IT Risk Management in Auditing

Uploaded by Anele

Module: General Computer controls

FACULTY/COLLEGE: College of Business and Economics
SCHOOL: School of Accounting
DEPARTMENT: Department of Accountancy
MODULE NAME: Auditing 300 / Intermediate Auditing
MODULE CODE: AUD 300 / S3BCTQ1

MODULE
GENERAL COMPUTER CONTROLS

Index:

A PRE-READING
B INTRODUCTION
C TYPES OF ON-LINE COMPUTER SYSTEMS
D CONTROLS IN A COMPUTERISED ENVIRONMENT
E QUESTIONS RELATING TO THE TOPIC

PART A: PRE-READING

Information technology (IT) plays a critical role in many businesses.

If you own or manage a business that makes use of IT, it is important to identify risks to your IT
systems and data, to reduce or manage those risks, and to develop a response plan in the event
of an IT crisis. Business owners have legal obligations in relation to privacy, electronic
transactions, and staff training that influence IT risk management strategies.

IT risks include hardware and software failure, human error, spam, viruses and malicious attacks,
as well as natural disasters such as fires, cyclones or floods. You can manage IT risks by
completing a business risk assessment. Having a business continuity plan can help your business
recover from an IT incident. This guide helps you understand IT risks and provides information
about ways to prepare for and respond to IT incidents. If your business relies on information
technology (IT) systems such as computers and networks for key business activities you need to
be aware of the range and nature of risks to those systems.

General threats to IT systems and data include:

- hardware and software failure - such as power loss or data corruption
- malware - malicious software designed to disrupt computer operation
- viruses - computer code that can copy itself and spread from one computer to another, often disrupting computer operations
- spam, scams and phishing - unsolicited email that seeks to fool people into revealing personal details or buying fraudulent goods
- human error - incorrect data processing, careless data disposal, or accidental opening of infected email attachments.

Specific or targeted criminal threats to IT systems and data include:

- hackers - people who illegally break into computer systems
- fraud - using a computer to alter data for illegal benefit
- password theft - often a target for malicious hackers
- denial-of-service - online attacks that prevent website access for authorised users
- security breaches - includes physical break-ins as well as online intrusion
- staff dishonesty - theft of data or sensitive information, such as customer details.

Natural disasters such as fire, cyclone and floods also present risks to IT systems, data and
infrastructure. Damage to buildings and computer hardware can result in loss or corruption of
customer records/transactions.

Managing information technology (IT) risks is a structured process that involves a series of
activities designed to:

- identify risks
- assess risks
- mitigate risks
- develop response plans
- review risk management procedures.

An effective IT risk assessment identifies serious risks, based on the probability that the risk will
occur, and the costs of business impacts and recovery.

Business continuity planning

Having identified risks and likely business impacts, the development of a business continuity plan
can help your business survive and recover from an IT crisis. A business continuity plan identifies
critical business activities, risks, response plans and recovery procedures.

IT risk management policies and procedures

IT policies and procedures explain to staff, contractors and customers the importance of
managing IT risks and may form part of your risk management and business continuity plans.
Security policies and procedures can assist your staff training on issues such as:

- safe email use
- setting out processes for common tasks
- managing changes to IT systems
- responses to IT incidents.

A code of conduct can provide staff and customers with clear direction and define acceptable
behaviours in relation to key IT issues, such as protection of privacy and ethical conduct.

Threats and risks to information technology (IT) systems and data are an everyday reality for most
modern businesses. You should put in place measures to protect your systems and data against
theft and hackers.

Practical steps to improve IT security

To help protect your IT systems and data you should:

- secure computers, servers and wireless networks
- use anti-virus and anti-spyware protection, and firewalls
- regularly update software to the latest versions
- use data backups that include off-site or remote storage
- secure your passwords
- train staff in IT policies and procedures
- understand legal obligations for online business.

Create a secure online presence

If your business has an online presence, you should assess the security of your website, email
accounts, online banking accounts and social media profiles.

For example, secure socket layer (SSL) technology is used to encrypt transaction data and to
send customer and card details to the acquiring bank for authorisation. You should ensure any
web hosting solution you consider is capable of supporting the SSL protocol.

Induction and IT training for staff

Training new and existing staff in your IT policies, procedures and codes of conduct is an
important component of IT risk management strategies. Training can cover key business
processes and policies, such as:

- safe handling of infected email
- protecting the privacy of customer details
- priority actions in the event of an online security breach.

Business insurance

It is impossible for a business to prevent or avoid all IT risks and threats. This makes business
insurance an essential part of IT risk management and recovery planning. You should regularly
review and update your insurance, especially in light of new or emerging IT risks, such as the
increasing use of personal mobile devices for workplace activities.

How you respond to information technology (IT) incidents determines how well your business
recovers, and also influences customers' ideas about your reliability. An IT incident can be
confined to the IT components of your business, such as a denial of service attack that targets
your business. An IT incident can also be part of a wider business crisis, such as widespread
damage to networks due to natural disasters.

Your IT risk management plan and business continuity plan should include:

- IT incident response plans
- emergency response plans
- recovery plans.

IT incident response plans

IT incident response plans identify principal IT risks and the steps you need to take to mitigate
effects or damage. They may include details of key staff who need to be notified, priority actions,
communication plans, contact lists and an event log to record actions taken.

Emergency response plans

IT incidents may be the result of a wider crisis, such as an explosion, bushfire or flood. In any
emergency situation the safety of staff and members of the public are your first priority. An IT
incident response plan should integrate with and support emergency response plans.

IT incident recovery plans

A recovery plan will help you respond effectively if an IT incident or crisis affects your business.
A recovery plan can shorten recovery times and minimise losses, and should include:

- strategies to recover your business activities in the quickest possible time
- a description of key resources, equipment and staff required to recover your operations
- your recovery time objectives.

Available from: https://www.business.qld.gov.au/running-business/protecting-business/risk-management/it-risk-management/checklist


16 common types of cyberattacks and how to prevent them

Today's cybercriminals are not part-time amateurs or script kiddies but rather state-sponsored
adversaries and professional criminals looking to steal information and make large amounts of
money. Disruption and vandalism are still prevalent, and espionage has replaced hacktivism as
the second main driving force behind cyberattacks -- after financial profit. With these different
motives and the increasing sophistication of attackers, many security teams are struggling to keep
their IT systems secure.

A variety of cyberattacks are launched against organizations every day. According to threat
intelligence provider Check Point Research, there was a weekly average of 1,158 attacks per
organization worldwide in 2023. Consulting services and software provider IT Governance
reported that a total of 8.2 billion records were breached in publicly disclosed attacks during the
year as a whole.

Research and publishing firm Cybersecurity Ventures has predicted that the global cost of
cybercrime would hit $8 trillion in 2023 and increase to $9.5 trillion in 2024. The average cost of
a data breach at 553 organizations worldwide in the 12 months ending in March 2023 was a
record high of $4.45 million, according to a report that IBM publishes annually. The costs of
cyberattacks are both tangible and intangible, including not only direct loss of assets, revenue and
productivity, but also reputational damage that can lead to loss of customer trust and the
confidence of business partners.

Cybercrime is built around the efficient exploitation of vulnerabilities, and security teams are
always at a disadvantage because they must defend all possible entry points, while an attacker
only needs to find and exploit one weakness or vulnerability. This asymmetry highly favors
attackers. The result is that even large enterprises struggle to prevent cybercriminals from
monetizing access to their networks, which typically must maintain open access and connectivity
while security professionals try to protect enterprise resources.

Not only large organizations are at risk of cyberattacks, though. Cybercriminals use any internet-
connected device as a weapon, a target or both, and SMBs tend to deploy less sophisticated
cybersecurity measures, opening them up to potential security incidents, too.

Security managers and their teams also need to be prepared for all the different attacks they might
face. To help with that, here are 16 of the most damaging types of cyberattacks and how they
work.

1. Malware attack
Malware, short for malicious software, is an umbrella term used to refer to a hostile or intrusive
program or file that's designed to exploit devices at the expense of the user and to the benefit of
the attacker. There are various forms of malware that all use evasion and obfuscation techniques
designed to not only fool users, but also elude security controls so they can install themselves on
a system or device surreptitiously without permission.

Currently, the most feared form is ransomware, a program that attackers use to encrypt a victim's
files and then demand a ransom payment in order to receive the decryption key. Because of
ransomware's prominence, it's covered in more detail below in its own section. The following are
some other common types of malware:

2. Ransomware attack
Ransomware is usually installed when a user visits a malicious website or opens a doctored email
attachment. Traditionally, it exploits vulnerabilities on an infected device to encrypt important files,
such as Word documents, Excel spreadsheets, PDFs, databases and system files, making them
unusable. The attacker then demands a ransom in exchange for the decryption key needed to
restore the locked files. The attack might target a mission-critical server or try to install the
ransomware on other devices connected to the network before activating the encryption process
so they're all hit simultaneously.

To increase the pressure on victims, attackers also often threaten to sell or leak data exfiltrated
during an attack if the ransom isn't paid. In fact, in a shift in ransomware tactics, some attackers
are now relying solely on data theft and potential public disclosures to extort payments without
even bothering to encrypt the data. That change might have contributed to record-breaking
numbers of ransomware attacks reported in 2023 by cybersecurity vendors and researchers.
Check Point Research said 10% of organizations worldwide were targeted by attempted attacks.

Everyone is a possible ransomware target, from individuals and small businesses to large
organizations and government agencies. The attacks can have a seriously damaging impact. In a
well-known incident, the WannaCry ransomware attack in 2017 affected organizations in over 150
countries with the disruption to hospitals costing the U.K.'s National Health Service alone around
$111 million. More recently, the U.K.'s Royal Mail fell victim to a ransomware attack in 2023 that
encrypted crucial files, preventing international shipments for six weeks. Royal Mail refused to pay
the initial ransom demand of $80 million or subsequent reduced amounts but said it spent almost
$13 million on remediation work and security improvements. In addition, data stolen in the attack
was posted online.

Also in 2023, a ransomware attack on MGM Resorts International cost the hotel and casino
company an estimated $100 million, disrupted its operations and resulted in the theft of personal
information on customers. Caesars Entertainment negotiated a ransom payment of $15 million
after a similar attack in an effort to prevent stolen data from being published online, according
to The Wall Street Journal. Ransomware is such a serious problem that the U.S. government in
2021 created a website called StopRansomware that provides resources to help organizations
prevent attacks, as well as a checklist on how to respond to one.

3. Password attack

Despite their many known weaknesses, passwords are still the most common authentication
method used for computer-based services, so obtaining a target's password is an easy way to
bypass security controls and gain access to critical data and systems. Attackers use various
methods to illicitly acquire passwords, including these:

- Brute-force attack. An attacker can try well-known passwords, such as password123, or ones based on information gathered from a target's social media posts, like the name of a pet, to guess user login credentials through trial and error. In other cases, they deploy automated password cracking tools to try every possible combination of characters.
- Dictionary attack. Similar to a brute-force attack, a dictionary attack uses a preselected library of commonly used words and phrases, depending on the location or nationality of the victim.
- Social engineering. It's easy for an attacker to craft a personalized email or text message that looks genuine by collecting information about someone from their social media posts and other sources. As a form of social engineering, these messages can be used to obtain login credentials under false pretenses by manipulating or tricking the person into disclosing the information, particularly if they're sent from a fake account impersonating someone the victim knows.
- Keylogging. A keylogger is a software program that secretly monitors and logs every keystroke by users to capture passwords, PIN codes and other confidential information entered via the keyboard. This information is sent back to the attacker via the internet.
- Password sniffing. A password sniffer is a small program installed on a network that extracts usernames and passwords sent across the network in cleartext. While still used by attackers, it's no longer the threat it used to be because most network traffic is now encrypted.
- Stealing or buying a password database. Hackers can try to breach an organization's network defenses to steal its database of user credentials and then either use the data themselves or sell it to others.

In a 2023 survey by TechTarget's Enterprise Strategy Group research division, 45% of the 377
respondents said they knew user accounts or credentials had been compromised in their
organization during the past 12 months, while 32% suspected they had been. Of all those
respondents, 59% said such compromises led to successful cyberattacks. Also, Verizon's "2023
Data Breach Investigations Report" found that using stolen credentials was by far the top way in
which attackers accessed systems in breached organizations with 49% of 4,291 documented
breaches involving their use.

4. DDoS attack

A distributed denial-of-service (DDoS) attack involves the use of numerous compromised computer systems or mobile devices to target a server, website or other network resource. The goal is to slow it down or crash it completely by sending a flood of messages, connection requests or malformed packets, thereby denying service to legitimate users.

Almost 7.9 million DDoS attacks were launched in the first half of 2023, a 31% year-over-year increase, according to a report by performance management and security software vendor Netscout. Political or ideological motives are behind many of the attacks, but they're also used to seek ransom payments -- in some cases, attackers threaten an organization with a DDoS attack if it doesn't meet their ransom demand. Attackers are also harnessing the power of AI tools to improve attack techniques and direct their networks of slave machines to perform DDoS attacks accordingly. Worryingly, AI is now being used to enhance all forms of cyberattacks, although it has potential cybersecurity uses, too.

5. Phishing

In phishing, an attacker masquerades as a reputable organization or individual to trick an unsuspecting victim into handing over valuable information, such as passwords, credit card details and intellectual property. Based on social engineering techniques, phishing campaigns are easy to launch and surprisingly effective. Emails are most commonly used to distribute malicious links or attachments, but phishing attacks can also be conducted through text messages (SMS phishing, or smishing) and phone calls (voice phishing, or vishing).

Spear phishing targets specific people or companies, while whaling attacks are a type of spear phishing aimed at senior executives in an organization. A related attack is the business email compromise (BEC) in which an attacker poses as a top executive or other person of authority and asks employees to transfer money, buy gift cards or take other actions. The FBI's Internet Crime Complaint Center puts phishing and BEC attacks in separate categories. In 2022, the last year for which data has been released, it received 21,832 complaints about BEC attacks with total losses of more than $2.7 billion and 300,497 phishing complaints that generated $52 million in losses.

6. SQL injection attack

Any website that is database-driven -- and that's the majority of websites -- is susceptible to SQL
injection attacks. A SQL query is a request for some action to be performed on a database, and a
well-constructed malicious request can create, modify or delete the data stored in the database. It
can also read and extract data such as intellectual property, personal information of customers or
employees, administrative credentials and private business details.

SQL injection continues to be a widely used attack vector. It was third on the 2023 Common
Weakness Enumeration (CWE) Top 25 list of the most dangerous software weaknesses, which is
maintained by The Mitre Corp. In 2023, according to the website CVEdetails.com, more than
2,100 SQL injection vulnerabilities were added to the CVE database, a separate catalog of
common vulnerabilities and exposures that Mitre also manages. In a high-profile example of a
SQL injection attack, attackers used one of those new vulnerabilities to gain access to Progress
Software's MoveIt Transfer web application, leading to data breaches at thousands of
organizations that use the file transfer software.
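The difference between a query that is open to injection and one that is not, as an added example (not code from the module or the article it quotes); the in-memory customer table and its two rows are constructed for the demonstration:

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory customer table standing in for a website's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"), ("Bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Defective pattern: the request parameter is pasted into the SQL text, so the
    database cannot tell where the developer's query ends and the user's input begins."""
    sql = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Control: a parameterised query sends the input separately from the statement,
    so it is only ever compared as a value and can never change the query's structure."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


def compare_lookups(name):
    """Run the same input through both versions.

    Returns (rows_from_vulnerable_query, rows_from_parameterised_query); an auditor
    testing a control expects the two counts to agree for every input."""
    conn = build_demo_db()
    try:
        return len(lookup_vulnerable(conn, name)), len(lookup_parameterised(conn, name))
    finally:
        conn.close()


if __name__ == "__main__":
    # An ordinary name behaves the same either way; the textbook tautology that
    # makes the WHERE clause always true only "works" against the vulnerable version.
    print(compare_lookups("Alice"))
    print(compare_lookups("' OR '1'='1"))
```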

7. Cross-site scripting

This is another type of injection attack in which an attacker adds a malicious script to content on a
legitimate website. Cross-site scripting (XSS) attacks occur when an untrusted source is able to
inject code into a web application and the malicious code is then included in webpages that are
dynamically generated and delivered to a victim's browser. This enables the attacker to execute
scripts written in languages such as JavaScript, Java and HTML in the browsers of unsuspecting
website users.
Attackers can use XSS to steal session cookies, which lets them pretend to be victimized users.
But they can also distribute malware, deface websites, seek user credentials and take other
damaging actions through XSS. In many cases, it's combined with social engineering techniques,
such as phishing. A constant among common attack vectors, XSS ranked second on the CWE
Top 25 list for 2023.

8. Man-in-the-middle attack

In a man-in-the-middle (MitM) attack, the attacker secretly intercepts messages between two
parties -- for example, an end user and a web application. The legitimate parties believe they're
communicating directly with each other, but in fact, the attacker has inserted themselves in the
middle of the electronic conversation and taken control of it. The attacker can read, copy and
change messages, including the data they contain, before forwarding them on to the unsuspecting
recipient, all in real time.

A successful MitM attack enables attackers to capture or manipulate sensitive personal information, such as login credentials, transaction details, account records and credit card numbers. Such attacks often target the users of online banking applications and e-commerce sites, and many involve the use of phishing emails to lure users into installing malware that enables an attack.

9. URL interpretation/URL poisoning

It's easy for attackers to modify a URL in an effort to access information or resources. For
example, if an attacker logs in to a user account they've created on a website and can view their
account settings at https://www.awebsite.com/acount?user=2748, they can easily change the URL
to, say, https://www.awebsite.com/acount?user=1733 to see if they can access the account
settings of the corresponding user. If the site's web server doesn't check whether each user has
the correct authorization to access the requested resource, particularly if it includes user-supplied
input, the attacker likely will be able to view the account settings of every other user on the site.

A URL interpretation attack, also sometimes referred to as URL poisoning, is used to gather
confidential information, such as usernames and database records, or to access admin pages that
are used to manage a website. If an attacker does manage to access privileged resources by
manipulating a URL, it's commonly due to an insecure direct object reference vulnerability in which
the site doesn't properly apply access control checks to verify user identities.
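The authorisation check whose absence the passage describes, as an added example (not code from the module or the article). The URL shape is the one quoted above; the session tokens, admin list and account records are constructed:

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data standing in for the site's session store and account table.
SESSIONS = {"sess-2748": 2748, "sess-admin": 9001}   # session token -> authenticated user id
ADMINS = {9001}
ACCOUNT_SETTINGS = {
    1733: {"email": "customer1733@example.com", "plan": "basic"},
    2748: {"email": "customer2748@example.com", "plan": "premium"},
}


def requested_user_from_url(url):
    """Extract the user id from URLs of the form .../acount?user=2748; None if absent or malformed."""
    query = parse_qs(urlsplit(url).query)
    try:
        return int(query["user"][0])
    except (KeyError, IndexError, ValueError):
        return None


def account_settings_vulnerable(session_token, url):
    """Insecure direct object reference: the caller is authenticated, but nothing
    checks that the record the URL points at belongs to that caller."""
    if session_token not in SESSIONS:
        return 401, None
    user_id = requested_user_from_url(url)
    if user_id not in ACCOUNT_SETTINGS:
        return 404, None
    return 200, ACCOUNT_SETTINGS[user_id]


def account_settings_hardened(session_token, url, audit_log):
    """Authorisation is decided from the server-side session, never from the URL.

    Cross-user requests are refused and written to the audit log so that a run of
    sequential user ids from one session shows up in review. The ownership check
    runs before the existence check so a refused request does not reveal which ids exist."""
    if session_token not in SESSIONS:
        return 401, None
    caller = SESSIONS[session_token]
    user_id = requested_user_from_url(url)
    if user_id is None:
        return 400, None
    if user_id != caller and caller not in ADMINS:
        audit_log.append(f"DENIED user={caller} requested settings of user={user_id}")
        return 403, None
    if user_id not in ACCOUNT_SETTINGS:
        return 404, None
    return 200, ACCOUNT_SETTINGS[user_id]


if __name__ == "__main__":
    log = []
    other = "https://www.awebsite.com/acount?user=1733"
    print(account_settings_vulnerable("sess-2748", other))
    print(account_settings_hardened("sess-2748", other, log), log)
```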

10. DNS spoofing

The DNS enables users to access websites by mapping domain names and URLs to the IP
addresses that computers use to locate sites. Hackers have long exploited the insecure nature of
DNS to overwrite stored IP addresses on DNS servers and resolvers with fake entries so victims
are directed to an attacker-controlled website instead of the legitimate one. These fake sites are
designed to look exactly like the sites that users expected to visit. As a result, victims of a DNS
spoofing attack aren't suspicious when asked to enter their account login credentials on what they
think is a genuine site. That information enables the attackers to log in to user accounts on the
sites being spoofed.

Full article available from: https://www.techtarget.com/searchsecurity/tip/6-common-types-of-cyber-attacks-and-how-to-prevent-them

PART B: INTRODUCTION

1. INTRODUCTION OF THE TOPIC

This module introduces you to the basic concepts regarding computers and their
significance in an organisation. The more complex issues regarding computers will be
dealt with at post graduate diploma/honours level.
The use of computers is part of everyday life (as you would all know)!
This module will aim to explain the basic concepts in computers, which an audit
professional is expected to have knowledge of.

2. PRIOR KNOWLEDGE

Computers will not be new to you, as you have dealt with their basic operations in AUD 200 (2nd year) as well as in all your other subjects.

With regard to auditing specifically, you have already been introduced to general controls in AUD 200. This module picks up general controls where you left off, and you will also be introduced to application controls.

3. RESOURCES

In order to master this topic you should make use of the following resources:

3.1 Pre-reading
3.2 Module
3.3 Question Banks
3.4 Lecture Slides
3.5 Lecture attendance and consultation

4. STUDY OUTCOMES

After you have completed your studies of this topic you must be able to:

4.1 Provide definitions of computers and be able to identify these in a given scenario.
4.2 Identify the types of controls that should be implemented.
4.3 Recommend any possible improvements to be implemented in a computerised environment.
4.4 Be able to apply the concepts of computers to any given scenario.
5. EXAMINATION POSSIBILITIES

You can expect theory-based questions that include:

- Practical application
- Scenario-based questions

PART C: DEFINITIONS OF THE TYPES OF ON-LINE COMPUTER SYSTEMS

TYPES OF ON-LINE SYSTEMS

On-Line Entry with Real-Time Processing:

Transactions are entered via terminals, automatically authorised by the system and the
relevant files on the system are updated immediately. Thus, the transaction and the
master file are updated immediately.

On-Line Entry with Batch Processing:

Transactions are entered via a terminal, authorised and written to a transaction file. The
transaction is then updated in batch mode.

This system provides the opportunity for good control over the input and processing of
transactions ensuring the completeness and accuracy of the data through batch (control)
totals and audit trails.

It follows from the above that the transaction and master files in this type of system are
not updated immediately, but only after a batch has been entered correctly and is in
balance.
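The batch-balancing control described above, as an added example that is not part of the module text: a record count, financial total and hash total recorded when the batch is prepared are recomputed from the captured transaction file, and the master file is updated only if all three agree. The transactions, header values and audit trail format are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    account: int    # customer account number, used for the hash total
    amount: float   # transaction value, used for the financial total


@dataclass(frozen=True)
class BatchHeader:
    """Control totals the user records when the batch is prepared (constructed example)."""
    record_count: int
    financial_total: float
    hash_total: int     # sum of account numbers: meaningless as a figure, but a mis-keyed
                        # or missing account changes it even when the money still adds up


def compute_totals(transactions):
    """Recompute the control totals from the records actually captured on the transaction file."""
    return BatchHeader(
        record_count=len(transactions),
        financial_total=round(sum(t.amount for t in transactions), 2),
        hash_total=sum(t.account for t in transactions),
    )


def batch_discrepancies(header, transactions):
    """Compare captured totals with the batch header; an empty list means the batch is in balance."""
    actual = compute_totals(transactions)
    problems = []
    if actual.record_count != header.record_count:
        problems.append(f"record count {actual.record_count} != header {header.record_count}")
    if abs(actual.financial_total - header.financial_total) >= 0.005:
        problems.append(f"financial total {actual.financial_total} != header {header.financial_total}")
    if actual.hash_total != header.hash_total:
        problems.append(f"hash total {actual.hash_total} != header {header.hash_total}")
    return problems


def post_batch(master, header, transactions, audit_trail):
    """Update the master file only when the batch balances; every outcome goes on the audit trail.

    Returns True if the batch was posted, False if it was rejected and the master file left untouched."""
    problems = batch_discrepancies(header, transactions)
    if problems:
        audit_trail.append(("REJECTED", tuple(problems)))
        return False
    for t in transactions:
        master[t.account] = round(master.get(t.account, 0.0) + t.amount, 2)
    audit_trail.append(("POSTED", header.record_count, header.financial_total))
    return True


if __name__ == "__main__":
    batch = [Transaction(1001, 250.00), Transaction(1002, 75.50), Transaction(1003, -30.25)]
    header = BatchHeader(record_count=3, financial_total=295.25, hash_total=3006)
    master, trail = {}, []
    print(post_batch(master, header, batch, trail), master, trail)
```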

Shadow Processing:

A copy of the master file is used during the day and is updated continuously using on-line
entry with real time processing. The computer simultaneously creates batch files for the
day’s transactions. These batch files are used to update the original master file overnight
in batch mode.

A new copy of the master file is then made for use during the following day.

Shadow processing provides the benefits of both real time processing and batch
processing while affording better protection to the data in the original master file.

On-Line Entry with Memory Update:

Transactions are entered, authorised and written to a memory file which contains
information drawn from the master file.
This process is similar to shadow processing and implies that:

- enquiries are made from the memory master file (which is fully up to date);
- the original master file is updated at a later stage from the transaction files.

On-Line Enquiry Facilities:

Users are limited to enquiry of information on master files which are updated from other
systems.

On-Line Downloading/Uploading:

This involves data being downloaded from a master file onto an intelligent terminal such
as a personal computer. This data can then be updated and uploaded to another computer,
e.g. the mainframe computer.
PART D: CONTROLS IN A COMPUTERISED ENVIRONMENT

GENERAL CONTROLS DEFINITION:

General controls are those which establish an overall framework of control for computer
activities. They are controls which should be in place before any processing of transactions
gets underway and they span across all applications.

OVERALL FRAMEWORK OF GENERAL COMPUTER CONTROLS:

The following framework is an outline of the controls to be covered in this module. These
controls will be discussed in detail throughout the module.

General Computer Controls


1. System Development and Implementation Controls
2. System maintenance Controls (Change Controls)
3. Organisational and Management Controls
4. Access Controls to Data and Programs
5. Computer Operating Controls
6. System Software Controls
7. Business Continuity Controls

UNDERSTANDING THE GENERAL CONTROL ENVIRONMENT

1. Systems Development & Implementation Controls

Objective: to ensure that self-developed or purchased systems are properly developed, authorised and meet users' needs.

These are the controls in place over the actual development of a new system the entity
intends on using. This could be a purchased package or a system developed in-house.
In a question, you need to ensure that you know what type of system you are dealing with
to ensure that you suggest the relevant controls. Examples of the types of controls over
the development of a system in-house include, but are not limited to, the following:

- The client should develop a system with a clear view of its strategic business plan to ensure that the system will aid the process of achieving the business objectives;
- A steering committee should conduct a feasibility study and define the selection criteria;
- Projects should be authorised after analysing the users' needs and performing a proper systems analysis;
- Project authorisation & management;
- System design and programming standards;
- Testing of the new system;
- Conversion to the new system.

Please take note of the following controls over a self-developed system:

1. Project authorisation and management

- Development plan authorised
- Steering committee
  - Made up of senior management from both user and computer departments
- Steering committee must ensure that:
  - Project is authorised
  - Timetables are adhered to
  - Budgets are achieved
  - Quality requirements are met
- Involvement from:
  - User department
    - Departmental requirements
    - Internal / external auditors
  - Data processing department
    - Technical soundness
    - Compatibility with other systems
    - Operational aspects
  - Quality control department
    - Standard of design
    - Testing
    - Documentation
- Perform feasibility study
  - Buy / self-develop
  - Cost / benefit analysis
- Project team
  - Day-to-day management of the project
  - Ensure the project is developed in stages
  - Prepare timetables for each stage
- Project authorised after feasibility study/analysis, before development commences

2. System specification & user needs

- Definition
  - Defining the way the system must work
  - To meet the specification of users and business

Two methods of specifying systems:

- Traditional method
  - Written systems specification by means of discussions between the data processing department and users
- Prototype systems
  - Design a prototype
  - User department tries it out
  - Refine the design through a series of prototypes

3. System design and programming standards


o System design and programming standards needed to :
 Ensure system interacts properly with existing systems and system
software;
 Ensure that appropriate control-related programmed procedures are built
in;
 Ensure there is supervision over system design;
 Comply with predetermined standards;
 Development and testing done on the program library, not on live data.

4. Testing
Testing of in-house systems should be carried out in 3 stages
4.1 Program testing
o Checking the logic of each program against its specification
o Methods used:
 Test data
 Desk checking (program code analysis)
4.2 System testing
o Ensure the logic of various individual programs links together to form a
system in line with the detailed system description
o Methods used
 Test data
 User testing
4.3 Live testing
o Tested under operational conditions
 Parallel running
 Pilot running
o Parallel running
 New system in parallel with old system
 Problem: cost of double processing, difficulty of comparison (e.g.
additional info)
o Pilot running
 Introduce the system for only a small portion
Take note of the following controls over a purchased package:

Purchased package:

Important information to consider when purchasing a package:

o Package must meet user requirements
 Prepare statement of requirements
 Measure available packages against requirements
o Keep in mind:
 Minimum changes should be made to the package
 If modifications are necessary, apply the normal rules in respect of system development
 Possibility of future amendments (e.g. tax updates)
 Quality of maintenance service from supplier

The above information has to be applied to the selection of a package and the
implementation of a package. This can be done as follows:

1. Specification and selection of package

o Discussions with other users
o Observing operation of package
o Questioning other users of package re:
 Facilities offered by program
 Freedom from program errors
 Speed & efficiency
 Ease of use
 Quality of support

2. Implementation and testing of package

o Testing
o Independent testing
o Review of experiences of other users
o Implementation
o Involvement of:
 User departments
 Data processing
 Management
 Quality assurance

Advantages of purchased systems:

o Less implementation time (immediate implementation)
o Lower cost, and the cost is predetermined
o Tested thoroughly, thus very reliable

Disadvantages of purchased systems:

o Dependent on vendors for maintenance
o Too general / inflexible to cater for specific needs
o Changes and maintenance difficult or impossible
o Written overseas (VAT and tax rules differ)

A conversion from an old system to a new system often takes place in
organisations, thus it is important to implement controls for these conversions.

Controls during conversion to the new system (self-developed / purchased)

o Planning and preparation
 Prepare timetables for conversion
 Define methods used (e.g. parallel / pilot)
 Determine cut-off dates
 Prepare data files for conversion (e.g. Standing data)
 Training of staff
 Balance files on old system
 Prepare premises (constant power / air-con)
o Control over conversion of data by data control group
 Supervision by senior management
 Auditor involvement
o Update system documentation
 System flowcharts
 System descriptions
 Operating manuals
o Testing
 Balancing old files with new files
 Third party confirmations
 Follow up of exception reports
 Comparison with data run on old system (parallel)
 Manual comparison of data
 Approval by users
o Backup of new system
o Post-implementation review
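The "balancing old files with new files" test above, as an added example that is not part of the module notes: the data control group compares record counts, control totals and individual records of a constructed debtors standing-data file before and after conversion, and every difference goes onto an exception report for follow-up before users approve.

```python
# Added example (not from the module notes): balancing the old file against the
# new file after conversion. Record counts and a balance control total are
# compared, then each record, and differences are listed as exceptions for the
# data control group to follow up. All account data below is constructed.
from decimal import Decimal

OLD = {  # constructed records from the old system: account -> (name, balance)
    "D001": ("ABC Stores", Decimal("1500.00")),
    "D002": ("Zulu Traders", Decimal("230.50")),
    "D003": ("Mbeki & Co", Decimal("0.00")),
}
NEW = {  # constructed records on the new system after conversion
    "D001": ("ABC Stores", Decimal("1500.00")),
    "D002": ("Zulu Traders", Decimal("203.50")),   # digits transposed
    "D004": ("Unknown", Decimal("100.00")),        # not in the old file
}

def control_totals(records):
    """Record count and balance total: the figures balanced on each system."""
    return len(records), sum(bal for _, bal in records.values())

def balance_files(old, new):
    """Exception report: records missing, added or changed during conversion."""
    exceptions = []
    for key in sorted(set(old) | set(new)):
        if key not in new:
            exceptions.append(f"{key}: missing from new file")
        elif key not in old:
            exceptions.append(f"{key}: not in old file")
        elif old[key] != new[key]:
            exceptions.append(f"{key}: old {old[key]} != new {new[key]}")
    return exceptions

def conversion_balances(old, new):
    """True only when counts and totals agree and no exceptions remain."""
    return control_totals(old) == control_totals(new) and not balance_files(old, new)
```

In this constructed data the record counts agree (3 and 3) while the balance total does not, which is why both a count and a value control total are balanced rather than a count alone.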
2. System Maintenance Controls / System Change Controls

Objective: To ensure changes to the system are authorised, meet users' needs and are made
effectively.

These controls exist to ensure that any maintenance that takes place on the newly
developed system is done accurately and in accordance with the requisite level of
authority. The changes would be made to ensure that the system meets the needs of the
users. Some examples of these types of controls are:
o Change forms are to be pre-numbered and locked away when not required;
o Any change requests made by the users of the system must be approved by the
Line Manager of the user and a reason as to why the change is necessary must
be provided;
o All change forms need to be signed by Management or the Computer Steering
Committee prior to the change being effected;
o After the change has been made, an IT expert is to test the change to determine if
it has been made as per the approved change request and is working effectively.

o Completeness of changes
o To ensure all approved requests for changes are processed
o Achieved by:
 Pre-numbered change request forms
 Do regular sequence checks; or
 Enter change forms in a register
 Outstanding requests reviewed by senior official

o Validity of changes
o Requests should be approved by correct level of authority depending on
importance
o User requirements
o Reviewed by data processing department
o Documented
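The completeness and validity controls above, as an added example that is not part of the module notes: a register of pre-numbered change request forms is checked for gaps in the number sequence, and every request that lacks a reason, line manager approval, authorisation or a post-change IT test is listed as outstanding for review by a senior official. The register contents are constructed.

```python
# Added example (not from the module notes): completeness and validity checks
# over a register of pre-numbered change request forms: a sequence check for
# numbers missing from the register, and a list of outstanding requests for a
# senior official to review. The register below is constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass
class ChangeRequest:
    form_no: int                   # pre-printed number on the change form
    requester: str
    reason: str                    # why the change is necessary
    line_manager_approved: bool    # user's line manager approved the request
    authorised_by: Optional[str]   # "Management" / "Steering Committee" / None
    tested_by_it: bool             # IT expert tested the change after it was made

REGISTER = [
    ChangeRequest(1001, "alice", "VAT rate change", True, "Steering Committee", True),
    ChangeRequest(1002, "bob", "new report layout", True, "Management", False),
    ChangeRequest(1004, "carol", "extra input validation", False, None, False),
    ChangeRequest(1005, "dave", "", True, None, False),
]

def sequence_gaps(register):
    """Form numbers absent from the register: forms issued but never recorded."""
    numbers = sorted(r.form_no for r in register)
    expected = set(range(numbers[0], numbers[-1] + 1))
    return sorted(expected - set(numbers))

def outstanding(register):
    """(form_no, problems) for every request not yet fully and validly processed."""
    items = []
    for r in register:
        problems = []
        if not r.reason.strip():
            problems.append("no reason given")
        if not r.line_manager_approved:
            problems.append("line manager approval missing")
        if r.authorised_by is None:
            problems.append("not authorised by Management/Steering Committee")
        elif not r.tested_by_it:
            problems.append("post-change IT test not done")
        if problems:
            items.append((r.form_no, problems))
    return items
```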
3. Organisational & Management Controls

Objective: Organisational framework such as segregation of duties (SOD), supervision and review, and virus protection

These controls would be implemented to ensure that an organisational framework over the
computerised information system (CIS) activities is in place, and to ensure that the basic
principles of segregation of duties, review and virus protection are met. Examples of these
types of controls include, but are not limited to the following:
o Computer department is to be represented on the Board of Directors;
o CIS manager should report to senior management;
o Top Management should be committed to controls and to implement
management controls such as establishing an Internal Audit department.
o Computer steering committee sets IT policies and exercises control over IT
activities
o Staff practices/ processing
 the rotation of operator duties
 system development staff not assigned to operator duties
 at least two operators per shift (scheduling of staff)
 staff take regular leave
o Employment practices
 training of staff and career development
 supervision and review

Segregation of duties

o Functional
 Separate CIS Department
o Operational
 SOD between:
 System analysts
 Programmers
 Operators
o Normal SOD between:
 Transaction initiation
 Authorisation
 Processing
 Safeguarding
o Independent person must correct errors

Controls against computer viruses

o Software protection
 Software purchased from reputable suppliers
 Take care with the use of "free" or "public domain" programs
 Do not lend out program disks
 Do not boot up from a disk
 Do not use illegal copies

o Data file protection
 Install virus detection software
 Test data files for viruses before use
 Regular backups
 Keep disks on write protect

o Staff
 Inform staff members against dangers
 Train users of microcomputers
 Reporting procedures in case of infection
 Limit the use of microcomputers to authorized staff

o Supervision and review
 By CIS manager, divisional managers, section heads
 System investigations by internal and external audit

4. Access Controls to Data & Programs

Objective: To prevent unauthorised changes to programs, data, terminals & files.

As the name suggests, these controls would ensure that access to and editing of data and
programs should be restricted to only those users who have the authority to use the data.
Examples of these types of controls include:
o Passwords are to be changed regularly and must be alphanumeric;
o Passwords are to be kept confidential;
o User matrixes must exist in order to restrict database information to the users
on a least privileges basis;
o The terminal should shut down after 3 unsuccessful log-in attempts and
generate an exception report for management to review & investigate.

Programmed controls

o Terminals
 TINS (Terminal identification numbers)
 Limited access to system (to specific applications)
 Automatic log off after 5 minutes of non-use
 Shut down after 3 unsuccessful login attempts
 Limited to 1 workstation log on
 Investigation into each disconnection
 Simultaneous login prohibited
o Identification of users
 User ID’s & passwords
 Verify IP address
 Magnetic cards
 Voice recognition / fingerprints (use of biometric data)

o Authorisation of users
 Logon ID’s
 Passwords
 Multilevel passwords
 User matrixes
 Passwords for specific authorised levels

o Monitor access and processing
 Audit trails reviewed for daily activities
 Console logs and activity registers
 Application software (unauthorized access)
 Firewalls

o Communication lines & networks
 Passwords
 Dial & dial back
 Identification data
 Different routes for sensitive data
 Encryption of data

o Password control
 Password strength
o Minimum 6 characters (minimum length)
o Letters and numbers
o Upper case and lower case letters
o Special characters (e.g. ! @ # *)
 Not easily guessed; not shown on screen
 Changed regularly
o Automatic system request
o Re-use of password prohibited
 Confidentiality emphasised
 Cancelled on resignation/ dismissal
 Cancelled after period of inactivity
 Use for authorisation
o Limit access to part of system
o Limit access to certain times of day
o Authorisation levels linked

o Program libraries
 Access to backup programs controlled by access software
 Passwords
 Updating authorised
o Utilities
 Stored separately
 Use logged and reviewed
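The programmed terminal and password controls listed above, as an added example that is not part of the module notes: a password strength check (minimum 6 characters, letters and digits, upper and lower case, a special character, no re-use of a previous password) and a terminal that shuts down after 3 unsuccessful log-in attempts and records an exception-report entry for management to review. The user id, passwords, salt and terminal identification number are constructed.

```python
# Added example (not from the module notes): the programmed access rules above
# as testable code: password strength (min 6 chars, letters and digits, upper
# and lower case, a special character), no re-use, and a terminal that shuts
# down after 3 failed log-ins and writes an exception-report entry. Constructed data.
import hashlib

SPECIAL = set("!@#*")
MAX_ATTEMPTS = 3

def hash_pw(pw, salt="demo-salt"):
    """Store only a salted hash, never the password itself (constructed salt)."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

def password_problems(pw, previous=()):
    """Policy rules the proposed password fails; an empty list means acceptable."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        problems.append("must contain both letters and digits")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("must mix upper and lower case")
    if not any(c in SPECIAL for c in pw):
        problems.append("must contain a special character (! @ # *)")
    if hash_pw(pw) in previous:          # previous = hashes of earlier passwords
        problems.append("re-use of a previous password is prohibited")
    return problems

class Terminal:
    """One terminal (TIN) that counts consecutive failed log-ins and shuts down."""
    def __init__(self, tin, credentials):
        self.tin = tin                  # terminal identification number
        self.credentials = credentials  # user id -> salted password hash
        self.failed = 0
        self.shut_down = False
        self.exception_report = []      # lines for management to investigate

    def login(self, user, pw):
        if self.shut_down:
            return "shut down"
        if self.credentials.get(user) == hash_pw(pw):
            self.failed = 0             # a successful log-in resets the counter
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.shut_down = True
            self.exception_report.append(
                f"terminal {self.tin}: shut down after {MAX_ATTEMPTS} "
                f"unsuccessful log-in attempts (last user id tried: {user})")
            return "shut down"
        return "denied"
```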

Physical controls

o Terminals
 Physically locked
 Located in a visible area
 Situated in a lockable room
o Computer hardware
 Lockable room
 Supervision & review
 Removable media kept secure
 Manual logs

o Program libraries
 Register (regular review)
 Access controlled

o Distributed processing
 Only executable programs (instead of production programs) at branches
 Independent comparison of executable programs to source programs (e.g. by the internal auditor)
 Logs reviewed
 Screening & training of staff
 Emergency access controls

5. Computer Operating Controls

Objective: Ensuring procedures are applied correctly & consistently during processing

These are those controls that actually deal with how the user of the computer operates the
computer and to ensure that programmed procedures are applied correctly and
consistently during the processing of data. Examples of these types of controls include,
but are not limited to the following:
o There must be continuous monitoring and review of the functioning of the
computer hardware;
o There must be standardised procedures and operating procedures for the
users of the system to follow;
o There must be adequate user manuals in place.
o Scheduling of processing
o Set-up and execution of programs
 Competent person
 Procedure manuals
 Test against processing log
 Supervision & review
o Use correct programs & data files
o Operating procedures
 Hardware checks
 Operating instructions & manuals
 Segregation of duties
 Rotation of duties
 Logs
 Supervision and review
o Recovery procedure
 Emergency plan & instructions
 Backup of data & hardware

6. System Software Controls

Objective: To ensure installation, development and maintenance of software packages are authorised and effective.

The controls are put in place for programs that process data to ensure that they are
installed or developed and maintained in an authorised and effective manner, and that
access to the system software is limited. Examples of these types of control include:
o In the processing by users on personal (micro) computers, there must be:
 Control over the software on the PC to ensure that it is not copied or
pirated;
 Programs which are written internally should be documented and tested
to ensure that the program has the integrity required by management.
o Acquisition & development controls
 See previous notes
o Security over system software
 Integrity of staff
 Division of duties
 Employment policies
 Supervision & review
o Database systems
 Access control
 Documentation
 Supervision & review
o Networks
 Support department
 Access controls
 Disaster recovery plan
o Processing on microcomputers
 Control of software
 Programs written internally tested & documented

7. Business Continuity Controls

Objective: Prevent/limit system interruption (downtime)

These are the controls that the entity would put in place to ensure that it would be able to
continue as a going concern, even in the event of a disaster that the company might
experience. Examples of these types of controls include:
o Data is backed up regularly and kept off-site in a fireproof safe;
o The entity has a UPS (Uninterruptible Power Supply) to ensure that it can continue
doing business in the event of a power failure;
o The entity’s server room is air-conditioned to ensure that the servers do not
overheat resulting in the loss of vital data;
o Plan, document and test the disaster recovery plan to ensure that it will be
effective in the event of a disaster.

o Physical environment:
 Protection against the elements
 Fire: extinguishers etc.
 Water: away from water pipes
 Power: backup supply
 Environment: air con etc.

o Emergency plan & disaster recovery procedures
 Establish procedures/Responsibilities
 Prepare list of files & data to be recovered
 Provide alternative processing facilities
 Plan, document & test the disaster recovery plan

o Backups
 Regular backups on rotational basis
 On-line/ Real time backups
 Store back-up files on separate premises
 Hardware backup facilities
 Store in fireproof safe
 Retention of files / records for required times

o Other controls
 Adequate insurance
 No over-reliance on staff
 Virus protection / prevention
 Physical security
 Cable protection
o Personnel Controls
 Segregation of duties
 Job rotation
 Hiring/firing procedures
 Employment contracts
 Use of hardware/software
 Confidentiality
PART E: QUESTIONS RELATING TO THE TOPIC

QUESTION BANK