• IT Controls- To minimize errors, disaster, computer crime, and breaches of security, special policies and procedures must be incorporated into the design and implementation of information systems. The combination of manual and automated measures that safeguard information systems and ensure that they perform according to management standards is termed controls.
• COBIT – framework of best practices of IT controls
• CIO (chief information officer) has the primary responsibility to
maintain IT controls
• General controls- Overall controls that establish a framework for
controlling the design, security, and use of computer programs
throughout an organization.
• Determine the control environment
IT General Controls
• Administration of the IT function
• Separation of IT duties
• System development
• Physical and online security
• Backup and contingency planning
• Hardware controls
Administration of IT function
• Tone at the top → control environment
• BOD and senior management attitude
• Resource allocation (under/over funded)
• Involvement of IT personnel in business decision making
• Smaller organization (BOD relies on CIO)
• Assigning IT duties to lower level employees (no authority) or outside
consultant (temporary issue) may signal less importance
Organisation chart of the IT function (diagram flattened in extraction; the three columns below are reconstructed from the layout):
CIO / IT manager
System development: system analyst, programmers
Operations: librarian, network administrator
Data control: data input/output, data administrator
(also listed on the chart: computer programmer)
• Power failures, fire, excessive heat or humidity, water damage or even sabotage can have serious consequences for a business using IT
• On-site generators and battery backups
• Disaster recovery plans, offsite storage of critical software and data files.
• Hot site- has all the equipment needed for the enterprise to continue operation, including office space and furniture, telephone jacks and computer equipment.
• Cold site- less expensive, but it takes longer to get the enterprise into full operation after the disaster
• Physical and logical access- restrict access to hardware or software.
• Fingerprints, scans, use of passwords, firewalls, encryption
• Encryption involves coding data into a form that is not understandable to a casual reader, so that it is useless to anyone who intercepts it in transit. Data is converted into a coded form for transmission and is decoded when received at the other end, for instance when sending an individual's bank details over the internet.
• A firewall typically establishes a barrier between a trusted internal network and an untrusted external network, such as the Internet. It prevents or detects any attempt to gain unauthorized entry through the internet into the user's computer or intranet. It may block suspicious messages from the internet or show a message on the screen whenever it has blocked one, so that the user is aware of it. Firewalls can be implemented in hardware or in software.
• Application controls- designed for each software application
• Controls may be manual or automated and may include the following:
• Input (including batch input controls)
• Processing
• Output
• Input controls- information entered is authorized, accurate and complete
• Typical controls for manual system that are still relevant to IT include:
Management authorization
Adequate preparation of input source documents
Competent personnel
• Input Controls specific to IT
• Adequately designed input screens with preformatted prompts for transaction information
• Processing controls- Prevent and detect errors while transactions are being processed
• Validation test- ensures that a particular type of transaction is appropriate for processing (does the transaction code for the processing of a recent purchase match the predetermined inventory code?)
• Sequence test- determines if the data submitted for processing is in the correct sequence
• Arithmetic accuracy test- checks the accuracy of processed data (does the sum of net pay plus withholding equal gross pay for the entire payroll?)
• Data reasonableness test- determines if data exceeds pre-specified amounts (for instance, if there is an upper limit on employee pay checks of $500 it would detect amounts exceeding that)
• Completeness test- determines that every field in a record has been completed (valid employee no., no. of hours, days taken off); until all the details have been input it will not process the transaction
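The five processing tests above, applied to a constructed payroll batch. This is an added example and not part of the original notes: the transaction code "PAY", the field names and the sample records are assumptions for illustration; the $500 pay-check limit is the one the notes give.

```python
"""Processing controls applied to a constructed payroll batch.

Added example, not from the original notes. Each function implements one of
the tests the notes describe (validation, sequence, arithmetic accuracy, data
reasonableness, completeness). The transaction code "PAY", the field names and
the sample records are assumptions; the $500 pay-check limit is from the notes.
"""
from decimal import Decimal

VALID_TRANSACTION_CODES = {"PAY"}   # assumed: the only code payroll may process
REQUIRED_FIELDS = ("employee_no", "hours", "days_off", "gross", "net", "withholding")
MAX_NET_PAY = Decimal("500")        # upper limit on employee pay checks (from the notes)

# Constructed sample batch. Sequence number 3 is missing; record 2 exceeds the
# pay limit; record 4 has the wrong transaction code and does not foot; record 5
# has an empty employee number.
SAMPLE_BATCH = [
    {"seq": 1, "code": "PAY", "employee_no": "E001", "hours": 40, "days_off": 0,
     "gross": Decimal("450.00"), "net": Decimal("360.00"), "withholding": Decimal("90.00")},
    {"seq": 2, "code": "PAY", "employee_no": "E002", "hours": 38, "days_off": 1,
     "gross": Decimal("700.00"), "net": Decimal("560.00"), "withholding": Decimal("140.00")},
    {"seq": 4, "code": "INV", "employee_no": "E003", "hours": 40, "days_off": 0,
     "gross": Decimal("400.00"), "net": Decimal("310.00"), "withholding": Decimal("80.00")},
    {"seq": 5, "code": "PAY", "employee_no": "", "hours": 40, "days_off": 0,
     "gross": Decimal("400.00"), "net": Decimal("320.00"), "withholding": Decimal("80.00")},
]


def validation_test(record):
    """Validation test: is this type of transaction appropriate for payroll processing?"""
    return record.get("code") in VALID_TRANSACTION_CODES


def sequence_test(batch):
    """Sequence test: return the sequence numbers missing between the first and
    last record (an empty list means the batch is complete and in order)."""
    seqs = [r["seq"] for r in batch]
    if seqs != sorted(seqs):
        raise ValueError("records are out of sequence")
    return sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))


def record_arithmetic_test(record):
    """Per record: net pay plus withholding must equal gross pay."""
    return record["net"] + record["withholding"] == record["gross"]


def arithmetic_accuracy_test(batch):
    """Whole payroll: sum of net pay plus sum of withholding must equal sum of gross pay."""
    def total(field):
        return sum((r[field] for r in batch), Decimal("0"))
    return total("net") + total("withholding") == total("gross")


def data_reasonableness_test(record):
    """Data reasonableness test: net pay must not exceed the pre-specified limit."""
    return record["net"] <= MAX_NET_PAY


def completeness_test(record):
    """Completeness test: every required field is present and filled in (0 is a valid value)."""
    return all(record.get(f) not in (None, "") for f in REQUIRED_FIELDS)


RECORD_TESTS = (
    ("validation", validation_test),
    ("arithmetic", record_arithmetic_test),
    ("reasonableness", data_reasonableness_test),
    ("completeness", completeness_test),
)


def run_processing_controls(batch):
    """Apply all tests. Records failing any test are listed for rejection by
    sequence number with the names of the tests they failed."""
    rejected = {}
    for record in batch:
        failed = [name for name, test in RECORD_TESTS if not test(record)]
        if failed:
            rejected[record["seq"]] = failed
    return {
        "missing_sequence_numbers": sequence_test(batch),
        "payroll_foots": arithmetic_accuracy_test(batch),
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(run_processing_controls(SAMPLE_BATCH))
```

Running it on the sample batch reports sequence number 3 as missing, the payroll as not footing, and records 2, 4 and 5 for rejection with the tests each failed. Note that the arithmetic test is applied both per record (to locate the error) and over the whole payroll (the check the notes describe).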
• Output controls- ensure that the results of computer processing are accurate, complete, and properly distributed.
• Typical output controls include the following:
• Balancing output totals with input and processing totals
• Reviews of the computer processing logs to determine that all of the
correct computer jobs were executed properly for processing
• Audits of output reports to make sure that totals, formats, and critical
details are correct and reconcilable with input
• Formal procedures and documentation specifying authorized recipients
of output reports, checks, or other critical documents
• Batch control totals can be established beforehand for transactions grouped
in batches. These totals can range from a simple document count to totals for
quantity fields such as total sales amount (for the batch). Computer programs
count the batch totals from transactions input. Batches that do not balance
are rejected. Online, real-time systems can also utilize batch controls by
creating control totals to reconcile with hard copy documents that feed input.
• Financial total- summary total of field amounts for all records in a batch that represents a meaningful total, such as dollars or quantities
• Hash total- summary total of codes from all records in a batch that do not
represent a meaningful total
• Record count- summary total of physical records in a batch.
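The three batch totals above, together with the output control of balancing output totals against input and processing totals, worked through on a constructed sales batch. This is an added example and not part of the original notes: the field names, customer numbers, amounts and the control document are all constructed for illustration.

```python
"""Batch control totals and output balancing for a constructed sales batch.

Added example, not from the original notes. It computes the three totals the
notes name (record count, financial total, hash total), balances a keyed batch
against control totals established beforehand, and after posting balances the
output totals against the input totals. Field names, customer numbers and
amounts are constructed for illustration.
"""
from decimal import Decimal

# Constructed: control totals a clerk prepared from three hard-copy sales
# documents before data entry.
CONTROL_DOCUMENT = {
    "record_count": 3,
    "financial_total": Decimal("505.75"),   # 120.50 + 75.00 + 310.25
    "hash_total": 1043 + 2871 + 3390,        # sum of customer numbers: meaningless as a quantity
}

# Constructed: the same documents as keyed. Customer number 2871 was transposed
# to 2817, which neither the record count nor the financial total can detect.
KEYED_BATCH = [
    {"customer_no": 1043, "amount": Decimal("120.50")},
    {"customer_no": 2817, "amount": Decimal("75.00")},
    {"customer_no": 3390, "amount": Decimal("310.25")},
]


def record_count(batch):
    """Record count: number of physical records in the batch."""
    return len(batch)


def financial_total(batch, field="amount"):
    """Financial total: sum of a meaningful quantity field (sale amounts)."""
    return sum((r[field] for r in batch), Decimal("0"))


def hash_total(batch, field="customer_no"):
    """Hash total: sum of identifier codes. The sum has no business meaning but
    changes whenever a code is mis-keyed, dropped or substituted."""
    return sum(int(r[field]) for r in batch)


def control_totals(batch):
    return {
        "record_count": record_count(batch),
        "financial_total": financial_total(batch),
        "hash_total": hash_total(batch),
    }


def balance(expected, actual):
    """Compare two sets of totals. Returns (balances, mismatches), where
    mismatches maps a total name to (expected, actual)."""
    mismatches = {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}
    return (not mismatches, mismatches)


def post_batch(batch, ledger):
    """Processing step: post each sale to a customer ledger (customer_no -> balance).
    Records for customers not on the ledger go to a suspense list instead of being
    posted. Output totals are computed from what was actually posted."""
    posted, suspense = [], []
    for r in batch:
        if r["customer_no"] in ledger:
            ledger[r["customer_no"]] += r["amount"]
            posted.append(r)
        else:
            suspense.append(r)
    return control_totals(posted), suspense


def process_batch(batch, control_document, ledger):
    """Input control: reject the batch unless it balances to the control document.
    Output control: after posting, balance the output totals to the input totals."""
    ok, mismatches = balance(control_document, control_totals(batch))
    if not ok:
        return {"accepted": False, "input_mismatches": mismatches,
                "output_balances": None, "output_mismatches": {}}
    output_totals, _suspense = post_batch(batch, ledger)
    out_ok, out_mismatches = balance(control_totals(batch), output_totals)
    return {"accepted": True, "input_mismatches": {},
            "output_balances": out_ok, "output_mismatches": out_mismatches}


if __name__ == "__main__":
    print(balance(CONTROL_DOCUMENT, control_totals(KEYED_BATCH)))
```

The keyed batch balances on record count and financial total but not on hash total, so it is rejected before processing. Once the customer number is corrected the batch is accepted, and the output totals from posting are balanced against the input totals; if processing drops a record (here, an unknown customer sent to suspense) the output control reports which totals no longer agree.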