EDP / IT CONTROL PART I

INTERNAL CONTROL OVER EDP / IT ACTIVITIES


PART I: EDP / IT CONTROL: ORGANIZATIONAL CONTROLS AND COMPUTER-CENTERED FRAUD
The history of computer-centered fraud shows that the persons responsible for frauds in many situations set up the system and control its use as programmer and operator. The number of personnel and the organizational structure will of course determine the extent to which segregation of duties is possible. As a minimum, the function of programming should be separated from the functions controlling input to the computer programs, and the function of the computer operator should be segregated from functions requiring detailed knowledge or custody of the computer programs. If one person is permitted to perform duties in several of these functions, internal control is weakened, and the opportunity exists for fraudulent data to be inserted in the system.
The rapid growth of electronic data processing (EDP) for business use is having a greater impact on public accounting than perhaps any other event in the history of the profession. No longer is the challenge of auditing EDP activities limited to a few large clients. With the advent of inexpensive minicomputer systems and PC networks, even the smallest audit clients are likely to use a computer for many accounting functions. Thus, auditors must be prepared to work in an environment in which the client's accounting records are maintained on anything from a personal computer to a multimillion dollar mainframe system.

REAL LIFE CASE #1:
A programmer for a large bank wrote a program for identifying and listing all overdrawn accounts. Later, as operator of the bank's computer, he was able to insert an ever-changing "patch" in the program to cause the computer to ignore overdrafts in his own account. The programmer-operator was then able to overdraw his bank account at will, without the overdraft coming to management's attention. The fraud was not discovered until the computer broke down and the listing of overdrawn accounts had to be prepared manually.

Although the computer has created some challenging problems for professional accountants, it has also broadened their horizons and expanded the range and value of the services they offer. The computer is more than a tool for performing routine accounting tasks with unprecedented speed and accuracy. It makes possible the development of information that could not have been gathered in the past because of time and cost limitations. When a client maintains accounting records with a complex and sophisticated EDP system, auditors often find it helpful, and even necessary, to utilize the computer in performing many auditing procedures.

Adapted from “Principles of Auditing” by Meigs, Whittington, Pany, and Meigs


This section will consider some of the most significant ways in which auditing work is being affected by EDP, but it cannot impart extensive knowledge of technical computer skills. Independent auditors will find additional familiarity with the computer, including technical skills such as programming, to be of ever-increasing value in the accounting profession.

Nature of an electronic data processing system
Before considering the impact of electronic data processing systems on the work of the independent certified public accountant, some understanding of the nature of a computer and its capabilities is needed. A business EDP system usually consists of a digital computer and peripheral equipment, known as hardware, and equally essential software, consisting of various programs and routines for operating a computer.

Hardware
The principal hardware component of a digital computer is the central processing unit (CPU). The CPU consists of a control unit, which processes a program of instructions for manipulating data; a storage unit for storing the program of instructions and the data to be manipulated; and an arithmetic unit capable of addition, subtraction, multiplication, division, and comparison of data at speeds measured in microseconds, nanoseconds, or even picoseconds. Peripheral to the central processing unit are devices for recording input and devices for auxiliary storage, output, and communications. Peripheral devices in direct communication with the CPU are said to be online, in contrast to offline equipment not in direct communication with the CPU.
A first step in electronic data processing is to convert the data to machine-sensible form. This is
the role of recording and input devices, such as card readers, optical scanners, electronic cash
registers, and intelligent terminals. Each of these devices either records data in some medium for
later reading into the storage unit or communicates data direct to the CPU.
Secondary storage devices are utilized to augment the capacity of the storage unit of the CPU.
Examples of secondary storage devices are magnetic tape, magnetic drums, and magnetic disk
packs. Magnetic drums and disk packs have the advantage of direct access, which allows for faster
location and retrieval of data. Data on magnetic tapes must be stored sequentially and is retrieved by
a systematic search.
Digital computer circuitry has two states in that any given circuit may be "on" or "off." By using
an internal code, or machine language, capable of representing with two symbols any kind of data,
all data may be expressed internally by the computer by a combination of on and off circuits. An
example of a machine language is the binary number system.
Machines must also be used to translate the output of the computer back into a recognizable code
or language. Output equipment includes printers and display
terminals.
Software
Computer systems use two major types of software: system software and application software. System software consists of programs that control and coordinate hardware components and provide other support to application software. Important components of system software are utility programs for recurring tasks of data processing, such as sorting, sequencing, and merging of data. The system software known as the operating system is important to the control of computer operations because it may be programmed to control access to programs and stored data and to maintain a log of all system activities.

Programs designed to perform a specific data processing task, such as payroll processing, are known as application software. Early application programs were laboriously written in machine language, but today, programming languages such as COBOL (common business-oriented language) are much like English. Programming in COBOL and other source languages is made possible by another element of software, the compiler, which is a computer program utilized in translating a source-language program into machine language. The machine-language version of a program is called an object program.

In some ways, computer systems enhance the reliability of financial information. Computers process transactions uniformly and eliminate the human errors that may occur in a manual system. On the other hand, defects in hardware or programs can result in a computer processing all transactions incorrectly. Also, errors or irregularities that do occur in computer processing may not be detected by the client's personnel because few people are involved with data processing. Thus, computer hardware precision does not assure that computer output will be reliable.

Internal control over EDP activities
Auditors have the same responsibility in an EDP system as in a manual system, which is to satisfy themselves that the financial statements produced reflect the interpretation and processing of transactions in conformity with generally accepted accounting principles.

Good internal control stressed the need for a proper division of duties among employees operating a manual accounting system. In such a system, no one employee has complete responsibility for a transaction, and the work of one person is verified by the work of another handling other aspects of the same transaction. The division of duties gives assurance of accuracy in records and reports and protects the company against loss from fraud or carelessness.
When a company converts to an EDP system, however, the work formerly divided among many
people is performed by the computer. Consolidation of activities and integration of functions are to
be expected, since the computer can conveniently handle many related aspects of a transaction. For
example, when payroll is handled by a computer, it is possible to carry out a variety of related tasks
with only a single use of the master records. These tasks could include the maintenance of personnel
files with information on seniority, rate of pay, insurance, and the like; a portion of the timekeeping
function; distribution of labor costs; and preparation of payroll checks and payroll records.
Despite the integration of several functions in an EDP system, the importance of internal control is
not in the least diminished. The essential factors described in Chapter 5 for satisfactory internal
control in a large-scale organization are still relevant. Separation of duties and clearly defined
responsibilities continue to be key ingredients despite the change in organization of activities. These
traditional control concepts are augmented, however, by controls written into the computer
programs and controls built into the computer hardware.

In auditing literature, internal controls over EDP activities often are classified as either general
controls or application controls. General controls relate to all EDP applications and include such
considerations as: (a) the organization of the EDP department; (b) procedures for documenting,
testing, and approving the original system and any subsequent changes; (c) controls built into the
hardware (equipment controls); and (d) security for files and equipment. Application controls, on the other hand, relate to specific accounting tasks performed by EDP, such as the preparation of payrolls. Controls of this nature include measures designed to assure the reliability of input, controls over processing, and controls over output.

Organizational controls in an electronic data processing system
Because of the ability of the computer to process data efficiently, there is a tendency to combine many data processing functions in an EDP department. In a manual or mechanical system, these combinations of functions may be considered incompatible from a standpoint of achieving strong internal control. For example, the function of recording cash disbursements is incompatible with the responsibility for reconciling bank statements. Since one of these procedures serves as a check upon the other, assigning both functions to one employee would enable the employee to conceal his own errors. A properly programmed computer, however, has no tendency or motivation to conceal its errors. Therefore, what appears to be an incompatible combination of functions may be combined in an EDP department without weakening internal control.
When apparently incompatible functions are combined in the EDP department, compensating
controls are necessary to prevent improper human intervention with computer processing. A person
with the opportunity to make unauthorized changes in computer programs or data files is in a
position to exploit the concentration of data processing functions in the EDP department. For
example, a computer program used to process accounts payable may be designed to approve a
vendor's invoice for payment only when that invoice is supported by a purchase order and receiving
report. An employee able to make unauthorized changes in that program could cause
unsubstantiated payments to be made to specific vendors.
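The accounts payable rule just described (pay an invoice only when it is supported by a purchase order and a receiving report) is the kind of control that lives inside an application program. The following is an added example, not code from the textbook: a small three-way match written in Python. The record layouts, the vendor names, the purchase order numbers and the amounts are all assumptions constructed for the example.

```python
"""Three-way match for accounts payable approval (added example, not from the textbook).

An invoice is approved for payment only when a purchase order and a receiving
report exist for it and the vendor, unit price and quantities agree. All
sample records below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    quantity: int
    unit_price: Decimal


@dataclass(frozen=True)
class ReceivingReport:
    po_number: str
    quantity_received: int


@dataclass(frozen=True)
class Invoice:
    invoice_number: str
    vendor: str
    po_number: str
    quantity: int
    unit_price: Decimal


def approve_invoice(invoice, purchase_orders, receiving_reports):
    """Return (approved, reasons).

    `purchase_orders` and `receiving_reports` are dicts keyed by PO number.
    Every failed test is recorded so the control group can see why an
    invoice was held rather than only that it was held.
    """
    reasons = []
    po = purchase_orders.get(invoice.po_number)
    if po is None:
        # Nothing to match against: the invoice is unsupported.
        return False, ["no purchase order on file"]
    if po.vendor != invoice.vendor:
        reasons.append("vendor differs from purchase order")
    if invoice.unit_price != po.unit_price:
        reasons.append("unit price differs from purchase order")
    rr = receiving_reports.get(invoice.po_number)
    if rr is None:
        reasons.append("no receiving report on file")
    elif invoice.quantity > rr.quantity_received:
        reasons.append("billed quantity exceeds quantity received")
    if invoice.quantity > po.quantity:
        reasons.append("billed quantity exceeds quantity ordered")
    return (not reasons), reasons


# Constructed sample records (assumed names and amounts).
PURCHASE_ORDERS = {
    "PO-7001": PurchaseOrder("PO-7001", "Acme Supply", 100, Decimal("12.50")),
}
RECEIVING_REPORTS = {
    "PO-7001": ReceivingReport("PO-7001", 100),
}
GOOD_INVOICE = Invoice("INV-1", "Acme Supply", "PO-7001", 100, Decimal("12.50"))
NO_PO_INVOICE = Invoice("INV-2", "Acme Supply", "PO-9999", 10, Decimal("12.50"))
OVERBILLED_INVOICE = Invoice("INV-3", "Acme Supply", "PO-7001", 120, Decimal("12.50"))


if __name__ == "__main__":
    for inv in (GOOD_INVOICE, NO_PO_INVOICE, OVERBILLED_INVOICE):
        ok, why = approve_invoice(inv, PURCHASE_ORDERS, RECEIVING_REPORTS)
        print(inv.invoice_number, "approved" if ok else "held", why)
```

The match is only as good as the integrity of the program that performs it, which is the textbook's point: an employee who can change `approve_invoice` without review can make the "no purchase order" branch disappear, so change control over the program belongs with the control, not beside it.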
EDP programs and data files cannot be changed without the use of EDP equipment. With EDP
equipment, however, they can be changed without leaving any visible evidence of the alteration.
Thus, the organization plan of an EDP department should prevent EDP personnel from having
unauthorized access to EDP equipment, programs, or data files. This is accomplished by providing
definite lines of authority and responsibility, segregation of functions, and clear definition of duties
for each employee in the department. The organizational structure of a well-staffed EDP
department, as illustrated below, should include the following separation of responsibilities:

Vice President Data Processing or Controller
    Data Processing Manager
        Systems Analysis
        Programming
        Computer Operations
        Data Preparation
        Program and File Library
        Control Group

Data processing management
A manager should be appointed to supervise the operation of the data processing department. The data processing manager should report to an officer who does authorize transactions for computer processing, perhaps to a vice president of data processing. When EDP is a section within the accounting department, the controller should not have direct contact with computer operations.

Systems analysis
Systems analysts are responsible for designing the EDP system. After considering the objectives of the business and the data processing needs of the various departments using the computer output (user groups), they determine the goals of the system and the means of achieving these goals. Utilizing system flowcharts and detailed instructions, they outline the data processing system.

Programming
Guided by the specifications provided by the systems analysts, the programmers design program flowcharts for computer programs required by the system. They then code the required programs in computer language, generally making use of specialized programming languages, such as COBOL, and software elements, such as assemblers, compilers, and utility programs. They test the programs with test data composed of genuine or dummy records and transactions and perform the necessary debugging. Finally, the programmers prepare necessary documentation, such as the computer operator instructions.

Computer operations
The computer operators manipulate the computer in accordance with the instructions developed by the programmers. On occasion, the computer operators may have to intervene through the computer console during a run in order to correct an indicated error. The computer's operating system should be programmed to maintain a detailed log of all operator intervention. The separation of computer operations from programming is an important one from the standpoint of achieving internal control. An employee performing both functions would have an opportunity to make unauthorized changes in computer programs.

Program and file library
The purpose of the file library is to protect computer programs, master files, transaction (detail) tapes, and other records from loss, damage, and unauthorized use or alteration. To assure adequate control, the librarian maintains a formal checkout system for making records available to authorized users.
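The operator intervention log and the library checkout records described above are only controls if somebody reads them against the organization plan. The following is an added example, not code from the textbook: a Python review that lists every console intervention, flags interventions by anyone who is not an operator, and flags library checkouts that put a program in an operator's custody or go to a user not on the staff roster. The log layouts, user ids, job names and the roster are assumptions constructed for the example.

```python
"""Review of the operator console log and the program library checkout log
(added example, not from the textbook). Log formats, user ids and roles are
assumed; every log line below is constructed.
"""

# Constructed staff roster: user id -> function within the EDP department.
ROSTER = {
    "op01": "operator",
    "op02": "operator",
    "pg01": "programmer",
}

# Constructed console log, one intervention per line:
# <date> <time> <user> <job> <action>
OPERATOR_LOG = """\
1985-03-04 09:12 op01 PAYROLL restart-after-abend
1985-03-04 09:15 op01 PAYROLL modify-control-card
1985-03-04 14:02 op02 AP-RUN cancel-job
1985-03-05 08:40 pg01 PAYROLL modify-control-card
"""

# Constructed library checkout log: <date> <time> <user> <checkout|return> <item>
LIBRARY_LOG = """\
1985-03-04 08:00 pg01 checkout PAYROLL-SOURCE
1985-03-04 09:00 op01 checkout PAYROLL-OBJECT
1985-03-04 17:00 pg01 return PAYROLL-SOURCE
1985-03-04 17:30 op01 return PAYROLL-OBJECT
1985-03-05 08:00 xx99 checkout AP-MASTER
"""

# Library items whose name ends this way are programs rather than data files (assumed convention).
PROGRAM_SUFFIXES = ("-SOURCE", "-OBJECT")


def parse_log(text):
    """Split whitespace-separated log lines into field lists, skipping blank lines."""
    return [line.split() for line in text.splitlines() if line.strip()]


def review_operator_log(log_text, roster):
    """Return (interventions_per_user, exceptions).

    Every intervention is counted for the control group's review; an
    intervention by someone who is not an operator is a segregation-of-duties
    exception, since a programmer at the console can alter a run.
    """
    counts = {}
    exceptions = []
    for date, time, user, job, action in parse_log(log_text):
        counts[user] = counts.get(user, 0) + 1
        role = roster.get(user, "unknown")
        if role != "operator":
            exceptions.append(f"{date} {time} {job}: console {action} by {user} ({role})")
    return counts, exceptions


def review_library_log(log_text, roster):
    """Return (open_checkouts, exceptions).

    open_checkouts maps each item not yet returned to the user holding it.
    Exceptions: a checkout by a user not on the roster, or an operator
    taking custody of a program.
    """
    open_items = {}
    exceptions = []
    for date, time, user, event, item in parse_log(log_text):
        role = roster.get(user, "unknown")
        if event == "checkout":
            if role == "unknown":
                exceptions.append(f"{date} {time}: {item} checked out by unlisted user {user}")
            elif role == "operator" and item.endswith(PROGRAM_SUFFIXES):
                exceptions.append(f"{date} {time}: operator {user} took custody of program {item}")
            open_items[item] = user
        elif event == "return":
            open_items.pop(item, None)
    return open_items, exceptions


if __name__ == "__main__":
    counts, exc = review_operator_log(OPERATOR_LOG, ROSTER)
    print("interventions:", counts)
    for line in exc:
        print("EXCEPTION", line)
    open_items, exc = review_library_log(LIBRARY_LOG, ROSTER)
    print("still checked out:", open_items)
    for line in exc:
        print("EXCEPTION", line)
```

On the constructed data the review surfaces three items for the control group: a programmer modifying a control card at the console, an operator holding the payroll object program for a day, and a checkout of the accounts payable master file by an id that is not on the roster.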
Data preparation
Personnel involved with this function prepare and verify input data for processing. A keypunch operation is a traditional example of a data preparation department. Keypunching is primarily associated with batch processing systems, in which a group (batch) of transactions is processed at one time. In an online, real-time system, data may be entered directly into the computer by user groups through remote terminals, and files are immediately updated to reflect the new data. Even in the most sophisticated systems, however, many applications are still handled by batch processing of transactions entered directly by the user groups.

In many systems, the library function is performed by the computer. The computer operators use special code numbers or passwords to gain access to computer programs and files stored within the system. The computer automatically maintains a log showing when these programs and files are used.

Control group
The control group of a data processing department reviews and tests all input procedures, monitors computer processing, handles the reprocessing of errors detected by the computer, and reviews and distributes all computer output. This group also reviews the computer log of operator interventions and the library log of program usage. In smaller organizations, control group functions may be performed by the user groups.

Access to assets by EDP personnel
Whenever the responsibilities for record keeping and custody of the related assets are combined, the opportunities for an employee to conceal the abstraction of assets are increased. Since EDP is basically a record-keeping function, it is highly desirable to limit the access of EDP personnel to company assets. However, EDP personnel have direct access to cash if the EDP activity includes the preparation of signed checks. EDP personnel may also have indirect access to assets if, for example, EDP is used to generate shipping orders authorizing the release of inventory.

It is difficult for compensating controls to eliminate entirely the risk that results from EDP personnel having access to company assets. Auditors should therefore realize that the risk of computer-centered fraud is greatest in those areas in which EDP personnel have access to assets.

The combination of record keeping with access to assets seriously weakens internal control unless adequate compensating controls are present. One type of compensating control is the use of predetermined batch totals, such as document counts and totals of significant data fields, prepared in departments independent of EDP. For example, if EDP performs the function of printing checks, another department should be responsible for authorizing the preparation of the checks. The authorizing department should maintain a record of the total number and dollar amount of checks authorized. These independently prepared batch totals should then be compared with the computer output before the checks are released.

Besides segregation of functions, the data processing organization plan should provide for rotation of programmer assignments, rotation of EDP operator assignments, mandatory vacations, and adequate fidelity bonds for EDP employees. At least two qualified data processing personnel should be present whenever the computer facility is in use. Careful screening procedures in the hiring of EDP personnel are also important in achieving strong internal control.

Management fraud
Organizational controls are reasonably effective in preventing an individual employee from perpetrating a fraud, but they do not prevent fraud involving collusion. If key employees or company officers conspire in an effort to commit fraud, internal controls that rely upon separation of duties can be rendered inoperative.

REAL LIFE CASE #2:
Equity Funding Corporation of America went into bankruptcy after it was discovered that the company's financial statements had been grossly and fraudulently misleading for a period of years. A subsidiary company had been manufacturing bogus insurance policies on fictitious persons and then selling these policies to other insurance companies. When the fraud was discovered, Equity Funding's balance sheet included more than $120 million in fictitious assets, far exceeding the $75 million net income reported over the 13-year life of the company. Perhaps the most startling revelation of the Equity Funding scandal was that numerous officers and employees of the company had worked together for years to perpetrate and conceal the fraud. The fictitious transactions had been carefully integrated into the company's computer-based accounting system. A wide variety of fraudulent supporting documents had been prepared for the sole purpose of deceiving auditors and governmental regulatory agencies. Upon disclosure of the activities, several members of top management were convicted of criminal charges. Thus, the Equity Funding scandal is often described as a computer-based fraud. It was not because of the use of computers, however, that the company was able to deceive auditors and government investigators. Rather, the fraudulent activities were successfully concealed for a number of years because of the unprecedented willingness of a large number of company officers and employees to participate in the scheme. Collusion of the magnitude existing at Equity Funding would render any system of internal control ineffective.
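The batch-total control for printed checks, where the authorizing department keeps an independent count and dollar total and compares it with the computer output before release, is shown below as an added example in Python; it is not code from the textbook. The batch id, the check register layout, the payees and the amounts are assumptions constructed for the example, and the example goes slightly beyond the text by showing why both the count and the dollar total are needed.

```python
"""Compare independently prepared batch totals with the computer's check
register before checks are released (added example, not from the textbook).
Batch id, register layout, payees and amounts are constructed.
"""
from decimal import Decimal

# Constructed record kept by the department that authorized the batch
# of checks: how many were authorized and for what total dollar amount.
AUTHORIZED_BATCH = {"batch_id": "CHK-0412", "count": 3, "total": Decimal("4250.00")}

# Constructed check registers as produced by EDP for that batch:
# <batch id>,<check number>,<payee>,<amount>
CLEAN_REGISTER = """\
CHK-0412,10001,Acme Supply,1250.00
CHK-0412,10002,Baker Freight,2000.00
CHK-0412,10003,Cole Office,1000.00
"""

# Same batch with one check that nobody authorized appended.
EXTRA_CHECK_REGISTER = CLEAN_REGISTER + "CHK-0412,10004,Dunn Services,500.00\n"

# Same batch with the right number of checks but one amount altered:
# the document count alone would not catch this.
ALTERED_AMOUNT_REGISTER = """\
CHK-0412,10001,Acme Supply,1250.00
CHK-0412,10002,Baker Freight,2000.00
CHK-0412,10003,Cole Office,1500.00
"""


def parse_check_register(text):
    """Parse the constructed register format into a list of check dicts."""
    checks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        batch_id, number, payee, amount = line.split(",")
        checks.append({"batch": batch_id, "number": number,
                       "payee": payee, "amount": Decimal(amount)})
    return checks


def computed_totals(checks, batch_id):
    """Recompute document count and dollar total for one batch from EDP output."""
    rows = [c for c in checks if c["batch"] == batch_id]
    return {"count": len(rows),
            "total": sum((c["amount"] for c in rows), Decimal("0"))}


def review_batch(authorized, register_text):
    """Return a release decision with the recomputed totals and any exceptions.

    The checks are released only when both the count and the dollar total
    from the computer output equal the totals prepared independently of EDP.
    """
    actual = computed_totals(parse_check_register(register_text), authorized["batch_id"])
    exceptions = []
    if actual["count"] != authorized["count"]:
        exceptions.append(f"document count {actual['count']} differs from "
                          f"authorized {authorized['count']}")
    if actual["total"] != authorized["total"]:
        exceptions.append(f"dollar total {actual['total']} differs from "
                          f"authorized {authorized['total']}")
    return {"release": not exceptions, "computed": actual, "exceptions": exceptions}


if __name__ == "__main__":
    for name, register in (("clean", CLEAN_REGISTER),
                           ("extra check", EXTRA_CHECK_REGISTER),
                           ("altered amount", ALTERED_AMOUNT_REGISTER)):
        result = review_batch(AUTHORIZED_BATCH, register)
        print(name, "RELEASE" if result["release"] else "HOLD", result["exceptions"])
```

The altered-amount register passes the document count and fails only on the dollar total, which is why the text calls for totals of significant data fields and not merely a count of documents.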
