GENERAL CONTROLS
General Controls in a CIS Environment
These are usually defined as:
1) Data Centre or Computer Operations controls.
2) System Development controls.
3) System Security controls (access security)
General Controls–are control policies and procedures that relate to the overall computer information system.
1) Organization controls–clear assignment of authority and responsibility
a) Segregation between CIS dept. and user dept.
b) Segregation of duties within the CIS dept
2) Systems development and documentation controls–to facilitate use of programs as well as changes that may be introduced to the system
3) Access controls–adequate security controls, such as the use of passwords
4) Data recovery controls–provide for the maintenance of back-up files and off-site storage procedures.
5) Monitoring controls–to ensure that CIS controls are working effectively as planned
Why do general CIS Controls need to be effective?
1) CIS controls allow organizations to mitigate known attacks and are designed to be largely implemented, monitored and enforced through automated means.
2) The primary purpose of this approach is to minimize the effect of human error, especially when it comes to enforcing security controls.
What is an example of a general control?
Examples of general controls include software controls, physical hardware controls, data security controls, computer operations controls, etc. For example, a company may ensure that the hardware is physically accessible only to authorized personnel.
What are the 6 types of general control of information system controls?
General controls include
1) software controls,
2) physical hardware controls,
3) computer operations controls,
4) data security controls,
5) controls over the systems implementation process, and
6) administrative controls.
APPLICATION CONTROLS
What are the 3 application controls?
Application controls can be classified as
1) input controls,
2) processing controls, and
3) output controls.
Input controls check data for accuracy and completeness when they enter the system.
Application Controls–are those policies and procedures that relate to the specific use of the system.
1) Controls over Input–designed to provide reasonable assurance that data submitted for processing are complete, properly authorized and accurately translated into machine-readable form.
a) Key verification–this requires data to be entered twice to provide assurance that no key entry errors were committed.
b) Field check–this ensures that the input data agree with the required field format. Ex.: an SSS number must contain 10 digits. An input of an SSS number with more or fewer than 10 digits will be rejected.
c) Validity check–information entered is compared with valid information in the master file to determine the authenticity of the input. Ex.: the employees’ master file may contain two valid codes to indicate the employee’s gender, “1” for male and “2” for female. A code of “3” is invalid and will be rejected.
d) Self-checking digit–this is a mathematically calculated digit which is usually added to a document number to detect common transpositional errors in data submitted for processing.
e) Limit check–or reasonableness check, designed to ensure that data submitted for processing do not exceed a predetermined or reasonable amount.
f) Control totals–these are totals computed based on the data submitted for processing. Control totals ensure the completeness of data before and after they are processed.
Financial totals–sum total of the peso amounts in the documents
Hash totals–sum total of control numbers in the documents that have no intrinsic value, such as department numbers
Record count–total number of documents
2) Controls over Processing–designed to provide reasonable assurance that input data are processed accurately, and that data are not lost, added, excluded, duplicated, or improperly changed. Almost all of the input controls mentioned above are also part of processing controls.
3) Controls over Output–designed to provide reasonable assurance that the results of processing are complete and accurate, and that these outputs are distributed only to authorized personnel.
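As an added example (not part of the original notes), the following Python script applies the input controls described above to a constructed batch of payroll input documents and computes the three control totals. The record layout, the weighted modulus-11 check-digit scheme, the 80-hour ceiling used for the limit check, and every sample value are assumptions made for this illustration; the notes do not prescribe any of them.

```python
# Added illustration (not from the original notes): the input controls above applied to a
# constructed batch of payroll input documents, plus the three control totals. The record
# layout, the mod-11 check-digit scheme, the hours ceiling and all sample values are
# assumptions made for this example.
from dataclasses import dataclass

VALID_GENDER_CODES = {"1", "2"}  # validity check: master-file codes, "1" male, "2" female
MAX_HOURS = 80                    # limit (reasonableness) check ceiling per pay period (assumed)
SSS_DIGITS = 10                   # field check: an SSS number must be exactly 10 digits


@dataclass
class InputRecord:
    doc_no: str    # document number with a trailing self-checking digit
    sss_no: str    # SSS number, subject to the field check
    gender: str    # gender code, subject to the validity check
    dept: str      # department number: no intrinsic value, so it feeds the hash total
    hours: int     # hours worked, subject to the limit check
    amount: float  # peso amount, feeds the financial total


def field_check_sss(sss_no: str) -> bool:
    """Field check: the value must have the required format (10 digits)."""
    return len(sss_no) == SSS_DIGITS and sss_no.isdigit()


def validity_check_gender(code: str) -> bool:
    """Validity check: the code must exist in the master file."""
    return code in VALID_GENDER_CODES


def limit_check_hours(hours: int) -> bool:
    """Limit check: hours must be within a predetermined reasonable range."""
    return 0 <= hours <= MAX_HOURS


def check_digit(body: str) -> str:
    """Weighted modulus-11 check digit (an assumed scheme; the notes name none).
    Weights 2, 3, 4, ... are applied from the rightmost digit leftwards, so swapping
    two adjacent digits changes the weighted sum and the transposition is detected."""
    weighted = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    rem = (11 - weighted % 11) % 11
    return "X" if rem == 10 else str(rem)


def self_check_digit_ok(doc_no: str) -> bool:
    """Self-checking digit: recompute the digit and compare it with the one submitted."""
    body, digit = doc_no[:-1], doc_no[-1]
    return body.isdigit() and check_digit(body) == digit


def validate_batch(records):
    """Run the edit checks over a batch; returns {doc_no: [failed checks]} for rejects."""
    rejects = {}
    for r in records:
        failed = []
        if not self_check_digit_ok(r.doc_no):
            failed.append("document number check digit")
        if not field_check_sss(r.sss_no):
            failed.append("SSS number field check")
        if not validity_check_gender(r.gender):
            failed.append("gender validity check")
        if not limit_check_hours(r.hours):
            failed.append("hours limit check")
        if failed:
            rejects[r.doc_no] = failed
    return rejects


def control_totals(records):
    """Financial total, hash total and record count for a batch."""
    return {
        "financial_total": round(sum(r.amount for r in records), 2),
        "hash_total": sum(int(r.dept) for r in records),
        "record_count": len(records),
    }


def totals_mismatch(before, after):
    """Names of the control totals that differ between the before and after files."""
    return [name for name in before if before[name] != after[name]]


# Constructed sample batch. Document numbers 123455, 200018 and 300071 carry correct
# check digits; 123545 is 123455 with two adjacent digits transposed.
SAMPLE_BATCH = [
    InputRecord("123455", "0012345678", "1", "10", 40, 12000.00),  # clean
    InputRecord("200018", "123456789", "2", "20", 38, 9500.50),    # SSS number has 9 digits
    InputRecord("300071", "9876543210", "3", "30", 95, 15000.00),  # bad gender code, hours over limit
    InputRecord("123545", "5555555555", "2", "10", 45, 11200.25),  # transposed document number
]

# The same batch after processing, except that the fourth document was replaced by one
# with the same amount and hours but a different department (constructed substitution).
SWAPPED_BATCH = SAMPLE_BATCH[:3] + [InputRecord("400000", "5555555555", "2", "40", 45, 11200.25)]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_BATCH))
    print(control_totals(SAMPLE_BATCH))
    print(totals_mismatch(control_totals(SAMPLE_BATCH), control_totals(SWAPPED_BATCH)))
```

Running the script rejects three of the four documents and names the check each one failed. The last line shows why a hash total is kept even though department numbers have no meaning in themselves: when one document is swapped for another with the same amount and hours, the financial total and record count still agree, and only the hash total reveals the substitution.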
Advantages of Using Application Security Controls
They help prevent malicious actors from exploiting application vulnerabilities and reduce the risk of a breach. Security controls also help minimize the costs involved in containing attacks by improving the observability of applications, network traffic, and data.
Test of Controls in a CIS Environment
1) The auditor’s objectives and the scope of the audit do not change in a CIS environment.
2) Testing the reliability of general controls may include:
a) Observing the client’s personnel performing their duties
b) Inspecting program documentation
c) Observing the security measures in force
3) In testing application controls, the auditor may either:
a) Audit around the computer
Similar to testing controls in a manual control structure in that it involves examination of documents and reports to determine the reliability of the system.
When using this approach, the auditor ignores the client’s data processing procedures, focusing solely on the INPUT documents and the CIS OUTPUT.
Can be used only if there are visible input documents and detailed output that enable the auditor to trace individual transactions back and forth.
This is also known as the “black box approach”.
b) Use Computer-Assisted Audit Techniques (CAATs)
CAATs are computer programs and data which the auditor uses as part of the audit procedures to PROCESS data of audit significance contained in an entity’s information systems.
Used when computerized accounting systems perform tasks for which no visible evidence is available. Consequently, the auditor will have to audit the client’s computer programs directly using CAATs.
This is also known as the “white box approach”.
Commonly used CAATs
1) Test Data–designed to test the effectiveness of the internal control procedures which are incorporated in the client’s computer program. The objective of this technique is to determine whether the client’s computer programs can correctly handle valid and invalid conditions as they arise.
2) Integrated Test Facility (ITF)
a) the auditor creates a dummy or fictitious employee, or other appropriate unit for testing, within the entity’s computer system.
b) ITF integrates the processing of test data with the actual processing of ordinary transactions without management being aware of the testing process.
c) ITF provides assurance that the program tested by the auditor is the same program used by the client in the processing of transactions (unlike the test data approach).
3) Parallel Simulation–requires the auditor to write a program that simulates key features or processes of the program under review.
a) The simulated program is then used to reprocess transactions that were previously processed by the client’s program.
b) Can be accomplished by using:
Generalized auditing software–composed of generally available computer packages which have been designed to perform common audit tasks
Purpose-written programs–designed to perform audit tasks in specific circumstances.
4) Other CAATs
a) Snapshots–taking a picture of a transaction as it flows through the computer systems.
b) System control audit review files (SCARF)–embedding audit software modules within an application system to provide continuous monitoring of the system’s transactions. The information is collected into a special computer file that the auditor can examine.
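The parallel simulation technique in item 3 above, as an added Python example that is not part of the original notes. The auditor’s program re-implements one key feature of a hypothetical client payroll program (gross pay with overtime) and reprocesses transactions the client’s program already processed; the pay rules, the client output rows and the error planted in them are constructed assumptions for this illustration.

```python
# Added illustration (not from the original notes): parallel simulation. The auditor's
# program below re-implements one key feature of a hypothetical client payroll program
# (gross pay with overtime) and reprocesses transactions the client already processed.
# The pay rules, the client output rows and the discrepancy in them are all constructed.
REGULAR_HOURS = 40          # assumed policy: hours above 40 are overtime
OVERTIME_MULTIPLIER = 1.25  # assumed policy: overtime paid at 125% of the hourly rate
TOLERANCE = 0.005           # differences below half a centavo are rounding, not exceptions

# Transactions previously processed by the client's program, with the gross pay that
# program produced. Employee 1003 was paid overtime at straight time (constructed error).
CLIENT_OUTPUT = [
    {"emp_id": "1001", "rate": 100.0, "hours": 40, "client_gross": 4000.00},
    {"emp_id": "1002", "rate": 120.0, "hours": 45, "client_gross": 5550.00},
    {"emp_id": "1003", "rate": 150.0, "hours": 50, "client_gross": 7500.00},
]


def simulate_gross_pay(rate: float, hours: int) -> float:
    """Auditor's simulation of the feature under review: regular pay plus overtime."""
    regular = min(hours, REGULAR_HOURS)
    overtime = max(hours - REGULAR_HOURS, 0)
    return round(rate * regular + rate * OVERTIME_MULTIPLIER * overtime, 2)


def reconcile_totals(client_output):
    """Batch-level comparison of gross pay from both programs, done before looking at
    individual transactions. Returns (client_total, simulated_total)."""
    client_total = round(sum(r["client_gross"] for r in client_output), 2)
    simulated_total = round(
        sum(simulate_gross_pay(r["rate"], r["hours"]) for r in client_output), 2
    )
    return client_total, simulated_total


def reprocess(client_output):
    """Reprocess every transaction with the simulation and list the exceptions, i.e.
    the transactions where the client's result and the simulated result differ."""
    exceptions = []
    for row in client_output:
        simulated = simulate_gross_pay(row["rate"], row["hours"])
        if abs(simulated - row["client_gross"]) > TOLERANCE:
            exceptions.append({
                "emp_id": row["emp_id"],
                "client_gross": row["client_gross"],
                "simulated_gross": simulated,
                "difference": round(row["client_gross"] - simulated, 2),
            })
    return exceptions


if __name__ == "__main__":
    print("client vs simulated batch total:", reconcile_totals(CLIENT_OUTPUT))
    for exception in reprocess(CLIENT_OUTPUT):
        print(exception)
```

The batch totals are compared first; a difference there tells the auditor that at least one transaction was processed differently by the two programs, and the exception list then isolates which ones, so that follow-up work moves from the program to the specific transactions.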
MULTIPLE CHOICE QUESTIONS
1) The applications of auditing procedures using the computer as an audit tool refer to
a) Integrated test facility
b) Auditing through the computer
c) Data-based management system
d) Computer assisted audit techniques
2) An internal auditor noted the following points when conducting a preliminary survey in connection with the audit of an EDP department. Which of the following would be considered a safeguard in the control system on which the auditor might rely?
a) Programmers and computer operators correct daily processing problems as they arise
b) The control group works with user organizations to correct rejected input
c) New systems are documented as soon as possible after they begin processing live data
d) The average tenure of employees working in the EDP department is ten months
3) Which statement is incorrect regarding CAATs?
a) CAATs are often an efficient means of testing a large number of transactions or controls over large populations
b) To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT
c) The general principles outlined in PAPS 1009 apply in small entity IT environments
d) Where smaller volumes of data are processed, the use of CAATs is more cost effective
4) Consists of generalized computer programs designed to perform common audit tasks or standardized data processing functions.
a) Package or generalized audit software
b) Utility programs
c) Customized or purpose-written programs
d) System management programs
5) Which statement is incorrect regarding the evaluation of general CIS controls and CIS application controls?
a) The general CIS controls may have a pervasive effect on the processing of transactions in application systems
b) If general CIS controls are not effective, there may be a risk that misstatements might occur and go undetected in the application systems
c) Manual procedures exercised by users may provide effective control at the application level
d) Weaknesses in general CIS controls cannot preclude testing certain CIS application controls
6) Which one of the following represents a lack of internal control in a computer-based information system?
a) The design and implementation is performed in accordance with management’s specific authorization
b) Any and all changes in application programs have the authorization and approval of management
c) Provisions exist to protect data files from unauthorized access, modification, or destruction
d) Both computer operators and programmers have unlimited access to the programs and data files
7) Some of the more important controls that relate to automated accounting information systems are validity checks, limit checks, field checks, and sign tests. These are classified as
a) Control total validation routines
b) Output controls
c) Hash totaling
d) Input validation routines
8) In an automated payroll processing environment, a department manager substituted the time card for a terminated employee with a time card for a fictitious employee. The fictitious employee had the same pay rate and hours worked as the terminated employee. The best control technique to detect this action using employee identification numbers would be a
a) Batch total
b) Hash total
c) Record count
d) Subsequent check
9) The most critical aspect regarding separation of duties within information systems is between
a) Project leaders and programmers
b) Programmers and systems analysts
c) Programmers and computer operators
d) Data control and file librarians
10) Which of the following most likely represents a significant deficiency in the internal control structure?
a) The systems analyst reviews applications of data processing and maintains systems documentation
b) The systems programmer designs systems for computerized applications and maintains output controls
c) The control clerk establishes control over data received by the EDP department and reconciles control totals after processing
d) The accounts payable clerk prepares data for computer processing and enters the data into the computer