General Controls:
Organisational controls
1. Responsibility delegation
• Computer Generating Committee (CGC) – manage IT , communication channel
between IT users and departments
• Chief Info Officer (CIO) – responsible for IT direction and communication with CGC
• IT manager – day to-day IT
2. Segmentation of duties
By segregation entity could mitigate risk of:
• Unauthorised or inaccurate transactions
• Staff adjusting records to cover up falsified entries
• Staff falsifying records to conceal theft
NB! IT should only be able to work on the computers and not have ability to
influence or change any transaction or statements
Should segregate between departments operations and security function
3. Staff Practices
• Policies
• Process and employing staff
• Staff scheduling and rotation of duties
• Ongoing training of staff
• Continuous evaluation of staff
• Staff dismissals and resignation
4. Supervision and Review
• High level review : management review financial performance periodically
compared to expectations
• Analytical reviews and ratios : relationships between data sets analysed for
deviations
• Recon of data on system with data from external source: info confirmed with another
set of info
• Independent review: unusual transactions identified for investigation
System development and change controls (same as development cycle)
• System development – developed in-house
• System acquisition - new one required from vendor
• System development life cycle (SDLC)
(a) Request submission , needs assessment
➡ objects come from written user request or genuine business need
➡ Feasible study conducted including:
➡ Comprehensive needs assessment
➡ Investigate resources required
➡ Investigate alternative solutions
➡ Cost benefit analysis
➡ Time planner showing all deadlines
(b) Planning and design
➡ Project team manages the project in accordance with preditrend
accepted programming standards and control frameworks
➡ once project plan set business analyst must perform detailed investigation
into user needs which is used to develop the system.
(c) System development and testing
➡ Development area – create versions of system
➡ Test area
➡ Program test
➡ String/series test
➡ System test
➡ Stress/ tension test
➡ User acceptance test
Organisational controls
1. Responsibility delegation
• Computer Generating Committee (CGC) – manage IT , communication channel
between IT users and departments
• Chief Info Officer (CIO) – responsible for IT direction and communication with CGC
• IT manager – day to-day IT
2. Segmentation of duties
By segregation entity could mitigate risk of:
• Unauthorised or inaccurate transactions
• Staff adjusting records to cover up falsified entries
• Staff falsifying records to conceal theft
NB! IT should only be able to work on the computers and not have ability to
influence or change any transaction or statements
Should segregate between departments operations and security function
3. Staff Practices
• Policies
• Process and employing staff
• Staff scheduling and rotation of duties
• Ongoing training of staff
• Continuous evaluation of staff
• Staff dismissals and resignation
4. Supervision and Review
• High level review : management review financial performance periodically
compared to expectations
• Analytical reviews and ratios : relationships between data sets analysed for
deviations
• Recon of data on system with data from external source: info confirmed with another
set of info
• Independent review: unusual transactions identified for investigation
System development and change controls (same as development cycle)
• System development – developed in-house
• System acquisition - new one required from vendor
• System development life cycle (SDLC)
(a) Request submission , needs assessment
➡ objects come from written user request or genuine business need
➡ Feasible study conducted including:
➡ Comprehensive needs assessment
➡ Investigate resources required
➡ Investigate alternative solutions
➡ Cost benefit analysis
➡ Time planner showing all deadlines
(b) Planning and design
➡ Project team manages the project in accordance with preditrend
accepted programming standards and control frameworks
➡ once project plan set business analyst must perform detailed investigation
into user needs which is used to develop the system.
(c) System development and testing
➡ Development area – create versions of system
➡ Test area
➡ Program test
➡ String/series test
➡ System test
➡ Stress/ tension test
➡ User acceptance test
