Administration and control of the company's portfolio system

The present work has as one of its primary goals to guide future generations on the important aspects that must be considered in evaluating controls and securities of the Companies' Portfolio System.

The simple and direct language that has been used in its elaboration facilitates its understanding and will allow a greater vision, application and innovation of the same, aspiring to make it a useful reference material for students and graduates.

Likewise, we can highlight the contribution of work as support material for entrepreneurs, since this global assessment in the area of ​​the Portfolio Systems of companies, sets out the basic guidelines of the main controls and securities that must be implemented in a of the main Current Assets accounts that constitute the companies' short-term cash.

In the financial field, the importance of defining sound credit and collection policies linked inseparably to the objectives of the organization, outlined in its business strategy, mission and vision of the company, stands out.

In the field of Audit and Control, it highlights the importance of controls and security of current information processing systems.

In the Administrative field, he outlines the importance of an adequate definition of the organizational structure of the company that allows objectively defining the functions of each of the members of an organization and delineating the responsibilities according to their position.

These contributions highlight the importance of Portfolio Systems in all the constituent areas of an organization.

The contribution of Accounts Receivable in the group of Current Assets has an impact on the working capital of companies. Hence, the portfolio represents, in many activities, the main item of financial importance in the current assets of a company.

Credit sales are already an urgent necessity if we want to capture credits, whenever we implement credit policies, we will have to maintain strict control over the credit area and the administration of Accounts Receivable, not only because it can represent serious losses, but which is the main and most immediate source of funds.

When addressing the primordial initial point of this work, the importance and significance of the Administration of Accounts Receivable should be emphasized and highlighted, due to the importance of the controls and securities that deserve to be implemented.

The main factors that must be considered in the Administration of Accounts Receivable are:

• Sales volume on credit Seasonal nature of sales Rules for credit limits Conditions of sales and Credit Policies of individual companies Collection Policy

If there is not an adequate consideration of the factors described above and if our controls and assurances are wrong, our financial plans will be seriously affected.

Then, it is necessary to review, evaluate and update related aspects tending to an effective control of collections.

As a first point, we will mention the tendency of the Sales Department to its liberality in the granting of credits, terms and securities.

Although a rigid and strict policy of granting loans, it gives security of return may, on the other hand, make lose opportunities that mean the loss or absence of permanent and important clients.

The Financial Manager or the person responsible for controlling this item will have to find the desired balance. Its objective, in the Accounts Receivable Administration, will be that balance that, adapted to the circumstances of the business, provides a healthy turnover rate accompanied by a reasonable percentage of maximum profits.

A very important influence, in the credit policies, customs and variations in the sales conditions, is the perishable nature of the product, another is the analysis of the clients. The company that offers the credit must be less forgiving when it determines that a customer is a bad subject of credit, therefore the official in charge of evaluating the credit risk must consider the five "Cs", which are:

1. CharacterCapacityCapitalColateralConditions

CHARACTER.- The moral factor of the client is the most important in the evaluation of the credit for the fulfillment of the obligation.

CAPACITY.- Subjective and visual judgment of the client's economic potential.

CAPITAL.- Financial position, especially the tangible capital of the company.

COLLATERAL.- Represented by the assets that the client can offer as credit guarantee.

CONDITIONS.- Analysis of the general economic trends of the company or incidents that may affect the client's ability to fulfill its obligations.

These factors are important in the granting of credit itself, in determining the amount of investment that we are willing to incur in credit sales.

A company can make many sales, outperform its competitors if it is willing to freely grant: volume and terms; but in the end, credits of this nature can end with said company, if it does not have adequate controls.

Therefore, it is essential that a Credit Department is prepared to technically handle these matters, from the first contact that is the evaluation and granting of credit, to the happy ending of the sale charged.

The Financial administrator must intervene in the formulation of the credit department's plans, making permanent analyzes and evaluations of their development to certify that there is capacity in the development of the area and, above all, that there is a cash flow that has already been foreseen, as well as applying the basic controls and securities.

The evaluations of the controls and securities of the Portfolio System of the companies constitutes one of the basic pillars that contribute to achieving the financial objectives and therefore the growth and development of the companies.

1.2 Reasons for the Audit

Among the main justifications or reasons for an audit we find the following:

• Considerable and unjustified increase in the budget of the Data Processing Department Lack of knowledge at the managerial level of the company's IT situation Total or partial lack of logical and physical security to ensure the integrity of personnel, equipment and information Fraud discoveries made with the use of the computer.Lack of computer planning. Organization that does not function properly, due to a lack of policies, objectives, norms, methodology, standards, delegation of authority, assignment of tasks and adequate administration of human resources. General discontent of users, generally motivated by non-compliance with deadlines and poor quality of results. Lack of documentation or incomplete documentation of systems, which reveals difficulties or the impossibility of maintaining systems in production.

Within this range of justifications that are of special analysis in an audit, those that affect the company referring exclusively to the application of the portfolio have been considered for our study and are the potential reasons for our audit. Among these we have the following:

1. Total or partial lack of logical assurances

Computers are an instrument that store and structure large amounts of information, which can be confidential for individuals, companies or institutions, and can be misused or disclosed by people who misuse it. Fraud or sabotage can also occur, leading to the total or partial destruction of computing activity.

The need for control in access to systems is of vital importance since the concentration of many previously dispersed functions becomes particularly critical if the information entered and processed by a computerized system due to the lack of effective control procedures is intentionally or inadvertently destroyed or distorted.. Hence the importance of the Systems Evaluation in the logical securities as initial control to the Credit and Collections System.

1. System malfunction

A system is an application that can be developed internally in the same company and therefore it is made to order or can be purchased as a package that is normally offered by specialized software development companies. In the case of the company in our analysis, the portfolio system was developed internally, so it must satisfy the company's real needs.

Before detailing the system and the reasons for the malfunction of any application, we must focus on the different systems that are developed in a company.

On many occasions, what is intended to be achieved in the Computer Area within the development of Systems or applications is a result, however, the objective must be that the System works according to the functional specifications, so that the user has sufficient information for their use. handling, operation and acceptance.

