For all processing systems, including computerized systems, accuracy and reliability can be achieved only with conscious planning designed to assure satisfactory results. Information, protection, and control, the objectives of internal control discussed earlier, are equally applicable to computerized systems. In order to minimize the risks associated with the special features of computerized systems, management is advised to design controls over computerized systems. These controls usually consist of both manual systems and in-built procedures. These controls are classified as General controls and Application controls.
General Controls
A company designs general controls to ensure that its overall computer system is stable and well managed. General controls relate to the environment within which computerized systems are developed, maintained and operated. These controls are aimed at providing reasonable assurance that the overall objectives of internal control are achieved. They aim at ensuring that proper development and implementation of applications are achieved and that the integrity of both data and programs is achieved. They are designed to make sure an organization’s control environment is stable and well managed. They apply to all sizes and types of systems.
General controls are usually classified into four categories. These are:
- System development controls
- The plan of organisation and operation of the computer activity
- Access controls
- Back-up and recovery procedures
Systems Development Controls
These are the controls that must be exercised by the client when designing new systems or modifying existing systems. Top management is required to participate in systems development for it to be effective. The controls that should be exercised during systems development can be categorized into four:
Review, testing and approval of new systems
The basic principles of these controls are:
- The user departments must be included in review and testing. The input of the user departments is vital at this stage. Once the user departments have had their input considered, the systems can reflect the needs of these user departments.
- The proposed system should have a written specification that should be approved by management.
- Communication between the user department and the computer department should be established during testing. Testing of a new system is as vital as the actual development of the system.
Controls over program changes
Program change refers to modifications made to application programs. These changes should be done under strict controls. These changes must be checked against incorrect or incomplete data input.
Parallel running of the new and old system
It is important that, before switching to a new system, the whole system is tested by running it in parallel with the old system. It is important to run the two systems alongside each other for some time while at the same time testing the input and output from the two systems.
Documentation procedures
This is the collection of information that supports and describes the computer application, including its development. The documentation should be secured in a library with access control.
Plan of Organisation in Computer Activity
The business should have proper segregation of duties and functions, and policies and procedures relating to control within the computerized accounting systems.
Segregation of Duties within Systems Function
- In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
- Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
- To combat this threat, organizations must implement compensating control procedures.
- Authority and responsibility must be clearly divided among the following functions:
  - Systems administration
  - Network management
  - Security management
  - Change management
  - Users
  - Systems analysis
  - Programming
  - Computer operations
  - Information system library
  - Data control
- It is important that different people perform these functions.
- Allowing a person to perform two or more of these functions exposes the company to the possibility of fraud.
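As an added illustration (not part of the original notes), the check below reviews a list of duty assignments and reports anyone who holds two or more of the functions listed above. The assignment records and people's names are constructed, and the (person, function) layout is an assumption.

```python
from collections import defaultdict

# The ten functions the notes say must be performed by different people.
FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysis", "programming",
    "computer operations", "information system library", "data control",
}

# Constructed sample assignments (person, function); not real data.
ASSIGNMENTS = [
    ("akinyi", "Programming"),
    ("akinyi", "Computer operations"),
    ("baraka", "Security management"),
    ("chege", "Data control"),
    ("chege", "data  control "),      # same function, different spelling
    ("deka", "Programming"),
    ("deka", "Payroll approval"),     # not one of the listed functions
]

def review_assignments(assignments):
    """Return (conflicts, unrecognised) for a list of (person, function)."""
    held = defaultdict(set)
    unrecognised = []
    for person, function in assignments:
        # Normalise case and spacing so one function is not counted twice.
        name = " ".join(function.lower().split())
        if name in FUNCTIONS:
            held[person].add(name)
        else:
            unrecognised.append((person, function))
    # A conflict is one person holding two or more distinct functions.
    conflicts = {p: sorted(f) for p, f in held.items() if len(f) >= 2}
    return conflicts, unrecognised

if __name__ == "__main__":
    conflicts, unrecognised = review_assignments(ASSIGNMENTS)
    for person, functions in conflicts.items():
        print(f"{person} holds incompatible functions: {', '.join(functions)}")
    for person, function in unrecognised:
        print(f"{person}: '{function}' is not a listed function, review manually")
```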
Physical Access Controls
- How can physical access security be achieved?
  - Place computer equipment in locked rooms and restrict access to authorized personnel
  - Have only one or two entrances to the computer room
  - Require proper employee ID
  - Require that visitors sign a log
  - Use a security alarm system
  - Restrict access to private secured telephone lines and terminals or PCs.
  - Install locks on PCs.
  - Restrict access to off-line programs, data and equipment
  - Locate hardware and other critical system components away from hazardous materials.
  - Install fire and smoke detectors and fire extinguishers that do not damage computer equipment
Logical Access Controls
- Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
- What are some logical access controls?
  - passwords
  - physical possession identification
  - biometric identification
  - compatibility tests
Application Controls
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program. These controls ensure that the system produces results that are complete and accurate. Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destination in a timely manner. Source data controls include:
- Forms design
- Pre-numbered forms sequence test
- Turnaround documents
- Cancellation and storage of documents
- Authorization and segregation of duties
- Visual scanning
- Check digit verification
- Key verification
Application controls are generally categorized into four groups. These are:
- Input controls
- Processing controls
- Output controls
- Control over master files and standing data
1. Input Controls
Faulty data input will always result in errors and wrong output. Controls over the completeness, validity, data conversion and rejection of input are therefore vital. Completeness controls ensure that all transactions are recorded. Validity controls ensure that only validly authorized transactions are transacted and recorded. Data conversion controls ensure that all data on source documents is properly entered into the system.
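An added example (not part of the original notes) that applies these input controls, together with the pre-numbered forms sequence test and check digit verification listed under source data controls, to a constructed batch of source documents. The Luhn mod-10 check digit scheme, the field names and the approver list are assumptions chosen for illustration.

```python
from decimal import Decimal, InvalidOperation

AUTHORIZED_APPROVERS = {"mwangi", "otieno"}  # constructed authorization list

# Constructed batch of source documents (form 1003 is deliberately absent).
BATCH = [
    {"form_no": 1001, "account": "79927398713", "amount": "250.00", "preparer": "njeri", "approver": "mwangi"},
    {"form_no": 1002, "account": "79927398710", "amount": "80.00", "preparer": "njeri", "approver": "otieno"},
    {"form_no": 1004, "account": "49927398716", "amount": "15.75", "preparer": "njeri", "approver": "kamau"},
    {"form_no": 1004, "account": "49927398716", "amount": "15.75", "preparer": "njeri", "approver": "mwangi"},
    {"form_no": 1005, "account": "1234567812345670", "amount": "12x.50", "preparer": "otieno", "approver": "otieno"},
]

def check_digit_ok(number):
    """Luhn mod-10 check (assumed scheme; the notes do not name one)."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_batch(batch, first_no, last_no):
    """Return (accepted form numbers, rejected [(form_no, reasons)], missing numbers)."""
    accepted, rejected, seen = [], [], set()
    for doc in batch:
        reasons = []
        if doc["form_no"] in seen:                      # completeness: no double entry
            reasons.append("duplicate form number")
        seen.add(doc["form_no"])
        if not check_digit_ok(doc["account"]):          # data conversion: keying error
            reasons.append("account check digit")
        if doc["approver"] not in AUTHORIZED_APPROVERS:  # validity: authorization
            reasons.append("unauthorized approver")
        elif doc["approver"] == doc["preparer"]:
            reasons.append("preparer approved own document")
        try:
            amount = Decimal(doc["amount"])
            if not amount.is_finite() or amount <= 0:
                reasons.append("amount not positive")
        except InvalidOperation:
            reasons.append("amount not numeric")
        if reasons:
            rejected.append((doc["form_no"], reasons))  # held for correction and re-entry
        else:
            accepted.append(doc["form_no"])
    # Sequence test: every pre-numbered form in the issued range must appear.
    missing = sorted(set(range(first_no, last_no + 1)) - seen)
    return accepted, rejected, missing
```

Calling `edit_batch(BATCH, 1001, 1005)` accepts only form 1001, rejects the other four entries with their reasons, and reports form 1003 as missing from the sequence.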
2. Processing Controls
These controls ensure that transactions are processed by the right software and program and transferred to the right master file, besides producing the right output. Other controls may be put in place, such as checks on overdue transactions and even credit limits.
3. Output Controls
These controls ensure that the right output is received from the input, that the results are accurate, and that the output is distributed to appropriate personnel.
4. Control Over Master Files and Standing Data
These controls ensure that amendments to master files and standing data are complete, accurate and properly authorized. These controls are similar to controls over input.