The internal controls in a computerized environment include both manual procedures and procedures designed into computer programs. Such control procedures comprise two types of control, general controls and application controls.
a) General IT Controls
GITCs are a critical component of business operations and financial information controls. They provide the foundation for reliance on data, reports, automated controls, and other system functionality underlying business processes. The security, integrity, and reliability of financial, procurement and inventory information rely on proper access controls, controls over network operations, system software acquisition, change and maintenance, and operational controls. The General IT Controls are very important to key stakeholders—owners, investors, regulators, audit committees, management, and auditors.
i) Access to Programmes and Data
Risk: Unauthorized access to programs and data may result in improper changes to data or destruction of data.
Objectives: Access to programs and data is properly restricted to authorized individuals only.
• Policies and procedures
• Roles and responsibilities
• Security parameter settings of operating systems, applications (including Enterprise Resource Planning (ERP) systems, e.g. SAP, Navision, Oracle) and databases
• User access rights
• User access provisioning and de-provisioning
• Periodic access reviews
• Password requirements
• Privileged user accounts
• Monitoring & Training
• Physical security
EXAMPLES
Area | Existing Control Design | How to Test/Validate
Physical access | Only authorized personnel can access secured areas and computer facilities. | Walkthrough of areas (e.g. data centre, backup storage etc.)
User access provisioning | A formal process for granting or modifying system access (based on the appropriate level of approval) is in place. | Review evidence of approval
Password requirements | Unique (to the individual) and strong passwords are used. | Assess the password rules enforced
ii) Network Access Control over Computer Operations
Risk: Systems or programs may not be available for users or may not be processing accurately.
Objectives: Systems and programs are available and processing accurately.
• Organisation of IT function
• Service Level Agreements
• Backup and recovery procedures
• Incident handling and problem management
• Environmental controls
• Business Continuity and Disaster Recovery Plans
• Network Management
• Backups and Recovery
• Insurance
EXAMPLES
Area | Existing Control Design | How to Test/Validate
Backup and recovery | Backups of critical data and programs are available in the event of an emergency. | Review/assess procedures for backup and recovery and validate that the procedures are followed
Problem/issue management | A formal process for problem/issue handling is in place to ensure timely identification, escalation, resolution and documentation of problems. | Review/assess procedures for problem/issue management and validate that the procedures are followed
iii) Controls over Programme Development and Implementation of New Systems
Risk: Direct changes in IT development environment would override the established change management process. This could result in inappropriate and untested application changes that can potentially affect the system’s stability and integrity of procurement data.
Objectives: All changes to existing systems are properly authorized, tested, approved, implemented and documented.
• Testing procedures
• Transfer to live
• Documentation and Training
• Controls over Programme Changes
• Maintenance activities
• Change Requests
• Segregation of duties
EXAMPLES
Area | Existing Control Design | How to Test/Validate
Change management controls | A formal process for change management is in place. | Review change management procedures and validate that the procedures are followed
Testing | An appropriate level of testing is performed. | Review evidence of test plans and results
Approval | Appropriate approval is required prior to migration to production. | Review evidence of approval
General IT controls that relate to some or all applications are usually interdependent controls, i.e. their operation is often essential to the effectiveness of application controls. As application controls may be useless when general controls are ineffective, it is more efficient to review the design of general IT controls first, before reviewing the application controls.
b) Application controls are manual or automated procedures that typically operate at a business process level. They can be preventative or detective in nature and are designed to ensure the integrity of the procurement records. Accordingly, they relate to procedures used to initiate, record, process and report transactions or other financial data.
The purpose of application controls is to establish specific control procedures over the procurement applications such as inventory control, manufacturing resource planning (MRP) and distribution requirements planning (DRP) in order to provide reasonable assurance that all transactions are authorized and recorded, and are processed completely, accurately and on a timely basis. Application controls include the following.
I. Input Controls – These controls are used mainly to check the integrity of data entered into a business application, whether the data is entered directly by staff, remotely by a business partner, or through a Web-enabled application or interface. Data input is checked to ensure that it remains within specified parameters.
EXAMPLES
Area | Existing Controls | How to Test/Validate
Data checks and validation | • Sequence check • Limit check • Range check • Validity check • Reasonableness check • Table lookups • Existence check • Key verification • Check digit • Completeness check • Duplicate check • Logical relationship check | • Conduct a sample test of each scenario. • Observe attempts to input incorrect data. • Determine who can override controls.
Automated authorization, approval, and override | • Override capability • Authorization and approval rights | • Conduct tests based on user access rights. • Test access privileges for each sensitive function or transaction. • Review access rights that set and amend configurable approval and authorization limits.
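As an added illustration (not part of this guidance or any ERP product), the following Python function applies the data checks listed above to one purchase-order line and reports which controls failed; the supplier master, unit codes, limits, field names and the Luhn check digit are assumptions chosen for the example:

```python
"""Input-control checks on a procurement purchase-order line (constructed example)."""
from datetime import date

SUPPLIER_MASTER = {"10000081", "20000048"}   # assumed supplier table (existence check / table lookup)
VALID_UNITS = {"EA", "KG", "L"}               # assumed unit-of-measure codes (validity check)
QTY_RANGE = (1, 10_000)                       # assumed quantity bounds (range check)
LINE_LIMIT = 50_000.00                        # assumed maximum value per line (limit check)
REQUIRED = ("po_number", "supplier", "unit", "qty", "unit_price", "order_date", "delivery_date")


def luhn_ok(number: str) -> bool:
    """Check-digit test (Luhn mod 10) on a numeric supplier number; keying errors fail it."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_po_line(line: dict, last_po: int, seen: set) -> list:
    """Apply the input controls to one line; returns the names of the controls that failed.

    An empty list means the line passes every check. Dates are ISO-8601 strings.
    """
    if any(line.get(k) is None for k in REQUIRED):                   # completeness check
        return ["completeness"]                                      # nothing else is testable
    fails = []
    if line["po_number"] != last_po + 1:                             # sequence check
        fails.append("sequence")
    if line["po_number"] in seen:                                    # duplicate check
        fails.append("duplicate")
    if line["supplier"] not in SUPPLIER_MASTER:                      # existence check
        fails.append("existence")
    if not luhn_ok(line["supplier"]):                                # check digit
        fails.append("check_digit")
    if line["unit"] not in VALID_UNITS:                              # validity check
        fails.append("validity")
    if not QTY_RANGE[0] <= line["qty"] <= QTY_RANGE[1]:              # range check
        fails.append("range")
    if line["qty"] * line["unit_price"] > LINE_LIMIT:                # limit check
        fails.append("limit")
    if date.fromisoformat(line["delivery_date"]) < date.fromisoformat(line["order_date"]):
        fails.append("logical_relationship")                         # delivery cannot precede order
    return fails
```

Returning the full list of failed controls rather than stopping at the first one is what lets a tester run the "sample test of each scenario" from the table and see every control that fired.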
II. Processing Controls – These controls provide an automated means to ensure processing is complete, accurate, and authorized.
EXAMPLES
Area | Existing Controls | How to Test/Validate
Automated file identification and validation | Files for processing are available and complete. | Review the process for validation and test its operation.
Audit trails and overrides | • Automated tracking of changes made to data, associating each change with a specific user. • Automated tracking and highlighting of overrides to normal processes. | • Review reports and evidence of reviews. • Review access to override normal processes.
Data extraction, filtering, and reporting | • Extract routine outputs are assessed for reasonableness and completeness. • Automated allocation of transactions. • Evaluation of data used to perform estimates for financial reporting purposes. | • Review the design of the extract routine against the data files used. • Review supervisory assessment of output from the extract routine for evidence of regular review and challenge. • Review a sample of allocations for appropriateness. • Review the process used to assess extracted data for completeness and validity.
III. Output Controls – These controls address what is done with the data and should compare output results with the intended result by checking the output against the input.
IV. Integrity Controls – These controls monitor data being processed and in storage to ensure it remains consistent and correct.
V. Management Trail – Processing history controls, often referred to as an audit trail, enable management to identify the transactions and events they record by tracking transactions from their source to their output and by tracing backward. These controls also monitor the effectiveness of other controls and identify errors as close as possible to their sources.
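An added example, not taken from this guidance or any ERP product, showing how the automated authorization and override controls (input controls table), the audit trail with override highlighting (processing controls table) and the management trail fit together in code; the approval matrix, the roles allowed to override, and the field names are assumptions chosen for the example:

```python
"""Approval-limit control with override tracking and an audit (management) trail; constructed example."""
from dataclasses import dataclass

# Assumed approval matrix: the highest PO value each role may approve on its own authority.
APPROVAL_LIMITS = {"buyer": 10_000.0, "manager": 100_000.0, "director": 250_000.0}
OVERRIDE_ROLES = {"director"}          # assumed: only directors may force approval above their limit


@dataclass(frozen=True)
class AuditEvent:
    seq: int          # monotonically increasing; a gap would indicate tampering with the trail
    user: str         # every recorded action is associated with a specific user
    role: str
    po_number: int
    action: str       # "approve", "reject" or "override"
    value: float
    detail: str


class ApprovalControl:
    def __init__(self) -> None:
        self.trail: list[AuditEvent] = []      # append-only processing history

    def _record(self, user, role, po_number, action, value, detail) -> AuditEvent:
        event = AuditEvent(len(self.trail) + 1, user, role, po_number, action, value, detail)
        self.trail.append(event)
        return event

    def approve(self, user: str, role: str, po_number: int, value: float, override: bool = False) -> bool:
        """Approve a PO within the role's limit; otherwise reject unless an authorised override is used."""
        limit = APPROVAL_LIMITS.get(role, 0.0)     # unknown roles may approve nothing
        if value <= limit:
            self._record(user, role, po_number, "approve", value, f"within limit {limit:.2f}")
            return True
        if override and role in OVERRIDE_ROLES:
            self._record(user, role, po_number, "override", value, f"forced above limit {limit:.2f}")
            return True
        why = "override attempted without authority" if override else f"exceeds limit {limit:.2f}"
        self._record(user, role, po_number, "reject", value, why)   # failed attempts are logged too
        return False

    def overrides(self) -> list[AuditEvent]:
        """Exception report: overrides highlighted for supervisory review."""
        return [e for e in self.trail if e.action == "override"]

    def trace(self, po_number: int) -> list[AuditEvent]:
        """Trace one PO forward through every event recorded against it (reverse the list to trace back)."""
        return [e for e in self.trail if e.po_number == po_number]
```

The reviewer's test from the table ("review access to override normal processes") maps to checking OVERRIDE_ROLES and the override entries in the trail, while "review reports and evidence of reviews" maps to who reads the output of overrides() and how often.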
Relying on application controls can yield reliability, benchmarking, time and cost savings.