
Computer controls — weaknesses?

In the February 1979 issue of Computer Fraud & Security Bulletin, computer controls were defined as: "Hardware, software and clerical procedures which ensure the completeness, accuracy and integrity of the data processed through a computer system, of the processing steps, and of the output results".

Most of the techniques used under the broad heading of computer controls have been around for more than a decade, but the view of most specialists in this field is that the techniques are seldom rigorously implemented. The majority of installations are believed to be undercontrolled, often dangerously so, mostly because of lack of in-depth training, partly because of complacency, and also because of the constant pressure to "cut corners" in terms of time and cost.

There is no "cook-book" approach to controls. It requires a sufficient knowledge of techniques and risks to develop a pattern of controls sensitive to the real needs of a system, plus a realisation that any security measures are as strong as their weakest link. Controls must therefore encompass the total system including:

- data, as regards completeness and accuracy of input, output and master files;

- programs, as regards the use of the correct version of authorised and proven programs and proper processing procedures;

- a documentation trail adequate for reconciling inputs to external records and for generally proving the integrity of the data, programs and procedures;

- a facility for correcting detected errors within an environment which is itself rigorously controlled and for reconstructing information accidentally mutilated or destroyed.

The control procedures to guard against accidental error or damage are similar but by no means identical to those for prevention of deliberate abuse. The differences will be explored in a future issue of the Bulletin.

Adequate data controls encompass controls over:

- creation, ie control over access to certain types of input source documents (such as receipt books, credit notes, wage rate increases), proper checking of information recorded on these forms, formal authorisation of these where appropriate;

- movement between persons or departments, to ensure no accidental or unauthorised combination of batch (pre-list) totals, document serial numbers, etc;

- conversion into machineable media, by means of formal verification or sight-checking procedures;

- input, to ensure completeness and accuracy of input; the input control procedures would often complement and/or reconcile to some of the earlier controls and might include programmed editing of input to ensure validity of codes, validity of self-checking digits, range tests over selected fields, item counts and accumulation of batch control totals. Also included under this heading would be tight controls over access to and usage of on-line terminals;

- master files, to provide a means for ensuring that the current opening balance equals the prior closing balance, and that the difference between these and the current closing balance is entirely accounted for by current input data and processing.
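As an added illustration, not from the Bulletin, the programmed input editing and the master-file balance control listed above expressed as a small Python check. The weighted modulus-11 self-checking digit, the constructed batch with its pre-list slip, and the per-item range limit are all assumptions.

```python
from typing import Dict, List

# Constructed batch: the pre-list slip prepared before the documents moved to
# data preparation, and the records as keyed. Account codes end in a check digit.
BATCH_SLIP = {"item_count": 3, "amount_total": 1250}
RECORDS = [
    {"account": "123455", "amount": 500},
    {"account": "987654", "amount": 700},
    {"account": "123456", "amount": 50},  # keying error: check digit does not agree
]
MAX_AMOUNT = 10000  # assumed range limit for a single item


def check_digit_ok(code: str) -> bool:
    """Weighted modulus-11 self-checking digit (assumed scheme): weights 2, 3, 4, ...
    run right to left over the payload; valid when the weighted sum plus the check
    digit is a multiple of 11. 'X' stands for a check value of 10."""
    payload, check = code[:-1], code[-1:]
    if not payload.isdigit() or check not in "0123456789X":
        return False
    check_val = 10 if check == "X" else int(check)
    weighted = sum(int(d) * w for d, w in zip(reversed(payload), range(2, len(payload) + 2)))
    return (weighted + check_val) % 11 == 0


def edit_batch(slip: Dict[str, int], records: List[Dict]) -> List[str]:
    """Programmed input editing: check digits, range test, item count, batch total."""
    errors = []
    for i, rec in enumerate(records, 1):
        if not check_digit_ok(rec["account"]):
            errors.append(f"item {i}: account {rec['account']} fails check digit")
        if not 0 < rec["amount"] <= MAX_AMOUNT:
            errors.append(f"item {i}: amount {rec['amount']} outside range")
    if len(records) != slip["item_count"]:
        errors.append(f"item count {len(records)} disagrees with slip {slip['item_count']}")
    total = sum(r["amount"] for r in records)
    if total != slip["amount_total"]:
        errors.append(f"batch total {total} disagrees with slip {slip['amount_total']}")
    return errors


def reconcile_master(prior_closing: int, opening: int, accepted: List[Dict], closing: int) -> List[str]:
    """Master-file control: opening equals prior closing, and closing minus opening
    is entirely explained by the input accepted in this cycle."""
    errors = []
    if opening != prior_closing:
        errors.append(f"opening {opening} != prior closing {prior_closing}")
    movement = sum(r["amount"] for r in accepted)
    if closing - opening != movement:
        errors.append(f"closing - opening = {closing - opening}, input accounts for {movement}")
    return errors
```

Only the third constructed record is rejected by the edit run; the count and batch total still agree with the slip, so the check digit is what catches the keying error.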

The above controls should recognise that errors can occur because of a diversity of factors including erroneous data, faulty programming, machine error or loss or distortion of data written onto magnetic storage media.

Adequate processing controls should cover:

- programs, to ensure that all programs and program changes are rigorously tested and properly authorised, that documentation is complete and current, that operational programs cannot be tampered with and that the correct version of the program is in use;

- procedures to ensure that the system is not subverted by faulty procedures, through the use of formal procedure manuals, log books, proper separation of duties, proper supervision, and careful inspection and balancing of controls and "audit trail" documentation;

- master files, to ensure usage of the correct version for each processing cycle (achieved by means of proper external labels, "header label" messages, library procedures and reconciliation of inputs to outputs).

Most control loopholes leading to system failure or fraud are the result of insufficiently rigorous attention to the above.

RESPONSIBILITIES AND POWERS OF UK EXTERNAL AUDITORS

Sometimes there is doubt over what obligations an external auditor has to detect fraud and over his powers to inspect and demand information. The following summary of Statutory Duties and Powers of UK auditors is based on a paper presented by Alec Rabarts, FCA, to a recent conference for the Institute for International Research.

AUDITOR'S STATUTORY DUTIES IN THE UK

The auditors' statutory duties, so far as companies are concerned, are set out in the Companies Acts 1948 and 1967 and include the requirements to:

(a) make a report to the members on accounts examined by the auditors (and on every balance sheet, profit and loss account and group accounts laid before members in general meeting during the period of office);

(b) state whether accounts have been properly prepared in accordance with the legislation;

(c) state whether a true and fair view is given of the company's state of affairs as at the end of its financial year;

(d) state whether a true and fair view is given of the company's profit or loss;

(e) state whether a true and fair view, so far as concerns members of the company, is given of the company's and subsidiaries' state of affairs and profit in the case of group accounts;

(f) carry out such investigations as will enable the auditor to form an opinion as to whether proper books of account have been kept by the company and proper returns adequate for their audit have been received from branches not visited by them;

(g) carry out such investigations as will enable the auditor to form an opinion as to whether the company's balance sheet and (consolidated) profit and loss account are in agreement with the

Computer Fraud & Security Bulletin, Vol.1 No.8, p. 7