt
and decrypt the messages. The disadvantage to
this method is that every pair of senders and
receivers has to have a separate set of keys that
match. If several pairs all used the same set,
then anyone having the key could decrypt
anyone elses message, and it wouldnt be a
secret. This is impractical over the Internet,
because any one company could need to receive
messages from thousands of potential customers
and other individuals.
However, it is used in some government
communications.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

136

A better system for companies to use is the


public key/private key encryption system.
In this system, each entity that needs to receive
encrypted data publishes a public key that can be
used to encrypt data while keeping to itself a
private key that is the only way to decrypt that
data. Anyone can encrypt and send data to the
company using its published public key. But only
the companys private key can be used to decrypt
the data, and only the company that published
the public key has the private key.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 68
137
A company gets a public key and the private key
to go with it by applying to a Certificate Authority,
which validates its identity and then issues it a
certificate and its own unique public key and
private key. The certificate may be used to
identify a company, an employee or a server
within a company. The certificate includes the
name of the entity it identifies, an expiration date,
the name of the Certificate Authority that issued
the certificate, a serial number, and other
identification. The certificate always includes the
digital signature of the issuing Certificate
Authority, which permits the certificate to function
as a letter of introduction from the Certificate
Authority.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

138

E. Backup
Backup and
and Contingency
Contingency
Planning
Planning

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 69
139
In any computer system, it is essential that the company
have plans for the backup of data and the recovery of
data, especially disaster recovery.
Program files, as well as data files, should be backed up
regularly.
Copies of all transaction data are stored as a transaction log
as they are entered into the system. Should the master file be
destroyed during processing, computer operations will roll
back to the most recent backup; recovery takes place by
reprocessing the data transaction log against the backup copy.
Backups should be stored at a secure, remote location, so that
in the event data is destroyed due to a physical disaster, it can
be reconstructed. It would do very little good to have a backup
tape in the same room as the computer if that area were
destroyed by fire.
 Backup data can be transmitted electronically to the backup site,
through a process called electronic vaulting. The security of the
remote location needs to be evaluated periodically.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

140
Grandparent-parent-child processing is used
because of the risk of losing data before, during or
after processing work. Files from previous periods are
retained, and if a file is damaged during updating, the
previous files can be used to reconstruct a new
current file. These files should be stored off-premises.
Computers should be on an Uninterruptible Power
Supply (UPS) to provide some protection in the event
of a power failure. While these do not always work,
they may save data by providing a short period of
power.
Fault-Tolerant Systems are systems designed to
tolerate faults or errors. They often utilize
redundancy in hardware design, so that if one
system fails, another one will take over.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 70
141
Computer
Computer networks
networks can
can be
be made
made redundant
redundant in
in several
several ways
ways
 Computer networks can be made redundant in several ways:
 A CPU could have two disks, and all data on the first disk is mirrored on the
second disk.
 This is called disk mirroring or disk shadowing. Should one disk fail, the
processing continues on the good disk.
 Rollback processing may be used to prevent any transactions being written to
disk until they are complete. If there is a power failure or another fault during
processing, the program automatically rolls itself back to its pre-fault state at its
first opportunity.
 Duplicate circuitry is the double wiring of key hardware elements to ensure
that if one program malfunctions, the other will take over.
 A redundancy check is the process of sending repeated sets of data to confirm
the original data sent.
 Summary processing is a redundant process using a sum, which is compared with
the control total from the processing of the detailed items.
 An echo check is the process of sending the received data back to the sending
computer to compare what was actually sent to make sure that it is the same.
 In a dual read check, data is read twice during input and compared.
 Boundary protection is protection against unauthorized entry (read or write) to
a tape, disk or other storage device.
 Graceful degradation means that if a part of the system malfunctions, other
components can be programmed to continue the processing, although on a less
efficient basis.
 Overflow check means that the data is checked and an error message
activated if data is lost through arithmetic operations that exceed the planned
capacity of the receiving fields or registers.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

142

F. Disaster
Disaster Recovery
Recovery

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 71
143

Disaster
Disaster Recovery
Recovery
Not many firms could survive for long without
computing facilities. Therefore, an organization
should have a formal disaster recovery plan to
fall back on in the event of a hurricane, fire,
earthquake, flood, or criminal or terrorist act. A
disaster recovery plan specifies:
Which employees will participate in disaster recovery
and what their responsibilities will be. One person
should be designated in charge of disaster recovery,
and another should be second in command.
What hardware, software, and facilities will be used.
The priority of applications that should be processed.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

