Information Technology Controls and General Technology Controls for Auditing (CPA exam)

Information Technology Controls

My video lectures about information technology internal control, general controls, application controls and batch processing input controls are covered in my auditing course and CPA exam lessons.

Auditing and attestation course

General controls apply to all aspects of the IT function, including IT administration; separation of IT duties; systems development; physical and online security over access to hardware, software, and related data; backup and contingency planning in the event of unexpected emergencies; and hardware controls. Because general controls often apply on an entity-wide basis and affect many different software applications, auditors evaluate general controls for the company as a whole.

Application controls typically operate at the business process level and apply to processing transactions, such as controls over the processing of sales or cash receipts. Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to reduce assessed control risk, because IT controls will be different across classes of transactions and accounts. Application controls are likely to be effective only when general controls are effective.

General Controls

Similar to the effect that the control environment has on other components of internal control, the six categories of general controls have an entity-wide effect on all IT functions. Auditors typically evaluate general controls early in the audit because of their impact on application controls.

Administration of the IT Function

The board of directors’ and senior management’s attitude about IT affect the perceived importance of IT within an organization. Their oversight, resource allocation, and involvement in key IT decisions each signal the importance of IT to the organization. In complex environments, management may establish IT steering committees to help monitor the organization’s technology needs. In less complex organizations, the board may rely on regular reporting by a chief information officer (CIO) or other senior IT manager to keep management informed. In contrast, when management assigns technology issues exclusively to lower-level employees or outside consultants, an implied message is sent that IT is not a high priority. The result is often an understaffed, underfunded, and poorly controlled IT function.

Separation of IT Duties

To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities by having the computer perform those tasks, well-controlled organizations separate key duties within IT. For example, there should be separation of IT duties to prevent IT personnel from authorizing and recording transactions to cover the theft of assets.

  • IT management. The CIO or IT manager should be responsible for oversight of the IT function to ensure that activities are carried out consistent with the IT strategic plan. A security administrator should monitor both physical and online access to hardware, software, and data files and investigate all security breaches.

  • Systems development. Systems analysts are not only responsible for the overall design of each application system, but they also coordinate the development, acquisition, and changes to IT systems by the IT personnel (who are responsible for programming the application or acquiring software applications) and primary system users outside of IT (such as accounts receivable personnel). Programmers develop flowcharts for each new application, prepare computer instructions, test the programs, and document the results.

    Programmers should not have access to input data or computer operations to avoid using their knowledge of the system for personal benefit. They should be allowed to work only with test copies of programs and data so they can only make software changes after proper authorization.

  • Operations. Computer operators are responsible for the day-to-day operations of the computer, following the schedule established by the CIO. They also monitor computer consoles for messages about computer efficiency and malfunctions.

    A librarian is responsible for controlling the use of computer programs, transaction files, and other computer records and documentation. The librarian releases them to operators only when authorized. For example, programs and transaction files are released to operators only when a job is scheduled to be processed. Similarly, the librarian releases a test copy to programmers only on approval by senior management. Network administrators also affect IT operations because they are responsible for planning, implementing, and maintaining operations of the network of servers that link users to various applications and data files.

  • Data control. Data input/output control personnel independently verify the quality of input and the reasonableness of output. For organizations that use databases to store information shared by accounting and other functions, database administrators are responsible for the operation and access security of shared databases.
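The separation of IT duties above is something an auditor can test mechanically against the access-control system's user and role listing. The Python below is an added example, not part of the original lesson: it encodes the incompatible duty pairs the text describes (authorizing versus recording, programming versus production operations or production data, librarian release versus programming, custody versus recording) and flags users whose combined roles put both halves of a pair in one pair of hands. The role names, duty names and the user listing are constructed for illustration; no single role in the list conflicts with itself, which is the point: the violations only appear once a user's roles are aggregated.

```python
from itertools import combinations

# Constructed role -> duty mapping following the text's division of IT duties
ROLE_DUTIES = {
    "programmer": {"change_programs", "access_test_environment"},
    "computer_operator": {"run_production_jobs", "access_production_data"},
    "librarian": {"release_programs_and_files"},
    "data_control": {"verify_input", "review_output"},
    "security_admin": {"monitor_access", "investigate_breaches"},
    "ar_clerk": {"record_transactions"},
    "credit_manager": {"authorize_transactions"},
    "cashier": {"custody_of_assets"},
}

# Duty pairs the text says must not rest with one person (assumed encoding of the rules)
CONFLICTS = {
    frozenset({"change_programs", "run_production_jobs"}),         # programmers kept out of operations
    frozenset({"change_programs", "access_production_data"}),      # programmers work on test copies only
    frozenset({"change_programs", "release_programs_and_files"}),  # librarian independent of programmers
    frozenset({"change_programs", "verify_input"}),                # programmers have no access to input data
    frozenset({"authorize_transactions", "record_transactions"}),
    frozenset({"custody_of_assets", "record_transactions"}),
    frozenset({"authorize_transactions", "custody_of_assets"}),
}


def effective_duties(roles):
    """All duties a user holds once every assigned role is combined."""
    return set().union(*(ROLE_DUTIES[r] for r in roles))


def sod_violations(user_roles):
    """Return (user, duty_a, duty_b) for every conflicting pair a user holds."""
    violations = []
    for user, roles in sorted(user_roles.items()):
        duties = effective_duties(roles)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                violations.append((user, a, b))
    return violations


# Constructed user listing, as it might be exported from the access-control system
USER_ROLES = {
    "alice": ["programmer"],
    "bob": ["computer_operator", "programmer"],   # small shop: one person does both
    "carol": ["ar_clerk", "credit_manager"],      # records sales and approves credit
    "dave": ["librarian"],
}

if __name__ == "__main__":
    for user, a, b in sod_violations(USER_ROLES):
        print(f"{user}: holds both '{a}' and '{b}'")
```

Running the listing above reports bob (programmer with production access and operations) and carol (authorizes and records the same transactions); alice and dave are clean because each holds one role. In practice the role-to-duty table comes from the system's own permission export, and the conflict set is what the auditor agrees with management before testing.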

Systems Development

Systems development includes:

  • Purchasing software or developing in-house software that meets the organization’s needs. A key to implementing the right software is to involve a team of both IT and non-IT personnel, including key users of the software and internal auditors. This combination increases the likelihood that information needs, as well as software design and implementation concerns, are properly addressed. Involving users also results in better acceptance by key users.

  • Testing all software to ensure that the new software is compatible with existing hardware and software and determining whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software with realistic data is critical. Companies typically use one or a combination of the following two test approaches:

  1. Pilot testing: A new system is implemented in one part of the organization while other locations continue to rely on the old system.

  2. Parallel testing: The old and new systems operate simultaneously in all locations.

Physical and Online Security

Physical controls over computers and restrictions on online access to software and related data files decrease the risk of unauthorized changes to programs and improper use of programs and data files. The information technology and internal control processes an organization has in place to protect computers, networks, programs, and data from unauthorized access are often referred to as cybersecurity. Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.

  • Physical controls. Proper physical controls over computer equipment restrict access to hardware, software, and backup data files. Common controls that physically restrict unauthorized use include keypad entrances, badge-entry systems, security cameras, and security personnel. More sophisticated controls only allow physical and online access after employee fingerprints are read or employee retinas are scanned and matched against an approved database. Other physical controls include monitoring of cooling and humidity to ensure that the equipment functions properly and installing fire-extinguishing equipment to reduce fire damage.

  • Online access controls. Proper user IDs and passwords control access to software and related data files, reducing the likelihood that unauthorized changes are made to software applications and data files. Separate add-on security software packages, such as firewall and encryption programs, can be installed to improve a system’s security.

Backup and Contingency Planning

Power failures, fire, excessive heat or humidity, water damage, or even sabotage can have serious consequences to businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or on-site generators. For more serious disasters, organizations need detailed backup and contingency plans such as off-site storage of critical software and data files or outsourcing to firms that specialize in secure data storage.

Backup and contingency plans should also identify alternative hardware that can be used to process company data. Companies with small IT systems can purchase replacement computers in an emergency and reprocess their accounting records by using backup copies of software and data files. Larger companies often contract with IT data centers that specialize in providing access to off-site computers and data storage and other IT services for use in the event of an IT disaster.

Hardware Controls

Hardware controls are built into computer equipment by manufacturers to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy. Regardless of the quality of hardware controls, output will be corrected only if the client has provided for handling machine errors.

Application Controls

Application controls are designed for each software application and are intended to help a company satisfy the transaction-related management assertions discussed in previous chapters. Although some application controls affect one or only a few transaction-related assertions, most controls prevent or detect several types of misstatements. Other application controls concern account balance and presentation and disclosure assertions.

Application controls may be done by computers or client personnel. When they are done by client personnel, they are called manual controls. The effectiveness of manual controls depends on both the competence of the people performing the controls and the care they exercise when doing them. For example, when credit department personnel review exception reports that identify credit sales exceeding a customer’s authorized credit limit, the auditor may need to evaluate the person’s ability to make the assessment and test the accuracy of the exception report. When controls are done by computers, they are called automated controls. Because of the nature of computer processing, automated controls, if properly designed, lead to consistent operation of the controls.

Application controls fall into three categories: input, processing, and output. Although the objectives for each category are the same, the procedures for meeting the objectives vary considerably. Let’s examine each more closely.

Input Controls

Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete. They are critical because a large portion of errors in IT systems result from data entry errors and, of course, regardless of the quality of information processing, input errors result in output errors. Typical controls developed for manual systems are still important in IT systems, such as:

  • Management’s authorization of transactions

  • Adequate preparation of input source documents

  • Competent personnel

Controls specific to IT include:

  • Adequately designed input screens with preformatted prompts for transaction information

  • Pull-down menu lists of available software options

  • Computer-performed validation tests of input accuracy, such as the validation of customer numbers against customer master files

  • Online-based input controls for e-commerce applications where external parties, such as customers and suppliers, perform the initial part of the transaction inputting

  • Immediate error correction procedures, to provide for early detection and correction of input errors

  • Accumulation of errors in an error file for subsequent follow-up by data input personnel
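The IT-specific input controls listed above (format checks, validation against master files, numeric and date checks, a limit check that feeds an exception report, and an error file for follow-up) can be shown in one validation routine. The Python below is an added example, not code from the lesson: it validates a constructed batch of keyed sales orders against constructed customer and product master files, rejects records with reasons into an error file rather than dropping them, and routes accepted orders over the customer's credit limit to a credit-department exception list, the way the credit-limit review in the later discussion of manual controls describes. Field names, master-file contents and the batch are all assumptions.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master files that keyed input is validated against
CUSTOMER_MASTER = {"C1001": Decimal("5000.00"), "C1002": Decimal("12000.00")}  # customer -> credit limit
PRODUCT_MASTER = {"P-100", "P-200"}


def validate_sales_order(rec, today):
    """Return the reasons a keyed sales order fails input validation (empty list = accepted)."""
    errors = []
    cust = rec.get("customer_no", "")
    if not re.fullmatch(r"C\d{4}", cust):                       # format check
        errors.append("customer_no: must be C followed by four digits")
    elif cust not in CUSTOMER_MASTER:                            # validation against master file
        errors.append(f"customer_no: {cust} is not on the customer master file")
    if rec.get("product_no") not in PRODUCT_MASTER:
        errors.append("product_no: not on the product master file")
    try:                                                         # numeric and sign checks
        if int(rec.get("qty", "")) <= 0:
            errors.append("qty: must be a positive whole number")
    except ValueError:
        errors.append("qty: not a whole number")
    try:
        if Decimal(rec.get("amount", "")) <= 0:
            errors.append("amount: must be positive")
    except InvalidOperation:
        errors.append("amount: not a valid money value")
    try:                                                         # date validity check
        if date.fromisoformat(rec.get("order_date", "")) > today:
            errors.append("order_date: is in the future")
    except ValueError:
        errors.append("order_date: not a valid YYYY-MM-DD date")
    return errors


def validate_batch(records, today):
    """Split a keyed batch into accepted records, an error file for follow-up by data
    control, and a credit-limit exception list that goes to the credit department."""
    result = {"accepted": [], "error_file": [], "credit_exceptions": []}
    for rec in records:
        errors = validate_sales_order(rec, today)
        if errors:
            result["error_file"].append((rec, errors))   # accumulated with reasons, never silently dropped
            continue
        result["accepted"].append(rec)
        if Decimal(rec["amount"]) > CUSTOMER_MASTER[rec["customer_no"]]:
            result["credit_exceptions"].append(rec)      # limit check: accepted, but reported for review
    return result


# Constructed batch of keyed orders, as strings exactly as typed on the input screen
KEYED_BATCH = [
    {"customer_no": "C1001", "product_no": "P-100", "qty": "3", "amount": "450.00", "order_date": "2025-03-04"},
    {"customer_no": "C9999", "product_no": "P-100", "qty": "1", "amount": "80.00", "order_date": "2025-03-05"},
    {"customer_no": "1001", "product_no": "P-200", "qty": "-2", "amount": "100.00", "order_date": "2025-03-05"},
    {"customer_no": "C1002", "product_no": "P-200", "qty": "1", "amount": "12,50", "order_date": "2025-13-40"},
    {"customer_no": "C1002", "product_no": "P-100", "qty": "10", "amount": "15000.00", "order_date": "2025-03-10"},
]
TODAY = date(2025, 3, 31)

if __name__ == "__main__":
    outcome = validate_batch(KEYED_BATCH, TODAY)
    for rec, errors in outcome["error_file"]:
        print(rec["customer_no"], errors)
    print("accepted:", len(outcome["accepted"]), "credit exceptions:", len(outcome["credit_exceptions"]))
```

Two design points matter for the auditor. Every rejected record carries the full list of reasons, so data control can correct and resubmit it rather than re-keying blindly, and the credit-limit case is deliberately not a rejection: the order is valid input, and the decision belongs to the credit department working from the exception list.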

Processing Controls

Processing controls prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing processing errors. Specific application processing controls are often programmed into software to prevent, detect, and correct processing errors.

Output Controls

Output controls focus on detecting errors after processing is completed, rather than on preventing errors. The most important output control is review of the data for reasonableness by someone knowledgeable about the output. Users can often identify errors because they know the approximate correct amounts. Several common controls for detecting errors in outputs include:

  • Reconcile computer-produced output to manual control totals

  • Compare the number of units processed to the number of units submitted for processing

  • Compare a sample of transaction output to input source documents

  • Verify dates and times of processing to identify any out-of-sequence processing
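The first two output controls in the list above (reconciling computer-produced output to manual control totals and comparing units processed to units submitted) are usually implemented together as batch control totals: a record count, a financial total over a money field, and a hash total over a non-monetary field such as account codes. The Python below is an added example, not code from the lesson. It computes the three totals over a constructed batch of cash receipts before submission and reconciles the processed output against them under three constructed fault scenarios, which shows why all three totals are kept: each scenario is caught by a different one. The transaction fields and the batch are assumptions.

```python
from dataclasses import dataclass, replace
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    doc_no: str       # source document number
    account: str      # numeric general-ledger account code
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int         # number of records in the batch
    financial_total: Decimal  # sum of a meaningful money field
    hash_total: int           # sum of a non-monetary field; the number means nothing, only matching matters


def control_totals(txns):
    return ControlTotals(
        record_count=len(txns),
        financial_total=sum((t.amount for t in txns), Decimal("0")),
        hash_total=sum(int(t.account) for t in txns),
    )


def reconcile(submitted, output):
    """Compare computer-produced output against the totals prepared before submission.
    Returns a list of discrepancies; an empty list means the batch reconciles."""
    actual = control_totals(output)
    issues = []
    if actual.record_count != submitted.record_count:
        issues.append(f"record count {actual.record_count} != {submitted.record_count} submitted")
    if actual.financial_total != submitted.financial_total:
        issues.append(f"financial total {actual.financial_total} != {submitted.financial_total} submitted")
    if actual.hash_total != submitted.hash_total:
        issues.append(f"hash total {actual.hash_total} != {submitted.hash_total} submitted")
    return issues


# Constructed batch of cash receipts; data control prepares the totals before processing
SUBMITTED = [
    Txn("CR-501", "1010", Decimal("250.00")),
    Txn("CR-502", "1010", Decimal("1200.50")),
    Txn("CR-503", "1200", Decimal("80.00")),
]
MANUAL_TOTALS = control_totals(SUBMITTED)


def with_dropped_record():
    """Processing silently lost the last record: all three totals disagree."""
    return SUBMITTED[:-1]


def with_transposed_account():
    """Account 1200 posted as 2100: count and financial total still agree, only the hash total catches it."""
    return SUBMITTED[:2] + [replace(SUBMITTED[2], account="2100")]


def with_keying_error():
    """1200.50 posted as 1020.50: only the financial total catches it."""
    return [SUBMITTED[0], replace(SUBMITTED[1], amount=Decimal("1020.50")), SUBMITTED[2]]


if __name__ == "__main__":
    for name, output in [("clean", SUBMITTED), ("dropped", with_dropped_record()),
                         ("transposed", with_transposed_account()), ("keying", with_keying_error())]:
        print(name, reconcile(MANUAL_TOTALS, output) or "reconciled")
```

The hash total looks pointless on its own (a sum of account codes has no business meaning), but it is the only one of the three that notices a transaction posted to the wrong account when the amount and count are unchanged, which is exactly the misstatement a financial total cannot see.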

For sensitive computer output, such as payroll checks, control can be improved by requiring employees to present employee identification before they receive their checks or by requiring the use of direct deposit into the employees’ pre-approved bank accounts. Also, access to sensitive output stored in electronic files or transmitted across networks, including the Internet, is often restricted by requiring passwords, user IDs, and encryption techniques.

The use of networks that link equipment such as desktops, midrange computers, mainframes, workstations, servers, and printers is common for most businesses. Local area networks (LANs) link equipment within a single building or a small cluster of buildings and are used only within a company. LANs are often used to transfer data and programs from one computer or workstation to another using network system software that allows all of the devices to function together. Wide area networks (WANs) link equipment across larger geographic regions, including global operations.

In networks, application software and data files used to process transactions are included on several computers that are linked together. Access to the application from desktop computers or workstations is managed by network server software or other interfaces with cloud computing technology. Even small companies can have several computer servers linked together on a network, while larger companies may have hundreds of servers in dozens of locations networked together. It is common for networks to consist of various combinations of equipment and procedures, which may not have standard security options. Lack of equipment compatibility across a network may occur when responsibility for purchasing equipment and software, maintenance, administration, and physical security resides with key user groups rather than with a centralized IT function. Sometimes network security may be compromised when networks consist of equipment with incompatible security features.

Database management systems allow clients to create databases that include information that can be shared across multiple applications. In nondatabase systems, each application has its own data file, whereas in database management systems, many applications share files. Clients implement database management systems to reduce data redundancy, improve control over data, and provide better information for decision making by integrating information throughout functions and departments. For example, customer data, such as the customer’s name and address, can be shared in the sales, credit, accounting, marketing, and shipping functions, resulting in consistent information for all users and significant cost reductions. Companies often integrate database management systems within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization’s activities into one accounting information system. ERP systems share data across accounting and nonaccounting business functions of the organization. For example, customer order data may be used by accounting to record a sale, by production to meet increased production demand, by purchasing to order additional raw materials, and by human resources to arrange labor schedules.

Controls often improve when data are centralized in a database management system by eliminating duplicate data files. However, database management systems also can create internal control risks. Risks increase when multiple users, including individuals outside of accounting, can access and update data files. To counter the risks of unauthorized, inaccurate, and incomplete data files, companies must implement proper database administration and access controls. With the centralization of data in a single system, they must also ensure proper backup of data on a regular basis.

Companies using e-commerce systems to transact business electronically link their internal accounting systems to external parties’ systems, such as customers and suppliers. As a result, a company’s risks depend in part on how well its e-commerce partners identify and manage risks in their own IT systems. To manage these interdependency risks, companies must ensure that their business partners manage IT system risks before conducting business with them electronically. Some of the assurance services discussed in

A firewall protects data, programs, and other IT resources from unauthorized external users accessing the system through networks, such as the Internet. A firewall is a system of hardware and software that monitors and controls the flow of e-commerce communications by channeling all network connections through controls that verify external users, grant access to authorized users, deny access to unauthorized users, and direct authorized users to requested programs or data. Firewalls are becoming increasingly sophisticated as the frequency and severity of cyberattacks grow.

Encryption techniques protect the security of electronic communication when information is transmitted and when it is stored. Computerized encryption changes a standard message or data file into one that is coded (encrypted), requiring the receiver of the electronic message or user of the encrypted data file to use a decryption program and the proper key to decode the message or data. A public key encryption technique is often used, where one key (the public key) is used for encoding the message and a different, mathematically related key (the private key) is used to decode it. The public key can be distributed to all approved users of the e-commerce system because it cannot be used to decode messages. The private key is held only by the party authorized to decode the message and is never distributed; the security of the scheme rests on keeping it secret.

To authenticate the validity of a trading partner conducting business electronically, companies may rely on external certification authorities, who vouch for the source of a public key by issuing digitally signed certificates. A trusted certification authority issues a digital certificate to individuals and companies engaging in e-commerce. The digital certificate contains the holder’s name and its public key. It also contains the name of the certification authority, the certificate’s expiration date, and other specified information. To guarantee integrity and authenticity, each certificate is digitally signed with the private key maintained by the certification authority, so anyone holding the authority’s public key can verify that the certificate has not been altered and check that it has not expired.
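The two preceding paragraphs describe public key encryption (anyone with the public key can encode, only the private key holder can decode) and the certificate that binds a holder's name to its public key under a certification authority's signature. The Python below is an added example that is not part of the lesson; it walks through both with textbook RSA on deliberately tiny primes so the arithmetic is visible (real keys are thousands of bits and randomly generated, and this toy must never be used for actual security). The party names, the purchase order, the expiry date and the certificate layout are all constructed. It shows a supplier decoding an order encoded with its public key, an impostor's private key failing to decode it, and a trading partner rejecting a certificate whose public key was swapped after signing or whose expiry date has passed.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date


def make_keypair(p, q, e=65537):
    """Textbook RSA with two small constructed primes. Returns (public_key, private_key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e, Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, message):
    """Anyone holding the public key can encode; one block per byte because n is tiny."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, blocks):
    """Only the matching private key recovers the bytes; a wrong key yields garbage or None."""
    d, n = private_key
    values = [pow(c, d, n) for c in blocks]
    return bytes(values) if all(v < 256 for v in values) else None


def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    d, n = private_key
    return pow(_digest(data, n), d, n)


def verify(public_key, data, signature):
    e, n = public_key
    return pow(signature, e, n) == _digest(data, n)


@dataclass(frozen=True)
class Certificate:
    holder: str
    holder_public_key: tuple
    issuer: str
    expires: date
    signature: int          # certification authority's signature over the fields above


def _to_be_signed(holder, holder_public_key, issuer, expires):
    e, n = holder_public_key
    return f"{holder}\n{e}\n{n}\n{issuer}\n{expires.isoformat()}".encode()


def issue_certificate(ca_name, ca_private_key, holder, holder_public_key, expires):
    sig = sign(ca_private_key, _to_be_signed(holder, holder_public_key, ca_name, expires))
    return Certificate(holder, holder_public_key, ca_name, expires, sig)


def validate_certificate(cert, ca_public_key, today):
    """What a trading partner checks before trusting the public key inside a certificate."""
    if today > cert.expires:
        return False
    data = _to_be_signed(cert.holder, cert.holder_public_key, cert.issuer, cert.expires)
    return verify(ca_public_key, data, cert.signature)


# Constructed parties (primes chosen so that 65537 is coprime with each phi)
CA_PUB, CA_PRIV = make_keypair(1009, 1013)
SUPPLIER_PUB, SUPPLIER_PRIV = make_keypair(1031, 1033)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(1039, 1049)
SUPPLIER_CERT = issue_certificate("TrustedCA", CA_PRIV, "Acme Supplies", SUPPLIER_PUB, date(2026, 12, 31))


def demo(today=date(2025, 6, 1)):
    order = b"PO-7781: 40 units of P-100"
    ciphertext = encrypt(SUPPLIER_PUB, order)
    forged = replace(SUPPLIER_CERT, holder_public_key=IMPOSTOR_PUB)   # key swapped, CA signature untouched
    return {
        "supplier_decrypts": decrypt(SUPPLIER_PRIV, ciphertext) == order,
        "impostor_decrypts": decrypt(IMPOSTOR_PRIV, ciphertext) == order,
        "cert_accepted": validate_certificate(SUPPLIER_CERT, CA_PUB, today),
        "forged_cert_accepted": validate_certificate(forged, CA_PUB, today),
        "expired_cert_accepted": validate_certificate(SUPPLIER_CERT, CA_PUB, date(2027, 1, 1)),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The forged-certificate case is the one that matters for trading-partner authentication: the impostor can freely publish its own public key, but it cannot produce the certification authority's signature over the holder's name and that key, so the swap is detected by anyone who checks the signature with the authority's public key. The expiry check is just as important and just as easy to forget.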

Many clients outsource some or all of their IT needs to an independent organization commonly referred to as a computer service center, including application service providers (ASPs) and cloud computing environments, rather than maintain an internal IT center. Cloud computing is a computer resource deployment and procurement model that enables an organization to obtain IT resources and applications from any location via an Internet connection. Depending on the arrangement, all or parts of an entity’s IT hardware, software, and data might reside in an IT service center shared with other organizations and managed by a third-party vendor. The name cloud computing comes from the use of a cloud-shaped symbol in systems diagrams to represent complex IT infrastructures.

Smaller companies often outsource their payroll function because payroll is reasonably standard from company to company, and many reliable providers of payroll services are available. Companies also outsource their e-commerce systems to external Web site service providers, including those that offer cloud computing services as described above. Like all outsourcing decisions, companies decide whether to outsource IT on a cost-benefit basis.

When outsourcing to a computer service center, the client submits input data, which the service center processes for a fee and then returns the agreed-upon output and the original input. For payroll, the company submits data from time records, pay rates, and W-4s to the service center. The service center returns payroll checks, journals, and input data each week and W-2s at the end of each year. The service center is responsible for designing the computer system and providing adequate controls to ensure that the processing is reliable.

Outsourcing can present challenges from an internal control perspective. Management is responsible for the design and operating effectiveness of internal controls, and this includes controls that are outsourced to a service provider. The ethics and integrity of service providers, as well as the design and functioning of their internal controls, need to be considered by management when selecting a service provider, and evaluated regularly.