MANAGEMENT CONSULTANCY - Solutions Manual
CHAPTER 33
EFFECTS OF COMPUTERS ON INTERNAL CONTROL
I. Questions
1. A computer system does not affect the overall objectives of internal
control. These objectives remain intact irrespective of the method of
data processing. Computer systems often make these objectives more
important to achieve, however, and the specific controls used to
achieve basic internal control objectives may change.
2. Computer data processing changes the ways in which functions must
be separated to maintain control. For example, whereas in a manual
system separate individuals may have been responsible for initiating
and recording transactions, in a computer system a program may
perform both functions. It now becomes important to separate
responsibility for running the program in production mode from
responsibility for modifying and maintaining the program. This
separation may be enforced physically; for example, computer
operations staff may be separated from program maintenance staff.
With minicomputers and microcomputers, however, physical separation
of duties becomes increasingly difficult to implement. The person
entering data into the system often has the capability to alter the
program being used to capture the data. In these types of situations,
software-based access controls become more important as a means of
enforcing separation of duties.
3. When resources in a computer system are shared, it is often difficult to
assign responsibility for the various functions that must be performed
to acquire, protect, use, and maintain the resource. For example, if
data is shared, it may be unclear whether each user of the data should
be allowed to assign access and modification rights to new users who
potentially are untrustworthy. Similarly, if data is corrupted, disputes
may arise over who must take responsibility for correcting the
consequential errors that have occurred.
4. In an environment of end-user computing, three types of problems can
arise when attempting to specify clear lines of authority and
responsibility. First, it is difficult to specify clearly the types of
systems that end users can develop without top management approval.
Some types of end-user systems are critical to the ongoing success of
the organization, and they should be vetted by top management.
Second, it is difficult to specify clear lines of authority and
responsibility with respect to hardware and software acquisition.
Many end users have been especially creative in their efforts to
circumvent the controls that have been put in place. Third, it may be
difficult to differentiate the responsibilities of end users from the
responsibilities of data processing personnel in terms of the many
functions that must be performed to design, implement, operate, and
maintain systems.
5. Substantial power is vested in an organization’s data processing
personnel. They have the in-depth technical knowledge that allows
them to design, implement, operate, and maintain the organization’s
data processing systems. In addition, it is difficult to implement
effective and efficient internal controls that restrict the actions they can
undertake. A malicious data processing employee can wreak havoc.
Consequently, greater reliance must be placed on the personal integrity
of the individuals employed in the data processing department.
6. In a computer system, the general authorizations are often embedded
within a program. Thus, auditors must examine and test programs to
evaluate compliance with general authorizations. Since specific
authorizations relate to high-value and critical actions undertaken by
the organization, they are often still embedded within manual systems
or the manual subsystems in a computer system. Thus, auditors
perform traditional manual auditing procedures to evaluate compliance
with these authorizations. With the growth of expert systems, however,
specific authorizations are also becoming increasingly embedded
within computer systems.
7. The primary impact of computer systems on the audit trail is that the
audit trail may no longer be visible in hard-copy form. Thus, the
computer system must be designed to capture and store the information
needed for audit trail purposes. In a well-designed computer system,
the audit trail can often be more extensive than the audit trail in a
manual system because the overheads associated with maintaining the
audit trail in a computer system are less.
8. The audit trail is disappearing in the sense that it is no longer visible in
hard-copy form. There is no evidence, however, that the quality of
audit trails has been undermined because computer systems have been
implemented. Indeed, the audit trails in computer systems can be very
comprehensive because the overheads associated with maintaining the
audit trail are low.
9. Computer systems affect the concentration of assets in an organization
in three ways. First, the organization’s major data files, which are
critical assets, are stored at a small number of locations. Second, the
hardware and software, which may represent substantial investments,
are also located in only a few places. Third, substantial knowledge
about the organization and its systems is vested in the data processing
staff who design, implement, operate, and maintain the computer
systems.
The primary effect of this concentration of assets on the system of
internal controls is to increase the importance of the individual internal
controls being in place and working. The consequences of a control
failure can be more serious.
10. In a computer system, management supervision of employees is harder
to implement. Often the tasks performed by employees are technically
complex and difficult for management to understand. In addition, many
of the tasks performed are not visible. The effects of these tasks occur
internally to the systems on which the employees work. Employees
also might be using a computer system at a remote location. As a
result, management is unable to physically observe their actions.
11. Many independent checks are carried out in manual systems to ensure
that employees are following the procedures needed to safeguard assets
and preserve data integrity. In a computer system, procedures for
safeguarding assets and preserving data integrity are often embedded in
a program. Thus, auditors must focus on the procedures in place to
ensure program code is authentic, accurate, and complete.
12. As with manual systems, auditors must prepare reports on the assets
held and compare the control totals in the reports with physical counts
of the assets that they undertake. In a computer system, however,
programs are used to prepare the reports for comparison purposes. For
example, a program sorts an inventory file by warehouse location and
prepares control totals by inventory type. Again, auditors must ensure
that controls are in place to ensure the authenticity, accuracy and
completeness of the programs used to prepare the control totals needed
for comparison purposes.
13. Compared to a manual systems environment, auditors face a greater
number of controls to be evaluated in a computer systems environment.
These controls are also more complex and diverse. Some controls have
become important only with the emergence of computer technology; for
example, the cryptographic controls used to preserve the integrity of
controls in electronic funds transfer systems. With the rapid evolution
of computer technology, auditors find it increasingly difficult to keep up
with the technology and to have sufficient understanding of the controls
to be able to carry out a competent audit.
The ongoing, rapid evolution of computer technology also makes the
evidence-collection task harder. As a result of new technology, manual
evidence-collection techniques may no longer be useful. Inevitably the
development of new automated audit evidence collection techniques
lags the emergence of the technology. Auditors must use some type of
stop-gap measure in the interim.
14. The use of computers has two effects on the conduct of the evidence
evaluation function. First, given the increased complexity of computer
control technology, it is also more difficult to evaluate the
consequences of individual control strengths and weaknesses and to
perform a global evaluation of the reliability of controls. Second,
because the consequences of control weaknesses are often more serious
in a computer systems environment, auditors are under greater stress to
make accurate assessments of the reliability of controls in computer
systems.
15. A control is a system that prevents, detects, or corrects unlawful
events.
16. We must focus on controls as a system because a failure to perform one
function reliably may undermine the overall reliability of the control.
For example, if management does not check the log of failed
passwords, attempts to enter a system illegally may not be detected.
17. Controls reduce expected losses by (a) reducing the probability of
events occurring that lead to a loss, and/or (b) reducing the amount of a
loss if the loss does, in fact, eventuate.
II. Multiple Choice
 1. C    2. B    3. D    4. A    5. B
 6. C    7. B    8. A    9. D   10. C
11. C   12. B   13. C   14. A   15. A
16. A   17. B   18. A   19. B   20. D
21. D   22. D   23. B
III. Problems
Problem 1
The following controls might have prevented or detected Cruz’s activities:
(a) Cash box control procedures should have been stronger. It seems as if
Cruz had free access to the cash box. A log of deposits and
withdrawals should have been kept, which might have triggered an
investigation of Cruz’s activities.
(b) In the case of terminals having special access privileges (such as
supervisory terminals), a log of transactions should have been kept and
examined regularly by an independent person (e.g., Cruz’s manager).
(c) Accounts having little activity are always a special cause for concern
in banks because of the possibility of fraud. A sample of transactions
for low activity accounts should have been investigated.
(d) Customer complaints should have been handled by a special section,
not by Cruz. Investigations of complaints should have detected Cruz’s
activities.
(e) Checking the correspondence between deposits and the documentation
for two-year certificate accounts would have revealed that Cruz had not
recorded deposits.
(f) Controls over the issue of passbooks should have been stronger. Again,
it seems that Cruz had easy access to new passbooks. Periodically, the
documentation supporting the issue of a new passbook should have
been examined.
(g) Confirmation of customer account balances should have detected
discrepancies between customer records and bank records.
Problem 2
(a) General control features in most computer-based accounting systems
are classified as follows:
1. The plan of organization and operation of data processing activity.
2. The procedures for documenting, reviewing, testing, and approving
systems or programs and changes thereto.
3. Controls built into the equipment (i.e., hardware controls).
4. Controls over access to equipment and data files.
5. Other data and procedural controls affecting overall data
processing operations.
6. Security controls address the physical security of data processing
and disaster recovery.
(b) The purposes of the categories of application controls are as follows:
1. Input controls are designed to provide reasonable assurance that
data received for computer processing have been properly
authorized and converted into machine-readable form and
identified, and that data (including data transmitted over
communication lines) have not been lost, suppressed, added,
duplicated, or otherwise improperly changed.
2. Processing controls are designed to provide reasonable assurance
that data processing has been performed as intended for the
particular application (i.e., that all transactions are processed as
authorized, that no authorized transactions are omitted, and that no
unauthorized transactions are added).
3. Output controls are designed to ensure the accuracy of the
processing result (such as account listings or displays, reports,
magnetic files, invoices, or disbursement checks) and to ensure that
only authorized personnel receive the output.
Problem 3
In auditing Nico Corporation, Rain may be able to rely on the well-known
accounting software based on her previous experience. Using a control
copy, she can determine that an unmodified copy is being used. In the case
of Tower, Rain will have to perform extensive testing of the software or
perform a code review or other tests of the design process to determine
whether the financial statement assertions that result from the software
are valid.
Indeed, Tower’s need to be calling the developer on a regular basis should
cause Rain some concern.
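The control-copy comparison in Problem 3, which also serves the check on program authenticity, accuracy, and completeness in Question 11, can be carried out by hashing every file in both copies. The following is an added example, not part of the original solutions manual; the directory layout, file names, and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_to_control(control: Path, production: Path) -> dict[str, list[str]]:
    """Report how the production copy differs from the auditor's control copy."""
    ctl, prod = sha256_manifest(control), sha256_manifest(production)
    return {
        "modified": sorted(f for f in ctl.keys() & prod.keys() if ctl[f] != prod[f]),
        "missing": sorted(ctl.keys() - prod.keys()),     # program absent in production
        "unexpected": sorted(prod.keys() - ctl.keys()),  # program not in control copy
    }


def demo() -> dict[str, list[str]]:
    """Build constructed control and production trees, then compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        control, production = Path(tmp, "control"), Path(tmp, "production")
        files = {"ledger.py": b"post(entry)\n", "payroll.py": b"pay(emp)\n",
                 "reports/totals.py": b"sum(rows)\n"}
        for root in (control, production):
            for name, body in files.items():
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(body)
        # Constructed discrepancies: one program edited, one removed, one added.
        (production / "ledger.py").write_bytes(b"post(entry)  # locally edited\n")
        (production / "payroll.py").unlink()
        (production / "reports" / "adjust.py").write_bytes(b"adjust(rows)\n")
        return compare_to_control(control, production)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The comparison is only as trustworthy as the control copy, so that copy should come from the vendor or from the auditor's own custody rather than from the system under audit.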