Functional Requirement: 1
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 12
Extract The applicability and importance of specific control environment factors, accounting system
methods and records, and control procedures that an entity establishes should be considered in the
context of ... applicable legal and regulatory requirements.
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-5
Extract Federal, state, and local laws govern the way businesses are conducted. In establishing the
control environment and procedure, the need to operate within these constraints and legal requirements
should be taken into account.
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-36
Extract The second level of QA [Quality Assurance] rests with the director of audit, who is responsible for
the following...Ensuring that the audit effort complies with appropriate standards and regulatory
requirements.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit. Appendix A
Pages .9
Extract External Influences. These are influences established and exercised by parties outside an entity
that affect an entity's operations and practices. They include monitoring and compliance requirements
imposed by legislative and regulatory bodies.
Functional Requirement: 1b
Citation Marcella, A.J. & Chan, S. EDI security, control, and audit. 1993.
Pages 96
Extract Records should be kept long enough to satisfy business ... statutory, and regulatory
requirements.
Functional Requirement: 2
Citation "Auditing in a Microcomputer Environment" Bailey, Larry P. Miller GAAS Guide: A
Comprehensive Restatement of Generally Accepted Auditing Standards. 1995
Pages 8.05
Extract Adequate documentation of microcomputer system procedures usually includes: * A description of
the functions that are to be performed by various personnel * The procedures for authorizing transactions
* The procedures for authorization of changes in microcomputer systems * Designation of the personnel
responsible for testing microcomputer software, when applicable.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991.
Pages 7-40
Extract CLASSIFICATION OF APPLICATIONS. One of the most difficult problems organizations face in
connection with EUC [End User Computing] is how to create and enforce a set of policies and
procedures governing documentation, back-up, security, development standards, and testing
requirements. In the traditional mainframe environment, it is recognized that these basic controls are
necessary. All of these control procedures require a substantial amount of time and cost to implement.
As EUC [End User Computing] has grown so rapidly, in part because users can satisfy their
information needs quickly, it is not surprising that they are reluctant to take the time to address such
issues as documentation and security.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
10, Contingency Planning, 1991
Pages 10-25
Extract INTRODUCTION. The success of the contingency plan is directly related to the quality of the
documentation. The structure of the contingency plan document should facilitate understanding,
implementation, and maintenance.
Functional Requirement: 2a
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 30
Extract Assessing control risk at below the maximum level involves - Identifying specific internal control
structure policies and procedures relevant to specific assertions that are likely to prevent or detect
material misstatements in those assertions. - Performing tests of controls to evaluate the effectiveness of
such policies and procedures.
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Independent checks on performance and proper valuation of recorded amounts, such as
clerical checks, reconciliation, comparisons of assets with recorded accountability, computer-programmed
controls, management review of reports that summarize the detail of account balances (for example, an
aged trial balance of accounts receivable), and user review of computer-generated reports.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit. Appendix A
Pages .5
Extract These methods affect the understanding of reporting relationships and responsibilities established
within the entity. Methods of assigning authority and responsibility include consideration of
...Computer systems documentation indicating the procedures for authorizing transactions and approving
systems changes.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit. Appendix A
Pages .6
Extract Management Control Methods. These methods affect management's direct control over the
exercise of authority delegated to others and its ability to effectively supervise overall company
activities. Management control methods include consideration of ...Establishing and monitoring policies
for developing and modifying accounting systems and control procedures, including the development,
modification, and use of any related computer programs and data files.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-11
Extract AUDIT CONSIDERATIONS. The internal auditor should examine the systems planning process
and obtain reasonable assurance that the following objectives are met: There are defined and
implemented standards, procedures, and policies for developing and maintaining data and
applications.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-103,4
Extract Controls include the following: * Documentation - Maintenance of on-line documentation of
operating system configuration tables, written procedures, guidelines, etc. - Comprehensive
documentation of operating system and other systems software exists and modifications -
Comprehensive documentation of the contingency plan and the disaster recovery process -
Comprehensive documentation of systems software output that can be used for review and that provides
an audit trail
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-108
Extract Determine whether current and comprehensive documentation of the systems software environment
exists.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-108
Extract Determine whether documentation of the systems software environment is reviewed on a periodic
basis and updated as changes occur.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-47
Extract CHANGE MANAGEMENT Change management is defined as the process by which changes in a
system are approved, developed, tested, and documented. User requests to change the network
configuration or access level authorization should be supported by well-documented change management
procedures.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following:
Controls to mitigate these risks include the following: * Adequate system and user documentation
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 142
Extract DOCUMENTATION STANDARDS System and program documentation serves as a means of
communication among project team members during systems development. Adequate documentation
also facilitates the development effort and provides the information needed for the system to be used
effectively. In addition, documentation is essential for program maintenance and modifications and for
auditing.
Citation "Guideline for Software Documentation Management," Federal Information Processing Standards
Publication 105 (U.S. Department of Commerce/National Bureau of Standards, 6 June 1984)
Pages 8
Extract 2.5.2 Programmer Documentation. Programmers charged with maintaining or enhancing an
existing software program require information that describes what the program is supposed to do and
when it is doing it. They need illustrations and descriptions of program logic, final data storage design
specifications, and functional descriptions.
Functional Requirement: 2b
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 09
Extract The control environment represents the collective effect of various factors on establishing,
enhancing, or mitigating the effectiveness of specific policies and procedures. Such factors include the
following ... Methods of assigning authority and responsibility.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 346
Extract * Ensure that the roles and responsibilities of the personnel involved in data management are
defined and incorporated into the development, maintenance and operation of the organization's
application systems.
Citation Miller GAAS Guide. 1994.
Pages 7.14
Extract The entity enhances the control environment if appropriate attention is given to methods of
assigning authority and responsibility within the entity.
Functional Requirement: 2c
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-103,4
Extract Controls include the following: * Procedures - Standard procedures for initially loading the
operating system - Standard procedures for applying program "patches" to correct a known problem
and for installing system revisions - Standard back-up and retention procedures for vital program
records and files - Standard procedures to control the issuance and the return of items used for
gaining physical access (e.g., keys, magnetic cards, and identification badges) - Standard procedures
prescribing retention periods for console logs and job accounting system records - Standard procedures
to govern system generation activities - Establishment and periodic testing of protection devices (e.g.,
smoke and fire detection and suppression equipment and back-up electrical power) and testing of
processing under emergency situations
Functional Requirement: 2d
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991.
Pages 7-4
Extract Specific management and audit questions related to EUC [End User Computing] include the
following:...Have adequate back-up plans been established to ensure the ability to continue operations or
to re-create data?
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
10, Contingency Planning, 1991
Pages 10-41
Extract Contingency planning requires careful and detailed development of back-up procedures and
disaster recovery procedures. Equally important, a contingency plan must be continually maintained,
updated, and tested. When a contingency plan is developed, the contingency planning team should
consider processing alternatives, including manual processing, vendor supply agreements, redundant
facilities, reciprocal agreements, contingency facilities, and service bureaus.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-12
Extract Temporary processing interruptions are risks for all application systems. Unless adequate recovery
and restart procedures are in place to facilitate continued processing, an organization may lose a
significant amount of transaction data or processing capability.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-35
Extract INTRODUCTION The activities associated with computer resource management include the
following: * Disaster recovery planning
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-54
Extract If there are critical on-line applications, organization management must determine if the users can
employ alternative manual procedures until processing can be restored.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-67,68
Extract The disaster recovery plans should be reviewed to determine if the following conditions are met: *
The equipment configuration at the back-up site is still compatible and allows the organization to
process critical applications without requiring additional software or a data conversion effort.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-109
Extract To assess the adequacy of disaster recovery and contingency planning, the auditor should perform
the following steps: * If possible, observe or participate in tests of recovery procedures
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-68
Extract A variety of techniques may be used to verify the existence of adequate controls in the
telecommunications environment. These include the following: * Verifying network integrity and
monitoring procedures, such as incident reporting and response time measurement * Reviewing the
adequacy of network back-up and recovery through examination of back-up procedures and
redundancies in the network.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following:
Controls to mitigate these risks include the following: * Adequate back-up and contingency planning to
ensure continuity of operations
Citation American Institute of Certified Public Accountants; Management Advisory Services Practice Aids:
Technical Consulting Practice Aid 11; "Conversion to a Microcomputer-Based Accounting System,"
1989
Pages 13
Extract BACKUP RECOVERY SYSTEMS An effective disk- or tape-based backup and recovery system
is essential to avoid a potentially catastrophic loss of data. The client needs to regularly back up
programs and data files, maintaining copies of all files at a secure off-site location for use in case the
on-site files and backup copies are destroyed.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 86
Extract Because EDI involves the operation of a separate computer system-- and sometimes separate
hardware--there are additional requirements for computer operations controls. These requirements
include developing restart and recovery procedures for EDI processing and backup procedures for
programs and, more importantly, for transaction and master files. Additionally, a disaster recovery plan
must be prioritized and its procedures updated to include the complete EDI processing code.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 95
Extract Part of the security measures which must be put in place for all data are those relating to backup
and recovery. Where an on-line transaction does not properly complete or where a systems problem
subsequently develops, there should be a roll back and roll forward process which minimizes any lost
data. The users of the system must also be made aware of any lost transactions. Many of the controls in
this area belong in the data base management system and the application system. However, there are
also procedural controls which must be in place to ensure that the correct files are used for recovery and
that there are backup files available in the event that live data must be re-created.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 244
Extract Contingency planning deals with a prolonged downtime at the primary processing facility. An
important part of contingency planning is the backup procedures which should be in place on a regular
basis within the computer operations facility. The backup files are then used for recovery procedures
where the backed up data is restored to the appropriate files and libraries so that processing can resume
at a particular point in time.
Functional Requirement: 3
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-20
Extract During the design of input procedures, consideration should be given to authorization, validation
and error notification and correction in order to support the following control objectives: Authorized
transactions are initially and completely recorded. The risk is that all information necessary to make
management decisions is not recorded.
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards. 1995
Pages 7.16
Extract An adequately designed accounting system should incorporate methods and records that will satisfy
the following: Identify and record all valid transactions
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 75,76
Extract In the EDI environment, reconciliation control includes a completeness check that ensures that all
transactions are processed, with no duplicates or omissions. Control totals and unique sequence
numbers in trailer records are techniques that ensure completeness.
Functional Requirement: 3a
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Design and use of adequate documents and records to help ensure the proper recording of
transactions and events, such as monitoring the use of pre-numbered shipping documents
Citation Miller GAAS Guide. 1994.
Pages 7.16
Extract The accounting system should capture all relevant transactions that have occurred during the
accounting period.
Functional Requirement: 3c
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 13
Extract Establishing and maintaining an internal control structure is an important management
responsibility. To provide reasonable assurance that an entity's objectives will be achieved, the internal
control structure should be under ongoing supervision by management to determine that it is operating
as intended and that it is modified as appropriate for changes in conditions.
Functional Requirement: 4
Citation Statements on Auditing Standards 53. The Auditor's Responsibility to Detect and Report Errors
and Irregularities
Pages .12
Extract The auditor should assess the risk of management misrepresentation by reviewing information
obtained about risk factors and the internal control structure. Matters such as the following may be
considered... Are there indications of a lack of control over computer processing, such as ... high levels of
processing errors, or unusual delays in providing processing results and reports.
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-3
Extract [T]he proper mix of controls is implemented to ensure that data are accurately captured and that
users have the ability to control the completeness, accuracy and propriety of processing (control
procedures).
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-13
Extract Application controls, whether they address input, processing, or output, can be used to prevent,
detect, and correct errors and irregularities as transactions flow through the system:...Output controls
ensure that a complete and accurate audit trail of the results of processing is reported to appropriate
individuals for review.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit
Pages .52
Extract [F]or a control procedure performed by a computer program, the auditor may test the operation of
the control at a particular point in time to obtain evidential matter about whether the program executes
the control effectively. The auditor may then perform tests of controls directed toward the design and
operation of other control procedures pertaining to the modification and the use of that computer
program during the audit period to obtain evidential matter about whether the programmed control
procedure operated consistently during the audit period.
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards. 65 Analytic
Procedures.
Pages .16
Extract The following factors influence the auditor's consideration of the reliability of data for purposes of
achieving audit objectives:...Whether the data was developed under a reliable system with adequate
controls.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
10, Contingency Planning, 1991.
Pages 10-11
Extract Plan Maintenance. The contingency plan should be flexible and maintainable. This requires
adequate update procedures and formal document control and management procedures.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 98, 99
Extract 8.5 THE ADMISSIBILITY OF ELECTRONIC RECORDS To demonstrate to a court that a
computer-originated document is admissible evidence, taxpayers (or their representatives) must fulfill
four requirements. They must prove 1. That the document in question is of a type that was regularly
processed and stored on the computer; 2. That, at the time the transaction was finalized and a record
of it was created, the computer on which the work was performed was used regularly for processing and
storing information; 3. That the computer was working properly all the time or, if it was not working
properly, that any breakdowns could not have affected the accuracy of the document; 4. That the system
was reliable enough to ensure accurate and complete recall of finalized documents and, in particular,
that there was no possibility that the document could have been tampered with after finalization. (There
is always the possibility that documents have been tampered with and, therefore, it is important to prove
that they have not.)
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 286
Extract The key is to have stringent edit checks in place and to ensure that these checks are fully tested.
It is also advisable to have reasonableness checks in the processing and reporting sections of the system
to track resulting situations that theoretically cannot happen, or that seem suspect.
Functional Requirement: 4a
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards.
Communication of Internal Control Structure Related Matters Noted in an Audit. Appendix
Pages .2.
Extract Deficiencies in internal control structure design [include] ... Evidence that a system fails to provide
complete and accurate output that is consistent with objectives and current needs because of design
flaws.
Citation "Auditing in a Microcomputer Environment" Bailey, Larry P. Miller GAAS Guide: A
Comprehensive Restatement of Generally Accepted Auditing Standards. 1995
Pages 8.05
Extract Control methods that are related to the use of microcomputers include policies over the
development and modification of microcomputer programs and data files. An example is policies
regarding the extent of tests of software that have been developed for the microcomputer before it is
implemented.
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards. 1995
Pages 7.64
Extract Uniform processing of transactions. When subject to the same processing instructions, all like
transactions are uniformly processed in a computerized system
Citation Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement of Generally Accepted
Auditing Standards. 1995
Pages 8.12
Extract Uniform processing of transactions. When subject to the same processing instructions, all like
transactions are uniformly processed in a computerized system.
Functional Requirement: 4b
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-17
Extract Test data analysis involves using simulated transactions to test processing logic, computations, and
controls programmed in the application.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-18
Extract The specific purpose of tracing is to document and analyze the logic paths in complex software.
The objective of the tracing audit technique is to verify compliance with specifications, policies, and
procedures by documenting how the application software processes transactions. By analyzing the
transaction's path through the application, tracing can show instructions that have been executed and the
sequence in which they have been executed.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 75,76
Extract 6.1.1.2 Processing Controls. Controls must be built into application programs to ensure that the
right data are processed. Accuracy in processing requires that the correct records and files be read and
updated. The logic of computer processing integrity can be tested via independent programs run from a
separate job stream.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 4,5
Extract Application system integrity is crucial to the success or failure of the business. There needs to be
a set of controls in place to ensure that the system processes and logic perform according to the
specifications each time the system is run.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 364
Extract LOSS OF DATA Errors in setting up the physical form of the data base, errors in the request
issued from the application program or any combination of the two could result in loss of data. The
data may still be physically present on the storage device but not accessible to the application system
through the DBMS. Complete testing of the interface between application systems and the DBMS is
essential if loss of data is to be avoided. This interface testing should take into account all read, update,
create and delete functions.
Functional Requirement: 4c
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-47
Extract Database Back-up and Recovery Procedures * The database and its data must be backed up on a
regular basis, and the back-ups must be secured. DBMSs may include a variety of specialized recovery
procedures, such as rollback, roll forward, and partial dynamic restart. Rollback is the ability to remove
all changes made past a certain point. Roll forward is the ability to apply a large group of changes at
once, after problem correction.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-52
Extract MANAGEMENT REVIEW Data center management should use system incident reports to assess
the causes of operational inefficiency and poor user service and to allocate appropriate resources to
prevent such failures in the future. The following three factors are typically used to measure system
incidents: * Rerun time, which measures total rerun time and reasons for reruns * System failures and
unscheduled downtime, which also provide reasons for the breakdown * Status of reported problems,
which might include the number of unsolved problems, reported problems, resolved problems, etc.
Citation American Institute of Certified Public Accountants; Management Advisory Services Practice Aids:
Technical Consulting Practice Aid 11; "Conversion to a Microcomputer-Based Accounting System,"
1989
Pages 13
Extract The computer operators can maintain logs showing which files were backed up, the operator's
name, and the date and time of the backup. (The backup medium itself should indicate the files it
contains, the accounting date through which the processing has been completed, and the date of the
backup.) If possible, the log entry indicates or summarizes the day's work performed, in case the
backup or restoration is unsuccessful and reentry of the data is necessary. An important and often
overlooked element of an effective backup procedure is recovery. When errors are detected--such as
lost data or corrupt files--the backup copy will be useless if no one knows how to restore the data to the
system. Therefore, users need to know how to read the logs to determine which backup media to use,
how to read the media labels to be sure of selecting the correct backups, and how to carry out the
procedures correctly to restore the data.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 209
Extract TYPES OF EXPOSURE For each of the causes of exposure and resultant types of exposure, there
should be application and system controls in place to prevent, detect and/or recover from the occurrence
of any type of problem.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 272
Extract Error report: Each input item with one or more erroneous fields should be shown on this report.
Exception report: This report lists entries that do not pass complete editing rules in the application
system. The processing controls should produce certain output reports which can be used by the data
control group and/or by the users to verify that the processing has taken place correctly.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 287
Extract It is the vendor's software in the form of the operating system and associated subsystems that must
ensure that records are properly written to the data base and that any errors are trapped and reported
back to the application system. The application system must then have routines which can deal with
these erroneous conditions.
Functional Requirement: 4d
Citation "Auditing in a Microcomputer Environment" Bailey, Larry P. Miller GAAS Guide: A
Comprehensive Restatement of Generally Accepted Auditing Standards. 1995
Pages 8.09
Extract Controls over microcomputers are typically tested using the following procedures: ...Observation
and inquiry procedures directed at the entity's back-up procedures.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-34,35
Extract Recovery Software. The recovery software of a DBMS is essential for maintaining data integrity.
This component maintains a log or journal (commonly on disk devices) on which details of update
operations to data items and records of a database are recorded. The log contains before and after
images of updated data items and/or database records. The log is used by the DBMS in circumstances
where it is necessary to reverse or roll back updates made to database data. Examples of these
circumstances include a DBMS failure or an application program explicitly requesting the DBMS to roll
back updates performed by one or more transactions. The log is also used when the DBMS is asked to
restore a database as a result of media failure. Recovery operations of this type require copying of
database data from a back-up copy to the database and using the log to reapply all changes to the data
that were completed since the back-up copy was taken. Normally, the DBMS utilities are used to
invoke the operations that create back-up copies of the database or to recover a database from a
specified back-up.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-44
Extract Inability to Recover - The inability to recover may be due to either inadequate back-up or
inadequate journalizing procedures. Adequate back-up procedures require the timely creation of database
back-up tapes so that the database can be recovered from tape in the event of an emergency. Adequate
journalizing procedures require making a copy of any change to the database at the time that change is
made, in order to recover from a minor emergency.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-50
Extract The following are the four major on-line recovery techniques: * Transaction log method, in which
a simple sequence-numbered and/or time-and-date stamped journal file (typically a tape) of all
transactions is maintained, in addition to a periodic dump of the master file * Pre-update master
transaction log technique, in which a series of record pairs are used, (i.e., a copy of the active master
file record before updating and a copy of the transaction to be applied to the master file record) * Post-update
master log technique, which is similar to the previous technique, except that the journal file
contains a copy of each master record after updating and does not contain a transaction image * Full
trace technique, which gives the best audit trail but involves significant overhead (i.e., requiring a copy
of the pre-update master, the transaction record, and the post-update master)
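The journaling and recovery behaviour described in the two extracts above (before and after images used for rollback; a periodic dump plus reapplied after images used to recover from media failure; the full-trace technique that keeps the pre-update master, the transaction and the post-update master) can be demonstrated in a few dozen lines. The following Python is an added example written for this page, not code from any of the cited works. The account-style transactions, the field names and the in-memory "master file" are assumptions made for the illustration.

```python
import copy
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class JournalEntry:
    """Full-trace journal record: pre-update master image, the transaction, post-update image."""
    seq: int                 # sequence number, assigned in commit order
    timestamp: float         # time-and-date stamp
    txn_id: str              # transaction (unit of work) the update belongs to
    key: str                 # master record affected
    before: Optional[dict]   # master record before the update; None if it did not exist
    txn: dict                # the transaction that was applied
    after: Optional[dict]    # master record after the update; None if it was deleted


class JournaledStore:
    """A master file plus a journal supporting rollback (before images) and
    roll-forward from a periodic dump (after images). Assumed account model."""

    def __init__(self) -> None:
        self.master: dict = {}
        self.journal: list = []
        self._seq = 0

    @staticmethod
    def _next_image(before: Optional[dict], txn: dict) -> Optional[dict]:
        """Compute the post-update image; raises on an invalid transaction so nothing is journaled."""
        op = txn["op"]
        if op == "open":
            if before is not None:
                raise ValueError("account already exists")
            return {"balance": txn["balance"]}
        if before is None:
            raise ValueError("no such account")
        if op == "credit":
            return {"balance": before["balance"] + txn["amount"]}
        if op == "debit":
            if txn["amount"] > before["balance"]:
                raise ValueError("insufficient funds")
            return {"balance": before["balance"] - txn["amount"]}
        if op == "close":
            return None
        raise ValueError(f"unknown op {op!r}")

    def _commit(self, txn_id, key, before, txn, after) -> None:
        """Write the journal record first, then update the master (write-ahead ordering)."""
        self._seq += 1
        self.journal.append(JournalEntry(self._seq, time.time(), txn_id, key,
                                         copy.deepcopy(before), dict(txn), copy.deepcopy(after)))
        if after is None:
            self.master.pop(key, None)
        else:
            self.master[key] = copy.deepcopy(after)

    def apply(self, txn_id: str, txn: dict) -> None:
        key = txn["account"]
        before = self.master.get(key)
        self._commit(txn_id, key, before, txn, self._next_image(before, txn))

    def rollback(self, txn_id: str) -> int:
        """Undo every update made by txn_id, newest first, by restoring the before images.
        The undo is journaled too, so a later roll-forward reproduces it. Caveat: if another
        transaction has since updated the same record, its change is overwritten as well."""
        entries = [e for e in self.journal if e.txn_id == txn_id]
        for entry in reversed(entries):
            self._commit(f"rollback:{txn_id}", entry.key, self.master.get(entry.key),
                         {"op": "rollback", "undoes_seq": entry.seq, "account": entry.key},
                         entry.before)
        return len(entries)

    def dump(self) -> dict:
        """Periodic dump of the master file, tagged with the journal position it reflects."""
        return {"seq": self._seq, "master": copy.deepcopy(self.master)}

    @staticmethod
    def roll_forward(dump: dict, journal: list) -> dict:
        """Media-failure recovery: restore the dump, then reapply the after images journaled since."""
        master = copy.deepcopy(dump["master"])
        for entry in sorted(journal, key=lambda e: e.seq):
            if entry.seq <= dump["seq"]:
                continue
            if entry.after is None:
                master.pop(entry.key, None)
            else:
                master[entry.key] = copy.deepcopy(entry.after)
        return master


if __name__ == "__main__":
    store = JournaledStore()
    store.apply("T1", {"account": "A1", "op": "open", "balance": 100})
    store.apply("T2", {"account": "A2", "op": "open", "balance": 50})
    snapshot = store.dump()                                   # periodic dump after seq 2
    store.apply("T3", {"account": "A1", "op": "credit", "amount": 25})
    store.apply("T4", {"account": "A2", "op": "debit", "amount": 10})
    store.rollback("T3")                                      # A1 back to 100
    assert JournaledStore.roll_forward(snapshot, store.journal) == store.master
    print(store.master)
```

Rollback is journaled as a compensating update rather than by deleting journal records, so the journal stays an append-only audit trail and roll_forward reproduces the rollback exactly. The caveat in the rollback docstring (a later update to the same record is overwritten too) is the reason a real DBMS holds locks until commit or uses compensating transactions instead of raw image restores.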
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-55
Extract Controls to preclude system failures and their resulting impact include the following: * Built-in
redundancy to enable continued processing when a single part fails
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-63
Extract Network Back-up and Recovery In reviewing the adequacy of a network's back-up and recovery
procedures, the internal auditor should consider the following: * Determine if the current network
topology provides multiple communication paths to critical sites or nodes on the network, if required for
continuous operation. * Determine the adequacy of back-up and off-site retention procedures for all
communications software. * Verify that back-up procedures exist for critical sites, in the event of
equipment loss or malfunction or line/carrier interruptions, and that back-up procedures are validated by
successful tests or actual experience. * Determine if dynamic reconfiguration of the network is used, and
review the administrative procedures and the way the reconfiguration is incorporated in an
organization's change management process. * Confirm that multiple lines used to provide
communications back-up are not physically on the same route or cable. This possibility can exist even
when separate carriers are used. * Determine whether triangulation of lines to provide alternate routing
paths for the network has been considered.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 99
Extract In the case of on-line systems there is a need for a transaction log to be maintained so that in the
event of a systems failure there can be a re-creation of all master and transaction files up to the point of
a failure in the system, or as close as possible.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 100
Extract In the case of long-running batch jobs there needs to be a policy on checkpoint and restart times
so that in the event of a systems failure while the job is running, it is not necessary to restart the job
from the beginning.
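A checkpoint/restart policy of the kind the extract calls for, as an added example in Python (not code from the cited work): the job checkpoints its position and running control totals every few records, a simulated failure interrupts it, and the restart resumes from the checkpoint rather than from the beginning. The record layout, the checkpoint interval and the JSON checkpoint file are assumptions made for the illustration.

```python
import json
import os
import tempfile


def write_checkpoint(path: str, state: dict) -> None:
    """Write the checkpoint atomically (temp file + rename) so a crash mid-write
    can never leave a torn checkpoint behind."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        json.dump(state, fh)
        fh.flush()
        os.fsync(fh.fileno())
    os.replace(tmp, path)


def load_checkpoint(path: str) -> dict:
    """Resume state if a checkpoint exists, otherwise start from the beginning."""
    if os.path.exists(path):
        with open(path) as fh:
            return json.load(fh)
    return {"next_index": 0, "records_processed": 0, "control_total": 0}


def run_batch(records: list, checkpoint_path: str, interval: int = 5, fail_at=None) -> dict:
    """Process `records`, checkpointing position and running control totals every `interval`
    records. `fail_at` simulates a system failure just before that record index is processed.
    Because the totals are checkpointed together with the position, records re-read after a
    restart are not double-counted. Any externally visible output produced between the last
    checkpoint and the failure would still need to be idempotent or backed out."""
    state = load_checkpoint(checkpoint_path)
    for index in range(state["next_index"], len(records)):
        if fail_at is not None and index == fail_at:
            raise RuntimeError(f"simulated system failure before record {index}")
        state["records_processed"] += 1
        state["control_total"] += records[index]["amount"]
        state["next_index"] = index + 1
        if state["next_index"] % interval == 0:
            write_checkpoint(checkpoint_path, state)
    state["complete"] = True
    write_checkpoint(checkpoint_path, state)
    return state


def demo() -> dict:
    """Fail part-way through a 12-record job, then restart it from the last checkpoint."""
    records = [{"amount": i} for i in range(1, 13)]          # constructed sample input
    ckpt = os.path.join(tempfile.mkdtemp(), "batch.ckpt")
    try:
        run_batch(records, ckpt, interval=5, fail_at=7)
    except RuntimeError:
        pass                                                  # the "system failure"
    resumed_from = load_checkpoint(ckpt)["next_index"]        # 5: last checkpoint, not 0
    final = run_batch(records, ckpt, interval=5)
    final["resumed_from"] = resumed_from
    return final


if __name__ == "__main__":
    print(demo())
```

The restart re-reads records 5 and 6, which were processed before the failure but after the last checkpoint; the totals come out right because they were restored from the same checkpoint as the position. That is the trade-off the policy has to settle: a shorter interval costs more checkpoint I/O, a longer one costs more rework after a failure.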
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 274
Extract In an on-line system, it is mandatory that the system be able to recover at any point of failure with
a minimum of re-keying on the part of the users. It is simply not acceptable to have to go back to start-
of-day processing.
Citation Marcella, A.J. & Chan, S. EDI security, control, and audit. 1993.
Pages 98-99
Extract To demonstrate to a court that a computer-originated document is admissible evidence, taxpayers
(or their representatives) must fulfill four requirements. They must prove ... 3. That the computer was
working properly all the time or, if it was not working properly, that any breakdowns could not have
affected the accuracy of the document ...
Functional Requirement: 5
Citation Statements on Auditing Standards 53. The Auditor's Responsibility to Detect and Report Errors
and Irregularities
Pages .21
Extract If a condition or circumstance differs adversely from the auditor's expectation, the auditor needs to
consider the reason for such a difference. Examples of such conditions or circumstances are the
following...Transactions selected for testing are not supported by proper documentation
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-20
Extract During the design of input procedures, consideration should be given to authorization, validation
and error notification and correction in order to support the following control objectives:...All
transactions are completely and accurately entered into the system for processing. The risk is that
transactions approved for processing are not entered and included in data files.
Citation American Institute of Certified Public Accountants, Codification of Statements on Auditing
Standards, Numbers 1 to 73, AU Section 326.05 : Evidential Matter, Nature of Assertions, 1994
Pages 153
Extract .05 Assertions about completeness deal with whether all transactions and accounts that should be
presented in the financial statements are so included. For example, management asserts that all
purchases of goods and services are recorded and are included in the financial statements. Similarly,
management asserts that notes payable in the balance sheet include all such obligations of the entity.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 271
Extract Completeness and accuracy--checks of this type should be part of the input validation performed
by the application system. This is typically referred to as input editing. Input edit checks can be thought
of as having two elements: (1) at the batch level, and (2) at the individual transaction level. Sequence
checks, control total reconciliation, hash total checks, crossfoot and balance, and record counts are all
controls to ensure that there is nothing missing from the batch (and that nothing has been added to the
batch). Valid character tests, checks for missing data, valid field checks, tests on the validity of input
codes, cross checks between data elements, limit tests, tests for zero, reasonableness tests and check
digits are all examples of individual transaction tests to ensure that the data within the transaction is
valid for subsequent processing.
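The batch-level and transaction-level edits listed above, and the error and exception reports described in the Gilhooley extract from page 272 earlier in this section, together as one added Python example (not code from the cited works). The 8-digit account format, the CR/DR transaction codes, the 10,000 limit and the use of the mod-10 (Luhn) algorithm as the check-digit scheme are assumptions; the sample batch is constructed for the illustration.

```python
import re
from decimal import Decimal

VALID_CODES = {"CR", "DR"}                 # assumed transaction-type codes
ACCOUNT_RE = re.compile(r"\d{8}")          # assumed 8-digit account number format
AMOUNT_RE = re.compile(r"\d+(\.\d{1,2})?")


def check_digit_ok(number: str) -> bool:
    """Mod-10 (Luhn) check digit, used here as one common check-digit scheme."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_transaction(txn: dict, limit: Decimal = Decimal("10000")) -> tuple:
    """Transaction-level edits. Returns (errors, exceptions): errors are malformed fields,
    exceptions are well-formed values that fail limit or reasonableness tests."""
    errors, exceptions = [], []
    for name in ("seq", "account", "code", "amount"):          # missing-data test
        if not str(txn.get(name, "")).strip():
            errors.append(f"{name}: missing")
    account = str(txn.get("account", ""))
    if account and not ACCOUNT_RE.fullmatch(account):          # valid character / field test
        errors.append("account: must be 8 digits")
    elif account and not check_digit_ok(account):             # check digit
        errors.append("account: check digit failed")
    code = txn.get("code")
    if code and code not in VALID_CODES:                      # validity of input codes
        errors.append(f"code: {code!r} not a valid transaction code")
    amount = str(txn.get("amount", ""))
    if amount and not AMOUNT_RE.fullmatch(amount):
        errors.append("amount: invalid characters")
    elif amount:
        value = Decimal(amount)
        if value == 0:                                         # test for zero
            exceptions.append("amount: zero")
        elif value > limit:                                    # limit test
            exceptions.append(f"amount: {value} exceeds limit {limit}")
    return errors, exceptions


def edit_batch(header: dict, transactions: list) -> dict:
    """Batch-level edits (record count, control total, hash total, sequence) plus the
    per-transaction edits; produces the error report, exception report and accepted list."""
    batch_errors, error_report, exception_report, accepted = [], [], [], []
    if len(transactions) != header["record_count"]:
        batch_errors.append(f"record count {len(transactions)} != header {header['record_count']}")
    control_total = sum((Decimal(t["amount"]) for t in transactions
                         if AMOUNT_RE.fullmatch(str(t.get("amount", "")))), Decimal(0))
    if control_total != Decimal(header["control_total"]):
        batch_errors.append(f"control total {control_total} != header {header['control_total']}")
    # Hash total: an otherwise meaningless sum (here of account numbers) that detects a
    # changed, dropped or added record even when the dollar total still agrees.
    hash_total = sum(int(t["account"]) for t in transactions if str(t.get("account", "")).isdigit())
    if hash_total != header["hash_total"]:
        batch_errors.append(f"hash total {hash_total} != header {header['hash_total']}")
    seqs = sorted(int(t["seq"]) for t in transactions if str(t.get("seq", "")).isdigit())
    if seqs != list(range(1, len(transactions) + 1)):
        batch_errors.append("sequence check failed: gap, duplicate or non-numeric sequence number")
    for txn in transactions:
        errors, exceptions = edit_transaction(txn)
        item = {"seq": txn.get("seq"), "account": txn.get("account")}
        if errors:
            error_report.append({**item, "errors": errors})
        elif exceptions:
            exception_report.append({**item, "exceptions": exceptions})
        else:
            accepted.append(txn.get("seq"))
    return {"batch_errors": batch_errors, "error_report": error_report,
            "exception_report": exception_report, "accepted": accepted}


# Constructed sample batch (not from the page); every account number carries a valid
# Luhn check digit except the one in seq 3.
SAMPLE_HEADER = {"batch_id": "B001", "record_count": 4,
                 "control_total": "15850.00", "hash_total": 55802469}
SAMPLE_TRANSACTIONS = [
    {"seq": "1", "account": "12345674", "code": "CR", "amount": "500.00"},
    {"seq": "2", "account": "11111119", "code": "DR", "amount": "250.00"},
    {"seq": "3", "account": "12345670", "code": "CR", "amount": "100.00"},
    {"seq": "4", "account": "20000006", "code": "DR", "amount": "15000.00"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(edit_batch(SAMPLE_HEADER, SAMPLE_TRANSACTIONS), indent=2))
```

The batch-level checks run over the batch exactly as submitted, so a keying error in one record normally shows up twice: once on the error report for that item and once as a hash-total or control-total mismatch for the batch. Only items that pass both levels reach the accepted list; everything else is available for resubmission.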
Functional Requirement: 6
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit
Pages .10
Extract The accounting system consists of the methods and records established to identify, assemble,
analyze, classify, record, and report an entity's transactions and to maintain accountability for the related
assets and liabilities. An effective accounting system gives appropriate consideration to establishing
methods and records that will - Identify and record all valid transactions.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 97
Extract 1. The basic document must contain all the components that together constitute legally acceptable
evidence of a completed action. 2. The documented proof of completed business transactions must be
created, processed, and retained to comply with corporate policy and business practice and with external
statutory and regulatory needs.
Functional Requirement: 6a
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-13
Extract Application controls, whether they address input, processing, or output, can be used to prevent,
detect, and correct errors and irregularities as transactions flow through the system: Input controls ensure
the complete and accurate recording of authorized transactions; identify rejected, suspended, and
duplicate items; and ensure resubmission of rejected and suspended items.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-55
Extract The review of EFT may entail significant testing of manual and management controls. Other
system-specific aspects of an EFT system that the internal auditor should consider reviewing include the
following: Verify the completeness of message input/output sequence numbers.
Functional Requirement: 7a
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-7
Extract Application controls are specific to the flow of transactions for a particular system or function and
are designed to ensure authorized, accurate, and complete processing of a transaction from input,
through processing, to the output of information. Application controls are designed to prevent, detect,
and correct errors and irregularities as transactions flow through the business system.
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards. 1995
Pages 7.10
Extract Recording transactions. Policies and procedures must be adopted to reasonably ensure that
authorized transactions are properly recorded. To be properly recorded, a transaction must be recorded
for the correct quantity, in the correct account, and in the proper accounting period.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-42
Extract Controls should ensure that only information that adheres to data standards is accepted by the
system for either addition or update.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-43
Extract Edit and Validation Rules - Proper edit and validation rules ensure that only data that are in the
proper format and range can be added to the database. These rules help to ensure that the integrity of
the database is maintained and that only the proper form and value ranges can be entered into the
system.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-102
Extract AUDIT CONSIDERATIONS The internal auditor should consider the following when reviewing
retail merchandise planning and buying systems: Verify the accuracy and completeness of interfaces to
the open-to-buy, reordering, and accounts payable systems, and the item master and vendor master
subsystems.
Citation American Institute of Certified Public Accountants; Management Advisory Services Practice Aids:
Technical Consulting Practice Aid 11; "Conversion to a Microcomputer-Based Accounting System," 1989.
Pages 15
Extract ESTABLISH CONTROLS FOR DATA INPUT Control of data input is essential to produce
accurate and complete computer files. The controls, which can include document counts, item counts,
dollar totals, batch totals, and hash totals, are suitable for monitoring the input of both start-up
information and daily operations. If input is accurate, the previously established control values will
correspond with the computer-generated output.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 75,76
Extract Validation controls. These controls prevent or detect errors or omissions in the recording,
preparing, and entering of data for processing.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 241
Extract The data control responsibilities under the heading of quality control are fairly straightforward: to
make sure that the input to the various application systems is complete, accurate and timely and that the
output reports from these systems are similarly complete, accurate, timely and properly distributed to the
correct users.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 286
Extract INPUT ERRORS Input errors which are allowed through the editing process can have a potentially
devastating impact on an application system. All processing subsequent to the edit routines within an
application system usually assumes that only valid data are now being handled. Consequently, little
revalidation is performed and the erroneous input is applied to the master files and/or to the report files.
To correct a problem of this type it is often necessary to take special custom coded routines to "cleanse"
the master files of the erroneous data.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 366
Extract Domain checking by the DBMS ensures the adherence of the values in a data element to the
attributes or value ranges that have been established for that data element.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 403
Extract INTEGRITY CONTROLS In order to ensure correct transmission, the content and form of the
message should be standardized and strictly followed. The minimum tests for message validity are as
follows: * Positional edits for correct control characters, address and data fields, and line and
format constraints. * Data validation for routing numbers, addresses, type codes, and user specific,
content-oriented information. * Authorization checks for coded data, test words, and other security
tests, such as identical currency fields.
Functional Requirement: 7a1
Citation "Auditing in a Microcomputer Environment" Bailey, Larry P. Miller GAAS Guide: A
Comprehensive Restatement of Generally Accepted Auditing Standards. 1995
Pages 8.07
Extract Control procedures that are relevant to a financial statement audit include those that relate
to:...Independent checks on performance and proper valuation of recorded amounts.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-10
Extract Most application systems use routines to edit and validate data entered for processing. Edit and
validation checks are designed to identify inaccuracies in entered data, duplicate entries, or data not
meeting predetermined acceptance criteria (e.g., data that fall outside a specified range of
reasonableness).
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-9, 6-10
Extract Certain transactions may be identified by computerized systems as inaccurate or unacceptable
according to predefined criteria and rejected. For example, an edit and validation control may indicate
that an account number was incorrect or that the number of hours an employee worked was
unreasonable.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 330
Extract INTEGRITY Domain checking concerns the adherence of the data values to the attributes that
have been established for a data element. Attributes concern the length of the data element, the nature of
the content (for example, numeric versus alphanumeric) and any specific values that the data element is
restricted to.
Functional Requirement: 7b
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991
Pages 7-25
Extract Some specific areas of spreadsheet risk include the following: Proper headers and other labeling
information may be missing, which can result in misinterpretations or misuse of the data.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-53
Extract Edit and Validation Routines -- Computerized controls include the following: * Reasonableness
checks of transactions or transaction limit checks, such as amounts or dates. * Validation of account
numbers for customers or banks * Edit check of message formatting
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following:
Controls to mitigate these risks include the following: * Use of standard message formats and
accounting procedures
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 343
Extract ERRONEOUS RECORD KEEPING Poor data management practices can lead to erroneous record
keeping in the sense that incomplete data may be stored, the attributes for data elements may be
improperly specified and misleading relationships between data elements may be established.
Functional Requirement: 7c
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards. 1995
Pages 7.16
Extract The accounting system should capture all the relevant details of transactions to ensure that the
transactions are properly reflected in the records.
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards. 1995
Pages 7.16
Extract Methods and records should allow an entity to properly summarize transactions so that they are
presented in accordance with generally accepted accounting principles.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-8
Extract If transactions are to be recorded accurately, transactions and master file data must be complete
and in the correct format, and transactions must not be duplicated...Transaction data are information
unique to a particular transaction (e.g., invoice numbers or bill of material change numbers).
Citation American Institute of Certified Public Accountants; Management Advisory Services Practice Aids:
Technical Consulting Practice Aid 11; "Conversion to a Microcomputer-Based Accounting System," 1989
Pages 10
Extract DEVELOP CODING SYSTEMS The coding system affects the quality and usefulness of the
information the computer system produces. Virtually every accounting system depends on a coding
system, which comprises general ledger account numbers, department or division designations,
salesperson numbers, sales tax codes, payroll deduction codes, customer types, and so on. These codes
control report formatting, calculations, running totals in quantities and dollars, and other facets of a
client's business.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 80
Extract Maintain a log of all data transmissions. The log should contain the batch ID, transaction set
control numbers, date and time stamp, sender and receiver IDs, and transmission status.
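Logging the fields listed above is only useful if someone reads the log. Below, as an added Python example not taken from the cited work, a constructed transmission log in that layout is checked for the completeness of its control numbers (the message sequence-number check the Module 6 EFT extract under requirement 6a asks the auditor to verify), for duplicates, for time stamps that run backwards and for transmissions that were never acknowledged. The pipe-delimited layout, the ACK/NAK status values and the sample lines are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample transmission log (not from the page). Fields:
# batch_id|control_number|timestamp|sender_id|receiver_id|status
SAMPLE_LOG = """\
B2024-001|1001|2024-03-01T08:00:05|ACME|BANKX|ACK
B2024-001|1002|2024-03-01T08:00:09|ACME|BANKX|ACK
B2024-001|1003|2024-03-01T08:00:14|ACME|BANKX|NAK
B2024-001|1005|2024-03-01T08:00:20|ACME|BANKX|ACK
B2024-001|1005|2024-03-01T08:00:21|ACME|BANKX|ACK
B2024-002|2001|2024-03-01T09:10:00|BANKX|ACME|ACK
B2024-002|2002|2024-03-01T09:09:55|BANKX|ACME|ACK
"""


@dataclass
class LogEntry:
    batch_id: str
    control_number: int
    timestamp: datetime
    sender: str
    receiver: str
    status: str


def parse_log(text: str) -> list:
    """Parse pipe-delimited log lines; a malformed line is itself a control failure, so it raises."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        batch_id, control, ts, sender, receiver, status = fields
        entries.append(LogEntry(batch_id, int(control), datetime.fromisoformat(ts),
                                sender, receiver, status))
    return entries


def audit_log(entries: list) -> list:
    """Check each sender/receiver/batch stream for gaps and duplicates in the control
    numbers, time stamps that run backwards, and transmissions never acknowledged."""
    findings = []
    streams = defaultdict(list)
    for e in entries:
        streams[(e.sender, e.receiver, e.batch_id)].append(e)
    for (sender, receiver, batch_id), items in streams.items():
        base = {"batch_id": batch_id, "sender": sender, "receiver": receiver}
        items.sort(key=lambda e: (e.control_number, e.timestamp))
        numbers = [e.control_number for e in items]
        # Completeness: every control number between the first and last logged must appear.
        for missing in sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers)):
            findings.append({**base, "kind": "gap", "control_number": missing,
                             "detail": "control number never logged"})
        # Duplicates: a replayed or double-posted transmission.
        for number, count in sorted(Counter(numbers).items()):
            if count > 1:
                findings.append({**base, "kind": "duplicate", "control_number": number,
                                 "detail": f"logged {count} times"})
        # Time stamps should not run backwards once the stream is ordered by control number.
        for prev, cur in zip(items, items[1:]):
            if cur.timestamp < prev.timestamp:
                findings.append({**base, "kind": "timestamp_regression",
                                 "control_number": cur.control_number,
                                 "detail": f"earlier than control number {prev.control_number}"})
        # Status: anything other than a positive acknowledgement needs follow-up.
        for e in items:
            if e.status != "ACK":
                findings.append({**base, "kind": "unacknowledged",
                                 "control_number": e.control_number,
                                 "detail": f"status {e.status}"})
    return findings


if __name__ == "__main__":
    for finding in audit_log(parse_log(SAMPLE_LOG)):
        print(finding)
```

The gap check can only see holes between the first and last control number actually logged; a batch whose first few transmissions never reached the log at all looks complete. Closing that hole needs the expected starting number from the trading partner's own sequence, which is why both sides' control numbers are reconciled rather than one side's log being read in isolation.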
Functional Requirement: 7c2
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit
Pages .10
Extract The accounting system consists of the methods and records established to identify, assemble,
analyze, classify, record, and report an entity's transactions and to maintain accountability for the related
assets and liabilities. An effective accounting system gives appropriate consideration to establishing
methods and records that will ...Determine the time period in which transactions occurred to permit
recording of transactions in the proper accounting period.
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards. 1995
Pages 7.16
Extract An adequately designed accounting system should incorporate methods and records that will satisfy
the following...Determine the time period in which transactions occurred to permit recording of
transactions in the proper accounting period.
Functional Requirement: 8
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Adequate safeguards over access to the use of assets and records, such as secured facilities
and authorization for access to computer programs and data files.
Citation Statements on Auditing Standards 55. Consideration of the Internal Control Structure in Financial
Statement Audit
Pages 11
Extract Control procedures are those policies and procedures in addition to the control environment and
accounting system that management has established to provide reasonable assurance that specific entity
objectives will be achieved. Control procedures have various objectives and are applied at various
organization and data processing levels. They may also be integrated into specific components of the
control environment and the accounting system. Generally, they may be categorized as procedures that
pertain to - Proper authorization of transactions and activities ...assigning different people the
responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets
Citation Statements on Auditing Standards 53. The Auditor's Responsibility to Detect and Report Errors
and Irregularities
Pages .12
Extract The auditor should assess the risk of management misrepresentation by reviewing information
obtained about risk factors and the internal control structure. Matters such as the following may be
considered...Are there indications that management has not developed or communicated adequate
policies and procedures for security of data or assets, such as...allowing unauthorized personnel to have
ready access to data or assets.
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-4
Extract Accountability encompasses the ability to trace each transaction or event back to a responsible
individual. The ability to hold individuals accountable for their actions or inaction is an essential
element of any control system.
Citation "Auditing in a Microcomputer Environment" Bailey, Larry P. Miller GAAS Guide: A
Comprehensive Restatement of Generally Accepted Auditing Standards. 1995
Pages 8.07
Extract Control procedures that are relevant to a financial statement audit include those that relate to :
Proper authorization of transactions and activities.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991.
Pages 7-4
Extract Specific management and audit questions related to EUC [End User Computing] include the
following: Have adequate control policies and procedures been established and implemented to prevent
unauthorized changes to data files and application programs?
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-43
Extract Data ownership functions as a control only to the extent that the people who know how the data
are used are responsible for determining the level of controls over the data. The controls are of the
following types: Specification of personnel to be allowed access and the types of access
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-44
Extract Unauthorized Access - Unauthorized access can refer to either of the following: Users who have
gained access to database areas for which they have no authorization
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-55
Extract The review of EFT may entail significant testing of manual and management controls. Other
system-specific aspects of an EFT system that the internal auditor should consider reviewing include the
following: Verify that proper identification and authentication controls are present and that instructions
from unauthorized users are rejected and flagged for appropriate follow-up.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 75,76
Extract Authorization controls. These controls, which ensure that transactions are properly authorized,
range from simple user IDs and passwords, to joint custody and split knowledge of access keys, to
segregation of entry and release functions, to sophisticated techniques, such as digital signatures and
challenge and response added to dial access.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
9, Security, 1991
Pages 9-48
Extract Access Control Software - Controls include the following: * Access to the system is restricted to
authorized individuals. * Users/application programs are limited to the specific types of data access
(e.g., read, update) required to perform their functional responsibilities.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 270
Extract Input authorization is achieved in different ways depending on whether the system is on-line or
batch. In an on-line environment, the user should be required to go through an identification and
authentication process just to get into the system. Beyond this point of entry, the application system
should determine the type of input the user is authorized to initiate.
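The Module 9 and Gilhooley extracts above ask for two things: users limited to the access types their duties require, and an identification/authentication step followed by an application-level decision about what input a user may initiate. The Marcella & Chan extract adds segregation of entry and release functions, and the Module 2 extract asks that every action trace back to a responsible individual. The following Python, an added example and not code from any of the cited works, puts those together for a payment queue. The roles, their access sets and the payment fields are assumptions made for the illustration, and identification and authentication are assumed to have already taken place before these calls.

```python
from datetime import datetime, timezone
from enum import Enum, auto


class Access(Enum):
    READ = auto()
    ENTER = auto()      # initiate (key) a transaction
    RELEASE = auto()    # authorize a keyed transaction for processing


# Assumed roles: each holds only the access types its duties require (least privilege).
ROLE_ACCESS = {
    "clerk":      {Access.READ, Access.ENTER},
    "supervisor": {Access.READ, Access.RELEASE},
    "manager":    {Access.READ, Access.ENTER, Access.RELEASE},
    "auditor":    {Access.READ},
}


class PaymentQueue:
    """Payments are keyed by one user and released by another. Every attempt, allowed or
    denied, is written to an audit trail naming the responsible individual."""

    def __init__(self, users: dict):
        self.users = users          # authenticated user id -> role
        self.pending = {}
        self.released = {}
        self.audit_trail = []

    def _record(self, user, action, payment_id, outcome):
        self.audit_trail.append({"at": datetime.now(timezone.utc).isoformat(), "user": user,
                                 "action": action, "payment_id": payment_id, "outcome": outcome})

    def _authorize(self, user, access, payment_id):
        """Application-level check of the type of access this user may exercise."""
        role = self.users.get(user)
        if role is None or access not in ROLE_ACCESS[role]:
            self._record(user, access.name, payment_id, "denied: not authorized")
            raise PermissionError(f"{user!r} is not authorized for {access.name}")

    def enter(self, user, payment_id, payee, amount):
        self._authorize(user, Access.ENTER, payment_id)
        if payment_id in self.pending or payment_id in self.released:
            self._record(user, "ENTER", payment_id, "denied: duplicate")
            raise ValueError(f"payment {payment_id} already entered")
        self.pending[payment_id] = {"payee": payee, "amount": amount, "entered_by": user}
        self._record(user, "ENTER", payment_id, "ok")

    def release(self, user, payment_id):
        self._authorize(user, Access.RELEASE, payment_id)
        payment = self.pending.get(payment_id)
        if payment is None:
            self._record(user, "RELEASE", payment_id, "denied: not pending")
            raise KeyError(payment_id)
        if payment["entered_by"] == user:
            # Segregation of entry and release: even a user who holds both access types
            # may not release a payment they keyed themselves.
            self._record(user, "RELEASE", payment_id, "denied: same user entered it")
            raise PermissionError("entry and release must be performed by different users")
        self.released[payment_id] = {**self.pending.pop(payment_id), "released_by": user}
        self._record(user, "RELEASE", payment_id, "ok")

    def view(self, user):
        self._authorize(user, Access.READ, None)
        self._record(user, "READ", None, "ok")
        return {"pending": dict(self.pending), "released": dict(self.released)}


if __name__ == "__main__":
    queue = PaymentQueue({"alice": "clerk", "bob": "supervisor", "dan": "auditor"})
    queue.enter("alice", "P1", "Vendor A", 1200)
    try:
        queue.release("alice", "P1")          # clerk holds no RELEASE access
    except PermissionError as exc:
        print("denied:", exc)
    queue.release("bob", "P1")
    for line in queue.audit_trail:
        print(line)
```

The denied attempts are logged with the same detail as the successful ones; an audit trail that records only what was allowed cannot show the auditor who tried to exceed their authority, which is exactly what the SAS 53 extract under this requirement asks the auditor to look for.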
Citation Marcella, A.J. & Chan, S. EDI security, control, and audit. 1993.
Pages 95
Extract The primary concern [for EDI] still pivots on the reliability of an electronic record and whether an
electronic record's existence and authenticity can be validated.
Functional Requirement: 8b
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards 55.
Consideration of the Internal Control Structure in a Financial Statement Audit. Appendix D
Pages .3
Extract The objective of safeguarding assets requires that access to assets be limited to authorized
personnel. In this context, access to assets includes both direct physical access and indirect access
through the preparation or processing of documents that authorize the use or disposition of assets.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-31
Extract Logical views and other controls must be implemented to restrict user access. Without strong
access controls, the confidentiality and reliability of system information may be at risk.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 94
Extract Data should be available only to those who are authorized to receive and use the data.
Functional Requirement: 9a
Citation American Institute of Certified Public Accountants. Statements on Auditing Standards.
Communication of Internal Control Structure Related Matters Noted in an Audit. Appendix
Pages .2.
Extract Failures in the operation of the internal control structure [includes] ... Evidence of manipulation,
falsification, or alteration of accounting records or supporting documents.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-67
Extract One key risk to a network is unauthorized users gaining access to the network and trying to
execute applications or authorized users gaining access to applications for which they are not authorized.
The general risks posed to a network by an unauthorized user include unauthorized use of network
resources to transport data, modification or deletion of data, disclosure of data, and use of network
resources to deny legitimate use of services.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 94
Extract Information systems security is concerned with ensuring that data is protected against unauthorized
disclosure, modification or destruction, whether accidental or intentional.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 106
Extract ERRONEOUS RECORD KEEPING Given that the financial accounting record keeping for many
organizations is one of the key business applications run on the computer, any loss of data, distortion of
data, outdated information and human error would almost certainly result in erroneous record
keeping.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 296
Extract The data security audit in terms of the controls in place to protect the data processed by the
application system from unauthorized disclosure, modification or destruction, whether accidental or
intentional. The data security audit will have determined the adequacy of the control structure over data
files in general. The question is "are these controls in place and functioning for the application system
under review?"
Citation Marcella, A.J. & Chan, S. EDI security, control, and audit. 1993.
Pages 98-99
Extract To demonstrate to a court that a computer-originated document is admissible evidence, taxpayers
(or their representatives) must fulfill four requirements. They must prove ... 4. That the system was
reliable enough to ensure accurate and complete recall of finalized documents and, in particular, that
there was no possibility that the document could be tampered with after their finalization.
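The fourth requirement above (that a finalized document could not have been altered afterwards) is usually met with a seal computed over the record at the moment of finalization and checked whenever the record is recalled. The following is an added illustration, not text or code from Marcella and Chan or from this page: the record fields, the demonstration key and the canonical JSON form are all constructed here, and HMAC-SHA256 is one reasonable choice of seal, not one the cited source prescribes.

```python
"""Sealing a finalized record so that later tampering is detectable.

Added illustration; not code from the cited source or the original page.
Record fields, key and canonical form are constructed for this example.
"""
import hashlib
import hmac
import json


def canonical_bytes(record: dict) -> bytes:
    # Sorted keys and fixed separators: identical content always yields identical bytes,
    # so a re-serialised copy with a different key order still verifies.
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def finalize(record: dict, key: bytes) -> str:
    """Return the seal to be stored alongside the finalized record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, seal: str, key: bytes) -> bool:
    """True only if the record is, field for field, what was sealed under this key."""
    expected = finalize(record, key)
    return hmac.compare_digest(expected, seal)  # constant-time comparison


# Constructed demonstration key. Whoever holds the key can re-seal a changed record,
# so in practice the key belongs to a party or hardware module separate from the
# people who can write to the record store.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed finalized document.
FINAL_DOC = {
    "doc_id": "INV-1001",
    "customer": "A",
    "amount_cents": 15_000,
    "finalized": "1996-07-03",
}


def demo() -> dict[str, bool]:
    """Seal the document once, then check it, an altered copy, a reordered copy
    and a check made with the wrong key."""
    seal = finalize(FINAL_DOC, SEAL_KEY)
    altered = dict(FINAL_DOC, amount_cents=1_500)                       # one digit changed after finalization
    reordered = {k: FINAL_DOC[k] for k in reversed(list(FINAL_DOC))}    # same content, different key order
    return {
        "original": verify(FINAL_DOC, seal, SEAL_KEY),
        "altered": verify(altered, seal, SEAL_KEY),
        "reordered": verify(reordered, seal, SEAL_KEY),
        "wrong_key": verify(FINAL_DOC, seal, b"other-key"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} {'verifies' if ok else 'REJECTED'}")
```

The seal proves only that the stored bytes match what was sealed; it says nothing about whether the content was correct when finalized, which is what the other three requirements in the extract address.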
Functional Requirement: 9b
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991.
Pages 7-23
Extract Specific risk considerations that apply to EUC [End User Computing] include the following:
A user may access database files directly and independently of the program. Files may be rearranged, or
data may be changed or deleted. The structure of the database may be compromised, and its continued
operation may be unreliable.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
7, End-user and Dept. Computing, 1991
Pages 7-25
Extract Some specific areas of spreadsheet risk include the following ... Spreadsheets tend to grow quickly
and uncontrollably, often with no record of changes. Structural changes implemented at a later date can
often change correct data into incorrect data, especially when successive changes are not
documented.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-61
Extract When the data of one system are manipulated or data are added or deleted to accommodate the
new system (whether done programmatically or manually), controls should be in place to ensure that
data are converted accurately and completely.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems
Pages 6-54
Extract Additional EFT Controls -- Additional control features specific to an EFT system may include the
following: ... Use of multi-part transfer request forms to facilitate verification and prevent unauthorized
changes.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 17
Extract EDI translation software typically includes these security and control provisions * Routines that
are designed to facilitate sequencing of both sending and receiving EDI transmissions for which (1)
sending translations provide error correction, suspense file maintenance, and transmission compression;
and (2) receiving translations provide translation verification from public standard format to internal
format, as well as provisions for detecting "dropped" data via record control counts.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 129
Extract Auditors should consider how processing might go wrong, given the additional opportunities for
error that the EDI translation and communications software layers introduce. For example, with respect
to the control objective of ensuring that all transactions that should be recorded are recorded, the
possibility that transactions might be lost between the business application and the translation software
or vice versa must be addressed.
Functional Requirement: 9c
Citation Institute of Internal Auditors Research Foundation. Systems Auditability and Control Report.
Module 2 Audit and Control Environment
Pages 2-20
Extract A complete audit trail is a key output control. The audit trail is a set of processing references,
data, reports or logic documentation that enables the tracking of transaction processing from its source
to inclusion in the organization's records or tracing of any result of processing back to its origin. The
audit trail should allow tracking in both directions.
Functional Requirement: 9c2
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract RISKS AND CONTROLS The risks associated with EDI applications include the following: ...
Controls to mitigate these risks include the following: * Activity logging
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-90,91,92
Extract The internal auditor should perform the following steps when reviewing controls over EDI
applications: * Verify that reconciliation/balancing and error detection/correction procedures are
adequate to ensure that processing is complete, accurate, and timely. * Review the adequacy of the
audit trail, including the completeness of activity logging and file retention requirements.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
9, Security, 1991
Pages 9-52
Extract The evaluation of all types of software should assure that the following objectives are met: * An
audit trail of all significant activity is maintained.
Functional Requirement: 10
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-94
Extract Risks and Controls Associated With E-Mail (Controls) * Policy for destruction at destination of
data at predefined intervals
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 96
Extract Records should be kept long enough to satisfy business (operational, administrative, financial, and
historical), statutory, and regulatory requirements. Records for which no legal requirements exist should
be destroyed after a reasonable period, based on an organization's specific business needs. Some
experts recommend three years as an adequate standard retention period.
Functional Requirement: 11
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards . 1995
Pages 7.16
Extract The use of transaction counts, control totals, and hash totals provides a basis for determining
whether all transactions initially documented have been transferred to another processing point or
recorded in a book of original entry.
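Transaction counts, control totals and hash totals are all computed at the point of origin, documented with the batch, and recomputed at the next processing point; a mismatch means records were lost, duplicated or altered in between. The same check answers the EDI concern about detecting "dropped" data via record control counts and gives the sender and receiver of a transmission their mutual assurance. The following is an added illustration, not text or code from the GAAS Guide or from this page: the record layout, field names and sample batch are constructed, and the SHA-256 digest over the record stream is an addition beyond the three arithmetic controls the extract names, included to show what they cannot catch.

```python
"""Batch completeness checks: transaction count, control total, hash total.

Added illustration; not code from the cited source or the original page.
Record layout, field names and sample transactions are constructed.
"""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: int        # non-financial numeric field, feeds the hash total
    amount_cents: int   # financial field, feeds the control total


@dataclass(frozen=True)
class BatchControls:
    count: int            # transaction count
    control_total: int    # sum of the amounts
    hash_total: int       # sum of account numbers: meaningless as a figure, useful as a check
    digest: str           # SHA-256 over the canonical record stream (added, order-sensitive)


def canonical(t: Txn) -> bytes:
    """Fixed serialisation so both processing points hash identical bytes."""
    return f"{t.txn_id}|{t.account}|{t.amount_cents}\n".encode()


def compute_controls(batch: list[Txn]) -> BatchControls:
    h = hashlib.sha256()
    for t in batch:
        h.update(canonical(t))
    return BatchControls(
        count=len(batch),
        control_total=sum(t.amount_cents for t in batch),
        hash_total=sum(t.account for t in batch),
        digest=h.hexdigest(),
    )


def reconcile(expected: BatchControls, received: list[Txn]) -> list[str]:
    """Compare the controls documented at the source with those recomputed at
    the next processing point. An empty list means the batch balances."""
    got = compute_controls(received)
    failures = []
    if got.count != expected.count:
        failures.append(f"count: got {got.count}, expected {expected.count}")
    if got.control_total != expected.control_total:
        failures.append(f"control total: got {got.control_total}, expected {expected.control_total}")
    if got.hash_total != expected.hash_total:
        failures.append(f"hash total: got {got.hash_total}, expected {expected.hash_total}")
    if got.digest != expected.digest:
        failures.append("digest: record stream differs from what was documented")
    return failures


# Constructed sample batch, as documented at the point of origin.
SENT = [
    Txn("T001", 41001, 12_500),
    Txn("T002", 41002, 7_300),
    Txn("T003", 41003, 99_000),
]
SENT_CONTROLS = compute_controls(SENT)


def scenarios() -> dict[str, list[str]]:
    """Reconcile the documented controls against several received batches."""
    dropped = SENT[:2]                                          # T003 lost in transfer
    altered = [SENT[0], Txn("T002", 41022, 7_300), SENT[2]]     # one account number mis-keyed
    # Two account numbers exchanged between records: count, control total and
    # hash total all still balance because the multiset of values is unchanged.
    # Only the digest, which is order- and position-sensitive, detects it.
    swapped = [SENT[0], Txn("T002", 41003, 7_300), Txn("T003", 41002, 99_000)]
    return {
        "intact": reconcile(SENT_CONTROLS, SENT),
        "dropped": reconcile(SENT_CONTROLS, dropped),
        "altered": reconcile(SENT_CONTROLS, altered),
        "swapped": reconcile(SENT_CONTROLS, swapped),
    }


if __name__ == "__main__":
    for name, failures in scenarios().items():
        print(f"{name:8s} {'balances' if not failures else '; '.join(failures)}")
```

The arithmetic totals are cheap and catch loss, duplication and most keying errors; they do not catch compensating changes, which is why a digest or seal over the record stream belongs beside them when the transfer crosses a trust boundary.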
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
5, Managing Info. & Developing Systems, 1991
Pages 5-61
Extract From the planning process through implementation, users should be responsible for the planning of
activities such as the following: Participating with the IS department in developing a data conversion
cross-reference map that correlates data values on the current system to corresponding data values in the
new system.
Functional Requirement: 12a
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 94
Extract Not only must the information systems security measures control the availability of data, they must
also ensure that the data is available in the first place. Unavailability of data may be as a result of a
loss of data for reasons previously defined. It may also be the case that the data exists but has not been
set up to be accessed by those who have a legitimate need for access. Unavailability in this situation
may simply be the result of having set the wrong access levels for particular individuals.
Citation Ian B. Gilhooley Information Systems Management, Control and Audit (Altamonte Springs, Fla.:
The Institute of Internal Auditors 1991)
Pages 338
Extract LACK OF ACCESSIBILITY The final objective of data management is to make information
available to those who have a right to this information. A great deal of time is spent discussing the
prevention of access. However, just as much thought should go into the granting of access and making
sure that barriers to access are not built inadvertently. Barriers to access can result from a variety of
reasons, including: * The data is not available within the data base. * The user has not been
granted access to the data elements that produce the required information. * The data base has been
structured incorrectly. For example, allowing users access to information to which they are entitled
would mean having to grant access to data to which they are not entitled.
Functional Requirement: 12b
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-56
Extract Manual or automated controls should be in place when data are transmitted to assure the sender
that the data were received and to assure the receiver that all records were transmitted.
Functional Requirement: 12c
Citation "Internal Control Structure" Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement
of Generally Accepted Auditing Standards . 1995
Pages 7.64
Extract A transaction trail is a chain of documentation that connects an account balance or other summary
results with its related original transactions or calculations.
Citation Bailey, Larry P. Miller GAAS Guide: A Comprehensive Restatement of Generally Accepted
Auditing Standards. 1995
Pages 8.12
Extract Transaction Trails. A transaction trail is a chain of documentation that connects an
account balance or other summary results with its related original transaction or calculations.
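The transaction trail defined here and the two-way audit trail under requirement 9c are the same structure seen from opposite ends: every posting carries a reference to its source document, so a balance can be decomposed into the documents that produced it, and a document can be followed into the records. The following is an added illustration, not text or code from the GAAS Guide, the SAC Report or this page: the documents, accounts and amounts are constructed, and the sign convention (positive debit, negative credit) is an assumption of the example.

```python
"""Two-way audit trail: source document -> postings -> account balance, and back.

Added illustration; not code from the cited sources or the original page.
Documents, accounts and amounts are constructed; the sign convention is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SourceDoc:
    doc_id: str
    description: str


@dataclass(frozen=True)
class Posting:
    posting_id: str
    doc_id: str        # reference to the originating document: the trail link
    account: str
    amount_cents: int  # +debit / -credit (assumed convention)


class Ledger:
    def __init__(self) -> None:
        self.docs: dict[str, SourceDoc] = {}
        self.postings: dict[str, Posting] = {}
        self.by_doc: defaultdict[str, list[str]] = defaultdict(list)
        self.by_account: defaultdict[str, list[str]] = defaultdict(list)
        self.activity_log: list[str] = []

    def record(self, doc: SourceDoc, postings: list[Posting]) -> None:
        """Record a document and its postings; refuse unbalanced or unlinked entries."""
        if sum(p.amount_cents for p in postings) != 0:
            raise ValueError(f"{doc.doc_id}: postings do not balance")
        if any(p.doc_id != doc.doc_id for p in postings):
            raise ValueError(f"{doc.doc_id}: posting does not reference its source document")
        self.docs[doc.doc_id] = doc
        for p in postings:
            self.postings[p.posting_id] = p
            self.by_doc[doc.doc_id].append(p.posting_id)
            self.by_account[p.account].append(p.posting_id)
            self.activity_log.append(f"POST {p.posting_id} {p.account} {p.amount_cents} src={doc.doc_id}")

    def balance(self, account: str) -> int:
        return sum(self.postings[pid].amount_cents for pid in self.by_account[account])

    def trace_forward(self, doc_id: str) -> list[Posting]:
        """Source document -> every posting it produced (its inclusion in the records)."""
        return [self.postings[pid] for pid in self.by_doc[doc_id]]

    def trace_backward(self, account: str) -> list[tuple[Posting, Optional[SourceDoc]]]:
        """Account balance -> the postings composing it -> their source documents.
        A None document means the trail dead-ends at that posting."""
        return [(self.postings[pid], self.docs.get(self.postings[pid].doc_id))
                for pid in self.by_account[account]]

    def trail_gaps(self) -> list[str]:
        """Postings whose source document is missing: the trail breaks there."""
        return [pid for pid, p in self.postings.items() if p.doc_id not in self.docs]


def build_sample() -> Ledger:
    """Constructed sale and its subsequent payment."""
    led = Ledger()
    led.record(SourceDoc("INV-1001", "Sale to customer A"), [
        Posting("P1", "INV-1001", "Accounts Receivable", 15_000),
        Posting("P2", "INV-1001", "Revenue", -15_000),
    ])
    led.record(SourceDoc("RCPT-2001", "Payment received from customer A"), [
        Posting("P3", "RCPT-2001", "Cash", 15_000),
        Posting("P4", "RCPT-2001", "Accounts Receivable", -15_000),
    ])
    return led


def inject_unlinked_posting(led: Ledger) -> list[str]:
    """Write a posting straight into the files, bypassing record(), the way direct
    file access under end-user computing would. Returns the resulting trail gaps."""
    p = Posting("P9", "UNKNOWN", "Cash", 2_000)
    led.postings[p.posting_id] = p
    led.by_account[p.account].append(p.posting_id)
    return led.trail_gaps()


if __name__ == "__main__":
    led = build_sample()
    print("AR balance:", led.balance("Accounts Receivable"))
    for p, d in led.trace_backward("Accounts Receivable"):
        print(f"  {p.posting_id} {p.amount_cents:>7} <- {d.doc_id if d else 'MISSING'}")
    print("gaps after bypass:", inject_unlinked_posting(led))
```

The trail is only as good as the reference field: a posting written around the application, as in the last function, changes the balance while leaving nothing to trace back to, which is exactly what the audit-trail review and the activity log are meant to surface.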
Functional Requirement: 13
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
6, Business Systems, 1991
Pages 6-40
Extract This section addresses the risk considerations and control features of an IHRIS that should be
evaluated by the internal auditor. Because disbursement systems involve financial payments, they are
prone to misuse. Consequently, it is critical to ensure that these systems are used properly and that
payments are controlled, accurate, and timely. The risk considerations and consequences are as follows:
* Privacy violation (e.g., salaries and personnel or medical data are not kept confidential)
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-49
Extract Report distribution procedures should be designed to protect the confidentiality of data on reports
and to ensure that reports are accurately labeled and properly distributed. Computer operations staff
must be aware of the sensitive nature of some of the information handled. In organizations where
reports are not printed but are distributed electronically in "soft copy," care must be exercised when
determining who can access the reports.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
4, Managing Computer Resources, 1991
Pages 4-108
Extract Examine system logs of accesses to sensitive files or libraries to determine that access is restricted
to appropriate individuals.
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module
8, Telecommunications, 1991
Pages 8-54,55
Extract The risk and control considerations relative to the scenarios described above are discussed in the
following sections: * Reduced data confidentiality - An external user who is authorized for specific data
may gain access to confidential databases or data files to which he/she is not authorized.
Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts:
Artech House 1993)
Pages 127
Extract The most serious security failures include: * Disclosure of confidential data--more data is
maintained in electronic form in EDI systems than in other systems, thus increasing the risk of
disclosure; * Failure of computer hardware and software;
Last Modified: 7/3/96 [kjb]
Additional Warrant by Professions: Lawyers | Records Managers | Information Technologists | Managers | Medical Professions