Learn Internal control
Internal control objectives

1-Effectiveness & efficiency of operations
2-Reliability of financial reporting
3-Compliance with laws & regulations
4-Safeguarding Assets


Internal control 5 components (mnemonic: CRIME = Control environment, Risk assessment, Information & communication, Monitoring, Existing control activities)

1-Control Environment
2-Risk assessment
3-Control Activities
4-Monitoring
5-Information & communication

Classifications of system controls

General Controls
1-Organization & Operation
2-Procedures & Documentation
3-Access control
4-Hardware control

Application Controls
1-Input Controls
2-Processing Controls
3-Output Controls
4-Storage Controls


1st General Controls
General controls are designed to ensure that the company's control environment is stable and well managed. They include controls over the development, modification and maintenance of computer programs.
1-Organization & Operation
Including segregation of duties within the computer department and from other departments, as follows:

System Analyst
Responsible for reviewing the current system to make sure that it meets the needs of the organization.
Reviews the current system and provides design specifications to the programmer.
Should not do programming, nor have access to hardware, software or data files.

Programmer
Writes, tests and documents the system. Can modify programs, data files and controls.
Should have no access to the hardware or software that are in actual use for processing (production).

Computer Operator
Operates the computer to process data.
Should have no programming function and should not be able to program (no access to source code).
Exam Note: The most critical segregation of duties is between programmers and computer operators.

Data control group
Monitors input, processing and output.
Holds access codes and coordinates security controls with other computer personnel.
Should be organizationally independent of computer operations.

Librarian
Maintains programs, documentation and data files.
Should have no access to equipment.
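The separation above can be checked mechanically against whatever role or access table an organization keeps. The following is an added example and not code from the original notes: the duty names, the conflict pairs and the staff table are constructed to mirror the roles described above (the programmer/operator pair is the one the notes call most critical).

```python
"""Segregation-of-duties (SoD) check over role assignments.

Added example, not from the original notes. The duties, the conflict
rules and the sample staff table are constructed for illustration.
"""
from itertools import combinations

# Duties a person can be granted.  These names are this example's own.
DUTIES = {
    "design",        # system analyst: specifications
    "program",       # write / modify source code
    "operate",       # run production jobs on the equipment
    "data_access",   # read / modify production data files
    "control",       # data control group: monitor input/process/output
    "library",       # custody of programs, documentation and data files
}

# Pairs of duties one person must not hold at the same time.  The first
# pair is the one the notes flag as most critical.
CONFLICTS = {
    frozenset({"program", "operate"}),
    frozenset({"program", "data_access"}),
    frozenset({"design", "program"}),
    frozenset({"design", "data_access"}),
    frozenset({"library", "operate"}),
    frozenset({"control", "operate"}),
}


def sod_violations(assignments: dict) -> list:
    """Return (person, duty_a, duty_b) for every conflicting pair held by one person."""
    found = []
    for person, duties in assignments.items():
        unknown = set(duties) - DUTIES
        if unknown:
            raise ValueError(f"{person}: unknown duties {sorted(unknown)}")
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return found


def duties_with_single_holder(assignments: dict) -> set:
    """Duties only one person can perform: a key-person risk, not a SoD conflict."""
    holders = {d: 0 for d in DUTIES}
    for duties in assignments.values():
        for d in duties:
            holders[d] += 1
    return {d for d, n in holders.items() if n == 1}


# Constructed sample: 'dave' is both programmer and operator (the critical conflict).
STAFF = {
    "alice": {"design"},
    "bob": {"program"},
    "carol": {"operate"},
    "dave": {"program", "operate"},
    "erin": {"control"},
    "frank": {"library"},
}

if __name__ == "__main__":
    for v in sod_violations(STAFF):
        print("SoD violation:", v)
    print("single-holder duties:", duties_with_single_holder(STAFF))
```

The same check applies unchanged to cloud IAM role bindings or application permission groups: export the assignments, map permissions to duties, and run the conflict table over them.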

2-Procedures & Documentation
Including written procedures and manuals. They also specify the process to be followed in system development and system changes, to provide reasonable assurance that development of, and changes to, computer programs are authorized, tested and approved before the program is put into use.
A-SDLC (System Development Life Cycle) Controls
1-Top management commitment is needed for effective system development; this is normally achieved by forming a steering committee for approvals and progress review.
2-Studies of economic, operational and technical feasibility to evaluate the existing and proposed systems.
3-Establishing standards for the system design and programming stage, to match users' needs.
4-Change controls
       Changes should be subject to strict controls:
       Authorized written request from the user department, approved before work starts
       Redesign the program using a working copy (not the original copy in production use)
       Tested by the user, the internal auditor and an IT representative
       Approval by the system manager plus acceptance by the user
5-The proposed program should be tested using incorrect and incomplete data as well as real data, to determine that it is implemented properly.
6-Software licenses should be maintained.

B-Documentation Controls
-Systems documentation (narrative description, flowcharts, input and output forms, authorizations for any changes, and backup procedures)
-Program documentation (description of the program, program flowcharts, listings of source code, operator instructions and controls)
-Operating documentation (information about the performance of the program)
-Procedural documentation (information about the master plan and the handling of files)
-User documentation (all the information a user will need to use the program)



3-Access controls (to equipment and data)
A-Logical security
Controls access to equipment and data through software, including virus protection, firewalls and encryption.
B-Physical security
For servers: secured rooms, UPS, protection of the media library, insurance, personnel badges, keys, magnetic ID cards.
-File security controls:
-External and internal file, disk and tape labeling
-Read-only file attribute
-Database systems use lockout (record locking) to prevent two applications from updating the same record at the same time; the system must then also handle the deadly embrace (deadlock) that locking can cause.
Note: A deadly embrace occurs when two different applications or transactions each hold a lock on data that is needed by the other. Neither can proceed, because each is waiting for the other to finish. The system must therefore have a method of deciding which transaction goes first, and then let the second transaction complete using the data as updated by the first.
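How a database decides "which transaction goes first" is usually deadlock detection over a wait-for graph: each transaction that is blocked points at the transaction holding the record it wants, and a cycle in that graph is a deadly embrace. The following is an added example, not code from the original notes: the lock manager, the transaction names T1/T2 and the record keys are constructed; the victim rule (abort the youngest transaction in the cycle) is one common choice, not the only one.

```python
"""Wait-for-graph deadlock (deadly embrace) detection for a record lock manager.

Added example, not from the original notes.  The lock manager, the
transaction names and the record keys are constructed for illustration.
"""
from typing import Optional


class LockManager:
    def __init__(self):
        self.holder = {}        # record -> transaction holding its exclusive lock
        self.waiting = {}       # transaction -> record it is blocked on
        self.start_order = []   # transaction start order, used to pick the youngest as victim

    def _note(self, txn: str) -> None:
        if txn not in self.start_order:
            self.start_order.append(txn)

    def lock(self, txn: str, record: str) -> bool:
        """Try to take an exclusive lock. True if granted, False if txn must wait."""
        self._note(txn)
        owner = self.holder.get(record)
        if owner is None or owner == txn:
            self.holder[record] = txn
            self.waiting.pop(txn, None)
            return True
        self.waiting[txn] = record
        return False

    def release_all(self, txn: str) -> None:
        """Roll back txn: drop every lock it holds and any wait it has registered."""
        for rec in [r for r, t in self.holder.items() if t == txn]:
            del self.holder[rec]
        self.waiting.pop(txn, None)

    def find_cycle(self) -> list:
        """Follow 'txn waits for a record held by txn2' edges; return the members of a cycle."""
        for start in self.waiting:
            seen, cur = [], start
            while cur in self.waiting:
                if cur in seen:
                    return seen[seen.index(cur):]
                seen.append(cur)
                cur = self.holder[self.waiting[cur]]
        return []

    def resolve_deadlock(self) -> Optional[str]:
        """Abort the youngest transaction in the cycle so the others can proceed."""
        cycle = self.find_cycle()
        if not cycle:
            return None
        victim = max(cycle, key=self.start_order.index)
        self.release_all(victim)
        return victim


def deadly_embrace_demo() -> tuple:
    """Constructed scenario: T1 and T2 each hold a record the other needs."""
    lm = LockManager()
    lm.lock("T1", "customer:42")    # T1 holds the customer record
    lm.lock("T2", "invoice:7")      # T2 holds the invoice record
    lm.lock("T1", "invoice:7")      # T1 now waits for T2
    lm.lock("T2", "customer:42")    # T2 now waits for T1 -> deadly embrace
    cycle = lm.find_cycle()
    victim = lm.resolve_deadlock()  # T2 started later, so it is rolled back
    t1_proceeds = lm.lock("T1", "invoice:7")   # T1 can now finish its update
    return cycle, victim, t1_proceeds
```

The rolled-back transaction is re-run afterwards and reads the records as T1 left them, which is the "completed using the updated information" behaviour the note describes. Lock ordering (always lock customer before invoice, say) prevents the cycle from forming at all and is the usual application-level fix.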

-The librarian's function is particularly critical, because documentation, programs and data files are assets of the organization and require protection the same as any other asset.
-Backup & contingency
In any computer system, it is essential that the company have plans for the backup of data and for the recovery of data, especially disaster recovery. Several different processes and backup plans function as part of the backup and recovery plan.

1-Primary (Backup)
►For programs and data.
Rollback: the most recent backup together with the transaction log is used to restore the data to its state just before the failure.
►Backups should be stored at a secure, remote location, so that if data is destroyed by a physical disaster it can be reconstructed. Transmitting data electronically to a secured backup site is called electronic vaulting.
►Grandfather / Parent / Child: files from previous periods are retained during or after processing, so that if a file is damaged during updating, the previous generation (plus the transactions since) can be used to reconstruct a new current file.
-UPS (uninterruptible power supply)
   For protection in the event of a power failure.
2-Secondary (Disaster recovery)
An organization should have a formal disaster recovery plan that specifies:
which employees will participate in disaster recovery and what their responsibilities will be; what hardware, software and facilities will be used; and the priority of the applications that should be processed.
The alternate locations should be a good distance away from the original processing site, and each member of the recovery team should keep a current copy of the plan at home.
Disaster recovery sites may be:
-A hot site: a backup facility that has a computer system similar to the one used regularly. The hot site is fully operational and immediately available.
-A cold site: a facility where power and space are available to install processing equipment, but it is not immediately available.
-Mobile recovery centers: on a contracted basis, in the event of a disaster that destroys the operations facilities, they arrive within hours with the client's platform requirements to assist in recovery.
4-Hardware controls
Fault-tolerant systems
Fault-tolerant systems are designed to tolerate faults or errors. They often use redundancy in hardware design, so that if one component fails, another takes over. Computer systems can be made redundant in several ways:

-With two processors, the second processor can serve as a watchdog processor. If something happens to the primary processor, the watchdog processor takes over.
-With multiple processors, consensus-based protocols specify that if one processor disagrees with the others, its result is ignored.
-A CPU can have two disks, with all data on the first disk mirrored on the second. This is called disk mirroring or disk shadowing. Should one disk fail, processing continues on the good disk.

Rollback processing may be used to prevent any transaction from being written to disk until it is complete. If there is a power failure or another fault during processing, the program automatically rolls itself back to its pre-fault state at the first opportunity.
Duplicate circuitry is the double wiring of key hardware elements, to ensure that if one circuit malfunctions the other takes over.
A redundancy check is the process of sending repeated sets of data to confirm the original data sent.
An echo check is the process of sending the received data back to the sending computer, which compares it with what was actually sent to make sure they are the same.
In a dual read check, data is read twice during input and the two readings are compared.
Boundary protection is protection against unauthorized entry (read or write) to a tape, disk or other storage device.

Graceful degradation means that if part of the system malfunctions, other components can be programmed to continue the processing, although on a less efficient basis.
An overflow check means that the data is checked and an error message is activated if data is lost through arithmetic operations that exceed the planned capacity of the receiving fields or registers.

Hardware controls for networks
Checkpoint:
      (like rollback & recovery)
To enable recovery in case of failure, a checkpoint is taken several times per hour and recorded on separate media, so that processing can be restarted from the last checkpoint rather than from the beginning.

Routing verification procedures:
Protect against routing to the wrong receiver, using a header label that identifies the message destination; the receiver matches the destination code in the message header against its own code.
Message acknowledgement
To assure message completeness and sequence, using trailer labels (to confirm that all parts of the message have been received).
Exam note: route verification and message acknowledgement protect against misrouted and incomplete or out-of-sequence messages. They do not hide the message content, so by themselves they do not prevent eavesdropping; that requires encryption.
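The three checks (routing verification on the header label, acknowledgement against the trailer label, and the echo check from the hardware section above) are easiest to see on a concrete frame. The following is an added example and not code from the original notes: the frame layout, the destination codes and the sample traffic are constructed; real network protocols carry the same fields in their own formats.

```python
"""Routing verification, message acknowledgement and echo check on a framed message.

Added example, not from the original notes.  The frame layout (header with
destination code and sequence number, trailer with the total part count)
and the sample messages are constructed for illustration.
"""
import json

# Constructed: the destination code this receiving node accepts.
MY_DESTINATION = "PAYROLL-01"


def frame(dest: str, seq: int, total: int, payload: str) -> str:
    """Build one part: header label (destination, sequence) + data + trailer label (part count)."""
    return json.dumps({"hdr": {"dest": dest, "seq": seq}, "data": payload, "trl": {"parts": total}})


def verify_route(part: dict, my_dest: str = MY_DESTINATION) -> bool:
    """Routing verification: the header's destination code must match this node's code."""
    return part["hdr"]["dest"] == my_dest


def acknowledge(parts: list) -> dict:
    """Message acknowledgement: every sequence number up to the trailer's count must have arrived."""
    if not parts:
        return {"ok": False, "missing": [], "reason": "no parts"}
    expected = parts[0]["trl"]["parts"]
    seen = {p["hdr"]["seq"] for p in parts}
    missing = [n for n in range(1, expected + 1) if n not in seen]
    return {"ok": not missing, "missing": missing, "reason": "" if not missing else "incomplete"}


def echo_check(sent: str, echoed: str) -> bool:
    """Echo check: the receiver returns the data; the sender compares it with what it sent."""
    return sent == echoed


def receive(wire_parts: list) -> dict:
    """Receiver side: drop misrouted parts, then acknowledge completeness and reassemble in sequence."""
    accepted, misrouted = [], []
    for raw in wire_parts:
        part = json.loads(raw)
        (accepted if verify_route(part) else misrouted).append(part)
    ack = acknowledge(accepted)
    ack["misrouted"] = len(misrouted)
    ordered = sorted(accepted, key=lambda p: p["hdr"]["seq"])
    ack["message"] = "".join(p["data"] for p in ordered) if ack["ok"] else None
    return ack


# Constructed traffic: parts 1 and 3 of a three-part message for this node, one stray part
# addressed to another node, and part 2 lost in transit.
SAMPLE = [
    frame("PAYROLL-01", 1, 3, "EMP001,"),
    frame("LEDGER-02", 1, 1, "JOURNAL"),     # misrouted: header names another destination
    frame("PAYROLL-01", 3, 3, ",4500.00"),
]
```

Note what these checks do not do: the JSON on the wire is readable by anyone on the path, so an eavesdropper sees the payroll amount. Confidentiality needs the encryption discussed later in the notes, not more header or trailer labels.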


2nd Application controls

A-Input controls
1-Data observation & recording
Feedback mechanisms: manual controls such as authorization and endorsement
Dual observation: more than one employee sees the input
Point-of-sale devices: encode data automatically (with no keying error)
Preprinted forms: ensure all data is filled in, e.g. confirmation and receipt forms

2-Data transcription
The preparation of data for processing (organizing source documents).
Preformatted input screen, e.g. a date field: __/__/__
Format check (data entered in the proper mode), e.g. numeric data in a numeric field

3-Edit tests (built into programs)
Many tests to check validity, completeness and accuracy, as follows:

Completeness check: all required fields are filled
Limit check: only data within a set limit is accepted
Validity check: input is matched against an acceptable set of values
Overflow check: the number of digits does not exceed the field's capacity
Check digit: a digit computed from the other digits, used to recognize transcription errors
Key verification: keying the data in a second time, mainly for accuracy
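The edit tests are cheapest to apply all at once in one validation routine that reports every failure for a record rather than stopping at the first. The following is an added example, not code from the original notes: the record layout, field rules and sample records are constructed, and the check digit uses the Luhn (mod-10) algorithm, a common check-digit scheme assumed here because the notes only say the digit is a function of the other digits.

```python
"""Edit tests on a transaction record: completeness, format, overflow, check digit,
validity and limit checks.

Added example, not from the original notes.  Record layout, field rules and
sample records are constructed; the Luhn check digit is an assumed scheme.
"""
from datetime import date

# Constructed field rules for an invoice-entry screen.
VALID_DEPTS = {"SALES", "PROD", "ADMIN"}
AMOUNT_LIMIT = 50_000.00
ACCOUNT_WIDTH = 8           # field capacity in digits, including the check digit
REQUIRED = ("account", "dept", "amount", "posted")


def luhn_valid(number: str) -> bool:
    """Check digit test: the Luhn sum over all digits must be a multiple of 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_digit(body: str) -> str:
    """Compute the check digit to append to 'body' so that luhn_valid(body + digit) holds."""
    for d in "0123456789":
        if luhn_valid(body + d):
            return d
    raise AssertionError("unreachable: exactly one digit satisfies the Luhn rule")


def edit_tests(rec: dict) -> list:
    """Return the list of edit-test failures for one record (empty list = record accepted)."""
    errors = []
    for f in REQUIRED:                                   # completeness check
        if rec.get(f) in (None, ""):
            errors.append(f"completeness: {f} missing")
    acct = str(rec.get("account", ""))
    if acct and not acct.isdigit():                      # format check
        errors.append("format: account must be numeric")
    elif len(acct) > ACCOUNT_WIDTH:                      # overflow check
        errors.append(f"overflow: account has {len(acct)} digits, capacity {ACCOUNT_WIDTH}")
    elif acct and not luhn_valid(acct):                  # check digit
        errors.append("check digit: account fails Luhn check")
    if rec.get("dept") and rec["dept"] not in VALID_DEPTS:   # validity check
        errors.append(f"validity: dept {rec['dept']!r} not in {sorted(VALID_DEPTS)}")
    amt = rec.get("amount")
    if amt not in (None, "") and not (0 < float(amt) <= AMOUNT_LIMIT):   # limit check
        errors.append(f"limit: amount {amt} outside (0, {AMOUNT_LIMIT}]")
    posted = rec.get("posted")
    if posted and date.fromisoformat(posted) > date.today():            # limit check on date
        errors.append("limit: posting date in the future")
    return errors


# Constructed sample records.
GOOD_ACCOUNT = "4012345" + luhn_digit("4012345")
SAMPLES = [
    {"account": GOOD_ACCOUNT, "dept": "SALES", "amount": "1200.50", "posted": "2024-01-15"},
    {"account": "40132457", "dept": "SALES", "amount": "1200.50", "posted": "2024-01-15"},  # digits 2,3 transposed
    {"account": "", "dept": "R&D", "amount": "75000", "posted": "2024-01-15"},
    {"account": "123456789", "dept": "PROD", "amount": "10", "posted": "2024-01-15"},
]
```

The second sample shows why a check digit is worth the extra keystroke: swapping two adjacent digits of a valid account number produces a number that still looks well formed, and only the check digit exposes it. (Luhn catches every single-digit error and all adjacent transpositions except 09/90.)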


B-Processing controls

1-Data access controls
Transmittal documents control the movement of data, e.g. batch sequence numbers (used to number batches so that all batches are accounted for).
Batch control totals ensure that all inputs are processed correctly.
Hash total: a sum that is useful only for control purposes, e.g. the sum of customer account numbers.
Record count: the number of transactions, counted at input and again after processing.

2-Data manipulation controls
Software documentation, such as all kinds of flowcharts
Compilers: used to check program-language errors
Test data: to test computer programs
System test: to test the interaction of different programs
Batch balancing: compare the processed results with the predetermined control totals
Run-to-run totals: the output totals of one process are used as the input control totals of the next process
Default option: automatic use of a predefined value where a certain field is left blank
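Batch control totals, hash totals, record counts, batch balancing and run-to-run totals are all the same mechanism applied at different points, so one worked batch shows them together. The following is an added example and not code from the original notes: the batch layout, the transmittal-document values and the two processing runs are constructed.

```python
"""Batch control totals, batch balancing and run-to-run totals over a constructed batch.

Added example, not from the original notes.  Batch layout, transmittal values
and the ledger-posting run are constructed for illustration.
"""
from decimal import Decimal


def control_totals(batch: list) -> dict:
    """The three totals a transmittal document carries for a batch."""
    return {
        "records": len(batch),                                               # record count
        "amount": sum((Decimal(t["amount"]) for t in batch), Decimal("0")),  # batch control total
        "hash": sum(int(t["account"]) for t in batch),                       # hash total: control use only
    }


def batch_balance(batch: list, transmittal: dict) -> list:
    """Batch balancing: compare computed totals with the predetermined ones; list mismatches."""
    got = control_totals(batch)
    return [f"{k}: expected {transmittal[k]}, got {got[k]}"
            for k in ("records", "amount", "hash") if got[k] != transmittal[k]]


def post_to_ledger(batch: list) -> list:
    """Second run: one ledger line per transaction, carrying the amount forward."""
    return [{"account": t["account"], "debit": Decimal(t["amount"])} for t in batch]


def run_to_run_check(input_batch: list, ledger_lines: list) -> list:
    """Run-to-run totals: the output of run 1 must agree with the input totals of run 2."""
    run1 = control_totals(input_batch)
    run2 = {
        "records": len(ledger_lines),
        "amount": sum((line["debit"] for line in ledger_lines), Decimal("0")),
        "hash": sum(int(line["account"]) for line in ledger_lines),
    }
    return [f"{k}: run1 {run1[k]} vs run2 {run2[k]}" for k in run1 if run1[k] != run2[k]]


# Constructed batch of three receipts and the transmittal document prepared by the user department.
BATCH = [
    {"account": "10023", "amount": "150.00"},
    {"account": "10045", "amount": "320.25"},
    {"account": "10101", "amount": "75.00"},
]
TRANSMITTAL = {"records": 3, "amount": Decimal("545.25"), "hash": 30169}
```

Each total catches a different failure: a dropped record moves all three, a keying error in an amount moves only the control total, and a transposed account number leaves count and amount untouched and is caught only by the hash total. Amounts are kept as Decimal so that the balancing comparison is exact.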

C-Output controls
Used to check that input and processing have resulted in valid output.
1-Validating processing results
Proof listings of all changes to master files: provide detailed information about every change made to a master file.
Reconciliations: analysis of the differences between two files that should be substantially the same.
Suspense account: used as a control total for items awaiting further processing.
Discrepancy report: a listing of items that have violated some detective control and need to be investigated.
Upstream resubmission: submitting corrected errors again so that they pass through all the controls.

2-Printing output controls
Forms control, such as physical controls over checks and prenumbered forms
Authorized distribution list (for report distribution)
Shredding machine (when documents are no longer needed)

D-Storage controls
Controls designed to ensure that only the data the organization wants stored is actually stored, since storing too little data is ineffective and storing too much data is inefficient.
Also ensure that the data stored is accurate, valid and virus free.

Note
Preventive controls: segregation of duties, dual access controls, preformatted inputs
Detective controls: transmittal documents, batch control totals, check digits, limit checks, validity checks, completeness checks, hash totals, turnaround documents
Corrective controls: discrepancy reports, upstream resubmission






Internet Security
At a minimum the system should include:
1-User accounts: give every employee an account number (user ID) and password.
2-Anti-virus software

Virus: a program that executes itself and replicates itself using a host file
Trojan horse: hidden in something desirable; does not replicate itself
Worm: replicates itself, but without using a host file

Virus hoax: a false email asking you to delete a system file

3-Firewall: a barrier between the internal and external network that prevents unauthorized access. It provides protection if hackers attempt to misuse the data.
    Proxy server: hardware plus software that creates a gateway to and from the Internet.
4-Intrusion detection system (IDS): a centralized system designed to detect attempts by hackers to penetrate the network and raise an alert; detection alone does not block the attempt, so the response relies on the firewall and on staff.
5-Passwords: protect the system from unauthorized persons entering the network.
6-Encryption: converts data to code; a key is then required to convert it back to data.
    Two types: secret-key systems and public-key/private-key systems.


The major types of software encryption

Public-key / private-key
Uses two keys, as follows:
. The public key is widely known.
. The private key is kept secret by the recipient.

Secret-key
Uses one key for each pair of parties.
Example: the Data Encryption Standard (DES), developed by the US government, was the most prevalent secret-key method. Its 56-bit key is now too short to resist brute force; the current US standard is AES.
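The practical difference between the two models is visible in a few lines: with a key pair, the encrypting key can be published and only the recipient's private key decrypts, and the number of secrets in the system grows with the number of parties rather than with the number of pairs. The following is an added example, not code from the original notes: it uses the classic small textbook RSA parameters (p=61, q=53), which are not secure (real systems use 2048-bit or larger moduli with padding); the key-counting function and party counts are constructed for illustration.

```python
"""Toy public-key versus secret-key demonstration.

Added example, not from the original notes.  Textbook RSA with tiny primes,
NOT secure; the key-counting helper is constructed for illustration.
"""
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 17) -> tuple:
    """Textbook RSA: public key (n, e) is published, private key (n, d) stays with the recipient."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public: tuple, m: int) -> int:
    """Anyone holding the public key can encrypt a message m < n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private: tuple, c: int) -> int:
    """Only the holder of the private key recovers m."""
    n, d = private
    return pow(c, d, n)


def keys_to_manage(parties: int, scheme: str) -> int:
    """Secrets in the system: n(n-1)/2 shared keys versus n private keys."""
    if scheme == "secret-key":
        return parties * (parties - 1) // 2   # one key per pair of parties
    if scheme == "public-key":
        return parties                        # one private key per party
    raise ValueError(scheme)


def demo() -> dict:
    """Constructed run with the textbook parameters: n = 3233, e = 17, d = 2753."""
    public, private = rsa_keygen(61, 53)
    c = rsa_encrypt(public, 65)
    return {
        "public": public,
        "private": private,
        "ciphertext": c,
        "plaintext": rsa_decrypt(private, c),
        "secret_keys_100_parties": keys_to_manage(100, "secret-key"),
        "private_keys_100_parties": keys_to_manage(100, "public-key"),
    }
```

With 100 parties the secret-key model needs 4,950 pairwise keys, each of which must be distributed over a protected channel; the public-key model needs 100 private keys that never leave their owners, which is why it is used to distribute the secret keys that then encrypt the bulk data.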
                                                                                                                                                                                                 

Flowcharting
One of the methods available to an internal auditor for documenting his understanding of the company's internal controls is to describe them by means of a flowchart. A flowchart also enables the auditor to identify areas in which internal controls are required.
A flowchart is used not only to understand and describe a firm's internal controls, but also to assess the effectiveness of those controls.
The main elements shown in a flowchart are:
Data sources (where the information comes from);
Data destinations (where the information goes);
Data flows (how the data gets there);
Transformation processes (what happens to the data); and
Data storage (how the data is stored for the long term).
There are two main types of flowcharts.
1)A systems, or horizontal, flowchart
shows the different departments or functions involved in a process, horizontally. It documents the manual processes as well as the computer processes, and the input, output and processing steps.
2)A program, or vertical, flowchart
depicts the specific steps in a process and how they will be executed. It does not, however, usually show the system components as clearly as a horizontal flowchart. This type of flowchart is not used much now.

A data flow diagram is a graphic (symbolic) illustration of a system's processes and data flows.

Note:
Computers have made the process of initially creating a flowchart and updating it much easier. Because of this, you do not need to be familiar with drawing flowcharts or with the symbols used in them.
