Auditors are responsible to evaluate the security and integrity of computer based systems. Internal auditors are needed to ensure that there is sufficient control over personnel and departments within an organization. Such controls are needed in order to maintain data security and data integrity. Data integrity concerns the accuracy and reliability of data. Data security concerns the safety of data from unauthorized access. There are many threats to the accuracy of accounting data. Some of these threats include errors and irregularities.
Errors are usually unintentional and arise from carelessness and misjudgment. This can be caused from a breakdown in attention by the employee, lack of training, or lack of knowledge by the employee. Another threat to the accuracy of accounting data include irregularities. Unlike errors, irregularities are intentional and include defalcation or management fraud. Defalcation is the theft of assets from an organization. This ! causes an overstatement of asset accounts in the financial statements. An example of defalcation is a theft of cash from an organization by an employee.
Accounting data are also susceptible to management fraud. A manager may intentionally misstate financial information of a company to make it look more profitable. By making the company look more profitable this may increase the managers bonus or the selling price of the companys stock. Internal controls are necessary to help prevent this. Internal control is a process, implemented by people in the organization, designed to provide reasonable assurance regarding the effectiveness and the efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Internal control policies and procedures provide reasonable assurance of preventing or detecting errors and irregularities, however they may fail because of collusion and management override. Internal controls that are important when using a computer based accounting system are system controls. Internal controls can be categorized by their objectives or by scope. When categorizing system controls by objective there are preventive controls, detective controls, and corrective controls. Preventive controls are used to prevent errors and irregularities. Detective controls detect errors and irregularities after they have already occurred.
Once an error is found, management may institute corrective controls. An example of a corrective control is an adjusting entry made to correct an item found on the trial balance. System controls can also be categorized by their scope and this is more widely used. General controls affect all application systems. These policies, practices, and procedures attempt to prevent errors and irregularities in all accounting application systems. Application controls affect only specific applications. Application controls are policies,! practices, and procedures, that affect only a specific application within an accounting system.
By instituting effective general and application controls, an organization will have better computer security and will be able to identify potential risks and prevent fraud. The three main sources of computer security risks include internal sources, external sources, and collusive sources. Internal sources of risk include operational level employees and managers. This risk is present due to these employees having custody of the asset or the records concerning the asset. External sources of risk include business contacts and unknown criminals. The third type of risk associated with computer security are collusive sources.
There is both internal collusion and external collusion. Collusion exists when more than one individual joins efforts with another individual(s) to defraud an organization. These individuals usually conceal the theft by altering the computerized records. Internal collusion occurs when employees work together to defraud the organization. Usually an operational level employee steels the asset and the manager conceals the theft by falsifying the computerized records. External collusion is present when an employee acts with! a non-employee to defraud the company.
An effective segregation of duties can help eliminate some of the risk an organization is faced with. By instituting an effective segregation of duties no one individual should control more than one of the three general types of responsibilities. These three responsibilities include authorization to execute a transaction, recording of the transaction, and custody of the asset in the transaction. This would be an example of an internal accounting control because several people are handling different parts of the same transaction making detection and correction of errors more likely.
This is why collusive efforts are the primary source of risk to an organization. The four types of risks due to weaknesses in computer security include the destruction of data, espionage, invasion of privacy, and employee fraud. The intentional destruction of data may arise from former employees, hackers, and virus programmers. This can be minimized by having sufficient security procedures to eliminate unauthorized access, following standard backup procedures, and by using virus detection software. Espionage occurs when a company finds out information about competing firms by gaining access to their data files.
This can be prevented by implementing effective access controls. However, collusive efforts are harder to prevent. Since computer files contain personal information there is a risk of this confidential information leaking out. Threats of this type come from hackers and employees. Once again, with adequate access controls this can be minimized. The fourth risk associated with a weakness in computer security is employee fraud. The main thr! eat of employee fraud comes from managers who can override controls and when employees collude together. The reasons why an employee defrauds an organization is the fraud triangle.
