
Microcomputer controls.

A small computer system presents challenges and opportunities in the area of establishing and maintaining an adequate system of internal controls and in assessing and evaluating the firm's internal controls. This article will examine internal controls relevant to stand-alone microcomputers used by small and large businesses. (The internal control measures for microcomputers which are integrated into a local area network are beyond the scope of this article. A LAN requires unique controls separate and distinct from stand-alone microcomputers.) The control measures discussed will be applicable to stand-alone microcomputers costing up to $10,000 plus, including software costs. For systems smaller than those discussed in this article, fewer and less specialized controls would be required. For larger microcomputer systems and for networked microcomputers, the internal control requirements would be considerably more than those discussed here.

The following internal controls are relevant to companies using stand-alone microcomputers:

1. Informal controls,

2. Audit trail controls,

3. Backup and recovery controls,

4. Security controls,

5. Programming controls,

6. User controls, and

7. Miscellaneous controls.

Informal Controls

Owner/Management Involvement

Data processing (DP) functions should be segregated to the extent possible. However, for the scenario described here, functions cannot be segregated since several employees may operate the microcomputers. Because of this concentration of functions, the owner-manager and/or supervisor should become intimately familiar with all aspects of DP operations. Such involvement serves as a system of checks and balances on the microcomputer's overall operations. Furthermore, when DP functions are highly concentrated, the presence of compensating controls within the computerized or manual portions of the systems might offset apparent weaknesses.

In analyzing internal control needs of microcomputer users, it is relevant to distinguish between security and control measures needed specifically because of the computer and those required because of business size. That is, many formal internal controls have been devised to compensate for the lack of personal supervision and observation that results as the company grows in size. Since this article is concerned specifically with small microcomputers, it is assumed that more informal control measures can contribute effectively to the total control system.

Executive Controls

Supervision and personal observation can effectively replace many formal controls in both a computerized and non-computerized environment. These controls have sometimes been referred to as executive controls, defined as the knowledge that key executives have of the business and their selective participation in important details of operations. Many of the limitations of a system of internal controls of the small business are offset by executive controls. These controls are most effective when the executive does the following:

1. Effectively uses accounting information in both budgeting/planning and day-to-day managing of the business.

2. Seeks explanations for the discrepancies between the accounting information with which he is provided and his expectations based on his knowledge of the business.

3. Is aware of the potential meaning of unusual items and customer complaints which come to his attention.

4. Enlists non-accounting employees (e.g., receptionists, secretaries) to perform certain accounting control functions on a part-time basis where the segregation of duties is important.

5. Requires his prior authorization of certain transactions (types or amounts) or his personal approval before or when payment is made.

In this environment, these executive controls can be applied at minimal cost and, if applied to those conditions where risk of loss is material, will be extremely cost effective. When executive controls are in operation and in accordance with previous conditions and the executive also exercises close supervision over employee hiring, training, job orientation, job descriptions and duties, he or she can effectively reduce expected losses resulting from improper microcomputer usage.

Owner/Manager Participation

The owner/manager or supervisor should be quite selective in his participation. He should examine any potential loss conditions and allocate his participation only to those conditions of material loss. An example is where checks are computer printed. In this case, the owner-manager or supervisor may require his personal signature on all checks. In so doing, however, he may selectively review all supporting documents for any expenditure greater than a preselected amount. In many cases, it may even be cost-effective to examine all supporting documents periodically or routinely.

Audit Trail Controls

The audit trail is a maintainable trail of evidence enabling one to trace amounts contained in reports or financial statements back to processing and from processing to input. Specific controls which can be employed to ensure that an adequate audit trail is maintained in the microcomputer environment include the following:

* Instructions,

* Read-back,

* Completeness tests,

* Redundant data tests,

* Serial numbering,

* Time-control totals,

* Periodic copying of files,

* Hard-copy units, and

* Transaction logs.

Backup and Recovery


The owner/manager or supervisor should ensure that backup and recovery is provided for hardware, software and auxiliary electrical services.

Hardware Backup. The most appropriate hardware backup for the microcomputer is another compatible microcomputer, one owned by a local company, a computer store, a DP service bureau, the local college or university or by the company itself. All concerned parties should employ legal counsel to prepare a contract specifically spelling out responsibilities, such as the expected turnaround time for the critical jobs processed on the backup equipment. Because several million business microcomputers are presently operating, a company should experience no problems locating compatible equipment.

Software Backup. Software backup provisions require a company to maintain duplicate copies of programming packages, application computer programs, data base files, operating systems and so on, preferably in an off-premise location such as in a large bank safety deposit box. This simple task, which can be quickly accomplished at a small cost, will enable the company to continue operating if a disaster strikes. Consequently, a company should immediately use its operating system to prepare duplicate copies of critical software.

Making archival copies. However, certain purchased software is copy-protected, meaning that a company cannot duplicate such software using the normal copy commands contained in its operating system. To copy this type of software, a company must purchase a special utility program which automatically formats, copies and verifies the protected software. These utilities are available for a cost of about $30 - $50. These programs usually handle sector timing, multiple sector sizes and bad sector identifications which do not allow normal operating systems to copy the protected software.

Using a Hardware Copying Device. Another device which enables a company to make copies of protected software operates differently from the special utility program described above. This device -- a hardware copying device taking up one expansion slot in the microcomputer's central processing unit (CPU) -- does not copy disks track by track. Rather, the hardware device ignores the disk and any copy protection encrypted on it. The copy-protected disk is read into memory and the hardware device takes a snapshot of this memory onto a blank disk. Thus, backup copies of protected software can be made with the push of a button.

The two types of copy devices described are offered for the purpose of allowing companies to make archival copies only. Under the copyright law, companies, as renters of computer software, are entitled to make a new copy of protected software for archival and backup purposes only. Companies are not permitted to utilize the copy devices for any use other than that specified.

Auxiliary Electrical Services Backup. This type of backup is required for power pollution caused by a variety of voltage fluctuations and by line noise. Of the many ways that power lines can be disturbed, several varieties of voltage fluctuations are responsible for most problems with microcomputers. These fluctuations can be caused by voltage transients, brownouts and blackouts.

Voltage Sag. A sudden voltage sag can shut down the microcomputer, completely wiping out critical data. Inventories, payrolls, receivables or whatever is in the memory may be lost instantly. In addition, sensitive electronic components can even be damaged.

Transients. Voltage transients include above normal voltage surges, below normal voltage sags and split-second voltage spikes that leap far above the nominal levels. Power surges and sags are long-duration events that are caused, for example, by turning on or off nearby electrical equipment, such as electrical motors or air conditioning units, or by a sudden reduction in demand for power.

Voltage Spike. The most damaging power line disturbance is the instantaneous high-energy voltage spike, usually lasting less than 100 microseconds. Most voltage transients are produced by the switching off of inductive loads, by the opening of switch contacts, blown fuses, short circuits, severe network load changes or lightning.

Brownouts. A brownout is a short-term reduction in power caused by the corrective action taken by the utility company when power demand is greater than generating capacity. A blackout is a complete power outage -- the voltage goes to zero. A blackout results in loss of data on disks and in random access memory (RAM).

Noise. Line noise can be caused by a variety of factors such as radio frequency interference, start and stop of elevators, operating home appliances, flickering fluorescent lights and noise generated by peripherals within the microcomputer system. For example, a printer and microcomputer are connected to an electrical outlet. Operating the printer generates line noise which feeds back through the electrical outlets into the computer, causing software errors and possible hardware damage.

Protecting Against Voltage


Since transients, brownouts, blackouts and line noise occur frequently in computer environments, a company should protect its microcomputer from these irregularities. For protection against power surges, sags (dips), spikes and line noise, several protection devices are available at modest cost. These devices, called power line conditioners (PLC), essentially filter the current from a wall outlet. Designed to meet the Institute of Electrical and Electronics Engineers (IEEE) specifications, the PLC quickly clips surges and spikes to a safe voltage level and filters out common line noise. Also, the PLC filters out line noise generated by peripherals within the microcomputer system. PLCs are available from most computer stores or directly from the manufacturers.

For protection against brownouts and blackouts, an uninterruptible power system (UPS) can be purchased. Such devices are relatively expensive, costing from $500 to $3,000. The UPS, a rechargeable battery backup device, plugs into any standard outlet. All the company needs to do is plug what needs protection into the UPS. In the event of a problem, the UPS will take over instantly, delivering power at full load from 10 to 45 minutes, depending upon the UPS purchased. Simultaneously, an alarm will sound, enabling the microcomputer operator to close out files and shut down equipment. In addition, most UPS will remove voltage transients, surges, dips, and line noise from electrical circuits.

A special type of utility program is available to automatically recover erased data files. Data may be lost, for example, by pushing a wrong key on the keyboard, a lightning storm or from static electricity. Whatever the cause, when a file is accidentally erased, valuable data or computer programs can be permanently lost. The utilities are designed to recover this lost information.

Security Provisions

Most security measures discussed in the literature apply mainly to mainframe computer systems. Very few businesses which use microcomputers can justify the purchase of a fireproof, waterproof or riotproof building. But much can be accomplished by the proper training and supervision of users operating microcomputers. Personnel properly educated as to the vulnerability of the microcomputer along with small expenditures for portable fire extinguishers and special covers for all hardware components can significantly reduce the risk of loss.

Since a microcomputer will only utilize a small portion of a room, the computer should be locked in a secure cabinet when not in use, especially after working hours. This safeguard will minimize security problems by more effectively controlling access to the computers.

Another important security device for microcomputers is the use of a write protect notch found on diskettes. This device is analogous to a file protection ring utilized for magnetic tape systems. The write protect notch, if properly used, will prevent information from being written on diskettes containing critical information, thus preventing changes to information on the diskette. When a metallic label or tab covers the write protect notch, the computer may read the diskette only, but will not write on the diskette. When the tab is removed, data can be both read and written. Consequently, the tab should only be removed when a diskette is to be scratched, i.e., made available for use in other applications.

Other security measures related to diskettes include:

1. Always keep a diskette in its paper envelope when not in use.

2. Store diskettes in a vertical position.

3. Never touch the surface of a diskette or try to wipe the surface of the diskette with a rag, handkerchief or other piece of cloth.

4. Keep diskettes away from extreme heat, such as that produced from radiators, direct sun or other sources of heat.

5. Never bend a diskette.

6. When writing on a diskette label, use only a felt-tipped pen. Never use any sort of instrument with a sharp point.

7. Keep diskettes away from magnetic fields, such as those generated by electrical motors, radios, televisions, tape recorders and other devices. A strong magnetic field may erase data on a diskette.

8. Never remove a diskette while the drive is running. Doing so may cause permanent damage to the diskette.

Furthermore, all diskettes should be locked in a tamper-proof, on-premises storage container, such as a key-lock diskette tray. Such trays are constructed of durable high impact plastic which is made of anti-static and non-conductive materials to keep out contaminants like moisture, dust and dirt and to protect diskettes from heat and magnetic interference. The tray holds diskettes upright to prevent warping and data loss.

Residue Controls

Residue controls ensure the trash is destroyed by using a paper shredder. Trash yields lists, notes, passwords, diskettes and so on which can be searched for confidential information or be used to gain unauthorized access to data files. This is one of the most common methods of gaining unauthorized access to computer systems and is known as "browsing" or "scavenging" through trash containers. The purchase of an inexpensive microshredder will reduce residue to a pulp-like confetti that cannot be reassembled to gain confidential information. A company should avoid the purchase of a shredder that reduces residue to spaghetti-like slices of paper which can be readily reassembled to extract or appropriate classified or other information.


Companies should purchase insurance to cover losses to equipment caused by theft, water or fire damage. Also, insurance should cover losses to critical records, files and other essential information. Since insurance costs vary widely among insurance carriers, a company should carefully evaluate all policies with respect to coverage and cost.

Programming Controls

Programming controls are routines incorporated into the purchased accounting or other computer programs. The use of such controls is very important in the microcomputer environment being discussed. If proper programming controls are not implemented into the packages, which in most cases they are not, many input errors will go undetected during the processing phase and, as a result, the output will be inaccurate and unreliable. Effective programming controls for microcomputer systems include field-size tests, sequence checks, valid character tests, overflow tests, cross-footing tests, zero balancing tests, completeness tests, rounding tests, percent error tests, limit tests and range tests.

User Controls

User controls are very important in a small OLRT microcomputer environment employing OLDE. These controls, exercised by users, can compensate for weak or inadequate controls which exist within the DP environment. In many cases, users may exercise control to compensate for any weaknesses in the computer portion of the internal control system. For example, even though weak controls may exist over the transit of source data to the computer area, users may reconcile their own control totals with those produced as output from programming packages. Furthermore, users should be involved in the development of the systems and should be required to approve its final design.

Another compensating control is the review of output by users for reasonableness. This technique can sometimes locate errors which have gone undetected. Users may detect such errors through application of their knowledge of the approximate results they expect. Further, consideration can be given to utilizing even more user department controls in place of the programming controls previously mentioned. For instance, in the absence of reasonableness tests during processing, these checks can be performed to some extent by users. However, a proper balance should be obtained in order to prevent an overload of user responsibilities because too much work load may impair their overall effectiveness.

Output controls can be effectively performed by users. Users should reconcile all output-control totals with those generated during input and processing. Users should be aware of the reports they are to receive and when they should receive them. Again, any exceptions should be promptly investigated.
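
As an added illustration (not code from the article or from any accounting package), the Python example below applies several of the tests named under Programming Controls (completeness, field-size, valid-character, range, limit, cross-footing and sequence) to a batch of payroll records, then performs the control-total reconciliation described under User Controls. The record layout, the limits and the sample batch are assumptions constructed for the example.

```python
from decimal import Decimal
import re

# Assumed edit parameters; a real package would take these from its own file layout.
FIELDS = ("serial", "emp_id", "hours", "gross", "deductions", "net")
EMP_ID = re.compile(r"E\d{4}")            # exactly 5 characters: 'E' + 4 digits
AMOUNT = re.compile(r"\d{1,6}\.\d{2}")    # digits only, at most 6 before the point
HOURS_RANGE = (Decimal("0.00"), Decimal("80.00"))
GROSS_LIMIT = Decimal("5000.00")

def check_record(rec):
    """Apply the record-level programming controls; return a list of failures."""
    # Completeness test: every field must be present and non-blank.
    missing = [f for f in FIELDS if not str(rec.get(f, "")).strip()]
    if missing:
        return ["completeness: missing " + ", ".join(missing)]
    errors = []
    # Field-size and valid-character tests on the key and the numeric fields.
    if not EMP_ID.fullmatch(rec["emp_id"]):
        errors.append("valid-character/field-size: emp_id")
    bad = [f for f in FIELDS[2:] if not AMOUNT.fullmatch(rec[f])]
    if bad:
        return errors + ["valid-character/field-size: " + ", ".join(bad)]
    hours, gross, deductions, net = (Decimal(rec[f]) for f in FIELDS[2:])
    # Range test: hours must fall between a lower and an upper bound.
    if not HOURS_RANGE[0] <= hours <= HOURS_RANGE[1]:
        errors.append("range: hours")
    # Limit test: gross pay may not exceed a preset ceiling.
    if gross > GROSS_LIMIT:
        errors.append("limit: gross")
    # Cross-footing test: the row must add across to its stated total.
    if gross - deductions != net:
        errors.append("cross-footing: gross - deductions != net")
    return errors

def validate_batch(batch, control_total):
    """Edit every record, check serial order, then reconcile the net-pay total."""
    record_errors, batch_errors = {}, []
    accepted_net, prev = Decimal("0.00"), None
    for rec in batch:
        errs = check_record(rec)
        if errs:
            record_errors[rec.get("serial")] = errs
        else:
            accepted_net += Decimal(rec["net"])
        serial = rec.get("serial")
        # Sequence check: serial numbers must rise by one, with no gap or repeat.
        if isinstance(serial, int):
            if prev is not None and serial != prev + 1:
                batch_errors.append(f"sequence: expected {prev + 1}, got {serial}")
            prev = serial
    # Control-total reconciliation: the user's pre-computed total must match.
    if accepted_net != control_total:
        batch_errors.append(f"control total: {accepted_net} != {control_total}")
    return record_errors, batch_errors

# Constructed sample batch (not data from the article).
ROWS = [
    (1001, "E0417", "40.00", "800.00", "160.00", "640.00"),
    (1002, "E0522", "38.50", "770.00", "154.00", "616.00"),
    (1004, "E0533", "40.00", "800.00", "160.00", "640.00"),    # 1003 is missing
    (1005, "E05X1", "40.00", "800.00", "160.00", "640.00"),    # letter in the id
    (1006, "E0610", "95.00", "1900.00", "380.00", "1520.00"),  # hours out of range
    (1007, "E0611", "40.00", "800.00", "160.00", "650.00"),    # does not cross-foot
]
SAMPLE = [dict(zip(FIELDS, row)) for row in ROWS]

if __name__ == "__main__":
    rec_errs, batch_errs = validate_batch(SAMPLE, Decimal("4696.00"))
    for serial, errs in rec_errs.items():
        print(serial, errs)
    print(batch_errs)
```

Because rejected records are held out of the accepted total, the batch does not reconcile to the user's control total until every flagged record has been corrected and re-entered.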

Miscellaneous Controls

These safeguards relate to preventive maintenance and coping with static electricity.

Maintenance. To keep the microcomputer, including peripherals such as printers, in good working order, the company should purchase a maintenance contract. These contracts are available for a cost of between $300 and $500, depending upon what is insured and whether the contract contains an on-site maintenance clause. Such contracts normally provide for one annual inspection of the system. Any defects, of course, are fixed free of charge.

Simple Preventive Maintenance. However, some simple preventive maintenance to preserve and enhance the microcomputer's functionality can be completed by a company, such as cleaning disk heads and guarding against dust build-up. Several brands of disk head cleaning kits can be utilized to clean the oxide and dirt build-up off the read/write head of a disk drive periodically. Excessive oxide and dirt build-up will interfere with the disk drive's proper functioning. Such build-up occurs when the medium coating of the diskette rubs off on the read/write head and when free floating dirt contaminates the microcomputer's disk drive head. Disk head cleaning kits cost about $15 to $25. Some come presoaked in a solvent and are discarded after each use. Some brands must be treated with a solvent before use and can be reused. A solvent type cleaner will dissolve any oxide build-up on the disk head. However, when a solvent is used, the disk heads must be dry before any diskette is inserted or it will be damaged. Authorities recommend that disk heads should be cleaned weekly if the drives are heavily used or monthly if they are occasionally used.

Dust build-up can be partially controlled by using dust covers. However, the rate of dust collection is about 10 to 20 times higher when the monitor is on. Hence, the monitor should be cleaned each morning before use. It is recommended that the faceplate of the monitor be cleaned with a commercial glass cleaner. Frequent cleaning of the monitor will enable the operator to turn down the brightness control an eighth of a turn and will rejuvenate the anti-glare surface by removing all fingerprints left on the monitor.

To prevent excessive dust build-up in the keyboard, the keyboard should be protected with a dust cover when not in use. Dust accumulation in the key contacts will cause missed keystrokes.

Tracking Down Malfunctions. For companies operating in areas far removed from the maintenance contractor, special kits are available to isolate the cause of the malfunction. By plugging a special board into one of the microcomputer's slots and issuing a few simple commands, the board's own display indicates which computer board has failed. The defective board, not the entire computer system, is sent to the service contractor, thereby saving shipping costs, avoiding unnecessary jolts to the system, and providing quicker turnaround-time.

Static Electricity. Static electricity is not just confined to a few square feet around the monitor. Someone casually walking past a monitor can generate enough charges to make the microcomputer function erratically, delete data from memory and damage a chip, necessitating expensive repairs. Two common causes of static electricity are nylon carpeting and very dry air.

The microcomputer can be protected from static shock by touching another grounded conductor before touching the computer, using an anti-static mat or rug, using an anti-static spray and using a humidifier if the air is extremely dry. The two most cost-effective remedies to protect against static electricity are an anti-static spray and a small, portable humidifier. An anti-static spray provides an invisible barrier against static when applied on a regular basis, and costs only a few dollars. Care should be taken not to get any spray on the hardware components since it can cause corrosion. Also, anti-static cloths are available to eliminate static and dust attraction on monitors and keyboards.


All companies should ensure that they implement appropriate internal controls for their stand-alone microcomputer systems. This article discussed the controls applicable to stand-alone systems costing up to $10,000 plus. Such controls included informal controls, audit trail controls, backup and recovery controls, security controls, programming controls, user controls and miscellaneous controls.

Michael J. Cerullo, PhD, CPA, is professor of accounting at Southwest Missouri State University in Springfield, Missouri. He has published in a number of academic and professional accounting and information systems journals.

Virginia Cerullo, PhD, CPA, is assistant professor of accounting at Southwest Missouri State University in Springfield, Missouri.
COPYRIGHT 1991 National Society of Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:internal controls for computers
Author:Cerullo, Michael J.; Cerullo, Virginia
Publication:The National Public Accountant
Date:May 1, 1991