INTERNAL CONTROL IN THE
COMPUTER INFORMATION SYSTEM
Questions
1.
2.
incorrect processing for all transactions processed. This increases the risk
of many significant misstatements.
Unauthorized access. The centralized storage of key records and files in
electronic form increases the potential for unauthorized on-line access from
remote locations.
Loss of data. The centralized storage of data in electronic form increases
the risk of data loss in the event the data file is altered or destroyed.
Reduced segregation of duties. The installation of IT-based accounting
systems centralizes many of the traditionally segregated manual tasks into
one IT function.
Lack of traditional authorization. IT-based systems can be programmed to
initiate certain types of transactions automatically without obtaining
traditional manual approvals.
Need for IT experience. As companies rely to a greater extent on IT-based
systems, the need for personnel trained in IT systems increases in order to
install, maintain, and use systems.
3.
General controls relate to all aspects of the IT function. They have a global
impact on all software applications. Examples of general controls include
controls related to the administration of the IT function; software acquisition and
maintenance; physical and on-line security over access to hardware, software,
and related backup; back-up planning in the event of unexpected emergencies;
and hardware controls. Application controls apply to the processing of
individual transactions. An example of an application control is a programmed
control that verifies that all time cards submitted are for valid employee ID
numbers included in the employee master file.
4.
The most significant separation of duties unique to computer systems is among
the functions performed by the systems analyst, programmer, computer operator,
and database administrator. The idea is that anyone who designs a processing system
should not also do the technical work, and anyone who performs either of these
tasks should not also be the computer operator when real data is processed.
5.
Systems analysis: Personnel will design and direct the development of new
applications.
Programming: Other personnel will actually do the programming dictated
by the system design.
Operating: Other people will operate the computer during processing runs,
so that programmers and analysts cannot interfere with the programs
designed and executed, even if they produce errors.
Converting data: Since this is the place where misstatements and errors can
be made the interface between the hardcopy data and the machine-
e.
f.
6.
7.
8.
9.
Five things a person must have access to in order to facilitate computer fraud
are:
a.
b.
c.
d.
e.
1. c     7. b    13. c    19. c    25. b
2. a     8. b    14. c    20. c    26. c
3. d     9. c    15. c    21. a    27. c
4. b    10. a    16. a    22. c    28. d
5. d    11. b    17. b    23. b    29. b
6. d    12. a    18. a    24. c    30. d
Cases
1.
2.
a.
1.
2.
b.
3.
a.
3.
1.
2.
3.
b.
4.
a.
b.
c.
a.
b.
c.
d.
The auditor may rely on the computer audit specialist to whatever degree
considered necessary to assure proper control installation and
implementation. The in-charge field auditor must keep in mind, however,
that use of a computer audit specialist does not compensate for the field
auditor's lack of understanding of the internal control, including the EDP
applications.