The systems fulfill some phases among which are: analysis, design, programming, testing and maintenance, which are continuously fed back. If one of these stages is not considered with due importance, future inconveniences arise and with it the system malfunction.

The systems due to their malfunction can present distorted information or reflect inconsistent data in the fields and defined information ranges, in other cases they can be a problem instead of a solution, in short they turn out to be impractical.

Among the most common system problems are the following:

• Lack of standards in development, analysis and programming Inadequate specification of the system at the time of making the detailed design Poor design Problems in the conversion and implementation Weak control in the phases of elaboration of the system and over the system itself No experience in the analysis and programming New technology not used or used incorrectly.

• All the aforementioned may be the cause of the malfunction of the systems, which should be taken into account for this review.

Hence, it is important that the necessary verifications are carried out so that the systems and programs are thoroughly tested to ensure their consistency with the original specifications, there is no user dissatisfaction and transactions are carried out correctly.

1. User dissatisfaction

The dissatisfaction of the users is one of the reasons that generates a review and evaluation of the systems.

It usually arises for duly justified causes and it is necessary for the management level to carry out the investigation of the causes that originate said dissatisfaction.

In many cases this is due to the lack of user participation in the application analysis process itself. The criterion of the end user, who is going to use the application and who should become familiar with its use, should never be left aside, therefore the user must be motivated to participate in this process.

For the system to be hosted by the user, it must meet the jointly defined requirements. Therefore, complete communication is required between the user and the person responsible for developing the system. This communication must clearly define the elements that the user has, the information processing needs and the requirements for output information, stored or printed.

At the time of defining the system in the analysis phase, the quality of the information processed by the computer should have been defined, establish the appropriate controls, the levels of access to the information, among other aspects.

The objective of implementing a system is to contribute to the speed and accuracy of processes carried out by a user, reducing the time and effort carried out in a task and increasing the benefit and utility of the company.

1.3 Audit Objectives

The objectives of a Systems Audit can be various, all depend on the Computer Situation of analysis.

Among the main objectives that motivate an audit we have:

• Seek a better cost-benefit ratio of automated or computerized systems designed and implemented by the Data Processing Area. Increase user satisfaction Ensure greater integrity, confidentiality and reliability of information, through the recommendation of safeguards and controls. Know the current situation of the computing area and the activities and efforts aimed at achieving the objectives set.

A company may request the analysis of the following points:

1. Improve the logical security of the System

Computers in this century provide facilities in the establishment of logical security for systems and constitute a software alternative available on the market to guarantee access to the computer only by authorized persons.

It is important to maintain the security of the systems in order to have relevant information at the right time.

By means of this work, it is proposed to issue a list of controls aimed at improving the logical security of the Portfolio System of this company.

1. Ensure greater confidentiality of information

Confidentiality is understood to be the safeguarding of information in characters reserved and exclusive to authorized officials.

The confidentiality of the information allows access to data and information only to authorized personnel so that the transactions made by a user are recorded as the sole responsibility of the person who is authorized to carry out any transaction.

1. Improve the functioning of the System

Before running the programs with real data they must be tested with test data, until they exhaust all possible exceptions.

The objective of the systems is that they provide timely and effective information, for which they had to be developed within a properly planned process.

The completed system must be delivered to the user after training and the preparation of respective manuals, which guarantee the proper use of the system.

1. Increase the satisfaction of the users of the Portfolio System

The dissatisfaction of the users occurs due to the lack of understanding and coordination of needs and the marked divorce of the elements that intervene, between those who provide and receive the service.

When the results of a System are not in accordance with the needs of the user, certain discomfort arises that generates dissatisfaction. This phenomenon is detrimental to the company itself because the user prefers not to use the system, as support, due to the continuous inconveniences that it generates.

It is important to note that reasonably conceived, properly tested, and effectively controlled systems can wear out and become another patched, irrational, inefficient, and uncontrolled system or program that will cause discomfort for end users.

Therefore it is important to analyze the systems, find the flaws and improve them to increase the satisfaction of the systems, mainly in our case, the applicability of the Portfolio System. This aims to find precisely the present work, the main weaknesses that will be corrected, after the creation and delivery of the audit report.

1.4 Scope of the Audit

Based on the objectives and justifications set forth above, the scope of the audit lies in:

1.- Evaluate the input, processing and output controls implemented in the

Purse

These controls are intended to:

• Ensure the compatibility of the data but not its accuracy or precision, such is the case, of the validation of the type of data that the fields contain, or verify if they are within a specific range, security verification for access to terminals, programs, files, data and confidential information. Ensure that all data is processed by the computer. Ensure that the data processed by the computer is properly authorized. Ensure an adequate distribution of the outputs provided by the system.

2.- Define the controls to be implemented

After the observation made, the appropriate controls must be created in order to guarantee the integrity and confidentiality of the information, be they:

• Controls on user access Controls of access codes Controls of entered data Controls of badly carried out transactions, among others

3.- Establish Recommendations to Management.

Once the approach to the work done has been analyzed, the respective report must be delivered to Management for the review and subsequent completion of the work and acceptance of the improvement proposal.

CHAPTER II

Portfolio System Description

Episode 2

Portfolio System Description

Portfolio System

The Portfolio System arises as a need for the company to satisfy its most important clients by granting a defined credit through general company policies.

The most important clients are evaluated on their moral and economic solvency as a means of guaranteeing the recoverability of the portfolio.

For the approval of a loan to its best clients, the company must request a bank guarantee equal to one hundred percent of its transactions. This value is then paid to the company within a period of up to 30 days.

Likewise, the levels of credit authorization to avoid possible misinterpretations or inadequate credit authorizations are evaluated within the company.

Therefore this does not constitute a high credit risk, since the credit is jealously guarded by the Head of the Area and in cases of higher amounts for related companies, by the Manager of the company . Therefore there is less risk of contracting bad or bad debts.

In many credit cases, companies grant an extension of the loan in a specific term with an interest charge. In other companies this is not fulfilled, therefore the Accounts Receivable become effective in the indicated term and become a true asset in that time.

The Portfolio application detailed in this document was developed by the company's Systems Area, in Foxpro 2.5 for DOS and was implemented in May 1997 after receiving the go-ahead from the Corporation's Process Reengineering Area.

