ACF 302 EXAM PREP NOTES (Chapter 5):
Introduction to risks and internal controls in a computerised
environment.
5.1 Introduction
System Software
Is the program that gives the computer its instructions to perform tasks, e.g. Microsoft
Windows 7 and Linux (these are called operating systems)
Examples of system software are:
Operating Systems
Utility Programs
Device drivers
Application Software
• Is software that performs specific functions required by users [apps] e.g.
Pastel Accounting
Microsoft Word
Outlook
Accounting packages
Masterfile
Used to store permanent information or standing data such as a customer's full name,
contact details and inventory descriptions.
Stores information and cumulative totals.
Transaction file
Used to record transaction details of each individual transaction in both real-time and
batch processing systems.
MANUAL VS COMPUTERISED CONTROLS
MANUAL
Focus on organizational controls
Managerial involvement
Review
Segregation of duties
Stationery and document control
COMPUTERISED
User changes from preparer to user of output
Enhanced controls
BUT lead to additional risks concerning the processing of information
5.3 How and why do companies have to govern their computer information
systems?
Advantages/benefits of good IT governance:
A company's reputation is improved and the trust of internal and external parties is
enhanced.
Strategically aligning IT with business goals and processes makes business
operations more efficient and creates a competitive advantage.
Non-IT executives gain a better understanding of IT and better decision-making
processes are possible due to timely and quality information being available.
A greater level of compliance with laws and regulations.
Risk management is strengthened by implementing good IT controls.
Risks due to poor IT governance:
The company may encounter problems in running its operations, machines, and
production lines.
There may be a loss of confidentiality, e.g. consider what happens when the salary
schedule of employees is leaked.
Systems become less available, less reliable, and less effective.
Unauthorised use, access to, and changes to IT systems may take place.
• Key elements of a computerised system of internal control
Manual controls >> Execution & recording process of business cycle
Computer controls (General conts & Application Conts) >> Processing & Reporting
5.4 Impact of upgrading a manual system to an electronic system
• For some companies it has increased the business's risk profile; for others it has
decreased it.
• Additional risks arise
• Potential severe consequences for a company where IT risks not properly addressed
Three principles in identifying IT risks:
Complexities that are non-existent in manual system
Effect on management objectives
Respond to risks to achieve control objectives.
Benefits and risks in computerised systems
BENEFITS
Computers apply predefined business rules and perform complex calculations
Improved availability and accuracy of information
Facilitate extensive analysis of large data volumes
Monitoring of activities
Less control circumvention
Segregation of duties
RISKS
Unwarranted reliance
Unauthorised data access
Unauthorised data changes
Unintentional amendments
Failure to make changes
Input and processing errors
Manual override
Data loss during processing or transmission
Duplicate or incomplete data
Overreliance
Potential loss of data during processing
Advantages of a computerized accounting system
Reduce error
Reduce expenses
Auto Report generate
Accuracy
Automation
Reliability
Easy document production
Quick processing time
User friendly
Security of data
Instant access to data
Real-time transactions
General characteristics of a computer system
Increased risk in relation to:
Multiple locations,
data concentration,
segregation of duties,
documentation trail,
transaction initiation.
Reduced risk in relation to:
Consistency of processing,
user involvement (where it is minimised, management monitoring and supervision improve),
processing power (large volumes),
assistance in decision-making.
Increased Risk of errors, omissions, and fraud
User can access data/programs from multiple locations / remotely.
Data and functions in an IT system are concentrated which could result in a
breakdown in the segregation of duties.
Lack of a clear documentation trail (e.g. very few hard-copy input and output
documents).
Ability to initiate and process transactions automatically.
↓ Decreased Risk of errors, omissions and fraud
Transactions are processed in a uniform manner updating multiple files and
programs consistently.
Minimal opportunity for user manipulation.
Can analyse and present large volumes of information.
Assist in decision-making. Improve management monitoring and supervision.
Components of a computerised accounting system
Flow of transactions in a computerised system
Classification of computer controls
General Controls
• Defined as policies and procedures that relate to many applications and that support the
effective functioning of application controls by helping to ensure the continued proper
operation of information systems
• General IT controls include controls over:
Data centre and network operations.
System software acquisition, changes and maintenance.
Application system acquisition, development and maintenance.
Access security
Application controls
• Defined as manual or automated procedures that typically operate at a business process
or application level.
• Application controls are designed to ensure the integrity of the accounting records (i.e.
relates to procedures that are used to initiate, record, process and report transactions
and other financial data).
• Application controls relate to specific transactions within an application and business
cycle
• NB Some controls are dual purpose e.g. access control (is both a general and
application control)
Classification of computer controls
Preventative Controls
• Prevents either the user or the system from making errors or committing fraud (i.e.
before they happen)
• Examples: passwords, drop-down menus and validation tests
Detective and Corrective Controls
• Detect errors and fraud after a transaction has been processed, report the misstatement
and take corrective action.
• Examples: management review of audit trails, transaction logs or pop-up errors.
GENERAL CONTROLS
INTRODUCTION TO GENERAL CONTROL
Objective of GC
IMPORTANCE OF GC
• Have a profound influence over the environment within which application controls
operate.
• Prerequisite for reliance on application controls = existence of satisfactory general
controls.
Categories of General Controls
A: Organisational controls and personnel practices
• Policies on how changes are to be made are key
• Organisational framework such as segregation of duties, reviews and virus protection
B: System development & implementation controls
• To ensure self-developed/purchased systems are properly developed, authorised and
meet users' needs.
C: Systems change controls
• To ensure changes to the system are authorised, meet users' needs and are made effectively.
D: Business continuity
• Prevent/Limit system interruptions through fire or cyber attacks
E: Computer operating controls
• Ensuring procedures applied correctly & consistently during processing
F: Access controls
• Prevent unauthorised changes to programs, data, terminals & files
GENERAL CONTROLS
A: Organisational and management controls
Organisational controls and personnel practices
• How CIS department structured; IT staff practices
• Organisational structure allocates/delegates responsibility
• Reporting lines-must delegate to appropriate people
• Appointment, ongoing staff development
• Risks arise if a proper organisational structure is not in place (proper segregation of
duties between the IT department and the user departments)
• Top-down approach: ethical culture/control environment.
• Necessitates a process where all work is supervised and reviewed by senior staff
members
Risk if Organisational Controls fail
• Unauthorised transactions and activities being initiated by unauthorised persons.
• Collusion that could result in theft and fraud.
• Multiple functions that were previously performed by separate individuals are now being
performed by a single application (i.e. lack of segregation of duties).
• Misstatements going unnoticed because there is not sufficient supervision and review in
place.
• Untrustworthy or incompetent persons being employed because of poor staff practices,
resulting in errors or fraud, and also negatively affecting staff morale
B: System development
• System development and change controls are the controls that must be implemented:
when a new computer program is developed or acquired and
where a significant change is made to a computer program or its functionality.
• The objectives of these controls are to ensure that the new system, or a change made to
the system, is effected so that it meets users' needs and is cost-efficient.
• To achieve this, controls must be implemented in each of the stages in the system
development life cycle. Failure to do so could result in:
System errors.
Incorrect or fraudulent processing.
Cost overruns
Non-compliance with development and quality standards, reporting requirements and
legislation.
• Differences between the following:
SYSTEM DEVELOPMENT: refers to the process followed when a new system is developed
in-house.
SYSTEM ACQUISITION: refers to the process followed when a new system is acquired from a
vendor.
PROGRAM CHANGE: refers to changes or amendments to an existing program, e.g. adding a
new module to a program or updating or adding features to a program.
System development life cycle stages
• Must go through five stages of system development life cycle (SDLC) (Apply for both in-house or
packaged software)
1. Request submission, needs assessment and selection
2. Planning and design
3. System development and testing
4. Implementation
5. Post-implementation review and training
• Phase 1: Request submission, needs assessment and selection
All projects should originate from either a written user request or a genuine business
need identified by management.
All requests should be documented and presented to the board of directors or
delegated committee. To investigate and approve
A feasibility study must be carried out (cost-benefit analysis)
A feasibility study will include
Comprehensive user needs assessment
Resources required
Consideration of various alternative solutions
Cost-benefit analysis
• Phase 2: Planning and design:
Project team: the computer steering committee should appoint a project team to
manage the project
Member representation: the team should not consist of IT personnel only, but should
also include appropriate personnel from the user departments affected by the project
Programming standards: All work performed by the project team should be
conducted in accordance with predefined generally accepted programming
standards.
Project plan: the project team should create a project plan which contains timelines
for the project. Can also be used to measure the project performance
User requirements: a business analyst must perform a detailed investigation of user
needs, to understand the affected users' requirements (including those of internal and
external auditors)
System specifications signed off: The needs assessment should be reviewed and
signed off by heads of all user departments before programming can commence.
• Phase 3: System development and testing
Development area: used to program and develop the system. The programmers should
write the code independently of the live system and live data.
Test area: once the program is complete, it is tested in the test area.
Production area: the tested program is moved to the live system.
Tests that need to be performed on the performance of hardware and software
Program test: tests the processing logic, to verify if all the situations are treated
correctly.
String test / series test: tests that a chain of related programs link together correctly
System test: this tests all programs used together as a single system, to ensure that
they integrate properly
Stress test: tests the performance and capacity of the system when it is subjected to a
high volume of processing and its resources are under heavy demand.
User Acceptance test phase: where the users including management test the
program‟s functionality. Final approval for implementation after testing and correction
of errors by management, users and IT.
• Phase 4: Implementation
• Controls: when implementing the program controls relating to system conversion and
transfer of data should be implemented
• Conversion: parallel (run concurrently together), direct shut down, phased (in stages)
• Implementation is a project on its own-Mini-project
• Senior experienced staff
• System documentation about the system and its operations, including training materials
• All users to receive appropriate training on the operations of the system
System close-off and data clean-up:
A change-over date must be set
All financial transactions from the old system should be closed off
All data from the old system should be cleaned up
All necessary control totals and financial balances should be calculated
Record counts should be performed
Where possible all data should be externally verified
A back-up should be made of the old system
All data from the old system should be signed off as
System conversion: one of the three methods of implementing new systems may be used.
Parallel processing: the old and new systems run concurrently for a limited period of
time
Direct shutdown: the old system is completely shut down at once and the new system is
launched immediately
Modular/phased implementation: the old system is phased out in sections and the new
system takes its place according to the set timetable
Post-conversion review:
Compare the new and old data files
All necessary control totals, financial balances and record counts of the new system
should be calculated and reconciled with those of the old system
The data from the new system should be compared to the results from external
confirmation
Any discrepancies identified in performing the above-mentioned steps, and any unusual
items, must be investigated and resolved
A register or exception report of all discrepancies or unusual items identified should
be maintained for investigation and, once resolved, approval by the users
PHASE 5: Post-implementation review
Any errors that occur after the new system has become operational should be
corrected, and a register of these errors should be maintained by IT.
IT personnel, auditors and members of management should determine whether:
o The system meets the respective users' needs
o The necessary controls have been implemented
o Misstatements that have been detected have been resolved
o The system development process was effective
o The system documentation and training is sufficient
C: System change controls
Systems maintenance describes changes to a system after
• As the needs of users change, it is also necessary to make less significant amendments
to the functionality of a program or simply to update the program to meet users' needs.
These are known as program changes.
• The five stages of the system development life cycle should be followed (less resource-
intensive)
• Users should be required to complete written requests on prenumbered, preprinted
standard forms
• Each request should be logged in a request register for later review and investigation
• The program change request must be approved by the relevant line manager.
• Once a program change has been effected, it must be recorded in the register
• Periodically, management must follow up on any requests not completed within a
reasonable time period
D: Access Controls
• Physical and computerised controls prevent unauthorised persons from gaining access.
Preventative controls
1: Security management policy
• Management should drive a culture of security awareness.
• This can be achieved by implementing a risk management process in which a company
continuously evaluates its processes in order to identify security risks and threats and
then act accordingly.
• A security management policy must be developed and widely distributed to all
employees, who acknowledge that they have agreed to comply with the policy.
2: Physical Access Controls (to premises and IT department)
• Restricting physical access by means of high electrified fences around the company's
premises.
• Installing security gates and magnetic doors, which open by means of an electronic tag /
pin pad / biometric identification and which close after use.
• Presence of security guards at all entrances and exits.
• Limiting the number of potential entry / exit points.
• Doors should remain locked at all times.
• Premises should be monitored by closed-circuit TV monitors.
• Important hardware should be locked away in a dedicated room
3: Logical access controls
• Logical access controls are computerised access controls that are implemented within
the system and which limit access to terminals, networks, data and functionality.
Identification of users and computer resources
User identification or username
Magnetic card or tag
Biometric techniques
Terminal identification or IP address
Authentication of Users
Entering a unique password.
Entering a piece of information which an unauthorised individual would not know
about the genuine user.
Connecting a device to the USB port of the terminal.
Entering a one-time password sent to the user's cell phone / email account.
Authorization
Defining the levels of access to be granted to users and computer resources.
Once the system has authenticated the user, access will only be given to those
programs and data files to which the user is authorised to have access
Password Controls
It must be unique to each user and should not be obvious or easy to guess.
It should remain confidential.
It should have a minimum length.
It should consist of a combination of letters, figures and symbols and contain both upper-
and lower-case letters.
New users should change their initial password the first time they log on to the system.
It should be changed frequently.
It should not be displayed on the screen, printed in a report or logged on transaction logs.
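The identification, authentication, authorisation and password controls above, shown working together in Python. This is an added example for these notes, not code from the original notes or from any accounting package; the policy values (12-character minimum, 90-day expiry, PBKDF2 iteration count), the usernames, functions and passwords are all assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

MIN_LENGTH = 12                          # assumed policy value ("minimum length")
PASSWORD_MAX_AGE = timedelta(days=90)    # assumed policy value ("changed frequently")
PBKDF2_ITERATIONS = 200_000
TODAY = date(2024, 1, 10)                # fixed clock so the example is reproducible


def days_later(day: date, n: int) -> date:
    return day + timedelta(days=n)


def password_meets_policy(pw: str) -> bool:
    """Minimum length plus lower-case, upper-case, digit and symbol characters."""
    return all([len(pw) >= MIN_LENGTH, re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, iterated hash: only this digest is stored, never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AccessControl:
    """Identification (username), authentication (password) and authorisation
    (an access table of the functions each user may perform), plus a security
    violation log for the 'logs and reviews' control. Denied attempts are logged
    with the username and reason only; passwords never appear in the log."""

    def __init__(self):
        self.access_table = {}   # username -> credentials and permitted functions
        self.violations = []     # (date, username, reason) for management review

    def add_user(self, username: str, initial_pw: str, functions, today: date):
        salt = os.urandom(16)
        self.access_table[username] = {
            "salt": salt, "hash": hash_password(initial_pw, salt),
            "functions": frozenset(functions), "changed_on": today,
            "must_change": True,   # new users change the initial password at first logon
        }

    def authenticate(self, username: str, pw: str, today: date) -> str:
        """Returns 'ok', 'change_required' or 'denied'."""
        user = self.access_table.get(username)
        if user is None:
            self.violations.append((today, username, "unknown user"))
            return "denied"
        if not hmac.compare_digest(hash_password(pw, user["salt"]), user["hash"]):
            self.violations.append((today, username, "wrong password"))
            return "denied"
        if user["must_change"] or today - user["changed_on"] > PASSWORD_MAX_AGE:
            return "change_required"
        return "ok"

    def change_password(self, username: str, old_pw: str, new_pw: str, today: date) -> bool:
        if self.authenticate(username, old_pw, today) == "denied":
            return False
        if new_pw == old_pw or not password_meets_policy(new_pw):
            return False
        user = self.access_table[username]
        user["salt"] = os.urandom(16)
        user["hash"] = hash_password(new_pw, user["salt"])
        user["changed_on"], user["must_change"] = today, False
        return True

    def authorise(self, username: str, function: str, today: date) -> bool:
        """Authorisation follows authentication: only functions on the user's
        access profile may be performed; anything else is a logged violation."""
        profile = self.access_table.get(username)
        allowed = profile is not None and function in profile["functions"]
        if not allowed:
            self.violations.append((today, username, f"not authorised for {function}"))
        return allowed


if __name__ == "__main__":
    ac = AccessControl()
    ac.add_user("a.smith", "Initial-Pass-2024!", ["capture_invoice"], TODAY)
    print(ac.authenticate("a.smith", "Initial-Pass-2024!", TODAY))   # change_required
```

The violation log is what the "logs and reviews" control consumes: it carries who, when and why, but never the password that was tried, so a review report cannot itself become a source of leaked credentials.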
5: Logs and Reviews
Management and senior personnel review reports and logs for
o Errors
o Unauthorised transactions
o Omissions
4 & 6: Other important security controls
Library control: a library function should be created, with a designated employee (the
"data librarian") who secures and manages data
Controls during data communication
Regular software updates
Encryption
Firewalls
Call-back facilities
Anti-virus and malware programs
E: Business continuity controls
Preventative Controls
• Controls should be implemented to protect a company against both physical and
non-physical dangers
Detective and Corrective Controls
Data backups: A business should maintain suitable backups of all source documents
and records.
Emergency recovery plan: Having backups is not sufficient if not supported by a
comprehensive plan that outlines how a business should act during and after a
disaster.
Other controls to mitigate impact: companies must ensure that they have sufficient
and appropriate insurance cover in place that covers all pertinent risks, including
losses of profits arising from a loss of business due to a disaster
Guidelines for making backup copies of data
• A formalised backup policy that states when and how backups are to be made must be
in place.
• The policy should state which files should be backed up and it should include all
operating and financial information necessary for a business to recommence operations
should a disaster occur.
• Regular backups must be scheduled and made. At least three generations of backups
should be maintained.
• Backups should be stored in a secure location off-site, preferably in a fireproof
facility. The viability of cloud services should also be considered.
• The backup copies must be tested frequently
Characteristics of Emergency Recovery Plan
• A written emergency recovery plan/strategy document should be in place,
• This emergency recovery plan/strategy document must be widely distributed.
• A list of data and program files that are key to the operations of the business and that
have to be recovered in case of disaster must be prepared
• An alternative processing facility should be in place at which the company's core
operations can continue to operate
• Provision should be made for testing the emergency recovery plan to identify
weaknesses
F: Operating controls and system maintenance controls
Scheduling when production runs, and processing takes place to ensure IT
resources are used effectively.
Setting standards for the operating activities and maintenance and use of assets.
Ensuring that library controls are in place to keep track of and secure data, files,
programs and documentation.
Maintain logs and activity registers of the use of software and hardware, and the
review of these by management.
Implementing policies about acceptable user behaviour and best practices to ensure the
effective operations of the hardware and software.
Detect and correct controls
Logs, activity registers and security violation reports maintained on:
o All visitors to the premises, as well as an electronic log of movements
o All sign-off and sign-on details
o All changes to usernames and passwords
APPLICATION CONTROLS
An application- Is a set of procedures and programmes designed to satisfy all users
associated with a specific task.
Application controls: are manual (performed by humans) and automated (performed by
the computer system) controls within a particular application
o Provide reasonable assurance that recorded transactions are:
Valid
Accurate
Complete
Application controls: Background
The primary objective of application controls is to prevent, detect and correct misstatements
arising when a transaction is:
• Input
• Processed
• Output generated
• Thus, application controls implemented around:
Input: capturing and recording of information
Processing of data within a computer
Distribution of output
Changes to master file data.
Input Controls
Recording data on documents
The screen
Capturing of data
Electronic logs to be maintained
The error correction process
Processing Controls
Ensuring the correct data, files and programs are used
Calculating control total
Programming of the software
Electronic logs to be maintained, reviews to be performed
Output Controls
Correctness of generation of output
Proper distribution of output
The receipt of output
Electronic logs to be maintained and reviews
Three types of application controls in this context:
• Independent manual controls
Performed independently of the computer system
• IT-dependent manual controls
Dependent on the output produced by the computer system
• Programmed Controls
Solely dependent and performed by the computer system and operates without any
human interaction
Overview of application controls
• Key areas in application controls
Input
Processing
Output
Master file changes
Input Controls.
• Objective: Ensure data entered, and Masterfile changes are valid, accurate and
complete
• E.g. correct information, no duplications, not fictitious, all input entered.
• Controls are also implemented to ensure that rejected inputs are identified, investigated
and corrected or re-entered
• Consequences if input controls fail
Unauthorised transactions being entered
Data already in the system being added to or deleted
Errors occurring during the creation of data
Data being lost
Input controls are necessary over:
• Data Capturer
Controls over: the person capturing the document or data and the hard copy
document
• Computer ‘screen’
The computer screen that aids the person capturing the document (known as screen
aids)
This is done by means of controls programmed into the software (known as logical
programmed controls)
• Management review of the data
This is done to identify and correct any errors timeously
Input controls are achieved through the following:
CONTROLS
User-related controls
o Users should receive specific training on the functionalities of the programs that are
necessary for them to perform their job function, to reduce the number of errors
o Dedicated employees should be appointed as capturing specialists
o Employees responsible for capturing data should be held accountable
o Set up access profiles, with each user receiving a unique username linked to an
authentication mechanism such as a password (PASSWORD CONTROLS)
o Each user's access rights should be set up on an access table that contains the
user's rights to access programs and data and the functionalities he or she can perform
o Enforce segregation of duties by allocating override rights to a senior employee
Documentation
o Ensure that the manual documentation complies with acceptable document standards, is
well designed, and is easy to understand
Screen aids
Screen aids are all the features and procedures built into the program and reflected on
the screen to assist the user in capturing data with the least effort and the lowest
probability of error.
o The screen layout should assist in ensuring that the user inputs all data that is
required
o The hard-copy document layout should appear similar to that of the screen
o The screen layout should be standard and user-friendly and require the minimum data
to be captured (drop-down menus and look-up functions)
o The computer should prompt the user to enter data where data is missing
o Prompting or computer dialogue could also be used to highlight errors
o A user could also be prompted to confirm whether the details captured on the screen
are correct
o A user could be directed further by the use of compulsory fields, which require that a
field be completed before the program allows the user to continue capturing further data
o If a user is not authorised to perform a function, the button or tab on the screen
triggering the function could be shaded and made inactive
Logical programmed controls
Logical programmed controls are application controls that test the input of data
against predetermined rules that are programmed into the computer package, to validate
the input.
o Types of logical controls:
Validity test
Limit test
Related data test
Field length test
Completeness test
Alphabetic/alphanumeric/numeric character test
Reasonability test
Sign test
Check digit verification
Review, reporting & exception monitoring
o A senior member of staff should extract logs, audit trails and registers from the
computer to review activities and any unusual transactions
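The nine logical programmed controls listed above, applied to a captured sales invoice line. This Python example is added to these notes (it is not from the original notes or from any accounting package). Assumptions: the debtors master file, the account numbers, the invoice records and the limit and reasonability thresholds are all constructed for the illustration, and the check digit scheme is modulus-10 (Luhn), since the notes do not prescribe an algorithm.

```python
# Constructed (hypothetical) debtors master file: account number -> credit limit.
# The last digit of each account number is a Luhn (modulus-10) check digit.
DEBTORS_MASTER = {"1000017": 50_000.00, "1000025": 10_000.00, "1000033": 2_500.00}

REQUIRED_FIELDS = ("account", "invoice_no", "quantity", "unit_price", "amount")
MAX_INVOICE_AMOUNT = 100_000.00   # limit test threshold (assumed policy value)
MAX_REASONABLE_QTY = 1_000        # reasonability test threshold (assumed)


def luhn_valid(number: str) -> bool:
    """Check digit verification (modulus-10 / Luhn): catches any single mis-keyed
    digit and most transpositions of two adjacent digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_invoice(rec: dict) -> list:
    """Apply the logical programmed controls to one captured invoice line and
    return the list of failed tests (an empty list means the record is accepted)."""
    # Completeness test: every compulsory field must be captured before anything else runs.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        return [f"completeness: missing {','.join(missing)}"]
    errors = []
    acct = str(rec["account"])
    # Field length test and numeric character test on the account number.
    if len(acct) != 7:
        errors.append("field length: account must be 7 characters")
    if not acct.isdigit():
        errors.append("numeric: account must contain digits only")
    elif not luhn_valid(acct):
        # Check digit verification runs before the master file lookup.
        errors.append("check digit: account number fails modulus-10 check")
    elif acct not in DEBTORS_MASTER:
        # Validity test: the account must exist on the master file.
        errors.append("validity: account not on debtors master file")
    # Alphanumeric character test on the invoice number.
    if not str(rec["invoice_no"]).isalnum():
        errors.append("alphanumeric: invoice number has invalid characters")
    qty, price, amount = rec["quantity"], rec["unit_price"], rec["amount"]
    # Sign test: quantities and amounts on a sales invoice must be positive.
    if qty <= 0 or price <= 0 or amount <= 0:
        errors.append("sign: quantity, price and amount must be positive")
    # Related data test: the amount must agree with quantity x unit price.
    if round(qty * price, 2) != round(amount, 2):
        errors.append("related data: amount != quantity * unit price")
    # Limit test: a hard ceiling on any single invoice value.
    if amount > MAX_INVOICE_AMOUNT:
        errors.append("limit: amount exceeds maximum invoice value")
    # Reasonability test: a quantity far outside normal experience is queried.
    if qty > MAX_REASONABLE_QTY:
        errors.append("reasonability: quantity unusually large")
    return errors


def validate_batch(records: list) -> dict:
    """Return {record index: failed tests} for every rejected record; accepted
    records are omitted, so the result doubles as the rejected-transactions report."""
    return {i: errs for i, rec in enumerate(records) if (errs := validate_invoice(rec))}


# Constructed sample input: one clean record followed by records that must be rejected.
SAMPLE_INPUT = [
    {"account": "1000017", "invoice_no": "INV2041", "quantity": 10, "unit_price": 125.50, "amount": 1255.00},
    {"account": "1000071", "invoice_no": "INV2042", "quantity": 1, "unit_price": 80.00, "amount": 80.00},    # two digits transposed
    {"account": "1000041", "invoice_no": "INV2043", "quantity": 2, "unit_price": 40.00, "amount": 80.00},    # check digit ok, no such account
    {"account": "1000025", "invoice_no": "INV-2044", "quantity": -3, "unit_price": 40.00, "amount": 100.00},
    {"account": "1000033", "invoice_no": "INV2045", "quantity": 5000, "unit_price": 30.00, "amount": 150000.00},
]

if __name__ == "__main__":
    for i, errs in validate_batch(SAMPLE_INPUT).items():
        print(f"record {i} rejected: {errs}")
```

Note the order of the account-number tests: the check digit is verified before the master file lookup, so a transposition ("1000071" for "1000017") is reported as a keying error rather than as an unknown account, which is the message the capturer needs to correct it.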
Additional Batch Controls:
Input
Once the class of transactions has been recorded on hard-copy documents for some
time a staff member should place the documents into manageable batches or
bundles.
Each batch must receive a unique bundle number.
The staff member should review the sequential numbers of the documents and
calculate various control totals before creating a batch
Control totals
Once the documents have been grouped into batches control totals should be
calculated by the user.
These control totals should be entered onto the computer which will compare the
totals that were entered with the totals calculated by the system after input.
The program should only authorise the transaction file for processing if the control
totals agree.
Control sheets
Once the batch has been prepared and control totals calculated, a batch control
sheet, attached to the batch, is prepared.
A second staff member should review the batch and recalculate the totals and sign
the batch control sheet as proof that the controls have been performed.
He or she should also review the batch to ensure that it contains transactions for only
the period specified on the batch control sheet.
After capturing of the batch, the computer should print a batch control report as proof
that the totals have been compared.
Batch register
A batch register should be maintained that contains information on the batch and
tracks the movement of the batch documents to be processed.
As the batches are handed to the data capturer by the preparer of the batch, they
must be recorded in the batch register.
A report with rejected transactions and errors should be generated and reviewed.
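The batch control procedure above as working code: control totals from the batch control sheet are compared with totals the system recomputes after capture, the pre-numbered document sequence is checked, and the batch is released only when everything agrees. The same control_totals function is what the post-conversion review earlier in these notes calls for when the old and new data files are reconciled. This Python example is added here and is not part of the original notes; the source documents, account numbers, amounts and the batch number are constructed for the illustration.

```python
from collections import namedtuple

ControlTotals = namedtuple("ControlTotals", "record_count financial_total hash_total")


def control_totals(documents: list) -> ControlTotals:
    """Record count, financial total (sum of amounts) and hash total (sum of account
    numbers: meaningless in itself, but it changes if an account is mis-keyed or a
    document is dropped). Money is rounded to cents."""
    return ControlTotals(
        record_count=len(documents),
        financial_total=round(sum(d["amount"] for d in documents), 2),
        hash_total=sum(int(d["account"]) for d in documents),
    )


def sequence_check(doc_numbers: list):
    """Pre-numbered documents: report gaps and duplicates within the batch's range."""
    nums = sorted(doc_numbers)
    if not nums:
        return [], []
    missing = sorted(set(range(nums[0], nums[-1] + 1)) - set(nums))
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    return missing, duplicates


def batch_control_report(batch_no: str, control_sheet: ControlTotals, captured: list) -> dict:
    """Compare the totals on the manual batch control sheet with totals the system
    recomputes from the captured transaction file. The batch is released for
    processing only when every total agrees and the document sequence is intact;
    otherwise the differences are printed on the batch control report."""
    system = control_totals(captured)
    differences = {
        name: {"control_sheet": getattr(control_sheet, name), "system": getattr(system, name)}
        for name in ControlTotals._fields
        if getattr(control_sheet, name) != getattr(system, name)
    }
    missing, duplicates = sequence_check([d["doc_no"] for d in captured])
    return {
        "batch_no": batch_no, "system_totals": system, "differences": differences,
        "missing_doc_nos": missing, "duplicate_doc_nos": duplicates,
        "released": not (differences or missing or duplicates),
    }


# Constructed batch of four pre-numbered source documents.
SOURCE_DOCUMENTS = [
    {"doc_no": 501, "account": "1000017", "amount": 1250.00},
    {"doc_no": 502, "account": "1000025", "amount": 300.50},
    {"doc_no": 503, "account": "1000033", "amount": 99.99},
    {"doc_no": 504, "account": "1000017", "amount": 4000.00},
]
# Totals as written on the batch control sheet by the preparer and checked by a second person.
CONTROL_SHEET = ControlTotals(record_count=4, financial_total=5650.49, hash_total=4000092)

# The same batch as captured by a data capturer who transposed one amount and skipped a document.
CAPTURED_WITH_ERRORS = [
    {"doc_no": 501, "account": "1000017", "amount": 1520.00},   # 1250.00 keyed as 1520.00
    {"doc_no": 502, "account": "1000025", "amount": 300.50},
    {"doc_no": 504, "account": "1000017", "amount": 4000.00},   # document 503 never captured
]

if __name__ == "__main__":
    print(batch_control_report("B17", CONTROL_SHEET, SOURCE_DOCUMENTS)["released"])       # True
    print(batch_control_report("B17", CONTROL_SHEET, CAPTURED_WITH_ERRORS)["differences"])
```

A financial total alone would not catch a capturer keying the right amount against the wrong account; the hash total over account numbers exists for exactly that case, and the sequence check catches the dropped document even when the remaining totals happen to agree.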
MANUAL ENVIRONMENT VS COMPUTERISED ENVIRONMENT
RECORD PROCEDURES
Manual: manual comparisons are performed to confirm the correctness of the details.
Computerised: the program makes the comparisons between the data captured and the
information already stored in the computer's memory.
AUTHORISATION & APPROVAL
Manual: approval is done by a senior member through signing a document.
Computerised: a programmed task will not proceed if approval has not been granted by a
senior staff member through capturing his/her username and password.
RECONCILIATION & REVIEW
Manual: a staff member performs comparisons between multiple sets of data, records,
documents and physical assets.
Computerised: the computer automatically performs comparisons or matching; an exception
report is reviewed and investigated.
Processing Controls
• Processing occurs when the computer system or package processes the information that
has been captured.
• Logical process controls are designed to ensure the integrity of data when being
processed
• Examples: saving a file, updating a file (after input), generating a report
Consequences if processing controls fails
• Data being lost, corrupted or changed
• Existing data being duplicated
• Invalid data being added during processing
• Calculation or accounting errors occurring
• Logical and rounding errors occurring
• Incorrect version of the program or data file being used
CONTROLS
User-related controls
o Dedicated employees should perform specific job functions and act as capturing
specialists
o Employees responsible for capturing data should be held accountable
o Set up access profiles, with each user receiving a unique username linked to an
authentication mechanism such as a password (NB: PASSWORD CONTROLS)
Correct program and file
o A data librarian should be appointed to ensure that the correct version of the
program and data files are used
o The risk of using incorrect or old data can be mitigated by clear internal naming of
files as well as by the use of external labels on files
o A company must have a processing schedule or register to link each production run
with a specific date and time
Computer control totals and reports
o Various control totals must be calculated while preparing the data
o These should be reconciled to control totals calculated automatically by the computer
after the data has been processed
o The control totals of the master file, which must be updated with the transaction
data on an independent transaction file, must be compared with the updated total of
the master file
o File balancing and shadow balancing
o The console log of processing and other control reports must be reviewed regularly to
identify any errors
o Any unusual items/errors should be investigated
Controls during processing
o Controls programmed into the computer program should be able to identify any missing
transaction data
o Other programmed validation tests must be performed by the system to detect data
errors and processing errors
o Exception reports should be generated and investigated
Review, reporting and exception monitoring
o Periodically, a senior member of staff should extract logs, audit trails and registers
from the computer to review activities and any unusual transactions
o Any unusual items should be investigated, and corrective action taken
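A master file update run under the processing controls listed above: the internal file label is checked against the processing schedule (correct program and file), the master file's stored control total is proved against its detail records before and after posting (file balancing), transactions that match no master record go to an exception report instead of being dropped, and a console log is produced for review. This Python example is added to these notes and is not from the original notes or from any accounting package; the file labels, accounts, balances and transactions are constructed for the illustration.

```python
from copy import deepcopy


class FileBalanceError(Exception):
    """Raised when a master file's stored control total disagrees with its detail records."""


def file_total(balances: dict) -> float:
    """Sum of all account balances, rounded to cents."""
    return round(sum(balances.values()), 2)


def run_master_update(master: dict, transactions: list,
                      scheduled_label: str, output_label: str) -> dict:
    """Post a transaction file to a debtors master file.

    - correct file version: the master's internal label must match the processing
      schedule for this run, so an old generation mounted by mistake is refused;
    - file balancing: the stored control total is proved against the detail records
      before the run, and opening + posted movements against the detail after it;
    - a transaction for an account that is not on the master file is reported as an
      exception, never silently discarded. The inputs are left unmodified.
    """
    if master["label"] != scheduled_label:
        raise ValueError(f"wrong file version: schedule expects {scheduled_label}, "
                         f"mounted {master['label']}")
    opening = file_total(master["balances"])
    if opening != master["control_total"]:
        raise FileBalanceError(f"opening control total {master['control_total']} "
                               f"!= detail total {opening}")

    updated = deepcopy(master["balances"])
    exceptions, posted = [], 0.0
    for txn in transactions:
        if txn["account"] not in updated:
            exceptions.append({"txn": txn, "reason": "account not on master file"})
            continue
        updated[txn["account"]] = round(updated[txn["account"]] + txn["amount"], 2)
        posted = round(posted + txn["amount"], 2)

    closing = file_total(updated)
    if closing != round(opening + posted, 2):
        raise FileBalanceError(f"closing detail total {closing} != opening + posted "
                               f"{round(opening + posted, 2)}")

    new_master = {"label": output_label, "control_total": closing, "balances": updated}
    console_log = {
        "input_file": master["label"], "output_file": output_label,
        "records_in": len(master["balances"]), "records_out": len(updated),
        "txns_read": len(transactions), "txns_posted": len(transactions) - len(exceptions),
        "txns_rejected": len(exceptions), "unposted_amount": round(sum(e["txn"]["amount"] for e in exceptions), 2),
        "opening_total": opening, "posted_total": posted, "closing_total": closing,
    }
    return {"master": new_master, "console_log": console_log, "exceptions": exceptions}


# Constructed master file (generation 3) and the day's transaction file.
DEBTORS_MASTER = {
    "label": "DEBTORS.G03", "control_total": 6150.50,
    "balances": {"1000017": 5000.00, "1000025": 1150.50, "1000033": 0.00},
}
TRANSACTION_FILE = [
    {"account": "1000017", "amount": 1250.00},   # invoice
    {"account": "1000025", "amount": -150.50},   # receipt
    {"account": "1000041", "amount": 80.00},     # account not on master file
]

if __name__ == "__main__":
    result = run_master_update(DEBTORS_MASTER, TRANSACTION_FILE, "DEBTORS.G03", "DEBTORS.G04")
    print(result["console_log"])
    print(result["exceptions"])
```

The two balancing checks fail for different reasons: the opening check catches a master file that was corrupted or partially updated by an earlier run, while the closing check catches an error inside this run itself; both halt processing before an unbalanced file is written out as the next generation.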
Output controls
• Involves the distribution of data from where it is stored to where it is viewed
• Hard-copy document, on-screen display, etc.
• Output must be valid, accurate and complete, and go to authorised parties only.
Controls over the distribution of data
CONTROLS
User-related controls
o Implement access controls over the output (reports marked confidential, encryption of
confidential information)
Controls over the distribution of output
o There should be a clear, written policy in the entity on how each type of output and
confidential information should be treated
o The policy should address how outputs should be treated at the following stages:
generation, during distribution, on receipt, and after use
o A dedicated person should be appointed to accept responsibility for the distribution
of output
o The names of these persons should be documented in a register, either manual or
electronic
o When the recipient receives the output or reviews its contents, he or she should give
an indication that the output has been received or reviewed
o A senior person should regularly review the distribution register to detect any
unauthorised distribution of outputs
Controls applicable when receiving output
The recipient should:
o Reconcile the input to the output, as well as major control totals
o Perform an output count and review the number sequence of the reports
o Check the page numbers
o Match the content of the report with the table of contents and the cover page; and
o Check that blank pages contain words such as 'empty page' and that the end of the
report contains words such as 'end of report'
There should be fixed procedures to prevent unauthorised persons from obtaining outputs
after their intended use.
Review, reporting & exception monitoring
o Periodically, a senior member of staff should extract logs, audit trails and registers
from the computer to review activities and any unusual transactions
o Any unusual items should be investigated, and corrective action taken
Consequences if Output Controls fail
• Output being distributed to unauthorised persons
• Output being incomplete or inaccurate, which can result in incorrect management
decisions or
• Output not agreeing with the underlying
• Controls implemented
Masterfile Change Controls
• Apply when standing data is changed, added or deleted
• Changes are requested by a user, not generated by the computer, e.g. debtors'/creditors'
details, price lists, inventory details
• Standing data is used repeatedly when transactions are processed
• If there is a data error in the master file, every affected transaction carries the error
Controls implemented over changes to master file information
CONTROLS
User-related controls
o Approval for master file amendments should be granted by a senior member of staff
o Only specific, designated staff members should be given access rights to update master
file information
o Any changes that could have a fundamental impact on the financial records should only
be allowed to be made on a designated computer
o Backups should be made of the master file information before changes are made
Request forms
o All master file amendment requests should be documented on a hard-copy master file
change request form
o This form should meet the acceptable document standards
o A senior member of staff should approve the master file change both electronically and
manually
Input controls
o ALL INPUT CONTROLS DISCUSSED EARLIER
Review, reporting and exception monitoring of logs, registers and financial data
o Each request logged should be recorded in a master file amendment request register
o It should regularly be reconciled with the automated register of completed requests
o Only read-only rights should be granted to the master file changes register
o These rights must be restricted to management and senior staff
o Both these registers must be reviewed by a responsible senior staff member on a
regular basis
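The reconciliation of the manual amendment request register with the system's automated register of completed changes, as the review control above requires, written so that each exception class corresponds to one of the ways the master file change controls can fail. This Python example is added to these notes and is not from the original notes or from any accounting package; the request numbers, accounts, field names, usernames and values are constructed for the illustration, and the segregation-of-duties check (approver must differ from capturer) is the editor's reading of the "approved by a senior member of staff" rule.

```python
def reconcile_change_registers(requests: list, completed: list) -> dict:
    """Reconcile the manual master file amendment request register (approved
    request forms) with the automated register of changes actually applied.

    Exception classes, each matching a control failure:
    - unapproved_requests: a request on the manual register with no approval;
    - unauthorised: a completed change with no approved request behind it;
    - outstanding: an approved request that was never applied;
    - miskeyed: a change applied with details different from those approved;
    - sod_breach: the same person both approved and captured the change.
    """
    approved = {r["request_no"]: r for r in requests if r.get("approved_by")}
    unapproved = [r for r in requests if not r.get("approved_by")]
    done_by_req = {c["request_no"]: c for c in completed if c.get("request_no")}

    unauthorised = [c for c in completed if c.get("request_no") not in approved]
    outstanding = [r for r in approved.values() if r["request_no"] not in done_by_req]
    miskeyed, sod_breach = [], []
    for no in sorted(approved.keys() & done_by_req.keys()):
        req, chg = approved[no], done_by_req[no]
        if (req["account"], req["field"], req["new_value"]) != (chg["account"], chg["field"], chg["new_value"]):
            miskeyed.append({"request": req, "change": chg})
        if req["approved_by"] == chg["captured_by"]:
            sod_breach.append({"request": req, "change": chg})

    return {
        "unapproved_requests": unapproved, "unauthorised": unauthorised,
        "outstanding": outstanding, "miskeyed": miskeyed, "sod_breach": sod_breach,
        "clean": not (unapproved or unauthorised or outstanding or miskeyed or sod_breach),
    }


# Constructed manual request register (from the hard-copy change request forms).
REQUEST_REGISTER = [
    {"request_no": "MF-101", "account": "1000017", "field": "credit_limit", "new_value": "60000",
     "requested_by": "a.smith", "approved_by": "fm.jones"},
    {"request_no": "MF-102", "account": "1000025", "field": "bank_account", "new_value": "62011223344",
     "requested_by": "a.smith", "approved_by": "fm.jones"},
    {"request_no": "MF-103", "account": "1000033", "field": "credit_limit", "new_value": "5000",
     "requested_by": "b.dube", "approved_by": "fm.jones"},
    {"request_no": "MF-104", "account": "1000033", "field": "address", "new_value": "12 Main Rd",
     "requested_by": "b.dube", "approved_by": ""},          # never approved
]
# Constructed automated register of completed changes written by the system.
COMPLETED_CHANGES = [
    {"change_id": 1, "request_no": "MF-101", "account": "1000017", "field": "credit_limit",
     "new_value": "60000", "captured_by": "a.smith"},
    {"change_id": 2, "request_no": "MF-102", "account": "1000025", "field": "bank_account",
     "new_value": "62011223434", "captured_by": "fm.jones"},   # mis-keyed, and approver captured it
    {"change_id": 3, "request_no": "", "account": "1000017", "field": "bank_account",
     "new_value": "99887766", "captured_by": "t.brown"},        # no request at all
    {"change_id": 4, "request_no": "MF-104", "account": "1000033", "field": "address",
     "new_value": "12 Main Rd", "captured_by": "b.dube"},       # applied without approval
]

if __name__ == "__main__":
    report = reconcile_change_registers(REQUEST_REGISTER, COMPLETED_CHANGES)
    for kind in ("unapproved_requests", "unauthorised", "outstanding", "miskeyed", "sod_breach"):
        print(kind, len(report[kind]))
```

The bank-account change on MF-102 is the case to note: it is both mis-keyed and captured by its own approver, so a reviewer would see it twice, once as a capturing error and once as a segregation-of-duties breach, and both findings go to the senior staff member who reviews the registers.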
Consequences if master file change controls fail.
• Unauthorised amendments
• Not all authorised amendments being updated on master file
• Errors in capturing amendments
• Errors contained in the master file data going undetected