
Chapter 21

Internal Control in the Computer Information System
Factors affecting the study of internal control in computer systems

Compared with manual systems, computer systems:

1. Result in transaction trails that exist for a short period of time or only in computer-readable form

2. Include program errors that cause uniform mishandling of transactions – clerical errors become less frequent

3. Include computer controls that need to be relied upon instead of segregation of functions

4. Involve increased difficulty in detecting unauthorized access

5. Allow increased management supervisory potential resulting from more timely reports

6. Include less documentation of initiation and execution of transactions

7. Include computer controls that affect the effectiveness of related manual control procedures that use computer output
Classification of Internal Controls over EDP

GENERAL CONTROLS – relate to all EDP applications and include such considerations as:
- the organization of the EDP department
- procedures for documenting, testing, and approving the original system and any subsequent changes
- controls built into the hardware (equipment controls)
- security for files and equipment

APPLICATION CONTROLS – relate to specific accounting tasks performed by EDP and include measures designed to assure:
- the reliability of input
- controls over processing
- controls over output

CATEGORIES OF GENERAL CONTROLS

A. Organizational and Operations Controls
B. Systems development and documentation controls
C. Hardware and systems software controls
D. Access controls
E. Data and procedural controls
A. Organizational and Operations Controls
(1) Controls
(a) Segregate functions between the EDP department and user
departments
(b) Do not allow the EDP department to initiate or authorize
transactions
(c) Segregate functions within the EDP department
(2) Segregation of duties - provides the control mechanism for
maintaining an independent processing environment, thus meeting
the control objectives.
(a) Systems analyst – responsible for analyzing the present user
environment and requirements and
(1) recommending the specific changes which can be made
(2) recommending the purchases of a new system
(3) designing a new EDP system
A. Organizational and Operations Controls (cont…)
(b) Applications programmer – responsible for writing, testing, and
debugging the application programs from the specifications (whether
general or specific) provided by the systems analyst.

(c) Systems programmer – responsible for implementing, modifying,
and debugging the software necessary for making the hardware work
(such as the operating system, telecommunications monitor, and the
data base management system).

(d) Operator – responsible for the daily computer operations of both
the hardware and the software. She/He mounts magnetic tapes on
the tape drives, supervises operations on the operator’s console,
accepts any required input, and distributes any generated output.
A. Organizational and Operations Controls (cont…)

(e) Data librarian – responsible for the custody of the removable
media, i.e., magnetic tapes or disks, and for the maintenance of
program and system documentation.

(f) Quality assurance – new function established primarily to ensure
that new systems under development and old systems being
changed are adequately controlled and that they meet the user’s
specifications and follow department documentation standards.

(g) Control group – acts as liaison between users and the processing
center. This group records input data in a control log, follows the
processing, distributes output, and ensures compliance with control
totals.
A. Organizational and Operations Controls (cont…)

(h) Data security – responsible for maintaining the integrity of the on-line
access control security software. Passwords and IDs are issued to users,
and every security violation is followed up.

(i) Database administrator – responsible for maintaining the database
and restricting access to the database to authorized personnel.

(j) Network technician – using line monitoring equipment, network
technicians can see every keystroke made by any user, so this group must
be subject to strict accountability controls.
B. Systems development and documentation controls
(1) Controls
(a) User departments must participate in systems design.

(b) Each system must have written specifications which are reviewed and approved by
management and by user departments

(c) Both users and EDP personnel must test new systems.

(d) Management, users, and EDP personnel must approve new systems before they
are placed into operations

(e) All master and transaction file conversion should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis

(f) After a new system is operating, there should be proper approval of all program
changes.

(g) Proper documentation standards should exist to assure continuity of the system
B. Systems development and documentation controls (cont…)

(2) New systems are developed and existing systems are changed. Two
controls over system change are the following:

(a) Design methodology – All new systems being developed should
flow through a documented process that has specific control points
where the overall direction of the system can be evaluated and
changes, if needed, can be made.

(b) Change control process – To effect a change on a system that is
presently operating, a formal change process should exist that
requires formal approval before any change is implemented.
C. Hardware and systems software controls
(1) Controls
(a) The auditor should be aware of control features inherent in the
computer hardware, operating system, and other supporting software
and ensure that they are utilized to the maximum possible extent.

(b) Systems software (e.g., the operating system) should be
subjected to the same control procedures as those applied to
installation of and changes to application programs.

(2) The reliability of EDP hardware has increased dramatically over
the last decade. The following are examples of hardware controls:
(a) Parity check – A special bit is added to each character stored in memory
so that the hardware can detect whether it lost a bit during the internal
movement of a character, similar to a check digit.
C. Hardware and systems software controls (cont…)
(b) Echo check – Primarily used in telecommunications transmissions. During
the sending and receiving of characters, the receiving hardware repeats back
to the sending hardware what it received, and the sending hardware
automatically resends any characters that it detects were received
incorrectly.

(c) Diagnostic routines – Hardware or software supplied by the manufacturer
to check the internal operations and devices within the computer system.
These routines are often activated when the system is booted up.

(d) Boundary protection – Most CPUs have multiple jobs running
simultaneously (a multiprogramming environment). To ensure that these
simultaneous jobs cannot destroy or change the memory allocated to another
job, the system contains boundary protection controls.

(e) Periodic maintenance – The system should be examined periodically
(often weekly) by a qualified service technician. Such service can
help to prevent unexpected hardware failures.
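The parity check in (2)(a) and the echo check in (2)(b) are easy to see in miniature. The following is an added example, not code from the chapter: it stores each character as eight data bits plus one parity bit and shows which corruptions the check catches, then simulates a character-by-character echo exchange over a constructed noisy line. Even parity is an assumption (the chapter does not say which parity is used), and all function names are our own.

```python
# Added example (not from the chapter): a parity check and an echo check,
# simulated in software. Even parity is assumed; names are our own.

def parity_bit(byte: int) -> int:
    """Even parity: the extra bit makes the total number of 1-bits even."""
    return bin(byte & 0xFF).count("1") % 2


def add_parity(byte: int) -> int:
    """Store a character as 9 bits: 8 data bits plus the parity bit in bit 8."""
    return (parity_bit(byte) << 8) | (byte & 0xFF)


def parity_ok(word: int) -> bool:
    """Recompute parity of the 8 data bits and compare with the stored bit."""
    data, stored = word & 0xFF, (word >> 8) & 1
    return parity_bit(data) == stored


def flip_bits(word: int, *positions: int) -> int:
    """Simulate the hardware losing or inverting bits while moving a character."""
    for p in positions:
        word ^= 1 << p
    return word


def echo_transmit(message: bytes, corrupt_first_try) -> tuple:
    """Echo check over a constructed line. The sender sends one character at a
    time, the receiver repeats back what it got, and the sender resends any
    character whose echo does not match. corrupt_first_try holds the indexes
    of characters the line damages on their first transmission only.
    Returns (bytes the receiver ended up with, number of resends)."""
    received = bytearray()
    resends = 0
    for i, ch in enumerate(message):
        attempts = 0
        while True:
            # the constructed line inverts the low bit once, on the first attempt
            on_wire = ch ^ 0x01 if (i in corrupt_first_try and attempts == 0) else ch
            attempts += 1
            echoed = on_wire              # receiver repeats back exactly what it got
            if echoed == ch:
                received.append(on_wire)  # echo matches: character accepted
                break
            resends += 1                  # mismatch detected: sender resends
    return bytes(received), resends


if __name__ == "__main__":
    w = add_parity(ord("A"))
    print(hex(w), parity_ok(w), parity_ok(flip_bits(w, 0)), parity_ok(flip_bits(w, 0, 1)))
    print(echo_transmit(b"CASH", {1}))
```

A single lost bit is always caught, but flipping two bits leaves the parity unchanged and passes; that is why parity is a detective control for single-bit hardware faults rather than a guarantee of integrity, which is the same limitation a check digit has against some multi-digit errors.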
D. Access controls
(1) Controls
(a) Access to program documentation should be limited to those persons who
require it in the performance of their duties.

(b) Access to data files and programs should be limited to those individuals
authorized to process data.

(c) Access to computer hardware should be limited to authorized individuals
such as computer operators and their supervisors.

(2) Access to the EDP environment is obtained both physically and
electronically. Controls over access are:
(a) Physical access controls
1) Limited physical access – the physical facility that houses EDP equipment, files,
and documentation should have controls that limit access to authorized individuals only.
2) Visitor entry logs – Any individual entering a secure area must be either pre-
approved by management and wearing an ID badge, or authorized by an appropriate
individual, recorded in a visitor’s log, and escorted while in the secure area.
D. Access controls (cont…)

(b) Electronic access controls

1) Access control software (user identification) – The most used electronic
access control is a combination of a unique identification code and a
confidential password.

2) Call back – Call back is a specialized form of user identification that is
used in highly sensitive systems. In a call back system the user dials up
the system, identifies him/herself, and is disconnected from the system; the
system then calls the user back at the telephone number on record for that user.

3) Encryption boards – Encryption boards are new devices that are
installed in the back of a microcomputer, or stand-alone devices for larger
systems. The board is programmed with a unique “key” that makes data
unreadable to anyone who might intercept a data transmission.
E. Data and procedural control
(1) Controls
(a) A control group should:
1) Receive all data to be processed
2) Ensure that all data are recorded
3) Follow up on errors during processing, and determine that transactions
are corrected and resubmitted by the proper user personnel
4) Verify the proper distribution of output

(b) A written manual of systems and procedures should be prepared for all
computer operations and should provide for management’s general or specific
authorization to process transactions.

(c) Internal auditors (or another independent group in the organization, e.g.,
quality assurance) should review and evaluate proposed systems at critical
stages of development, and review and test computer processing activities.
E. Data and procedural control (cont…)

(2) The EDP environment should be clearly defined in detail and
appropriately documented so each individual responsible for
processing knows what to do in each situation that may arise.
(a) Operations run manual – the operations manual specifies, in detail, the
“how to’s” for each application to enable the computer operator to respond to
any errors that may occur.

(b) Backup and recovery – To ensure the preservation of historical records
and the ability to recover from an unexpected error, files created within EDP
are backed up in a systematic manner.

(c) Contingency processing – Detailed contingency processing plans should
be developed to prepare for natural disasters (such as a lightning strike), man-
made disasters (such as arson), or general hardware failures that disable the
data center.
E. Data and procedural control (cont…)
(d) Processing control – Processing controls should be monitored by the
control group to ensure that processing is completed in a timely manner
(controlled through a production schedule of the EDP department), all
hardware errors have been corrected (controlled through an operator’s log),
and output has been properly distributed (controlled through distribution logs).

(e) File protection ring – A file protection ring is a processing control that
ensures an operator does not write over a magnetic tape that actually holds
critical information.

(f) Internal and external labels – External labels are paper labels attached to a
reel of tape or other storage medium which identify the file. Internal labels
perform the same function through machine-readable identification in the
first record of a file.
APPLICATION CONTROLS
- controls that relate to a specific application instead of
multiple applications.

Each accounting application that is processed in an EDP
system is controlled during three steps within EDP:
A. Input
B. Processing
C. Output
A. Input Controls
(1) Controls
(a) Input data should be properly authorized and approved.
(b) The system should verify all significant data fields used to record
information (editing the data).
(c) Conversion of data into machine-readable form should be controlled
and verified for accuracy.
(d) Movement of data between processing steps and departments should
be controlled.
(e) The correction of errors and resubmission of corrected transactions
should be reviewed and controlled.

(2) To ensure the integrity of the conversion of human-readable data into
computer-readable form, many common controls can be used:
(a) Preprinted form – Information is pre-assigned a place and a format on
the input form used.
A. Input Controls (cont…)
(b) Check digit – An extra digit is added to an identification number to
detect certain types of data transmission or transposition errors. It is used
to verify that the number was entered into the computer system correctly
(within the application program there is software code that recomputes
the check digit), e.g., an extra number on an account number that is
calculated as a mathematical combination of the other digits.

(c) Control, batch, or proof total – A total of one numerical field for all the
records of a batch that normally would be added, e.g., total sales price.

(d) Hash total – A total of one field for all the records of a batch where the
total is meaningless for financial purposes, e.g., the mathematical sum of
the account numbers added together.

(e) Record count – A control total used for accountability to ensure all the
records received are processed.
A. Input Controls (cont…)
(f) Reasonableness and limit tests – These tests determine whether amounts are
too high, too low, or unreasonable (e.g., for a field that holds auditing
exam scores, a limit check would test for scores over 100).

(g) Menu-driven input – If input is being entered at a CRT, the
operator should be greeted by a menu and prompted as to the proper
response to make [e.g., What score did you get on the Auditing part of the
CPA Exam (75-100)?].

(h) Field checks – Checks that make certain only numbers, alphabetical
characters, special characters, and proper positive and negative signs are
accepted into a specific data field where they are required.

(i) Validity check – A check which allows only “valid” transactions or data to
be entered into the system (e.g., a field indicating the sex of an individual
where 1 = male and 2 = female; a code of “3” would not be accepted).
A. Input Controls (cont…)
(j) Missing data check – If blanks exist in input data where they should not
(e.g., an employee’s division number), an error message would result.

(k) Field size check – If a field must contain an exact number of characters
(e.g., all employee numbers have six digits) and the input does not, an error
message would result.

(l) Logic check – Ensures that illogical combinations of inputs are not
accepted into the computer (e.g., the field total for raw material is validated
by footing price times quantity).
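The input controls in (2)(b) through (2)(l) are normally implemented together as a batch edit program that rejects individual records and reconciles the batch as a whole. The block below is an added example, not code from the chapter: it runs a check digit test, batch (control) total, hash total, record count, limit and reasonableness tests, field, validity, missing data, field size and logic checks over a constructed batch of sales records. The field names, limits, transaction codes and batch layout are our own assumptions, and the check digit uses the Luhn (mod-10) algorithm, which the chapter does not specify.

```python
# Added example (not from the chapter): a batch input edit program applying the
# input controls of this section to a constructed batch. Field names, limits and
# the batch header layout are our own assumptions; the check digit algorithm
# (Luhn / mod-10) is also an assumption.

VALID_TXN_CODES = {"1", "2"}     # validity check: 1 = sale, 2 = return (constructed coding)
MAX_QUANTITY = 1000              # limit test threshold (constructed)
MAX_UNIT_PRICE = 10_000.00       # reasonableness threshold (constructed)


def luhn_ok(number: str) -> bool:
    """Check digit control: recompute the mod-10 (Luhn) sum over all digits;
    a correct check digit makes the sum divisible by 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        n = int(ch)
        if i % 2 == 1:                        # double every second digit from the right
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def edit_record(rec: dict) -> list:
    """Record-level edits; returns a list of error messages (empty means clean)."""
    errors = []
    acct = str(rec.get("account", ""))
    if len(acct) != 8:                                   # field size check
        errors.append("account: must be exactly 8 characters")
    elif not luhn_ok(acct):                              # check digit
        errors.append("account: check digit failure")
    div = str(rec.get("division", ""))
    if div.strip() == "":                                # missing data check
        errors.append("division: required field is blank")
    elif len(div) != 2:                                  # field size check
        errors.append("division: must be 2 characters")
    elif not div.isdigit():                              # field check (numeric only)
        errors.append("division: non-numeric characters")
    if rec.get("txn_code") not in VALID_TXN_CODES:       # validity check
        errors.append("txn_code: not a valid code")
    qty, price, total = rec.get("quantity"), rec.get("unit_price"), rec.get("line_total")
    if not isinstance(qty, int) or qty <= 0:             # field check: numeric, positive sign
        errors.append("quantity: must be a positive integer")
    elif qty > MAX_QUANTITY:                             # limit test
        errors.append("quantity: exceeds limit")
    if not isinstance(price, (int, float)) or price <= 0 or price > MAX_UNIT_PRICE:
        errors.append("unit_price: outside reasonable range")   # reasonableness test
    if isinstance(qty, int) and isinstance(price, (int, float)) and isinstance(total, (int, float)):
        if abs(qty * price - total) > 0.005:             # logic check: foot price x quantity
            errors.append("line_total: does not equal quantity x unit_price")
    return errors


def edit_batch(header: dict, records: list) -> dict:
    """Batch-level controls (record count, control/proof total, hash total)
    followed by the record-level edits. Returns the reconciliation result."""
    batch_errors = []
    if len(records) != header["record_count"]:                       # record count
        batch_errors.append(f"record count {len(records)} != header {header['record_count']}")
    control_total = round(sum(float(r.get("line_total") or 0) for r in records), 2)
    if control_total != header["control_total"]:                     # control (proof) total
        batch_errors.append(f"control total {control_total} != header {header['control_total']}")
    hash_total = sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit())
    if hash_total != header["hash_total"]:                           # hash total of account numbers
        batch_errors.append(f"hash total {hash_total} != header {header['hash_total']}")
    record_errors = {}
    for i, r in enumerate(records):
        errs = edit_record(r)
        if errs:
            record_errors[i] = errs
    return {"batch_errors": batch_errors, "record_errors": record_errors,
            "accepted": len(records) - len(record_errors)}


# Constructed sample batch: one clean record and three with deliberate defects.
SAMPLE_RECORDS = [
    {"account": "12345674", "division": "07", "txn_code": "1", "quantity": 10, "unit_price": 250.0, "line_total": 2500.0},
    {"account": "24681355", "division": "",   "txn_code": "1", "quantity": 5,  "unit_price": 100.0, "line_total": 500.0},
    {"account": "21345674", "division": "12", "txn_code": "2", "quantity": 3,  "unit_price": 200.0, "line_total": 700.0},
    {"account": "12345674", "division": "1A", "txn_code": "3", "quantity": 2000, "unit_price": 50.0, "line_total": 100000.0},
]
# Header totals prepared by the control group from the source documents (constructed).
SAMPLE_HEADER = {"record_count": 4, "control_total": 103700.00, "hash_total": 70718377}

if __name__ == "__main__":
    print(edit_batch(SAMPLE_HEADER, SAMPLE_RECORDS))
```

The third record shows why the check digit and logic check are separate controls: its account number is the first record's with two digits transposed, which the check digit catches, while its footing error is only caught by recomputing quantity times price. The batch-level totals pass here because the header was prepared from the same records; change the header's record count and the batch itself is flagged before any record is edited.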
B. Processing Controls
(1) Controls
(a) Control totals should be produced and reconciled with input control
totals – proof of batch totals.
(b) Controls should prevent processing the wrong file and detect errors in
file manipulation – label checks.
(c) Limit and reasonableness checks should be incorporated into
programs to prevent illogical results such as reducing inventory to a
negative value.
(d) Run-to-run totals should be verified at appropriate points in the
processing cycle. This ensures that records are not added or lost during
the processing runs.

(2) Additional controls:

(a) Checkpoint/restart capacity – If a particular program requires a
significant amount of time to process, it is desirable to have software within
the application that allows the operator to restart the application from the
most recent checkpoint rather than from the beginning.
B. Processing Controls (cont…)
(b) Error resolution procedure – Individual transactions may be rejected
during processing as a result of the error detection controls in place. There
should be complementary controls that ensure those records are corrected
and reentered into the system.
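Label checks (1)(b), the negative-inventory limit check (1)(c) and run-to-run totals (1)(d) above, together with the internal labels described under E(2)(f), fit together as a short processing cycle. The following is an added example, not code from the chapter: each run first checks the internal label of its input file, then recomputes the record count and control total and compares them with the trailer the previous run wrote, and the update run refuses any sale that would drive on-hand inventory negative. The file layout (a label record, data records and a trailer of totals), the file ids, the cycle id and the inventory figures are all our own assumptions.

```python
# Added example (not from the chapter): run-to-run totals, an internal label
# check and a processing limit check, simulated on constructed files. The file
# layout, file ids, cycle id and inventory figures are our own assumptions.

class ControlException(Exception):
    """Raised when a processing control detects a discrepancy."""


def write_file(file_id: str, cycle: str, records: list) -> dict:
    """Write a file whose first record is an internal label and whose trailer
    carries the control totals produced by the run that wrote it."""
    return {
        "label": {"file_id": file_id, "cycle": cycle},
        "records": list(records),
        "trailer": {"record_count": len(records),
                    "control_total": sum(r["quantity"] for r in records)},
    }


def check_label(file: dict, expected_id: str, expected_cycle: str) -> None:
    """Label check: refuse to process the wrong file or the wrong cycle."""
    label = file["label"]
    if (label["file_id"], label["cycle"]) != (expected_id, expected_cycle):
        raise ControlException(f"label mismatch: {label} is not {expected_id}/{expected_cycle}")


def check_run_totals(file: dict) -> None:
    """Run-to-run check: recompute count and control total from the records
    actually read and compare them with the trailer the previous run wrote."""
    recomputed = {"record_count": len(file["records"]),
                  "control_total": sum(r["quantity"] for r in file["records"])}
    if recomputed != file["trailer"]:
        raise ControlException(f"run-to-run mismatch: read {recomputed}, trailer {file['trailer']}")


def edit_run(txn_file: dict, cycle: str) -> dict:
    """Run 1: accept the raw transaction file and pass it on with fresh totals."""
    check_label(txn_file, "SALES-TXN", cycle)
    check_run_totals(txn_file)
    return write_file("SALES-EDITED", cycle, txn_file["records"])


def update_run(edited_file: dict, cycle: str, inventory: dict) -> dict:
    """Run 2: post each sale against inventory on hand. The limit check rejects
    any transaction that would make the on-hand quantity negative."""
    check_label(edited_file, "SALES-EDITED", cycle)
    check_run_totals(edited_file)
    posted = []
    for r in edited_file["records"]:
        if inventory.get(r["item"], 0) - r["quantity"] < 0:
            raise ControlException(f"item {r['item']}: sale of {r['quantity']} would make inventory negative")
        inventory[r["item"]] -= r["quantity"]
        posted.append(dict(r, posted=True))
    return write_file("SALES-POSTED", cycle, posted)


def detect(run, *args) -> str:
    """Call a run and return the control message it raised, or '' if it passed."""
    try:
        run(*args)
    except ControlException as exc:
        return str(exc)
    return ""


# Constructed sample data.
CYCLE = "2024-06"
SAMPLE_TXNS = [{"item": "A100", "quantity": 4}, {"item": "B200", "quantity": 7}, {"item": "A100", "quantity": 2}]
SAMPLE_INVENTORY = {"A100": 10, "B200": 8}


def process_cycle(txns=SAMPLE_TXNS, inventory=None, cycle=CYCLE) -> dict:
    """Run the two-step cycle end to end; returns the posted file and final inventory."""
    inventory = dict(SAMPLE_INVENTORY if inventory is None else inventory)
    txn_file = write_file("SALES-TXN", cycle, txns)
    posted = update_run(edit_run(txn_file, cycle), cycle, inventory)
    return {"posted": posted, "inventory": inventory}


if __name__ == "__main__":
    print(process_cycle())
    lost = write_file("SALES-EDITED", CYCLE, SAMPLE_TXNS)
    del lost["records"][1]          # a record dropped between runs, trailer unchanged
    print(detect(update_run, lost, CYCLE, dict(SAMPLE_INVENTORY)))
```

Dropping a record between the two runs leaves the trailer unchanged, so the next run's recomputed count and total disagree with it and processing stops before anything is posted; feeding last month's transaction file to the cycle fails the label check in the same way. Both are the conditions (1)(b) and (1)(d) are meant to surface.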
C. Output controls
(1) Controls – visual review of the output should be done by the user or
an independent control group:
(a) Output control totals should be reconciled with input and processing
control totals.
(b) Output should be scanned and tested by comparison to original source
documents.
(c) Systems output should be distributed only to authorized users.

(2) Controls frequently used to maintain the integrity of processing:
(a) Control totals
(b) Limiting the quantity of output and total processing time
(c) Error message resolution
