INTERNAL CONTROL IN CIS
GROUP 2
Auditor's Responsibilities
Obtain an understanding of the entity's internal control system
Assess control risk
Factors Affecting the Study of Internal Control in CIS
Lack of visible transaction trails
Consistency of performance
Concentration of duties
Ease of access to data and computer programs
Vulnerability of data and program storage media
System-generated transactions
Classification of Internal Control Procedures
1. GENERAL CONTROLS
Control policies and procedures that relate to the overall CIS
1. Organizational controls
2. Systems development and documentation controls
3. Hardware and systems software controls
4. Access controls
5. Data and procedural controls
2. APPLICATION CONTROLS
Policies and procedures that relate to specific uses of the system
1. Controls over input
2. Controls over processing
3. Controls over output
A. Organizational and Operation Controls
Controls
i. Segregate functions between the EDP department and user departments
ii. Do not allow the EDP department to initiate or authorize transactions
iii. Segregate functions within the department


Key Functions (within EDP):
a. Systems analyst - responsible for analyzing the present user environment and requirements and:
Recommending specific changes which can be made;
Recommending the purchase of a new system; and
Designing a new EDP system
b. Applications programmer - responsible for writing, testing, and debugging the application programs from the specifications (whether general or specific) provided by the systems analyst.
c. Systems programmer - responsible for implementing, modifying, and debugging the software necessary for making the hardware work
d. Operator - responsible for daily computer operations of both the hardware and the software
e. Data librarian - responsible for:
Custody of the removable media (magnetic tapes or disks); and
Maintenance of program and system documentation
f. Quality assurance - ensures that new systems under development and old systems being changed are adequately controlled, that they meet the users' specifications, and that they follow department documentation standards.
g. Control group
Acts as liaison between users and the processing center;
Records input data in a control log, follows the progress of processing, distributes output, and ensures compliance with control totals
h. Data security - responsible for maintaining the integrity of the on-line access control security software
i. Database administrator - responsible for maintaining the database and restricting access to the database to authorized personnel
j. Network technician - using line monitoring equipment, they can see each keystroke made by any user.
B. Systems development and documentation controls
(1) Controls
a) User departments must participate in systems design.
b) Each system must have written specifications which are reviewed and approved by management and by user departments.
c) Both users and EDP personnel must approve new systems.
d) Management, users, and EDP personnel must approve new systems before they are placed into operation.
e) All master and transaction file conversions should be controlled to prevent unauthorized changes and to verify the results on a 100% basis.
f) After a new system is operating, there should be proper approval of all program changes.
g) Proper documentation standards should exist to assure continuity of the system.
(2) Two common controls over system changes
Design methodology - All new systems being developed should flow through a documented process that has specific control points where the overall direction of the system can be evaluated and changed.
Change control process - To effect a change on a system that is presently operating, a formal change process should exist that requires formal approval before any change is implemented. All program changes and maintenance should be done with copies of the program using test data only. This control process applies to any system or program changes, as well as any changes to a file structure or file content.
C. HARDWARE AND SYSTEMS SOFTWARE CONTROLS
1. Controls
a) The auditor should be aware of control features inherent in the computer hardware, operating system, and other supporting software and ensure that they are utilized to the maximum possible extent.
b) Systems software should be subjected to the same control procedures as those applied to the installation of changes to application programs.
2. The reliability of EDP hardware has increased dramatically over the last decade.
a) Parity check - A special bit is added to each character stored in memory that can detect if the hardware loses a bit during the internal movement of a character, similar to a check digit.
b) Echo check - It is primarily used in telecommunications transmissions.
c) Diagnostic routines - hardware or software supplied by the manufacturer to check the internal operations and devices within the computer system.
d) Boundary protection - to ensure that simultaneously running jobs cannot destroy or change the memory allocated to another job, the system contains boundary protection controls.
e) Periodic maintenance - The system should be examined periodically by a qualified service technician. Such service can help to prevent unexpected hardware failures.
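As an added example (not part of the original slides), the parity check described above modelled in Python: each 7-bit character is stored with an even-parity bit, a memory scan flags words whose parity no longer holds, and the caveat an auditor should know is shown as well, namely that one parity bit detects any odd number of lost bits but not an even number.

```python
"""Even-parity memory check, as a model of the hardware control above.
Added example; the memory contents and the corruption are constructed."""


def add_parity(ch: int) -> int:
    """Store a 7-bit character as an 8-bit word with an even-parity bit in bit 7."""
    if not 0 <= ch < 128:
        raise ValueError("character must fit in 7 bits")
    parity = bin(ch).count("1") & 1          # 1 if the data bits hold an odd number of ones
    return ch | (parity << 7)


def check_parity(word: int) -> bool:
    """True if the stored word still has an even number of one bits (no corruption detected)."""
    return bin(word & 0xFF).count("1") % 2 == 0


def strip_parity(word: int) -> int:
    """Recover the 7-bit character from a stored word."""
    return word & 0x7F


def flip_bits(word: int, positions) -> int:
    """Simulate the hardware losing (inverting) the given bit positions."""
    for pos in positions:
        word ^= 1 << pos
    return word


def scan_memory(words):
    """Indexes of stored words whose parity check fails: what the hardware would flag."""
    return [i for i, w in enumerate(words) if not check_parity(w)]


def demo():
    """Write a constructed string to 'memory', corrupt two words, report what is caught."""
    memory = [add_parity(ord(c)) for c in "AUDIT"]
    assert scan_memory(memory) == []            # clean memory passes
    corrupted = list(memory)
    corrupted[1] = flip_bits(corrupted[1], [3])     # one bit lost: detected
    corrupted[3] = flip_bits(corrupted[3], [0, 5])  # two bits lost: parity still even, missed
    return scan_memory(corrupted)               # -> [1]


if __name__ == "__main__":
    print("flagged words:", demo())
```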
D. ACCESS CONTROLS
Controls
a. Access to program documentation should be limited to those persons who require it in the performance of their duties.
b. Access to data files and programs should be limited to those individuals authorized to process data.
c. Access to computer hardware should be limited to authorized individuals such as computer operators and their supervisors.
Physical access controls
1. Limited physical access - the physical facility that houses EDP equipment, files, and documentation should have controls to limit access only to authorized individuals.
2. Visitor entry logs - any individual entering a secure area must be either pre-approved by management and wearing an ID badge, or authorized by an appropriate individual, recorded in a visitors' log, and escorted while in the secure area.
Electronic access controls
1. Access control software (user identification)
Use a combination of a unique identification code and a confidential password.
Passwords should either be reissued periodically or periodically expire and force users to change their passwords.
Access control can be used to:
Limit access to the entire system; and
Limit what the individual can look at once she/he is inside the system.
The system should place restrictions on the level of information that a user can read and/or change.
2. Call back
Specialized form of user identification that is used in highly sensitive systems.
Under this system, the user dials up the system, identifies him/herself, and is disconnected from the system.
Then either:
An individual manually looks up the authorized telephone number for the individual; or
The system automatically looks up the authorized telephone number of that individual, calls back the individual, and reestablishes communications.
This is the primary preventive technique for stopping unauthorized dial-up access to EDP by an individual trying to masquerade as an authorized user from an unauthorized telephone number.
3. Encryption boards
New devices that are installed in the back of a microcomputer, or stand-alone devices for larger systems.
The board is programmed with a unique key that makes the data unreadable to anyone who might intercept a data transmission.
E. DATA AND PROCEDURAL CONTROLS
1. Controls
A control group should:
Receive all data to be processed
Ensure that all data are recorded
Follow up on errors during processing, and determine that transactions are corrected and resubmitted by the proper user personnel.
Verify the proper distribution of output.
The following specific controls should be implemented:
1. Operations run manual - the operations manual specifies, in detail, the how-to's for each application to enable the computer operator to respond to any error that may occur.
2. Backup and recovery - to ensure the preservation of historical records and the ability to recover from an unexpected error, files created within EDP are backed up in a systematic manner.
3. Contingency processing - detailed contingency processing plans should be developed to prepare for natural disasters, man-made disasters, or general hardware failures that disable the data center.
4. Processing control - processing controls should be monitored by the control group to ensure that processing is completed in a timely manner, all hardware errors have been corrected, and output has been properly distributed.
5. File protection ring - a file protection ring is a processing control to ensure that an operator does not use a magnetic tape as a tape to write on when it actually has critical information on it.
6. Internal and External Labels
External labels are paper labels attached to a reel of tape or other storage medium which identify the file.
Internal labels perform the same function through the use of machine-readable identification in the first record of a file.
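The control totals that the control group logs at input and reconciles after processing (its duty under the key functions above, and the processing control monitored under E), as an added example that is not from the original slides: a record count, a financial total and a hash total over a constructed batch, with the record layout and field names assumed for illustration. It also shows the limit of the technique: totals prove the batch is complete, not that every record is right.

```python
"""Batch control totals as kept by the control group. Added example; the
transaction batch is constructed and the Txn layout is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: int       # account number: a non-financial field used for the hash total
    amount_cents: int  # amount in cents: used for the financial (batch) total


def control_totals(batch):
    """Return (record count, financial total, hash total) for a batch.
    The hash total sums a field with no monetary meaning; it exists only to
    change when a record is dropped, duplicated or altered."""
    return (len(batch),
            sum(t.amount_cents for t in batch),
            sum(t.account for t in batch))


def reconcile(logged, processed):
    """Compare the totals logged at input with totals recomputed from the
    processed output; return the names of the totals that disagree."""
    names = ("record count", "financial total", "hash total")
    return [name for name, before, after
            in zip(names, control_totals(logged), control_totals(processed))
            if before != after]


# Constructed sample batch as submitted by the user department.
SUBMITTED = [Txn(10234, 15000), Txn(10789, 7550), Txn(10234, 2000), Txn(11002, 31025)]


def dropped_record():
    """Last record lost during processing: every total disagrees."""
    return reconcile(SUBMITTED, SUBMITTED[:3])


def transposed_account():
    """Two digits of one account number transposed, amount intact: only the
    hash total catches it, which is why a non-financial total is kept at all."""
    altered = list(SUBMITTED)
    altered[1] = Txn(10798, 7550)
    return reconcile(SUBMITTED, altered)


def swapped_amounts():
    """Amounts of two records on the same account exchanged: no total moves.
    This is the gap the control group's error follow-up has to cover."""
    altered = list(SUBMITTED)
    altered[0], altered[2] = Txn(10234, 2000), Txn(10234, 15000)
    return reconcile(SUBMITTED, altered)
```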
Case Study
You are engaged to examine the financial
statements of Fanta-C Incorporated which has its
own computer installation. During the preliminary
understanding work, you found that Fanta-C lacked
proper segregation of the programming and
operating functions. As a result, you intensified
the evaluation of the internal control structure
surrounding the computer and concluded that the
existing compensating general control procedures
provided reasonable assurance that the objectives
of internal control were being met.
Requirements:
In a properly functioning computer environment, how is the separation of the programming and operating functions achieved?
What are the compensating general control procedures that you most likely found?