PAPS 1001
Introduction
1
6/14/2013
These include:
Example: when there are several users of a single computer, without appropriate
controls, programs and data stored on non-removable storage media by one user
may be susceptible to unauthorized access, use, alteration or theft by other users.
• management responsibilities;
• instructions on personal microcomputer use;
• training requirements;
• authorization for access to programs and data;
• policies to prevent unauthorized copying of programs and data;
• security, back-up and storage requirements;
• application development and documentation standards;
• standards of report format and report distribution controls;
• personal usage policies;
• data integrity standards;
• responsibility for programs, data and error correction; and
• appropriate segregation of duties.
Physical Security—Equipment
Because of their physical characteristics, micro personal computers are
susceptible to theft, physical damage, unauthorized access or misuse.
This may result in the loss of information stored in the personal
microcomputer, for example, financial data vital to the accounting
system.
Control over removable storage media can be established by placing responsibility for
such media under personnel whose responsibilities include duties of software
custodians or librarians. Control can be further strengthened when a program and data
file check-in and check-out system is used and designated storage locations are locked.
Such internal controls help ensure that removable storage media are not lost, misplaced
or given to unauthorized personnel. Physical control over non-removable storage media
is probably best established with locking devices.
Depending on the nature of the program and data files, it is appropriate to keep current
copies of diskettes, compact disks or back-up tapes and hard disks in a fireproof
container, either on-site, off-site or both. This applies equally to operating system and
utility software and backup copies of hard disks.
Viruses now represent the most common threat to computer security. Users may
allow their e-mail programs or their operating systems to load and execute
attachments. Antivirus software should therefore be installed on personal
computers and updated continuously so that it includes definitions for newly
detected viruses. Virus scans should be run on every workstation daily and set to
scan all files. Screen-saver-based virus scanners can help with this task.
Consideration should be given to disabling the ability of workstations to boot from
diskette or compact disk to avoid boot-sector viruses.
Because many macro viruses are shared through e-mail, a virus solution should be
installed to scan incoming e-mail attachments, with the ability to scan
compressed files and compressed archives. All programs should be scanned
before installation and before initial execution.
The effect of micro personal computers on the accounting system and the
associated risks will generally depend on:
A summary of some of the key considerations and their effects on general CIS and CIS
application controls is described below.
General CIS Controls—Segregation of Duties
In a personal computer environment, it is common for users to be able to
perform two or more of the following functions in the accounting system:
• initiating and authorizing source documents;
• entering data into the system;
• operating the computer;
• changing programs and data files;
• using or distributing output; and
• modifying the operating systems.
In other CIS environments, such functions would normally be segregated through
appropriate general CIS controls. This lack of segregation of functions in a personal
computer environment may:
• allow errors to go undetected; and
• permit the perpetration and concealment of fraud.
In this situation, the auditor may find it more cost-effective, after obtaining an
understanding of the control environment and flow of transactions, not to make a
review of general CIS controls or CIS application controls, but to concentrate the
audit efforts on substantive tests at or near the end of the year. This may entail
more physical examination and confirmation of assets, more tests of details,
larger sample sizes and greater use of computer-assisted audit techniques, where
appropriate.
The following are examples of control procedures that an auditor may consider
when he intends to rely on internal accounting controls related to stand-alone
personal computers:
(a) Segregation of duties and balancing controls:
• Segregation of functions.
• Rotation of duties among employees.
• Reconciliation of system balances to general ledger control accounts.
• Periodic review by management of the processing schedule and reports
which identify individuals that used the system.
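As an added illustration (not part of PAPS 1001), the periodic review of reports identifying who used the system can be supported by a small script: the Python example below reads a constructed usage report and flags any user who performed two or more of the functions listed under Segregation of Duties. The report layout, the activity codes and the user names are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict

# Hypothetical activity codes mapped to the six functions listed in the text.
FUNCTIONS = {
    "authorize_source_doc": "initiating and authorizing source documents",
    "enter_data": "entering data into the system",
    "operate_computer": "operating the computer",
    "change_program_or_data": "changing programs and data files",
    "distribute_output": "using or distributing output",
    "modify_os": "modifying the operating systems",
}

# Constructed sample usage report (assumed columns: date, user, activity).
SAMPLE_REPORT = """date,user,activity
2013-06-03,acruz,enter_data
2013-06-03,acruz,enter_data
2013-06-04,bsantos,authorize_source_doc
2013-06-04,bsantos,enter_data
2013-06-05,bsantos,change_program_or_data
2013-06-05,creyes,distribute_output
2013-06-06,creyes,print_test_page
"""

def review_usage(report_text):
    """Return (conflicts, unknown): users who performed two or more of the
    listed functions, and activity codes that map to none of them."""
    performed = defaultdict(set)
    unknown = set()
    for row in csv.DictReader(io.StringIO(report_text)):
        activity = row["activity"].strip()
        if activity in FUNCTIONS:
            performed[row["user"].strip()].add(activity)
        else:
            unknown.add(activity)  # surface for follow-up instead of ignoring
    conflicts = {u: sorted(f) for u, f in performed.items() if len(f) >= 2}
    return conflicts, sorted(unknown)

if __name__ == "__main__":
    conflicts, unknown = review_usage(SAMPLE_REPORT)
    for user, codes in sorted(conflicts.items()):
        print(f"{user}: performs {len(codes)} of the listed functions")
        for code in codes:
            print(f"  - {FUNCTIONS[code]}")
    if unknown:
        print("unmapped activity codes:", ", ".join(unknown))
```

A user who repeats one function many times is not flagged; only a combination of distinct functions is, which matches the concern that one person can both make and conceal an error or fraud.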