Chapter 5 - Introduction to risks and controls in a computerised environment.pptx

Transcript

Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment

Chapter 5
Introduction to risks
and Internal controls
in a Computerised
environment
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.1 Introduction

5.1 Introduction
 Information and Communication Technology
(ICT) is an integral part of modern business
 ICT is a strategic resource
For example, It impacts how companies do
business, how they interact with clients, and
how business controls their processes.
 Internal controls must be implemented to
address risks
 The chapter addresses entry-level technology
and ICT principles.

Slide 2 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.1 Introduction

5.1 Introduction
Network – Two or more computers connected in one or
multiple locations.
Local Area Network (LAN) – Computers connected in one
location.
Wide Area Network (WAN) - Computers connected in
different locations.
Networks are formed by means of, for example, cables, wireless
connections or over the internet.,

Computer consists of hardware and software
 Software is the program that gives computer instructions to
perform tasks.
 Software types = system software (i.e. Microsoft Windows) and
application software (i.e. MS Word).

Accounting packages (application software)
 Databases consist of transaction files, data and transaction details
stored in master files or transaction files.
 Master files store permanent data or standing data such as
customer details.
 Transaction files are used to record transaction details.
Real-time vs batch processing systems.
Slide 3 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.2 How has Information Technology evolved?

5.2 Evolution of IT
 Traditionally
Personal computers were used on standalone
basis (i.e. not connected to each other)
Documents were printed
extensive manual controls

 Currently
Network allows for computers to be connected.
Many automated controls replaced manual
controls
Internet allowed on-line transacting

Slide 4 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.2 How has Information Technology evolved?

5.2 Evolution of IT
Trends changing the modern IT landscape
 Distributed networks (decentralisation, end-user)
 Mobility (and related risks)
 Open-source software
 Image processing (e.g. barcode, fingerprint scanning)
 Convergence (hardware, software integration)
 Cloud computing.

 Fourth industrial revolution examples include:
Artificial intelligence (AI) – a computer’s ability to mimic
or duplicate the functions of the human brain.
Machine learning – computers’ ability to learn from prior
activities.
Big Data, robotics and blockchain technology
Slide 5 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.3 How and why do companies have to govern their
computer information systems?

5.3 Information system
governance
 King IV, principle 12: IT governance framework,
risk management, internal controls
 IT impact both the business’ operational and
strategic levels.
 Advantages of good IT governance practices
include, for example:
Better risk management
Greater level of compliance with laws and obligations

 Risks from not implementing sound IT governance
include, for example:
Loss of information.
Inappropriate use of IT

Slide 6 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.3 How and why do companies have to govern their
computer information systems?

5.3 Information system
governance
 King IV: IT poses a significant risk to
businesses.
Five Components of internal controls.

 Components of internal controls
The board is responsible for control
environment, and Overseeing IT
governance implementation.
Ethics principles should be in place.

 Board can delegate:
IT governance (risk assessment) to Chief
Information Officer (CIO)
Slide 7 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.3 How and why do companies have to govern their
computer information systems?
5.3 Information system
governance
 Control activities enforce strategies and
policies to achieve control objectives.

 Two levels of control activities:
Entire system: “general controls”
Particular application: “application controls”
Impact financial information:
– Initiate, record, process, report.

 Monitoring of controls.

Slide 8 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.4 What is the impact of upgrading a manual
accounting system to an electronic accounting
system?
5.4 Impact of upgrading a manual
accounting system to electronic
accounting system
 Effect on business’s risk profile
i.e. Hackers

 Additional risks can arise

 Three principles in identifying IT risks:
Complexities that do not exist in a manual
system
Effect on management objectives
Controls Respond to risks to achieve control
objectives.

Slide 9 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.4 Manual accounting system to electronic
accounting system
Benefits and risks in
computerised system
Benefits Risks
Unwarranted reliance
Complex calculations Unauthorised data access
Consistency of Unauthorised data
processing changes

Data volumes Unintentional
amendments
Monitoring of Failure to make changes
Input, processing errors
activities Manual override
Less control Data loss: process,
circumvention transmit
Duplicate, incomplete
Segregation of duties data
Overreliance

Slide 10 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.4 Manual accounting system to electronic
accounting system
General characteristics of a
computer system
Increased risk (risk of error, omission or
fraud) in relation to:
 Easy to access data from multiple locations,
 data and functions are concentrated
 Breakdown of segregation of duties
 Lack of documentation trail
 Automatic initiation and processing of transactions.

