General Control: These controls apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the Computer Based Information System (CBIS) environment. General controls can be further subdivided under the following headings:
i) Operating system controls,
ii) Data management controls,
iii) Organizational structure controls,
iv) Systems development controls,
v) Systems maintenance controls,
vi) Computer centre security and controls,
vii) Internet and intranet control,
viii) Personal computer control.
Personal Computer Controls
The capabilities, adaptability and user friendliness of Personal Computers (PCs) are posing a serious challenge to auditors as stated below:
PCs are likely to be shifted from one location to another or even taken outside the organization.
Decentralised purchasing of PCs can result in hardware/software incompatibility in the long run.
Floppies can be very conveniently transported from one place to another, as a result of which data corruption may occur. Mishandling, improper storage etc. can also cause damage.
The inherent data security provided is rather poor.
There is a chance that application software is not thoroughly tested.
Segregation of duties is not possible owing to the limited number of staff.
The operating staff may not be adequately trained.
Computer viruses can slow down the system, corrupt data and so on.
The security measures that could be exercised are as follows:
Physically locking the keyboard or the PC itself must be enforced.
Proper logging of equipment shifting must be done.
The PC purchase must be centrally coordinated and company-wide standards established for spreadsheets, word-processors, applications software etc.
Floppies must be stored in secured places and their issue duly authorized. They must be adequately packed before any shipment.
Data and programs on hard-disks must be secured using hardware/software mechanisms.
Backups must be taken regularly.
Minimum standards must be set for developing, testing and documenting applications.
Properly organized training programs must be periodically conducted. More than one user should be trained on each application.
Virus prevention and detection software obtained from reliable sources must be used. Write-protect tabs should be used on diskettes that do not require any alteration. Pirated software should be strictly avoided.
The PCs and their peripherals must be maintained regularly.
While the proliferation of powerful PCs in recent years has its own plus points, the associated risks must not be ignored. Thus, implementing effective controls is of prime importance.
Some other inherent problems of personal computers and the controls to be exercised are discussed below:
Weak Access Control: Security software that provides log-on procedures is available for PCs. Most of these programs, however, become active only when the computer is booted from the hard drive. A computer criminal attempting to circumvent the log-on procedure may do so by forcing the computer to boot from the A: drive, whereby an uncontrolled operating system can be loaded into the computer's memory. Having bypassed the computer's stored operating system and security package, the criminal has unrestricted access to data and programs on the hard disk.
Disk locks are devices that prevent unauthorized individuals from accessing the floppy disk drive of a computer. One form of disk lock is a memory-resident program that prevents the computer from being booted from the A: drive. The lock will also prevent the A: drive from being used to run programs, upload data and programs to the hard disk, or download from the hard disk. This form of disk lock is password controlled so it can be disabled as needed by an authorized user.
Multilevel Password Control: It is used to restrict employees who are sharing the same computers to specific directories, programs, and data files. This technique uses stored authorization tables to further limit an individual's access to read-only, data input, data modification, and data deletion capability. Multilevel password control can greatly enhance the small organization's control environment.
Inadequate Backup Procedures: To preserve the integrity of mission-critical data and programs, organizations need formal backup procedures. Computer failure, usually disk failure, is the primary cause of significant data loss in the PC environment. If the hard drive of the microcomputer fails, it may be impossible to recover the data stored on the disk. Formal procedures for making backup copies of critical data (and program) files can reduce this threat considerably. There are a number of options available for dealing with this problem.
Floppy Disk Backup: Files can be backed up to floppy disks at routine periods during processing and stored away from the computer. In the event of a microcomputer failure, the data file can be reconstructed from the backup disks.
Dual Internal Hard Drives: Microcomputers can be configured with two physical internal hard disks. One disk can be used to store production data while the other stores the backup files.
External Hard Drives: A popular backup option is the external hard drive with removable disk cartridge, which can store more than a gigabyte of data per cartridge. When a cartridge is filled, the user can remove it and insert a new one. External hard drives can be used as an effective and simple backup technique.