3900-IT Audits--System Control Guidelines
Basic Control Guidelines For Application Systems
Introduction:
There are strong incentives to incorporate control procedures in computer-based application systems. Not only will the system possess a higher degree of reliability, but the resulting accuracy and orderliness can lead to greater processing efficiency by reducing the number of errors that require manual intervention and reprocessing.
Objectives:
As stated in the Systems Auditability and Control research study published by the Institute of Internal Auditors Research Foundation in 1991:
"The objective of an audit of information technology is to review and evaluate the controls intended to mitigate risks related to information and process integrity.... The responsibility of the internal auditor is to identify controls over information and process integrity and to test such controls for evidence of ongoing compliance and effectiveness."
Application controls should provide reasonable assurance that the recording, processing and reporting of data are properly performed. To do this, the design of an application system should assure that:
1. All authorized transactions are completely processed once and only once.
2. Transaction data is complete and accurate.
3. Transaction processing is correct and appropriate to the circumstances.
4. Processing results are utilized for the intended purpose.
5. The application can continue to function.
I. Input Control Guidelines
Input controls are designed to provide reasonable assurance that data received for processing have been properly authorized, converted into machine sensible form and identified, and that data (including data transmitted over communication lines) has not been lost, suppressed, added, duplicated, or otherwise improperly changed. Input controls include controls that relate to rejection, correction and resubmission of data that were initially incorrect ("The Effects of EDP on the Auditor's Study and Evaluation of Internal Control", Statements on Auditing Standards (SAS No. 3), American Institute of Certified Public Accountants).
The chart below lists the general functions (input-related control areas) that require control. Within each control area are control types that address specific functions. Specific controls are listed for each control type.
| Control Area | Control Type | Specific Controls |
|---|---|---|
| Source document origination | Written procedures | Control documentation |
| | | User procedures and manuals |
| | Source document design | Special purpose forms |
| | | Source document numbers |
| | | Transaction identification |
| | | Cross reference |
| | | Sequence log |
| | Source document handling | Dual custody |
| Authorization | Source document preparation | Separation of duties |
| | | Signatures |
| | Written procedures | Written authorization |
| | Approval of source documents | Evidence of approval |
| | | Transaction conflicts matrix |
| Data processing input preparation | Transaction identification | Transaction numbering |
| | | Schedule desk |
| | | User identification |
| | User review of input | Manual review |
| | Batching | Batch serial number |
| | | Limit the number of transactions |
| | | Batch and balance source data at point of origin |
| | Logging | Logs of source document transmittal between organization |
| | Transmittal | Transmittal document |
| | | Retention dates on source documents |
| | | Source document storage index |
| | Filing of source documents | File of source documents |
| | | Batch storage |
| | | Source documents maintained at origin |
| | Retention storage | Filing in user areas |
| | | Limited access to retention facilities |
| | | Removal from retention |
| Source document error handling | Error procedures | Source document correction procedures |
| | | Written error handling procedures |
| | | Responsibility for error correction |
| | Error detection | Error logging |
| | | Visual review of source documents |
| | Error correcting processing | Error notification |
| | | Identification of error correction |
| | Corrected data resubmission | Verification of reentered data |
| | | Monitoring of error corrections |
| Transaction data entry | Written procedures | Control documentation |
| | | User procedures |
| | Physical hardware | Location of data conversion operation |
| | | Simultaneous recording |
| Terminal data entry | Terminal software features | Security of data entry terminal |
| | | Preformatting |
| | | Interactive display |
| | | Computer-aided instruction |
| | | User application system access |
| | | Terminal sign-on procedures |
| | | Review of terminal assignments |
| | Hardware control features | Terminal features |
| | | Intelligent terminals |
| Transaction data | Transaction verification | Key verification |
| | | Preprogrammed keying formats |
| | Data content validation techniques | Editing and validating routines |
| | | Transaction data cutoff |
| | | Passwords |
| Batch proof and balancing | Data input controls | Processing schedules |
| | | Turnaround documents |
| | | Cancellations of source documents |
| | | Logging |
| | Proof and balancing methods | Manual check of control figures |
| | | Batch control |
| | | Batch header records |
| Transaction entry error handling | Error detection | Error display |
| | | Unauthorized access attempts |
| | | Error listings |
| | Error | Warning messages |
| | | Error message |
| | Corrected data resubmission | Corrected data editing |
| | | Control totals and rejects* |

* Susan H. Russell, Tom S. Eason, J.M. Fitzgerald, Systems Auditability and Control - Control Practices, The Institute of Internal Auditors, Inc., 1977, pg. 59
II. Processing Control Guidelines
Processing controls are designed to provide reasonable assurance that electronic data processing has been performed as intended for the particular application; i.e., that all transactions are processed as authorized, that no authorized transactions are omitted or improperly changed and that no unauthorized transactions are added (SAS No. 3, Op. cit., p. 3-4).
The chart below lists the general functions (processing-related control areas) that require control. Within each control area are control types that address specific functions. Specific controls are listed for each control type.
| Control Area | Control Type | Specific Controls |
|---|---|---|
| Computer process integrity | Transaction identification | Transaction codes |
| | | Monitoring of computer generated transaction |
| | Computation and logic | Control totals |
| | | Default option |
| | | Anticipation control |
| | | Dual fields |
| | | Arithmetic accuracy |
| | | Exception reporting |
| | | File control totals |
| | | File completion check |
| | File maintenance | Balancing the computer file |
| | | Dummy records |
| | | Operator instructions |
| | | Computer program run books |
| | | Computer console |
| | | Display messages |
| Computer processing error handling | Error reporting | Error reporting |
| | | Batch control header |
| | | Production report of rejected conditions |
| | Error correction | Automated error suspense file |
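Batch control is the one mechanism that appears in both charts: "Batch control", "Batch header records" and "Control totals and rejects" under Batch proof and balancing in the input chart, and "Control totals", "Batch control header" and the "Automated error suspense file" in the processing chart. The following is an added example, not part of the guidelines or of any cited source, of how such a proof-and-balancing step can be implemented so that each authorized transaction is processed once and only once; the record layout, field names and sample batches are constructed for the example.

```python
from collections import Counter, namedtuple
from decimal import Decimal

# Batch header record (constructed layout): the expected record count, a hash
# total over the account-number field and a financial total, all keyed at the
# point of origin, against which the detail records are balanced.
BatchHeader = namedtuple("BatchHeader", "batch_serial record_count hash_total amount_total")
Transaction = namedtuple("Transaction", "txn_number account amount")


def prove_batch(header, details):
    """Balance the detail records against the header; return every exception found."""
    checks = [  # (control, value recomputed from details, value carried on the header)
        ("record count", len(details), header.record_count),        # lost or added record
        ("hash total", sum(t.account for t in details), header.hash_total),  # substituted record
        ("amount total", sum((t.amount for t in details), Decimal("0")), header.amount_total),
    ]
    errors = [f"{name} {got} != header {want}" for name, got, want in checks if got != want]
    # Once-and-only-once: a transaction number keyed more than once is rejected.
    counts = Counter(t.txn_number for t in details)
    errors += [f"duplicate transaction {n}" for n, c in sorted(counts.items()) if c > 1]
    return errors


def route_batches(batches):
    """Return (batch serials accepted for processing, error suspense file of rejects)."""
    accepted, suspense = [], []
    for header, details in batches:
        errors = prove_batch(header, details)
        if errors:  # held in suspense for correction and resubmission, never processed
            suspense.append({"batch_serial": header.batch_serial, "errors": errors})
        else:
            accepted.append(header.batch_serial)
    return accepted, suspense


# Constructed sample input: B001 balances. In B002, T104 was keyed twice in place
# of T105, so the record count still agrees with the header but the hash total
# and the duplicate check both flag the batch.
SAMPLE_BATCHES = [
    (BatchHeader("B001", 3, 1001 + 1002 + 1003, Decimal("600.00")),
     [Transaction("T101", 1001, Decimal("100.00")),
      Transaction("T102", 1002, Decimal("200.00")),
      Transaction("T103", 1003, Decimal("300.00"))]),
    (BatchHeader("B002", 3, 2001 + 2002 + 2003, Decimal("150.00")),
     [Transaction("T104", 2001, Decimal("50.00")),
      Transaction("T104", 2001, Decimal("50.00")),
      Transaction("T106", 2003, Decimal("50.00"))]),
]
```

Calling route_batches(SAMPLE_BATCHES) accepts B001 and places B002 in the suspense file with both the hash-total mismatch and the duplicate transaction number recorded against it, which is the production report of rejected conditions an auditor would expect to review.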