
Microcomputers

a. The proliferation of microcomputers (e.g., personal computers [PC], laptop computers) has had a profound effect on both information systems and on auditors. A small business client will probably use a PC to run a commercially purchased general ledger package (off-the-shelf software). Segregation of duties becomes especially difficult in such an environment because one individual may perform all recordkeeping (processing) as well as maintain other nonrecordkeeping responsibilities.

b. A larger client may use a network of PCs which may or may not be linked to a large corporate mainframe computer. In all systems, management policies should be in place regarding the development and modification of programs and data files.

c. Regardless of the system, the control objectives remain the same. When small computers are involved, the following points need to be considered:

(1) Security: Security over small computers, while still important, may not be as critical as security over the data and any in-house developed software. Most companies can easily replace the hardware, but may suffer a severe setback if the data and/or in-house developed software is lost. Access to the software diskettes should be controlled and backup copies should be made. Access to the hard drive must be restricted since anyone turning on the power switch can read the data stored on those files. Also, a control problem may exist because the computer operator often understands the system and also has access to the diskettes. The management of the company may need to become more directly involved in supervision when a lack of segregation of duties exists in data processing.

(2) Verification of processing: Periodically, an independent verification of the applications being processed on the small computer system should be made to prevent the system from being used for personal projects. Also, verification helps prevent errors in internally developed software from going undetected. Controls should be in operation to assure the accuracy of in-house created spreadsheets and databases.

(3) Personnel: Centralized authorization to purchase hardware and software should be required to ensure that appropriate purchasing decisions are made, including decisions that minimize software and hardware compatibility difficulties. Software piracy and viruses may be controlled by prohibiting the loading of unauthorized software and data on company-owned computers.

1. Segregation controls

a. Segregate functions between information systems department and user departments

(1) User departments are the other departments of the company that utilize the data prepared by the information systems department.

b. Do not allow the information systems department to initiate or authorize transactions.

c. At a minimum, segregate programming, operations, and the library function within the information systems department.

(1) Systems analysis: The systems analyst analyzes the present user environment and requirements and may (1) recommend specific changes, (2) recommend the purchase of a new system, or (3) design a new information system. The analyst is in constant contact with user departments and programming staff to ensure the users' actual and ongoing needs are being met. A system flowchart is a tool used by the analyst to define the system's requirements.

(2) Systems programming: The systems programmer is responsible for implementing, modifying, and debugging the software necessary for making the hardware work (such as the operating system, telecommunications monitor, and the database management system). For some companies the term software engineer is viewed as similar or identical to that of systems programmer. For others, the software engineer is involved with the creation of designs used by programmers.

(3) Applications programming: The applications programmer is responsible for writing, testing, and debugging the application programs from the specifications (whether general or specific) provided by the systems analyst. A program flowchart is one tool used by the applications programmer to define the program logic.

(4) Database administration: In a database environment, a database administrator (DBA) is responsible for maintaining the database and restricting access to the database to authorized personnel.

(5) Data preparation: Data may be prepared by user departments and input by key to magnetic disk or magnetic tape.

(6) Operations: The operator is responsible for the daily computer operations of both the hardware and the software. The operator mounts magnetic tapes on the tape drives, supervises operations on the operator's console, accepts any required input, and distributes any generated output. The operator should have adequate documentation available to run the program (a run manual), but should not have detailed program information.

a] Help desks are usually a responsibility of operations because of the operational nature of their functions (for example, assisting users with systems problems and obtaining technical support/vendor assistance).

(7) Data library: The librarian is responsible for custody of the removable media (i.e., magnetic tapes or disks) and for the maintenance of program and system documentation. In many systems, much of the library function is maintained and performed electronically by the computer.

(8) Data control: The control group acts as liaison between users and the processing center. This group records input data in a control log, follows the progress of processing, distributes output, and ensures compliance with control totals.

Ideally, in a large system, all of the above key functions should be segregated; in a small computer environment, many of the key functions are concentrated in a small number of employees. For purposes of the CPA exam remember that, at a minimum, an attempt should be made to segregate programming, operations, and the library functions. Large organizations typically have a chief information officer (CIO) who oversees all information technology and activities.

e. Electronic commerce has resulted in a number of new Web-related positions, including:

(1) Web administrator (Web manager): Responsible for overseeing the development, planning, and the implementation of a Web site. Ordinarily a managerial position.

(2) Web master: Responsible for providing expertise and leadership in the development of a Web site, including the design, analysis, security, maintenance, content development, and updates.

(3) Web designer: Responsible for creating the visual content of the Web site.

(4) Web coordinator: Responsible for the daily operations of the Web site.

(5) Internet developer: Responsible for writing programs for commercial use. Similar to a software engineer or systems programmer.

(6) Intranet/Extranet developer: Responsible for writing programs based on the needs of the company.

A disaster recovery plan should include both backup and downtime controls.

Methods of Data Structure

a. Data organization for computer operations

(1) Bit: A binary digit (0 or 1) which is the smallest storage unit in a computer.

(2) Byte: A group of adjacent bits (usually 8) that is treated as a single unit by the computer. Alphabetic, special and some numeric characters can be represented by a bit. A numeric character that is used in computations may use more than one byte.

(3) Character: A letter, number, or other symbol; a character is ordinarily printable as a symbol (e.g., the character "a" or ";").

(4) Alphanumeric: Alphabetic, numeric, and special characters (special characters are pluses, minuses, dollar signs, etc.).

(5) Field: A group of related characters (e.g., a social security number).

(6) Record: An ordered set of logically related fields. For example, all payroll data (including the social security number field and others) relating to a single employee.

(7) Array: In a programming language, an aggregate that consists of data objects with attributes, each of which may be uniquely referenced by an index (address). For example, an array may be used to request input of various payroll information for a new employee in one step. Thus an array could include employee name, social security number, withholdings, pay rate, etc., for example (John Jones, 470-44-5044, 2, $18.32, ). Name would be indexed as 1 (or zero), with each succeeding attribute receiving the next higher number as an address. Also, arrays may be multidimensional. They are often used with object-oriented programming such as C++ and Java.

(8) File: A group of related records (e.g., all the weekly pay records year-to-date) which is usually arranged in sequence.

(9) Master file: A file containing relatively permanent information used as a source of reference and periodically updated with a detail (transaction) file (e.g., permanent payroll records).

(10) Detail or transaction file: A file containing current transaction information used to update the master file (e.g., hours worked by each employee during the current period used to update the payroll master file).

Structured query language (SQL): The most common language used for creating and querying relational databases (see (b)3] below); its commands may be classified into three types:

a] Data definition language (DDL): Used to define a database, including creating, altering, and deleting tables and establishing various constraints. The data definition language defines the database structure and content, especially the schema and subschema descriptions, including the names of the data elements contained in the database and their relationship to each other.

b] Data manipulation language (DML): Commands used to maintain and query a database, including updating, inserting in, modifying, and querying (asking for data).

c] Data control language (DCL): Commands used to control a database, including controlling which users have various privileges (e.g., who is able to read from and write to various portions of the database).
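The three SQL command types above, shown together on a payroll master file and detail file. This is an added example, not part of the original notes, written in PostgreSQL syntax; all table, column and role names are hypothetical and the sample rows are constructed. The grants follow the segregation idea from the earlier section: data entry, posting to the master file, and read-only review are separate roles.

```sql
-- Added example (PostgreSQL). Table, column and role names are hypothetical.

-- DDL: define structure and constraints.
CREATE TABLE payroll_master (                 -- master file
    employee_id   integer PRIMARY KEY,
    employee_name text NOT NULL,
    pay_rate      numeric(8,2)  NOT NULL CHECK (pay_rate > 0),
    ytd_gross     numeric(12,2) NOT NULL DEFAULT 0
);
CREATE TABLE payroll_detail (                 -- detail (transaction) file
    employee_id  integer NOT NULL REFERENCES payroll_master (employee_id),
    period_end   date    NOT NULL,
    hours_worked numeric(5,2) NOT NULL CHECK (hours_worked BETWEEN 0 AND 168),
    posted       boolean NOT NULL DEFAULT false,
    PRIMARY KEY (employee_id, period_end)     -- one record per employee per period
);

-- DML: insert, update and query data (sample rows are constructed).
INSERT INTO payroll_master (employee_id, employee_name, pay_rate)
VALUES (1, 'John Jones', 18.32);
INSERT INTO payroll_detail (employee_id, period_end, hours_worked)
VALUES (1, DATE '2024-01-05', 40.00);

-- Post unposted detail records to the master file in one atomic statement,
-- so a record is never marked posted without being added to the master.
WITH batch AS (
    UPDATE payroll_detail SET posted = true
    WHERE NOT posted
    RETURNING employee_id, hours_worked
)
UPDATE payroll_master AS m
SET ytd_gross = m.ytd_gross + t.gross
FROM (SELECT b.employee_id, SUM(b.hours_worked * pm.pay_rate) AS gross
      FROM batch AS b
      JOIN payroll_master AS pm ON pm.employee_id = b.employee_id
      GROUP BY b.employee_id) AS t
WHERE m.employee_id = t.employee_id;

SELECT employee_name, ytd_gross FROM payroll_master;

-- DCL: control who may read and write what; each duty gets its own role.
CREATE ROLE payroll_clerk;     -- enters hours worked
CREATE ROLE payroll_posting;   -- runs the posting step
CREATE ROLE payroll_auditor;   -- read-only review
REVOKE ALL ON payroll_master, payroll_detail FROM PUBLIC;
GRANT SELECT ON payroll_detail TO payroll_clerk;
GRANT INSERT (employee_id, period_end, hours_worked) ON payroll_detail TO payroll_clerk;
GRANT SELECT ON payroll_master, payroll_detail TO payroll_posting;
GRANT UPDATE (posted) ON payroll_detail TO payroll_posting;
GRANT UPDATE (ytd_gross) ON payroll_master TO payroll_posting;
GRANT SELECT ON payroll_master, payroll_detail TO payroll_auditor;
```

The column-level grants mean the clerk role cannot set `posted` or change pay rates, and no role other than the table owner can alter the table definitions.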
