Computers:
A) General computer controls
B) Application controls

Unit 6

A General Computer controls

Framework:

  1. System development and implementation controls;
  2. System Maintenance controls;
  3. Organizational- and management controls;
  4. Access controls to data and programs;
  5. Computer operating controls;
  6. System software controls;
  7. Business continuity controls.

B) Application controls

Framework:

  1. Input controls;
  2. Processing controls;
  3. Output controls;
  4. Master file controls.

1A.

2 options of development:

  1. Self developed (SD);
  2. Purchased package (PP).

SD 5 subsections:

a) Project authorization and management:

  • Project authorized + managed properly.
  • Include development plan
  • IT steering committee (senior management from user and computer dept.) authorizes project.
  • IT steering committee: authorizes; timetable adherence; Achieved budgets; Meet quality requirements.
    Involvement needed from:
    User dept - Ensure requirements are incorporated.
    Data processing dept - Assist with technical soundness.
    Quality control dept - Ensure correct std of design.
  • Conduct feasibility study
  • Project team: Day to day management; Project developed in stages; Prep timetables.

b) System specification and user needs:
2 Methods to specify systems:

  1. Traditional method - Written systems specs by discussions amongst data processing dept. and users.
  2. Prototype systems: Design prototype and allow users to try out; Refine design.

c) System design and programming standards
-Standards will ensure: system interacts with existing systems; appropriate control-related procedures; supervision over design; compliance with standards.

d) Testing of new system
3 stages -

  1. Program testing;
  2. System testing;
  3. Live testing - Parallel testing and Pilot running.

e) Conversion to new system:

  1. Planning and preparation:
  • Prepare timetables; Define methods; Determine cut-off dates; training of staff; prepare premises.
  2. Control over conversion of data by data control group:
  • Supervision by senior management and auditor involvement.
  3. Update system docs:
  • System flowcharts, -descriptions; Operating manuals.
  4. Testing:
  • Balance old and new files; 3rd party confirmations; Follow up exceptions; manual data comparisons; approved by users.
  5. Backup new system
  6. Post-implementation review

PP 5 subsections:

a) Specs and selection of packages:

  • Discuss with other users; Observe operation of packages; Question other users; Freedom from errors; Speed and efficiency.

b) Implement best package:

  • Testing; Independent testing; Review and experience; Implementation.

c) General information when purchasing package:

  • Package must meet user requirements; Prepare statement of requirements; Measure available packages against requirements; Min changes to be made; Possible future amendments.

d) Advantages:

  • Less implementation time; Lower cost; Tested and reliable.

e) Disadvantages:

  • Vendor maintenance dependence; Inflexible; Change difficult; Written overseas.

2A.

Objective is to ensure changes to systems are authorized and meet users' needs.

  • Systems change controls ensure that systems are: Complete; Accurate; Properly tested and all information is backed up.

Controls include:

  • Change forms should be prenumbered and locked away.
  • Change requests to be authorised by line manager and reason provided.
  • Change forms to be signed by management or computer steering committee.
  • IT expert to test system for operation after changes.

Completeness of change:

  • Ensure all approved requests are processed.
  • Achieved by:
    Prenumbered change request forms; Regular sequence checks; Enter change forms into register;
    Review outstanding change requests by senior management.

Validity of changes:

  • Requests approved by correct level of authority; User requirements; Reviewed by data processing dept.; Documented.

3A.

Objective: To ensure frameworks for segregation of duties, supervision and review as well as virus protection.

Controls include:

  • Computer dept. represented on Board of Directors; CIS manager report to senior management; Computer Steering committee set policies and exercise control over IT activities; Two operators per shift; Staff regularly take leave; Training and development of staff; Supervision and review.

Segregation of duties

Functional: Separate CIS dept.
Operational: Segregation of duties between - System analysts, programmers and operators.
Normal SOD between: Transaction initiation, authorization, processing and safeguarding.

  • Independent correction of errors.

Controls against computer viruses

Software protection:

  • Purchases to be done from reputable supplier; Don't use "free" or "public domain" programs; Don't lend out discs; Don't use illegal copies.

Data file protection:

  • Install virus detection software; Test files for viruses; Regular backups.

Staff:

  • Inform staff of the dangers; Train users of microcomputers; Report procedures in case of infection.

Supervision and review:

  • CIS manager, divisional managers, section heads; System investigations by internal- and external audit.

4A.

Goal is to prevent unauthorized changes to programs, data, terminals and files.

Programmed access controls:
Terminals:

  • TINS; limit access; auto log off after 5 minutes of non use; shut down after 3 attempts; single log on station; investigate disconnection.

ID of users:

  • User ID's and passwords; verify IP; Magnetic cards; voice recognition.

Authorization of users:

  • Logon ID's; passwords; user matrixes; passwords for specific levels.

Communication lines and networks:

  • Passwords; dial back; ID data; encryption of data

Monitor of access:

  • Audit trails reviewed; console logs; Application software; firewalls

Password controls:

  • Strength: minimum 6 characters; alpha/numerical; capital and small letters; special characters.
  • Not easily guessed; changed regularly; Re-use prohibited; confidential; Use for authorization; authorization levels linked.

Program libraries:

  • Access to backups controlled by software; passwords; updating authorized.

Utilities:

  • Store separately; Use logged and reviewed.

Physical access controls:
Terminals:

  • Locked; located visible area; lockable room.

Computer hardware:

  • Supervision and review; removable mediums secure.

Program libraries:

  • Register; Access controlled.

Distributed processing:

  • Only executable programs; independent comparison of programs to source programs.

Logs reviewed
Screening and staff training
Emergency access controls.

5A.

Goal is to ensure procedures are applied correctly and consistently to limit bad debt losses and encourage payments.

Controls include:

  • Schedule of processing; Hardware functioning; Set up and execution; Use correct programs; Operating procedures.

Examples include:

  • Continuous monitoring and review of computer functioning;
  • Standardise procedures and operating procedures for users;
  • Adequate user manuals;
  • Competent person assisting;
  • Procedure manuals;
  • Supervision and review;
  • Tests;
  • Operating procedures (Hardware checks; Segregation of duties; Rotation of duties; Logs; Supervision and review);
  • Recovery procedures.

6A.

Objective is to ensure that the installation, development and maintenance of software packages are authorized and effective.

Examples of controls:

  • Users using personal microcomputers: control over software on PC, not copied or pirated; Internal programs documented and tested.
  • Acquisition and development of controls;
  • Security over software system: Integrity of staff; division of duties; employment policies; supervision and review.
  • Database systems: access controls; documentation; supervision and review.
  • Networks: Support dept. access control; disaster recovery plan.
  • Microcomputer processing: Control of software

7A.

Objective is to control/ prevent system interruption.

Controls include:
General controls:

  • Data backed up regularly; Uninterrupted power supply; Server room air-conditioned; Plan, document and test disaster recovery.

Physical environment:

  • Protect against the elements: fire extinguishers; keep equipment away from water pipes; power and backup supply.

Emergency plan and disaster recovery procedure:

  • Establish procedure; prepare list of files to be recovered; provide alternative processing facilities; plan, document and test procedures.

Back up:

  • Do regularly; on line real time; store back up files separate premises; hardware backup facilities; fireproof safe.

Other:

  • Adequate insurance; no over reliance on staff; virus protection; physical security; cable protection.

Personnel controls:

  • SOD; job rotation; hiring and firing procedures; contracts; confidentiality.

1B.

Conversion of data from original source into computer, manually or batch processing.

Validity:

  • Access controls:
    Programmed controls: TINS, ID and authorization of users; passwords; comm lines and networking; program libraries.
    Physical controls: Terminals and comp hardware.
  • SOD:
    Same person cannot perform all tasks.
  • Authorization:
    User of program with signature or online password.
    Computer will verify data against codes/ data on master file.
  • Overrides of system generated info:
    Specific authorization by senior personnel; printed on exception report and followed up by senior management; review of authorization procedures by internal auditor.
  • Changes in data:
    Authorization by senior management; done by independent person; under supervision; tested and documented; printed on exception report.

Accuracy:

  • Matching by computer:
    Input transactions with data on file; info generated by computer; unmatched items printed on exception report and followed up.
  • Senior/ user review:
    Info entered.
  • Edit checks:
    Field presence check; formatting check; screen check; validity check; limit check; dependency check; field size check; screen prompts; logic check; sign check; specific character check; arithmetic check.
  • Staff training
  • Control over documents:
    Well designed, minimizing errors.
  • Control over screens:
    User friendly, minimizing errors.

Completeness:

  • Stationery control:
    Easily understandable; pre-numbered documents.
  • Matching by computer:
    Transactions entered compared to info on master file; unmatched items printed and reviewed by senior personnel.
  • Sequential testing:
    Numeric sequence; follow up missing numbers.
  • Review of output reports:
    Ensure numeric sequence; follow up missing numbers; balance input with output.
  • Control totals:
    Controls built into system:
    Financial totals = ensure the total of fields holding monetary values equals the total entered;
    Hash totals = ensure the total of numeric (non-monetary) fields equals the total of those fields entered;
    Record counts = ensure the total number of records equals the total records submitted.

2B.

Used to ensure accuracy, completeness and timeliness of data during batch or real-time processing by a computer application.

Validity:

  • Access controls;
  • Librarian function:
    Correct program usage ensured.
  • Files, labels and version numbers:
    Ensure correct version used.
  • Overrides:
    Authorized by senior management; printed on exception report and followed up by management.
  • Manual intervention:
    Obtain authorization from management if system breaks down; disaster recovery plan important.
  • Matching by computer:
  • Manual logs:
    Review unscheduled processing/ unauthorized use; printed on exception report and followed up by management.
  • Supervision and review
  • SOD

Accuracy:

  • Operator manuals to be in place
  • Controls over hardware
  • Edit checks
  • Physical checking for accuracy by users
  • Review and follow up on exception reports
  • Recons and balancing:
    Through control totals
  • Scrutiny by users of processed info
  • Checking postings by users
  • Supervision and review.
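The programmed edit checks listed under input accuracy above (and again under processing accuracy here) run over a batch of captured records, as an added example that is not part of the original notes. The master-file extract, the record field names and the sample batch are constructed for the example.

```python
import re

# Constructed master-file extract (assumed fields): customer code -> credit limit
CUSTOMER_MASTER = {"C001": 5000.00, "C002": 1500.00}
REQUIRED = ("doc_no", "customer", "date", "qty", "price", "amount")

def edit_check(rec):
    """Return the list of edit-check failures for one captured record."""
    errors = []
    # Field presence check: every required field must have been captured
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        return [f"presence: {f} missing" for f in missing]  # later checks need the fields
    # Formatting / specific character check: document number is INV + 6 digits
    if not re.fullmatch(r"INV\d{6}", rec["doc_no"]):
        errors.append("format: doc_no")
    # Validity check: customer code must exist on the master file
    if rec["customer"] not in CUSTOMER_MASTER:
        errors.append("validity: unknown customer")
    # Sign check: quantity and price must be positive
    if rec["qty"] <= 0 or rec["price"] <= 0:
        errors.append("sign: qty/price not positive")
    # Arithmetic check: amount must equal qty x price
    if round(rec["qty"] * rec["price"], 2) != round(rec["amount"], 2):
        errors.append("arithmetic: amount != qty * price")
    # Limit check: amount may not exceed the customer's credit limit
    limit = CUSTOMER_MASTER.get(rec["customer"])
    if limit is not None and rec["amount"] > limit:
        errors.append("limit: exceeds credit limit")
    # Dependency check: a discount may only be captured with an authorization reference
    if rec.get("discount", 0) and not rec.get("discount_auth"):
        errors.append("dependency: discount without authorization")
    return errors

def exception_report(batch):
    """Map each rejected document to its failures; clean records are omitted."""
    report = {}
    for i, rec in enumerate(batch):
        errs = edit_check(rec)
        if errs:
            report[rec.get("doc_no") or f"record {i}"] = errs
    return report

# Constructed batch: one clean invoice, one with a bad customer and amount, one with several faults
BATCH = [
    {"doc_no": "INV000101", "customer": "C001", "date": "2024-03-05", "qty": 4, "price": 250.00, "amount": 1000.00},
    {"doc_no": "INV000102", "customer": "C999", "date": "2024-03-05", "qty": 2, "price": 100.00, "amount": 250.00},
    {"doc_no": "INV-103", "customer": "C002", "date": "2024-03-06", "qty": -1, "price": 100.00, "amount": -100.00, "discount": 10},
]
```

The dictionary returned by `exception_report` is the exception report that senior personnel review and follow up; records with no entry passed every check.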

Completeness:

  • Control totals
  • Recons of balances and accounts:
    To ensure subsidiary ledgers recon with GL
  • Sequential testing by computer:
    Numeric sequence; missing numbers followed up
  • Processing logs
  • Breakpoint re-runs:
    If processing stops, this function ensures that processing restarts at the correct point.
  • Adequate backup procedures:
    Regular backups; Online/ real-time; Store in separate premises; fireproof safe.
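Control totals (financial total, hash total, record count) and the sequential test, listed under both input and processing completeness above, applied to a captured batch and compared with the totals on the batch header; this is an added example, not part of the original notes, and the record layout, header fields and sample batch are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    doc_no: int      # pre-numbered source document number
    account: int     # numeric account code with no arithmetic meaning (hash total field)
    amount: float    # monetary value (financial total field)

@dataclass(frozen=True)
class BatchHeader:   # totals recorded by the data control group before capture (assumed)
    record_count: int
    financial_total: float
    hash_total: int
    first_doc: int
    last_doc: int

def control_totals(batch):
    """Recompute record count, financial total and hash total from the captured records."""
    return (len(batch),
            round(sum(t.amount for t in batch), 2),
            sum(t.account for t in batch))

def sequence_gaps(batch, first_doc, last_doc):
    """Sequential test: document numbers in the expected range that were not captured."""
    present = {t.doc_no for t in batch}
    return [n for n in range(first_doc, last_doc + 1) if n not in present]

def check_batch(header, batch):
    """Compare recomputed totals with the header; return exception report lines."""
    count, fin, hsh = control_totals(batch)
    exceptions = []
    if count != header.record_count:
        exceptions.append(f"record count {count} != submitted {header.record_count}")
    if fin != round(header.financial_total, 2):
        exceptions.append(f"financial total {fin} != submitted {header.financial_total}")
    if hsh != header.hash_total:
        exceptions.append(f"hash total {hsh} != submitted {header.hash_total}")
    for n in sequence_gaps(batch, header.first_doc, header.last_doc):
        exceptions.append(f"document {n} missing from sequence")
    return exceptions

# Constructed batch: four source documents 2001-2004 were batched, but document 2003 was
# never captured and 2004 was keyed to account 1040 instead of 1004.
HEADER = BatchHeader(record_count=4, financial_total=1200.00, hash_total=4010,
                     first_doc=2001, last_doc=2004)
CAPTURED = [Txn(2001, 1001, 500.00), Txn(2002, 1002, 250.00), Txn(2004, 1040, 105.00)]
```

The hash total is what catches the account code keyed as 1040: the amount is correct, so the financial total and record count alone would not flag it.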

3B.

Distribution of any output produced.

Validity:

  • Distribution controlled:
    CIS dept. responsible to control distribution of output.
  • Distribution list:
    Specifies authorized users.
  • Distribution schedule:
    Which outputs will be received and when.
  • Distribution register:
    User should sign for output received.
  • Output logs:
    Reviewed for unauthorized output.
  • Online output:
    Controlled by CIS; terminals in secure area.
  • Access controls.

Accuracy:

  • Recons
    Input to output
  • Review of outputs:
    CIS users; check for errors; calculation accuracy; posting from sub ledgers to gen. ledgers.

Completeness:

  • Reports:
    Sequentially numbered; contain end of report messages; page counts.
  • Recons:
    Input to output.
  • Sequence checks:
    Page numbers or doc numbers
  • Review of reports:
    By users; Inspect numerical sequence, missing items, senior management follow up.

4B.

Files used to store only standing info and latest balance.

Validity:

  • Authorization of changes in writing by senior management on master file amendment form; forms captured in register; checking changes of master file to logs of changes; follow up unauthorized changes.

Accuracy:

  • Recon of master file with amendment forms and 3rd party confirmation; Edit checks over data capture.

Completeness:

  • Sequential numbered audit trail of master file changes; Recon of master file amendment forms with changes register.

General controls over master file:

  • Encryption; library function; record counts; recons; regular senior review of master file.
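The master file controls above (authorized amendment forms captured in a register, checking changes against the log of changes, following up unauthorized changes, and reconciling the amendment forms with the changes register) worked as a reconciliation, as an added example that is not part of the original notes. The form and log field names and the sample data are constructed.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass(frozen=True)
class AmendmentForm:      # entry in the register of pre-numbered amendment forms
    form_no: int
    record: str           # e.g. supplier code on the master file
    field: str
    new_value: str

@dataclass(frozen=True)
class ChangeLog:          # one sequentially numbered line of the system's audit trail
    seq: int
    user: str
    record: str
    field: str
    new_value: str
    form_no: Optional[int]  # form reference keyed with the change, if any

def reconcile(forms, log):
    """Return (unauthorized change seqs, unprocessed form numbers, value mismatches)."""
    by_form = {f.form_no: f for f in forms}
    processed, unauthorized, mismatched = set(), [], []
    for entry in log:
        form = by_form.get(entry.form_no)
        if form is None or (form.record, form.field) != (entry.record, entry.field):
            unauthorized.append(entry.seq)          # validity: no approved form covers it
            continue
        processed.add(form.form_no)
        if form.new_value != entry.new_value:
            mismatched.append((form.form_no, entry.seq))  # accuracy: keyed value differs
    unprocessed = sorted(set(by_form) - processed)       # completeness: form never captured
    return unauthorized, unprocessed, mismatched

def audit_trail_gaps(log):
    """Sequence check over the audit trail: missing numbers suggest deleted log lines."""
    seqs = sorted(e.seq for e in log)
    return [n for n in range(seqs[0], seqs[-1] + 1) if n not in set(seqs)] if seqs else []

# Constructed data: form 12 keyed with an extra zero, form 13 never processed, an
# unreferenced bank-detail change on SUP002, and audit trail entry 103 missing.
FORMS = [
    AmendmentForm(11, "SUP001", "bank_acc", "123456"),
    AmendmentForm(12, "SUP003", "credit_limit", "20000"),
    AmendmentForm(13, "SUP004", "address", "1 New St"),
]
LOG = [
    ChangeLog(101, "clerk1", "SUP001", "bank_acc", "123456", 11),
    ChangeLog(102, "clerk1", "SUP003", "credit_limit", "200000", 12),
    ChangeLog(104, "clerk2", "SUP002", "bank_acc", "999999", None),
]
```

Each of the three lists maps to one of the headings above: unauthorized changes to validity, unprocessed forms to completeness, and value mismatches to accuracy; the gap at entry 103 is what the sequentially numbered audit trail exists to expose.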

Objective is to ensure a self-developed/ purchased system is properly developed, authorized and meets users' needs.

Example of weakness and risk:
If a company seeks to develop a new system but does not conduct a feasibility study to determine cost vs benefit, this is a weakness.

The company stands the risk of developing a very expensive new system with many stages, where it could have purchased a system which would have met all its user needs at a much lower price.

Audit 31
Dean Fensham
220015316