Introduction to Internal Controls

6. Internal controls over IT systems

So far we’ve discussed controls that generally involve manual processes performed by employees. For this next section, we’ll focus on controls related to a company’s technology environment.

Technology, if used correctly, can be a wonderful asset in today’s business environment. Information technology (IT) allows a business to communicate more efficiently with customers and suppliers, and it can drastically reduce transaction processing time. While IT systems virtually eliminate human calculation errors, they are not immune to processing inaccuracies: a flaw in a program or in its configuration is applied consistently to every transaction it touches. Upper management must take care to design effective controls when implementing new technological systems - without methods in place to detect it, computer automation can silently repeat the same processing error across thousands of transactions before anyone notices.

IT controls come in two different flavors - general controls and application controls.

General controls over information technology

General controls can be thought of like the walls and security system of a house. These controls provide some general protections for all aspects of a company’s IT systems, much like walls and a monitored alarm help protect possessions inside the house from things like burglars, pests, and the weather.

Physical security over IT assets is the most basic general control a company can implement. A locked door leading to the server room at headquarters or security guards at the corporate data center are examples of physical security over IT. You might recognize these types of controls from our discussion of asset safeguarding earlier - better access control in any area of the business is rarely a bad idea.

Passwords and other data security controls are nearly universal in the corporate world. For an idea of how important those controls are, consider the consequences of high-profile data breaches:

  • TJ Maxx, 2007 – company disclosed that more than 45 million credit and debit accounts were compromised all the way back in 2003.
  • Heartland Payment Systems, 2008 – 130 million credit and debit accounts compromised when the payment processor’s system was breached.
  • Sony, 2011 – 77 million PlayStation Network and Qriocity accounts were compromised.
  • Adobe, 2013 – as of last count, information about 152 million customers was compromised.

Businesses are regularly entrusted with customer information, such as name, date of birth, credit card information, and Social Security number, but even companies that don’t collect personal information can be vulnerable to related-party data theft:

  • In 1998, an employee of Wright Industries, which had been hired by Gillette, sold design information to Gillette’s competition.
  • A survey from 2009 revealed that around 60 percent of respondents stole some type of data from a former employer after being fired or laid off - 24 percent of all respondents also said they still had access to the former employer’s IT systems.
  • In 2009, Starwood executives took confidential information with them when they were hired by Hilton.

Many common types of security breaches can be stopped by establishing strong corporate IT security policies, such as cybercrime awareness training, data destruction procedures, and system access controls. In addition, segregation of duties can help a business avoid problems associated with employees who can perform incompatible functions.

Finally, because most IT systems today are network-based and connected to the Internet, firewalls and antivirus programs are essential general controls. Companies without those basic defenses in place are an easy target for external attackers.

Controlling who can access sensitive IT systems, however, does not by itself guard against misuse by individuals who legitimately have that access. It is also important to establish sound change management procedures, which govern how corporate systems are developed or acquired and how they are modified afterward.

As you will often find in the business environment, segregation of duties is a key component of good change management policies. For example, software programmers should not be given access to the production environment of IT systems. Requiring someone other than the programmer to promote code into production ensures that new code has been tested and approved before it reaches the environment where real transactions and information are handled. A bug in software could result in a costly shutdown, but an intentional piece of malicious code could be even worse. As an example, a disgruntled programmer for a bank who also has direct access to the production environment could load malware that diverts money to an offshore account in the programmer’s name. The theft might go unnoticed for many years, especially if it is designed to take as little as a penny from every account every few days.

Application controls

While general controls provide overall security for IT assets, application controls are designed to work with specific programs or processes. These can vary widely by application, but most fall into one of three categories:

  • Input controls monitor data entry functions to filter out erroneous information before it enters an information system. For example, a company might use Data Validation in a Microsoft Excel spreadsheet so that employees can’t accidentally record a bank deposit with a negative number.
  • Processing controls monitor the integration of raw data into the information system. As an example, a company that processes sales transactions in batches can force the processing system to confirm that the number of transactions processed (and usually their total dollar amount as well) matches what the data entry clerk input. Without processing controls, information could mysteriously disappear between the input and output stages without anyone knowing about it.
  • Output controls assure management that sensitive processed information isn’t being released to users who have no business receiving the data. For instance, it would be unwise to allow general employees to see a payroll register for the entire company.
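As an added example (not part of the original course text), the following Python sketch puts all three application controls into one toy batch-posting routine. The account numbers, amounts, roles and report names are constructed for illustration. It goes a little beyond the count check described above: the processing control reconciles a record count, a financial total and a hash total, which is the usual set of batch control totals, and the same reconciliation also catches the penny-skimming posting routine described under change management above, because the amounts that reach the ledger no longer add up to what was entered.

```python
"""Toy batch-posting system showing the three kinds of application controls:
input controls, processing controls (batch control totals) and output controls.
Constructed example; all accounts, amounts, roles and reports are invented."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed sample batch as keyed in by a data entry clerk.
CLERK_BATCH = [
    {"account": "1001", "amount": "250.00"},
    {"account": "1002", "amount": "-40.00"},   # negative deposit, must be rejected
    {"account": "1003", "amount": "12.5O"},    # letter O typed for zero, must be rejected
    {"account": "1004", "amount": "1999.99"},
]

# ---- Input control: stop bad data before it enters the system -----------------
def validate_deposit(record):
    """Return (ok, reason). A deposit must be a finite, positive amount in whole cents."""
    try:
        amount = Decimal(record["amount"])
    except (InvalidOperation, KeyError, TypeError):
        return False, "amount is not a valid number"
    if not amount.is_finite():          # rejects NaN/Infinity, which would break comparisons
        return False, "amount must be a finite number"
    if amount <= 0:
        return False, "deposit amount must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return False, "amount has fractions of a cent"
    if not str(record.get("account", "")).isdigit():
        return False, "account number must be numeric"
    return True, ""

def accept_batch(raw_records):
    """Split a keyed-in batch into accepted records and (record, reason) rejections."""
    accepted, rejected = [], []
    for rec in raw_records:
        ok, reason = validate_deposit(rec)
        if ok:
            accepted.append(rec)
        else:
            rejected.append((rec, reason))
    return accepted, rejected

# ---- Processing control: batch control totals ---------------------------------
@dataclass
class BatchControlHeader:
    """Totals computed from the accepted input before processing begins."""
    record_count: int
    financial_total: Decimal  # sum of amounts; changes if any amount is altered
    hash_total: int           # sum of account numbers; meaningless, but changes if a record is swapped

def control_header(records):
    return BatchControlHeader(
        record_count=len(records),
        financial_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        hash_total=sum(int(r["account"]) for r in records),
    )

def honest_posting(records):
    """Correct posting routine: one (account, amount) entry per input record."""
    return [(r["account"], Decimal(r["amount"])) for r in records]

def drop_last_record(records):
    """Faulty routine: silently loses the last record of the batch."""
    return honest_posting(records[:-1])

def skim_pennies(records):
    """Malicious routine of the kind described above: shaves a cent off every posting."""
    return [(acct, amt - Decimal("0.01")) for acct, amt in honest_posting(records)]

def post_batch(records, header, ledger, posting_fn=honest_posting):
    """Run the posting routine, then reconcile what was posted against the header.
    Nothing reaches the ledger unless all three totals agree."""
    posted = posting_fn(records)
    actual = BatchControlHeader(
        record_count=len(posted),
        financial_total=sum((amt for _, amt in posted), Decimal("0")),
        hash_total=sum(int(acct) for acct, _ in posted),
    )
    if actual != header:
        return {"status": "REJECTED", "expected": header, "actual": actual}
    for acct, amt in posted:
        ledger[acct] = ledger.get(acct, Decimal("0")) + amt
    return {"status": "POSTED", "records": actual.record_count}

# ---- Output control: release sensitive output only to authorized roles --------
REPORTS = {  # constructed report catalogue: name -> (roles allowed to receive it, content)
    "payroll_register": ({"payroll_manager", "controller"},
                         [{"employee": "E-100", "gross": "4200.00"},
                          {"employee": "E-101", "gross": "3900.00"}]),
    "deposit_summary": ({"teller", "controller"}, ["see ledger"]),
}

def release_report(report_name, requester_role):
    """Return the report only if the requester's role is on its distribution list."""
    roles, content = REPORTS[report_name]
    if requester_role not in roles:
        raise PermissionError(f"role {requester_role!r} may not receive {report_name!r}")
    return content
```

Run `accept_batch(CLERK_BATCH)` to see the two bad deposits rejected with reasons, then `post_batch(accepted, control_header(accepted), {})` to post the rest; passing `drop_last_record` or `skim_pennies` as the posting routine makes the reconciliation fail and leaves the ledger untouched, and `release_report("payroll_register", "teller")` raises rather than handing out payroll data.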