General computer controls

General computer controls

· Computer controls in context.

· Confidentiality

· As accountants, we want to understand the risk and controls in our software. How likely is it that someone can break in and make changes?

· Application Audit

· An app, something that processes information, takes inputs, puts them into accounts, ledgers, shipping activity, payroll activity.

· We programmed it ourselves, self developed software, or it came out of a can, Oracle, canned software, Quickbooks.

· ITGC Audit

· IT General Controls

· Keep the bad stuff out of the machine

· Mostly concerns with things that affect the machine we use to do our work.

· Application controls: how the software checks itself as it is doing its job.

· GCCs

· General Computer Controls is the same as ITGC

· Administrative

· Baseline

· Risk assessment

· Approvals of projects/budgets/steering committee

· Coordination between business and IT

· Training, background checks, evaluations

· Documented policies and procedures

· Segregation of IT duties

· Over finance:

· Record

· Authorization

· Custody

· In I.T.

· Programmers/coders

· Developers

· Production

· Launched version of the software developed by programmers

· Users

· Security professionals

· Logical security/logical controls

· Access

· Minimize principal (few users, few rights)

· Approvals

· Terminations/transfers

· Review of rights (data owners)

· Special rights (admins, DBA, etc.)

· Applications, OS, Database

· Passwords

· What you know

· What you have-token based, RSA cards, USB drives, swipe cards

· Change them often

· Be mysterious

· Don’t leave them lying around

· Don’t share

· The longer, the better

· Change control


· Authorization

· Steering committee

· Tested

· Approved

· Back outs

· Segregation of duties

· Network operations

· Help desk

· Executables

· Monitoring

· Hardening

· Incident management

· Malware

· Destruction of info

· Backups

· Rotation

· Offsite

· Restorations

· Access

· Encryption

· Physical/Environmental security

· Colocation

· Stopping the environment or physical factors from doing something to your machines

· Redundancy

· Security

· Biometrics, key cards, mantraps, cameras, motion sensors

· Environmental

· Temperature, humidity, fire, water, dust, airflow

· Power

· UPS, generators, conditioners

· Recovery/Continuity

· DRP (Disaster recovery plan)

· Hot sites

· Warm sites

· Cold sites

· BCP (Business Continuity plan)

· Risk Assessment

· Test

· Refine

· Levels within GCC

· Internet

· Getting information out to external users

· Networks

· By which employees move information

· Database

· Storing files

· Application

· Operating System

· Hardware

· Background information

· How are controls within GCCs and BCCs integrated?

· Network security-browser transfer security

· Monitoring

· Zones


· Wireless


· E-commerce

Application Controls:

1. Input

a. E-commerce; entering order information

2. Processing

a. Affects shipping, invoicing

3. Output

a. Affects reporting – invoice, bill of lading

b. Reports are linked to queries, those queries have to be created correctly – i.e. new information/column but query is not aware of it


1. All input data is accurate, complete, authorized, and correct

2. All data is processed as intended

3. All data stored is accurate and complete

4. All output is accurate and complete

5. A record is maintained to track the process of data from input to storage, and to the eventual output

6. Access to data is limited based on business need

7. Incompatible duties within an application are systematically prevented

It is important to track who is performing transactions, journal entries, etc, in a “black box.” Limiting access goes back to general controls, duties, determining who can do what within the system.

Input Controls:

1. Designed by an organization to ensure that the info being collected for processing is authorized, accurate, and complete

2. Controlling the users

3. These controls are used to check the integrity of the data entered into a business application

a. Users limited to selecting values in a pre-populated dropdown, radio buttons, etc.

b. System validates that a valid # is entered into a field where a $amount is expected

4. Five components

a. Validation

i. Has someone looked at the data and “approved it?”

ii. Matching of data

1. Matching input to existing valid/authorized data

2. Customer number matches to existing/active customer

3. Order entry – match to inventory levels for availability

4. Purchasing – match vendor ID to an approved vendor lists prior to payment

iii. Programmed check

1. Program matches input with pre-established rules or data held in a reference table or master file

a. i.e. sales tax auto populated based on zip code

b. Stops unauth discounts

2. Matching transactions to another file

a. SKU: shop keeping unit, # references price table

b. Helps calc tax, shipping, lower inventory

b. Authorization i. username and password

i. Modular with access restrictions

1. Enter prices

2. Enter vendors

3. Enter employees

4. Enter customer credit approval (or programmed)

5. Enter sales orders

6. Enter adjustments

7. Enter useful lives

8. Triggers approvals based on user before processing requests

ii. Approve journal entries

c. Completeness

i. Pertinent, key data has to be entered into the fields, no open fields

ii. Batching – pieces of paper, filled in by hand, catalog orders, making sure everything in a stack was put in the system

iii. Sequence check – chronological ordered checks

iv. Match with previously processed data

1. completeness check

v. Batch controls

1. Financial total – foot/total every one of the financial dollar amounts in that batch

2. Hash total – nonsensical number processed to check for accuracy, i.e. adding up customer IDs as numerical values

3. Record count – hand count of batch quantities

vi. Completeness of Input – computer matching with previously processed documents

1. Invoice is created based on completed sales order number and valid shipping doc #

2. In the input stage, not letting something process unless all the relevant input fields are filled – testing stage

3. Payment of invoice will not take place until certain matching occurs between previously processed documents

· invoice will be matched to

· previously processed P.O.

· previously processed receipt of goods

d. Accuracy

i. Ensuring the data is right as you put it in, no extra zeros

1. Edit checks

a. Reasonableness (be concerned) limit/arraigned

i. Checking to see if input falls within reasonable range of limits

ii. Prevents possible mistakes or manipulation activities

iii. Applied to data fields

iv. Example: New inventory cost exceeds previous price by more than 10%

v. System warns user of unusual input

1. Prevents entry altogether

2. Asks for approval code

3. Warns, then allows

b. Dependency

i. Looking for logical relationships

ii. Comparing 2+ elements or fields on a transaction for correct logical relationships

iii. Example: Inventory quantity ordered does not exceed 120% of average quantity ordered for prior year

c. Format

i. Checks the existence of expected numeric or alphabetic characters

ii. Ex: only allows numerical input in a field, only allow text, do not allow blanks.

d. Mathematical Accuracy checks

i. Re-footing live

e. Check Digits

i. Using algorithms to check validity of entered data

f. Existence

i. Look to see what’s been populating

ii. Matches data codes with other files for validity

iii. Ex: purchase orders are processed, GL & AP codes used, program checks for matching or existence.

iv. Supplement with check digits

g. Processing Controls

i. Provide automated means to ensure processing is complete, accurate, and authorized

ii. Ex: transactions exceeding a specific dollar amount must be approved by an exec before being applied in the system

iii. Automated file id and validation

iv. Automated functionality and calculations controls

v. Audit trails and overrides controls

vi. Duplicate controls – no duplicate checks

h. Output controls

i. reconciliation for completeness and accuracy

ii. Focus on detecting errors after processing is completed rather than on preventing errors

iii. Security over reports

iv. Ex: system generated POs, reports, invoices

e. Integrity

i. No changes in form from input to output

ii. Exceptions; payroll, etc.

Comments are closed.