Reduced risk in relation to:
 Consistency of processing,
 Minimal opportunity for user manipulation
 processing power (large volumes),
 assist in decision-making.
 Improve management monitoring and supervision.
Slide 11 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.5 What are the key components of a computer
information system?

5.5 Components of Computer
Information Systems (CIS)
Information systems can include:
 Hardware
Physical infrastructure (i.e. Keyboards and
printers)
 Software
Programs that exist in hardware (i.e. Pastel)
 People
Anyone that interacts with CIS
 Procedures
Instructions used to collect, store and process
data.
 Data.
All data stored in the hardware. I.e. list of
Slide 12
suppliers. (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.6 How does a computerised accounting system
operate?

Flow of transactions in a
computerised environment
Capture data
on manual
Initiate Transaction source
document

Input source
Record [Source document
document] into system

Accounting Process
Process
records: transaction Master file
Journals, amendme
general ledger, nt and
trial balance storage
Report etc. Output
Financial
statements
Slide 13 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.6 How does a computerised accounting system
operate?

Flow of transactions in a
computerised environment
Input
Capture data on the source document

Processing
Processing controls: computerised.
(checks, comparisons, calculations etc.)

Output
Stored in master files (standing data /
totals)
and transaction files (underlying
transactions).
Storage devices.
Slide 14 Print: manual output. (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.6 How does a computerised accounting system
operate?

Input and processing
environments
 Examples of Input and processing
environments
Batch entry and batch processing
Online entry, batch processing
Online entry, real-time processing
Shadow processing
 Any environment: errors/fraud can occur
 Implement controls to address risks in order to
achieve control objectives of validity,
accuracy and completeness.

Slide 15 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.7 How are computer controls classified?
5.7 Two broad categories in IT
environment
Accounting system consists of a manual and
computerized (IT) environment
IT environment controls are divided into two:
1. General information technology controls (ITGC)
(General controls)
 Framework of overall control for CIS
 Pervasive throughout CIS
 In place irrespective of whether any transactions
processed
 Includes Access controls, Application system acquisition,
System software acquisition controls, and data Centre
and network operations controls.

2. Information processing controls (Application
controls)
 Controls over manual or automated information
processing at the application level (I.E., Accounting
software).
Slide 16 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.7 How are computer controls classified?

General and application
controls
 Impact on the system when faulty general
controls vs faulty application controls
I.e. Faulty Inventory and debtors Application
system. – Issues limited on the two accounts

 Some controls are dual-purpose (either ITGC
and Application control), e.g. access controls

 Nature of controls:
 Preventative, i.e., Passwords.
 detective and corrective, i.e., Review of bank
reconciliation.

Slide 17 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

Categories of general
controls Organisatio
nal controls
and
personnel
practices
System
Access
developme
controls
nt controls

Operating Change
controls controls

Business
continuity
controls
Slide 18 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.1 Organisational controls and
personnel practices
 Controls on how the CIS department is structured
and managed
 Includes the IT staff practices
 Clear organisational structure in place.
Allocates/delegates responsibility (Segregation of
duties)
Clear reporting lines
Proper Appointment, ongoing staff development
 Risks if proper organisational structure is not in
place
Refer to examples in Auditing Fundamentals

 Top-down approach: ethical culture/control
Slide 19environment. (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.1 Organisational controls and
personnel practices
1. Delegation of responsibility
 King IV recommends that:
Ethical IT governance environment
Board take responsibility for IT and IT governance.
Action taken where all employees are non-compliant

 Delegation structure.
The board can delegate IT governance to the computer
steering committee.
The committee should have IT-skilled members.
Clear reporting lines and levels of Authority.

 The company must appoint a Chief Information Officer
(CIO).
Responsible for IT and reporting to the board.

 Day-to-day IT management delegated to the IT manager.
Slide 20 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.1 Organisational controls and
personnel practices
2. Segregation of duties
 Staff members should not perform incompatible
functions.
Incompatible functions –functions that would put a
person in a position to commit fraud or make
mistakes.

 Initiation, authorisation, execution, recording,
and assets control functions should be
segregated.

