
Selda, Lennier Arvin A.

BAC 317-1M 1900-2000

Information Technology Controls – controls that address the risks related to technology.

Categories of IT Controls

1. General Controls – controls that apply to all aspects of the IT function before transactions are processed.

In general, there are six categories of General Controls:

a. Administration of the IT Function

It is the tone at the top regarding the IT function and is the equivalent of the control environment. The tone at the top reflects the attitude of the Board of Directors and senior management towards IT, and that attitude shows in the resources allocated to IT. In this category, we can also look at the involvement of IT in the decision making of the company/organization. Sometimes an IT Steering Committee is created to help the Board of Directors and senior management manage IT; a smaller company/organization has a Chief Information Officer (CIO) in the absence of a steering committee. Lastly, the importance the higher-ups give to IT also shows in whether they assign IT duties to higher-level employees.

b. Separation of IT Duties

• Chief Information Officer (CIO)/IT Manager - responsible for the oversight of the IT function and for carrying out the IT strategic plan.

• Security Administrator - in charge of security, such as helping to monitor both physical and online/logical security.



c. Physical and Online Security - this is the job of the security administrators, who protect the assets that are physical or in the online database.

d. System Development - responsible for purchasing/developing the software that the company needs and for testing that software (pilot or parallel testing).

Under this department are:

• System Analysts - they design the system that the company needs.

• System Programmers - they turn the design created by the analyst into a program/software and also document the program.

Note: Programmers cannot be the users of the system.

Under the Operations Department, there are:

• Librarian - controls the use of the computer programs and the documentation.

• Network Administration - maintains the network that serves the people who use the system.

• Computer Operators - the people who input data and information into the computer system.

Under the Data Control Group, there are:



• Database Administrator - holds the keys to the kingdom, meaning they have all the login information for the company.

• Data Input/Output Control - verifies the quality of the input and the reasonableness of the output.

To summarize, the separation of duties in IT is divided into three:

• System Development

• Operations

• Data Control

e. Backup and Contingency Planning - a backup plan in case of emergencies, such as fire, power failures, excessive heat or humidity, etc., that have a serious effect on businesses using IT.

f. Hardware Controls - these are built into computer equipment by manufacturers to detect and report equipment failures.

2. Application Controls – controls that operate at the process level and apply to the processing of transactions. They are designed for each software application.

Controls may be manual or automated and include the following:

a. Input Controls - designed to ensure that the information entered is authorized, accurate and complete.

• Typical controls for a manual system that are still relevant to IT:

  • Management authorization

  • Adequate preparation of input source documents

  • Competent personnel

The controls that are specific to IT are Input Screens, External Parties, Check Digit, Validity Check, Edit Checks and Limit Test.

Batch Processing Input Controls

• Financial Total - a summary total of field amounts for all records in a batch that represents a meaningful total, such as dollars or amounts.

• Hash Total - a summary total of codes from all records in a batch that does not represent a meaningful total.

• Record Count - a summary total of the physical records in a batch.
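
The three batch totals above, computed when a batch is prepared and recomputed when it is received, as an added example that is not part of the original notes. The account codes, amounts and function names are constructed for illustration; the last case shows a change that none of the three totals detects.

```python
from decimal import Decimal

# Constructed sample batch: (account_code, amount) as keyed from source documents.
SOURCE_BATCH = [
    ("40012", Decimal("150.00")),
    ("40037", Decimal("89.50")),
    ("51120", Decimal("1200.25")),
    ("40012", Decimal("60.00")),
]

def control_totals(batch):
    """Compute the three batch control totals."""
    return {
        "record_count": len(batch),
        "financial_total": sum((amt for _, amt in batch), Decimal("0")),
        # Account codes added together: meaningless as a figure, used only as a check.
        "hash_total": sum(int(code) for code, _ in batch),
    }

def reconcile(header, received):
    """Return the names of the control totals that no longer match the header."""
    actual = control_totals(received)
    return sorted(name for name in header if header[name] != actual[name])

HEADER = control_totals(SOURCE_BATCH)  # totals recorded when the batch was prepared

# Constructed failure cases.
DROPPED = SOURCE_BATCH[:-1]                                          # last record lost
MISKEYED_AMOUNT = [("40012", Decimal("105.00"))] + SOURCE_BATCH[1:]  # 150.00 keyed as 105.00
WRONG_ACCOUNT = [("40021", Decimal("150.00"))] + SOURCE_BATCH[1:]    # 40012 keyed as 40021
# Limitation: codes of the first two records swapped; every total is unchanged.
SWAPPED_CODES = [("40037", Decimal("150.00")), ("40012", Decimal("89.50"))] + SOURCE_BATCH[2:]

if __name__ == "__main__":
    cases = {"intact": SOURCE_BATCH, "dropped": DROPPED,
             "miskeyed amount": MISKEYED_AMOUNT,
             "wrong account": WRONG_ACCOUNT, "swapped codes": SWAPPED_CODES}
    for label, batch in cases.items():
        print(f"{label:16} mismatched: {reconcile(HEADER, batch)}")
```

Because offsetting changes such as the swapped codes leave all three totals intact, batch totals complement record-level checks rather than replace them.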

b. Processing Controls - controls that prevent and detect errors while transaction data are processed.

General controls (during the development stage) provide essential control for minimizing processing errors.

Specific application processing controls are often programmed into software to prevent, detect, and correct processing errors.

• Types of processing controls

  • Validation Test - this ensures that a particular type of transaction is appropriate for processing.

  • Sequence Test - this determines that the data submitted for processing are in the correct order.

  • Arithmetic Accuracy Test - this checks the accuracy of processed data.

  • Data Reasonableness Test - this determines whether data exceed prespecified amounts.

  • Completeness Test - this determines that every field in a record has been completed.
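
The five processing tests above applied to one batch of invoice lines, as an added example that is not part of the original notes. The record layout, the allowed transaction types and the amount limit are assumptions made for the illustration, and the sample records are constructed.

```python
from decimal import Decimal

ALLOWED_TYPES = {"SALE", "RETURN"}   # assumption: types this run may process
AMOUNT_LIMIT = Decimal("10000")      # assumption: prespecified ceiling per record
FIELDS = ("doc_no", "type", "qty", "unit_price", "amount")

def check_batch(records):
    """Apply the five processing tests; return (doc_no, failed_test) pairs."""
    findings, highest = [], None
    for r in records:
        doc = r.get("doc_no")
        # Completeness test: every field must be filled in.
        if any(r.get(f) in (None, "") for f in FIELDS):
            findings.append((doc, "completeness"))
            continue  # the remaining tests need all fields
        # Validation test: transaction type is appropriate for this run.
        if r["type"] not in ALLOWED_TYPES:
            findings.append((doc, "validation"))
        # Sequence test: document numbers must keep increasing.
        if highest is not None and doc <= highest:
            findings.append((doc, "sequence"))
        else:
            highest = doc
        # Arithmetic accuracy test: recompute the extended amount.
        amount = Decimal(r["amount"])
        if Decimal(r["qty"]) * Decimal(r["unit_price"]) != amount:
            findings.append((doc, "arithmetic"))
        # Data reasonableness test: amount above the prespecified limit.
        if amount > AMOUNT_LIMIT:
            findings.append((doc, "reasonableness"))
    return findings

def make_record(doc_no, type_, qty, unit_price, amount):
    return dict(zip(FIELDS, (doc_no, type_, qty, unit_price, amount)))

# Constructed batch: two clean records, then one failure per test.
SAMPLE = [
    make_record(1001, "SALE", "2", "19.99", "39.98"),
    make_record(1002, "SALE", "3", "10.00", "30.00"),
    make_record(1004, "TRANSFER", "1", "50.00", "50.00"),
    make_record(1003, "SALE", "1", "5.00", "5.00"),
    make_record(1005, "SALE", "4", "25.00", "110.00"),
    make_record(1006, "SALE", "10", "1500.00", "15000.00"),
    make_record(1007, "RETURN", "", "12.00", "12.00"),
]

if __name__ == "__main__":
    for doc_no, test in check_batch(SAMPLE):
        print(doc_no, "failed", test, "test")
```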

c. Output Controls - controls that focus on detecting errors after processing is completed (post-processing) and on review of the data for reasonableness by someone knowledgeable about the output.

• Common controls for detecting errors in outputs include:

  • Reconcile computer-produced output to manual control totals.

  • Compare the number of units processed to the number of units for processing.

  • Compare a sample of transaction outputs to input source documents.

  • Verify dates and times of processing to identify any out-of-sequence processing.

Relationship between General Controls and Application Controls

General controls protect the outside of the system. If the general controls are no good, the application controls are no good either.