144

Disaster
Disaster Recovery
Recovery
Arrangements for alternative facilities as a
disaster recovery site and offsite storage of the
companys databases are also part of the
disaster recovery plan. An alternative facility
might be a different facility owned by the
company; or it might be a facility contracted by a
different company.
The different locations should be a good distance
away from the original processing site.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 72
145

Disaster
Disaster Recovery
Recovery Sites
Sites
Disaster recovery sites may be either hot sites or cold
sites.
A hot site is a backup facility that has a computer
system similar to the one used regularly. The hot site
must be fully operational and immediately available.
A hot site is a service bureau. It is a fully operational
processing facility that is immediately available
A cold site is a facility where power and space are
available to install processing equipment, but it is not
immediately available. If an organization uses a cold
site, its disaster recovery plan must include
arrangements to get computer equipment installed there
quickly.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

146

Mobile
Mobile Recovery
Recovery
There are also several companies that operate mobile
recovery centers.
On a contracted basis, in the event of a disaster that destroys
operations facilities, they arrive within hours in a tractor-trailer
or van that is fully equipped with their clients platform
requirements, 50 to 100 workstations, and staffed with
technical personnel to assist in recovery.
Personnel should be trained in emergency procedures,
and re-training should be done regularly to keep their
knowledge fresh.
The disaster recovery plan should be tested periodically by
simulating a disaster, in order to reveal any weaknesses in the
plan.
The disaster recovery plan should be reviewed regularly and
revised when necessary; and the members of the disaster
recovery team should each keep a current copy of the plan at
home.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 73
147

(CMA
(CMA Adapted,
Adapted, June
June 1996)
1996)

A critical aspect of a disaster recovery plan is to


be able to regain operational capability as soon
as possible. To accomplish this, an organization
can have an arrangement with its computer
hardware vendor to have a fully operational
facility available that is configured to the user's
specific needs. This is best known as a(n):
 Hot site.
 Uninterruptible power system.
 Cold site.
 Parallel system.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

148

(CMA
(CMA Adapted,
Adapted, June
June 1996)
1996)

a A hot site is a backup facility with a computer


system similar to the one used regularly which is
fully operational and immediately available.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 74
149

In any information processing environment,


losing or otherwise destroying data must be
avoided. Not only is the loss of data a problem,
but the organization may also require continuous
processing without disruptions. For these
reasons, all systems must have adequate backup
and recovery procedures in the event of system
failure, power loss, or other potential corruption of
data.
The procedures implemented will normally be a
function of the specific computer environment,
type of processing, or storage mode.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

150

Sequential processing - Random processing --


- magnetic tape, magnetic magnetic disks, online
disks, and batch processing
processing Rollback and recovery
Checkpoint procedures involve the dumping of the
involve capturing all the master files contents and
values of data and program associated data structures
indicators at specified onto a backup file. In the
points and storing these event of a faulty run, the
values in another file. dump is used together with
the transaction log or file to
If processing is interrupted, reconstruct the file.
it can be resumed at the
last checkpoint rather than
at the beginning of the run.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 75
151

What
What are
are the
the Goals
Goals of
of Internal
Internal Control
Control in
in an
an
Information System?
Information System?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

152

Even though a company may use computers extensively


in its operations and accounting systems, this does not
change the fundamental goals of and need for internal
controls in that system. It will, however, change the
practical implementation of controls and the types of
controls that are needed. Internal control for an
information system has the same goals as overall
organizational internal control:
 Promoting effectiveness and efficiency of operations in
order to achieve the companys objectives;
 Maintaining the reliability of financial reporting through
checking the accuracy and reliability of accounting data;
 Assuring compliance with all laws and regulations that the
company is subject to, as well as adherence to managerial
policies; and
 Safeguarding assets.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 76
153

What
What Documents
Documents Provide
Provide Information
Information
System
System Internal
Internal Control
Control Guidelines?
Guidelines?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

154

Information system internal control guidelines are


based upon two documents:
The report of the Committee of Sponsoring
Organizations, Internal Control Integrated
Framework, and Control Objectives for
Information and Related Technology (COBIT), a
document published by the Information Systems
Audit and Control Foundation (ISACF).