The objective of the Portfolio System arises as a need to respond to Management's requirements to grant credits to its main clients by giving them comfortable payment facilities, according to their previously established request.

The purpose of this application is to manage all the information regarding the portfolio, which interacts with the Cash / Banks and Billing modules.

2.1 Hardware and Software Environment

2.1.1 Computer Network Environment

The company has a small Computer Center that is the Area destined for the head of Systems, Programmers and Operators and equipment in general that allow providing the necessary technical attention as support in Hardware and Software of the company.

In this area, the company has a Novell Netware 3.0 network installed on the Dedicated Server through which all System users interact.

The network has 15 intelligent terminals integrated within the company.

2.1.2 Available Equipment

The computers that are operational with the Wallet System are Compaq Prolínea 466 personal computers for users of the System, with the following characteristics:

• Processor 804868 Mb of RAM 420 Mb of disk space

The Server uses a Pentium computer with the following characteristics:

• INTEL processor 16 Mb of RAM 1.2 Gb of disk space

2.1.3 Operating System

The Network Operating System is Novell 3.0 Netware and additionally the DOS version 6.2 Operating System is installed.

2.1.4 Systems and Utilities Software

Programming languages:

The company uses the FOXPRO 2.5 Programming language to manage the Databases in DOS Operating system.

Application Systems:

In the company some systems are developed, among which we find the most outstanding:

User names

(Departments)

Personal Payroll

Warehouse Inventories

Fixed Assets Accounting

Accounting Accounting

Utilities:

The main utilities used in this company are:

• Windows 3.1 for graphical command environment management Word, Excel for the development of spreadsheets and communications Access for the manipulation of information that has not been entered into the system

2.2 System Operation

2.2.1 Process Description

The Portfolio application is integrated into the Billing and Cash / Banks modules. In this application you receive information on invoices, debit notes, credit notes that feed the System in daily processing.

The update of the application files is immediate and their processing is centralized.

When executing the process, the System proceeds to evaluate the approved credits and generate the corresponding Credit Notes. At the closing, a temporary file is generated that contains the details of the invoices of the distributors and related companies that opted for the credit, with which at the end of the day the system generates a Credit Note and sends it to the Portfolio system of the mother company

1. Modules Integrated into the Caja / Bancos Portfolio System

Information about payment vouchers, debit notes and credit notes is received from the Caja / Bancos application.

1. Billing

Invoices from related companies are received from the billing application

(Agricultural, industrial, livestock), from the main distributors and other clients.

1. Processes

1. Manuals

The entry of information that feeds the Billing and Cash System is entered by the receiver of the transaction, therefore it constitutes the manual processing that interacts with the Portfolio Module.

1. Automated

The processes of the system are automated since it takes the information from other modules and performs the respective calculations and distribution of information to the other bases of the System.

2.2.3.3 Centralized

The generation of the process that feeds the other bases of the system, at the end of the day, is channeled by a single user so that the operation is centralized to a single computer, located in the Computer Center

2.3 Process Diagram

1. Information Entry (Billing-Cash)

The invoices of the related companies enter the Billing and Cash module: Agricultural, industrial, livestock; from distributors and other customers. Information is also received on payment vouchers, debit notes and credit notes.

1. Online and Batch processes

The main existing processes in the application are:

1. a) Credit Application Processes

• Income Modification Elimination

b) Credit Application Approval Process

1. c) Documents Receivable Process

• Income Modification Elimination

1. d) Interest Receivable Process

• Antiquity of balances Summary / Detail of balances

1. e) Payment Document Process

• Income Elimination

1. Exits to files (Accounts Receivable and Temporary)

After processing, a temporary file for dealer billing is generated. Likewise, the Billing file is updated and the corresponding records are generated in the Accounts Receivable File where the information is stored that then allows decisions to be made regarding the Past Due Portfolio.

2.3.5 Printed Outputs (Various Listings)

Among the main lists that are generated in this system are:

• Amortization table

• Account Statements Pending payment documents Registered documents date

2.4 Information Flow

The information flow, observed in Annex RC1, shows the interaction of the data as well as of the systems that interact with the Portfolio System.

See Annex RC1

Among the main inputs to the system we have:

• Billing Files

• CajaFacturasN / DN / C files

Among the main outputs of the System we have:

1.- Storage of information in the following files:

• Billing

• Accounts Receivable Temporary Product Billing

2.- Screen inquiries of:

• Issuance of applications Amortization table Account statements (See Annex RC2) Payment documents pending.

3.- Listings of:

• Issuance of applications

• Amortization table Various Lists Pending payment documents

This brief explanation is graphically verified in the flow diagram shown in annex RC 1

CHAPTER III

Controls and Security Assessment

Chapter 3

Controls and Security Assessment

Controls are understood as the set of methodical provisions, the purpose of which is to monitor the functions and attitudes of companies and for this purpose it is possible to verify whether everything is carried out in accordance with the programs adopted, orders issued and principles accepted.

When we talk about securities, we refer to all the activities carried out in order to keep the information confidential: in the handling, processing, filing and use of information by the personnel who operate and administer the system.

This review is very important because more than determining the existence of safeguards and controls or the effectiveness and efficiency of those that already exist, the details that must be analyzed in depth are required.

The assurances of our study are exclusively due to logical assurances, that is, of the Application System.

3.1 Controls on system access codes

Access key controls are important to avoid system vulnerability.

It is not convenient that the access codes are made up of employee codes, since an unauthorized person through simple tests or deductions can find this code.

To redefine the keys to all users, they must be:

Individuals.- A password must belong to a single user, that is, individual and personal, to facilitate and determine the people who carry out the transactions, as well as assign responsibilities.

Confidential.- Users must be formally instructed regarding the use of passwords.

Not significant.- The keys must not correspond to sequential numbers, nor to names or dates.

In the revision of access key control, the following points should be considered:

• Only a limited range of activities and menus are accessible.

• Authorized users must be identified for the main transactions, through userid Passwords must be known exclusively by authorized users, and must be changed periodically Access to data in the System must be restricted according to the role of each employee.

During our visit we were informed that several users may have the same password at a certain time, which is allowed by the system.

