Page 1 of 7 EDP / IT CONTROL PART I

INTERNAL CONTROL OVER EDP / IT ACTIVITIES PART I: EDP / IT CONTROL
Adapted from “Principles of Auditing” by Meigs, Whittington, Pany, and Meigs

ORGANIZATIONAL CONTROLS AND COMPUTER-CENTERED FRAUD
The history of computer-centered fraud shows that the persons responsible for frauds in many situations set up the system and control its use as programmer and operator. The number of personnel and the organizational structure will of course determine the extent to which segregation of duties is possible. As a minimum, the function of programming should be separated from the functions controlling input to the computer programs, and the function of the computer operator should be segregated from functions requiring detailed knowledge or custody of the computer programs. If one person is permitted to perform duties in several of these functions, internal control is weakened, and the opportunity exists for fraudulent data to be inserted in the system.

The rapid growth of electronic data processing (EDP) for business use is having a greater impact on public accounting than perhaps any other event in the history of the profession. No longer is the challenge of auditing EDP activities limited to a few large clients. With the advent of inexpensive minicomputer systems and PC networks, even the smallest audit clients are likely to use a computer for many accounting functions. Thus, auditors must be prepared to work in an ever-changing environment in which the client's accounting records are maintained on anything from a personal computer to a multimillion dollar mainframe system.

REAL LIFE CASE #1: A bank programmer wrote a program for identifying and listing all overdrawn accounts. Later, as operator of the bank's computer, he was able to insert a "patch" in the program to cause the computer to ignore overdrafts in his own account. The programmer-operator was then able to overdraw his account at will, without the overdraft coming to management's attention. The fraud was not discovered until the computer broke down and the listing of overdrawn accounts had to be prepared manually.

Although the computer has created some challenging problems for professional accountants, it has also broadened their horizons and expanded the range and value of the services they offer. The computer is more than a tool for performing routine accounting tasks with unprecedented speed and accuracy. It makes possible the development of information that could not have been gathered in the past because of time and cost limitations. When a client maintains accounting records with a complex and sophisticated EDP system, auditors often find it helpful, and even necessary, to utilize

the computer in performing many auditing procedures. Independent auditors will find additional familiarity with the computer, including technical skills such as programming, to be of ever-increasing value in the work of the accounting profession. This section will consider some of the most significant ways in which auditing work is being affected by EDP, but it cannot impart extensive knowledge of technical computer skills.

Nature of an electronic data processing system

Before considering the impact of electronic data processing systems on the work of the independent certified public accountant, some understanding of the nature of a computer and its capabilities is needed. A business EDP system usually consists of a digital computer and peripheral equipment, known as hardware, and equally essential software, consisting of various programs and routines for operating a computer.

Hardware

The principal hardware component of a digital computer is the central processing unit (CPU). The CPU consists of a control unit, which processes a program of instructions for manipulating data; a storage unit for storing the program of instructions and the data to be manipulated; and an arithmetic unit capable of addition, subtraction, multiplication, division, sequencing, and comparison of data at speeds measured in microseconds, nanoseconds, or even picoseconds.

Digital computer circuitry has two states in that any given circuit may be "on" or "off." By using an internal code, or machine language, capable of representing with two symbols any kind of data, all data may be expressed internally by the computer by a combination of on and off circuits. An example of a machine language is the binary number system.

Peripheral to the central processing unit are devices for recording input and devices for auxiliary storage, output, and communications. A first step in electronic data processing is to convert the data to machine-sensible form. This is the role of recording and input devices, such as card readers, optical scanners, electronic cash registers, and intelligent terminals. Each of these devices either records data in some medium for later reading into the storage unit or communicates data direct to the CPU. Peripheral devices in direct communication with the CPU are said to be online, in contrast to offline equipment not in direct communication with the CPU.

Secondary storage devices are utilized to augment the capacity of the storage unit of the CPU. Examples of secondary storage devices are magnetic tape, magnetic drums, and magnetic disk packs. Data on magnetic tapes must be stored sequentially and is retrieved by a systematic search. Magnetic drums and disk packs have the advantage of direct access, which allows for faster location and retrieval of data. Machines must also be used to translate the output of the computer back into a recognizable code or language. Output equipment includes printers and display terminals.

Software

Computer systems use two major types of software: system software and application software. System software consists of programs that control and coordinate hardware components and provide other support to application software. The system software known as the operating system is important to the control of computer operations because it may be programmed to control access to programs and stored data and to maintain a log of all system activities. Important components of system software are utility programs for recurring tasks of data processing, such as sorting and merging of data.

Programs designed to perform a specific data processing task, such as payroll processing, are known as application software. Early application programs were laboriously written in machine language, but today, programming languages such as COBOL (common business-oriented language) are much like English. Programming in COBOL and other source languages is made possible by another element of software, the compiler, which is a computer program utilized in translating a source-language program into machine language. The machine-language version of a program is called an object program.

Internal control over EDP activities

Auditors have the same responsibility in an EDP system as in a manual accounting system, which is to satisfy themselves that the financial statements produced reflect the interpretation and processing of transactions in conformity with generally accepted accounting principles. Good internal control in a manual accounting system stressed the need for a proper division of duties among employees. In such a system, no one employee has complete responsibility for a transaction, and the work of one person is verified by the work of another handling other aspects of the same transaction. The division of duties gives assurance of accuracy in records and reports and protects the company against loss from fraud or carelessness.

When a company converts to an EDP system, the work formerly divided among many people is performed by the computer. Consolidation of activities and integration of functions are to be expected, since the computer can conveniently handle many related aspects of a transaction. For example, when payroll is handled by a computer, it is possible to carry out a variety of related tasks with only a single use of the master records. These tasks could include the maintenance of personnel files with information on seniority, rate of pay, insurance, and the like; a portion of the timekeeping function; distribution of labor costs; and preparation of payroll checks and payroll records.

Despite the integration of several functions in an EDP system, the importance of internal control is not in the least diminished. The essential factors described in Chapter 5 for satisfactory internal control in a large-scale organization are still relevant. Separation of duties and clearly defined responsibilities continue to be key ingredients despite the change in organization of activities. These traditional control concepts are augmented, however, by controls written into the computer programs and controls built into the computer hardware.

In some ways, computer systems enhance the reliability of financial information. Computers process transactions uniformly and eliminate the human errors that may occur in a manual system. On the other hand, computer hardware precision does not assure that computer output will be reliable. For example, defects in hardware or programs can result in a computer processing all transactions incorrectly. Also, errors or irregularities that do occur in computer processing may not be detected by the client's personnel because few people are involved with data processing.

In auditing literature, internal controls over EDP activities often are classified as either general controls or application controls. General controls relate to all EDP applications and include such considerations as: (a) the organization of the EDP department, (b) procedures for documenting, testing, and approving the original system and any subsequent changes, (c) controls built into the hardware (equipment controls), and (d) security for files and equipment. Application controls, however, relate to specific accounting tasks performed by EDP. Controls of this nature include measures designed to assure the reliability of input, controls over processing, and controls over output.

Organizational controls in an electronic data processing system

Because of the ability of the computer to process data efficiently, there is a tendency to combine many data processing functions, such as the preparation of payrolls, in an EDP department. In a manual or mechanical system, these combinations of functions may be considered incompatible from a standpoint of achieving strong internal control. For example, the function of recording cash disbursements is incompatible with the responsibility for reconciling bank statements. Since one of these procedures serves as a check upon the other, assigning both functions to one employee would enable the employee to conceal his own errors. A properly programmed computer, on the other hand, has no tendency or motivation to conceal its errors. Thus, what appears to be an incompatible combination of functions may be combined in an EDP department without weakening internal control.

When apparently incompatible functions are combined in the EDP department, however, compensating controls are necessary to prevent improper human intervention with computer processing. For example, a computer program used to process accounts payable may be designed to approve a vendor's invoice for payment only when that invoice is supported by a purchase order and receiving report. An employee able to make unauthorized changes in that program could cause unsubstantiated payments to be made to specific vendors. A person with the opportunity to make unauthorized changes in computer programs or data files is in a position to exploit the concentration of data processing functions in the EDP department.

EDP programs and data files cannot be changed without the use of EDP equipment. With EDP equipment, however, they can be changed without leaving any visible evidence of the alteration. Therefore, the organization plan of an EDP department should prevent EDP personnel from having unauthorized access to EDP equipment, programs, or data files. This is accomplished by providing definite lines of authority and responsibility, segregation of functions, and clear definition of duties for each employee in the department. The organizational structure of a well-staffed EDP department, as illustrated below, should include the following separation of responsibilities:

Vice President Data Processing or Controller
Data Processing Manager
Systems Analysis
Programming
Computer Operations
Data Preparation

Program and File Library
Control Group

Data processing management

A manager should be appointed to supervise the operation of the data processing department. The data processing manager should report to an officer who does not authorize transactions for computer processing, perhaps to a vice president of data processing. To assure adequate control when EDP is a section within the accounting department, the controller should not have direct contact with computer operations.

Systems analysis

Systems analysts are responsible for designing the EDP system. After considering the objectives of the business and the data processing needs of the various departments using the computer output (user groups), they determine the goals of the system and the means of achieving these goals. Utilizing system flowcharts and detailed instructions, they outline the data processing system, including the data to be stored within the system and the hardware and software elements.

Programming

Guided by the specifications provided by the systems analysts, the programmers design program flowcharts for computer programs required by the system. They then code the required programs in computer language, generally making use of specialized programming languages, such as COBOL. They test the programs with test data composed of genuine or dummy records and transactions and perform the necessary debugging. Finally, the programmers prepare necessary documentation, such as the computer operator instructions.

Computer operations

The computer operators manipulate the computer in accordance with the instructions developed by the programmers. Even in the most sophisticated systems, the computer operators may have to intervene through the computer console during a run in order to correct an indicated error. The computer's operating system should be programmed to maintain a detailed log of all operator intervention. The separation of computer operations from programming is an important one from the standpoint of achieving internal control. An employee performing both functions would have an opportunity to make unauthorized changes in computer programs.

Data preparation

Personnel involved with this function prepare and verify input data for processing. A keypunch operation is a traditional example of a data preparation department. Keypunching is primarily associated with batch processing systems, in which a group (batch) of transactions is processed at one time. In an online, real-time system, data may be entered directly into the computer by user groups through remote terminals, and computer files are immediately updated to reflect the new data.

Program and file library

The purpose of the file library is to protect computer programs, master files, transaction (detail) tapes, and other records from loss, damage, and unauthorized use or alteration. The librarian maintains a formal checkout system for making records available to authorized users. In many systems, the library function is performed by the computer. Software, such as assemblers, compilers, and utility programs, is stored within the system, and computer operators use special code numbers or passwords to gain access to programs and files. The computer automatically maintains a log showing when these programs and files are used.

Control group

The control group of a data processing department reviews and tests all procedures, monitors computer processing, handles input and the reprocessing of errors detected by the computer, and reviews and distributes all computer output. This group also reviews the computer log of operator interventions and the library log of program usage. In smaller organizations, control group functions may be performed by the user groups.

Access to assets by EDP personnel

The combination of record keeping with access to assets seriously weakens internal control unless adequate compensating controls are present. Whenever the responsibilities for record keeping and custody of the related assets are combined, the opportunities for an employee to conceal the abstraction of assets are increased. Since EDP is basically a record-keeping function, it is desirable to limit the access of EDP personnel to assets. EDP personnel have direct access to cash if EDP performs the function of printing checks. EDP personnel also have indirect access to assets if, for example, EDP is used to generate shipping orders authorizing the release of inventory. It is difficult for compensating controls to eliminate entirely the risk that results from EDP personnel having access to assets. Auditors should therefore realize that the risk of computer-centered fraud is greatest in those areas in which EDP personnel have access to assets.

Since many applications are still handled by batch processing of transactions, one type of compensating control is the use of predetermined batch totals, such as document counts and totals of significant data fields, prepared in departments independent of EDP. For example, when EDP performs the function of printing checks, another department should be responsible for authorizing the preparation of the checks. The authorizing department should maintain a record of the total number and dollar amount of checks authorized. These independently prepared batch totals should then be compared with the computer output before the checks are released. If the EDP activity includes the preparation of signed checks, at least two qualified data processing personnel should be present whenever the computer facility is in use.

Besides adequate segregation of functions, the data processing organization plan should provide for rotation of assignments, mandatory vacations, and fidelity bonds for EDP employees. Careful screening procedures in the hiring of EDP personnel are also important in achieving strong internal control.

Management fraud

Organizational controls are reasonably effective in preventing an individual EDP employee from perpetrating a fraud, but they do not prevent fraud involving collusion. If employees or company officers conspire in an effort to commit fraud, internal controls that rely upon separation of duties can be rendered inoperative. Collusion of the magnitude existing at Equity Funding would render any system of internal control ineffective.

REAL LIFE CASE #2: Equity Funding Corporation of America went into bankruptcy after it was discovered that the company's financial statements had been grossly and fraudulently misleading for a period of years. A subsidiary of Equity Funding had been manufacturing bogus insurance policies on fictitious persons and then selling these policies to other insurance companies. When the fraud was discovered, Equity Funding's balance sheet included more than $120 million in fictitious assets, far exceeding the $75 million net income reported over the 13-year life of the company. The fictitious transactions had been carefully integrated into the company's computer-based accounting system, and a variety of fraudulent supporting documents had been prepared for the sole purpose of deceiving auditors and governmental regulatory agencies. Perhaps the most startling revelation of the Equity Funding scandal was that numerous officers and employees of the company had worked together for years to perpetrate and conceal the fraud. Although the scandal is often described as a computer-based fraud, it was not because of the use of computers that the company was able to deceive auditors and government investigators. Rather, the fraudulent activities were successfully concealed for a number of years because of the unprecedented willingness of a large number of company officers and employees to participate in the scheme. Upon disclosure of the activities, several members of top management were convicted of criminal charges.
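The batch-total compensating control described above (the authorizing department's independent count and dollar total compared with the check run before release, plus a hash total of a significant data field) as an added worked example; this is illustrative code, not from the adapted textbook, and the batch, check numbers, payee numbers and amounts are constructed:

```python
"""Batch-total reconciliation of a printed check run before release (constructed example)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BatchTotals:
    """Predetermined control totals kept by the authorizing department, independent of EDP."""
    document_count: int      # number of checks authorized
    dollar_total: Decimal    # sum of authorized check amounts
    payee_hash_total: int    # hash total: sum of payee numbers (meaningless as a sum, useful as a check)


def totals_of(checks):
    """Recompute the same three totals from the computer output (the printed check run)."""
    return BatchTotals(
        document_count=len(checks),
        dollar_total=sum((Decimal(c["amount"]) for c in checks), Decimal("0")),
        payee_hash_total=sum(c["payee_no"] for c in checks),
    )


def reconcile(authorized, printed):
    """Return a list of discrepancies; an empty list means the run agrees with the authorization."""
    actual = totals_of(printed)
    problems = []
    if actual.document_count != authorized.document_count:
        problems.append(f"document count {actual.document_count} != authorized {authorized.document_count}")
    if actual.dollar_total != authorized.dollar_total:
        problems.append(f"dollar total {actual.dollar_total} != authorized {authorized.dollar_total}")
    if actual.payee_hash_total != authorized.payee_hash_total:
        problems.append(f"payee hash total {actual.payee_hash_total} != authorized {authorized.payee_hash_total}")
    return problems


def release_allowed(authorized, printed):
    """Checks are released only when every independently prepared total agrees."""
    return not reconcile(authorized, printed)


# Constructed sample: the authorizing department's record for one batch of three checks.
AUTHORIZED = BatchTotals(document_count=3, dollar_total=Decimal("4650.00"),
                         payee_hash_total=1441 + 1502 + 1733)

# A check run that agrees with the authorization.
GOOD_RUN = [
    {"check_no": 5001, "payee_no": 1441, "amount": "1200.00"},
    {"check_no": 5002, "payee_no": 1502, "amount": "2450.00"},
    {"check_no": 5003, "payee_no": 1733, "amount": "1000.00"},
]
# An unauthorized extra check slipped into the run: caught by the count and the dollar total.
EXTRA_CHECK_RUN = GOOD_RUN + [{"check_no": 5004, "payee_no": 1900, "amount": "300.00"}]
# Same count and same dollar total, but one payee substituted: caught only by the hash total.
SWAPPED_PAYEE_RUN = [dict(GOOD_RUN[0]), dict(GOOD_RUN[1]),
                     {"check_no": 5003, "payee_no": 1900, "amount": "1000.00"}]

if __name__ == "__main__":
    for name, run in [("good", GOOD_RUN), ("extra check", EXTRA_CHECK_RUN), ("swapped payee", SWAPPED_PAYEE_RUN)]:
        print(name, "->", "release" if release_allowed(AUTHORIZED, run) else reconcile(AUTHORIZED, run))
```

The third run shows why a count and a dollar total alone are not enough: a payee substitution leaves both unchanged, and only the hash total of the significant field detects it.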