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 77
155

How
How does
does the
the Internal
Internal Control
Control Integrated
Integrated
Framework define Internal Control and
Framework define Internal Control and What
What are
are
its Components?
its Components?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

156
In Internal Control Integrated Framework,
internal control is defined as:
a process, effected by an entitys board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories: effectiveness and efficiency
of operations, reliability of financial reporting, and
compliance with applicable laws and regulations.
According to that document, the internal control
system should consist of five interrelated
components:
(1) the control environment, (2) risk assessment, (3)
control activities, (4) information and communication,
and (5) monitoring.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 78
157

What
What are
are the
the General
General Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

158

 Controls within a computer system are broken down into two


types. They are general controls and application controls.
 General controls relate to all computer activities and include
controls over the development, modification and maintenance of
computer programs.
 They are designed to ensure that the companys control
environment is stable and well managed. This strengthens the
effectiveness of its application controls.
 General controls are broken down into the following categories:
 Program development and documentation to provide reasonable
assurance that development of, and changes to, computer programs are
authorized, tested, and approved prior to their usage;
 Access controls to restrict access to data files to authorized users and
programs;
 Organizational and operating controls segregation of duties, other
controls such as file security controls; and
 Hardware controls to ensure that the computer itself is operating
correctly.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 79
159

What
What are
are Systems
Systems and
and Program
Program
Development
Development Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

160

Systems development controls during the development


stage of an information system enhance the ultimate
accuracy, validity, safety, security and adaptability of the
new systems input, processing, output and storage
functions.
Controls are instituted at this stage for multiple reasons:
 To ensure that all changes are properly authorized and are
not made by individuals who lack sufficient understanding of
control procedures, the proper approvals, and the
understanding of the need for adequate testing.
 To prevent errors in the resulting system, which could cause
major processing errors in data.
 To limit the potential for a myriad of other problems during the
development process and after it is complete.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 80
161

What
What are
are System,
System, Program
Program and
and
Operating
Operating Documentation?
Documentation?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

162

System documentation includes narrative descriptions,


flowcharts, input and output forms, file and record
layouts, controls, the authorizations for any changes,
and backup procedures.
Program documentation includes the description of
the programs, program flowcharts, program listings of
source code, input and output forms, change requests,
operator instructions and controls.
Operating documentation provides the information
about the actual performance of the program, and
procedural documentation provides information about
the master plan and the handling of files.
User documentation includes all of the necessary
information for a user to be able to use the program.
The documentation should be in a limited and controlled
access area. There should be set standards for the
coding, modification and flowcharting procedures.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 81
163

What
What are
are Access
Access
Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

164

Access involves both physical access to the hardware


and the logical (ability to use) access to it. The various
types of access controls are given below:
 Password and ID numbers.
 Device authorization table.
 System access logs.
 Security personnel.
 Encryption.
 Callback.
 Controlled disposal of documents.
 Biometric technologies.
 Automatic log off.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 82
165

What
What are
are the
the Organizational
Organizational and
and
Operating
Operating Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

166

The most important organizational and operating


control is the segregation of duties.
Though the traditional segregation practiced in
accounting of separating the responsibilities of
authorization, record keeping and custody of assets
may not be appropriate in a computer department
(since the work is quite different),
there are still specific duties in the Information
Systems environment that need to be separated from
one another:
 Separate Information Systems from Other Departments;
 Separate responsibilities within the Information Systems
department (systems analysis, programming, data control,
computer operation, transaction authorization, data
conversion, and file security controls (librarianship).
An important organizational control is computer facility
controls.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 83
167

What
What are
are the
the Hardware
Hardware
Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

168

Hardware controls are given below:


 Boundary (storage) protection.
 Diagnostic routines.
 Dual read.
 Dual read-write heads.
 Duplicate circuitry.
 Echo check.
 File protection.
 Parity check.
 Preventive maintenance.
 Read-write suppression.
 Validity checks.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 84
169

What are the Hardware


Controls for Networks?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

170

Hardware controls for networks include:


 Checkpoint control procedures to back up all the
data and other information needed to restart the
system. This checkpoint is recorded on separate
media. Then, if a hardware failure occurs, the system
reverts to the last saved copy and reprocesses only
the transactions that were posted after that
checkpoint.
 Routing verification procedures protect against
transactions being routed to the wrong computer
network system address. Any transaction must have
a header label identifying its destination. The system
verifies that the message did go to the destination
code in the header.
 Message acknowledgment procedures check a
trailer label, attached to a message to verify its
completeness and correct sequence.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 85
171

