Chapter 12
Computer controls replace manual controls
Higher quality information available faster
Hardware and software, and therefore all the company's information, is at risk when computer malfunctions
Loss of hard copy audit trail
Systematic vs random errors (make the same error every time)
General Controls
Administration of the IT Function
Must be given importance in organization
Chief Information Officer
IT Steering Committees
General Controls
Segregation of IT duties
Separate custody, authorization, recordkeeping in traditional controls
Separate IT Management, Systems Development, Operations, Data Control
IT Functions
IT Management
CIO
Security Administrator
System Development
Systems Analysts
Programmers
cannot have access to input data or operations
(use test copies of programs and data)
IT Functions
Operations
Computer Operators - Day to day operations
execute jobs according to schedule
monitor computer consoles for messages on efficiency and malfunctions
Librarian
Maintains programs and transaction files
Network administrator
planning, implementing and maintaining network
IT Functions
Data Control
Data input/output control - verify quality of input and reasonableness of output
Database administrator - controls operation and access security of shared databases
General Controls
Systems Development
Controls = system development methodology procedures
Involve IT and non IT personnel in development testing of software
Pilot testing - one part of organization
Parallel testing - both systems operate
General Controls
Physical and Online Security
Physical control over computer equipment restricts access to hardware, software, backup files, hard drives, CDs, thumb drives, laptops etc.
keypad entry
badge-entry systems
security cameras
security personnel
General Controls
Physical and Online Security (cont.)
Online access controls
User IDs
passwords
key cards
bio-id
General Controls
Backup and Contingency Planning
Several copies of backup, some stored off premises
battery backups for temporary power outages
General Controls
Hardware Controls
Built into computer equipment to detect and report equipment failures
Someone must review and act on these reports
Application Controls
Exist to satisfy the 6 transaction related audit objectives
Existence
Completeness
Accuracy
Classifications
Timing
Posting/Summarization
Application Controls
Performed by people
Performed by computers
Application Controls
Input Controls - Entering Data
Design of screens
Pull-down lists
Valid combinations
Batch totals
Record counts
Application Controls
Processing Controls
Validation
Sequence Test
Math
Reasonableness
Completeness
Application Controls
Output Controls
Review by human eyes for reasonableness
Parallel simulation - Auditor software, client data using Generalized Audit Software (ACL or IDEA)
PC Environments
General Controls less effective in smaller companies
Auditors audit around the computer
Access is a greater risk
Loss of data (viruses)
Network Environments
LAN - Local area networks
single or small cluster of buildings
Network risks
lack of security
Network Environments
Internal Controls over Financial Reporting
network configuration
network software
Access controls
Change controls
Risks
Improper access
loss of data
E-Commerce Systems
Linking your network to outside networks for business purposes increases risk
firewall (filters data) hardware and software
encryption techniques - change message into code
use decryption program to decode
Public key to code, private key to decode
Outsourcing IT
Application Service Providers (ASPs) and Computer service centers
Difficulty in obtaining understanding of internal controls of the service center
Rely on report done on Service Center by other auditors
report on controls placed in operation
report on controls placed in operation and tests of operating effectiveness