Internal Control III Computer related issues

March 4, 2010
Today we will…
1. Review some of the control exposures that relate to computerized environments.
2. Compare computerized and noncomputerized control issues.
3. Discuss some controls that are specific to computerized environments.
4. Discuss ERP systems and the control issues they present.
Exposures in a computerized environment
1. Errors in data entry.
2. Natural catastrophes.
3. Theft or fraud using a computer.
4. Theft of equipment and unauthorized use.
5. Theft of data.
6. Viruses.
Errors in data entry
Any time we have a human and a computer interact, there is a possibility of miscommunication because we don’t speak the same language.
1. Data entry personnel do not understand the interface.
2. Data entry personnel make “typing” mistakes.
3. Data entry personnel enter incomplete information.
What can be done about these problems?
Reducing data entry errors
• Use encoded turnaround documents when possible. (preventive control)
• Make manual entry as intuitive as possible. (preventive control)
• Use UPC or RFID codes when possible. (preventive control)
• Include data checks and feedback - such as showing full customer name and address when a customer’s “number” is input. (detective control)
Natural catastrophes
• I include in this category all technical breakdowns that are not attributable to operator error or fraud. Power outages or network failure are examples.
• We need corrective plans here - since these are unintentional and unforeseeable in a specific sense (you can foresee the possibility, but not the specific occurrence).
• We look for either backup and recovery plans or an alternative system. Many vendors offer downtimes of an hour or less (such as Oracle).
• How often do you save your files and how many “past” generations do you keep?
Theft or fraud using a computer
• The first two exposures related to unintentional errors or problems in a computerized environment. Now we will discuss theft and fraud in a computerized environment.
• Computerized environments are especially vulnerable to theft and fraud because you cannot “see” the data. With complex data structures, it is sometimes difficult to put the data back together (one of the tasks of the A523 project) in the desired way - because different components of a transaction are, perhaps, stored in different files or even on different servers.
• In addition, access to the records may occur from another location.
How is theft perpetrated?
1. A programmer might include code that diverts
money to them directly or that allows them reentry (a trojan horse).
2. A hacker might, from a remote location, break
into the system using stolen or guessed passcodes
and steal company resources.
3. A user might steal cash or other assets and then
find a way to alter the accounting database
records to hide the theft.
How can theft be prevented?
1. Programs should be ‘tested’ and the original programs should be kept in a secure place for comparison. In other words, you can’t just audit around the computer. The programs themselves need to be periodically reviewed. This ensures the integrity of the programming and keeps programmers from successfully stealing from the company.
2. Sophisticated network security is essential for the protection of computerized systems. Have you noticed that your computer has to be registered in order to use it on campus? If you can control access to certain areas by requiring that access be obtained only by recognized computers, then you have created a responsibility chain. In addition, encrypted information transmission is essential for sensitive data.
3. Access to recording should be restricted to authorized personnel. Entries should never be able to be deleted without an audit trail. Each user should only see the “areas” for which they are authorized in menu-driven systems.
Theft of equipment and unauthorized use
Computer assets (the physical assets) are valuable and typically
contain important information.
We used to be concerned about people using our hardware
without being authorized - computer “time” was unbelievably
expensive. An hour of CPU time used to cost many thousands
of dollars. That has changed with the change in computer
architecture.
Laptops are easy to steal, as are palm pilots and other
equipment. It is independent now (stand alone equipment).
Preventing unauthorized access and
equipment theft
1. Equipment should be locked up if possible
(physical access should be restricted). In the
case of laptops, responsibility for security should
be assigned to an individual.
2. Access to files should be restricted by password
and physical access requirements and limited to
activities that leave a trail.
3. Many companies have “computer logs” generated
to see if employees are misusing their computers
(for pornography or playing games).
Theft of data
1. Theft of sensitive data is an important problem in
the computerized environment - partially because
it is not always evident that it was taken.
2. Hackers broke into a bank computer and stole
customer credit information and used it to steal
customer identities.
3. A company engaged in industrial espionage by
stealing another company’s proprietary data.
Viruses
Viruses can shut down the availability of a
computer (causing a business interruption).
They can also destroy important files.
Comparison of computerized and noncomputerized control issues

Element or activity: Data collection
  Manual system characteristics: Data recorded on paper source documents.
  Computer-based system characteristics: Data sometimes captured without use of source documents.
  Risk exposures: Audit trail may be partially lost.
  Compensating controls: Printed copies of source documents prepared by computer system.

  Manual system characteristics: Data reviewed for errors by clerks.
  Computer-based system characteristics: Data often not subject to review.
  Risk exposures: Errors, accidental or deliberate, may be entered for processing.
  Compensating controls: Edit checks performed by computer system.

Element or activity: Data processing
  Manual system characteristics: Processing steps performed by clerks who can use judgment.
  Computer-based system characteristics: Processing steps performed by CPU following instructions - no judgment.
  Risk exposures: Errors may cause incorrect results of processing.
  Compensating controls: Outputs reviewed by users of computer system; carefully developed computer processing programs.

  Manual system characteristics: Processing steps spread among various clerks in separate departments.
  Computer-based system characteristics: Processing steps concentrated.
  Risk exposures: Unauthorized manipulation of data and theft of assets can occur on larger scale.
  Compensating controls: Restricted access to computer facilities; clear procedure for authorizing changes to programs.

  Manual system characteristics: Processing requires use of journals and ledgers.
  Computer-based system characteristics: Processing does not require journals.
  Risk exposures: Audit trail may be partially lost.
  Compensating controls: Printed journals and other analyses.

  Manual system characteristics: Processing performed rather slowly.
  Computer-based system characteristics: Processing performed very rapidly.
  Risk exposures: Effect of errors may spread rapidly throughout files.
  Compensating controls: Editing of all data during input and processing steps.

Element or activity: Data storage and retrieval
  Manual system characteristics: Data stored in file drawers throughout various departments.
  Computer-based system characteristics: Data compressed on magnetic (or optical) media.
  Risk exposures: Data may be accessed by unauthorized persons or stolen.
  Compensating controls: Security measures at points of access and over data library.

  Manual system characteristics: Data stored on hard copies in human readable form.
  Computer-based system characteristics: Data stored in invisible, erasable, computer-readable form.
  Risk exposures: Data are temporarily unusable by humans and might possibly be lost.
  Compensating controls: Data files printed periodically; backups of files; protection against sudden power losses.

  Manual system characteristics: Stored data accessible on a piece-meal basis at various locations.
  Computer-based system characteristics: Stored data often readily accessible from various locations via network.
  Risk exposures: Data may be accessed by unauthorized persons.
  Compensating controls: Security measures at points of access.

Element or activity: Information generation
  Manual system characteristics: Outputs generated laboriously and usually in small volumes.
  Computer-based system characteristics: Outputs generated quickly and neatly, often in large volumes.
  Risk exposures: Inaccuracies may be buried in impressive-looking outputs that users accept on faith.
  Compensating controls: Reviews by users of outputs including the checking of amounts.

  Manual system characteristics: Outputs usually in hard-copy form.
  Computer-based system characteristics: Outputs provided in various forms, including soft-copy displays and voice responses.
  Risk exposures: Information stored on magnetic media is subject to modification (only hard copy provides permanent record).
  Compensating controls: Backups of files; periodic printing of stored files onto hard-copy records.

Element or activity: Translation of data and information
  Manual system characteristics: Usually transmitted via postal service and hand delivery.
  Computer-based system characteristics: Often transmitted by communication lines.
  Risk exposures: Data may be accessed or modified or destroyed by unauthorized persons.
  Compensating controls: Security measures over transmission lines; coding of data; verification of transmitted data.

Element or activity: Equipment
  Manual system characteristics: Relatively simple, inexpensive and mobile.
  Computer-based system characteristics: Relatively complex, expensive and (sometimes) in fixed locations.
  Risk exposures: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed or stolen; operations may be delayed through inefficiencies.
  Compensating controls: Backup of data and power supply and equipment; preventative maintenance of equipment; restriction on access to facilities; documentation of equipment usage and processing procedures.
Controls in computerized environments
1. Data entry using prerecorded data
2. Edit checks (data checks)
3. Batch processing controls
4. Access controls
5. Computer generated (and numbered) forms
Data entry using prerecorded data
• Data entry of turnaround documents, particularly if they are machine readable, is less prone to error. UPC codes at the grocery store are an example, as is a magnetically encoded remittance advice.
• In addition, when an item (a remittance advice or an item at the grocery store) is scanned in, some display containing reconcilable information is typically provided, further minimizing the potential for erroneous data entry.
Edit checks
• When data are entered, the data codes frequently contain a check digit that makes sure that the data were entered (and stored) correctly.
  – When the number 42306 is stored in a database, an additional digit might be added to the end - 6. 4+2+3+0+6=15, and 1+5=6, so the number would be stored as 432066 (this is an intuitive analogy to what is actually happening).
• This can be used for any data, since any data can be converted to a numeric value (we call the code ASCII).
• Also, we do “reasonableness” checks on the data - amount sizes, formats, etc.
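The check-digit idea worked through in code, as an added example that is not part of the original slides: the digit-sum rule from the slide (42306 with its check digit 6 appended gives 423066) catches a mis-keyed digit but not a transposition such as 432066, so the example goes one step beyond the slide with a position-weighted modulus-11 check that does catch the swap. Function names and the sample numbers other than 42306 are the example's own.

```python
# Check-digit edit checks, added as an example for this page (not the slide
# author's code). digit_sum_* follows the slide's digit-sum analogy for the
# customer number 42306; weighted_mod11_* goes beyond the slide with a
# weighted modulus-11 check that also catches transposed digits.


def digit_sum_check_digit(code: str) -> str:
    """Add the digits and reduce to a single digit: 4+2+3+0+6=15, 1+5=6."""
    total = sum(int(d) for d in code)
    while total > 9:
        total = sum(int(d) for d in str(total))
    return str(total)


def digit_sum_valid(stored: str) -> bool:
    """Recompute the check digit from the body and compare with the last digit."""
    body, check = stored[:-1], stored[-1]
    return digit_sum_check_digit(body) == check


def weighted_mod11_check_digit(code: str) -> str:
    """Weight each digit by its position (ISBN-10 style) so that swapping two
    adjacent digits changes the total; a plain digit sum cannot see a swap."""
    weights = range(len(code) + 1, 1, -1)          # len+1 down to 2
    total = sum(w * int(d) for w, d in zip(weights, code))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def weighted_mod11_valid(stored: str) -> bool:
    body, check = stored[:-1], stored[-1]
    return weighted_mod11_check_digit(body) == check


if __name__ == "__main__":
    # 42306 stored with its digit-sum check digit is 423066
    print(digit_sum_check_digit("42306"), digit_sum_valid("423066"))
    # a mis-keyed digit (423076) is caught; a transposition (432066) is not
    print(digit_sum_valid("423076"), digit_sum_valid("432066"))
    # the weighted check gives 8 for 42306 and rejects the transposed 432068
    print(weighted_mod11_check_digit("42306"), weighted_mod11_valid("432068"))
```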
Batch processing controls
• Batch totals
  – Record counts and line counts
  – Document counts
  – Dollar totals (the total of Cash Receipts)
  – Hash totals (like an edit check)
• Sequence checks
• Written approvals
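The batch totals and sequence check above, run over a constructed cash-receipts batch as an added example that is not part of the original slides: the control slip totals, the receipt records, customer numbers and document numbers are all made up for the illustration. Every amount in the batch is keyed correctly, so only the hash total of customer numbers reveals the transposed customer number.

```python
# Batch processing controls, as an added example for this page (not the
# slide author's code): record and document counts, a dollar total, a
# hash total, and a sequence check run over a constructed cash-receipts batch.
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Receipt:
    doc_no: int         # pre-numbered remittance advice
    customer_no: int    # meaningless as a sum, which is what makes it a hash total
    amount: Decimal


def batch_totals(batch):
    """Totals the cashier writes on the batch control slip before keying."""
    return {
        "record_count": len(batch),
        "document_count": len({r.doc_no for r in batch}),
        "dollar_total": sum((r.amount for r in batch), Decimal("0")),
        "hash_total": sum(r.customer_no for r in batch),
    }


def sequence_gaps(batch):
    """Sequence check: pre-numbered documents missing between first and last."""
    present = {r.doc_no for r in batch}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def reconcile(batch, control_slip):
    """Return {total: (slip value, computed value)} for every total that differs."""
    computed = batch_totals(batch)
    return {k: (v, computed[k]) for k, v in control_slip.items() if v != computed[k]}


# Constructed control slip for five remittance advices, totalled by hand.
CONTROL_SLIP = {"record_count": 5, "document_count": 5,
                "dollar_total": Decimal("1250.00"), "hash_total": 218115}

# Constructed batch as keyed by the data entry clerk. Every amount is right,
# but customer 42118 on document 1002 was keyed as 41218 (transposed digits).
KEYED_BATCH = [
    Receipt(1001, 42306, Decimal("300.00")),
    Receipt(1002, 41218, Decimal("150.00")),
    Receipt(1003, 43501, Decimal("500.00")),
    Receipt(1004, 45200, Decimal("100.00")),
    Receipt(1005, 44990, Decimal("200.00")),
]

if __name__ == "__main__":
    print(reconcile(KEYED_BATCH, CONTROL_SLIP))   # only the hash total disagrees
    print(sequence_gaps(KEYED_BATCH))             # no documents missing
```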
Access controls
• We need to limit access to our data. We do this 3 ways:
  – Limit physical access: only networked computers can access the system.
  – Limit individuals’ access using passwords.
  – Prohibit direct access to the files (require that all file access be through software that leaves an audit trail).
• You should never be able to delete journal entries!
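The rule that journal entries are never deleted, and the earlier point that entries must not disappear without an audit trail, shown as an added example that is not part of the original slides: a small append-only journal in which the only way to undo an entry is a reversing entry that records who reversed it and why. The account names, users and amounts are constructed for the illustration.

```python
# Append-only journal with an audit trail, added as an example for this page
# (not the slide author's code). There is no delete: an entry can only be
# undone by posting a reversing entry that records who reversed it and why.
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)          # an entry cannot be edited once posted
class Entry:
    entry_no: int
    debit: str
    credit: str
    amount: Decimal
    user: str
    memo: str
    reverses: Optional[int] = None   # entry_no this entry cancels, if any


class Journal:
    def __init__(self):
        self._entries = []           # only ever appended to; no delete method

    def post(self, debit, credit, amount, user, memo, reverses=None):
        amount = Decimal(amount)
        if amount <= 0:              # no "negative" postings that hide an undo
            raise ValueError("post positive amounts; undo with reverse()")
        entry = Entry(len(self._entries) + 1, debit, credit, amount, user, memo, reverses)
        self._entries.append(entry)
        return entry

    def reverse(self, entry_no, user, reason):
        """The only way to 'delete': swap debit and credit, keeping both entries."""
        original = self._entries[entry_no - 1]
        if any(e.reverses == entry_no for e in self._entries):
            raise ValueError(f"entry {entry_no} is already reversed")
        return self.post(original.credit, original.debit, original.amount,
                         user, f"reversal of #{entry_no}: {reason}", reverses=entry_no)

    def audit_trail(self):
        """Every entry ever posted, reversals included, in posting order."""
        return tuple(self._entries)


def demo():
    """Constructed scenario: a keying error corrected without deleting anything."""
    j = Journal()
    j.post("Cash", "Sales", "250.00", "clerk1", "cash sale, receipt 1001")
    j.post("Cash", "Sales", "520.00", "clerk1", "cash sale, receipt 1002")  # keyed 520, not 250
    j.reverse(2, "supervisor", "transposed amount on receipt 1002")
    j.post("Cash", "Sales", "250.00", "clerk1", "cash sale, receipt 1002, re-posted")
    return j
```

After demo() the Cash balance is 500.00 and all four entries, including the reversal signed by the supervisor, remain in the trail.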
Computer generated forms
• Whenever documents such as purchase orders or sales orders or invoices are computerized…
  – The numbering system is protected. Individuals cannot manipulate the numbering system.
  – Whatever information is on the document is in the database (by construction).
  – Reconciliation is easier.
• Copies can be printed out for a permanent record.
ERPs
• Enterprise Resource Planning systems (ERPs) are the current technological frontier. They are basically a database that encompasses most or all of the organization’s information storage and processing.
• Indiana University uses such a system from a vendor called PeopleSoft. Other notable vendors are SAP and Oracle. OneStart is the student and faculty interface for this system. Your grades and my paycheck are both generated from this software package.
• ERPs are quite powerful tools, but they have their own control issues.
ERPs
• Employee buy-in and training are essential.
• There is only one system and it is BIG.
• Since everything is in this one system, if someone were to find a way to compromise the system (get in where they are unauthorized), they would have unbelievable power to steal or do damage.
• The system is so big that it is impossible for most managers (or auditors) to really understand how it works.