Information Systems Controls Lecture 5 (Chapter 6, 7 & 8)


Transcript of Information Systems Controls Lecture 5 (Chapter 6, 7 & 8)

Page 1: Information Systems Controls Lecture 5 (Chapter 6, 7 & 8)

Information Systems Controls

Lecture 5 (Chapter 6, 7 & 8)

Page 2

Lecture 5-2 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart

Introduction

1. Explain the basic concepts of control as applied to business organizations

2. Describe the major elements in the control environment of a business environment

3. Describe control policies and procedures commonly used in business organizations

4. Evaluate a system of internal control, identify its deficiencies, and prescribe modifications to remedy those deficiencies

5. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Page 3

Threats to AIS

Natural and political disasters:
– fire / heat / floods / earthquakes / winds / war

Software errors & equipment malfunctions:
– hardware failures / power outages / data transmission errors

Unintentional acts:
– accidents / lost data / human & logic errors / systems that do not meet company needs

Intentional acts:
– sabotage / computer fraud / embezzlement

Page 4

AIS threats are increasing

Due to:
– Increasing number of client/server systems. LANs and client/server systems distribute data to many users, which is harder to control than a mainframe.
– WANs are giving customers & suppliers access to each other's systems and data, e.g. Wal-Mart & its vendors.
– Better computer knowledge in the population.

Therefore, computer control & security are important.

Page 5

Control Concepts

Internal control is the plan and methods a business uses to:
1. safeguard assets
2. provide accurate and reliable information
3. promote & improve operational efficiency
4. encourage adherence to managerial policies.

Management control encompasses:
1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities and achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.

Page 6

Internal Control Classifications

The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

Page 7

Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Page 8

COSO's Internal Control Model Components

1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring performance

Page 9

COSO's Model of Internal Control

Control Environment
1. Commitment to integrity & ethical values
2. Management philosophy
3. Emphasis on knowledge and skills
4. Effective audit committee
5. Assigning authority
6. Executive competence

Control Activities
1. Policies & procedures
2. Authorization of transactions
3. Segregation of duties
4. Design & use of adequate documentation
5. Safeguarding of assets & records
6. Independent checks on performance

Risk Assessment
1. Identify threats
2. Estimate risk
3. Estimate exposure
4. Identify controls
5. Estimate costs & benefits
6. Determine cost-benefit effectiveness

Information & Communication
1. Understanding of the transaction process
2. Audit trail of transactions: identify, classify & record at proper monetary value & accounting period
3. Effective communication & proper disclosure

Monitoring Performance
1. Effective supervision: training, monitoring performance, safeguarding assets
2. Responsibility accounting: budgets, costing, performance reports
3. Internal audit

Page 10

Segregation of Duties

Recording functions:
– Preparing source documents
– Maintaining journals
– Preparing reconciliations
– Preparing performance reports

Custodial functions:
– Handling cash
– Handling assets
– Writing checks
– Receiving checks in the mail

Authorization functions:
– Authorization of transactions

Page 11

Segregation of Duties

If two of these three functions are the responsibility of a single person, problems can arise.

Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.

It also prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
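As an added example (not code from the lecture or the textbook), the two-of-three rule above can be applied mechanically to a role assignment, which is how segregation-of-duties reviews are usually automated in identity and access management. The duty names follow the previous slide; the employees, their assignments and the hypothetical duty labels are constructed sample data.

```python
# Added example: flag segregation-of-duties conflicts in a role assignment.
# Rule (from the slide): no single person should hold duties from two or more
# of the three function groups (recording, custodial, authorization).

RECORDING = "recording"
CUSTODIAL = "custodial"
AUTHORIZATION = "authorization"

# Each duty named on the "Segregation of Duties" slide, mapped to its group.
# The snake_case labels are hypothetical identifiers chosen for this example.
DUTY_GROUP = {
    "prepare_source_documents": RECORDING,
    "maintain_journals": RECORDING,
    "prepare_reconciliations": RECORDING,
    "prepare_performance_reports": RECORDING,
    "handle_cash": CUSTODIAL,
    "handle_assets": CUSTODIAL,
    "write_checks": CUSTODIAL,
    "receive_mailed_checks": CUSTODIAL,
    "authorize_transactions": AUTHORIZATION,
}


def function_groups(duties):
    """Return the set of function groups covered by a list of duties.
    An unclassified duty is an error: a review must not silently skip it."""
    unknown = [d for d in duties if d not in DUTY_GROUP]
    if unknown:
        raise ValueError(f"unclassified duties: {unknown}")
    return {DUTY_GROUP[d] for d in duties}


def sod_conflicts(assignments):
    """Return {employee: sorted list of groups} for every employee whose duties
    span two or more of the three incompatible function groups."""
    conflicts = {}
    for employee, duties in assignments.items():
        groups = function_groups(duties)
        if len(groups) >= 2:
            conflicts[employee] = sorted(groups)
    return conflicts


# Constructed sample assignment (not real data).
SAMPLE_ASSIGNMENTS = {
    "alice": ["receive_mailed_checks", "maintain_journals"],  # custodial + recording
    "bob": ["authorize_transactions"],                        # authorization only
    "carol": ["prepare_reconciliations", "prepare_performance_reports"],  # recording only
    "dave": ["write_checks", "authorize_transactions"],       # custodial + authorization
}

if __name__ == "__main__":
    for who, groups in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{who}: holds {' + '.join(groups)} duties")
```

The output lists alice (she both receives checks and keeps the journal, so she could pocket a payment and hide it in the records) and dave (he can both write and authorize checks). Bob and carol each stay within one group and are not reported.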


Page 12

Adequate Safeguards of Assets and Records

What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information


Page 13

Estimate Costs and Benefits

No internal control system can provide foolproof protection against all internal control threats. The cost of a foolproof system would be prohibitively high.

One way to calculate benefits involves calculating expected loss. The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and without it.

Expected loss = risk × exposure
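As an added example (not from the slides), here is the risk assessment sequence from the COSO model slide (identify threats, estimate risk, estimate exposure, identify controls, estimate costs and benefits, determine cost-benefit effectiveness) carried through with the formula above. Risk is taken as the probability that the threat occurs in a year and exposure as the loss if it does; the threats, probabilities and amounts are constructed figures for illustration.

```python
# Added example: cost-benefit analysis of control procedures using
# expected loss = risk x exposure (from the slide). All figures are constructed.

def expected_loss(risk, exposure):
    """Expected loss = risk (probability, 0..1) x exposure (loss amount)."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability between 0 and 1")
    if exposure < 0:
        raise ValueError("exposure cannot be negative")
    return risk * exposure


def control_benefit(risk_without, risk_with, exposure):
    """Benefit of a control = expected loss without it minus expected loss with it."""
    return expected_loss(risk_without, exposure) - expected_loss(risk_with, exposure)


def net_benefit(risk_without, risk_with, exposure, control_cost):
    """Net benefit = benefit minus the (annual) cost of the control.
    A positive value means the control is cost-effective."""
    return control_benefit(risk_without, risk_with, exposure) - control_cost


def evaluate(threats):
    """Return {threat name: net benefit} for a list of
    (name, risk_without, risk_with, exposure, control_cost) tuples."""
    return {name: net_benefit(rw, rc, exp, cost) for name, rw, rc, exp, cost in threats}


def cost_effective(threats):
    """Names of the threats whose proposed control has a positive net benefit."""
    return [name for name, value in evaluate(threats).items() if value > 0]


# Constructed sample: (name, risk without control, risk with control, exposure, control cost)
SAMPLE_THREATS = [
    ("unauthorized payroll change", 0.05, 0.01, 500_000, 8_000),
    ("server room fire", 0.002, 0.001, 2_000_000, 5_000),
]

if __name__ == "__main__":
    for name, value in evaluate(SAMPLE_THREATS).items():
        verdict = "implement" if value > 0 else "not cost-effective"
        print(f"{name}: net benefit {value:,.0f} -> {verdict}")
```

For the first threat the control cuts expected loss from 25,000 to 5,000, a benefit of 20,000 against a cost of 8,000, so it pays for itself; for the second the benefit (2,000) is below the cost (5,000), which is exactly the situation the slide describes: some exposures are cheaper to accept than to control.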


Page 14

Information & Communication

Audit trail:
o An audit trail exists when individual company transactions can be traced through the system.

Provides evidence of:
o Properly classifying transactions
o Recording transactions at their proper monetary value
o Recording transactions in the proper accounting period
o Properly presenting transactions and related disclosures in the financial statements


Page 15

Principle of a Reliable System

Availability:
o Minimizing system downtime
o Disaster recovery plan

Security controls:
o Segregation of duties
o Physical access control
o Logical access control
o Protection of computers & client/server networks
o Internet/e-commerce control

Maintainability:
o Project development and acquisition controls
o Change management control

Integrity:
o Source data controls
o Input validation routines
o On-line data entry controls
o Data processing & storage controls
o Output controls
o Data transmission controls

Page 16

Security Controls

– Segregation of duties within the systems function
– Physical access control
– Logical access control
– Protection of personal computers & client/server networks
– Internet and e-commerce control

Page 17

Segregation of Duties Within the Systems Function

Organizations must implement compensating control procedures. Authority & responsibility must be clearly divided among the following functions:
1. Systems analysis
2. Programming
3. Computer operations
4. Users
5. AIS library
6. Data control


Page 18

Physical Access Controls

How can physical access security be achieved?
– placing computer equipment in locked rooms and restricting access to authorized personnel
– having only one or two entrances to the computer room
– requiring proper employee ID
– requiring that visitors sign a log
– installing locks on PCs


Page 19

Logical Access Controls

Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.

What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests


Page 20

Protection of PCs and Client/Server Networks

Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important:
– Train users in PC-related control concepts.
– Restrict access by using locks/keys on PCs.
– Establish policies and procedures.
– Portable PCs should not be stored in cars.
– Back up hard disks regularly.
– Encrypt or password protect files.
– Build protective walls around systems.
– Use multilevel password controls to limit employee access to incompatible data.


Page 21

Protection of PCs and Client/Server Networks

PCs are more vulnerable to security risks than mainframes because:
– It is difficult to restrict physical access.
– PC users are usually less aware of the importance of security and control.
– Many people are familiar with the operation of PCs.
– Segregation of duties is very difficult.


Page 22

Internet & E-Commerce Controls

Caution when conducting business on the Internet:
– the global dependence on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
– website security flaws & attraction of hackers

Controls used to secure Internet activity:
– passwords and encryption technology
– routing verification procedures
– firewall: a barrier between the networks that does not allow information to flow into and out of the trusted network


Page 23

Maintainability Controls - Project Development Controls

To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function. Key elements included in project development control:
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements

Page 24

Application Controls

The objective of application controls is to ensure the integrity of a specific application's inputs, files, programs, and outputs.

Six categories of application controls:

1. Source data controls

2. Input validation routines

3. Online data entry controls

4. Data processing & file maintenance controls

5. Output controls

6. Data transmission controls

Page 25

Application Controls - Source Data Controls

There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
– key verification
– check digit verification
– prenumbered forms sequence test
– turnaround documents
– authorization


Page 26

Application Controls - Input Validation Routines

Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system.

These programs are called edit programs and the accuracy checks they perform are called edit checks, such as:

– sequence check
– field check
– sign check
– validity check
– limit check
– range check
– reasonableness test
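As an added example (not the lecture's or the textbook's code), the following small edit program runs each of the edit checks listed above over constructed sales-order records, and also performs the check digit verification named on the preceding source data controls slide. The record fields, the credit limit and quantity range, the product master list and the choice of the Luhn mod-10 scheme for the check digit are all assumptions made for this illustration.

```python
# Added example: an "edit program" applying the slide's edit checks plus a
# check digit verification to constructed sales-order records.
import re

VALID_PRODUCT_CODES = {"A100", "B200", "C300"}  # master list for the validity check (assumed)
CREDIT_LIMIT = 10_000                           # limit check threshold (assumed)
MIN_QTY, MAX_QTY = 1, 500                       # range check bounds (assumed)
TYPICAL_MAX_UNIT_PRICE = 1_000                  # reasonableness test bound (assumed)


def luhn_check_digit_ok(number):
    """Check digit verification (Luhn mod-10, an assumption for this example).
    Returns True when the final digit is consistent with the preceding digits;
    this catches any single mistyped digit and most adjacent transpositions."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_checks(record, previous_order_no):
    """Run the edit checks on one record; return a list of failure descriptions."""
    errors = []
    # sequence check: order numbers must arrive in ascending order
    if record["order_no"] <= previous_order_no:
        errors.append("sequence check: order_no not ascending")
    # field check: the account number must be an 8-digit numeric field ...
    if not re.fullmatch(r"\d{8}", record["account"]):
        errors.append("field check: account must be 8 digits")
    # ... and, if well-formed, must pass check digit verification
    elif not luhn_check_digit_ok(record["account"]):
        errors.append("check digit: account number fails check digit")
    # sign check: quantity must be positive
    if record["qty"] <= 0:
        errors.append("sign check: qty must be positive")
    # range check: quantity must lie within the permitted range
    elif not MIN_QTY <= record["qty"] <= MAX_QTY:
        errors.append("range check: qty outside permitted range")
    # validity check: product code must exist in the master list
    if record["product"] not in VALID_PRODUCT_CODES:
        errors.append("validity check: unknown product code")
    # limit check: order total may not exceed the credit limit
    if record["qty"] * record["unit_price"] > CREDIT_LIMIT:
        errors.append("limit check: order total exceeds credit limit")
    # reasonableness test: unit price should be plausible
    if record["unit_price"] > TYPICAL_MAX_UNIT_PRICE:
        errors.append("reasonableness test: unit price implausibly high")
    return errors


def run_edit_program(records):
    """Apply edit_checks to every record; return {order_no: [errors]} for rejects."""
    rejects = {}
    last = 0
    for rec in records:
        errs = edit_checks(rec, last)
        if errs:
            rejects[rec["order_no"]] = errs
        last = max(last, rec["order_no"])
    return rejects


# Constructed sample records. "12345674" carries a valid Luhn check digit; "12345675" does not.
SAMPLE_RECORDS = [
    {"order_no": 101, "account": "12345674", "product": "A100", "qty": 10, "unit_price": 25.0},
    {"order_no": 102, "account": "12345675", "product": "A100", "qty": 10, "unit_price": 25.0},
    {"order_no": 100, "account": "12345674", "product": "Z999", "qty": -3, "unit_price": 25.0},
    {"order_no": 103, "account": "1234567", "product": "B200", "qty": 400, "unit_price": 50.0},
    {"order_no": 104, "account": "12345674", "product": "C300", "qty": 3, "unit_price": 5000.0},
]

if __name__ == "__main__":
    for order_no, errs in run_edit_program(SAMPLE_RECORDS).items():
        print(order_no, "rejected:", "; ".join(errs))
```

Order 101 passes cleanly; 102 fails only the check digit; 100 fails the sequence, sign and validity checks; 103 fails the field and limit checks; 104 fails the limit check and the reasonableness test. Rejected records are reported rather than silently corrected, which is what keeps the edit program a detective control with a reviewable error listing.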


Page 27

Application Controls - Online Data Entry Controls

Online data entry controls ensure the accuracy and integrity of transaction data entered from online terminals & PCs.

Some online data entry controls are:
– data checks
– user ID numbers and passwords
– compatibility tests
– prompting
– preformatting
– completeness check
– automatic transaction data entry
– transaction log
– clear error messages


Page 28

Application Controls - Data Processing Controls

Common controls to preserve accuracy and completeness of data processing:
– data currency checks
– default values
– data matching
– exception reporting
– external data reconciliation
– control account reconciliation
– file security
– file conversion controls


Page 29

Application Controls - Output Controls

Data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.

Data control is also responsible for distributing computer output to the appropriate user departments.

Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.

A shredder can be used to destroy highly confidential data.


Page 30

Application Controls - Data Transmission Controls

Companies monitor the network to reduce the risk of data transmission failures. Data transmission errors can be minimized by:
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques

Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
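As an added example (not from the slides), two of the transmission controls listed above, a parity bit per byte and message acknowledgment, are simulated below with the sender and receiver in one process. The framing, the retry policy and the sample payment message are constructed for illustration; the example also shows the known limit of parity, which detects a single flipped bit in a byte but not two, which is why real links pair it with stronger codes and with the encryption the slide lists separately.

```python
# Added example: even-parity framing plus acknowledge/retransmit, simulated
# in one process. Everything here is constructed for illustration.

def even_parity_bit(byte):
    """Parity bit that makes the total number of 1-bits in byte+parity even."""
    return bin(byte).count("1") % 2


def encode(payload):
    """Frame each byte of the payload with its even-parity bit."""
    return [(b, even_parity_bit(b)) for b in payload]


def decode(frame):
    """Verify the parity of every byte. Return (payload, indexes of bad bytes)."""
    payload = bytearray()
    errors = []
    for i, (b, p) in enumerate(frame):
        if even_parity_bit(b) != p:
            errors.append(i)
        payload.append(b)
    return bytes(payload), errors


def flip_bit(frame, index, bit):
    """Simulate a transmission error: flip one bit of byte `index` in transit."""
    frame = list(frame)
    b, p = frame[index]
    frame[index] = (b ^ (1 << bit), p)
    return frame


def receive(frame):
    """Receiver side: ("ACK", payload) if every byte checks, else ("NAK", bad bytes)."""
    payload, errors = decode(frame)
    return ("ACK", payload) if not errors else ("NAK", errors)


def send_with_retry(payload, channel, max_attempts=3):
    """Sender side: transmit until the receiver acknowledges, or give up after
    max_attempts. `channel(frame, attempt)` models the link and may corrupt the frame."""
    for attempt in range(1, max_attempts + 1):
        status, _detail = receive(channel(encode(payload), attempt))
        if status == "ACK":
            return ("delivered", attempt)
    return ("failed", max_attempts)


def flaky_channel(frame, attempt):
    """Constructed link that corrupts byte 2 on the first attempt only."""
    return flip_bit(frame, 2, 4) if attempt == 1 else frame


SAMPLE_MESSAGE = b"PAY 1000 TO 12345674"   # constructed EFT-style message

if __name__ == "__main__":
    print(send_with_retry(SAMPLE_MESSAGE, flaky_channel))      # delivered on attempt 2
    twice = flip_bit(flip_bit(encode(SAMPLE_MESSAGE), 0, 0), 0, 1)
    print(receive(twice)[0], "despite two flipped bits")       # parity misses this
```

The first run needs one retransmission before the receiver acknowledges. The last two lines show the failure mode: two bit flips in the same byte leave its parity even, so the receiver acknowledges a corrupted payment message, which is the caveat a practitioner needs to remember when parity is the only integrity control on a link.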


Page 31

Application Controls - Data Transmission Controls

Sound internal control is achieved using the following control procedures:

1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.


Page 32

General Controls

General controls ensure that the overall computer system is stable and well managed:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers & client/server networks
12. Internet controls

Page 33

End of Lecture 5