Relevant auditing standards
References will be made throughout this article to the most recent guidance in standards:
- ISA 300 (Redrafted) Planning an Audit of Financial Statements
- ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment
- ISA 330 (Redrafted) The Auditor’s Responses to Assessed Risks.
Internal controls in a computer environment
The two main categories are application controls and general controls.
Application controls
These are manual or automated procedures that typically operate at a business process level and apply to the processing of transactions by individual applications. Application controls can be preventative or detective in nature and are designed to ensure the integrity of the accounting records.
Accordingly, application controls relate to procedures used to initiate, record, process and report transactions or other financial data. These controls help ensure that transactions occurred, are authorised and are completely and accurately recorded and processed (ISA 315 (Redrafted)).
Application controls apply to data processing tasks such as sales, purchases and wages procedures and are normally divided into the following categories:
(i) Input controls
Examples include batch control totals and document counts, as well as manual scrutiny of documents to ensure they have been authorised. An example of the operation of batch controls using accounting software would be the checking of a manually produced figure for the total gross value of purchase invoices against that produced on screen when the batch-processing option is used to input the invoices. This total could also be printed out to confirm the totals agree.
The most common example of programmed controls over the accuracy and completeness of input is the edit (data validation) check, where the software validates the data fields included on transactions by performing:
- Reasonableness check, eg net wage to gross wage
- Existence check, eg that a supplier account exists
- Character check, eg that there are no alphabetical characters in a sales invoice number field
- Range check, eg no employee’s weekly wage is more than $2,000
- Check digit, eg an extra character added to the account reference field on a purchase invoice to detect mistakes such as transposition errors during input.
When data is input via a keyboard, the software will often display a screen message if any of the above checks reveal an anomaly, eg ‘Supplier account number does not exist’.
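The five edit checks above applied to a purchase-invoice transaction, as an added example that is not from the article. The field names, the supplier master file and the weighted modulus-11 check-digit scheme are assumptions made for this example; the reasonableness check here compares gross to net on an invoice rather than net wage to gross wage.

```python
# Added example (not from the article): programmed edit checks on a purchase invoice.
# Field names, the supplier master list, the net-amount limit and the modulus-11
# check-digit scheme are all assumptions for this example.

def mod11_check_digit(ref):
    """Weighted modulus-11 check digit over the digits of an account reference.
    Weights run 2, 3, 4, ... from the rightmost digit; 10 is written as 'X'."""
    total = sum(int(d) * w for d, w in zip(reversed(ref), range(2, len(ref) + 2)))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)

def with_check_digit(ref):
    """Append the check digit to a bare reference, as the master file would store it."""
    return ref + mod11_check_digit(ref)

# Constructed supplier master file: two authorised account references with check digits.
SUPPLIER_MASTER = {with_check_digit("10234"), with_check_digit("77810")}

def edit_checks(tx, supplier_master=SUPPLIER_MASTER, max_net=50000):
    """Return the screen messages an operator would see; an empty list means the
    transaction passes all five edit checks."""
    errors = []
    acct = str(tx.get("supplier_account", ""))
    # Check digit: the last character must equal the digit recomputed from the rest,
    # so a transposition such as 10234 -> 10324 is caught before the account lookup.
    if len(acct) < 2 or mod11_check_digit(acct[:-1]) != acct[-1]:
        errors.append("Supplier account number fails check digit")
    # Existence check: the account must be on the supplier master file.
    elif acct not in supplier_master:
        errors.append("Supplier account number does not exist")
    # Character check: the invoice number field must be numeric only.
    if not str(tx.get("invoice_number", "")).isdigit():
        errors.append("Invoice number contains non-numeric characters")
    # Range check: the net amount must be positive and within the authorised limit.
    net = tx.get("net", 0)
    if not (0 < net <= max_net):
        errors.append(f"Net amount {net} outside range 0-{max_net}")
    # Reasonableness check: gross must be at least net and at most net plus 25% tax.
    gross = tx.get("gross", 0)
    if gross < net or gross > net * 1.25:
        errors.append("Gross amount unreasonable relative to net")
    return errors
```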
(ii) Processing controls
An example of a programmed control over processing is a run-to-run control. The totals from one processing run, plus the input totals for the second processing run, should equal the result from the second processing run. For instance, the opening balances on the receivables ledger plus the sales invoices (processing run 1) less the cheques received (processing run 2) should equal the closing balances on the receivables ledger.
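The receivables run-to-run control described above, as an added example that is not from the article. The account numbers and amounts are constructed, and the `drop` parameter is an assumed fault injection that simulates a record lost during the cheque run so that the control has something to detect.

```python
# Added example (not from the article): run-to-run control over the receivables ledger.
# Opening balances, invoices and cheques are constructed sample data; `drop` is an
# assumed fault injection used only to show the control detecting a lost record.

def post_transactions(balances, transactions, sign, drop=None):
    """Apply one processing run to the ledger. `drop` (constructed fault) skips the
    transaction at that index, as a run that lost a record mid-way would."""
    posted = dict(balances)
    for i, (acct, amount) in enumerate(transactions):
        if i == drop:
            continue
        posted[acct] = posted.get(acct, 0) + sign * amount
    return posted

def batch_total(transactions):
    """Input control total, prepared independently from the source documents."""
    return sum(amount for _, amount in transactions)

def run_to_run_check(opening, invoices, cheques, closing):
    """Run-to-run control: opening ledger total + invoice batch total
    - cheque batch total must equal the closing ledger total produced by run 2.
    Returns the unreconciled difference; 0 means the runs agree."""
    expected = sum(opening.values()) + batch_total(invoices) - batch_total(cheques)
    return expected - sum(closing.values())

OPENING = {"C001": 500, "C002": 1200}                       # constructed opening balances
INVOICES = [("C001", 300), ("C003", 450), ("C002", 100)]   # processing run 1 input
CHEQUES = [("C002", 1200), ("C001", 500)]                  # processing run 2 input

def demo(drop=None):
    """Run both processing runs and return the control difference."""
    after_run1 = post_transactions(OPENING, INVOICES, +1)
    closing = post_transactions(after_run1, CHEQUES, -1, drop=drop)
    return run_to_run_check(OPENING, INVOICES, CHEQUES, closing)
```

A non-zero difference tells the operator which run to investigate: it equals the value of the record the run lost, with the sign showing whether it was an invoice or a cheque.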
(iii) Output Controls
Batch processing matches input to output, and is therefore also a control over processing and output. Other examples of output controls include the controlled resubmission of rejected transactions, or the review of exception reports (eg the wages exception report showing employees being paid more than $1,000).
(iv) Master file and standing data controls
Examples include one-for-one checking of changes to master files, eg customer price changes are checked to an authorised list. A regular printout of master files such as the wages master file could be forwarded monthly to the personnel department to ensure employees listed have personnel records.
General controls
These are policies and procedures that relate to many applications and support the effective functioning of application controls. They apply to mainframe, mini-frame and end-user environments. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:
- Data centre and network operations
- System software acquisition, change and maintenance
- Program change
- Access security
- Application system acquisition, development, and maintenance (ISA 315 (Redrafted))
‘End-user environment’ refers to the situation in which the users of the computer systems are involved in all stages of the development of the system.
(i) Administrative controls
Controls over ‘data centre and network operations’ and ‘access security’ include those that:
- Prevent or detect errors during program execution, eg procedure manuals, job scheduling, training and supervision; all these prevent errors such as using wrong data files or wrong versions of production programs
- Prevent unauthorised amendments to data files, eg authorisation of jobs prior to processing, back up and physical protection of files and access controls such as passwords
- Ensure the continuity of operations, eg testing of back-up procedures, protection against fire and floods.
(ii) System development controls
The other general controls referred to in ISA 315 cover the areas of system software acquisition, development and maintenance; program change; and application system acquisition, development and maintenance.
‘System software’ refers to the operating system, database management systems and other software that increases the efficiency of processing. Application software refers to particular applications such as sales or wages. The controls over the development and maintenance of both types of software are similar and include:
- Controls over application development, such as good standards over the system design and program writing, good documentation, testing procedures (eg use of test data to identify program code errors, pilot running and parallel running of old and new systems), as well as segregation of duties so that operators are not involved in program development
- Controls over program changes: To ensure no unauthorised amendments and that changes are adequately tested, eg password protection of programs, comparison of production programs to controlled copies and approval of changes by users
- Controls over installation and maintenance of system software: Many of the controls mentioned above are relevant, eg authorisation of changes, good documentation, access controls and segregation of duties.