What
What are
are the
the Application
Application
Controls
Controls

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

172

Application controls relate to the specific tasks


that are performed by the system and the
programs. They are designed to prevent, detect
and correct errors in transactions as they flow
through the input, processing and output stages
of work. Thus, they are broken down into these
three main categories:
 Input controls,
 Processing controls, and
 Output controls.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 86
173

What
What are
are Input
Input Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

174

Input controls are the controls that are in place


to ensure that the data is entered into the
program correctly. Input is the stage where there
is the most human involvement and, as a result,
the risk of errors is higher in this stage than in the
processing and output stages. If the data is not
entered correctly there is no chance that the
output will be correct.
There are four classifications of input controls:
 Data observation and recording,
 Data transcription,
 Edit tests, and
 Additional input controls.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 87
175

What
What are
are Data
Data Observation
Observation
and
and Recording
Recording Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

176

One or more observational control procedures


may be practiced:
 Feedback mechanisms are manual systems that
attest to the accuracy of a document.
For instance, a sales person might ask a customer to
confirm their order with a signature, attesting to the
accuracy of the data in the sales order.
 Dual observation means more than one employee
sees the input documents. In some cases this might
mean a supervisor reviews the work.
 Point-of-sale devices used to encode data can
decrease errors substantially.
 Preprinted forms such as receipt and confirmation
forms can ensure that all the data required for
processing have been captured.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 88
177

What
What are
are Data
Data
Transcription
Transcription Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

178

Data transcription is the preparation of the data for


processing. The actual data input usually takes place at
a workstation with a display terminal. A preformatted
input screen can assist in the transcription process.
Edit tests or input validation routines are programs
that check the validity and accuracy of input data. They
perform edit tests by examining specific fields of data
and rejecting transactions if their data fields do not meet
standards.
Key verification is the process of inputting the
information again and comparing the two results.
A redundancy check is the process of sending
additional sets of data to confirm the original data sent.
An echo check is the process of sending the received
data back to the sending computer to compare with
what was actually sent.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 89
179

What are Specific Input


Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

180

Additional Input Controls include:


 Error listing.
 Field checks.
 Hash total.
 Validity checks.
 Overflow test.
 Limit and range checks.
 Preformatting.
 Reasonableness (or compatibility) tests.
 Record count.
 Self-checking digits.
 Sequence checks.
 Sign checks.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 90
181

What
What are
are Processing
Processing Controls
Controls
and
and Data
Data Access
Access Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

182

Processing Controls are those controls that are in


place to monitor and check the processing of the data.
Processing controls fall into two classifications:
 Data Access Controls
 Data Manipulation Controls
Data Access Controls are a processing control
procedure that attempts to ensure that all input is
processed correctly by the computer. In batch
processing, items are batched in bundles of a preset
number of transactions. As the computer processes the
batch, it checks the batch control total (the total dollar
amount) for the batch and compares the processed total
with the batch control total. Batch control totals can also
be used for nonfinancial transactions.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 91
183

What
What are
are Data
Data
Manipulation
Manipulation Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

184

Data Manipulation Controls are one of two types of


Processing Controls.
Examining software documentation, such as system
flowcharts, program flowcharts, data flow diagrams and
decision tables can also be a control because it makes
sure that the programs are complete in their data
manipulation.
Computer programs are error tested by using a
compiler, which checks for programming language
errors. Test data can be used to test a computer
program.
System testing can be used to test the interaction of
several different computer programs. Output from one
program is often input to another, and system testing
tests the linkages between the programs.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 92
185

What
What are
are Other
Other
Processing
Processing Controls?
Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

186

There are a number of other processing controls:


 Posting check compares the record before and after
updating.
 Cross-footing compares the sum of the individual
components to the total.
 Zero-balance check is used when a sum should be 0.
 Run-to-run control totals check critical information for
correctness.
 Internal header and trailer labels allow processing of only
correct data.
 End-of-file procedures is the process of not closing the
processing when the end of the master file is reached.
 Concurrency controls manage access to data by two or
more programs.
 Key integrity checks insure that keys are not changed
during processing.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 93
187

What are Output


Controls?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

188

Output controls relate to the result of the processing.


