Chapter 4-1 Prepared by Coby Harmon University of California, Santa Barbara Westmont College.


Internal Controls and Risks in IT Systems

Accounting Information Systems, 2nd Edition

Study Objectives

1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Services Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems

SO 1 An overview of internal controls for IT systems

Internal Controls for IT Systems

Accounting Information System - collects, processes, stores, and reports accounting information.

Internal controls for computer-based systems have been described as being of two types:

► General controls
► Application controls

Internal Controls for IT Systems

General controls apply overall to the IT accounting system.

Application controls are used to control inputs, processing, and outputs.

Exhibit 4-1 General and Application Controls in IT Systems

Question

Internal controls that apply overall to the IT system are called

a. Overall controls.
b. Technology controls.
c. Application controls.
d. General controls.

SO 2 General controls for IT systems

General Controls for IT Systems

Five categories of general controls:

1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business continuity

Authentication of Users and Limiting Unauthorized Users

► Log-in
► User IDs
► Password
► Smart card
► Security token
► Two-factor authentication
► Biometric devices
► Computer log
► Nonrepudiation
► User profile
► Authority table
► Configuration tables

Hacking and Other Network Break-Ins

► Firewall
► Symmetric encryption
► Public key encryption
► Wired equivalency privacy
► Wireless protected access
► Service set identifier
► Virtual private network
► Secure sockets layer
► Virus
► Antivirus software
► Vulnerability assessment
► Intrusion detection
► Penetration testing

Organizational Structure

IT governance committee, responsibilities include:

1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.

Organizational Structure

Duties to be segregated are:

► Systems analysts
► Programmers
► Operations personnel
► Database administrator
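One way to enforce this segregation in the authority table that an earlier slide lists, as an added example that is not from the textbook or these slides: a check that flags any user holding two or more of the four segregated IT functions, and a guarded grant that refuses a conflicting role and records the decision in the computer log. The user names, role names and log format are constructed sample data.

```python
from itertools import combinations

# Constructed sample authority table: user -> set of IT roles currently granted.
# Role names are assumptions; the four segregated functions are the ones the slide lists.
AUTHORITY_TABLE = {
    "alice": {"systems_analyst"},
    "bob": {"programmer", "operations"},  # can both change programs and run them: a conflict
    "carol": {"database_administrator"},
    "dave": {"programmer", "operations", "database_administrator"},
    "erin": {"help_desk"},  # not a segregated function, so never a conflict on its own
}

# Holding any two of these functions at once is a segregation-of-duties conflict.
SEGREGATED_ROLES = {"systems_analyst", "programmer", "operations", "database_administrator"}


def sod_conflicts(authority_table):
    """Return {user: [conflicting role pairs]} for every user holding two or more segregated roles."""
    conflicts = {}
    for user, roles in authority_table.items():
        held = sorted(roles & SEGREGATED_ROLES)
        if len(held) >= 2:
            conflicts[user] = list(combinations(held, 2))
    return conflicts


def grant_role(authority_table, user, role, computer_log):
    """Grant `role` to `user` unless that would create a conflict; log the outcome either way.

    The computer log entry is what a reviewer later reads to see who was granted what and
    which requests were refused, so both branches write to it.
    """
    current = authority_table.get(user, set())
    other_segregated = (current & SEGREGATED_ROLES) - {role}
    if role in SEGREGATED_ROLES and other_segregated:
        computer_log.append(
            f"DENIED user={user} role={role} conflicts_with={sorted(other_segregated)}"
        )
        return False
    authority_table.setdefault(user, set()).add(role)
    computer_log.append(f"GRANTED user={user} role={role}")
    return True


if __name__ == "__main__":
    for user, pairs in sod_conflicts(AUTHORITY_TABLE).items():
        print(f"{user}: {pairs}")
    log = []
    grant_role(AUTHORITY_TABLE, "alice", "programmer", log)  # refused: analyst + programmer
    grant_role(AUTHORITY_TABLE, "erin", "operations", log)   # allowed
    print("\n".join(log))
```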

Physical Environment and Security

Controls for an IT system should include controls over the physical environment of the system, which includes:

► Location: locate in an area that is least at risk of natural disasters such as flood, earthquake, hurricane, and fire. The location should also have a fire protection system.
► Operating environment: properly control dust, temperature, and humidity.
► Back-up systems: the system should have both an uninterruptible power supply and an emergency power supply.

Physical Environment and Security

Physical access controls:

► Limited access to computer rooms through employee ID badges or card keys
► Video surveillance equipment
► Logs of persons entering and exiting the computer rooms
► Locked storage of backup data and offsite backup data

Business Continuity

Business Continuity Planning (BCP)

Two parts of business continuity are related to IT systems:

► A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
► A disaster recovery plan.
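The backup and restoration strategy on this slide, worked through as an added example that is not from the textbook: given a constructed backup catalog, it computes which backups are needed to restore to a given date, lists days on which the expected daily backup is missing, and checks that every backup in the chain has an offsite copy. It assumes the weekly backup is a full backup and each daily backup is an incremental of the changes since the previous backup.

```python
from datetime import date, timedelta

# Constructed backup catalog, one record per backup taken. Assumption: "weekly" is a full
# backup and "daily" is an incremental of the changes since the previous backup; "offsite"
# records whether the offsite copy of that backup exists.
CATALOG = [
    {"date": date(2024, 3, 3), "kind": "weekly", "offsite": True},
    {"date": date(2024, 3, 4), "kind": "daily", "offsite": True},
    {"date": date(2024, 3, 5), "kind": "daily", "offsite": True},
    {"date": date(2024, 3, 6), "kind": "daily", "offsite": False},  # offsite copy never shipped
    # no backup of any kind was taken on 2024-03-07
    {"date": date(2024, 3, 8), "kind": "daily", "offsite": True},
    {"date": date(2024, 3, 10), "kind": "weekly", "offsite": True},
    {"date": date(2024, 3, 11), "kind": "daily", "offsite": True},
]


def restore_chain(catalog, target):
    """Backups needed to restore to `target`: the latest full on or before it, then each later daily up to it."""
    fulls = [b for b in catalog if b["kind"] == "weekly" and b["date"] <= target]
    if not fulls:
        return []  # nothing to restore from
    base = max(fulls, key=lambda b: b["date"])
    dailies = [b for b in catalog if b["kind"] == "daily" and base["date"] < b["date"] <= target]
    return [base] + sorted(dailies, key=lambda b: b["date"])


def missing_days(chain, target):
    """Days after the full and up to `target` with no backup at all; the schedule expects one every day."""
    if not chain:
        return []
    taken = {b["date"] for b in chain}
    day = chain[0]["date"] + timedelta(days=1)
    gaps = []
    while day <= target:
        if day not in taken:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


def offsite_restorable(chain):
    """True only if every backup in the chain has an offsite copy; after a site loss only those copies remain."""
    return bool(chain) and all(b["offsite"] for b in chain)


def restore_report(catalog, target_iso):
    """Summary a continuity reviewer would want for one restore point (target given as YYYY-MM-DD)."""
    target = date.fromisoformat(target_iso)
    chain = restore_chain(catalog, target)
    return {
        "chain": [b["date"].isoformat() for b in chain],
        "missing_days": [d.isoformat() for d in missing_days(chain, target)],
        "offsite_restorable": offsite_restorable(chain),
    }


if __name__ == "__main__":
    for day in ("2024-03-08", "2024-03-11"):
        print(day, restore_report(CATALOG, day))
```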

The Real World

In some organizations, loss of a key CEO could spell disaster. For example, Martha Stewart founded and became the CEO of Martha Stewart Living Omnimedia Inc. In June 2003, she was indicted for possible legal violations related to insider trading, and she stepped down as CEO. Some in the financial community wondered if the firm could continue or thrive without Martha Stewart. Part of the business continuity plan for her company should have been a strategy to operate if some event would prevent Martha Stewart from serving as CEO. Martha was convicted, served time in prison, and successfully returned to work.

Question

Which of the following is not a control intended to authenticate users?

a. User log-in.
b. Security token.
c. Encryption.
d. Biometric devices.

Question

An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?

a. Develop and maintain the database and ensure adequate controls over the database.
b. Develop, monitor, and review security policies.
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.

SO 3 General controls from a Trust Services Principles perspective

General Controls from an AICPA Trust Services Principles Perspective

AICPA Trust Services Principles categorize IT controls and risks into five categories:

a. Security - the system is protected against unauthorized (physical and logical) access.
b. Availability - the system is available for operation and use as committed or agreed.
c. Processing integrity - system processing is complete, accurate, timely, and authorized.
d. Online privacy - personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
e. Confidentiality - information designated as confidential is protected as committed or agreed.

Risks In Not Limiting Unauthorized Users

Previously covered IT controls that can lessen the risk of unauthorized users gaining access to the IT system:

a. user ID,
b. password,
c. security token,
d. biometric devices,
e. log-in procedures,
f. access levels,
g. computer logs, and
h. authority tables.

Risks From Hacking or Other Network Break-Ins

Controls that may be applied are:

► firewalls,
► encryption of data,
► security policies,
► security breach resolution,
► secure socket layers (SSL),
► virtual private network (VPN),
► wired equivalency privacy (WEP),
► wireless protected access (WPA),
► service set identifier (SSID),
► antivirus software,
► vulnerability assessment,
► penetration testing, and
► intrusion detection.

Risks From Environmental Factors

Environmental changes that affect the IT system can cause availability risks and processing integrity risks.

Physical Access Risks

Physical access to computer systems and computer rooms should be limited to those who must have access in order to carry out their job assignments.

Physical Access Risk

► Security risk is that an intruder who gains physical access may change user access levels.
► Availability risk is that unauthorized physical access may be used to physically shut down, sabotage, or destroy hardware or software.
► Processing integrity risk is that systems or programs may be shut down or sabotaged.
► Confidentiality risk is that an intruder may gain access to confidential data.

Business Continuity Risks

► Security risk is that an unauthorized person may gain access to the backup data.
► Availability risk is that as events interrupt operations, the system becomes unavailable for regular processing.
► Processing integrity risk is that business interruptions can lead to incomplete or inaccurate data.
► Confidentiality risk is that unauthorized persons may gain access to confidential data if they access backup data.

Question

AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”?

a. Security.
b. Confidentiality.
c. Processing integrity.
d. Availability.

Question

The risk that an unauthorized user would shut down systems within the IT system is a(n)

a. Security risk.
b. Availability risk.
c. Processing integrity risk.
d. Confidentiality risk.

SO 4 Hardware and software exposures in IT systems

Hardware and Software Exposures

Typical IT system components that represent “entry points” where the risks must be controlled:

1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software

Exposure Areas

Exhibit 4-6

The Operating System

The software that controls the basic input and output activities of the computer. Provides the instructions that enable the CPU to:

► read and write to disk,
► read keyboard input,
► control output to the monitor,
► manage computer memory, and
► communicate between the CPU, memory, and disk storage.

Unauthorized access would allow an unauthorized user to:

1. Browse disk files or memory for sensitive data or passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.

The Database

A large disk storage for accounting and operating data.

Controls such as:

► user IDs, passwords,
► authority tables,
► firewalls, and
► encryption

are examples of controls that can limit exposure.

The Database Management System

A software system that manages the interface between many users and the database.

Exhibit 4-7

Exhibit 4-6

Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.

LANs and WANs

A local area network, or LAN, is a computer network covering a small geographic area.

A group of LANs connected to each other is called a wide area network, or WAN.

Controls:

► limit unauthorized users
► firewalls
► encryption
► virtual private networks

Exhibit 4-6

Wireless Networks

Same kind of exposures as a local area network.

Controls include:

► wired equivalency privacy (WEP) or wireless protected access (WPA),
► service set identifiers (SSID), and
► encrypted data.

Exhibit 4-6

The Real World

Boeing Co. uses wireless networks on the floor of the large shop where it manufactures airplanes. This wireless network with notebook computers allows Boeing workers to move around the plane while they are working and view engineering drawings or parts availability during the manufacturing processes. The employees do not have to walk to a desk or workstation, away from the manufacturing flow, to access these things. Wireless networks can make employees more efficient by allowing them to roam.

The Internet and World Wide Web

The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization’s internal network of computers.

Exhibit 4-6

Telecommuting Workers and Mobile Workers

The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.

Exhibit 4-6

Electronic Data Interchange

Company-to-company transfer of standard business documents in electronic form.

EDI controls include:

► authentication,
► computer logs, and
► network break-in controls.

Exhibit 4-6

Question

The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?

a. Telecommuting workers.
b. Internet.
c. Wireless networks.
d. All of the above.

Cloud Computing

As introduced in chapter 2, cloud computing includes:

► Software and data reside with third party companies (the cloud) and not on company computers.
► Outsourcing of IT to a third party.

Advantages:

1. Scalability
2. Expanded access
3. Infrastructure is reduced
4. Cost savings

Cloud Computing

Exhibit 2-2 Cloud Hosting of Accounting Software

Cloud Computing

Risks associated with cloud computing:

► Security. All processing, storing data, and reading data occur over the Internet; therefore, the third-party provider must have good user authentication, firewalls, encryption, and virtual private network connections.
► Availability. Any interruptions in service cause the software and data to be unavailable.
► Processing integrity. All control of software installation, testing, and upgrading is transferred to the third-party provider of cloud computing services.
► Confidentiality. Risk that employees of the third-party provider can possibly browse and misuse company data.

The Real World

Starbucks uses a combination of public clouds, private clouds, and traditional corporate IT systems. In its stores, Starbucks uses Office 365 for e-mail and productivity applications such as Microsoft Word. Office 365 is the public cloud version of the Microsoft Office Suite. For e-mail and productivity applications at the corporate offices, Starbucks uses its own traditional IT systems on premises. For its customer relationship management software, Starbucks uses Salesforce.com, a public cloud application. For other accounting and Oracle ERP applications, Starbucks uses a private cloud based on virtualized servers that they maintain. This example of using various IT approaches is quite common.

SO 5 Application software and application controls

Application Software and Application Controls

Application software accomplishes end user tasks such as:

► word processing,
► spreadsheets,
► database maintenance, and
► accounting functions.

Application controls - intended to improve the accuracy, completeness, and security of input, process, and output.

Input Controls

Data input - data converted from human readable form to computer readable form.

Input controls are of four types:

1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation

Page 56

Application Software and Application Controls

Source Document Controls

Source document - paper form used to capture and record the original data of an accounting transaction.

Note:

► Many IT systems do not use source documents. In those systems, general controls such as computer logging of transactions and keeping backup files become important.

► Where source documents are used, several source document controls should be applied.

SO 5 Application software and application controls

Page 57

Application Software and Application Controls

Source Document Controls

Form Design - Both the source document and the input screen should be well designed so that they are easy to understand and use, and logically organized into groups of related data.

Form Authorization and Control:

► Area for authorization by the appropriate manager

► Prenumbered and used in sequence

► Blank source documents should be controlled

SO 5 Application software and application controls

Page 58

Application Software and Application Controls

Source Document Controls

Retention of Source Documents:

► Retained and filed for easy retrieval

► Part of the audit trail

SO 5 Application software and application controls

Page 59

Application Software and Application Controls

Standard Procedures for Data Input

Data Preparation – standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.

Error Handling:

► Errors should be logged, investigated, corrected, and resubmitted for processing

► The error log should be regularly reviewed by an appropriate manager

SO 5 Application software and application controls

Page 60

Application Software and Application Controls

Programmed Input Validation Checks

Data should be validated and edited as close to the original source of the data as possible.

Input validation checks include:

1. Field check

2. Validity check

3. Limit check

4. Range check

5. Reasonableness check

6. Completeness check

7. Sign check

8. Sequence check

9. Self-checking digit

SO 5 Application software and application controls
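The nine checks above applied to sales-order records as they arrive from data input, as an added example that is not from the textbook. The field names, the customer master list, the credit limit, the plausible unit price and the use of the Luhn mod-10 rule as the self-checking digit are all assumptions made for the illustration.

```python
# Added example (not from the textbook): programmed edit checks run over
# sales-order records; field names, master data and limits are assumed.
CRITICAL = ("seq", "customer", "account", "qty", "amount")
VALID_CUSTOMERS = {"C100", "C200", "C300"}   # assumed customer master file
CREDIT_LIMIT = 5000.0                        # assumed ceiling for one order
MAX_UNIT_PRICE = 500.0                       # assumed plausible unit price

def check_digit_ok(number: str) -> bool:
    """Self-checking digit: account number must satisfy the Luhn mod-10 rule."""
    if not number.isdigit():
        return False
    total = 0
    for i, c in enumerate(reversed(number)):
        d = int(c) * (2 if i % 2 else 1)     # double every second digit
        total += d if d < 10 else d - 9      # 10..18 -> sum of its digits
    return total % 10 == 0

def edit_checks(rec: dict, prev_seq: int) -> list:
    """Names of every edit check the record fails; [] means the record is clean."""
    if any(not rec.get(f) for f in CRITICAL):               # completeness check
        return ["completeness"]
    if not (rec["seq"].isdigit() and rec["qty"].isdigit()):  # field check
        return ["field"]                                     # (numeric fields)
    failed = []
    if rec["customer"] not in VALID_CUSTOMERS:               # validity check
        failed.append("validity")
    if not check_digit_ok(rec["account"]):                   # self-checking digit
        failed.append("check_digit")
    if int(rec["seq"]) <= prev_seq:                          # sequence check
        failed.append("sequence")
    amount, qty = float(rec["amount"]), int(rec["qty"])
    if amount < 0:                                           # sign check
        failed.append("sign")
    if amount > CREDIT_LIMIT:                                # limit check
        failed.append("limit")
    if not 1 <= qty <= 100:                                  # range check
        failed.append("range")
    elif amount / qty > MAX_UNIT_PRICE:                      # reasonableness check:
        failed.append("reasonableness")                      # amount vs. quantity
    return failed

# Constructed sample batch: record 1 is clean, each later record trips checks.
SAMPLE = [
    {"seq": "1", "customer": "C100", "account": "79927398713", "qty": "4", "amount": "120.00"},
    {"seq": "2", "customer": "C999", "account": "79927398713", "qty": "3", "amount": "-50.00"},
    {"seq": "2", "customer": "C200", "account": "79927398710", "qty": "500", "amount": "9000.00"},
    {"seq": "4", "customer": "C300", "account": "79927398713", "qty": "1", "amount": "4000.00"},
]
RESULTS = [edit_checks(r, p) for r, p in zip(SAMPLE, (0, 1, 2, 2))]  # p = last accepted seq
```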

Page 61

Application Software and Application Controls

Control Totals and Reconciliation

Control totals are subtotals of selected fields for an entire batch of transactions.

Three types:

► record counts,

► batch totals, and

► hash totals.

SO 5 Application software and application controls
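The three control totals computed for a constructed batch and reconciled after processing, as an added example that is not from the textbook; the record layout (an account number and an amount) and all values are assumed. It also shows why the hash total is kept: a transposed account number leaves the record count and batch total unchanged but alters the hash total.

```python
# Added example (not from the textbook): control totals for a batch of
# transactions and the reconciliation run after processing. Record layout
# and values are constructed for the illustration.
from decimal import Decimal

def control_totals(batch: list) -> dict:
    """Record count, batch total of the amount field, and hash total of the
    account-number field, which is summed for control purposes only."""
    return {
        "record_count": len(batch),
        "batch_total": sum(Decimal(r["amount"]) for r in batch),
        "hash_total": sum(int(r["account"]) for r in batch),
    }

def reconcile(expected: dict, processed: list) -> list:
    """Recompute the totals from the processed records and return the names
    of the control totals that no longer agree with the input totals."""
    actual = control_totals(processed)
    return [name for name in expected if expected[name] != actual[name]]

# Constructed input batch; its totals are taken before the batch is submitted.
INPUT_BATCH = [
    {"account": "10234", "amount": "1200.00"},
    {"account": "20871", "amount": "850.50"},
    {"account": "30019", "amount": "2310.25"},
]
EXPECTED = control_totals(INPUT_BATCH)

# Constructed processing outcomes to reconcile against EXPECTED.
CLEAN = list(INPUT_BATCH)                         # nothing changed
DROPPED = INPUT_BATCH[:2]                         # one record lost in processing
TRANSPOSED = [dict(INPUT_BATCH[0], account="10324")] + INPUT_BATCH[1:]
# TRANSPOSED swaps two digits of one account number: the record count and
# batch total still agree, so only the hash total exposes the change.

def run() -> dict:
    """Reconciliation result per outcome; an empty list means all totals agree."""
    return {name: reconcile(EXPECTED, batch)
            for name, batch in (("clean", CLEAN), ("dropped", DROPPED),
                                ("transposed", TRANSPOSED))}
```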

Page 62

Application Software and Application Controls

Processing Controls

Intended to prevent, detect, or correct errors that occur during processing.

► Ensure that application software has no errors.

► Control totals, limit and range tests, and reasonableness and sign tests.

► Computer logs of transactions processed, production run logs, and error listings.

SO 5 Application software and application controls

Page 63

Application Software and Application Controls

Output Controls

Reports from the various applications.

Two primary objectives of output controls:

► to assure the accuracy and completeness of the output, and

► to properly manage the safekeeping of output reports so that the security and confidentiality of the information are maintained.

SO 5 Application software and application controls

Page 64

Application Software and Application Controls

Question

Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?

a. Completeness check.

b. Validity check.

c. Reasonableness check.

d. Completeness check.

SO 5 Application software and application controls

Page 65

Application Software and Application Controls

Question

Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?

a. Completeness check.

b. Validity check.

c. Reasonableness check.

d. Field check.

SO 5 Application software and application controls

Page 66

Application Software and Application Controls

Question

Which programmed input validation check makes sure that a value was entered in all of the critical fields?

a. Completeness check.

b. Validity check.

c. Reasonableness check.

d. Field check.

SO 5 Application software and application controls

Page 67

Application Software and Application Controls

Question

Which control total is the total of field values that are added for control purposes, but not added for any other purpose?

a. Record count.

b. Hash total.

c. Batch total.

d. Field total.

SO 5 Application software and application controls

Page 68

Ethical Issues in IT Systems

Besides fraud, there are many kinds of unethical behaviors related to computers, such as:

► Misuse of confidential customer information.

► Theft of data, such as credit card information, by hackers.

► Employee use of IT system hardware and software for personal use or personal gain.

► Using company e-mail to send offensive, threatening, or sexually explicit material.

SO 6 Ethical issues in IT systems

Page 69

The Real World

An unusual case of computer abuse occurred at a federal agency that regulates financial aspects of companies. The Securities and Exchange Commission (SEC) detected senior managers spending excessive hours viewing pornography during regular working hours. One SEC attorney spent as much as eight hours a day viewing pornography on his office computer. A congressional investigation revealed that 33 high-level SEC staffers in Washington, D.C., were involved in such abuse of computers. Ironically, this misconduct was occurring during the same time that this agency should have been monitoring and reviewing banking institutions and other companies involved in the country’s financial meltdown.

SO 6 Ethical issues in IT systems

Page 70

Copyright

Copyright © 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.