To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities by having the computer perform those tasks, well-controlled organizations separate key duties within IT. For example, there should be separation of IT duties to prevent IT personnel from authorizing and recording transactions to cover the theft of assets.
Testing all software to ensure that the new software is compatible with existing hardware and software and determining whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software with realistic data is critical. Companies typically use one or a combination of the following two test approaches:
Physical controls over computers and restrictions to online software and related data files decrease the risk of unauthorized changes to programs and improper use of programs and data files. The information technology and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access is often referred to as cybersecurity. Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.
Hardware controls are built into computer equipment by manufacturers to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy. Regardless of the quality of hardware controls, output will be corrected only if the client has provided for handling machine errors.
Application controls are designed for each software application and are intended to help a company satisfy the transaction-related management assertions discussed in previous chapters. Although some application controls affect one or only a few transaction-related assertions, most controls prevent or detect several types of misstatements. Other application controls concern account balance and presentation and disclosure assertions.
Application controls may be done by computers or client personnel. When they are done by client personnel, they are called manual controls. The effectiveness of manual controls depends on both the competence of the people performing the controls and the care they exercise when doing them. For example, when credit department personnel review exception reports that identify credit sales exceeding a customer’s authorized credit limit, the auditor may need to evaluate the person’s ability to make the assessment and test the accuracy of the exception report. When controls are done by computers, they are called automated controls. Because of the nature of computer processing, automated controls, if properly designed, lead to consistent operation of the controls.
Application controls fall into three categories: input, processing, and output. Although the objectives for each category are the same, the procedures for meeting the objectives vary considerably. Let’s examine each more closely.
Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete. They are critical because a large portion of errors in IT systems result from data entry errors and, of course, regardless of the quality of information processing, input errors result in output errors. Typical controls developed for manual systems are still important in IT systems, such as:
Controls specific to IT include:
Adequately designed input screens with preformatted prompts for transaction information
Pull-down menu lists of available software options
Computer-performed validation tests of input accuracy, such as the validation of customer numbers against customer master files
Online-based input controls for e-commerce applications where external parties, such as customers and suppliers, perform the initial part of the transaction inputting
Immediate error correction procedures, to provide for early detection and correction of input errors
Accumulation of errors in an error file for subsequent follow-up by data input personnel
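As an added illustration (not from the textbook), the following Python example shows programmed input controls of the kind listed above: validation of customer numbers against a master file, format checks on preformatted fields, accumulation of rejected records in an error file for follow-up, and the credit-limit exception report mentioned earlier. The customer master file, record layout (customer_no, amount, date) and sample batch are all constructed.

```python
import csv
import io
from datetime import date

# Constructed customer master file: customer number -> (name, authorized credit limit)
CUSTOMER_MASTER = {"C1001": ("Acme Ltd", 5000.00), "C1002": ("Beta Corp", 1500.00)}

def validate_record(rec, master):
    """Return (error messages, parsed amount) for one input record; no errors means it is accepted."""
    errors, amount = [], None
    cust = (rec.get("customer_no") or "").strip()
    if cust not in master:                        # validation against the customer master file
        errors.append(f"unknown customer number {cust!r}")
    try:
        amount = float(rec.get("amount") or "")
        if amount <= 0:
            errors.append("amount must be positive")
    except ValueError:
        errors.append(f"amount {rec.get('amount')!r} is not numeric")
    try:
        date.fromisoformat(rec.get("date") or "")  # preformatted field check
    except ValueError:
        errors.append(f"date {rec.get('date')!r} is not YYYY-MM-DD")
    return errors, amount

def process_batch(csv_text, master=CUSTOMER_MASTER):
    """Split a batch into accepted records, an error file for follow-up by data
    input personnel, and a credit-limit exception report for review."""
    accepted, error_file, exceptions = [], [], []
    # line 1 is the header, so the first data record is line 2
    for lineno, rec in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        errors, amount = validate_record(rec, master)
        if errors:
            error_file.append({"line": lineno, "record": rec, "errors": errors})
            continue
        accepted.append(rec)
        cust = rec["customer_no"].strip()
        limit = master[cust][1]
        if amount > limit:                        # sale exceeds the authorized credit limit
            exceptions.append({"line": lineno, "customer_no": cust, "amount": amount, "limit": limit})
    return accepted, error_file, exceptions

# Constructed sample batch: one clean sale, one over the limit, one unknown customer, one malformed
SAMPLE_BATCH = """customer_no,amount,date
C1001,1200.00,2024-03-01
C1002,2500.00,2024-03-01
C9999,300.00,2024-03-02
C1001,abc,2024-13-40
"""
```

Running process_batch(SAMPLE_BATCH) accepts two records, writes the last two to the error file, and reports the C1002 sale as exceeding its limit.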
Processing controls prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing processing errors. Specific application processing controls are often programmed into software to prevent, detect, and correct processing errors.
Output controls focus on detecting errors after processing is completed, rather than on preventing errors. The most important output control is review of the data for reasonableness by someone knowledgeable about the output. Users can often identify errors because they know the approximate correct amounts. Several common controls for detecting errors in outputs include:
Reconcile computer-produced output to manual control totals
Compare the number of units processed to the number of units submitted for processing
Compare a sample of transaction output to input source documents
Verify dates and times of processing to identify any out-of-sequence processing
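The output controls just listed can be automated; the Python example below (added here, not from the textbook) reconciles a constructed payroll output file to manually prepared control totals (record count, amount total, and a hash total of employee numbers) and flags records whose processing timestamps are out of sequence. The control totals and output records are constructed sample data.

```python
from datetime import datetime

# Constructed control totals prepared manually from the submitted input batch
INPUT_CONTROL = {"record_count": 3, "amount_total": 7450.00, "employee_hash": 3006}

# Constructed output of the payroll run: one record per employee
OUTPUT_RECORDS = [
    {"employee_no": 1001, "net_pay": 2500.00, "processed_at": "2024-03-29T08:00:00"},
    {"employee_no": 1002, "net_pay": 3100.00, "processed_at": "2024-03-29T08:00:05"},
    {"employee_no": 1003, "net_pay": 1850.00, "processed_at": "2024-03-29T07:59:58"},
]

def output_control_totals(records):
    """Totals a reviewer compares with the manual control totals for the input batch."""
    return {
        "record_count": len(records),                       # units processed vs. units submitted
        "amount_total": round(sum(r["net_pay"] for r in records), 2),
        # hash total: a meaningless sum of identifiers that reveals lost or substituted records
        "employee_hash": sum(r["employee_no"] for r in records),
    }

def reconcile(records, control):
    """Return a list of discrepancies between output totals and input control totals."""
    actual = output_control_totals(records)
    return [f"{k}: output {actual[k]} vs control {v}" for k, v in control.items() if actual[k] != v]

def out_of_sequence(records):
    """Return indexes of records processed earlier than the record before them."""
    stamps = [datetime.fromisoformat(r["processed_at"]) for r in records]
    return [i for i in range(1, len(stamps)) if stamps[i] < stamps[i - 1]]
```

With the sample data the totals reconcile, while the third record is flagged as out of sequence; dropping a record from the output produces three discrepancies.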
For sensitive computer output, such as payroll checks, control can be improved by requiring employees to present employee identification before they receive their checks or by requiring the use of direct deposit into the employees’ pre-approved bank accounts. Also, access to sensitive output stored in electronic files or transmitted across networks, including the Internet, is often restricted by requiring passwords, user IDs, and encryption techniques.
The use of networks that link equipment such as desktops, midrange computers, mainframes, workstations, servers, and printers is common for most businesses. Local area networks (LANs) link equipment within a single or small cluster of buildings and are used only within a company. LANs are often used to transfer data and programs from one computer or workstation to another using network system software that allows all of the devices to function together. Wide area networks (WANs) link equipment in larger geographic regions, including global operations.
In networks, application software and data files used to process transactions are included on several computers that are linked together. Access to the application from desktop computers or workstations is managed by network server software or other interfaces with cloud computing technology. Even small companies can have several computer servers linked together on a network, while larger companies may have hundreds of servers in dozens of locations networked together. It is common for networks to consist of various combinations of equipment and procedures, which may not have standard security options. Lack of equipment compatibility across a network may occur when responsibility for purchasing equipment and software, maintenance, administration, and physical security resides with key user groups rather than with a centralized IT function. Sometimes network security may be compromised when networks consist of equipment with incompatible security features.
Database management systems allow clients to create databases that include information that can be shared across multiple applications. In nondatabase systems, each application has its own data file, whereas in database management systems, many applications share files. Clients implement database management systems to reduce data redundancy, improve control over data, and provide better information for decision making by integrating information throughout functions and departments. For example, customer data, such as the customer’s name and address, can be shared in the sales, credit, accounting, marketing, and shipping functions, resulting in consistent information for all users and significant cost reductions. Companies often integrate database management systems within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization’s activities into one accounting information system. ERP systems share data across accounting and nonaccounting business functions of the organization. For example, customer order data may be used by accounting to record a sale, by production to meet increased production demand, by purchasing to order additional raw materials, and by human resources to arrange labor schedules.
Controls often improve when data are centralized in a database management system by eliminating duplicate data files. However, database management systems also can create internal control risks. Risks increase when multiple users, including individuals outside of accounting, can access and update data files. To counter the risks of unauthorized, inaccurate, and incomplete data files, companies must implement proper database administration and access controls. With the centralization of data in a single system, they must also ensure proper backup of data on a regular basis.
Companies using e-commerce systems to transact business electronically link their internal accounting systems to external parties’ systems, such as customers and suppliers. As a result, a company’s risks depend in part on how well its e-commerce partners identify and manage risks in their own IT systems. To manage these interdependency risks, companies must ensure that their business partners manage IT system risks before conducting business with them electronically. Some of the assurance services discussed in
A firewall protects data, programs, and other IT resources from unauthorized external users accessing the system through networks, such as the Internet. A firewall is a system of hardware and software that monitors and controls the flow of e-commerce communications by channeling all network connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to requested programs or data. Firewalls are becoming increasingly sophisticated as the frequency and severity of cyberattacks grow.
Encryption techniques protect the security of electronic communication when information is transmitted and when it is stored. Computerized encryption changes a standard message or data file into one that is coded (encrypted), requiring the receiver of the electronic message or user of the encrypted data file to use a decryption program to decode the message or data. A public key encryption technique is often used, where one key (the public key) is used for encoding the message and another key (the private key) is used to decode the message. The public key is distributed to all approved users of the e-commerce system. The private key is distributed only to internal users with the authority to decode the message.
To authenticate the validity of a trading partner conducting business electronically, companies may rely on external certification authorities, who verify the source of the public key by using digital signatures. A trusted certification authority issues a digital certificate to individuals and companies engaging in e-commerce. The digital signature contains the holder’s name and its public key. It also contains the name of the certification authority and the certificate’s expiration date and other specified information. To guarantee integrity and authenticity, each signature is digitally signed by the private key maintained by the certification authority.
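The two paragraphs above describe public key techniques and certification authorities in outline. The Python example below (added here, not the textbook's) shows the mechanics: a certification authority issues a certificate binding a trading partner's name to its public key, signs it with the CA's private key, and a relying party verifies the signature and expiration date. It uses textbook RSA with small constructed primes for readability, so the keys are illustrative only; the names, dates and key sizes are all constructed.

```python
import hashlib
import json

def make_keypair(p, q, e=17):
    """Textbook RSA from two constructed primes: public key (n, e), private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # pow(e, -1, phi) needs Python 3.8+

def digest(data, n):
    """SHA-256 of the certificate body, reduced into the range of the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)

def encode(body):
    """Canonical encoding so issuer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_name, ca_private, holder_name, holder_public, expires):
    """The CA binds the holder's name to its public key and signs the result with its private key."""
    body = {"holder": holder_name, "public_key": list(holder_public),
            "issuer": ca_name, "expires": expires}
    return {"body": body, "signature": sign(ca_private, encode(body))}

def verify_certificate(cert, ca_public, today):
    """A trading partner checks the CA signature first, then the expiration date."""
    if not verify(ca_public, encode(cert["body"]), cert["signature"]):
        return False
    return today <= cert["body"]["expires"]   # ISO dates compare correctly as strings

# Constructed keys; the moduli are far too small for real use
CA_PUBLIC, CA_PRIVATE = make_keypair(10007, 10009)
PARTNER_PUBLIC, _ = make_keypair(61, 53)

def demo():
    """Genuine certificate, a copy with a substituted public key, and an expired check."""
    cert = issue_certificate("Example CA", CA_PRIVATE, "Supplier Inc", PARTNER_PUBLIC, "2025-12-31")
    tampered = {"body": dict(cert["body"], public_key=[1234, 17]), "signature": cert["signature"]}
    return (verify_certificate(cert, CA_PUBLIC, "2024-06-01"),
            verify_certificate(tampered, CA_PUBLIC, "2024-06-01"),
            verify_certificate(cert, CA_PUBLIC, "2026-01-01"))
```

demo() returns (True, False, False): the genuine certificate verifies, the altered one fails the signature check, and the genuine one is rejected once past its expiration date.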
Many clients outsource some or all of their IT needs to an independent organization commonly referred to as a computer service center, including application service providers (ASPs) and cloud computing environments, rather than maintain an internal IT center. Cloud computing is a computer resource deployment and procurement model that enables an organization to obtain IT resources and applications from any location via an Internet connection. Depending on the arrangement, all or parts of an entity’s IT hardware, software, and data might reside in an IT service center shared with other organizations and managed by a third-party vendor. The name cloud computing comes from the use of a cloud-shaped symbol in systems diagrams to represent complex IT infrastructures.
Smaller companies often outsource their payroll function because payroll is reasonably standard from company to company, and many reliable providers of payroll services are available. Companies also outsource their e-commerce systems to external Web site service providers, including those that offer cloud computing services as described above. Like all outsourcing decisions, companies decide whether to outsource IT on a cost-benefit basis.
When outsourcing to a computer service center, the client submits input data, which the service center processes for a fee and then returns the agreed-upon output and the original input. For payroll, the company submits data from time records, pay rates, and W-4s to the service center. The service center returns payroll checks, journals, and input data each week and W-2s at the end of each year. The service center is responsible for designing the computer system and providing adequate controls to ensure that the processing is reliable.
Outsourcing can provide challenges from an internal control perspective. Management is responsible for the design and operating effectiveness of internal controls, and this includes controls that are outsourced to a service provider. The ethics and integrity of service providers, as well as the design and functioning of their internal controls, need to be considered by management when selecting a service provider, and evaluated regularly.