Chapter 21 Ans





I. Review Questions

1. The proper installation of IT can lead to internal control enhancements by
replacing manually-performed controls with computer-performed controls.
IT-based accounting systems have the ability to handle tremendous volumes of
complex business transactions cost effectively. Computer-performed controls
can reduce the potential for human error by replacing manual controls with
programmed controls that apply checks and balances to each transaction
processed. The systematic nature of IT offers greater potential to reduce the risk
of material misstatements resulting from random, human errors in processing.

The use of IT-based accounting systems also offers the potential for improved
management decisions by providing more and higher quality information on a
more timely basis than traditional manual systems. IT-based systems are usually
administered effectively because the complexity requires effective organization,
procedures, and documentation. That in turn enhances internal control.

2. When entities rely heavily on IT systems to process financial information, there
are new risks specific to IT environments that must be considered. Key risks
include the following:

• Reliance on the functioning capabilities of hardware and software. The
risk of system crashes due to hardware or software failures must be
evaluated when entities rely on IT to produce financial statement
• Visibility of audit trail. The use of IT often converts the traditional paper
trail to an electronic audit trail, eliminating source documents and
paper-based journals and records.
• Reduced human involvement. The replacement of traditional manual
processes with computer-performed processes reduces opportunities for
employees to recognize misstatements resulting from transactions that
might have appeared unusual to experienced employees.
• Systematic versus random errors. Due to the uniformity of processing
performed by IT-based systems, errors in computer software can result in
incorrect processing for all transactions processed. This increases the risk
of many significant misstatements.
• Unauthorized access. The centralized storage of key records and files in
electronic form increases the potential for unauthorized on-line access from
remote locations.
• Loss of data. The centralized storage of data in electronic form increases
the risk of data loss in the event the data file is altered or destroyed.
• Reduced segregation of duties. The installation of IT-based accounting
systems centralizes many of the traditionally segregated manual tasks into
one IT function.
• Lack of traditional authorization. IT-based systems can be programmed to
initiate certain types of transactions automatically without obtaining
traditional manual approvals.
• Need for IT experience. As companies rely to a greater extent on IT-based
systems, the need for personnel trained in IT systems increases in order to
install, maintain, and use systems.

21-2 Solutions Manual - Principles of Auditing and Other Assurance

3. General controls relate to all aspects of the IT function. They have a global
impact on all software applications. Examples of general controls include
controls related to the administration of the IT function; software acquisition and
maintenance; physical and on-line security over access to hardware, software,
and related backup; back-up planning in the event of unexpected emergencies;
and hardware controls. Application controls apply to the processing of
individual transactions. An example of an application control is a programmed
control that verifies that all time cards submitted are for valid employee ID
numbers included in the employee master file.

4. The most significant separations of duties unique to computer systems are those
performed by the systems analyst, programmer, computer operator, and
database administrator. The idea is that anyone who designs a processing system
should not also do the technical work, and anyone who performs either of these
tasks should not also be the computer operator when real data is processed.

5. Typical duties of personnel:

a. Systems analysis: Personnel will design and direct the development of new
b. Programming: Other personnel will actually do the programming dictated
by the system design.
c. Operating: Other people will operate the computer during processing runs,
so that programmers and analysts cannot interfere with the programs
designed and executed, even if they produce errors.
d. Converting data: Since this is the place where misstatements and errors can
be made – the interface between the hardcopy data and the
machine-readable transformation, people unconnected with the computer system
itself do the data conversion.
e. Library-keeping: Persons need to control others’ access to system and
program software so it will be used by authorized personnel for authorized
f. Controlling: Errors always occur, and people not otherwise connected with
the computer system should be the ones to compare input control
information with output information, provide for correction of errors not
involving system failures, and distribute output to the people authorized to
receive it.

Internal Control in the Computer Information System 21-3

6. Documentation differs significantly as to inclusion of program flowcharts,
program listings, and technical operating instructions. File security and
retention differ because of the relatively delicate form of the magnetic media
requiring fireproof vault storage, insulation from other magnetic fields,
safeguards from accidental writing on data files, and so forth.

7. Auditors review documentation to gain an understanding of the system and to
determine whether the documentation itself is adequate for helping manage and
control the computer processing.

8. Responsibilities of the database administrator (DBA) function are:

• Design the content and organization of the database, including logical
data relationships, physical storage strategy and access strategy.
• Protect the database and its software, including control over access to
and use of the data and DBMS and provisions for backup and recovery
in the case of errors or destruction of the database.
• Monitor the performance of the DBMS and improve efficiency.
• Communicate with the database users, arbitrate disputes over data
ownership and usage, educate users about the DBMS and consult users
when problems arise.
• Provide standards for data definition and usage and documentation of
the database and its software.

9. Five things a person must have access to in order to facilitate computer fraud:
a. The computer itself.
b. Data files.
c. Computer programs.
d. System information (documentation).
e. Time and opportunity to convert assets to personal use.

10. Because many companies that operate in a network environment decentralize
their network servers across the organization, there is an increased risk for a lack
of security and lack of overall management of the network operations. The
decentralization may lead to a lack of standardized equipment and procedures.
In many instances, responsibility for purchasing equipment and software,
maintenance, administration, and physical security often resides with key user
groups rather than with features, including segregation of duties, typically
available in traditionally centralized environments because of the ready access to
software and data by multiple users.

II. Multiple Choice Questions

1. c    7. b     13. c    19. c    25. b
2. a    8. b     14. c    20. c    26. c
3. d    9. c     15. c    21. a    27. c
4. b    10. a    16. a    22. c    28. d
5. d    11. b    17. b    23. b    29. b
6. d    12. a    18. a    24. c    30. d

III. Comprehensive Cases

Case 1. Does access to on-line files require specific passwords to be entered to
identify and validate the terminal user?
POSSIBLE ERRORS OR IRREGULARITIES – unauthorized access may be obtained to
processing programs or accounting data resulting in the loss of assets or other
company resources.

Are control totals established by the user prior to submitting data for processing?
POSSIBLE ERRORS OR IRREGULARITIES – sales transactions may be lost in data conversion
or processing, or errors made in data conversion or processing.

Are input totals reconciled to output control totals?
POSSIBLE ERRORS AND IRREGULARITIES – (same as above). Control totals are useless
unless reconciled to equivalent controls created during processing.

Case 2. a. 1. Input control objectives
• Transactions have been recorded properly (neither double-counted nor
omitted – that is, control over validity and completeness)
• Transactions are transmitted from recording point to processing point
• Transactions are in acceptable form

2. Processing control objectives
• Loss or nonprocessing of data is detected
• Arithmetic functions are performed accurately
• Transactions are posted properly
• Errors detected in the processing of data are controlled until corrected
and processed

3. Output control objectives
• Processed data are reported correctly and without unauthorized
• Output is required by the user
• Output is distributed only to persons authorized to receive it

b. 1. Control procedures – input source data
• Registration at point of entry
• Sequential numbering
• Grouping (batching) with control totals
• Key verification
• Programmed edits
• Edits for completeness and reasonableness
• Checklists to ensure input arrived and on time

2. Control procedures – processing controls
• Prevention of loss or nonprocessing of data (e.g., control totals)
• Performance of arithmetic functions
• Assurance of proper posting (sample test of postings)
• Correction of errors
• Exclusion of unauthorized persons from operating areas (e.g.,

3. Control procedures – output controls
• Review performed by originating area of the reports and other output
• Sampling and testing of individual transactions
• Use of control totals obtained independently from prior processing or
original source data
• Distribution lists used to route output only to authorized persons
• Making inquiries as to whether the output is desired by the recipient

Case 3. a. The primary internal control objectives in separating the programming
and operating functions are achieved by preventing operator access to the
computer or to input or to output documents, and by preventing operator
access to operating programs and operating program documentation, or by
preventing operators from writing or changing programs.

Programmers should not be allowed in the computer room during
production processing. They should submit their tests to be scheduled and
run by the operators as any other job.

Operators should not be allowed to interfere with the running of any
program. If an application fails, the operators should not be allowed to
attempt to fix the programs. The failed application should be returned to
the programmers for correction.
b. Compensating controls usually refer to controls in user departments
(departments other than computer data processing). In a small computer
installation where there are few employees, segregation of the programming
and operating functions may not be possible (as in a microcomputer or
minicomputer environment). An auditor may find compensating controls in
the user department such as: (1) manual control totals compared to
computer output totals and (2) careful inspection of all output. Such
compensating controls in a simple processing system could provide
reasonable assurance that all transactions were processed, processing was
proper and no unauthorized transactions were processed.

An auditor may find the following compensating controls that are
particularly important when the programming and operating functions are
not separate:
1. Joint operation by two or more operators.
2. Rotation of computer duties.
3. Comparison of computer times to an average or norm.
4. Investigation of all excess computer time (errors).
5. Adequate supervision of all computer operations.
6. Periodic comparison of a program code value to a control value.
7. Required vacations for all employees.

Case 4. a. Input editing is the process of including, in EDP systems, programmed
routines for computer checking as to validity and accuracy of input. Types
of input editing controls are: tests for valid codes; tests for reasonableness;
completeness tests; check digits; and tests for consistency of data entered in
numeric and alphabetic fields.

b. Examples of payroll input editing controls are:

Test for validity of employee number;
Test for proper pay rate;
Test for reasonableness of hours worked.

Examples of sales input editing controls are:

Test for validity of customer number;
Test for credit approval;
Credit limit test;
Sales price list.

c. As EDP system complexity increases, documentation, as well as manual
checking, decreases. To provide reasonable assurance as to completeness,
existence, and accuracy of processed transactions under these
circumstances, input editing becomes increasingly necessary.
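
The payroll input edits listed in Case 4, together with the control-total reconciliation from Case 1, shown as an added Python example that is not part of the solutions manual. The master file, the check-digit scheme, the 60-hour limit and the batch are constructed assumptions.

```python
import re
from decimal import Decimal, InvalidOperation
# Constructed employee master file: employee ID -> authorized hourly rate.
MASTER = {"10017": Decimal("22.50"), "10029": Decimal("31.00")}
MAX_HOURS = Decimal("60")  # assumed weekly reasonableness limit

def num(text):
    """Parse a keyed numeric field; None if it is not a finite number."""
    try:
        value = Decimal(text)
        return value if value.is_finite() else None
    except (InvalidOperation, TypeError, ValueError):
        return None

def check_digit_ok(emp_id):
    """Assumed scheme: last digit = weighted sum of leading digits mod 10."""
    body, check = emp_id[:-1], emp_id[-1]
    weights = range(len(body) + 1, 1, -1)  # 5, 4, 3, 2 for a 5-digit ID
    return str(sum(int(d) * w for d, w in zip(body, weights)) % 10) == check

def edit_record(rec):
    """Return the input edits one time-card record fails (empty = accepted)."""
    missing = [f for f in ("emp_id", "hours", "rate") if not rec.get(f)]
    if missing:
        return ["completeness: " + ", ".join(missing)]
    errors, emp_id = [], rec["emp_id"]
    hours, rate = num(rec["hours"]), num(rec["rate"])
    if not (re.fullmatch(r"[0-9]{5}", emp_id) and check_digit_ok(emp_id)):
        errors.append("check digit")
    elif emp_id not in MASTER:
        errors.append("valid code")
    if hours is None or rate is None:
        errors.append("field consistency")
    else:
        if not Decimal("0") < hours <= MAX_HOURS:
            errors.append("reasonableness of hours")
        if emp_id in MASTER and rate != MASTER[emp_id]:
            errors.append("pay rate")
    return errors

def reconcile(records, control_count, control_hours):
    """Differences between keyed input and the user's batch control totals."""
    keyed = sum((num(r.get("hours")) or Decimal("0") for r in records), Decimal("0"))
    return {"count": len(records) - control_count, "hours": keyed - control_hours}
# Constructed batch: record 3 has a transposed ID, record 4 a keying error (400 for 40).
BATCH = [{"emp_id": "10017", "hours": "40", "rate": "22.50"},
         {"emp_id": "10029", "hours": "38.5", "rate": "31.00"},
         {"emp_id": "10107", "hours": "40", "rate": "22.50"},
         {"emp_id": "10017", "hours": "400", "rate": "22.50"}]
```

With user control totals of 4 records and 158.5 hours taken from the source documents, `reconcile(BATCH, 4, Decimal("158.5"))` reports an hours difference of 360, the same keying error the reasonableness edit rejects on record 4.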

Case 5. a. Most commonly associated with supervisory programs contained in
on-line real-time systems, design phase auditing involves the auditor in system
design. The goal is to ensure inclusion of controls that will detect
exceptions or unusual conditions and record and log information about the
initiating transactions. Once the necessary controls have been designed and
incorporated into the system, frequent visits by the auditor to the client’s
premises are necessary to determine that the controls are functioning

b. Some individuals and groups have suggested that independence may be
impaired, given auditor monitoring and reviewing a system which he/she
has helped to design. The AICPA has taken the position that making
control recommendations during system design is no different from auditor
recommendations for control improvements after the fact and documented
in the management letter.

c. In some complex EDP systems, a computer audit specialist may be needed
to assist in designing the necessary controls, as well as monitoring and
reviewing the control functions. A computer audit specialist is an
employee of the CPA firm who, typically, will have served on the audit
staff for a period of time, followed by specialized training in computer
system design and control, and EDP auditing.

d. The auditor may rely on the computer audit specialist to whatever degree
considered necessary to assure proper control installation and
implementation. The in-charge field auditor must keep in mind, however,
that use of a computer audit specialist does not compensate for the field
auditor’s lack of understanding of the internal control, including the EDP
