COMPUTERS - Coggle Diagram
General Computer Controls:
General computer controls are those which establish an overall framework of controls for computer activities. They are controls which should be in place before any processing of transactions gets underway and they span across all applications.
System Maintenance Controls:
Objective: To ensure that changes to the system are authorised, meet users' needs and are made effectively.
Ensure that the changes made are complete, valid and properly tested, that all information is backed up, and that recovery procedures are in place
Examples:
Change forms to be pre-numbered & locked away when not in use; changes requested by users approved by the line manager; change forms signed by management or the steering committee; an IT expert to test the changes
Completeness of changes:
To ensure all approved requests for changes are processed. Achieved by pre-numbered change request forms, regular sequence checks, entering change forms in a register, and review of outstanding requests by a senior official
Validity of changes:
Requests should be approved by the correct level of authority depending on importance, state the user requirements, be reviewed by the data processing department, and be documented
System Development & Implementation Controls:
Objective: To ensure that a self-developed/purchased system is properly developed, authorised and meets users' needs.
Self-developed system
Project authorization & management
Project should be authorized and managed properly
Steering committee:
Ensure that project is authorized, timetables are adhered to, budgets are achieved, quality requirements are met
Involvement from following departments:
User department, Data processing department, Quality control department
A feasibility study should be performed to determine whether the company should buy or self-develop a program. A cost versus benefit analysis should also be done.
Appointed Project Team
Day-to-day management of project, project developed in stages, prepare timetables
Project should be authorised after feasibility study is conducted
System specification & user needs
Traditional method: written system specification - discussions between the data processing department & users
Prototype system: design a prototype, user department tries it out, refine the design through a series of prototypes
System design & programming standards:
System interacts properly with other systems, appropriate control-related programmed procedures, supervision, compliance with standards, development and testing done in the program library against test data, never against live data
Testing of new system:
Program testing
System testing
Live testing:
Parallel running & Pilot running
Conversion to new system:
Control over conversion of data by data control group
Update system documentation
Planning & preparation
Testing
Post-implementation review
Back-up of new system
Purchased Package
1. Specification & selection of packages
Discussions with users, observing the package in operation, questioning other users of the package, facilities offered, freedom from errors, speed & efficiency, ease of use, quality of support
2. Implementation & testing of packages
Independent testing, review of other users' experiences; implementation requires involvement of user departments, data processing, management and quality assurance
3. General information to consider
Must meet user requirements: prepare a statement of requirements, measure available packages against it, make minimum changes to the package, consider the possibility of future amendments and the quality of the supplier's maintenance service
4. Advantages of purchased systems
Less implementation time, lower and predetermined cost, already thoroughly tested by other users - thus generally reliable
5. Disadvantages of purchased systems
Dependent on the vendor for maintenance, may be too general/inflexible to cater for the entity's needs, changes and maintenance difficult or impossible, often written overseas (VAT & tax rules differ)
Access controls to data & programs
Objective: To prevent unauthorized changes to programs, data, terminals & files
Programmed access controls:
Communication lines & networks
Authorization of users
Programme libraries
Identification of users
Password control: minimum of 6 characters, mixing letters and numbers, upper- and lower-case letters and special characters such as !#$% (note: a 6-character minimum is well below current practice; length, lockout and a second factor matter more than character-class rules)
Terminals
Monitor of access & processing
Utilities
Physical access controls:
Manual logs
Program libraries
Terminals
Distributed processing
Logs reviewed
Screening & training staff
Computer hardware
Emergency access controls
Computer Operating Controls:
Objective: To ensure that operating procedures are applied correctly & consistently during processing, so that the correct programs and data files are used and processing is complete and accurate
Scheduling of processing
Hardware functioning
Set-up & execution of programmes
Use correct programmes and data files
Operating procedures
Examples:
Continuous monitoring & review of the functioning of the computer hardware, scheduling of processing, competent person to assist, supervision & review, hardware checks, rotation of duties, logs, recovery procedures, backup of data
Organizational & Management Controls:
Objective: To establish an organisational framework for the computer function, including segregation of duties (SOD), supervision and review, and virus protection.
Segregation of duties:
Functional, Operational, Normal SOD between transaction initiation, authorization, processing & safeguarding. Independent person to correct errors
Controls against computer viruses
Software protection, data file protection, staff, supervision & review
Examples:
Computer department to be represented on BOD, rotation of operator duties, staff should take regular leave, training of staff and career development, supervision and review
System Software:
Objective: To ensure installation, development, maintenance of software packages are authorized and effective.
1. Processing by users on personal (micro) computers requires:
Control over the software on the PC to ensure that it is not copied or pirated;
Programs written internally to be documented and tested to ensure that they have the integrity required by management.
2. Acquisition & development controls
3. Security over system software:
Integrity of staff, division of duties, employment policies, supervision & review
4. Database systems:
Access control, documentation, supervision and review.
5. Networks:
(A computer network is a collection of computers connected by communication links that allow the network components to work together), Support department, Access controls, Disaster recovery plan.
6. Processing on microcomputers:
(A microcomputer is a small computer built around a single microprocessor chip, i.e. the personal computer (PC), whether desktop, laptop or handheld.) Control of software, programs written internally tested and documented.
Business Continuity Controls:
Objective: To prevent/limit system interruption (Downtime)
1. General controls:
Data is backed up regularly and kept off-site in a fireproof safe
UPS (Uninterruptible Power Supply)
The entity's server room is air-conditioned
Plan, document and test the disaster recovery plan
2. Physical environment:
Protection against the elements:
Fire: extinguishers etc.,
Water: away from water pipes,
Power: backup supply,
Environment: air con etc.
3. Emergency plan and disaster recovery procedures:
Establish procedures/responsibilities, prepare a list of files and data to be recovered,
provide alternative processing facilities, plan, document and test the disaster recovery plan.
4. Back-up:
Regular backups on a rotational basis,
On-line/real-time backups,
Store back-up files on separate premises,
Hardware backup facilities,
Store in a fireproof safe,
Retention of files/records for the required periods.
5. Other controls:
Adequate insurance,
No over-reliance on staff,
Virus protection/prevention, physical security,
Cable protection.
6. Personnel controls:
Segregation of duties,
Job rotation,
Hiring/firing procedures,
Employment contracts, use of hardware/software, confidentiality.
Application Controls:
Controls over input, processing & output of information relating to a specific application to ensure that such information is valid, accurate & complete. Application controls include both of user & programmed controls.
User Controls:
These are the manual controls that the entity has in place over the users of the computer system (e.g. authorisation of input, review of output).
Programmed Controls:
These are the controls built into the application's program code by the system developers (e.g. edit checks, matching, control totals), as opposed to controls exercised by the users.
Processing Controls:
Data processing controls are used to ensure the accuracy, completeness, and timeliness of data during either batch or real-time processing by the computer application.
Validity of processing:
Access controls
Librarian function - correct program & files
Files, labels and version numbers - correct version
Overrides - authorization by senior management
Manual intervention - disaster recovery plan
Matching by computer
Manual logs
Supervision & review - by senior management
Segregation of duties
Accuracy of processing:
Operator manuals & instructions
Controls over hardware - ensure accurate operating
Edit checks
Physical checking for accuracy by users
Review & follow up of exception reports
Recons & balancing - Through control totals
Scrutiny of users of processed info for accuracy
Checking postings by users - posted to correct accounting docs
Supervision & review - by senior management
Completeness of processing:
Control totals
Reconciliations of balances and accounts
Sequence checks by the computer
Processing logs
Breakpoint re-runs
Adequate back-up procedures
Output Controls:
Data output is the distribution of any output produced. Output can be in hardcopy form, in the form of files used as input to other systems, or information available for online viewing.
Validity of output:
Distribution should be controlled
Distribution list - specifies who the authorized users are
Distribution schedule - determines when output is produced and to whom it goes
Distribution register
Output logs
Online output - controlled by CIS
Terminal located in secure area
Access controls
Accuracy of output:
Reconciliations - Inputs & outputs
Review of outputs - By CIS users, check for errors & accuracy of calculations
Completeness of output:
Reports
Reconciliations
Sequence checks
Review of reports
Input Controls:
Data input is the conversion from its original source into computer data, or entry into a computer application.
Validity of input
Authorization:
Authorised use of the program & computer
Overrides of system generated information: Specific authorization - senior management
Segregation of duties:
No one person should perform incompatible tasks (e.g. initiate, authorise and capture the same transaction)
Changes of data:
Under supervision
Access Controls:
Programmed and physical controls
Accuracy of input
Edit checks:
Dependency check
Field size check
Limit or reasonableness check
Screen prompts
Validity or existence check
Logic checks
Screen check
Sign check
Formatting check
Specific character check
Field presence check
Arithmetic check
Matching by computer:
Input transactions with data on file
Staff training:
All users need to be given training
Control over documents:
Well designed documents
Control over screens:
User friendly screens
Review by users or senior staff:
Info that has been entered on screen
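The edit checks and computer matching listed above, as an added Python example (not code from the original notes): one function applies each type of check to a sales-invoice input record and returns the exceptions. The record layout, the debtors master-file extract, the 15% VAT rate, the credit limits and the reasonableness limit are assumptions chosen for illustration.

```python
"""Programmed edit checks over a sales-invoice input record.

Added example, not code from the original notes.  The record layout, the
master-file extract, the VAT rate and the limits are assumptions.
"""
import re
from datetime import date

# Constructed master-file extract: account number -> (name, credit limit).
DEBTORS_MASTER = {
    "D00017": ("Acme Traders", 50_000.00),
    "D00042": ("Beta Stores", 10_000.00),
}
VALID_VAT_CODES = {"S", "Z"}       # assumed codes: standard-rated, zero-rated
VAT_RATE = 0.15                    # assumed rate for the arithmetic check
MAX_INVOICE_AMOUNT = 100_000.00    # assumed limit/reasonableness threshold
REQUIRED = ("invoice_no", "account", "invoice_date", "net", "vat_code", "vat")


def edit_check(rec: dict, today: date) -> list:
    """Apply each edit check to one input record; return the error messages.

    An empty list means the record passed.  `today` is a parameter so the
    logic (date) check gives the same answer whenever it is run.
    """
    errors = []

    # Field presence check: every required field must be supplied.
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        errors.append("missing fields: " + ", ".join(missing))
        return errors  # the remaining checks would only report consequences

    # Field size check: the account number is a fixed-length field.
    if len(rec["account"]) != 6:
        errors.append("account: field size must be 6 characters")
    # Formatting check: the letter D followed by five digits.
    if not re.fullmatch(r"D\d{5}", rec["account"]):
        errors.append("account: format must be D followed by 5 digits")
    # Specific character check: invoice numbers are alphanumeric only.
    if not rec["invoice_no"].isalnum():
        errors.append("invoice_no: only letters and digits allowed")

    # Validity / existence check: the account must exist on the master file
    # and the VAT code must be one the system recognises.
    if rec["account"] not in DEBTORS_MASTER:
        errors.append("account: not on debtors master file")
    if rec["vat_code"] not in VALID_VAT_CODES:
        errors.append("vat_code: unknown code")

    # Sign check: a sales invoice cannot carry negative amounts.
    if rec["net"] < 0 or rec["vat"] < 0:
        errors.append("net/vat: negative amount")

    # Limit / reasonableness check.
    if rec["net"] > MAX_INVOICE_AMOUNT:
        errors.append("net: exceeds reasonableness limit")

    # Dependency check: a zero-rated invoice cannot carry VAT.
    if rec["vat_code"] == "Z" and rec["vat"] != 0:
        errors.append("vat: must be zero when vat_code is Z")
    # Arithmetic check: VAT on a standard-rated invoice equals net x rate
    # (compared to the cent, to avoid float rounding noise).
    if rec["vat_code"] == "S" and abs(rec["net"] * VAT_RATE - rec["vat"]) > 0.005:
        errors.append("vat: does not equal net x VAT rate")

    # Logic check: an invoice cannot be dated in the future.
    if rec["invoice_date"] > today:
        errors.append("invoice_date: in the future")

    # Matching by computer: the input is compared with data on file - the
    # invoice may not take the debtor over the credit limit held on the master.
    if rec["account"] in DEBTORS_MASTER:
        _, limit = DEBTORS_MASTER[rec["account"]]
        if rec["net"] + rec["vat"] > limit:
            errors.append("amount: exceeds credit limit on master file")

    return errors


# Constructed sample input: one clean record and one that trips several checks.
TODAY = date(2024, 3, 31)
GOOD = {"invoice_no": "INV1001", "account": "D00017", "invoice_date": date(2024, 3, 1),
        "net": 1_000.00, "vat_code": "S", "vat": 150.00}
BAD = {"invoice_no": "INV-1002", "account": "D0042", "invoice_date": date(2025, 1, 1),
       "net": 20_000.00, "vat_code": "Z", "vat": 3_000.00}

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, edit_check(rec, TODAY) or "passed all edit checks")
```

The presence check runs first and short-circuits, since a missing field would otherwise be reported again by every later check that reads it; the other checks are all reported together so the user sees every problem with the record in one rejection rather than one per re-keying.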
Completeness of input
Sequence test by the computer:
Numeric sequence
Review of output reports by users:
Follow up on missing numbers
Matching by computer:
Transactions entered compared to information on the master file
Examining of processing logs:
For missing entries
Stationery controls:
Form design should be easily understandable
Control totals
1. Financial totals
2. Hash totals
3. Record counts
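Control totals and the sequence test as they would be programmed, covering both the completeness-of-processing list (control totals, sequence checks by the computer) and the completeness-of-input list above. This is an added Python example, not code from the original notes: the batch header, the captured transactions and the field names are constructed, and the hash total is taken as the sum of account numbers, a figure with no business meaning that exists only to show that a record was dropped or altered.

```python
"""Batch control totals and a sequence check over a constructed input batch.

Added example, not from the original notes.  The batch header figures, the
transaction lines and the field names are constructed for illustration.
"""

# The user department counts and totals the batch before it is captured and
# records the result on a batch header (constructed values).
BATCH_HEADER = {"record_count": 4, "financial_total": 5_750.00, "hash_total": 160}

# What the computer actually received: document 103 was never keyed in.
CAPTURED = [
    {"seq": 101, "account": 17, "amount": 1_000.00},
    {"seq": 102, "account": 42, "amount": 2_250.00},
    {"seq": 104, "account": 59, "amount": 2_000.00},
]


def compute_totals(records):
    """Record count, financial total (sum of amounts) and hash total (sum of
    account numbers - a meaningless figure used purely as a control)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }


def sequence_check(records, first_seq, last_seq):
    """Numeric sequence test: return (missing numbers, duplicated numbers)
    for documents that should run from first_seq to last_seq."""
    seen = [r["seq"] for r in records]
    missing = sorted(set(range(first_seq, last_seq + 1)) - set(seen))
    duplicates = sorted({s for s in seen if seen.count(s) > 1})
    return missing, duplicates


def batch_control(header, records, first_seq, last_seq):
    """Reconcile the captured batch to its header and test the sequence.

    Differences are computer minus header, so a dropped record shows as a
    negative difference; an exception report would list the non-zero items.
    """
    actual = compute_totals(records)
    report = {k: round(actual[k] - header[k], 2) for k in header}
    report["missing_seq"], report["duplicate_seq"] = sequence_check(
        records, first_seq, last_seq)
    report["balanced"] = (all(report[k] == 0 for k in header)
                          and not report["missing_seq"]
                          and not report["duplicate_seq"])
    return report


if __name__ == "__main__":
    print(batch_control(BATCH_HEADER, CAPTURED, 101, 104))
```

The three totals are deliberately kept together with the sequence test: a batch in which document 103 is omitted but document 104 is keyed twice with 103's account and amount balances on count, financial total and hash total, and only the sequence test shows that the wrong documents were captured.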
Master File Controls:
Files which are used to store only standing information (e.g. name, address and credit limits of debtors) and latest balances (e.g. outstanding balances of debtors). Changes to standing data on the master file are referred to as master file amendments.
The biggest risk regarding the master files is that any changes to the master file might not be valid, accurate and complete.
Accuracy of processing changes:
Recon of master file with amendment forms & 3rd party confirmation
Edit checks over data capture
Completeness of processing changes:
Sequential numbered audit trail of master file changes
Recon of master file amendment forms with changes register
Validity of processing changes:
Authorization of changes in writing by senior management on a master file amendment form
All the master file amendments forms should be captured in a register
Checking the changes of the master file to the logs of changes; and
Follow up of unauthorised changes.
General controls over master file:
Encryption
Library function
Record counts
Reconciliations
Regular senior review of master file
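The reconciliation the master-file controls above describe (amendment forms against the system's change log, with follow-up of unauthorised changes), as an added Python example that is not code from the original notes. The approved-forms register, the log entries, the field names and the user IDs are all constructed; the three result lists map onto validity, accuracy and completeness of the changes.

```python
"""Reconciling master-file amendment forms to the system's change log.

Added example, not from the original notes.  The approved forms, the log
entries, the field names and the user IDs are constructed for illustration.
"""

# Register of amendment forms approved in writing by senior management
# (constructed).  Form 504 was approved but never captured.
APPROVED_FORMS = [
    {"form_no": 501, "account": "D00017", "field": "credit_limit", "new_value": "60000"},
    {"form_no": 502, "account": "D00042", "field": "address", "new_value": "12 Main Rd"},
    {"form_no": 503, "account": "D00099", "field": "credit_limit", "new_value": "5000"},
    {"form_no": 504, "account": "D00123", "field": "status", "new_value": "closed"},
]

# Sequentially numbered audit trail written by the system for every change
# to the debtors master file (constructed).
CHANGE_LOG = [
    {"log_seq": 9001, "form_no": 501, "account": "D00017", "field": "credit_limit", "new_value": "60000", "user": "clerk_a"},
    {"log_seq": 9002, "form_no": 502, "account": "D00042", "field": "address", "new_value": "12 Main Rd", "user": "clerk_a"},
    {"log_seq": 9003, "form_no": None, "account": "D00042", "field": "credit_limit", "new_value": "250000", "user": "clerk_b"},
    {"log_seq": 9004, "form_no": 503, "account": "D00099", "field": "credit_limit", "new_value": "50000", "user": "clerk_a"},
]

DETAILS = ("account", "field", "new_value")


def reconcile(forms, log):
    """Match each log entry to an approved form and each form to the log.

    Returns the three follow-up lists the notes call for:
      unauthorised - log entries with no approved form behind them (validity),
      inaccurate   - entries that cite a form but differ from what was
                     approved (accuracy),
      unprocessed  - approved forms never reflected on the log (completeness).
    """
    by_form = {f["form_no"]: f for f in forms}
    unauthorised, inaccurate, applied = [], [], set()
    for entry in log:
        form = by_form.get(entry["form_no"])
        if form is None:
            unauthorised.append(entry["log_seq"])
        elif any(entry[k] != form[k] for k in DETAILS):
            inaccurate.append(entry["log_seq"])
            applied.add(form["form_no"])   # captured, but captured wrongly
        else:
            applied.add(form["form_no"])
    unprocessed = sorted(set(by_form) - applied)
    return {"unauthorised": unauthorised, "inaccurate": inaccurate,
            "unprocessed": unprocessed}


def log_gaps(log):
    """A gap in the log's own sequence numbers means an entry was deleted or
    the audit trail was switched off, which is itself a finding."""
    seqs = sorted(e["log_seq"] for e in log)
    present = set(seqs)
    return [s for s in range(seqs[0], seqs[-1] + 1) if s not in present]


if __name__ == "__main__":
    for key, items in reconcile(APPROVED_FORMS, CHANGE_LOG).items():
        print(f"{key}: {items}")
    print("log gaps:", log_gaps(CHANGE_LOG))
```

Entry 9003 (a credit limit raised with no form) is the classic fraud case the notes warn about; entry 9004 shows why accuracy is checked separately from validity, since a form exists but the captured value is ten times the approved one.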
Weakness & Risk:
Even though a company may back up its computer system from time to time, if the back-ups are stored on site it is still vulnerable to major data loss in the event of fire or flooding. Back-ups should be stored off site in a fireproof safe.
Weakness & Risk:
Without proper application control in regards to edit checks, programs and applications can be exposed to data corruption and extreme cases of fraud
Computer Audit Assist Techniques: (CAATs)
System Orientated Audit Software:
These CAATs concentrate on the accounting system & related control procedures - used predominantly to perform tests of controls
Known as:
Auditing through the computer
Integrated test facility
: An artificial (dummy) unit is created within the client's live system, for example Company "X" or Cost Centre "Y".
Feed test data through the dummy system
This type of CAAT reduces the risk of corrupting client’s information
The major disadvantage: Fictitious transactions may be muddled in with client’s data if not correctly coded or if the dummy unit is not separated out before reports are sent to users
Parallel simulation
: Running client’s transaction data & master file information through a “trusted” system set up by the auditor, as well as through the client’s normal system
Results of the two processing runs are then compared & any discrepancies are followed up
Embedded audit facility
: The auditor arranges to have an audit module inserted into the client’s application program
Designed to either identify transactions which might be of particular interest to the auditor, or to re-perform certain validation controls & report thereon, while the client is actually running the normal application programs
Test data
: This type of CAAT requires the auditor to create a set of transactions (let us assume clock cards) to be keyed in & processed
Design transactions to test any control
To be effective: the auditor must be fully aware of the controls in the system
Only tells the auditor that the control was working when tested
Auditor must ensure the programme tested is the one used in live runs
May be run against a "copy" of the live programme
Tests input validations, online password & data access controls
Processing of data by computer system
Data Orientated Audit software
: Obtaining evidence to support the assertions relating to balances in the statement of financial position and totals of transactions that underlie the statement of comprehensive income.
Data orientated audit software
Re-perform calculations
Perform investigations and analyses
Select samples
Extract summaries
Perform comparisons
1. Generalized/customized audit software (GAS):
Used to extract/analyse/reformat data extracted from client systems
Easily programmable to access various file formats and data fields
Menu driven, which adds to their user-friendliness
Available for use on a wide range of hardware and systems software
Special security features are generally included
2. System utilities and report writers:
Utility programs can be used to manipulate and analyse data & test whether programs function correctly.
Report-writing programs enable users, including the auditor, to design and extract various reports.
Advantages
Already loaded on the client's system
Simple to use
Can perform many of the tests that GAS packages offer
Cost generally lower than GAS
Disadvantages
The auditor will have to assess how the client's unfamiliar utilities and report writers function.
These forms of CAAT may not be as well documented as GAS packages, and may not quite meet the auditor's requirements.
Audit functions that can be performed using data-orientated CAATs:
Sorting and file re-organisation;
Summarisation, stratification and frequency analysis;
Extracting samples;
Exception reporting;
File comparison;
Analytical review;
Casting and recalculation; and
Examining records for inconsistencies, inaccuracies and missing data, including sequential numbers and duplicates (and creating reports thereon).
Factors that will influence the decision to use CAAT’s
Potential loss of independence
The attitude of the client
Availability of skills in the audit team
The utilities available at the client which can assist
Data stored in electronic form
Volume of transactions/output
Complexity of the clients system
Compatibility of the firm’s hardware and software with the clients hardware and software
In IT systems, tests of controls and substantive procedures can be performed using audit software that can access the client’s computerised system at high speed. This audit software is referred to as CAATs.
Auditing in an information technology environment
: Smaller firms - "off the shelf" packages replace manual records. Audit approach:
1. Examine the controls around data input to ensure the day-to-day input of transaction information
2. Examine the standing or master file data, and ensure it is properly authorised & currently used by the computer
3. Examine the output and relate it to the input
4. Examine the output against external verification
Where computerised systems are more complex & the computer generates information internally through automated routines, the auditor needs to adopt a different approach. Challenges:
In complex systems the organisation's own IT staff may not understand all the detail
Management may not understand the computer system and may actively avoid becoming involved in its day-to-day operations