Therefore, the access password controls are null for this application since any user who knows a password can access this application, which is so sensitive and delicate for the proper functioning of the company. (P / I) (Report Point)

1. Review of User Authorization File (IDEA)

In order to access the information, we request the corresponding documentation from the system, which would facilitate the interpretation of the System and save analysis time. However, such documentation was incomplete and outdated.

For this reason, through the Auditing software called IDEA (Interactive Data Extraction and Analysis), software internationally recognized by the Canadian Institute of Certified Accountants for use in Audits and / or System Reviews, we proceeded to review the authorization file of users. The information contained in that file can be seen in annex RC3 where the respective authorizations of the users of the system can be established, in binary coding.

See annex RC 3

Despite the fact that there are express authorizations to access menu options, through the authorization file, many users have unauthorized options in their menus due to poor menu and option management, thus losing the confidentiality of the information. (P / I) (Report Point)

1. Frequency of change of access codes

It is convenient that the access codes to the programs are changed periodically. Users generally retain the same password that they were initially assigned.

Not changing the keys periodically increases the possibility that unauthorized people know and use the keys of users of the computer system. It is convenient to change the passwords, at least quarterly.

The periodicity in the change of the access codes of the users to the Portfolio System does not occupy an important place in the control that must be given to the application.

From the review of the case study in reference, it was possible to determine that there was no periodicity in the change of the access codes, because the Head of Portfolio in many cases does not have enough time to properly administer this application. (P / I) (Report Point)

3.1.3 Access password management

The Administration of access codes is given to two people who are the Systems Analyst and the Portfolio Manager who is the person directly responsible for the administration of the application that includes the creation of users as well as the respective permissions and authorizations to options of the Menu of the Application under analysis, while the analyst includes certain requirements expressly requested by the Portfolio Manager.

Furthermore, it could be seen that the access codes created are small and significant (See Annex RC3), in some cases they are not individual or confidential, but there are still users who access the system without a password.. (P / I) (Report Point)

3.2 Analysis of Securities to Menu Options

3.2.1 Details of Users and Functions

This application allows access to officials from different areas, mainly those who are linked to the higher level review process. Below we detail the users of this application:

• Accounting manager

• Administrative Manager Marketing Manager Financial Manager Assistant Administrative Manager Comptroller Assistant Financial Manager Administrative Manager Portfolio Manager Portfolio Supervisor Systems Analyst Client Coding Manager

3.2.2 Evaluation of Menu Options Assignment

The administration of the security of the application is in charge of the Portfolio Manager, who is in charge of creating and deleting users, as well as granting them the permissions regarding the operations that they can use, however the permissions granted by user are badly assigned according to the functions that they fulfill, in addition the systems analyst has permission on all the operations of the system and appears as its supervisor, so that eventually it can carry out operations on the data files without leaving any trace.. (P / I) (Report Point)

Likewise, we could find menu options that are not developed and that are not necessary.

3.2.2.1 Entry of Credit Applications

As standard, with the entry of a new employee, a menu is generated containing the main options in your daily work. In many cases, this menu can be a copy of an existing menu, which means that the options of a user's menu are the same as those of another user, making security vulnerable in this and other options.

Therefore, there are no adequate safeguards in this option, because different users have excessive access to this option, which should be restricted. (P / I) (Report Point)

3.2.2.2 Modification of Credit Applications

The supervisor can modify a credit request if it falls within the credit range established for the client.

In our review it was determined that there are other workers who have access to said modification, which generates failures in the security of the option.

It is important to emphasize that this option keeps an audit trail of the users who have accessed it, allowing you to have control over it. We consider it important to standardize its use.. (P / I) (Report Point)

1. Elimination of Credit Applications

The safeguards of this option are not the most appropriate since at this level many accesses are registered in options assigned within the different menus, therefore it is important to standardize the use of it.. (P / I) (Report Point)

It is important to define that this transaction is not dispersed in multiple menus, but rather that its use is restricted.

1. Credit Approval

The approval of the Credit is in charge of both the Head of Portfolio and the General Manager of the Company, based on established amounts, however many users can observe this option and access it without being able to approve it due to an inappropriate message for the case, which indicates the following: »Approval amount has not been defined by the company», which indicates failures in the securities of this option. (P / I) (Report Point)

1. Maintenance of Options

This option refers to the global update of tables, concepts, documents, quotes, Entities by Companies, Users, Authorizations, parameters.

The Portfolio Manager and the Systems Analyst mainly have access to these global Portfolio Application Maintenance options, which carry out option maintenance upon request from the Portfolio Area (See Annex RC 3).

The Managers, Assistant Managers, Comptroller, Administrative Chief have maintenance access to some options regarding their management and application.

From the review of the case study in reference, it was possible to determine that there are flaws in the security of this option since an audit record of the users who modified any specific table is not kept.. (P / I) (Report Point)

This is a failure of the System that must be considered and corrected.

3.3 Access controls to Main Module programs

The main programs of the Portfolio module are:

Credit Requests.- Through the entry of requests, the flow of the System processing begins, generating the basic movement of credit approval or disapproval. Your main options are: Income, Modification and Elimination

Another additional program is the maintenance of options, which constitutes one of the most critical processes in the module.

3.3.1 Credit Applications

1. Entry

The entry of requests is in charge of the Portfolio Supervisor who enters the request of the Client that is in the window or via telephone line.

This request is entered after reviewing the bases of your payment history and if it appears on the list of customers who can choose to purchase on credit. If neither of the two things mentioned above is met, the supervisor may enter it through the system pending a response from the Portfolio Manager.

Once the request has been entered, it is the duty of the Head of Portfolio or the General Manager of the company to approve or deny the request.

Controls on entry are given through the ranges of the allowed amounts.

Therefore, in this option, there are no adequate access controls because different users can access it, when its use should be particularized. (P / I) (Report Point)

3.3.1.2 Modification

The supervisor can modify a credit request if it falls within the credit range established for the client. If this exceeds the amount and it has been decided to grant the credit, it must be authorized by the Portfolio Manager.

