The controls that need to be incorporated into the data processing system are divided into two types:
(a) General controls, which are further divided into administrative controls and systems development controls
(b) Application controls
General controls: Administrative controls:
These arise from the risks implicit in the concentration of power in the EDP department, the holding of a large number of files of important data in central storage, and the storing of data in a form which is highly inflammable, concentrated, sensitive to temperature and atmospheric conditions, and dependent for processing on machinery which is susceptible to breakdown. The measures that will have to be taken to minimise the possibility of loss from these problems include:
i. Physical facilities such as a specially designed fireproof room whose temperature is properly controlled and to which entry is restricted to authorised personnel.
ii. Maintaining backup copies of all important programmes and files. This includes the grandfather, father and son configuration, whereby three generations of a file are maintained at different levels and at different locations to enable reconstruction to take place should the need arise.
iii. Having standby arrangements, such as uninterruptible power supply units to deal with power blackouts, and arrangements with other users of similar machines to allow processing of urgent information should the machines break down. These procedures should be subjected to regular checks to confirm that they do work in practice.
iv. The maintenance of a library to ensure that access to programmes and files is properly controlled.
v. Adequate division of duties. The presence of computers does not dispense with the need to observe that fundamental aspect of internal control, i.e. the division of responsibilities, in such a way as to ensure that:
(a) Those in a position of responsibility do not themselves become involved in executing the routine of the procedures they have authorised.
(b) Those occupied with recording functions do not have control over or access to the assets whose movements they are controlling and recording.
(c) The work of one person is automatically checked for authority, accuracy, completeness and procedural adherence by another independent member of staff, preferably in a different department. In the user departments, the clerical responsibilities to be allocated include: the collection and sorting of input data; the creation of batches and batch totals; the retention of control data for comparison with outputs; the authorisation of inputs to be transmitted to the EDP department; the collection and distribution of outputs; and the comparison of outputs received (e.g. schedules, statistical summaries, exception reports, error reports and reprocessing requirements).
Within the computer area itself, the principles of this aspect of internal control must be observed. Systems development staff and programmers should play no part in actual processing; in fact, ideally they should have no access to the computer room. This is because, having written the programs, they will be aware of the controls that have been written into them and will therefore be capable of bypassing those controls. Development staff should not even be allowed to test their programs. The EDP manager and his supervisors, who between them are responsible for all activity in the EDP area, must maintain their independence of all detailed procedures and should therefore have no active part in day-to-day routine processing. A suitable log recording the movement of all files, their safe custody when not in use and their clear identification at all times should be maintained, and this should be the responsibility of the librarian, who should have no routine duties in the EDP section. In addition, a console log is needed as an important security function for making a permanent record of every operator intervention.
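The grandfather, father and son configuration of item ii above, worked through as an added example (not from the text): the library keeps the three most recent generations of a master file together with the transaction batch that produced each one, so a lost son or father can be rebuilt by reprocessing its parent. The class and account data are hypothetical, constructed for illustration.

```python
# Added illustration, not from the text: grandfather-father-son rotation of a
# master file, assuming the transaction batch that produced each generation is kept with it.
GENERATIONS = ("grandfather", "father", "son")  # oldest -> newest

def apply_transactions(master, txns):
    """Post a batch of (account, amount) entries to a master-file snapshot."""
    updated = dict(master)
    for account, amount in txns:
        updated[account] = updated.get(account, 0) + amount
    return updated

class MasterFileLibrary:
    """Holds the three most recent master-file generations, each with the
    transaction batch that produced it (hypothetical class, for illustration)."""

    def __init__(self, initial_master):
        self.history = [{"master": dict(initial_master), "txns": []}]  # opening generation

    def run_update(self, txns):
        """Update cycle: new son = current son + transactions, then age the files."""
        son = apply_transactions(self.history[-1]["master"], txns)
        self.history.append({"master": son, "txns": list(txns)})
        self.history = self.history[-3:]  # anything older than grandfather is released

    def _index(self, name):
        if len(self.history) < 3:
            raise ValueError("rotation not complete: fewer than three generations held")
        return GENERATIONS.index(name) - 3  # son -> -1, father -> -2, grandfather -> -3

    def lose(self, name):
        self.history[self._index(name)]["master"] = None  # simulate loss of that file

    def reconstruct(self, name):
        """Rebuild a lost generation from its parent plus the retained batch (parent first if lost too)."""
        if name == "grandfather":
            raise ValueError("oldest generation has no parent on site; use the off-site copy")
        idx = self._index(name)
        if self.history[idx - 1]["master"] is None:
            self.reconstruct(GENERATIONS[GENERATIONS.index(name) - 1])
        rebuilt = apply_transactions(self.history[idx - 1]["master"], self.history[idx]["txns"])
        self.history[idx]["master"] = rebuilt
        return rebuilt

def demo():
    """Constructed sample: two update cycles, then son and father are both lost."""
    lib = MasterFileLibrary({"A100": 500, "B200": 250})
    lib.run_update([("A100", -120), ("C300", 40)])
    lib.run_update([("B200", 75), ("A100", 10)])
    lib.lose("son")
    lib.lose("father")
    return lib.reconstruct("son")  # {'A100': 390, 'B200': 325, 'C300': 40}
```

The recursion in reconstruct is the point of holding three generations rather than two: losing both current copies still leaves the grandfather and two retained batches, which is enough to rebuild everything.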