Internal Controls in a Computerized Information System
To mitigate the risks occasioned by the features of a computerized information system, management should design internal controls over the system. These controls are mainly classified into general controls and application controls.
1. General Controls of a Computerized Information System
These relate to the environment within which computer-based systems are developed, maintained and operated, and are aimed at providing reasonable assurance that the overall objectives of internal control are achieved, e.g. completeness, accuracy and validity of financial information.
The objective of general controls is to ensure the proper development and implementation of applications and the integrity of program files and information. These controls may be either manual or programmed and are classified into:
- System development controls.
- Access controls.
- Computer operations and other controls.
a. System development controls.
These relate to controls that must be exercised by the client when developing new systems or modifying existing systems. The controls that can be exercised during systems development can be discussed under the following groupings.
Appropriate review, testing and approval of new systems.
The organization should set up a steering committee composed of senior management and high-level representatives of system users, who should oversee the development and implementation of the new system.
Management should approve the specifications of the new system after the steering committee has assessed the user needs. Before the new system is commissioned for use, appropriate testing should be carried out to ensure that both the hardware and the application programs are operating effectively. The testing provides assurance that the new system is reliable.
The information technology manager, the user department and the appropriate level of management should approve the new system before it is placed into operation, after reviewing the completeness of the system documentation and the results of its testing.
Controls over program changes.
Program changes refer to modifications made to existing programs. Changes to the computer system should be subject to strict controls, e.g. a written request for an application program change should be made by the user department and authorized by a designated manager or committee. Once changes have been made, appropriate testing should be carried out to ensure that the modified system is reliable.
The system documentation should then be amended to reflect the changes and appropriate approval obtained for the modified system to start running.
User training should also be carried out as appropriate.
System documentation.
This involves putting together the information that supports and explains computer applications. The documentation provides details of the capability of the system and how it is operated.
System documentation is important in conducting user training and also enables the management to effectively review the system by considering whether appropriate controls have been put in place during system development.
Parallel running.
Before switching to the new system, the whole system should be tested by running it alongside the old system for a specified period. This is important because it gives users the opportunity to familiarize themselves with the new system before it is fully implemented, and it ensures that the new system is reliable and that data is correctly carried forward from the old system to the new one.
b. Access controls.
The success of a computerized information system is largely dependent on the accuracy, validity and credibility of the data processed by the system. Access control over computer hardware, software and data files is therefore vital.
Access controls provide assurance that only authorized individuals use the system and that the usage is for authorized purposes only.
Access may be restricted to specified persons, files, functions or computer devices. This can be achieved using both physical and programmed controls. Examples of access controls include:
- Physical restriction of access to computer facilities to specified persons only, e.g. file servers should be kept in a secure location to which access is granted only to specified persons.
- Controls over computers located in user departments could be improved by making sure that vital data or programs are not left running when a computer is left unattended.
- Passwords should be used by all staff when accessing computer facilities.
- Passwords should be changed regularly, and access to password data held in the computer system should be subject to stringent controls. This ensures that users cannot gain access to other people's passwords.
- In granting user rights within the system, there should be appropriate segregation of duties to ensure that the rights granted are not excessive, e.g. a user should not have the right both to post data and to make amendments to the same data.
- When designing user rights, sensitive data and programs should be accessible only to a few individuals. In other cases, some files should be designated 'read only' to prevent unauthorized amendments.
- Programs and data that do not need to be online should be stored in secure locations.
- A system access log recording all attempts to log in to the system should be maintained. This would record the name of the user, the data accessed or entered, the time of log in and the mode of access.
- When data is transmitted over communication lines, it should be encrypted to make it difficult for persons with access to the communication lines to modify its contents.
- There should be automatic log-off, i.e. the disconnection of an active data terminal that is left unattended, to prevent viewing of sensitive data on unattended terminals.
c. Computer operations and other controls.
The organization should have a reconstruction or disaster recovery plan that will allow it to regenerate important programs and data files in case of disasters or accidental destruction.
The recovery plan should provide for backup or duplicate copies of important data files and programs, which should be stored off site.
The recovery plan should also be tested on a regular basis to ensure that it indeed works. Other issues that should be addressed include:
- Undertaking protection measures against natural disasters, such as setting up computer rooms in areas protected from floods and fitted with smoke or fire detectors.
- There should be standby equipment to revert to in case of computer breakdown.
- There should be adequate virus detection. Procedures for dealing with virus infection include establishing a formal security policy which requires that only clean and certified copies of software are installed, checking data introduced from external sources for viruses, and installing antivirus software.
- Clean backups should be maintained, and there should be adequate segregation of duties such that people with the powers and knowledge to make amendments to the application programs do not also have responsibility for initiating and processing transactions or for making amendments to existing data.
2. Application Controls
The objective of application controls, which may be manual or programmed, is to ensure the completeness and accuracy of accounting records and the validity of the transactions processed.
Application controls are therefore important in providing assurance that all transactions are recorded on a timely basis and that only valid transactions are captured by the system. Application controls are divided into:
- Input controls.
- Processing controls.
- Output controls.
- Controls over master files and standing data.
However, some of the controls management implements cut across the four categories mentioned above, e.g. some edit checks provide comfort over the completeness and accuracy of the input data, over the way the data is processed and the output information obtained, and also provide protection over standing data.
Input controls.
Most errors in data processed by computerized information systems can be traced to errors made when the data was being input into the system. Controls over input fulfil the following objectives:
- Completeness of input. This ensures that all transactions that took place have been processed.
- Accuracy. This ensures that the recorded transactions have been captured accurately.
- Validity. This ensures that only valid or genuine transactions, appropriately authorized, have been recorded. It also ensures the credibility and reliability of recorded transactions.
To achieve the above objectives, the most common types of input controls that management can implement are called edit controls. Examples include:
- Field checks. These check that all the data fields required to process the transaction have been filled with correct information. They also ensure the accuracy and completeness of processed data, because transactions cannot be properly processed if necessary data is missing.
- Valid character checks. These check that data fields are filled with data of the correct type, e.g. that the amount column is filled with numeric values. This also ensures the correctness of input data.
- Reasonableness or limit checks. These verify that data falls within predetermined reasonable limits, e.g. if the authorized discount is 10%, the system verifies that no customer is awarded a discount beyond this limit without approved authorization. These controls ensure the accuracy and validity of input data.
- Master file checks. These verify that the codes used in processing transactions match those on the master files, e.g. that the customer identification code keyed in matches what is on the sales master file. These controls ensure that data is processed against the correct master file.
- Document count. This agrees the number of input records to what is expected per the batch control. This control ensures that all transactions are processed.
- Sign checks. These ensure that data has been keyed in with the correct arithmetic sign, e.g. a positive sign for a debit entry and a negative sign for a credit entry. The objective is to check the validity and accuracy of processed data.
- Zero balance checks. These verify that for every transaction processed, debit entries equal credit entries, and any mismatches found are reported through an exception report. This control ensures the accuracy of input data.
Other input controls include:
- Generation of exception reports to capture transactions that have been rejected for failing the various control checks.
- Measures to ensure that the reasons behind rejected transactions are investigated and corrective action taken.
- Manual controls where needed, for instance a check to confirm that all purchase orders have been appropriately authorized before a transaction is submitted for processing.
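As an added illustration (not code from these notes), the edit controls above applied in Python to a constructed batch of journal lines, with rejected documents reported through an exception report; the customer master file, the 10% discount limit and the batch contents are constructed sample data.

```python
from collections import defaultdict

CUSTOMER_MASTER = {"C001": "Acme Ltd", "C002": "Beta Stores"}  # constructed sales master file
MAX_DISCOUNT = 0.10  # authorized discount rate used by the limit check
REQUIRED = ("doc_no", "customer", "account", "amount", "sign")

def edit_check(line):
    """Apply the edit controls to one journal line and return the reasons it fails (empty if clean)."""
    # Field check: every field needed to process the transaction must be filled.
    missing = [f for f in REQUIRED if not str(line.get(f, "")).strip()]
    if missing:
        return [f"field check: missing {','.join(missing)}"]
    errors = []
    # Valid character check: the amount column must hold a numeric value.
    try:
        float(line["amount"])
    except ValueError:
        errors.append("valid character check: amount not numeric")
    # Sign check: debit entries carry a positive sign, credit entries a negative sign.
    if line["sign"] not in ("+", "-"):
        errors.append("sign check: sign must be + (debit) or - (credit)")
    # Master file check: the customer code keyed in must exist on the sales master file.
    if line["customer"] not in CUSTOMER_MASTER:
        errors.append("master file check: unknown customer code")
    # Limit check: a discount above the authorized rate needs approval.
    if float(line.get("discount") or 0) > MAX_DISCOUNT and not line.get("approved"):
        errors.append("limit check: discount above authorized rate")
    return errors

def process_batch(lines, batch_control_count):
    """Run edit checks, per-document zero balance check and document count; return (accepted docs, exceptions)."""
    accepted, exceptions = [], []
    # Document count: input records received must agree to the batch control total.
    if len(lines) != batch_control_count:
        exceptions.append(("BATCH", f"document count: {len(lines)} received, {batch_control_count} expected"))
    by_doc = defaultdict(list)
    for line in lines: by_doc[line.get("doc_no", "?")].append(line)
    for doc, doc_lines in by_doc.items():
        reasons = [r for l in doc_lines for r in edit_check(l)]
        if not reasons:
            # Zero balance check: signed amounts of one document must net to zero (double entry complete).
            net = sum(float(l["amount"]) * (1 if l["sign"] == "+" else -1) for l in doc_lines)
            if abs(net) > 0.005:
                reasons.append(f"zero balance check: debits and credits differ by {net:.2f}")
        if reasons:
            exceptions.extend((doc, r) for r in reasons)  # rows of the exception report
        else:
            accepted.append(doc)
    return accepted, exceptions

# Constructed input batch: J1 is clean, J2 has an unknown customer, J3 does not balance, J4 is over-discounted.
SAMPLE_BATCH = [
    {"doc_no": "J1", "customer": "C001", "account": "DEBTORS", "amount": "500", "sign": "+"},
    {"doc_no": "J1", "customer": "C001", "account": "SALES", "amount": "500", "sign": "-"},
    {"doc_no": "J2", "customer": "C999", "account": "DEBTORS", "amount": "80", "sign": "+"},
    {"doc_no": "J2", "customer": "C999", "account": "SALES", "amount": "80", "sign": "-"},
    {"doc_no": "J3", "customer": "C002", "account": "DEBTORS", "amount": "120", "sign": "+"},
    {"doc_no": "J3", "customer": "C002", "account": "SALES", "amount": "100", "sign": "-"},
    {"doc_no": "J4", "customer": "C002", "account": "DEBTORS", "amount": "90", "sign": "+", "discount": "0.25"},
    {"doc_no": "J4", "customer": "C002", "account": "SALES", "amount": "90", "sign": "-", "discount": "0.25"},
]
```

Running `process_batch(SAMPLE_BATCH, 8)` accepts only J1 and lists the other three documents, each with the check it failed, which is the exception report an independent reviewer would follow up.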
Processing controls.
These controls seek to ensure that transactions are processed by the right programs and against the correct master files. They also seek to ensure that data is not lost, duplicated or altered during processing and that errors are identified and corrected.
Some of the input controls could help in meeting the above objectives of processing controls.
In addition to those, processing controls include:
- Physical file identification procedures. These take the form of labels physically attached to files or diskettes to ensure that the right files are used during the processing of transactions.
- Sequence tests over pre-numbered documents. These ensure that all transactions are being processed.
- Comparing the contents of files before and after processing a transaction to ensure that the expected processing results have been achieved.
- Zero balance checks that add up the debits and credits of the transactions posted to ensure that the result is zero, as an indication that double entry has been completed.
- An audit trail should be created through the use of input and output control logs and the maintenance of transaction listings. This trail facilitates tracing a transaction as a way of verifying that it has been correctly processed.
Output controls.
These are necessary to ensure that:
- Expected reports are received from the input data processed.
- Results of processing are accurate.
- Output is distributed to the appropriate users promptly.
Controls over output include:
- Matching and agreeing output information to the input data, e.g. for a journal processed to create an additional provision for bad and doubtful debts, one may compare the balance appearing in the ledger after the transaction is processed with the journal, as a way of verifying that the output matches the input.
- Noting the distribution of all output information to verify that this information is accessible to, and distributed to, the list of authorized users only.
- Error listings or exception reports should be generated on a daily basis and reviewed by an independent person to ensure that the transactions summarized in these reports are investigated and, where appropriate, resubmitted for processing.
Controls over master files and standing data.
Standing data refers to data that is required during the processing of transactions but which does not vary or change with every transaction, e.g. customer details such as name and address do not change with every transaction, although they are required in processing every transaction with the customer.
Controls over master files and standing data are aimed at ensuring the completeness, accuracy and credibility of the information maintained. These controls include:
- Restricting access to standing data and ensuring that only a few individuals have the user rights within the system to make adjustments to it.
- Before any changes are made to the standing data, appropriate authorization should be obtained, e.g. before any changes are made to selling prices in the master file, appropriate authorization should be obtained from the responsible officials.
- Once amendments have been made to standing data, a print-out should be obtained from the system so that an independent person can verify that the correct amendments have been made.
- Where necessary, the organization should print out all the standing data and an independent check should be carried out to verify that this data is accurate and complete.
- An exception report should be generated on a regular basis providing details of any unauthorized amendments made to standing data.
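The last three controls above, as an added Python illustration that is not part of these notes: a log of amendments actually applied to standing data is matched against an authorization register, and every amendment without a valid, unused and matching authorization is printed on an exception report for independent review. The register, the log, the change references and the user names are constructed sample data.

```python
# Constructed authorization register: change ref -> (master file, record key, field, authorized new value)
AUTHORIZED = {
    "CR-101": ("prices", "P-200", "selling_price", 1250.0),
    "CR-102": ("customers", "C001", "address", "12 Moi Ave"),
}
# Constructed system log of amendments actually applied: (file, key, field, old, new, user, change ref)
AMENDMENT_LOG = [
    ("prices", "P-200", "selling_price", 1400.0, 1250.0, "jmuthoni", "CR-101"),        # properly authorized
    ("customers", "C001", "address", "4 Kenyatta Rd", "12 Moi Ave", "jmuthoni", "CR-102"),
    ("prices", "P-310", "selling_price", 900.0, 450.0, "pkariuki", ""),                # no authorization at all
    ("prices", "P-200", "selling_price", 1250.0, 999.0, "pkariuki", "CR-101"),         # re-uses a consumed ref
]

def unauthorized_amendments(log, register):
    """Match each applied amendment to the authorization register; return exception rows for the rest."""
    used, exceptions = set(), []
    for file_, key, field, old, new, user, ref in log:
        auth = register.get(ref)
        if auth is None:
            reason = "no valid authorization reference"
        elif ref in used:
            reason = f"reference {ref} already applied to an earlier amendment"
        elif auth[:3] != (file_, key, field):
            reason = f"reference {ref} authorizes a different record or field"
        elif auth[3] != new:
            reason = f"value applied {new!r} differs from authorized {auth[3]!r}"
        else:
            used.add(ref)  # authorized and correctly applied: no exception, but the ref is now consumed
            continue
        exceptions.append({"file": file_, "key": key, "field": field, "old": old,
                           "new": new, "user": user, "ref": ref, "reason": reason})
    return exceptions

def print_out_for_review(exceptions):
    """Render the exception report as lines an independent reviewer can tick off."""
    return [f"{e['file']}/{e['key']}.{e['field']}: {e['old']!r} -> {e['new']!r} by {e['user']} [{e['reason']}]"
            for e in exceptions]
```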
Testing the Internal Controls in a Computerized Environment
The auditor tests the internal controls when he wishes to place reliance on them to determine whether the accounting records are reliable.
A computerized information system differs from a manual system in having both manual and programmed controls. The manual controls are tested in exactly the same way as in a manual system. The programmed controls are tested in the following ways:
- By examination of exception reports and rejection reports. However, this gives no assurance that the items on the exception reports were the only exceptions or that they actually met the parameters set by management. The auditor must therefore seek ways to test the performance of the programs themselves.
- Use of CAATs (computer assisted audit techniques). Test data is the technique mainly applied in testing computerized information systems.
Substantive tests in a computerized environment
Substantive testing of computer records is possible and necessary. The extent depends on the degree of reliance the auditor has placed on the internal controls. Substantive testing includes two basic approaches, both of which would be used.
Manual testing techniques.
- Review of exception reports. The auditor attempts to confirm these with other data, e.g. comparison of an outstanding dispatch note listing with the actual dispatch notes.
- Totaling. Relevant totals, for example for debtors and creditors, can be manually verified.
- Re-performance. The auditor may re-perform a sample of computer-generated calculations, e.g. for depreciation and interest expense.
- Reconciliations. These include reconciliations of computer listings with creditors' statements, bank statements, actual stock and personnel records.
- Comparison with other evidence such as the results of debtors' circularization, attendance at stock take and physical inspection of fixed assets.
Computer audit programs, sometimes called generalized audit software.
These programs are also called inquiry or interrogation programs. Computer audit programs are computer programs used by the auditor to:
- Read magnetic files and extract specified information from the files.
- Carry out audit work on the contents of the files.
Uses of Computer Audit Programs.
- Selection of representative or randomly chosen transactions or items for audit tests.
- Scrutiny of files and selection of exceptional items for testing, e.g. wage payments over Shs.1,000 or all stock items worth more than Shs.100,000 in total.
- Comparison of two files and printing out the differences, e.g. payrolls at two selected dates.
- Preparing exception reports, e.g. overdue debts.
- Stratification of data such as stock items or debtors with a view to examining only the material items.
- Carrying out detailed tests and calculations.
- Verifying data such as stock or fixed assets at the interim stage and then comparing the examined file with the year-end file, so that only changed items need to be examined at the final audit.
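The routines below are an added illustration, not code from these notes or from any audit software product: a small Python version of the uses listed above (selecting exceptional items above a limit, comparing two files such as payrolls at two dates or an interim file against the year-end file, stratifying debtors, and drawing a reproducible random sample), run over constructed payroll and debtors data.

```python
import random

# Constructed payroll files at two dates: employee no. -> (name, gross pay in Shs.)
PAYROLL_MARCH = {"E01": ("A. Otieno", 950), "E02": ("B. Wanjiru", 1800), "E03": ("C. Kamau", 640)}
PAYROLL_APRIL = {"E01": ("A. Otieno", 950), "E02": ("B. Wanjiru", 2300), "E04": ("D. Achieng", 1100)}
# Constructed debtors ledger balances in Shs.
DEBTORS = {"C001": 45000, "C002": 250000, "C003": 8000, "C004": 120000}

def exceptional_items(payroll, limit):
    """Scrutinise a file and select the exceptional items, e.g. wage payments over a stated limit."""
    return sorted(emp for emp, (_, pay) in payroll.items() if pay > limit)

def compare_files(old, new):
    """Compare two files (payrolls at two dates, or an interim file against the year-end file)
    and report the differences, so that only the changed records need further examination."""
    common = set(old) & set(new)
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": sorted(k for k in common if old[k] != new[k])}

def stratify(balances, bands):
    """Stratify balances into bands given as ascending upper limits; the final band is open-ended,
    so the auditor can direct detailed testing at the material stratum."""
    strata = {f"<= {b}": [] for b in bands}
    strata[f"> {bands[-1]}"] = []
    for key, amount in balances.items():
        for b in bands:
            if amount <= b:
                strata[f"<= {b}"].append(key)
                break
        else:
            strata[f"> {bands[-1]}"].append(key)
    return strata

def sample_for_testing(keys, n, seed):
    """Select a reproducible random sample of items for audit tests; the seed is recorded in the working papers."""
    return sorted(random.Random(seed).sample(sorted(keys), n))
```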
The Control file
When auditing computerized information systems, it will be found that much reliance is placed within the system upon standard forms and documentation in general, as well as upon strict adherence to the procedures laid down. This is no surprise, of course, since the ultimate constraining factor in the system is the computer's own capability, and all users are competitors for its time. It is therefore important that an audit control file be built up as part of the working papers, and the auditor must ensure that he is on the distribution list for notifications of all new procedures, documents and system changes in general.
The following should be included in the control file:
- Copies of all the forms which source documents might take and details of the checks that have been carried out to ensure their accuracy.
- Details of the physical controls over source documents, as well as of the nature of any control totals of numbers, quantities or values, including the names of the persons keeping these controls.
- A full description of how the source documents are to be converted into input media and of the checking and control procedures.
- A detailed account of the clerical, procedural and systems development controls contained in the system, e.g. separation of programmers from operators and separation of control over assets from the records relating to those assets.
- The arrangements for retaining source documents and input media for suitable periods. This is of great importance as they may be required for reconstructing stored files in the event of error or mishap.
- A detailed flow diagram of what takes place during each routine processing run.
- Details of all tapes and discs in use, including their layout, labeling, storage and retention arrangements.
- Copies of all the forms which output documents might take and details of their sorting and checking.
SUMMARY
- Internal controls over computer processing include both manual procedures and procedures built into the computer programs.
- The use of computers does not affect the auditor's primary responsibility of reporting on the accounts, but the way in which the auditor carries out his substantive and compliance procedures to arrive at his opinion will be considerably different.
- The objectives of application controls, which may be manual or programmed, are to ensure the completeness and accuracy of the accounting records and the validity of the entries made therein resulting from both manual and programmed processing.
- There are basically two techniques available to the auditor for auditing through the computer: the use of test data and the use of computer audit programs.
- Substantive testing of computer records is possible and necessary. The extent depends