Computers (Questions are NB and should be the biggest source of learning – 70% of time)
NB!!
When answering questions, always write down the main headings and full out the detail as you go along.
Therefore, it is very important to learn the framework of each section in order to answer the questions. Required
parts are also very important, look specifically what is required to be answered – coverage versus detail.
COMPUTER INFORMATION SYSTEMS ENVIRONMENT (CIS):
Environment
Background & Introduction
Principles
Class examples
Assignments
Prescribed work: Auditing notes
Chapter 8
Refer to information page for complete list of references.
LEARNING OUTCOMES:
After studying the introduction, you are required to:
Discuss the terms of a CIS, general controls and application controls, as well as explain the relationship
between these concepts;
List the additional risks in a CIS.
After studying the textbook, you should be able to:
Discuss the basic components of a CIS; (Self study) Chapter 8
Understand the different kinds of computer systems. (Self study)
UNDERLYING PRINCIPLES:
General controls (around the computer)– provides a framework of override control of information
system activities:
o Control environment, security policy & organisational controls
o System development- and program change controls
o Access controls
o Business continuity
o Operating and System maintenance controls
Application controls (inside the computer) – Manual controls & automated controls over transactions:
o To initiate, record input
o To process and processing
o To report output
o As well as to change information master file changes
Computer information system environment (CIS or IS):
Exists where a computer
o Irrespective for type or size
Takes part in the processing of financial information of the entity,
Irrespective of whether the computer is operated by the entity or a third party.
The use of a computer impacts on the
o Generation of transactions,
o Processing thereof,
o Storage and/or
o Communication of information
Impacts on the accounting and system of internal control
Factors specific to CIS (NB Learn off by heart):
Every type of computer information system has its own additional risks
Concentration of functions and information
o Risk of errors
Lack of audit trail
, Lack of segregation of duties
Initiation and processing of transactions
Internal controls are dependent on the computer information system
Uniform processing of transactions
Potential for increased management supervision
Controls in computer information system:
GENERAL CONTROLS
o To ensure that the computer information system is developed, implemented, maintained and
operated adequately.
APPLICATION CONTROLS
o To ensure the validity, accuracy and completeness of transactions and data, including the
maintenance of master-file data
How? controls
Control objectives
General controls Environment
Overall control
Application Transactions & data
controls • Input
• Processing
• ML maintenance
• Output
COMPUTER INFORMATION SYSTEMS ENVIRONMENT
General controls:
LEARNING OUTCOMES:
Upon completion of this module you are required to:
To explain what can go wrong with the CIS environment (risks);
Identify together with potential consequences, the weaknesses in existing general controls in a CIS
environment
Make recommendations to improve weaknesses.
Design general controls
Required part will be challenging in term test 3. Very NB to take note of required parts in questions
See page 13 of note pack for summary/ overview of general controls
ORGANISATIONAL & PERSONNEL PRACTICES:
Establishing organisational framework for IS activities.
1. Levels of responsibility /structure
2. Segregation of duties Needs to be in place for organisational
3. Supervision & review structure
4. Personnel practices
, [Appoint candidate with proper skills and qualifications for the computer system]
Risks (if the above controls have not been put in place):
Conducting unauthorised transactions (1)
Collusion to commit and hide fraud (2)
Multiple functions performed by a single application (previously performed by separate individuals) (1 +
2)
Errors are not detected (2 + 3)
Untrustworthy or incompetent persons (4)
1. LEVELS OF RESPONSIBILITY / STRUCTURE (Look at diagram on chapter 8 pg. 9)
Establish responsibilities
o Directors’ meeting
o Computer Steering Committee
Must consist of the computer information systems manager and representatives of all user
departments (managers)
The committee shall serve as a communication channel between the users and the computer
information system department
The computer steering committee is responsible for:
Long-term planning of the CIS department
Setting systems development and operational standards
The approval of system development requests
o The information systems manager is responsible for the day-to-day active management as well as
reporting
o To the data control group the responsibility should be allocated for:
Receipt of work from the user departments;
Control over the distribution of data within the CIS department;
Control over the distribution of output; and
Follow up of user complaints.
o An individual must be responsible for the librarian function of the company.
A librarian has to be appointed to manage the physical storage and protection of
information.
Establishing reporting levels:
o The CIS department (management) should report directly to top management and the computer
steering committee. There should be no direct communication between users and programmers.
Clear communication channels and documentation of responsibility
o The CIS management (in consultation with the steering committee) should draft written personnel
practices and users manuals.
2. SEGREGATION OF DUTIES
Separation between IS & user department:
o Example: IS department may not authorise transactions
o IS department may not authorise master file’s
o IS department may not correct users’ errors
o Users’ department checks and reviews MF’s
o Financial manager must not be involved in the user department
Separate IS department
o Organisationally independent of users
o Report directly to top management
Separation within computer environment
o Segregation between initiation, authorisation, custody and the reporting functions
o The operating and development functions must be segregated
Separation within CIS department
o Minimum segregation of duties required
development/programming AND
operations
Ideal: separate individuals as:
NB!!
