
Module 2: Introduction to risks and internal controls in a computerised environment

Chapter 5: Auditing Fundamentals


STUDY MATERIAL

• Lecture slides
• Text Book: Auditing Fundamentals in a South African Context – Chapter 5
• Question Bank: Auditing Fundamentals in a South African Context: Graded Questions

STUDY MATERIAL

• This module will be divided into 3 parts, namely:
– Part A – Introduction
– Part B – General Controls
– Part C – Application Controls

Introduction
• Information and technology have become an integral part of modern business.
• Most business enterprises in the modern world use at least some elements of information technology.
• Irrespective of the nature of the system, the general risks, related internal controls and principles outlined in this chapter must be implemented by all companies that use IT.

Introduction……continued
• Homework: Google terms and technologies in this chapter that are unknown to you, e.g.:
– Networks (LAN vs. WAN)
– Hardware
– Software (system software vs. application software)
– Master files
– Transaction files
– Real-time systems vs. batch processing systems
– Data / Field / Record / File
– Database

Introduction……continued

System Software
• Is the program that gives the computer the instruction to perform tasks, e.g. Microsoft Windows 7 and Linux (these are called operating systems)

Application Software
• Is software that performs specific functions required by users, e.g. Pastel accounting, Microsoft Word, Outlook
• Accounting packages are an example of application software

Introduction…..continued

Master file
• Used to store permanent information or standing data such as customer’s full name, contact details and inventory descriptions
• Store information and cumulative totals

Transaction file
• Used to record transaction details of each individual transaction in both real-time and batch processing systems


How has technology evolved

• Mainframe, centralised computer department
• Personal computers on standalone basis
• Paper printing, extensive manual controls
• LAN and WAN connecting computers
• Many automated controls replaced manual controls
• Internet allowed on-line transacting
• Decentralization of computer processing
• Risks with standalone computers and network systems.

• Computers earlier on were not connected to each other.
• Documents were printed and controls implemented by users.
• Today the world is a global village where transactions occur in real-time all over the world

MANUAL AND/VS COMPUTERISED CONTROLS

MANUAL
• Focus on organizational controls
• Managerial involvement
Consist of:
• Review
• Segregation of duties
• Stationery and document control

COMPUTERISED
• User changes from preparer to user of output
• Enhance controls
• BUT lead to additional risks concerning the processing of information

Why and how do companies govern the computer information system

• In today’s advanced technology environment, IT is at the centre of any business activity and has an impact at both operational and strategic levels in business.
• Advantages / benefits of good IT governance:
– A company’s reputation is improved, and the trust of internal and external parties is enhanced.
– Strategically aligning IT with business goals and processes makes business operations more efficient and creates a competitive advantage.
– Non-IT executives gain a better understanding of IT and better decision-making processes are possible due to timely and quality information being available.
– A greater level of compliance with laws and regulations.
– Risk management procedures are maximised by implementing good IT controls.

Why and how do companies govern the computer information system?.....continued

• Risks due to poor IT governance:
– The company may encounter problems in running its operations, machines and production lines.
– There may be loss of confidentiality, e.g. imagine what will happen when the salary schedule of employees gets leaked.
– Systems become less available, less reliable and less effective.
– Unauthorised use of, access to and changes to IT systems may take place.

Why and how do companies govern the computer information system?.....continued

• Key elements of a computerised system of internal control (diagram):
– Control Environment
– Risk Assessment process
– Information System and Business Process: Initiate / execute, Record, Process, Report
– Manual Controls
– Computer Controls: Application Controls and General Controls

Impact of upgrading a manual system to an electronic system

• Effect on business’s risk profile
• Additional risks arise
• Three principles in identifying IT risks:
– Complexities that are non-existent in manual system
– Effect on management objectives
– Respond to risks to achieve control objectives.
• Potential severe consequences for company where IT risks not properly addressed

