PC Controls for Troubled Times

Rob Reider

The Journal of Corporate Accounting & Finance, July/August 2009. © 2009 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20509

Many businesses of all sizes use personal computers (PCs) to process financial and accounting transactions and prepare financial statements. But many PC software packages are “user friendly” and allow the user to have only limited knowledge of control procedures. In addition, the severe economic downturn is causing downsizing and layoffs, and many disgruntled employees are tempted to steal data and sabotage PCs. Finally, as companies struggle to survive, they implement cost-cutting measures, lowering the level of computer security even more.

So what control measures should you put in place now? What steps are needed? The author supplies some detailed plans you can use immediately to reduce your risks.

Most businesses presently process their financial and accounting transactions in a microcomputer (PC) environment. These businesses, of all sizes, are processing those financial transactions and maintaining account balances using PC-based systems and purchased or packaged software on which the business, and the external CPA, rely in the preparation of financial statements. There are many software packages on the market for financial and accounting applications at relatively low cost that are designed for use in an interactive mode (“user friendly”), which allows the user to have limited knowledge of computer processing and control procedures. In addition, with the severe downturn in the economy typified by downsizing and layoffs, and general employee malaise in the workplace, disgruntled employees lurk out there, causing fears of data theft and computer sabotage. Finally, companies struggling during the downturn implement cost-cutting measures, also lessening the level of computer security. Due to this increasingly uncontrolled PC operating environment, you should be aware of effective control considerations when relying on computer-processed financial and accounting data.

Although you don’t need to be an IT professional or a computer programmer to effectively operate within a PC-based system, you should have some knowledge as to how the PC system works (both hardware and software), what control measures need to be in place to ensure the integrity of data, and what steps are necessary to achieve the most productive use of the PC system.

IT GENERAL CONTROLS

IT general controls encompass the environment in which applications (financial, accounting, and programmatic) are processed. Effective general controls provide the proper environment for effective internal accounting and program controls. General controls increase in significance as more and more critical applications are processed through the PC system. Their purpose is not directed to any one computer application, but to all applications processed. When general controls are weak or missing, it must be ascertained whether application controls exercised in user areas satisfy internal control requirements. A PC computer installation, by the nature of its relatively small size, predominant use of purchased software packages, and its ability to be fully operable by one computer operator, carries intrinsic IT general control concerns. In the review and evaluation of IT general controls, you should be aware of the following control considerations.

Lack of Segregation of Functions

• Between IT and users
• Within the IT department

To remedy this situation, you should consider:

• independent initiation and authorization of input transactions by someone other than the computer operator;
• input controls, processing controls, and output settlement procedures to be handled by a person(s) independent of the computer operation;
• assigning distinct staff personnel (other than computer operators) the functions of data preparation, data control, and data file/program librarian as part of their overall responsibilities; and
• having personnel assigned to computer-operating responsibility only enter and process data through the computer as related to computer operations.
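The following is an added illustration, not code from the article: a segregation-of-functions check run over a constructed transaction log. Each log entry records who initiated, authorized, entered and reconciled the transaction, and the staff names and their roles are a hypothetical assignment. The check flags any transaction where the computer operator initiated or authorized input, where one person both authorized and entered it, or where input/output control was not independent of computer operations; it also prints the control report (every transaction with the person and terminal that entered it) that the audit trail questionnaire later asks for.

```python
"""Added example, not from the article: a segregation-of-functions check
run over a constructed transaction log. Each log entry records who
initiated, authorized, entered and reconciled the transaction; the staff
and their roles are a hypothetical assignment."""
from collections import namedtuple

Txn = namedtuple("Txn", "id initiated_by authorized_by entered_by reconciled_by terminal")

# Hypothetical role assignments made by management
ROLES = {
    "alice": "user",        # user department: initiates transactions
    "bob": "supervisor",    # authorizes transactions
    "carol": "operator",    # computer operator: enters and processes
    "dave": "control",      # data control: reconciles input to processing
}

# Constructed transaction log
LOG = [
    Txn("T001", "alice", "bob", "carol", "dave", "PC-02"),
    Txn("T002", "carol", "carol", "carol", "carol", "PC-01"),  # operator did everything
    Txn("T003", "alice", "alice", "carol", "dave", "PC-02"),   # initiator authorized own entry
    Txn("T004", "alice", "bob", "carol", "carol", "PC-01"),    # operator reconciled own input
]


def sod_violations(txn, roles=ROLES):
    """Return the list of separation-of-functions violations for one transaction."""
    problems = []
    if txn.initiated_by == txn.authorized_by:
        problems.append("initiator authorized own transaction")
    if txn.authorized_by == txn.entered_by:
        problems.append("authorizer also entered the transaction")
    if "operator" in (roles.get(txn.initiated_by), roles.get(txn.authorized_by)):
        problems.append("computer operator initiated or authorized input")
    if roles.get(txn.reconciled_by) == "operator" or txn.reconciled_by == txn.entered_by:
        problems.append("input/output control not independent of computer operation")
    return problems


def sod_report(log, roles=ROLES):
    """Map transaction id -> violations, for every transaction that has any."""
    report = {}
    for txn in log:
        problems = sod_violations(txn, roles)
        if problems:
            report[txn.id] = problems
    return report


def control_report(log):
    """Every transaction entered, with the person and terminal that entered it
    (the control report an audit trail should produce)."""
    return [f"{t.id}\t{t.entered_by}\t{t.terminal}" for t in log]


if __name__ == "__main__":
    for txn_id, problems in sod_report(LOG).items():
        print(txn_id, "; ".join(problems))
    print("\n".join(control_report(LOG)))
```

The point of keying the check on roles rather than on names is the one the pull quote makes: it is the separation of functions that matters, so a one-person shop still fails the check even if that person uses two user IDs.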

Location of Computer(s)

• In the user’s area
• PCs may be in a nonsecure, non-temperature/humidity-controlled environment. This can cause problems.

The PC, due to its relatively small size and user orientation, is normally located within the user’s area in an accessible location, requiring user and application software security to control misuse of the system. In such an environment, proper controls to limit access to computer systems and related software and data files to authorized individuals might include:

• physical key and lock systems,
• user passwords,
• application program and data file security passwords, and
• functional passwords, such as inquiry only, transaction update, and master file maintenance.

Limited Knowledge of IT

• By management personnel
• By user personnel
• By computer operators

PC hardware and software is designed for ease of learning and use, which allows personnel with limited IT knowledge to purchase and operate them effectively. Such a computer operations atmosphere can result in a lack of understanding of the need for data and processing controls, leading to an undisciplined control environment. As reliance is placed on the accuracy of financial transactions and the integrity of account balances, you must ensure that proper PC controls are implemented and in effect, such as:

1. Input controls,
2. Data entry controls,
3. Processing controls,
4. Output reconcilement procedures,
5. Data file library procedures, and
6. Master file maintenance.

Disk Storage/Backup

Hard disk storage devices for application programs and large databases are susceptible to damage and destruction, such as disk read errors, corrupted cylinders and tracks, poorly controlled backup (usually using a backup tape/disk/CD-ROM device) and recovery procedures, and operating failures. Data storage and backup on small diskettes or tape or CD-ROMs are susceptible to damage, loss, misplacement, misappropriation, and use of the wrong diskettes or CD-ROMs. Some procedures to consider over the control of disk storage include:

• disk data file and program library procedures, ensuring the correct data files are being used, backed up, and recovered, and no unnecessary data files are available to the computer operator;
• use of properly controlled hard disk operating and backup procedures;
• replacement of backup media (diskette, CD-ROM, or tape) after a period of time (e.g., six months) or a number of uses (e.g., 100 uses);
• adequate backup copy library procedures, including in-house and off-site storage; and
• periodic checkup and maintenance for hard disk drives and cleaning of disk drive read/write heads.

It’s the separation of functions, not the separation of individuals.

Software Packages

Most PC business computer users utilize application software packages for their major accounting systems that make it relatively easy for the non-IT-knowledgeable user to perform necessary computer processing. These accounting packages operate in an interactive processing mode that is designed to edit out bad data, but not necessarily wrong or duplicate data. However, this “user-friendly” approach does not usually allow the user to incorporate necessary internal accounting controls into the system, as the user must accept those controls that have been provided by the software vendor (who may not be too knowledgeable about internal accounting controls). In this situation, it is the responsibility of the user to review and evaluate the software package before purchasing and implementing it to ensure required accounting controls, such as:

• input editing and validation procedures,
• data entry input controls,
• processing controls,
• error condition identification,
• error correction controls,
• file update procedures,
• file maintenance procedures, and
• file control procedures.

Exhibit 1. IT Planning for PC Security

1. Is there an overall IT plan for the entity? Does it cover all needs, including financial and accounting systems, as well as operating requirements?
2. Is a hardware feasibility study part of the IT plan?
3. Does the IT plan make the best possible use of microcomputers and the use of LANs and wide-area communications?
4. Have adequate organization and departmental problem statements together with systems specifications been prepared?
5. Are the necessary personnel resources available to implement and operate the elements of the IT plan?
6. Has a preliminary survey been performed that clearly documents the requirements of the new system?
7. Has a cost versus benefit analysis been performed for the new system with realistic estimates?
8. Has software been identified in the IT plan? How was it selected? Does it cover all essential features?

Exhibit 2. Controls for Purchased PC Software Packages

1. Have arrangements been made for appropriate user participation in detail design specifications?
2. Has the software package been adequately evaluated and tested?
3. Does the software contain the necessary procedures to provide for proper internal controls when implemented?
   • Passwords (terminal access controls)
   • Edit and validation routines
   • Control totals or transaction lists
   • Exception reports
   • Management trails
4. Is the software and user documentation adequate?
5. Has the conversion of existing information to the new system been adequately controlled?
6. Will the addition of the new software application cause overall systems performance to suffer? Has the need for additional or new hardware been considered?

Physical/Logical Security

PC systems can be housed in a relatively small area, many times on a desktop within the user area. In addition, if operating within a local area network (LAN) environment, the LAN file server housing the system’s databases and programs may not be secured properly. Many times it may be accessible to any or all users, even to strangers. Some controls that should be considered relative to the physical security of PC computer hardware and software include the following:

• access controls to computer hardware, use of physical lock and key, security user passwords, and stricter controls for the LAN file server;
• environmental controls to protect against excess humidity, temperature variations, or other atmospheric conditions;
• electrical connections, such as a separate power line, surge devices, and uninterruptible power supplies (UPS);
• fire protection devices for hardware, data files, and programs, as well as fire/smoke detection and extinguishers;
• protection of data files and programs when not in use (fireproof secure facilities);
• backup procedures for hardware, data files, and programs, both on-site and off-site;
• off-site storage for important data files, programs, and documentation; and
• insurance coverage, such as equipment cost, reconstruction of data files, business interruption, loss of records, and so on.

Exhibit 3. Organizational Controls for PCs

1. Has a proper segregation of duties been achieved within the IT department (if one exists)?
2. If a separate IT department exists, does it not:
   • Initiate and authorize transactions?
   • Record transactions?
3. Within user departments, are the following activities segregated from each other wherever possible?
   • Initiation of transactions
   • Authorization of transactions
   • Recording of transactions
   • Input, processing, and output control activities
4. If not segregated, has the best possible segregation been achieved?
5. Wherever possible, are automated controls used to help ensure the completeness, accuracy, and authorization of data?

Exhibit 4. Controls for PC Application Systems Maintenance and Documentation

1. Where software packages have been purchased off the shelf:
   • Is data on new versions of the package regularly reviewed to see if such updates are desirable?
   • If an updated version is acquired, is it adequately reviewed and tested prior to being put into use?
2. Is there a user group for the software package? Does the entity participate in the user group?
3. Are changes to the software by employees limited to those that can be made through routines (i.e., database manipulators or report generators) available in the package?
4. Have any outside contractors made changes to the software? Are the contractors authorized by the software developer? Document changes.
5. Are all such outside changes properly reviewed and tested by the contractor and the user before they are accepted?
6. Are all program changes tested before the updated software is used to process the company’s transactions?

Passwords

Most software developers provide for a password structure that allows some degree of flexibility in designing your own. Passwords should be long enough to foil hackers who use random or systematic attempts to access accounting records by searching for a valid password. Long passwords make such guessing time-consuming, or lead to the attempts being detected. A password that is too long, however, may result in employees writing their password down (for instance, posting it on the monitor), increasing the risk of disclosure. When this article was written, a password of five or six characters (with no meaning) was normally considered sufficient; bear in mind that a five- or six-character password can be guessed exhaustively in a short time if an attacker obtains a copy of the password file, so the attempt-limiting, confidentiality, and expiry controls below are essential rather than optional, and longer passwords or passphrases should be preferred wherever the package allows them.

The use of passwords includes the following functions:

• Users commit passwords to memory with no written record.
• Password procedures inhibit printing or displaying the password.
• Passwords are not printed out on reports.
• Users have a limited number of attempts to enter a password (e.g., three), and if unsuccessful, further entries from that terminal are prohibited until supervisory action is taken.
• Users are required to change their password frequently (e.g., after 60 days). Some systems hang up if this is not done.
• Users sign off each time they leave the terminal. Some systems have automatic signoff if inactive for a time (e.g., three minutes).
• Users keep passwords confidential.
• Users design passwords that are random and do not contain employee’s/child’s names, birthdates, and so on.
• Users leaving the company or whose responsibilities have changed are deleted immediately from the password file.
• Limiting functions with passwords can also be achieved as follows:
   • restricting the terminal, such as inquiry or cash receipts only;
   • use of menus, on sign-on providing a menu of authorized items; and
   • resource restrictions, such as read-only.
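As an added example (not the article’s own code, and not any particular package’s implementation), the following Python module enforces the password functions listed above: a limited number of sign-on attempts (three) followed by lockout until supervisory action, forced change after 60 days, automatic sign-off after three minutes of inactivity, immediate removal of users who leave, and per-user function restrictions such as inquiry only. Storing passwords as salted PBKDF2 hashes is this example’s choice (the article only asks that the password file be encrypted and protected). The user names, passwords, and the injectable clock are constructed so the time-based controls can be exercised offline.

```python
"""Added example, not from the article: password controls with attempt
limiting, lockout, expiry, inactivity sign-off, leaver removal and
function restrictions. Users, passwords and the clock are constructed."""
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 3                      # attempts before lockout
PASSWORD_AGE_LIMIT = 60 * 24 * 3600   # forced change after 60 days (seconds)
INACTIVITY_LIMIT = 3 * 60             # automatic sign-off after 3 minutes


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (this example's choice) so that a stolen
    password file cannot be read back as clear text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordFile:
    def __init__(self, now=time.time):
        self.now = now          # injectable clock
        self.users = {}

    def add_user(self, name, password, functions):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest, "changed": self.now(),
                            "failures": 0, "locked": False, "functions": set(functions)}

    def remove_user(self, name):
        """Leavers are deleted immediately rather than left disabled."""
        self.users.pop(name, None)

    def supervisor_reset(self, name):
        user = self.users[name]
        user["locked"], user["failures"] = False, 0

    def sign_on(self, name, password):
        """Return (status, authorized functions); status is one of 'ok',
        'bad', 'locked', 'expired', 'unknown'. The password is never
        echoed, logged, or returned."""
        user = self.users.get(name)
        if user is None:
            return "unknown", set()
        if user["locked"]:
            return "locked", set()
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["digest"]):
            user["failures"] += 1
            if user["failures"] >= MAX_ATTEMPTS:
                user["locked"] = True        # further entries need supervisory action
                return "locked", set()
            return "bad", set()
        user["failures"] = 0
        if self.now() - user["changed"] > PASSWORD_AGE_LIMIT:
            return "expired", set()          # must change before proceeding
        return "ok", set(user["functions"])


class Session:
    """A signed-on terminal: functions are restricted to those granted at
    sign-on, and the session signs itself off after a period of inactivity."""

    def __init__(self, functions, now=time.time):
        self.functions = set(functions)
        self.now = now
        self.last_activity = now()

    def request(self, function):
        if self.now() - self.last_activity > INACTIVITY_LIMIT:
            self.functions = set()           # automatic sign-off
            return "signed_off"
        self.last_activity = self.now()
        return "allowed" if function in self.functions else "denied"


if __name__ == "__main__":
    pf = PasswordFile()
    pf.add_user("clerk", "xq7Lp2", ["inquiry", "cash_receipts"])   # constructed user
    print(pf.sign_on("clerk", "wrong"))          # ('bad', set())
    status, functions = pf.sign_on("clerk", "xq7Lp2")
    print(status, Session(functions).request("master_file_maintenance"))   # ok denied
```

Note that the lockout counter is per user rather than per terminal; the article's wording (further entries from that terminal are prohibited) can be had by keying the counter on the terminal as well, but a per-user count is what stops an attacker who simply moves to the next PC.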

IT APPLICATION CONTROLS

IT application controls are those internal controls that relate to the specific processing requirements of an individual application such as accounts payable, accounts receivable, and general ledger. During the review of application controls, any weaknesses identified during the review of general controls should be tested as to the availability of compensating controls within the software application.

Application controls are intended to ensure that there are no errors in:

1. Input: the recording, classifying, and summarizing of authorized accounting and financial transactions;
2. Processing: the maintenance/update of master file information;
3. Output: the results of computer processing; and
4. Accounting controls and audit trail.

Exhibit 5. Prevention of Record and Equipment Loss

1. Are there written procedures for computer operators to follow that require the regular copying of data files for backup?
2. Are all copies of transactions (on magnetic media) since the last backup stored properly so as to facilitate re-entry?
3. Has a disaster plan been prepared that includes instructions about what to do on-site, and how to perform hardware and software recovery procedures? Have arrangements been made and tested as to hardware backup?
4. Are copies of the following stored off-site?
   • Operating systems
   • Application support software and utilities
   • Application programs
   • Systems, program, and user documentation
   • Copies of data files: master and transaction files
5. Have insurance arrangements to offset losses due to business interruption and to defray the cost of data reconstruction been considered?

In the review and evaluation of application controls where purchased software packages are the norm, the business is most concerned about the following.

Input Controls

There are four basic categories of input that need to be controlled.

1. Transaction entries: largest volume, biggest number of errors
2. File maintenance: limited volume, continuing impact
3. Inquiry transactions: no change, trigger decisions
4. Error corrections: more complex than original entry, offer a greater opportunity for additional errors

Input controls over these types of transactions are designed to ensure that:

1. Data received for processing are properly authorized.
2. No errors occurred in keying the data through the keyboard into machine-readable form.
3. Input data are complete: no data has been lost, suppressed, added, duplicated, or otherwise improperly changed.
4. Errors or other rejected data are properly re-entered into the system.

Exhibit 6. Input Controls

1. Are input transactions properly authorized by operations personnel?
2. Are standardized input forms used, and are they prenumbered with the numerical sequence being accounted for?
3. Are input forms checked for completeness and accuracy before they are submitted for data entry?
4. Are source documents canceled by data entry to prevent duplicate data entry?
5. Is the maximum possible use made of magnetic media data to reduce the amount of data to be entered?
6. When transactions are rejected, is the input document corrected by the initiator and re-entered on a timely basis?
7. Are transaction or file totals used to control the correct and complete entry of all transactions?
8. Are transaction totals balanced or verified by someone other than data entry personnel?
9. As a minimum, do different individuals perform the following activities?
   • Authorizing transactions
   • Initiating and recording transactions on the terminal
   • Input controls: reconciling input transactions to processing
10. Are terminals physically located so as to minimize the chance of access by unauthorized personnel?
11. Have passwords been properly used to restrict employees from unauthorized functions, allowing them only their own authorized functions?
12. Is the password system structure properly designed and maintained?
   • Are passwords kept confidential?
   • Are passwords changed periodically and with a change in responsibilities?
   • Are passwords deleted for employees leaving the company?
   • Do passwords appear on screens or output?
   • Is the password file encrypted and protected by a password?
   • Has a gatekeeper been assigned to control the password file?

In a well-controlled system with adequate input controls, the user departments establish control totals prior to submitting data for processing using some of the following techniques:

1. Footing totals (e.g., dollar or quantity fields);
2. Hash totals of various numeric fields (e.g., account numbers);
3. Self-checking digits (e.g., customer numbers, vendor numbers);
4. Record counts (e.g., number of purchase orders, invoices, checks); and
5. Zero balancing (e.g., subtracting each entry from an initial total entered so that the last item brings the balance to zero).

The computer system accumulates these same control totals during processing so that they can be compared to the off-line totals and differences resolved before processing continues. These input control totals are used to ensure that all transactions initiated and authorized are processed and are free of missing or erroneous data. Typically, such input controlling does not exist in a PC system, as most software packages rely on interactive processing and online editing procedures that keep “bad data” (values that fail a field edit) out of the system. However, such processing controls do not ensure that no wrong data (duplicate entries, missing transactions, or unauthorized entries) are entered into the system.
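The batch comparison described above, as an added example that is not part of the article: the user department’s off-line totals (footing, hash total of account numbers, record count, zero balancing) are recomputed from the records the operator actually keyed and the two sets compared. It goes slightly beyond the list by also accounting for the prenumbered document sequence that Exhibit 6 asks about, and it uses the mod-10 (Luhn) scheme as an assumed self-checking digit; the batch, the keyed records and the account numbers are all constructed. Every keyed record would pass a field-level interactive edit; only the batch controls catch the duplicated and missing documents.

```python
"""Added example, not from the article: batch control totals established
off-line before entry, recomputed from what was keyed, and compared.
Batch, keyed records and the Luhn check-digit scheme are constructed."""
from collections import Counter


def check_digit_ok(number):
    """Mod-10 (Luhn) self-checking digit on a numeric customer or vendor
    number; catches single-digit errors and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(str(number))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def control_totals(records):
    """Footing total of the amount field, hash total of the account
    numbers, and record count, as the user department computes off-line."""
    return {"footing": round(sum(r["amount"] for r in records), 2),
            "hash": sum(r["account"] for r in records),
            "count": len(records)}


def zero_balance(batch_footing, records):
    """Subtract each keyed entry from the batch total; the last item should
    bring the balance to zero."""
    balance = batch_footing
    for r in records:
        balance = round(balance - r["amount"], 2)
    return balance


def sequence_accounting(records, first_doc, last_doc):
    """Prenumbered form accounting: document numbers missing from the
    range and document numbers keyed more than once."""
    seen = Counter(r["doc"] for r in records)
    missing = [n for n in range(first_doc, last_doc + 1) if n not in seen]
    duplicates = sorted(n for n, c in seen.items() if c > 1)
    return missing, duplicates


def reconcile(batch, entered, first_doc, last_doc):
    """Compare user-established totals with the totals the system
    accumulates from what was keyed; return findings (empty when the
    batch balances)."""
    findings = []
    offline, system = control_totals(batch), control_totals(entered)
    for name in offline:
        if offline[name] != system[name]:
            findings.append(f"{name} mismatch: batch {offline[name]} vs entered {system[name]}")
    if zero_balance(offline["footing"], entered) != 0:
        findings.append("zero balance not reached")
    missing, duplicates = sequence_accounting(entered, first_doc, last_doc)
    if missing:
        findings.append(f"missing documents {missing}")
    if duplicates:
        findings.append(f"duplicate documents {duplicates}")
    for r in entered:
        if not check_digit_ok(r["account"]):
            findings.append(f"doc {r['doc']}: account {r['account']} fails check digit")
    return findings


# Constructed batch of cash receipts; the account numbers carry a valid Luhn digit
BATCH = [
    {"doc": 1001, "account": 79927398713, "amount": 250.00},
    {"doc": 1002, "account": 4111111111111111, "amount": 99.95},
    {"doc": 1003, "account": 79927398713, "amount": 1200.00},
]
# What the operator actually keyed: document 1002 twice (the second copy
# with a mis-keyed account number) and document 1003 not at all.
ENTERED = [
    {"doc": 1001, "account": 79927398713, "amount": 250.00},
    {"doc": 1002, "account": 4111111111111111, "amount": 99.95},
    {"doc": 1002, "account": 4111111111111121, "amount": 99.95},
]

if __name__ == "__main__":
    for finding in reconcile(BATCH, ENTERED, 1001, 1003):
        print(finding)
```

The hash total has no business meaning; its only job is to change whenever an account number is mis-keyed, which is why the second copy of document 1002 is caught even though its amount is identical to the first.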

Processing Controls

These controls provide reasonable assurance that the application system is performing as intended, to ensure that all authorized transactions are:

• processed as authorized,
• included in the processing, and
• the only transactions processed (no unauthorized transactions being added).

Such processing controls included in the application programs are designed to prevent or detect the following types of errors:

• not processing all authorized input transactions,
• erroneous processing of the same input more than once,
• processing and updating of the wrong data file(s),
• processing of illogical or unreasonable input or output, and
• loss of data during processing.

Some processing control procedures to be considered include the following:

1. Processing control totals should be produced and reconciled to input control totals.
2. Data file totals are produced that can be reconciled to the previously run program. These are called “run-to-run” controls. The formula for ascertaining the correctness of such run-to-run totals is: beginning data file total plus total transactions = ending data file total.
3. Controls should prevent processing the wrong data file. PC processing may not use effective internal label checking procedures, but a greater dependency on manual external label checking. Operating procedures should include such techniques as checking file dates, size in bytes, control totals, record counts, and the like.
4. Limit and reasonableness checks should be incorporated within programs (e.g., net pay cannot exceed $1,000).
5. Run-to-run controls should be verified at appropriate points in the processing cycle, basically from one computer run to another where the number of records or file control totals has changed.
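The run-to-run formula, the external label check and the limit check above, carried through in one added Python example (not from the article) on a constructed payroll master file. The label kept with the file (record count and control total) is checked before the run so that a stale or wrong file is refused; transactions outside the $1,000 net-pay ceiling are rejected; and after the update the program verifies that beginning file total plus accepted transaction total equals the ending file total. The update loop deliberately drops a transaction whose employee number has no master record, which is exactly the processing loss the run-to-run control is there to catch.

```python
"""Added example, not from the article: run-to-run controls around a master
file update, with a limit/reasonableness check on the input and an
external label check on the file about to be processed. The payroll
master file, the transaction file and the $1,000 ceiling are constructed."""

NET_PAY_LIMIT = 1000.00   # reasonableness limit used in the article's example


def file_label(records):
    """Control information kept with a data file (record count, control
    total); the 'external label' an operator checks before a run."""
    return {"count": len(records),
            "total": round(sum(r["balance"] for r in records), 2)}


def check_label(records, expected_label):
    """Refuse the run if the file does not match its recorded label
    (wrong, stale, or partially restored file)."""
    return file_label(records) == expected_label


def limit_check(txn, limit=NET_PAY_LIMIT):
    """Limit and reasonableness check: net pay must lie within 0..limit."""
    return 0 <= txn["amount"] <= limit


def update_master(master, transactions, master_label):
    """Apply net-pay transactions to the master file and return
    (new_master, run_log). Run-to-run test:
    beginning file total + accepted transaction total == ending file total."""
    if not check_label(master, master_label):
        return master, {"status": "rejected",
                        "reason": "master file label mismatch"}
    accepted = [t for t in transactions if limit_check(t)]
    rejected = [t["id"] for t in transactions if not limit_check(t)]

    updated = {r["id"]: dict(r) for r in master}      # master is not modified in place
    for t in accepted:
        # A transaction with no matching master record is silently dropped
        # here: the processing loss the run-to-run control exists to catch.
        if t["id"] in updated:
            updated[t["id"]]["balance"] = round(
                updated[t["id"]]["balance"] + t["amount"], 2)
    new_master = list(updated.values())

    begin = file_label(master)["total"]
    txn_total = round(sum(t["amount"] for t in accepted), 2)   # input control total
    end = file_label(new_master)["total"]
    balanced = round(begin + txn_total, 2) == end
    return new_master, {"status": "ok" if balanced else "out of balance",
                        "begin": begin, "transactions": txn_total, "end": end,
                        "rejected": rejected}


# Constructed payroll master file (year-to-date net pay) and its label
MASTER = [{"id": "E01", "balance": 5000.00}, {"id": "E02", "balance": 3200.50}]
MASTER_LABEL = file_label(MASTER)

# One clean transaction file, and one with an unreasonable amount and an
# employee number that exists on no master record
TXNS_OK = [{"id": "E01", "amount": 850.00}, {"id": "E02", "amount": 640.25}]
TXNS_BAD = [{"id": "E01", "amount": 850.00},
            {"id": "E02", "amount": 12000.00},
            {"id": "E99", "amount": 300.00}]

if __name__ == "__main__":
    for txns in (TXNS_OK, TXNS_BAD):
        _, log = update_master(MASTER, txns, MASTER_LABEL)
        print(log)
```

An out-of-balance result should stop the cycle and hold the new file back from the next run, not just be printed; the point of item 5 above is that a difference introduced in one run is otherwise carried silently into every run that follows.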

Exhibit 7. Audit Trails

1. Does the audit trail:
   • Provide the information needed for control purposes?
   • Provide information for management to effectively operate the business?
   • Satisfy legal requirements?
2. Is the application designed (or does it provide for database manipulation or report generation) in such a way that data can be summarized or reported to meet the changing needs of management?
3. Does every transaction entered appear on a control report, showing the person (and terminal) who entered the data?
4. Are detailed reports available that facilitate the checking of calculations?
5. Are there sufficient records retention (magnetic media and reports) policies in place that cover the audit trail?

Output Controls

In a PC processing system, output controls are designed to ensure that:

1. Output data representing the results of computer processing such as computer reports, data files, screen displays, checks, invoices, and the like are accurate, complete, and reasonable.
2. Output reports (hard copy and screen displays) are distributed or accessible only to authorized personnel.
3. Data file output is properly controlled and identified.

Specific output controls to be considered include:

• Output control totals should be reconciled with input and processing controls (output reconcilement procedures).
• Output should be scanned and tested by comparison to original source documents for transactions that cannot be controlled by the establishment and balancing of control totals. An example is changes to master files of non-numeric data such as employee name and/or address, item descriptions, and numeric data such as pay rates, selling prices, and item numbers. The system must provide adequate output data for this purpose.
• Systems output should be distributed or made accessible only to authorized users (output reports and screen displays).
• Data file output is properly controlled and identified, through such techniques as record counts and control totals, run-to-run control procedures, external labels, backup library procedures, and the like.

Exhibit 8. Operations Controls, Output Controls, and Virus Controls

COMPUTER OPERATIONS CONTROLS

1. Are systems controls designed to help ensure that the correct data files are being processed and are they used to the maximum extent?
2. Do controls exist within the application systems to ensure that correct beginning-of-cycle, end-of-cycle, and transaction-control routines are executed by the computer operator?
3. If controls are not built into the application software, are there other controls and procedures followed by the computer operator to ensure that processing controls (run-to-run controls), correct data files, backup procedures, and other operations procedures are performed?

OUTPUT CONTROLS

1. Have output controls been designed to help offset weaknesses that may exist in controls over the use of operating systems and utilities?
2. Is all computer output subjected to one or more of the following controls before being used?
   • Is the output data file subjected to file balance controls?
   • Is output reviewed by user management, with a periodic check of results and calculations made?
3. Are all significant data files subjected to balance control procedures?
4. Is master file data periodically printed out for review by an appropriate employee?
5. Is material output reviewed by an employee with sufficient knowledge of the business so as to be able to spot obvious errors or suspect items?

COMPUTER VIRUSES

1. Are all diskettes (particularly program diskettes) and CD-ROMs received from third parties scanned for viruses before being used?
2. Are program media purchased only from reputable sources and received in secure packaging?
3. Is there a policy to prohibit the use of pirated software or software procured through irregular channels?
4. Are new programs added to a microcomputer or the LAN done only by one authorized person?
5. Is some form of virus-detection software in use?
6. Have arrangements (including outside professional help) to recover from a virus infection been determined and documented?

IT CONTROL QUESTIONNAIRE IN A PC ENVIRONMENT

To assist in obtaining a working knowledge of the business’s IT operations, control questionnaires such as the ones shown in Exhibits 1 through 8 can be used. Using such questionnaires, you can use professional judgment as to what is pertinent to the specific small business, as not all IT controls would be appropriate.

Understanding IT basics, such as hardware and software concepts and related controls together with knowledge of off-line control procedures, is usually adequate for the business to operate its PC computer systems in an effective control environment. However, what is important is not only to be aware of IT controls, but to know how to implement such controls, and which ones, so that the business’s efficiency of operations is not brought down by unwieldy and unnecessary controls.

Rob Reider, CPA, MBA, PhD, is the president of Reider Associates, a management and organizational consulting firm located in Santa Fe, New Mexico, which he founded in 1976. Prior to starting Reider Associates, Dr. Reider was a manager in the Management Consulting Department of Peat, Marwick, & Mitchell (now KPMG) in Philadelphia. He has been a consultant to numerous large, medium, and small businesses of all types in both the private and public sectors.

Dr. Reider is the course author and discussion leader and presenter for over 20 different seminars that are conducted nationally to various organizations and associations. He has conducted over 1,000 such seminars throughout the country. He has received the American Institute of Certified Public Accountants Outstanding Discussion Leader of the Year award. Dr. Reider has presented at many professional meetings and conferences around the country and has published many articles in professional journals.

He is the author of the following professional management books published by John Wiley & Sons:

• Operational Review: Maximum Results at Efficient Costs;
• Benchmarking Strategies: A Tool for Profit Improvements;
• Managing Cash Flow: An Operational Focus (coauthor with Peter B. Heyler);
• Improving the Economy, Efficiency, and Effectiveness of Not-for-Profits; and
• Effective Operations and Controls for the Small Privately Held Business.

He can be contacted via e-mail at [email protected]. This article is excerpted and adapted from Effective Operations and Controls for the Small Privately Held Business, authored by Rob Reider and published by John Wiley & Sons.