Information Systems Controls Lecture 5 (Chapter 6, 7 & 8)
Lecture 5-2 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Introduction
1. Explain the basic concepts of control as applied to business organizations
2. Describe the major elements in the control environment of a business
3. Describe control policies and procedures commonly used in business organizations
4. Evaluate a system of internal control, identify its deficiencies, and prescribe modifications to remedy those deficiencies
5. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.
Threats to AIS
- Natural and political disasters: fire, heat, floods, earthquakes, winds, war
- Software errors and equipment malfunctions: hardware failures, power outages, data transmission errors
- Unintentional acts: accidents, lost data, human and logic errors, systems that do not meet company needs
- Intentional acts: sabotage, computer fraud, embezzlement
AIS threats are increasing
Due to:
- The increasing number of client/server systems: LANs and client/server systems distribute data to many users, which is harder to control than a mainframe
- WANs giving customers and suppliers access to each other's systems and data, e.g. Wal-Mart and its vendors
- Better computer knowledge in the population
Therefore, computer control and security are important.
Control Concepts
Internal control is the plan and methods a business uses to:
1. safeguard assets
2. provide accurate and reliable information
3. promote and improve operational efficiency
4. encourage adherence to managerial policies
Management control:
1. is an integral part of management responsibilities
2. is designed to reduce errors and irregularities and to achieve organizational goals
3. is personnel-oriented and seeks to help employees attain company goals
Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls
Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute
COSO's Internal Control Model Components
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring performance
COSO's Model of Internal Control
Control Environment
1. Commitment to integrity and ethical values
2. Management philosophy
3. Emphasis on knowledge and skills
4. Effective audit committee
5. Assigning authority
6. Executive competence
Control Activities
1. Policies and procedures
2. Authorization of transactions
3. Segregation of duties
4. Design and use of adequate documentation
5. Safeguarding of assets and records
6. Independent checks on performance
Risk Assessment
1. Identify threats
2. Estimate risk
3. Estimate exposure
4. Identify controls
5. Estimate costs and benefits
6. Determine cost-benefit effectiveness
Information & Communication
1. Understanding of the transaction process
2. Audit trail of transactions: identify, classify and record at the proper monetary value and in the proper accounting period
3. Effective communication and proper disclosure
Monitoring Performance
1. Effective supervision: training, monitoring performance, safeguarding assets
2. Responsibility accounting: budgets, costing, performance reports
3. Internal audit
Segregation of Duties
Recording functions: preparing source documents, maintaining journals, preparing reconciliations, preparing performance reports
Custodial functions: handling cash, handling assets, writing checks, receiving checks in the mail
Authorization functions: authorization of transactions
Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
It also prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft.
Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
- cash registers
- safes, lockboxes
- safety deposit boxes
- restricted and fireproof storage areas
- controlling the environment
- restricted access to computer rooms, computer files, and information
Estimate Costs and Benefits
No internal control system can provide foolproof protection against all internal control threats; the cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss.
The benefit of a control procedure is the difference between the expected loss without the control procedure(s) and the expected loss with it.
Expected loss = risk × exposure, where risk is the probability that the threat occurs and exposure is the loss if it does.
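Worked example of this cost-benefit step, added here as an illustration (it is not from the slides or the textbook). The threat, the three candidate controls and all figures are constructed: one control lowers exposure, one lowers risk, and one removes almost all exposure but costs more than the loss it prevents, so it is rejected.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    """A candidate control and the residual risk/exposure if it is adopted (hypothetical)."""
    name: str
    annual_cost: float    # yearly cost of operating the control
    risk_with: float      # probability per year that the loss event still occurs
    exposure_with: float  # loss if the event still occurs


def expected_loss(risk: float, exposure: float) -> float:
    """Expected loss = risk (probability of the event) x exposure (loss if it occurs)."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability between 0 and 1")
    return risk * exposure


def control_benefit(risk_without: float, exposure_without: float, ctl: Control) -> float:
    """Benefit = expected loss without the control minus expected loss with it."""
    return expected_loss(risk_without, exposure_without) - expected_loss(ctl.risk_with, ctl.exposure_with)


def net_benefit(risk_without: float, exposure_without: float, ctl: Control) -> float:
    """Net benefit = benefit minus the cost of the control; negative means not cost-effective."""
    return control_benefit(risk_without, exposure_without, ctl) - ctl.annual_cost


def rank_controls(risk_without: float, exposure_without: float, controls) -> list:
    """Return (name, net benefit) for each cost-effective control, best first.
    Controls whose cost exceeds their benefit are left out."""
    scored = [(c.name, net_benefit(risk_without, exposure_without, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


# Constructed scenario (hypothetical figures): corruption of the payroll master file.
RISK_WITHOUT = 0.10            # once every ten years, with no controls
EXPOSURE_WITHOUT = 250_000.0   # loss per occurrence, with no controls

CANDIDATE_CONTROLS = [
    # reduces the exposure: the file can be restored, but the event still happens
    Control("Daily off-site backup", annual_cost=8_000.0, risk_with=0.10, exposure_with=20_000.0),
    # reduces the probability: bad data is rejected before it reaches the file
    Control("Input validation edits", annual_cost=4_000.0, risk_with=0.02, exposure_with=250_000.0),
    # nearly eliminates the exposure, but costs more than the risk it removes
    Control("Real-time mirrored site", annual_cost=60_000.0, risk_with=0.10, exposure_with=5_000.0),
]

if __name__ == "__main__":
    print(f"expected loss with no controls: {expected_loss(RISK_WITHOUT, EXPOSURE_WITHOUT):,.0f}")
    for name, nb in rank_controls(RISK_WITHOUT, EXPOSURE_WITHOUT, CANDIDATE_CONTROLS):
        print(f"{name}: net benefit {nb:,.0f}")
```

Note that the backup and the edit checks address different terms of the product (exposure and risk respectively), so they are complementary rather than alternatives; a real analysis would also evaluate them in combination.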
Information & Communication
Audit trail: an audit trail exists when individual company transactions can be traced through the system.
It provides evidence that transactions are:
- properly classified
- recorded at their proper monetary value
- recorded in the proper accounting period
- properly presented, with related disclosures, in the financial statements
Principles of a Reliable System
Availability: minimizing system downtime, disaster recovery plan
Security controls: segregation of duties, physical access control, logical access control, protection of computers and client/server networks, Internet/e-commerce control
Maintainability: project development and acquisition controls, change management control
Integrity: source data controls, input validation routines, online data entry controls, data processing and storage controls, output controls, data transmission controls
Security Controls
- Segregation of duties within the systems function
- Physical access control
- Logical access control
- Protection of personal computers and client/server networks
- Internet and e-commerce control
Segregation of Duties Within the Systems Function
Organizations must implement compensating control procedures.
Authority and responsibility must be clearly divided among the following functions:
1. Systems analysis
2. Programming
3. Computer operations
4. Users
5. AIS library
6. Data control
Physical Access Controls
How can physical access security be achieved?
- placing computer equipment in locked rooms and restricting access to authorized personnel
- having only one or two entrances to the computer room
- requiring proper employee ID
- requiring that visitors sign a log
- installing locks on PCs
Logical Access Controls
Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.
What are some logical access controls?
- passwords
- physical possession identification
- biometric identification
- compatibility tests
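A compatibility test compares the action a user requests against the authority recorded for that user in an access control matrix. The example below is added here (it is not from the slides or the textbook): the users, resources and actions in the matrix are constructed, access is denied unless the matrix explicitly grants it, every attempt is logged, and a separate check searches the matrix for one user holding both a recording action and an authorization action on the same resource, which is the segregation-of-duties conflict described earlier.

```python
from dataclasses import dataclass, field

# Constructed access control matrix (hypothetical users, resources and actions):
# (user, resource) -> actions the user is authorized to perform. No entry means no access.
ACCESS_MATRIX = {
    ("ap_clerk", "vendor_master"): frozenset({"read"}),
    ("ap_clerk", "purchase_invoices"): frozenset({"read", "create"}),
    ("ap_supervisor", "vendor_master"): frozenset({"read", "update"}),
    ("ap_supervisor", "purchase_invoices"): frozenset({"read", "approve"}),
    ("payroll_clerk", "payroll_master"): frozenset({"read", "update"}),
}

# Pairs of actions one person must not hold on the same resource:
# "create"/"update" are recording functions, "approve" is an authorization function.
INCOMPATIBLE_ACTIONS = [("create", "approve"), ("update", "approve")]


@dataclass(frozen=True)
class AccessDecision:
    allowed: bool
    reason: str


@dataclass
class CompatibilityTester:
    """Compatibility test: is the requested action compatible with the user's authority?"""
    matrix: dict
    audit_log: list = field(default_factory=list)   # every attempt, allowed or not

    def check(self, user: str, resource: str, action: str) -> AccessDecision:
        permitted = self.matrix.get((user, resource), frozenset())   # deny by default
        if action in permitted:
            decision = AccessDecision(True, "authorized")
        elif not permitted:
            decision = AccessDecision(False, f"{user} has no access to {resource}")
        else:
            decision = AccessDecision(False, f"{user} is not authorized to {action} {resource}")
        self.audit_log.append((user, resource, action, decision.allowed))
        return decision


def sod_conflicts(matrix: dict) -> list:
    """Return (user, resource, (action_a, action_b)) wherever one user holds two incompatible
    actions on the same resource. Run this whenever the matrix changes, not only at access time."""
    conflicts = []
    for (user, resource), actions in matrix.items():
        for a, b in INCOMPATIBLE_ACTIONS:
            if a in actions and b in actions:
                conflicts.append((user, resource, (a, b)))
    return conflicts


if __name__ == "__main__":
    tester = CompatibilityTester(ACCESS_MATRIX)
    for req in [("ap_clerk", "purchase_invoices", "create"),
                ("ap_clerk", "purchase_invoices", "approve"),
                ("ap_clerk", "payroll_master", "read")]:
        print(req, tester.check(*req))
    print("SoD conflicts:", sod_conflicts(ACCESS_MATRIX))
```

The denied attempts in the audit log are the more useful half of the record: a clerk repeatedly probing the payroll file is exactly what the independent checks in the monitoring component should pick up.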
Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
- Train users in PC-related control concepts.
- Restrict access by using locks/keys on PCs.
- Establish policies and procedures.
- Portable PCs should not be stored in cars.
- Back up hard disks regularly.
- Encrypt or password protect files.
- Build protective walls around systems.
- Use multilevel password controls to limit employee access to incompatible data.
Protection of PCs and Client/Server Networks
PCs are more vulnerable to security risks than mainframes because:
- it is difficult to restrict physical access
- PC users are usually less aware of the importance of security and control
- many people are familiar with the operation of PCs
- segregation of duties is very difficult
Internet & E-Commerce Controls
Caution is needed when conducting business on the Internet, because of:
- the global dependence on the Internet
- the variability in quality, compatibility, completeness, and stability of network products and services
- website security flaws and the attraction of hackers
Controls used to secure Internet activity:
- passwords and encryption technology
- routing verification procedures
- firewall: a barrier between networks that controls which information is allowed to flow into and out of the trusted network
Maintainability Controls - Project Development Controls
To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.
Key elements included in project development control:
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements
Application Controls
The objective of application controls is to ensure the integrity of a specific application's inputs, files, programs, and outputs.
Six categories of application controls:
1. Source data controls
2. Input validation routines
3. Online data entry controls
4. Data processing and file maintenance controls
5. Output controls
6. Data transmission controls
Application Controls - Source Data Controls
There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
- key verification
- check digit verification
- prenumbered forms sequence test
- turnaround documents
- authorization
Application Controls - Input Validation Routines
Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system.
These programs are called edit programs and the accuracy checks they perform are called edit checks, such as:
- sequence check
- field check
- sign check
- validity check
- limit check
- range check
- reasonableness test
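The following edit program, added here as an illustration (it is not from the slides or the textbook), covers both the check digit verification listed under source data controls and the seven edit checks listed above. The product master, credit limits and the batch of sales records are constructed; the slides do not name a check-digit scheme, so the mod-10 (Luhn) algorithm is assumed, which catches any single-digit error and most adjacent transpositions.

```python
import re
from dataclasses import dataclass


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits (assumed scheme, see lead-in)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting with the rightmost
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct check digit for the digits before it."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


# Constructed master data for the validity, limit and reasonableness checks.
PRODUCT_MASTER = {"A100": 25.00, "B200": 40.00, "C300": 12.50}   # product code -> unit price
CREDIT_LIMIT = {"79927398713": 5000.00, "12345674": 1500.00}     # account -> credit limit


@dataclass(frozen=True)
class SalesRecord:
    txn_no: int
    account: str
    product: str
    quantity: int
    amount: float


def edit_record(rec: SalesRecord, prev_txn_no) -> list:
    """Apply the edit checks to one record; return the names of the checks it failed."""
    errors = []
    if prev_txn_no is not None and rec.txn_no <= prev_txn_no:
        errors.append("sequence")          # transaction numbers must ascend within the batch
    if not re.fullmatch(r"\d+", rec.account):
        errors.append("field")             # account number must be all digits
    elif not luhn_valid(rec.account):
        errors.append("check digit")       # digits mistyped or altered
    if rec.quantity < 0:
        errors.append("sign")              # quantity sold cannot be negative
    if rec.product not in PRODUCT_MASTER:
        errors.append("validity")          # product code must exist in the master file
    if not 1 <= rec.quantity <= 1000:
        errors.append("range")             # plausible order size
    limit = CREDIT_LIMIT.get(rec.account)
    if limit is not None and rec.amount > limit:
        errors.append("limit")             # amount may not exceed the customer's credit limit
    if rec.product in PRODUCT_MASTER and abs(rec.amount - rec.quantity * PRODUCT_MASTER[rec.product]) > 0.01:
        errors.append("reasonableness")    # amount must agree with quantity x unit price
    return errors


def run_edit_program(records) -> list:
    """Return [(txn_no, [failed checks]), ...] for rejected records, in batch order."""
    rejected, prev = [], None
    for rec in records:
        errs = edit_record(rec, prev)
        if errs:
            rejected.append((rec.txn_no, errs))
        prev = rec.txn_no
    return rejected


# Constructed batch: one clean record and five that each trip at least one check.
SAMPLE_BATCH = [
    SalesRecord(1001, "79927398713", "A100", 10, 250.00),   # clean
    SalesRecord(1002, "79927398718", "A100", 2, 50.00),     # last digit altered -> check digit
    SalesRecord(1003, "12345674", "Z999", 1, 12.50),        # unknown product -> validity
    SalesRecord(1003, "12345674", "B200", -3, 120.00),      # duplicate number, negative quantity
    SalesRecord(1005, "12345674", "C300", 200, 2500.00),    # exceeds credit limit 1500 -> limit
    SalesRecord(1006, "12X45674", "A100", 4, 100.00),       # non-numeric account -> field
]

if __name__ == "__main__":
    for txn_no, errs in run_edit_program(SAMPLE_BATCH):
        print(txn_no, errs)
```

Rejected records go to an exception report for correction and re-entry; the edit program never silently fixes them, since a record that fails several checks at once (the duplicate transaction above) is more likely a keying or processing fault than a one-off typo.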
Application Controls - Online Data Entry Controls
Online data entry controls ensure the accuracy and integrity of transaction data entered from online terminals and PCs.
Some online data entry controls are:
- data checks
- user ID numbers and passwords
- compatibility tests
- prompting
- preformatting
- completeness checks
- automatic transaction data entry
- transaction logs
- clear error messages
Application Controls - Data Processing Controls
Common controls to preserve the accuracy and completeness of data processing:
- data currency checks
- default values
- data matching
- exception reporting
- external data reconciliation
- control account reconciliation
- file security
- file conversion controls
Application Controls - Output Controls
Data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
Data control is also responsible for distributing computer output to the appropriate user departments.
Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
A shredder can be used to destroy highly confidential data.
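Reconciling output control totals against input control totals, as required above and under the data processing controls, is usually done with batch totals: a record count, a financial total over a monetary field, and a hash total over a non-monetary field such as account numbers. The example below is added here (it is not from the slides or the textbook); the payment batch is constructed and the faulty processing step is a stand-in that can lose a record or rewrite a payee account. It shows why the hash total is kept even though its value means nothing: a payment redirected to another account leaves the record count and the financial total unchanged.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PaymentRecord:
    txn_no: int
    account: str      # payee account number
    amount: Decimal   # Decimal, so totals are exact


@dataclass(frozen=True)
class ControlTotals:
    record_count: int          # number of records in the batch
    financial_total: Decimal   # sum of a monetary field
    hash_total: int            # sum of a non-monetary field; meaningless as a number, useful only for comparison


def compute_totals(records) -> ControlTotals:
    """Batch control totals, computed once on input and again on output."""
    return ControlTotals(
        record_count=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(int(r.account) for r in records),
    )


def reconcile(input_totals: ControlTotals, output_totals: ControlTotals) -> list:
    """Compare input and output totals; an empty list means the batch reconciles."""
    diffs = []
    if input_totals.record_count != output_totals.record_count:
        diffs.append(f"record count: {input_totals.record_count} in, {output_totals.record_count} out")
    if input_totals.financial_total != output_totals.financial_total:
        diffs.append(f"financial total: {input_totals.financial_total} in, {output_totals.financial_total} out")
    if input_totals.hash_total != output_totals.hash_total:
        diffs.append(f"hash total: {input_totals.hash_total} in, {output_totals.hash_total} out")
    return diffs


def faulty_processing(records, drop_txn=None, redirect=None) -> list:
    """Constructed stand-in for the processing step. Records pass through unchanged unless told
    to lose one (drop_txn) or rewrite one payee account (redirect=(txn_no, new_account)),
    simulating a lost record and a misdirected payment respectively."""
    out = []
    for r in records:
        if r.txn_no == drop_txn:
            continue
        if redirect is not None and r.txn_no == redirect[0]:
            r = PaymentRecord(r.txn_no, redirect[1], r.amount)
        out.append(r)
    return out


# Constructed input batch (hypothetical account numbers and amounts).
INPUT_BATCH = [
    PaymentRecord(1, "100234", Decimal("1250.00")),
    PaymentRecord(2, "100987", Decimal("310.50")),
    PaymentRecord(3, "100456", Decimal("89.99")),
]

if __name__ == "__main__":
    before = compute_totals(INPUT_BATCH)
    print("clean run:", reconcile(before, compute_totals(faulty_processing(INPUT_BATCH))))
    print("lost record:", reconcile(before, compute_totals(faulty_processing(INPUT_BATCH, drop_txn=3))))
    print("misdirected payment:",
          reconcile(before, compute_totals(faulty_processing(INPUT_BATCH, redirect=(2, "100001")))))
```

Because the input totals are recorded by data control before processing and the output totals after it, the comparison is an independent check on the processing step rather than a check the program performs on itself.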
Application Controls - Data Transmission Controls
Companies monitor their networks to reduce the risk of data transmission failures.
Data transmission errors can be minimized by:
- using data encryption (cryptography)
- implementing routing verification procedures
- adding parity
- using message acknowledgment techniques
Data transmission controls take on added importance in organizations that use electronic data interchange (EDI) or electronic funds transfer (EFT).
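Parity and encryption protect against different things, and the distinction matters for EFT. The example below is added here (it is not from the slides or the textbook) and uses a constructed payment instruction: a parity bit catches a single flipped bit in transit but not two, and it offers no protection against a party who alters the amount and recomputes the parity. The second half appends a keyed message authentication code (HMAC-SHA256, an assumption; the slide only says "encryption") so that a tampered message is rejected by anyone who holds the shared key. Encryption alone provides confidentiality; it does not by itself tell the receiver that the message is unaltered.

```python
import hashlib
import hmac


def parity_bit(data: bytes) -> int:
    """Even-parity bit over the whole message: 1 if the count of set bits is odd, else 0."""
    return sum(bin(b).count("1") for b in data) & 1


def frame_with_parity(data: bytes) -> bytes:
    """Append the parity bit as a trailing byte (a simplified transmission frame)."""
    return data + bytes([parity_bit(data)])


def parity_ok(frame: bytes) -> bool:
    data, p = frame[:-1], frame[-1]
    return parity_bit(data) == p


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Simulate a transmission error: invert one bit of the message."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def parity_detects(data: bytes, bit_indices) -> bool:
    """Frame the message, flip the given data bits in transit, and report whether the receiver notices."""
    frame = frame_with_parity(data)
    for i in bit_indices:
        frame = flip_bit(frame, i)
    return not parity_ok(frame)


# Hypothetical shared key, constructed for this example. In practice it is random and
# provisioned to both parties out of band, e.g. under the trading partner agreement.
SHARED_KEY = b"example-shared-key-not-for-production"
TAG_LEN = 32   # bytes in a SHA-256 HMAC tag


def seal(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag: only a holder of the key can produce a tag that verifies."""
    return data + hmac.new(key, data, hashlib.sha256).digest()


def open_sealed(frame: bytes, key: bytes = SHARED_KEY):
    """Return the message if its tag verifies, else None. compare_digest avoids timing leaks."""
    data, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(expected, tag) else None


# Constructed EFT instruction and a tampered copy with the amount changed.
MESSAGE = b"PAY 000100.00 TO ACCT 100234"
TAMPERED = b"PAY 009100.00 TO ACCT 100234"

if __name__ == "__main__":
    print("parity catches one flipped bit:", parity_detects(MESSAGE, [5]))
    print("parity catches two flipped bits:", parity_detects(MESSAGE, [5, 13]))
    # an attacker who changes the amount simply recomputes the parity bit
    print("parity accepts tampered frame:", parity_ok(frame_with_parity(TAMPERED)))
    sealed = seal(MESSAGE)
    print("HMAC accepts genuine frame:", open_sealed(sealed) == MESSAGE)
    print("HMAC accepts tampered frame:", open_sealed(TAMPERED + sealed[-TAG_LEN:]) is not None)
```

A rejected tag should be logged and the message re-requested through the acknowledgment procedure, not silently dropped; a run of failures on one link is itself a signal worth reviewing.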
Application Controls - Data Transmission Controls
Sound internal control is achieved using the following control procedures:
1 Physical access to network facilities should be strictly controlled.
2 Electronic identification should be required for all authorized network terminals.
3 Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4 Encryption should be used to secure stored data as well as data being transmitted.
5 Details of all transactions should be recorded in a log that is periodically reviewed.
General Controls
General controls ensure that the overall computer system is stable and well managed:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers and client/server networks
12. Internet controls
End of Lecture 5