From the review carried out, it was determined that there are no adequate access controls in the modification of the request, however, as a caveat, the name of the user who made the modification is saved. (P / I) (Report Point)

3.3.1.3 Disposal

To delete a credit request made by involuntary error, you must prepare a debit note that records the opposite movement.

Otherwise, an application may be automatically deleted if, after 24 hours of being entered into the system, it has not been approved by any user. This mechanism allows batch-type processes to eliminate requests that were not attended or that have denial of credit as an indicator at night.

Controls at this level are very good as it records the identifier of the user who carried out the transaction as well as the names of the programs in the event that these requests have been eliminated by batch processes. (P / I) (Report Point

1. Credit Approval

This option allows the person in charge of credit approval to review the applications that are considered within their approval range and enter the approval option with S in the event that the credit amount is approved or N in the application. in case it is denied.

All users of the System have access to this option. The basic restriction is the visibility of the allowable credits according to their rank.

The approval of the Credit is in charge of the Portfolio Manager who is the one who authorizes the amounts of most credit purchases, only in the case that the amount exceeds the normal limits, it is approved by Management.

Although many users can access this option and execute the operation or not, the caveats in the controls are given by registering the name of the user who approved the credit . (P / I) (Report Point)

3.3.3 Maintenance of Options

This option refers to the global update of tables, concepts, documents, quotes, Entities by Companies, Users, Authorizations, parameters.

The Portfolio Manager and the Systems Analyst mainly have access to these global Portfolio Application Maintenance options, which carry out option maintenance upon request from the Portfolio Area (See Annex RC 3).

The Managers, Assistant Managers, Comptroller, Administrative Chief have maintenance access to some options regarding their management and application.

The least degree of action for the maintenance of options is held by the Portfolio Supervisor and the Client Coding Manager.

We consider that there is no adequate control to regulate the alterations in the maintenance of these sensitive options. We believe that criteria should be unified and a maximum of three responsible for the Maintenance of Options established, and that most of the main officials should have options for their Consultation . (P / I) (Report Point)

3.4 Program editing and validation controls

Controls for editing and validating input data to programs are based on the need for consistent and complete data, which will ensure reliable output from a given process.

There are many controls for editing and validating data, which are detailed by the main menu options.

3.4.1 Verification of data in Entry and Modification Options

The type of data to be entered or modified must go hand in hand with the reasonableness of the data. For this reason, the control of the most sensitive fields in this module will be considered in the analysis.

3.4.1.1 Format control

The format control allows verifying if the data is appropriate (Numeric, alphabetic or alphanumeric) and corresponds to the specific length, that is, that it is not too small so that the entire content of the field can be viewed.

Verifying the type of data that the fields contain is very important as well as verifying if they are within the allowed range of values.

For the application object of our analysis, it was possible to determine that there are anomalies in the definition of the data type, which causes serious consequences such as showing an unreal Portfolio, error caused by the defined data type.

For the application under study, the validation controls are really a general flaw present in both options. (P / I) (Report Point)

Additionally, it was possible to determine that there are faults in the editing controls, allowing to enter erroneous values ​​as alphabetical values. This type of error occurs due to not having registered some field validation routine. (P / I) (Report Point)

3.4.1.2 Missing field

Sensitive fields must be filled before accepting any transaction in the System. This verification is made in the evaluation of the controls, that is, the important fields must be complete.

In the case of priority information such as the RUC number or the ID. These fields should not be excluded from being concatenated in the transaction, that is, this field should not be allowed to be omitted when making a credit transaction.

With this example we specify that the operation record should not be allowed whose most sensitive fields have been left blank. This problem must be detected and controlled through the System.

This type of error is present in this application, which is not considered by the application . (P / I) (Report Point)

3.4.1.3 Reasonableness

The data should not exceed its fair value. Thus in Hours: 24; Months: 12; etc.

Reasonableness also considers the automatic verification of tables, codes, minimum and maximum limits or the revision of certain previously established conditions.

For the application under analysis, we found weaknesses in the grace period and dividend fields.

Additionally, we detect that there are reasonableness errors in this system, mainly in the handling of debit notes and credit notes where the numbering of these documents as well as the values ​​have excesses not allowed, an adequate verification routine should be used that should be included in the system. (P / I) (Report Point)

CHAPTER IV

Final report

Chapter 4

Final report

4.1 General Information

4.1.1 Preparation of the Report

The report is the culmination of an audit or review. It represents the critical aspect of the process because it is the trustworthy, visible representation that third parties can trust. Thus, the report must clearly show the scope of the work carried out and the responsibility assumed regarding the reasonableness of the Systems. Once the evidence is gathered, the auditor should purge and judge with the utmost professional zeal in order to obtain the appropriate conclusions. By issuing their opinion, third parties place their trust in it, to the point that they can legally hold it liable for their opinion.

Report Features

Verifiability

The reports must be verifiable, the reader may not always be able to verify them personally, but if commonly accepted names are used or reference is made to specific elements or sites of the place of the review, the verification of the information is improved.

Inferences

An inference is a statement about something unknown, made on the basis of something known. One should be aware of the inferences being made.

The technique of data collection and analysis will allow inferences to be presented in an understandable and logical way.

Trials

Judgments are the expression of approval or disapproval. Just as inferences cannot be avoided, you should be aware of the judgments made in the report.

Summary

The summary is the important part of the entire report. The credibility and acceptance of the report benefits when an assessment of global behavior is included.

Clarity

Clarity is a primary feature in a report because the purpose is to present situations in the most understandable way possible. Avoid using very complex and technical terms except if their meaning is specified.

It should always be borne in mind that the content of the report must be understood by other people who do not have knowledge, or have little knowledge of the subject.

Objectivity

The report must be presented with impartial criteria, that is, it has not been affected by the prejudices or predispositions of the person who prepared it.

Conciseness

The entire report must be concise and precise: The title, the structure, the formulation of the conclusions, the recommendations and the vocabulary.

This characteristic reflects the particularity that only what is essential should be part of the report.

The following should be taken into account when presenting the report:

Appearance

The report must demonstrate good taste and personality. It should not be written on colored paper, nor used in colored underlined text. The manager must show sobriety not to appear ostentatious.

Extension

The report must be concise. The language used must be direct, appropriate and simple to ensure good communication. It should not be exceptionally long.