When answering questions, always write down the main headings and full out the detail as you go along.
Therefore, it is very important to learn the framework of each section in order to answer the questions. Required
parts are also very important, look specifically what is required to be answered – coverage versus detail.
COMPUTER INFORMATION SYSTEMS ENVIRONMENT (CIS):
Environment
Background & Introduction
Principles
Class examples
Assignments
Prescribed work: Auditing notes
Chapter 8
Refer to information page for complete list of references.
LEARNING OUTCOMES:
After studying the introduction, you are required to:
Discuss the terms of a CIS, general controls and application controls, as well as explain the relationship
between these concepts;
List the additional risks in a CIS.
After studying the textbook, you should be able to:
Discuss the basic components of a CIS; (Self study) Chapter 8
Understand the different kinds of computer systems. (Self study)
UNDERLYING PRINCIPLES:
General controls (around the computer)– provides a framework of override control of information
system activities:
o Control environment, security policy & organisational controls
o System development- and program change controls
o Access controls
o Business continuity
o Operating and System maintenance controls
Application controls (inside the computer) – Manual controls & automated controls over transactions:
o To initiate, record input
o To process and processing
o To report output
o As well as to change information master file changes
Computer information system environment (CIS or IS):
Exists where a computer
o Irrespective for type or size
Takes part in the processing of financial information of the entity,
Irrespective of whether the computer is operated by the entity or a third party.
The use of a computer impacts on the
o Generation of transactions,
o Processing thereof,
o Storage and/or
o Communication of information
Impacts on the accounting and system of internal control
Factors specific to CIS (NB Learn off by heart):
Every type of computer information system has its own additional risks
Concentration of functions and information
o Risk of errors
Lack of audit trail
, Lack of segregation of duties
Initiation and processing of transactions
Internal controls are dependent on the computer information system
Uniform processing of transactions
Potential for increased management supervision
Controls in computer information system:
GENERAL CONTROLS
o To ensure that the computer information system is developed, implemented, maintained and
operated adequately.
APPLICATION CONTROLS
o To ensure the validity, accuracy and completeness of transactions and data, including the
maintenance of master-file data
How? controls
Control objectives
General controls Environment
Overall control
Application Transactions & data
controls • Input
• Processing
• ML maintenance
• Output
COMPUTER INFORMATION SYSTEMS ENVIRONMENT
General controls:
LEARNING OUTCOMES:
Upon completion of this module you are required to:
To explain what can go wrong with the CIS environment (risks);
Identify together with potential consequences, the weaknesses in existing general controls in a CIS
environment
Make recommendations to improve weaknesses.
Design general controls
Required part will be challenging in term test 3. Very NB to take note of required parts in questions
See page 13 of note pack for summary/ overview of general controls
ORGANISATIONAL & PERSONNEL PRACTICES:
Establishing organisational framework for IS activities.
1. Levels of responsibility /structure
2. Segregation of duties Needs to be in place for organisational
3. Supervision & review structure
4. Personnel practices
, [Appoint candidate with proper skills and qualifications for the computer system]
Risks (if the above controls have not been put in place):
Conducting unauthorised transactions (1)
Collusion to commit and hide fraud (2)
Multiple functions performed by a single application (previously performed by separate individuals) (1 +
2)
Errors are not detected (2 + 3)
Untrustworthy or incompetent persons (4)
1. LEVELS OF RESPONSIBILITY / STRUCTURE (Look at diagram on chapter 8 pg. 9)
Establish responsibilities
o Directors’ meeting
o Computer Steering Committee
Must consist of the computer information systems manager and representatives of all user
departments (managers)
The committee shall serve as a communication channel between the users and the computer
information system department
The computer steering committee is responsible for:
Long-term planning of the CIS department
Setting systems development and operational standards
The approval of system development requests
o The information systems manager is responsible for the day-to-day active management as well as
reporting
o To the data control group the responsibility should be allocated for:
Receipt of work from the user departments;
Control over the distribution of data within the CIS department;
Control over the distribution of output; and
Follow up of user complaints.
o An individual must be responsible for the librarian function of the company.
A librarian has to be appointed to manage the physical storage and protection of
information.
Establishing reporting levels:
o The CIS department (management) should report directly to top management and the computer
steering committee. There should be no direct communication between users and programmers.
Clear communication channels and documentation of responsibility
o The CIS management (in consultation with the steering committee) should draft written personnel
practices and users manuals.
2. SEGREGATION OF DUTIES
Separation between IS & user department:
o Example: IS department may not authorise transactions
o IS department may not authorise master file’s
o IS department may not correct users’ errors
o Users’ department checks and reviews MF’s
o Financial manager must not be involved in the user department
Separate IS department
o Organisationally independent of users
o Report directly to top management
Separation within computer environment
o Segregation between initiation, authorisation, custody and the reporting functions
o The operating and development functions must be segregated
Separation within CIS department
o Minimum segregation of duties required
development/programming AND
operations
Ideal: separate individuals as:
