Aireyca Glenn G.
Lanaban BSA-3 WTh 5:15Pm-6:45 Pm
INTERNAL CONTROL IN THE COMPUTER INFORMATION SYSTEM
EVALUATION
CASES
1. At the meeting of the corporate audit committee attended by the general manager of
the products division and you, representing the internal audit department, the
following dialogue took place:
Joseph (Committee Chair): Mr. Markus had suggested that the internal audit
department conduct an audit of the computer activities of the products division.
Samonte (General Manager): I don’t know much about the technicalities of
computers, but the division has some of the best computer people in the company.
Joseph: Do you know whether the internal controls protecting the system are
satisfactory?
Samonte: I suppose they are. No one has complained. What’s so important about
control anyway, as long as the system works?
Joseph turns to you and asks you to explain computer control policies and
procedures.
Required:
Address your response on the following point
a. State the principal objective of achieving control over (1) input, (2) processing,
and (3) output.
b. Give at least three methods of achieving control over (1) source data, (2)
processing, and (3) output.
The principal objective of achieving control over the input is to make sure that the
data are properly authorized and approved. Making sure that the data to be inputted is
accurate and free from errors. Pre-printed form is one of the control to be used to make
sure that the input operator will not miss or ignore input data recorded by users. Another
is the Field size check, it gives an error message when an operator mistakenly input a
data like employee number. Record count can also be used in order to achieve control
over source data. This will ensure that all the records received are processed. In
processing the objective is making sure the control totals to be processed are reconciled
with the input control totals. In other words, the data to be processed should be accurate
and complete. Record count can still be used in processing step. Through this, we can
compare the data being inputted and the data to be processed. Next is checkpoint/
restart capacity, in which it provides fault tolerance for computing systems. It basically
consists of saving a snapshot of the application’s state so that applications can restart
from that point in case of failure. Also, Error resolution procedure should be established
because there are transactions that might be rejected during processing. In order to
control error resolution, logging of errors in a suspense file of suspended transaction is
often used. Lastly, to achieve control over the output, it should be reconciled with input
and in processing and compared to original source documents and making sure that
outputs are only distributed to authorized users. Control total can be used to ensure the
integrity of processing. It will frequently give the operator an expected result in order to
verify that processing was properly complete and check if the total is the same. Next is
� the limiting the quantity of output and total processing time and last control is error
message resolution and the operator should be trained to recognized codes and take
appropriate actions.
2. Assume that when conducting procedures to obtain an understanding of the control
structure in the Mark Company, you checked “No” to the following internal control
questionnaire items:
• Does access to online files require specific passwords to be entered to
identify and validate terminal user?
• Are control totals established by the user prior to submitting data for
processing? (Order entry application subsystem).
• Are input control totals reconciled to output control totals? (Order entry
application system).
Required:
Describe the errors, irregularities or misstatements that could occur due to the
weakness indicated by lack of controls.
Having a weak internal control especially having no data security will let an
unauthorized person to manipulate data that will result to data loss and leakage of
information. It is important to have data security to keep company’s information protected.
Moreover, control total not being submitted before processing will result to unreliable results.
Also, if the input control totals wasn’t reconciled to output control totals, the user will not
know if all data being inputted is still the same to the output data. If there’s an error, the
result to be distributed to authorized user will affect its decision to be made.
3. As more and more clients install complex EDP accounting systems, independent
auditors are participating to an increasing extent in systems design. At the same
time, the independent’s auditor’s use of computer audit specialists is growing.
Required:
a. What is “design phase” auditing and why is it important?
b. In what way does design phase auditing affect auditor independence?
c. What function does the “computer audit specialist” serve?
d. To what extent may the independent auditor rely on the computer audit
specialist?
a. Design phase auditing is an analysis of the design elements or system to be used by
the company. It is important to make sure that the system being used is consistent
among all channels and outlets since consistency helps build trust.
b. Design phase auditing affect auditor independence in a way that the auditor must
ensure that the system development is designed with user requirements
documented, that management approves the design and that the application is tested
before implementation.
c. According to careertrend website, computer audit specialist investigates the current
state of information technologies in the workplace and looks for gaps in security
controls or compliance risks pertaining to industry specific laws and regulations.
d. The independent auditor may rely on the computer audit specialist when testing a
specific control for reliability in computer software or to check financial records in the
computer.
