
TYPES OF CONTROL IN CIS ENVIRONMENT

CONTENTS
GENERAL CONTROL
DATA CENTRE AND NETWORK OPERATION
SYSTEM SOFTWARE ACQUISITION, CHANGE AND MAINTENANCE CONTROLS
ACCESS SECURITY CONTROL
APPLICATION SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE CONTROL
APPLICATION CONTROL
GENERAL VS. APPLICATION
RELATIONSHIP BETWEEN GENERAL & APPLICATION

TYPES OF CONTROL
1) GENERAL CONTROL
2) APPLICATION CONTROL

GENERAL CONTROL
These controls relate to the environment within which computer-based accounting systems are developed, maintained and operated, and are aimed at providing reasonable assurance that the overall objectives of internal controls are achieved.
These controls could either be manual or programmed.

OBJECTIVE OF GENERAL CONTROL
To ensure proper development and implementation of applications and the integrity of program and data files and of computer operations.

GENERAL CONTROL
1) DATA CENTRE AND NETWORK OPERATION
2) SYSTEM SOFTWARE ACQUISITION, CHANGE AND MAINTENANCE CONTROLS
3) ACCESS SECURITY CONTROL
4) APPLICATION SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE CONTROL

DATA CENTRE AND NETWORK OPERATION
These are primarily controls that relate to data processing security and controls. They relate to the security of the data centre, batch processing of data, backups and custody of storage media.
It is also important that such an environment is not accessed by unauthorized persons such as programmers and hackers, as this could compromise data integrity.


Data backup procedure: prevents loss of data. The backup copy is a duplicate of the original that is stored at a different location.
Contingency plan: a formal document that describes the procedure to be used. This plan should provide adequate insurance coverage and designate an alternative location for processing and data storage.
Segregation of duties: proper segregation of duties requires that critical functions performed at the data centre be separated: system analysis and programming, machine operation, and data maintenance.

SYSTEM SOFTWARE ACQUISITION, CHANGE AND MAINTENANCE CONTROL
System software is the computer software that controls the computer functions and allows the application programs to run, e.g. Windows allows Microsoft Office to run.
The entity should have strong controls to ensure proper approval for the purchase of new systems and for changes to and maintenance of existing software.
Responsibilities: cover network administration, PC technical support, database and web administration.
Control policies and procedure: involve screening personnel for system software maintenance activities, reviewing the acquisition of new system software and establishing software standards.

Access Security Control (System Security Controls)
Physical protection of computer equipment, software and data, and also protection against loss of assets and information through theft and unauthorised use.
E.g. financial institution and bank
1) Special room for computers and equipment, or a separate building
2) Access is limited to authorised personnel only
3) Recovery procedure for lost data

Implementation of Access Security Control
Make sure that vital data or programs are not left running when the computer in the user department is left unattended.
Passwords should be issued to all staff, whether for access to a mainframe or to single microcomputers. Limited access to files may further be designated as Read Only or Read and Write. The identity of the authorised users can be identified for the purpose of adding, altering or deleting data.
Users should be issued with machine-readable evidence, e.g. magnetic stripe cards, so that an unauthorised user of a particular password cannot access the computer.
Access to computers is usually via telephone lines. Computers should be programmed with the telephone numbers of such users.
Programs and data files which need be on-line should be stored in a secure location with a computer department librarian. Systems programs and documentation should be locked away with limited access.

Application System Acquisition, Development and Maintenance Controls
Controls over these are critical for ensuring the reliability of information processing. It might be better to involve internal and external auditors at an early stage of system design to ensure proper controls are incorporated into the system, e.g. an accounting system.
Control over input: source or primary data
Control over processing: processing data and updating masterfiles
Control over output: results of processing or updating, e.g. change in total, balances, transactions

APPLICATION CONTROL
Apply to the processing of individual accounting applications such as sales or payroll.
Purpose:
To ensure the completeness and accuracy of the accounting records and the validity of the entries made therein resulting from both manual and programmed processing.
To provide assurance that all transactions are authorized, recorded and processed completely, accurately and on a timely basis.

Example of application controls that need to be implemented in operations from the issuing of the Purchase Requisition to the acceptance of the Purchase Invoice:
Segregation of duties between the user department ordering the goods, the goods received department, the procurement department and the accounts department.
Before issuing the purchase order, the buying department should check that the user department is authorized to purchase the goods that have been requested.
Goods are only purchased from authorized suppliers. If it is a new supplier, validation of that supplier should be done before the order.
There must be a check, independent from the buying department, on the quality, price and service of the supplier.
The purchase order should be keyed into the computer by the procurement department and sent to the supplier, user department and accounts department.
The accounts department, upon receipt of the purchase invoice, matches it with the purchase order.
The user department checks the goods against requisitions and specifications.

Application controls are generally divided into:
1) Control over Input
2) Control over Processing & Computer Data Files
3) Control over Output

Control Over Input
Most errors in computer accounting systems can be traced to faulty input.
These are controls over source documents and can be in both physical and virtual forms.
Input controls include:
COMPLETENESS - To ensure that all transactions are recorded, and not lost, added, duplicated or modified
VALIDITY - To ensure transactions are properly authorized before being processed by computer
DATA CONVERSION - To ensure transactions are accurately converted into machine-readable form and recorded in computer data files
REJECTIONS & CORRECTION - To ensure incorrect transactions are rejected, corrected and re-submitted

Control Over Processing & Computer Data Files
To ensure that all transactions keyed in are processed by the computer and data files are properly closed
Processing errors are identified and corrected on a timely basis
To ensure that the right files are in use (physical file identification procedures in the form of labels physically attached to files or diskettes)
Not lost, duplicated or otherwise improperly altered during processing
Limit and reasonableness tests applied to data arising as a result of processing

Control Over Output
Output is received from input.
Output controls include:
Logging of all output
Matching or agreeing all output to input, such as one-for-one matching, or control totals
Noting distribution of all the output
Output checklists aimed at ensuring that all expected reports are processed and forwarded to the relevant department or personnel
They are designed to provide reasonable assurance that:
Results of processing are accurate
Access to output is restricted to authorized personnel
Output is provided to appropriate authorized personnel on a timely basis
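
The input, processing and output controls listed above, applied to a batch of purchase invoices, as an added example that is not part of the original slides. The supplier list, purchase orders, amount limit, batch layout and all function names are constructed assumptions.

```python
from decimal import Decimal, InvalidOperation

# Constructed reference data and limit (assumptions, not from the page).
AUTHORISED_SUPPLIERS = {"S001", "S002"}
PURCHASE_ORDERS = {"PO-100": ("S001", Decimal("250.00")),
                   "PO-101": ("S002", Decimal("90.00"))}
AMOUNT_LIMIT = Decimal("10000.00")  # hypothetical reasonableness ceiling

def rejection_reason(no, supplier, po_no, amount, seen):
    """Input and processing checks; returns None when the invoice passes."""
    if amount is None:
        return "amount not numeric"                  # data conversion
    if no in seen:
        return "duplicate invoice number"            # completeness
    if supplier not in AUTHORISED_SUPPLIERS:
        return "supplier not authorised"             # validity
    po = PURCHASE_ORDERS.get(po_no)
    if po is None or po[0] != supplier:
        return "no matching purchase order"          # validity
    if not Decimal("0") < amount <= AMOUNT_LIMIT:
        return "amount outside limit"                # limit test
    if amount != po[1]:
        return "amount differs from purchase order"  # reasonableness test
    return None

def process_batch(header, invoices):
    """Post valid invoices, log rejections, and agree the batch to its header."""
    posted, rejected, seen, keyed_total = [], [], set(), Decimal("0")
    for no, supplier, po_no, raw_amount in invoices:
        try:
            amount = Decimal(raw_amount)
            amount = amount if amount.is_finite() else None
        except InvalidOperation:
            amount = None
        keyed_total += amount or 0
        reason = rejection_reason(no, supplier, po_no, amount, seen)
        if reason:
            rejected.append((no, reason))  # held for correction and re-submission
        else:
            posted.append((no, amount))
            seen.add(no)
    # Control totals: count and value keyed must agree with the source documents.
    balanced = (len(invoices) == header["count"]
                and keyed_total == header["control_total"])
    return posted, rejected, balanced

# Constructed batch; the header is prepared from three source documents.
HEADER = {"count": 3, "control_total": Decimal("430.00")}
BATCH = [("INV-1", "S001", "PO-100", "250.00"), ("INV-1", "S001", "PO-100", "250.00"),
         ("INV-2", "S009", "PO-101", "90.00"), ("INV-3", "S002", "PO-101", "90.00")]
```

Running `process_batch(HEADER, BATCH)` posts two invoices, rejects the duplicate and the unauthorised supplier, and reports the batch as out of balance because four records were keyed against a header of three.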

GENERAL CONTROL VS. APPLICATION CONTROL
It is important to understand the relationship and difference between application controls and general controls. Otherwise, an application control review may not be scoped appropriately, thereby impacting the quality of the audit and its coverage.
General controls apply to all systems components, processes, and data present in an organization or systems environment.
The objectives of these controls are to ensure the appropriate development and implementation of applications, as well as the integrity of program and data files and of computer operations.

Relationship Between General and Application Controls
General controls are considered general because they are usually implemented to function consistently across all applications, while application controls are built into specific programs or user procedures and would vary from application to application.
The relationship between application controls and general controls can be quite complex, especially in distributed information processing systems where users of the information system share data and processing facilities over networks of computers of various types and sizes.
Application controls are often critically dependent on controls that are not immediately obvious, such as controls over system development, implementation, and maintenance, and controls over physical and electronic access.
