
CHAPTER 30

Presented by: Merrill O. Saflor, 5-BSA


Controls – refer to measures or techniques that prevent, detect and/or correct conditions that
may lead to loss or damage to the business firm.

Reasons why computers can cause control problems
1. Effects of errors may be magnified
2. Inadequate separation of duties because of decreased manual involvement
3. Audit trails may be undermined
4. Human judgment is bypassed
5. Changes to data and programs may be made by individuals lacking knowledge
6. More individuals may have access to accounting data

Classification of Computer Controls
1. General Controls
2. Application Controls

General Controls – are measures that ensure that a company’s control
environment is stable and well managed.

1. Organizational or Personnel Controls
- the plan of the organization and operation of the EDP activity.
a) These will involve separation of incompatible duties; at a minimum,
segregate programming, operations, and the library functions within
the information systems department.
One way to separate key functions is as follows:
1. Systems analysis
2. Systems programming
3. Applications programming
4. Database administration
5. Data preparation
6. Operations
7. Data library
8. Data control
b) Companies may use separate computer accounts that are assigned to users on either a group or individual
basis. This will also involve the use of PASSWORDS and CALL-BACK PROCEDURES to restrict access
from remote terminals.

2. File Security/Software Controls
- the procedures for documenting, reviewing, testing and approving systems for
programs and changes thereto to protect computer files from accidental or
intentional abuse.
These will require:
1. Documentation of all programs, procedures and operating investments.
2. Segregation of duties as to
a. Systems design and operation
b. Testing of new systems and operations
3. Approval of new programs and changes to programs by management, users and information systems personnel.
4. Library control of all master and transaction file conversions to prevent unauthorized changes and to verify the
accuracy of the results.
5. Back-up storage of software off-premises.

3. Hardware Controls
a) These involve built-in controls in the computers by the manufacturer which will detect machine
malfunction.

b) Most common types of built-in controls
1. Parity check
2. Duplicate reading
3. Echo check
4. Dual circuitry
5. Interlock
6. Boundary protection
7. File protection ring
8. Validity test

c) The system should be examined periodically (often weekly) by a qualified service technician.
4. Access to computer and data files controls or controls over access to equipment and data
files
a) These will include the following segregation controls:
1. Access to programs should be limited to those persons who require it in the performance of their duties.
2. Access to data files and programs should be limited to those individuals authorized to process data.
3. Access to computer hardware should be limited to authorized individuals such as computer operators and their
supervisors.
b) Physical access to computer facility controls which may involve the use of guards, automated
key cards, manual key locks as well as the new access devices that permit access through
fingerprints, palm prints, voice patterns and retina prints.
c) Use of a visitor entry log which documents those who have had access to the area.
d) Use of an identification code and a confidential password to control access to software.
e) Use of “call back”, which is a specialized form of user identification
in which the user
1) Dials the system
2) Identifies him/herself
3) Is disconnected from the system
Then either
1) An individual manually finds the authorized telephone number, or
2) The system automatically finds the authorized telephone number of the
individual and calls back.
f) Use of “encryption” where data is encoded when stored in computer
files and/or transmitted from remote locations.
5. Other data and procedural controls including security and
disaster controls (fault-tolerant systems, backup, and contingency
planning)
a) Physical Security
1. Fireproof storage
2. Backup for the vital documents, files and programs.
b) Contingency planning which includes the development of a formal
disaster recovery plan.
c) Insurance should also be obtained to compensate the company for losses
when they occur.

Application Controls – pertain directly to the transaction processing systems. Their objectives are to prevent, detect and correct errors
and irregularities in transactions that are processed in an IT environment.

1. Input Controls
a) Input controls attempt to ensure the validity, accuracy and completeness of the data entered into the system.
Four Categories of Input Controls
1) Data observation and recording – This involves visual review of source documents.
2) Data transcription – This involves key encoding machine specification especially the critical fields and preparation of data
for computerized processing.
3) Programmed (source program) edit checks – Basic types of checks include routines for examining record files.
a) Control batch or proof totals
b) Completeness check
c) Hash total
d) Limit check
e) Logical (consistency) check
f) Self-checking digit
g) Record count
h) Sequence check
i) Validity check
j) Reasonableness check
b) Control procedures that should be followed in the preparation of input data
are:
1. Systems specifications documenting all necessary steps in the preparation should be written and
used.
2. Serial controls should be logged.
3. Signature approvals should be received and accounted for.
4. A peso-value unit or hash totals should be prepared for a batch or a processing period and
compared by the computer with the totals processed.
5. Data to be entered into the system should be verified.
6. An editing procedure should be followed whereby all input information is compared with tables of
valid codes, tested for the presence of certain alpha or numeric characters, and so forth.
7. Check digits should be used whenever possible.
8. All rejected items in the editing procedure should be listed with references and their disposition
accounted for.
9. Specific procedures should be established for the delivery of data to the computer department.
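The programmed edit checks listed above (control/proof total, hash total, record count, sequence check, self-checking digit, validity, limit and reasonableness checks) can all be run by one editing routine before a batch is accepted for processing. The following is an added example, not code from the chapter: the record layout, the batch header fields, the account table, the hours limit, the hourly rate and the sample batch are all assumptions constructed for the illustration, and the self-checking digit is the mod-10 (Luhn) scheme.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    seq: int          # serial number of the source document
    employee_id: str  # identifier whose last digit is a mod-10 (Luhn) check digit
    account: str      # expense account code; must appear in VALID_ACCOUNTS
    hours: int        # hours worked in the pay period
    amount: float     # peso amount to be posted


@dataclass(frozen=True)
class BatchHeader:
    record_count: int   # documents counted by the preparer
    proof_total: float  # amounts footed by the preparer (control/proof total)
    hash_total: int     # account codes footed by the preparer (hash total)


# Assumed reference data for the checks (constructed for this example)
VALID_ACCOUNTS = {"5010", "5020", "5030", "5080"}
HOURS_LIMIT = 80             # limit check: no one works more than this per period
MAX_HOURLY_RATE = 500.0      # reasonableness check: amount should not exceed hours * rate

EditException = Tuple[str, Optional[int], str]  # (check name, record seq or None, detail)


def luhn_ok(digits: str) -> bool:
    """Self-checking digit: mod-10 (Luhn) verification of an identifier."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_batch(header: BatchHeader, records: List[Record]) -> List[EditException]:
    """Run the programmed edit checks; an empty exception list means the batch is accepted."""
    exc: List[EditException] = []
    # Batch-level checks: record count, proof (control) total, hash total, sequence
    if len(records) != header.record_count:
        exc.append(("record_count", None, f"{len(records)} records, header says {header.record_count}"))
    proof = round(sum(r.amount for r in records), 2)
    if proof != round(header.proof_total, 2):
        exc.append(("proof_total", None, f"amounts foot to {proof}, header says {header.proof_total}"))
    hash_total = sum(int(r.account) for r in records if r.account.isdigit())
    if hash_total != header.hash_total:
        exc.append(("hash_total", None, f"account codes foot to {hash_total}, header says {header.hash_total}"))
    seqs = [r.seq for r in records]
    for prev, cur in zip(seqs, seqs[1:]):
        if cur != prev + 1:
            exc.append(("sequence", cur, f"break between {prev} and {cur}"))
    # Record-level checks: completeness, self-checking digit, validity, limit, reasonableness
    for r in records:
        if not r.employee_id or not r.account:
            exc.append(("completeness", r.seq, "employee_id or account missing"))
            continue
        if not luhn_ok(r.employee_id):
            exc.append(("check_digit", r.seq, f"employee_id {r.employee_id} fails mod-10"))
        if r.account not in VALID_ACCOUNTS:
            exc.append(("validity", r.seq, f"account {r.account} not in table"))
        if r.hours > HOURS_LIMIT:
            exc.append(("limit", r.seq, f"hours {r.hours} exceed {HOURS_LIMIT}"))
        if r.amount > r.hours * MAX_HOURLY_RATE:
            exc.append(("reasonableness", r.seq, f"amount {r.amount} too large for {r.hours} hours"))
    return exc


# Constructed batch: the preparer footed the third document with account 5080,
# but it was keyed as 5099, so both the hash total and the validity check catch it.
SAMPLE_HEADER = BatchHeader(record_count=4, proof_total=42500.00, hash_total=20140)
SAMPLE_BATCH = [
    Record(1001, "100115", "5010", 40, 12000.00),
    Record(1002, "100124", "5020", 40, 12000.00),  # check digit wrong (100123 is valid)
    Record(1004, "100131", "5099", 95, 9000.00),   # seq 1003 missing; bad account; over limit
    Record(1005, "100149", "5030", 8, 9500.00),    # 9500 for 8 hours is not reasonable
]

if __name__ == "__main__":
    for check, seq, detail in edit_batch(SAMPLE_HEADER, SAMPLE_BATCH):
        print(f"{check:<14} seq={seq} {detail}")
```

Every rejected item comes back with its document number and the check that rejected it, which is the reference the exception listing in step 8 needs so that each item's disposition can be accounted for.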
2. Processing Controls
- these controls focus on the manipulation of accounting data after they are input to the computer system.
a) File labels – designed to avert accidental erasure of live data and to ensure that proper files are used.
▪ External labels – can be read visually and are attached to the exterior of containers holding the files.
▪ Internal labels – are located as the first record at the beginning of a file and are machine readable.
b) Trailer labels – are program-generated control totals and predetermined controls that are printed out on
labels at the end of a processing run for verification.
c) Sequence tests – are generally used to determine that files to be merged are arranged in the same order, and
to detect any numbers missing from batches of sequentially numbered items.
d) Proof totals – generally used in batch-processing systems to detect whether data are lost.
▪ Monetary totals
▪ Document or record counts
e) Cross-footing tests are used to check the interrelationships of various totals.
f) Exception listings are used when data are rejected for processing.
g) Transmittal records should be logged so that the flow of data to be processed
can be controlled.
h) A record should be logged for each processing run showing the files used,
time consumed, machine halts, operator actions, and other relevant data.
i) Console messages should be written into the source program to alert the
operator to conditions that need attention.
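Three of the processing controls above (internal file labels, trailer-label control totals and cross-footing tests) are shown together in the following added example, which is not code from the chapter. It works on a constructed sequential payroll file whose layout (a header label record, pipe-separated detail records of department, regular pay and overtime pay, and a trailer record with count and totals) and figures are assumptions made for the illustration.

```python
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sequential file: internal header label (file id, creation date),
# detail records (department, regular pay, overtime pay), and a trailer label
# carrying the record count and control totals written at the end of the
# run that created the file.
SAMPLE_FILE = """\
HDR|PAYMAST|2024-03-15
DTL|D01|12000.00|1500.00
DTL|D01|8000.00|0.00
DTL|D02|9500.00|500.00
TRL|3|29500.00|2000.00
"""


def parse(text: str) -> List[List[str]]:
    """Split the file into records of pipe-separated fields."""
    return [line.split("|") for line in text.splitlines() if line.strip()]


def check_internal_label(records: List[List[str]], expected_file_id: str, expected_date: str) -> bool:
    """Internal label check: the first record must identify the file the run expects,
    so an operator cannot mount the wrong file without the program noticing."""
    hdr = records[0]
    return hdr[0] == "HDR" and hdr[1] == expected_file_id and hdr[2] == expected_date


def check_trailer(records: List[List[str]]) -> List[str]:
    """Trailer label check: recompute the record count and control totals from the
    detail records and compare them with the totals stored in the trailer."""
    details = [r for r in records if r[0] == "DTL"]
    trl = records[-1]
    if trl[0] != "TRL":
        return ["trailer record missing"]
    problems = []
    if int(trl[1]) != len(details):
        problems.append(f"record count {len(details)} != trailer {trl[1]}")
    regular = sum(Decimal(r[2]) for r in details)
    overtime = sum(Decimal(r[3]) for r in details)
    if regular != Decimal(trl[2]):
        problems.append(f"regular pay total {regular} != trailer {trl[2]}")
    if overtime != Decimal(trl[3]):
        problems.append(f"overtime total {overtime} != trailer {trl[3]}")
    return problems


def summarize(records: List[List[str]]) -> List[Tuple[str, Decimal, Decimal, Decimal]]:
    """Department summary rows as a report program would foot them:
    (department, regular, overtime, row total)."""
    totals: Dict[str, Tuple[Decimal, Decimal]] = {}
    for r in records:
        if r[0] != "DTL":
            continue
        reg, ot = totals.get(r[1], (Decimal(0), Decimal(0)))
        totals[r[1]] = (reg + Decimal(r[2]), ot + Decimal(r[3]))
    return [(dept, reg, ot, reg + ot) for dept, (reg, ot) in sorted(totals.items())]


def cross_foot(rows) -> List[str]:
    """Cross-footing test: every row must foot across (regular + overtime == total),
    and the footed columns must agree with the footed row-total column."""
    problems = [f"{dept}: {reg} + {ot} != {tot}" for dept, reg, ot, tot in rows if reg + ot != tot]
    col_reg = sum(r[1] for r in rows)
    col_ot = sum(r[2] for r in rows)
    col_tot = sum(r[3] for r in rows)
    if col_reg + col_ot != col_tot:
        problems.append(f"columns do not cross-foot: {col_reg} + {col_ot} != {col_tot}")
    return problems


if __name__ == "__main__":
    recs = parse(SAMPLE_FILE)
    print("label ok:", check_internal_label(recs, "PAYMAST", "2024-03-15"))
    print("trailer problems:", check_trailer(recs))
    print("cross-foot problems:", cross_foot(summarize(recs)))
```

Amounts are handled as Decimal rather than float so that control totals compare exactly; a trailer mismatch of a single centavo must be reported, not rounded away.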
3. Output Controls
- these govern the accuracy and reasonableness of the output of data processing and
prevent unauthorized use of output.
a) Error log
b) Follow-up control totals
c) Distribution log (transmittal log)
d) Audit trail storage
e) Visual review for apparent reasonableness and completeness.
f) Exceptions should be properly handled.
g) Complete resubmission of corrected errors should be assured.
h) Provision should be made to see that all output reports are delivered on time and to authorized
destinations.
i) Users should be periodically queried for the continued needs for the output
j) Shred sensitive documents.
1. Input Manipulation
- Input documents are improperly altered or revised without authorization.
Prevention:
a) Data input formats properly documented and authorized.
b) Programs designed to accept only certain inputs from designated users, locations, terminals and/or times of the
day

2. Program Alteration
- The program coding is revised for fraudulent purposes.
Prevention:
a) Programmers should only make changes to copies of production source programs and data files, never to the
actual production files.
b) Computer operators should not have direct access to production programs or data files.
c) Internal audit or some independent group should have copies of the official programs, or access to master
programs, so as to periodically process actual data and compare the output with output obtained from normal
operations. Any output changes would be indicative of unauthorized program changes.
d) Periodic comparisons of on-line programs to off-line backup copies to detect changes.
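Control d) above, the periodic comparison of on-line programs with off-line backup copies, can be automated by hashing every program file in both locations and reporting what differs. The following is an added example, not code from the chapter: the directory layout, the program file names and their contents are constructed for the illustration, and the comparison is by SHA-256 digest.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large program libraries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def compare_manifests(online: Dict[str, str], offline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the on-line (production) programs and the
    off-line backup: changed programs, programs that exist only on-line, and
    programs missing from production."""
    return {
        "modified": sorted(p for p in online if p in offline and online[p] != offline[p]),
        "added": sorted(p for p in online if p not in offline),
        "missing": sorted(p for p in offline if p not in online),
    }


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: identical on-line and off-line copies, after which one
    on-line program is changed and an extra program appears in production."""
    with tempfile.TemporaryDirectory() as tmp:
        offline = os.path.join(tmp, "offline")
        online = os.path.join(tmp, "online")
        programs = {  # constructed program library (file names and contents are made up)
            "payroll/calc.cbl": b"COMPUTE NET = GROSS - TAX.\n",
            "ar/post.cbl": b"ADD AMT TO BALANCE.\n",
        }
        for root in (offline, online):
            for rel, body in programs.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(body)
        # Simulate what the comparison is meant to catch: a changed production
        # program and a program that has no counterpart in the off-line copy.
        with open(os.path.join(online, "payroll", "calc.cbl"), "wb") as f:
            f.write(b"COMPUTE NET = GROSS - TAX - ADJ.\n")
        with open(os.path.join(online, "payroll", "patch.cbl"), "wb") as f:
            f.write(b"DISPLAY 'UNREVIEWED'.\n")
        return compare_manifests(build_manifest(online), build_manifest(offline))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:<9}{paths}")
```

The off-line manifest should be taken from the copy held by the library or by internal audit (control c), not from a file the programmers or operators can write to, otherwise the baseline can be altered together with the program.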
3. File Alteration
- occurs when the defrauder revises specific data or manipulates data files.
Prevention:
a) Restrict access to the computer center.
b) Programmers, analysts, and computer operators should not have direct access to production data files.
c) Production data files are maintained in a library under the control of a librarian or database administrator.
d) Computer operators should not have access to applications documentation, except where needed to perform
their duties, to minimize their ability to modify programs and data files.

4. Data Theft
- can be accomplished by data interception or smuggling out computer data files or hard
copies of reports/files.
Prevention:
a) Electronic sensitization of all library materials for detection if unauthorized removal from the library is
attempted.
b) Tapping transmitted data minimized by encrypting sensitive data transmissions.
5. Sabotage
- The physical destruction of hardware or software.
Prevention:
a) Terminated employees immediately denied access to all computer equipment and
information to prevent their ability to destroy or alter equipment or files.
b) Maintain back-up files at secure off-site locations.

6. Theft of Computer Time
- means unauthorized use of a company’s computer.
Prevention:
a) Assigning blocks of time to processing jobs with operating system blockage to the
user once the allocated time is exhausted. Any additional time would require special
authorization.
