In a CIS environment, an entity will establish an organizational structure and procedures to manage the CIS activities. Characteristics of a CIS organizational structure include:
- Concentration of functions and knowledge—although most systems employing CIS methods will include certain manual operations, generally the number of persons involved in the processing of financial information is significantly reduced. Furthermore, certain data processing personnel may be the only ones with a detailed knowledge of the interrelationship between the source of data, how it is processed and the distribution and use of the output. It is also likely that they are aware of any internal control weaknesses and, therefore, may be in a position to alter programs or data while stored or during processing. Moreover, many conventional controls based on adequate segregation of incompatible functions may not exist, or in the absence of access and other controls, may be less effective.
- Concentration of programs and data—transaction and master file data are often concentrated, usually in machine-readable form, either in one computer installation located centrally or in a number of installations distributed throughout an entity. Computer programs which provide the ability to obtain access to and alter such data are likely to be stored at the same location as the data. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, programs and data.
Nature of Processing: The use of computers may result in the design of systems that provide less visible evidence than those using manual procedures. In addition, these systems may be accessible by a larger number of persons. System characteristics that may result from the nature of CIS processing include:
- Absence of input documents—data may be entered directly into the computer system without supporting documents. In some on-line transaction systems, written evidence of individual data entry authorization (e.g. approval for order entry) may be replaced by other procedures, such as authorization controls contained in computer programs (e.g. credit limit approval).
- Lack of visible transaction trail—certain data may be maintained on computer files only. In a manual system, it is normally possible to follow a transaction through the system by examining source documents, books of account, records, files and reports. In a CIS environment, however, the transaction trail may be partly in machine-readable form, and furthermore it may exist only for a limited period of time.
- Lack of visible output—certain transactions or results of processing may not be printed. In a manual system, and in some CIS systems, it is normally possible to examine visually the results of processing. In other CIS systems, the results of processing may not be printed, or only summary data may be printed. Thus, the lack of visible output may result in the need to access data retained on files readable only by the computer.
- Ease of access to data and computer programs—data and computer programs may be accessed and altered at the computer or through the use of computer equipment at remote locations. Therefore, in the absence of appropriate controls, there is an increased potential for unauthorized access to, and alteration of, data and programs by persons inside or outside the entity.
Design and Procedural Aspects: The development of CIS systems will generally result in design and procedural characteristics that are different from those found in manual systems. These different design and procedural aspects of CIS systems include:
- Consistency of performance—CIS systems perform functions exactly as programmed and are potentially more reliable than manual systems, provided that all transaction types and conditions that could occur are anticipated and incorporated into the system. On the other hand, a computer program that is not correctly programmed and tested may consistently process transactions or other data erroneously.
- Programmed control procedures—the nature of computer processing allows the design of internal control procedures in computer programs. These procedures can be designed to provide controls with limited visibility (e.g. protection of data against unauthorized access may be provided by passwords). Other procedures can be designed for use with manual intervention, such as review of reports printed for exception and error reporting, and reasonableness and limit checks of data.
- Single transaction update of multiple or data base computer files—a single input to the accounting system may automatically update all records associated with the transaction (e.g. shipment of goods documents may update the sales and customers’ accounts receivable files as well as the inventory file). Thus, an erroneous entry in such a system may create errors in various financial accounts.
- Systems generated transactions—certain transactions may be initiated by the CIS system itself without the need for an input document. The authorization of such transactions may not be evidenced by visible input documentation nor documented in the same way as transactions which are initiated outside the CIS (e.g., interest may be calculated and charged automatically to customers’ account balances on the basis of pre-authorized terms contained in a computer program).
- Vulnerability of data and program storage media—large volumes of data and the computer programs used to process such data may be stored on portable or fixed storage media, such as magnetic disks and tapes. These media are vulnerable to theft, or intentional or accidental destruction.
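The programmed control procedures and single-transaction update described above can be sketched as follows. This is an added example, not part of the original text: the table names, the `QTY_LIMIT` bound and the sample customer and stock item are assumptions made for illustration. A shipment is checked against a reasonableness limit and the customer's credit limit before it updates the sales, receivables and inventory files in one transaction; rejected entries go to an exception report instead.

```python
import sqlite3

QTY_LIMIT = 1000  # assumed reasonableness bound for one shipment

def open_books():
    """Constructed sample data: one customer, one stock item."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id TEXT PRIMARY KEY, credit_limit REAL, receivable REAL);
        CREATE TABLE inventory(sku TEXT PRIMARY KEY, on_hand INTEGER, price REAL);
        CREATE TABLE sales(customer TEXT, sku TEXT, qty INTEGER, amount REAL);
        CREATE TABLE exceptions(customer TEXT, sku TEXT, qty TEXT, reason TEXT);
        INSERT INTO customers VALUES ('C1', 500.0, 100.0);
        INSERT INTO inventory VALUES ('WIDGET', 50, 20.0);
    """)
    return db

def post_shipment(db, customer, sku, qty):
    """Post one shipment to all three files, or record why it was rejected."""
    cust = db.execute("SELECT credit_limit, receivable FROM customers WHERE id=?",
                      (customer,)).fetchone()
    item = db.execute("SELECT on_hand, price FROM inventory WHERE sku=?",
                      (sku,)).fetchone()
    reason = None
    if cust is None or item is None:
        reason = "unknown customer or item"
    elif not isinstance(qty, int) or not 0 < qty <= QTY_LIMIT:
        reason = "quantity fails reasonableness check"
    elif qty > item[0]:
        reason = "quantity exceeds stock on hand"
    elif cust[1] + qty * item[1] > cust[0]:
        reason = "credit limit exceeded"
    with db:  # one transaction: every write below commits together or not at all
        if reason:
            db.execute("INSERT INTO exceptions VALUES (?,?,?,?)",
                       (customer, sku, str(qty), reason))
            return reason
        amount = qty * item[1]
        db.execute("INSERT INTO sales VALUES (?,?,?,?)", (customer, sku, qty, amount))
        db.execute("UPDATE customers SET receivable = receivable + ? WHERE id=?",
                   (amount, customer))
        db.execute("UPDATE inventory SET on_hand = on_hand - ? WHERE sku=?", (qty, sku))
    return "posted"

def exception_report(db):
    """Rows a reviewer would see on the printed exception report."""
    return db.execute("SELECT customer, sku, qty, reason FROM exceptions").fetchall()
```

Because the checks run before any file is touched and the three updates share one transaction, a rejected or failed entry leaves the sales, receivables and inventory files unchanged.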