Computer Issues - PowerPoint PPT Presentation

Slides: 31
Provided by: Her4
Transcript and Presenter's Notes

Title: Computer Issues


1
Computer Issues & Controls
  • ACCT 310

2
Introduction -- Basic Terms
  • Error: unintentional misstatement
  • Fraud: intentional alteration or misstatement of
    data
  • Risk: likelihood that a system will experience
    errors or fraud
  • Controls: mechanisms or procedures designed to
    prevent, detect or correct errors or fraud

3
IT can decrease risk
  • Speed
  • Accuracy in calculations
  • Accuracy in other tasks
  • Exception reporting
  • Consistency

4
IT can increase risk
  • Storage problems
  • Knowledge challenges
  • Dependencies, compression
  • Security, audit trail

5
Storage Problems
  • Unintelligible data
  • Compact volume
  • Susceptibility to damage
  • Ease of erasure

6
Knowledge Challenges
  • Accounting cycle
  • Appear to delete steps
  • Add steps
  • Computer knowledge
  • Training

7
Dependencies & Compression
  • Dependencies → exposures
  • Reliance on DP dept or technology person
  • Reliance on technology
  • Compression of tasks creates inadequate
    separation of duties

8
Security and Audit Trail
  • More people have access to accounting data
  • Extra measures to secure data
  • Lack of paper audit trail
  • Reliance on technology
  • Reliance on expert
  • Monitoring

9
Summary -- Risks of Automation
  • Computers make some things easier and quicker but
    are not without risks.

10
Internal Controls
  • WHY should a company employ internal controls?
  • To manage risks of errors or fraud

11
Internal Control -- Review
  • FIVE components
  • Information & Communications
  • Control Activities
  • Risk assessment
  • Monitoring
  • Control Environment

12
Information & Communications -- Computers
  • Information must be identified, captured,
    communicated
  • Usually involves computer software and hardware

13
Information & Communications -- Computers
  • Accounting info system
  • Current
  • Training, user manuals
  • Tested
  • Reports
  • Designed effectively
  • From accurate data sources

14
Control Activities -- Computers
  • Policies and procedures to ensure mgt. directives
    are carried out
  • Controls over computer function
  • Controls over computer processes
  • More later

15
Risk Assessment -- Computers
  • Management is responsible for:
      • Identifying risks of errors and fraud
      • Performing cost/benefit analysis in risk areas
      • Implementing internal controls appropriate for
        level of risk assessed
  • Responsibilities regardless of source of risk
    (people or computers)
  • Includes risk to IT assets, data & programs

16
Monitoring -- Computers
  • Assessing the quality of the I/C system's
    performance over time

17
Monitoring -- Computers
  • Error logs
  • Data control group
  • Unsuccessful logins
  • Intrusion detection
  • System availability
  • IT audit function

18
Control Environment -- Computers
  • Tone of an organization, influencing the control
    consciousness of its people
  • Remember: the other 4 components need a strong
    control environment

19
Control Environment -- Computers
  • Appropriate funding levels for IT
  • BOD understanding IT risks
  • Training of personnel on IT issues
  • Hiring qualified IT personnel

20
More on Control Activities
  • Divided into two kinds:
      • General controls: affect all information systems
        and sub-systems
      • Application controls: focused on individual
        systems or sub-systems
  • General controls must be strong for application
    controls to be strong

21
General Controls
  • Policies & Procedures
  • Asset Protection
  • Hardware/Transmission

22
General Controls Cont.
  • Policies & Procedures
  • Separation of duties in IT
  • Control over IT personnel with processing
    permissions
  • Console log
  • Daily processing schedule
  • Personnel practices
  • Hiring/firing
  • Forced vacations
  • Systems development practices

23
General Controls Cont.
  • Asset Protection
  • Physical access protection
  • Locks
  • Guards
  • ID badges
  • Prop insurance
  • Hot/cold sites
  • Fireproof storage
  • Logical access protection
  • Authorization
  • Authentication
  • Backup of files
  • Backup power
  • BCP
  • File labels
  • Write protection
  • Tape protection rings

Focus is on fault-tolerance
24
General Controls Cont.
  • Hardware/Transmission
  • Hardware processes all programs and data
  • Data is transmitted over internal and external
    networks
  • Is data integrity protected from hardware
    failures?
  • Is data integrity protected from transmission
    failures?
  • Focus is on fault-tolerance

25
General Controls Cont.
  • Hardware/Transmission
  • Disk mirroring (write-twice)
  • Dual read (read twice)
  • Read after write
  • Echo check (peripherals)
  • Encryption (transmission, storage)

Focus is on fault-tolerance
26
Application Controls
  • Controls applied at the application (program or
    routine)
  • Most application controls are focused on input,
    since that is the area where most errors occur
  • Data input occurs at the field level

[Diagram labels: Input, Processing, Output]
27
Application Controls Cont.
  • Input
  • Batch total
  • Hash total
  • Key verification
  • Completeness test
  • Prompting
  • Length test
  • Range and sign tests
  • Formatted input
  • Masking
  • System-generated data
  • Validity test
  • Check digit
  • Valid combinations test
  • Closed-loop verification

Batch vs. Online (real-time) processing
28
Application Controls Cont.
  • Processing
  • Run-to-run totals
  • Data reconciliation (mid-processing)
  • Data matching
  • Exception reporting

29
Application Controls Cont.
  • Output
  • Date/time stamps
  • Report distribution lists
  • Secure output areas
  • Destruction of sensitive reports
  • User review and correction

30
Terminology & Classification
  • Controls Exercise
  • Given a list of control procedures, categorize
    them as
  • General
  • Application
  • Given a list of control procedures, match to the
    definitions