Microcomputer Controls for Small Business and Others

Rob Reider

Almost all small businesses now use microcomputers to process their financial transactions. But this opens the door to special problems, which could affect your company even if it is not a small business, since small firms may be your customers, suppliers, or consultants.

What special controls should small businesses use? The author exposes where these firms are vulnerable and provides some valuable checklists to remedy those problems. And even microcomputer users in large firms will find these checklists useful.

© 2006 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20232

Almost all small businesses now have microcomputer installations to process their financial transactions. These entities process those transactions and maintain the account balances they rely on to conduct their business properly. Recent decreases in the price of this equipment, together with increases in processing capability, have made the purchase of a microcomputer system quite attractive.

In addition, there are many software packages on the market for financial applications at relatively low cost. Such microcomputer systems can be used as stand-alone systems, as internal local area networks (LANs), as part of a wide-area communications network via modem or wireless technology (using laptops and portables), as a front-end processor to an umbrella system (i.e., workstations electronically tied into an organizationwide computer network), or in some combination.

As many small businesses have moved from manual recordkeeping to microcomputer processing, the business owner must be aware of the special control considerations that apply in a microcomputer environment, such as general and application controls, and the ability to perform "through-the-computer" controlling.

SPECIAL CONTROL CONSIDERATIONS

In addition to decreasing prices and increasing capabilities, the use of microcomputers has become much easier with purchased application software designed to be used in an interactive ("user-friendly") mode that allows the user to have limited knowledge of computer processing and control procedures. Because of this sometimes uncontrolled operating environment, the business owner should be aware of the following control considerations where microcomputers are used to process financial and accounting data.

1. Lack of segregation of functions

• Between IT and users
• Within the IT department

Typically, the microcomputer system is controlled and operated by the user department (e.g., accounts payable, accounts receivable), which thereby also becomes the IT department. These user personnel (often only one person) may initiate transactions, perform data-entry and control operations, make system inquiries, and process accounting and financial reports. In addition, data terminals (microcomputers or dumb terminals) may be located elsewhere within the organization for data input and updating by other user departments, making those personnel the computer operators for their applications.

To remedy this situation, the small business owner should consider:

• establishing independent initiation and authorization of input transactions by someone other than the computer operator;

• making sure input controls, processing controls, and output settlement procedures are handled by a person or persons independent of the microcomputer operation;

• assigning distinct staff personnel (other than computer operators) the functions of data preparation, data control, and data file/program librarian as part of their overall responsibilities; and

• having personnel assigned microcomputer operating responsibility only enter and process data through the computer as related to computer operations.
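The remedies above are stated as policy. As an added illustration that is not part of the article, the following Python sketch shows the same segregation enforced by the system itself: a transaction must be initiated by one person, authorized by a second, keyed by an operator who does nothing else, and settled by a control clerk independent of the operator. The staff names, roles, and transaction records are constructed for the example; the "eve" account, who holds two roles, shows why the check is on the person and not only on the role.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Role(Enum):
    INITIATOR = "initiator"    # originates a transaction (e.g., a purchasing clerk)
    AUTHORIZER = "authorizer"  # approves it (e.g., the owner or a manager)
    OPERATOR = "operator"      # keys it into the microcomputer
    CONTROL = "control"        # reconciles input, processing, and output totals


# Constructed staff list for the example.  In practice this table would be
# maintained by someone other than the computer operator.
STAFF = {
    "ann": {Role.INITIATOR},
    "bob": {Role.AUTHORIZER},
    "cat": {Role.OPERATOR},
    "dan": {Role.CONTROL},
    "eve": {Role.INITIATOR, Role.OPERATOR},  # one person wearing two hats
}


class SegregationError(Exception):
    """Raised when a step would violate the role or separation rules."""


@dataclass
class Transaction:
    ref: str
    amount: float
    initiated_by: Optional[str] = None
    authorized_by: Optional[str] = None
    entered_by: Optional[str] = None
    settled_by: Optional[str] = None
    history: List[str] = field(default_factory=list)

    def actors(self) -> Set[str]:
        return {u for u in (self.initiated_by, self.authorized_by,
                            self.entered_by, self.settled_by) if u}


def _check(tx: Transaction, user: str, role: Role, prerequisite: Optional[str]) -> None:
    # 1. steps are taken in order: nothing is keyed before it is authorized
    if prerequisite is not None and getattr(tx, prerequisite) is None:
        raise SegregationError(f"{tx.ref}: cannot {role.value} before {prerequisite.replace('_by', '')}")
    # 2. the user must hold the role for this step
    if role not in STAFF.get(user, set()):
        raise SegregationError(f"{user} does not hold the {role.value} role")
    # 3. nobody performs two steps on the same transaction, even when they
    #    hold both roles; this is the segregation the article asks for
    if user in tx.actors():
        raise SegregationError(f"{user} already acted on {tx.ref}; cannot also {role.value}")
    tx.history.append(f"{role.value}: {user}")


def initiate(tx: Transaction, user: str) -> None:
    _check(tx, user, Role.INITIATOR, None)
    tx.initiated_by = user


def authorize(tx: Transaction, user: str) -> None:
    _check(tx, user, Role.AUTHORIZER, "initiated_by")
    tx.authorized_by = user


def enter(tx: Transaction, user: str) -> None:
    _check(tx, user, Role.OPERATOR, "authorized_by")
    tx.entered_by = user


def settle(tx: Transaction, user: str) -> None:
    _check(tx, user, Role.CONTROL, "entered_by")
    tx.settled_by = user


def process(tx: Transaction, initiator: str, authorizer: str,
            operator: str, controller: str) -> bool:
    """Run the four steps; return True only if every step passed."""
    try:
        initiate(tx, initiator)
        authorize(tx, authorizer)
        enter(tx, operator)
        settle(tx, controller)
        return True
    except SegregationError as exc:
        tx.history.append(f"rejected: {exc}")
        return False
```

The point of the third check in `_check` is the one the article makes in item 1: in a one- or two-person installation the same individual can legitimately hold several roles, so the control has to be that no single person performs more than one step on any given transaction.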

2. Location of the computer

• In the user's area
• In a nonsecure, non-temperature/humidity-controlled environment

The microcomputer, due to its relatively small size and user orientation, is normally located within the user's area in an accessible location, requiring user and application software security to control misuse of the system. Proper controls in such an environment to limit access to microcomputer systems and related software and data files to only authorized individuals might include:

• physical key and lock systems;

• microcomputer user passwords;

• application program and data file security passwords; and

• functional passwords, such as inquiry only, transaction update, and master file maintenance.

3. Limited knowledge of IT

• By management personnel
• By user personnel
• By computer operators

Microcomputer hardware and software are designed for ease of learning and use. This allows personnel (management, users, and operators) with limited IT knowledge to purchase and operate them effectively. Such personnel don't need to know how the microcomputer works or how to program it. But such a computer operations atmosphere can result in a lack of understanding of the need for data and processing controls, resulting in an undisciplined control environment.

Since the owners and their CPAs are relying on the accuracy of financial transactions and the integrity of account balances, business owners must ensure for themselves (and the CPA) that proper controls are implemented and in effect, such as:

• input controls,
• data-entry controls,
• processing controls,
• output reconcilement procedures,
• data file library procedures, and
• master file maintenance.

4. Disk storage

Hard disk storage devices for application programs and large databases are susceptible to damage and destruction, such as disk-read errors, corrupted cylinders and tracks, poorly controlled backup (usually using a backup tape device) and recovery procedures, and operating failures.

Data storage and backup on small diskettes or CD-ROMs are susceptible to damage, loss, misplacement, misappropriation, and use of the wrong diskettes or CD-ROMs. In addition, these data media are sensitive to data destruction caused by things such as magnetic fields or electrostatic discharges, humidity, temperatures, fingerprints, pen/pencil impressions, and so on.

Some procedures to consider relative to the control of disk storage include:

• disk data file and program library procedures, ensuring the correct data files are being used, backed up, and recovered, and that no unnecessary data files are available to the computer operator;

• use of properly controlled hard disk operating and backup procedures;

• replacement of backup media (diskette, CD-ROM, or tape) after a period of time (e.g., six months) or a number of uses (e.g., 100 uses);

• adequate backup copy library procedures, including in-house and off-site storage; and

The Journal of Corporate Accounting & Finance / July/August 2006

• periodic checkup and maintenance for hard disk drives.

5. Software packages

Most small-business microcomputer users utilize application software packages for their major accounting systems, which makes it relatively easy for the non-IT-knowledgeable user to perform necessary computer processing. These accounting packages operate in an interactive processing mode that is designed to edit out bad data but not necessarily wrong or duplicate data. However, this "user-friendly" approach does not usually allow the user to incorporate necessary internal accounting controls into the system; the user must accept those controls that have been provided by the software vendor (who may not be too knowledgeable about internal accounting controls). The system documentation for the accounting software package is also dependent on the software vendor, and it may not be adequate to fully describe the system and accounting controls and may not relate to the reality of the computer processing. In this situation, it is the responsibility of the user to review and evaluate the software package before purchase and implementation to ensure that required accounting controls exist, such as:

• input-editing and validation procedures;
• data-entry input controls;
• processing controls;
• error-condition identification;
• error-correction controls;
• file-update procedures;
• file-maintenance procedures; and
• file-control procedures.

6. Physical security

Microcomputer systems (stand-alone or a data terminal as part of a LAN or a larger processing system) can be housed in a relatively small area, many times on a desktop within the user area. In addition, the LAN file server may not be secured properly, allowing accessibility to any or all users and others. Both of these conditions cause physical security concerns.

Some controls that should be considered relative to the physical security of microcomputer hardware and software include the following:

• access controls to computer hardware (e.g., use of physical lock and key and security user passwords; stricter controls are dictated for a LAN file server);

• environmental controls to protect against excess humidity, temperature variations, or other atmospheric conditions;

• electrical connections, such as separate power lines, surge devices, and uninterruptible power supplies (UPS);

• fire protection devices for hardware, data files, and programs (e.g., fire/smoke detection and extinguishers);

• protection of data files and programs when not in use, for example, in fireproof secure facilities;

• backup procedures for hardware, data files, and programs, both on-site and off-site;

• off-site storage for important data files, programs, and documentation; and

• insurance coverage, such as that for equipment cost, reconstruction of data files, business interruption, loss of records, and so on.

IT CONTROLS IN AN AUTOMATED ENVIRONMENT

General Controls in a Microcomputer Environment

IT general controls encompass the environment in which applications (financial, accounting, and programmatic) are processed. Effective general controls provide the proper environment for effective internal accounting and program controls. General controls increase in significance as more and more critical applications are processed through the microcomputer system. Their purpose is not normally directed to any one computer application but to all applications processed by the microcomputer system. When general controls are weak or missing, it must be ascertained whether application controls exercised in user areas satisfy internal control requirements. A microcomputer installation, by the nature of its relatively small size, predominant use of purchased software packages, and its ability to be fully operated by one computer operator, creates intrinsic IT general control concerns. In the review and evaluation of IT general controls for a microcomputer installation, one should be aware of the following:

1. Organization and operation controls

a. Segregation of functions between IT and users

In many microcomputer installations, the personnel that operate the equipment are within the user department. These personnel (often one person) may initiate transactions, perform data-entry operations, make system inquiries, and process financial-related reports. The owner or CPA, when confronted with this type of situation, should make sure that compensating controls such as input/processing/output settlement procedures are handled effectively by a person or persons independent of the microcomputer operation.

b. Prohibiting IT from initiating or authorizing transactions

Where microcomputer operators are found to be initiating or authorizing transactions, the owner must make sure that off-line controls are adequate to ensure that unauthorized transactions are not entering the system. The function of transaction initiation and authorization should be performed by personnel independent of the microcomputer operations.

c. Segregation of functions within the microcomputer operation

Typically, one or two individuals who are also the computer operators handle all of the necessary microcomputer control functions such as data preparation, data entry, data control, and data file librarian. Although economics may not justify separate individuals for each of these control functions, distinct personnel can be assigned these functions as part of their overall responsibilities. This results in the computer operator only entering and processing data through the microcomputer system, with the control functions segregated.

2. Systems development

Systems design, including the acquisition of software packages, should have participation by users, the accounting department, and auditors. Although most microcomputer installations use purchased software packages (with documentation dependent on the vendor), the users (with assistance, if necessary) should define their systems requirements prior to purchase so as to ensure that their processing and control requirements exist and are operational in the software purchased. In addition, the system must be fully tested (as to internal controls and processing results) and approved prior to implementation to ensure that it operates according to user-defined system specifications.

Other areas to consider relative to systems development include:

• written specifications and documentation as to adequacy and accuracy;
• systems testing prior to implementation;
• final approval by management, users, and IT personnel;
• master file and transaction file conversion control;
• program-change controls; and
• an acceptable level of documentation (on- and off-line).

3. Hardware and systems software controls

Control features inherent in computer hardware, operating systems, and other supporting software should be utilized to the maximum possible extent. Many of the control features included with larger computer systems, such as data file internal label checking, may not be available in a microcomputer with data files on hard disks, CD-ROMs, and diskettes. Microcomputer operations are more dependent on operator handling and external labeling procedures. However, operators should be aware of hardware error detection procedures (boot-up diagnostics), necessary preventive maintenance, recovery procedures from hardware and software errors, and file control procedures. Systems software should be subjected to the same control procedures as those applied to application programs.

Microcomputer operating system software is provided by the equipment manufacturer (such as Apple or Hewlett-Packard) or an outside vendor (such as Windows by Microsoft) and purchased intact (usually already loaded onto the hard drive) by the user. The equipment manufacturer or software developer makes all modifications or changes. The user, if he or she so desires, purchases or downloads the updated version intact.

4. Access controls to hardware, software, and data files

Microcomputer systems, due to their relatively small size and user orientation, many times are physically located in the midst of a user area, accessible to anyone. In addition, with the increased use of LANs connected to a central file server (with a large hard drive containing the shared data files), hardware security of the file server becomes even more critical. Proper controls in such an environment to limit access to microcomputer systems to only authorized individuals might include:

• physical key and lock system (room and hardware);

• user passwords (by data terminal, application, and function); and

• programs and data files (encrypted, hidden files, library function, backup procedures, storage).

5. Data control functions

A control function independent of the microcomputer operation should exist that is responsible for:

• receiving all data to be processed;
• ensuring that all data are recorded;
• following up on errors detected during processing to see that the transactions are corrected and resubmitted by the proper party; and
• verifying the proper distribution of output.

The microcomputer operator(s), who may also be user personnel, often perform this control function. The business owner and CPA should make sure such an independent data control function exists and that it properly coordinates user and microcomputer activities.

6. Physical security

Microcomputer systems can be physically housed on a desktop within the user area, or relatively anywhere. Although most systems today use large hard disk data storage for ongoing data file and program storage, they also may use relatively small diskettes, CD-ROMs, or magnetic tape cartridges for backup storage purposes. Both of these attributes create physical security concerns. Some controls that should be reviewed relative to such physical security include the following:

• physical access to computer hardware and backup data files;
• environmental controls to protect against excess humidity, temperature variations, or other atmospheric conditions;
• electrical connections, such as separate power lines, surge protectors, and uninterruptible power supplies;
• fire protection devices for computer hardware, data files, and programs;
• backup procedures for hardware, data files, and programs;
• protection of data files and programs when not in use; and
• off-site storage of important data files, programs, and documentation.

Application Controls in a Microcomputer Environment

Application controls are those internal controls that relate to the specific processing requirements of an individual application (such as general ledger, accounts payable, etc.). During the review of application controls, any weaknesses identified during the review of general controls should be tested.

Application controls are intended to ensure that there are no errors in:

• input: the recording, classifying, and summarizing of authorized transactions;
• processing: the maintenance and update of master file information; and
• output: the results of computer processing.

Microcomputer applications are predominantly purchased software packages. These are used together with, or supported by, internally designed processing procedures using a spreadsheet and/or a database package. The spreadsheet or database software comes from a software house selling directly to the end user, a third party who may offer authorized modifications, or a retail outlet selling the software on an "off-the-shelf" basis. Even though this is the most likely scenario for microcomputer users, the burden is still on the users to:

• define their specific systems specifications;
• analyze existing software packages to determine which package most closely meets their needs and provides necessary controls;
• test out the chosen software package; and
• ensure that the package is compatible with the entity's operating systems and procedures.

There may be some instances where the entity has had a software development firm customize (typically using database or spreadsheet software) or modify existing software to meet their specific needs. While this is not the normal occurrence, where this exists, these procedures must be reviewed as well.

In the review and evaluation of application controls in a microcomputer environment, where purchased software packages are the norm, the business owner would be most concerned about the following.

1. Input controls

There are four basic categories of input that need to be controlled: transaction entries, file-maintenance entries, inquiry transactions, and error corrections. Input controls over these types of transactions are designed to ensure that:

• data received for processing have been properly authorized;
• no errors occurred in keying the data through the keyboard into machine-readable form;
• input data are complete, with no data lost, suppressed, added, duplicated, or otherwise improperly changed; and
• errors or other rejected data are properly re-entered into the system.

In a well-controlled system with adequate input controls, the user departments establish control totals prior to submitting data for processing, using some of the following techniques:

• footing totals (dollar and quantity fields),
• hash totals (of numeric fields such as account numbers),
• record counts (number of invoices, checks, etc.),
• self-checking digits (client numbers, vendor numbers, etc.), and
• zero balancing (subtracting each entry from an initial total entered so that the last item brings the balance to zero).

The computer system accumulates these same control totals during processing so that they can be compared to the off-line totals and differences resolved before processing continues. These input control totals are used to ensure that all transactions initiated and authorized are processed and are free of missing or erroneous data. Typically, such input controlling does not exist in a microcomputer system, as most software packages rely on interactive processing and on-line editing procedures that ensure no "bad data" enter the system. However, such processing controls do not ensure that "wrong data" (duplicate entries, missing transactions, or unauthorized entries) are kept out of the system. Thus, there needs to be some form of input-transaction controlling and reconcilement to computer-produced totals.
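The following Python example is added here to make the distinction between "bad data" and "wrong data" concrete; it is not code from the article. A constructed batch of four vendor invoices is keyed with one invoice entered twice and another dropped. Field-level edits (a self-checking digit on the vendor number and a limit test on the amount) pass every record, the record count and dollar footing still agree, and only the hash total of vendor numbers exposes the error. The Luhn mod-10 scheme is an assumption (the article only says "self-checking digits"), as is the $10,000 amount limit.

```python
from decimal import Decimal
from typing import Dict, List

# Constructed batch of vendor invoices as listed on the user department's
# batch control sheet: (invoice number, vendor number, amount).  Vendor
# numbers end in a Luhn mod-10 check digit (an assumption of this example).
SUBMITTED = [
    ("1001", "40121", Decimal("250.00")),
    ("1002", "73890", Decimal("125.50")),
    ("1003", "15404", Decimal("125.50")),
    ("1004", "99218", Decimal("80.00")),
]

# Constructed transaction listing as the computer produced it after keying:
# 1002 was keyed twice and 1003 was never keyed.  The record count and the
# dollar footing still agree with the sheet, so only the hash total tells.
PROCESSED = [
    ("1001", "40121", Decimal("250.00")),
    ("1002", "73890", Decimal("125.50")),
    ("1002", "73890", Decimal("125.50")),
    ("1004", "99218", Decimal("80.00")),
]

AMOUNT_LIMIT = Decimal("10000.00")   # assumed limit for the reasonableness test


def luhn_valid(number: str) -> bool:
    """Mod-10 self-checking digit test: every second digit from the right is
    doubled (minus 9 if over 9) and the digit sum must end in zero."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(base: str) -> str:
    """Digit to append so that luhn_valid(base + digit) holds."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:               # becomes an "every second" digit once appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def validate_input(batch) -> List[str]:
    """Field-level edits of the kind an interactive package applies at keying
    time.  They catch bad data (a mistyped vendor number, an absurd amount)
    but say nothing about duplicated or missing records."""
    errors = []
    for inv, vendor, amt in batch:
        if not luhn_valid(vendor):
            errors.append(f"{inv}: vendor {vendor} fails check digit")
        if amt <= 0 or amt > AMOUNT_LIMIT:
            errors.append(f"{inv}: amount {amt} fails limit test")
    return errors


def control_totals(batch) -> Dict[str, Decimal]:
    """The batch totals that the sheet and the computer both accumulate."""
    return {
        "record_count": Decimal(len(batch)),
        "footing_total": sum((amt for _, _, amt in batch), Decimal("0")),
        "hash_total": sum((Decimal(vendor) for _, vendor, _ in batch), Decimal("0")),
    }


def zero_balance(batch, sheet_total: Decimal) -> Decimal:
    """Subtract each entry from the sheet total; zero means the batch foots."""
    balance = sheet_total
    for _, _, amt in batch:
        balance -= amt
    return balance


def reconcile(submitted, processed) -> Dict[str, List[str]]:
    """Compare off-line totals to computer totals and name the records that
    explain any difference, so the control clerk can resolve it before the
    run continues."""
    sheet, machine = control_totals(submitted), control_totals(processed)
    submitted_refs = [inv for inv, _, _ in submitted]
    processed_refs = [inv for inv, _, _ in processed]
    return {
        "differences": [f"{name}: sheet {sheet[name]} vs computer {machine[name]}"
                        for name in sheet if sheet[name] != machine[name]],
        "duplicates": sorted({r for r in processed_refs if processed_refs.count(r) > 1}),
        "missing": sorted(set(submitted_refs) - set(processed_refs)),
        "unauthorized": sorted(set(processed_refs) - set(submitted_refs)),
    }
```

Each total guards a different failure: the record count catches a dropped or extra record, the footing total a wrong amount, and the hash total a right amount keyed against the wrong reference. A batch that passes `validate_input` with no errors can still fail `reconcile`, which is exactly the gap the article describes.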

Other input controls that should be considered include the following:

• Only properly authorized and approved input should be accepted for processing.
• The system should verify all significant codes used to record data.
• Proper edit, validation, and limit and reasonableness tests should be used during data input.
• Correction of all errors detected by the application system and the resubmission of corrected transactions should be reviewed and controlled.

2. Processing controls

These controls provide reasonable assurance that the computer application is performing as intended, to ensure that all authorized transactions are processed as authorized, included in the processing, and are the only transactions processed (that is, no unauthorized transactions are added). Such processing controls are designed to prevent or detect the following types of errors:

• not processing all authorized input transactions;
• erroneous processing of the same input more than once;
• processing and updating of the wrong data file(s);
• processing of illogical or unreasonable input; and
• loss of data during processing.

Processing control weaknesses may greatly affect the data records, resulting in lost or duplicated data records and errors in balance forward amounts. In addition, program logic and processing errors may go undetected for a long time, adversely affecting the results of computer processing.

Some of the processing controls that should be considered include the following:

• Control totals should be produced and reconciled with input control totals.

• Data file totals are produced that can be reconciled to the previously run program. These are called "run-to-run" controls (beginning file total + transactions = ending file total).

• Controls should prevent processing the wrong data file. Microcomputer processing may not use effective internal label-checking procedures but have a greater dependency on manual external label checking. Operating procedures should include such techniques as checking file dates, size in bytes, control totals, record counts, and so on.

• Limit and reasonableness checks should be incorporated within programs (e.g., net pay cannot exceed $1,000).

• Run-to-run controls should be verified at appropriate points in the processing cycle, basically from one computer run to another where the number of records or file control totals have changed.

Exhibit 1. Tips for Assigning Passwords

The gatekeeper is one individual within the organization who is assigned sole responsibility over the control and maintenance of passwords.

• The password gatekeeper only assigns individual passwords.
• The gatekeeper assigns passwords only to those who have authorized data-entry or inquiry responsibilities.
• A password only allows for specific transactions or data access in the individual's area of responsibility.
• An original password is communicated orally and not in writing.
• Users are trained to keep passwords confidential.
• Passwords are assigned on an individual basis (not globally).

Use of Passwords

• Users commit passwords to memory with no written record.
• Password procedures inhibit printing or displaying the password.
• Passwords are not printed out on reports.
• Users have a limited number of attempts to enter a password (e.g., three), and if unsuccessful, further entries from that terminal are prohibited until supervisory action is taken.
• Users are required to change their password frequently (e.g., after 60 days). Some systems hang up if this is not done.
• Users sign off each time they leave the terminal. Some systems have automatic sign-off if inactive for a time (e.g., three minutes).
• Users keep passwords confidential.
• Users (or the gatekeeper) design passwords that are random and do not contain employee or child's names, birth dates, etc.

Exhibit 2. IT Planning for Microcomputers

1. Is there an overall IT plan for the entity? Does it cover all needs, including financial and accounting systems, as well as operating requirements?
2. Is a hardware feasibility study part of the IT plan?
3. Does the IT plan make the best possible use of microcomputers and the use of LANs and wide-area communications?
4. Have adequate organizational and departmental problem statements, together with systems specifications, been prepared?
5. Are the necessary personnel resources available to implement and operate the elements of the IT plan?
6. Has a preliminary survey been performed that clearly documents the requirements of the new system?
7. Has a cost versus benefit analysis been performed for the new system with realistic estimates?
8. Has software been identified in the IT plan? How was it selected? Does it cover all essential features?

Exhibit 3. Purchased Software Packages

1. Have arrangements been made for appropriate user participation in detail design specifications?
2. Has the software package been adequately evaluated and tested?
3. Does the software contain the necessary procedures to provide for proper internal controls when implemented? It should include:
• Passwords (terminal access controls)
• Edit and validation routines
• Control totals or transaction lists
• Exception reports
• Management trails
4. Is the software and user documentation adequate?
5. Has the conversion of existing information to the new system been adequately controlled?
6. Will the addition of the new software application cause overall systems performance to suffer? Has the need for additional or new hardware been considered?

Exhibit 4. Organizational Controls

1. Has a proper segregation of duties been achieved within the IT department (if one exists)?
2. If a separate IT department exists, does it not:
• Initiate and authorize transactions?
• Record transactions?
3. Within user departments, are the following activities segregated from each other wherever possible:
• Initiation of transactions?
• Authorization of transactions?
• Recording of transactions?
• Input, processing, and output control activities?
If not segregated, has the best possible segregation been achieved?
4. Wherever possible, are automated controls used to help ensure the completeness, accuracy, and authorization of data?

Exhibit 5. Application Systems Maintenance and Documentation

1. Where software packages have been purchased off the shelf:
• Is data on new versions of the package regularly reviewed to see if such updates are desirable?
• If an updated version is acquired, is it adequately reviewed and tested prior to being put into use?
2. Is there a users' group for the software package? Does the entity participate in the users' group?
3. Are changes to the software by employees limited to those that can be made through routines (e.g., database manipulators or report generators) available in the package?
4. Have any outside contractors made changes to the software? Are the contractors authorized by the software developer? Document such changes.
5. Are all such outside changes properly reviewed and tested by the contractor and the user before they are accepted?
6. Are all program changes tested before the updated software is used to process the company's transactions?

Exhibit 6. Prevention of Record and Equipment Loss

1. Are there written procedures for computer operators to follow that require the regular copying of data files for backup?
2. Are all copies of transactions (on magnetic media) since the last backup stored properly so as to facilitate re-entry?
3. Has a disaster plan been prepared that includes what to do on-site as well as hardware and software recovery procedures? Have arrangements been made and tested as to hardware backup?
4. Are copies of the following stored off-site:
• Operating systems?
• Application support software and utilities?
• Application programs?
• Systems, program, and user documentation?
• Copies of data files: master and transaction files?
5. Have insurance arrangements to offset losses due to business interruption and to defray the cost of data reconstruction been considered?

3. Output controls

In a microcomputer processing system, output controls are designed to ensure that:

• output data representing the results of computer processing (such as computer reports, data files, screen displays, checks, invoices, etc.) are accurate, complete, and reasonable;

• output reports and screen displays are distributed or accessible only to authorized personnel; and

• data file output is properly controlled and identified.

Specific output controls that should be considered include:

• Output control totals should be reconciled with input and processing controls (output reconcilement procedures).

• Output should be scanned and tested by comparison to original source documents for transactions that cannot be controlled by the establishment and balancing of control totals (for example, changes to master files of non-numeric data such as employee name and/or address, item descriptions, and numeric data such as pay rates, selling prices, and item numbers). The system must provide adequate output data for this purpose.

• Systems output should be distributed or made accessible only to authorized users—this includes output reports and screen displays.

• Data file output should be properly controlled and identified through such techniques as record counts and control totals, run-to-run control procedures, external labels, backup library procedures, etc.

Exhibit 7: Input Controls

1. Are input transactions properly authorized by operations personnel?
2. Are standardized input forms used, and are they prenumbered with the numerical sequence being accounted for?
3. Are input forms checked for completeness and accuracy before they are submitted for data entry?
4. Are source documents canceled by data entry to prevent duplicate data entry?
5. Is the maximum possible use made of magnetic media data to reduce the amount of data to be entered?
6. When transactions are rejected, is the input document corrected by the initiator and re-entered on a timely basis?
7. Are transaction or file totals used to control the correct and complete entry of all transactions?
8. Are transaction totals balanced or verified by someone other than data-entry personnel?
9. As a minimum, do different individuals perform the following activities:
• Authorizing transactions?
• Initiating and recording transactions on the terminal?
• Input controls: reconciling input transactions to processing?
10. Are terminals physically located so as to minimize the chance of access by unauthorized personnel?
11. Have passwords been properly used to restrict employees from unauthorized functions—allowing them only their own authorized functions?
12. Is the password system structure properly designed and maintained?
• Are passwords kept confidential?
• Are passwords changed periodically and with a change in responsibilities?
• Are passwords deleted for employees leaving the company?
• Do passwords not appear on screens or output?
• Is the password file encrypted and protected by a password?
• Has a gatekeeper been assigned to control the password file?
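The input, processing and output controls described above (prenumbered-form sequence accounting, batch control totals keyed by someone other than data entry, the net-pay limit check, run-to-run record counts and output reconciliation) can be made concrete in a few dozen lines. The following Python example is added here and is not from the article; the payroll batch, form numbers, operator ids and terminal ids are constructed sample data, and the $1,000 net-pay limit is the one the text uses as its illustration.

```python
"""Batch input, processing and output controls for a small payroll run.

Added example, not from the article. It models prenumbered-form sequence
accounting, batch control totals keyed independently of data entry, the
net-pay limit check, run-to-run record counts and output reconciliation.
All names, ids and amounts below are constructed sample data.
"""
from dataclasses import dataclass
from decimal import Decimal

NET_PAY_LIMIT = Decimal("1000.00")  # limit check used in the text: net pay cannot exceed $1,000


@dataclass(frozen=True)
class Transaction:
    form_no: int        # prenumbered input form
    employee: str
    gross: Decimal
    deductions: Decimal
    entered_by: str     # operator id kept for the control report (audit trail)
    terminal: str


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    gross_total: Decimal
    deduction_total: Decimal
    hash_total: int     # sum of form numbers: a non-financial "hash" total

    @classmethod
    def of(cls, txns):
        return cls(len(txns),
                   sum((t.gross for t in txns), Decimal("0")),
                   sum((t.deductions for t in txns), Decimal("0")),
                   sum(t.form_no for t in txns))


def sequence_exceptions(txns, first_form, last_form):
    """Account for the numerical sequence: report missing and duplicated form numbers."""
    seen = [t.form_no for t in txns]
    missing = sorted(set(range(first_form, last_form + 1)) - set(seen))
    duplicates = sorted({n for n in seen if seen.count(n) > 1})
    return missing, duplicates


def cancel_duplicates(txns):
    """Keep the first entry per form number: a second entry of a canceled source document is a duplicate."""
    kept, seen = [], set()
    for t in txns:
        if t.form_no not in seen:
            seen.add(t.form_no)
            kept.append(t)
    return kept


def process(txns):
    """Processing run with the limit/reasonableness check on net pay."""
    accepted, exceptions = [], []
    for t in txns:
        net = t.gross - t.deductions
        if net < 0 or net > NET_PAY_LIMIT:
            exceptions.append({"form_no": t.form_no, "net": net, "reason": "net pay outside limits"})
        else:
            accepted.append({"form_no": t.form_no, "employee": t.employee, "net": net,
                             "entered_by": t.entered_by, "terminal": t.terminal})
    return accepted, exceptions


def run_batch(txns, batch_slip, first_form, last_form):
    """Run one batch through input, processing and output controls and report the results."""
    missing, duplicates = sequence_exceptions(txns, first_form, last_form)
    entered = cancel_duplicates(txns)
    input_totals = ControlTotals.of(entered)
    input_ok = input_totals == batch_slip           # input control: entered totals agree with the slip
    accepted, exceptions = process(entered)
    # run-to-run control: every input record is either accepted or on the exception report
    run_to_run_ok = input_totals.record_count == len(accepted) + len(exceptions)
    # output reconciliation: output net total must equal input net total less rejected items
    expected_net = (input_totals.gross_total - input_totals.deduction_total
                    - sum((e["net"] for e in exceptions), Decimal("0")))
    output_net = sum((r["net"] for r in accepted), Decimal("0"))
    return {"missing_forms": missing, "duplicate_forms": duplicates, "input_ok": input_ok,
            "run_to_run_ok": run_to_run_ok, "output_ok": output_net == expected_net,
            "output_net": output_net, "exceptions": exceptions, "control_report": accepted}


# Constructed batch: form 104 was never entered and form 103 was keyed twice.
SAMPLE_TXNS = [
    Transaction(101, "A. Smith", Decimal("900.00"), Decimal("150.00"), "jdoe", "T01"),
    Transaction(102, "B. Jones", Decimal("1300.00"), Decimal("200.00"), "jdoe", "T01"),
    Transaction(103, "C. Lee", Decimal("600.00"), Decimal("100.00"), "jdoe", "T01"),
    Transaction(103, "C. Lee", Decimal("600.00"), Decimal("100.00"), "jdoe", "T01"),
    Transaction(105, "D. Kim", Decimal("800.00"), Decimal("300.00"), "mroe", "T02"),
]
# Batch slip totals keyed by the initiator from forms 101, 102, 103 and 105.
SAMPLE_SLIP = ControlTotals(4, Decimal("3600.00"), Decimal("750.00"), 411)

if __name__ == "__main__":
    for key, value in run_batch(SAMPLE_TXNS, SAMPLE_SLIP, 101, 105).items():
        print(f"{key}: {value}")
```

Running the sample batch reports form 104 as missing and form 103 as a duplicate, accepts the batch slip once the duplicate is canceled, puts form 102 (net pay $1,100) on the exception report, and reconciles the output net total of $1,750 to the input totals less the rejected item. A keying error in the batch slip, or a record lost between runs, turns `input_ok` or `run_to_run_ok` false, which is the signal the reconciling clerk acts on.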

Exhibit 8: Audit Trails

1. Does the audit trail:
• Provide the information needed for control purposes?
• Provide information for management to effectively operate the business?
• Satisfy legal requirements?
2. Is the application designed (or does it provide for database manipulation or report generation) in such a way that data can be summarized or reported to meet the changing needs of management?
3. Does every transaction entered appear on a control report, showing the person (and terminal) who entered the data?
4. Are detailed reports available that facilitate the checking of calculations?
5. Are there sufficient records retention (magnetic media and reports) policies in place that cover the audit trail?

Exhibit 9: Computer Operations Controls

1. Are systems controls designed to help ensure that the correct data files are being processed, and are they used to the maximum extent?
2. Do controls exist within the application systems to ensure that correct beginning-of-cycle, end-of-cycle, and transaction control routines are executed by the computer operator?
3. If controls are not built into the application software, are there other controls and procedures followed by the computer operator to ensure that processing controls (run-to-run controls), correct data files, backup procedures, and other operations procedures are performed?

PASSWORD CHARACTERISTICS

Most software developers of applications and computer software utilities who provide for a password structure allow a degree of flexibility in designing your password structure. Passwords should be long enough so that random or systematic attempts to access accounting records by searching for a valid password are time-consuming or lead to detection. A password that is too long may result in employees posting their password (for instance, on the monitor screen), increasing detection. Normally, a password of five or six characters (with no meaning) is sufficient security. A few tips for assigning passwords are listed in Exhibit 1.

Passwords for users leaving the company or whose job responsibilities have changed are deleted immediately from the password file. The gatekeeper flags inactive passwords for review.

The gatekeeper also has the ultimate responsibility to assign original passwords and maintain the password file. The password file should be encrypted, protected by its own password, and protected from access by all users except the gatekeeper. Only the gatekeeper, who periodically scans the file to ensure only authorized users are present and that access rights are appropriate, updates the password file. The gatekeeper reviews all reports of terminal activities and invalid access attempts. All invalid access attempts are followed up as they happen.

The password file indicates (via a password matrix) the functions and resources that each password can have access to. Upon entry of the user’s password, the user can only carry out the functions that have been preauthorized in the password file. Limiting functions by the use of passwords can also be achieved as follows:

• restricting the terminal, such as inquiry or cash receipts only;

• use of menus, on sign-on providing a menu of authorized items; and

• resource restrictions, such as read-only.

Some detailed microcomputer control questionnaires are presented in Exhibits 2 through 11 to help firms manage this process. Microcomputer users in large firms will also find these checklists useful!
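The password matrix, the gatekeeper's exclusive control of the password file, the terminal and read-only restrictions, the sign-on menu of preauthorized items, and the review of inactive passwords and invalid access attempts described in this section can be modelled directly. The following Python example is added here and is not from the article. User ids, function names, terminal ids and the 90-day idle threshold are constructed assumptions, and passwords are stored as salted PBKDF2 hashes, a substitute for the encrypted password file the text calls for; the six-character passwords in the sample follow the text's guidance.

```python
"""Password matrix, gatekeeper maintenance and access-attempt review.

Added example, not from the article. In-memory model of the password file the
text describes: each entry lists the functions, terminals and access mode
(read-only or update) preauthorized for a user; only the gatekeeper may change
the file; every sign-on and invalid attempt is logged for review. User ids,
function names, terminals and the idle threshold are constructed assumptions.
"""
import hashlib
import os
from datetime import date, timedelta

MENU = {"AR_INQUIRY": "Accounts receivable inquiry", "CASH_RECEIPTS": "Cash receipts entry",
        "AP_ENTRY": "Accounts payable entry", "PAYROLL_RUN": "Run payroll"}


def _hash(password, salt):
    # salted PBKDF2 stands in for the article's "encrypted password file"
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordFile:
    def __init__(self, gatekeeper):
        self.gatekeeper = gatekeeper
        self.entries = {}   # user id -> password matrix entry
        self.log = []       # terminal activity and invalid access attempts

    def _require_gatekeeper(self, actor):
        if actor != self.gatekeeper:
            raise PermissionError("only the gatekeeper updates the password file")

    def add_user(self, actor, user, password, functions, terminals, mode="update", today=None):
        self._require_gatekeeper(actor)
        salt = os.urandom(16)
        self.entries[user] = {"salt": salt, "hash": _hash(password, salt),
                              "functions": set(functions), "terminals": set(terminals),
                              "mode": mode, "last_used": today or date.today()}

    def delete_user(self, actor, user):
        """Leavers and people whose responsibilities changed are removed immediately."""
        self._require_gatekeeper(actor)
        self.entries.pop(user, None)

    def flag_inactive(self, actor, today, max_idle_days=90):
        """Gatekeeper review: passwords unused for more than max_idle_days are flagged."""
        self._require_gatekeeper(actor)
        return sorted(u for u, e in self.entries.items()
                      if (today - e["last_used"]).days > max_idle_days)

    def sign_on(self, user, password, terminal, today=None):
        """Return the menu of preauthorized functions, or None after logging an invalid attempt."""
        today = today or date.today()
        e = self.entries.get(user)
        ok = (e is not None and terminal in e["terminals"]
              and _hash(password, e["salt"]) == e["hash"])
        self.log.append({"user": user, "terminal": terminal, "date": today,
                         "event": "sign-on" if ok else "invalid access attempt"})
        if not ok:
            return None
        e["last_used"] = today
        return {f: MENU[f] for f in sorted(e["functions"])}   # menu of authorized items only

    def authorize(self, user, function, terminal, write=False):
        """Check the password matrix for one function, terminal and access mode."""
        e = self.entries.get(user)
        if e is None or function not in e["functions"] or terminal not in e["terminals"]:
            return False
        return not write or e["mode"] == "update"   # resource restriction: read-only cannot update

    def invalid_attempts(self):
        """Follow-up report: invalid attempts counted per user and terminal."""
        report = {}
        for rec in self.log:
            if rec["event"] == "invalid access attempt":
                key = (rec["user"], rec["terminal"])
                report[key] = report.get(key, 0) + 1
        return report


def demo(today=date(2006, 7, 1)):
    """Constructed walk-through; returns the observations a reviewer would check."""
    pf = PasswordFile(gatekeeper="gk")
    pf.add_user("gk", "clerk1", "Vx7k2p", ["AR_INQUIRY", "CASH_RECEIPTS"], ["T01"], today=today)
    pf.add_user("gk", "auditor", "Qm9z4e", ["AR_INQUIRY"], ["T01", "T02"], mode="read-only",
                today=today - timedelta(days=120))
    r = {}
    r["menu"] = pf.sign_on("clerk1", "Vx7k2p", "T01", today)           # authorized terminal
    r["wrong_terminal"] = pf.sign_on("clerk1", "Vx7k2p", "T02", today)  # terminal restriction
    r["wrong_password"] = pf.sign_on("clerk1", "guess", "T01", today)
    r["auditor_read"] = pf.authorize("auditor", "AR_INQUIRY", "T02")
    r["auditor_write"] = pf.authorize("auditor", "AR_INQUIRY", "T02", write=True)
    r["clerk_payroll"] = pf.authorize("clerk1", "PAYROLL_RUN", "T01")   # not in the matrix
    try:
        pf.add_user("clerk1", "friend", "abc123", ["PAYROLL_RUN"], ["T01"], today=today)
        r["non_gatekeeper_update"] = "allowed"
    except PermissionError:
        r["non_gatekeeper_update"] = "refused"
    r["inactive"] = pf.flag_inactive("gk", today)
    pf.delete_user("gk", "auditor")                                      # auditor leaves the company
    r["after_delete"] = pf.sign_on("auditor", "Qm9z4e", "T01", today)
    r["invalid_attempts"] = pf.invalid_attempts()
    return r
```

`demo()` walks through the controls in the order the text presents them: a valid sign-on returns only the clerk's two authorized menu items, a sign-on from an unlisted terminal or with a wrong password is refused and logged, the read-only auditor can inquire but not update, a non-gatekeeper cannot add an entry, the auditor's 120-day-old password is flagged as inactive, and after deletion the auditor's former password no longer works. The `invalid_attempts()` report is the list the gatekeeper follows up.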

Exhibit 10: Output Controls

1. Have output controls been designed to help offset weaknesses that may exist in controls over the use of operating systems and utilities?
2. Is all computer output subjected to one or more of the following controls before being used:
• Is the output data file subjected to file balance controls?
• Is output reviewed by user management, with a periodic check of results and calculations made?
3. Are all significant data files subjected to balance control procedures?
4. Is master file data periodically printed out for review by an appropriate employee?
5. Is material output reviewed by an employee with sufficient knowledge of the business so as to spot obvious errors or suspect items?

Exhibit 11: Computer Viruses

1. Are all diskettes (particularly program diskettes) and CD-ROMs received from third parties scanned for viruses before being used?
2. Are program diskettes purchased only from reputable sources and received in secure packaging?
3. Is there a policy to prohibit the use of pirated software or software procured through irregular channels?
4. Are new programs added to a microcomputer or the LAN done only by one authorized person?
5. Is some form of virus-detection software in use?
6. Have arrangements (including outside professional help) to recover from a virus infection been determined and documented?

Rob Reider, CPA, MBA, PhD, is the president of Reider Associates, a management and organizational consulting firm he founded in 1976, which is located in Santa Fe, New Mexico. Dr. Reider has been a consultant to numerous large, medium, and small businesses of all types in both the private and public sectors. He is the course author and sought-after discussion leader and presenter for more than 20 different seminars that are conducted nationally for various organizations and associations. He has presented more than 1,000 such seminars throughout the country. He is also the author or coauthor of the following books published by John Wiley & Sons:

• Operational Review: Maximum Results at Efficient Costs (text and workbook);
• Benchmarking Strategies: A Tool for Profit Improvement;
• Improving the Economy, Efficiency, and Effectiveness of Not-for-Profits; and
• Managing Cash Flow: An Operational Focus.

Dr. Reider is also the author of the recently released novel Road to Oblivion: The Footpath Back Home, a novel of discovery that looks at the life of a downsized executive. He is considered a national expert in the area of performing internal and external benchmarking studies together with operational reviews. He can be reached via e-mail at [email protected].