Their objective is to assure the outputs validity,
accuracy and completeness. The output is supervised
by the data control group.
There are two types of output application controls:
 Validating processing results is an activity, or proof, listing
that documents processing activity. This provides detailed
information about all changes to master files and create an
audit trail.
 Printed output controls such as physical control over
company checks. Checks should be kept under lock and key,
and only authorized persons should be permitted access.
Output control also concerns report distribution.
Confidential reports should be shredded when they are
no longer needed.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 94
189

What
What is
is Internet
Internet Security
Security
and
and How
How isis it
it Maintained?
Maintained?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

190

Once a company is connected to the Internet a number


of additional security issues must be properly
addressed. Electronic eavesdropping can occur if
computer users are able to observe transmissions
intended for someone else. At a minimum, the system
should include the following:
 User account management is process of giving people
accounts and passwords.
 Anti-virus software must be kept up to date.
 A firewall is a barrier between the internal and the external
networks. This firewall prevents unauthorized access to the
internal network.
 A proxy server, which is a computer and software that
create a gateway to and from the Internet. Encryption is the
technology that converts data into a code and then requires a
key to convert the code back to data.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 95
191

How are Computer


Systems Audited?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

192
In a computer system there is still a need for auditing.
Test data is the use of a prepared set of input data that
are then run through the system being audited. The
results from this system are compared to the
predetermined results.
An integrated test facility is the process of setting up
artificial transactions that are then run through the
computer system as it is normally operating. This may
be done without the knowledge of the computer
operator.
 In a parallel simulation the auditor will run a set of actual data
through another computer system that is known to be working.
The results from the test computer and the actual computer are
then compared.
Embedded data collection is a process whereby a
program within the system identifies specific types of
transactions for further testing.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 96
193

What
What is
is Backup
Backup and
and
Contingency
Contingency Planning?
Planning?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

194
In any computer system, it is essential that the company
has plans for the backup and recovery of data
(especially disaster recovery).
Programs, as well as data files, should be backed up regularly.
Copies of all transaction data are stored as a transaction log
as they are entered into the system. Should the master file be
destroyed, computer operations will roll back to the most
recent backup; recovery takes place by reprocessing the data
transaction log against the backup copy.
Backups should be stored at a secure remote location,
so that in the event data is destroyed due to a physical
disaster, it can be reconstructed. Backup data can be
transmitted electronically to the backup site, through a
process called electronic vaulting.
Computers should be on an Uninterruptible Power
Supply (UPS) to provide some protection in the event of
a power failure.

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 97
195

What
What are
are Grandparent-
Grandparent--parentchild
Grandparent
Grandparent- parentchild
Systems,
Systems, Fault-
Fault--tolerant
Fault
Fault- tolerant systems
systems and
and Disk
Disk
Mirroring?
Mirroring?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

196
In grandparent-parent-child processing, files from
previous periods are retained, and if a file is damaged
during updating, the previous files can be used to
reconstruct the current file.
These files should be stored off-premise.
Fault-tolerant systems are designed to tolerate faults
or errors.
They often utilize redundancy, so that if one system fails,
another one will take over. With multiple processors,
consensus-based protocols specify that if one processor
disagrees with the others, it is to be ignored; with two
processors, the second processor can serve as a watchdog
processor. If something happens to the primary processor, the
watchdog processor takes over.
A CPU could have two disks, and all data on the first
disk is mirrored on the second disk.
This is called disk mirroring or disk shadowing.
Rollback processing may be used to prevent any
transactions from being written to disk until they are
complete.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 98
197

What
What is
is Disaster
Disaster
Recovery?
Recovery?

Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

198

A disaster recovery plan specifies who participates,


what hardware and software will be used, and the
applications to recover in case of a disaster.
Disaster recovery sites may be either hot or cold.
A hot site is a backup facility that has a computer system fully
operational and thus immediately available.
 A cold site is a facility ready to install processing equipment,
but it is not immediately available.
Mobile recovery centers are used on a contracted
basis, in the event of a disaster that destroys operations
facilities. They arrive within hours fully equipped with
their clients platform requirements and staffed with
technical personnel.
The disaster recovery plan should be reviewed regularly
and revised when necessary; and each member of the
disaster recovery team should keep a current copy of
the plan at home.
Sameh . Y.El lithy, CMA, CIA . U.12.CMA, Part 1

Sameh Y. El lithy,CMA, CIA. E-mail: Sameh.Youssef@Givaudan.com


Cell : 016 688 49 85
U.12 Part 1 CMA
U.12. - 99