Information Technology Control Questionnaire

Rob Reider

The Journal of Corporate Accounting & Finance, July/August 2010. © 2010 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20607

Most businesses now process their financial transactions through a PC computer system. But there are special control considerations where computers are used to process financial and accounting data. How secure are your firm's PC controls? Answer the information technology control questionnaire in this article and find out.

Most businesses, from the relatively large public company to the small privately held business, process their financial transactions through a PC computer system, on a network or stand-alone basis. These entities, both large and small, process accounting and financial transactions and maintain account balances that the business must rely upon to make operating and business management decisions. Recent decreases in the price of PC equipment, together with increases in hardware and software processing capabilities, have made the use of a computer system available to businesses of all sizes. In addition, there are many software packages on the market for financial applications at relatively low cost to fit any-size business. There is no longer any logical reason for a business of any size to neglect the use of computerization for its accounting needs. For those businesses that have moved from manual recordkeeping to computer processing, management must be aware of the special control considerations of operating in a computer environment.

In addition to decreasing prices and increasing capabilities, the use of computers has become much easier with purchased application software designed to be used in an interactive ("user-friendly") mode that allows management and user personnel to operate with only limited knowledge of IT processing and control procedures. Because of this sometimes uncontrolled operating environment, business management should be aware of the following control considerations where computers are used to process financial and accounting data.

LACK OF SEGREGATION OF FUNCTIONS: BETWEEN EDP AND USERS AND WITHIN THE EDP DEPARTMENT

Typically, the computer system is controlled and operated by the user department, which also becomes the information technology (IT) department. These user personnel (often only one person) may initiate transactions, perform data entry and control operations, make system inquiries, and process accounting and financially related reports. In addition, other PCs used as data terminals may be located elsewhere within the organization for data input and updating by other user departments, which makes those personnel the computer operators for their applications.

To remedy this situation, you should consider:

• establishing independent initiation and authorization of input transactions by someone other than the computer operator;
• setting up input controls, processing controls, and output settlement procedures to be handled by a person (or persons) independent of the computer operation;
• assigning distinct staff personnel (other than computer operators) the functions of data preparation, data control, and data file/program librarian as part of their overall responsibilities; and
• having personnel assigned computer operating responsibility only enter and process data through the computer as related to computer operations.

LOCATION OF THE COMPUTER: IN THE USER'S AREA, IN A NONSECURE, NON-TEMPERATURE-/HUMIDITY-CONTROLLED ENVIRONMENT

The PC, due to its relatively small size and user orientation, is normally located within the user's area in an accessible location, which requires user and application software security to control misuse of the system. Proper controls in such an environment to limit access to computer systems and related software and data files to only authorized individuals might include:

• physical key and lock systems;
• microcomputer user passwords;
• application program and data file security passwords; and
• functional passwords, such as inquiry only, transaction update, and master file maintenance.

LIMITED KNOWLEDGE OF IT: BY MANAGEMENT PERSONNEL, USER PERSONNEL, AND COMPUTER OPERATORS

PC hardware and software are designed for ease of learning and use, which allows personnel (management, users, and operators) with limited IT knowledge to purchase and operate them effectively. Such personnel don't need to know how the computer works or how to program for it. Such a computer operations atmosphere can result in a lack of understanding of the need for data and processing controls, resulting in an undisciplined control environment.

Since management (and the CPA) place reliance on the accuracy of financial transactions and the integrity of account balances, management must ensure that proper controls are implemented and in effect, such as:

• input controls,
• data entry controls,
• processing controls,
• output reconcilement procedures,
• data file library procedures, and
• master file maintenance.

DISK STORAGE

Hard disk storage devices for application programs and large databases are susceptible to damage and destruction, such as disk read errors, corrupted cylinders and tracks, poorly controlled backup (using separate backup systems, CD-ROM, flash drives, etc.) and recovery procedures, and operating failures.

Some procedures to consider relative to the control of disk storage include:

• disk data file and program library procedures, ensuring that the correct data files are used, backed up, and recovered, and that no unnecessary data files are available to the computer operator;
• use of properly controlled hard disk operating and backup procedures;
• replacement of backup media after a period of time (e.g., six months) or a number of uses (e.g., 100 uses);
• adequate backup copy library procedures, including in-house and off-site storage; and
• periodic checkup and maintenance for hard disk drives.

SOFTWARE PACKAGES

Most computer users utilize application software packages for their major accounting systems that make it relatively easy for the non-IT-knowledgeable user to perform necessary computer processing. These accounting packages operate in an interactive processing mode that is designed to edit out bad data, but not necessarily wrong or duplicate data. However, this "user-friendly" approach does not usually allow the user to incorporate necessary internal accounting controls into the system, as the user must accept those controls that have been provided by the software vendor. The system documentation for the accounting software package is also dependent on the software vendor. It may not be adequate to fully describe the system and accounting controls, and it may not relate to the reality of the computer processing. In this situation, it is the responsibility of the user to review and evaluate the software package before purchasing to ensure required accounting controls, such as:

• input editing and validation procedures,
• data entry input controls,
• processing controls,
• error condition identification,
• error correction controls,
• file update procedures,
• file maintenance procedures, and
• file control procedures.

PHYSICAL SECURITY

Computer systems can be housed in a relatively small area, many times on a desktop within the user area. In addition, the network file server may not be secured properly; many times, it is accessible to any or all users and others. Both of these conditions cause some physical security concerns.

Some controls that should be considered relative to the physical security of computer hardware and software include the following:

• access controls to computer hardware (use of physical lock and key and security user passwords);
• environmental controls to protect against excess humidity, temperature variations, or other atmospheric conditions;
• electrical connections, such as separate power lines, surge devices, and uninterruptible power supplies (UPS);
• fire protection devices for hardware, data files, and programs, and fire/smoke detection and extinguishers;
• protection of data files and programs when not in use (fireproof secure facilities);
• backup procedures for hardware, data files, and programs, both on-site and off-site;
• off-site storage for important data files, programs, and documentation; and
• insurance coverage, such as equipment cost, reconstruction of data files, business interruption, loss of records, and the like.

PASSWORD CHARACTERISTICS

Most software developers of applications and utilities who provide for a password structure allow a degree of flexibility in designing your password structure. Passwords should be long enough that random or systematic attempts to access your accounting records by searching for a valid password are time-consuming or lead to detection. A password that is too long may result in employees posting their password (for instance, on the monitor screen), increasing the chance that it is seen by others. Normally, a password of five or six characters (with no meaning) is sufficient security.

Assigning of Passwords

• The password gatekeeper alone assigns individual passwords.
• The gatekeeper assigns passwords only to those who have authorized data entry or inquiry responsibilities.
• A password allows only the specific transactions or data access in an individual's area of responsibility.
• An original password is communicated orally and not in writing.
• Users are trained to keep passwords confidential.
• Passwords are assigned on an individual basis (not globally).

Use of Passwords

• Users commit passwords to memory with no written record.
• Password procedures inhibit printing or displaying the password.
• Passwords are not printed out on reports.
• Users have a limited number of attempts to enter a password (e.g., three), and if unsuccessful, further entries from that terminal are prohibited until supervisory action is taken.
• Users are required to change their password frequently (e.g., after 60 days). Some systems hang up if this is not done.
• Users sign off each time they leave the terminal. Some systems have automatic signoff if inactive for a time (e.g., three minutes).
• Users keep passwords confidential.
• Users (or the gatekeeper) design passwords that are random and do not contain employee or child's names, birth dates, and the like.

Accounting Controls and Audit Trail

As mentioned, the input error and error correction printouts are part of the computerized system's accounting controls and audit trail. The software package should also produce other printed evidence of computer activity that makes up an inclusive accounting control/audit trail package, which would include printing such reports as:

• a data input list (of valid accepted items), which can be reconciled to off-line maintained input controls;
• an input error list, showing all error transactions for correction (this listing could include all input errors, even those corrected immediately through the keyboard, or only those not corrected at the time of keyboard input);
• an error correction list, showing the disposition of corrected items (if the software maintains an internal computer suspense file of all errors, which is the preferred system of control, then the printout should show the original error condition and the result of the correction);
• a master file update listing, showing the results of processing and providing update control totals, which can be reconciled to off-line maintained control totals; and
• a master file maintenance listing, showing the master file record contents prior to the maintenance, the maintenance transaction itself, and the master file record contents as a result of the file maintenance update (this listing should be produced every time master file maintenance is performed, so that its results can be verified for accuracy back to the original file maintenance source, prior to any further master file updates).

IT CONTROL QUESTIONNAIRE IN A PC ENVIRONMENT

To assist in obtaining working knowledge of the business's IT operations, control questionnaires such as the ones shown in Exhibits 1–10 can be used.

Using the appropriate questionnaire, you can use professional judgment as to what is pertinent to the specific business, as not all IT controls would be appropriate.

Understanding IT basics such as hardware and software concepts and related controls, together with knowledge of off-line control procedures, is usually adequate for the business to operate its PC computer systems in an effective control environment. What is important, however, is not only to be aware of IT controls, but also to know how to implement such controls (and which ones) so that the business's efficiency of operations is not brought down by unwieldy and unnecessary controls.

Exhibit 1. IT Planning

1. Is there an overall IT plan for the entity? Does it cover all needs, including financial and accounting systems, as well as operating requirements?
2. Is a hardware feasibility study part of the IT plan?
3. Does the IT plan make the best possible use of microcomputers and the use of local area networks (LANs) and wide area communications?
4. Have adequate organization and departmental problem statements, together with systems specifications, been prepared?
5. Are the necessary personnel resources available to implement and operate the elements of the IT plan?
6. Has a preliminary survey been performed that clearly documents the requirements of the new system?
7. Has a cost versus benefit analysis been performed for the new system with realistic estimates?
8. Has software been identified in the IT plan? How was it selected? Does it cover all essential features?

Exhibit 2. Purchased Software Packages

1. Have arrangements been made for appropriate user participation in detail design specifications?
2. Has the software package been adequately evaluated and tested?
3. Does the software contain the necessary procedures to provide for proper internal controls when implemented?
   • Passwords (terminal access controls)
   • Edit and validation routines
   • Control totals or transaction lists
   • Exception reports
   • Management trails
4. Is the software and user documentation adequate?
5. Has the conversion of existing information to the new system been adequately controlled?
6. Will the addition of the new software application cause overall systems performance to suffer? Has the need for additional or new hardware been considered?

Exhibit 3. Organizational Controls

1. Has a proper segregation of duties been achieved within the IT department (if one exists)?
2. If a separate IT department exists, is it kept from the following?
   • Initiating and authorizing transactions
   • Recording transactions
3. Within user departments, are the following activities segregated from each other wherever possible?
   • Initiation of transactions
   • Authorization of transactions
   • Recording of transactions
   • Input, processing, and output control activities
   If not segregated, has the best possible segregation been achieved?
4. Wherever possible, are automated controls used to help ensure the completeness, accuracy, and authorization of data?


Exhibit 4. Application Systems Maintenance and Documentation

1. Where software packages have been purchased off the shelf:
   • Is data on new versions of the package regularly reviewed to see if such updates are desirable?
   • If an updated version is acquired, is it adequately reviewed and tested prior to being put into use?
2. Is there a user group for the software package? Does the entity participate in the user group?
3. Are changes to the software by employees limited to those that can be made through routines (e.g., database manipulators or report generators) available in the package?
4. Have any outside contractors made changes to the software? Are the contractors authorized by the software developer? Document changes.
5. Are all such outside changes properly reviewed and tested by the contractor and the user before they are accepted?
6. Are all program changes tested before the updated software is used to process the company's transactions?

Exhibit 5. Prevention of Record and Equipment Loss

1. Are there written procedures for computer operators to follow that require the regular copying of data files for backup?
2. Are all copies of transactions (on magnetic media) since the last backup stored properly so as to facilitate re-entry?
3. Has a disaster plan been prepared that includes what to do on-site and hardware and software recovery procedures? Have arrangements been made and tested as to hardware backup?
4. Are copies of the following stored off-site?
   • Operating systems
   • Application support software and utilities
   • Application programs
   • Systems, program, and user documentation
   • Copies of data files: master and transaction files
5. Have insurance arrangements to offset losses due to business interruption and to defray the cost of data reconstruction been considered?


Exhibit 6. Input Controls

1. Are input transactions properly authorized by operations personnel?
2. Are standardized input forms used, and are they prenumbered with the numerical sequence being accounted for?
3. Are input forms checked for completeness and accuracy before they are submitted for data entry?
4. Are source documents canceled by data entry to prevent duplicate data entry?
5. Is the maximum possible use made of magnetic media data to reduce the amount of data to be entered?
6. When transactions are rejected, is the input document corrected by the initiator and re-entered on a timely basis?
7. Are transaction or file totals used to control the correct and complete entry of all transactions?
8. Are transaction totals balanced or verified by someone other than data-entry personnel?
9. As a minimum, do different individuals perform the following activities?
   • Authorizing transactions
   • Initiating and recording transactions on the terminal
   • Input controls: reconciling input transactions to processing
10. Are terminals physically located so as to minimize the chance of access by unauthorized personnel?
11. Have passwords been properly used to restrict employees from unauthorized functions, allowing them only their own authorized functions?
12. Is the password system structure properly designed and maintained?
   • Passwords are kept confidential.
   • Passwords are changed periodically and with a change in responsibilities.
   • Passwords are deleted for employees leaving the company.
   • Passwords do not appear on screens or output.
   • The password file is encrypted and protected by a password.
   • A gatekeeper has been assigned to control the password file.
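Items 10 through 12 of Exhibit 6, together with the Assigning of Passwords and Use of Passwords lists earlier in the article, describe one mechanism: a gatekeeper who alone assigns passwords, a limited number of sign-on attempts followed by lockout until supervisory action, forced change after a period, automatic signoff after inactivity, functional passwords that restrict each user to his or her own area, and a password file that never holds a readable password. The following Python module is an added example of that mechanism written for this edition; it is not code from the article or from any accounting package. It uses the article's thresholds (three attempts, 60 days, three minutes); the clerk, functions and personal data in it are constructed, and the minimum length is a parameter to be set to current policy rather than the article's five or six characters.

```python
"""Password gatekeeper for a PC accounting system (added example, not from the
article or any package). Thresholds are the article's: three attempts, change
after 60 days, automatic signoff after three minutes. Only a salted PBKDF2 hash
of each password is kept, so the password file never holds a readable password."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_ATTEMPTS = 3                         # then locked until supervisory action
CHANGE_INTERVAL = timedelta(days=60)     # sign-on refused until the password is changed
INACTIVITY_LIMIT = timedelta(minutes=3)  # automatic signoff
MIN_LENGTH = 6                           # article's "five or six"; set to current policy


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    assigned_at: datetime
    functions: frozenset                      # functional passwords: what this user may do
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[datetime] = None  # None means signed off


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def _personal_fragments(terms):
    """Name and birth-date fragments (3+ characters) a password must not contain."""
    frags = set()
    for term in terms:
        compact = re.sub(r"\W+", "", term.lower())   # "1975-03-14" -> "19750314"
        if len(compact) >= 3:
            frags.add(compact)
        frags.update(tok for tok in re.split(r"\W+", term.lower()) if len(tok) >= 3)
    return frags


def password_is_acceptable(password: str, personal_terms) -> bool:
    """Long enough and not built from employee/child names or birth dates."""
    if len(password) < MIN_LENGTH:
        return False
    lowered = password.lower()
    return not any(frag in lowered for frag in _personal_fragments(personal_terms))


class Gatekeeper:
    """The one person who assigns passwords; holds the password file (hashes only)."""

    def __init__(self):
        self._records = {}

    def assign(self, user, password, functions, personal_terms, now):
        if not password_is_acceptable(password, personal_terms):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        self._records[user] = PasswordRecord(salt, _digest(password, salt), now, frozenset(functions))

    def sign_on(self, user, password, now) -> str:
        """'ok', 'rejected', 'locked' or 'expired'; unknown user and wrong password look alike."""
        rec = self._records.get(user)
        if rec is None:
            return "rejected"
        if rec.locked:
            return "locked"
        if not hmac.compare_digest(rec.digest, _digest(password, rec.salt)):
            rec.failed_attempts += 1
            if rec.failed_attempts >= MAX_ATTEMPTS:
                rec.locked = True              # further entries prohibited
                return "locked"
            return "rejected"
        rec.failed_attempts = 0
        if now - rec.assigned_at > CHANGE_INTERVAL:
            return "expired"
        rec.last_activity = now
        return "ok"

    def may_perform(self, user, function, now) -> bool:
        """Functional password check; signs the user off after inactivity."""
        rec = self._records.get(user)
        if rec is None or rec.last_activity is None:
            return False
        if now - rec.last_activity > INACTIVITY_LIMIT:
            rec.last_activity = None
            return False
        rec.last_activity = now
        return function in rec.functions

    def supervisory_reset(self, user):
        rec = self._records[user]
        rec.locked, rec.failed_attempts = False, 0


T0 = datetime(2010, 7, 1, 9, 0)   # constructed clock for the walk-through below


def run_demo():
    """One clerk: three bad attempts, supervisory reset, signoff by inactivity, expiry."""
    g = Gatekeeper()
    g.assign("clerk1", "Qz7#pL2v", ["inquiry", "transaction update"], ["Pat Doe", "1975-03-14"], T0)
    steps = [g.sign_on("clerk1", "guess%d" % i, T0) for i in (1, 2, 3)]
    steps.append(g.sign_on("clerk1", "Qz7#pL2v", T0))      # right password, still locked
    g.supervisory_reset("clerk1")
    steps.append(g.sign_on("clerk1", "Qz7#pL2v", T0))
    steps.append(g.may_perform("clerk1", "inquiry", T0 + timedelta(minutes=2)))
    steps.append(g.may_perform("clerk1", "master file maintenance", T0 + timedelta(minutes=3)))
    steps.append(g.may_perform("clerk1", "inquiry", T0 + timedelta(minutes=10)))
    steps.append(g.sign_on("clerk1", "Qz7#pL2v", T0 + timedelta(days=61)))
    return steps
```

Keeping a salted hash rather than the password is what makes item 12's "password file is encrypted" hold even if the file is copied: the gatekeeper can verify a password but cannot read one back, which also satisfies the rule that passwords never appear on screens or reports. The lockout is raised on the third failure and stays until supervisory_reset, so a correct password entered afterwards is still refused, as the Use of Passwords list requires.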

Exhibit 7. Audit Trails

1. Does the audit trail:
   • Provide the information needed for control purposes?
   • Provide information for management to effectively operate the business?
   • Satisfy legal requirements?
2. Is the application designed (or does it provide for database manipulation or report generation) in such a way that data can be summarized or reported to meet the changing needs of management?
3. Does every transaction entered appear on a control report, showing the person (and terminal) who entered the data?
4. Are detailed reports available that facilitate the checking of calculations?
5. Are there sufficient records retention (magnetic media and reports) policies in place that cover the audit trail?
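The segregation remedies at the start of the article, the required accounting controls listed under Software Packages, the report package described under Accounting Controls and Audit Trail, items 7 through 9 of Exhibit 6 and item 3 of Exhibit 7 all describe one processing pattern: edit each input item, list what was accepted and what was rejected together with who entered it and from which terminal, reconcile both lists to control totals kept off-line by someone other than the operator, and only then update the master file with a listing that shows each record before and after. The following Python module is an added example of that pattern written for this edition, not code from the article or from any vendor's package; the chart of accounts, the input batch, the names and the off-line totals in it are constructed sample data.

```python
"""Batch input edit, control totals and master file update listing (added
example; not the article's text or any accounting package). Sample data below
is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ref: str          # prenumbered input form reference
    account: str
    amount: int       # cents; integers keep control totals exact
    initiator: str
    authorizer: str
    operator: str     # person who keyed it, recorded for the control report
    terminal: str


@dataclass
class ControlTotals:
    count: int = 0
    amount: int = 0
    hash_total: int = 0   # sum of account numbers; meaningless, but catches a mis-keyed account

    def add(self, t: Txn) -> None:
        self.count += 1
        self.amount += t.amount
        self.hash_total += int(t.account) if t.account.isdigit() else 0

    def __add__(self, other: "ControlTotals") -> "ControlTotals":
        return ControlTotals(self.count + other.count,
                             self.amount + other.amount,
                             self.hash_total + other.hash_total)


def edit_errors(t: Txn, master: dict, seen_refs: set) -> list:
    """Edit rules: the package's bad-data checks plus the wrong/duplicate-data checks."""
    errs = []
    if t.ref in seen_refs:
        errs.append("duplicate input reference")
    if len({t.initiator, t.authorizer, t.operator}) < 3:
        errs.append("initiation, authorization and entry not by three different people")
    if t.account not in master:
        errs.append("account not on master file")
    if t.amount == 0:
        errs.append("zero amount")
    return errs


def run_edit(batch, master, offline_totals):
    """Produce the data input list, the input error list and the reconciliation."""
    input_list, error_list, seen = [], [], set()
    accepted_totals, rejected_totals = ControlTotals(), ControlTotals()
    for t in batch:
        errs = edit_errors(t, master, seen)
        seen.add(t.ref)
        if errs:
            error_list.append((t.ref, t.operator, t.terminal, errs))
            rejected_totals.add(t)
        else:
            # control report line: what was entered, by whom, from which terminal
            input_list.append((t.ref, t.account, t.amount, t.operator, t.terminal))
            accepted_totals.add(t)
    # Accepted plus rejected must equal the totals prepared off-line from the source
    # documents by someone other than the operator: nothing lost, nothing added.
    reconciled = (accepted_totals + rejected_totals) == offline_totals
    return input_list, error_list, accepted_totals, reconciled


def update_master(master, input_list):
    """Apply accepted items; return the new file, a before/after listing and the file balance."""
    updated = dict(master)
    opening = sum(updated.values())
    listing, net = [], 0
    for ref, account, amount, _operator, _terminal in input_list:
        before = updated[account]
        updated[account] = before + amount
        net += amount
        listing.append((ref, account, before, amount, updated[account]))
    # Run-to-run control: closing file total equals opening total plus the update control total.
    balanced = sum(updated.values()) == opening + net
    return updated, listing, balanced


# Constructed sample data: a three-account master file and one input batch.
MASTER = {"1000": 50_000, "2000": 12_000, "3000": 0}
BATCH = [
    Txn("A1", "1000", 2_500, "alice", "bob", "carol", "T1"),
    Txn("A2", "2000", -700, "alice", "alice", "carol", "T1"),   # self-authorized
    Txn("A3", "9999", 100, "alice", "bob", "carol", "T2"),      # no such account
    Txn("A1", "1000", 2_500, "alice", "bob", "carol", "T1"),    # keyed twice
    Txn("A4", "3000", 4_300, "dave", "bob", "carol", "T2"),
]
# Prepared independently from the five source documents before data entry.
OFFLINE_TOTALS = ControlTotals(count=5, amount=8_700, hash_total=16_999)

if __name__ == "__main__":
    accepted, errors, totals, ok = run_edit(BATCH, MASTER, OFFLINE_TOTALS)
    _, listing, balanced = update_master(MASTER, accepted)
    print("accepted", accepted, "\nerrors", errors, "\nreconciled", ok, "balanced", balanced)
    for line in listing:
        print("ref %s account %s before %d txn %+d after %d" % line)
```

The reconciliation compares accepted plus rejected totals with the off-line totals, not accepted totals alone, so an item that disappeared between the source documents and the edit run shows up as a difference rather than silently reducing the batch; the hash total of account numbers catches an item posted to the wrong account even when count and amount still agree. The before/after listing is the master file maintenance listing the article asks for, produced from the same run so it can be verified back to the source before any further update.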


Exhibit 8. Computer Operations Controls

1. Are systems controls designed to help ensure that the correct data files are being processed, and are they used to the maximum extent?
2. Do controls exist within the application systems to ensure that correct beginning-of-cycle, end-of-cycle, and transaction control routines are executed by the computer operator?
3. If controls are not built into the application software, are there other controls and procedures followed by the computer operator to ensure that processing controls (run-to-run controls), correct data files, backup procedures, and other operations procedures are performed?

Exhibit 9. Output Controls

1. Have output controls been designed to help offset weaknesses that may exist in controls over the use of operating systems and utilities?
2. Is all computer output subjected to one or more of the following controls before being used?
   • The output data file subjected to file balance controls
   • Output reviewed by user management, with a periodic check of results and calculations made
3. Are all significant data files subjected to balance control procedures?
4. Is master file data periodically printed out for review by an appropriate employee?
5. Is material output reviewed by an employee with sufficient knowledge of the business so as to spot obvious errors or suspect items?

Exhibit 10. Computer Viruses

1. Are all diskettes (particularly program diskettes) and CD-ROMs received from third parties scanned for viruses before being used?
2. Are program media purchased only from reputable sources and received in secure packaging?
3. Is there a policy to prohibit the use of pirated software or software procured through irregular channels?
4. Are new programs added to a microcomputer or the LAN only by one authorized person?
5. Is some form of virus-detection software in use?
6. Have arrangements (including outside professional help) to recover from a virus infection been determined and documented?


Rob Reider, CPA, MBA, PhD, is the president of Reider Associates, a management and organizational consulting firm located in Santa Fe, New Mexico, which he founded in 1976. Prior to starting Reider Associates, Dr. Reider was a manager in the Management Consulting Department of Peat, Marwick & Mitchell (now KPMG) in Philadelphia. Reider has been a consultant to numerous large, medium, and small businesses of all types in both the private and public sectors. Dr. Reider is the course author and discussion leader and presenter for over 20 different seminars that are conducted nationally to various organizations and associations. He has conducted over 1,000 such seminars throughout the country. He has received the American Institute of Certified Public Accountants (AICPA) Outstanding Discussion Leader of the Year award. He has presented at numerous professional meetings and conferences around the country and has published numerous articles in professional journals. He is the author of the following books published by John Wiley & Sons:

• Operational Review: Maximum Results at Efficient Costs;
• Benchmarking Strategies: A Tool for Profit Improvements;
• Managing Cash Flow: An Operational Focus (coauthor with Peter B. Heyler);
• Improving the Economy, Efficiency, and Effectiveness of Not-For-Profits; and
• Effective Operations and Controls for the Small Privately Held Business.

He can be contacted at [email protected].
