GENERAL COMPUTER CONTROLS
Mwamba Ally Jingu: FCPA; PhD

GENERAL COMPUTER CONTROLS
The general controls comprise six controls:
• Organisational;
• Operational;
• Terminal;
• Environmental;
• File and software controls.
General (installation) controls are applied at the level of the computer centre.
They ensure that the computer centre is able to process the work received in spite of risks from natural disasters (e.g., floods) or from malicious or accidental human action.

Environmental Controls
Those dealing with the risk of fire, flood, vandalism, sabotage, theft and the adequacy of insurance cover.
Audit Objectives
To ensure that there is adequate protection for:
• the staff, computer equipment and environment,
• data and documentation against accidental or deliberate threat.

Areas of Loss
• Direct financial loss; Indirect financial loss

Areas of Control (Potential Hazards)

(i) Accidental damage from:-
• Natural disasters such as flood and fire, location disasters caused by the proximity of neighbouring risk areas
• Disruption of essential services, e.g., power failure

(ii) Deliberate damage:-
• Vandalism and sabotage; Theft; Fraud and Unauthorised use of facilities
Key Questions on Environmental Controls
1. Are there adequate controls over physical access to the computer and the related equipment? Consider
i) The characteristics of the building housing the computer
ii) The strength of the wall around the secure area
iii) Door locking and unlocking mechanisms
iv) Use of security passes
v) Presence and duties of the security officer
vi) Written log of visitors
vii) Office cleaning and maintenance arrangements
viii) Inspection of cases and bags coming into or going out of the building
ix) Detection of unauthorised access
2. Are there adequate arrangements to reduce the risk of a major disaster? Consider
i) Location of the building housing the computer
ii) Location of the computer within the building
iii) The structure of the computer room and the fire resistance of the fixtures and fittings
iv) No smoking rules
v) Tidiness of the computer area
vi) Cleaning of the computer room, especially the cavity floor
vii) Smoke detection and alarm systems
viii) Fire alarm system
ix) Location of storage tanks and water pipes
x) Necessity for flood warning systems
3. Are there adequate arrangements in the event of a major disaster? Consider
• Training of staff in the event of a disaster
• Essential services: Standby electricity generators; alternator
• Gas flooding systems for fire extinguishing
• Maintenance agreements
• Standby/Recovery arrangements
Hardware
• Standby agreements
• Testing of the standby and recovery arrangements
• Security of the standby site
• Provision to cope with prolonged loss of computing service
Software
• Back-up procedures for data files, programmes and documentation
File and Software Controls

Those governing the access to and protection of all physical magnetic files and to the data contained on them, both by way of software controls and physical controls.
Audit objectives:
To ensure that the controls and procedures adequately safeguard files against:
• loss, misuse, theft, damage,
• unauthorised disclosure, and accidental corruption, and
• provide for the recovery of information held on files.
The auditor needs to cover the following aspects:-
1. Physical file custody: The auditor should identify:
• the various types of media used,
• where it is kept and
• who is responsible for its custody and maintenance
2. Software and access control: The auditor should identify:
• the software available in the installation and also,
• check on the access restrictions, to ensure that files are safeguarded from unauthorised interference
3. Back-up and archive routines:
The accidental or deliberate loss or theft of an organisation's data, through hardware, software, data and operator errors, may have negative consequences.
The auditor should therefore check to see that there are back-up copies kept in different (remote) and secure locations that are tested periodically, on both the main and back-up sites.
4. Programme change:
The audit objective is to ensure that all production programmes are authorised, and that any amendments thereto are authorised, tested, recorded and checked.
Key Questions on File and Software Controls
1. Are there adequate controls over physical custody of files? Consider
i) Responsibilities and duties of data control personnel
ii) File librarian facilities
iii) Records, logs and registers of file custody
iv) Physical storage facilities
v) File retention criteria

2. Are there controls to prevent unauthorised amendments to data files? Consider
• Authorisation of jobs prior to processing
• Records of changes and procedures for ensuring completeness and accuracy of the record
• Supervisory review of record of changes to detect unauthorised changes
• Password protection and procedures for recording and investigating unauthorised access attempts
• Physical protection of data files
• Restricted use of utility programs
• Segregation of duties: database administration; programming; operations
• Training and Supervision
3. Are there controls to detect unauthorised changes to programs? Consider for program maintenance
• Authorisation of jobs prior to processing
• Record of program changes by system/librarian software
• Supervisory review of record of program changes to detect unauthorised changes:
  • Authority of review
  • Frequency of review
  • Procedures for follow-up of unauthorised changes
i) Password protection of programs and procedures
ii) Physical protection of production programs stored off-line
iii) Comparison of production programs to controlled copies
iv) Segregation of duties: Programming; Authorisation; Operations
v) Training and Supervision
File and Software Controls Continued

3. Are there controls to detect unauthorised changes to programs? Consider for program execution
• Access restriction to program documentation
• Procedures to prevent access to load modules during execution
• Restricted access to computer and remote terminals
• Review of job accounting reports, investigating unusual delays
• Segregation of duties: programming; operations
• Training
• Supervision
OPERATIONAL CONTROLS

Audit Objectives:
To ensure that operational controls provide the discipline and uniformity necessary to cover all aspects of the day-to-day running of production systems, from the reception of prime data through the data conversion and processing to distribution of final output. That is:
• To assess the extent to which the operating system is used to control access to the machine and an appropriate level of access to the individual files and groups of files

• To assess the adequacy of the operating system mechanisms for dumping and restoring files for security purposes and as a basis for off-site standby
• To appraise whether the operating system provides a means for gathering and recording useful information on all jobs run, which can then be used for a variety of management purposes, ranging from job accounting to control

• To appraise whether installation management, technical staff and operators implement and tune the system and monitor the machine resources in order to maximise job output, providing an equitable and efficient service to users

• To consider the processing overhead which the operating system imposes
Auditing procedures and techniques
The auditor must establish whether the structure and control techniques are adequate regarding:
• Receipt and conversion of data:- Authenticity of prime data; Movements of documents; Verification and validation of data

• Control of access to files:- User structure; Catalogue software; User identity; Passwords; Permissions; Alien files; Development and production program libraries

• Control of data during processing:- Job scheduling (long and short term)
Key Questions – Operational controls

1. Are there controls to prevent or detect errors during programme execution? Consider:
• Operational controls included in systems software
  • Maintenance of program version numbers
  • Checking of program version numbers
  • Label checking
• Operations manual detailing procedures for set-up and execution
• Details of job requirements; Job scheduling
• Distribution of paper; Distribution of magnetic output
• Training; Supervision
2. Are the arrangements for the receipt and conversion of data adequate? Consider
• Responsibility for receipt of data
• Recording of receipt of data
• Confirming the authority for processing of data
• Control over movement of data within the computer division
• Verification and validation of data

TERMINAL CONTROLS
Those governing the access to and processing performed by all terminals connected to the computer installation.
Audit Objectives:
To ensure that all terminal activity is properly authorised, and that inaccurate and inefficient processing is minimised.
The auditor should review the following:
1. Physical restrictions on access:
  • Authorisation to use terminal
  • Suitability of location of terminals
  • Provision of locks and identification devices
  • Methods of connection to mainframe
2. Software restrictions on access:
  • Identify the terminals
  • Identify the user of the terminal
  • Identify the file required
  • Time restriction
  • Encryption

3. Facilities for recording terminal activity
  • Recording terminal processing to provide a historical record. Copies of selected terminal jobs initiated may be routed to the mainframe printer for collection and inspection by the computer manager and audit.
Key Questions – Terminal controls
1. Are the physical restrictions on terminal activity adequate? Consider
i) Authority to use terminal
ii) Responsibility for terminal security
iii) Location of terminal (privacy)
iv) Use of physical locking devices
v) Method of connection to mainframe (use of substitute connections)
vi) Security of files held at remote sites
vii) Characteristics of terminal usage
2. Are the software restrictions on terminal activity adequate? Consider
i) Ability of the software to identify each terminal
ii) Ability of the software to identify the user of the terminal
iii) Control over design, issue and use of users' identification codes
iv) Control over access to data and programs for each:
  • Terminal
  • User
v) Time restrictions on users

3. Are there adequate records of terminal proceedings? Consider
i) Clerical records of activity relating to each terminal
ii) Software records of the above
iii) Supervisory review of the above records
ORGANISATIONAL CONTROLS
Those dealing with the organisation of the responsibilities of all involved in the computer process and the standards established for their efficient working.

Audit objectives:
To ensure that the procedures adopted within the computer departments provide a good separation of the various disciplines within the department, together with the presence of comprehensive written standards.

The auditor should satisfy himself or herself of the following:

1) Separation of duties:-
  • Preparation of and compliance with job descriptions
  • Establishment of a chain of command
  • Adequate consideration given to the location of staff
2) Standards:-
  • Written standards adopted and adhered to
Key questions on Organisational Controls

1. Is the overall organisation structure conducive to adequate internal controls? Consider:
i) Is the accounting function segregated from the operating and asset custodianship functions?
ii) Is there adequate division of duties within the accounting function?

2. Do employees appear competent in areas critical to internal controls? Consider
i) Job descriptions define the scope and key tasks of each post
ii) Procedure manuals document all systems
iii) Existence and implementation of a staff development programme
iv) Existence of personnel specifications and adequate screening before hiring
v) Prior years' experience of errors which may have an impact on the view of competence
3. Is the computer department organisation structure conducive to adequate internal control? Consider:
i) Clear reporting and accountability relationships
ii) Separation of computer department from users
iii) Separation of key functions within the computer department:
  • Systems design and development
  • Support and maintenance
  • Operations
  • Media storage
  • Data preparation
  • Control section
iv) Provision for supervision and quality control checks
Thank You for Your Attention

Questions and Answers

Master file controls
The purpose of master file controls is to ensure the ongoing integrity of the standing data contained in the master files. It is vitally important that stringent 'security' controls should be exercised over all master files. These include:

• Appropriate use of passwords, to restrict access to master file data
• The establishment of adequate procedures over the amendment of data, comprising appropriate segregation of duties, and authority to amend being restricted to appropriate responsible individuals
• Regular checking of master file data to authorised data, by an independent responsible official
• Processing controls over the updating of master files, including the use of record counts and control totals
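As an added illustration (not from the slides), the record-count and control-total check named in the last bullet, applied to a constructed master file update in Python; the account ids, balances and amendment batch are invented sample data:

```python
"""Batch control check for a master file update.

The updated file is accepted only if its record count, balance total and
account hash total equal the opening totals plus the authorised batch."""
from decimal import Decimal

# Constructed sample master file: (account id, balance) rows before the update.
MASTER_BEFORE = [("A100", Decimal("250.00")), ("A101", Decimal("75.50")),
                 ("A102", Decimal("0.00"))]
# Constructed authorised amendment batch; A103 is a new record.
AMENDMENTS = [("A101", Decimal("-25.50")), ("A103", Decimal("40.00"))]

def control_totals(rows):
    """Return (record count, balance total, hash total of account numbers).
    The hash total has no business meaning; it only detects changed keys."""
    count = len(rows)
    money = sum((bal for _, bal in rows), Decimal("0"))
    hash_total = sum(int(acct[1:]) for acct, _ in rows)
    return count, money, hash_total

def expected_after(before_rows, amendments):
    """Totals the updated file must show if only the authorised batch ran."""
    count, money, hash_total = control_totals(before_rows)
    existing = {acct for acct, _ in before_rows}
    for acct, delta in amendments:
        money += delta
        if acct not in existing:          # new record adds to count and hash
            count += 1
            hash_total += int(acct[1:])
            existing.add(acct)
    return count, money, hash_total

def reconcile(before_rows, amendments, after_rows):
    """Return discrepancy messages; an empty list means the update reconciles."""
    exp = expected_after(before_rows, amendments)
    got = control_totals(after_rows)
    labels = ("record count", "balance total", "account hash total")
    return [f"{lab}: expected {e}, found {g}"
            for lab, e, g in zip(labels, exp, got) if e != g]

def apply_update(before_rows, amendments):
    """Simulated update run that produces the new master file."""
    balances = dict(before_rows)
    for acct, delta in amendments:
        balances[acct] = balances.get(acct, Decimal("0")) + delta
    return sorted(balances.items())

GOOD_AFTER = apply_update(MASTER_BEFORE, AMENDMENTS)
# Constructed tampered file: an unauthorised record added outside the batch.
BAD_AFTER = GOOD_AFTER + [("A999", Decimal("500.00"))]
```

Running `reconcile` over `GOOD_AFTER` returns no discrepancies, while `BAD_AFTER` fails on all three totals, which is what the independent official would follow up.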