Opportunity

The preparation of the report must be timely so that the recommendations being proposed take effect. This ensures that the report will remain in effect throughout the days until it is reproduced.

Elements of the Report

The report must be written in managerial terms. One or two sentences of the important findings, if any, should go in your presentation.

In general, the report should mainly contain the following:

1.- Background

2.- Objectives of the Audit

3.- Evaluation Results

Current situation

Effects

recommendations

The report presents the necessary and concrete information that identifies the findings or observations that were captured at the time of the Portfolio Application Controls audit, in its main modules and options.

4.1.2 Supporting documentation

It is important that the highest priority documentation is attached as a physical record of the work carried out, as a result of the review carried out.

This may include information from the surveys carried out or evaluation guides formulated to the users of the system, as well as documentation issued by the system under review, evidencing the novelties found or simply the outputs of the system.

For the preparation of the final report are attached as supporting documentation: Account Statements, List of Authorizations, User Service Register.

4.1.3 Closing phase

The closing phase of the review and evaluation of a System covers the activities that follow the issuance of the formal report. These activities can be classified into:

1. Response evaluation

1. Presentation of the report and final closure of the audit Corrective action Response to the report

These elements are closely related, therefore, it is convenient to start with an explanation of them.

1. Response Assessment

Once the report is finished, a draft must be presented to be discussed with Management, so that the necessary observations are made to clarify any criteria that are not specified with the required clarity or depth.

1. Presentation of the report and formal closure

The presentation of the report and the formal closing must be done by means of a letter or memorandum, once all the necessary corrections made in the evaluation of the response have been made, the final report is delivered after a presentation of the work carried out, supported with due supporting documentation, with which the work is partially completed since the auditor after this delivery must follow up on the news found in a set period.

1. Corrective action

One of the basic principles of the evaluation of the response by the Manager is that the adverse conditions to the quality of the System must be identified and corrected immediately. For significant adverse causes, management must take the necessary measures to avoid recurrence.

This last part of the corrective action process is often the most difficult to implement, therefore corrective action has to be a serious and continuous process.

1. Reply to the report

Thirty days after receipt of the report is a typical period for responding.

It is normally the responsibility of the team leader conducting the review to follow up on responses to a report. If a response is not received by the requested date, a team member should call the customer who requested the service to remind the organization that they have to seriously commit to corrective action.

Practical case

Report presented to the General Manager of the company Fertilizantes Agrícolas X by Ms. Alice Naranjo Sánchez, President of the Auditing Company Naranjo-Arrobo Asociados, for the period from October 1 to Dec 8, 1998.

Guayaquil, December 8, 1998

Distinguished gentleman:

Our basic commitment to the company that you worthily and aptly preside over consists of: Evaluation of controls and securities of the Portfolio System in the company of Agricultural Fertilizers X, for which the basic problems detailed below were analyzed:

1. Total or partial lack of logical assurances

1. System malfunction User discontent

These problems caused by the Portfolio System were channeled towards achieving the following objectives in our work and are:

1. Improve the logical security of the System

1. Ensure greater confidentiality of information Improve the functioning of the System Increase the satisfaction of the users of the Portfolio System

In this report, we present the controls that must be implemented in light of the changes found in the Portfolio System.

Sincerely, Miss Alice Naranjo

President

Naranjo-Arrobo Associate Auditors

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

Gathering the news found in the System in relation to the weaknesses of the controls after receiving user concerns and physical verification in the system, we proceed to prepare a document of the weaknesses found and the respective recommendations to management.

COMPANY BACKGROUND

The company of Fertilizantes Agrícolas X, resides in the city of Guayaquil, is a subsidiary of an important Corporation of our country and is dedicated to produce, elaborate and distribute all kinds of chemical fertilizers for the agricultural sector of the Costa region mainly.

Its plant is located in the city of Guayaquil within the industrial sector. It has many sales points in the main localities of the country such as: Machala, El Triunfo, Quevedo, Naranjal, Milagro, among others.

Among its main local suppliers we have: Ramexco, Fertagric, Comercial Agrofam.

Among its main international suppliers we have: NOVARTIS, BASF, Bayer, etc.

Its main clients are: Reybanpac, Cartonera Andina SA, Expoplast, among others.

Its main competitors are: MITSUI, SQM, Fertagric, among others.

Faced with a series of problems that afflict the General Management of the company at a Board meeting, it approved the hiring of an external Audit in order to carry out the Evaluation of controls and securities of the Portfolio System in the company of Agricultural Fertilizers X, by the period between October 1 to December 8, 1998, with an estimated duration of 84 working days .

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

OBJECTIVES OF THE AUDIT

1. Improve the logical security of the System

1. Ensure greater confidentiality of information Improve the functioning of the System Increase the satisfaction of the users of the Portfolio System

EVALUATION RESULTS

The main weaknesses detected in our analysis are due to aspects of controls applied in the different phases of the Portfolio System process.

1. Application documentation is incomplete and outdated

1. There are authorizations assigned to certain users that are poorly defined The system does not control that users have different passwords between them. There is no periodicity for the change of access codes to the system. The user's passwords are very small. back up and restore system data files There are two system monitors There are undeveloped and unnecessary menu options Data entry validation controls are incomplete Incorrect transaction entry is not validated Some application error messages are incorrect Some fields used to display data on the screen are very small

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

The following is a detailed analysis of the weaknesses found, the effects and a series of recommendations aimed at eliminating these shortcomings detected in the Portfolio application:

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS:

1.- The application documentation is incomplete and outdated

Current situation:

During the analysis, we could see that the necessary documentation for the system is not available, since there is only the user manual, which is outdated.

Effects:

This situation can lead to problems of:

• Dependence of the personnel who developed the system

• Difficulty in implementing changes in the application in the absence of staff who are familiar with the application Difficulty for new users of the system when trying to use it guided by outdated documentation, which would lead to confusion and loss of time.

