
Chapter 4 EDP

Chapter 4 discusses internal controls in IT environments, focusing on input, process, and output controls. It details various types of input controls, including source document and data coding controls, as well as processing and output controls to ensure data integrity and security. The chapter emphasizes the importance of validation procedures and audit trails to maintain accuracy and prevent unauthorized access to data.

Uploaded by

Genene
Copyright
© All Rights Reserved

Chapter 4

Internal Controls considerations in IT Environment

Introduction
Computer application controls fall into three broad categories:
• Input controls,
• Process controls, and
• Output controls

Input controls are designed to ensure that:
• Transactions are valid, accurate and complete
• Transactions are properly recorded

Input control includes use of:
• Pre-numbered documents
• Unique transaction identifier established by the computer
• Batch control and batch control totals
• Procedures to limit access to transactions
• Formation of an audit trail
• Computerized input validation procedures
• Self-checking digits
• Use of stored data to minimize data input

Input controls can be divided into the following broad classes:
• Source document controls
• Data coding controls
• Batch controls
• Validation controls
• Input error correction
• Generalized data input systems

Source Document Controls
• Control must be exercised over physical source documents in systems that use them to initiate transactions.
• An individual with access to purchase orders and receiving reports could fabricate a purchase transaction to a nonexistent supplier.
• To control against this type of exposure, control procedures must implement:
  • Use Pre-numbered Source Document
  • Use Source Documents in Sequence
  • Periodically Audit Source Documents

Data Coding Controls
• Coding controls are checks on the integrity of data codes used in processing.
  • A customer’s account number, an inventory item number, and a chart of accounts number are all examples of data codes.
• One method for detecting coding errors is a check digit.
  • It is a control digit added to the code when it is originally assigned that allows the integrity of the code to be established.

Batch controls
• They are an effective method of managing high volumes of transaction data through a system.
• The objective is to reconcile output produced by the system with the input originally entered into the system.
• This provides assurance that:
  • All records in the batch are processed.
  • No records are processed more than once.
  • An audit trail of transactions is created from input through processing to the output stage.

Validation Controls
• Input validation controls are intended to detect errors in transaction data before the data are processed.
• Validation procedures are most effective when they are performed as close to the source of the transaction as possible.
• There are three levels of input validation controls:
  • Field interrogation (cross-examination)
  • Record interrogation
  • File interrogation

Field interrogation
• Involves programmed procedures that examine the characteristics of the data in the field.
• Some common types of field interrogation:
  • Missing data checks - examine the contents of a field for the presence of blank spaces.
  • Numeric-alphabetic data checks - determine whether the correct form of data is in a field.
  • Zero-value checks - used to verify that certain fields are filled with zeros.
  • Limit checks - determine if the value in the field exceeds an authorized limit.
  • Range checks - assign upper and lower limits to acceptable data values.
  • Validity checks - compare actual values in a field against known acceptable values.
  • Check digit - controls identify keystroke errors in key fields by testing the internal validity of the code.
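
The field interrogation checks above, together with the check digit described under Data Coding Controls, as an added Python example that is not part of the original slides. The field names, limits and the modulus-11 weighting are assumptions; the slides do not say which check digit scheme is used.

```python
import re

VALID_TXN_CODES = {"SALE", "RETURN"}  # validity check: known acceptable values (assumed)
AMOUNT_LIMIT = 5000.00                # limit check: authorized maximum (assumed)
QTY_RANGE = (1, 999)                  # range check: lower and upper limits (assumed)
REQUIRED = ("account", "txn_code", "amount", "quantity")

def mod11_check_digit(base):
    """Weights 2, 3, 4, ... from the rightmost digit; 'X' stands for a value of 10."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    digit = (11 - total % 11) % 11
    return "X" if digit == 10 else str(digit)

def check_digit_ok(code):
    """Recompute the digit from the base code and compare it with the keyed one."""
    base, check = code[:-1], code[-1:]
    return bool(re.fullmatch(r"[0-9]+", base)) and mod11_check_digit(base) == check

def interrogate_fields(rec):
    """Return the field-level errors for one keyed record (all values are strings)."""
    errors = [f"missing data: {f}" for f in REQUIRED if not rec.get(f, "").strip()]
    if errors:
        return errors                 # the remaining checks need every field present
    if not check_digit_ok(rec["account"]):
        errors.append("check digit: account")
    if rec["txn_code"] not in VALID_TXN_CODES:
        errors.append("validity: txn_code")
    if not re.fullmatch(r"[0-9]+(\.[0-9]{1,2})?", rec["amount"]):
        errors.append("numeric-alphabetic: amount")
    elif float(rec["amount"]) > AMOUNT_LIMIT:
        errors.append("limit: amount")
    if not re.fullmatch(r"[0-9]+", rec["quantity"]):
        errors.append("numeric-alphabetic: quantity")
    elif not QTY_RANGE[0] <= int(rec["quantity"]) <= QTY_RANGE[1]:
        errors.append("range: quantity")
    return errors

# Constructed sample batch: base code 12345 was assigned check digit 5, giving 123455.
BATCH = [
    {"account": "123455", "txn_code": "SALE", "amount": "120.50", "quantity": "3"},
    {"account": "123545", "txn_code": "SALE", "amount": "120.50", "quantity": "3"},  # transposition
    {"account": "123455", "txn_code": "SALE", "amount": "12O.50", "quantity": "0"},  # letter O; qty 0
    {"account": "123455", "txn_code": "VOID", "amount": "9000", "quantity": ""},     # blank field
]

if __name__ == "__main__":
    for rec in BATCH:
        print(rec["account"], interrogate_fields(rec) or "accepted")
```

The second record passes every other field check; only the recomputed check digit reveals that two digits of the account number were transposed at keying.
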
Record interrogation
• Procedures validate the entire record by examining the interrelationship of its field values.
• Some typical tests are:
  • Reasonableness checks - determine if a value in one field, which has already passed a limit check and a range check, is reasonable when considered along with other data fields in the record.
  • Sign checks - tests to see if the sign of a field is correct for the type of record being processed.
  • Sequence checks - used to determine if a record is out of order.

File interrogation
• To ensure that the correct file is being processed by the system.
• These controls are particularly important for master files, which contain permanent records of the firm and which, if destroyed or corrupted, are difficult to replace.
  • Internal label checks - verify that the file processed is the one the program is actually calling for.
  • Version checks - used to verify that the version of the file being processed is correct.
  • Expiration date check - prevents a file from being deleted before it expires.

Input Error Correction
• When errors are detected in a batch, they must be corrected and the records resubmitted for reprocessing.
• The purpose is to ensure that errors are dealt with completely and correctly.
• There are three common error handling techniques:
  • Correct immediately,
  • Create an error file, and
  • Reject the entire batch

Generalized Data Input Systems
• To achieve a high degree of control and standardization over input validation procedures, some organizations employ a generalized data input system (GDIS).
• The GDIS approach has three advantages.
  • It improves control by having one common system perform all data validation.
  • It ensures that each AIS application applies a consistent standard for data validation.
  • It improves systems development efficiency. It eliminates the need to recreate redundant routines for each new application.
• GDIS has five major components:
  • Generalized validation module (GVM) - performs standard validation routines that are common to many different applications.
  • Validated data file - temporary holding file through which validated transactions flow to their respective applications.
  • Error file - Error records detected during validation are stored in the file, corrected, and then resubmitted to the GVM.
  • Error reports - Standardized error reports are distributed to users to facilitate error correction.
  • Transaction log - a permanent record of all validated transactions.
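
Added example, not part of the original slides: the GDIS flow above, with the generalized validation module applying the sign and reasonableness tests from the Record interrogation section. The class, field names and price ceilings are hypothetical.

```python
SIGN = {"SALE": 1, "RETURN": -1}          # sign check: expected sign per record type (assumed)
MAX_UNIT_PRICE = {"A": 50.0, "B": 500.0}  # reasonableness: price ceiling per product class (assumed)

def record_errors(rec):
    """Record interrogation; assumes field checks already passed (quantity >= 1, numeric amount)."""
    errors = []
    if rec["amount"] * SIGN[rec["type"]] <= 0:
        errors.append("sign")
    if abs(rec["amount"]) / rec["quantity"] > MAX_UNIT_PRICE[rec["product_class"]]:
        errors.append("reasonableness")
    return errors

class GDIS:
    def __init__(self):
        self.validated_file = []   # holding file feeding the applications
        self.error_file = {}       # txn_id -> (record, errors) awaiting correction
        self.transaction_log = []  # permanent record of validated transactions

    def gvm(self, rec):
        """Generalized validation module: route the record by validation result."""
        errors = record_errors(rec)
        if errors:
            self.error_file[rec["txn_id"]] = (rec, errors)
        else:
            self.error_file.pop(rec["txn_id"], None)
            self.validated_file.append(rec)
            self.transaction_log.append(rec["txn_id"])
        return errors

    def error_report(self):
        return [f"{tid}: {', '.join(errs)}" for tid, (_, errs) in sorted(self.error_file.items())]

    def resubmit(self, txn_id, **corrections):
        """Apply the user's corrections and send the record back through the GVM."""
        rec, _ = self.error_file[txn_id]
        return self.gvm({**rec, **corrections})

# Constructed sample transactions.
BATCH = [
    {"txn_id": "T1", "type": "SALE", "amount": 90.0, "quantity": 3, "product_class": "A"},
    {"txn_id": "T2", "type": "RETURN", "amount": 40.0, "quantity": 1, "product_class": "A"},
    {"txn_id": "T3", "type": "SALE", "amount": 900.0, "quantity": 2, "product_class": "A"},
]

def run_batch():
    gdis = GDIS()
    for rec in BATCH:
        gdis.gvm(rec)
    return gdis
```

A corrected record re-enters through `gvm`, so it is validated again before it reaches the validated data file and the transaction log.
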
Processing Controls
• Processing controls are designed to ensure that:
  • The correct program is used for processing
  • All transactions are processed
  • The correct transactions update files
• Processing controls are divided into three categories:
  • Run-to-run controls
  • Operator intervention controls
  • Audit Trail Controls

Run-to-Run Controls
• Run-to-run controls use batch figures to monitor the batch as it moves from one programmed procedure (run) to another.
• These controls ensure that each run in the system processes the batch correctly and completely.
• Batch control figures may be contained in either a separate control record created at the data input stage or an internal label.

Specific uses of run-to-run control figures are:
  • Recalculate Control Totals - after each run, dollar amount fields, hash totals, and record counts are accumulated and compared to the corresponding values stored in the control record.
  • Transaction Codes - ensures that only the correct type of transaction is being processed.
  • Sequence Checks - compares the sequence of each record in the batch with the previous record to ensure that proper sorting took place.
• Run-to-run controls in the revenue cycle comprise 4 runs:
  • Data input,
  • Accounts receivable update,
  • Inventory update, and
  • Output
• At the end of the accounts receivable run, batch control figures are recalculated and reconciled with the control totals passed from the data input run.
• Batch control figures are then passed to the inventory update run, where they are again recalculated, reconciled, and passed to the output run.
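
Added example, not part of the original slides: the batch control figures from the Batch controls section, recalculated and reconciled after a run as described above. The record layout and account numbers are constructed, and the hash total is assumed to be the sum of account numbers.

```python
from decimal import Decimal

def control_totals(records):
    """Batch control figures: record count, dollar total, and a hash total
    (sum of account numbers, which has no meaning except as a control)."""
    return {
        "record_count": len(records),
        "dollar_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),
    }

def reconcile(records, control_record):
    """Recalculate the figures after a run; return {figure: (expected, actual)} for mismatches."""
    actual = control_totals(records)
    return {k: (v, actual[k]) for k, v in control_record.items() if actual[k] != v}

def sequence_errors(records):
    """Compare each record with the previous one; flag any that is not in ascending order."""
    return [cur["txn_no"] for prev, cur in zip(records, records[1:])
            if cur["txn_no"] <= prev["txn_no"]]

# Constructed batch as keyed in the data input run.
BATCH = [
    {"txn_no": 1001, "account": "123455", "amount": "120.50"},
    {"txn_no": 1002, "account": "200013", "amount": "75.25"},
    {"txn_no": 1003, "account": "310027", "amount": "300.00"},
]
CONTROL_RECORD = control_totals(BATCH)   # created at the data input stage

def faulty_runs():
    """Constructed faults in later runs, each checked against the control record."""
    lost = BATCH[:2]                                        # a record dropped
    duplicated = BATCH + [BATCH[1]]                         # a record processed twice
    substituted = [BATCH[0], {**BATCH[1], "account": "200031"}, BATCH[2]]  # same count and dollars
    return {name: (reconcile(recs, CONTROL_RECORD), sequence_errors(recs))
            for name, recs in [("clean", BATCH), ("lost", lost),
                               ("duplicated", duplicated), ("substituted", substituted)]}

if __name__ == "__main__":
    for name, (diffs, out_of_order) in faulty_runs().items():
        print(name, diffs or "balanced", out_of_order)
```

The substituted record leaves the record count and dollar total unchanged, so only the hash total exposes it.
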

Operator Intervention Controls
• Systems sometimes require operator intervention to initiate certain actions, such as:
  • Entering control totals for a batch of records,
  • Providing parameter values for logical operations, and
  • Activating a program from a different point when reentering semi-processed error records.
• Operator intervention increases the potential for human error.
• Systems that limit operator intervention through operator intervention controls are less prone to processing errors.

Audit Trail Controls
• The preservation of an audit trail is an important objective of process control.
• In an AIS, every transaction must be traceable through each stage of processing from its economic source to its presentation in financial statements.
• Techniques used to preserve audit trails:
  • Transaction Logs - Every transaction successfully processed by the system should be recorded on a transaction log, which serves as a journal.
  • Log of Automatic Transactions - All internally generated transactions must be placed in a transaction log.
  • Listing of Automatic Transactions - To maintain control over automatic transactions processed by the system, the responsible end user should receive a detailed listing of all internally generated transactions.
  • Unique Transaction Identifiers - Each transaction processed by the system must be uniquely identified with a transaction number.
  • Error Listing - A listing of all error records should go to the appropriate user to support error correction and resubmission.

Output controls
• Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated.
• Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
• Batch systems are more susceptible to exposure and require a greater degree of control than real-time systems.

Controlling Batch Systems Output
• Batch systems usually produce output in the form of hard copy, which requires the involvement of intermediaries in its production and distribution.
• The output is removed from the printer by the computer operator, reviewed for correctness by the data control clerk, and then sent to the end user.
• Each stage is a point of potential exposure where the output could be reviewed, stolen, copied, or misdirected.
• Processing or printing may go wrong and produce output that is unacceptable to the end user.
• Techniques for controlling the output process:

Output Spooling
• In large-scale data-processing operations, output devices such as line printers can become backlogged with many programs at once demanding these limited resources.
• To ease this burden, applications are often designed to direct their output to a magnetic disk file rather than to the printer directly, a technique called output spooling.
• Later, when printer resources become available, the output files are printed.
• The creation of an output file as an intermediate step in the printing process presents an added exposure.
• A computer criminal may use this opportunity to perform any of the following unauthorized acts:
  • Access the output file and change critical data values
  • Access the file and change the number of copies
  • Make a copy of the output file to produce illegal reports
  • Destroy the output file before printing takes place
• The auditor should be aware of these potential exposures and ensure that proper access and backup procedures are in place to protect output files.

Print Programs
• Print programs require operator intervention.
• The common types of operator actions:
  • Pausing the print program to load the correct type of output documents
  • Entering parameters needed by the print run, such as the number of copies to be printed.
  • Restarting the print run at a prescribed checkpoint after a printer malfunction.
  • Removing printed output from the printer for review and distribution.
• Print program controls are designed to deal with:
  • The production of unauthorized copies of output, and
  • Employee browsing of sensitive data

Bursting (separating)
• When output reports are removed from the printer, they go to the bursting stage to have their pages separated and collected.
• The concern here is that the bursting clerk may make an unauthorized copy of the report, remove a page from the report, or read sensitive information.
• Primary control against these exposures is supervision.

Waste
• Output waste represents a potential exposure.
• It is important to dispose of aborted reports and the carbon copies from multipart paper removed during bursting properly.
• Computer criminals have been known to filter through trash cans searching for carelessly discarded output that is presumed by others to be of no value.
• Computer waste is also a source of technical data, such as passwords and authority tables, which a perpetrator may use to access the firm’s data files.

Data Control
• The data control group is responsible for verifying the accuracy of computer output before it is distributed to the user.
• The data control clerk will:
  • Review the batch control figures for balance;
  • Examine the report body for distorted, illegible, and missing data; and
  • Record the receipt of the report in data control’s batch control log.

Report Distribution
• Risks include reports being lost, stolen, or misdirected in transit to the user.
• Maintaining adequate access control over this file becomes highly important.
• For highly sensitive reports, distribution techniques include:
  • Reports may be placed in a secure mailbox to which only the user has the key.
  • User may be required to appear in person at the distribution center and sign for the report.
  • A security officer may deliver the report to the user.

End User Controls
• Once in the hands of the user, output reports should be reexamined for any errors that may have evaded the data control clerk’s review.
• Errors may be signs of an improper systems design, incorrect procedures, errors inserted by accident during systems maintenance, or unauthorized access to data files or programs.
• Once a report has served its purpose, it should be stored in a secure location until its retention period has expired.

Controlling Real-Time Systems Output
• Real-time systems direct their output to the user’s computer screen, terminal, or printer.
• It eliminates the various intermediaries in the journey from the computer center to the user.
• The primary threat to real-time output is the interception, disruption, destruction, or corruption of the output message as it passes along the communications link.

The Importance of Output Controls
• This threat comes from two types of exposures:
  • Exposures from equipment failure; and
  • Exposures from subversive acts, whereby a computer criminal intercepts the output message transmitted between the sender and the receiver.
• Data is accurate, complete and properly distributed on output
  • Checks on totals to catch errors
  • Review processing logs
  • Track recipients of data
• Designed to ensure
  • All data is completely processed
  • Output is distributed only to authorized recipients

End of chapter four

Thank you