 Segregation of incompatible duties:
Between the IT department and user departments
Within the IT department

Slide 21 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?
5.8.1 Organisational controls and
personnel practices
3. Reporting, supervision and review
 Request to IT staff must be initiated by the user department.
 Users can perform the below check to ensure the integrity of the
data:
High-level review – i.e. Financial performance review
Analytical reviews and ratios
Reconciliation of data with independent or external data. i.e.
Bank recon.
Independent Review – Review of logs, registers and
transaction trails.
 Senior IT members should review system activity logs and
registers.

4. Personnel practices
 Appointment of Competent staff, training, performance reviews
 Employment policies and practices. i.e., Dismissals and training
policies.
 22Prevent overreliance.
Slide (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development and
change controls
 Controls for a new computer programme, or significant change
to existing systems
 Objective: new system or change meet users’ needs, and is
cost efficient
 Any system changes and system development must go through
five stages of system development life cycle (SDLC)
1. Request submission, needs assessment and selection
2. Planning and design
3. System development and testing
4. Implementation and
5. Post-Implementation review and training

 Consequences if controls not in place/fail…

 What if errors during development (impact)?
Ongoing impact.

Slide 23 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development
and change controls
Difference between concepts
 System development and acquisition
System developments – process followed when
new system is developed inhouse
System acquisition - process followed when new
system is acquired from the vendor
Usually large projects with high cost

 Program changes (program maintenance)
o Changes or amendments to an existing
system/program.
o Usually cost-effective.
Slide 24 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development and
change controls
System development and acquisition
 The nature of controls of System development and
acquisition and program changes are fundamentally
the same.
o But detailed controls may differ as
o Risk for System development and acquisition is higher
than program changes

SDLC (System development life cycle) phases
1. Request submission, needs assessment and
selection
 Project should originate from Written user request or
Business need (strategic in nature)
 Investigate and approve – by Board or committees
 Feasibility study.
Slide 25 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development and
change controls
SDLC phases (continued)
2. Planning and design
 Project team (team to manage the project)
 Made up of IT personnel and user department
affected.
 Work should follow programming standards and
control framework
 Project plan
 Monitor progress (Contains deadlines and
milestones).
 Users’ needs requirements
 Including Internal and external auditors needs
 Signed off by heads of users departments.
Slide 26 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development and
change controls
SDLC phases (continued)
3. System development and testing
Must be divided into three areas:
1. Development area
 Used to program and develop the system.
 Independent of live system
2. Test area
 Testing of the developed program
 Independent of live system
 Test include, program test user acceptance
testing, stress/tension test, system test, and
string/series test
3. Production area (live system)
Slide 27 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development
and change controls
SDLC phases (continued)
4. Implementation
 Controls: system conversion and transfer of data
– Conversion: parallel, direct shut down, and
phased (Modular)
 Senior experienced staff – Supervise the process
 Training of users
 System documentation.

Slide 28 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development
and change controls
SDLC phases (continued)
5. Post-implementation review
 After implementation review/assess whether:
 System meets objectives
 Controls have been implemented
 Errors detected and resolved
 System development process was effective. And
 System documentation and training material is
sufficient.

Slide 29 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.2 System development
and change controls
2. Change controls (program changes)
 Where a less significant change to the
existing system
 Objective: changes made are accurate in an
efficient manner and address user needs
 Also follow the five stages of SDLC. However:
o Less resource intensive
o Less time needed to implement the change
o Less levels of approvals are needed.
 More documentation and tracking of requests.
o High volume of request may be received
Slide 30 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.3 Access controls
 Controls (Physical or computerized) to:
 prevent unauthorised access
 Limit authorized persons to authorized areas.

 Information = asset
 Risk from hackers/other unauthorised access
 Consequences if risks materialize
 i.e., Loss of information

 Importance of the “least-privilege” principle
 Controls to prevent and detect
unauthorised access
 Physical and logical access controls.
Slide 31 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.3 Access controls
1. Preventative controls
 Security management policy
 Culture of security awareness.
 Policy should be widely distributed to all employees
 Physical access controls
 Access to the premises, computer terminals, sensitive
information and IT department
 i.e., use of security guards and locked doors
 Logical access controls
– Identification – i.e., username
– Authentication - i.e., unique Password, Password
controls.
– Authorisation i.e., Access on need basis
Slide 32 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.3 Access controls
2. Detective and corrective controls
 Logs, activity registers and security violation reports
 Logs, registers and reports must be reviewed by the senior
person.

