9 - 1
Computer-Based Information Systems Control
General Controls
A company designs general controls to ensure that its overall computer system is stable and well managed.
The following are categories of general controls:
1 Developing a security plan
2 Segregation of duties within the systems function
3 Project development controls
4 Physical access controls
5 Logical access controls
6 Data storage controls
7 Data transmission controls
8 Documentation standards
9 Minimizing system downtime
10 Disaster recovery plans
11 Protection of personal computers and client/server networks
12 Internet controls
Developing a Security Plan
Developing and continuously updating a comprehensive security plan is one of the most important controls a company can implement.
What questions need to be asked?
» Who needs access to what information?
» When do they need it?
» On which systems does the information reside?
Segregation of Duties Within the Systems Function
In a highly integrated accounting information system (AIS), procedures that used to be performed by separate individuals are combined.
Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
To combat this threat, organizations must implement compensating control procedures.
Authority and responsibility must be clearly divided among the following functions:
1 Systems analysis
2 Programming
3 Computer operations
4 Users
5 AIS library
6 Data control
It is important that different people perform these functions. Allowing a person to perform two or more of them exposes the company to the possibility of fraud.
Project Development Controls
To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.
What key elements are included in project development control?
1 Long-range master plan
2 Project development plan
3 Data processing schedule
4 Assignment of responsibility
5 Periodic performance evaluation
6 Post-implementation review
7 System performance measurements
Physical Access Controls
How can physical access security be achieved?
– placing computer equipment in locked rooms and restricting access to authorized personnel
– having only one or two entrances to the computer room
– requiring proper employee ID
– requiring that visitors sign a log
– installing locks on PCs
Logical Access Controls
Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
What are some logical access controls?
– passwords
– physical possession identification (something the user holds, such as a badge, card or token)
– biometric identification
Data Storage Controls
Information is generally what gives a company a competitive edge and makes it viable.
A company should identify the types of data maintained and the level of protection required for each.
A company must also document the steps taken to protect data.
A properly supervised file library is one essential means of preventing loss of data.
A file storage area should also be protected against fire, dust, excess heat, or humidity.
Following are types of file labels that can be used to protect data files from misuse:
– external labels
– internal labels (volume, header, trailer)
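The internal labels just listed are the only label type a program can check for itself. The following is an added example, not code from the slides: the header and trailer layout is a constructed illustration, as are the file name and dates. The header names the file and carries its creation and expiration dates, so a program can refuse the wrong file and the system can refuse to overwrite a file whose retention period has not ended; the trailer carries a record count, so a truncated or partially copied file is caught before its records are accepted.

```python
"""Internal file labels (header and trailer records) as a data storage control.

Added example, not from the slides: the HDR/TRL layout below is a constructed
illustration of the idea, not a real tape or disk label format.
"""
from datetime import date


class LabelError(ValueError):
    """Raised when a file's internal labels do not match what the program expects."""


def write_labelled_file(file_id, created_iso, expires_iso, records):
    """Return the lines of a labelled file: one HDR record, the data, one TRL record."""
    header = f"HDR|{file_id}|{created_iso}|{expires_iso}"
    trailer = f"TRL|{len(records)}"
    return [header, *records, trailer]


def read_labelled_file(lines, expected_id):
    """Verify both labels and return only the data records.

    The header is checked before a single record is processed (wrong file),
    the trailer before the batch is accepted (truncated or incomplete file).
    """
    if not lines or not lines[0].startswith("HDR|"):
        raise LabelError("no header label: not a labelled file")
    fields = lines[0].split("|")
    if len(fields) != 4:
        raise LabelError("malformed header label")
    _, file_id, _created, _expires = fields
    if file_id != expected_id:
        raise LabelError(f"wrong file mounted: expected {expected_id}, got {file_id}")
    if len(lines) < 2 or not lines[-1].startswith("TRL|"):
        raise LabelError("no trailer label: file is truncated or still being written")
    declared = int(lines[-1].split("|")[1])
    data = lines[1:-1]
    if len(data) != declared:
        raise LabelError(f"record count mismatch: trailer says {declared}, found {len(data)}")
    return data


def may_overwrite(lines, today_iso):
    """Retention check: the file may be overwritten only once its expiration date has passed."""
    _, _file_id, _created, expires = lines[0].split("|")
    return date.fromisoformat(today_iso) >= date.fromisoformat(expires)


if __name__ == "__main__":
    # Constructed sample: a three-record payroll master that must be kept until 2024-03-01.
    payroll = write_labelled_file(
        "PAYROLL-MASTER", "2024-01-31", "2024-03-01",
        ["E1001|Smith|1200.00", "E1002|Jones|980.50", "E1003|Lee|1510.00"],
    )
    print(read_labelled_file(payroll, "PAYROLL-MASTER"))
    for bad_lines, wanted, why in (
        (payroll[:-1], "PAYROLL-MASTER", "truncated copy"),
        (payroll, "AR-MASTER", "wrong file mounted"),
    ):
        try:
            read_labelled_file(bad_lines, wanted)
        except LabelError as err:
            print(f"{why}: {err}")
    print("may overwrite on 2024-02-15:", may_overwrite(payroll, "2024-02-15"))
```

The trailer count only detects missing or extra records; it says nothing about whether the records that are present were altered, which is why the slides treat labels as protection against misuse (processing or overwriting the wrong file) rather than against tampering.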
Data Transmission Controls
To reduce the risk of data transmission failures, companies should monitor the network.
How can data transmission errors and exposures be minimized?
– using data encryption (cryptography), so that intercepted data cannot be read
– implementing routing verification procedures, so that each message reaches only its intended destination
– adding parity, so that corrupted bits are detected on receipt
– using message acknowledgment techniques, so that the sender learns whether each message arrived intact and can retransmit it if not
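Parity and message acknowledgment work as a pair: parity lets the receiver detect a damaged frame, and the acknowledgment tells the sender whether to retransmit. The following is an added example, not code from the slides; the frame layout (one sequence byte, the payload, one even-parity byte) and the ACK/NAK exchange are constructed to show both sides of the exchange and the point at which parity stops helping.

```python
"""Parity plus positive acknowledgment over a simulated link.

Added example, not from the slides: the frame layout and the ACK/NAK exchange
are constructed for illustration.
"""


def parity_bit(data):
    """Even parity: 1 if the number of set bits in data is odd, else 0."""
    return sum(bin(b).count("1") for b in data) & 1


def frame(seq, payload):
    """Sequence number + payload, followed by one parity byte over both."""
    body = bytes([seq & 0xFF]) + payload
    return body + bytes([parity_bit(body)])


def check_frame(f):
    """Return (seq, payload) if the parity byte matches, else None."""
    if len(f) < 2:
        return None
    body, p = f[:-1], f[-1]
    if parity_bit(body) != p:
        return None
    return body[0], body[1:]


def flip_bits(f, positions):
    """Simulate line noise: invert the given bit positions (0 = LSB of byte 0)."""
    out = bytearray(f)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


class Receiver:
    """Accepts frames in order, acknowledges each one, never delivers a duplicate."""

    def __init__(self):
        self.expected = 0
        self.delivered = []

    def receive(self, f):
        parsed = check_frame(f)
        if parsed is None:
            return "NAK"                       # damaged in transit: ask for retransmission
        seq, payload = parsed
        if seq == self.expected:
            self.delivered.append(payload)
            self.expected = (self.expected + 1) & 0xFF
            return f"ACK {seq}"
        if seq == (self.expected - 1) & 0xFF:
            return f"ACK {seq}"                # our earlier ACK was lost: re-ACK, do not re-deliver
        return "NAK"                           # out of sequence


def transmit(messages, receiver, channel, max_tries=5):
    """Send each message until its ACK arrives. channel(seq, try_no, frame) models the line.

    Returns the total number of frames put on the line.
    """
    total = 0
    for seq, msg in enumerate(messages):
        f = frame(seq, msg)
        for try_no in range(1, max_tries + 1):
            total += 1
            if receiver.receive(channel(seq, try_no, f)) == f"ACK {seq}":
                break
        else:
            raise RuntimeError(f"frame {seq} not acknowledged after {max_tries} tries")
    return total


def noisy_once(seq, try_no, f):
    """Constructed fault: one bit of frame 1 is flipped on its first transmission only."""
    return flip_bits(f, [13]) if (seq == 1 and try_no == 1) else f


if __name__ == "__main__":
    rx = Receiver()
    sent = transmit([b"PAY 100.00", b"PAY 250.00"], rx, noisy_once)
    print(f"{sent} frames sent, delivered: {rx.delivered}")   # 3 frames: one retransmission
    # Limitation: an even number of flipped bits leaves the parity unchanged and is accepted.
    print(check_frame(flip_bits(frame(0, b"hello"), [8, 9])))  # accepted, payload now b'kello'
```

The last line is the caveat a practitioner should keep in mind: a single parity bit catches any odd number of flipped bits and misses every even number, so it is an error-detection control against noise, not an integrity control against a deliberate modification. The slides' separate point about encryption addresses confidentiality of the data in transit, not its correctness.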
Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
In these types of environments, sound internal control is achieved using the following control procedures:
1 Physical access to network facilities should be strictly controlled.
2 Electronic identification should be required for all authorized network terminals.
3 Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4 Encryption should be used to secure stored data as well as data being transmitted.
5 Details of all transactions should be recorded in a log that is periodically reviewed.
Documentation Standards
Another important general control is a set of documentation procedures and standards that ensures documentation is clear, concise and kept current.
Documentation may be classified into three basic categories:
1 Administrative documentation
2 Systems documentation
3 Operating documentation
Minimizing System Downtime
Significant financial losses can be incurred if hardware or software malfunctions cause an AIS to fail.
What are some methods used to minimize system downtime?
– preventive maintenance
– uninterruptible power system
– fault tolerance
Disaster Recovery Plan
Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster.
What are the objectives of a recovery plan?
1 Minimize the extent of the disruption, damage, and loss.
2 Temporarily establish an alternative means of processing information.
3 Resume normal operations as soon as possible.
4 Train and familiarize personnel with emergency operations.
A sound disaster plan should contain the following elements:
1 Priorities for the recovery process
2 Backup data and program files
3 Specific assignments
4 Complete documentation
5 Backup computer and telecommunications facilities
» reciprocal agreements
» hot and cold sites
There are other aspects of disaster recovery planning that deserve mention:
The recovery plan is incomplete until it has been satisfactorily tested by simulating a disaster.
The recovery plan must be continuously reviewed and revised to ensure that it reflects the current situation.
The plan should include insurance coverage.
Protection of PCs and Client/Server Networks
Why are PCs more vulnerable to security risks than are mainframes?
» It is difficult to restrict physical access.
» PC users are usually less aware of the importance of security and control.
» Many people are familiar with the operation of PCs, so the number of people able to misuse them is large.
» Segregation of duties is very difficult.
Application Controls
The primary objective of application controls is to ensure the accuracy of a specific application’s inputs, files, programs, and outputs.
This section will discuss five categories of application controls:
1 Source data controls
2 Input validation routines
3 On-line data entry controls
4 Data processing and file maintenance controls
5 Output controls
Source Data Controls
There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
– key verification
– check digit verification
– prenumbered forms sequence test
– turnaround documents
– authorization
Input Validation Routines
Input validation routines are programs that check the validity and accuracy of input data as it is entered into the system.
These programs are called edit programs, and the accuracy checks they perform are called edit checks.
What are some edit checks used in input validation routines?
– sequence check
– field check
– sign check
– validity check
– limit check
– range check
– reasonableness test
On-Line Data Entry Controls
The goal of on-line data entry controls is to ensure the accuracy and integrity of transaction data entered from on-line terminals and PCs.
What are some on-line data entry controls?
– data checks
– user ID numbers and passwords
– compatibility tests
– prompting
– preformatting
– completeness check
– automatic transaction data entry
– transaction log
– clear error messages
Data Processing and File Maintenance Controls
What are some of the more common controls that help preserve the accuracy and completeness of data processing?
– data currency checks
– default values
– data matching
– exception reporting