
INTERNAL CONTROL IN CIS ENVIRONMENT

A. AUDITOR’S RESPONSIBILITIES WITH RESPECT TO INTERNAL CONTROL OVER CIS
AUDITING IN A CIS ENVIRONMENT
This part outlines the following:
How the CIS environment affects auditing
Auditor’s skill and competency
Risk assessment
Audit planning
Audit procedures

AUDIT APPROACH
Auditing usually takes place after the risk analysis or evaluation and the implementation of
internal controls.
The purpose is to ensure that all risks are adequately addressed and that shortcomings and weaknesses
are duly reported on a continuous basis.
 Identify and understand the environment.
 What are the risks and controls in such an environment?
 What are the specific application controls in such an environment?
 Review such risks and controls and plan an audit.
AUDITING IN CIS ENVIRONMENT

The auditor needs to consider how the CIS environment affects the audit. The overall audit objective and
scope do not change, but the use of CIS has changed the processing, storage and communication of
financial information and may also affect the internal control of an entity.

CIS may affect the audit process in the following areas:

 Skill and competence
 Planning
 Risk assessment, i.e. assessment of inherent risk and control risk
 Audit procedures
Procedures for obtaining an understanding of accounting and internal control, i.e. auditing around the computer.
Performing tests of control and substantive tests, i.e. auditing through the computer.

AUDIT SKILL & COMPETENCY


Skill and Competence - The auditor should have sufficient knowledge of CIS to plan, direct, supervise
and review the work performed. The auditor needs to:
 Obtain a sufficient understanding of the accounting and internal control affected by the
CIS environment
 Determine the effect of CIS on the procedures used to assess audit risk
 Be able to design and perform appropriate tests of control and substantive tests
 If required, seek the assistance of an expert.

In addition, according to The IIA’s International Standards for the Professional Practice of
Internal Auditing (Standards), specifically Standards 1220 and 1210.A3, internal auditors need to
apply the care and skill of a reasonably prudent and competent auditor, as well as have the necessary
knowledge of key IT risks, controls, and audit techniques to perform their assigned work, although not
all internal auditors are expected to have the expertise of an auditor whose primary responsibility is IT.

Design of Controls

Another valuable service internal auditors can provide during a new system implementation or
significant upgrade is an extension of the independent risk assessment.
More specifically, auditors can assist management with the design of controls to mitigate the risks
identified during the risk assessment. The internal auditors assigned to this activity should be a part of
the implementation team, not an adjunct.
Therefore, the tasks, time, and number of internal audit resources required for the design of
application controls need to be built into the overall project plan.

Controls Testing

If the implementation team has designed and deployed controls based on the risk assessment, or
without the benefit of one, internal auditors can provide value by independently testing the application
controls.
This test should determine if the controls are designed adequately and will operate effectively once
the application is deployed. If any of the controls are designed inadequately or do not operate
effectively, auditors should present this information along with any recommendations to management
to prevent the presence of unmanaged risks when the application is fully deployed.

Application Reviews

Transactional and support applications require control reviews from time to time based on their
significance to the overall control environment. The frequency, scope, and depth of these reviews
should vary based on the application’s type and impact on financial reporting, regulatory compliance,
or operational requirements, and the organization’s reliance on the controls within the application for
risk management purposes.

AUDIT RISK ASSESSMENT

Assess Risk
The auditor should use risk assessment techniques to identify critical vulnerabilities pertaining
to the organization’s reporting, and operational and compliance requirements when developing the risk
assessment review plan.
These techniques include:
• The review’s nature, timing, and extent.
• The critical business functions supported by application controls.
• The extent of time and resources to be expended on the review.
In addition, auditors should ask four key questions when determining the review’s appropriate scope:
1. What are the biggest organization-wide risks and main audit committee concerns that
need to be assessed and managed while taking management views into account?
2. Which business processes are impacted by these risks?
3. Which systems are used to perform these processes?
4. Where are the processes performed?
When identifying risks, auditors may find it useful to employ a top-down risk assessment to
determine which applications to include as part of the control review and what tests need to be
performed.

Risk Assessment
The nature of the risks in a CIS environment includes:
 Lack of transaction trail. The audit trail may be available only for a short period, or may not be
in computer-readable form. If transactions are complex and high in volume, errors may be
embedded in the application’s program logic and be difficult to detect on a timely basis.
 Lack of segregation of duties. Many control procedures that are performed by separate individuals
in manual systems may not be in CIS.
 Potential for errors and irregularities. The potential for human error, and the inability to detect
such errors, may be greater in CIS. The potential for unauthorised access to data without visible
evidence may also be greater in CIS than in a manual system. Furthermore, decreased human
involvement in handling transactions in CIS can reduce “check and balance” activities, so that
errors go undetected.
 Initiation or execution of transactions. CIS may have the capability to execute transactions
automatically, for example the calculation of depreciation. Authorization for such transactions is
not available.
 Lack of visible output. Certain transactions or results may not be printed. The lack of visible
output may therefore mean that the auditor needs to access data retained in files readable only by computer.
 Ease of access to data and computer programs. Data and computer programs can be accessed
and altered at the computer or from a remote location. The auditor should therefore review the
appropriate control measures to prevent unauthorised access to and alteration of the data.

What can go wrong?

Availability, security, integrity, confidentiality, effectiveness and efficiency
Types of risks
 Pervasive: impact the enterprise as a whole
 Specific risks
Consider three dimensions
 Each company will have a unique risk profile
 IT-related risk is not static, but changes dynamically
 Proliferation: when evaluating IT-related risk, keep in mind its additive nature
Consider impact and likelihood
Traditional risk assessment processes may not be suitable for IT risk assessment

An IT risk assessment process should:

 Be performed in depth every year, not just as an update of the prior year.
 Consider all the layers of the IT environment.
 Consider both static and dynamic risks.
 Not be based strictly on interviews, but use other discovery techniques.
 Be supplemented with the appropriate level of analysis after discovery.
 Be performed by the appropriate personnel.

AUDIT PLANNING

After completing the risk evaluation and determining the scope of the review, auditors need to
focus on the development and communication of the detailed review plan. The first step in developing
the detailed review plan is to create a planning memorandum that lists the following application control
review components:
• All review procedures to be performed.
• Any computer-assisted tools, techniques used & how they are used.
• Sample sizes, if applicable.
• Review items to be selected.
• Timing of the review.
When preparing the memorandum, all of the required internal audit resources need to be included on
the planning team. This is also the time when IT specialists need to be identified and included as part
of the planning process.
After completing the planning memorandum, the auditor needs to prepare a detailed review
program. When preparing the review program, a meeting should be held with management to discuss:
• Management’s concerns regarding risks.
• Previously reported issues.
• Internal auditing’s risk and control assessment.
• A summary of the review’s methodology.
• The review’s scope.
• How concerns will be communicated.
Planning
In planning, the auditor should obtain an understanding of the significance and complexity of CIS
activities and the availability of data for use in the audit. This understanding includes:

1. The volume of transactions, which may make it difficult for users to identify and correct
errors.
2. Transactions that the computer automatically generates directly from or to another application.
Example: inventory information generated automatically from the production department.
3. Complicated computations of financial information performed by the computer.
4. Transactions exchanged electronically with other organizations.
5. Changes in the organization structure of the entity. For example, the IT department may be part of the
structure and responsible for controlling the application of CIS as a whole.
6. The availability of data, such as source documents, computer data files and other evidential matter,
that may be required by the auditor.

The assessment of risk.

The auditor should obtain an understanding of how the CIS environment may influence the
assessment of inherent and control risk.
The potential for use of CAATs.
The ease of processing large quantities of data using computers may provide the
auditor with the opportunity to apply general or specialized CAATs in the execution of audit tests.

AUDIT PROCEDURES

Business Process Method

In the previous chapter, the business process method was identified as being the most widely
used for application control review scoping. In today’s world, many transactional applications are
integrated into an ERP system. Because business transactions that flow through these ERP systems can
touch several modules along their life cycle, the best way to perform the review is to use a business
process or cycle approach (i.e., identifying the transactions that either create, change, or delete data
within a business process and, at a minimum, testing the associated input, processing, and output
application controls).

Documentation Techniques

In addition to the documentation standards used by internal auditors, the following are
suggested approaches for documenting each application control.

Flowcharts

Flowcharts are one of the most effective techniques used to capture the flow of transactions,
associated application and manual controls used within an end-to-end business process, because they
illustrate transaction flows.

Process Narratives

Process narratives are another technique available to document business process transaction
flows with their associated applications & best used as a documentation tool for relatively non-
complex business processes and IT environments.

Audit procedures

The auditor’s specific objectives do not change whether the accounting data is processed manually
or by computer. However, the method of applying audit procedures to gather evidence may differ.
The auditor may perform audit procedures manually, use CAATs, or use a combination of both.
Auditing around the computer
The auditor does not examine the computer processing but performs procedures to obtain an
understanding of accounting and internal control:
 Emphasis on ensuring the completeness, accuracy and validity of information by comparing the
output reports with the input documents
 Ensuring the effectiveness of input controls and output controls
 Ensuring the adequacy of segregation of duties

Auditing through the computer

 The auditor performs tests of control and substantive tests. For example, “test data” enables the
auditor to examine the computer processing and internal control of the client’s CIS.
 The auditor may use CAATs in these procedures. CAATs help the auditor in organizing, analyzing
and extracting computerized data and in re-performing computations and other processing.

B. CLASSIFICATION OF INTERNAL CONTROL PROCEDURES IN A CIS ENVIRONMENT

Internal controls are measures taken to detect and prevent losses due to fraud or negligence, and there
are several well-established procedures.

Internal controls are policies and procedures put in place to ensure the continued reliability of
accounting systems. Accuracy and reliability are paramount in the accounting world. Without accurate
accounting records, managers cannot make fully informed financial decisions, and financial reports can
contain errors. Internal control procedures in accounting can be broken into seven categories, each
designed to prevent fraud and identify errors before they become problems.

INTERNAL CONTROL PROCEDURES

A. Separation of Duties

Separation of duties involves splitting responsibility for bookkeeping, deposits, reporting and
auditing. The further duties are separated, the less chance any single employee has of committing
fraudulent acts. For small businesses with only a few accounting employees, sharing responsibilities
between two or more people or requiring critical tasks to be reviewed by co-workers can serve the same
purpose.

B. Access Controls

Controlling access to different parts of an accounting system via passwords, lockouts and
electronic access logs can keep unauthorized users out of the system while providing a way to audit the
usage of the system to identify the source of errors or discrepancies. Robust access tracking can also serve
to deter attempts at fraudulent access in the first place.

C. Physical Audits

Physical audits include hand-counting cash and any physical assets tracked in the accounting
system, such as inventory, materials and tools. Physical counting can reveal well-hidden discrepancies in
account balances by bypassing electronic records altogether. Counting cash in sales outlets can be done
daily or even several times per day. Larger projects, such as hand counting inventory, should be
performed less frequently, perhaps on an annual or quarterly basis.

D. Standardized Documentation

Standardizing documents used for financial transactions, such as invoices, internal materials
requests, inventory receipts and travel expense reports, can help to maintain consistency in record keeping
over time. Using standard document formats can make it easier to review past records when searching for
the source of a discrepancy in the system. A lack of standardization can cause items to be overlooked or
misinterpreted in such a review.
E. Trial Balances

Using a double-entry accounting system adds reliability by ensuring that the books are always
balanced. Even so, it is still possible for errors to bring a double-entry system out of balance at any given
time. Calculating daily or weekly trial balances can provide regular insight into the state of the system,
allowing you to discover and investigate discrepancies as early as possible.

F. Periodic Reconciliations

Occasional accounting reconciliations can ensure that balances in your accounting system match
up with balances in accounts held by other entities, including banks, suppliers and credit customers. For
example, a bank reconciliation involves comparing cash balances and records of deposits and receipts
between your accounting system and bank statements. Differences between these types of complementary
accounts can reveal errors or discrepancies in your own accounts, or the errors may originate with the
other entities.
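The two detective controls just described, the trial balance (E) and the bank reconciliation (F), can be expressed as small checks over a ledger. The following is an added example written for this page, not code from the original material; the ledger, the bank statement lines and the transposition error in cheque CHK-7 are all constructed sample data. It shows how an out-of-balance trial balance signals that some entry is wrong, and how matching ledger cash movements against the bank statement pinpoints which one.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    """One line of a journal entry. Amounts are in cents so no float rounding creeps in."""
    account: str
    debit: int
    credit: int
    ref: str


def trial_balance(ledger: List[Entry]) -> Tuple[Dict[str, Tuple[int, int]], int]:
    """Sum debits and credits per account; return (per-account totals, debits minus credits).

    In a correctly posted double-entry ledger the difference is zero; anything else
    means at least one entry was posted wrongly and needs investigation.
    """
    totals: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for e in ledger:
        totals[e.account][0] += e.debit
        totals[e.account][1] += e.credit
    total_debit = sum(d for d, _ in totals.values())
    total_credit = sum(c for _, c in totals.values())
    return {k: (d, c) for k, (d, c) in totals.items()}, total_debit - total_credit


def cash_movements(ledger: List[Entry], cash_account: str = "Cash") -> List[Tuple[str, int]]:
    """Reduce the cash account to (reference, signed amount): debits positive, credits negative."""
    return [(e.ref, e.debit - e.credit) for e in ledger if e.account == cash_account]


def reconcile(ledger_moves: List[Tuple[str, int]], bank_lines: List[Tuple[str, int]]):
    """Match ledger cash movements to bank statement lines on (reference, amount).

    Returns (unmatched ledger items, unmatched bank items). Using Counter makes this a
    multiset difference, so duplicate references with the same amount are handled correctly.
    """
    ledger_c = Counter(ledger_moves)
    bank_c = Counter(bank_lines)
    return sorted((ledger_c - bank_c).elements()), sorted((bank_c - ledger_c).elements())


# Constructed sample ledger. The rent cheque CHK-7 was posted with transposed digits on the
# credit side (210000 instead of 120000), the kind of error a trial balance exposes.
SAMPLE_LEDGER = [
    Entry("Cash", 100000, 0, "INV-1"), Entry("Sales", 0, 100000, "INV-1"),
    Entry("Cash", 250000, 0, "INV-2"), Entry("Sales", 0, 250000, "INV-2"),
    Entry("Rent expense", 120000, 0, "CHK-7"), Entry("Cash", 0, 210000, "CHK-7"),
]

# Constructed bank statement: INV-2 has not cleared yet (deposit in transit) and the bank
# charged a fee (FEE-3) that nobody has recorded in the ledger.
SAMPLE_BANK = [("INV-1", 100000), ("CHK-7", -120000), ("FEE-3", -1500)]


def run_checks(ledger=SAMPLE_LEDGER, bank=SAMPLE_BANK):
    """Run both controls and return (trial balance difference, unmatched ledger, unmatched bank)."""
    _, difference = trial_balance(ledger)
    unmatched_ledger, unmatched_bank = reconcile(cash_movements(ledger), bank)
    return difference, unmatched_ledger, unmatched_bank


if __name__ == "__main__":
    diff, ul, ub = run_checks()
    print("trial balance difference (cents):", diff)
    print("in ledger but not on statement:", ul)
    print("on statement but not in ledger:", ub)
```

The trial balance alone only says that the books are out by 90,000 cents; the reconciliation narrows it to CHK-7, which appears with different amounts on each side, and separately surfaces the deposit in transit and the unrecorded bank fee, each of which needs its own follow-up rather than a blanket adjusting entry.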

G. Approval Authority

Requiring specific managers to authorize certain types of transactions can add a layer of
responsibility to accounting records by proving that transactions have been seen, analyzed and approved
by appropriate authorities. Requiring approval for large payments and expenses can prevent unscrupulous
employees from making large fraudulent transactions with company funds, for example.

C. CLASSIFICATION OF GENERAL CONTROLS

General Controls

 Measures that ensure that a company's control environment is stable and well managed.

 These controls provide reasonable assurance that development of and changes to computer
programs are authorized, tested and approved prior to their usage.

1. ORGANIZATION AND OPERATION CONTROLS

– the plan of the organization and operation of the EDP activity
– These will involve separation of incompatible duties; at a minimum, segregate programming,
operations, and the library functions within the information systems department.

A. Systems analysis

The systems analyst analyzes the present user environment and requirements and may:

1. recommend specific changes,
2. recommend the purchase of a new system, or
3. design a new information system.

The analyst is in constant contact with user departments and programming staff to ensure the
user's actual and ongoing needs are being met.

A system flowchart is a tool used by the analyst to define the system requirements.

B. Systems programming

The systems programmer is responsible for implementing, modifying, and debugging the
software necessary for making the hardware work (such as the operating system, telecommunications
monitor, and the database management system).

C. Applications programming
The applications programmer is responsible for writing, testing, and debugging the application
programs from the specifications (whether general or specific) provided by the system analyst.

A program flowchart is one tool used by the applications programmer to define the program
logic.

D. Database administration

In a database environment, a database administrator is responsible for maintaining the
database and restricting access to the database to authorized personnel.

E. Data preparation

Data may be prepared by user departments and input by key to magnetic disk or magnetic tape.

F. Operations

The operator is responsible for the daily computer operations of both the hardware and the
software.

The operators mount magnetic tapes on the tape drives, supervise operations on the operator’s
console, accept any required input, and distribute any generated output.

The operator should have adequate documentation available to run the program (a "run
manual"), but should not have detailed program information.

G. Data library

The librarian is responsible for custody of the removable media and for the maintenance of
program and system documentation. In many systems, much of the library function is maintained and
performed electronically by the computer.

The control group acts as liaison between users and the processing center.

The said group records input data in a control log, follows the progress of processing,
distributes output, and ensures compliance with control totals.

Companies may use separate computer accounts that are assigned to users on either a group or
individual basis. This will also involve the use of PASSWORDS and CALL-BACK PROCEDURES to
restrict access from remote terminals.

2. SYSTEMS DEVELOPMENT AND DOCUMENTATION CONTROLS

These relate to:
a. Review, testing and approval of new systems.
b. Parallel running.
c. Program changes.
d. Documentation procedures.

A. Review, Testing and Approval of New Systems

The basic principles of these controls are that:

 Systems design should include representatives of the user department, accounting department and
internal audit.
 Each proposed system should have written specifications that are approved by management
and the user department.
 Systems testing should involve both the user and computer departments.
 The computer manager, the user department, the database administrator and the appropriate level of
management should give final approval to the new system before it is placed in operation,
after reviewing the completeness of documentation and the results of testing.
B. Parallel Running

Before switching to the new system, the whole system should be tested by running it in parallel with the
existing system. Parallel running refers to running the new and old systems alongside each other for a
specified period of time, say a month. This is important because:
1. It provides the users with the opportunity to familiarise themselves with the new system while
still having the old system available for comparison.
2. It provides an opportunity for the programmers to sort out any problems with the new system.

C. Program Changes

Similar requirements apply to changes as well as to new systems, although the level of testing and
authorization will vary with the magnitude of the changes. It is particularly important that the
documentation be brought up to date. A common cause of control breakdown is the unsuspecting
reliance of new staff on out-of-date documents.

D. Documentation Procedures

Adequate documentation is important to both the auditor and management. For management,
documentation provides a basis for:
1. Reviewing the system prior to authorization.
2. Implementing smooth personnel changes and avoiding the problem that key employees might
take with them all the knowledge of how the system works.
3. Reviewing existing systems and programs.
For the auditor, documentation is necessary for the preliminary evaluation of the system and its
controls.

3. HARDWARE & SOFTWARE CONTROLS

A. Password management
We have defined passwords as a secret series of characters that only the owner of the identity
knows and uses it to authenticate identity. Passwords are designed to be a security mechanism that is
simple enough for average users while being secure enough for most applications. Passwords are used to
protect data, systems, and networks. A password is typically combined with a username. The username
serves as identification. Identification is the presentation of a user identity for the system. Authentication
establishes confidence in the validity of a claimed identity. Successful use of a username and associated
password provides a user access to restricted resources such as email, websites, and sensitive data
according to the permissions associated with the identity.
Passwords are known by a few different names depending upon the context. A personal
identification number (PIN) is a short (4–6 digits), numerical password. PINs are used when small
keypads are necessary (ATM machines), or when regular passwords could potentially create human safety
problems (airport fire suppression systems). Since they are short, PINs can be easily guessed and only
provide limited security. In general, the use of PINs assumes the existence of other security mechanisms.
These include daily withdrawal limits and security cameras in ATMs and physical security at airports.
Another form of passwords is the passphrase. A passphrase is a sequence of words that serves as
a password. An example of a passphrase is “Wow!!!thisis#1clasatschooL.” The motivation for using
passphrases is that though the human brain can only retain up to about seven chunks of information in
short-term memory, each chunk can be fairly large. Passphrases can therefore be longer than passwords
but easier to remember than an arbitrary sequence of characters. However, it is important to remember
that simple passphrases such as “thisisthe#1classatschool” can be predictable and easily guessed by
attackers compared to passwords such as “TiT#`CaS.” A long passphrase is not necessarily more secure
than passwords or a shorter passphrase.
The security of passwords depends entirely on the inability of intruders to guess passwords.
Earlier, we have discussed two sets of password guidelines. The first guideline is related to the
complexity of the password itself. The second is related to the diversity of passwords so that passwords
stolen from one resource cannot be used at another resource.
The above is the end user's perspective on passwords – a password gets you access to a secure
system. However, as a system administrator or security professional, you are responsible to make the
system work. In particular, you are responsible for ensuring that the passwords in your custody are safe.
This is accomplished through password management. Password management is the process of defining,
implementing, and maintaining password policies throughout an enterprise. Effective password
management reduces the likelihood that systems using passwords will be compromised.
Password management reintroduces the CIA triad because organizations need to protect the
confidentiality, integrity, and availability of passwords. Passwords are restricted because a loss of
confidentiality or integrity of passwords can give intruders improper access to information. Passwords are
essential because nonavailability of a password can make the underlying protected resource unavailable.
The National Institute for Standards and Technology (NIST), in furtherance of its responsibilities,
has published guidelines for the minimum recommendations regarding password management. We use
these minimal guidelines as the basis for the information in this section. Organizations with more
stringent security requirements may impose additional requirements, including requiring mechanisms
other than passwords for authentication.
Password management begins with the recognition of the ways in which passwords can be
compromised and takes actions to minimize the likelihood of these compromises. NIST recognizes four
threats to passwords – password capturing, password guessing and cracking, password replacing, and
using compromised passwords.

B. Password Threats
Password capturing is the ability of an attacker to acquire a password from storage,
transmission, or user knowledge and behavior. If passwords are stored improperly in memory by an
application, or on the hard drive by the operating system, a user with appropriate credentials on the
system may be able to steal the password. Similarly, if passwords are not encrypted during transmission,
they can be sniffed by anyone on the network. User knowledge and behavior can be exploited in social
engineering attacks.
Password guessing is another threat. In password guessing, an intruder makes repeated attempts
to authenticate using possible passwords such as default passwords and dictionary words. Password
guessing can be attempted by any attacker with access to the login prompt on the target system. Password
cracking is the process of generating a character string that matches any existing password string on the
targeted system. Password cracking can only be attempted by an attacker who already has access to
encrypted versions of saved passwords. These encrypted versions of passwords are called hashes and will
be covered in the chapter on encryption.
Password replacing is the substitution of the user's existing password with a password known to
the attacker. This generally happens by exploiting weaknesses in the system's password reset policies
using various social engineering techniques.
Compromised passwords are passwords on the system known to unauthorized users. Once such a
password is known, it may be exploited to launch other social engineering attacks, changing file
permissions on sensitive files, etc. If the compromised password is of a privileged user, say an IT
administrator, the attacker may even be able to modify applications and systems for later exploitation. For
example, the attacker may be able to create a privileged account for himself (most attackers are indeed
men!).
Effective password management attends to these threats. NIST recommendations for minimal
measures for password management are: creating a password policy, preventing password capture,
minimizing password guessing and cracking, and implementing password expiration as required.
Password threats demonstrate the recursive nature of information security threats. We have
already discussed threats to assets. Ostensibly, in this chapter, we are trying to develop safeguards against
the common threats. But we find that these safeguards may themselves be compromised. For example,
passwords are a safeguard, but passwords may themselves be compromised. And therefore, specific
measures must be taken to keep the safeguards safe.

C. Password Management Recommendations

A password policy is a set of rules for using passwords. For users, the password policy specifies
what kinds of passwords are allowed. For example, password length and complexity rules fall in this
category. For administrators, the password policy specifies how passwords may be stored, transmitted,
issued to new users, and reset as necessary. The password policy must take into account any regulations
that are specific to the industry in which the organization operates.
Minimizing password guessing and cracking requires attention to how each technology in the
organization stores passwords. Access to files and databases used to store passwords should be tightly
restricted. Instead of storing the passwords, it is recommended that password hashes are saved (this is
discussed in more detail in Chapter 7). All password exchange should be encrypted so that passwords
cannot be read during transmission. The identity of all users who attempt to recover forgotten passwords
or reset passwords must be strictly verified. Finally all users must be made aware of password stealing
attempts through phishing attacks, shoulder surfing, and other methods.
To prevent password guessing and password cracking, passwords must be made sufficiently
complex, and accounts must be locked after many successive failed login attempts. This minimizes the
opportunities for hackers to guess a password. Placing strict limitations on access to password files and
databases reduces the opportunities for password cracking.
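The recommendations above (a policy that rejects weak passwords, storing only salted hashes rather than passwords, verifying without leaking information, and locking an account after repeated failed logins) fit together in one small credential store. The code below is an added example written for this page, not code from NIST or from the original material; the length threshold, the lockout count and duration, the PBKDF2 iteration count and the common-password deny-list are constructed values to be tuned to the organization's own policy.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional

# Policy values are assumptions chosen for this example, not figures from NIST or the page.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 200_000          # raise to what your hardware tolerates
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}   # constructed deny-list


def check_policy(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; only this string is stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the hash with the stored salt and compare it in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """In-memory credential store with per-account lockout after repeated failures."""

    def __init__(self) -> None:
        self.users: Dict[str, dict] = {}

    def add_user(self, username: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.users[username] = {"hash": hash_password(password),
                                "failed": 0, "locked_until": 0.0}

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injectable so lockout expiry is testable."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            # Spend the same hashing cost for unknown users so the response time
            # does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return "denied"
        if now < rec["locked_until"]:
            return "locked"
        if verify_password(password, rec["hash"]):
            rec["failed"] = 0
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failed"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "guess"))                      # denied ... then locked
```

Two details matter for the audit points made above: the stored string carries the algorithm, iteration count and salt, so an auditor reviewing the password file can confirm that hashes rather than passwords are kept and that the work factor is what the policy says; and the lockout state is kept per account with a timestamp, so the control can be evidenced from the record itself rather than from an interview.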
Password expiration specifies the duration for which the password may be used before it is required
to be changed. Password expiration reduces the likelihood that a compromised password can be used
productively. Often, passwords are collected through automated procedures, and it can be a while before
an attacker actually tries to use a compromised password. If the password is changed before the attacker
attempts to use it, the password compromise may not be very damaging. However, password expiration
has its problems, particularly if the organization requires different passwords for different systems. Users
forget passwords, requiring costly IT support to recover forgotten passwords. In general, therefore,
password expiration should be used judiciously, with longer durations for systems with lower security
needs.

D. Password Limitations
While passwords are ubiquitous in information security, they do have many significant limitations.
Users often forget passwords, requiring either expensive help desks to respond to user requests or
password reset mechanisms. Password reset mechanisms introduce their own vulnerabilities because the
challenge questions may not be strong enough. Users often save passwords in locations where other users
can see them. Finally, relatively simple social engineering attacks such as phishing can be remarkably
successful at stealing passwords.
For all these reasons, there has been considerable interest in developing alternatives to passwords for
authentication. However, coming up with a good alternative is not trivial. Users know how to use
passwords and managers are reluctant to ask employees to change work methods unless absolutely
necessary. It does not help that there is limited data available on actual losses suffered by organizations
due to password theft.

E. The Future Of Passwords

Various authentication mechanisms have been proposed to replace passwords. One of these is
Passfaces, where a user preselects a set of human faces and, during a login attempt, picks the faces from
that set among those presented. Another is draw-a-secret, where users draw a continuous line across a
grid of squares. While passwords are likely to remain in use for a while, it would not be surprising if these
or similar mechanisms become more popular in the coming years.
Passwords and the more general concern of managing identities is such an important area of
information security in practice that we have an entire chapter on identity and access management later in
the book.

4. ACCESS TO COMPUTER AND DATA FILES CONTROLS

These include the following segregation controls:
 Access to program documentation should be limited to those persons who require it in the
performance of their duties.
 Access to data files and programs should be limited to those individuals authorized to process
data.
 Access to computer hardware should be limited to authorized individuals such as computer
operators and their supervisors.
Controls over physical access to the computer facility, which may involve guards, automated key cards,
manual key locks, and newer access devices that permit entry on the basis of fingerprints, palm prints,
voice patterns or retina prints.
Use of a visitor entry log which documents those who have had access to the area.
Use of an identification code and a confidential password to control access to software.
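The following is an added example, not part of the original text, showing how the password control above and the password expiration policy discussed earlier fit together in code. It assumes a hypothetical pair of systems ("payroll" and "intranet-wiki") with different maximum password ages, stores only a salted PBKDF2 digest rather than the password itself, and rejects a correct but stale password. All names, durations and the sample password are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed per-system maximum password age. The durations are illustrative:
# the sensitive payroll system expires passwords sooner than the low-risk wiki,
# following the text's advice of longer durations where security needs are lower.
MAX_PASSWORD_AGE = {
    "payroll": timedelta(days=60),
    "intranet-wiki": timedelta(days=365),
}

# PBKDF2 work factor (assumption; raise it as hardware allows).
PBKDF2_ITERATIONS = 600_000


@dataclass
class StoredCredential:
    """What the system keeps: a random salt, the derived key, and when the
    password was last changed. The plaintext password is never stored."""
    salt: bytes
    digest: bytes
    changed_at: datetime


def derive_key(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enrol(password: str, now: datetime) -> StoredCredential:
    """Create the stored record for a new or changed password."""
    salt = os.urandom(16)
    return StoredCredential(salt=salt, digest=derive_key(password, salt), changed_at=now)


def password_expired(cred: StoredCredential, system: str, now: datetime) -> bool:
    return now - cred.changed_at > MAX_PASSWORD_AGE[system]


def authenticate(cred: StoredCredential, password: str, system: str, now: datetime) -> str:
    """Return "ok", "bad-password" or "expired". The digest comparison is
    constant-time so timing does not leak how many bytes matched."""
    candidate = derive_key(password, cred.salt)
    if not hmac.compare_digest(candidate, cred.digest):
        return "bad-password"
    if password_expired(cred, system, now):
        return "expired"
    return "ok"


def demo_timeline() -> dict:
    """Constructed scenario: one password enrolled on 1 Jan 2024 and tried later."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pw = "correct horse battery staple"  # constructed sample password
    cred = enrol(pw, t0)
    return {
        "payroll_day30": authenticate(cred, pw, "payroll", t0 + timedelta(days=30)),
        "payroll_day90": authenticate(cred, pw, "payroll", t0 + timedelta(days=90)),
        "wiki_day90": authenticate(cred, pw, "intranet-wiki", t0 + timedelta(days=90)),
        "wrong_password": authenticate(cred, "wrong guess", "payroll", t0 + timedelta(days=30)),
    }


if __name__ == "__main__":
    for scenario, outcome in demo_timeline().items():
        print(f"{scenario}: {outcome}")
```

The same password is accepted on the wiki at day 90 but refused on payroll, which is the "longer durations for lower security needs" policy in practice; the stored digest is useless to an attacker who copies the credential table without also running the slow derivation for every guess.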
Use of “call back”, a specialized form of user identification in which the user
1. Dials the system
2. Identifies him/herself
3. Is disconnected from the system

Then either
1. An individual manually finds the authorized telephone number and calls the user back, or
2. The system automatically finds the authorized telephone number of the individual and
calls back.
Call back ties the session to a pre-registered telephone number rather than to the person, so it
supplements, rather than replaces, the identification code and password.
Use of encryption, where data is encoded when stored in computer files and/or when transmitted to and
from remote locations (e.g., through use of modems and telephone lines). This protects the data because
an unauthorized user must not only obtain access to it but must also obtain the key needed to translate the
coded form. Data encryption transforms plaintext messages into unintelligible ciphertext using an
encryption key; without the corresponding decryption key the ciphertext reveals nothing useful about the
plaintext.

5. OTHER DATA AND PROCEDURAL CONTROLS INCLUDING SECURITY AND DISASTER
CONTROL (FAULT-TOLERANT SYSTEMS, BACKUP, AND CONTINGENCY PLANNING)
A. Physical Security
1. Fireproof storage.
2. Backup of vital documents, files and programs. The backup and reconstruction procedure
typically used under batch processing is the grandfather-father-son procedure, in which the three
most recent generations of a master file are retained together with the transaction files needed to
recreate the current generation from the older ones. Backups may also be transmitted electronically
to remote sites.
B. Contingency planning, which includes the development of a formal disaster recovery plan. This plan
describes the procedures to be followed in an emergency, the alternate processing sites and the role of
each member of the disaster recovery team. Its goal is to recover processing capability as soon as
possible. Disaster recovery sites can be either “hot sites” or “cold sites”.
a. A “hot site” is a facility that is configured and ready to operate within a few hours, while a
“cold site” is a facility that provides everything necessary to quickly install computer equipment
but does not have the computers installed.
b. Insurance should also be obtained to compensate the company for losses (theft, fire or other
calamities) when they occur.

C. CLASSIFICATION OF APPLICATION CONTROLS

Application controls

The objectives of application controls, which may be manual or programmed, are to ensure the
completeness and accuracy of the accounting records and the validity of the entries made therein, whether
they result from manual or programmed processing. These controls relate to the transactions and standing
data pertaining to each computer-based accounting system and are therefore specific to each application.
With the increasing sophistication of computer operating systems it is becoming more common for
controls to be programmed as part of each application. Application controls are generally divided into:

1. Input controls

Most errors in computer accounting systems can be traced to faulty input. Controls over the
completeness and validity of all input are therefore vital. Some controls affect both completeness and
validity and are therefore considered separately below: controls over data conversion, controls over
rejections and the correction and reprocessing of rejected items, batch controls and computer edit
controls.
 Completeness. These controls ensure that all transactions are recorded: that all sales, for example,
are recorded in the cash register, or that all purchase invoices are posted to the accounting records.
They are particularly important over the recording of revenue and the receipt of assets.

 Validity. Controls over validity ensure that only actual transactions that have been properly
authorised are recorded. These controls are most important over the recording of liabilities such
as wages, creditors etc. As in a manual system, control is established by written authorisation on
input documents, such as the departmental manager's signature on employees' time cards. It is
important that there is adequate separation of duties, so that those who initiate a transaction, or
who have access to cash, cheques or goods as a result of the transaction being entered, do not also
have the responsibility for entering the transaction. As with completeness, the computer can be
programmed to assist in this control, in which case some of the requirements above can be relaxed;
for example, the computer can initiate purchases when stock levels reach a pre-determined re-order
level and then validate the payment by matching the invoice with the order and goods-inward notes.
Access controls, as discussed earlier, play an important role in validity in that the computer is
programmed to accept input only from authorised users. The computer can also be programmed to
verify authority limits.

 Data Conversion. There must be controls to ensure that all data on source documents is properly
entered into the computer. In the early days, when entry was by punched card, each card was
verified as punched by a second machine operator. But now that most data is entered using a
keyboard or a terminal other controls are more common.

The most common input controls are edit controls. Examples of edit controls include:

Missing field check
  Description: Checks that all essential data fields are present and are of the right length.
  Objective: Ensures accuracy of the processed data. Transactions cannot be properly processed if
  necessary data is missing.

Valid character check
  Description: Checks that data fields appear to be of the right type, e.g. all alphabetic, all numeric
  or mixed.
  Objective: Ensures correctness of input data.

Limit/reasonableness checks
  Description: Checks that data falls within predetermined reasonability limits, e.g. hours worked do
  not exceed a certain limit, maybe 8 hours a day.
  Objective: Ensures accuracy and validity of input data.

Master file checks
  Description: Checks that all codes match those on master files, e.g. an employee's number matches
  an employee number on the personnel file.
  Objective: Ensures that data is processed against the correct master file.

Check digit
  Description: Applies an arithmetic operation to the code number and compares the result to the
  check digit.
  Objective: Ensures accuracy of data by detecting keystroke errors.

Document count
  Description: Agrees the number of input records in a batch with the total on the batch control form.
  Objective: Ensures that all documents are input.

2. Processing controls

Processing controls ensure that transactions are:

 Processed by the right programs.
 Processed to the right master files.
 Not lost, duplicated or otherwise improperly altered during processing.
 Processing errors are identified and corrected.
Processing controls include:

 Program file identification procedures, which check whether the right master files are in use.
 Physical file identification procedures in the form of labels physically attached to files or
diskettes to ensure that the right files are in use.
 Control totals which are progressively expanded as the data is processed; for example, the hash
total of quantities shipped can be expanded to a gross sales total as items are priced and to a net
sales total as customer discounts are determined. These totals should be carried forward with the
transaction data as run-to-run totals.
 Limit and reasonableness tests applied to data arising as a result of processing.
 Sequence tests over pre-numbered documents.

3. Output controls

Are necessary to ensure that:-

 All input received is reflected in the output.
 Results of processing are accurate.
 Output is distributed to appropriate personnel.
These controls include:
 Logging of all output.
 Matching or agreeing all output to input, either by one-for-one matching or by control totals.
 Noting distribution of all the output.

Output checklists aimed at ensuring that all expected reports are processed and forwarded to the
relevant department or personnel.
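As an added example that is not part of the original text, the run-to-run control totals described under processing controls above, carried through to the output control of agreeing output to input. It follows the text's own illustration: a hash total of quantities shipped is expanded to a gross sales total by a pricing run and to a net sales total by a discount run, and each run first recomputes the totals it inherited before touching the data. The shipment records, the batch control form and the run names are constructed for the example.

```python
import copy
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

CENT = Decimal("0.01")


class ControlTotalMismatch(Exception):
    """Raised when a run's recomputed totals disagree with those carried forward."""


def compute_totals(records: List[Dict]) -> Dict[str, Decimal]:
    """Control totals over the batch. The quantity total is a hash total: it has no
    business meaning and exists only to detect lost, duplicated or altered records."""
    return {
        "document_count": Decimal(len(records)),
        "qty_hash_total": sum((r["qty"] for r in records), Decimal(0)),
        "gross_sales": sum((r.get("gross", Decimal(0)) for r in records), Decimal(0)),
        "net_sales": sum((r.get("net", Decimal(0)) for r in records), Decimal(0)),
    }


def check_carried_forward(records, carried, keys) -> None:
    """Before a run touches the data, prove it received exactly what the prior run produced."""
    actual = compute_totals(records)
    for key in keys:
        if actual[key] != carried[key]:
            raise ControlTotalMismatch(f"{key}: carried forward {carried[key]}, recomputed {actual[key]}")


def input_run(records, batch_control_form):
    # Input control: keyed data must agree with the manually prepared batch control form.
    check_carried_forward(records, batch_control_form, ("document_count", "qty_hash_total"))
    return compute_totals(records)


def pricing_run(records, carried):
    check_carried_forward(records, carried, ("document_count", "qty_hash_total"))
    for r in records:
        r["gross"] = (r["qty"] * r["unit_price"]).quantize(CENT, ROUND_HALF_UP)
    return compute_totals(records)  # hash total now expanded to a gross sales total


def discount_run(records, carried):
    check_carried_forward(records, carried, ("document_count", "qty_hash_total", "gross_sales"))
    for r in records:
        factor = (Decimal(100) - r["discount_pct"]) / Decimal(100)
        r["net"] = (r["gross"] * factor).quantize(CENT, ROUND_HALF_UP)
    return compute_totals(records)  # ... and further to a net sales total


def output_run(records, carried) -> Dict[str, Decimal]:
    # Output control: the report is agreed to input via every total carried through the runs.
    check_carried_forward(records, carried,
                          ("document_count", "qty_hash_total", "gross_sales", "net_sales"))
    return dict(carried)


def process_batch(records, batch_control_form):
    carried = input_run(records, batch_control_form)
    carried = pricing_run(records, carried)
    carried = discount_run(records, carried)
    return output_run(records, carried)


# Constructed shipment batch and the matching batch control form (sample input).
SAMPLE_SHIPMENTS = [
    {"item": "A100", "qty": Decimal(10), "unit_price": Decimal("2.50"), "discount_pct": Decimal(0)},
    {"item": "B200", "qty": Decimal(4), "unit_price": Decimal("15.00"), "discount_pct": Decimal(10)},
    {"item": "C300", "qty": Decimal(1), "unit_price": Decimal("99.99"), "discount_pct": Decimal(5)},
]
BATCH_CONTROL_FORM = {"document_count": Decimal(3), "qty_hash_total": Decimal(15)}


def run_clean_batch() -> Dict[str, Decimal]:
    return process_batch(copy.deepcopy(SAMPLE_SHIPMENTS), BATCH_CONTROL_FORM)


def detects_dropped_record() -> bool:
    """Simulate a record lost between the input and pricing runs; True if caught."""
    records = copy.deepcopy(SAMPLE_SHIPMENTS)
    carried = input_run(records, BATCH_CONTROL_FORM)
    del records[1]
    try:
        pricing_run(records, carried)
    except ControlTotalMismatch:
        return True
    return False


if __name__ == "__main__":
    print(run_clean_batch())
    print("dropped record detected:", detects_dropped_record())
```

Money is handled in Decimal with explicit rounding so that the totals a later run recomputes are bit-for-bit what the earlier run carried forward; with binary floats the control totals could drift and raise false mismatches. The dropped-record scenario shows why the earliest totals (document count and hash total) are kept alongside the later ones rather than being replaced by them.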

Controls over master files and standing data

These are aimed at ensuring the completeness, accuracy and authorisation of amendments to master files
and standing data files, and they are similar to controls over input, e.g. controls to prevent the deletion of
any account which contains a current running balance. Once standing data has been written onto a
master file, it is important that there are adequate controls to ensure that the data remains unaltered until
an authorised change is made.

Examples of controls

Periodic printouts of standing data for checking against manually held information.

Establishment of independent control totals for periodic verification against computer-generated totals.