Recommendations:

It is important to maintain a complete documentation of the systems, which includes user, technical, and operation manuals, and the documentation of the programs. As well as a record of the modifications made to the application, which includes the date, description, analyst in charge, user, signature of review and approval of the user with respect to the changes made, etc., this for each modification, to In order to have a supporting document in case of subsequent claims.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS:

2.- There are authorizations assigned to certain users that are poorly defined

Current situation:

During the review we were able to observe that there are no user definition procedures that guarantee adequate access control to the different application options. For example, the MCJ user has permission to back up the system data files, being he the person in charge of handling only the producer codes.

Effects:

This situation allows:

• Eventually a user can obtain confidential information from the company and possibly misuse it.

• A user may mislead the information obtained, the same that could come into the hands of third parties, with the danger that this implies.

Recommendations:

It is essential to carry out a review of the authorizations assigned to users in order to avoid leaks of confidential company information, as well as assign users the corresponding authorizations according to the functions they perform.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS:

3.- The system does not control that users have different passwords between

they

Current situation:

During our visit we were informed that several users may have the same password at a certain time, which is allowed by the system.

Effects:

This situation allows:

• Unauthorized access to the system, since a person who is not a user of the system (intruder) can learn the password of some user A, and as it is the same password of another user B who may have authorizations that allow access to certain functions With restricted information processing, the attacker could access the system using the name of user B and the password of user A, and thus perform unauthorized operations on the application's data files.

• Lack of confidentiality in user passwords.

Recommendations:

It is important to maintain the confidentiality and uniqueness of the user access codes to the system, in order to avoid any possible unauthorized access to the application, in addition, a programming routine should be implemented that allows the system to evaluate the password of the a user when it is being created or modified, and thus avoid repeated keys.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

4.- There is no periodicity for the change of access codes to the system

Current situation:

During the review, it was observed that a time interval has not been defined to change the access codes of the users to the Wallet System.

Effects:

This situation allows:

• Unauthorized persons know the password of a user.

• Unauthorized access to system information using the name and password of a careless user who may carry out unauthorized operations.

Recommendations:

Data security policies must be defined that include: time interval for password changes, system security administrator, user creation standards, among other things.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

5 .- The user keys are very small

Current situation:

During the analysis, we learned that users have very small keys, basically consisting of two or three letters, which are assigned by the portfolio manager.

It is also possible to create users without a password.

Effects:

This situation allows:

• Confidentiality and security are reduced to the system, since the very small keys are easy to learn and to copy.

• There are possible unauthorized accesses to the system Users can be created without a password, which is a potential danger for information security, since the name (login) of the user that is the first thing entered when accessing the system if it is You can view it, so since that user does not have a password, any unauthorized person could enter only with the name of the user without a password, and in this way they could execute all the operations for which that user has authorization.

Recommendations:

It is recommended to use passwords with a minimum of five characters, and the user password entry option must also be modified, so that its entry is mandatory when creating a user.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

6.- Any user can backup and restore system data files

Current situation:

After reviewing the menu options for each user, we were able to observe that any user of the system can backup and restore the data files, since they have the respective permissions.

Effects:

This situation involves:

A user can eventually obtain a backup of the information, modify it and then restore it to the system, all this in an unauthorized way, which means a great danger to the security of the information, since any operation could be carried out, record transactions, etc.., without leaving any evidence of it.

Recommendations:

It is recommended that information backup and restoration functions be assigned to a person, whether from the financial or systems area, and then only allow them to have access to that system option, and this person should also be indicated. the frequency with which the backups must be made.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

7.- There are two system supervisors

Current situation:

We could see that there are two system supervisors: the portfolio manager (FF) and the systems analyst (RG), the latter appears in the system as the supervisor, so she has access to all the data processing functions of the system At the request of the financial manager, these functions were assigned to the portfolio manager, but the corresponding permissions to the systems analyst have not been withdrawn.

Effects:

This situation allows:

• With the permission of two people to carry out all kinds of operations, problems could arise due to changes made by either of them without the knowledge of the other.

• There is the possibility of unauthorized modifications to the production files without the knowledge of the financial area, which could cause many inconveniences when reviewing the results.

Recommendations:

It is important to segregate the functions of each user in such a way that the supervision of the system is carried out by a single person who is responsible for this, in addition, the systems personnel should not have access to the operations that on production files can affect the application, you should only have permission to perform operations on development files (tests)

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

8.- There are menu options that are not developed and are not necessary

Current situation:

During the review it was observed that in the application process menu there are options that have not been developed, such as; Generation of late fees and Transfer of Documents Receivable, which will not be developed. They are currently only mentioned on the menu.

Effects:

This situation can cause:

• Confusion and disgust to users when they try to use these options

• That a wrong criterion is generated on the application

Recommendations:

It is recommended that only the options that are used or that will be used in the future appear in all the menus, so that the user can appreciate what the system can really do.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

9.- The data entry validation controls are incomplete

Current situation:

During the review, it was observed that data entry validations are missing, for example: When a debit note is entered, a negative value can be defined for the grace period field, and also the total value of the note can be divided into 99 dividends.

Effects:

This type of errors can cause:

• Cause significant differences in system results

• Provoke imbalances in the totals in relation to those of other systems Directly affect the reliability and veracity of the information expressed in the financial statements

Recommendations:

We recommend that the systems area review the data entry validations of this application, with the help of users who provide them with information to solve this problem, in order to prevent the aforementioned problems from occurring in the future.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

10.- The entry of incorrect transactions is not validated

Current situation:

During the review, it is observed that no transaction validation routines have been created with erroneous data or routines that do not allow the omission of sensitive fields in the application, for example: If we enter a debit note with a grace period (40) and 99 dividends payable, the system accepts it, and no subsequent notification occurs stating that an incorrect transaction has been entered.

Effects:

These kinds of errors can:

• Cause significant differences in system results

• Cause mismatches of the totals relative to those of other systems Generate difficulties in detecting incorrect transactions Directly affect the reliability and veracity of the information expressed in the financial statements.

Recommendations:

It is recommended that programming routines be created that allow the system to detect incorrect transactions even after they have been entered, and at the same time delete them and record them in a temporary file for later review and correction by someone who stops them. the effect is designated.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

11.- Some application error messages are incorrect

Current situation:

Some of the error messages displayed by the system do not reflect the true fault that had occurred, for example: When a debit note was entered and a negative number was entered in the exchange rate field, the system displayed the following message "The exchange rate has not been entered", which is totally incorrect.

