Management Controls in Electronic Data Processing
by FRANCIS J. THOMASON Manager, Management Advisory Services, San Francisco Office
Adapted from a paper presented before a joint meeting of the San Francisco Area Chapter of The Institute of Internal Auditors and the Golden Gate Chapter of The National Association of Bank Auditors and Controllers—October 1967
THE SUBJECT of discussion contains two elements—Management and EDP. Both have had a wide range of meaning applied to them. Since each reader would likely apply a different interpretation to these terms, the prudent course is to state the framework within which such remarks should be considered.
As to the term "management": Who is management and what levels of the organization structure should be concerned with EDP control?
There are three general strata of the management structure who should be concerned with control of EDP. The first level in management structure to be concerned with control of EDP is the first-line supervisor—the person charged with day-to-day operation. The next is the first-line supervisor's superior, and the next is top company management.
This last-mentioned group may occupy two or three levels in the organization. Subsequent comments will be directed primarily toward those controls that should be exercised by the first-line supervisor in either EDP operations or EDP systems design. They are of interest to the internal auditor because he is the representative of top management who must look at controls in an over-all perspective; and they are of interest to the controller because in many organizations the EDP function is located in his area of responsibility.
For the purpose of discussion, the term "EDP" must be circumscribed. In the term, we will include all types of installations concerned with processing information with mechanized or electronic equipment. The functions to be included are systems planning, systems development, programming, operations, scheduling, and so-called clerical control groups. The term "EDP," therefore, should be considered in a broad functional context.
Why should internal auditors and controllers as a group be interested in how management controls EDP? Some may even ask whether it is a proper concern of the auditor to question or observe the degree of