
Computerized systems audit

Anonim

1. Brief introduction

Due to the increasing installation of computers of various types and brands in our environment, as a working tool to assist in the business administration of companies, it has become necessary and essential to develop systems auditing standards and procedures.

The rapid technological advance in new data processing techniques (software) and in equipment (hardware) makes it necessary to properly control and secure the computer-supported information systems area, which is so important for the modernization that drives company growth, especially in the commerce and industry sectors.

2. Audit of computerized systems

2.1. Concept

It is the orderly and meticulous diagnosis of the state of the information systems supported by electronic data processing equipment.

2.2. Importance

It is necessary to constantly monitor the proper functioning of a computerized information system, given its complexity and the concentration and veracity of its data, since the proper functioning and evolution of a company largely depend on these.

3. Systems controls in a computer center

Internal control can be defined as the organization plan together with the coordinated methods and appropriate measures adopted within a company in order to safeguard its assets, verify the accuracy, accounting and timeliness of its accounting data, improve the efficiency of its operations and monitor compliance with management policies and strategies.

Controls within an automated information system must be focused on three essential aspects that I detail below:

3.1. Impact of the Computer on the Organization

Even when a company is structured according to the variety of modern influences, the lines of responsibility and authority must be clearly defined.

The division of functional responsibilities should be defined by:

a. Functions to initiate and authorize the transaction.

b. Record of the transaction in writing.

c. Protection of resulting assets.

Such division implies specialization, which provides greater efficiency, avoids duplication and waste of effort, and increases the effectiveness of managerial control.

Centralizing data processing activities and concentrating processing functions has a notable effect on the organization's structure from a control point of view.

3.2. General Controls

3.2.1. General Controls

a. The data processing department must be organizationally independent of other departments.

b. Data processing personnel should not exercise any direct or indirect control over assets or make changes to master files without proper authorization.

c. There should be a clear segregation of duties between:

• Systems Design and Analysis

• Programming

• Processing

d. Regarding Processing, the functions must be segregated into:

• Equipment Operation

• Librarian

• Data entry

• Data output

e. The Company's business interruption insurance must cover interruptions in automatic data processing.

f. The reasonableness of the insurance on the records (files) of the computer equipment.

g. Management level that controls the effective function of electronic data processing through:

• Policy setting

• Determination of objectives

• Priority setting

• Periodic review of progress in internal development and / or statistics of operations

h. Level and independence of management review and approval required for proposed accounting systems and for reviews.

i. Technically qualified personnel to review new proposed systems or changes to give consideration to:

• Compliance with company policies

• Inclusion of adequate control factors

j. In the event that the processing equipment is rented out or used by outside parties, the following should be considered:

• Sufficient controls over the recording of income from service fees.

• Outside operators do not have access to our programs and / or files.

k. Reasonableness of the provisions for alternative processing in case of equipment failure, and:

• Frequency with which these processes are tested in real conditions.

• Alternative facilities located so that the risk of a common disaster is minimized.

3.2.2. Specific Controls

3.2.2.1. Physical environment

a. The data processing equipment should be installed in one place and located in such a way as to provide physical segregation between the operational function and the control function.

b. Restriction of access by unauthorized personnel to the facility.

c. Adequate file protection provided by the installation against fire, theft, or other catastrophe.

3.2.2.2. Protection of Program Logic

1. There should be documentation standards for programs, procedures, and routines which include the following:

a. Full description of the system and its objectives, as well as the basic flow of information through the system.

b. General system flowchart to illustrate that description.

c. Description of the functions performed and an overview of how each program performs them.

d. Block diagram showing the sequence of operations executed by the program.

e. Description of records showing the form, content and type of inputs and outputs of intermediate files.

f. Listing of the source program in symbolic language.

g. Program operating instructions, shutdown procedures, input sources, and output layout.

2. Adequate segregation of the functions of:

• Systems design and analysis

• Programming

3. Restrict the access of programmers and analysts to the operation of the computer, except for access to test and debug programs.

4. Restrict operators from unsupervised programming; after evaluation, grant them metered access to the extent that time is available.

5. Programmers and systems analysts will have controlled access to:

• Master files or transactions

• Operational programs: Source or object

• Source documentation

• Exit documentation

6. There should be an adequate level of supervisory approval for programming staff to have access to operating source programs.

7. Authorization at an appropriate level is required to modify operating programs, and it must be in writing.

8. Authorizations for program changes must be controlled, for example, numerically.

9. Changes to programs should be made at the source program level and then compiled, obtaining a new object program and a new listing.

10. Changes made to programs must be dated and documented by the programmer, indicating the reason for the change in the form of its tape, its name, in order to provide a chronological history of the system.

11. The extent of the testing procedures effectively applied to new and revised programs should be as follows:

a. Test procedures will include parallel runs of current and / or past data for more than one processing cycle.

b. The procedures shall ensure the compatibility of all the programs that form a single system.

c. Test results and procedures should be reviewed by:

- Technically qualified internal audit department

- A technically fit supervisor

- The management of the user department

d. The testing procedures for program modifications should be the same as for new programs.

12. The unauthorized entry of program changes and the data implemented must be prevented or detected by a security system.
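
The numeric control of change authorizations in items 7 to 9 and the detection requirement in item 12 can be tested mechanically. The following Python code is an added example, not part of the original article: it reconciles a change log against the authorization register. The register layout, the program names and the use of SHA-256 digests of the approved object program are assumptions made for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed authorization register: one numbered, written approval per change,
# holding the digest of the object program that was tested and approved.
AUTHORIZATIONS = {
    101: {"program": "PAYROLL", "object_sha256": sha256(b"payroll build 2")},
    102: {"program": "LEDGER", "object_sha256": sha256(b"ledger build 5")},
    104: {"program": "BILLING", "object_sha256": sha256(b"billing build 3")},
}

# Constructed change log: what was actually installed in the production library.
CHANGE_LOG = [
    {"auth_no": 101, "program": "PAYROLL", "installed": b"payroll build 2"},
    {"auth_no": 102, "program": "LEDGER", "installed": b"ledger build 5 + patch"},
    {"auth_no": 102, "program": "STOCK", "installed": b"stock build 1"},
    {"auth_no": None, "program": "BILLING", "installed": b"billing build 4"},
]

def audit_changes(authorizations, change_log):
    """Return sorted (finding, detail) pairs for the change-control tests."""
    findings = []
    numbers = sorted(authorizations)
    # Numeric control: every number between the first and the last must exist.
    for missing in sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers)):
        findings.append(("GAP_IN_SEQUENCE", str(missing)))
    used = set()
    for entry in change_log:
        no, program = entry["auth_no"], entry["program"]
        auth = authorizations.get(no)
        if auth is None:  # change installed without a written authorization
            findings.append(("NO_AUTHORIZATION", program))
            continue
        if no in used:  # one authorization covering more than one change
            findings.append(("AUTHORIZATION_REUSED", f"{no}:{program}"))
        used.add(no)
        if auth["program"] != program:
            findings.append(("WRONG_PROGRAM", f"{no}:{program}"))
        elif sha256(entry["installed"]) != auth["object_sha256"]:
            findings.append(("OBJECT_DIFFERS_FROM_APPROVED", f"{no}:{program}"))
    for no in numbers:
        if no not in used:
            findings.append(("AUTHORIZED_BUT_NOT_INSTALLED", str(no)))
    return sorted(findings)

if __name__ == "__main__":
    for finding, detail in audit_changes(AUTHORIZATIONS, CHANGE_LOG):
        print(f"{finding:30} {detail}")
```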

3.2.2.3. Equipment Operation

a. Adequate and sufficient supervisory control to ensure that operators comply with established procedures.

b. Maintain control log of use of consoles and sub-consoles indicating their type of work and date.

c. The console control log shall detail separately in addition:

• Run time

• Equipment setup time

• Down time (pending or unexpected wait)

• Maintenance time

d. A written report of any downtime that occurs during processing must be kept, and it must contain:

• Complete description of the situation and action taken.

• Approval (Vo.Bo.) or qualification of the responsible supervising person.

e. Operators should be rotated between shifts and jobs to avoid permanent assignment to specific jobs.

f. Require the operating personnel to take their periodic vacations.

g. Provide operators with the operating instructions of the system for procedures appropriate to the measures to be taken in the event of error situations and / or stops in process.

h. Have orderly and adequate operation manuals to serve as a process guide, as well as additional copies in the librarian's possession.

i. Use of internal and external labels of files to be processed and these to be recognized by the application processing procedures.

j. Establish a security system using passwords (user and password) to avoid unauthorized procedures.

k. Supervisory control over machine performance through adequate written records.

l. Maintain a control log of the computer's operating system, recording:

• Control of alterations

• Upgrade system

• Creation of system files

• Performance

ll. Verification of supervision of operations control in the different shifts.

m. Preparation of a process time schedule with the user areas and ensure that they are strictly followed.

3.2.2.4. Libraries

1. The librarian within an electronic data processing department shall be responsible for:

a. Control of sensitive documents (checks, spreadsheets, etc.) and all files and programs for both the user and the system.

b. Deliver to operation what is necessary for each specific processing job.

c. Control of files, libraries, source and object that are produced by each process job (original files and backup files).

d. Proper conservation of floppy disks and packs.

e. Periodic review of physical condition of files.

f. Maintaining an adequate file retention program, requiring file preservation up to third generation.

g. Maintain adequate and sufficient stocks of print ribbons and continuous forms.

2. Maintain master and transaction files to prevent rebuilding.

3. The files mentioned in the previous paragraph shall be kept in a suitable environment that is fire, theft, earthquake or other disaster proof.

4. Use external tags on all files to identify:

• Date

• Application

• Volume

5. Ensure, through an appropriate and supervised procedure, that an up-to-date copy of the last source program or operational object and its corresponding documentation is available.

6. Maintain a technical library of system manuals for consultation if problems arise.

7. Maintain an adequate inventory of library files, manuals, etc.

3.2.2.5. Data flow

a. Data entry control procedures to ensure that the source data are complete and correct (number of documents, control totals) and that they are verified by consistency programs; these procedures must be in writing.

b. Issuance of data validation reports (Consistencies) in order to return the erroneous source documents to their place of origin in order to make the necessary corrections.

c. Procedure for correcting defective data previously checked by the source of origin, with secondary or alternative validation, as well as routines to obtain corrections in a timely manner so that the application procedure is carried out on time and with adequate accuracy.

d. Adequate procedure to distribute the necessary information in the user areas.

4. Comments or guidelines for the evaluation of information systems auditing using electronic data processing equipment

a. Our tests of the electronic data processing function will be influenced by management's ability to enforce established controls and procedures. Normally, there is a direct relationship between the degree of participation of senior management in the supervision of the function and the degree of compliance with internal control procedures.

b. The review and approval should preferably be a joint effort of management, the representatives of the user departments and those of EDP, each of whom should know the functions of the others.

c. Periodic testing under real circumstances ensures that there have been no major changes to equipment or programs at the alternative site, which would impede proper processing.

d. Computer programs govern all processing. The operations are executed and will be repeated as long as the program is not altered, but changes can occur and go unnoticed. Therefore, the internal control system should protect the integrity of the programs, that is, they should not be susceptible to accidental, erroneous or unauthorized alterations.

e. The ability to determine, walk through, evaluate, and test the system is greatly enhanced by the presence of up-to-date and detailed client documentation. The existence of strict documentation standards is an indication that the client employs good internal control procedures.

Flowcharts, narrative descriptions, and other client documentation may be used as audit documentation, and emphasis should be placed on obtaining copies.

f. Operators should have access to source programs only when they are compiling a program, and to object programs only when they are running a program.

g. Since there may be errors in the program logic, new or modified programs should be tested to make sure they work as planned.

Testing should be done using real data under real operating conditions to the greatest extent possible.

Erroneous data should also be included so that all sections and all program review routines are properly tested. The client's review and evaluation of test results should be done by capable representatives from all concerned departments (including internal auditors) to ensure that all implications of test results have been taken into account.

h. The auditor should be aware of the possibility that operations controls vary from shift to shift.

i. Program listings will usually indicate whether internal file tags are used.

j. Using a manufacturer-provided supervisor program (operating system) avoids the need for much human intervention during processing.

k. An adequate internal control system should include a procedure to protect the company against accidental destruction or erroneous or unauthorized alterations of the master files or data. These files require stricter controls than manually prepared records because they can be more easily destroyed or damaged, and the non-visibility of their contents makes misuse or abuse difficult to detect.

l. Normal tape file processing provides automatic duplication. However, the disk files must be copied (usually to tape) to enable eventual rebuilding.

m. Some program support is provided by block diagrams, code sheets, and other program documentation, if current, but duplicate copies of the source and object programs allow for much faster reconstruction.

5. Development of computer audit programs

The computer offers a series of resources to the auditor in order to determine the quality of the information generated by the processing system, in order to evaluate and analyze it.

It is necessary to consider four basic elements in the development of computer audit programs:

5.1. Determination of objectives and audit procedure

The auditor, with programming support, defines the objectives and procedures according to the generally accepted legal auditing standards, and determines which data in the master records or transactions are to be verified.

5.2. Preparation of system run diagrams

Once the procedures and objectives have been defined, the system run diagrams are prepared, indicating the input files and the resulting outputs to be obtained through the audit program.

5.3. Preparation of program diagrams

These indicate how the data will be processed, showing the specific operations and decisions and the sequence to be followed within the program. The diagram also shows the logic and functions of the program. It will essentially provide:

5.3.1. A graphic image of the solution to the problem

5.3.2. Guide to coding and testing the program determining if all possible conditions have been considered

5.3.3. Documentation for explaining and modifying the program

The program diagram can be supplemented with decision tables to evaluate the alternative actions that can be taken under the given conditions.

5.4. Coding, Compiling and Testing Program

This phase does not require further comment because it proceeds just like an ordinary program.

6. Use of computer audit programs

There are essentially three ways to use computer audit programs:

6.1. Analysis and Exception Reports

The auditor may develop programs to:

• Analyze file details

• Explore aspects or attributes that interest you

• Search for irregularities in files

Exceptions to the rules and criteria contemplated by the program will be printed as output.

6.2. Sample Selection

The auditor may develop programs to select samples, either randomly or according to the criteria they deem appropriate.

6.3. Computations and Detailed Tests

The auditor may develop programs to perform tests or computations (calculations) that were previously performed manually.
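
The three uses described in section 6, shown together as an added Python example that is not part of the original article. The transaction layout, the sample records and the audit criteria (approval limit, unbroken invoice numbering, positive quantities) are assumptions made for illustration.

```python
import random
from collections import Counter
from decimal import Decimal

# Constructed transaction file: recorded totals are what the system stored.
TRANSACTIONS = [
    {"invoice": 1001, "customer": "C01", "qty": 10, "price": "12.50", "total": "125.00"},
    {"invoice": 1002, "customer": "C02", "qty": 3, "price": "40.00", "total": "120.00"},
    {"invoice": 1002, "customer": "C07", "qty": 1, "price": "99.90", "total": "99.90"},
    {"invoice": 1004, "customer": "C03", "qty": 5, "price": "20.00", "total": "110.00"},
    {"invoice": 1005, "customer": "C01", "qty": -2, "price": "15.00", "total": "-30.00"},
    {"invoice": 1006, "customer": "C04", "qty": 200, "price": "75.00", "total": "15000.00"},
]
APPROVAL_LIMIT = Decimal("10000.00")  # assumed audit criterion

def exception_report(records, limit=APPROVAL_LIMIT):
    """6.1: list the records and numbers that break the audit criteria."""
    counts = Counter(r["invoice"] for r in records)
    numbers = sorted(counts)
    exceptions = [(n, "DUPLICATE_NUMBER") for n in numbers if counts[n] > 1]
    exceptions += [(n, "MISSING_NUMBER")
                   for n in range(numbers[0], numbers[-1] + 1) if n not in counts]
    for r in records:
        if r["qty"] <= 0:
            exceptions.append((r["invoice"], "NON_POSITIVE_QUANTITY"))
        if Decimal(r["total"]) > limit:
            exceptions.append((r["invoice"], "OVER_APPROVAL_LIMIT"))
    return sorted(exceptions)

def select_sample(records, size, seed):
    """6.2: random sample; keeping the seed makes the selection repeatable."""
    rng = random.Random(seed)
    return [records[i] for i in sorted(rng.sample(range(len(records)), size))]

def recompute(records):
    """6.3: recompute quantity x price per record and the file control total."""
    differences, control_total = [], Decimal("0")
    for r in records:
        expected = r["qty"] * Decimal(r["price"])
        control_total += Decimal(r["total"])
        if expected != Decimal(r["total"]):
            differences.append((r["invoice"], str(expected), r["total"]))
    return differences, control_total

if __name__ == "__main__":
    for number, reason in exception_report(TRANSACTIONS):
        print(f"EXCEPTION {number} {reason}")
    for record in select_sample(TRANSACTIONS, 3, seed=2024):
        print(f"SAMPLE    {record['invoice']} {record['customer']}")
    diffs, total = recompute(TRANSACTIONS)
    print(f"RECOMPUTE differences={diffs} control_total={total}")
```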

7. Final analysis

7.1. Advantages of the use of the Computer by the Auditor

7.1.1. Better knowledge of the client's procedure and controls system.

7.1.2. Much larger area of professional activity.

7.1.3. The most elemental achievement of Auditing continues.

7.1.4. Better use of the exception principle.

7.2. Problems

7.2.1. Costs

The use of test data and audit programs has to be justified on the basis of reducing time compared to manual auditing as well as obtaining a more qualitative audit. The analysis should cover: the cost of preparing test data and programs, and the cost of operation versus the value of the benefits obtained.

7.2.2. Technical requirements

The new technology needed to assess a computer-supported information system and develop an audit program requires detailed, logical, and explicit planning in the processing stages.

7.2.3. Need for Advance Planning

The auditor should be aware of the large amount of time initially required to perform an audit in a computer facility, which the client should know before performing the work, and should also inform the client of the time it takes to evaluate the system and develop audit programs.

7.2.4. Conversion

If a conversion takes place during the audit period, the auditor may face:

• Lack of meaningful documentation

• Workload of programmers that makes it difficult to access them.

• Frequent program changes that hinder evaluation and system review.

7.3. Conclusions

a. Auditing techniques are significantly affected by the role played by the computer within the information systems in the company.