Internal Control III Computer related issues October 20, 2009


Page 1: Internal Control III Computer related issues October 20, 2009

Internal Control III: Computer related issues

October 20, 2009

Page 2

Today we will…

1. Review some of the control exposures that relate to computerized environments.

2. Compare computerized and non-computerized control issues.

3. Discuss some controls that are specific to computerized environments.

4. Discuss ERP systems and the control issues they present.

Page 3

Exposures in a computerized environment

1. Errors in data entry.

2. Natural catastrophes.

3. Theft or fraud using a computer.

4. Theft of equipment and unauthorized use.

5. Theft of data.

6. Viruses.

Page 4

Errors in data entry

Any time we have a human and a computer interact, there is a possibility of miscommunication because we don’t speak the same language.

1. Data entry personnel do not understand the interface.

2. Data entry personnel make “typing” mistakes.

3. Data entry personnel enter incomplete information.

What can be done about these problems?

Page 5

Reducing data entry errors

• Use encoded turnaround documents when possible. (preventive control)

• Make manual entry as intuitive as possible. (preventive control)

• Use UPC or RFID codes when possible. (preventive control)

• Include data checks and feedback - such as showing full customer name and address when a customer’s “number” is input. (detective control)

Page 6

Natural catastrophes

• I include in this category all technical breakdowns that are not attributable to operator error or fraud. Power outages or network failure are examples.

• We need corrective plans here - since these are unintentional and unforeseeable in a specific sense (you can foresee the possibility, but not the specific occurrence).

• We look for either backup and recovery plans or an alternative system. Many vendors offer downtimes of an hour or less (such as Oracle).

• How often do you save your files and how many “past” generations do you keep?

Page 7

Theft or fraud using a computer

• The first two exposures related to unintentional errors or problems in a computerized environment. Now we will discuss theft and fraud in a computerized environment.

• Computerized environments are especially vulnerable to theft and fraud because you cannot “see” the data. With complex data structures, it is sometimes difficult to put the data back together (one of the tasks of the A523 project) in the desired way - because different components of a transaction are, perhaps, stored in different files - even different servers.

• In addition, access to the records may occur from another location.

Page 8

How is theft perpetrated?

1. A programmer might include code that diverts money to them directly or that allows them re-entry (a trojan horse).

2. A hacker might, from a remote location, break into the system using stolen or guessed passcodes and steal company resources.

3. A user might steal cash or other assets and then find a way to alter the accounting database records to hide the theft.

Page 9

How can theft be prevented?

1. Programs should be ‘tested’ and the original programs should be kept in a secure place for comparison. In other words, you can’t just audit around the computer. The programs themselves need to be periodically reviewed. This ensures the integrity of the programming and keeps programmers from successfully stealing from the company.

2. Sophisticated network security is essential for the protection of computerized systems. Have you noticed that your computer has to be registered in order to use it on campus? If you can control access to certain areas by requiring the access be obtained only by recognized computers, then you have created a responsibility chain. In addition, encrypted information transmission is essential for sensitive data.

3. Access to recording should be restricted to authorized personnel. Entries should never be able to be deleted without an audit trail. Each user should only see the “areas” for which they are authorized in menu-driven systems.

Page 10

Theft of equipment and unauthorized use

Computer assets (the physical assets) are valuable and typically contain important information.

We used to be concerned about people using our hardware without being authorized - computer “time” was unbelievably expensive. An hour of CPU time used to cost many thousands of dollars. That has changed with the change in computer architecture.

Laptops are easy to steal, as are palm pilots and other equipment. Such equipment is now independent (stand-alone equipment).

Page 11

Preventing unauthorized access and equipment theft

1. Equipment should be locked up if possible (physical access should be restricted). In the case of laptops, responsibility for security should be assigned to an individual.

2. Access to files should be restricted by password and physical access requirements and limited to activities that leave a trail.

3. Many companies have “computer logs” generated to see if employees are misusing their computers (for pornography or playing games).

Page 12

Theft of data

1. Theft of sensitive data is an important problem in the computerized environment - partially because it is not always evident that it was taken.

2. Hackers broke into a bank computer and stole customer credit information and used it to steal customer identities.

3. A company engaged in industrial espionage by stealing another company’s proprietary data.

Page 13

Viruses

Viruses can shut down the availability of a computer (causing a business interruption). They can also destroy important files.

Page 14

Comparison of computerized and non-computerized control issues: Data Collection

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Data Collection | Data recorded on paper source documents | Data sometimes captured without use of source documents | Audit trail may be partially lost | Printed copies of source documents prepared by computer system |
| Data Collection | Data reviewed for errors by clerks | Data often not subject to review | Errors, accidental or deliberate, may be entered for processing | Edit checks performed by computer system |

Page 15

Comparison of computerized and non-computerized control issues: Data processing

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Data processing | Processing steps performed by clerks who can use judgment | Processing steps performed by CPU instructions - no judgment | Errors may cause incorrect results of processing | Outputs reviewed by users of computer system; carefully developed computer processing programs |
| Data processing | Processing steps spread among various clerks in separate departments | Processing steps concentrated | Unauthorized manipulation of data and theft of assets can occur on larger scale | Restricted access to computer facilities; clear procedure for authorizing changes to programs. |

Page 16

Comparison of computerized and non-computerized control issues: Data processing

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Data processing | Processing requires use of journals and ledgers. | Processing does not require journals. | Audit trail may be partially lost | Printed journals and other analyses. |
| Data processing | Processing performed rather slowly | Processing performed very rapidly | Effect of errors may spread rapidly throughout files | Editing of all data during input and processing steps. |

Page 17

Comparison of computerized and non-computerized control issues: Data Storage and retrieval

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Data Storage and retrieval | Data stored in file drawers throughout various departments | Data compressed on magnetic (or optical) media | Data may be accessed by unauthorized persons or stolen | Security measures at points of access and over data library. |
| Data Storage and retrieval | Data stored on hard copies in human readable form | Data stored in invisible, erasable, computer-readable form. | Data are temporarily unusable by humans and might possibly be lost | Data files printed periodically; backups of files; protection against sudden power losses |

Page 18

Comparison of computerized and non-computerized control issues: Data Storage and retrieval

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Data Storage and retrieval | Stored data accessible on a piece-meal basis at various locations | Stored data often readily accessible from various locations via network | Data may be accessed by unauthorized persons | Security measures at points of access. |

Page 19

Comparison of computerized and non-computerized control issues: Information generation

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Information generation | Outputs generated laboriously and usually in small volumes | Outputs generated quickly and neatly, often in large volumes | Inaccuracies may be buried in impressive-looking outputs that users accept on faith. | Reviews by users of outputs including the checking of amounts. |
| Information generation | Outputs usually in hard-copy form. | Outputs provided in various forms, including soft-copy displays and voice responses. | Information stored on magnetic media is subject to modification (only hard copy provides permanent record). | Backups of files; periodic printing of stored files onto hard-copy records. |

Page 20

Comparison of computerized and non-computerized control issues: Translation of data and information

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Translation of data and information | Usually transmitted via postal service and hand delivery | Often transmitted by communication lines | Data may be accessed or modified or destroyed by unauthorized persons. | Security measures over transmission lines; coding of data; verification of transmitted data. |

Page 21

Comparison of computerized and non-computerized control issues: Equipment

| Element or Activity | Manual System Characteristics | Computer-Based System Characteristics | Risk Exposures | Compensating Controls |
|---|---|---|---|---|
| Equipment | Relatively simple, inexpensive and mobile | Relatively complex, expensive and (sometimes) in fixed locations | Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed or stolen; operations may be delayed through inefficiencies. | Backup of data and power supply and equipment; preventative maintenance of equipment; restriction on access to facilities; documentation of equipment usage and processing procedures. |

Page 22

Controls in computerized environments

1. Data entry using prerecorded data

2. Edit checks (data checks)

3. Batch processing controls

4. Access controls

5. Computer generated (and numbered) forms

Page 23

Data entry using prerecorded data

• Data entry of turnaround documents, particularly if they are machine readable, is less prone to error. UPC codes at the grocery store are an example, as is a magnetically encoded remittance advice.

• In addition, when an item (a remittance advice or an item at the grocery store) is scanned in, some display containing reconcilable information is typically provided, further minimizing the potential for erroneous data entry.

Page 24

Edit checks

• When data are entered, the data codes frequently contain a check digit that makes sure that the data were entered (and stored) correctly.

– When the number 42306 is stored in a database, an additional digit might be added to the end: 6. 4+2+3+0+6=15, and 1+5=6, so the number would be stored as 423066 (this is an intuitive analogy to what is actually happening).

• This can be used for any data, since any data can be converted to a numeric value (we call the code ASCII).

• Also, we do “reasonableness” checks on the data - amount sizes, formats, etc.
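The two check-digit ideas above, worked in Python as an added example (not from the lecture): the slide's digital-root analogy beside the weighted mod-10 check digit that UPC-A barcodes actually use, with comments on which keying errors each scheme catches and misses.

```python
"""Check digits as an edit control: the slide's digital-root analogy beside the
weighted mod-10 check digit used by UPC-A barcodes. Added example, not from the
lecture; SAMPLE_UPC is a sample code used only to exercise the functions."""

def digital_root(digits):
    """Sum the digits repeatedly until one digit remains (42306 -> 15 -> 6)."""
    n = sum(int(d) for d in digits)
    while n >= 10:
        n = sum(int(d) for d in str(n))
    return n

def append_root_check(digits):
    """Store the value with its digital root appended, as on the slide."""
    return digits + str(digital_root(digits))

def verify_root_check(stored):
    """Recompute the root of the stored value and compare it with the last digit."""
    return digital_root(stored[:-1]) == int(stored[-1])

def upc_check_digit(payload):
    """UPC-A: digits in odd positions (1st, 3rd, ...) weigh 3, even positions weigh 1."""
    if len(payload) != 11 or not payload.isdigit():
        raise ValueError("UPC-A payload must be 11 digits")
    total = sum(int(d) * (3 if i % 2 == 0 else 1) for i, d in enumerate(payload))
    return (10 - total % 10) % 10

def verify_upc(code):
    """A 12-digit UPC-A code verifies when its last digit matches the computed check."""
    return len(code) == 12 and code.isdigit() and upc_check_digit(code[:11]) == int(code[11])

def catches(verify, good, bad):
    """True if the scheme accepts the correctly keyed value and rejects the corrupted one."""
    return verify(good) and not verify(bad)

SAMPLE_UPC = "036000291452"  # sample code; payload 03600029145 yields check digit 2

# Limits worth knowing: the digital root misses transpositions (42306 vs 24306)
# and 0<->9 substitutions; the UPC weights catch every single-digit error but miss
# adjacent transpositions of two digits that differ by 5 (e.g. 16 <-> 61).
```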

Page 25

Batch processing controls

• Batch totals

– Record counts and line counts

– Document counts

– Dollar totals (the total of Cash Receipts)

– Hash totals (like an edit check)

• Sequence checks

• Written approvals

Page 26

Access controls

• We need to limit access to our access data. We do this 3 ways:

– Limit physical access: only networked computers can access the system.

– Limit individuals’ access using passwords.

– Prohibit direct access to the files (require that all file access be through software that leaves an audit trail).

• You should never be able to delete journal entries!
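An append-only journal in Python illustrating this rule and the audit-trail requirement on page 9: an entry is cancelled by a reversing entry that names the original, never deleted, and only authorized users may post. Added example, not from the lecture; the user names and entries are constructed.

```python
"""Append-only journal: entries are reversed, never deleted, so every correction
leaves an audit trail, and only authorized users may post. Added example, not the
lecture's code; the user names and entries below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Entry:
    seq: int                        # position in the journal, assigned on append
    account: str
    amount_cents: int               # positive = debit, negative = credit
    posted_by: str
    posted_at: str                  # UTC timestamp, part of the trail
    reverses: Optional[int] = None  # seq of the entry this one cancels

class Journal:
    """There is deliberately no delete method: the entry list only ever grows."""
    def __init__(self, authorized):
        self._entries = []
        self._authorized = set(authorized)

    def post(self, user, account, amount_cents, reverses=None):
        if user not in self._authorized:
            raise PermissionError(f"{user} is not authorized to post entries")
        entry = Entry(len(self._entries) + 1, account, amount_cents, user,
                      datetime.now(timezone.utc).isoformat(), reverses)
        self._entries.append(entry)
        return entry

    def reverse(self, user, seq):
        """Cancel entry `seq` by posting its negation; the original stays visible."""
        if any(e.reverses == seq for e in self._entries):
            raise ValueError(f"entry {seq} has already been reversed")
        original = self._entries[seq - 1]
        return self.post(user, original.account, -original.amount_cents, reverses=seq)

    def balance(self, account):
        return sum(e.amount_cents for e in self._entries if e.account == account)

    def audit_trail(self):
        """(seq, who, amount, reverses) for every entry, reversals included."""
        return [(e.seq, e.posted_by, e.amount_cents, e.reverses) for e in self._entries]

    def __len__(self):
        return len(self._entries)
```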

Page 27

Computer generated forms

• Whenever documents such as purchase orders or sales orders or invoices are computerized…

– The numbering system is protected. Individuals cannot manipulate the numbering system.

– Whatever information is on the document is in the database (by construction).

– Reconciliation is easier.

• Copies can be printed out for a permanent record.

Page 28

ERPs

• Enterprise Resource Planning systems (ERPs) are the current technological frontier. They are basically a database that encompasses most or all of the organization’s information storage and processing.

• Indiana University uses such a system from a vendor called PeopleSoft. Other notable vendors are SAP and Oracle. OneStart is the student and faculty interface for this system. Your grades and my paycheck are both generated from this software package.

• ERPs are quite powerful tools, but they have their own control issues.

Page 29

ERPs

• Employee buy-in and training are essential.

• There is only one system and it is BIG.

• Since everything is in this one system, if someone were to find a way to compromise the system (get in where they are unauthorized), they would have unbelievable power to steal or do damage.

• The system is so big that it is impossible for most managers (or auditors) to really understand how it works.