advanced accounting information systems day 20 control and security frameworks october 9, 2009

Advanced Accounting Information Systems

Advanced Accounting Information Systems

Day 20

Control and Security FrameworksOctober 9, 2009

announcementsannouncements

– Careers in accounting/IT– Quiz 4– Graduate student paper

announcementsannouncements

– Assignment 3 • Scoring

– Night vs day – 12 points– Recalculate charges – 12 points– Problem found – 3 points– Action plan – 3 points

• Game plan

– Identify potential misclassified minutes

– Calculate rates by first identifying most recent contracts (i.e. max(Startdate)

– Separate into flexible and fixed plans

– Calculate minutes

– Calculate charges per flexible

– Calculate charges per fixed

– Combine calculated charges per flexible and fixed (UNION)

– Compare calculated to InvoiceLine charges

announcementsannouncements

– Assignment 4 • Merger/acquisition due diligence – significantly

shorter time frame• What are the due diligence / audit objectives?• Some of the due diligence work is already done

– Identified due diligence objectives (See Figure 3)– Started with prior audit procedures (see Figure 3)

• No manufacturing costs since Threadchic is a retailer

•

announcementsannouncements

– Assignment 4 • Existence procedure

– Verify Threadchic paid for all purchases in a timely manner

» join invoice and payment table using outer join to identify any invoices that were not paid yet

– Verify inventory consistent with sales» For all items, sales price is 100 percent markup

over cost except for marked down items with no sale in the last 21 days. List cost, lastSalesPrice, and calculate salesToCost to determine if each item markup is 100 percent

announcementsannouncements

– Assignment 4 • Completeness procedure

– Verify inclusion of all purchases in inventory» Match purchases to inventory on SKU to find

purchases with no entry in inventoryMaster.QOH» Match purchases to counted inventory on SKU to

find purchases with no entry in inventoryCount.obsvQOH

» Remember – inventoryMaster is Threadchic’s records

» inventoryCount – contains number counted by the auditors

ObjectivesObjectives

Understand risks faced by information assets Comprehend relationship between risk and asset

vulnerabilities Understand nature and types of threats faced by the

asset Understand objectives of control and security of

information assets and how these objectives are interrelated

Understand the building blocks of control (and security) frameworks for information systems

Apply a controls framework to a financial accounting system

Purpose of internal control frameworkPurpose of internal control framework

Information AssetsInformation Assets

Information AssetsInformation Assets

ThreatThreat

Probability of an attack on an information asset

CountermeasuresCountermeasures

Designed to minimize or eliminate the risks stemming from vulnerabilities

To design countermeasures

Definition of internal controlDefinition of internal control

Procedures designed by management to provide reasonable assurance regarding achievement of specific objectives

Classification of internal controls– General vs application– Detective, preventive, or corrective

Definition of Information SecurityDefinition of Information Security

Protection from harm Being able to depend on the information

system Two categories

– Physical security– Logical security

Four objectives of internal controlsFour objectives of internal controls

Information Security ObjectivesInformation Security Objectives

Frameworks for control and securityFrameworks for control and security

COBIT control objectivesCOBIT control objectives

Acquire and develop applications and system software Acquire technology infrastructure Develop and maintain policies and procedures Install and test application software and technology infrastructure Manage change Define and manage service levels Manage third-party services Ensure systems security Manage the configuration Manage problems and incidents Manage data Manage operations

ISO 17799ISO 17799

Ten categories or sections– Security policy– Security organization– Asset classification and control– Personnel security– Physical and environmental security– Computer and operations management– System access control– System development and maintenance– Compliance

COSOCOSO

Control environment Risk assessment Control activities Information and communication Monitoring

Steps in Implementing a control frameworkSteps in Implementing a control framework

Questions for MondayQuestions for Monday

Identify at least one difference between systems availability and business continuity

Why is disaster recovery planning important?

Is disaster recovery planning cost beneficial?