AIS Internal Control B.
Segregation of functions within EDP
General Controls
1. Organizational Controls (Plan of organization)
- relate to the segregation of duties in order to
reduce errors and fraud
A. Segregation of EDP and user functions
B. Segregation of functions within EDP
C. Segregation of functions among users
A. Segregation of EDP and user functions
a) Error detection, correction and resubmission
 Systems tests performed during systems
development ensures the elimination of
errors
 When error occurs, generally, they are
corrected and resubmitted at source
b) Segregation of incompatible functions
1. Authorization
- As a general rule, EDP should not be
permitted to authorize transactions;
however, some authorization functions
are incorporated in the computer
program (Ex: materials recording
system, custom order processing)
2. Execution
- Steps in the transaction processing cycle
and changes to master files are to be
performed by the users; today,
execution is done automatically through
instructions in the program (Ex: systems-
generated financial entries, automatic
reversing entries)
3. Accountability
- EDP should have not custody of non-EDP
assets
- Access is normally indirect, e.g. the
computer program contains the
instructions to release inventory for
shipments
a) Systems development
- System analysis
- Application programming
- Systems programming
b) Operations – application support
c) Data base administration
- Independent librarian function
C. Segregation of functions among users
Compensating controls
- If one of the controls is weak, there is
another control to compensate for the
internal control weakness arising from
the non-segregation of duties
- Generally, manual controls that are
performed to compensate for the
internal control weakness arising from
the non-segregation of duties
- Review and approval of purchasing
orders by purchasing department
- Review of exception lists from credit
approval runs
2. Sound personnel practices
- provide control over the quality of work by
ensuring that personnel are competent and honest
- provide policies that encourages compliance
1) Hiring and evaluation of personnel
I. Hiring test
- Mostly behavioral and personality test
II. Background check
- Checking of character references,
recommendations from previous
employers, NBI and police clearances
III. Fidelity bonds
- Kinds of insurance (honesty bonds)
2) Personnel scheduling
- Irregularities may be discovered during
an employee’s absence
3) Rotation of duties
- Enable the employee to master other
tasks, thus effectiveness is improved
- When a task is performed by another,
opportunities for improvement can be
identified
4) Performance evaluation
- A tool to identify strengths and areas of
improvement
- A good basis for rewards and
remunerations
5) Training and development
- Enhances employees performance and
potential for more responsible roles
- CPE (Continuing Professional Education)
 6) Career path
- A tool to formalize target positions
- Helps identify training needs
- Encourage loyalty and dedication
7) Rewards and remuneration
- Induces employees to perform their best
8) Formalization of personnel practices
- Conveys the company’s sincerity in its
commitments
9) Psychological control
- Employees ten to display positive
behavior if it goes with a reward or
punishment as the case may be.
Organizational controls: Audit procedures and Tests of
Controls
1. Review organizational charts
2. Review job descriptions of EDP and users
pertaining to error handling
3. Interview management and operating staff to
determine the degree of effectiveness of
supervision
4. Prepare a systems flowchart for each transaction
processing cycle and review the segregation of
duties
5. Review pre-processing controls, such as prior
approval of master file changes
6. Review the audit program of internal auditors to
determine the completeness and adequacy of
their review and test of internal control
Sound personnel practices: Audit procedures for Review
and Tests of Compliance
1. Review hiring and evaluation procedures, for
example, aptitude tests and background checks
2. Review performance appraisals and its link to
rewards and remuneration
3. Review staff development programs and
continuing professional education (CPE)
4. Review promotion policies and recent
promotions to ensure the movements post no
threats to control
5. Review staff turnover statistics and frequency of
staff firing to ensure that the attitude of staff
poses undue risk to control
3. Standard Operating Procedures (SOP) (hardware)
- identify procedures that ensure high quality
processing and limit the opportunity for errors, and
unauthorized use of files, programs, and reports
 Scheduling
- The operations of the computer should
follow realistic schedules to allow for
assembly and preventive maintenance
 Machine operations
- Include procedures for loading programs
and storage devices
- Requirement that console error
messages be responded to uniformly
 Machine performance
- Identification and correction of
equipment snags help reduce the
incidence of hardware-induced errors
- Standards are set for elapsed time
usage, maintenance time, expected
downtimes and other conditions
- Periodic review of equipment
maintenance and failure logs, and
comparison of actual equipment
performance with standards
