Application controls

Chapter 10:
Computer Controls
• Introduction
• General Controls for Organizations
• General Controls for Information Technology
• Application Controls for Transaction Processing
Surveys of accountings and finance executives consistently
show that IT is one of their top concerns regarding
operational risks and internal controls (what keeps them
awake at night!).
Reasons Why Computers Can
Cause Control Problems
• Effects or errors may be magnified.
• Computers can complicate proper separation
of duties
• Audit trails may be reduced, eliminated, or
exist only for a brief time.
• Changes to data and programs may be made
by individuals lacking knowledge or
• More individuals may have access to
accounting data.
Computer Control Procedures
Computer controls are frequently classified into two
• General controls ensure that a company’s control
environment is stable and well managed in order
to strengthen the effectiveness of application
controls. Applies to all IT systems.
• Application controls are designed to prevent,
detect, and correct errors and irregularities in
transactions as they flow through the input,
processing, and output stages of data processing.
General Controls within IT
1. Personnel Controls
2. Contingency Planning, Fault-Tolerant
Systems, Backup
3. Physical & Logical Security Controls
4. Computer Facility Controls
5. Access to Computer Files
6. Controls Over Micro-Devices
1. Personnel Controls Separation of Duties
Effective separation of duties is important:
Over 36% of fraud cases involve collusion. The median loss in
these cases is $500k, vs. $115k in fraud cases involving one
person. (See Case 10.6, p 318)
In IT, separation of duties should include:
• Accounting separate from IT and from other subsystems
• Programmers should not have access to live data (e.g. bank
programmer lapping accounts or giving himself a “loan”)
• Systems analysts should not do programming
• Data control group should be independent of computer operations
• Computer operators should not have access to code and should be
• Librarian should not have computer access
More Personnel Controls
• Use separate computer accounts assigned to users
on either a group or individual basis.
– Accounts allow access only to authorized portions of
the program (e.g. QuickBooks, create user ID)
– Passwords are checked against a master list.
– Call-back procedures restrict access from remote
terminals (access only granted to known terminals)
• Have an informal knowledge of employees
– 69% of fraud is done by insiders. 38% of fraudsters have financial
troubles at home, 20% have wheeler-dealer attitudes, 19% are
unwilling to share duties, 17% are in the middle of a divorce, 29%
worked in the accounting dept.
2. Contingency Planning
• Contingency planning includes the development of a formal
disaster recovery plan.
• This plan describes procedures to be followed in the case of an
emergency as well as the role of each member of the disaster
recovery team.
• The goal is to recover processing capability as soon as possible.
• A disaster recovery site can either be a:
– Cold site (have space set up to install computers quickly)
– Hot site (have computers set up and ready to process)
– Flying-start site (have computers plus up-to-date
backup and software ready to go).
• On 9/11, two offices in the WTC were destroyed
– Dean Witter had cold site; it took 2 days to get up to speed again
– Visa had a flying-start site; it took 3 min. to get up to speed
Fault-Tolerant Systems
• Fault-tolerant systems are designed to tolerate faults or
errors and are based on the concept of redundancy (having
two of the same thing).
• Two major approaches to redundant CPU processing are:
– consensus-based protocols (odd # of processors, if one disagrees it
is ignored) and
– watchdog protocols (a 2nd processor will take over if the 1st one
• Disk mirroring (disk shadowing) is when data is saved to
two disks simultaneously
• Under roll-back processing transactions are never saved
until they are complete (so if there’s a power outage, it
rolls back to its original state; e.g. deep freeze)
3. Physical & Logical Security
4. Computer Facility Controls
• Locate the Data Processing Center in a safe
location, away from windows.
• Limit employee access with electronic security,
surveillance, badges, and a mantrap. Use
biometric ID.
• Buy insurance to compensate for any loss.
5. Access to Computer Files
• Strong password - at least 8 digits that include
numbers, letters (lower & uppercase), symbols. Note
that a 15-character password is 33k times stronger than
a 8-character one.
• Change passwords periodically
• Biometric identification devices identify distinctive
user physical characteristics such as voice patterns,
fingerprints, facial patterns, odor, vein pattern, gait and
retina prints.
File Security Controls
• The purpose of file security controls is to protect
computer files from either accidental or intentional
abuse. Examples:
• External file labels
• Internal file labels
• Lock-out procedures (3 tries
to login and you’re out!)
• Read-only file designations
• All companies should regularly backup their vital
documents, files and programs offsite.
• Grandfather-parent-child procedure is used during
batch processing.
• For real-time processing -- through electronic
vaulting, data on backup can be electronically
transmitted to remote sites.
• An uninterruptible power system
(UPS) is an auxiliary power supply
that can prevent the loss of data due
to momentary surges or dips in power.
Security Controls
• Security for wireless technology
– Virtual Private Networks (VPNs)
– Data encryption
• Controls for hard-wired network systems
– Checkpoint, routing verification, and message
acknowledgement procedures
• ISO 17799 certification, assures that systems are
in place to safeguard data
6. Control Procedures for
Take inventory
Keyboard locks or cable locks
Anti-virus software
Back-up files
Laptops (encryption, authentication,
GPS, exit inspections)
• USB drives
Application Controls within IT
• Application controls pertain directly to the
transaction processing systems.
• The objectives of application controls are to
prevent, detect and correct errors and irregularities
in transactions that are processed in an IT
• Application controls are subdivided into input,
processing and output controls.
Application Controls
for Transaction Processing
Input Controls
• Input controls attempt to ensure the validity,
accuracy and completeness of the data
entered into an AIS.
• The categories of input controls include
1) data observation and recording
2) data transcription (input forms and masks)
3) edit tests
4) unfound record test
5) check digits (Modus 11)
Data Observation and
Recording Controls
Feedback mechanism
Dual observation (video cameras!)
Point-of-sale (POS) devices
Preprinted recording forms
Data Transcription
• Data transcription refers to the preparation
of data for computerized processing.
• Preformatted screens that
use input “masks” are an
important control
Edit Tests
• Input validation routines (edit programs) check the validity
and accuracy of input data after the data have been entered
and recorded on a machine-readable file.
• Edit tests examine selected fields of input data and reject
those transactions whose data fields do not meet the preestablished standards of data quality.
• Real-time systems use edit checks during data-entry.
• In QB try to create a check for $100m or a negative
amount. Try to create two identical accounts
Examples of Edit Tests
Tests for:
• Numeric field
• Alphabetic field
• Alphanumeric field
• Valid code
• Reasonableness
• Sign
• Completeness
• Sequence
• Consistency
Additional Input Controls
• Unfound-Record Test
– Transactions matched with master data files
– Transactions lacking a match are rejected
• Check-Digit Control Procedure
Processing Controls
• Processing controls focus on the
manipulation of accounting data after they
are input to the computer system.
• Two kinds:
1) Data-access controls (e.g. batch
control total, hash total, record count)
2) Data manipulation controls
(e.g. test data)
Data-Access Control Totals
• Batch control total
– Financial control total
– Non-financial control total
• Hash total
• Record count
Data Manipulation Controls
Once data has been validated by earlier portions
of data processing, they usually must be
manipulated in some way to produce useful
output. Data manipulation controls include:
Software documentation
Test Data (or test deck)
System testing
(e.g. parallel simulation)
Output Controls
• The objective of output controls is to assure the output’s
validity, accuracy and completeness.
• Activity (or proof) listings provide complete, detailed
information about all changes to master files.
• Forms control is vital for forms associated with
– Prenumbered forms are the most common
type of control utilized with computergenerated check-writing procedures.
• Shred sensitive documents (security
companies will pick up paper and
shred for you.)