3. Other important security controls
 Library function: Appointing data librarian

 Data communication controls:
 Encryption
 Firewalls
 Call back facility
 Assurance logos
 Antivirus and malware programs

 Regular software updates
Slide 33 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.4 Business continuity
controls
Business continuity controls:
 Ensure the continuity of processing (and
operations)
 Prevent system interruptions
 Limit the impact of interruptions

1. Preventative controls
Controls to prevent:
 Non-physical dangers
i.e., unauthorised access to data (logical access
controls).
 Physical dangers
I.e., Fire (control – Fire Alarms)
Slide 34 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.4 Business continuity
controls
2. Detective and corrective controls
 To limit interruptions, an entity should have:
i. Data backups
 Formal data backup policy, regular backups -
stored securely and tested frequently.
ii. Emergency Disaster Recovery plan
 Plan to recover information after a disaster.
iii. Mitigating the impact
 i.e., Insurance

Slide 35 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.8 How are general controls classified?

5.8.5 Operating and system
maintenance controls
Sets standards for how to manage IT
resources by:
 Scheduling for effective use
 Maintenance, use of assets
 Ensuring that library controls are in place
 Maintaining Logs and registers of
software/hardware usage and review by
management
 Implementing policies on best user practices.

Slide 36 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Which controls relate to the computerised
processing of business transactions?

5.9.1 Application controls:
Background
Application controls defined
 What is an application?
 Manual and automated controls
 Within a particular application (e.g. sales,
debtors)

 Provide reasonable assurance that recorded
transactions are:
Valid
Accurate
Complete
Slide 37 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions
5.9.1 Application controls:
Background
The primary objective of application
controls
 To prevent or detect and correct
misstatements arising when a transaction is:
Input
Processed
Output generated

Thus, application controls implemented
around:
 Input: capturing and recording of information
 Processing of data within computer
 Distribution of output
Slide 38 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.2 Manual vs computer
controls
 Three types of application controls in this
context:
Independent manual e.g. Authorizing hard
copy order.
IT-dependent manual e.g. Authorizing order
online.
Programmed (Automated) e.g. validation
controls.

 Both (manual and computer control) strive to
achieve same control objectives

Slide 39 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application
controls
 Chapters 6 to 10 (Business cycles): practical
application of detailed application controls
 Never viewed in isolation to general controls!
 Application controls are dependent on general IT
controls.
 Key areas in application controls:
Processi
Input Output
ng

Master file changes

Slide 40 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application
controls
1. Input controls
 Objective: data entered and Masterfile
amendments are valid, accurate and complete
 E.g. correct information, no duplications, not
fictitious, all input entered.
 Must also address rejected input.
 Rejected information must be identified,
investigated and corrected and re-entered.
 Consequences if input controls fail, includes i.e.:
 Unauthorized transactions
 Information/data loss
 Errors

Slide 41 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application
controls
1. Input controls (continued)
 Recording of data
Input controls are necessary over:
– Data capturer (person)
– Input documentation (including hard-copy
documents)
– Computer “screen” (Screen aids)
– Checking of validity, accuracy, and completeness
of input (logical programmed controls)
– Management review of captured data.

Slide 42 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions
5.9.3 Overview of application
controls
1. Input controls (continued)
 Input controls are achieved through the
following:
User-related controls (i.e. training, dedicated
employees doing specific job, segregation of
duties and logical access)
Documentation (Doc custody and acceptable
doc standards)
Screen aids (i.e. drop down list, and compulsory
field)
Logical programmed controls
─ Test the input of data against predetermined
rules, to validate the input.
─ E.g. validity test, limit, alphanumeric,
Slide 43 reasonability etc. (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application controls
1. Input controls (continued)
 Error correction process
Ways to correct an error:
Error Made while capturing data
 Immediate correction, use of logical
programmed controls.
Error identified on the original source
document
 System must delete the rejected transaction
 Review and correction of rejected transaction
Control total on batch control sheet differs
from control total calculated by the computer
 Control totals = batch control sheet totals
 Review of transactions (each)
Slide 44 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions
5.9.3 Overview of application
controls
2. Processing controls
 Occurs in computer: little/no user intervention
 Objectivity: Ensure Integrity of data while being
processed
 Consequences if processing controls fail could
include i.e.:
Data being lost
Duplicated data
Calculation/accounting errors
Logical and rounding errors
Invalid data added during processing
Incorrect version of the program or data file being
used.
Slide 45 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions
5.9.3 Overview of application
controls
2. Processing controls (continued)
Controls to be implemented
 User-related controls
 Correct program and file (i.e. backups,
appointing data librarian, etc.)
 Computer control totals and reports (i.e.
financial fields, hash totals and record counts)
 Controls during processing (i.e. completeness
test and file sequence investigation)
 Review, reporting and exception monitoring
 Error correction process