 Job-run procedures – programs to perform
specific tasks
- These procedures generally outline the
sequence of the programs to ensure that
the required processes are performed in
the correct order
- Example: Variance report preparation
 Update physical standards
 Input volume of production
 Enter actual quantities
consumed
 Calculate variances
 Console logs(list) and personnel time record
- Should be prepared by the operating
system to record all operating and
application system activities, maintain
an equipment utilization record and
identify operator and user initiated
actions
- It provides an important control over
unauthorized system use
 Housekeeping
- Procedures relating to the use of
supplies, storage of programs, and
handling of files are designed to reduce
the risk of loss or destruction of
programs and data
- It ensures that sensitive output does not
fall into unauthorized hands
 File control standards
- Standards for handling the files are
necessary to minimize opportunities for
misuse, damage or loss of files
- Standards include file names, retention
dates,reconstruction procedures(should
be kept in a standard period of time) and
storage location
 - Files are controlled by a librarian (library
is a database)
 Adequate supervision
- Control and review of operating
activities which include periodic
examination and comparison of console
logs, job records and personnel time
records
 Emergency and physical security procedures
- Plans and procedures to protect
programs, files and equipment from fire,
theft, natural disasters, power failure of
communications
- Emergency and physical security
procedures should be written and
included in the systems and procedures
manual.
Standard operating procedures: Audit procedures for
Review and Tests of Compliance
1. Review the operations section of the systems
and procedures manual to determine the
adequacy and completeness of written
standards
2. Observe computer operators to determine
whether they follow SOP for equipment
operation
3. Review supervisory comparisons of console logs
with personnel time records/to determine
whether schedules and procedures are being
followed by the computer operators
4. Review comparisons of equipment failure logs
and other performance measures with
equipment performance standards to ensure
that equipment performance is monitored
appropriately
5. Observe housekeeping procedures/and the
general tidiness of the computer room to ensure
that programs and files are unlikely to be lost
4. Systems Development Controls
- the best time to build-in the application
controls is during the development of a system
- it would be easier compared with doing the
program revisions later In order to incorporate the
control
1) Systems Development Methodology
2) Project Management
3) Programming Conventions and
Procedures
4) User, Accounting, and Audit
Participation
5) Technical, Management, User, Auditor
Review and Approval
6) System Testing
7) Final Approval
8) Conversion and Migration Control
9) Post-implementation Review
10) Program change control
1) Systems Development Methodology
a. SDLC (System Development Life Cycle)
- Planning, analysis, design, development
and implementation
- Building-in of required application
controls
- Users’ training and users procedures
manual
b. Post implementation optimization
- Was there an evolution that the new
system meets the business requirement
c. Documentation
- Provides control over the prevention,
detection and correction of errors
2) Project Management
- The systems development methodology
will of little value if development
projects are not adequately managed
3) Programming Conventions and Procedures
Conventions
- Refer to the agreed standards, for
example, in the use of symbols, charts,
texts, graphs or writing of manuals
- Also pertain to the uniform procedures
followed in order to ensure the same
accurate results every time a job is
performed
 Flowcharting Conventions
 Decision Table Conventions
 Coding Conventions
1. Computer-code or program
code
-the set of instructions forming a
computer program which is
executed by a computer
2. Data code
-a number, letter, character, or
any combination thereof used
to represent a data element or
data item
Data coding conventions provides a
common understanding of the meaning
of the codes
- Significant digit code
- Sequence code
- Mnemonic code
 - Last digit code
- Identifiers
- Check digit code
 Standards Glossary and Standard
Abbreviations
-terms and abbreviations that are
unique to a particular installation should
be carefully defined
-use of non-standard terms and
abbreviations should be prohibited to
make review of documentation easier
 Standard Program Routines
-a subroutine (also called procedure,
function, routine, method, or
subprogram) is a portion of code within
a larger program that performs a specific
task and is relatively independent of the
remaining code
-any sequence of code that is intended
to be called and used repeatedly during
the execution of the program. This
makes the program shorter and easier to
write (and also to react when necessary)
-the main sequence of logic in a program
can branch off to a common routine
when necessary. When finished, the
routine branches back to the next
sequential instruction following the
instruction that branched to it.