The fraud triangle consists of opportunity, pressure, and rationalization. The opportunity to commit fraud is present due to a weakness or limitation of internal controls. Employees usually commit fraud because of financial or job pressure. Then, employees rationalize their fraud by intending to repay the theft or by asserting that other people do it. The components of a fraud include the theft, conversion, and concealment. Generally, a fraud begins when someone steals assets that do not belong to them which causes overstatements of these asset accounts. When a thief steals assets other than cash they try to convert them into cash.
This is known as conversion. The third component of fraud is concealment. Concealment is the falsifying of accounting records to prevent the identification of the theft. Each component of the fraud provides opportunities for detecting the fraud. Fraud can be minimized by instituting proper controls over the computerized accounting system. In order to minimize the risk of fraud and make sure there is adequate data security and integrity Highlight Corporation hired Mark Tick to do a general controls review of their data center. General controls affect all application systems.
General controls can be broken down into five different types: organization of the MIS activity, application system development and maintenance controls, hardware controls, access controls, and data center operations controls. The MIS activity is the part of the organization that provides computer services to the other parts of the organization. Application system and development and maintenance controls are preventive controls which consist of procedures for system and program changes. A formal review of these applications are necessary before implementation in order to prevent the use of inefficient or ineffective systems.
Hardware controls are placed into the computer equipment by the manufacturer to prevent and detect errors durin! g data processing. Access controls restrict people from retrieving or changing data in which they are not authorized to do so. Data center operations controls consist of backup procedures and contingency plans. These general controls are necessary to prevent errors and irregularities for application systems. It is obvious that Mark Tick did not have general controls in mind when he performed the review of the data center. The first major problem concerning Highlight Corporation is there lack of access controls.
There data center is advertised by a large neon sign inviting outsiders to come in. The data center should not have a large neon sign depicting its existence for unauthorized outsiders to come in. Another major weakness concerning Highlights data center is their lack of physical security. When Tick entered the data center and asked for the manager he was instructed to wait in the computer room without questioning his identity. The receptionist should restrict entrance into the data center and record all visitors in a computerized log.
All visitors should also be asked for identification in order to be admitted into restrictive areas. A secured waiting room should also be established for all visitors until they are authorized in by the appropriate personnel. The fact that the data center is located below flood level, next to the boiler room, and contains a gas fired coffee urn p! oses additional threats to the data center. The data center should be re-located away from the boiler room, above sea level, away from the riverside, and the gas fired coffee urn should be moved out of the data center in order to minimize these unnecessary risks of floods and fires.
The data center is extremely warm probably because it is located next to the boiler room and because of the coffee urn. As a result of these war conditions, there will be computer downtime and this will damage and shorten the life of the computer equipment. Therefore, not only should the data center be moved but an adequate air conditioning system must be installed. Highlight should also invest in fire extinguishers, and fire detection alarms for the data center to ensure the safety of both the employees and the data. Should a catastrophe such as a flood or fire occur a contingency plan is necessary.
A contingency plan is a data center operations control that consists of specific procedures ! to follow if a catastrophe occurs. Presently, Highlights contingency plan consists of storing copies of programs in the bottom of the foreman of the maintenance departments locker. The information being stored seems to not be necessary to the ongoing operations of the data center and is stored at the data center. A proper contingency plan should include adequate insurance coverage, an alternative processing location, vital applications, off-site storage location, and responsibility for these procedures should be made in advance with all employees.
Therefore, the contingency plan used by Highlight Corporation should consist of storing only important programs and they should be stored away from the data center. There is another lack of control over the accounting files. The accounting files are stored in hallways accessible by all employees. Highlight should institute data control and librarian. They can do this using a data base management system (DBMS). The DBMS woul! d retain accounting records and prevent unauthorized changes to them.
The data base administrator would determine which users would have access to records contained in the data base and would also monitor attempts of unauthorized access. The records should be backed up and the back ups should be held under lock and key. There would no longer be a need to store accounting information in the hallways. This would also prevent the employees of Highlight from removing the file protection reels that cause erasure of files and use them for ring toss because they would no longer have access to the disks but only the information.