Slide 46 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application
controls
3. Output controls
 Involves distribution of data from stored to
viewed
 i.e. Hard-copy document, email format or on-
screen display etc.
 Objective: Output valid, prepared accurately
and completely; distributed to authorised
parties only.
 Consequences, if output controls fail, could
include i.e.:
 Output distributed to unauthorised persons
 Output being incomplete or inaccurate

Slide 47 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions
5.9.3 Overview of application
controls
3. Output controls (continued)
Controls over output includes:
 User-related controls (i.e. Access controls)
 Controls around the distribution of output (i.e.
Written policy)
 Controls applicable when receiving output (i.e.
reconcile input to output, etc.)
 Review, reporting and exception monitoring
 Error correction process.

Slide 48 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application
controls
4. Master file change controls
 When standing data changed, added, deleted
 E.g.: Debtors/creditors details, price lists,
inventory details
 Requested by user, not computer
 Master file data is captured once, and then
 used repeatedly when transactions processed
 If data error in master file: data errors in all
affected transactions
 i.e. error in price list = incorrect sales value
 Consequences if master file change controls
fail.
Slide 49 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions

5.9.3 Overview of application
controls
4. Master file change controls
(continued)
Controls over master file amendments
 User-related controls (i.e. Senior person
approval)
 Request forms (i.e. Masterfile amendments
request form)
 Input controls
 Review, reporting and exception monitoring
(i.e. Review of logs and registers)

Slide 50 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.9 Controls over computerised processing of
business transactions
5.9.3 Overview of application
controls
5. Other controls
 Data communication
Electronic data transmission from sender to
receiver.
Fixed-line, wireless (Wi-Fi and Bluetooth), etc.

Controls that should be in place over data
communication
 Similar controls to processing control
 Specialized software (i.e., encryption and
firewalls)
 Specialized communication management
software that manages communication
 Physical cable protection
Slide 51 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.10 How are controls identified in advanced
technologies?

5.10 Controls for advanced
technologies
 Substance of controls remains same in advanced
system
 Process to follow when implementing/evaluating
controls over any form of technology:
Understanding Technology
Identify Risks
Identify and evaluate Existing controls
Break down technology into components (i.e.
input, processing and reviews)
Actual vs theoretical
Evaluate impact of existing controls and risk
Select suitable controls to mitigate remaining risks.
Slide 52 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.10 How are controls identified in advanced
technologies?
5.10.1 Electronic commerce,
electronic funds transfers
and other data
communication
 Electronic commerce (online trading):
buying/selling over electronic platform
Electronic Communications and Transactions
Act, 2002.

 Examples of primary risks with electronic
communication.
 Authenticating users
 Correct and accurate capturing of data
 Communication between the internet service
provider and the company.

Slide 53 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.10 How are controls identified in advanced
5.10.1 Electronic commerce,
technologies?

electronic funds
transfers and other data
communication
 Controls:
Input controls (at capturing)
Restricting, authenticating user
Data transfer internet
Legal matters
Continuity
Logs and reviews
Other.

Slide 54 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
5.10 How are controls identified in advanced
technologies?
5.10.2 Service organisations,
outsourcing and data
warehousing
 Outsourcing: performed by 3rd party
(“service organisation” - SO) rather than
company itself

 Data warehousing: Data stored on third
party’s server for a fee

 Most important issues relating to data:
Transfer from company to SO
Ownership
Security, protection at SO
Losses.
Slide 55 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment
Appendix: Electronic Funds Transfer controls

EFT controls: Components
 Capturing of data
 Restricting access of users and authenticating
users
 Transfer of data over the internet
 Protecting against losses
 Policies and procedures
 Logs and reviews
 Other specialised controls.
Refer to Appendix of Auditing Fundamentals for
risks, objectives and detailed controls.

Slide 56 (C) Oxford University Press Southern Africa (Pty) Ltd 2014
 Chapter 5: Intro to Risks and Internal Controls in a
Computerised Environment

Any questions?