CONTROL IN THE COMPUTER INFORMATION SYSTEM

OVERVIEW
Internal control in the computer information system is also known as systems
controls and security measures in an accounting information system. Without proper
safeguards, the use of computers can have negative results, such as inconveniences
due to incorrect processing of data and transactions, and money lost through computer
fraud.

In this module, we will study the auditor’s responsibilities with respect to
internal control over EDP systems, and learn the classification of internal controls
over EDP systems and the overall control structure of an entity, as an aid in planning
the audit and assessing control risk.

LEARNING OUTCOMES
At the end of this module, you should be able to:
• Understand the auditor’s responsibilities with respect to internal control over
EDP systems.
• Know internal control over EDP activities.
• Describe the general controls and their categories.
• Understand application controls and their categories.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --

OVERVIEW ON SYSTEM OF INTERNAL CONTROL

A system of internal control is composed of all measures employed by an
organization for purposes of safeguarding its resources against waste, theft,
and inefficiency, promoting accuracy in the records maintained, measuring
compliance with policies, and evaluating the efficiency and effectiveness of
operations.

Controls refer to measures or techniques that prevent, detect and/or
correct conditions that may lead to loss or damage to the business firm.

AUDITOR’S RESPONSIBILITIES

The auditor’s responsibilities with respect to internal control over EDP systems
remain the same as with manual systems, that is, to obtain an understanding
adequate:
✓ To aid in planning the remainder of the audit
✓ To assess control risk

Factors such as the following may affect the study of internal control, in that
computer systems:
a. result in transaction trails that exist for a short period of time or only in
computer readable form.
b. include program errors that cause uniform mishandling of transactions –
clerical errors become less frequent.
c. include computer controls that need to be relied upon instead of
segregation of functions.
d. involve increased difficulty in detecting unauthorized access.
e. allow increased management supervisory potential resulting from more
timely reports.
f. include less documentation of initiation and execution of transactions.
g. include computer controls that affect the effectiveness of related manual
control procedures that use computer output.

Observe that the factors enumerated above present the nature of the risks
and the control characteristics necessary in a computer information system
environment. For example, factor (a) states that computer systems result in
transaction trails that exist for a short period of time or only in computer-readable
form, so audit trails may be undermined. A complete transaction trail is useful in
the conduct of an audit, yet some EDP activities are designed so that the
transaction trail exists for only a short period of time. Accordingly, errors embedded
in the data may be difficult to detect on a timely basis by manual (user) procedures
because the trail is no longer available. The same is true for factor (b): computer
processing uniformly processes like transactions with the same processing
instructions. The clerical errors ordinarily associated with manual processing
are virtually eliminated; however, a programming error will ordinarily result in
all transactions being processed incorrectly, so the effects of errors may be
magnified. The same reasoning applies to the other factors. These are some of
the reasons why computers can cause control problems.

CONTROLS OVER EDP ACTIVITIES (COMPUTER CONTROLS)

I. GENERAL CONTROLS are measures that ensure that a company’s
control environment is stable and well managed. These controls relate to
ALL EDP applications and provide reasonable assurance that development
of, and changes to, computer programs are authorized, tested, and approved
prior to their usage.

A. Organizational or Personnel controls


✓ Controls
✓ Segregate functions between the EDP department and user
departments.
✓ Do not allow the EDP department to initiate or authorize
transactions.
✓ Segregate functions within the EDP department.
✓ Segregation of duties – provides the control mechanism for maintaining
an independent processing environment. The key functions within the
EDP should be segregated to ensure maximum separation of duties.

Systems analyst – is responsible for analyzing the present user
environment and requirements and recommending the specific changes
which can be made. The analyst may also recommend the purchase of a new
system and design the new EDP system.
Applications programmer – is responsible for writing, testing and
debugging the application programs from the specifications provided by
the systems analyst.
Systems programmer – is responsible for implementing, modifying and
debugging the software necessary for making hardware work.
Operator – is responsible for the daily computer operations of both the
hardware and software.
Data librarian – is responsible for the custody of the removable media,
i.e., magnetic tapes or disks, and for the maintenance of program and
system documentation.
Quality assurance – is a relatively new function established primarily to
ensure that new systems under development and old systems being
changed are adequately controlled and that they meet the user’s
specifications and follow department documentation standards.
Control group – acts as liaison between users and the processing center.
Data security – is responsible for maintaining the integrity of the on-line
access control security software.
Database administrator – is responsible for maintaining the database
and restricting access to the database to authorized personnel.
Network technician – using line monitoring equipment, can see each
keystroke made by any user.
From an ideal standpoint, all of the key functions should be
segregated; however, in a small EDP environment, many of the key
functions are concentrated in a small number of employees. When these
functions are not segregated, irregularities in EDP can be perpetrated and
concealed and the auditor should not rely on the controls within EDP.
The auditor’s tests of controls over the organization and operation
controls should include inquiry, observation, discussion, and review of an
appropriate organization chart and of the responsibility for initiating and
authorizing transactions. Discrepancies should be reported and the appropriate
controls recommended.

B. System development and documentation controls

✓ Controls
(a) User departments must participate in systems design.
(b) Each system must have written specifications which are reviewed and
approved by management and by user departments.
(c) Both users and EDP personnel must test new systems.
(d) Management, users, and EDP personnel must approve new systems
before they are placed into operation.
(e) All master and transaction file conversion should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis.
(f) After a new system is operating, there should be proper approval of all
program changes.
(g) Proper documentation standards should exist to assure continuity of the
system.
✓ Within EDP, new systems are developed that either replace old systems or
enhance present systems. This environment requires unique controls to
ensure that the integrity of the overall system is maintained. Two common
controls over system change include the following:
(a) Design methodology – all new systems being developed should flow
through a documented process that has specific control points where the
overall direction of the system can be evaluated and changes, if needed,
can be made.
(b) Change control process – to effect a change on a system that is
presently operating, a formal change process should exist that requires
formal approval before any change is implemented.
The auditor should use tests of control to determine that the system
development procedures that exist are properly functioning and are
adequately documented. All documentation pertaining to procedures,
programs, or methodologies, should be up to date and written in clear,
concise language.

C. Hardware and systems software controls

✓ Controls
a. The auditor should be aware of control features inherent in the
computer hardware, operating system, and other supporting software
and ensure that they are utilized to the maximum possible extent.
b. Systems software should be subjected to the same control procedures
as those applied to installation of and changes to application programs.
✓ The reliability of EDP hardware has increased dramatically over the
decade. This is primarily due to chip technology; however, it is also due
to the controls built into the hardware to detect and prevent equipment
failures. The most common types of built-in controls are:
a. Parity check – a special bit is added to each character stored in memory
that can detect if the hardware loses a bit during the internal movement
of a character similar to a check digit.
b. Echo check – involves transmitting data received back to the source
unit for comparison with original communication (feedback loop).
c. Boundary protection – prohibits unauthorized entry (read or write) to
storage units.
d. Validity test – verification that each input character is one of a
permissible set of characters.

The auditor’s tests of control over hardware and systems software should
test whether these controls are functioning as intended. In addition, audit
software can be used to analyze the data collected by diagnostic routines (a
routine designed to locate a computer malfunction or a mistake in coding) and
to detect significant trends.
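As an added illustration of the parity check and echo check listed above (this is example code, not part of the module), the following simulates both on constructed data; even parity is assumed, and the sample bytes are made up for the demo.

```python
# Added example (not from the module): simulating the parity check and echo check
# described above on constructed data. Even parity is assumed for the demo.

def parity_bit(value: int) -> int:
    """Even-parity bit for one 8-bit character: 1 if the byte has an odd number of 1 bits,
    so that character plus parity bit always carries an even number of 1s."""
    return bin(value & 0xFF).count("1") & 1

def store_with_parity(data: bytes) -> list:
    """Attach a parity bit to each character, as memory hardware does."""
    return [(b, parity_bit(b)) for b in data]

def parity_check(stored: list) -> list:
    """Return positions whose character no longer agrees with its stored parity bit."""
    return [i for i, (b, p) in enumerate(stored) if parity_bit(b) != p]

def flip_bits(value: int, *positions: int) -> int:
    """Simulate the hardware 'losing' (inverting) the given bit positions."""
    for pos in positions:
        value ^= 1 << pos
    return value

def echo_check(sent: bytes, echoed: bytes) -> bool:
    """Echo check: the receiving unit sends what it got back to the source,
    which compares it with the original (feedback loop). True = echo matches."""
    return sent == echoed

def parity_demo():
    """Single-bit loss is caught by the parity check; a double-bit loss in the same
    character leaves the parity unchanged and is missed (the known limitation)."""
    stored = store_with_parity(b"PAYROLL")          # constructed sample data
    assert parity_check(stored) == []
    single = list(stored)
    ch, p = single[2]                               # 'Y' = 0x59, four 1 bits
    single[2] = (flip_bits(ch, 0), p)
    double = list(stored)
    double[2] = (flip_bits(ch, 0, 3), p)
    return parity_check(single), parity_check(double)
```

The second result shows why a parity bit is only a single-error detector: two lost bits in one character cancel out, so stronger checks (or a full echo) are needed where that matters.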

D. Access controls – controls over access to computer equipment and data files

✓ These include the following segregation controls:
a. Access to program documentation should be limited to those persons
who require it in the performance of their duties.
b. Access to data files and programs should be limited to those individuals
authorized to process data.
c. Access to computer hardware should be limited to authorized
individuals such as computer operators and their supervisors.
✓ Physical access to computer facility controls which may involve the use of
guards, automated key cards, manual key locks as well as the new access
devices that permit access through fingerprints, palm prints, voice patterns
and retina prints.
✓ Use of visitor entry log which document those who have had access to the
area.
✓ Use of identification code and a confidential password to control access to
software.
✓ Use of “call back”, which is a specialized form of user identification in which
the user dials the system, identifies him/herself and is disconnected from
the system, after which the system calls the user back at a pre-authorized number.
✓ Use of “encryption”, where data is encoded when stored in computer files
and/or when transmitted from remote locations.

Access controls are tested by attempting to violate the system,
either physically or electronically, or by reviewing any unauthorized
access that has been recorded. The auditor must use tests of
controls to ensure that all security violations are followed up on, to
confirm that they were only errors.

E. Other data and procedural controls – including security and disaster controls
(fault-tolerant systems, backup, and contingency planning)

(a) Physical Security
1. Fireproof storage
2. Backup for the vital documents, files and programs. The backup and
reconstruction procedure typically used under batch processing is the
grandfather-parent-child procedure. Also, through electronic vaulting, data
on backup tapes can be electronically transmitted to remote sites.

(b) Contingency planning – which includes the development of a formal disaster
recovery plan. This plan describes the procedures to be followed in the case of an
emergency and the alternate processing sites, as well as the role of each member
of the disaster recovery team. Its goal is to recover processing capability as
soon as possible. Disaster recovery sites can be either “hot sites” or “cold sites”.

“Hot site” – a facility that is configured and ready to operate within a few hours.
“Cold site” – a facility that provides everything necessary to quickly install
computer equipment, but doesn’t have the computer installed.
(c) Insurance should also be obtained to compensate the company for losses
(theft, fire or other calamities) when they occur.

These controls are tested mainly through identification,
observation, and inquiry. While some of these controls, such as
protection rings and labels, are easily implemented, other
controls, such as contingency processing, are more difficult and
costly to implement. The auditor should determine that these
controls are either present or that management has accepted the
related risks and that all expectations are scrutinized.

II. APPLICATION CONTROLS – pertain directly to the transaction processing
systems. Their objectives are to prevent, detect and correct errors and
irregularities in transactions that are processed in an IT environment.

A. Input Controls – attempt to ensure the validity, accuracy and
completeness of the data entered into the system. Four categories of input
controls include
1. Data observation and recording – this involves visual review of source
documents. Examples are feedback mechanisms, dual observation,
point-of-sale (POS) devices and preprinted recording forms.
2. Data transcription – this involves key encoding of the source data,
especially the critical fields, and preparation of data for computerized
processing. An important feature of this control procedure is the use of
preformatted screens that use “masks”.
3. Programmed (source program) edit checks – basic types of checks
include routines for examining record fields.
These include
a. Control batch or proof totals - field of numbers is totaled on source
documents and the program totals the same field or records
processed and compares the two totals (e.g., total cash
disbursement on accounts payable).
b. Completeness check – the program checks the input record for missing
data that should be part of the record.
c. Hash total – a control total that is meaningless in itself except for control
purposes, e.g., the summation of invoice numbers in a batch of sales
invoices, used to determine whether data have been lost.
d. Limit check - program compares data with predetermined limits as a
reasonable test (e.g., a calendar month cannot be numbered higher
than 12).
e. Logical (consistency) check - data is compared with other data when
a relationship should exist (e.g., employee name and social security
number).
f. Self-checking digit
An extra digit is added to a number. The new digit is computed from
the other digits in the number. The program can then check the input
by recomputing and comparing the check digit (used for account
numbers).
g. Record count
A control total using a count of records processed during the various
phases of operation of a program.
h. Sequence check – when source documents have a sequence, the
program checks the input in order to see if any items are omitted.
i. Validity check – data is compared with type of data to be included in
each field input, e.g., only letters in a name field.
j. Reasonableness check – for example, it is not reasonable for certain
classes of employees to have very large gross pay.
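To show several of the programmed edit checks above working together, here is an added example (not the module’s own code) that runs a constructed batch of payroll input records through completeness, sequence, validity, self-checking digit, limit, logical and reasonableness checks; the field names, the pay limits per employee class and the choice of the Luhn mod-10 scheme for the check digit are assumptions for the demo.

```python
# Added example (not the module's own code): programmed edit checks run over a constructed
# batch of payroll input records. Field names, the pay limits per employee class and the
# use of the Luhn mod-10 scheme as the self-checking digit are assumptions for the demo.

def luhn_valid(account: str) -> bool:
    """Self-checking digit: recompute the Luhn mod-10 check over the whole number."""
    if not account.isdigit() or len(account) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch) * 2 if i % 2 == 1 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# Reasonableness limits on monthly gross pay by employee class (assumed values).
MAX_GROSS_BY_CLASS = {"clerk": 40_000, "manager": 120_000}
REQUIRED = ("seq", "name", "account", "month", "emp_class", "gross")

def edit_check(rec: dict, expected_seq: int) -> list:
    """Return the edit-check failures for one record (an empty list means it passed)."""
    # completeness check: every required field must be present and non-empty
    errors = [f"missing {f}" for f in REQUIRED if rec.get(f) in (None, "")]
    if errors:
        return errors
    # sequence check: source documents must arrive in order with none omitted
    if rec["seq"] != expected_seq:
        errors.append(f"sequence break: expected {expected_seq}, got {rec['seq']}")
    # validity check: only letters (and spaces) are acceptable in a name field
    if not rec["name"].replace(" ", "").isalpha():
        errors.append("name contains non-letters")
    # self-checking digit on the account number
    if not luhn_valid(rec["account"]):
        errors.append("account number fails check digit")
    # limit check: a calendar month cannot be numbered higher than 12
    if not 1 <= rec["month"] <= 12:
        errors.append("month out of range")
    # logical check (class must exist) and reasonableness check (pay versus class)
    limit = MAX_GROSS_BY_CLASS.get(rec["emp_class"])
    if limit is None:
        errors.append("unknown employee class")
    elif rec["gross"] > limit:
        errors.append("gross pay unreasonable for class")
    return errors

def run_edit_checks(batch: list) -> dict:
    """Run every record through edit_check; the report is keyed by record position."""
    report, expected = {}, (batch[0].get("seq") or 1) if batch else 1
    for pos, rec in enumerate(batch):
        errs = edit_check(rec, expected)
        if errs:
            report[pos] = errs
        expected = (rec.get("seq") or expected) + 1
    return report

# Constructed sample batch: record 0 is clean; record 1 skips a sequence number and has a
# bad check digit; record 2 has month 13 and an unreasonable gross pay for a clerk.
SAMPLE_BATCH = [
    {"seq": 101, "name": "Ana Cruz", "account": "79927398713", "month": 6,
     "emp_class": "clerk", "gross": 25_000},
    {"seq": 103, "name": "Ben Reyes", "account": "79927398710", "month": 6,
     "emp_class": "manager", "gross": 90_000},
    {"seq": 104, "name": "Cleo Tan", "account": "79927398713", "month": 13,
     "emp_class": "clerk", "gross": 250_000},
]
```

Calling run_edit_checks(SAMPLE_BATCH) reports the failures for records 1 and 2 and nothing for record 0, which is what an exception listing produced at input time would contain.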

B. Processing Controls – these controls focus on the manipulation of
accounting data after they are input to the computer system. Included in
processing controls are
a. File labels designed to avert accidental erasures of live data and to
ensure that proper files are used.
• External labels can be read visually and are attached to the
exterior of containers holding the files.
• Internal (header) labels are located as the first record at the
beginning of a file and are machine readable.
b. Trailer labels are program-generated control totals and
predetermined controls that are printed out at the end of a
processing run for verification.
c. Sequence tests are generally used to determine that files to be
merged are arranged in the same order, and to detect any numbers
missing from batches of sequentially numbered items.
d. Proof totals, generally used in batch-processing systems, are used to
detect whether data are lost. Principal types include
• Monetary totals such as the total sales pesos for a batch of sales
invoices.
• Hash totals such as the total of all invoice numbers in a batch of
sales invoices.
• Document or records counts which are simply tallies of the
number of items included in a batch to be processed.
e. Cross-footing tests are used to check the interrelationships of various
totals. For example, in accounting the ledgers should balance.
f. Exception listings are used when data are rejected for processing.
g. Transmittal record should be logged so that the flow of data to be
processed can be controlled.
h. A record should be logged for each processing run showing the files
used, time consumed, machine halts, operator actions, and other
relevant data.
i. Console messages should be written into the source program to alert
the operator to conditions that need attention.
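The proof totals in (d) and the cross-footing test in (e) above, together with the control batch totals, hash totals and record counts listed under input controls, are illustrated by this added example (not the module’s own code); the invoice fields and amounts are constructed for the demo.

```python
# Added example (not the module's own code): batch proof totals and a cross-footing test
# over a constructed batch of sales invoices. Field names and amounts are assumed.

def proof_totals(invoices: list) -> dict:
    """The three principal batch control totals, computed from the records as processed."""
    return {
        "monetary_total": sum(inv["amount"] for inv in invoices),  # total sales pesos
        "hash_total": sum(inv["invoice_no"] for inv in invoices),  # meaningless except as a control
        "record_count": len(invoices),
    }

def compare_with_control(computed: dict, control: dict) -> list:
    """Names of the totals that disagree with the control totals established from the source documents."""
    return [key for key in control if computed.get(key) != control[key]]

def cross_foot(journal: list, parts: tuple, total: str) -> list:
    """Cross-footing test: each row's parts must add to its total, and the column totals
    of the parts must add to the column total of the total field."""
    failures = []
    for row in journal:
        if sum(row[p] for p in parts) != row[total]:
            failures.append(f"row {row['invoice_no']}: {'+'.join(parts)} does not foot to {total}")
    col_parts = sum(row[p] for row in journal for p in parts)
    col_total = sum(row[total] for row in journal)
    if col_parts != col_total:
        failures.append(f"column totals do not cross-foot: {col_parts} != {col_total}")
    return failures

# Constructed batch: the control totals were taken from four source invoices. In the
# processed batch the amount of invoice 1004 was mis-keyed as 1,600 instead of 1,680.
CONTROL_TOTALS = {"monetary_total": 10_080, "hash_total": 4_010, "record_count": 4}
BATCH = [
    {"invoice_no": 1001, "net": 2_000, "tax": 240, "amount": 2_240},
    {"invoice_no": 1002, "net": 3_000, "tax": 360, "amount": 3_360},
    {"invoice_no": 1003, "net": 2_500, "tax": 300, "amount": 2_800},
    {"invoice_no": 1004, "net": 1_500, "tax": 180, "amount": 1_600},
]

def demo():
    """Which total catches which error: a mis-keyed amount moves only the monetary total,
    a lost record moves all three, and cross-footing pinpoints the mis-keyed row."""
    lost_record = [inv for inv in BATCH if inv["invoice_no"] != 1003]
    return (
        compare_with_control(proof_totals(BATCH), CONTROL_TOTALS),
        compare_with_control(proof_totals(lost_record), CONTROL_TOTALS),
        cross_foot(BATCH, ("net", "tax"), "amount"),
    )
```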

C. Output Controls – these govern the accuracy and reasonableness of
the output of data processing and prevent unauthorized use of output.
Important measures include
a. Error log – when an error is discovered, it is entered into a log, which
must be updated when the error is corrected, to ensure that it is
processed once and only once.
b. Follow-up of control totals – a control clerk reconciles the totals printed
out by the computer with totals computed independently.
c. Distribution log (transmittal log) – when output is sensitive, a log is kept
to show that output reaches the correct destinations.
d. Audit trail storage – output from the program should be taken at
intermediate points in the processing to allow tracing of the final output
back to the original source documents.

COMPUTER FRAUD

It is estimated that several hundred million pesos and dollars are lost annually
through computer crime. There have been reported cases of computer “hackers”
and computer break-ins, as well as stories of viruses spreading throughout vital
networks.
Type of Fraud – Explanation – Protection/Prevention

1. Input manipulation
Explanation: Input documents are improperly altered or revised without
authorization (e.g., payroll time cards can be altered to pay overtime).
Protection/Prevention:
a. Data input formats properly documented and authorized.
b. Programs designed to accept only certain inputs from designated users,
locations, terminals and/or times of the day.

2. Program alteration
Explanation: Program alteration requires programming skills and knowledge of
the program. The actual program coding is revised for fraudulent purposes, e.g.,
to ignore certain transactions such as overdrafts against the programmer’s
account.
Protection/Prevention:
a. Programmers should only make changes to copies of production source
programs and data files, never to the actual production files.
b. Computer operators should not have direct access to production programs
or data files.

3. File alteration
Explanation: File alteration occurs when the defrauder revises specific data or
manipulates data files.
Protection/Prevention:
a. Restrict access to the computer center.
b. Programmers, analysts, and computer operators should not have direct
access to production data files.

4. Data theft
Explanation: Data theft can be accomplished by data interception or ...
Protection/Prevention:
a. Electronic sensitization of all library materials for detection if unauthorized
removal from the library is attempted.
b. Tapping of transmitted data minimized by encrypting sensitive data
transmissions.

5. Sabotage
Explanation: The physical destruction of hardware or software.
Protection/Prevention:
a. Terminated employees immediately denied access to all computer equipment
and information to prevent their ability to destroy or alter equipment or files.

6. Theft of computer time
Explanation: Theft of computer time means unauthorized use of a company’s
computer. Employees can use the computer to perform personal or outside
business activities, which result in the computer being fully utilized and could
lead to unnecessary computer capacity upgrades if management is not aware of
the unauthorized usage.
Protection/Prevention:
a. Assigning blocks of time to processing jobs, with operating system blockage
of the user once the allocated time is exhausted. Any additional time would
require special authorization.

Although the threat to security is seen as external, through outside penetration,
the more dangerous threats are of internal origin.
Management must recognize these problems and commit to the development
and enforcement of security programs to deal with the many types of fraud
that computer systems are susceptible to on a daily basis.

SUMMARY

Overview of the system of internal control and the auditor’s
responsibilities.
Factors that may affect the study of internal control in
computer systems.
The two classifications of controls, general and
application controls.
The areas covered by general controls.
The input, processing and output controls.
The primary types of computer systems fraud and
their basic prevention.

Additional information:

https://www.youtube.com/watch?v=bafb1IyUKUU&t=39s

