INTRODUCTION TO INTERNAL CONTROLS IN COMPUTERIZED INFORMATION


The main features of a computerised information system (CIS) that require the implementation of adequate alternative controls, and that could pose additional challenges to the auditor, include:

  •  Consistency

If properly programmed, a computer will process transactions consistently and accurately; likewise, if there is a programming error, it will affect all transactions processed.

The auditor must test the system to ensure that it is processing transactions correctly.

  • Concentration of function and controls

Due to the use of computers, few people are involved in the processing of financial information. This results in weak internal controls and, in particular, poor segregation of duties. Certain data processing personnel may be in a position to alter programs or data while stored or during processing. Many control procedures that would be performed by separate individuals in a manual system may be concentrated under one person in a CIS.

  • Programs and data are held together increasing the potential for unauthorized access and alteration.

Computer information systems are designed to limit paperwork. This results in less visible evidence. Data may be entered directly into the computer system without supporting documents, e.g. in some online systems a sales transaction may be initiated through the computer without a sales order being raised; the amount is then charged directly to the customer’s account without a physical invoice being raised.

  • Lack of visible transaction trail/ loss of audit trail.

An audit trail refers to the ability to trace transactions through the system by examining source documents, books of accounts and the financial statements. This is possible in a manual system, where the various stages of a transaction are evidenced by physical documents. In a CIS, records are maintained in magnetic files which are overwritten over time. This results in loss of the visible audit trail.

  • Lack of visible output

In some CIS systems the results of transaction processing are not printed out; only the summary data may be printed. This data can only be accessed through the machine.

  • Ease of access of data and computer programs

Where there are no proper controls over access to computers at remote terminals, there is an increased danger of unauthorized access to and alteration of data and programs. This could result in fraud or manipulation of accounting records.

  • Programmed controls: in a CIS environment, controls are programmed together with data processing instructions, e.g. protection of data against unauthorized access may be by way of passwords or computer programs containing limit checks.
  • A single input to the accounting system may automatically update all records associated with the transaction, e.g. when a credit sale is made online the system will credit the sales account, reduce the stock levels and debit the debtors account simultaneously. Thus an erroneous entry in a system creates errors in the various affected ledgers.
  • Data and programs are usually stored on portable magnetic disks and tapes, which are vulnerable to theft, loss, and intentional and accidental destruction.
  • Systems generated transactions
    Many systems are capable of generating transactions automatically without manual intervention, e.g. calculation of interest on customers’ accounts may be done and charged to income automatically. This lack of authorization and documentation can result in significant misstatement or errors in financial statements.
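
The concentration of functions and the system-generated transactions described above can both be tested from a system's activity log. The following is an added example, not part of the original notes: it flags transactions where one user combined incompatible duties and system-generated entries that no person approved. The log layout, the user names, the `SYSTEM` label and the list of incompatible duties are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample activity log for illustration (not from a real system).
SAMPLE_LOG = """\
txn_id,user,action
T1001,alice,enter
T1001,bob,approve
T1002,carol,enter
T1002,carol,approve
T1003,SYSTEM,enter
T1004,dave,enter
T1004,erin,amend
T1004,erin,approve
T1005,SYSTEM,enter
T1005,bob,approve
"""

# Assumption: duties one person should not combine on the same transaction.
INCOMPATIBLE = [("enter", "approve"), ("amend", "approve")]
SYSTEM_USER = "SYSTEM"  # assumed label for automatically generated entries


def review_log(log_text):
    """Return (txn_id, user, issue) findings, ordered by transaction."""
    duties = defaultdict(lambda: defaultdict(set))  # txn -> user -> actions
    for row in csv.DictReader(io.StringIO(log_text)):
        duties[row["txn_id"]][row["user"]].add(row["action"])

    findings = []
    for txn in sorted(duties):
        users = duties[txn]
        # Concentration of functions: one user holding both duties of a pair.
        for user in sorted(users):
            for first, second in INCOMPATIBLE:
                if {first, second} <= users[user]:
                    findings.append((txn, user, f"{first}+{second}"))
        # System-generated transaction that no person ever approved.
        approvers = {u for u, acts in users.items() if "approve" in acts}
        if SYSTEM_USER in users and not approvers - {SYSTEM_USER}:
            findings.append((txn, SYSTEM_USER, "no human approval"))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```
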