Impact of upgrading a manual system to an electronic system…continued

Benefits and risks in computerised systems

Benefits
– Computers apply predefined business rules and perform complex calculations
– Consistency of processing: improves the availability and accuracy of information
– Facilitate extensive analysis of large data volumes
– Monitoring of activities
– Less control circumvention
– Segregation of duties

Risks
– Unwarranted reliance
– Unauthorised data access
– Unauthorised data changes
– Unintentional amendments
– Failure to make changes
– Input, processing errors
– Manual override
– Data loss: process, transmit
– Duplicate, incomplete data
– Overreliance
– Potential loss of data during processing

Advantages of a computerised accounting system…..continued

General characteristics of a computer system

• Increased risk in relation to:
– Multiple locations, data concentration, segregation of duties, documentation trail, transaction initiation.
• Reduced risk in relation to:
– Consistency of processing, user involvement (where minimised), processing power (large volumes), assist in decision making.
– Improves management monitoring and supervision

General characteristics of a computer system…….CONTINUED

Increased risk of errors, omissions and fraud
• User can access data / programs from multiple locations / remotely.
• Data and functions in an IT system are concentrated, which could result in a breakdown in segregation of duties.
• Lack of a clear documentation trail (e.g. very few hard-copy input and output documents).
• Ability to initiate and process transactions automatically.

Reduced risk of errors, omissions and fraud
• Transactions are processed in a uniform manner, updating multiple files and programs consistently. Minimal opportunity for user manipulation.
• Can analyse and present large volumes of information.
• Assist in decision making.
• Improve management monitoring and supervision.

Components of a computerised accounting system

How does a computerised accounting system operate

[Flow diagram: Initiate, Record, Process, Report]
• Initiate: Transaction [source document]; capture data on manual source document
• Record: Input source document into system; document can be input manually or using a barcode scanner
• Process: Process transaction; accounting records: journals, general ledger, trial balance etc.; master file amendment and storage
• Report: Output; financial statements; viewed on-screen or printed and distributed

Flow of transactions in a computerised system

[Flow diagram: Input, Processing, Output]
• Input: Input controls ensure integrity of data: manual/computerised.
• Processing (checks, comparisons, calculations etc.): Processing controls: computerised.
• Output: Stored in master files (standing data / totals) and transaction files (underlying transactions). Storage devices. Print: manual output.

CONTROLS IN AN INFORMATION TECHNOLOGY ENVIRONMENT
Classification of computer controls

General Controls
• Defined as policies and procedures that relate to many applications and that support the effective functioning of application controls by helping to ensure the continued proper operation of information systems
• General IT controls include controls over:
– Data centre and network operations.
– System software acquisition, changes and maintenance.
– Application system acquisition, development and maintenance.
– Access security

Application controls
• Defined as manual or automated procedures that typically operate at a business process or application level.
• Application controls are designed to ensure the integrity of the accounting records (i.e. they relate to procedures that are used to initiate, record, process and report transactions and other financial data).
• Application controls relate to specific transactions within an application and business cycle
• NB: Some controls are dual purpose, e.g. access control (is both a general and application control)

Classification of computer controls………continued

General controls
• System development & implementation controls
• Systems maintenance controls
• Organisational and management controls
• Access controls
• Computer operating controls
• System software controls
• Business

Application controls
• Transaction data
• Objective: validity, completeness, accuracy
• Input
• Processing
• Master file (standing data)
• Output
• User controls
• Programmed controls

Classification of computer controls………continued

Preventative Controls
• Prevent either the user or the system from making errors or committing fraud (i.e. before they happen)
• Examples: passwords, drop-down menus and validation tests

Detective and Corrective Controls
• Detect errors and fraud after a transaction has been processed, report the misstatement and take corrective action.
• Examples: management review of audit trails, transaction logs or pop-up errors.

INTRODUCTION TO GENERAL CONTROLS

• Umbrella controls under which each application will operate
• Apply to mainframes, micro frame and end-user environments
• Objective of GC
– Encompass the framework of overall controls over IT activities, providing a reasonable level of assurance that the overall objective of internal controls is achieved.
