AN OVERVIEW OF INTERNAL CONTROLS FOR IT SYSTEMS (STUDY OBJECTIVE 1)

For all but the smallest organizations, computer systems are critical to ongoing operations. One of the critical functions within IT systems is the accounting information system. As described in Chapter 1, the accounting information system collects, processes, stores, and reports accounting information. Companies, government agencies, and nonprofit organizations all depend heavily on their computerized accounting systems to process transactions, store data, answer inquiries, and monitor operations. IT systems have become so critical that organizations would hardly be able to operate if their IT systems were suddenly to fail. Since IT systems are such a crucial and valuable resource for accounting systems, you should learn and understand the types of threats to which they are vulnerable so that these threats can be minimized. As an analogy, when you park your car in a public garage, you give some thought to whether it is susceptible to theft or vandalism and take some precautions such as locking the door or turning on a car alarm. Likewise, it is important for you to consider possible threats to the IT system and to know how to implement controls to try to prevent those threats from becoming reality. Unchecked threats and risks can lead to events that interrupt or stop computer operations, which can be severely damaging to the organization. Not only can they stop or disrupt normal operations, but they can also lead to incorrect or incomplete accounting information. This chapter provides an overview of controls in IT systems, the risks that these controls are intended to reduce, and important hardware and software components of IT systems to which controls should be applied.

Knowledge about IT systems and the related risks and controls is an important factor in gaining an understanding of business processes and the recording, summarizing, monitoring, and reporting of results. Later chapters will describe the usual business processes such as those involving revenues, expenditures, conversion, and administrative processes. The data resulting from these processes are usually recorded, monitored, and stored in IT systems. The material you learn in this chapter regarding risks and controls in IT hardware and software will prepare you to better understand the systems for revenue, expenditures, conversion, and administrative processes described in later chapters.

An important set of concepts in this chapter is the matching of controls to risks. To master risks and controls and how they fit together, three areas must be understood fully. The first area is the description of the general and application controls that should exist in IT systems. The second is the type and nature of risks in IT systems. Third and most important is the recognition of how these controls can be used to reduce the risks in IT systems. The fit of controls to risks is explained through the use of terminology, concepts, and the framework from the AICPA Trust Services Principles. The Trust Services Principles were briefly described in Chapter 3 and will be covered in more depth in this chapter.

From the early days of computer use in accounting, internal controls for computer-based systems have been described as being of two types: general controls and application controls. (See Exhibit 4-1.) General controls apply overall to the IT accounting system; they are not restricted to any particular accounting application. An example of a general control is the use of passwords to allow only authorized users to log in to an IT-based accounting system. Without regard to processing data in any specific application, passwords should be employed in the IT system.

Application controls are used specifically in accounting applications to control inputs, processing, and outputs. Application controls are intended to ensure that inputs and processing are accurate and complete and that outputs are properly distributed, controlled, and disposed of. An example of an input application control is a validity check. Within a specific accounting application, such as payroll, the system can use programmed input controls to reduce input errors. For example, in Exhibit 4-2, the date of hire that was entered (02/30/2002) was invalid, since February does not have 30 days. A programmed input check called a validity check can examine the date and alert the user to an invalid entry. You can see the error message a Microsoft Dynamics GP® user receives in Exhibit 4-2.

[Figure] Exhibit 4-1 General and Application Controls in IT Systems

[Figure] Exhibit 4-2 Validity Check: an Input Application Control

A larger set of application controls is described in detail in a later section of this chapter.
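As an added illustration (not from the textbook and not Microsoft Dynamics GP's own code), the validity check on the hire date in Exhibit 4-2 could be programmed as follows; the MM/DD/YYYY input format, the 1900 lower bound, and the rejection of future dates are assumptions, and the check handles leap years so that 02/29 is accepted only when the year actually has that day.

```python
from datetime import date


def _is_leap(year):
    """Gregorian leap-year rule: every 4th year, except centuries not divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def validate_hire_date(text, today=None):
    """Programmed input validity check for a hire date entered as MM/DD/YYYY.

    Returns (True, "") when the entry is acceptable, otherwise (False, message)
    where message is the text the data-entry user would be shown.
    """
    today = today or date.today()
    parts = text.split("/")
    # Format check: exactly three numeric fields separated by slashes (assumed format).
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return False, f"Date '{text}' is not in MM/DD/YYYY format."
    month, day, year = (int(p) for p in parts)
    if year < 1900:  # assumed lower bound for a plausible hire year
        return False, f"Year {year} is out of range (must be 1900 or later)."
    if not 1 <= month <= 12:
        return False, f"Month {month} is not valid."
    # Days per month; February depends on whether the year is a leap year.
    days_in_month = [31, 29 if _is_leap(year) else 28, 31, 30, 31, 30,
                     31, 31, 30, 31, 30, 31]
    limit = days_in_month[month - 1]
    if not 1 <= day <= limit:
        # This is the case from Exhibit 4-2: 02/30/2002 fails because February has 28 days.
        return False, (f"{month:02d}/{day:02d}/{year} is invalid: "
                       f"month {month} has only {limit} days in {year}.")
    # Reasonableness check: an employee cannot have a hire date after today (assumed rule).
    if date(year, month, day) > today:
        return False, "Hire date cannot be in the future."
    return True, ""
```

The function returns the message rather than printing it so the same check can be reused by a form handler, a batch import, or an audit script.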
