Internal Control and End-User Computing
The National Commercial Bank has 15 branches and maintains a mainframe computer system at its corporate headquarters. National has recently undergone an examination by the state banking examiners, and the examiners have some concerns about National's computer operations.
During the last few years, each branch has purchased a number of microcomputers to communicate with the mainframe in the emulation mode. Emulation occurs when a microcomputer attaches to a mainframe computer and, with the use of the appropriate software, can act as if it is one of the mainframe terminals. The branch also uses these microcomputers to download information from the mainframe and, in the local mode, manipulate customer data to make banking decisions at the branch level. Each microcomputer is initially supplied with a word processing application package to formulate correspondence to the customers, a spreadsheet package to perform credit and financial loan analyses beyond the basic credit analysis package on the mainframe, and a database management package to formulate customer market and sensitivity information. National's centralized data processing department is responsible only for mainframe operations; microcomputer security is the responsibility of each branch.
Because the bank examiners believe National is at risk, they have advised the bank to review the recommendations suggested in a letter issued by banking regulatory agencies in 1988. This letter emphasizes the risks associated with end-user operations and encourages banking management to establish sound control policies. More specifically, microcomputer end-user operations have outpaced the implementation of adequate controls and have taken processing control out of the centralized environment, introducing vulnerability in new areas of the bank.
The letter also emphasizes that the responsibility for corporate policies identifying management control practices for all areas of information processing activities resides with the board of directors. The existence and adequacy of, and compliance with these policies and practices will be part of the regular banking examiners' review. The three required control groups for adequate information system security as they relate to National are (1) processing controls, (2) physical and environmental controls, and (3) spreadsheet program development controls.
Required:
For each of the three control groups listed
a. Identify three types of controls for microcomputer end-user operations where National Commercial Bank might be at risk, and
b. Recommend a specific control procedure that National should implement for each type of control you identified.