
Department of Accounting Education

Mabini Street, Tagum City


Davao del Norte
Telefax: (084) 655-9591, Local 116

Big Picture in Focus: ULOb. Explain the risk exposure and internal structure; know the
general controls and application controls and the management of the security of
information.

Metalanguage
The terms used for this specific unit learning outcome are already discussed and explained
in the essential knowledge section as part of the discussion. Hence, a separate
presentation would be redundant.

Essential Knowledge
To perform the aforesaid big picture (unit learning outcomes), you need to fully understand
the following essential knowledge laid down in the succeeding pages. Please note that you
are not limited to exclusively refer to these resources. Thus, you are expected to utilize other
books, research articles and other resources that are available in the university’s library e.g.
ebrary, search.proquest.com etc., and even online tutorial websites.

SYSTEMS CONTROLS AND SECURITY MEASURES IN AN ACCOUNTING INFORMATION SYSTEM

CONTROLS FOR COMPUTERIZED ACCOUNTING INFORMATION SYSTEM

CONTROLS
Refer to measures or techniques that prevent, detect, and/or correct conditions that may
lead to loss or damage to the business firm. Some of the reasons why computers can cause
control problems are:
1. Effects of errors may be magnified.
2. Inadequate separation of duties because of decreased manual involvement.
3. Audit trails may be undermined.
4. Human judgment is bypassed.
5. Changes to data and programs may be made by individuals lacking knowledge.
6. More individuals may have access to accounting data.

Computer controls can be classified as:

1. General controls
2. Application controls

GENERAL CONTROLS

General controls are measures that ensure that a company’s control environment is stable
and well managed. These controls provide reasonable assurance that the development of, and
changes to, computer programs are authorized, tested and approved prior to use.


1. Organizational or Personnel Controls

a) These involve separation of incompatible duties: at a minimum, segregate the programming,
operations, and library functions within the information systems department. One way to
separate key functions is as follows:

1. Systems analysis - The systems analyst analyzes the present user environment and
requirements and may (1) recommend specific changes, (2) recommend the purchase
of a new system, or (3) design a new information system.

2. Systems programming - The systems programmer is responsible for implementing and
debugging the software necessary for making the hardware work.

3. Applications programming - The applications programmer is responsible for
writing, testing and debugging the application programs to the specifications
provided by the systems analyst.

4. Database administration - In a database environment, a database administrator
(DBA) is responsible for maintaining the database and restricting access to the
database to authorized personnel.

5. Data preparation - Data may be prepared by user departments and input by key to
magnetic disk or magnetic tape.

6. Operations - The operator is responsible for the daily computer operations of both
hardware and software.

7. Data library - The librarian is responsible for custody of the removable media and
for the maintenance of program and system documentation.

8. Data control - The control group acts as liaison between users and the processing
center.

b) Companies may use separate computer accounts that are assigned to users on either a
group or individual basis. This will also involve the use of PASSWORDS and CALL-BACK
PROCEDURES to restrict access from remote terminals.
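One way to make the separation rule in a) mechanically checkable, as an added example that is not part of the course module: given the functions each person in the information systems department holds, report anyone holding two functions that should be segregated. The roster, the function names and the list of incompatible pairs are all constructed for the illustration (the pairs follow the module's "programming, operations and library must be segregated" rule plus the same principle applied to the other functions); a real policy would define its own pairs.

```python
"""Segregation-of-duties check over a constructed staff roster.

Added example, not from the course module. FUNCTIONS are the eight functions
the module lists; INCOMPATIBLE is an assumed policy built from the module's
minimum rule (segregate programming, operations and library) and extended on
the same principle to the remaining functions.
"""
from itertools import combinations

# The eight functions named in the module's organizational controls.
FUNCTIONS = {
    "systems_analysis", "systems_programming", "applications_programming",
    "database_administration", "data_preparation", "operations",
    "data_library", "data_control",
}

# Assumed incompatible pairs: nobody should both change a program and run it,
# both run jobs and keep custody of the media, or both prepare data and act as
# the control group that checks it.
INCOMPATIBLE = {
    frozenset(p) for p in [
        ("systems_programming", "operations"),
        ("applications_programming", "operations"),
        ("systems_programming", "data_library"),
        ("applications_programming", "data_library"),
        ("operations", "data_library"),
        ("applications_programming", "database_administration"),
        ("data_preparation", "data_control"),
    ]
}


def find_conflicts(assignments):
    """Return {person: [(func_a, func_b), ...]} for every incompatible pair held.

    assignments maps a person to the set of functions they hold. An unknown
    function name raises ValueError so a typo cannot silently pass the check.
    """
    conflicts = {}
    for person, funcs in assignments.items():
        unknown = set(funcs) - FUNCTIONS
        if unknown:
            raise ValueError(f"{person}: unknown functions {sorted(unknown)}")
        found = [
            tuple(sorted(pair))
            for pair in combinations(sorted(funcs), 2)
            if frozenset(pair) in INCOMPATIBLE
        ]
        if found:
            conflicts[person] = found
    return conflicts


# Constructed roster of fictional staff; three of them hold conflicting duties.
SAMPLE_ROSTER = {
    "ana": {"systems_analysis"},
    "ben": {"applications_programming", "operations"},   # writes programs and runs them
    "cris": {"operations"},
    "dana": {"data_library", "systems_programming"},     # keeps the media and changes software
    "eli": {"data_preparation", "data_control"},         # prepares data and checks it
}

if __name__ == "__main__":
    for person, pairs in find_conflicts(SAMPLE_ROSTER).items():
        for a, b in pairs:
            print(f"{person}: holds incompatible duties {a} and {b}")
```

Run periodically against the access-control system's actual role assignments rather than the org chart, since the module's point is that the control fails as soon as one account accumulates both duties, whatever the job title says.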

2. File Security / Software Controls

a) These will require:

1. Documentation of all programs (flowcharts), procedures and operating
investments.
2. Segregation of duties as to:
a. Systems design and operation
b. Testing of new systems and operations
3. Approval of new programs and changes to programs by management, users and
information systems personnel.
4. Library control of all master and transaction file conversions to prevent
unauthorized changes and to verify the accuracy of the results.
5. Back-up storage of software off-premises.

3. Hardware Controls

a) These involve controls built into the computers by the manufacturer which will detect
machine malfunction.
b) Among the most common types of built-in controls are:
1. Parity check.
2. Duplicate reading. Two read units to allow read-after-write and dual-read
capabilities.
3. Echo check. Involves transmitting the data received back to the source unit for
comparison with the original communication. In essence, a feedback loop.
4. Dual circuitry. Double wiring to provide backup capability.
5. Interlock. Device which prohibits more than one peripheral unit from
communicating with the CPU at the same time.
6. Boundary protection. Prohibits unauthorized entry (read or write) to storage
units.
7. File protection ring. A removable ring designed to prevent the erasure of
data on a magnetic tape file, which physically prohibits writing to the file when
the ring is missing.
8. Validity test. Verification that each input character is one of a permissible
set of characters.
c) The system should be examined periodically (often weekly) by a qualified service
technician.
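The parity check and the echo check above are done in circuitry, but their logic is simple enough to write out so that their detection limits become visible. This added example is not code from the course module: the record is constructed, and the point it demonstrates is that an even-parity bit catches any single-bit fault in a byte but not a two-bit fault, whereas an echo check compares whole bytes against the original and so still catches the two-bit fault.

```python
"""Parity and echo checks written out in software so their detection limits
are visible. Added example, not code from the course module; real hardware
does this in circuitry, and the record below is constructed.
"""


def parity_bit(byte):
    """Even parity: the extra bit makes the total number of 1 bits even."""
    return bin(byte).count("1") % 2


def encode_with_parity(data):
    """Store each byte together with its parity bit, as the hardware would."""
    return [(b, parity_bit(b)) for b in data]


def parity_errors(encoded):
    """Positions whose stored parity no longer matches the byte's bit count."""
    return [i for i, (b, p) in enumerate(encoded) if parity_bit(b) != p]


def flip_bits(byte, *positions):
    """Simulate a malfunction by inverting the given bit positions of one byte."""
    for pos in positions:
        byte ^= 1 << pos
    return byte


def echo_errors(sent, echoed):
    """Echo check: the receiver transmits what it got back to the source, which
    compares it with the original; a length mismatch counts as an error too."""
    n = max(len(sent), len(echoed))
    return [i for i in range(n)
            if i >= len(sent) or i >= len(echoed) or sent[i] != echoed[i]]


def corrupt(encoded, index, *positions):
    """Copy of encoded with bits flipped in one byte; the stored parity is untouched."""
    copy = list(encoded)
    byte, parity = copy[index]
    copy[index] = (flip_bits(byte, *positions), parity)
    return copy


# Constructed record as it would sit in memory with its parity bits.
RECORD = b"INV-2101 AMOUNT 1200.00"
ENCODED = encode_with_parity(RECORD)

if __name__ == "__main__":
    one_bit = corrupt(ENCODED, 4, 2)          # single-bit fault: parity catches it
    two_bit = corrupt(ENCODED, 4, 2, 5)       # double-bit fault: parity is blind
    print("single-bit fault, parity errors at:", parity_errors(one_bit))
    print("double-bit fault, parity errors at:", parity_errors(two_bit))
    # The echo check still sees the double-bit fault, because it compares
    # whole bytes against the original rather than counting bits.
    echoed = bytes(b for b, _ in two_bit)
    print("double-bit fault, echo errors at:  ", echo_errors(RECORD, echoed))
```

This is why the module lists several overlapping hardware controls rather than one: each has faults it cannot see, and the echo check costs a second transmission that parity does not.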

4. Controls over access to computer equipment and data files

a) These will include the following segregation controls:
1. Access to program documentation should be limited to those persons who
require it in the performance of their duties.
2. Access to data files and programs should be limited to those individuals
authorized to process data.
3. Access to computer hardware should be limited to authorized individuals such as
computer operators and their supervisors.

b) Physical access controls over the computer facility.
c) Use of a visitor entry log which documents those who have had access to the area.
d) Use of an identification code and a confidential password to control access to software.
e) Use of “call back”, a specialized form of user identification in which the user dials
the system, identifies himself/herself and is disconnected from the system, which then
calls the user back at the number on record for that user.
f) Use of “encryption”, where data is encoded when stored in computer files and/or when
transmitted from remote locations. Data encryption transforms plaintext messages into
unintelligible ciphertext using an encryption key.

5. Other data and procedural controls, including security and disaster controls (fault-
tolerant systems, backup, and contingency planning)

a) Physical security
1. Fireproof storage
2. Backup for the vital documents, files and programs

b) Contingency planning - which includes the development of a formal disaster recovery plan.
Hot site - a facility that is configured and ready to operate within a few hours.
Cold site - a facility that provides everything necessary to quickly install computer
equipment, but does not have the computers installed.

c) Insurance - should also be obtained to compensate the company for losses when they
occur.

APPLICATION CONTROLS
1) Input Controls
a) Attempt to ensure the validity, accuracy and completeness of the data entered into the
system.

Four Categories:


1. Data observation and recording. This involves visual review of source
documents. Examples are feedback mechanisms, dual observation, point-of-sale
(POS) devices and preprinted recording forms.

2. Data transcription. This involves key-encoding machine specification,
especially of the critical fields, and preparation of data for computerized
processing. An important feature of this control procedure is the use of
preformatted screens that use "masks".

3. Programmed (source program) edit checks. Basic types of checks include
routines for examining record fields. These include:

a. Control batch or proof totals. A field of numbers is totalled on the source
documents and the program totals the same field on the records processed
and compares the two totals (e.g., total cash disbursements on accounts
payable).

b. Completeness check. The program checks the input record for missing data
that should be part of the record.

c. Hash total. A control total that is meaningless in itself, other than for control
purposes, e.g., the sum of the invoice numbers in a batch of sales invoices, used to
determine if data have been lost.

d. Limit check. The program compares data with predetermined limits as a
reasonableness test (e.g., a calendar month cannot be numbered higher
than 12).

e. Logical (consistency) check. Data is compared with other data where
a relationship should exist (e.g., employee name and social security
number).

f. Self-checking digit. An extra digit is added to a number. The new digit
is computed from the other digits in the number. The program can then
check the input by recomputing and comparing the check digit (used for
account numbers).

g. Record count. A control total using a count of the records processed
during the various phases of operation of a program.

h. Sequence check. When source documents have a sequence, the
program checks the input in order to see if any items are omitted.

i. Validity check. Data is compared with the type of data to be included in
each field of input, e.g., only letters in a name field.

j. Reasonableness check. For example, it is not reasonable for certain
classes of employees to have very large gross pay.
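The ten edit checks in item 3 are easiest to understand when they are all run over one batch and each finding is traced back to the defect that caused it. The following is an added example, not code from the course module: the batch of cash disbursements, its header control totals (the count, peso total and invoice-number hash total a clerk would prepare from the source documents before keying), the vendor master used for the logical check and the per-class amount ceilings used for the reasonableness check are all constructed. The self-checking digit uses the Luhn mod-10 scheme, which is one common choice and is assumed here because the module does not name one.

```python
"""Programmed edit checks run over one constructed batch of cash disbursements.

Added example, not code from the course module. The batch, its header control
totals, the vendor reference table and the amount ceilings are constructed.
The self-checking digit uses the Luhn mod-10 scheme (assumed).
"""
import re

# Constructed batch header: totals prepared by hand from the source documents.
BATCH_HEADER = {"record_count": 5, "amount_total": 11650.00, "invoice_hash": 10515}

# Constructed vendor master: account number (with Luhn check digit) -> name.
VENDOR_NAMES = {"123455": "Acme Supply", "204719": "Bayan Paper", "880310": "Cebu Tools"}

REQUIRED = ("doc_no", "invoice_no", "vendor_account", "vendor_name",
            "month", "amount", "vendor_class")
# Assumed reasonableness ceilings per vendor class (constructed).
AMOUNT_LIMIT_BY_CLASS = {"office": 5000.00, "capital": 500000.00}

# Constructed keyed batch; each planted defect is noted so findings can be read back.
BATCH = [
    {"doc_no": 501, "invoice_no": 2101, "vendor_account": "123455", "vendor_name": "Acme Supply",
     "month": 3, "amount": 1200.00, "vendor_class": "office"},    # clean
    {"doc_no": 502, "invoice_no": 2102, "vendor_account": "204718", "vendor_name": "Bayan Paper",
     "month": 3, "amount": 950.00, "vendor_class": "office"},     # bad check digit
    {"doc_no": 503, "invoice_no": 2103, "vendor_account": "880310", "vendor_name": "Cebu Tools",
     "month": 13, "amount": 800.00, "vendor_class": "office"},    # month out of range
    # doc 504 was never keyed: the sequence check should notice
    {"doc_no": 505, "invoice_no": 2104, "vendor_account": "123455", "vendor_name": "Acme Supp1y",
     "month": 3, "amount": 2500.00, "vendor_class": "office"},    # digit in name; name/account mismatch
    {"doc_no": 506, "invoice_no": None, "vendor_account": "204719", "vendor_name": "Bayan Paper",
     "month": 3, "amount": 6200.00, "vendor_class": "office"},    # invoice missing; amount unreasonable
]


def luhn_valid(number):
    """Self-checking digit: recompute the Luhn mod-10 sum over all digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(batch, header):
    """Return (check, record_id, detail) findings; record_id is a doc_no or 'batch'."""
    findings = []
    # Record count and control totals against the batch header.
    if len(batch) != header["record_count"]:
        findings.append(("record_count", "batch", f"{len(batch)} keyed, header says {header['record_count']}"))
    amount_total = round(sum(r["amount"] or 0 for r in batch), 2)
    if amount_total != header["amount_total"]:
        findings.append(("batch_total", "batch", f"{amount_total} keyed, header says {header['amount_total']}"))
    invoice_hash = sum(r["invoice_no"] or 0 for r in batch)
    if invoice_hash != header["invoice_hash"]:
        findings.append(("hash_total", "batch", f"{invoice_hash} keyed, header says {header['invoice_hash']}"))
    # Sequence check over the document numbers.
    doc_nos = {r["doc_no"] for r in batch}
    for expected in range(min(doc_nos), max(doc_nos) + 1):
        if expected not in doc_nos:
            findings.append(("sequence", expected, "document number not in batch"))
    # Field-level checks on each record.
    for r in batch:
        doc = r["doc_no"]
        missing = [f for f in REQUIRED if r.get(f) is None]
        if missing:
            findings.append(("completeness", doc, f"missing {missing}"))
        if not re.fullmatch(r"[A-Za-z .'-]+", r["vendor_name"] or ""):
            findings.append(("validity", doc, "vendor name must contain letters only"))
        if not 1 <= r["month"] <= 12:
            findings.append(("limit", doc, f"month {r['month']} exceeds 12"))
        if not luhn_valid(r["vendor_account"]):
            findings.append(("check_digit", doc, f"account {r['vendor_account']} fails check digit"))
        elif r["vendor_account"] in VENDOR_NAMES and VENDOR_NAMES[r["vendor_account"]] != r["vendor_name"]:
            findings.append(("logical", doc, "vendor name does not match account"))
        limit = AMOUNT_LIMIT_BY_CLASS.get(r["vendor_class"])
        if limit is not None and r["amount"] > limit:
            findings.append(("reasonableness", doc, f"{r['amount']} exceeds {limit} for {r['vendor_class']}"))
    return findings


if __name__ == "__main__":
    for check, rec, detail in edit_checks(BATCH, BATCH_HEADER):
        print(f"{check:15} {rec!s:6} {detail}")
```

Note that the batch total and record count pass while the hash total fails: the missing invoice number on document 506 changes the hash of invoice numbers but not the peso total, which is exactly the gap the hash total exists to close.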


B. Control procedures that should be followed for input data are:

1) Systems specifications documenting all necessary steps in the preparation should be
written and used.
2) Serial controls should be logged.
3) Signature approvals should be received and accounted for.
4) Peso-value, unit or hash totals should be prepared for a batch or a processing period and
compared by the computer with the totals processed.
5) Data to be entered into the system should be verified.
6) An editing procedure should be followed whereby all input information is compared with
tables of valid codes.
7) Check digits should be used whenever possible.
8) All rejected items in the editing procedure should be listed with references and their
disposition accounted for.
9) Specific procedures should be established for delivery of data to the computer department.

2. Processing Controls
Included in the processing controls are:
a) File labels designed to avert accidental erasure of live data and to ensure that the
proper files are used.
• External labels can be read visually and are attached to the exterior of the
containers holding the files.
• Internal (header) labels are located as the first record at the beginning of a
file and are machine readable.

b) Trailer labels - program-generated control totals and predetermined controls
that are printed out on labels at the end of a processing run for verification.

c) Sequence tests are generally used to determine that files to be merged are
arranged in the same order, and to detect any numbers missing from batches of
sequentially numbered items.

d) Proof totals, generally used in batch-processing systems, are used to detect
whether data are lost. Principal types include:
• Monetary totals, such as the total sales pesos for a batch of sales invoices.
• Hash totals, such as the total of all invoice numbers in a batch of sales
invoices; the data summed would not normally be added together for any other purpose.
• Document or record counts, which are simply tallies of the number of items
included in a batch to be processed.

e) Cross-footing tests are used to check the interrelationships of various totals.
For example, in accounting the ledgers should balance.

f) Exception listings are used when data are rejected for processing.

g) Transmittal records should be logged so that the flow of data to be processed
can be controlled.


h) A record should be logged for each processing run showing the files used, time
consumed, machine halts, operator actions, and other relevant data.

i) Console messages should be written into the source program to alert the
operator to conditions that need attention.
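Items a), b), d) and e) above fit together in one processing run: the internal header label says whether the right file was mounted, the trailer label says whether every record survived the run, and cross-footing says whether the figures inside still agree with each other. The following is an added example, not code from the course module: the HDR/DTL/TRL line layout is an assumption chosen for the illustration, and both files are constructed. The second file has three planted faults (the previous period's file was mounted, one record was lost before the trailer was written, and one record was miskeyed so its columns no longer add to its row total) so that each check fires.

```python
"""Header label, trailer label and cross-footing checks on a constructed
transaction file. Added example, not code from the course module; the
HDR/DTL/TRL layout is an assumption and both files are constructed.
"""
from decimal import Decimal

# Constructed file for the March accounts-payable run. Each DTL line carries the
# document number, a cash column, a payables column and the row total; the TRL
# line carries the record count and grand total written at the end of the run.
GOOD_FILE = """\
HDR|AP_DISBURSE|2024-03
DTL|501|700.00|500.00|1200.00
DTL|502|950.00|0.00|950.00
DTL|503|300.00|500.00|800.00
TRL|3|2950.00
"""

# Constructed faulty file: the February file was mounted by mistake, document
# 502 was lost before the trailer was written, and document 503 was miskeyed so
# its columns no longer add to its row total.
BAD_FILE = """\
HDR|AP_DISBURSE|2024-02
DTL|501|700.00|500.00|1200.00
DTL|503|300.00|500.00|900.00
TRL|3|2950.00
"""


def parse_run(text):
    """Split a run file into its header label, detail records and trailer label."""
    header = trailer = None
    records = []
    for line in text.splitlines():
        parts = line.split("|")
        if parts[0] == "HDR":
            header = {"file": parts[1], "period": parts[2]}
        elif parts[0] == "DTL":
            records.append({"doc": int(parts[1]), "cash": Decimal(parts[2]),
                            "payables": Decimal(parts[3]), "total": Decimal(parts[4])})
        elif parts[0] == "TRL":
            trailer = {"count": int(parts[1]), "total": Decimal(parts[2])}
    if header is None or trailer is None:
        raise ValueError("run file lacks a header or trailer label")
    return header, records, trailer


def verify_run(text, expected_file, expected_period):
    """Return a list of (check, detail) findings; an empty list means the run passes."""
    header, records, trailer = parse_run(text)
    findings = []
    # Internal header label: is this the file and period the run expects?
    if (header["file"], header["period"]) != (expected_file, expected_period):
        findings.append(("header_label", f"mounted {header['file']} {header['period']}, "
                                         f"expected {expected_file} {expected_period}"))
    # Trailer label: record count and control total accumulated by the program.
    grand_total = sum((r["total"] for r in records), Decimal(0))
    if len(records) != trailer["count"]:
        findings.append(("trailer_count", f"{len(records)} records, trailer says {trailer['count']}"))
    if grand_total != trailer["total"]:
        findings.append(("trailer_total", f"{grand_total} summed, trailer says {trailer['total']}"))
    # Cross-footing: each row's columns must add to its total, and the column
    # totals must add to the total of the row totals.
    for r in records:
        if r["cash"] + r["payables"] != r["total"]:
            findings.append(("cross_foot_row", f"doc {r['doc']}: columns do not add to row total"))
    column_sum = sum((r["cash"] + r["payables"] for r in records), Decimal(0))
    if column_sum != grand_total:
        findings.append(("cross_foot_column", f"columns total {column_sum}, rows total {grand_total}"))
    return findings


if __name__ == "__main__":
    for name, text in (("GOOD_FILE", GOOD_FILE), ("BAD_FILE", BAD_FILE)):
        print(name, verify_run(text, "AP_DISBURSE", "2024-03") or "passes")
```

Amounts are parsed as Decimal rather than float so that the trailer comparison is exact; a control total that is off by a rounding error is a false exception the control clerk then has to chase.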

Some selected rules:

• Machine operators should not have access to source programs - only the
object programs.
• Access to the machinery should be limited to operators.
• Programmers and systems analysts should not have access to the
equipment, files or source records under normal operating conditions.
• Supervisors should respond to any unprogrammed halts.
• Operator intervention should be made a matter of record.
• Where economically feasible, backup operators should be available on a
short-notice basis.

3. Output Controls
These govern the accuracy and reasonableness of the output of data processing and prevent
unauthorized use of output.
Important measures include:
a) Error log. When an error is discovered, it is entered into a log which must
be updated when the error is corrected, to ensure that it is processed once and
only once.

b) Follow-up control totals. A control clerk reconciles totals printed out by the
computer with totals computed independently.

c) Distribution log (transmittal log). When output is sensitive, a log is kept to
show that output reaches the correct destinations.

d) Audit trail storage. Output from the program should also be taken at
intermediate points in the processing to allow tracing of the final output back to
the original source documents.

e) Visual review for apparent reasonableness and completeness.

f) Exceptions should be properly handled.

g) Complete resubmission of corrected errors should be assured.

h) Provision should be made to see that all output reports are delivered on time
and to authorized destinations.

i) Users should be periodically queried about their continued need for the output.

j) Shred sensitive documents.


COMPUTER CONTROL ACTIVITIES

Computer General Control activities
Computer Application Control activities
User Control Activities to test the completeness and accuracy of computer-processed
transactions

COMPUTER FRAUD

For each type of fraud: explanation, then protection/prevention.

1. Input manipulation
Explanation: Input documents are improperly altered or revised without authorization (e.g.,
payroll time cards can be altered to pay overtime).
Protection/Prevention:
1.a. Data input formats properly documented and authorized.
1.b. Programs designed to accept only certain inputs from designated users, locations,
terminals and/or times of the day.

2. Program alteration
Explanation: Program alteration requires programming skills and knowledge of the program.
The program coding is revised for fraudulent purposes, e.g., ignore certain transactions
such as overdrafts against the programmer's account; draw checks and have them sent to a
falsely constructed account; grant excessive discounts to certain specified trade accounts,
etc.
Protection/Prevention:
2.a. Programmers should only make changes to copies of production source programs and data
files, never to the actual production files.
2.b. Computer operators should not have direct access to production programs or data files.
2.c. Internal audit or some other independent group should have copies of the official
programs, or access to the master programs, so as to periodically process actual data and
compare the output with the output obtained from normal operations. Any output changes
would be indicative of unauthorized program changes.
2.d. Periodic comparisons of on-line programs to off-line backup copies to detect changes.

3. File alteration
Explanation: File alteration occurs when the defrauder revises specific data or a computer
center manipulates data files, e.g., fraudulently changing the rate of pay of an employee in
the payroll master file via a program instruction; or transferring balances among dormant
accounts to conceal improper withdrawals of funds.
Protection/Prevention:
3.a. Restrict access to the
3.b. Programmers, analysts and computer operators should not have direct access to
production data files.
3.c. Production data files are maintained in a library under the control of a librarian or
database administrator.
3.d. Computer operators should not have access to applications documentation, except where
needed to perform their duties, to minimize their ability to modify programs and data files.

4. Data theft
Explanation: Data theft can be accomplished by data interception or by smuggling out
computer data files or hard copies of reports/files. With the considerable amount of
information being transmitted by long-distance lines, the data is vulnerable to being tapped
or intercepted. Magnetic tapes, minireels, or microcomputer disks can be smuggled out in
briefcases, employees' pockets, etc.
Protection/Prevention:
4.a. Electronic sensitization of all library materials for detection if unauthorized removal
from the library is attempted.
4.b. Tapping of transmitted data minimized by encrypting sensitive data transmissions.

5. Sabotage
Explanation: The physical destruction of hardware or software.
Protection/Prevention:
5.a. Terminated employees immediately denied access to all computer equipment and
information to prevent their ability to destroy or alter equipment or files.
5.b. Maintain back-up files at secure off-site locations.

6. Theft of computer time
Explanation: Theft of computer time means unauthorized use of a company's computer.
Employees can use the computer to perform personal or outside business activities, which
results in the computer being fully utilized and could lead to unnecessary computer capacity
upgrades if management is not aware of the unauthorized usage.
Protection/Prevention:
6. Assigning blocks of time to processing jobs, with operating-system blockage of the user
once the allocated time is exhausted. Any additional time would require special
authorization.
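Control 2.d above, periodic comparison of the on-line programs to the off-line backup copies, is the one in the table that an auditor can run with no knowledge of the programs' logic: hash every file in both trees and list what differs. The following is an added example, not code from the course module; the directory layout and the program file names are constructed for the demonstration, and the drift planted on the on-line side mirrors the table (one program edited in place, one file that was never in the backup, one program gone).

```python
"""Periodic comparison of on-line programs to off-line backup copies by hashing
every file in both trees. Added example, not code from the course module; the
directory layout and file names are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large programs are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root):
    """Map each file's path relative to root to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def compare_programs(online_dir, backup_dir):
    """Report files that differ from, were added beside, or vanished from the backup."""
    online, backup = tree_digests(online_dir), tree_digests(backup_dir)
    return {
        "changed": sorted(p for p in online.keys() & backup.keys() if online[p] != backup[p]),
        "added": sorted(online.keys() - backup.keys()),
        "missing": sorted(backup.keys() - online.keys()),
    }


def build_demo():
    """Construct an off-line backup and an on-line copy that drifted, then compare.

    The program contents are placeholder text, not real source code.
    """
    work = Path(tempfile.mkdtemp())
    backup, online = work / "backup", work / "online"
    for d in (backup, online):
        (d / "ap").mkdir(parents=True)
        (d / "ap" / "payroll.cbl").write_text("COMPUTE GROSS = HOURS * RATE.\n")
        (d / "ap" / "ledger.cbl").write_text("ADD AMOUNT TO BALANCE.\n")
    # Drift on the on-line side only: an edit, an extra file, a deletion.
    (online / "ap" / "payroll.cbl").write_text("COMPUTE GROSS = HOURS * RATE + BONUS.\n")
    (online / "ap" / "patch.cbl").write_text("DISPLAY 'PATCH'.\n")
    (online / "ap" / "ledger.cbl").unlink()
    return compare_programs(online, backup)


if __name__ == "__main__":
    for kind, files in build_demo().items():
        print(f"{kind}: {files}")
```

The comparison is only as trustworthy as the backup copy it reads, which is why the table puts the official copies with internal audit or the librarian rather than with the programmers whose changes the check is meant to catch.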

Self-Help: You can also refer to the sources below to help you
further understand the lesson:

* Cabrera, M. B. (2015). Management consultancy: Principles and Engagement. Philippines:
GIC Enterprises & Co., Inc.

Note:
The content of this manual is based on the textbook for MAS 3 titled “Management
Consultancy: Concepts and Application” by Cabrera, Ma. Elenita B.

Let’s Check

Activity 1. True or False. Write “TRUE” if the statement is true; otherwise write “FALSE” if
the statement is incorrect.

1) Security refers to measures or techniques that prevent, detect, and/or correct
conditions that may lead to loss or damage to the business firm.
2) File labels are part of output controls.
3) Processing controls include shredding of sensitive documents.
4) The use of a visitor entry log documents those who have had access to the area.
5) Control procedures that should be followed for input data include specific
procedures that should be established for delivery of data to the computer
department.
6) Input manipulation is not a computer fraud.
7) The two types of controls are general control and software control.


Activity 2. Multiple Choice Questions. Encircle the letter that corresponds to your answer.

1. An employee in the receiving department keyed in a shipment from a remote terminal and
inadvertently omitted the purchase order number. The best systems control to detect this
error would be:
a. batch total
b. completeness test
c. sequence check
d. reasonableness check

2. Some of the more important controls that relate to automated accounting information
systems are validity checks, limit checks, field checks, and sign test. These are classified
as
a. control total validation routines
b. hash totaling
c. data access validation routines
d. input validation routines

3. The use of a header label in conjunction with magnetic tape is most likely to prevent errors
by the
a. Computer operator
b. Keypunch operator
c. Computer programmer
d. Maintenance technician

4. For control purposes, which of the following should be organizationally segregated from
computer operations function?
a. Data conversion
b. Surveillance of CRT messages
c. Systems development
d. Minor maintenance according to a schedule

5. Which one of the following terms best describes a decision support system (DSS)?
a. Management reporting system
b. Formalized system
c. Interactive system
d. Accounting information system

Let’s Analyze

Activity 1. In this activity, you are required once again to elaborate your answer to each of
the questions below.

1. Explain briefly the concept and importance of system controls.
________________________________________________________
________________________________________________________
________________________________________________________


2. Distinguish briefly between general controls and application controls.


________________________________________________________
________________________________________________________
________________________________________________________

3. Enumerate and explain in your own words the components of General controls.
________________________________________________________
________________________________________________________
________________________________________________________

4. Give some examples of computer frauds.


________________________________________________________
________________________________________________________
________________________________________________________

In a Nutshell
In this part you are going to jot down what you have learned in this unit. The said
statement of yours could be in a form of concluding statements, arguments, or perspective
you have drawn from this lesson.
1. ________________________________________________________.
2. ________________________________________________________.
3. ________________________________________________________.
4. ________________________________________________________.
5. ________________________________________________________.

Q&A List
In this section you are going to list what puzzles you in this unit. You may indicate your
questions, noting that you have to indicate the answers after your question has been raised
and clarified. You can write your questions below.

Questions/Issues Answers

1.

2.


3.

4.

5.

Keyword Index
• General Control
• Application Control
• Computer Fraud
