Advanced Accounting Information Systems
Day 20
Control and Security Frameworks
October 9, 2009

Announcements
– Careers in accounting/IT
– Quiz 4
– Graduate student paper

Announcements
– Assignment 3
• Scoring
– Night vs day – 12 points
– Recalculate charges – 12 points
– Problem found – 3 points
– Action plan – 3 points
• Game plan
– Identify potential misclassified minutes
– Calculate rates by first identifying the most recent contracts (i.e. max(Startdate))
– Separate into flexible and fixed plans
– Calculate minutes
– Calculate charges per flexible
– Calculate charges per fixed
– Combine calculated charges per flexible and fixed (UNION)
– Compare calculated to InvoiceLine charges
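The game plan above carried through end to end, as an added example that is not part of the course materials or the assignment's dataset: the recalculation is done in SQL through sqlite3 over constructed contract, call and InvoiceLine rows, and every table and column name other than InvoiceLine and Startdate is an assumption.

```python
import sqlite3

# Constructed sample data (not the assignment's dataset); "night" = 20:00-07:59 is an assumption.
CONTRACTS = [  # cust, startdate, plan, day_rate, night_rate, monthly_fee, included_min
    ("A", "2009-01-01", "flexible", 0.10, 0.05, None, None),
    ("A", "2009-06-01", "flexible", 0.20, 0.05, None, None),  # most recent contract for A
    ("B", "2009-03-01", "fixed", 0.30, 0.30, 20.00, 100),     # overage at day_rate (assumed)
]
CALLS = [  # cust, start_hour, billed_period (what the biller used), minutes
    ("A", 9, "day", 100), ("A", 22, "day", 40),   # 22:00 call billed as day: misclassified
    ("B", 10, "day", 90), ("B", 23, "night", 30),
]
INVOICELINE = [("A", 28.00), ("B", 26.00)]  # A was billed 140 day minutes at 0.20

def recalculate(contracts=CONTRACTS, calls=CALLS, invoice=INVOICELINE):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE contract(cust, startdate, plan, day_rate, night_rate, fee, incl_min);
        CREATE TABLE calls(cust, start_hour, billed_period, minutes);
        CREATE TABLE invoiceline(cust, charge);""")
    db.executemany("INSERT INTO contract VALUES (?,?,?,?,?,?,?)", contracts)
    db.executemany("INSERT INTO calls VALUES (?,?,?,?)", calls)
    db.executemany("INSERT INTO invoiceline VALUES (?,?)", invoice)
    db.executescript("""
        -- 1. Re-derive the period from the start time so misclassified minutes show up.
        CREATE VIEW calc AS SELECT cust, start_hour, billed_period, minutes,
            CASE WHEN start_hour >= 20 OR start_hour < 8 THEN 'night' ELSE 'day' END AS period
            FROM calls;
        -- 2. Rates come from the most recent contract per customer: max(Startdate).
        CREATE VIEW latest AS SELECT c.* FROM contract c
            JOIN (SELECT cust, max(startdate) AS sd FROM contract GROUP BY cust) m
            ON m.cust = c.cust AND m.sd = c.startdate;
        -- 3./4. Minutes per customer and period, using the corrected classification.
        CREATE VIEW mins AS SELECT cust, period, sum(minutes) AS m FROM calc GROUP BY cust, period;""")
    misclassified = db.execute(
        "SELECT cust, start_hour, minutes FROM calc WHERE period <> billed_period").fetchall()
    # 5./6./7. Charges per flexible plan UNION charges per fixed plan.
    charges = """
        SELECT c.cust, round(sum(m.m * CASE m.period WHEN 'day' THEN c.day_rate
                                                      ELSE c.night_rate END), 2) AS recalc
        FROM latest c JOIN mins m ON m.cust = c.cust WHERE c.plan = 'flexible' GROUP BY c.cust
        UNION
        SELECT c.cust, round(c.fee + max(0, sum(m.m) - c.incl_min) * c.day_rate, 2)
        FROM latest c JOIN mins m ON m.cust = c.cust WHERE c.plan = 'fixed' GROUP BY c.cust"""
    # 8. Compare each recalculated charge with the InvoiceLine charge; report differences.
    exceptions = db.execute(f"""
        SELECT i.cust, i.charge, r.recalc FROM invoiceline i JOIN ({charges}) r ON r.cust = i.cust
        WHERE abs(i.charge - r.recalc) > 0.005 ORDER BY i.cust""").fetchall()
    return misclassified, exceptions
```

Customer A's 22:00 call was billed at the day rate, so the recalculated charge (22.00) differs from the invoiced 28.00 and surfaces as the "problem found"; customer B reconciles.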

Announcements
– Assignment 4
• Merger/acquisition due diligence – significantly shorter time frame
• What are the due diligence / audit objectives?
• Some of the due diligence work is already done
– Identified due diligence objectives (see Figure 3)
– Started with prior audit procedures (see Figure 3)
• No manufacturing costs since Threadchic is a retailer

Announcements
– Assignment 4
• Existence procedure
– Verify Threadchic paid for all purchases in a timely manner
» Join the invoice and payment tables using an outer join to identify any invoices that have not been paid yet
– Verify inventory is consistent with sales
» For all items, the sales price is a 100 percent markup over cost, except for marked-down items with no sale in the last 21 days. List cost and lastSalesPrice, and calculate salesToCost to determine whether each item's markup is 100 percent

Announcements
– Assignment 4
• Completeness procedure
– Verify inclusion of all purchases in inventory
» Match purchases to inventory on SKU to find purchases with no entry in inventoryMaster.QOH
» Match purchases to counted inventory on SKU to find purchases with no entry in inventoryCount.obsvQOH
» Remember – inventoryMaster is Threadchic's records
» inventoryCount – contains the number counted by the auditors
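The existence and completeness procedures for Assignment 4 as runnable SQL, an added example that is not part of the course materials or the assignment's dataset: the outer-join test for unpaid invoices, the salesToCost markup test with its 21-day marked-down exemption, and the two SKU anti-joins against inventoryMaster.QOH and inventoryCount.obsvQOH. Only those two column names come from the assignment; every other table, column and the audit date are assumptions, and the rows are constructed.

```python
import sqlite3

AS_OF = "2009-10-09"  # audit date for the 21-day rule (assumed)
# Constructed sample data. inventoryMaster.QOH and inventoryCount.obsvQOH come from the
# assignment; every other table and column name is an assumption.
INVOICE = [(1, 500.0), (2, 250.0)]             # invoiceNo, amount (Threadchic's purchases)
PAYMENT = [(1, "2009-09-01", 500.0)]           # invoiceNo, paidDate, amount; invoice 2 unpaid
PURCHASE = [("S1", 10), ("S2", 5), ("S3", 8), ("S4", 2)]  # SKU, qty
INVENTORY_MASTER = [  # SKU, QOH, cost, lastSalesPrice, lastSaleDate, markedDown
    ("S1", 10, 10.0, 20.0, "2009-10-01", 0),  # 100 percent markup: fine
    ("S2", 5, 10.0, 15.0, "2009-09-01", 1),   # marked down, no sale in 21 days: exempt
    ("S3", 8, 10.0, 15.0, "2009-10-05", 0),   # 50 percent markup, not marked down: exception
]
INVENTORY_COUNT = [("S1", 10), ("S2", 5)]       # SKU, obsvQOH (auditors' count)

def due_diligence(as_of=AS_OF):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE invoice(invoiceNo, amount);
        CREATE TABLE payment(invoiceNo, paidDate, amount);
        CREATE TABLE purchase(SKU, qty);
        CREATE TABLE inventoryMaster(SKU, QOH, cost, lastSalesPrice, lastSaleDate, markedDown);
        CREATE TABLE inventoryCount(SKU, obsvQOH);""")
    for table, rows in [("invoice", INVOICE), ("payment", PAYMENT), ("purchase", PURCHASE),
                        ("inventoryMaster", INVENTORY_MASTER), ("inventoryCount", INVENTORY_COUNT)]:
        marks = ",".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    # Existence: outer join invoices to payments; a NULL on the payment side is an unpaid invoice.
    unpaid = db.execute("""SELECT i.invoiceNo, i.amount FROM invoice i
        LEFT JOIN payment p ON p.invoiceNo = i.invoiceNo WHERE p.invoiceNo IS NULL""").fetchall()
    # Existence: salesToCost should be 2.0 (100 percent markup) unless the item is marked down
    # and has had no sale in the last 21 days.
    markup = db.execute("""SELECT SKU, cost, lastSalesPrice, round(lastSalesPrice / cost, 2)
        FROM inventoryMaster
        WHERE NOT (markedDown = 1 AND julianday(?) - julianday(lastSaleDate) > 21)
          AND abs(lastSalesPrice / cost - 2.0) > 0.001""", (as_of,)).fetchall()
    # Completeness: purchases with no matching SKU in Threadchic's records / the auditors' count.
    not_in_master = [r[0] for r in db.execute("""SELECT p.SKU FROM purchase p
        LEFT JOIN inventoryMaster m ON m.SKU = p.SKU WHERE m.QOH IS NULL ORDER BY p.SKU""")]
    not_in_count = [r[0] for r in db.execute("""SELECT p.SKU FROM purchase p
        LEFT JOIN inventoryCount c ON c.SKU = p.SKU WHERE c.obsvQOH IS NULL ORDER BY p.SKU""")]
    return {"unpaid": unpaid, "markup": markup,
            "not_in_master": not_in_master, "not_in_count": not_in_count}
```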

Objectives
– Understand risks faced by information assets
– Comprehend the relationship between risk and asset vulnerabilities
– Understand the nature and types of threats faced by the asset
– Understand the objectives of control and security of information assets and how these objectives are interrelated
– Understand the building blocks of control (and security) frameworks for information systems
– Apply a controls framework to a financial accounting system

Purpose of internal control framework

Information Assets

Threat
Probability of an attack on an information asset

Countermeasures
Designed to minimize or eliminate the risks stemming from vulnerabilities
To design countermeasures

Definition of internal control
Procedures designed by management to provide reasonable assurance regarding achievement of specific objectives
Classification of internal controls
– General vs application
– Detective, preventive, or corrective

Definition of Information Security
Protection from harm
Being able to depend on the information system
Two categories
– Physical security
– Logical security

Four objectives of internal controls

Information Security Objectives

Frameworks for control and security

COBIT control objectives
– Acquire and develop applications and system software
– Acquire technology infrastructure
– Develop and maintain policies and procedures
– Install and test application software and technology infrastructure
– Manage change
– Define and manage service levels
– Manage third-party services
– Ensure systems security
– Manage the configuration
– Manage problems and incidents
– Manage data
– Manage operations

ISO 17799
Ten categories or sections
– Security policy
– Security organization
– Asset classification and control
– Personnel security
– Physical and environmental security
– Computer and operations management
– System access control
– System development and maintenance
– Compliance

COSO
– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

Steps in Implementing a control framework

Questions for Monday
Identify at least one difference between systems availability and business continuity
Why is disaster recovery planning important?
Is disaster recovery planning cost beneficial?