Chapter 21 Internal Control in The Computer Information System
Factors affecting the study of internal control in computer systems
1. Result in transaction trails that exist for a short period of time or only in computer
readable form
2. Include program errors that cause uniform mishandling of transactions – clerical errors
become less frequent
3. Include computer controls that need to be relied upon instead of segregation of functions
5. Allow increased management supervisory potential resulting from more timely reports
7. Include computer controls that affect the effectiveness of related manual control
procedures that use computer output
Classification of Internal Controls over EDP
GENERAL CONTROLS
- All EDP applications and include such considerations as:
  the organization of the EDP department
APPLICATION CONTROLS
- Specific accounting tasks performed by EDP. It includes measures designed to assure:
  The reliability of input
(g) Control group – acts as liaison between users and the processing
center. This group records input data in a control log, follows the
processing, distributes output, and ensures compliance with control
totals.
A. Organizational and Operations Controls (cont…)
(h) Data security – responsible for maintaining the integrity of the on-line
access control security software. Passwords and IDs are issued
to users and follow-up is done on all security violations.
(b) Each system must have written specifications which are reviewed and approved by
management and by user departments
(d) Management, users, and EDP personnel must approve new systems before they
are placed into operations
(e) All master and transaction file conversion should be controlled to prevent
unauthorized changes and to verify the results on a 100% basis
(f) After a new system is operating, there should be proper approval of all program
changes.
(g) Proper documentation standards should exist to assure continuity of the system
B. Systems development and documentation controls (cont…)
(2) New systems are developed. Two controls over system change
include the following:
(b) Access to data files and programs should be limited to those individuals
authorized to process data.
(b) A written manual of systems and procedures should be prepared for all
computer operations and should provide for management’s general or specific
authorization to process transactions.
(e) File protection ring – A file protection ring is a processing control to ensure
that an operator does not use a magnetic tape as a tape to write on when it
actually has critical information on it.
(f) Internal and external labels – External labels are paper labels attached to a
reel of tape or other storage medium which identify the file. Internal labels
perform the same function through the use of machine readable identification
in the first record of a file.
APPLICATION CONTROLS
- controls that relate to a specific application instead of
multiple applications.
(2) To ensure the integrity of human readable data as it is converted into a
computer readable format, there are many common controls that can be
used:
(a) Preprinted form – Information is pre-assigned a place and a format on
the input form used.
A. Input Controls (cont…)
(b) Check digit – An extra digit is added to an identification number to
detect certain types of data transmission or transposition errors. It is used
to verify that the number was entered into the computer system correctly
(within the application program there is a software code that recomputes
the check digit), e.g., an extra number on an account number that is
calculated as a mathematical combination of the other digits.
(c) Control, batch, or proof total – A total of one numerical field for all the
records of a batch that normally would be added, e.g., total sales price.
(d) Hash totals – A total of one field for all the records of a batch where the
total is a meaningless total for financial purposes, e.g., a mathematical
sum of account numbers added together.
(e) Record count – A control total used for accountability to ensure all the
records received are processed.
(f) Reasonableness and limit tests – These tests determine if amounts are
too high, too low, or unreasonable (e.g., for a field that indicates auditing
exam scores, a limit check would test for scores over 100).
(g) Menu driven input – If input is being entered into a CRT, then the
operator should be greeted by a menu and prompted as to the proper
response to make [e.g., What score did you get on the Auditing part of the
CPA Exam (75-100)?]
(h) Field checks – Checks that make certain only numbers, alphabetical
characters, special characters, and proper positive and negative signs are
accepted into a specific data field where they are required.
(i) Validity check – A check which allows only “valid” transactions or data to
be entered into the system (e.g., a field indicating sex of an individual
where 1 = male and 2 = female; if coded with “3” would not be accepted)
(j) Missing data check – If blanks exist in input data where they should not
(e.g., an employee’s division number), an error message would result.
(l) Logic check – Ensures that illogical combinations of inputs are not
accepted into the computer (e.g., the field total for raw material is validated
by footing price times quantity)
B. Processing Controls
(1) Controls
(a) Control totals should be produced and reconciled with input control
totals – proof of batch totals
(b) Controls should prevent processing the wrong file and detect errors in
file manipulation – label checks
(c) Limit and reasonableness checks should be incorporated into
programs to prevent illogical results such as reducing inventory to a
negative value.
(d) Run-to-run totals should be verified at appropriate points in the
processing cycle. This ensures that records are not added or lost during
the processing runs.
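The input edit checks listed under Input Controls and the batch-total reconciliation in Processing Controls (a), as an added example that is not part of the original chapter. The chapter names no check digit formula, so the Luhn mod-10 scheme is used here as an assumption; the field names, formats, quantity limit and sample batch are constructed for illustration.

```python
import re
from decimal import Decimal

# Assumed field formats (constructed for this example, not from the chapter).
FORMATS = {"account": r"[0-9]{6}", "qty": r"[0-9]{1,4}",
           "price": r"[0-9]+\.[0-9]{2}", "total": r"[0-9]+\.[0-9]{2}"}

def check_digit(body: str) -> str:
    """Luhn mod-10 check digit for `body` (assumed scheme; the chapter names none)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def edit_record(rec: dict) -> list:
    """Return the input controls that a keyed record (all values strings) fails."""
    if any(not rec.get(name) for name in FORMATS):
        return ["missing data"]
    if any(not re.fullmatch(pat, rec[name]) for name, pat in FORMATS.items()):
        return ["field check"]
    errors = []
    if check_digit(rec["account"][:-1]) != rec["account"][-1]:
        errors.append("check digit")
    if not 1 <= int(rec["qty"]) <= 1000:    # assumed reasonable quantity range
        errors.append("limit test")
    if Decimal(rec["price"]) * int(rec["qty"]) != Decimal(rec["total"]):
        errors.append("logic check")        # price times quantity must foot to total
    return errors

def reconcile(header: dict, records: list) -> list:
    """Name the batch totals that differ from the header (records already edited)."""
    computed = {
        "record_count": len(records),
        "control_total": sum(Decimal(r["total"]) for r in records),
        "hash_total": sum(int(r["account"]) for r in records),
    }
    return [name for name, value in computed.items() if header[name] != value]

# Constructed sample batch: three valid records and the header prepared at input.
BATCH = [
    {"account": "123455", "qty": "10", "price": "2.50", "total": "25.00"},
    {"account": "400218", "qty": "3", "price": "19.99", "total": "59.97"},
    {"account": "773101", "qty": "2", "price": "5.00", "total": "10.00"},
]
HEADER = {"record_count": 3, "control_total": Decimal("94.97"), "hash_total": 1296774}
```

A record posted to the wrong but valid account leaves the record count and control total unchanged, so only the hash total exposes it.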