Chapter 4-1. Chapter 4-2 Accounting Information Systems, 1st Edition: Internal Controls and Risks in IT Systems
Post on 20-Dec-2015
TRANSCRIPT
Chapter 4-1
Chapter 4-2 Accounting Information Systems, 1st Edition
Internal Controls and Risks in IT Systems
Chapter 4-3
Study Objectives
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems
Chapter 4-4
SO 1 An overview of internal controls for IT systems
Internal Controls for IT Systems
Accounting Information System - collects, processes, stores, and reports accounting information.
Internal controls in computer-based systems have been described as being of two types:
General controls
Application controls
Chapter 4-5
SO 1 An overview of internal controls for IT systems
Internal Controls for IT Systems
General controls apply overall to the IT accounting system.
Application controls are used to control inputs, processing, and outputs.
Exhibit 4-1 General and Application Controls in IT Systems
Chapter 4-6
b. Technology controls.
Internal controls that apply overall to the IT system are called
Concept CheckConcept Check
c. Application controls.
d. General controls.
a. Overall controls.
SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems
Internal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT Systems
Chapter 4-7
SO 2 General controls for IT systems
General Controls in IT Systems
Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business continuity
Chapter 4-8
SO 2 General controls for IT systems
General Controls in IT Systems
Authentication of Users and Limiting Unauthorized Users
Authentication of users:
Log-in
User IDs
Password
Smart card
Security token
Two-factor authentication
Biometric devices
Computer log
Nonrepudiation
User profile
Authority table
Configuration tables
Chapter 4-9
SO 2 General controls for IT systems
General Controls in IT Systems
Hacking and Other Network Break-Ins
Firewall
Symmetric encryption
Public key encryption
Wired equivalency privacy
Wireless protected access
Service set identifier
Virtual private network
Secure sockets layer
Virus
Antivirus software
Vulnerability assessment
Intrusion detection
Penetration testing
Chapter 4-10
SO 2 General controls for IT systems
General Controls in IT Systems
Organizational Structure
IT governance committee, responsibilities include:
1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.
Chapter 4-11
SO 2 General controls for IT systems
General Controls in IT Systems
Organizational Structure
Duties to be segregated are those of:
Systems analysts
Programmers
Operators
Database administrator
Chapter 4-12
SO 2 General controls for IT systems
General Controls in IT Systems
Physical Environment and Security
Physical access controls:
Limited access to computer rooms through employee ID badges or card keys
Video surveillance equipment
Logs of persons entering and exiting the computer rooms
Locked storage of backup data and offsite backup data
Chapter 4-13
SO 2 General controls for IT systems
General Controls in IT Systems
Business Continuity
Business Continuity Planning (BCP)
Business continuity related to IT systems:
A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
A disaster recovery plan.
Chapter 4-14
SO 2 General controls for IT systems
General Controls in IT Systems
Concept Check
Which of the following is not a control intended to authenticate users?
a. User log-in.
b. Security token.
c. Encryption.
d. Biometric devices.
Chapter 4-15
SO 2 General controls for IT systems
General Controls in IT Systems
Concept Check
An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
a. Develop and maintain the database and ensure adequate controls over the database.
b. Develop, monitor, and review security policies.
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.
Chapter 4-16
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
AICPA Trust Principles categorize IT controls and risks into five categories:
a. Security
b. Availability
c. Processing integrity
d. Online privacy
e. Confidentiality
Chapter 4-17
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Risks In Not Limiting Unauthorized Users
IT controls that lessen risk of unauthorized users gaining access to the IT system:
a. user ID,
b. password,
c. security token,
d. biometric devices,
e. log-in procedures,
f. access levels,
g. computer logs, and
h. authority tables.
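The slides list user profiles, access levels, authority tables and computer logs as controls against unauthorized use, and separately (Chapter 4-11) name the roles whose duties must be segregated. The Python below is an added example, not textbook code, that models those controls together: an authority table maps roles to permitted actions, a user profile derives its access level from it, every access decision is written to a computer log, and a segregation-of-duties check flags users who hold incompatible duties. The role names, actions, users and the list of incompatible pairs are constructed for illustration.

```python
"""Authority table, user profiles, a computer log and a segregation-of-duties
check. Added example, not from the textbook; roles, actions and users are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Authority table (constructed): the actions each role is permitted to perform.
AUTHORITY_TABLE = {
    "clerk": {"enter_invoice"},
    "supervisor": {"enter_invoice", "approve_invoice"},
    "programmer": {"change_program"},
    "operator": {"run_job"},
    "dba": {"alter_schema"},
}

# Duty pairs that should not be held by one person (constructed): origination
# vs. authorization, and programmer vs. operator vs. database administrator.
INCOMPATIBLE_DUTIES = [
    ("enter_invoice", "approve_invoice"),
    ("change_program", "run_job"),
    ("change_program", "alter_schema"),
    ("run_job", "alter_schema"),
]


@dataclass
class UserProfile:
    user_id: str
    roles: frozenset

    def permitted_actions(self) -> frozenset:
        """Access level of this user: the union of its roles' authority-table entries."""
        allowed = set()
        for role in self.roles:
            allowed |= AUTHORITY_TABLE.get(role, set())
        return frozenset(allowed)


@dataclass
class ComputerLog:
    """Append-only log of access decisions: who attempted what, when, and the
    outcome. This record is what later review and nonrepudiation rely on."""
    entries: list = field(default_factory=list)

    def record(self, user_id: str, action: str, allowed: bool) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "result": "ALLOWED" if allowed else "DENIED",
        })


def check_access(profile: UserProfile, action: str, log: ComputerLog) -> bool:
    """Authorize one action against the authority table and log the decision."""
    allowed = action in profile.permitted_actions()
    log.record(profile.user_id, action, allowed)
    return allowed


def sod_conflicts(profile: UserProfile) -> list:
    """Return the incompatible duty pairs this user holds (empty list = no conflict)."""
    acts = profile.permitted_actions()
    return [pair for pair in INCOMPATIBLE_DUTIES if pair[0] in acts and pair[1] in acts]


if __name__ == "__main__":
    log = ComputerLog()
    clerk = UserProfile("alice", frozenset({"clerk"}))
    print(check_access(clerk, "approve_invoice", log))  # False: not in the authority table
    prog_op = UserProfile("bob", frozenset({"programmer", "operator"}))
    print(sod_conflicts(prog_op))  # [('change_program', 'run_job')]
    for entry in log.entries:
        print(entry)
```

A denied attempt is logged just like an allowed one; reviewing the DENIED entries is how the computer log turns an access-limiting control into a detective one. The segregation check is meant to run over the whole user population whenever roles change, not only at the time of the request.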
Chapter 4-18
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Risks From Hacking or Other Network Break-Ins
Controls that may be applied are:
a. firewalls,
b. encryption of data,
c. security policies,
d. security breach resolution,
e. secure sockets layer (SSL),
f. virtual private network (VPN),
Chapter 4-19
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Risks From Hacking or Other Network Break-Ins
Controls that may be applied are (continued):
g. wired equivalency privacy (WEP),
h. wireless protected access (WPA),
i. service set identifier (SSID),
j. antivirus software,
k. vulnerability assessment,
l. penetration testing, and
m. intrusion detection.
Chapter 4-20
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Risks From Environmental Factors
Physical Access Risks
Business Continuity Risks
Environmental changes that affect the IT system can cause availability risks and processing integrity risks.
Chapter 4-21
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Concept Check
AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”?
a. Security.
b. Confidentiality.
c. Processing integrity.
d. Availability.
Chapter 4-22
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Concept Check
The risk that an unauthorized user would shut down systems within the IT system is a(n)
a. Security risk.
b. Availability risk.
c. Processing integrity risk.
d. Confidentiality risk.
Chapter 4-23
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
Typical IT system components that represent “entry points” where the risks must be controlled:
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software
Chapter 4-24
Hardware and Software Exposures
Typical “entry points”
Exhibit 4-6
Chapter 4-25
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
The Operating System
The software that controls the basic input and output activities of the computer.
Provides the instructions that enable the CPU to:
read and write to disk,
read keyboard input,
control output to the monitor,
manage computer memory, and
communicate between the CPU, memory, and disk storage.
Chapter 4-26
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
The Operating System
Unauthorized access would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.
Chapter 4-27
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
The Database
A large disk storage for accounting and operating data.
Controls such as:
user IDs, passwords,
authority tables,
firewalls, and
encryption
are examples of controls that can limit exposure.
Chapter 4-28
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database.
Exhibit 4-7
Chapter 4-29
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database.
Exhibit 4-6
Chapter 4-30
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database.
Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.
Chapter 4-31
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
LANs and WANs
A local area network, or LAN, is a computer network covering a small geographic area.
A group of LANs connected to each other is called a wide area network, or WAN.
Chapter 4-32
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
LANs and WANs
Controls: limit unauthorized users, firewalls, encryption, virtual private networks.
Exhibit 4-6
Chapter 4-33
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
Wireless Networks
Same kind of exposures as a local area network.
Exhibit 4-6
Chapter 4-34
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
Wireless Networks
Same kind of exposures as a local area network.
Controls include:
wired equivalency privacy (WEP) or wireless protected access (WPA),
service set identifiers (SSID), and
encrypted data.
Chapter 4-35
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
Internet and World Wide Web
The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization’s internal network of computers.
Exhibit 4-6
Chapter 4-36
Hardware and Software Exposures
Telecommuting Workers
The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.
Exhibit 4-6
Chapter 4-37
Hardware and Software Exposures
Electronic Data Interchange
Company-to-company transfer of standard business documents in electronic form.
EDI controls include:
authentication,
computer logs, and
network break-in controls.
Exhibit 4-6
Chapter 4-38
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
Concept Check
The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?
a. Telecommuting workers.
b. Internet.
c. Wireless networks.
d. All of the above.
Chapter 4-39
SO 5 Application software and application controls
Application Software and Application Controls
Application software accomplishes end user tasks such as:
word processing,
spreadsheets,
database maintenance, and
accounting functions.
Application controls - intended to improve the accuracy, completeness, and security of input, processing, and output.
Chapter 4-40
SO 5 Application software and application controls
Application Software and Application Controls
Input Controls
Data input - data converted from human readable form to computer readable form.
Input controls are of four types:
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation
Chapter 4-41
SO 5 Application software and application controls
Application Software and Application Controls
Source Document Controls
Source document - paper form used to capture and record the original data of an accounting transaction.
Note:
Many IT systems do not use source documents.
Where they do not, general controls such as computer logging of transactions and keeping backup files become important.
Where source documents are used, several source document controls should be used.
Chapter 4-42
SO 5 Application software and application controls
Application Software and Application Controls
Source Document Controls
Form Design - Both the source document and the input screen should be well designed so that they are easy to understand and use, logically organized into groups of related data.
Form Authorization and Control:
Area for authorization by appropriate manager
Prenumbered and used in sequence
Blank source documents should be controlled
Chapter 4-43
SO 5 Application software and application controls
Application Software and Application Controls
Source Document Controls
Retention of Source Documents:
Retained and filed for easy retrieval
Part of the audit trail.
Chapter 4-44
SO 5 Application software and application controls
Application Software and Application Controls
Standard Procedures for Data Input
Data Preparation - standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.
Error Handling:
Errors should be logged, investigated, corrected, and resubmitted for processing
Error log should be regularly reviewed by an appropriate manager
Chapter 4-45
SO 5 Application software and application controls
Application Software and Application Controls
Programmed Input Validation Checks
Data should be validated and edited to be as close to the original source of data as possible.
Input validation checks include:
1. Field check
2. Validity check
3. Limit check
4. Range check
5. Reasonableness check
6. Completeness check
7. Sign check
8. Sequence check
9. Self-checking digit
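The nine programmed input validation checks above are easiest to understand applied to real records. The Python below is an added example, not textbook code: it runs all nine checks over a constructed batch of sales transactions and reports, per rejected record, which checks it failed. The field names, the customer master file, the quantity limit, the open accounting period and the reasonableness multiple are assumptions made for the example; the self-checking digit is implemented as a mod-10 (Luhn) check digit, one common scheme, on the account number.

```python
"""Programmed input validation (edit) checks over a constructed batch of sales
transactions. Added example, not textbook code; field names, master file,
thresholds and open period are assumptions for illustration."""
from datetime import date

# Constructed customer master file, used by the validity and reasonableness checks.
CUSTOMER_MASTER = {
    "C1001": {"typical_amount": 1500.00},
    "C1002": {"typical_amount": 300.00},
}
REQUIRED_FIELDS = ("doc_no", "customer_id", "account_no", "quantity", "amount", "tx_date")
MAX_QUANTITY = 10_000                                   # limit check ceiling (assumed)
OPEN_PERIOD = (date(2015, 12, 1), date(2015, 12, 31))   # range check bounds (assumed)
REASONABLE_MULTIPLE = 10                                # reasonableness threshold (assumed)


def luhn_valid(number: str) -> bool:
    """Self-checking digit: the last digit of the account number is a mod-10
    (Luhn) check digit computed from the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, prev_doc_no=None) -> list:
    """Apply the nine edit checks to one record; returns the list of failures."""
    errors = []
    # Completeness check: every required field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        return ["completeness check: missing " + ", ".join(missing)]
    # Field check: the quantity field must contain only digits.
    qty_text = str(rec["quantity"])
    qty = int(qty_text) if qty_text.isdigit() else None
    if qty is None:
        errors.append("field check: quantity is not numeric")
    # Validity check: the customer must exist in the master file.
    customer = CUSTOMER_MASTER.get(rec["customer_id"])
    if customer is None:
        errors.append("validity check: customer not in master file")
    # Limit check: quantity must not exceed the ceiling.
    if qty is not None and qty > MAX_QUANTITY:
        errors.append(f"limit check: quantity {qty} exceeds {MAX_QUANTITY}")
    # Range check: the transaction date must fall inside the open period.
    if not OPEN_PERIOD[0] <= rec["tx_date"] <= OPEN_PERIOD[1]:
        errors.append("range check: transaction date outside open period")
    # Sign check: the amount must be positive.
    amount = float(rec["amount"])
    if amount <= 0:
        errors.append("sign check: amount is not positive")
    # Reasonableness check: amount compared with the customer's typical amount.
    elif customer is not None and amount > REASONABLE_MULTIPLE * customer["typical_amount"]:
        errors.append("reasonableness check: amount far above customer's typical amount")
    # Sequence check: document numbers must ascend within the batch.
    if prev_doc_no is not None and rec["doc_no"] <= prev_doc_no:
        errors.append("sequence check: document number not in ascending order")
    # Self-checking digit on the account number.
    if not luhn_valid(str(rec["account_no"])):
        errors.append("self-checking digit: account number fails mod-10 check")
    return errors


def validate_batch(records: list) -> dict:
    """Run the checks over a batch; returns {doc_no: [failures]} for rejected records."""
    rejects = {}
    prev = None
    for rec in records:
        failures = validate_record(rec, prev)
        if failures:
            rejects[rec.get("doc_no")] = failures
        prev = rec.get("doc_no", prev)
    return rejects


# Constructed batch: one clean record, then records that each trip specific checks.
SAMPLE_BATCH = [
    {"doc_no": 1001, "customer_id": "C1001", "account_no": "79927398713",
     "quantity": 5, "amount": 1200.00, "tx_date": date(2015, 12, 3)},
    {"doc_no": 1002, "customer_id": "C9999", "account_no": "79927398713",
     "quantity": "5x", "amount": 50.00, "tx_date": date(2015, 12, 4)},
    {"doc_no": 1000, "customer_id": "C1002", "account_no": "79927398710",
     "quantity": 20000, "amount": -10.00, "tx_date": date(2016, 1, 2)},
    {"doc_no": 1003, "customer_id": "C1002", "account_no": "79927398713",
     "quantity": 1, "amount": 50000.00, "tx_date": date(2015, 12, 10)},
    {"doc_no": 1004, "customer_id": "C1001", "account_no": "",
     "quantity": 2, "amount": 80.00, "tx_date": date(2015, 12, 11)},
]

if __name__ == "__main__":
    for doc_no, failures in validate_batch(SAMPLE_BATCH).items():
        print(doc_no, failures)
```

The completeness check runs first and short-circuits, because the other checks need the fields it guards; every other check is evaluated independently so that one rejected record lists all of its defects and can be corrected once, which matches the log-investigate-correct-resubmit error handling the slides describe.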
Chapter 4-46
SO 5 Application software and application controls
Application Software and Application Controls
Control Totals and Reconciliation
Control totals are subtotals of selected fields for an entire batch of transactions.
Three types:
record counts,
batch totals, and
hash totals.
Application Software and Application Controls
SO 5 Application software and application controls
Processing Controls
Intended to prevent, detect, or correct errors that occur during processing.
Provide assurance that the application software processes transactions correctly; they detect and flag processing errors, they do not guarantee that the software itself has none.
Control totals, limit and range tests, and reasonableness and sign tests.
Computer logs of transactions processed, production run logs, and error listings.
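The three control totals from the Control Totals and Reconciliation slide, established at data input and reconciled against the totals recomputed after processing as the Processing Controls slide describes, as an added Python example; this is not the textbook's code. The invoice batch, the choice of customer number as the hash-total field, the run-log layout and the three simulated processing faults are all constructed for the example. It shows why a hash total is kept at all: a transposed customer number leaves the record count and the batch total unchanged and is caught only by the hash total.

```python
"""Control totals established at data input and reconciled after processing.
Added example: the invoice batch, the hash-total field and the simulated faults
are constructed, not taken from the chapter."""
from __future__ import annotations

from decimal import Decimal

# Constructed batch of sales invoices as keyed by the data-entry clerk.
INPUT_BATCH = [
    {"invoice_no": 1001, "customer_no": 48210, "amount": Decimal("125.00")},
    {"invoice_no": 1002, "customer_no": 30557, "amount": Decimal("980.50")},
    {"invoice_no": 1003, "customer_no": 48210, "amount": Decimal("42.75")},
    {"invoice_no": 1004, "customer_no": 77003, "amount": Decimal("310.00")},
]


def control_totals(records: list[dict]) -> dict:
    """The three control totals for a batch.

    record_count: number of records;
    batch_total:  sum of a meaningful amount field;
    hash_total:   sum of a field (customer number) that is meaningless as a sum and is
                  kept only so that a changed identifier shows up in reconciliation.
    """
    return {
        "record_count": len(records),
        "batch_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["customer_no"] for r in records),
    }


def reconcile(expected: dict, actual: dict) -> dict:
    """Totals that disagree, as name -> (expected, actual); empty when the batch balances."""
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def process_batch(run_id: str, keyed: list[dict], posted: list[dict], run_log: list[dict]) -> dict:
    """Compare the totals taken at input with those recomputed from what was actually posted,
    and write both, plus the outcome, to the production run log."""
    expected, actual = control_totals(keyed), control_totals(posted)
    diffs = reconcile(expected, actual)
    run_log.append({"run": run_id, "input": expected, "output": actual,
                    "status": "balanced" if not diffs else "OUT OF BALANCE", "diffs": diffs})
    return diffs


def _altered(index: int, **changes) -> list[dict]:
    """Copy of INPUT_BATCH with one record changed: a constructed processing fault."""
    out = [dict(r) for r in INPUT_BATCH]
    out[index].update(changes)
    return out


# What the posting run produced in four constructed scenarios.
SCENARIOS = {
    "clean": list(INPUT_BATCH),                                  # everything posted as keyed
    "dropped_record": INPUT_BATCH[:3],                           # last invoice lost in processing
    "transposed_customer": _altered(3, customer_no=70703),       # 77003 posted as 70703
    "mis_keyed_amount": _altered(1, amount=Decimal("980.05")),   # 980.50 posted as 980.05
}


def run_all() -> dict[str, list[str]]:
    """Reconcile every scenario; return the names of the totals that caught each fault."""
    run_log: list[dict] = []
    return {name: sorted(process_batch(name, INPUT_BATCH, posted, run_log))
            for name, posted in SCENARIOS.items()}


if __name__ == "__main__":
    for name, caught in run_all().items():
        print(f"{name:20s} -> {'balanced' if not caught else 'caught by ' + ', '.join(caught)}")
```

The run_log list that process_batch appends to is the production run log the slide lists: it records the input totals, the output totals and whether the run balanced, so a manager reviewing it can see which batches are out of balance without re-reading the transactions. Amounts are Decimal rather than float so that the batch total is an exact currency sum and a one-cent mis-key is a genuine difference, not rounding noise.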
Application Software and Application Controls
SO 5 Application software and application controls
Output Controls
Reports from the various applications.
Two primary objectives of output controls:
to assure the accuracy and completeness of the output, and
to properly manage the safekeeping of output reports so that the security and confidentiality of the information is maintained.
Application Software and Application Controls
SO 5 Application software and application controls
Concept Check
Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Completeness check.
Application Software and Application Controls
SO 5 Application software and application controls
Concept Check
Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Application Software and Application Controls
SO 5 Application software and application controls
Concept Check
Which programmed input validation check makes sure that a value was entered in all of the critical fields?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Application Software and Application Controls
SO 5 Application software and application controls
Concept Check
Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
a. Record count.
b. Hash total.
c. Batch total.
d. Field total.
Ethical Issues in Information Technology
SO 6 Ethical issues in IT systems
Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
Misuse of confidential customer information.
Theft of data, such as credit card information, by hackers.
Employee use of company IT hardware and software for personal purposes or personal gain.
Using company e-mail to send offensive, threatening, or sexually explicit material.
Copyright
Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.