Post on 22-Dec-2015

Page 1: Chapter 9-1. Chapter 9-2 Chapter 9 Computer Controls for Accounting Information Systems Introduction General Controls For Organizations Integrated Security

Chapter 9-1

Chapter 9-2

Chapter 9: Computer Controls for Accounting Information Systems

Introduction

General Controls For Organizations

Integrated Security for the Organization

Organization-Level, Personnel, File Security Controls

Fault-Tolerant Systems, Backup, and Contingency Planning

Computer Facility Controls

Access to Computer Files

Chapter 9-3

Chapter 9: Computer Controls for Accounting Information Systems

Information Technology General Controls

Security for Wireless Technology

Controls for Hardwired Network Systems

Security and Controls for Microcomputers

IT Control Objectives for Sarbanes-Oxley

Application Controls For Transaction Processing

Input, Processing, and Output Controls

Chapter 9-4

Introduction

Internal control systems focus on

specific security in organizations

control procedures to ensure effective use of resources

efficient utilization of resources

Primary challenges associated with connectivity

protection of sensitive data and information stored or transferred

providing appropriate security and control procedures

Chapter 9-5

General Controls For Organizations

Developing an appropriate security policy involves

Identifying and evaluating assets

Identifying threats

Assessing risk

Assigning responsibilities

Establishing security policies and platforms

Implementing across the organization

Managing the security program

Chapter 9-6

Integrated Security for the Organization

Organizations

are dependent on networks for transactions, data sharing, and communications

need to give access to customers, suppliers, partners, and others

Security threats for organizations arise from

the complexity of these networks

the accessibility requirements present

Chapter 9-7

Integrated Security for the Organization

Key security technologies that can be integrated include

intrusion detection systems

firewalls

biometrics and others

An integrated security system

reduces the risk of attack

increases the costs and resources needed by an intruder

Chapter 9-8

General Controls within IT Environments

Organizational level controls

Personnel Controls

File Security Controls

Fault-Tolerant Systems, Backup, and Contingency Planning

Computer Facility Controls

Access to Computer Files

Chapter 9-9

Organization-Level Controls

Important controls include

consistent policies and procedures

management’s risk assessment process

centralized processing and controls

controls to monitor results of operations

controls to monitor the internal audit function, the audit committee, and self-assessment programs

the period-end financial reporting process

Board-approved policies that address significant business control and risk management practices

Chapter 9-10

Personnel Controls

An AIS depends heavily on people for

the creation of the system,

the input of data into the system,

the supervision of data processing,

the distribution of processed data, and

the use of approved controls

Chapter 9-11

Personnel Controls

General controls that affect personnel include

separation of duties

use of computer accounts

separation of duties control procedures

Chapter 9-12

Separation of Duties

Separation of duties should be designed and implemented in two ways:

separate accounting and information processing subsystems

separate the responsibilities within the IT environment

Chapter 9-13

Separation of Duties

Separate Responsibilities within the IT Environment. Designated operational subsystems

initiate and authorize asset custody

detect errors in processing data, enter them on an error log, and refer them back to the specific user subsystem for correction

Chapter 9-14

Division of Responsibility

Division of responsibility functions within an IT environment can be on the following lines:

Systems Analysis Function

Data Control Function

Programming Function

Computer Operations Function

Transaction Authorization Function

AIS Library Function

Chapter 9-15

Use of Computer Accounts

Use of computer accounts

helps to ensure access is limited to specific users, mostly by using passwords and nowadays by use of biometrics (digital fingerprinting)

protects use of scarce resources

Chapter 9-16

Use of Computer Accounts

limit user access to particular computer files or programs

protect files from unauthorized use

protect computer time from unauthorized use

place resource limitations on account numbers, which limits programmer/operator errors

Chapter 9-17

File Security Controls

The purpose of file security controls is to protect computer files from

accidental abuse

intentional abuse

Chapter 9-18

File Security Controls

Some examples of file security controls are

external file labels

internal file labels

lockout procedures

file protection rings

read-only file designation

Chapter 9-19

Fault-Tolerant Systems

Fault-tolerant systems

are designed to tolerate computer errors and keep functioning

are often based on the concept of redundancy

are created by instituting duplicate communication paths and communications processors

Chapter 9-20

Fault-Tolerant Systems

Redundancy in CPU processing can be achieved

with consensus-based protocols

with a second watchdog processor

Disks can be made fault-tolerant

by a process called disk mirroring

by rollback processing

Chapter 9-21

Backup

Backup

is essential for vital documents

is batch processed using the grandfather-parent-child procedure

can be electronically transmitted to remote sites (vaulting)

needs an uninterruptible power system (UPS) as an auxiliary power supply
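The grandfather-parent-child procedure named above retains three generations of a batch-updated master file together with the transaction files that produced them, so that a lost or corrupted generation can be rebuilt rather than restored from nothing. The following is an added illustration written for this page, not code from the Wiley chapter; the master-file layout (account number to balance), the transaction format (account, signed amount) and the class and function names are assumptions chosen for the example.

```python
"""Grandfather-parent-child backup rotation for a batch-updated master file.

Added illustration, not material from the Wiley chapter. Each batch run reads
the current master (the parent) and a transaction file and writes a new master
(the child). Three generations are retained. If the child is lost, it is
rebuilt by reprocessing the retained parent with the retained transaction
file; if the parent is lost as well, the grandfather and two transaction files
are replayed. Layout and names below are assumptions for the example.
"""
from collections import deque


def apply_transactions(master, transactions):
    """Batch update: return a new master with each (account, delta) posted."""
    child = dict(master)
    for acct, delta in transactions:
        child[acct] = child.get(acct, 0) + delta
    return child


class GfcRotation:
    GENERATIONS = 3  # grandfather, parent, child

    def __init__(self, initial_master):
        # Oldest generation at the left, newest at the right. Each entry keeps
        # the master file and the transaction file that produced it.
        self.history = deque([(dict(initial_master), [])], maxlen=self.GENERATIONS)

    @property
    def current(self):
        return self.history[-1][0]

    def run_batch(self, transactions):
        """Post one transaction file; the oldest generation rolls off the deque."""
        child = apply_transactions(self.current, transactions)
        self.history.append((child, list(transactions)))
        return child

    def recover(self, lost_generations=1):
        """Rebuild the current master after losing the newest `lost_generations`
        masters, by replaying the retained transaction files onto an older master.
        With three generations retained, at most two can be lost and recovered."""
        if not 1 <= lost_generations < len(self.history):
            raise ValueError("not enough retained generations to recover")
        base_index = len(self.history) - 1 - lost_generations
        rebuilt = dict(self.history[base_index][0])
        for _master, txns in list(self.history)[base_index + 1:]:
            rebuilt = apply_transactions(rebuilt, txns)
        return rebuilt


def demo():
    """Constructed sample: an initial master and three batch runs."""
    rot = GfcRotation({"A": 100, "B": 50})
    rot.run_batch([("A", -20), ("C", 30)])  # generation 1 (grandfather after run 3)
    rot.run_batch([("B", 10)])              # generation 2 (parent)
    rot.run_batch([("A", 5)])               # generation 3 (child)
    return rot


if __name__ == "__main__":
    r = demo()
    print("current:", r.current)
    print("rebuilt from parent:", r.recover(1))
    print("rebuilt from grandfather:", r.recover(2))
```

Because the initial master has rolled off after the third run, the rotation can recover from losing the child or both the child and the parent, but not all three generations; the `ValueError` marks the point where a remote copy (vaulting, as the slide calls it) is the only remaining source.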

Chapter 9-22

Backup

similar to the redundancy concept in fault-tolerant systems

a hot backup is performed while the database is online and available for read/write

a cold backup is performed while the database is offline and unavailable to its users

Chapter 9-23

Contingency Planning

Contingency planning includes the development of a formal disaster recovery plan, which

describes procedures to be followed in an emergency

describes the role of each member of the team

appoints one person to be in command and another to be second-in-command

involves a recovery site that can be either a hot site or a cold site

Chapter 9-24

Computer Facility Controls

Locate the Data Processing Center in a safe place where

the public does not have access

it is guarded by personnel

there is a limited number of secured entrances

there is protection against natural disasters

Chapter 9-25

Computer Facility Controls

Limit employee access by incorporating magnetic, electronic, or optical coded identification badges

Buy insurance

Chapter 9-26

Access to Computer Files

Logical access to data is restricted by

password code identifications (encourage strong passwords)

biometric identifications with voice patterns, fingerprints, and retina prints

Chapter 9-27

INFORMATION TECHNOLOGY GENERAL CONTROLS

The objective of controls is to provide assurance that

the development of and changes to computer programs are authorized, tested, and approved before their usage

access to data files is restricted

processed accounting data are accurate and complete

Chapter 9-28

Control Concerns

Errors may be magnified

Inadequate separation of duties

Audit trails

Greater access to data

Characteristics of magnetic or optical media

Chapter 9-29

INFORMATION TECHNOLOGY GENERAL CONTROLS

IT general controls involve

Security for Wireless Technology

Controls for Hardwired Network Systems

Security and Controls for Microcomputers

IT Control Objectives for Sarbanes-Oxley

Chapter 9-30

Security for Wireless Technology

Security for wireless technology involves

a virtual private network (VPN)

data encryption

Chapter 9-31

Controls for Hardwired Network Systems

The routine use of systems such as DDP and client/server computing increases control problems for companies, which include

electronic eavesdropping

hardware or software malfunctions causing computer network system failures

errors in data transmission

Chapter 9-32

Controls for Hardwired Network Systems

To reduce the risk of system failures, networks are designed

to handle periods of peak transmission volume

to use redundant components, such as modems,

to recover from failure using checkpoint control procedure

to use routing verification procedures

to use message acknowledgment procedures

Chapter 9-33

Security and Controls for Microcomputers

General and application control procedures are important to microcomputers.

Most risks associated with AISs result from

errors, irregularities or fraud

general threats to security (such as a computer virus)

Some of the risks that are unique to the microcomputer are

Hardware - microcomputers can be easily stolen or destroyed

Data and software - easy to access, modify, copy or destroy; therefore difficult to control

Chapter 9-34

Control Procedures for Microcomputers

Some cost-effective control procedures are

take inventory

install keyboard locks

lock laptops in cabinets

follow software protection procedures

create back-up files and

lock office doors

Chapter 9-35

Additional Controls for Laptops

Some specific controls for the laptop are

identify your laptop

use nonbreakable cables to attach laptops to stationary furniture

load antivirus software

keep laptop information backed up

Chapter 9-36

IT Control Objectives for Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 (SOX) profoundly impacts

public companies

managers

the internal auditors

the external auditors

Chapter 9-37

IT Control Objectives for Sarbanes-Oxley

The IT Governance Institute (ITGI) issued ‘IT Control Objectives for Sarbanes-Oxley’ in April 2004, which

helps organizations comply with SOX requirements and

the PCAOB requirements

includes detailed guidance for organizations by starting with the IT controls from CobiT and

linking those to the IT general control categories in the PCAOB standard,

and then linking to the COSO framework

Chapter 9-38

Application Controls for Transaction Processing

Application controls are designed to

prevent, detect, and correct errors and irregularities

in transactions in the input, processing, and output stages of data processing

Chapter 9-39

Application Controls for Transaction Processing

Chapter 9-40

Input Controls

Input controls attempt to ensure the

validity

accuracy

completeness of the data entered into an AIS

The categories of input controls include

observation, recording, and transcription of data

edit tests

additional input controls

Chapter 9-41

Observation, Recording, and Transcription of Data

The observation control procedures to assist in collecting data are

feedback mechanism

dual observation

point-of-sale (POS) devices

preprinted recording forms

Chapter 9-42

Data Transcription

Data transcription is the preparation of data for computerized processing

Preformatted screens make the electronic version look like the printed version

Chapter 9-43

Edit Tests

Input validation routines (edit programs)

check the validity

check the accuracy

after the data have been entered and recorded on a machine-readable file of input data

Chapter 9-44

Edit Tests

Edit tests examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality.

Real-time systems use edit checks during data entry.

Chapter 9-45

Examples of Edit Tests

The following are the tests for copy editing

Numeric field

Alphabetic field

Alphanumeric field

Valid code

Reasonableness

Sign

Completeness

Sequence

Consistency
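The nine edit tests listed above are easiest to understand applied to an actual batch. The following edit program is an added example written for this page, not code from the Wiley chapter; the payroll-style field names, the valid-department table, the 80-hour reasonableness limit and the sample records are all assumptions constructed for the illustration. Records that fail any test are rejected and written to an error log, as the preceding slides describe, while clean records pass on to processing.

```python
"""Edit tests over a constructed batch of payroll-style transactions.

Added illustration, not material from the Wiley chapter. The field names,
the valid-code table, the reasonableness limit and the sample batch are
assumptions chosen to exercise each of the nine edit-test types.
"""
from dataclasses import dataclass, field

# Assumed reference data: valid department codes and a reasonableness
# ceiling for hours worked in one pay period.
VALID_DEPTS = {"ACCT", "SALES", "OPS"}
MAX_HOURS = 80.0
REQUIRED = ("emp_id", "name", "dept", "hours", "rate", "pay_type")


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    error_log: list = field(default_factory=list)  # (record_no, field, reason)


def edit_tests(rec, prev_emp_id):
    """Return a list of (field, reason) failures for one record; empty means clean."""
    errs = []
    # Completeness: every required field must be present and non-blank.
    for f in REQUIRED:
        if not str(rec.get(f, "")).strip():
            errs.append((f, "completeness test failed (blank field)"))
    if errs:
        return errs  # the remaining tests cannot be judged on a blank record
    # Numeric field: employee number must be digits only.
    if not rec["emp_id"].isdigit():
        errs.append(("emp_id", "numeric-field test failed"))
    # Alphabetic field: name must be letters and spaces only.
    if not rec["name"].replace(" ", "").isalpha():
        errs.append(("name", "alphabetic-field test failed"))
    # Alphanumeric field, then valid code against the reference table.
    if not rec["dept"].isalnum():
        errs.append(("dept", "alphanumeric-field test failed"))
    elif rec["dept"] not in VALID_DEPTS:
        errs.append(("dept", "valid-code test failed"))
    # Sign and reasonableness on the quantity fields.
    try:
        hours, rate = float(rec["hours"]), float(rec["rate"])
    except ValueError:
        errs.append(("hours/rate", "numeric-field test failed"))
        return errs
    if hours < 0 or rate < 0:
        errs.append(("hours/rate", "sign test failed (negative value)"))
    if hours > MAX_HOURS:
        errs.append(("hours", f"reasonableness test failed (> {MAX_HOURS:g} hours)"))
    # Sequence: the batch must arrive in ascending employee-number order.
    if prev_emp_id is not None and rec["emp_id"].isdigit() and int(rec["emp_id"]) <= prev_emp_id:
        errs.append(("emp_id", "sequence test failed (out of order)"))
    # Consistency: salaried staff carry no hourly figure.
    if rec["pay_type"] == "SAL" and hours != 0:
        errs.append(("hours", "consistency test failed (salaried record with hours)"))
    return errs


def run_batch(records):
    """Apply the edit tests to a batch; rejected records go to the error log."""
    out = BatchResult()
    prev = None
    for n, rec in enumerate(records, start=1):
        failures = edit_tests(rec, prev)
        if failures:
            out.error_log.extend((n, f, why) for f, why in failures)
        else:
            out.accepted.append(rec)
        if str(rec.get("emp_id", "")).isdigit():
            prev = int(rec["emp_id"])
    return out


# Constructed sample batch; the comments name the test each bad record trips.
SAMPLE_BATCH = [
    {"emp_id": "1001", "name": "Ann Lee", "dept": "ACCT", "hours": "40", "rate": "25.00", "pay_type": "HRLY"},
    {"emp_id": "1002", "name": "Bo Ray", "dept": "SALES", "hours": "0", "rate": "3000", "pay_type": "SAL"},
    {"emp_id": "10A3", "name": "Cy Dunn", "dept": "OPS", "hours": "38", "rate": "22.50", "pay_type": "HRLY"},  # numeric
    {"emp_id": "1004", "name": "Di Fox", "dept": "HR", "hours": "95", "rate": "20", "pay_type": "HRLY"},       # valid code, reasonableness
    {"emp_id": "1003", "name": "Ed Gray", "dept": "OPS", "hours": "-5", "rate": "20", "pay_type": "HRLY"},     # sequence, sign
    {"emp_id": "1006", "name": "", "dept": "OPS", "hours": "40", "rate": "20", "pay_type": "HRLY"},            # completeness
    {"emp_id": "1007", "name": "Fay Hill", "dept": "ACCT", "hours": "40", "rate": "4000", "pay_type": "SAL"},  # consistency
]

if __name__ == "__main__":
    result = run_batch(SAMPLE_BATCH)
    print(f"accepted {len(result.accepted)} of {len(SAMPLE_BATCH)} records")
    for entry in result.error_log:
        print("rejected record %d, field %s: %s" % entry)
```

The error log, not the rejection itself, is the control: it is what gets referred back to the originating user subsystem for correction, as the separation-of-duties slides earlier in the chapter describe.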

Chapter 9-46

Processing Controls

Processing controls focus on the manipulation of accounting data after they are input to the computer system.

Key objective is a clear audit trail

Processing controls are of two kinds:

Data-access controls

Data manipulation controls

Chapter 9-47

Data-Access Control Totals

Some common processing control procedures are

batch control total

financial control total

nonfinancial control total

hash total

record count
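The five control totals listed above work by comparing totals prepared from the source documents before keying with the same totals recomputed from the records actually stored, so that a lost, duplicated or mis-keyed record shows up as a disagreement. The following is an added example written for this page, not code from the Wiley chapter; the accounts-payable voucher fields, the batch header values and the damaged batches are constructed assumptions.

```python
"""Batch control totals over a constructed batch of accounts-payable vouchers.

Added illustration, not material from the Wiley chapter. The voucher layout
and header values are assumptions. The clerk's header totals, prepared from
the source documents, are compared with totals recomputed from the stored
records; a mismatch means a record was lost, duplicated or mis-keyed.
"""


def control_totals(records):
    """Recompute the control totals named on the slide from the stored records."""
    return {
        # Record count: how many vouchers are in the batch.
        "record_count": len(records),
        # Financial control total: a sum that is meaningful in money terms.
        "financial_total": round(sum(r["amount"] for r in records), 2),
        # Nonfinancial control total: a sum of a quantity field.
        "nonfinancial_total": sum(r["quantity"] for r in records),
        # Hash total: the sum of an identifier field (vendor numbers) that has
        # no meaning as a total; it exists only to detect a changed identifier.
        "hash_total": sum(r["vendor_no"] for r in records),
    }


def reconcile(header, records):
    """Return the names of header totals that disagree with the recomputed ones.

    The batch control total is the agreement of every header figure with the
    recomputed figure; an empty list means the batch balances."""
    actual = control_totals(records)
    return [name for name, expected in header.items() if actual.get(name) != expected]


# Constructed vouchers as stored after data entry.
VOUCHERS = [
    {"voucher": "V001", "vendor_no": 7001, "quantity": 10, "amount": 250.00},
    {"voucher": "V002", "vendor_no": 7005, "quantity": 25, "amount": 600.25},
    {"voucher": "V003", "vendor_no": 7002, "quantity": 5, "amount": 100.50},
    {"voucher": "V004", "vendor_no": 7009, "quantity": 20, "amount": 500.00},
]

# Constructed batch header, as the clerk would prepare it from the source documents.
HEADER = {
    "record_count": 4,
    "financial_total": 1450.75,
    "nonfinancial_total": 60,
    "hash_total": 28017,
}

# Same batch with vendor 7005 keyed as 7050: counts and amounts still agree,
# so only the hash total catches the error.
VOUCHERS_MISKEYED = [VOUCHERS[0], {**VOUCHERS[1], "vendor_no": 7050}, VOUCHERS[2], VOUCHERS[3]]

# Same batch with the last voucher dropped: every total disagrees.
VOUCHERS_DROPPED = VOUCHERS[:3]

if __name__ == "__main__":
    for label, batch in (("clean", VOUCHERS), ("mis-keyed", VOUCHERS_MISKEYED), ("dropped", VOUCHERS_DROPPED)):
        print(label, "->", reconcile(HEADER, batch) or "balances")
```

The mis-keyed batch is the case that justifies hash totals: the record count, the financial total and the nonfinancial total all still balance, and only a total over a field nobody would otherwise sum reveals that a vendor number changed between the source document and the stored record.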

Chapter 9-48

Data Manipulation Controls

Once data has been validated by earlier portions of data processing, they usually must be manipulated in some way to produce useful output.

Data manipulation controls include:

software documentation, i.e. flow charts and diagrams

compiler

test data

Chapter 9-49

Output Controls

The objective of output controls is to ensure

validity

accuracy

completeness

Two major types of output application controls are

validating processing results by activity (or proof) listings

Chapter 9-50

Output Controls

regulating the distribution and use of printed output through

prenumbered forms

an authorized distribution list

shredding sensitive documents

Chapter 9-51

Copyright

Copyright 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Chapter 9-52

Chapter 9