Chapter Three

Administrative Controls
Introduction

- Administrative controls are formalized standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
- The most important administrative controls are:
  - Segregation of functions,
  - Written policies and procedures, and
  - Supervision.

Segregation of functions

- It is a fundamental principle of internal control in any organization.
- Job functions should be designed to minimize the risk of errors or fraudulent manipulation of assets.
- Individuals responsible for operating systems should not be the same ones who can initiate transactions that change the assets in the systems.
- Responsibilities for input, processing, and output are usually divided among different people to restrict what each one can do with the system.
- For example, the individuals who operate the system should not have the authority to initiate payments or to sign checks.
- A typical arrangement is to have an information systems department responsible for data and program files and end users responsible for initiating input transactions or correcting errors.
- Within the information systems department, the duties of programmers and analysts are segregated from those of computer equipment operators.

Written policies and procedures

- Policies and procedures establish formal standards for controlling information system operations.
- Procedures must be formalized in writing and authorized by the appropriate level of management.
- Accountabilities and responsibilities must be clearly specified.

Supervision

- Supervision of personnel ensures that the controls for the information system are performing as intended.
- With supervision:
  - Weaknesses can be spotted,
  - Errors can be corrected, and
  - Deviations from standard procedures can be identified.
- Without adequate supervision, the best-designed set of controls may be bypassed, short-circuited, or neglected.

EDP Steering Committee

- Firms that aim to develop systems establish a steering committee to provide guidance and oversight.
- The committee may include the chief executive officer, chief financial officer, chief information officer, senior management, and the internal auditor.
- External parties, such as management consultants and external auditors, may also supplement the committee.
- The committee is involved not only in developing system strategy but in every major phase of the SDLC.

Systems Development Process

- One of the most valuable assets of the modern business organization is a responsive, user-oriented information system.
- Organizations usually acquire IS in two ways:
  - Develop customized systems in-house, and
  - Purchase commercial systems from vendors.
- A properly functioning systems development process ensures that only needed applications are created, and that they are properly specified, possess adequate controls, and are thoroughly tested before implementation.
- IS must be auditable.
- Some computer audit techniques require special features that must be designed into the system.
- The auditor has a stake in such systems and must be involved early in the design.
- The segregation of systems development and operations activities is of the greatest importance.
- Operations staff who run these systems should have no involvement in their design and implementation.
- Consolidating these functions invites fraud.
- With detailed knowledge of an application's logic and control parameters, along with access to computer operations, an individual could make unauthorized changes to application logic during execution.
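As an added example that is not part of the slides, the following checker encodes the segregation rules from the segregation-of-functions slides (operators vs. payment initiation and check signing, programmers/analysts vs. operators, IS department file custody vs. end-user input, and the input/processing/output split) together with the development-vs-operations rule stated above, and reports every conflicting pair of duties held by a single person. The duty names and the sample assignment are constructed for this example.

```python
# Added example: a duty-assignment checker for the segregation rules in these slides.
from itertools import combinations

# Duty names are assumptions chosen for this example, not terms from the slides.
# Each rule maps to the pairs of duties that one person must not hold together.
CONFLICTS = {
    "operators must not initiate payments or sign checks":
        [("operate_system", "initiate_payment"), ("operate_system", "sign_checks")],
    "programmers and analysts are segregated from computer operators":
        [("program", "operate_system"), ("analyze", "operate_system")],
    "IS department keeps data and program files; end users initiate input and correct errors":
        [("custody_data_program_files", "initiate_input"),
         ("custody_data_program_files", "correct_errors")],
    "operations staff must not design or implement the systems they run":
        [("operate_system", "design_system"), ("operate_system", "implement_system")],
}
# Input, processing and output are divided among different people.
PIPELINE = ("input", "processing", "output")


def find_violations(assignments):
    """Return (person, rule, duty_a, duty_b) for every conflicting pair one person holds."""
    violations = []
    for person, duties in assignments.items():
        for rule, pairs in CONFLICTS.items():
            for a, b in pairs:
                if a in duties and b in duties:
                    violations.append((person, rule, a, b))
        # Any two stages of input/processing/output held by one person is a conflict.
        for a, b in combinations(PIPELINE, 2):
            if a in duties and b in duties:
                violations.append((person, "input, processing and output are divided", a, b))
    return violations


# Constructed sample assignment containing two deliberate conflicts (bob and dave).
SAMPLE = {
    "alice": {"initiate_input", "correct_errors"},              # end user, fine
    "bob":   {"operate_system", "sign_checks"},                  # operator who signs checks
    "carol": {"program", "analyze", "design_system"},            # developer, fine
    "dave":  {"operate_system", "implement_system", "output"},   # operator who also implements
    "erin":  {"custody_data_program_files", "processing"},       # IS department, fine
}

if __name__ == "__main__":
    for violation in find_violations(SAMPLE):
        print(violation)
```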

Auditing the System Development Process

- Auditors may evaluate the system development process in two ways:
  - As a member of the system development team, or
  - In an ex-post review of the system development process in general.
- When the auditor participates in the system development process, the objectives are to ensure that specific application controls are built to:
  - Safeguard assets,
  - Ensure data integrity, and
  - Achieve system effectiveness and efficiency.
- The auditor collects evidence primarily by observing the activities of the other members of the development team.
- Auditors must be capable of evaluating:
  - The choices made on the system development approach to be used, and
  - The activities to be carried out in each phase.
- When the auditor carries out an ex-post audit, the objectives are to:
  - Reduce the extent of substantive testing needed for application systems, and
  - Make recommendations for improving the system development process.
- The general approaches used to audit:
  - Interviews, observations, and a review of standards to obtain general and detailed information on the system development process.
  - Hypothesizing strengths and weaknesses that may exist and designing compliance tests.
- The auditor selects a sample of application systems to determine whether the hypothesized strengths and weaknesses do, in fact, exist.
- The auditor seeks answers to two basic questions when auditing the system development process:
  - Do system design personnel perform all activities necessary for the design and implementation of high-quality IS?
  - Are these activities performed well?
- Activities performed in the system development process:
  - Problem definition
  - Management of the change process
  - Entry and feasibility assessment
  - Analysis of the existing system
  - Organizational and job design
  - Information processing system design
  - Software acquisition and development
  - Procedures development
  - Acceptance testing
  - Conversion
  - Operation and maintenance
  - Post-audit

Auditor's responsibility in the process

- Problem definition – describes the factors that motivate the need for change.
  - Evaluate whether top management has established a system of authority and responsibility for project approval.
  - Assess the documentation which formally approves intervention by a designer and sets out the problem and terms of reference for the designer.
  - Be concerned about who initiated the intervention.
- Management of the change process – has two aspects:
  - Formal project control aspects, and
  - Change-facilitating aspects.
  - The auditor can obtain evidence by reviewing standards, examining the minutes of meetings and workshops, interviewing designers and users, and determining the role of the project steering committee.
- Entry and feasibility assessment – the auditor's primary objectives are to:
  - Determine whether a new system or a modification to an existing system was imposed upon users, and
  - Ensure that an application is converted to the computer only if benefits exceed costs.
- Analysis of the existing system – provides the basis for:
  - Managing the change process, and
  - Determining the strategic requirements for the new system.
- Organizational and job design – State the shape of the information
- Information processing system design – the auditor:
  - Audits whether the design meets strategic requirements from a system effectiveness viewpoint,
  - Is concerned with the resources that will be needed to run the system from a system efficiency viewpoint,
  - Is concerned with the controls designed into the system from an asset safeguarding and data integrity viewpoint, and
  - Evaluates the ongoing auditability of the system.
- Software acquisition and development:
  - If the audit software is to be purchased, auditors must specify the tasks that the software must accomplish and test the software to ensure its suitability.
  - If the audit program must be developed, auditors must be involved in at least the design and testing phases.
- Procedures development – well-documented user and operator manuals provide a sound basis for the day-to-day control over system operations.
- Acceptance testing – the auditor should check that test documentation shows:
  - How the testing process was developed,
  - How test data was designed and developed,
  - What test data was used,
  - What results were obtained,
  - What action was taken as a result of errors identified, and
  - What subsequent modifications were made to test data.
- Conversion – data being converted from one storage to another is not corrupted.
- Operation and maintenance – a formal change process exists to authorize and control needed changes to the system.
- Post-audit – periodically the system needs to be reviewed and evaluated to determine how well it is meeting its objectives.

The End!

Thank you!