-a routine may also be useful in more
than one program and save other
programmers from having to write code
that can be shared.
 Standard Job Control
Routines/Procedures
-provides the interface between the
application program and the operating
system
 Debugging
-standard technique for debugging
increase the chance that errors will be
found and provide a trail if program
changes thereby, reducing the
opportunity for unauthorized program
change
 Auditing Conventions
-the programming standards manual
should include a list of required controls
and audit features
4) User, Accounting and Audit Participation
- Ensures that users’ requirements are met by
the system
- User participation represents commitment
and approval
- Users recognize their responsibility and their
dependence on the output
- Audit participation provides the opportunity
to make suggestions regarding
improvements in internal control
5) Technical, Management, User, and Auditor
Review and Approval
- Review and approval ensures that the
system has adequate controls
Technical level (systems and programming
supervisors)
- Work outputs for each phase should be
reviewed and approved by the systems and
programming supervisors before submission
to users, auditors and management for
approval
Output level (users,auditors and management)
- requires that users, auditors, and
management review and approve the wok
output at the end of each phase
6) System Testing
- An important control because it is the last
opportunity to discover and correct
problems before implementation of the
system
Purpose:
 to ensure that the system will operate in
conformance with the design
specifications
 to determine whether the systems
operations meets users requirements
 to test all application controls if they will
work as intended
 to verify that errors in input, processing,
and output will be detected.
List of System Testing:
1. Program tests
o Testing of the processing logic of the
programs
2. String tests
o Instead of a single program, they are
applied to a string of logically related
programs
3. System tests
o Applied to all programs in the
systems to check if they will function
if they run at the same time
4. Pilot tests
o Involve the processing of actual
transaction on the new system on an
 after the fact basis, then comparing
the results from the existing system
5. Parallel tests
o The old and the new systems are ran
simultaneously using the same
inputs and the outputs are
compared to detect system errors
7) Final Approval
- Provides an opportunity to examine the final
test results to make a final judgment
- Final approach should be given by
management, users, and EDP personnel
before the system is implemented
8) Conversion and Migration control
Data Conversion
- The translation of computer data from one
format to another
Data migration
- The process of transferring data from one
system to another: generally, migration
requires data conversion
Conversion and migration control
- Controls to prevent and detect errors when
converting and migrating files to the new
systems
Control Procedures
- Confirmation requests may be set to third
parties asking them to confirm the data that
relates to them
- Operational approval should be obtained
from the users after they had used the
system a few times which serve as the
“acceptance tests” (beta test)
 Approval that indicates their
satisfaction with the way the system
is operating
9) Post-implementation review
- Conducted to:
 Determine if the system is operating
as intended
 Evaluate the effectiveness of the
entire process of developing the
system
“The feedback from this review is useful to the
external auditor as it indicates that controls are
either functioning as desired or not”
10) Program Change control
- Strong systems development controls are
negated if subsequently, unauthorized
modifications to the programs are
performed due to inadequate program
change control
- Program changes result from a desire to
improve the system, the need to adjust the
changing business conditions or the need to
incorporate new operating, accounting and
control policies. These changes are referred
to as program maintenance
- The objective of program change control is
to ensure that all program change requests
are approved and authorized and that all
approved and authorized program change
requests are completed
Controls:
1. Program changes should be in
accordance with the established
systems, programming and
documentation standards.
2. Program changes should be restricted
from systems personnel, operating
personnel should not make changes to
programs – even temporary changes to
facilitate the running of a program
3. The changes should be reviewed and
approved by the user to ensure
conformity with the purpose of the
change
4. Changes should be made to the test
program and not the production
program to limit the opportunities to
make unauthorized changes to the
production program
5. Changes should be tested thoroughly
before implementation
6. Program changes and test results should
be reviewed and approved
7. User and operating personnel should be
restrained, if needed to handle new
procedures
8. All documentation affected by the
change should be updated
9. Control should be established over the
conversion to the new program; the
conversion is accomplished by:
 changing the new program to a
production status
 copying the old program to a
back-up file and deleting it from
the library of production
programs
10. Conversion should not be permitted
before approval of the test results and
competition of changes to
documentations
11. Final approval should be given by data
processing management and the user