ACCA P3考試：INFORMATION TECHNOLOGY

CONTROLS IN IT SYSTEMS

IT poses particular risks to organisations’ internal control and information systems. This can lead to their operations being severely disrupted and subsequently to lost sales, increased costs, incorrect decisions and reputational damage.

Risks include:

• Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, reporting inaccurate, misleading results - or all three.

• Unauthorised access to data leading to destruction of data, improper changes to data, or inaccurate recording of transactions.

• Particular risks may arise where multiple users access a common database on which everyone in the organisation relies.

• The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties.

• Unauthorised changes to data in master files. For example, changing a selling price or credit limit.

• Unauthorised changes to systems or programs so that they no longer operate correctly and reliably.

• Failure to make necessary changes to systems or programs to keep them up-to-date and in line with legal and business requirements.

• Potential loss of data or inability to access data as required. This could prevent, for example, the processing of internet sales.

Controls in computer systems can be categorised as general controls and application controls.

GENERAL CONTROLS

These are policies and procedures that relate to the computer environment and which are therefore relevant to all applications. They support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls that maintain the integrity of information and security of data commonly include controls over the following:

• Data centre and network operations. A data centre is a central repository of data and it is important that controls there include back-up procedures, anti-virus software and firewalls to prevent hackers gaining access. Organisations should also have disaster recovery plans in place to minimise damage caused by events such as floods, fire and terrorist activities. Where IT is critical to an operation’s business these plans might include having a parallel system operating at a remote location that can be switched to immediately.

• System software acquisition, change and maintenance. System software refers to operating systems, such as Windows or Apple’s OS. These systems often undergo updates as problems and vulnerabilities are identified and it is important for updates to be implemented promptly.

• Access security. Physical access to file servers should be carefully controlled. This is where the company keeps it data and it is essential that this is safeguarded: data will usually endow companies with competitive advantage. Access to processing should also be restricted, typically through the use of log-on procedures and passwords.

• Application system acquisition, development, and maintenance. Applications systems are programs that carry out specific operations needed by the company – such as calculating wages and invoices and forecasting inventory usage. Just as much damage can be done by the incorrect operation of software as by inputting incorrect data. For example, think of the damage that could be done if sales analyses were incorrectly calculated and presented. Management could be led to withdraw products that are in fact very popular. All software amendments must be carefully specified and tested before implementation.