Microcomputers present a new internal control challenge.
It was a great day for the credit union when they could end their reliance on a computer service center and purchase an in-house minicomputer system. With the lower costs of computers, the new system could be purchased outright and software leased for less than the cost of the multi-year contract renewal option available from their local computer service center. Service contracts through the vendor were included to cover maintenance of the hardware purchased. The new system had a projected useful life that was twice as long as the computer service center contract. The savings were more than adequate to justify the acquisition of the new computer system. In addition, the local company offering the software lease provided a package tailored specifically for the credit union industry. The new system promised to meet the unique needs of the credit union with timely responses to management's inquiries and greater flexibility in producing special reports. It was user friendly and did not require a computer expert or any additional staff to run it.
The new minicomputer system was acquired, the employees were trained, and the system was placed into service. Overall, the system appeared to work very well. Problems and limitations were relatively minor when compared to the computer service center mainframe system previously used. It was not until the author, a member of the Board of Directors, began reviewing the controls of the new system that serious internal control weaknesses were discovered. The most serious weakness was in the vendor software package. While the software did offer different security levels for tellers, loan officers, and the controller as promised, the software allowed the controller to perform virtually all of the operating functions within the credit union. Thus, the accounting control of separation of duties was seriously compromised. Upon discovery of the weakness, compensating controls were put into place and the credit union began working with the vendor through a user group to correct the control weaknesses discovered.
THE MOVE TOWARD SMALLER COMPUTERS
As organizations move toward minicomputers and microcomputers to handle critical accounting functions, they frequently compromise many of the internal controls which existed in their former systems. Internal control problems tend to be more numerous in a microcomputer environment than in a minicomputer environment. Microcomputers were originally developed for personal use and the limited operating capacity of early microcomputers made them impractical for most organizational computing needs. These computers were designed for a single user and for convenience and simplicity of operation. Security and internal control were typically ignored in the development of most microcomputer hardware and software. The common recommendation for the internal control of a microcomputer system was to simply lock the office door.
The amazing increase in computing power and data storage of microcomputers, their low cost, and the development of user friendly software have combined to make microcomputers a suitable replacement for the mainframe computer for some applications. In large organizations which still have a need for a mainframe computer system, microcomputers, through modems and networks, are being used to access the mainframe computer. They are also used to reduce substantially the amount of computing performed by the central mainframe computer. As critical accounting functions are migrating toward smaller computers and as microcomputers are increasingly used to access data and software residing on networks, minicomputers, and mainframe computers, the need for better internal control of microcomputer applications becomes apparent.
COMMON INTERNAL CONTROL PROBLEMS
Common internal control problems associated with current microcomputer environments and many minicomputer environments include lack of separation of duties, unauthorized access to hardware and software, and uncontrolled development of computer application programs. Each of these problems is addressed in the following paragraphs.
Lack of Separation Of Duties
As illustrated in the true scenario presented at the beginning of this article, many software applications developed for small computers do not include the necessary safeguards to assure adequate separation of duties. Microcomputers are popularly called personal computers. They were developed for a single user. Programs written for microcomputers typically are designed to be operated by a single individual. When these programs allow the operator access to assets (e.g. through the ability to write checks or transfer balances among accounts) and to the corresponding accounting records (e.g. the ability to make adjustments to accounts receivable or accounts payable balances), serious internal control compromises result.
In the scenario above, a credit union accounting software package allowed the controller access to all of the computer functions within the organization. As a result, fictitious deposits could be entered by the controller into a personal savings account, personal loan payments could be recorded, and favorable adjustments could be made to conceal inappropriate activity and reduce the risk of detection.
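The weakness described above can be checked mechanically before a package goes into service. The following is an added example, not part of the original article: it flags any role, and any user holding several roles, that combines access to assets with the ability to alter the corresponding records. The role names, user names, function names and their classification are constructed for illustration.

```python
# Constructed data. Function names follow the article's examples; classifying
# them as "asset" or "record" functions is an assumption made for illustration.
ASSET_FUNCTIONS = {"write_checks", "transfer_balances", "post_deposit",
                   "record_loan_payment"}
RECORD_FUNCTIONS = {"adjust_receivables", "adjust_payables",
                    "adjust_account_balance"}

ROLE_FUNCTIONS = {
    "teller": {"post_deposit", "view_account"},
    "loan_officer": {"record_loan_payment", "view_account"},
    "bookkeeper": {"adjust_account_balance", "view_account"},
    "controller": {"post_deposit", "record_loan_payment", "transfer_balances",
                   "adjust_account_balance", "view_account"},
}

USER_ROLES = {
    "alice": ["teller"],
    "bob": ["controller"],
    "carol": ["teller", "bookkeeper"],  # neither role conflicts on its own
}


def duty_conflict(functions):
    """Return the asset and record functions held together, or None."""
    asset = functions & ASSET_FUNCTIONS
    record = functions & RECORD_FUNCTIONS
    if asset and record:
        return {"asset": sorted(asset), "record": sorted(record)}
    return None


def role_conflicts(role_functions):
    """Roles that by themselves combine asset access with record changes."""
    found = {}
    for role, functions in role_functions.items():
        conflict = duty_conflict(functions)
        if conflict:
            found[role] = conflict
    return found


def user_conflicts(user_roles, role_functions):
    """Users whose combined roles give both duties, even if no single role does."""
    found = {}
    for user, roles in user_roles.items():
        effective = set()
        for role in roles:
            if role not in role_functions:
                raise KeyError(f"user {user!r} has undefined role {role!r}")
            effective |= role_functions[role]
        conflict = duty_conflict(effective)
        if conflict:
            found[user] = conflict
    return found


if __name__ == "__main__":
    print("roles:", role_conflicts(ROLE_FUNCTIONS))
    print("users:", user_conflicts(USER_ROLES, ROLE_FUNCTIONS))
```

Where a conflict cannot be removed, as with the controller role in the scenario, the flagged list identifies where compensating controls are needed.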
Unauthorized Access to Hardware And Software
When the only microcomputers were found in the boss's office, it was easy to lock the office door to prevent access to the computer. With the proliferation of microcomputers, it is no longer feasible to maintain this type of physical security of the hardware. Computers which contain sensitive data and programs are found on the desks of secretaries and clerks in relatively unsecured areas. In addition, microcomputers are increasingly being networked together and linked to other computers which further reduces the ability to maintain adequate access control with only a lock and a key.
Just a decade ago, the average employee in an organization was not computer literate. Even if they could gain physical access to a microcomputer, many individuals would not have had sufficient knowledge of the computer to use it to their own advantage and/or to the detriment of the organization. With the proliferation of microcomputers and their common presence in homes, offices, and schools, anyone with unauthorized access to a microcomputer should be viewed as a serious threat to security. Recently, I became aware of a custodian using the personal computer locked in an office to play games after business hours. While no loss, contamination, or misuse of data was apparent, a virus was detected and removed after the incident.
With access to hardware becoming more difficult to control, greater attention needs to be given to controlling access to data and software. User profiles, passwords, and a limited number of sign-on attempts have been standard controls on mainframe computers for many years. Software packages developed for microcomputer applications often have not included these same controls. Even when they are available, many of these controls do not provide adequate security.
Recently I acquired a new computer for my office. I was impressed that the operating system included password protection and immediately created a user password and turned on the password protection feature. My son, impressed by the new computer, asked if he could try running some programs on the new machine. I agreed and left to attend a meeting. As I was returning from the meeting I remembered that I had not given my son the password to the new computer and expected to find him frustrated by not being able to try out the new machine. To my surprise, he was happily using the computer. When I asked him how he got around the password protection, he told me that it was easy. He found that it did not matter what he typed on the password line, the system would still allow him access. He said that he could even close the password box without typing anything at all and still have full use of the machine. On another system I found that password protections could be circumvented by using a boot disk to start the computer. Once the user was into the system, all of the programs and data files were available to the user. Before placing reliance on password protection functions I now test them to assure myself that they actually do provide protection.
Uncontrolled Development of Computer Application Programs
A growing number of individuals are capable of writing their own application programs using modern, user-friendly software. Managers who are not trained in computer controls often allow the "computer whiz" in the office to develop applications which are not adequately controlled, documented, or tested. The author of the program, being the "expert" then becomes the primary operator of the new application which he or she developed. When the application programs developed allow access to assets, directly or indirectly, and the ability to alter the accounting records, the result is seriously compromised internal controls.
In one organization an employee developed a comprehensive spreadsheet program to perform employee payroll calculations, employee reimbursements, employer payroll tax calculations, print payroll reports, and print the related checks. Discussions with representatives of the organization revealed that a single employee had developed, written, and operated the program with very little supervision. The spreadsheet was very large and complex and made extensive use of macro commands to automate the payroll accounting functions. By independently developing, testing, and operating the payroll program, the employee had the opportunity to divert assets of the organization to unauthorized uses with little fear of being detected. After the original author of the spreadsheet left the organization questions arose regarding whether the spreadsheet output complied with state and federal tax laws. I was asked to review the payroll application and noted that there was no documentation explaining the development or testing of the spreadsheet. The only possible way to effectively review the extensive spreadsheet was to examine the contents of each cell and evaluate each of the functions used. Due to the large size and complexity of the spreadsheet application and the ready availability of low cost payroll packages, it was decided to abandon the spreadsheet application program altogether. The time and energy used to create the spreadsheet was lost due to the excessive time and costs associated with testing and routine maintenance without adequate documentation. Authorization prior to development, supervision of the development, independent testing, and supervised operation of the application would have solved the problems created.
ENGAGEMENTS WHERE MICROCOMPUTERS ARE USED
With the proliferation of microcomputers, today's accountant must approach every engagement with an awareness of the impact that the computer system may have on the effective operation of internal controls. The same basic principles apply whether a mainframe or a microcomputer is employed. The following principles commonly employed by both independent and internal auditors will help any accountant evaluate the risks associated with a computerized system.
Determine the Extent of Reliance on Computers
Prior to using an accounting system or evaluating the outputs of a system, the accountant should assess the internal controls associated with the system. Essential to the accountant's understanding of the internal control structure in a computerized environment is an understanding of the extent of reliance on the computer for critical accounting functions. When a great deal of reliance is placed on computers for the production and storage of critical accounting information the accountant should consider the potential for errors and irregularities as a result of the specific system in use. As discussed above, frequently microcomputers and often minicomputers do not utilize effective controls. However, some of the more sophisticated systems employ an excellent system of internal controls. Proper use of these computer systems may actually enhance the internal controls rather than weaken them. Misapplication or lack of computer controls will create the opposite result. In a worst case scenario, inadequate control over accounting programs, lack of sufficient source documents, and inadequate separation of duties may result in an accounting disaster.
In a microcomputer environment it may be difficult, or even impossible, to verify that the computer programs in use at the beginning of the year are the same as those in use throughout the year. Mainframe systems rely on a librarian and computer run logs to maintain control over application programs and to ensure that the outputs are reliable. If programs may be edited or substituted throughout the year without the changes and substitutions being detected, errors and data manipulations may exist.
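One way to detect edited or substituted programs, shown here as an added example that is not part of the original article: record a SHA-256 digest of every program file at the start of the period, then compare a later snapshot against that baseline. The directory layout and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(program_dir):
    """Map each file's path (relative to program_dir) to its SHA-256 digest."""
    root = Path(program_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(baseline, current):
    """Report programs edited, introduced or removed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "changed": sorted(p for p in shared if baseline[p] != current[p]),
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def demo():
    """Constructed scenario: one edit, one new program, one deletion."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "payroll.bas").write_text("10 REM compute net pay\n")
        (root / "ledger.bas").write_text("10 REM post journal entries\n")
        (root / "reports" / "trial_balance.bas").write_text("10 REM print TB\n")
        baseline = build_manifest(root)  # taken at the start of the year

        # Changes made during the year without going through change control.
        (root / "payroll.bas").write_text("10 REM compute net pay\n20 REM edit\n")
        (root / "adjust.bas").write_text("10 REM post adjustment\n")
        (root / "reports" / "trial_balance.bas").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only as reliable as the baseline: keep the manifest where the people who operate or maintain the programs cannot rewrite it, which is the role the librarian plays on a mainframe.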
Computers have the potential advantage of reducing the amount of paper used in performing routine accounting functions. As the volume of paper is reduced, the audit trail may become difficult to follow or disappear altogether. Sufficient documentation, whether in paper form or in the form of computer files, is necessary to enable an accountant to reconstruct a questionable transaction. When computer files are relied upon for the storage of critical documentation, internal controls must be adequate to ensure reliability of the information. Adequate backup is also essential to reduce the risk of losing critical information.
As discussed above, adequate separation of duties is often lacking in microcomputer environments. When computer controls are found to be lacking, the accountant should determine whether sufficient compensating controls are in place to ensure the integrity of data presented on the financial statements. Examples of compensating controls commonly employed are regular reconciliations, recomputations, or close supervision of employees.
Assess Risks Associated with Microcomputers
All computer controls are not of equal interest to the accountant. When microcomputers are not used for critical accounting functions they are typically of little relevance to the accountant because they pose little if any risk of contaminating the accounting information. In an environment where significant accounting functions are performed on the microcomputer, the accountant must consider the adequacy of the controls related to those accounting functions. If controls appear to be nonexistent or severely lacking, the integrity of the accounting information will be in question. Making managerial decisions on inaccurate accounting data could prove to be very costly. Severe weaknesses in internal controls could even jeopardize the ability of the organization to obtain an independent audit of the financial records. When the accountant identifies microcomputer controls which he or she needs to rely on, those controls need testing to assure they are operating as planned.
Test the Controls Which Will Be Relied Upon
Those internal controls which will be relied upon must be tested to determine whether they are effective before reliance may be placed on them to assure accurate accounting information. As with the ineffective password example noted earlier, internal controls may be documented in the computer system and have an appearance of working and yet, not be functioning properly at all. In a microcomputer system, controls must be considered for all aspects of a transaction including inputs, processing, outputs, and data storage.
A good system will provide an adequate audit trail to trace transactions from inception to their final disposition. Data will be reasonably protected from accidental and malicious contamination. Software used for processing will be protected from alteration or substitution throughout the period under audit.
Computer applications developed internally need to be approved by appropriate levels of management to assure that they meet the goals of the organization. Programs should be documented to facilitate later review and maintenance. Testing should be done by individuals independent of those writing the application to reduce the frequency of errors and the possibility of irregularities occurring within the program.
After evaluating the internal control environment and testing controls to be relied upon, the accountant will assess the adequacy of the controls in protecting the accounting information from errors. If the controls prove to be reliable, the accountant can be better assured of reliable accounting information. When control weaknesses are noted, they should be brought to the attention of the appropriate level of management to ensure their correction. The accountant will typically be a key player in the development of a better system of internal controls. The more sophisticated systems may also require an experienced computer specialist, even in a microcomputer environment.
Accountants working in an environment reliant on microcomputers or minicomputers must consider the typical internal control weaknesses which are prone to exist. Internal controls commonly found on mainframe computers often do not exist in the smaller computer environment. Even when controls such as password protection are present, they cannot be assumed to be reliable.
Control strategies and procedures typically used in a mainframe computing environment often may be employed in a microcomputer environment. In the early days of mainframe computing, accountants learned some very hard and expensive lessons about the need for controls in a computerized environment. As a direct result of early computer frauds, internal controls were implemented where they previously did not exist and strengthened where they were found to be inadequate. Unfortunately, microcomputer systems and some minicomputer systems suffer from the same internal control weaknesses associated with those early mainframe computers. If proper steps are not taken to assure adequate controls, the trend toward using smaller computers could result in the same types of losses suffered in the early days of mainframe computing. An awareness of the internal control problems and adherence to proper internal control procedures will enable the accountant to avoid costly errors in the future as organizations and clients place greater reliance on minicomputers and microcomputers.
The author would like to acknowledge the generous support of the School of Business Administration at The University of Montana for summer research grant funding which helped to make this work possible.
Stanley Earl Jenne currently holds the rank of full professor in the Department of Accounting and Finance at The University of Montana. Previously, he was a member of the faculty at Illinois State University and Weber State University. He served a term as Chair of the Department at both of these institutions. In addition to his academic experience, Professor Jenne has worked for Grant Thornton, the IRS, and has provided consulting services for various organizations. In 1982 he completed a Ph.D. in Accountancy at the University of Illinois at Urbana-Champaign. He holds a Master's degree from Colorado State University and a Bachelor's degree from Weber State University. Professor Jenne has been a CPA since 1979 and he became a Certified Fraud Examiner in 1997. His articles have been published in academic and professional journals and he has presented papers at national and regional conferences.
|Author:||Jenne, Stanley Earl|
|Publication:||The National Public Accountant|
|Date:||Jun 1, 1998|