To mitigate the risks occasioned by the features of a computerized information system, the management should design internal controls over the system. These controls are mainly classified into general controls and application controls.
1. General controls.
These relate to the environment within which the computer based systems are developed, maintained and operated aimed at providing reasonable assurance that the overall objectives of internal controls are achieved e.g. completeness, accuracy and validity of financial information.
The objective of the general controls is to ensure the proper development and implementation of applications and the integrity of program files and information. These controls could either be manual or programmed and are classified into;
- System development controls
- Access controls.
- Computer operations and other controls.
1. System development controls.
These relate to controls that must be exercised by the client when developing new systems or modifying existing systems. The controls that can be exercised during systems development can be discussed in the following groupings.
Appropriate review testing and approval of new systems.
The organization should set up a steering committee composed of senior management and high level representatives of system users who should the development and implementation of the new system. Management should approve specifications of the new system after the steering committee has assessed the user needs. Before the new system is commissioned for use, appropriate testing should be carried out to ensure that both the hardware and the application programs are operating effectively. The testing will provide assurance that the new system is reliable. The information technology manager, user department and the appropriate management level should give appropriate approval of new system before being placed under operation and after reviewing completeness of system documentation and results of its testing.
Controls over program changes.
Program changes refer to modifications made to existing programs. Changes in the computer system should be subject to strict controls e.g. a written request for an application program changes should be met by user department and authorized by designated manager or committee. Once changes have been made, appropriate testing should be carried out to ensure that the modified system is reliable. The system documentation should then be amended to reflect the changes and appropriate approval obtained for the modified system to start running. User training should also be carried out as appropriate.
This involves putting together information that supports and explains computer applications. The documentation provides details of capability of the system and how it is operated. System documentation is important in conducting user training and also enables the management to effectively review the system by considering whether appropriate controls have been put in place during system development.
Before switching to the new system, the whole system should be tested by running it alongside the old system for a specified period. This is important because it provides user with the opportunity to familiarize themselves with the new system before it is fully
implemented and ensures that the new system is reliable and data is correctly carried forward from the old to the new system.
2. Access controls.
The success of computerized information systems is largely dependent on the accuracy, validity and credibility of the data processed by the system. Access controls to computer hardware, software and data files is therefore vital. Access controls provide assurance that only authorized individuals use the system and that the usage is for authorized purposes only. Access may be restricted to specified persons, files, functions or computer devices. This can be achieved using both physical and programmed controls. Examples of access controls include;
- Physical restriction of access to computer facilities to specified persons only e.g. file servers should be maintained in a secure location where access is granted to only specified persons.
- Controls over computers stored in the user department could be improved by making sure that vital data on programs are not left running when the computer is left unattended.
- Passwords should be used by all staff when accessing computer facilities.
- Passwords should be changed regularly and access to password data held in a computer system should be subject to stringent controls. This will ensure that some users do not gain access to other people‘s passwords.
- In granting user rights within the system, there should be appropriate segregation of duties to ensure that rights granted are not excessive. E.g. a user should not have right to post data and also make amendments on the same data.
- When designing the user rights, sensitive data and programs should only be accessible to few individuals. In other cases, some files should be designed as ‘read only’ to avoid unauthorized amendments.
- Programs and data that do not need to be online should be stored in secure locations.
- A system‘s access log to record all attempts to log in the system should be maintained. This would record name of user, data accessed or entered, time of log in and mode of access.
- When transmitting data over communication lines, it should be encrypted to make it difficult for persons with access to communication lines from being able to modify the contents.
- There should be automatic log off i.e. the disconnection of active data terminal to prevent viewing of sensitive data on unattended terminals.
3. Computer operations and other controls.
The organization should have a reconstruction or disaster recovery plan that will allow it to regenerate important programs and data files in case of disasters or accidental destructions. The recovery plan should create back up or duplicate copies of important data files and programs which should be stored off site. The recovery plan should also be tested on regular basis to ensure that it indeed works. Other issues that should be addressed include:
- Undertaking protection measures against natural disasters such as setting up computer rooms in areas protected from floods and fitted with smoke or fire detectors.
- There should be standby equipment to revert to in case of computer breakdown.
- There should be adequate virus detection. Procedures for dealing with virus infection are.
- Establishing a formal security policy which requires only clean and certified copies of software are installed and checking data introduced from external sources for viruses.
- The company can also install antivirus software.
- Clean back up should be maintained and there should be adequate segregation of duties such that people with powers and knowledge in making amendments to the application programs should not have the responsibility for initiation and processing transactions and even making amendments to existing data.
The objective of application controls which may be manual or programmed is to ensure completeness and accuracy of accounting records and the validity of transactions processed. Application controls are therefore important in providing assurance that all transaction are recorded on timely basis and that only valid transactions are captured by the system.
Application controls are divided into;
1. Input controls.
2. Processing controls.
3. Output controls
4. Controls over master files and standby data
However, some of the controls management implement would cut across the four categories mentioned above. E.g. some edit checks could provide comfort over the completeness and accuracy of the input data by the way the data is processed and output information obtained and also provide protection over standby data.
Most errors in data processed by computerized information systems can be traced to errors made when the data was being input into the system. Controls over input fulfil the following objectives.
Completeness of input. This ensures that all transactions that took place have been processed.
Accuracy. This ensures that the recorded transactions have been captured accurately.
Validity. This ensures that only valid or genuine transactions appropriately authorized have been recorded. It also ensures credibility and reliability of recorded transactions. To achieve the above objectives the most common types of input controls that management
can implement are called edit controls and examples include:
Field checks. These controls check that all data fields required to process the transactions have been filled with correct information. The controls also ensure accuracy of processed data and its completeness because transactions cannot be properly processed if necessary data is missing.
Valid character checks. These check that data fields are filled with data of the correct type. E.g. that amounts column is filled with numerical variables. This also ensures correctness of input data.
Reasonableness or limit checks. These verify that data falls within predetermined reasonable limits. E.g. if the authorized discount is 10%, the system would seek to verify that no customer is awarded discounts beyond this limit without approved authorization. These
controls ensure accuracy and validity of the input data.
Master file checks. These verify that the codes used in processing transactions match with those from master files. E.g. that customer identification code keyed in matches with what is on sales master file. These controls ensure that data is processed against correct master file.
Document count. This agrees number of input records if what is expected as per batch control. This control ensures that all transactions are processed.
Sign checks. These ensure that data has been keyed in with correct arithmetic sign. E.g. a positive sign for debit entry and a negative sign for credit entry. The objective is to check validity and accuracy of the processed data.
Zero balance checks. These verify that for every transaction process, debit entries equal credit entries and any mismatches found are reported through an exception report. This control ensures accuracy of input data.
Other input controls include;
Generation of exception reports to capture transactions that have been rejected for failing various control checks.