University of Mississippi
eGrove

Industry Guides (AAGs), Risk Alerts, and Checklists
American Institute of Certified Public Accountants (AICPA) Historical Collection

1981

Audit and control considerations in a minicomputer or small business computer environment; Computer services guidelines
American Institute of Certified Public Accountants. Auditing Minicomputer Task Force

Follow this and additional works at: https://egrove.olemiss.edu/aicpa_indev

Part of the Accounting Commons, and the Taxation Commons

Recommended Citation
American Institute of Certified Public Accountants. Auditing Minicomputer Task Force, "Audit and control considerations in a minicomputer or small business computer environment; Computer services guidelines" (1981). Industry Guides (AAGs), Risk Alerts, and Checklists. 712.
https://egrove.olemiss.edu/aicpa_indev/712

This Book is brought to you for free and open access by the American Institute of Certified Public Accountants (AICPA) Historical Collection at eGrove. It has been accepted for inclusion in Industry Guides (AAGs), Risk Alerts, and Checklists by an authorized administrator of eGrove. For more information, please contact egrove@olemiss.edu.
COMPUTER SERVICES GUIDELINES

Audit and Control Considerations in a Minicomputer or Small Business Computer Environment

American Institute of Certified Public Accountants (AICPA)


Notice to Readers

This publication is issued by the American Institute of Certified Public Accountants for the information of its members and other interested parties. However, it does not represent an official position of any of the Institute’s senior technical committees.

Prepared by

Auditing Minicomputer Task Force (1979-1980)
Alan H. Nierenberg, Chairman
David M. Harris
Christine P. Salter
Kenneth H. Sheibley
Lawrence J. Stallman

AICPA Staff
Alan Frotman, Manager

Approved by

EDP Auditing Standards Subcommittee (1979-1980)
Robert S. Roussey, Chairman

Computer Services Executive Committee (1979-1980)
Karl G. King, Chairman
Darold D. Brockhaus
Jeffrey D. Green
Stanley D. Halper
John F. Hessenius
Elise G. Jancura
Thomas J. Koger
Fred L. Lilly
Alwyn Rougier-Chapman
Richard D. Webb
Kent Yarnall

AICPA Staff
Donald L. Adams, Vice President, Administrative Services
Alan Frotman, Manager
Copyright © 1981 by the
American Institute of Certified Public Accountants, Inc.
1211 Avenue of the Americas, New York, N.Y. 10036
Contents
PREFACE v

THE MINICOMPUTER ENVIRONMENT


Characteristics and Definitions 1
Comparison of Minicomputers and Larger Computers 2
Relevance to the Auditor 2

CONTROL CONSIDERATIONS IN A MINICOMPUTER ENVIRONMENT


Lack of Segregation of Functions Between the EDP Department
and Users 3
Location of the Computer 4
Lack of Segregation of Functions Within the EDP Department 4
Limited Knowledge of EDP 5
Utility Programs 6
Diskettes 6
Terminals 6
Software Packages 7
Documentation 7
Summary 7

AUDIT CONSIDERATIONS
Planning the Audit 11
Obtaining Knowledge of the Entity 12
Study and Evaluation of Internal Accounting Controls 12
Substantive Audit Techniques 13
Computer-Assisted Audit Techniques 13
Summary 15

APPENDIX
A Minicomputer System 16
Hardware Features of a Minicomputer System 17
Software Features of a Minicomputer System 18
Using a DFU as an Audit Tool 23
Preface
Minicomputers are used in many companies to automate processing of financial data. An increasing number of auditors are encountering the widespread use of minicomputers to process financial information.

Audit and Control Considerations in a Minicomputer or Small Business Computer Environment is intended to be a basic document for the minicomputer environment. The reader should already have a basic knowledge of data processing concepts. Although prepared primarily for the independent CPA, this guideline can also be useful to internal auditors, EDP auditors, data processing managers, and managers of businesses that use minicomputers. The purposes of this publication are to define a minicomputer environment, to provide the reader with an understanding of that environment, and to offer guidelines for addressing the audit and control considerations in that environment.

It may be helpful for the reader to be aware of certain other AICPA publications that provide basic information on internal controls and audit considerations in computer systems. These AICPA publications include

• The Auditor’s Study and Evaluation of Internal Control in EDP Systems (1977)
• Management, Control and Audit of Advanced EDP Systems (1977)
• Audit Considerations in Electronic Funds Transfer Systems (1978)
• Computer-Assisted Audit Techniques (1979)
• Controls Over Using and Changing Computer Programs (1979)
• Audit Approaches for a Computerized Inventory System (1980)

The Minicomputer
Environment
The purpose of this guideline is to assist the auditor in planning and conducting an audit in an environment where a minicomputer is used to process significant accounting data. The following specific matters will be addressed:

• Control-related characteristics of the minicomputer environment.
• Risks and controls to reduce these risks.
• Audit considerations and substantive audit techniques.

Characteristics and Definitions


The term minicomputer is often used to describe a family of computers that includes small business computers, microcomputers, and intelligent terminals.

The term minicomputer environment, as used in this document, does not refer to the type of hardware used; rather, it refers to the organizational and operating characteristics commonly associated with a minicomputer. The auditor will find this guideline applicable to both minicomputer and large-scale computer installations that exhibit some of the following characteristics:

• Lack of segregation of functions between the EDP department and users. Personnel in the user department initiate and authorize source documents, enter data into the system, operate the computer, and use the output reports.
• Location of the computer. The computer is generally located in the same area as the user department.
• Lack of segregation of functions within the EDP department. There is a limited number of “technical” data processing personnel.
• Limited knowledge of EDP. The supervisor responsible for data processing has limited knowledge of EDP.

In addition, the following characteristics are found in many minicomputer environments:

• Utility programs. Utility programs are used extensively to enter and to change data.
• Diskettes. Diskettes are used extensively for file storage.
• Terminals. Terminals are used for transaction data entry, inquiry, and other interactive functions.
• Software packages. Purchased software packages are used extensively rather than internally developed application software.
• Documentation. Available system, program, operation, and user documentation may be limited or nonexistent.

Not all minicomputer installations have these characteristics. For example, the minicomputer may be located in a separate computer room, or it may be operated by data processing personnel. In such cases, some of the special audit and control considerations described in this guideline may not apply.

The minicomputer hardware forms the basis for other types of environments, including multiple independent minicomputers and minicomputers used for data entry only.

Multiple Computers. The auditor may encounter organizations with one or more minicomputers in each major department or division. When the processing performed by any one of these minicomputers is independent of that performed by another minicomputer, the applicable audit considerations may fall within the scope of this guideline. However, when application systems require that minicomputers communicate with each other or with a host computer, the control considerations regarding data communications are not covered in this guideline.

For example, a large manufacturing company may have a minicomputer in each of its divisions to maintain perpetual inventory records. Each division’s minicomputer may transmit inventory balances periodically to a host computer located at a central processing facility. The data communication aspect of such a system adds a new dimension that is not addressed in this document.

Data Entry. Some minicomputers are exclusively used to convert source transactions into machine-readable form, thereby replacing keypunch machines and punched cards. The storage media containing input transactions are generally used by another computer to process and to update application master files. The minicomputer environment in which data entry is the only function performed is not covered in this guideline.

Comparison of Minicomputers and Larger Computers
In many respects a minicomputer is similar to a medium- or large-scale computer having disk (or diskette) and magnetic tape (or cassette) storage devices for recording and maintaining transactions, data files, and computer programs. A minicomputer has a main memory for programs to process information and a central processing unit (CPU) that executes programmed instructions. Input transactions are usually entered through cathode ray tube (CRT) terminals or through off-line data entry devices. The processing power of many minicomputers often exceeds the capabilities of some current large-scale computer systems.

Preprogrammed applications, such as accounts receivable, accounts payable, payroll, and general ledger, are widely available for minicomputers as well as for other computers. Utility software programs, such as program library maintenance and control programs, generalized report writers, and data base management systems commonly used in large-scale computer environments are available for some minicomputers.

There are, however, significant differences between minicomputers and larger computers. A minicomputer costs less than a larger system; in fact, some minicomputers can be purchased for less than the cost of one month’s rental of a large-scale computer. Special air conditioning, humidity controls, and electrical power circuits may not be necessary for the operation of minicomputers. Relatively little space is necessary for a minicomputer, and its small size makes it easy to move.

However, minicomputers do have certain limitations. Large-scale computers can perform a greater variety of technical and application-related functions, and large-scale computers provide greater storage capacity than even the largest minicomputers.

Relevance to the Auditor


Auditors are encountering an increasing number of organizations that use minicomputers to process accounting information. Many small organizations now use minicomputers because of their comparatively low cost, and minicomputers have proliferated throughout different divisions of large organizations.

Statement on Auditing Standards (SAS) no. 1 states:

Since the definition and related basic concepts of accounting control are expressed in terms of objectives, they are independent of the method of data processing used; consequently, they apply equally to manual, mechanical, and electronic data processing systems. However, the organization and procedures required to accomplish these objectives may be influenced by the method of data processing used.1

SAS no. 3, The Effects of EDP on the Auditor’s Study and Evaluation of Internal Control, adds:

When EDP is used in significant accounting applications, the auditor should consider the EDP activity in his study and evaluation of accounting control. This is true whether the use of EDP in accounting applications is limited or extensive. . . .2

This caveat is valid regardless of the type or size of the computer used to process significant accounting applications.

1AICPA, Statement on Auditing Standards 1, Codification of Auditing Standards and Procedures (New York: 1973), section 320, paragraph 33.
2AICPA, Statement on Auditing Standards 3, The Effects of EDP on the Auditor's Study and Evaluation of Internal Control (New York: 1974), paragraph 3.

Control Considerations in a
Minicomputer Environment
The characteristics of the minicomputer environment described in the preceding section may result in a weak overall control of that environment. This section identifies and describes several of the control characteristics that may exist in the minicomputer environment, the risks associated with these characteristics, and the controls required to reduce these risks.3

The impact of these characteristics and the associated risks will vary according to the extent to which the application is automated, according to the type and significance of financial transactions being processed, and according to the application controls established within the system.

Figure 1 summarizes the characteristics of the minicomputer environment, lists the risks associated with each characteristic, and identifies some controls (see figure 1 at the end of this section).

Lack of Segregation of Functions Between the EDP Department and Users
In a minicomputer environment, the auditor may find that personnel in the user department initiate and authorize source documents, enter data into the system, operate the computer, and use the output reports. In such an environment, the EDP function generally is not segregated from the user’s activities, and the personnel initiating and authorizing transactions may control the entire processing of those transactions.

Risks. Lack of segregation of functions between the EDP department and users may permit the perpetration and concealment of errors and irregularities—a situation analogous to a manual system in which the accounting department consists of only one or two people.

Lack of segregation of functions also may result in unauthorized changes to master files, which in turn can result in inaccurate and incomplete processing. If users also have access to company assets, there is an additional risk of diversion of such assets.

Without a control function, independent of the user’s operation department, to receive all data for processing, ensure all data are authorized and recorded, follow up all errors detected during processing, and verify the proper distribution of output, processing errors may result. Inadequate control over data movement may result in lost, added, or altered data. Unless the system can reduce these risks, the auditor may be faced with a poorly controlled accounting system.

Controls. Controls may reduce the risks associated with the lack of segregation of user and EDP functions. The company may use an effective system of transaction logs and batch controls. Personnel independent of transaction authorization and processing may maintain or review processing logs, transaction logs, and reports of batch control information. Effective supervision may be a control in some minicomputer environments, and passwords could be introduced to control access to files and libraries. In addition, the company may require personnel periodically to take vacations and rotate duties. This latter requirement provides not only some control but also cross-training.

An organization may achieve some control by reconciling record counts or hash totals. Additional control may be obtained by requiring that all master file changes be made by application programs, not by utility programs provided by the manufacturer. For example, all changes, additions, and deletions to the employee payroll master file could be authorized in writing on prenumbered forms and posted to the master file by an application program. A control over the posting might be to compare the record count and totals on the file maintenance listing with predetermined totals made from the source documents to ensure that only authorized changes have been made and that all source documents have been accounted for.

Transaction counts and other batch-type controls may be employed in minicomputer systems. Control totals may be established over the number of transactions and other significant numeric information to be entered for processing. For example, these control totals could be recorded manually in batch control logs. The control log totals could then be reconciled with input and output totals by the same individual who enters and processes the transactions, but it might be more effective if the logs were maintained by another individual who is independent of the data entry and processing functions.

The lack of segregation of functions between EDP and users has a pervasive effect on the structure of internal accounting controls in an organization. Many of the potential risks associated with the other characteristics of the minicomputer environment are related to the lack of segregation of functions.

3For a more complete discussion of controls see The Auditor's Study and Evaluation of Internal Control in EDP Systems (New York: AICPA, 1977).

Location of the Computer


In a minicomputer environment, the computer is often located in the same area as the user department rather than in a separate data processing department. Because minicomputers are not very sensitive to temperature, humidity, and other environmental factors, management is not inclined to locate the minicomputer in a physically secure area. Also, in many installations the computer can be accessed through terminals located throughout the organization.

Risks. The location of the minicomputer may result in weaknesses in access controls, which may result in improper use or manipulation of data files, unauthorized use or modification of computer programs, or improper use of computer resources.

Controls. System software in some minicomputers may enable management to control access to programs and data files by restricting access to specific menus and procedures. A menu is a list of items or jobs from which a terminal operator may make a selection. A procedure is a set of control statements that causes a series of programs or jobs to be processed. By restricting access to specific menus and procedures, management may control unauthorized computer processing. For example, this technique allows management to prevent unauthorized personnel from executing specific applications, such as payroll and disbursements.

Some minicomputer systems may generate reports that identify individuals using the system, record the programs executed, and specify other relevant information. Management review of these reports may be an effective access control. Also, management may periodically compare these reports with a predetermined processing schedule to verify that only authorized processing has been performed. In addition, some systems provide the option to replace a minicomputer on/off switch with a key lock to control use of the system.

Lack of Segregation of Functions Within the EDP Department
The functions of programming and operating the computer are normally not separated because of the limited number of personnel in the minicomputer environment. Programs and data files are frequently resident on the system at all times and are accessible to any individual who operates the minicomputer. Frequently, in a minicomputer environment, one nonmanagement individual is assigned primary responsibility for the system, including dealing with the hardware and software vendor, maintaining the system, and training the operators.

Risks. Unrestricted access to program or data files may result in unauthorized access to information and in the perpetration and concealment of errors or irregularities.

Controls. Controls over access to programs can vary considerably in a minicomputer environment. The form in which programs are maintained (object code or source code) can limit their exposure to unauthorized changes. Some programming languages (for example, COBOL and RPG) require the use of a compiler to convert the source code (programming language) into object code (machine-executable statements). When application programs are not available to the user in source code form, unauthorized changes are difficult to make, and this control may make certain changes virtually impossible. Programs can be modified more easily if source code is available; in such cases, the compiler could be maintained off-line in a secured area. The auditor should be aware, however, that copies of compilers can be obtained from outside sources and copied onto the system to perform unauthorized programming activity.

Some minicomputers provide system-generated library directories containing the date on which the object programs were catalogued to the system. Management may compare these directories with manually maintained records to determine that only authorized program changes have been made. The availability of these library directories depends on the particular computer system and its systems software. If library directories are not available, management may periodically compare the program in use with an authorized version to verify that the correct program is being used.

Some minicomputers use interpretive language programs that are stored in source code and converted to machine-executable instructions each time the instruction is executed. Control over program changes may be a problem in such installations because changes can be made without leaving any evidence of the change. Some manufacturers provide the user with the ability to lock the program files, making them inaccessible for unauthorized modification.

System software may provide an access control to program and data files similar to that of a librarian function by requiring the insertion of a code or password into the system before an individual can gain access to files and data. However, this control will be effective only if the code is restricted to individuals whose duties require access to program files and data.

Systems software controls may permit employees with different levels of responsibility to have different access and inquiry capabilities. For example, a “read only” facility permits inquiry of the master files and the execution of programs but prohibits modification. Through this control, management could limit the payroll clerk to processing only payroll functions and could assign another individual, such as the personnel manager, to updating the employee master files for processing other payroll changes.

Limited Knowledge of EDP


In many minicomputer installations, the individual responsible for data processing has a limited knowledge of EDP. Supervisors may have a thorough knowledge of the operations of their department, but they may not have the training necessary to understand and to supervise computer operations effectively. In practice, the minicomputer location, not personnel qualifications, often determines the assignment of supervisory responsibility.

Risks. Because the experience and level of knowledge of the person assigned primary EDP responsibility may be limited, programs and procedures developed by individuals with limited knowledge and experience in EDP may not conform to management requirements, and the review and approval of test results by these individuals after program modification may be an ineffective control. As a result, the systems implemented may not meet management objectives or operate according to management specifications.

Controls. Operations, programs, and systems documentation may be required and maintained. In addition, management may engage a third party to review new or modified programs and systems before they are implemented.

Utility Programs
Many minicomputer systems have utility programs that allow nontechnical personnel to build, change, and access data files. These utility programs are frequently used for routine functions, such as data capture and file maintenance.

Risks. Utility programs provide opportunities for unauthorized access and changes to data files. For example, they can be used to add unauthorized employees to a payroll master file without leaving an audit trail, or they can be used to fraudulently modify significant financial data. Since they are designed for general use, utility programs may not contain all the controls that are desirable for a particular function.

Controls. Using passwords to limit access to data files may prevent an unauthorized individual from updating or changing the contents of a file. Also, the company may use application programs rather than utility programs to update transaction or master files.

Diskettes
Diskettes—also known as floppy disks—are a direct access magnetic storage medium with limited storage capacity used in some minicomputers to maintain both master files and transaction files. They are not normally used on large-scale computers for this purpose.

Risks. If the system software does not include the capability to perform effective internal label checking on diskettes, the identification of the correct version of the file is largely the responsibility of the operator who, in some cases, may also be the user. As a result, there are no controls to prevent the processing of wrong files, to detect errors in file changes, or to highlight operator errors.

The use of diskettes as the storage medium for master files creates the risk of data manipulation through data entry devices as well as through computer programs. Information on diskettes may be modified by data entry devices without producing a record of the change.

Controls. These risks may be decreased by restricting access to diskettes to authorized individuals only. A control feature on some minicomputers allows the user to store data on diskettes in a format that is not readable by data entry devices. Manual logs may also be maintained to control the library of diskette files.
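What internal label checking does, as an added example that is not part of the AICPA guideline. The 20-byte label layout (8-byte file identifier, 4-digit generation number, YYYYMMDD creation date) is hypothetical and does not reproduce any vendor's label format; the labels are constructed. The program states which file and generation it expects, and processing does not start unless the mounted diskette's label agrees, which removes the operator's memory from the control.

```python
"""Internal label check on a diskette file before it is processed.

Added example; not code from the AICPA guideline. The 20-byte label layout
(8-byte file identifier, 4-digit generation number, YYYYMMDD creation date)
is hypothetical and does not reproduce any vendor's label format; the
labels below are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Label:
    file_id: str
    generation: int
    created: date


def parse_label(record: bytes) -> Label:
    """Decode the header label written when the file was created."""
    text = record.decode("ascii")
    if len(text) != 20:
        raise ValueError(f"label must be 20 bytes, got {len(text)}")
    return Label(
        file_id=text[0:8].rstrip(),
        generation=int(text[8:12]),
        created=date(int(text[12:16]), int(text[16:18]), int(text[18:20])),
    )


def check_label(record: bytes, expected_file_id: str, expected_generation: int):
    """Return None when the mounted diskette holds the file the program
    expects, otherwise a message saying why processing must not start.
    A stale generation is the classic operator error: last week's master
    file mounted instead of the one written by the last update run."""
    try:
        label = parse_label(record)
    except (UnicodeDecodeError, ValueError) as exc:
        return f"unreadable label: {exc}"
    if label.file_id != expected_file_id:
        return f"wrong file: {label.file_id} mounted, {expected_file_id} expected"
    if label.generation != expected_generation:
        return (f"wrong generation of {label.file_id}: {label.generation:04d} "
                f"(created {label.created}) mounted, "
                f"{expected_generation:04d} expected")
    return None


# Constructed labels: current and stale accounts-payable master, and an
# accounts-receivable master with the same generation number.
CURRENT_AP_MASTER = b"APMAST  004319810316"
STALE_AP_MASTER = b"APMAST  004219810309"
AR_MASTER = b"ARMAST  004319810316"

if __name__ == "__main__":
    for record in (CURRENT_AP_MASTER, STALE_AP_MASTER, AR_MASTER, b"junk"):
        print(check_label(record, "APMAST", 43))
```

The expected generation number has to come from somewhere the operator does not control, typically a control record updated by the last run that wrote the file; if the operator can key it in at the console, the check only confirms what the operator already believes.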

Terminals
In a minicomputer environment, terminals are generally used for transaction data entry, inquiry, and other interactive functions. Because transaction entry usually accounts for the largest volume of activity, it usually accounts for the greatest number of potential errors. In a minicomputer environment, transactions are frequently entered through on-line terminals and edited as part of the entry process.

Risks. Some minicomputer environments may lack adequate provisions for ensuring that transactions are properly authorized. This may result in erroneous or fraudulent data. The unrestricted use of terminals can result in weak access controls over programs and data files, and unauthorized access to data files and programs creates the risk of improper use or manipulation of those files or programs. Also, the individual who is responsible for entering transactions into the system may also be the individual who is authorized to approve them.

Controls. The control of data entered through a terminal may be established by using software that will allow only certain terminals to be used for specific transactions and by using a combination of physical access controls, such as key locks and locked rooms. In addition, the entry of identification or passwords may be required for an operator to execute specific functions. For example, the terminal located in the payroll department could be restricted to payroll transactions only.

Controls over on-line entry procedures may be designed into the system to provide a means to reduce data entry errors. For example, in an inventory application, the system could check to determine that a sales transaction contains a valid part number, that the sales quantity does not exceed the quantity on hand, and that the unit of measure is appropriate.

Another control technique involves encryption of program and data files. Encryption is the process of converting data into an uninterpretable representation that can be read only by applying the algorithm with the proper key. If this technique is used, access to the key (and to the algorithm itself, where it is not published) should be restricted to authorized personnel only. In many systems, passwords are stored in encrypted or one-way hashed form to prevent users who can reach the password file from reading its contents.
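The terminal controls in this section put together, as an added example that is not part of the AICPA guideline: a terminal is restricted to specific transactions, the operator must be identified before a restricted function runs, the operator must be authorized for that function, and an inventory sale is then put through the three edit checks named above. Terminal IDs, operator IDs, part numbers and the inventory master are constructed. The password file is held as salted one-way hashes (PBKDF2), which is how the protected password file described above is built in practice: nothing in the file can be turned back into a password, even by someone who can read it.

```python
"""On-line entry controls at a terminal: restriction of terminals to specific
transactions, operator identification before a restricted function, and edit
checks on an inventory sales transaction.

Added example; not code from the AICPA guideline. Terminal IDs, operator
IDs, part numbers and the inventory master are constructed. The password
file is kept as salted one-way hashes (PBKDF2-HMAC-SHA256).
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_password_record(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed password file. The plaintext is used only to build the records
# here; the system stores only salt and digest.
PASSWORD_FILE = {
    "JSMITH": make_password_record("payday-81"),
    "MJONES": make_password_record("stock-take"),
}

# Which transactions each terminal, and each operator, may enter.
TERMINAL_FUNCTIONS = {"T03": {"PAYROLL"}, "T07": {"INVSALE", "INVQRY"}}
OPERATOR_FUNCTIONS = {"JSMITH": {"PAYROLL"}, "MJONES": {"INVSALE", "INVQRY"}}

# Constructed inventory master: quantity on hand and unit of measure.
INVENTORY = {
    "P-1001": {"on_hand": 120, "unit": "EA"},
    "P-2045": {"on_hand": 8, "unit": "BOX"},
}


def verify_operator(operator: str, password: str) -> bool:
    record = PASSWORD_FILE.get(operator)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _hash_password(password, salt))


def edit_sale(txn: dict) -> list:
    """The edit checks given for an inventory sale: valid part number,
    quantity not above quantity on hand, appropriate unit of measure."""
    part = INVENTORY.get(txn.get("part_no"))
    if part is None:
        return ["invalid part number"]
    errors = []
    qty = txn.get("qty")
    if not isinstance(qty, int) or qty <= 0:
        errors.append("quantity must be a positive whole number")
    elif qty > part["on_hand"]:
        errors.append(f"quantity {qty} exceeds quantity on hand {part['on_hand']}")
    if txn.get("unit") != part["unit"]:
        errors.append(f"unit of measure {txn.get('unit')} not appropriate "
                      f"for part (expected {part['unit']})")
    return errors


def enter_transaction(terminal, operator, password, function, txn):
    """Accept a transaction only when the terminal may enter it, the operator
    is identified, and the operator is authorized for the function.
    Returns the reasons for rejection; an empty list means accepted."""
    if function not in TERMINAL_FUNCTIONS.get(terminal, set()):
        return ["function not permitted from this terminal"]
    if not verify_operator(operator, password):
        return ["operator identification failed"]
    if function not in OPERATOR_FUNCTIONS.get(operator, set()):
        return ["operator not authorized for function"]
    if function == "INVSALE":
        return edit_sale(txn)
    return []


if __name__ == "__main__":
    sale = {"part_no": "P-2045", "qty": 9, "unit": "EA"}
    print(enter_transaction("T07", "MJONES", "stock-take", "INVSALE", sale))
```

The terminal check runs before the password check so that a payroll password typed at a stockroom terminal is rejected without being evaluated, and the operator-to-function table is separate from the terminal table: a payroll clerk who walks over to the inventory terminal still cannot enter a sale.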

Software Packages
Companies using minicomputers frequently do not develop application software internally but acquire the software from outside sources.

Risks. If management lacks EDP knowledge, the acquired systems may not be properly reviewed and tested to ensure that they meet management and user objectives and that they have adequate application controls.

Controls. Management may use a third party to review and evaluate proposed software packages before they are implemented.

On the other hand, there may be control advantages in using application software acquired from outside sources. In some cases, software vendors do not provide source program versions, which makes it difficult to modify the programs.

Documentation
Available system, program, operation, and user documentation may be limited or nonexistent.

Risks. A company that does not have adequate documentation may not have an understanding of the flow of transactions through the system. This may result in undetected errors during data entry, processing, and system maintenance.

Controls. A company may employ a number of application controls over access, data entry, transaction balancing, program change, and output to reduce the risks associated with lack of adequate documentation.

Summary
The characteristics described in this section have accompanying risks that the auditor should consider in the study and evaluation of internal accounting controls in organizations using minicomputers. Many of these risks result from the lack of segregation of functions and the inadequate access controls established within the system.

In the minicomputer environment, as elsewhere, the auditor reviews the system of internal accounting controls established by an organization over the processing of financial transactions. The combination of manual and EDP application controls for specific applications may be sufficient to achieve control objectives and to offset risks associated with weaknesses in general controls. Effective controls, appropriately tested, may enable the auditor to reduce substantive testing procedures. When controls are not in place to reduce the risks discussed, the auditor would be limited to performing substantive procedures to gain reasonable assurance that material errors and irregularities are not present.

FIGURE 1
CONTROL CONSIDERATIONS IN A MINICOMPUTER ENVIRONMENT

Lack of Segregation of Functions Between the EDP Department and Users


(Personnel in the user department initiate and authorize source documents, enter data into the system, operate
the computer, and use the output reports.)

Risks
Perpetration and concealment of errors or irregularities.
Unauthorized changes to master files.
Inaccurate and incomplete processing of data.
Processing errors.
Incomplete or erroneous data.
Uncorrected errors.
Lost, added, or altered data.
Controls
Maintenance of transaction logs and batch controls by user department.
Independent review of processing logs, transaction logs, and batch control information.
Management supervision.
Passwords to control access to files and libraries.
Required vacations and rotation of duties.
Reconciliation of record counts or hash totals.
Use of application programs to make changes in master files.
Independent reconciliation of transaction totals recorded in batch control logs with input and output totals.
Comparison of system manufacturer’s utility program with authorized application version.

Location of the Computer


(The computer is located in the same area as the user department.)

Risks
Improper use or manipulation of data files.
Unauthorized use or modification of computer programs.
Improper use of computer resources.

Controls
Menus and procedures to control processing access.
Management review of usage reports (history logs).
Periodic comparison of usage reports with processing schedule.
Physical control over data entry devices.

Lack of Segregation of Functions Within the EDP Department


(There is no segregation between programmers and operators.)
Risks
Unauthorized access to information and programs.
Perpetration and concealment of errors or irregularities.
Errors caused by improper use or manipulation of data files or unauthorized or incorrect use of computer program.
Application programs that do not meet management's objectives.

Controls
Use of a compiler to convert the source code into object code.
Comparison of library directories with manual records.
Comparison of program in use with an authorized version.
Use of interpretive language programs.
Passwords to control access to libraries and files.
Software controls to limit system access capabilities according to employee function.
Test libraries.
Management review of usage reports (history logs).
Systems of transaction logs, batch controls, processing logs, and run-to-run controls.

Limited Knowledge of EDP


(Supervisor responsible for data processing has limited knowledge of EDP.)

Risks
Failure of systems to meet management objectives or operate according to management specifications.
Lack of adequate application controls.
Inadequate testing and review of systems.

Controls
Operations documentation.
Program documentation.
Systems documentation.
Use of third party to review new and modified programs and systems.

Utility Programs
(Utility programs are used extensively to enter and to change data.)

Risks
Unauthorized access and changes to data.
Undetected errors in file manipulation.
Lack of adequate application controls.
Processing of unauthorized transactions and omitting of authorized transactions.
Perpetration and concealment of errors or irregularities.

Controls
Use of passwords to control access to data files.
Use of application programs to update files.
Independent control over transaction and master file changes, such as item count, control total, and hash totals.
Limited access to utilities.
Removal of utilities from system when practical to do so.

Diskettes
(Diskettes are used extensively for file storage.)
Risks
Processing of the wrong file.
Inability to detect errors in file changes.
Inability to highlight operator errors.

Controls
Control over access to diskettes.
Storage of data in format not readable by key entry devices.
Use of manual logs to control diskette library.

Terminals
(Terminals are used for transaction data entry, inquiry, and other interactive functions.)

Risks
Unauthorized input.
Erroneous or fraudulent data.
Errors caused by improper use or manipulation of data files or computer programs.
Erroneous or incomplete data.

Controls
Use of software that will allow only certain terminals to be used for specific functions.
Use of physical controls to limit access to data files.
Use of passwords to control access to data files.
Encryption of data and programs.
On-line computer edit procedures.
Record counts, batch controls, run-to-run controls, verification.
Error handling control procedure and error logs.
Use of menus and procedures.

Software Packages
(Purchased software packages are used extensively rather than internally developed application software.)

Risks
Failure of systems to meet management and user objectives.
Lack of adequate application controls.
Inadequate testing of systems.

Controls
Use of third party to review and evaluate proposed software packages.

Documentation
(Available system program, operation, and user documentation may be limited or nonexistent.)

Risks
Undetected errors during processing and system maintenance.
Controls
User-based controls.
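Several of the controls listed in Figure 1 (maintenance of batch controls by the user department, reconciliation of record counts or hash totals, and independent reconciliation of batch control log totals with input and output totals) rest on the same mechanism. The following is an added example, not code from the guideline: three batch controls are recorded at input and recomputed from the output file, and the reconciliation shows which kinds of processing error each control exposes. The record layout and the transaction batches are constructed for the example.

```python
from decimal import Decimal
from typing import NamedTuple


class Transaction(NamedTuple):
    account: int       # account number keyed by the user department
    amount: Decimal    # transaction amount


class BatchControls(NamedTuple):
    record_count: int        # number of records in the batch
    control_total: Decimal   # sum of a meaningful field (the amount)
    hash_total: int          # sum of a field with no arithmetic meaning (the
                             # account number); it exists only to expose lost,
                             # added or re-keyed records the other totals miss


def compute_controls(batch):
    """Compute the three batch controls over a sequence of transactions."""
    return BatchControls(
        record_count=len(batch),
        control_total=sum((t.amount for t in batch), Decimal("0")),
        hash_total=sum(t.account for t in batch),
    )


def reconcile(logged, processed):
    """Compare the controls written in the batch control log at input with the
    controls recomputed from the output file.  Returns the list of differences;
    an empty list means the batch reconciles."""
    differences = []
    for field in BatchControls._fields:
        before, after = getattr(logged, field), getattr(processed, field)
        if before != after:
            differences.append(f"{field}: logged {before}, output {after}")
    return differences


# Constructed input batch, as keyed and recorded in the batch control log.
INPUT_BATCH = [
    Transaction(10017, Decimal("250.00")),
    Transaction(10042, Decimal("75.50")),
    Transaction(10042, Decimal("-75.50")),   # reversal nets to zero in the control total
    Transaction(10108, Decimal("1200.00")),
]

# Constructed output file in which one record was re-keyed to another account
# with the same amount: count and control total still agree; only the hash
# total changes.
OUTPUT_REKEYED = [
    Transaction(10017, Decimal("250.00")),
    Transaction(10042, Decimal("75.50")),
    Transaction(10042, Decimal("-75.50")),
    Transaction(10180, Decimal("1200.00")),
]

# Constructed output file from which the last record was lost in processing.
OUTPUT_LOST = INPUT_BATCH[:-1]


def reconcile_batches():
    """Run the reconciliation for the three constructed output files."""
    logged = compute_controls(INPUT_BATCH)
    return {
        "unaltered": reconcile(logged, compute_controls(INPUT_BATCH)),
        "rekeyed": reconcile(logged, compute_controls(OUTPUT_REKEYED)),
        "lost": reconcile(logged, compute_controls(OUTPUT_LOST)),
    }


if __name__ == "__main__":
    for name, diffs in reconcile_batches().items():
        print(name, "->", "reconciles" if not diffs else "; ".join(diffs))
```

The re-keyed case is the reason the figure lists hash totals separately from control totals: a record moved to the wrong account leaves the count and the amount total intact, so only a total over the account-number field detects it. The reconciliation is only worth something when the logged controls are kept by someone other than the person who operates the computer, which is the segregation point the figure makes.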
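Two further controls in Figure 1, "Comparison of library directories with manual records" and "Comparison of program in use with an authorized version", address the risk of unauthorized program changes where programmers and operators are the same people. The following is an added example, not code from the guideline: a manual record of the authorized library (a content fingerprint plus the directory's change date for each program) is taken while the library is known good and later compared with the production library. The library contents, member names and dates are constructed for the example; SHA-256 is used as the fingerprint, an assumption rather than anything the guideline specifies.

```python
import hashlib
from datetime import date

# Constructed production library: member name -> (object code, last change date
# as shown in the library directory).
LIBRARY_AUTHORIZED = {
    "AR100": (b"\x05\x10AR100 post receivables\x00", date(1980, 6, 2)),
    "AP200": (b"\x05\x10AP200 pay vendors\x00", date(1980, 6, 2)),
    "GL300": (b"\x05\x10GL300 post ledger\x00", date(1980, 9, 14)),
}


def fingerprint(object_code: bytes) -> str:
    """SHA-256 of the object code: a short, comparable stand-in for a full
    byte-for-byte comparison with the authorized copy."""
    return hashlib.sha256(object_code).hexdigest()


def record_authorized_versions(library):
    """Build the manual record (name -> fingerprint and change date) at a time
    when the library is known to hold only authorized programs."""
    return {name: (fingerprint(code), changed) for name, (code, changed) in library.items()}


def compare_library(library, manual_record):
    """Compare the library directory and member contents with the manual record.
    Returns sorted lists of unauthorized (not on record), modified (content or
    directory date differs) and missing (on record but absent) members."""
    findings = {"unauthorized": [], "modified": [], "missing": []}
    for name, (code, changed) in library.items():
        if name not in manual_record:
            findings["unauthorized"].append(name)
        elif (fingerprint(code), changed) != manual_record[name]:
            findings["modified"].append(name)
    findings["missing"] = [name for name in manual_record if name not in library]
    return {category: sorted(names) for category, names in findings.items()}


# Constructed state of the same library some months later: AR100 was changed
# (new content and date), a file editor was placed in the production library,
# and GL300 is gone.
LIBRARY_LATER = {
    "AR100": (b"\x05\x10AR100 post receivables, discount override\x00", date(1981, 1, 7)),
    "AP200": (b"\x05\x10AP200 pay vendors\x00", date(1980, 6, 2)),
    "PATCH9": (b"\x05\x10PATCH9 file editor\x00", date(1981, 1, 7)),
}


def review_library():
    """Compare the later library with the record taken of the authorized one."""
    manual_record = record_authorized_versions(LIBRARY_AUTHORIZED)
    return compare_library(LIBRARY_LATER, manual_record)


if __name__ == "__main__":
    for category, names in review_library().items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Comparing the directory date alone is the weaker half of the control, because whoever can change a program can usually also reset the directory entry; the content fingerprint catches a change made with the date put back, and the date catches a recompile of unchanged source that the reviewer should still ask about. The manual record has to be kept outside the system, otherwise it is subject to the same access weakness the control is meant to compensate for.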

Audit Considerations
The preceding section described the internal accounting controls in a minicomputer environment. This section describes audit and planning considerations contained in SAS 1, Codification of Auditing Standards and Procedures, SAS 3, The Effects of EDP on the Auditor’s Study and Evaluation of Internal Control, and SAS 22, Planning and Supervision. It also describes substantive audit techniques and provides guidance in selecting computer-assisted audit techniques appropriate to particular circumstances.
The use of a minicomputer to process accounting applications generally affects the planning of an audit. SAS 3 states, “When EDP is used in significant accounting applications, the auditor should consider the EDP activity in his study and evaluation of accounting control. This is true whether the use of EDP in accounting applications is limited or extensive. . . .” The auditor’s considerations of internal accounting controls may be an important part of the examination. The existence of a minicomputer also may have an impact upon the planning of the nature, timing, and extent of audit procedures to be applied in an examination of the financial statements. Planning and conducting the audit in this environment may require special skills, and the auditor may find the following knowledge helpful:
• A general understanding of computer systems including equipment components and their capabilities.
• A general understanding of computer operating systems and software.
• Familiarity with file processing techniques and data structures.
• Knowledge of program and systems documentation.
• Working knowledge of EDP accounting controls to identify and evaluate the controls in the organization’s installation.
• Familiarity with the process of developing and modifying programs.
• A general understanding of the risks inherent in using computers to process significant financial information.

Planning the Audit


The use of a minicomputer may affect the nature, timing, and extent of audit procedures. The conditions that distinguish a computer system from a manual system and that, in turn, affect the planning of an audit are described briefly below.
• Many control procedures in manual systems leave documentary evidence of performance. Since comparable control procedures in computer systems often leave no documentary evidence of performance, specialized compliance tests may be required.
• Information in manual systems is visible, whereas files and records in EDP systems are usually recorded in machine-sensible form that cannot be read without the use of the computer.
• The decrease of human involvement in the handling of transactions in EDP systems can obscure errors that might have been caught in a manual system.
• With proper controls in place, EDP systems can provide a greater degree of reliability than manual systems because they uniformly subject all data to the same controls.
• An auditor ordinarily must obtain special knowledge of EDP (SAS 3, paragraph 4) to develop an understanding of complex EDP systems (used in some minicomputer installations) and to perform tests of compliance and other necessary audit procedures, which requires a significant amount of training beyond that needed for working with manual systems.
• An auditor may want to become familiar with the design and testing of new EDP systems at an early stage in the development process in order to anticipate possible problems in future audits of those systems because of the difficulty in making changes after an EDP system has been implemented.

Obtaining Knowledge of the Entity
The auditor should understand the nature of the business and the accounting system being audited, as well as the features of the minicomputer environment.4 The auditor should understand the use of the minicomputer in significant financial applications, including the organization of the EDP function within the entity and the nature of the accounting applications being processed.

Study and Evaluation of Internal Accounting Controls
The study of internal accounting controls includes both the EDP and non-EDP features of the minicomputer system and should provide the auditor with an understanding of the flow of transactions through the accounting system, a grasp of the extent to which EDP is used in each significant accounting application, and the knowledge of the procedures designed to achieve the objectives of internal accounting controls. An auditor’s study and evaluation of a company’s system of internal accounting controls should encompass all significant manual, mechanical, and EDP activities, as well as the relation between EDP and the departments using the information.
In a minicomputer environment, as elsewhere, the auditor should consider the system of internal accounting controls, reliance on which may allow restriction of substantive procedures. In this environment, the system includes both the general EDP controls and the manual and EDP application controls.
Because general EDP controls are frequently weak in a minicomputer environment, the auditor may find it more effective to concentrate on application controls in the study of internal accounting controls. The auditor, however, should consider the effect of weaknesses in general EDP controls and should be aware of the potential impact of specific weaknesses in these controls upon application controls. With an understanding of these weaknesses, the auditor should be able to anticipate the errors and irregularities that could occur in the individual applications and be alert to potential application controls to reduce the risks inherent in the minicomputer environment. In some cases, weaknesses in general EDP controls may reduce the reliability of application controls. In other cases, application controls and controls independent of the EDP function may be adequate to allow the auditor to rely on them to determine the nature, timing, and extent of audit procedures. A combination of manual and EDP internal accounting controls for specific applications may be adequate to achieve internal accounting control objectives. When internal accounting controls are not adequate to reduce the risks inherent in the environment, the auditor would not rely on those controls in planning the nature, timing, and extent of substantive procedures.
The techniques which are appropriate for testing internal accounting controls in a minicomputer environment are essentially the same as in other computer environments. However, the design of many minicomputer applications can have an impact upon the auditor’s approach to the review of application controls. Some of the elements of an accounting application that would be of interest to the auditor during the review of application controls are
• Identification of transactions
• Flow of transactions
• Computer processing steps
• Output reports
Minicomputer systems are frequently designed for on-line transaction entry. Since written documentation of minicomputer systems may be poor, the auditor’s approach to identifying significant transactions may vary. The display of transaction categories and types on the terminal screen may be the only source of transaction identity available to the auditor. In minicomputer systems that perform on-line interactive editing of transactions, the only evidence of these edits might be error messages displayed on the terminal. Consequently, the auditor might observe the entry of valid and invalid transactions to determine the existence of edit controls. The auditor should then consider the need to determine if these edit controls were functioning throughout the period under examination.
The flow of transactions through the accounting system includes the procedures for authorizing and originating data, controlling input to the system, editing and capturing data within the system, and assuring that rejected transactions are corrected and re-entered promptly. When the auditor finds that a single individual has responsibility for all these functions, it may be necessary to determine what independent activities exist to control these processes.
In many minicomputer environments, the specific processing steps performed by the system may be transparent to the user-operator. When application software has been acquired from outside sources, it may be necessary for the auditor to obtain additional information from the supplier to obtain an adequate understanding of computer processing steps. An understanding of the computer processing steps and the information retained by the system helps the auditor to design appropriate audit procedures.

4 AICPA, Statement on Auditing Standards 22, Planning and Supervision (New York: 1978).

Substantive Audit Techniques


In a minicomputer environment, the techniques used to accomplish substantive procedures may differ from those used in a large-scale computer environment. Some of the conditions in the minicomputer environment contributing to the differences are the following:
• Manual procedures may be cost-justified by lower data volumes.
• Generalized audit software may not be available for some minicomputers.
• Minicomputers frequently have utility programs that can be used by the auditor.
In determining the appropriateness of manual substantive procedures in a minicomputer environment, the auditor considers the results of the evaluation of internal accounting controls, the information that is needed to accomplish substantive auditing objectives, and the source of this information. The auditor may also consider the cost-effectiveness of manual as opposed to computer-assisted audit techniques. If a complete and documented audit trail is available or if the volume of data subject to review and testing is relatively small, it may be more cost-effective to use manual techniques. On the other hand, if the audit trail is obscured or if data volumes are very large, the use of computer-assisted audit techniques may be more effective and efficient. If the auditor determines that manual auditing procedures are appropriate, the same types of procedures used in a manual system generally apply to a minicomputer environment.

Computer-Assisted Audit Techniques


The use of a minicomputer to perform audit tests is another important consideration. Some computer-assisted audit techniques are available for use on minicomputer systems, and the AICPA audit and accounting guide, Computer-Assisted Audit Techniques, describes commonly used techniques and their applicability. The auditor can determine the feasibility of these techniques by reviewing the minicomputer’s software capabilities and data file structures and contents.
Computer-assisted audit techniques generally require the use of computer data files. Planning for their use includes obtaining detailed information about the required files. Since data in machine-sensible files are constantly changing, the auditor should make prior arrangements with the company to obtain a copy of the appropriate data files as of a specified date.

Generalized Audit Software. Generalized audit software is a computer program or a series of programs designed to perform certain data processing functions. The software can read computer files, select desired information, perform calculations, and print reports in a format specified by the auditor. The use of software does not normally require knowledge of a programming language, and it facilitates audit documentation.
If generalized audit software is available
for a minicomputer system, the auditor should consider using it. If it is not available, the auditor may be able to process minicomputer-generated files on large-scale computers for which generalized audit software is available. In evaluating such an approach, the auditor should consider the following conditions:
• Compatibility of the minicomputer’s data file media with those of the large-scale computer.
• Compatibility of the minicomputer’s data representation with that of the large-scale computer.
• Confidentiality of client data.
• Cost of using a large-scale computer.
Most minicomputer systems use disks and diskettes for storing data. Disk files used by minicomputers are generally not compatible with the disk units installed on large-scale computers. Minicomputers may also use fixed disks, which cannot be removed from the system and taken elsewhere for processing. The most compatible media between minicomputers and large-scale computers are diskettes and magnetic tape. Facilities may be available to convert minicomputer files into media that are compatible with large-scale computers.
Data representation compatibility is another consideration associated with processing minicomputer data on a large-scale computer. Data representation is the data code used to represent information on computer-sensible media. The two most frequently used data representation conventions available on minicomputers, ASCII and EBCDIC, can be read by most large-scale computers. The tasks for the auditor are to identify the minicomputer data representation convention and to determine its compatibility with the computer on which the data are to be processed.
If it is necessary to remove the organization’s information for processing at an outside installation, the confidentiality of the organization’s information becomes a consideration in deciding whether to use generalized audit software. To ensure the confidentiality of the information, the auditor might obtain a confidentiality agreement with the outside organization, be present to control the processing, and ensure that data generated during processing are deleted upon completion.
The auditor may use certain types of generalized audit software packages known as source program generator packages that are compatible only with large-scale computers to generate programs that can be processed on a minicomputer. Such packages generate customized source programs based on user-specified parameters. Using this type of software, it may be possible to develop the source program for the minicomputer application at another computer installation and then, with some further changes, to compile and execute the generated program on the minicomputer. This approach requires more EDP expertise than is typically needed to use a generalized audit software package in its native environment.
The use of generalized audit software to process minicomputer data files may be cost-justified in certain circumstances. If generalized audit software contains needed special audit routines not available from other sources, it may be more cost-effective to use the generalized audit software on another computer than to perform the task manually or through other computer-assisted audit techniques.

Utility Programs. Utility programs are usually available on minicomputers and can be used for certain audit tasks. The more widely used minicomputers may provide utility programs with extended capabilities to access data files, to perform mathematical and logical operations, and to generate output files. While these utilities do not provide all of the functions that can be performed by a programming language, they are less complex and easier to use.
The inquiry-language utility programs available on some minicomputers may be used to perform audit procedures. Applications include accessing a client data file, printing a sample of records for review and testing, and developing control totals. For example, the auditor may use a utility program to accumulate totals from an accounts payable file and to print details for audit testing. The auditor may also use a utility program to print the details of invoices that contain the date of goods received on or near the end of the year to assist in reviewing inventory and payable cut-offs.
The use of utility programs in the audit should be carefully coordinated with the client to minimize the risk that the auditor might introduce errors into the data file under review. The control concerns regarding utilities described in the preceding section also apply to the auditor’s use of them. In this regard, the auditor should consider the application of typical audit control considerations as described in the AICPA audit and accounting guide, Computer-Assisted Audit Techniques.

Specialized Audit Programs. Specialized audit programs are written to perform specific audit tasks, and they may provide a cost-effective approach for applying certain audit procedures in a minicomputer environment. Specialized audit programs require more technical knowledge and documentation effort than generalized audit software packages. The considerations for using specialized audit software in a minicomputer environment are the same as in any computer environment.
A potentially cost-effective method of obtaining specialized audit software is the use of existing client programs. Modifying existing programs can be more cost-effective than independently developing special audit programs. This approach requires the auditor to verify that the modified program functions as intended and to exercise control over processing before the auditor can rely on the output.
This approach can be particularly appropriate for accounts receivable. An accounts receivable system installed on a minicomputer may include the capability of selecting and generating accounts receivable confirmation requests. The system may have the capability of selecting accounts according to various criteria, such as by every nth item, by specified account numbers, or by correspondence of a specified number to one digit of the account number. To determine that the confirmation requests correspond to the specified selection criteria, the auditor can review and verify the selection program logic, observe the processing of the program, and determine that the master file corresponds to the population being tested. Another approach would be to determine the validity of the selection criteria applied by comparing the confirmation requests with a listing of the total population that had been footed and agreed with an account balance.

Other Computer-Assisted Audit Techniques. The AICPA audit and accounting guide, Computer-Assisted Audit Techniques, describes other techniques, such as test data, program logic review, and timesharing, that can be applicable in a minicomputer environment. The primary factors in evaluating the desirability of such techniques are their cost-effectiveness, the auditor’s proficiency in EDP, and the effects of weaknesses in internal accounting controls. If there are weaknesses in general controls, such as controls over changes to production programs, then certain techniques, such as using test data, reviewing program logic, and employing audit modules, may not yield reliable audit information.
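The data representation discussion and the utility-program examples above (identifying whether a file is ASCII or EBCDIC, accumulating totals from an accounts payable file, and listing invoices with goods received on or near the year end for cut-off review) can be carried out with a short program where no inquiry utility is available. The following is an added example, not code from the guideline or from any vendor utility: Python's cp037 codec is taken as the EBCDIC convention, and the fixed-length record layout, the invoice data and the 31 December 1980 year end are constructed for the example.

```python
from datetime import date, timedelta
from decimal import Decimal

EBCDIC = "cp037"          # IBM EBCDIC code page, used here as the EBCDIC convention
RECORD_LEN = 48
# Constructed fixed-width record layout: field -> (start, end) character offsets.
LAYOUT = {
    "vendor": (0, 5),      # vendor number, 5 digits
    "invoice": (5, 15),    # invoice number, left-justified, blank-filled
    "received": (15, 23),  # date goods received, YYYYMMDD
    "amount": (23, 35),    # amount, 12 digits, two implied decimal places
}                          # positions 35..47 are unused filler


def identify_representation(data: bytes) -> str:
    """Decide whether a file is ASCII or EBCDIC by decoding a sample both ways
    and seeing which reading yields ordinary text (digits, letters, blanks)."""
    sample = data[:4096]

    def plain_text_ratio(text):
        return sum(ch.isascii() and (ch.isalnum() or ch in " .,-/") for ch in text) / max(len(text), 1)

    as_ascii = sample.decode("ascii", errors="replace")
    as_ebcdic = sample.decode(EBCDIC)
    return "EBCDIC" if plain_text_ratio(as_ebcdic) > plain_text_ratio(as_ascii) else "ASCII"


def parse_ap_file(data: bytes):
    """Split a fixed-length EBCDIC file into records and convert each field."""
    if len(data) % RECORD_LEN:
        raise ValueError("file length is not a whole number of records")
    records = []
    for offset in range(0, len(data), RECORD_LEN):
        text = data[offset:offset + RECORD_LEN].decode(EBCDIC)
        f = {name: text[a:b] for name, (a, b) in LAYOUT.items()}
        records.append({
            "vendor": int(f["vendor"]),
            "invoice": f["invoice"].strip(),
            "received": date(int(f["received"][:4]), int(f["received"][4:6]), int(f["received"][6:])),
            "amount": Decimal(int(f["amount"])).scaleb(-2),   # apply the implied decimals
        })
    return records


def control_totals(records):
    """Record count, control total of amounts and hash total of vendor numbers."""
    return {
        "record_count": len(records),
        "control_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["vendor"] for r in records),
    }


def cutoff_candidates(records, year_end, window_days=5):
    """Invoices with goods received within window_days either side of year end."""
    low, high = year_end - timedelta(days=window_days), year_end + timedelta(days=window_days)
    return sorted((r for r in records if low <= r["received"] <= high), key=lambda r: r["received"])


def make_record(vendor, invoice, received, amount_cents):
    """Encode one constructed record the way the client's system would write it."""
    text = f"{vendor:05d}{invoice:<10}{received:%Y%m%d}{amount_cents:012d}".ljust(RECORD_LEN)
    return text.encode(EBCDIC)


# Constructed accounts payable file for a 31 December 1980 year end.
AP_FILE = b"".join([
    make_record(101, "A-1001", date(1980, 11, 15), 125000),
    make_record(205, "B-7731", date(1980, 12, 29), 40050),
    make_record(101, "A-1042", date(1981, 1, 3), 99999),
    make_record(330, "C-0009", date(1981, 1, 20), 1500000),
    make_record(205, "B-7750", date(1980, 12, 31), 2500),
])


def audit_ap_file(data=AP_FILE, year_end=date(1980, 12, 31)):
    """Identify the representation, parse the file, and return totals and cut-off items."""
    representation = identify_representation(data)
    records = parse_ap_file(data)
    return representation, control_totals(records), cutoff_candidates(records, year_end)


if __name__ == "__main__":
    rep, totals, cutoff = audit_ap_file()
    print("data representation:", rep)
    print("control totals:", totals)
    for r in cutoff:
        print(f"{r['vendor']:5d} {r['invoice']:<10} {r['received']} {r['amount']:>12}")
```

The program only reads the copy of the file; it never writes to it, which is the coordination point the guideline makes about utilities introducing errors into the data under review. The control totals it produces are what the auditor agrees to the client's own accounts payable control account before relying on the cut-off listing, and the representation check is the first thing to run on a file taken to another machine, since the same bytes read under the wrong convention produce numbers that are wrong rather than obviously unreadable.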
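The accounts receivable confirmation procedure described above has two halves: selecting accounts by a stated criterion (every nth item, specified account numbers, or a digit of the account number) and verifying that the requests the client's program produced correspond to that criterion, against a population that has been footed and agreed to an account balance. The following is an added example, not code from the guideline or from any accounts receivable package: the three selection criteria are implemented independently of the client's program, and the verification routine checks the printed requests against them. The master file records and the control account balance are constructed for the example.

```python
from decimal import Decimal

# Constructed accounts receivable master file: (account number, balance), in
# master-file sequence.
AR_MASTER = [
    (10017, Decimal("1250.00")), (10023, Decimal("0.00")),    (10042, Decimal("318.75")),
    (10051, Decimal("4100.00")), (10068, Decimal("92.10")),   (10073, Decimal("775.00")),
    (10087, Decimal("2600.25")), (10094, Decimal("15.00")),   (10108, Decimal("1999.99")),
    (10116, Decimal("640.00")),
]

CONTROL_BALANCE = Decimal("11791.09")   # constructed general ledger control account


def every_nth(master, n, start=1):
    """Every nth record in master-file sequence, beginning at 1-based position start."""
    return [rec for pos, rec in enumerate(master, 1) if pos >= start and (pos - start) % n == 0]


def specified_accounts(master, account_numbers):
    """Accounts named explicitly by the auditor."""
    wanted = set(account_numbers)
    return [rec for rec in master if rec[0] in wanted]


def digit_match(master, position, digit):
    """Accounts whose account-number digit at position (0 = leftmost) equals digit."""
    return [rec for rec in master if str(rec[0])[position] == str(digit)]


def foot(records):
    """Total the balances of a listing."""
    return sum((balance for _, balance in records), Decimal("0"))


def verify_requests(master, requests, control_balance, criterion):
    """Agree the footed population to the control account, then check that the
    confirmation requests are exactly the records the criterion selects.
    requests: list of (account, balance) as printed on the confirmations."""
    findings = []
    population_total = foot(master)
    if population_total != control_balance:
        findings.append(f"population foots to {population_total}, control account is {control_balance}")
    for account, balance in requests:
        if (account, balance) not in master:
            findings.append(f"request for {account} at {balance} has no matching master record")
    expected = criterion(master)
    requested = {account for account, _ in requests}
    selected = {account for account, _ in expected}
    missing = sorted(selected - requested)
    extra = sorted(requested - selected)
    if missing:
        findings.append(f"criterion selects {missing} but no request was produced")
    if extra:
        findings.append(f"requests for {extra} are outside the criterion")
    return findings


def check_system_selection():
    """Constructed requests printed by the client's program for an every-3rd
    selection, with one substitution the program should not have made."""
    requests = [(10017, Decimal("1250.00")), (10042, Decimal("318.75")),
                (10087, Decimal("2600.25")), (10116, Decimal("640.00"))]
    return verify_requests(AR_MASTER, requests, CONTROL_BALANCE, lambda m: every_nth(m, 3))


if __name__ == "__main__":
    for finding in check_system_selection() or ["requests agree with the selection criterion"]:
        print(finding)
```

The substitution in the constructed requests (account 10042 printed in place of 10051, the account with the largest balance) is the kind of difference the guideline's second approach is designed to surface: each printed request agrees to a master record, so a request-by-request check would pass, and only comparing the set of requests with the criterion applied to the footed population shows that the selection was not the one specified.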

Summary
The use of a minicomputer may affect the nature and timing of the audit and may require skills in addition to those necessary in auditing financial statements from manual systems. Auditors assigned should be knowledgeable about the features and capabilities of minicomputers. Participation by knowledgeable individuals in audit planning can improve audit productivity by using the computer to perform audit tests.
The appendix describes a small business computer and identifies the features relevant to control and audit procedures. Examples of using such features to accomplish audit procedures are also presented.

Appendix
There are numerous minicomputers and small business computers used to process financial applications. Although many minicomputer systems have similar features and capabilities, the IBM System/34 is used to illustrate the concepts presented in this guideline. This appendix describes the System/34 environment, lists its hardware and software features exclusive of application programs, and provides examples of the use of a software utility to perform audit tasks. (The aspects of the System/34 relevant to internal controls are shaded in gray.) When auditing in other minicomputer environments, the auditor should obtain an understanding of the features available on the specific minicomputer.
Some of the material presented was compiled from information provided by the IBM Corporation. Because changes in hardware and systems software are continually being made, the specifications contained herein might not represent current specifications, and no effort has been made to verify the accuracy or completeness of the information provided by IBM.

A Minicomputer System
The System/34 is a general purpose, small business system with the capability of using several programming languages. The system is used in a variety of industries. For example, in a small distributing enterprise, the small business system can be used to process applications that perform order entry, billing, accounts receivable, inventory control, sales analysis, payroll, general ledger, and accounts payable. To show the capability of the system, the data provided below was selected from the records of several “average” System/34 users in hard-goods.

                                                                  Range
                                                    Average     Low      High
Number of accounts receivable                         3,500   1,000    20,000
Inventory item master records                        15,000   1,000    40,000
Inventory item balance records
  (one record per item per warehouse)                18,000   1,000    80,000
Special or contract prices                            3,400   2,000    12,000
Invoices per day                                        200      80       900
Open orders (including backorders)                      800     400     4,000
Vendors                                                 300     150       500
General ledger accounts                                 300     200       400
Employees                                                25      10        60

There may be two members of the data processing staff in the System/34 environment, a programmer/operator and a data entry operator. The major function of the programmer/operator may be to operate the system and to perform maintenance on standard application packages. The data entry function may also be performed by users through work stations located in their areas. The individual with primary responsibility for the system typically may not have had previous EDP experience or training, and management may often rely on this individual to make the daily decisions related to data processing activities.
Personnel in the user department may not understand EDP concepts either. As a result, they rely on the vendor or the in-house programmer/operator for assistance in doing their jobs. The programmer/operator may not have an understanding of accounting and user needs, and this lack of communication may result in productivity and control problems.

Hardware Features of a Minicomputer System
The basic System/34 configuration consists of a processing unit (CPU), memory, Work Station Controller, disk storage, and printer. The processing unit, memory, disk storage, and diskette drive are contained in a single enclosure known as the system unit. Exhibit F (on page 34) is an illustration of a minicomputer configuration.

Processing Unit. The processing unit provides the logic function and control for memory, which ranges from 32K to 256K bytes. The data is represented internally as extended binary coded decimal interchange code (EBCDIC).
Whenever the system unit is turned on, the system performs a test of the hardware by a program known as the initial program load (IPL), which includes a sequence of steps that loads the system programs and prepares the system for the execution of jobs. When an application program is executed, the system continually verifies that the hardware and systems software are functioning. If an error is detected, the processing unit will alert the user and either issue a request for action or terminate processing. The error is then recorded on the diagnostic log (a reserved area on the disk), which stores information used for subsequent hardware maintenance. The power supply of the system unit can prematurely sense a reduction of voltage and retract the read/write heads automatically to prevent damage to data on the disk.

Work Station Controller. The Work Station Controller is commonly known as the input/output controller in this system. Up to 16 local devices (display stations or printers) are supported by the Work Station Controller in the system unit, and these devices may be located up to 1500 meters (5000 cable feet) from the system unit. Up to 64 additional devices can communicate with the system by means of telecommunications. The polling (interrogation) of local devices is performed by the Work Station Controller without CPU interference. Polling of remotely attached devices is accomplished through the binary synchronous communications adaptor and systems support programs.

The Work Station Controller contains logic that can be used to detect certain input errors based upon criteria established in the application programs. Editing that can be performed by the Work Station Controller includes tests for completeness of data, self-checking digit calculation, and alphanumeric validation. Other program editing may be performed by the CPU based upon the design of the application program. When an error is detected, further input through the CRT terminal may be inhibited until the condition is corrected.1

CRT terminals, called display or work stations, are the primary means through which users enter data, make inquiries, and issue system and control commands.

Display stations may be equipped with a keylock or a magnetic stripe badge reader to control access to the system. Because these are optional control features, the auditor should not assume they are installed.2
Three levels of capabilities may be assigned to a display station during system configuration:
• System console
• Command
• Transaction entry
Only one system console display station is active at any given time. Other local display stations can be identified as alternates, but only one becomes active if the system console malfunctions or is turned off. The system console can perform any function (if the appropriate ID and password are inserted), and its uses should be restricted.
A command display station can access menus (the list of functions available to the operator) and initiate programs and procedures based on the user ID and password. However, a command display station cannot perform system functions, such as library manipulations or system configuration changes.
A transaction entry display station can be used only to enter transaction data. It has no command capability or program and procedure initiation capability. At sign-on time,

1 See “Lack of Segregation of Functions Between the EDP Department and Users” and “Terminals” in this guideline.
2 See “Location of the Computer” in this guideline.

a transaction entry display station is not available for transaction entry until another display station with command capability or instructions in an application program authorizes the transaction entry station to enter data.3
Designation of a work station as a transaction entry display station, along with other security features, can limit entry of specific transactions to designated terminals. For example, a transaction entry display station in an isolated location, such as a warehouse, could be restricted to the entry of only warehouse-related transactions.

Disk Storage. The system unit contains a fixed direct access storage device with a capacity from 8.6 to 257.4 million bytes. Since the disk is not removable, it will be necessary for the user to implement backup procedures, such as copying programs or data files on diskettes and storing them in a secure location, in order to prevent loss of programs and data.

Diskette Drive. A diskette drive is a standard feature of the system unit used both as an alternate means of data input and as a means for writing information on diskette for off-line storage.

Backup of files is performed by diskette since the disk is nonremovable. Adequate backup procedures should exist to allow recovery in the event that the data stored on the disk becomes unusable. Recovery normally becomes necessary as a consequence of errors or loss of data files or programs.4

Software Features of a Minicomputer System


System software consists of a manufacturer-
provided group of programs that control all The system software is provided by the
processing by the computer. System software vendor on diskettes which normally are re­
also includes programs to facilitate functions tained by the user. Because these diskettes
such as sorting data, copying information from can be used to circumvent essentially all
one media to another, and converting pro­ controls provided by system software, ac­
grams into machine-executable form. Available cess to them should be controlled. The audi­
system software for the System/34 includes tor should be aware that diskettes containing
system software are readily available.
• System support programs
■ Job and main storage management
■ Operation control language
System Support Programs. There are a num­
ber of system support programs available for
■ System history area
use with the System/34. Several of these sup­
■ Multiple user library support
port programs are described below.
■ Security
J o b a n d M a in S to ra g e M a n a g e m e n t. The
■ Interactive communication feature
■ Backup System/34 can operate in a single or multi-pro­
gramming mode. In the multi-programming
• Utilities mode, multiple programs are executed concur­
■ Data file utility rently under the control of the system support
■ Sort utility program task dispatcher. If a program is re­
■ Source entry utility quested for execution but sufficient storage is
■ Screen design aid not available, the system support program will
■ Work station utility swap one or more programs out of memory
■ Patch procedure and insert the requested program into memory
• Compilers and linkage editor for execution.

3See “Terminals” in this guideline.


4See “ Diskettes” in this guideline.

18
Print spooling is supported by the system support program in either single or multiple mode. Spooling is the process of recording output on disk that is, in turn, printed independently of application program processing. The system operator can start, stop, restart, cancel, hold, release, display, and change the priority of jobs in the print spool.

Resource security to control access to spool files is not available. An operator cannot directly change the contents of a spool file. For the jobs they control, operators can only copy the spool file onto a data file. However, any changes made to this data file cannot be transferred back onto the spool file; therefore, compensating controls should be developed to prevent unauthorized access to information on spool files.

Operation Control Language. The operation control language (OCL) provides the major communication between the user and the system. The OCL statements provide the system support programs with all the information required to execute jobs, such as the names and locations of files to be processed and the programs to be executed.

OCL procedures, which are stored in libraries on disk, are groups of OCL statements defined by the user and executed by commands entered through the keyboard. The system support program provides the user with a set of pre-existing procedures that allows the operator to allocate files, rename files, copy files, build display formats, build job menus, condense a program library, and perform library maintenance. Certain commands can be entered from the system console, some can be entered only from display stations (including the system console when it is being used as a display station), and others can be entered from either the system console or a display station.

OCL commands permit users to request a broad range of functions from the system. Controls should exist to prevent unauthorized changes in system programs and data, and access controls should be maintained at the library and file level. OCL procedures can provide a control over the sequence and nature of application program processing.5

System History Area. A history area that contains all executed OCL statements and messages is available on disk. This information may be retrieved, displayed, printed, or copied onto diskette for later access. Individual display station operators can only display or print entries created from their display stations. Entries in the history area are stamped to indicate the time of the entries and are labeled by the job identification generated by the system support program to assist in determining the sequence of activity in the system.

The system history area contains a record of all attempts to use an invalid password and of all system halts and the operator responses to these halts. This information can be used by management to monitor and control the use of the system.6 History logs may be examined to reconstruct the complete sequence of events during a given period. This procedure could be useful in determining whether the user is complying with prescribed operating procedures.

When the disk file space reserved for the history area is full, it will begin to write over itself (wraparound), which will result in a loss of history information. The user can prevent wraparound by specifying a halt at system configuration time, which will allow the printing of the contents of the history log. Through the system console, the user can delete the contents in the history area without leaving a record of the deletion. Therefore, procedures should be developed to prevent unauthorized deletion.

Multiple User Library Support. Library structures within the system provide for multiple user libraries. This feature can be used to establish program test libraries to provide control over the integrity of programs in the production library.7

Security. Three types of access controls are available:

• Operator ID and password
• Menu
• Resource

These security features are optional and are established during system configuration. Once the system has been configured to provide security support, the supports cannot be changed so long as the password and resource files exist. The master security officer is the only authorized individual who can execute the utility programs that save, restore, or delete the security files.

Operator ID and password—Each operator who signs on to a display station is prompted for an identifier (ID), and optionally a password, which is verified by the system support program before the operator is allowed further access to the system.

An operator is allowed to make an unlimited number of attempts to sign on the system. The attempts are recorded on the system history area, which can provide management with the information necessary to monitor unauthorized access attempts.

Passwords are stored in the password security file that contains a profile for each person who is authorized to use the system. Each profile contains a user ID and the 4-character password assigned to the user. The password is not displayed on the screen when entered but is encrypted in the password security disk file. The password security file contains codes that identify the classifications of users. The list below describes the classification and function for each person authorized to use the system.

• Master security officer (MSO). Assigned during the initial definition of password security. The MSO can define password and magnetic stripe badge security; add, delete, or edit profiles of security officers, system operators, and display station operators; change its own password and badge ID; and act as a system operator or display station operator.
• Security officer. Assigned by the master security officer. A security officer can add, delete, or edit profiles of system operators and display station operators; change its own password and badge ID; and act as a system operator or display station operator.
• System operator. Assigned by the master security officer or by a security officer. A system operator can operate any display station, including the display station designated as the system console; however, a system operator cannot run the security utility programs.
• Display station operator. Assigned by the master security officer or by a security officer. A display station operator can operate any display station except the display station designated as the system console; however, a display station operator cannot run the security utility programs.

Password security is an effective control only if display stations are signed off when unattended.

Menu—Transactions that are available for execution are identified in a menu display.

A security officer assigns menu restriction based on user ID. When a specific user signs on, the authorized menu will automatically appear. The operator may be restricted to executing only those functions established in the menu. Menu security is effective only when password controls are maintained.

Resource—Resource security can be used to prevent access to files and libraries if password security is active. The resource security file contains a record for each protected file and library, the user IDs of the authorized users of the file or library, and an access code that identifies the user category. Security violations are logged to the system console and recorded in the system history area. Resource security is an effective control only if work stations are signed off when unattended.

The level of authority a user has over a file or library can be limited to any of the following access codes.

• Owner. Can grant file access to others; rename the file or library; read, display, and change information in the file or library; or delete the file or library. The owner of a file or library can be any operator who is authorized to sign on to the system.
• Change. Can read, display, delete, or change the contents of the file or library.
• Read. Can read or display the information in the file or library but cannot change its contents.
• Execute. (Applies to libraries only.) Can only execute library contents.

Listed below are some questions that relate to the effectiveness of system software access controls.

• Has security been established during system configuration?
• Is a master security officer and an alternate (in case of sickness or accident) assigned? Who are the security officers?
• Are IDs and passwords changed frequently?
• Are authorized users maintaining the secrecy of their IDs and passwords?
• Are programmers restricted from access to all data files?
• Are system operators and display station operators restricted from changing the contents of all libraries?
• Is the menu restriction applied properly, or do display station operators have command capability?
• Who has access to the system support program and utilities?
• Are work stations left unattended while signed on? (Users should be required to use the off command when leaving a work station.)
• Are the system support program diskettes and their backup copies in a secure place? Who has access to them?
• Are the backup diskettes containing the password and resource security files in a safe place? Who has access to them?
• Are terminated employees immediately deleted from the security system?

Interactive Communication Feature. Interactive communication feature is an optional component of the system support program that allows users on remote System/34s to interact with the application programs and the data bases of other intelligent devices. In addition, application programs in another system can activate programs on the remote System/34s. This guideline does not address the distributed processing environment.

Backup. Backup procedures protect against the loss of data files and programs.

The two commands for backup are save and restore. The save command transfers disk files to diskettes in a condensed format readable only by the System/34 restore command. (There are other system commands that will copy files onto diskettes in a standard interchange format.) If files are copied in the standard interchange format, they can be manipulated through the use of data entry devices.8

Whenever the save command is invoked, a retention date is recorded on the diskette. The insertion of all 9s in the date field makes the diskette file permanent so that a warning is given if an attempt is made to delete the file.

Utilities. Utilities are computer programs written and provided by the hardware manufacturer that enable the user of the system to perform a variety of functions. The following utilities are provided on the System/34: data file utility, sort utility, source entry utility, screen design aid, work station utility, and patch procedure.

Data File Utility. A data file utility (DFU) is a utility program that provides the user with the ability to create, maintain, display, query, and print data files.9 The four distinct functions of a DFU are the

• Enter function. Used to create indexed or direct access files.
• Update function. Used to maintain and add to existing indexed or direct files and to maintain existing records in sequential files.
• Inquiry function. Used to locate and display a specific record in indexed, sequential, or direct files.
• List function. Used to print sorted or unsorted reports.

A DFU can select detail records from related master files. It can also select records based on a field value of EQ (equal to), NE (not equal to), GT (greater than), LT (less than), GE (greater than or equal to), or LE (less than or equal to) a predefined value. Up to ten accumulator fields, five control breaks (group totals), and twenty-four result fields are available.

A DFU can be used by the auditor to achieve limited but very useful audit procedures, such as footing a file, comparing the content of two files, or testing the accuracy of data. The section of the appendix entitled “Using DFU as an Audit Tool” shows how a DFU can be used as a computer-assisted audit technique.

The existence of a DFU may result in weaknesses in internal control. A DFU is easy to use since it does not require programming skills and allows the user to add, change, or delete records in a file without leaving an audit trail. Here are some techniques for preventing the unauthorized use of a DFU.10

• Create a separate library for the DFU and restrict access to the library through resource security.
• Remove the enter and update modules from the system. Changes to files should occur through application programs only.

Sort Utility. The sort program provides selection and sorting capability based on record codes or field contents. The input needed to process a sort program includes the OCL statements, sort fields, sequence (ascending or descending), and the input file name to be sorted. The output is the sorted file. The sort program has an option to print messages on the printer or on the display screen. These messages are issued during the generation phase of the sort program and include

• The number of records in the input file.
• The number of records in the sorted output file.

These totals may be used as run-to-run controls over the processing of data.11

Source Entry Utility. A source entry utility (SEU) can be used to create and maintain OCL procedures, RPG II, BASIC, COBOL, FORTRAN IV, and assembler source statements; it can also be used to sort statements and work station utility statements. An SEU allows the user to enter and update in free-form statements that do not have a constant or rigid format, such as source code comments.12 Some of the features of an SEU include provision for on-line developing and changing of programs and OCL procedures, interactive syntax checking and developing, and modifying of display station edit routines.

This utility is generally used by programmers to create and maintain programs. If the use of an SEU is not controlled, the integrity of production programs may be impaired. Listed below are some techniques to control the use of an SEU.13

• Provide password and resource security over production programs and OCL procedure library and data files.
• Remove source programs from the system except when they are needed for modification.
• Use program test libraries for program development.
• Remove the SEU from the system except when needed to perform authorized functions.
• Maintain object programs in libraries separate from source programs.
• Create a separate library for the SEU and restrict access to that library through resource security.

An SEU could be used by the auditor to review source code logic and OCL procedures.14 A function of the SEU that could be helpful to the auditor is the scan feature, which allows the user to scan programs or procedures for a specific string of characters, such as a field name. The system will display all source statements containing the specified string of characters so the instructions that affect key data fields can be identified and reviewed.

Screen Design Aid. Screen design aids provide an interactive approach to designing, creating, displaying, and maintaining screen formats. One of the primary uses of a screen design aid is to develop menus.15

Work Station Utility. A work station utility provides features such as self-checking digits, alpha-numeric edit, and completeness of data checks to incorporate controls in the data entry programs.16

Patch Procedure. This procedure displays selected disk or diskette sectors and allows the user to modify the data in those sectors. The user can modify disk or diskette information by replacing data displayed on the display screen with the new data. The patch procedure can be executed only from the system console.

The patch procedure is not restricted by resource security. The existence of a patch may result in weaknesses in internal control because its use leaves no evidence.17 However, there are techniques for preventing the unauthorized use of a patch:

• Remove the patch program from the system.
• Establish the patch procedure in a separate library and restrict accesses through resource security.

Compilers and Linkage Editor. Compilers are programs provided by the manufacturer which are used to convert source language statements into machine-executable form. Before they can be executed, the compiled programs must be assigned relative memory addresses by a program known as the overlay linkage editor.

Because compilers and the linkage editor can be used to make unauthorized modifications to production programs, access to compilers and linkage editors should be controlled.18 To control access

• Remove the compilers and linkage editor from the system and store in a secure location.
• Use password and resource security over libraries.
• Restrict access to programs and system documentation.

5 See “Lack of Segregation of Functions Between the EDP Department and Users” and “Terminals” in this guideline.
6 See “Lack of Segregation of Functions Between the EDP Department and Users,” “Location of the Computer,” and “Lack of Segregation of Functions Within the EDP Department” in this guideline.
7 See “Lack of Segregation of Functions Within the EDP Department” and “Utility Programs” in this guideline.
8 See “Lack of Segregation of Functions Between the EDP Department and Users” in this guideline.
9 See “Lack of Segregation of Functions Between the EDP Department and Users” in this guideline.
10 See “Utility Programs” in this guideline.
11 See “Lack of Segregation of Functions Between the EDP Department and Users,” “Lack of Segregation of Functions Within the EDP Department,” and “Utility Programs” in this guideline.
12 See “Documentation” in this guideline.
13 See “Lack of Segregation of Functions Within the EDP Department” in this guideline.
14 See “Documentation” in this guideline.
15 See “Documentation” in this guideline.
16 See “Lack of Segregation of Functions Between the EDP Department and Users” in this guideline.
17 See “Lack of Segregation of Functions Between the EDP Department and Users” and “Lack of Segregation of Functions Within the EDP Department” in this guideline.
18 See “Lack of Segregation of Functions Within the EDP Department” in this guideline.

Using a DFU as an Audit Tool

To illustrate the use of a data file utility (DFU) as a computer-assisted audit technique, this section presents an audit environment, the sample audit objectives, and the approaches using DFU specifications that are required to accomplish these objectives. The following information is required to use a DFU as an audit tool:

• The files on which the audit tests are to be performed. These files must be on line at the time the DFU is used and must be referenced by file name.
• The RPG II input source specifications for all fields to be used in the DFU application. If these do not exist in the source program library, they may be created through the source entry utility (SEU).
• The name of the library in which the source specifications are stored.

Audit Environment. The company is a retail electric supplier which uses a System/34 to process perpetual inventory. The inventory consists of a large volume of low-value items. The contents of the inventory file are described in exhibit A on page 25.

The inventory audit procedures in the past were performed manually and included the following steps:

1. Footing the computer-generated inventory status report (approximately 9,000 items).
2. Testing extensions on the inventory status report.
3. Selecting items for test counts and price tests.
4. Completing test counts and price tests, comparing data with the inventory status report, and documenting results.

Audit Procedure One. Extend and foot the inventory file and generate a summary report in class sequence showing total cost.

DFU Approach. Use the list, sort, accumulate, and arithmetic facilities of the DFU. Exhibit B (on pages 26-30) shows the display screens used to define the DFU specifications. The report generated appears in exhibit C on page 31.

Audit Procedure Two. Select and print all items having an average cost per item greater than $1.00 or a quantity on hand greater than 5,000.

DFU Approach. Use the list, sort, accumulate, and select facilities of the DFU. The report generated appears in exhibit D on page 32.

Audit Procedure Three. Print a report identifying differences between current costs contained on the inventory master file and current costs documented on recent invoices.

DFU Approach. Use all features of the DFU. The data entry feature is used to create a file containing costs, as taken from invoices. The master file feature is used to compare the costs on both files. Exhibit E (on page 33) shows the report that results.

Based upon the availability of information contained in the inventory master file, these audit procedures could be performed using the DFU.

Creation of a DFU Application. The user must identify the DFU functions to be used. For example, the user would key in “List” on the display station, and the system would provide all the necessary screens for generating a DFU application. The display screens for audit procedure one are presented on pages 26-30. Input required from the user is highlighted in a box. At the end of the screen displays, a sample report is presented. For the purposes of this document, a small sample of the total inventory file is used, and sample reports are presented for audit procedures two and three.
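The sign-on, resource security and history-area behaviour described in the Security and System History Area subsections above, as an added Python model that is not part of the original guideline or the vendor's software: invalid passwords and security violations are written to a history area that either wraps or halts when full, and a management review of that area stands in for the sign-on attempt limit the system lacks. All user IDs, passwords, station names and file names are constructed sample values.

```python
"""Model of the System/34 controls described in the Security and System
History Area subsections.  Constructed example, not the vendor's code; the
user IDs, passwords, station names and file names are sample values."""
from collections import Counter

# Operations each resource security access code permits (from the text).
PERMITTED = {
    "OWNER": {"grant", "rename", "read", "display", "change", "delete"},
    "CHANGE": {"read", "display", "change", "delete"},
    "READ": {"read", "display"},
    "EXECUTE": {"execute"},          # libraries only
}


class HistoryArea:
    """Fixed number of entry slots; when full, either halt (so the log can
    be printed first) or wrap around, overwriting the oldest entry."""

    def __init__(self, capacity, halt_when_full=False):
        self.capacity, self.halt_when_full = capacity, halt_when_full
        self.entries, self.lost, self.halted, self.seq = [], 0, False, 0

    def log(self, station, text):
        if len(self.entries) >= self.capacity:
            if self.halt_when_full:
                self.halted = True       # operator must print and clear
                return False
            self.entries.pop(0)          # wraparound: evidence is lost
            self.lost += 1
        self.seq += 1                    # stands in for the time stamp
        self.entries.append((self.seq, station, text))
        return True


class System34:
    def __init__(self, history):
        self.history = history
        self.profiles = {}     # user ID -> 4-character password
        self.resources = {}    # (resource, user ID) -> access code
        self.signed_on = {}    # station -> user ID

    def sign_on(self, station, user_id, password):
        if self.profiles.get(user_id) != password:
            # Attempts are unlimited; each failure is only recorded.
            self.history.log(station, f"INVALID PASSWORD user={user_id}")
            return False
        self.signed_on[station] = user_id
        self.history.log(station, f"SIGN-ON user={user_id}")
        return True

    def access(self, station, resource, operation):
        user_id = self.signed_on.get(station)
        code = self.resources.get((resource, user_id))
        if code is not None and operation in PERMITTED[code]:
            return True
        self.history.log(station, f"SECURITY VIOLATION user={user_id} "
                                  f"{operation} {resource}")
        return False


def invalid_password_attempts(history, threshold=3):
    """Management review of the history area (the compensating control for
    unlimited sign-on attempts): stations with `threshold` or more invalid
    password entries still on record."""
    counts = Counter(s for _, s, t in history.entries
                     if t.startswith("INVALID PASSWORD"))
    return {s: n for s, n in counts.items() if n >= threshold}


def demo(capacity=8, halt_when_full=False):
    """Replay a constructed sequence of events at two display stations."""
    s = System34(HistoryArea(capacity, halt_when_full))
    s.profiles.update({"MSO1": "A1B2", "OPR1": "X9Y8"})
    s.resources[("PAYROLL", "OPR1")] = "READ"
    s.resources[("PRODLIB", "OPR1")] = "EXECUTE"
    for guess in ("0000", "1234", "A1B3"):           # three wrong guesses
        s.sign_on("W2", "MSO1", guess)
    s.sign_on("W1", "OPR1", "X9Y8")
    return s, (s.access("W1", "PAYROLL", "read"),     # permitted
               s.access("W1", "PAYROLL", "change"),   # violation, logged
               s.access("W1", "PRODLIB", "execute"))  # permitted
```

Running demo() with a history area of four slots shows the wraparound problem the text warns about: one of the three invalid-password entries is overwritten and the review no longer reaches its threshold, while the halt option keeps all three at the cost of a stopped log.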
EXHIBIT A

EXHIBIT B

Input the name of the file, the name of the RPG II source member where the input specs are stored, and the library where they are stored. Specify if the file is to be sorted. Also, if this application is to be saved for future use, provide the necessary information.

Select the type of report to be generated. Specify the title and spacing required on the report.

EXHIBIT B (continued)

The RPG II input source specs from the source program specified on the first screen are shown. Select the record type to be processed.

Select the fields to be presented on the report in the order they are to be presented. Define the heading name if different from the field name and specify if the field is to be accumulated.

EXHIBIT B (continued)

A plus under “Field” indicates a result field and will cause the next screen to be shown.

Describe the result field. In this example, the result is 9 digits in length with 2 decimal places. The result is quantity on hand times average cost.

EXHIBIT B (continued)

Since “Sort” was selected on the first screen, define how the file is to be sorted. In this example, the file is sorted by item number within class.

On the data field specification screen (see p. 28), the result field—“Total Cost”—is to be accumulated. Specify here if interim totals are presented. In this example, present totals after each class.

EXHIBIT B (continued)

Select specific records for processing. In this example, process all records in the file.

Final screen displaying all DFU specifications defined on previous screens.

EXHIBIT C

EXHIBIT D

EXHIBIT E

EXHIBIT F
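The three audit procedures of the appendix, carried out in Python as an added example rather than DFU output or code from the guideline: INVENTORY stands in for the inventory master file and INVOICE_COSTS for the file keyed from invoices, both constructed sample data rather than exhibit A's layout, and the Total Cost result field keeps exhibit B's definition (quantity on hand times average cost, 9 digits with 2 decimals).

```python
"""The three DFU audit procedures described above, as a constructed Python
example.  INVENTORY stands in for the inventory master file and
INVOICE_COSTS for the file keyed from invoices; both are sample data, not
exhibit A's layout or the exhibit C, D and E reports."""
from decimal import Decimal, ROUND_HALF_UP

# Constructed master records: (class, item number, quantity on hand,
# average cost), deliberately unsorted like a file read from disk.
INVENTORY = [
    ("20", "2045", 120, Decimal("3.15")),
    ("10", "1010", 6200, Decimal("0.12")),
    ("10", "1003", 450, Decimal("0.85")),
    ("20", "2001", 5400, Decimal("1.40")),
    ("10", "1007", 30, Decimal("12.50")),
    ("30", "3002", 900, Decimal("0.40")),
]
# Constructed current costs taken from recent invoices (item -> cost).
INVOICE_COSTS = {"1003": Decimal("0.85"), "2001": Decimal("1.55"),
                 "1007": Decimal("12.50"), "3002": Decimal("0.38")}
CENTS = Decimal("0.01")


def by_item_within_class(record):
    """Sort key matching exhibit B: item number within class."""
    return record[0], record[1]


def extend(record):
    """Result field Total Cost = quantity on hand x average cost, held as
    9 digits with 2 decimals (exhibit B); larger values would not fit."""
    _, _, qty, cost = record
    total = (qty * cost).quantize(CENTS, rounding=ROUND_HALF_UP)
    if total >= Decimal("10000000.00"):
        raise OverflowError("Total Cost exceeds the 9-digit result field")
    return total


def procedure_one(records):
    """Extend and foot the file with a control break (total) after each
    class; returns {class: total} in class sequence and the grand total."""
    class_totals = {}
    for rec in sorted(records, key=by_item_within_class):
        class_totals[rec[0]] = class_totals.get(rec[0], Decimal(0)) + extend(rec)
    return class_totals, sum(class_totals.values(), Decimal(0))


def procedure_two(records, cost_gt=Decimal("1.00"), qty_gt=5000):
    """Select items whose average cost is GT $1.00 or whose quantity on
    hand is GT 5,000 (the DFU record selection operators)."""
    return [rec for rec in sorted(records, key=by_item_within_class)
            if rec[3] > cost_gt or rec[2] > qty_gt]


def procedure_three(records, invoice_costs):
    """Compare master file cost with the invoice cost file and report only
    the items whose costs differ, with the difference."""
    differences = []
    for cls, item, qty, cost in sorted(records, key=by_item_within_class):
        invoiced = invoice_costs.get(item)
        if invoiced is not None and invoiced != cost:
            differences.append((item, cost, invoiced, invoiced - cost))
    return differences
```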
