internal control iii computer related issues october 20, 2009
Post on 17-Dec-2015
Internal Control III: Computer related issues
October 20, 2009
Today we will…
1. Review some of the control exposures that relate to computerized environments.
2. Compare computerized and non-computerized control issues.
3. Discuss some controls that are specific to computerized environments.
4. Discuss ERP systems and the control issues they present.
Exposures in a computerized environment
1. Errors in data entry.
2. Natural catastrophes.
3. Theft or fraud using a computer.
4. Theft of equipment and unauthorized use.
5. Theft of data.
6. Viruses.
Errors in data entry
Any time we have a human and a computer interact, there is a possibility of miscommunication because we don’t speak the same language.
1. Data entry personnel do not understand the interface.
2. Data entry personnel make “typing” mistakes.
3. Data entry personnel enter incomplete information.
What can be done about these problems?
Reducing data entry errors
• Use encoded turnaround documents when possible. (preventive control)
• Make manual entry as intuitive as possible. (preventive control)
• Use UPC or RFID codes when possible. (preventive control)
• Include data checks and feedback - such as showing full customer name and address when a customer’s “number” is input. (detective control)
Natural catastrophes
• I include in this category all technical breakdowns that are not attributable to operator error or fraud. Power outages or network failure are examples.
• We need corrective plans here - since these are unintentional and unforeseeable in a specific sense (you can foresee the possibility, but not the specific occurrence).
• We look for either backup and recovery plans or an alternative system. Many vendors offer downtimes of an hour or less (such as Oracle).
• How often do you save your files and how many “past” generations do you keep?
Theft or fraud using a computer
• The first two exposures related to unintentional errors or problems in a computerized environment. Now we will discuss theft and fraud in a computerized environment.
• Computerized environments are especially vulnerable to theft and fraud because you cannot “see” the data. With complex data structures, it is sometimes difficult to put the data back together (one of the tasks of the A523 project) in the desired way - because different components of a transaction are, perhaps, stored in different files - even different servers.
• In addition, access to the records may occur from another location.
How is theft perpetrated?
1. A programmer might include code that diverts money to them directly or that allows them re-entry (a trojan horse).
2. A hacker might, from a remote location, break into the system using stolen or guessed passcodes and steal company resources.
3. A user might steal cash or other assets and then find a way to alter the accounting database records to hide the theft.
How can theft be prevented?
1. Programs should be ‘tested’ and the original programs should be kept in a secure place for comparison. In other words, you can’t just audit around the computer. The programs themselves need to be periodically reviewed. This ensures the integrity of the programming and keeps programmers from successfully stealing from the company.
2. Sophisticated network security is essential for the protection of computerized systems. Have you noticed that your computer has to be registered in order to use it on campus? If you can control access to certain areas by requiring the access be obtained only by recognized computers, then you have created a responsibility chain. In addition, encrypted information transmission is essential for sensitive data.
3. Access to recording should be restricted to authorized personnel. Entries should never be able to be deleted without an audit trail. Each user should only see the “areas” for which they are authorized in menu-driven systems.
Theft of equipment and unauthorized use
Computer assets (the physical assets) are valuable and typically contain important information.
We used to be concerned about people using our hardware without being authorized - computer “time” was unbelievably expensive. An hour of CPU time used to cost many thousands of dollars. That has changed with the change in computer architecture.
Laptops are easy to steal, as are palm pilots and other equipment. Such equipment is now independent (stand-alone equipment).
Preventing unauthorized access and equipment theft
1. Equipment should be locked up if possible (physical access should be restricted). In the case of laptops, responsibility for security should be assigned to an individual.
2. Access to files should be restricted by password and physical access requirements and limited to activities that leave a trail.
3. Many companies have “computer logs” generated to see if employees are misusing their computers (for pornography or playing games).
Theft of data
1. Theft of sensitive data is an important problem in the computerized environment - partially because it is not always evident that it was taken.
2. Hackers broke into a bank computer and stole customer credit information and used it to steal customer identities.
3. A company engaged in industrial espionage by stealing another company’s proprietary data.
Viruses
Viruses can shut down the availability of a computer (causing a business interruption). They can also destroy important files.
Comparison of computerized and non-computerized control issues
(Columns of the original table: Element or Activity; Manual System Characteristics; Computer-Based System Characteristics; Risk Exposures; Compensating Controls.)
Data Collection
• Manual: Data recorded on paper source documents. Computer-based: Data sometimes captured without use of source documents. Risk exposure: Audit trail may be partially lost. Compensating control: Printed copies of source documents prepared by computer system.
• Manual: Data reviewed for errors by clerks. Computer-based: Data often not subject to review. Risk exposure: Errors, accidental or deliberate, may be entered for processing. Compensating control: Edit checks performed by computer system.
Data processing
• Manual: Processing steps performed by clerks who can use judgment. Computer-based: Processing steps performed by CPU instructions - no judgment. Risk exposure: Errors may cause incorrect results of processing. Compensating control: Outputs reviewed by users of computer system; carefully developed computer processing programs.
• Manual: Processing steps spread among various clerks in separate departments. Computer-based: Processing steps concentrated. Risk exposure: Unauthorized manipulation of data and theft of assets can occur on a larger scale. Compensating control: Restricted access to computer facilities; clear procedure for authorizing changes to programs.
• Manual: Processing requires use of journals and ledgers. Computer-based: Processing does not require journals. Risk exposure: Audit trail may be partially lost. Compensating control: Printed journals and other analyses.
• Manual: Processing performed rather slowly. Computer-based: Processing performed very rapidly. Risk exposure: Effect of errors may spread rapidly throughout files. Compensating control: Editing of all data during input and processing steps.
Data Storage and retrieval
• Manual: Data stored in file drawers throughout various departments. Computer-based: Data compressed on magnetic (or optical) media. Risk exposure: Data may be accessed by unauthorized persons or stolen. Compensating control: Security measures at points of access and over the data library.
• Manual: Data stored on hard copies in human-readable form. Computer-based: Data stored in invisible, erasable, computer-readable form. Risk exposure: Data are temporarily unusable by humans and might possibly be lost. Compensating control: Data files printed periodically; backups of files; protection against sudden power losses.
• Manual: Stored data accessible on a piece-meal basis at various locations. Computer-based: Stored data often readily accessible from various locations via network. Risk exposure: Data may be accessed by unauthorized persons. Compensating control: Security measures at points of access.
Information generation
• Manual: Outputs generated laboriously and usually in small volumes. Computer-based: Outputs generated quickly and neatly, often in large volumes. Risk exposure: Inaccuracies may be buried in impressive-looking outputs that users accept on faith. Compensating control: Reviews by users of outputs, including the checking of amounts.
• Manual: Outputs usually in hard-copy form. Computer-based: Outputs provided in various forms, including soft-copy displays and voice responses. Risk exposure: Information stored on magnetic media is subject to modification (only hard copy provides a permanent record). Compensating control: Backups of files; periodic printing of stored files onto hard-copy records.
Transmission of data and information
• Manual: Usually transmitted via postal service and hand delivery. Computer-based: Often transmitted by communication lines. Risk exposure: Data may be accessed, modified or destroyed by unauthorized persons. Compensating control: Security measures over transmission lines; coding of data; verification of transmitted data.
Equipment
• Manual: Relatively simple, inexpensive and mobile. Computer-based: Relatively complex, expensive and (sometimes) in fixed locations. Risk exposure: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed or stolen; operations may be delayed through inefficiencies. Compensating control: Backup of data, power supply and equipment; preventative maintenance of equipment; restriction on access to facilities; documentation of equipment usage and processing procedures.
Controls in computerized environments
1. Data entry using prerecorded data
2. Edit checks (data checks)
3. Batch processing controls
4. Access controls
5. Computer generated (and numbered) forms
Data entry using prerecorded data
• Data entry of turnaround documents, particularly if they are machine readable, is less prone to error. UPC codes at the grocery store are an example, as is a magnetically encoded remittance advice.
• In addition, when an item (a remittance advice or an item at the grocery store) is scanned in, a display containing reconcilable information is typically provided, further minimizing the potential for erroneous data entry.
Edit checks
• When data are entered, the data codes frequently contain a check digit that makes sure that the data were entered (and stored) correctly.
– When the number 42306 is stored in a database, an additional digit might be added to the end - 6. 4+2+3+0+6=15, and 1+5=6, so the number would be stored as 423066 (this is an intuitive analogy to what is actually happening).
• This can be used for any data, since any data can be converted to a numeric value (we call the code ASCII).
• Also, we do “reasonableness” checks on the data - amount sizes, formats, etc.
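An added example in Python, not part of the lecture slides, showing the check digit idea above in working code. It implements the slide's "intuitive" scheme (the repeated digit sum, i.e. the digital root) exactly as described, and goes one step beyond the slide by placing it beside the Luhn mod-10 check digit used on real card and account numbers, which shows why practical schemes weight the digit positions: the plain digit sum cannot notice two digits swapped or a digit changed by 9. Function names and the sample code 42306 are my own choices for the demonstration.

```python
# Added example (not from the slides): the lecture's digit-sum check digit
# beside the Luhn check digit. Sample codes are constructed for the demo.

def digital_root(digits: str) -> int:
    """Repeatedly sum the digits until a single digit remains (the slide's analogy)."""
    total = sum(int(c) for c in digits)
    while total >= 10:
        total = sum(int(c) for c in str(total))
    return total


def append_root_check(payload: str) -> str:
    """Store the code with its digital root appended, as the slide describes."""
    return payload + str(digital_root(payload))


def verify_root_check(code: str) -> bool:
    """Recompute the root over everything but the last digit and compare."""
    return digital_root(code[:-1]) == int(code[-1])


def luhn_check_digit(payload: str) -> str:
    """Luhn (mod 10): double every second digit counting from the right
    (the rightmost payload digit is doubled once the check digit is appended),
    subtract 9 from any product above 9, and pick the digit that makes the
    total a multiple of 10."""
    total = 0
    for i, c in enumerate(reversed(payload)):
        d = int(c)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def append_luhn_check(payload: str) -> str:
    return payload + luhn_check_digit(payload)


def verify_luhn(code: str) -> bool:
    """Luhn validation over the full code, check digit included."""
    total = 0
    for i, c in enumerate(reversed(code)):
        d = int(c)
        if i % 2 == 1:          # every second digit from the right, skipping the check digit
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    stored = append_root_check("42306")            # "423066", as on the slide
    print("digit-sum scheme stores", stored)
    # Two keying errors the digit-sum scheme cannot see:
    print("swapped digits 24306 accepted?", verify_root_check("243066"))   # True
    print("0 keyed as 9 accepted?", verify_root_check("423966"))           # True
    luhn = append_luhn_check("42306")              # "423061"
    print("Luhn stores", luhn)
    print("Luhn accepts swapped digits?", verify_luhn("243061"))          # False
```

The digit-sum scheme still catches most single-digit slips (keying 423166 instead of 423066 fails the check), which is why the slide's analogy is a fair picture of what a check digit does; the Luhn comparison shows the extra mileage a weighted scheme buys for the same one extra digit.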
Batch processing controls
• Batch totals
– Record counts and line counts
– Document counts
– Dollar totals (the total of Cash Receipts)
– Hash totals (like an edit check)
• Sequence checks
• Written approvals
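An added example in Python, not from the slides, that computes the batch controls just listed over a constructed batch of cash receipts: the record count, document count and dollar total, a hash total over the customer numbers, and a sequence check on the document numbers. The totals prepared by hand from the source documents before keying are compared with the totals the computer derives from what was actually keyed, so a mis-keyed customer number shows up in the hash total even though every dollar amount agrees. Receipts, customer numbers and amounts are all made up for the demo, and the field names are my own.

```python
# Added example (not from the slides): batch control totals and a sequence
# check over a constructed batch of cash receipts.

from collections import namedtuple
from decimal import Decimal

Receipt = namedtuple("Receipt", "doc_no customer_no amount")

# Constructed batch as it was keyed. Receipt 1003's customer number was keyed
# as 42360; the source document says 42306 (a transposition).
KEYED_BATCH = [
    Receipt(1001, 42306, Decimal("150.00")),
    Receipt(1002, 51877, Decimal("89.95")),
    Receipt(1003, 42360, Decimal("1250.00")),
    Receipt(1004, 60012, Decimal("320.40")),
]

# Control totals prepared manually from the source documents before keying.
MANUAL_TOTALS = {
    "record_count": 4,
    "document_count": 4,
    "dollar_total": Decimal("1810.35"),
    "hash_total": 42306 + 51877 + 42306 + 60012,   # 196501
}


def batch_totals(batch):
    """Record count, distinct document count, dollar total, and a hash total
    (the sum of customer numbers: meaningless as a figure, but it changes
    whenever an account number is mis-keyed)."""
    return {
        "record_count": len(batch),
        "document_count": len({r.doc_no for r in batch}),
        "dollar_total": sum((r.amount for r in batch), Decimal("0")),
        "hash_total": sum(r.customer_no for r in batch),
    }


def sequence_gaps(batch):
    """Sequence check: document numbers should run without gaps.
    Returns the missing numbers between the lowest and highest present."""
    nums = sorted(r.doc_no for r in batch)
    if not nums:
        return []
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def reconcile(batch, manual_totals):
    """Names of the controls whose computed value disagrees with the manual total."""
    computed = batch_totals(batch)
    return sorted(k for k in manual_totals if computed[k] != manual_totals[k])


if __name__ == "__main__":
    print("computed:", batch_totals(KEYED_BATCH))
    print("controls out of balance:", reconcile(KEYED_BATCH, MANUAL_TOTALS))   # ['hash_total']
    print("sequence gaps:", sequence_gaps(KEYED_BATCH))                          # []
```

Because the dollar total and counts all agree, only the hash total flags the batch, which is the point of carrying a total that has no business meaning of its own: it is sensitive to the fields that the financial totals ignore.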
Access controls
• We need to limit access to our data. We do this in 3 ways:
– Limit physical access: only networked computers can access the system.
– Limit each individual's access using passwords.
– Prohibit direct access to the files (require that all file access be through software that leaves an audit trail).
• You should never be able to delete journal entries!
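An added example, not from the slides, of the last two points in working code: a small journal kept in SQLite (Python's built-in sqlite3 module) where entries can never be deleted or edited in place, corrections are made by posting a reversing entry that points back at the original, and a trigger writes the audit trail on every posting so the application code cannot forget to. The table and column names, the trigger names, and the sample postings are my own constructions for the demonstration.

```python
# Added example (not from the slides): an append-only journal with an
# automatic audit trail, enforced inside the database rather than by the
# application. Schema and sample entries are constructed for the demo.

import sqlite3

SCHEMA = """
CREATE TABLE journal (
    entry_id   INTEGER PRIMARY KEY,
    posted_by  TEXT    NOT NULL,
    account    TEXT    NOT NULL,
    amount     INTEGER NOT NULL,                    -- cents; a reversal is the negation
    reverses   INTEGER REFERENCES journal(entry_id) -- original entry, for reversals only
);
CREATE TABLE audit_trail (
    event_id  INTEGER PRIMARY KEY,
    entry_id  INTEGER NOT NULL,
    action    TEXT    NOT NULL,
    actor     TEXT    NOT NULL,
    at        TEXT    NOT NULL DEFAULT (datetime('now'))
);
-- Deleting or changing a journal entry is refused outright.
CREATE TRIGGER no_delete BEFORE DELETE ON journal
BEGIN SELECT RAISE(ABORT, 'journal entries cannot be deleted; post a reversal'); END;
CREATE TRIGGER no_update BEFORE UPDATE ON journal
BEGIN SELECT RAISE(ABORT, 'journal entries cannot be changed; post a reversal'); END;
-- Every posting leaves a trail, whichever program inserted it.
CREATE TRIGGER log_insert AFTER INSERT ON journal
BEGIN
    INSERT INTO audit_trail(entry_id, action, actor)
    VALUES (NEW.entry_id,
            CASE WHEN NEW.reverses IS NULL THEN 'post' ELSE 'reverse' END,
            NEW.posted_by);
END;
"""


def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def post(conn, user, account, cents):
    cur = conn.execute(
        "INSERT INTO journal(posted_by, account, amount) VALUES (?, ?, ?)",
        (user, account, cents))
    conn.commit()
    return cur.lastrowid


def reverse(conn, user, entry_id):
    """The only sanctioned way to 'remove' an entry: post its negation, linked to the original."""
    account, amount = conn.execute(
        "SELECT account, amount FROM journal WHERE entry_id = ?", (entry_id,)).fetchone()
    cur = conn.execute(
        "INSERT INTO journal(posted_by, account, amount, reverses) VALUES (?, ?, ?, ?)",
        (user, account, -amount, entry_id))
    conn.commit()
    return cur.lastrowid


def try_delete(conn, entry_id):
    """Attempt a direct delete; returns False when the trigger refuses it."""
    try:
        conn.execute("DELETE FROM journal WHERE entry_id = ?", (entry_id,))
        conn.commit()
        return True
    except sqlite3.DatabaseError:
        conn.rollback()
        return False


def balance(conn, account):
    (total,) = conn.execute(
        "SELECT COALESCE(SUM(amount), 0) FROM journal WHERE account = ?", (account,)).fetchone()
    return total


def audit_actions(conn):
    """The audit trail as (entry_id, action, actor) tuples in posting order."""
    return [tuple(r) for r in conn.execute(
        "SELECT entry_id, action, actor FROM audit_trail ORDER BY event_id")]


if __name__ == "__main__":
    db = open_ledger()
    e1 = post(db, "alice", "cash", 15000)
    print("delete allowed?", try_delete(db, e1))       # False: the trigger aborts it
    reverse(db, "bob", e1)
    print("cash balance:", balance(db, "cash"))        # 0, but both entries remain
    print("audit trail:", audit_actions(db))
```

The balance ends at zero either way; the difference is that the reversal leaves both the original entry and a trail naming who posted and who reversed, which is exactly what a deleted row would have taken with it.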
Computer generated forms
• Whenever documents such as purchase orders or sales orders or invoices are computerized…
– The numbering system is protected. Individuals cannot manipulate the numbering system.
– Whatever information is on the document is in the database (by construction).
– Reconciliation is easier.
• Copies can be printed out for a permanent record.
ERPs
• Enterprise Resource Planning systems (ERPs) are the current technological frontier. They are basically a database that encompasses most or all of the organization’s information storage and processing.
• Indiana University uses such a system from a vendor called PeopleSoft. Other notable vendors are SAP and Oracle. OneStart is the student and faculty interface for this system. Your grades and my paycheck are both generated from this software package.
• ERPs are quite powerful tools, but they have their own control issues.
ERPs
• Employee buy-in and training are essential.
• There is only one system and it is BIG.
• Since everything is in this one system, if someone were to find a way to compromise the system (get in where they are unauthorized), they would have unbelievable power to steal or do damage.
• The system is so big that it is impossible for most managers (or auditors) to really understand how it works.