Primary controls include the following:
1) Preventive Controls- deter or prevent the occurrence of unwanted events; effective
preventive controls stop problems before they occur.
❖ Segregation of duties
❖ Storing petty cash in a locked safe
❖ Pre-numbered documents
❖ Designing a database so that users cannot enter a letter in a field that requires
a social security number
❖ Requiring the number of invoices in a batch to be entered before processing
begins
❖ Establishing a formal security policy
❖ Not using shareware software
❖ Scanning new software with antivirus software before installing it
❖ Restricting access
❖ Educating users
❖ Using edit (field) checks to prevent certain types of incorrect data from being
entered in a system
❖ Pre-formatting a data entry screen so that certain fields must be filled before
processing
2) Detective Controls- alert the proper people after an unwanted event occurs. They are
effective when detection occurs before material (significant) harm results.
❖ Automatic reporting to the AP department of all rejected batches of invoices
❖ Using hash totals to detect data entry errors OR to test for completeness
❖ Installing burglar alarms OR fire alarms
❖ Examining system logs for actions that require scrutiny (inspection), such as
repeated failed login attempts and the use of powerful utility programs
4) Directive Controls- cause OR encourage the occurrence of desirable events
❖ Policy and Procedures
❖ Operating manuals
Secondary controls, used when the primary controls fail, include the following:
1) Compensatory (mitigative) Controls- these controls may reduce risks when the primary
controls are ineffective; however, by themselves they do not reduce risk to an acceptable
level.
❖ The warehouse counting the delivered goods if the receiving function did not perform
its duties
❖ Supervisory review when segregation of duties is not feasible
2) Complementary Controls- controls that work with other controls to reduce risks to an
acceptable level.
❖ After duties are segregated, both departments perform their completeness
checks before payment is issued.
❖ Segregating functions of recording and custody of cash receipts is
complemented by obtaining deposit slips validated by the bank
3) Feed forward (Preventive) Controls- anticipate and prevent problems. These controls
require a long-term perspective.
❖ Policies and procedures
❖ Segregation of duties
Financial vs. operating controls:
1) Financial Controls (accounting controls)- based on accounting principles used.
Objectives of financial controls may include proper authorization, appropriate
recordkeeping, safeguarding of assets, and compliance with laws.
NOTE
Compensating Controls- replace the normal controls, such as segregation of duties, when those
cannot feasibly be implemented. Providing supervisory oversight is an alternative to having each
function performed by at least two people.
3. Control Procedures
There are several procedures/actions that can be taken, including:
1) Segregation of Duties- is vital. It involves assigning different employees to perform the
functions of authorization, recording, and access to (custody of) assets, so that an employee
acting alone is prevented from committing an error or concealing a fraud in the normal course
of his/her duties. In an IT environment a full separation of these functions may not be
feasible, which is why compensating controls (see the NOTE above) matter.
a. Custody
b. Authorization
c. Record Keeping
d. Reconciliation
Segregation of duties can be compromised (defeated) through collusion among employees.
4) Pre-Numbered Forms- sequentially pre-numbered forms are the basis for a strong set of
internal controls. During the periodic reconciliation, missing documents can be detected, and
such a procedure can reveal unrecorded and unauthorized transactions.
5) Specific Document/Process Flow- as an organization conducts its business, documents
and other evidence should be created at each step.
By searching for breaks in the document flow, auditors can detect errors OR fraud.
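The following is an added example, not part of the original notes, showing how the segregation of duties described above (and the IT-department segregation discussed later under 14.3) can be checked mechanically: a role-assignment matrix is scanned for incompatible function pairs, and a conflict in a cycle that has supervisory review is reported as compensated rather than open. The conflict policy, cycle names and employee assignments are constructed for illustration.

```python
# Added example (not from the study notes): scan a role-assignment matrix for
# segregation-of-duties conflicts. The four function names follow the notes;
# the conflict pairs, cycle names and employee assignments are constructed.
import itertools

FUNCTIONS = ("custody", "authorization", "record_keeping", "reconciliation")

# Constructed policy: pairs of functions one person must not hold within the
# same cycle. Custody, authorization and recording conflict with each other;
# reconciliation must be independent of custody and of recording.
CONFLICTS = {
    frozenset(("custody", "authorization")),
    frozenset(("custody", "record_keeping")),
    frozenset(("authorization", "record_keeping")),
    frozenset(("reconciliation", "custody")),
    frozenset(("reconciliation", "record_keeping")),
}


def find_sod_conflicts(assignments, reviewed_cycles=frozenset()):
    """Return one finding per conflicting pair of functions an employee holds.

    assignments: {employee: {cycle: set_of_functions}}
    reviewed_cycles: cycles where a supervisory review exists; a conflict there is
    reported as compensated (mitigated, not eliminated) rather than open.
    """
    findings = []
    for employee, cycles in sorted(assignments.items()):
        for cycle, funcs in sorted(cycles.items()):
            unknown = set(funcs) - set(FUNCTIONS)
            if unknown:
                raise ValueError(f"{employee}/{cycle}: unknown function(s) {sorted(unknown)}")
            for a, b in itertools.combinations(sorted(funcs), 2):
                if frozenset((a, b)) in CONFLICTS:
                    findings.append({
                        "employee": employee,
                        "cycle": cycle,
                        "functions": (a, b),
                        "compensated": cycle in reviewed_cycles,
                    })
    return findings


# Constructed sample: who holds which function in which cycle.
SAMPLE_ASSIGNMENTS = {
    "alice": {"cash_disbursements": {"authorization"},
              "payroll": {"reconciliation", "authorization"}},
    "bob": {"cash_disbursements": {"custody", "record_keeping"}},   # signs and records cheques
    "carol": {"purchases_payables": {"authorization", "record_keeping"}},
}
# Cycles where a supervisor reviews the work (a compensating control).
SAMPLE_REVIEWED = frozenset({"purchases_payables"})

if __name__ == "__main__":
    for f in find_sod_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_REVIEWED):
        status = "compensated" if f["compensated"] else "OPEN"
        print(f"{status:12} {f['employee']:6} {f['cycle']:20} "
              f"{f['functions'][0]} + {f['functions'][1]}")
```

Bob's combination of custody and recording in cash disbursements is reported as an open conflict; Carol's conflict in purchases/payables is flagged but marked compensated because that cycle has supervisory review, which mirrors the notes' point that a compensating control reduces but does not remove the risk.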
4. Transaction Cycles
There are several accounting (transaction) cycles involved in a business, including:
1) Sales – Receivables Cycle
2) Cash – Receipts Cycle
3) Purchases – Payables Cycle
4) Cash Disbursements Cycle
5) Payroll Cycle
2) Cash – Receipts Cycle
[Flowchart not recoverable from the source page. Functions: Authorization, Custody, Recording.
Departments: Customer, Bank, Mail Room, Cash Receipts, Accounts Receivable, General Ledger.]
3) Purchases – Payables Cycle
[Flowchart not recoverable. Functions: Authorization, Custody, Recording. Departments: Inventory
Control, Purchasing, Vendor, Receiving, Warehouse, Accounts Payable, General Ledger.]
4) Cash Disbursements Cycle
[Flowchart not recoverable. Functions: Authorization, Custody, Recording. Departments: Vendor,
Purchasing, Cash Disbursement, Accounts Payable, General Ledger.]
5) Payroll Cycle
[Flowchart not recoverable. Functions: Authorization, Custody, Recording. Departments: Human
Resources, Production, Cash Disbursement, Bank, Time-Keeping, Cost Accounting, Payroll,
Accounts Payable, General Ledger.]
14.2 Information Security and System Controls
4) Data Theft- is the surreptitious (secret) copying of critical data elements from the
organization's database. (Ex- copying credit card numbers)
5) Sabotage- is the disruption of an organization's system, not for personal gain, but simply
for revenge or in the spirit of vandalism (damage). (Ex- changing a company's website to
include incorrect information that is not immediately noticeable)
6) Viruses- are computer programs that propagate (spread) themselves from one computer to
another without the knowledge of the user, usually by attaching to other programs or files.
Common ways of spreading a virus are email attachments and downloads. A virus can cause an
annoying message to appear on the screen. A symptom of a virus is that programs load OR
execute slowly.
7) Logic Bombs- also destroy data, but unlike viruses, they remain on a single computer and
do not replicate. They do not copy themselves or spread from one computer to another. They lie
dormant until triggered by the arrival of a certain date.
8) Worms- are self-contained pieces of code that, in this classic description, do not threaten
the data on the computer (unlike viruses and logic bombs) but are destructive because they
rapidly replicate themselves. A released worm can propagate (spread) from one network to
another and eventually slows down the processing speed of the computers it reaches. (In
practice a worm can also carry a destructive payload.)
9) Trojan Horses- are voluntarily installed on a computer by the user because they appear to
be a program the user wants. While the program may seem like a video game, it contains code
that a hacker can activate later to take over the computer, retrieve sensitive information, or
use it to launch proxy (indirect) attacks on other computers.
10) Back Doors- are means of obtaining access to a system while bypassing the usual
password controls. IT personnel sometimes design a back door to allow access to the system
in unusual circumstances; such a back door is itself a weakness if it is not controlled.
11) Spyware- spies on a user without their knowledge and collects data. Programs that
capture keystrokes are called keylogger software. (Ex- keylogging apps)
12) Ransomware- holds a computer or file storage hostage (typically by encrypting the files)
and demands a ransom payment. Ransomware distributors generally do not want to cause major
trouble; they want a quick payment from the computer user.
13) Phishing- is the attempt to acquire sensitive information by impersonating a trustworthy
entity. (Ex- creating a fake Amazon website to obtain credit card details)
14) Malware- is short for malicious software (viruses, logic bombs, worms, Trojan horses, back
doors, spyware, ransomware). Sabotage is a motive and phishing is an attack technique rather
than software, although both may use malware.
3. System Development Controls
All information systems, automated OR manual perform 4 basic functions:
1) Input
2) Processing
3) Output
4) Storage
Proper management of system development process can enhance the accuracy, validity, safety,
security, and adaptability of the controls over these functions.
Effective system development requires the setting of priorities. This can be achieved through a
steering committee composed of managers from IT functions and end users. The committee
approves development projects, assigns resources, and reviews progress. The steering committee
also ensures that requests for new systems are aligned with the overall strategic plan of the
organization.
The most critical separation of duties in an information system is between programmers and
systems analysts on one side and computer operators (who have access to files, equipment, and
production programs) on the other. Furthermore, computer operators and systems analysts should
be separated from each other, and neither should be allowed to perform programming duties. In
addition, an operator should not have custody of files.
Changes to an existing system should be subject to strict controls. Requests for changes should
be initiated by an end user and authorized by management OR the steering committee. All
changes should be made to a working copy of the program. Production code should never be
directly altered by a programmer.
All changes should be adequately tested before being placed in the production environment. The
test results should indicate acceptance by the end user who requested the change. Adequate
testing must include incorrect data; the program must handle data that do not conform.
Unauthorized program changes can be detected by code comparison (comparing the program in
production with the approved copy).
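The following is an added example, not part of the original notes, of the code comparison mentioned above: fingerprints (SHA-256) of the accepted release are compared with what is actually in production, and any modified file is shown as a line-level diff. The file names and contents are constructed; in practice the baseline fingerprints are taken from the approved build and held by the librarian or another party who cannot change production code.

```python
# Added example (not from the study notes): detect unauthorized changes to
# production programs by comparing fingerprints of what is running against the
# fingerprints recorded when the release was accepted. File names and contents
# are constructed; in practice the baseline is taken from the approved build and
# kept where programmers cannot alter it.
import difflib
import hashlib


def fingerprint(files):
    """Map file name -> SHA-256 hex digest of its contents ({name: bytes})."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def compare_to_baseline(approved_fp, production_fp):
    """Classify every file as modified, added (not in the approved release) or removed."""
    return {
        "modified": sorted(n for n in approved_fp
                           if n in production_fp and approved_fp[n] != production_fp[n]),
        "added": sorted(n for n in production_fp if n not in approved_fp),
        "removed": sorted(n for n in approved_fp if n not in production_fp),
    }


def source_diff(name, approved_src, production_src):
    """Line-level code comparison of one file, as a unified diff."""
    return list(difflib.unified_diff(
        approved_src.decode().splitlines(),
        production_src.decode().splitlines(),
        fromfile=f"approved/{name}", tofile=f"production/{name}", lineterm="",
    ))


# Constructed sample: the accepted release versus what is found in production.
APPROVED_RELEASE = {
    "ar_update.py": b"def discount(total):\n    return total * 0.02 if total > 1000 else 0\n",
    "ap_post.py": b"def post(entry, ledger):\n    ledger.append(entry)\n",
}
PRODUCTION = {
    # someone raised the discount rate directly in production
    "ar_update.py": b"def discount(total):\n    return total * 0.20 if total > 1000 else 0\n",
    "ap_post.py": APPROVED_RELEASE["ap_post.py"],
    "patch_tmp.py": b"# left behind by an emergency fix\n",   # never went through change control
}


def audit_production(approved=APPROVED_RELEASE, production=PRODUCTION):
    """Run the comparison and attach a diff for each modified file."""
    result = compare_to_baseline(fingerprint(approved), fingerprint(production))
    result["diffs"] = {n: source_diff(n, approved[n], production[n]) for n in result["modified"]}
    return result


if __name__ == "__main__":
    report = audit_production()
    for category in ("modified", "added", "removed"):
        print(f"{category}: {report[category]}")
    for lines in report["diffs"].values():
        print("\n".join(lines))
```

The dictionaries stand in for directories so the example runs offline; reading real files with `pathlib` into the same `{name: bytes}` shape is the only change needed to run it against a production library.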
4. Physical Controls
Physical controls limit physical access and environmental damage to computer equipment and
important documents.
There are 2 types of physical controls:
I. Access Controls
II. Environmental Controls
I. Access Controls
Access controls prevent improper use OR manipulation of data files and programs. They ensure
that only those people with purpose and authorization have access.
No person except operators should be allowed unmonitored access to the processing facility.
This can be enforced by guard desks, keypads, and magnetic card readers.
Access controls include:
1) Passwords and ID Numbers
2) Device Authorization Table
3) System Access Log
4) Encryption
5) Callback
6) Controlled Disposal of documents
7) Biometric Technologies
8) Automatic Log-off
9) Security Personnel
3) System Access Log
This log records all uses and attempted uses of the system. The date, time, codes used, mode of
access, data involved, and interventions by operators are recorded.
4) Encryption
Encoding data before transmission over communication lines makes it more difficult for
someone with access to the transmission to understand its contents. Encryption technology
converts data into a code.
Unauthorized users may still be able to access the data, but without the encryption key they
will be unable to decode the information. Encryption by itself does not prevent modification of
the transmitted data; detecting modification requires an integrity check such as a message
authentication code.
5) Callback
This feature requires a remote user to call, give identification, hang up, and wait for an
authorization number. This control ensures acceptance of data only from the authorized modems.
However, a call-forwarding device may thwart (defeat) this control by transferring the call
from an authorized to an unauthorized number.
7) Biometric Technologies
These are automated methods of establishing an individual's identity using physiological OR
behavioral traits. These include fingerprints, retina patterns, hand geometry, signature
dynamics, speech, and keystroke dynamics.
8) Automatic Log-off
The dis-connection of inactive data terminals may prevent the viewing of sensitive data on an
un-attended workstation.
9) Security Personnel
An entity may hire security specialists. (Ex- developing an information security policy,
commenting on new controls, monitoring, and investigating unsuccessful attempts)
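The following is an added example, not part of the original notes, of the log review described under System Access Log (item 3 above) and listed earlier as a detective control: sample log lines are scanned for repeated failed logins from the same user and source within a short window, and for executions of powerful utility programs. The log format, utility names and log lines are constructed for illustration.

```python
# Added example (not from the study notes): review system access log lines for
# the two conditions the notes single out, repeated failed logins and use of
# powerful utility programs. The log format, utility names and sample lines
# are constructed for illustration.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+)(?: program=(?P<program>\S+))?$"
)

# Assumed names of utilities that can alter files outside normal application controls.
PRIVILEGED_UTILITIES = {"SUPERZAP", "DBUTIL", "FILEAID"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for a line that does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def review_access_log(lines, max_failures=3, window=timedelta(minutes=5)):
    """Return findings as (kind, user, src, detail) tuples.

    A repeated-failure finding fires once when a (user, src) pair reaches
    max_failures failed logins inside a sliding window; a utility finding fires
    on every execution of a privileged utility; lines that do not parse are
    counted, since gaps in a log deserve scrutiny too.
    """
    recent_failures = defaultdict(list)   # (user, src) -> failure timestamps inside the window
    findings = []
    malformed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["event"] == "LOGIN_FAIL":
            key = (rec["user"], rec["src"])
            recent_failures[key] = [t for t in recent_failures[key] if rec["ts"] - t <= window]
            recent_failures[key].append(rec["ts"])
            if len(recent_failures[key]) == max_failures:
                findings.append(("repeated_login_failures", rec["user"], rec["src"], rec["ts"]))
        elif rec["event"] == "EXEC" and rec["program"] in PRIVILEGED_UTILITIES:
            findings.append(("privileged_utility_use", rec["user"], rec["src"], rec["program"]))
    if malformed:
        findings.append(("malformed_lines", None, None, malformed))
    return findings


# Constructed sample log: one burst of failures, one slow trickle, one utility run.
SAMPLE_LOG = """
2024-03-04 09:00:01 user=jdoe src=10.0.0.12 event=LOGIN_FAIL
2024-03-04 09:00:09 user=jdoe src=10.0.0.12 event=LOGIN_FAIL
2024-03-04 09:00:15 user=jdoe src=10.0.0.12 event=LOGIN_FAIL
2024-03-04 09:00:20 user=jdoe src=10.0.0.12 event=LOGIN_OK
2024-03-04 09:30:00 user=asmith src=10.0.0.40 event=LOGIN_FAIL
2024-03-04 09:45:00 user=asmith src=10.0.0.40 event=LOGIN_FAIL
2024-03-04 10:05:00 user=asmith src=10.0.0.40 event=LOGIN_FAIL
2024-03-04 10:10:00 user=oper1 src=10.0.0.5 event=EXEC program=SUPERZAP
2024-03-04 10:11:00 user=oper1 src=10.0.0.5 event=EXEC program=PAYROLL
this line is not in the expected format
""".strip().splitlines()

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

The jdoe burst (three failures in 14 seconds) is reported; asmith's three failures spread over 35 minutes never fall inside the 5-minute window, so they are not, which is the threshold trade-off a reviewer has to tune. The SUPERZAP execution is reported regardless of frequency.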
II. Environmental Controls
The processing facility should be equipped with both cooling and heating systems to maintain a
constant level of temperature and humidity, as well as a fire suppression system.
5. Logical Controls
Logical Controls are established to limit system access to authorized people and to the extent
necessary to perform their duty. (Ex- database access lists should be reconciled with current
payroll lists)
There are 2 items involved in logical controls:
1) Authentication
2) Authorization
1) Authentication- is the act of ensuring that the person attempting to access the system is
in fact who he says he is. The most widespread means of achieving this is through the
use of IDs and passwords.
The elements of user account management include:
❖ Anyone attempting to access the organization's system must supply a unique identifier
and a password. The password itself must not be stored anywhere on the system; only a
salted, slow hash of it is stored, so that a stolen password file does not reveal the passwords.
❖ Password fatigue results when users must log on to systems several times during a day.
Single sign-on can address this, but it concentrates risk in one credential, so a high level
of maintenance and security awareness is required.
2) Authorization- is the act of ensuring that once in the system, the user can only access
those programs and data elements necessary to carry out their duties. (Ex- an AR clerk can
only view customers' credit limits but cannot change them, AND only the head of AR is
allowed to execute the program that updates the AR master file)
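The following is an added example, not part of the original notes, showing both halves of logical access control together: authentication verifies a password against a salted PBKDF2 hash (the password itself is never stored), and authorization then checks the authenticated role against a permission table that encodes the notes' AR clerk / head of AR example. User names, passwords, role names and the resource/action labels are constructed.

```python
# Added example (not from the study notes): the two halves of logical access
# control. Authentication verifies a password against a salted PBKDF2 hash (the
# password itself is never stored); authorization then checks the authenticated
# role against a permission table. User names, passwords, roles and the
# resource/action names are constructed for illustration.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return {"salt", "digest"}; a fresh random salt per user defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_password(stored, password):
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), stored["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored["digest"])


# Constructed permission table: role -> allowed (resource, action) pairs.
# Mirrors the notes' example: the AR clerk may view credit limits but not change
# them; only the head of AR may run the AR master-file update.
ROLE_PERMISSIONS = {
    "ar_clerk": {("customer_credit_limit", "read")},
    "ar_head": {
        ("customer_credit_limit", "read"),
        ("customer_credit_limit", "update"),
        ("ar_master_update", "execute"),
    },
}

# Constructed user store: only salt + digest are kept, never the password.
USERS = {
    "clerk1": {"role": "ar_clerk", "pw": hash_password("correct horse battery staple")},
    "arhead": {"role": "ar_head", "pw": hash_password("Tr0ub4dor&3!ledger")},
}
# Used when the user name is unknown so response time does not reveal valid IDs.
_DUMMY = hash_password("unused")


def authenticate(username, password):
    """Return the user's role on success, else None (same cost for unknown users)."""
    user = USERS.get(username)
    ok = verify_password(user["pw"] if user else _DUMMY, password)
    return user["role"] if (user and ok) else None


def is_authorized(role, resource, action):
    """Default deny: anything not listed for the role is refused."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


if __name__ == "__main__":
    role = authenticate("clerk1", "correct horse battery staple")
    for resource, action in [("customer_credit_limit", "read"), ("customer_credit_limit", "update")]:
        verdict = "allowed" if is_authorized(role, resource, action) else "denied"
        print(role, resource, action, "->", verdict)
```

Two details matter beyond the notes' wording: the comparison uses `hmac.compare_digest` so timing does not leak how many bytes matched, and an unknown user name still costs one hash computation, so an attacker cannot enumerate valid IDs by response time.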
6. Function Controls
Operations is the part of the information system involved in the daily processing of data and
producing results. Controls apply to input, processing, output, and storage.
1) Input Controls- provide reasonable assurance that data submitted for processing are
authorized, complete, and accurate.
There are 2 types of input controls:
❖ Online Input
❖ Batch Input
❖ Online Input Controls can be used when data are keyed into an input screen.
1) Pre-formatting- the data entry screen mimics (represents) the old hardcopy document,
forcing data entry in all fields.
2) Edit (field) checks- the data entry screen prevents certain types of incorrect data from
entering in the system. (Ex- the system rejects any attempts to enter a number in the name
field.) Dropdown menus can restrict the user’s choice to only valid selections.
4) Check Digits- an algorithm is applied to a serial identifier (customer number, account
number, etc.) to derive a check digit that is appended to it. During data entry, the system
recomputes the check digit to confirm the identifier was keyed correctly. A well-designed
(weighted) check digit detects most dropped OR transposed digits. However, if the check digit
is a simple sum of the digits, transposition errors will not be detected (Ex- 1,3,6 sums to
the same value as 3,6,1).
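The following is an added example, not part of the original notes, contrasting the two check-digit designs described above on the notes' own 1,3,6 example. It goes one step beyond the notes by using Luhn (the weighted mod-10 scheme on payment card numbers) as the weighted scheme, including its one known blind spot. The sample identifiers are constructed.

```python
# Added example (not from the study notes): two check-digit schemes on the same
# identifiers. A plain digit-sum check digit misses transpositions, as the notes
# warn; a weighted scheme such as Luhn (used on payment card numbers) catches
# every single-digit error and all adjacent transpositions except 09<->90.
# The sample identifiers are constructed.


def simple_sum_check_digit(payload):
    """Check digit = sum of the digits mod 10. Order-insensitive, so weak."""
    return sum(int(d) for d in payload) % 10


def luhn_check_digit(payload):
    """Luhn (mod 10) check digit for a string of digits without the check digit."""
    total = 0
    # Walk from the rightmost payload digit; double every second digit,
    # starting with the rightmost, and fold two-digit results by subtracting 9.
    for i, ch in enumerate(reversed(payload)):
        n = int(ch)
        if i % 2 == 0:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return (10 - total % 10) % 10


def luhn_valid(number):
    """True if the last digit of `number` is the correct Luhn check digit."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])


def detects(scheme, original, altered):
    """True if `scheme` yields different check digits, i.e. the keying error is caught."""
    return scheme(original) != scheme(altered)


if __name__ == "__main__":
    # "136" keyed as "361": same digit sum (the notes' example), different Luhn digit.
    for name, scheme in (("digit sum", simple_sum_check_digit), ("Luhn", luhn_check_digit)):
        print(f"{name:9} 136 -> {scheme('136')}  361 -> {scheme('361')}  "
              f"caught: {detects(scheme, '136', '361')}")
    print("single-digit error 7992739871 -> 7992739971 caught by Luhn:",
          detects(luhn_check_digit, "7992739871", "7992739971"))
    print("Luhn blind spot 09 <-> 90 caught:", detects(luhn_check_digit, "09", "90"))
```

The point for a control designer is that the strength of a check digit comes from position-dependent weights: the digit sum treats 136 and 361 identically, while Luhn gives them check digits 2 and 6. Luhn still misses the 09/90 swap, which is why stronger schemes (for example mod-97 as used in IBANs) exist where that matters.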
❖ Batch Input Controls can be used when data are grouped for processing in batches.
1) Management Release- a batch is not released for processing until a manager reviews and
approves it.
2) Record Count- a batch is not released for processing unless the number of records in
batch is same as reported by the system (matching the number calculated by the user).
3) Control Total Validation Routines- a batch is not released for processing unless the
sum of the dollar amounts of the individual items is the same as reported by the system
(matching the number calculated by the user).
4) Hash Total- is the arithmetic sum of a numeric field that has no meaning by itself (Ex- the
sum of all social security numbers); it serves as a check that the same records that should
have been processed were actually processed.
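The following is an added example, not part of the original notes, applying the record count, control total and hash total described above to an invoice batch. The user keys a batch header computed from the source documents; the batch is released only if all three figures agree with what the system computes. The invoice data and the two error scenarios are constructed.

```python
# Added example (not from the study notes): the three batch input checks from
# the notes applied to an invoice batch. The user keys a batch header (count,
# control total of amounts, hash total of vendor numbers); the batch is released
# only if all three agree with what the system computes. Invoice data are constructed.
from decimal import Decimal

CONTROL_FIELDS = ("record_count", "control_total", "hash_total")


def batch_totals(records):
    """What the system sees: record count, dollar control total, hash total of vendor numbers."""
    return {
        "record_count": len(records),
        "control_total": sum((r["amount"] for r in records), Decimal("0")),
        # The hash total is meaningless as a number; it only has to match.
        "hash_total": sum(r["vendor_no"] for r in records),
    }


def validate_batch(records, header):
    """Return a list of discrepancies; an empty list means the batch may be released."""
    computed = batch_totals(records)
    return [
        f"{field}: header {header[field]} != computed {computed[field]}"
        for field in CONTROL_FIELDS
        if header[field] != computed[field]
    ]


# Constructed sample batch of AP invoices as keyed by the data entry clerk.
BATCH = [
    {"invoice_no": 1001, "vendor_no": 4021, "amount": Decimal("250.00")},
    {"invoice_no": 1002, "vendor_no": 4177, "amount": Decimal("1299.99")},
    {"invoice_no": 1003, "vendor_no": 4021, "amount": Decimal("75.50")},
]
# Header totals the user computed from the source documents before keying.
HEADER = {"record_count": 3, "control_total": Decimal("1625.49"), "hash_total": 12219}

# Two error scenarios: a dropped record, and a vendor number keyed as 4771 instead of 4177.
DROPPED_RECORD = BATCH[:2]
MISKEYED_VENDOR = [dict(BATCH[0]), {**BATCH[1], "vendor_no": 4771}, dict(BATCH[2])]

if __name__ == "__main__":
    for label, records in (("good", BATCH), ("dropped record", DROPPED_RECORD),
                           ("miskeyed vendor", MISKEYED_VENDOR)):
        problems = validate_batch(records, HEADER)
        print(f"{label:16} {'RELEASE' if not problems else 'HOLD'} {problems}")
```

The mis-keyed vendor number passes the record count and the dollar control total, and only the hash total catches it, which is exactly why the notes list hash totals as a separate control rather than a redundant one. Money is held as `Decimal`, not `float`, so control totals compare exactly.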
2) Processing Controls- provides reasonable assurance that all data submitted for
processing are actually processed AND only approved data are processed. These controls
are built into the application code by programmers during the development process of the
system.
Furthermore, some processing controls repeat the steps performed in the input controls,
such as limit checks and control totals.
1) Validation- identifiers are matched against master files to determine existence. (Ex- any
AP transaction is rejected if the vendor’s number does not match the master file).
3) Arithmetic Controls- cross-footing compares an amount to the sum of its components.
Zero-balance checking adds the debits and credits in a transaction to ensure the sum is zero
(Dr = Cr).
4) Sequence Check- computer effort is expended most efficiently when data are processed
in logical order (Ex- customer number). This check ensures the batch is sorted in this
order before processing begins. Therefore, it is not appropriate for real-time environment.
5) Run to Run Control Totals- the control associated with a given batch are checked after
each stage of processing to ensure all transactions have been processed.
6) Key Integrity- a record’s key is the group of values in the fields that uniquely identify
the record. No application should be able to alter the data in these key fields.
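The following is an added example, not part of the original notes, running the processing controls above over an accounts payable posting batch: validation against the vendor master file, the zero-balance and cross-footing arithmetic checks, a sequence check on vendor number, and run-to-run control totals carried from the edit stage to the posting stage. The vendor master, account names and transactions are constructed.

```python
# Added example (not from the study notes): processing controls applied to an
# accounts payable posting batch: validation against the vendor master file,
# zero-balance and cross-footing arithmetic checks, a sequence check on vendor
# number, and run-to-run control totals carried from input to posting. Vendor
# master, account names and transactions are constructed.
from decimal import Decimal

D = Decimal
VENDOR_MASTER = {4021: "Acme Supplies", 4177: "Globex Corp"}


def check_sequence(records, key):
    """Sequence check: the batch must arrive sorted ascending on `key`."""
    keys = [key(r) for r in records]
    if keys != sorted(keys):
        raise ValueError("batch is not in sequence; sort it before processing")


def validate_record(rec, master):
    """Return a rejection reason, or None if the record passes every edit check."""
    if rec["vendor_no"] not in master:                         # validation against master file
        return f"vendor {rec['vendor_no']} not on master file"
    debits = sum((dr for _, dr, _ in rec["lines"]), D(0))
    credits = sum((cr for _, _, cr in rec["lines"]), D(0))
    if debits != credits:                                      # zero-balance check (Dr = Cr)
        return f"zero-balance check failed: Dr {debits} != Cr {credits}"
    if debits != rec["amount"]:                                # cross-footing: header vs components
        return f"cross-footing failed: amount {rec['amount']} != line total {debits}"
    return None


def process_batch(records, master, input_control_total):
    """Edit, then post accepted records; verify run-to-run totals at each stage."""
    check_sequence(records, key=lambda r: r["vendor_no"])
    accepted, rejected = [], []
    for rec in records:
        reason = validate_record(rec, master)
        if reason:
            rejected.append((rec["seq"], reason))
        else:
            accepted.append(rec)
    # Run-to-run total 1: everything that came in is accounted for, accepted or rejected.
    rejected_seqs = {seq for seq, _ in rejected}
    accepted_total = sum((r["amount"] for r in accepted), D(0))
    rejected_total = sum((r["amount"] for r in records if r["seq"] in rejected_seqs), D(0))
    if accepted_total + rejected_total != input_control_total:
        raise RuntimeError("run-to-run control total mismatch after edit stage")
    ledger = {}
    for rec in accepted:
        for account, dr, cr in rec["lines"]:
            ledger[account] = ledger.get(account, D(0)) + dr - cr
    # Run-to-run total 2: what was posted equals what the edit stage accepted.
    posted_debits = sum((dr for r in accepted for _, dr, _ in r["lines"]), D(0))
    if posted_debits != accepted_total:
        raise RuntimeError("run-to-run control total mismatch after posting stage")
    return {"posted": [r["seq"] for r in accepted], "rejected": rejected,
            "ledger": ledger, "accepted_total": accepted_total}


# Constructed batch, already sorted by vendor number, with the input control total
# established by the batch input controls.
SAMPLE_BATCH = [
    {"seq": 1, "vendor_no": 4021, "amount": D("250.00"),
     "lines": [("5100 Supplies", D("250.00"), D(0)), ("2100 Accounts Payable", D(0), D("250.00"))]},
    {"seq": 2, "vendor_no": 4177, "amount": D("100.00"),
     "lines": [("5200 Services", D("100.00"), D(0)), ("2100 Accounts Payable", D(0), D("90.00"))]},
    {"seq": 3, "vendor_no": 9999, "amount": D("40.00"),
     "lines": [("5100 Supplies", D("40.00"), D(0)), ("2100 Accounts Payable", D(0), D("40.00"))]},
]
INPUT_CONTROL_TOTAL = D("390.00")

if __name__ == "__main__":
    result = process_batch(SAMPLE_BATCH, VENDOR_MASTER, INPUT_CONTROL_TOTAL)
    print("posted:", result["posted"])
    for seq, reason in result["rejected"]:
        print(f"rejected seq {seq}: {reason}")
    print("ledger:", result["ledger"])
```

Rejected records are not silently dropped: their amounts are carried as a rejected total so that accepted plus rejected still reconciles to the input control total, which is what lets the error listing under output controls be trusted.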
3) Output Controls- provides assurance that processing was complete and accurate.
1) Audit Trail- a complete audit trail should be generated by each process: batch number,
time of submission, time of completion, number of records in the batch, total dollars in the
batch, number of records rejected, total dollars rejected, etc. The audit trail is immediately
submitted for a reasonableness check to the user, who is the most qualified to judge the
adequacy of processing and the proper treatment of erroneous (incorrect) transactions.
2) Error Listing- is a report with all transactions rejected by the system. These should be
corrected and re-submitted by the user.
4) Storage Controls
2) Dual Write Routines- the data are written to two separate physical devices (hard
drives) so that a mishap (accident) on one does not destroy the organization's data.
Spooling is sending data to intermediate storage that is accessible by a device when
needed.
3) Validity Checks- hardware that transmits OR receives data, compares bytes to the
permissible (allowed) combinations to determine whether they constitute a valid
structure.
4) Physical Controls- mounting hard drives in physically secure rooms and storing
portable media in locked storage areas are vital to preventing the compromise of
confidential data.
5) Snapshot- it copies often used data files and allows the file to be used while it is being
backed up. However, the risk is that this file may not be current.
6) Cloud Computing- standardized IT capability delivered via the internet as a pay-per-use
service. Advantages of cloud computing include lower infrastructure investment,
lower maintenance costs, increased mobility, and lower personnel costs. Disadvantages
include less control than over an internal IT department, more difficulty in assuring data
security, and less compatibility.
[Summary diagrams for Input Controls, Processing Controls, and Output Controls were not
recovered from the source pages.]
7. System Audit Techniques
There are 2 methods for auditing:
I. Auditing around the computer- is not appropriate when the system is sophisticated OR
the major controls are included in the computer programs. It may be appropriate for very
simple systems that produce adequate printed output.
The auditor manually processes the transactions and compares the results with the
client's computer results. Since only a small number of transactions can be tested, the
effectiveness of the tests of controls must be questioned.
II. Auditing through the computer (concurrent auditing)- uses the computer to test the
processing logic and controls within the system and the records produced.
(Techniques 1 to 5 below are concurrent auditing techniques.)
Computer Assisted Audit Techniques (CAATs) can be used for transaction-based systems
and provide automated methods for extracting and analyzing data.
1) Test Data- consists of set of dummy inputs containing both good and bad data elements.
This approach tests the client’s program. The auditor can assess the controls embedded in
the application by observing how the system treats good and bad data elements.
Test data must never be mingled (mixed) with the real data and test data must not
interfere with the production processing.
2) Parallel Simulation- subjects the client data to auditor created programs. The goal is to
determine whether the data is what the client claims is or not. Parallel simulation requires
the auditor to have some technical knowledge. The auditor must also have an extensive
communication with the client to learn about the functions of the applications being
imitated (copied).
3) Generalized Audit Software (GAS)- allows the auditor to load a copy of the client's
production data onto the auditor's computer and perform the analysis. The auditor can
search for duplicate records, gaps in numbers, and high-monetary transactions. The issue
is making sure that the data obtained are the correct data to be tested. (Ex- IDEA and
ACL)
4) Spreadsheet Analysis- permit easy analysis of huge amounts of client’s data and
performing the what if scenarios (Ex- Excel)
5) Integrated Test Facility (ITF)- the auditor creates dummy files on the client's live
production system. The objective is to determine whether a real-time system contains
adequate controls or not. ITF requires great care to ensure that no transactions of the dummy
files are included in the production reports and output files.
6) Embedded Audit Module- is an integral part of an application system. It is designed to
identify and report actual transactions and other information that meets the criteria of
having an audit significance. An advantage is that it permits continuous monitoring of
online, real time systems. A disadvantage is that audit hooks must be programed into the
system to permit inserting audit modules.
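The following is an added example, not part of the original notes, of the three analyses the notes list for generalized audit software (duplicate records, gaps in numbers, high-monetary transactions) run over a copy of a cheque register. The gap test is the same check that the periodic reconciliation of pre-numbered forms in the control procedures section performs. The register rows are constructed.

```python
# Added example (not from the study notes): the three analyses the notes list for
# generalized audit software, run over a copy of a cheque register. The same gap
# test is what the periodic reconciliation of pre-numbered forms performs. The
# register rows are constructed.
from collections import defaultdict
from decimal import Decimal


def find_gaps(doc_numbers):
    """Missing numbers inside a pre-numbered sequence (possible unrecorded documents)."""
    present = set(doc_numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def find_duplicates(records, key_fields):
    """Groups of cheque numbers sharing the same key_fields values (possible double payments)."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[f] for f in key_fields)].append(r["cheque_no"])
    return [nums for nums in groups.values() if len(nums) > 1]


def high_value(records, threshold):
    """Records at or above a monetary threshold, largest first, for targeted testing."""
    return sorted((r for r in records if r["amount"] >= threshold),
                  key=lambda r: r["amount"], reverse=True)


# Constructed cheque register extract.
REGISTER = [
    {"cheque_no": 5001, "vendor_no": 4021, "invoice_ref": "A-1101", "amount": Decimal("250.00")},
    {"cheque_no": 5002, "vendor_no": 4177, "invoice_ref": "G-88", "amount": Decimal("1299.99")},
    {"cheque_no": 5003, "vendor_no": 4021, "invoice_ref": "A-1102", "amount": Decimal("75.50")},
    {"cheque_no": 5005, "vendor_no": 4300, "invoice_ref": "Z-7", "amount": Decimal("4800.00")},
    {"cheque_no": 5007, "vendor_no": 4177, "invoice_ref": "G-88", "amount": Decimal("1299.99")},
    {"cheque_no": 5008, "vendor_no": 4021, "invoice_ref": "A-1103", "amount": Decimal("12.00")},
]


def audit_register(records=REGISTER, threshold=Decimal("1000")):
    """Run all three GAS-style tests and return the cheque numbers each one flags."""
    return {
        "gaps": find_gaps(r["cheque_no"] for r in records),
        "duplicates": find_duplicates(records, ("vendor_no", "invoice_ref", "amount")),
        "high_value": [r["cheque_no"] for r in high_value(records, threshold)],
    }


if __name__ == "__main__":
    for test, flagged in audit_register().items():
        print(f"{test:10} {flagged}")
```

Cheques 5004 and 5006 are missing from the sequence, 5002 and 5007 pay the same vendor invoice for the same amount, and three cheques exceed the threshold. As the notes warn, all of this is only as good as the extract: the auditor must first confirm the copy is complete and is the production data.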
14.3 Security Measures and Business Continuity Planning
1. Risks of Internet
The use of internet has several risks including:
1) Brute-Force Attack- uses password cracking software to try a large number of letter and
number combinations to access a network. A simpler variation is a dictionary attack, in which
the password cracking software tries all the words in a dictionary.
3) Sniffing- is the use of software to eavesdrop (spy) on information sent by a user to the
host computer of a website. (Ex- a hacker viewing information exchanged between 2
users)
4) Man in the Middle- attacks in which the attacker places himself between the two
communicating parties, often building on network sniffing. These attacks may be used to steal
data, obtain access, OR analyze the traffic in the network and learn about its operations.
2. Segregation of Duties in an IT Department
Computer operators, programmers, analysts and librarians should not have overlapping
responsibilities. These functions should be segregated (not combined in one person). As with
the segregation of accounting duties, this enhances system security: it separates functions to
minimize the opportunity for one person to penetrate the system and conceal errors or
fraud in the normal course of his/her duties.
➢ Network and Information Security- these people protect and monitor the company’s
network and information (Ex- LAN, firewall internet)
➢ System Analysts- they provide the design specification to the programmers of the new
system. System analysts should not do the programming or even have access to hardware,
software or data files.
➢ Programmers- are the individuals who write, test, revise and document systems. They
should not have access to computers and programs that are in actual use by employees
for processing.
➢ Librarians- maintain documentation, programs, and data files. They should have no
access to equipment or servers.
➢ Computer Operators- oversee the running of computer systems, ensuring that the
machines and computers are running properly. They can either run it remotely or in the
server room.
➢ Data Control Group- receives input, logs it monitors the processing of data, reconciles
input and output, distributes output to authorized users and check to see that errors are
corrected.
➢ Help Desk- provides IT support to the various systems and application users
3. Encryption
Encryption technology converts data into a code. Unauthorized users may still be able to access
the data, but without the encryption key they will be unable to decode the information.
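The following is an added example, not part of the original notes, illustrating a caveat to both encryption sections (here and under Access Controls above): encryption alone hides the content but does not stop an attacker with access to the transmission from modifying it. A toy stream cipher (keystream derived with HMAC-SHA256 in counter mode, for illustration only and not for production use) is shown first without and then with a message authentication code. Keys, nonce and the payment message are constructed.

```python
# Added example (not from the study notes): why "difficult to modify" needs more
# than encryption. A toy stream cipher (keystream from HMAC-SHA256 in counter
# mode, for illustration only, not for production use) hides the message, but an
# attacker who knows the layout can flip bits so the decrypted amount changes.
# Adding a MAC over the ciphertext (encrypt-then-MAC) makes the tampering
# detectable. Keys, nonce and the message are constructed.
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key, nonce, length):
    """Deterministic byte stream from (key, nonce); never reuse a nonce with the same key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, nonce, data):
    """Encrypt and decrypt are the same XOR operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key, mac_key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key, mac_key, blob):
    """Verify the tag before touching the ciphertext; refuse anything that was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return xor_crypt(enc_key, nonce, ct)


def flip_bytes(ciphertext, offset, old, new):
    """Without the key: XOR old^new into the ciphertext so it decrypts to `new` at `offset`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


MESSAGE = b"PAY 00100.00 TO ACCT 4021"   # constructed payment instruction


def demo_malleability():
    """Encryption only: attacker turns 00100.00 into 99100.00 and the receiver cannot tell."""
    key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
    ct = xor_crypt(key, nonce, MESSAGE)
    tampered = flip_bytes(ct, offset=4, old=b"00", new=b"99")
    return xor_crypt(key, nonce, tampered)


def demo_detection():
    """Encrypt-then-MAC: the same bit flip is rejected before decryption."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    blob = seal(enc_key, mac_key, nonce, MESSAGE)
    tampered = (blob[:NONCE_LEN]
                + flip_bytes(blob[NONCE_LEN:-TAG_LEN], 4, b"00", b"99")
                + blob[-TAG_LEN:])
    try:
        open_sealed(enc_key, mac_key, tampered)
    except ValueError:
        return True
    return False


def roundtrip(plaintext):
    """Untampered sealed messages still open correctly."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(NONCE_LEN)
    return open_sealed(enc_key, mac_key, seal(enc_key, mac_key, nonce, plaintext))


if __name__ == "__main__":
    print("without MAC, receiver decrypts:", demo_malleability())
    print("with MAC, tampering detected:", demo_detection())
```

The attacker in `demo_malleability` never learns the key and never reads the message; knowing only where the amount sits in the layout is enough to change it. In practice, use an authenticated encryption mode (AES-GCM or ChaCha20-Poly1305) from a vetted library rather than assembling cipher and MAC by hand as this illustration does.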
4. Firewalls
A firewall is a combination of hardware and software that separates an internal network from
an external network, such as the internet, and prevents the passage of specific types of
traffic. A firewall alone is not an adequate defense against computer viruses, so anti-virus
software is also crucial.
Network firewalls- regulate traffic to an entire network (Ex- a LAN). The firewall examines
each connection request and, depending on the rules set up by network security staff, grants
or denies access.
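The following is an added example, not part of the original notes, of the rule evaluation just described: each packet is matched against an ordered rule list, the first matching rule wins, and anything that matches no rule is denied. The addresses (private and TEST-NET ranges), ports and rules are constructed.

```python
# Added example (not from the study notes): how a rule-based network firewall
# decides: each packet is checked against an ordered rule list, the first match
# wins, and anything unmatched is denied. Addresses, ports and rules are
# constructed (TEST-NET and private ranges).
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, or None for any port


def matches(rule, pkt):
    """True if every field of the rule covers the packet."""
    return (
        rule.proto in ("any", pkt["proto"])
        and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == pkt["dport"])
    )


def evaluate(pkt, rules):
    """Return (action, index of the matching rule); default deny when nothing matches."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed policy: quarantine one subnet first, then permit only HTTPS to the
# web server and DNS to the internal resolver.
RULES = [
    Rule("deny", "any", "10.0.5.0/24", "0.0.0.0/0", None),
    Rule("allow", "tcp", "10.0.0.0/8", "203.0.113.10/32", 443),
    Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", 53),
]

PACKETS = [
    {"proto": "tcp", "src": "10.0.1.7", "dst": "203.0.113.10", "dport": 443},   # normal HTTPS
    {"proto": "tcp", "src": "10.0.5.9", "dst": "203.0.113.10", "dport": 443},   # quarantined subnet
    {"proto": "tcp", "src": "10.0.1.7", "dst": "203.0.113.10", "dport": 22},    # SSH, no rule
    {"proto": "udp", "src": "10.0.1.7", "dst": "10.0.0.53", "dport": 53},       # DNS
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt, "->", evaluate(pkt, RULES))
    # Rule order matters: with the quarantine rule moved last, the second packet is allowed.
    print("misordered:", evaluate(PACKETS[1], RULES[1:] + R[:1] if False else RULES[1:] + RULES[:1]))
```

The last line of the demo shows the classic misconfiguration: the same three rules with the deny rule moved to the end let the quarantined host through, because the HTTPS allow rule matches first. Reviewing a firewall therefore means reviewing rule order, not just the set of rules.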
6. Business Continuity Planning
Disaster Recovery is the process of resuming normal information processing operations after the
occurrence of a major interruption. (Getting the information systems and data back.)
Business Continuity Planning is the continuation of business by other means during the period
in which computer processing is unavailable or less than normal. (Keeping the business
operating until recovery is complete.)
b. Natural Disaster
The most extreme disaster is when the organization's main facility is not accessible
due to floods, fires, hurricanes, or earthquakes. The firm must prepare to operate
from another physical location.
❖ WARM SITE- has some hardware and connectivity already installed, but lacks the servers
and client terminals needed to resume processing; these must be brought in and configured.
❖ COLD SITE- is a shell facility that lacks most infrastructure but is readily available for
quick installation of hardware.