Internal Control III Computer related issues October 20, 2009.

Today we will…
1. Review some of the control exposures that relate to computerized environments.
2. Compare computerized and non-computerized control issues.
3. Discuss some controls that are specific to computerized environments.
4. Discuss ERP systems and the control issues they present.

Exposures in a computerized environment
1. Errors in data entry.
2. Natural catastrophes.
3. Theft or fraud using a computer.
4. Theft of equipment and unauthorized use.
5. Theft of data.
6. Viruses.

Errors in data entry
Any time a human and a computer interact, there is a possibility of miscommunication because we don’t speak the same language.
1. Data entry personnel do not understand the interface.
2. Data entry personnel make “typing” mistakes.
3. Data entry personnel enter incomplete information.
What can be done about these problems?

Reducing data entry errors
– Use encoded turnaround documents when possible. (preventive control)
– Make manual entry as intuitive as possible. (preventive control)
– Use UPC or RFID codes when possible. (preventive control)
– Include data checks and feedback, such as showing the full customer name and address when a customer’s “number” is input. (detective control)

Natural catastrophes
I include in this category all technical breakdowns that are not attributable to operator error or fraud. Power outages or network failures are examples. We need corrective plans here, since these are unintentional and unforeseeable in a specific sense (you can foresee the possibility, but not the specific occurrence). We look for either backup and recovery plans or an alternative system. Many vendors offer downtimes of an hour or less (such as Oracle). How often do you save your files, and how many “past” generations do you keep?

Theft or fraud using a computer The first two exposures related to unintentional errors or problems in a computerized environment. Now we will discuss theft and fraud in a computerized environment. Computerized environments are especially vulnerable to theft and fraud because you cannot “see” the data. With complex data structures, it is sometimes difficult to put the data back together (one of the tasks of the A523 project) in the desired way - because different components of a transaction are, perhaps, stored in different files - even different servers. In addition, access to the records may occur from another location.

How is theft perpetrated?
1. A programmer might include code that diverts money to them directly or that allows them re-entry (a trojan horse).
2. A hacker might, from a remote location, break into the system using stolen or guessed passcodes and steal company resources.
3. A user might steal cash or other assets and then find a way to alter the accounting database records to hide the theft.

How can theft be prevented?
1. Programs should be “tested”, and the original programs should be kept in a secure place for comparison. In other words, you can’t just audit around the computer. The programs themselves need to be periodically reviewed. This ensures the integrity of the programming and keeps programmers from successfully stealing from the company.
2. Sophisticated network security is essential for the protection of computerized systems. Have you noticed that your computer has to be registered in order to use it on campus? If you can control access to certain areas by requiring that access be obtained only from recognized computers, then you have created a responsibility chain. In addition, encrypted information transmission is essential for sensitive data.
3. Access to recording should be restricted to authorized personnel. Entries should never be able to be deleted without an audit trail. Each user should only see the “areas” for which they are authorized in menu-driven systems.

Theft of equipment and unauthorized use
Computer assets (the physical assets) are valuable and typically contain important information. We used to be concerned about people using our hardware without authorization, because computer “time” was unbelievably expensive: an hour of CPU time used to cost many thousands of dollars. That has changed with the change in computer architecture. Laptops are easy to steal, as are Palm Pilots and other equipment. Equipment is now independent (stand-alone).

Preventing unauthorized access and equipment theft
1. Equipment should be locked up if possible (physical access should be restricted). In the case of laptops, responsibility for security should be assigned to an individual.
2. Access to files should be restricted by password and physical access requirements, and limited to activities that leave a trail.
3. Many companies have “computer logs” generated to see if employees are misusing their computers (for pornography or playing games).

Theft of data
1. Theft of sensitive data is an important problem in the computerized environment, partially because it is not always evident that it was taken.
2. Hackers broke into a bank computer and stole customer credit information and used it to steal customer identities.
3. A company engaged in industrial espionage by stealing another company’s proprietary data.

Viruses Viruses can shut down the availability of a computer (causing a business interruption). They can also destroy important files.

Comparison of computerized and non-computerized control issues

Controls in computerized environments
1. Data entry using prerecorded data
2. Edit checks (data checks)
3. Batch processing controls
4. Access controls
5. Computer generated (and numbered) forms

Data entry using prerecorded data
Data entry of turnaround documents, particularly if they are machine readable, is less prone to error. UPC codes at the grocery store are an example, as is a magnetically encoded remittance advice. In addition, when an item (a remittance advice or an item at the grocery store) is scanned in, some display containing reconcilable information is typically provided, further minimizing the potential for erroneous data entry.

Edit checks
When data are entered, the data codes frequently contain a check digit that makes sure that the data were entered (and stored) correctly.
– When the number is stored in a database, an additional digit might be added to the end: =15, and 1+5=6, so the number would be stored as (this is an intuitive analogy to what is actually happening).
This can be used for any data, since any data can be converted to a numeric value (we call the code ASCII). Also, we do “reasonableness” checks on the data: amount sizes, formats, etc.
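The following is an added example, not code from the slides. It implements the intuitive digit-sum check digit the slide describes and, going a step beyond the slide, the mod-10 (Luhn) check digit used in practice for account and card numbers, then simulates the two most common keying errors to show which scheme rejects which. A small reasonableness check on a receipt amount is included; the amount ceiling is a constructed value.

```python
"""Edit checks on keyed data: check digits plus a reasonableness check.

Added example (not from the slides). The digit-sum scheme reproduces the
slide's intuitive description; the mod-10 (Luhn) scheme is the one commonly
used for account and card numbers and is included for comparison.
"""
from decimal import Decimal


def digit_sum_check_digit(body: str) -> str:
    """Slide's intuitive scheme: add the digits and reduce the sum to one digit
    (a sum of 15 becomes 1 + 5 = 6)."""
    total = sum(int(ch) for ch in body)
    while total >= 10:
        total = sum(int(ch) for ch in str(total))
    return str(total)


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit. Starting with the digit nearest the check
    position, every second digit is doubled (subtracting 9 when the double
    exceeds 9); the check digit brings the total to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def encode(body: str, scheme) -> str:
    """Code as it would be stored: the body followed by its check digit."""
    return body + scheme(body)


def validate(code: str, scheme) -> bool:
    """Recompute the check digit from the body and compare it with the last digit."""
    if len(code) < 2 or not code.isdigit():
        return False
    return scheme(code[:-1]) == code[-1]


def keying_error_report(body: str) -> dict:
    """Store one code under both schemes, then simulate the two most common
    keying errors (one wrong digit, two adjacent digits swapped) and record
    whether each scheme rejects the mistyped code. Uses the first two digits,
    so the body should start with two different digits for the swap to matter."""
    report = {}
    for name, scheme in (("digit_sum", digit_sum_check_digit), ("luhn", luhn_check_digit)):
        stored = encode(body, scheme)
        one_wrong = str((int(stored[0]) + 1) % 10) + stored[1:]  # first digit mistyped
        swapped = stored[1] + stored[0] + stored[2:]              # first two digits transposed
        report[name] = {
            "stored": stored,
            "catches_substitution": not validate(one_wrong, scheme),
            "catches_transposition": not validate(swapped, scheme),
        }
    return report


def reasonableness_check(amount, max_amount) -> list:
    """Reasonableness edit on a receipt amount: must be positive, carry at most
    two decimal places, and not exceed a configured ceiling (constructed limit).
    Returns the list of problems found (empty means the amount passes)."""
    amount, max_amount = Decimal(str(amount)), Decimal(str(max_amount))
    problems = []
    if amount <= 0:
        problems.append("amount must be positive")
    if amount != amount.quantize(Decimal("0.01")):
        problems.append("amount has more than two decimal places")
    if amount > max_amount:
        problems.append(f"amount exceeds ceiling of {max_amount}")
    return problems


if __name__ == "__main__":
    for scheme, result in keying_error_report("12345").items():
        print(scheme, result)
    print(reasonableness_check("125000.005", "50000"))
```

Run on the constructed body 12345, the digit-sum scheme catches the mistyped digit but passes the transposed code unchanged (the digits still add to 15), while the Luhn digit rejects both. That is the practical reason position-weighted schemes replaced plain digit sums.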

Batch processing controls
Batch totals
– Record counts and line counts
– Document counts
– Dollar totals (the total of Cash Receipts)
– Hash totals (like an edit check)
Sequence checks
Written approvals
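As an added example (not from the slides), the block below computes the batch totals listed above for a constructed batch of cash receipts, reconciles them against totals recomputed after processing, and runs a sequence check on the document numbers. The receipts, customer numbers and the two simulated processing failures are all constructed.

```python
"""Batch control totals and a sequence check over a batch of cash receipts.

Added example, not from the slides. The batch below is constructed; in
practice the control totals are taken from the clerk's input documents
before processing and compared with totals recomputed afterwards.
"""
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Receipt:
    doc_no: int          # remittance advice number
    customer_no: int     # customer account number
    amount: Decimal      # cash received


# Constructed sample batch as prepared by the clerk.
BATCH: List[Receipt] = [
    Receipt(1001, 40017, Decimal("125.00")),
    Receipt(1002, 40022, Decimal("980.50")),
    Receipt(1003, 40017, Decimal("64.25")),
    Receipt(1004, 40031, Decimal("1500.00")),
]


def batch_totals(receipts: List[Receipt]) -> Dict[str, object]:
    """The totals the slide lists. The hash total adds a field with no monetary
    meaning (customer numbers) purely so that a miskeyed number changes it."""
    return {
        "record_count": len(receipts),
        "document_count": len({r.doc_no for r in receipts}),
        "dollar_total": sum((r.amount for r in receipts), Decimal("0")),
        "hash_total": sum(r.customer_no for r in receipts),
    }


def reconcile(control: Dict[str, object], processed: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Compare totals taken when the batch was prepared with totals recomputed
    after processing; return only the totals that disagree."""
    return {k: (control[k], processed[k]) for k in control if control[k] != processed[k]}


def sequence_check(receipts: List[Receipt]) -> Tuple[List[int], List[int]]:
    """Document numbers should be consecutive and unique: report gaps and duplicates."""
    nums = sorted(r.doc_no for r in receipts)
    if not nums:
        return [], []
    present = set(nums)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in present]
    duplicates = sorted({n for n in nums if nums.count(n) > 1})
    return missing, duplicates


# Two constructed processing failures, to show which total catches which.
DROPPED_RECORD = BATCH[:3]                                               # last receipt lost in processing
MISKEYED_CUSTOMER = [replace(BATCH[0], customer_no=40071)] + BATCH[1:]   # 40017 keyed as 40071


if __name__ == "__main__":
    control = batch_totals(BATCH)
    print("dropped record  ->", reconcile(control, batch_totals(DROPPED_RECORD)))
    print("miskeyed number ->", reconcile(control, batch_totals(MISKEYED_CUSTOMER)))
    print("sequence check  ->", sequence_check(BATCH + [Receipt(1006, 40022, Decimal("10.00"))]))
```

The dropped record disturbs every total, but the miskeyed customer number leaves the record count and dollar total untouched and is caught only by the hash total, which is why the slide lists it alongside the edit checks.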

Access controls
We need to limit access to our data. We do this three ways:
– Limit physical access: only networked computers can access the system.
– Limit individuals’ access using passwords.
– Prohibit direct access to the files (require that all file access be through software that leaves an audit trail). You should never be able to delete journal entries!

Computer generated forms
Whenever documents such as purchase orders, sales orders or invoices are computerized…
– The numbering system is protected. Individuals cannot manipulate the numbering system.
– Whatever information is on the document is in the database (by construction).
– Reconciliation is easier. Copies can be printed out for a permanent record.
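The access-control and computer-generated-forms points above (file access only through software that leaves an audit trail, no deletion of journal entries, numbering that users cannot manipulate, and users restricted to the functions they are authorized for) are illustrated together in this added example, which is not code from the slides. The users, their roles and the signed-amount convention (positive for debit, negative for credit) are constructed simplifications.

```python
"""Append-only journal with system-assigned entry numbers and an audit trail.

Added example, not from the slides. Users, roles and the signed-amount
convention (positive = debit, negative = credit) are constructed simplifications.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from decimal import Decimal
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Entry:
    entry_no: int                    # assigned by the system, never by the user
    account: str
    amount: Decimal
    posted_by: str
    reverses: Optional[int] = None   # entry this one cancels, if it is a reversal


class Journal:
    """Entries can only be appended. A mistake is corrected by posting a
    reversing entry that references the original; nothing is ever deleted,
    and every attempt, allowed or denied, is recorded in the audit trail."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self._roles = roles              # user -> actions that user may perform
        self._entries: List[Entry] = []
        self._audit: List[dict] = []
        self._next_no = 1

    def _log(self, action: str, user: str, entry_no: Optional[int], memo: str) -> None:
        self._audit.append({"action": action, "user": user, "entry_no": entry_no,
                            "memo": memo, "at": datetime.now(timezone.utc).isoformat()})

    def _require(self, user: str, action: str) -> None:
        """Menu-style authorization: a user only reaches the actions assigned to them."""
        if action not in self._roles.get(user, set()):
            self._log("DENIED_" + action.upper(), user, None, "")
            raise PermissionError(f"{user} is not authorized to {action}")

    def _append(self, user: str, account: str, amount, memo: str, reverses: Optional[int] = None) -> Entry:
        entry = Entry(self._next_no, account, Decimal(amount), user, reverses)
        self._next_no += 1               # protected numbering: strictly increasing, never reused
        self._entries.append(entry)
        self._log("POST", user, entry.entry_no, memo)
        return entry

    def post(self, user: str, account: str, amount, memo: str = "") -> Entry:
        self._require(user, "post")
        return self._append(user, account, amount, memo)

    def reverse(self, user: str, entry_no: int, memo: str) -> Entry:
        """The only way to undo an entry: an equal and opposite entry that points back at it."""
        self._require(user, "reverse")
        original = self.get(entry_no)
        if any(e.reverses == entry_no for e in self._entries):
            raise ValueError(f"entry {entry_no} has already been reversed")
        return self._append(user, original.account, -original.amount, memo, reverses=entry_no)

    def delete(self, *_):
        """Deletion is not an operation the journal offers."""
        raise PermissionError("journal entries cannot be deleted; post a reversing entry")

    def get(self, entry_no: int) -> Entry:
        for e in self._entries:
            if e.entry_no == entry_no:
                return e
        raise KeyError(entry_no)

    def balance(self, account: str) -> Decimal:
        return sum((e.amount for e in self._entries if e.account == account), Decimal("0"))

    def entries(self):
        return tuple(self._entries)

    def audit_trail(self):
        return tuple(self._audit)


if __name__ == "__main__":
    journal = Journal({"alice": {"post"}, "bob": {"post", "reverse"}})
    journal.post("alice", "Cash", "100.00", "customer receipt")
    journal.reverse("bob", 1, "keyed to wrong account")
    for record in journal.audit_trail():
        print(record)
```

Because the journal exposes no delete, the reversed receipt still appears as entries 1 and 2 with a zero net balance, and the denied reversal attempt by the clerk stays in the trail alongside the successful postings, which is exactly the record an auditor needs to reconstruct what happened.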

ERPs Enterprise Resource Planning systems (ERPs) are the current technological frontier. They are basically a database that encompasses most or all of the organization’s information storage and processing. Indiana University uses such a system from a vendor called PeopleSoft. Other notable vendors are SAP and Oracle. OneStart is the student and faculty interface for this system. Your grades and my paycheck are both generated from this software package. ERPs are quite powerful tools, but they have their own control issues.

ERPs Employee buy-in and training are essential. There is only one system and it is BIG. Since everything is in this one system, if someone were to find a way to compromise the system (get in where they are unauthorized), they would have unbelievable power to steal or do damage. The system is so big that it is impossible for most managers (or auditors) to really understand how it works.