c) The system should be examined periodically (often weekly) by a qualified service technician.
4. Access to computer and data files controls or controls over access to equipment and data files
a) These include the following segregation controls:
1. Access to programs should be limited to those persons who require it in the performance of their duties.
2. Access to data files and programs should be limited to those individuals authorized to process data.
3. Access to computer hardware should be limited to authorized individuals such as computer operators and their
supervisors.
b) Physical access to computer facility controls, which may involve the use of guards, automated
key cards, manual key locks as well as the new access devices that permit access through
fingerprints, palm prints, voice patterns and retina prints.
c) Use of a visitor entry log which documents those who have had access to the area.
1. Input Controls
a) Input controls attempt to ensure the validity, accuracy and completeness of the data entered into the system.
Four Categories of Input Controls
1) Data observation and recording – This involves visual review of source documents.
2) Data transcription – This involves key encoding machine specification especially the critical fields and preparation of data
for computerized processing.
3) Programmed (source program) edit checks – Basic types of checks include routines for examining record files.
a) Control batch or proof totals
b) Completeness check
c) Hash total
d) Limit check
e) Logical (consistency) check
f) Self-checking digit
g) Record count
h) Sequence check
i) Validity check
j) Reasonableness check
b) Control procedures that should be followed in the preparation of input data
are:
1. Systems specifications documenting all necessary steps in the preparation should be written and
used.
2. Serial controls should be logged.
3. Signature approvals should be received and accounted for.
4. A peso-value unit or hash totals should be prepared for a batch or a processing period and
compared by the computer with the totals processed.
5. Data to be entered into the system should be verified.
6. An editing procedure should be followed whereby all input information is compared with tables of
valid codes, tested for the presence of certain alpha or numeric characters, and so forth.
7. Check digits should be used whenever possible.
8. All rejected items in the editing procedure should be listed with references and their disposition
accounted for.
9. Specific procedures should be established for the delivery of data to the computer department.
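An added example, not part of the original notes, showing how the programmed edit checks and batch totals listed above can be run over one input batch to produce an exception listing. The field names, the table of valid department codes, the 60-hour limit and the Luhn check-digit scheme are assumptions of this example; amounts are in centavos and the batch is constructed.

```python
VALID_DEPTS = {"ACCT", "SALES", "PROD"}   # assumed table of valid codes
HOURS_LIMIT = 60                           # assumed limit per pay period
REQUIRED = ("doc_no", "emp_no", "dept", "hours", "amount")

def check_digit_ok(number):
    """Self-checking digit, here the Luhn scheme (an assumption of this example)."""
    if not number.isdigit():
        return False
    total = 0
    for i, d in enumerate(int(ch) for ch in reversed(number)):
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_batch(header, records):
    """Return the exception listing as (doc_no or 'BATCH', failed check) pairs."""
    computed = {                           # recomputed from what was actually keyed in
        "record count": len(records),
        "control total": sum(r.get("amount") or 0 for r in records),
        "hash total": sum(int(r["emp_no"]) for r in records
                          if str(r.get("emp_no")).isdigit()),
    }
    # Batch-level checks: compare with the totals prepared before data entry.
    exceptions = [("BATCH", n) for n, v in computed.items() if v != header[n]]
    prev = None
    for r in records:
        doc = r.get("doc_no")
        if any(r.get(f) in (None, "") for f in REQUIRED):
            exceptions.append((doc, "completeness check"))
            continue
        checks = (
            ("sequence check", prev is None or doc == prev + 1),
            ("self-checking digit", check_digit_ok(str(r["emp_no"]))),
            ("validity check", r["dept"] in VALID_DEPTS),
            ("limit check", 0 < r["hours"] <= HOURS_LIMIT),
        )
        exceptions += [(doc, name) for name, ok in checks if not ok]
        prev = doc
    return exceptions

# Constructed batch: document 503 was lost and 504 was keyed with errors.
HEADER = {"record count": 5, "control total": 6550000, "hash total": 50174}
BATCH = [
    {"doc_no": 501, "emp_no": "10017", "dept": "ACCT", "hours": 40, "amount": 1500000},
    {"doc_no": 502, "emp_no": "10025", "dept": "SALES", "hours": 45, "amount": 1800000},
    {"doc_no": 504, "emp_no": "10035", "dept": "HR", "hours": 72, "amount": 900000},
    {"doc_no": 505, "emp_no": "10041", "dept": "PROD", "hours": 38, "amount": 1250000},
]
```

Calling `edit_batch(HEADER, BATCH)` returns the rejected items with the check each one failed, which is the list whose disposition item 8 requires to be accounted for.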
2. Processing Controls
- these controls focus on the manipulation of accounting data after they are input to the computer system.
a) File labels – designed to avert accidental erasure of live data and to ensure that proper files are used.
External labels – can be read visually and are attached to the exterior of containers holding the files.
Internal labels – are located as the first record at the beginning of a file and are machine readable.
b) Trailer labels – are program-generated control totals and predetermined controls that are printed out on
labels at the end of a processing run for verification.
c) Sequence tests – are generally used to determine that files to be merged are arranged in the same order, and
to detect any numbers missing from batches of sequentially numbered items.
d) Proof totals – generally used in batch-processing systems to detect whether data are lost.
▪ Monetary totals
▪ Document or records counts
e) Cross-footing tests are used to check the interrelationships of various totals.
f) Exception listings are used when data are rejected for processing.
g) Transmittal record should be logged so that the flow of data to be processed
can be controlled.
h) A record should be logged for each processing run showing the files used,
time consumed, machine halts, operator actions, and other relevant data.
i) Console messages should be written into the source program to alert the
operator to conditions that need attention.
3. Output Controls
- these govern the accuracy and reasonableness of the output of data processing and
prevent unauthorized use of output.
a) Error log
b) Follow-up control totals
c) Distribution log (transmittal log)
d) Audit trail storage
e) Visual review for apparent reasonableness and completeness.
f) Exceptions should be properly handled.
g) Complete resubmission of corrected errors should be assured.
h) Provision should be made to see that all output reports are delivered on time and to authorized
destinations.
i) Users should be periodically queried about their continued need for the output.
j) Shred sensitive documents.
1. Input Manipulation
- Input documents are improperly altered or revised without authorization.
Prevention:
a) Data input formats properly documented and authorized.
b) Programs designed to accept only certain inputs from designated users, locations, terminals and/or times of the
day
2. Program Alteration
- The program coding is revised for fraudulent purposes.
Prevention:
a) Programmers should only make changes to copies of production source programs and data files, never to the
actual production files.
b) Computer operators should not have direct access to production programs or data files.
c) Internal audit or some independent group should have copies of the official programs, or access to master
programs, so as to periodically process actual data and compare the output with output obtained from normal
operations. Any output changes would be indicative of unauthorized program changes.
d) Periodic comparisons of on-line programs to off-line backup copies to detect changes.
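An added example, not part of the original notes, of the periodic comparison in item d): each on-line program is hashed with SHA-256 and compared against the off-line backup copy, reporting changed, added and missing programs. The directory layout and file names are constructed for the demonstration; the backup copy is assumed to be held by an independent group, as item c) describes.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map each file path (relative to root) to the SHA-256 digest of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_backup(production_dir, backup_dir):
    """Report programs that differ between production and the off-line copy."""
    prod, ref = digest_tree(production_dir), digest_tree(backup_dir)
    return {
        "changed": sorted(n for n in prod.keys() & ref.keys() if prod[n] != ref[n]),
        "added": sorted(prod.keys() - ref.keys()),
        "missing": sorted(ref.keys() - prod.keys()),
    }

def demo():
    """Constructed trees: payroll.py altered, report.py added, tax.py removed."""
    backup_files = {"payroll.py": "RATE = 100\n", "ledger.py": "POST = True\n",
                    "tax.py": "WITHHOLD = 0.10\n"}
    prod_files = {"payroll.py": "RATE = 110\n", "ledger.py": "POST = True\n",
                  "report.py": "COPY_TO = 'unknown'\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("backup", backup_files), ("production", prod_files)):
            Path(tmp, name).mkdir()
            for fname, text in files.items():
                Path(tmp, name, fname).write_text(text)
        return compare_to_backup(Path(tmp, "production"), Path(tmp, "backup"))

if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```

Any non-empty entry in the report is a difference to reconcile against an authorized change record before it is accepted.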
3. File Alteration
- occurs when the defrauder revises specific data or manipulates data files.
Prevention:
a) Restrict access to the computer center.
b) Programmers, analysts, and computer operators should not have direct access to production data files.
c) Production data files are maintained in a library under the control of a librarian or database administrator.
d) Computer operators should not have access to applications documentation, except where needed to perform
their duties, to minimize their ability to modify programs and data files.
4. Data Theft
- can be accomplished by data interception or smuggling out computer data files or hard
copies of reports/files.
Prevention:
a) Electronic sensitization of all library materials for detection if unauthorized removal from the library is
attempted.
b) Tapping of transmitted data is minimized by encrypting sensitive data transmissions.
5. Sabotage
- The physical destruction of hardware or software.
Prevention:
a) Terminated employees are immediately denied access to all computer equipment and
information to prevent their ability to destroy or alter equipment or files.
b) Maintain back-up files at secure off-site locations.