Post on 22-Dec-2015
TRANSCRIPT
Chapter 9-1
Chapter 9
Computer Controls for Accounting Information Systems
Chapter 9-2
Chapter 9
Computer Controls for
Accounting Information Systems
Introduction
General Controls For Organizations
Integrated Security for the Organization
Organization-Level, Personnel, File Security Controls
Fault-Tolerant Systems, Backup, and Contingency
Planning and Computer Facility Controls
Access to Computer Files
Chapter 9-3
Chapter 9
Computer Controls for
Accounting Information Systems
Information Technology General Controls
Security for Wireless Technology
Controls for Hardwired Network Systems
Security and Controls for Microcomputers
IT Control Objectives for Sarbanes-Oxley
Application Controls For Transaction Processing
Input, Processing, and Output Controls
Chapter 9-4
Introduction
Internal control systems focus on
specific security in organizations
control procedures to ensure effective use of resources
efficient utilization of resources
Primary challenges associated with connectivity
protection of sensitive data and information stored or transferred
providing appropriate security and control procedures
Chapter 9-5
General Controls For Organizations
Developing an appropriate security policy involves
identifying and evaluating assets
identifying threats
assessing risk
assigning responsibilities
establishing security policies and platforms
implementing across the organization
managing the security program
Chapter 9-6
Integrated Security for the Organization
Organizations
are dependent on networks for transactions, data sharing, and communications
need to give access to customers, suppliers, partners, and others
Security threats for organizations arise from
the complexity of these networks
the accessibility requirements present
Chapter 9-7
Integrated Security for the Organization
Key security technologies that can be integrated include
intrusion detection systems
firewalls
biometrics and others
An integrated security system
reduces the risk of attack
increases the costs and resources needed by an intruder
Chapter 9-8
General Controls within IT Environments
Organizational level controls
Personnel Controls
File Security Controls
Fault-Tolerant Systems, Backup, and Contingency Planning
Computer Facility Controls
Access to Computer Files
Chapter 9-9
Organization-Level Controls
Important controls include
consistent policies and procedures
management's risk assessment process
centralized processing and controls
controls to monitor results of operations
controls to monitor the internal audit function, the audit committee, and self-assessment programs
the period-end financial reporting process
board-approved policies that address significant business control and risk management practices
Chapter 9-10
Personnel Controls
An AIS depends heavily on people for
the creation of the system,
the input of data into the system,
the supervision of data processing
distribution of processed data, and
the use of approved controls
Chapter 9-11
Personnel Controls
General controls that affect personnel include
separation of duties
use of computer accounts
separation of duties control procedures
Chapter 9-12
Separation of Duties
Separation of duties should be designed and implemented in two ways:
separate accounting and information processing subsystems
separate the responsibilities within the IT environment
Chapter 9-13
Separation of Duties
Separate responsibilities within the IT environment:
designated operational (user) subsystems, not the IT function, initiate and authorize transactions and keep custody of assets
the IT function detects errors in processing data, enters them on an error log, and refers them back to the specific user subsystem for correction
Chapter 9-14
Division of Responsibility
Division of responsibility functions within an IT environment can be on the following lines:
systems analysis function
data control function
programming function
computer operations function
transaction authorization function
AIS library function
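Separation of duties is only a control if someone checks the actual assignments against it. The following is an added example, not code from the textbook or its publisher: it takes the six IT functions the slide lists and flags any user who holds an incompatible pair. Which pairs count as incompatible is an assumption made here for illustration (a real organization derives the matrix from its own policy), and the sample assignments are constructed.

```python
"""Separation-of-duties (SoD) conflict check over an IT role assignment.

Added example; not code from the textbook.  The six functions are the ones
the slide lists.  Which pairs of functions are incompatible is an
assumption made here for illustration (a real organization derives this
from its own policy), as is the sample assignment below.
"""
from itertools import combinations

FUNCTIONS = {
    "systems_analysis", "data_control", "programming",
    "computer_operations", "transaction_authorization", "ais_library",
}

# Assumed incompatible pairs.  Each comment states the abuse the split prevents.
INCOMPATIBLE = {
    frozenset({"programming", "computer_operations"}),        # write code and run it on production unobserved
    frozenset({"programming", "ais_library"}),                 # swap a tested program for a modified one
    frozenset({"computer_operations", "ais_library"}),         # run an unapproved program version
    frozenset({"transaction_authorization", "programming"}),   # authorize a transaction and alter its processing
    frozenset({"transaction_authorization", "computer_operations"}),
    frozenset({"transaction_authorization", "data_control"}),  # authorize and then reconcile one's own work
}


def sod_conflicts(assignments):
    """assignments maps user -> iterable of function names.

    Returns a sorted list of (user, function_a, function_b), one entry per
    incompatible pair a single user holds.  Unknown function names raise
    ValueError so a typo cannot silently bypass the check."""
    conflicts = []
    for user, funcs in assignments.items():
        held = set(funcs)
        unknown = held - FUNCTIONS
        if unknown:
            raise ValueError(f"{user}: unknown function(s) {sorted(unknown)}")
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append((user, a, b))
    return sorted(conflicts)


def unassigned_functions(assignments):
    """Functions nobody holds: a coverage gap, which is its own control
    failure (for example, nobody performing data control)."""
    held = set()
    for funcs in assignments.values():
        held.update(funcs)
    return sorted(FUNCTIONS - held)


# Constructed sample: a small IT department.  bob and carol violate the policy.
SAMPLE_ASSIGNMENTS = {
    "alice": ["systems_analysis"],
    "bob": ["programming", "computer_operations"],
    "carol": ["data_control", "transaction_authorization"],
    "dave": ["ais_library"],
}

if __name__ == "__main__":
    for user, a, b in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    print("unassigned functions:", unassigned_functions(SAMPLE_ASSIGNMENTS))
```

The check is cheap enough to run on every change to the account directory; in practice the conflict list is what an auditor asks for first, and the unassigned list catches the opposite failure, where a function has quietly been left with no owner.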
Chapter 9-15
Use of Computer Accounts
Use of computer accounts helps to ensure access is limited to specific users
mostly by using passwords
nowadays by use of biometrics (digital fingerprinting)
protects use of scarce resources
Chapter 9-16
Use of Computer Accounts
limit user access to particular computer files or programs
protect files from unauthorized use
protect computer time from unauthorized use
place resource limitations on account numbers, which limits programmer/operator errors
Chapter 9-17
File Security Controls
The purpose of file security controls is to protect computer files from
accidental abuse
intentional abuse
Chapter 9-18
File Security Controls
Some examples of file security controls are
external file labels
internal file labels
lockout procedures
file protection rings
read-only file designation
Chapter 9-19
Fault-Tolerant Systems
Fault-tolerant systems
are designed to tolerate computer errors and keep functioning
are often based on the concept of redundancy
are created by instituting duplicate communication paths and communications processors
Chapter 9-20
Fault-Tolerant Systems
Redundancy in CPU processing can be achieved
with consensus-based protocols
with a second watchdog processor
Disks can be made fault-tolerant
by a process called disk mirroring
by rollback processing
Chapter 9-21
Backup
Backup
is essential for vital documents
is batch processed using the grandfather-parent-child procedure
can be electronically transmitted to remote sites (vaulting)
needs an uninterruptible power system (UPS) as an auxiliary power supply
Chapter 9-22
Backup
similar to the redundancy concept in fault-tolerant systems
a hot backup is performed while the database is online and available for read/write
a cold backup is performed while the database is offline and unavailable to its users
Chapter 9-23
Contingency Planning
Contingency planning includes the development of a formal disaster recovery plan, which
describes procedures to be followed in an emergency
describes the role of each member of the team
appoints one person to be in command and another to be second-in-command
involves a recovery site that can be either a hot site or a cold site
Chapter 9-24
Computer Facility Controls
Locate the data processing center in a safe place where
the public does not have access
it is guarded by personnel
there are a limited number of secured entrances
there is protection against natural disasters
Chapter 9-25
Computer Facility Controls
Limit employee access by incorporating magnetic, electronic, or optical coded identification badges
Buy insurance
Chapter 9-26
Access to Computer Files
Logical access to data is restricted by
password codes and identifications (encourage strong passwords)
biometric identifications with voice patterns, fingerprints, and retina prints
Chapter 9-27
INFORMATION TECHNOLOGY GENERAL CONTROLS
The objective of these controls is to provide assurance that
the development of and changes to computer programs are authorized, tested, and approved before their usage
access to data files is restricted
processed accounting data are accurate and complete
Chapter 9-28
Control Concerns
Errors may be magnified
Inadequate separation of duties
Audit trails
Greater access to data
Characteristics of magnetic or optical media
Chapter 9-29
INFORMATION TECHNOLOGY GENERAL CONTROLS
IT general controls involve
Security for Wireless Technology
Controls for Hardwired Network Systems
Security and Controls for Microcomputers
IT Control Objectives for Sarbanes-Oxley
Chapter 9-30
Security for Wireless Technology
Security for wireless technology involves
a virtual private network (VPN)
data encryption
Chapter 9-31
Controls for Hardwired Network Systems
The routine use of systems such as DDP (distributed data processing) and client/server computing increases control problems for companies, which include
electronic eavesdropping
hardware or software malfunctions causing computer network system failures
errors in data transmission
Chapter 9-32
Controls for Hardwired Network Systems
To reduce the risk of system failures, networks are designed
to handle periods of peak transmission volume
to use redundant components, such as modems
to recover from failure using checkpoint control procedure
to use routing verification procedures
to use message acknowledgment procedures
Chapter 9-33
Security and Controls for Microcomputers
General and application control procedures are important to microcomputers.
Most risks associated with AISs result from
errors, irregularities, or fraud
general threats to security (such as a computer virus)
Some of the risks that are unique to the microcomputer are
Hardware - microcomputers can be easily stolen or destroyed
Data and software - easy to access, modify, copy, or destroy; therefore difficult to control
Chapter 9-34
Control Procedures for Microcomputers
Some cost-effective control procedures are
take inventory
install keyboard locks
lock laptops in cabinets
follow software protection procedures
create back-up files
lock office doors
Chapter 9-35
Additional Controls for Laptops
Some specific controls for the laptop are
identify your laptop
use nonbreakable cables to attach laptops to stationary furniture
load antivirus software
keep laptop information backed up
Chapter 9-36
IT Control Objectives for Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 (SOX) profoundly impacts
public companies
managers
the internal auditors
the external auditors
Chapter 9-37
IT Control Objectives for Sarbanes-Oxley
The IT Governance Institute (ITGI) issued ‘IT Control Objectives for Sarbanes-Oxley’ in April 2004, which
helps organizations comply with SOX requirements and
the PCAOB requirements
includes detailed guidance for organizations by starting with the IT controls from CobiT and
linking those to the IT general control categories in the PCAOB standard,
and then linking to the COSO framework
Chapter 9-38
Application Controls for Transaction Processing
Application controls are designed to
prevent, detect, and correct errors and irregularities in transactions
in the input, processing, and output stages of data processing
Chapter 9-39
Application Controls for Transaction Processing
Chapter 9-40
Input Controls
Input controls attempt to ensure the
validity
accuracy
completeness
of the data entered into an AIS
The categories of input controls include
observation, recording, and transcription of data
edit tests
additional input controls
Chapter 9-41
Observation, Recording, and Transcription of Data
The observation control procedures to assist in collecting data are
feedback mechanism
dual observation
point-of-sale (POS) devices
preprinted recording forms
Chapter 9-42
Data Transcription
Data transcription is the preparation of data for computerized processing
Preformatted screens make the electronic version look like the printed version
Chapter 9-43
Edit Tests
Input validation routines (edit programs)
check the validity
check the accuracy
after the data have been entered and recorded on a machine-readable file of input data
Chapter 9-44
Edit Tests
Edit tests examine selected fields of input data and reject those transactions whose data fields do not
meet the pre-established standards of data quality
Real-time systems use edit checks during data entry.
Chapter 9-45
Examples of Edit Tests
Common edit tests check a field for being
numeric
alphabetic
alphanumeric
a valid code
reasonable
of the correct sign
complete
in sequence
consistent with other fields
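The edit tests above are easiest to understand as a small validation routine run over a batch before any record reaches processing. The block below is an added example, not code from the textbook or its publisher. The record layout (seq, type, cust, name, qty, amount), the customer master file, the reasonableness limits and the sample batch are all constructed here for illustration; a record that fails any test is rejected to the error log rather than processed, as the slides describe.

```python
"""Edit tests applied to a batch of sales transactions before processing.

Added example; not code from the textbook.  The record layout (seq, type,
cust, name, qty, amount), the customer master file, the reasonableness
limits and the sample batch are all constructed here for illustration.
"""
import re

VALID_TYPES = {"SAL", "RET"}                      # sale, return
CUSTOMER_MASTER = {"C1001", "C1002", "C2045"}     # constructed master file
MAX_QTY, MAX_AMOUNT = 1000, 50_000.0              # assumed reasonableness limits
REQUIRED = ("seq", "type", "cust", "name", "qty", "amount")


def _is_number(value):
    try:
        float(value)
        return True
    except (TypeError, ValueError):
        return False


def edit_tests(rec):
    """Field-level edit tests on one record.  Returns the names of the
    tests the record fails (empty list = record passes)."""
    # completeness: every required field present and non-blank
    if any(not str(rec.get(f, "")).strip() for f in REQUIRED):
        return ["completeness"]          # other tests are meaningless on a partial record
    failed = []
    # numeric field test
    if not all(_is_number(rec[f]) for f in ("seq", "qty", "amount")):
        failed.append("numeric")
    # alphabetic field test (letters and spaces only)
    if not re.fullmatch(r"[A-Za-z][A-Za-z ]*", rec["name"]):
        failed.append("alphabetic")
    # alphanumeric field test
    if not re.fullmatch(r"[A-Za-z0-9]+", rec["cust"]):
        failed.append("alphanumeric")
    # valid code test: transaction type and customer must exist in the master lists
    if rec["type"] not in VALID_TYPES or rec["cust"] not in CUSTOMER_MASTER:
        failed.append("valid_code")
    if "numeric" not in failed:
        qty, amount = float(rec["qty"]), float(rec["amount"])
        if amount < 0:                                   # sign test
            failed.append("sign")
        if abs(qty) > MAX_QTY or amount > MAX_AMOUNT:    # reasonableness test
            failed.append("reasonableness")
        # consistency test: a sale ships a positive quantity, a return a negative one
        if (rec["type"] == "SAL" and qty <= 0) or (rec["type"] == "RET" and qty >= 0):
            failed.append("consistency")
    return failed


def validate_batch(records):
    """Run edit_tests on each record plus the sequence test across the batch.
    Returns (accepted_records, rejected) with rejected = [(seq, [failed tests])].
    Rejected records go to the error log for correction; they are not processed."""
    accepted, rejected = [], []
    last_seq = None
    for rec in records:
        failed = edit_tests(rec)
        seq = rec.get("seq")
        if _is_number(seq):                               # sequence test: strictly ascending
            n = int(float(seq))
            if last_seq is not None and n <= last_seq:
                failed.append("sequence")
            else:
                last_seq = n
        if failed:
            rejected.append((seq, failed))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: record 101 is clean, every other record trips at least one test.
SAMPLE_BATCH = [
    {"seq": "101", "type": "SAL", "cust": "C1001", "name": "Acme Supply", "qty": "10", "amount": "250.00"},
    {"seq": "102", "type": "SAL", "cust": "C9999", "name": "Ghost Corp", "qty": "5", "amount": "100.00"},
    {"seq": "103", "type": "RET", "cust": "C1002", "name": "Beta Ltd", "qty": "4", "amount": "80.00"},
    {"seq": "103", "type": "SAL", "cust": "C2045", "name": "Gamma Co", "qty": "2000", "amount": "60000.00"},
    {"seq": "105", "type": "SAL", "cust": "C1001", "name": "Acme Supply", "qty": "1", "amount": ""},
    {"seq": "106", "type": "SAL", "cust": "C1001", "name": "Acme 2", "qty": "1", "amount": "-5.00"},
]

if __name__ == "__main__":
    accepted, rejected = validate_batch(SAMPLE_BATCH)
    print(f"accepted {len(accepted)} of {len(SAMPLE_BATCH)} records")
    for seq, failed in rejected:
        print(f"  rejected seq {seq}: failed {', '.join(failed)}")
```

Note that the sequence test is the only one that needs state across records, which is why it lives in validate_batch rather than edit_tests, and that a record failing completeness is not run through the other tests: reporting "numeric" on a blank field would only mislead the clerk correcting it.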
Chapter 9-46
Processing Controls
Processing controls focus on the manipulation of accounting data after they are input to the computer system.
Key objective is a clear audit trail
Processing controls are of two kinds:
data-access controls
data manipulation controls
Chapter 9-47
Data-Access Control Totals
Some common processing control procedures are
batch control total
financial control total
nonfinancial control total
hash total
record count
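Control totals are the processing-stage counterpart of edit tests: data control stamps totals on the batch when it is built, and processing recomputes and compares them. The block below is an added example, not code from the textbook or its publisher, covering the four totals listed above (record count, financial total, nonfinancial total, hash total). The batch layout (customer account number, quantity, amount in whole cents) and the sample records are constructed; the two tampering helpers exist only to show which total catches which error.

```python
"""Batch control totals: record count, financial total, nonfinancial total, hash total.

Added example; not code from the textbook.  The batch layout (customer
account number, quantity, amount in whole cents) and the sample records are
constructed here.  Amounts are integer cents so the financial total is exact.
"""


def compute_control_totals(records):
    """Recompute the four totals the slide lists from the detail records."""
    return {
        "record_count": len(records),
        "financial_total": sum(r["amount_cents"] for r in records),  # money field
        "nonfinancial_total": sum(r["quantity"] for r in records),   # non-money numeric field
        # hash total: sum of a field (here account numbers) that has no meaning
        # as a number, kept only so a substituted or mis-keyed account shows up
        "hash_total": sum(r["account"] for r in records),
    }


def reconcile(batch_header, records):
    """Compare the totals data control stamped on the batch header with
    totals recomputed from the records that actually reached processing.
    Returns a sorted list of (total_name, expected, actual) for each
    mismatch; an empty list means the batch reconciles."""
    actual = compute_control_totals(records)
    return sorted(
        (name, batch_header[name], actual[name])
        for name in actual
        if batch_header[name] != actual[name]
    )


# Constructed sample batch as prepared by the user department.
SAMPLE_BATCH = [
    {"account": 4012, "quantity": 3, "amount_cents": 15025},
    {"account": 4107, "quantity": 1, "amount_cents": 9950},
    {"account": 4350, "quantity": 12, "amount_cents": 30000},
]
# Header totals are computed when the batch is built, before it leaves
# data control; processing recomputes them and compares.
SAMPLE_HEADER = compute_control_totals(SAMPLE_BATCH)


def lost_record(records):
    """A batch that lost its second record in transit: every total moves."""
    return records[:1] + records[2:]


def transposed_account(records):
    """A batch where one account number was mis-keyed as 4170 instead of
    4107.  Amount, quantity and record count are unchanged, so only the
    hash total can reveal it."""
    altered = [dict(r) for r in records]
    altered[1]["account"] = 4170
    return altered


if __name__ == "__main__":
    print("clean batch:        ", reconcile(SAMPLE_HEADER, SAMPLE_BATCH))
    print("lost record:        ", reconcile(SAMPLE_HEADER, lost_record(SAMPLE_BATCH)))
    print("transposed account: ", reconcile(SAMPLE_HEADER, transposed_account(SAMPLE_BATCH)))
```

The transposed-account case is the reason hash totals exist at all: a financial total and a record count both still agree after a digit transposition in a non-money field, so a batch with the wrong customer charged would pass every other total.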
Chapter 9-48
Data Manipulation Controls
Once data has been validated by earlier portions of data processing, they usually must be manipulated in some way to produce useful output.
Data manipulation controls include:
software documentation, i.e. flow charts and diagrams
compiler
test data
Chapter 9-49
Output Controls
The objective of output controls is to ensure
validity
accuracy
completeness
Two major types of output application controls are
validating processing results by activity (or proof) listings
Chapter 9-50
Output Controls
regulating the distribution and use of printed output through
prenumbered forms
an authorized distribution list
shredding sensitive documents
Chapter 9-51
Copyright
Copyright 2008 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
Chapter 9-52
Chapter 9