If for some reason the company is not ready to implement a DBMS, the files should be kept under lock and key and logged out when needed by appropriate employees. The disks used by this organization are also being improperly stored. Tick actually spilled coffee on the disks. There should be a cabinet to store all disks in and they should be in cases in ! order to protect them from damage and accidents. The fact that computer operators have access to source code makes it easier for these operators to alter or destroy the programs and defraud the organization.
By instituting an effective segregation of duties computer operators should not be able to access source code. There are also many other controls needed by this organization. Tick observed that employees were dumping source documents into a box labeled input and the documents were processed by operators in a random LIFO fashion. This means that old source documents would never get entered. These source documents are not being controlled which may lead to them getting lost or stolen. Management needs to implement effective processing controls in which the source documents are entered at the end of the week using batch totals.
This will make the accounting information more accurate. Thus, management will be able to use the sum of the batches as control totals and will be able to detect lost or added transactions and prevent fraud. Tick also noticed that the output at the end of the week was placed in the cafeteria on a table allowing everyone to access the information. The output should be put in a secured place with access granted to only those who are authorized to review th! e information and output report distribution logs should be kept.
There is also a lack of access controls over private information such as vice presidents salaries. The operator and mailboy were discussing how much the vice presidents were paid and the computer operator was actually entering in the amount. This information should be confidential with limited access. Data encryption is used for data that is subject to privacy restrictions and this should be used to hide the amounts of the salaries. Highlight Corporation should use asymmetric encryption which uses two different encryption keys, one to encode the data and the other to decode the data.
The computer operators are also involved with using bad procedures concerning incorrect transaction amounts. The computer operators are re-entering data that was rejected by the validation program. Data validation procedures detect erroneous data as it enters an application system and prevents the system from posting the in! valid data to a master file (Text 526). These incorrect amounts should be corrected before they are re-entered into the computer, otherwise it makes no sense to have validation programs. Some common data validation procedures include limit checks and validity checks.
There is also a lack of control over the input and it is processed on a first come first serve basis instead of a batch process. Input should be a batch process according to weekly and monthly production schedules in order to prevent improper input or use of data during processing. Routine items should be inputted at specified times. Input can also be controlled by being entered twice by two different operators in order to prevent potential problems such as incomplete processing or fraudulent modification of the data. There are also many control weaknesses associated with the payroll system of Highlight Corporation.
The payroll checks are not numbered which makes it virtually impossible to keep track of the payroll checks. When using pre-numbered documents such as checks it is easier to detect a fraud. In addition to not being numbered, payroll checks are also produced in multiple copies. This makes it easy for a copy to be stolen and fraudulently negotiated to a third party. Therefore, it is only necessary to produce one copy of an original check and it should be marked non-negotiable. As Tick passed through the payroll department he noticed that the console logs were shredded upon completing the payroll run.
These documents are used not only to provide evidence of operations performed by computer operators but also to detect fraud. Console logs should be kept for a period of time and reviewed by auditors. Tick also found a shortage of forty-seven cents in the petty cash fund. H! owever, he failed to report that the petty cash fund was only five dollars and must be increased in order to be effectively used. The petty cash fund must be increased to an adequate amount and properly maintained. These control weaknesses all add to the risk of Highlight Corporation being defrauded by internal, external, and collusive efforts.
It is clearly evident that Highlight Corporation lacks many of the necessary general and application controls and is therefore at risk to many types of fraud. Mark Tick, the internal auditor, failed to evaluate the computer security and advise management of the necessary improvements. Tick should have conducted tests of controls, which is a survey in which an auditor evaluates data security and integrity. In order to prevent from being defrauded, the management of Highlight must establish general controls and their internal auditors must be able to effectively evaluate these general controls for their weaknesses.
It also seems that this company is completely outdated as to their use of computers and advanced technologies. Tick was unaware of generalized audit software (GAS), a software package that makes it easy for auditors to perform common audit tasks on data that is stored in computer files. He also failed to evaluate the computerized records for their completeness,! accuracy, and consistency. Until Highlight implements general controls and trains their personnel on how to evaluate these general controls they are faced with serious risks of fraud.
