The Objectives And Purpose Of Procedural Controls Information Technology Essay
Organizational, documentary and systems controls are important to the auditor as proof of the operational checks used to protect and further information within the processing system. Procedural controls are also important to assure management and the auditor that the procedures within the EDP department are actually performed correctly.
Procedural controls are methods adopted to assure that the whole series of data processing steps, from the time when the transactions happen to the time reports are ready for management, is prepared and processed in the most accurate and well-organized manner.
Operations in the data processing department usually involve two kinds of errors: errors in processing transaction data and errors in processing permanent or semi-permanent data. Frequently, an error involving the use of transaction data will have an effect on the resultant output only once. Permanent or semi-permanent data that is to be used each time the file is processed may have deep effects on the output of data if permitted to remain uncorrected for any length of time. Thus, permanent or semi-permanent data must have stricter controls placed upon the processing of transactions and file data.
Any type of check, comparison, or confirmation used to eradicate errors, mismatched informational data, and unlawful system entry increases processing time and the expense of operation. However, to obtain the highest, most dependable quality of data, it is necessary to bear the cost of these controls, and internal checks should be incorporated in the design and programming of input, output, file, and processing operations.
Controls over Input
Probably the most critical time for error detection, as far as data processing is concerned, is the time at which the data is recorded. If data are not accurately recorded at the actual occurrence of the transaction, they will never become reliable, useful information.
Input controls should govern the accuracy of the data to be used as input as well as the methods used to obtain the data. Data input control involves the recognition of the transaction data to be captured, the methods to capture the data, and the accuracy with which the data is recorded.
May, Phillip T. “System Control: Computers the Weak Link.” The Accounting Review, Vol. XLIV, No. 3 (July, 2008), pp. 583-593.
There are a great many situations in which control can only be exercised at the input stage. It is therefore necessary that input controls be adequately maintained and designed to ensure that:
Transactions should accurately be recorded on the proper source document as soon as possible to provide the earliest accountability;
Where possible, all source and originating documents should be standardized and correctly coded;
Control totals and renumbered document counts established in operations manuals should be in effect; and
All submissions of data are to be sent to the data processing department in accordance with prescribed routines.
Input errors may occur under several circumstances. The general reasons for input errors are improper recording of transaction data, improper conversion from manually readable form to machine readable form, loss through handling, and faulty processing when being read by the computer.
4.1 Creation Errors
These input errors may seem obvious, but they require close attention and cognizance by the auditor if he is to detect and evaluate the client’s procedural controls. First, data may be incorrectly recorded from the onset of the transaction. Incorrectly recording the amounts, prices, stock numbers, and other information results in inaccurate data at the origination of the information flow.
4.2 Conversion Problems
Next, errors may result from the conversion of humanly readable documents to machine readable documents. This error creation will usually result from converting written documents to punched cards or punched paper tape. Also, the keypunch operator may punch the wrong key or may misinterpret illegible information, resulting in incorrect data transfers.
4.3 Data Loss Errors
Another input error that may occur is the loss of a data record during processing. Documents may be lost or mutilated, two documents may stick together, or any number of things may happen to eliminate all or a part of the source data.
Input data, correctly coded with the proper information, may result in incorrect output from the computer. This may result from an error in reading by the computer’s input device, an error in transmitting input data, the failure to process, or processing the correct data with the wrong program or file. The auditor should be aware of the points in the processing of data at which errors are likely to occur.
By knowing these points, adequate observation, inquiries, and verifications should pinpoint weaknesses in the system which the auditor should heed when evaluating the internal controls and performing the audit.
Controls Over Processing
Although input controls found in the user department and the data processing center are probably the most important checks in relation to the processing of data information, controls must also be adequately present in the data processing function. Controls not only shift from the user department to the data processing department, but shift their primary emphasis from human controls to computer controls. In effect, the evaluation and control of data is embodied in the computer programs.
4.5 Editing Input Manually
When the amount of input is small or when sufficient personnel are present, it is often possible to perform a considerable amount of editing without the use of the computer. These manual controls should be sufficient to provide effective safeguards against conversion errors and the loss of documents.
The client’s personnel should edit the original transaction to prevent invalid data or unreasonableness of data, and they should check the input volume through the use of batch totals, hash totals, checking file labels, and verification of the data sequence.
The personnel performing these checks should, if necessary, verify the punched cards as to input totals. As an extra precautionary measure, the personnel could count the number of cards punched, examine the sequence, and have a print-out of the cards so that names, addresses, and other fields can be visibly examined.
4.6 Computer Editing
If the input to the computer is large, it may be impracticable to manually edit the data. Under these circumstances the computer may be used most effectively to edit data. Usually, the input data will be transferred to an external magnetic storage device for later retrieval by the computer. Editing the transfer of information from punched cards to magnetic tape is performed at this point to ensure the nature of the data and its transfer is valid.
The computer may examine the input data to ensure that they lie within a predetermined limit and that the proper format checks are operating. It also may compare input data codes with previously established codes to detect sequence failures or the existence of duplicate records.
4.7 Data Movement Controls
Another consideration with respect to procedural controls is the regulation of the data movement. These procedural controls usually involve the general batch control form and the direction of data flow within the system.
Batch controls provide for the completeness and accuracy of the movement of data from their source to the computer, and the search for inconsistencies should be thorough when batch controls are first instituted. As the causes of errors are eliminated, batches may be subject to only a sample examination determined by statistical techniques.
An item count is one technique of batch control. It is an actual count of the number of transactions in the batch. This control is used in conjunction with other devices such as a control total. The control total sums all the information of a particular field for all of the items in a batch. The control total might be used, for example, to manually add up the total dollar value of the charge sales slips for the day and compare to a total of accounts receivable printed out by the computer after posting to customers’ balances.
A hash total is similar to a control total in that it adds up all data in a particular field. However, hash totals do not have any intrinsic meaning. The hash total, and all the other batch control totals, should be manually prepared and compared with the computer developed controls at the end of the run.
One other data movement control is the use of a control group. The control group will consist of clerks who will handle all the data flow. The control group provides the scheduling requirements of the EDP department rather than control groups of the user departments.
The control group uses the batch and other related controls to review all the data coming into and leaving the data processing department. This group will check the predetermined totals against the processed totals with the computer to ensure accuracy and completeness of the data. Discrepancies uncovered by these comparisons are traced to their source and corrected.
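The comparison the control group performs can be shown in a few lines. The following is an added example, not part of the original essay: it recomputes the item count, control total and hash total for a processed batch and reports which of them disagree with the manually prepared figures. The account numbers, amounts and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Totals prepared manually before the batch goes to data processing."""
    item_count: int          # number of transactions in the batch
    control_total: Decimal   # sum of a meaningful field: the sale amount
    hash_total: int          # sum of account numbers: no intrinsic meaning


def compute_totals(records):
    """Recompute the three batch controls from (account, amount) records."""
    amounts = [Decimal(amount) for _, amount in records]
    return BatchHeader(
        item_count=len(records),
        control_total=sum(amounts, Decimal("0")),
        hash_total=sum(account for account, _ in records),
    )


def failed_controls(header, processed):
    """Names of the batch controls that disagree with the manual header."""
    computed = compute_totals(processed)
    return [name for name in ("item_count", "control_total", "hash_total")
            if getattr(header, name) != getattr(computed, name)]


# Constructed sample: one day's charge sales slips as (account number, amount).
SUBMITTED = [(10234, "125.00"), (10871, "48.50"),
             (11902, "310.25"), (12045, "19.99")]

# Figures the user department would have added up by hand.
HEADER = BatchHeader(item_count=4,
                     control_total=Decimal("503.74"),
                     hash_total=45052)

# Three ways the processed batch can differ from what was submitted.
LOST_SLIP = SUBMITTED[:2] + SUBMITTED[3:]            # document lost in handling
MISKEYED_AMOUNT = [SUBMITTED[0], (10871, "84.50")] + SUBMITTED[2:]
WRONG_ACCOUNT = [SUBMITTED[0], (10817, "48.50")] + SUBMITTED[2:]

if __name__ == "__main__":
    cases = [("as submitted", SUBMITTED), ("lost slip", LOST_SLIP),
             ("miskeyed amount", MISKEYED_AMOUNT),
             ("wrong account", WRONG_ACCOUNT)]
    for label, batch in cases:
        failed = failed_controls(HEADER, batch)
        print(f"{label:16} -> {', '.join(failed) or 'in balance'}")
```

A sale posted to the wrong customer leaves the item count and the dollar control total in balance; only the hash total over account numbers exposes it, which is why the totals are used together.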
4.8 Pre-Run Checks
Various checks pertaining to procedural controls are necessary before the actual operation run begins. There should be a physical examination of the program to determine that the proper program is about to be run and that the appropriate files are to be processed with the program.
A portion of the computer program should be allocated to print out the main parts of the header label on each file to be used. Also, the program should print out the condition of the console switches and the program identity name.
4.9 Master File Controls
As noted earlier, standing or semi-permanent data may have data. To assure accuracy of program output when using master files with program runs, master files must be amended and processed properly.
4.10 Amendments to Master Files
There are many controls to provide accurate up-dating of standing information contained in master files. For instance, only designated persons should be authorized to make amendments to the master file, and amendments should be reviewed by some person independent of the up-dating process. Amendment forms are frequently used to date and describe fully the nature and purpose of all amendments.
Print-outs of the amendments should be made to provide a visual document for later review by the control group or the external auditor. To provide additional internal checks, independent control totals may be kept by the control section, the accounting department, and the interested user departments.
4.11 Processing Control
When master files are processed, care must be taken to ensure that all records appropriate to the particular computer run are processed. Sequence checks of the records held in the file and hash totals of data fields are two methods used to assure complete processing of the master file. Other methods assuring the completion of file processing are counting records present on the file and verifying the quantity or value total of the records in the file.
Controls Over Output
Up to this point in the informational flow of data, controls have been established over the segregation of the organization, the documentation and system design, and the input and processing function from the origination of a transaction to the ultimate output of meaningful and valuable data. With adequate internal controls for data input and processing, the resultant output should be accurate and complete to an acceptably determined standard. Next, it is necessary to ensure that the output documents and reports are presented to those authorized to receive such reports and in such form as to be useful.
The records and documents received from output should be edited for reasonableness by comparisons to past standards. Significant variations can be investigated and the causes for the errors may ultimately lead to correction of weak input controls.
Since output record loss is a low-risk hazard and usually does not cause particular alarm to management and the control group, it is not unusual to find that the controls over output are frequently nonexistent. And, there is less need for controls over output than with any other procedural control. However, for a complete and thorough system of internal control, checks and safeguards over output should be present. The auditor’s function includes identifying and evaluating the accuracy of output controls.
The control section of the data processing department should be responsible for computer output. The operations and functions of the control section include:
making an intelligent review of the output to ensure that it appears reasonable,
making checks on the random samples of the output;
checking totals with previously established control totals;
ensuring that all edit and other queries reported have been cleared;
investigating error reports and controlling the work of correction;
distributing the outputs to the correct departments when the scrutiny is complete.
The auditor should ascertain that personnel of the operations group in charge of output scan the output for reasonableness and make thorough checks on random samples of the print-outs. The operations personnel should check print-out totals with previously determined control totals ensuring proper editing and correction of errors. Finally, the information received from the computer should be delivered directly to the proper official of the user department.
Kaufman, Felix. Electronic Data Processing and Auditing. New York: The Ronald Press Company, 2008.
The audit plan for procedural controls should be to identify the controls already in existence and then evaluate these controls in the light of the entire system.
The auditor should begin with the type and accuracy of documents used as input. All documents should be standardized, renumbered, and accounted for by the control unit. All source documents should be numbered, processed in serially numbered batches, and then canceled to prevent a rerun of the same data.
Controls over data given consideration by the auditor should include recording the total number of documents to be processed, the recording of documents run in a document register, and the uses of control and hash totals. The auditor should be sure someone in the control section has the responsibility for tracing, correcting, and properly recording input errors in the EDP system.
The auditor in performing his preliminary investigation of internal controls over the data processing department should pay particular attention to the computer programs being run. These programs should identify the types of input data to be used, and the program should test for acceptable data codes. Print-outs, keyed by incorrect codes, should be mandatory whenever the incorrect data is being processed with the program.
The auditor should observe that operators are not permitted to follow any unauthorized verbal instructions and are not permitted to notify programmers of disclosed errors. Errors that are discovered in the program should be recorded, traced, and corrected.
Also, all halts should be recorded on the program-run log to notify control personnel that the computer was inoperative and subject to unauthorized manipulation. The examination and inspection of organizational, systems, and documentary controls should have already been performed. By examining procedural controls last, the auditor has a good foundation for the quality of procedural controls he expects to find. The last step in the identification and evaluation of internal controls is the inspection of the controls over flow and the observation of the actual processing of data.
CHAPTER NO 5
Test decks and other similar devices are becoming increasingly popular with auditors, and many large national CPA firms are developing their own computer programs to audit their clients’ electronically processed records. This chapter describes some of the test methods used to audit clients’ systems and discusses general control techniques to be used with test decks and generalized computer audit programs.
Description of Test Decks
Test decks are composed of input data entered into the client’s EDP system to see how his system reacts to the submitted information. This information is designed to simulate all possible types of transactions the client may experience during processing and to test specific program controls.
Test decks, as defined above, are devices used to evaluate the quality of the client’s system, and should be used in conjunction with the client’s program to evaluate his system. The test deck will evaluate how effective his program is in dealing with all possible transactions relating to the program. The auditor’s generalized computer audit program is used in relation to the completeness and quality of the information that has been processed and is stored inside the system. These audit programs have been developed by several large national accounting firms and have similar objectives and purposes.
Purpose of Test Decks and Audit Programs
To identify the purpose of test decks, the objectives of the client’s EDP system must be established. Then an appropriate test deck may be developed to evaluate the system to determine, if and to what extent, the objectives of the client’s system are being met.
Once the objectives are known, then test transactions may be submitted to the EDP system to determine if errors can occur under certain conditions that may go unobserved, and as a result, test the ability of the system to detect non-compliance with prescribed methods and procedures.
The use of the test deck enables the auditor to examine the treatment of invalid data or logic used by the computer and the ability of the computer to process the correct data.
Controls With Test Decks
Once the auditor has scanned the objectives of the client’s EDP system, he has many controls to consider in the use of test decks to evaluate the quality of the data processing system.
5.1 Determining Test Deck Transactions
The auditor should determine which test data are to be entered and the types of transactions to be included in the test deck. The client should be consulted and the program reviewed to determine whether the software controls claimed to be present in the system are, in fact, present, since this will provide a basis for constructing a test deck that will challenge the programmed controls.
5.2 Contents of the Test Deck
The resulting test deck constructed should be developed to ensure that the following conditions are being correctly processed and controlled:
Out of sequence conditions.
Out of limits conditions
Routines arising from a major decision point where alternative processing takes place as a result of the comparison of transaction records with master records; i.e., where the transaction identification number can be greater, equal to, or less than the identification number on the master record
Units of measure differences
Incomplete or missing input information
Wrong tape files
Numeric characters in fields where alphabetic characters belong and vice versa
Characters in certain fields which exceed prescribed length (an overflow condition)
Illogical conditions in fields where programmed consistency checks test the logical relationship in the same fields
Conditions where transaction codes or amounts do not match the codes or amounts established in tables stored in internal memory
Porter, W. Thomas. “Evaluating Internal Controls in EDP Systems.” The Journal of Accountancy, August, 1964, pp. 34-40
Test decks which perform these checks constitute a valuable review of internal controls used within the client’s hardware and software systems. Although all of the conditions cannot be tested with each type of transaction located within the test deck, usually each condition may be tested and proved when all transactions included in the test deck are processed.
A helpful review device is a listing of all transactions contained within the test deck. This listing should be present in the audit work papers and will indicate a code sequence of the information recorded on the input record for the transaction. The listing may include the objective and description of the test and what expected output should result from the test processing.
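The test deck listing described above, together with the programmed edit checks of section 4.6 that it is meant to challenge, can be sketched as follows. This is an added example, not part of the original essay: edit_batch is a hypothetical stand-in for the client's edit run, and the code table, field length, quantity limit and records are all constructed. Each deck entry carries its objective, the input record and the expected output, and the run reports every transaction whose actual outcome differs.

```python
import re

VALID_CODES = {"SA", "RT", "AD"}   # constructed transaction-code table
NAME_LEN = 12                      # constructed prescribed field length
MAX_QTY = 500                      # constructed quantity limit


def edit_batch(records, max_qty=MAX_QTY):
    """Hypothetical stand-in for the client's edit run.

    Returns one outcome per record: "ACCEPT" or a rejection reason.
    max_qty=None simulates a program whose limit check is missing.
    """
    outcomes, seen, highest = [], set(), 0
    for r in records:
        seq, code, name, qty = r["seq"], r["code"], r["name"], r["qty"]
        if not (code and name and qty):
            outcome = "INCOMPLETE"
        elif not re.fullmatch(r"[A-Z]+", name) or not re.fullmatch(r"[0-9]+", qty):
            outcome = "FORMAT"
        elif len(name) > NAME_LEN:
            outcome = "OVERFLOW"
        elif code not in VALID_CODES:
            outcome = "BAD_CODE"
        elif max_qty is not None and not 1 <= int(qty) <= max_qty:
            outcome = "OUT_OF_LIMITS"
        elif seq in seen:
            outcome = "DUPLICATE"
        elif seq < highest:
            outcome = "OUT_OF_SEQUENCE"
        else:
            outcome = "ACCEPT"
        seen.add(seq)                 # sequence state advances for every record
        highest = max(highest, seq)
        outcomes.append(outcome)
    return outcomes


def rec(seq, code="SA", name="ACME", qty="10"):
    """Build one constructed test transaction; defaults form a valid sale."""
    return {"seq": seq, "code": code, "name": name, "qty": qty}


# Test deck listing: (objective of the test, input record, expected output).
TEST_DECK = [
    ("valid sale", rec(101), "ACCEPT"),
    ("quantity at the limit", rec(102, qty="500"), "ACCEPT"),
    ("quantity above the limit", rec(103, qty="501"), "OUT_OF_LIMITS"),
    ("code not in the stored table", rec(104, code="ZZ"), "BAD_CODE"),
    ("numeric character in alphabetic field", rec(105, name="ACME7"), "FORMAT"),
    ("alphabetic character in numeric field", rec(106, qty="1O"), "FORMAT"),
    ("field exceeds prescribed length", rec(107, name="ABCDEFGHIJKLM"), "OVERFLOW"),
    ("missing input information", rec(108, name=""), "INCOMPLETE"),
    ("duplicate document number", rec(101), "DUPLICATE"),
    ("out of sequence document number", rec(100), "OUT_OF_SEQUENCE"),
]


def run_test_deck(deck, **edit_options):
    """Process the deck and return (objective, expected, actual) mismatches."""
    actual = edit_batch([record for _, record, _ in deck], **edit_options)
    return [(objective, expected, got)
            for (objective, _, expected), got in zip(deck, actual)
            if got != expected]


if __name__ == "__main__":
    print("program with all controls:", run_test_deck(TEST_DECK))
    print("limit check missing:      ", run_test_deck(TEST_DECK, max_qty=None))
```

Against the full program the deck produces no exceptions; with the limit check removed, the single entry written for that control is reported as accepted when it should have been rejected.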
5.3 Program Control
Although the auditor may expend considerable effort in developing the contents of a test deck, even the most thorough and complete test deck is worthless if not used with the proper program. To ensure that he actually used his test deck with the appropriate program, the auditor should examine the controls over programs and program changes the client had in effect during the period covered by the audit. Satisfactory controls may be further enhanced by a surprise observation of the client’s program run to determine the actual operation of the appropriate program applicable to the test data.
The auditor on a surprise basis may also request that the client leave his program in the computer after his routine operations have been performed so that the test deck and the corresponding program may be processed by the auditor. This, in effect, removes the possibility of intervention by the client’s personnel.
5.4 Master Records
Once the auditor has the proper program under his control or is assured that the client is using the appropriate program, the auditor should obtain the master records in both machine-readable form and in visible form. The visible form will allow the auditor to calculate a predetermined result and compare it with the output resulting from the test deck processing.
When master files are maintained on magnetic tape or other sequentially-accessed storage devices, there is usually no trouble in obtaining the stored information in machine readable form. However, the very nature of random access equipment presents a problem with respect to record retrieval.
With random access, master records are destroyed by processing information or instructions. The auditor must therefore be careful when using the test decks with random access master files so that he may obtain the information without destroying the valuable documents. To protect the records, the auditor should “dump” the information maintained in random access storage onto magnetic tape providing duplication of the master records. Then the auditor may run the prepared tape against the test data.
The auditor should be considerate of his client’s interests throughout the test deck processing of the master file. The auditor should consider the effects of any test deck procedures, and all precautionary measures should be taken by the auditor to preclude undesirable results or effects to the client’s EDP system.
5.5 Value of Test Decks
Test decks have been widely used by auditors for several years for the purpose of gaining a better understanding of what the client’s EDP system does. Test decks have been used to check the conformity of the system to desired objectives and to test the accuracy of the client’s program by comparing computer results with predetermined manual results. Auditors have also employed test decks to determine whether errors can occur without detection, thus testing the system’s ability to follow prescribed procedures.
There are also certain disadvantages to be overcome when using test decks that cannot be ignored when an audit of the client’s EDP system is necessary. These disadvantages are substantial and usually involve the following considerations:
Test decks are difficult and time-consuming to create.
They may distort the master file.
They may require testing of all related master runs.
They may use valuable computer time.
They suffer because of the absence of true operating conditions.
Management Services, 2008, p. 56.
When considering the use of test decks to audit the client’s system, controls over the use of test decks must be considered to ensure that the master file is not distorted, programs are accurately prepared and serve their intended purpose, a minimum amount of computer time is used, there is no interference with the client’s normal operations, and there is an accurate simulation of the client’s true operating conditions. The value of test decks then, must be considered in the light of these disadvantages, and controls must be designed and evaluated in the light of the particular circumstances of the client’s EDP system.
Description of Generalized Computer Audit Programs
Generalized computer audit programs are versatile systems that enable auditors, both internal and external, to audit through an EDP system. These programs are based on the idea of adaptability to many systems and that specific routines and functions are similar among different clients.
Generalized computer audit programs are used by the auditor to evaluate the quality of information processed by the system through selection and classification techniques. These generalized computer audit programs are used by auditors unfamiliar with programming techniques to retrieve information from a client’s EDP system.
5.6 Functions of Generalized Computer Audit Programs
Since accounting routines are similar among clients in most instances, the functions necessary to audit the client’s accounts through the use of a generalized computer audit program are:
Testing extensions and footings
Summarizing data and performing analyses useful to the auditor
Examining records for quality completeness, consistency, invalid conditions, etc.
Selecting and printing confirmations
Selecting and printing audit samples
Comparing the same data maintained in separate files for correctness and consistency.
Comparing audit data with company records.
5.7 Controls with Generalized Computer Audit Programs
Controls with generalized computer audit programs are necessarily quite simple. The entire audit program system usually consists of operating and instruction manuals, specification sheets, and a set of programs and routines contained on a series of magnetic tapes.
Instructions in the manuals are for computer operators to use in the execution of the audit according to the requirements for the system given in the specification sheets. Specification sheets are used to identify the particular system being used and adapt the particular system to the needs of the auditor.
Since the routines contained within the generalized computer audit program are established before application to a particular audit, the auditor has only a few controls to consider.
Porter, W. Thomas. “Generalized Computer-Audit Programs.” The Journal of Accountancy, Vol. 127, No. 1 (2008), pp. 54-62.
Physical control over the generalized computer audit program, for example, should always be maintained by the auditor and never subject to manipulation by the client or his staff. The actual control over the magnetic tapes used in the audit prevents alteration of the machine language instructions used by the generalized computer audit system.
Another important control consideration is that the auditor and his staff should observe all processing concerning the audit system. This control feature prevents alteration of the computer memory core contents during the run, and requires that someone familiar with the audit system be present at all times during processing. Security provisions should be provided for the auditor’s program and the program documentation while on the client’s computer location.
5.8 Value of Generalized Computer Audit Programs
While test decks have been used for several years, generalized computer audit programs have been developed by only a few large national CPA firms. However, extensive development of these programs is being carried on at the present time and all large national CPA firms are likely to have their own generalized computer audit program.
These advantages are leading to generalized computer audit programs becoming more attractive to both auditors and their clients. In their present stage of development there are some disadvantages, however, to generalized computer audit programs:
Generalized computer audit programs are expensive and time consuming to develop.
The staff of CPA firms must be trained and oriented toward a new system.
When generalized computer audit programs become commonplace, it is conceivable that auditors will lose sight of the controls and functions within the computer.
It is also conceivable that there will be a lessening of professional judgment with the use of generalized computer audit programs.
The advantages of using a generalized computer audit program, however, appear to outweigh the disadvantages. With controls over EDP operations receiving more emphasis today, these programs enhance the opportunity for further control development and help assure the auditor that the client’s EDP system processes information as intended.