The internal controls over computer processing, which help to achieve the overall objectives of internal control, include both manual procedures and procedures designed into computer programs. Such manual and computer control procedures comprise the overall controls affecting the CIS environment (general CIS controls) and the specific controls over the accounting applications (CIS application
controls).
General CIS Controls : The purpose of general CIS controls is to establish a framework of overall control over the CIS activities and to provide a reasonable level of assurance that the overall objectives of internal control are achieved. General CIS controls may include:
1. Organization and management controls—designed to establish an organizational framework over CIS activities, including:
- Policies and procedures relating to control functions.
- Appropriate segregation of incompatible functions (e.g. preparation of input transactions, programming and computer operations).
2. Application systems development and maintenance controls—designed to provide reasonable assurance that systems are developed and maintained in an authorized and efficient manner.
They also typically are designed to establish control over:
- Testing, conversion, implementation and documentation of new or revised systems.
- Changes to application systems.
- Access to systems documentation.
- Acquisition of application systems from third parties.
3. Computer operation controls—designed to control the operation of the systems and to provide reasonable assurance that:
- The systems are used for authorized purposes only.
- Access to computer operations is restricted to authorized personnel.
- Only authorized programs are used
- Processing errors are detected and corrected.
4. Systems software controls—designed to provide reasonable assurance that system software is acquired or developed in an authorized and efficient manner, including:
- Authorization, approval, testing, implementation and documentation of new systems software and systems software modifications.
- Restriction of access to systems software and documentation to authorized personnel.
5. Data entry and program controls—designed to provide reasonable assurance that:
- An authorization structure is established over transactions being entered into the system.
- Access to data and programs is restricted to authorized personnel.
- There are other CIS safeguards that contribute to the continuity of CIS processing. These may include:
- Offsite back-up of data and computer programs.
- Recovery procedures for use in the event of theft, loss or international or accidental destruction.
- Provision for offsite processing in the event of disaster.
CIS Application Controls : The purpose of CIS application controls is to establish specific control procedures over the accounting applications in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis. CIS application controls include:
1. Controls over input—designed to provide reasonable assurance that:
- Transactions are properly authorized before being processed by the computer.
- Transactions are accurately converted into machine readable form and recorded in the computer data files.
- Transactions are not lost, added, duplicated or improperly changed.
- Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
2.Controls over processing and computer data files—designed to provide reasonable assurance that:
- Transactions, including system generated transactions, are properly processed by the computer.
- Transactions are not lost, added, duplicated or improperly changed.
- Processing errors are identified and corrected on a timely basis.
3. Controls over output—designed to provide reasonable assurance that:
- Results of processing are accurate.
- Access to output is restricted to authorized personnel.
- Output is provided to appropriate authorized personnel on a timely basis
