COMPUTERS, Application Computer Controls
Application Computer Controls
the controls over your transaction data to ensure the data meets the relevant control objectives; controls over input, processing & output of info relating to a specific app to ensure that such info is valid, accurate & complete. App controls include both user & programmed controls
General Computer Controls
overall framework of controls for computer activities; the controls that should be in place before any processing of transactions gets underway and they span across all applications
Overall Framework of General Comp Ctrl
- System Development and Implementation Controls
- System Maintenance Controls (change controls)
- Organisational and Management Controls
- Access Controls to Data and Programs
- Computer Operating Controls
- System Software Controls
- Business Continuity Controls
USER Controls
controls that entity has in place over the actual user of the computer system:
- all new empl req to attend training on the computer system prior to being granted access
- users need to attend regular training and update sessions to ensure that they have the required level of knowledge to perform their duties effectively
PROGRAMMED Controls
controls that are actually programmed into the system code of the operating system that the entity is using; any controls that are programmed into the system by the system developers.
Overall Framework of Application Comp Ctrl
- Input Controls: ensure data is valid, accurate, complete
- Processing Controls: ensure data is valid, accurate, complete
- Output Controls: ensure data is valid, accurate, complete
- Master File: to ensure any changes made to master file are valid, accurate, complete
AUDITING
in Information Technology Environment
- Objectives and Scope of audit do not change
- Methods for application of audit procedures and acquisition of audit evidence change
- may be necessary for the auditor to use the computer to obtain audit evidence - generally referred to as the use of audit software or computer-assisted audit techniques (CAATs)
- CAATs = audit software that can access the client's computerised system at high speed
- Two types of audit software:
a) System Orientated audit software - used to test computerised controls
b) Data Orientated software - used to assist in the performance of substantive audit procedures to access, retrieve and manipulate data from a computerised info system
System Development & Impl Ctrls
objective: to ensure self-developed/purchased system is properly developed, authorised and meets user's needs.
Project authorisation & mngt
- steering committee
- involved dpts: user dpt; data processing dpt; QC dpt
- feasibility study
- project team
System specification and user needs
- 2 methods of specifying systems: traditional method; prototype systems
System design & programming standards
- will ensure: interaction with existing systems; control-related programmed proc; supervision, etc.
Testing of new system
- 3 stages: program testing; system testing; live testing - parallel and pilot running
Conversion to new system
- planning and prep
- control over conversion of data by data control group
- update system docs
- testing
- backup of new system
- post-impl review
- Specs and selection of packages: discussions; observation; questioning; facilities; freedom; speed; ease; quality
- Implementation & testing of packages
- General important info to consider when purchasing a package - meet user requirements; prepare statement of requirements; measure available packages against req; min changes to be made; possibility of future amendments; quality of maintenance service from supplier
- Advantages of purchased systems
- Disadvantages of purchased systems
System Maintenance Ctrls
objective: to ensure changes to system are authorised, meet user's needs and are made effectively
To ensure that all changes we make to our systems are: complete; valid; properly tested and all info backed-up and recovery procedures are in place
Organisational & mngt Ctrls
objective: organisational framework such as segregation of duties (SOD), supervision and review and virus protection
computer dpt on board of directors; CIS mngr report to snr mngt; internal audit dpt; computer steering committee; rotation of duties; regular leave; more than one supervisor per shift; supervision and review
Access Ctrls to data and programs
objective: to prevent unauthorised changes to programs, data, terminals & files
Programmed access controls
- terminals
- ID of users
- authorisation of users
- monitor of access & processing
- communication lines & networks
- password control
- programme libraries
- utilities
Physical access controls
- terminals
- computer hardware
- manual logs
- programme libraries
- distributable processing
- logs reviewed
- screening & training of staff
- emergency access controls
Computer Operating Ctrls
objective: to ensure the procedures are applied correctly & consistently during processing
Controls
- scheduling of processing
- hardware functioning
- set-up and execution of programmes
- use correct programmes and data files
- operating procedures (hardware checks, operating instructions & manuals, segregation of duties, rotation of duties, logs, supervision and review)
- competent assistance
- recovery procedures
System Software
objective: to ensure installation, development, maintenance of software packages are authorised and effective
Controls
- in the processing of users on personal (micro) computers there must be control over software on the PC; internal programs must be documented and comply
- acquisition and development controls
- security over system software
- database systems
- networks
- processing on microcomputers
-
Controls
- general controls - data back up; UPS; aircon in server room; test disaster recovery plan
- physical environment
- emergency plan and disaster recovery procedures
- back up
- other - insurance, no reliance on staff, virus protection, physical security, cable protection
- personnel ctrls
Input Ctrls
data input is the conversion from its original source into computer data, or entry into a computer app; data can be entered into a computer app from either manual online input or by batch processing (automated)
Processing Ctrls
used to ensure the accuracy, completeness and timeliness of data during either batch or real-time processing by the computer app; someone reviewing these ctrls should determine the adequacy of controls over app programs and related computer operations to ensure that data is accurately processed through the app and that no data is added, lost or altered during processing
Output Ctrls
the distribution of any output produced; output can be in hardcopy form, in the form of files used as input to other systems, or info available for online viewing
Master File Ctrls
Validity
access controls
segregation of duties
authorisation
overrides of system generated info
changes in data
Accuracy
matching by computer
review by users of snr staff
edit checks
staff training
control over docs
control over screens
Completeness
stationery controls
matching by computer
sequential testing by computer
review of output reports by users
examining of processing logs
control totals
Validity
access controls
librarian function
files labels and version numbers
overrides
manual intervention
matching by the computer
manual logs
supervision and review
segregation of duties
Accuracy
operator manuals and instructions
controls over hardware
edit checks
physical checking for accuracy by users
review & follow up of exception reports
recons & balancing
scrutiny by users of processed info for accuracy
checking postings by users
supervision & review
Completeness
control totals
reconciliations of balances and accounts
sequential testing by the computer
processing logs
breakpoint re-runs
adequate back up procedures
Validity
distribution should be controlled
distribution list
distribution schedule
distribution register
output logs
online output
terminal location in secure area
access controls
Definition
Files which are used to store only standing info and latest balances. Changes to standing data on masterfile are referred to as masterfile amendments
Biggest risk: changes to master file might not be valid, accurate and complete
Validity (of processing changes)
authorisation of changes
amendment forms file
checking changes to master file to logs of changes
follow up unauthorised changes
Completeness (of processing changes)
sequential numbered audit trail of master file changes
recon of master file amendment forms with changes register
General Controls
encryption; library function, record counts, recons, regular snr review of master file
AUDITING
Auditing around the computer: small business
Understanding and interrogating the MIS: larger, more complex companies
Auditor decides whether or not to use the CAATs when considering the audit strategy (scope, timing and direction) and the audit plan (nature, timing and extent of testing)
System Orientated audit software (system CAATs)
- Test Data
- Integrated test facility
- Parallel simulation
- Embedded audit facility
Data Orientated audit software (data CAATs)
- Generalized/customised audit software
- System utilities and report writers
- Data orientated audit software can be used to: re-perform calculations; perform investigations and analysis; select samples; extract summaries; perform comparisons
Factors that will influence decision to use CAATs
- complexity of the client's system
- volume of transactions/output
- data stored in electronic form
- availability of skills in the audit team
- potential loss of independence
- attitude of the client
- compatibility of the firm's hardware and software with the client's
- utilities available at the client which can assist