INFORMATION SYSTEM
OVERVIEW
Internal control in the computer information system is also known as systems
controls and security measures in an accounting information system. Without proper
safeguards, the use of computers can have negative results such as inconveniences
due to incorrect processing of data and transactions and money lost through computer
fraud.
In this module, we will study the auditor’s responsibilities with respect to
internal control over EDP systems, and learn the classification of internal control
over the EDP system and the overall control structure of an entity, to aid in planning
the audit and assessing control risk.
LEARNING OUTCOMES
At the end of this module, you should be able to:
• Understand the auditor’s responsibilities with respect to internal control over
EDP systems.
• Know internal control over EDP activities.
• Describe the general controls and their categories.
• Understand application controls and their categories.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --
Factors such as the following may affect the study of internal control in that
computer systems:
a. result in transaction trails that exist for a short period of time or only in
computer readable form.
b. include program errors that cause uniform mishandling of transactions –
clerical errors become less frequent.
c. include computer controls that need to be relied upon instead of
segregation of functions.
d. involve increased difficulty in detecting unauthorized access.
e. allow increased management supervisory potential resulting from more
timely reports.
f. include less documentation of initiation and execution of transactions.
g. include computer controls that affect the effectiveness of related manual
control procedures that use computer output.
✓ Controls
(a) User departments must participate in systems design.
(b) Each system must have written specifications which are reviewed and
approved by management and by user departments.
(c) Both users and EDP personnel must test new systems.
(d) Management, users, and EDP personnel must approve new systems
before they are placed into operation.
(e) All master and transaction file conversion should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis.
(f) After a new system is operating, there should be proper approval of all
program changes.
(g) Proper documentation standards should exist to assure continuity of the
system.
✓ Within EDP, new systems are developed that either replace old systems or
enhance present systems. This environment requires unique controls to
ensure that the integrity of the overall system is maintained. Two common
controls over system change include the following:
(a) Design methodology – all new systems being developed should flow
through a documented process that has specific control points where the
overall direction of the system can be evaluated and changes, if needed,
can be made.
(b) Change control process – to effect a change on a system that is
presently operating, a formal change process should exist that requires
formal approval before any change is implemented.
The auditor should use tests of control to determine that the system
development procedures that exist are properly functioning and are
adequately documented. All documentation pertaining to procedures,
programs, or methodologies, should be up to date and written in clear,
concise language.
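One way an auditor could automate a test of the change control process described above, given here as an added example and not part of the original module. The change log, the role names and the rule that each change needs all three approvals dated on or before implementation are assumptions made for illustration.

```python
from datetime import date

# Assumption: every change needs sign-off from the three parties named in control (d).
REQUIRED_APPROVERS = {"management", "user", "edp"}

# Constructed change log: implementation date plus approval date per role.
CHANGES = [
    {"id": "CHG-001", "implemented": date(2024, 3, 10),
     "approvals": {"management": date(2024, 3, 1),
                   "user": date(2024, 3, 2),
                   "edp": date(2024, 3, 3)}},
    {"id": "CHG-002", "implemented": date(2024, 3, 12),
     "approvals": {"management": date(2024, 3, 15),   # signed after go-live
                   "user": date(2024, 3, 11),
                   "edp": date(2024, 3, 11)}},
    {"id": "CHG-003", "implemented": date(2024, 3, 20),
     "approvals": {"edp": date(2024, 3, 18)}},        # two sign-offs missing
]

def change_exceptions(changes, required=REQUIRED_APPROVERS):
    """Return (change id, role, reason) for every approval that is missing
    or dated after the change was implemented."""
    findings = []
    for change in changes:
        for role in sorted(required):
            approved_on = change["approvals"].get(role)
            if approved_on is None:
                findings.append((change["id"], role, "missing approval"))
            elif approved_on > change["implemented"]:
                findings.append((change["id"], role,
                                 "approved after implementation"))
    return findings

if __name__ == "__main__":
    for finding in change_exceptions(CHANGES):
        print(finding)
```

Each finding is an exception the auditor would follow up on; a change with no findings only shows that the approvals were recorded, not that the review behind them was adequate.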
✓ Controls
a. The auditor should be aware of control features inherent in the
computer hardware, operating system, and other supporting software
and ensure that they are utilized to the maximum possible extent.
b. Systems software should be subjected to the same control procedures
as those applied to installation of and changes to application programs.
✓ The reliability of EDP hardware has increased dramatically over the
decade. This is primarily due to the chip technology. However, it is also due
to the controls built into the mechanism to detect and prevent equipment
failures. Most common types of built-in controls are:
a. Parity check – a special bit is added to each character stored in memory
so that the hardware can detect the loss of a bit during the internal
movement of a character, similar to a check digit.
b. Echo check – involves transmitting data received back to the source
unit for comparison with original communication (feedback loop).
c. Boundary protection – prohibits unauthorized entry (read or write) to
storage units.
d. Validity test – verification that each input character is one of a
permissible set of characters.
The auditor should use tests of control that cover hardware and system
software controls to test whether the controls are functioning as intended.
In addition, audit software can be used to analyze the data collected by the
diagnostic routines (routines designed to locate a computer malfunction
or a mistake in coding) and detect significant trends.
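The parity check, echo check and validity test listed above, sketched in software as an added example that is not part of the original module. The function names, the 9-bit word layout, the even-parity convention and the sample data are assumptions chosen for illustration; real hardware implements these checks in circuitry.

```python
# Added illustration: names and sample values below are constructed.

def add_parity(ch: str) -> int:
    """Store a character as 9 bits: 8 data bits plus an even-parity bit (bit 8)."""
    code = ord(ch)
    if code > 0xFF:
        raise ValueError("example handles single-byte characters only")
    parity_bit = bin(code).count("1") % 2      # 1 if the data has an odd number of 1s
    return code | (parity_bit << 8)

def parity_ok(word: int) -> bool:
    """Even parity holds when the stored word has an even number of 1 bits."""
    return bin(word).count("1") % 2 == 0

def echo_check(sent: bytes, link) -> bool:
    """Source sends data over `link`; the receiver echoes back what it got.

    Assumption: the return path is error-free, so the echo equals what arrived.
    """
    echoed = link(sent)
    return echoed == sent

def validity_test(field: str, permitted: set) -> list:
    """Return (position, character) for every character outside the permitted set."""
    return [(i, c) for i, c in enumerate(field) if c not in permitted]

if __name__ == "__main__":
    word = add_parity("C")                     # 0x43 has three 1 bits, parity bit = 1
    print(parity_ok(word))                     # intact word
    print(parity_ok(word ^ 0b0100))            # one bit flipped in transit
    print(parity_ok(word ^ 0b1100))            # two bits flipped in transit
    flip_first = lambda d: bytes([d[0] ^ 1]) + d[1:]   # constructed faulty link
    print(echo_check(b"PAY 100", lambda d: d), echo_check(b"PAY 100", flip_first))
    print(validity_test("12O45", set("0123456789")))   # letter O keyed for zero
```

A single parity bit catches any odd number of flipped bits but passes an even number, which is why it complements rather than replaces the other checks.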
D. Access controls – controls over access to equipment and data files (also
called access to computer and data files controls)
E. Other data and procedural controls – including security and disaster controls
(fault-tolerant systems, backup, and contingency planning)
“Hot site” is a facility that is configured and ready to operate within a few hours.
“Cold site” is a facility that provides everything necessary to quickly install
computer equipment, but doesn’t have the computer installed.
(c) Insurance should also be obtained to compensate the company for losses
(theft, fire or other calamities) when they occur.
COMPUTER FRAUD
It is estimated that several hundred million pesos and dollars are lost annually
through computer crime. Cases of computer “hackers” and computer break-ins have
been reported, as well as stories of viruses spreading throughout vital
networks.
Type of Fraud Explanation Protection/Prevention
SUMMARY
Additional information:
https://www.youtube.com/watch?v=bafb1IyUKUU&t=39s
REFERENCES