Effects:

This situation can:

• Cause confusion and waste of time for system users

• When users enter the wrong data, they do not know what the real error is, since the system shows them the wrong message. The degree of difficulty in operating the system increases.

Recommendations:

• It is recommended that the systems area review the error messages displayed by this application, so that the system offers greater facilities to users.

Final report

Evaluation of controls and securities of the Portfolio System in an Agricultural Fertilizer Company

EVALUATION RESULTS

12.- Some fields used to show data on the screen are very small

Current situation:

Certain fields on the screen are not large enough to show the result of an arithmetic operation, for example: When a dollar credit note was entered, and the result of multiplying the exchange rate by the value of the note was larger than the value the output field could display, then the sucres equivalence of the transaction could not be displayed.

Effects:

This situation can:

• Cause confusion and waste of time for system users

• Generate annoyance to users when they are entering data and cannot visualize the results of their arithmetic operations, so they would be forced to perform them manually to verify their data.

Recommendations:

It is recommended that the systems area review the output fields of this application in which the arithmetic operation results are shown, in order for the system to provide greater facilities to users and to prevent the aforementioned inconveniences from occurring in the future.

Conclusions:

Computing and computing are disciplines or techniques that have an influence on all human activities, without which it would not be possible to store or process large volumes of data, obtain information in minimum time or with great precision, relate data to obtain alternatives for solution to financial, administrative and even social problems.

Consequently, a company cannot be conceived in which this sensitive area is neglected by the periodic controls that the information environment demands.

The area of ​​Audits in its many forms is beginning to be recognized by the business world as an effective means of improving quality.

The Systems audit must be an integral part of the General Audit. In this way, periodic controls are carried out to eliminate the risks presented by the design of some systems.

The risks and general controls affect the risks and controls of the application, therefore, each of them should be emphasized from the entrance controls, processing to the exit controls.These will minimize the risks to the extent that the general controls are fulfilled.

In our work we were able to find a series of anomalies in the controls, such as:

• Misassignment of user profiles, serious error that generates indiscriminate access to sensitive options. Bad management and administration of keys.

• Editing control failures Bad permission assignment caused by mismanagement of securities.

However, in some cases if rescue options are presented, such as saving the user of the person who accessed the system, which could help when identifying or detecting a problem.

Therefore, user departments should be made aware of the importance of being involved in the development of applications in order to detect failures in the systems before it comes into operation, as well as the safety and significance of sharing access codes with coworkers in the same area or outsiders.

Information systems are part of the total resources of the organization, in fact in some companies, they are as important as market strategy, product design, etc. Therefore, executives, in addition to allocating monetary resources, must participate in the design of systems that will result in a real path towards achieving the objectives and goals of the company.

In this work, basic concepts and theories of the systems audit process have been exposed. An attempt has also been made to present some ways of putting the theory into practice. As the application of audits is established, certain methods will be developed and others will disappear. This is due to the evolutionary process of science. Regardless of the changes; The purpose of an audit or evaluation will always be to provide management with meaningful information to base the decision-making that drives the smooth running of the company.

Annexes

Information flow of the portfolio system

Terminology

Terminology

File.- It is an information storage element that consists of a series of records, each of which contains similar information. Thus a file can contain the information of all the clients of the company and each record will be a particular client.

Audit.- Independent, structured and documented evaluation of the adequacy and implementation of an activity with respect to specified requirements.

Systems Audit.- It allows knowing how to identify existing weaknesses in the systems area, learning how to verify the degree of credibility of the information processed, increasing the capacity to define the appropriate security environment for information processing and understanding the handling of computerized tools to carry out audit tests.

Flow Diagram.- It is a graphic representation of a sequence of operations in which a predetermined set of symbols is used in order to illustrate the steps involved in the flow of data in a given procedure or system, it may be general or detailed.

Interactive.- System that allows the interaction between men and machines through some terminal device.

Multiprocessing.- It is the link between two or more processors to handle large volumes of data and provide multiprogramming services, or timeshare services or both.

Multiprogramming.- Computer system that allows two or more different programs to run simultaneously.

Processing.- It is the actual execution of the tasks of a system.

Distributed process.- Data processing system that implies a decentralized design, control and operation, by means of a series of networked computers.

Application programs.- Are those that are required to execute tasks in a specific transaction processing system.

Symbology.- Among the main symbols used in a flow chart we have the following:

Storage Process

Data Entry Report

Manual Entry Screen Entry

Decision Start / End Flowchart

Operating System.- They are system programs that control the resources of the machine and serve as a link between these resources and the users. Also called master control programs, monitors, or system control programs. Each manufacturer has a unique name for the system or operating systems they supply.

Software.- Program that gives instructions to the computer. This is also the name of the Operating System.

Timeshare.- Performing two or more functions during the same period, assigning small divisions of the total time to each function.

It allows the computer to be used in a way that serves several users during the same time.

Response time.- Time necessary to transmit information from a computer and receive a response.

Real time.- The storage of information in the system occurs at the time the transactions are taking place. Real-time applications are essential in those cases in which the data is modified several times in the course of a day and require to be consulted almost immediately with the modifications made.

Validation.- Scheduled verification of data or results, to ensure that they meet predetermined standards.

Bibliography

• Cohen Daniel, Sistemas de Información, Ed..McGraw Hill, 1995Ettinger Richard and Golieb David, Créditos y Cobranzas, De. Continental, México, 1980.Institute Mexicano de Contadores Publicos, Norms and Procedures for Auditing, De. Litograf, México, 1972Leiva Francisco, Scientific Research, De. Ortiz, Quito, 1979. Mayne Lynette, Direct from the Top, De. Alfaomega, De. Presencia, Bogotá, 1995. Méndez E. Carlos, Research Methodology, Mc Graw Hill, 1994Ríos Wellington Dr, Computing Systems Audit, De. Abaco, Quito, 1994 Sanders Donald, Computing: present and Future. McGraw Hill, De. Interamericana, 1990The Canadian Institute of Chartered vs. 5.0, IDEA Interactive Data Extraction and Analysis- User´s Manual, Toronto, 1994

Download the original file