Chapter 9 Computer Controls for Accounting Information Systems


2 Chapter 9 Computer Controls for Accounting Information Systems
- Introduction
- General Controls for Organizations
- Integrated Security for the Organization
- Organization-Level, Personnel, and File Security Controls
- Fault-Tolerant Systems, Backup, and Contingency Planning; Computer Facility Controls
- Access to Computer Files

3 Chapter 9 Computer Controls for Accounting Information Systems
- Information Technology General Controls
  - Security for Wireless Technology
  - Controls for Hardwired Network Systems
  - Security and Controls for Microcomputers
  - IT Control Objectives for Sarbanes-Oxley
- Application Controls for Transaction Processing
  - Input, Processing, and Output Controls

4 Introduction
Internal control systems, with a focus on
- specific security measures in organizations
- control procedures that ensure the effective and efficient use of resources
Primary challenges associated with connectivity
- protecting sensitive data and information, whether stored or in transit
- providing appropriate security and control procedures

5 General Controls For Organizations
Developing an appropriate security policy involves
- identifying and evaluating assets
- identifying threats
- assessing risk
- assigning responsibilities
- establishing security policies
- implementing the policies across the organization
- managing the security program

6 Integrated Security for the Organization
Organizations depend on networks for transactions, data sharing, and communications, and need to give access to customers, suppliers, partners, and others.
Security threats for organizations arise from
- the complexity of these networks
- the accessibility requirements they present

7 Integrated Security for the Organization
Key security technologies that can be integrated include
- intrusion detection systems
- firewalls
- biometrics
- and others
An integrated security system
- reduces the risk of attack
- increases the cost and resources an intruder needs

8 General Controls within IT Environments
- Organization-level controls
- Personnel controls
- File security controls
- Fault-tolerant systems, backup, and contingency planning
- Computer facility controls
- Access to computer files

9 Organization-Level Controls
Important controls include
- consistent policies and procedures
- management's risk assessment process
- centralized processing and controls
- controls to monitor the results of operations
- controls to monitor the internal audit function, the audit committee, and self-assessment programs
- the period-end financial reporting process
- board-approved policies that address significant business control and risk management practices

10 Personnel Controls
An AIS depends heavily on people for
- the creation of the system
- the input of data into the system
- the supervision of data processing
- the distribution of processed data
- the use of approved controls

11 Personnel Controls
General controls that affect personnel include
- separation of duties
- use of computer accounts

12 Separation of Duties
Separation of duties should be designed and implemented in two ways:
- separate the accounting subsystems from the information processing subsystems
- separate the responsibilities within the IT environment

13 Separation of Duties
Separate responsibilities within the IT environment:
- the designated operational (user) subsystems initiate and authorize transactions and keep custody of assets; the IT function does not
- when the IT function detects errors in processing data, it enters them on an error log and refers them back to the specific user subsystem for correction

14 Division of Responsibility
Division of responsibility within an IT environment can be along the following functions:
- systems analysis function
- data control function
- programming function
- computer operations function
- transaction authorization function
- AIS library function
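Separation of duties is only as good as the check that enforces it when accounts are granted. The following is an added example (not from the textbook) that encodes the six IT functions the slide lists and flags any user who holds an incompatible pair, both for an existing set of assignments (detective) and before a new grant is made (preventive). Which pairs count as incompatible is an assumption made for illustration; the textbook does not give a conflict table.

```python
"""Separation-of-duties conflict check over role assignments (added example).

The six functions are the ones the slide lists. CONFLICTS is an assumed
table: each pair lets one person both cause and conceal an error or fraud
(e.g. write a program and also run it in production), so no single user
should hold both.
"""
from itertools import combinations

FUNCTIONS = {
    "systems_analysis", "data_control", "programming",
    "computer_operations", "transaction_authorization", "ais_library",
}

# Assumed incompatible pairs, stored order-independently.
CONFLICTS = {
    frozenset({"programming", "computer_operations"}),
    frozenset({"programming", "transaction_authorization"}),
    frozenset({"programming", "ais_library"}),
    frozenset({"computer_operations", "transaction_authorization"}),
    frozenset({"data_control", "transaction_authorization"}),
}


def sod_violations(assignments):
    """Return {user: [(func_a, func_b), ...]} for users holding conflicting functions."""
    out = {}
    for user, funcs in assignments.items():
        unknown = set(funcs) - FUNCTIONS
        if unknown:  # reject typos rather than silently treating them as harmless
            raise ValueError(f"{user}: unknown function(s) {sorted(unknown)}")
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(set(funcs)), 2)
                if frozenset(pair) in CONFLICTS]
        if hits:
            out[user] = hits
    return out


def violations_after_grant(assignments, user, func):
    """Preventive check: conflicts a proposed new grant would create for `user`."""
    trial = {u: list(f) for u, f in assignments.items()}
    trial.setdefault(user, []).append(func)
    return sod_violations(trial).get(user, [])


# Constructed sample assignments (not real data).
SAMPLE = {
    "alice": ["systems_analysis", "programming"],
    "bob":   ["computer_operations"],
    "carol": ["programming", "computer_operations"],          # writes and runs code
    "dave":  ["transaction_authorization", "data_control"],  # authorizes and controls data
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE).items():
        print(f"{user}: conflicting functions {hits}")
    print("grant computer_operations to alice ->",
          violations_after_grant(SAMPLE, "alice", "computer_operations"))
```

The preventive form is the one to wire into the account-provisioning step: a request that would create a conflict is refused (or routed for compensating-control approval) instead of being discovered at the next audit.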

15 Use of Computer Accounts
Use of computer accounts helps to ensure that access is limited to specific users
- mostly by using passwords
- increasingly by using biometrics (such as digital fingerprinting)
and protects the use of scarce resources.

16 Use of Computer Accounts
- limit user access to particular computer files or programs
- protect files from unauthorized use
- protect computer time from unauthorized use
- place resource limitations on account numbers, which limits the damage from programmer/operator errors

17 File Security Controls
The purpose of file security controls is to protect computer files from
- accidental abuse
- intentional abuse

18 File Security Controls
Some examples of file security controls are
- external file labels
- internal file labels
- lockout procedures
- file protection rings
- read-only file designation

19 Fault-Tolerant Systems
Fault-tolerant systems
- are designed to tolerate computer errors and keep functioning
- are often based on the concept of redundancy
- are created by instituting duplicate communication paths and communications processors

20 Fault-Tolerant Systems
Redundancy in CPU processing can be achieved
- with consensus-based protocols
- with a second (watchdog) processor
Disks can be made fault-tolerant
- by disk mirroring
- by rollback processing, which returns the data to its last consistent state after a failed update

21 Backup
Backup
- is essential for vital documents and data
- for batch-processed files, uses the grandfather-parent-child procedure, in which the two previous generations of a master file are retained along with the transaction files needed to recreate the current one
- can be electronically transmitted to a remote site (electronic vaulting)
- relies on an uninterruptible power supply (UPS) as an auxiliary power source so processing is not cut off mid-run

22 Backup
Backup is similar to the redundancy concept in fault-tolerant systems.
- A hot backup is performed while the database is online and available for read/write.
- A cold backup is performed while the database is offline and unavailable to its users.

23 Contingency Planning
Contingency planning
- includes the development of a formal disaster recovery plan
- describes the procedures to be followed in an emergency
- describes the role of each member of the recovery team
- appoints one person to be in command and another to be second-in-command
- involves a recovery site, which can be either a hot site or a cold site

24 Computer Facility Controls
Locate the data processing center in a safe place where
- the public does not have access
- it is guarded by personnel
- there is a limited number of secured entrances
- there is protection against natural disasters

25 Computer Facility Controls
- Limit employee access by issuing magnetic, electronic, or optically coded identification badges
- Buy insurance

26 Access to Computer Files
Logical access to data is restricted by
- passwords (encourage strong passwords)
- biometric identification using voice patterns, fingerprints, and retina scans

The objectives of these controls are to provide assurance that
- the development of and changes to computer programs are authorized, tested, and approved before use
- access to data files is restricted
- processed accounting data are accurate and complete

28 Control Concerns
- Errors may be magnified
- Inadequate separation of duties
- Audit trails
- Greater access to data
- Characteristics of magnetic or optical media

IT general controls involve
- Security for Wireless Technology
- Controls for Hardwired Network Systems
- Security and Controls for Microcomputers
- IT Control Objectives for Sarbanes-Oxley

30 Security for Wireless Technology
Security for wireless technology involves
- a virtual private network (VPN)
- data encryption

31 Controls for Hardwired Network Systems
The routine use of systems such as distributed data processing (DDP) and client/server computing increases control problems for companies, which include
- electronic eavesdropping
- hardware or software malfunctions causing network system failures
- errors in data transmission

32 Controls for Hardwired Network Systems
To reduce the risk of system failures, networks are designed
- to handle periods of peak transmission volume
- to use redundant components, such as modems
- to recover from failure using checkpoint control procedures
- to use routing verification procedures
- to use message acknowledgment procedures

33 Security and Controls for Microcomputers
General and application control procedures are important for microcomputers. Most risks associated with AISs result from
- errors, irregularities, or fraud
- general threats to security (such as a computer virus)
Some risks that are unique to the microcomputer are
- hardware: microcomputers can be easily stolen or destroyed
- data and software: easy to access, modify, copy, or destroy, and therefore difficult to control

34 Control Procedures for Microcomputers
Some cost-effective control procedures are
- take inventory
- install keyboard locks
- lock laptops in cabinets
- follow software protection procedures
- create backup files
- lock office doors

35 Additional Controls for Laptops
Some specific controls for laptops are
- identify (mark) your laptop
- use nonbreakable cables to attach laptops to stationary furniture
- load antivirus software
- keep laptop information backed up

36 IT Control Objectives for Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 (SOX) profoundly impacts
- public companies
- managers
- internal auditors
- external auditors

37 IT Control Objectives for Sarbanes-Oxley
The IT Governance Institute (ITGI) issued 'IT Control Objectives for Sarbanes-Oxley' in April 2004, which
- helps organizations comply with SOX requirements and PCAOB requirements
- includes detailed guidance for organizations, starting with the IT controls from CobiT, linking those to the IT general control categories in the PCAOB standard, and then linking to the COSO framework

38 Application Controls for Transaction Processing
Application controls are designed to prevent, detect, and correct errors and irregularities in transactions in the
- input
- processing
- output
stages of data processing.

39 Application Controls for Transaction Processing

40 Input Controls
Input controls attempt to ensure the
- validity
- accuracy
- completeness
of the data entered into an AIS. The categories of input controls include
- observation, recording, and transcription of data
- edit tests
- additional input controls

41 Observation, Recording, and Transcription of Data
The observation control procedures that assist in collecting data are
- feedback mechanisms
- dual observation
- point-of-sale (POS) devices
- preprinted recording forms

42 Data Transcription
Data transcription is the preparation of data for computerized processing.
Preformatted screens make the electronic version look like the printed form, so the operator keys each field into the same position it occupies on the source document.

43 Edit Tests
Input validation routines (edit programs) check the validity and accuracy of input data after the data have been entered and recorded on a machine-readable file.

44 Edit Tests
Edit tests examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality. Real-time systems apply edit checks during data entry, so an error is caught while the operator can still correct it.

45 Examples of Edit Tests
Common edit tests are
- numeric field
- alphabetic field
- alphanumeric field
- valid code
- reasonableness
- sign
- completeness
- sequence
- consistency
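The nine tests above become concrete once applied to a record. The following is an added example (not the textbook's code) that runs all nine over a constructed batch of sales transactions and reports, per record, which tests it fails; a rejected transaction would then go to the error log described under separation of duties and back to the user department. The field layout, the valid department-code table, the reasonableness limit and the sample records are assumptions made for illustration.

```python
"""Edit tests over a batch of transaction records (added example).

Each record is a dict of keyed strings, as it would arrive from a
preformatted data-entry screen. Field names, VALID_DEPT_CODES,
MAX_REASONABLE_QTY and SAMPLE_BATCH are assumed for illustration.
"""

REQUIRED = ("seq", "cust_id", "name", "item", "dept", "qty", "amount", "txn_type")
VALID_DEPT_CODES = {"10", "20", "30"}   # assumed valid-code table
MAX_REASONABLE_QTY = 1_000              # assumed reasonableness limit per line


def run_edit_tests(rec, prev_seq):
    """Return the names of the edit tests `rec` fails (empty list = accepted)."""
    errs = []
    # completeness: every required field present and non-blank; nothing else
    # can be checked meaningfully if a field is missing
    if any(str(rec.get(f, "")).strip() == "" for f in REQUIRED):
        return ["completeness"]
    if not rec["cust_id"].isdigit():
        errs.append("numeric field")
    if not rec["name"].isalpha():
        errs.append("alphabetic field")
    if not rec["item"].isalnum():
        errs.append("alphanumeric field")
    if rec["dept"] not in VALID_DEPT_CODES:
        errs.append("valid code")
    try:
        seq, qty, amount = int(rec["seq"]), int(rec["qty"]), float(rec["amount"])
    except ValueError:
        return errs + ["numeric field"]
    if qty < 0:                                   # sign: quantities are never negative
        errs.append("sign")
    if abs(qty) > MAX_REASONABLE_QTY:             # reasonableness: plausible magnitude
        errs.append("reasonableness")
    # consistency: a sale carries a non-negative amount, a return a non-positive one
    if (rec["txn_type"] == "SALE" and amount < 0) or (rec["txn_type"] == "RET" and amount > 0):
        errs.append("consistency")
    if seq != prev_seq + 1:                       # sequence: no gaps or repeats
        errs.append("sequence")
    return errs


def edit_batch(records):
    """Split a batch into (accepted records, [(seq, failed tests), ...])."""
    accepted, rejected = [], []
    prev_seq = 0
    for rec in records:
        errs = run_edit_tests(rec, prev_seq)
        if errs:
            rejected.append((rec.get("seq"), errs))
        else:
            accepted.append(rec)
        if str(rec.get("seq", "")).isdigit():    # keep the sequence check moving
            prev_seq = int(rec["seq"])
    return accepted, rejected


# Constructed sample batch: one clean record, then one defect type per record.
SAMPLE_BATCH = [
    {"seq": "1", "cust_id": "1001", "name": "Acme",  "item": "W12", "dept": "10", "qty": "5",    "amount": "250.00", "txn_type": "SALE"},
    {"seq": "2", "cust_id": "10A2", "name": "Baker", "item": "W13", "dept": "20", "qty": "2",    "amount": "40.00",  "txn_type": "SALE"},
    {"seq": "3", "cust_id": "1003", "name": "Cole",  "item": "W14", "dept": "99", "qty": "5000", "amount": "1.00",   "txn_type": "SALE"},
    {"seq": "5", "cust_id": "1004", "name": "Dale",  "item": "W15", "dept": "30", "qty": "1",    "amount": "30.00",  "txn_type": "RET"},
    {"seq": "6", "cust_id": "1005", "name": "",      "item": "W16", "dept": "10", "qty": "1",    "amount": "10.00",  "txn_type": "SALE"},
    {"seq": "7", "cust_id": "1006", "name": "Ed",    "item": "W17", "dept": "10", "qty": "-3",   "amount": "-90.00", "txn_type": "RET"},
]

if __name__ == "__main__":
    ok, bad = edit_batch(SAMPLE_BATCH)
    print("accepted:", [r["seq"] for r in ok])
    for seq, errs in bad:
        print(f"rejected seq {seq}: {', '.join(errs)}")
```

Note that a record can fail several tests at once (seq 3 fails both valid code and reasonableness); reporting all of them, rather than stopping at the first, saves the user department a second round trip.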

46 Processing Controls
Processing controls focus on the manipulation of accounting data after they are input to the computer system. The key objective is a clear audit trail. Processing controls are of two kinds:
- data-access controls
- data manipulation controls

47 Data-Access Control Totals
Some common processing control procedures are
- batch control total
- financial control total
- nonfinancial control total
- hash total
- record count
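The four totals are complementary: each catches a class of processing error the others miss. The following is an added example (not the textbook's code) that computes a record count, a financial total, a nonfinancial total and a hash total over a constructed batch, then reconciles what was processed against the control slip prepared from the source documents. Field names and the sample batch are assumptions; the two scenarios show a dropped record (every total moves) and a transposed customer number (only the hash total moves, which is exactly why a hash total over a non-financial field is kept).

```python
"""Batch control totals and reconciliation (added example).

Records are dicts of strings as they leave data entry. Field names and the
sample batches are constructed for illustration. Decimal is used for money
so the financial total is exact.
"""
from decimal import Decimal


def control_totals(records):
    """Compute the four control totals over a batch of records."""
    return {
        "record_count": len(records),
        "financial_total": sum(Decimal(r["amount"]) for r in records),   # dollars
        "nonfinancial_total": sum(int(r["qty"]) for r in records),       # units
        # hash total: arithmetic sum of a field with no meaning as a number
        # (customer numbers); it only exists to detect changed or lost records
        "hash_total": sum(int(r["cust_id"]) for r in records),
    }


def reconcile(processed, control_slip):
    """Return {total: (expected, actual)} for every total that disagrees."""
    actual = control_totals(processed)
    return {name: (control_slip[name], actual[name])
            for name in control_slip if control_slip[name] != actual[name]}


# Constructed source batch; the control slip is prepared from these documents.
SOURCE = [
    {"cust_id": "1001", "qty": "5", "amount": "250.00"},
    {"cust_id": "1023", "qty": "2", "amount": "40.00"},
    {"cust_id": "1105", "qty": "1", "amount": "30.00"},
]
CONTROL_SLIP = control_totals(SOURCE)

# Scenario 1: record three lost between data entry and processing.
DROPPED = SOURCE[:2]

# Scenario 2: digits transposed in one customer number (1023 -> 1032);
# count, dollars and units are all unchanged, so only the hash total can see it.
TRANSPOSED = [dict(r) for r in SOURCE]
TRANSPOSED[1]["cust_id"] = "1032"

if __name__ == "__main__":
    print("control slip:", CONTROL_SLIP)
    print("dropped record:", reconcile(DROPPED, CONTROL_SLIP))
    print("transposed cust_id:", reconcile(TRANSPOSED, CONTROL_SLIP))
```

A batch whose reconciliation returns anything other than an empty dict is held, not posted, until the difference is explained; the mismatching total names tell the operator where to look.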

48 Data Manipulation Controls
Once data have been validated by earlier portions of data processing, they usually must be manipulated in some way to produce useful output. Data manipulation controls include:
- software documentation, i.e. flowcharts and diagrams
- the compiler
- test data

49 Output Controls
The objectives of output controls are to ensure the
- validity
- accuracy
- completeness
of output. The two major types of output application controls are
- validating processing results, by means of activity (or proof) listings
- regulating the distribution and use of printed output, through
  - prenumbered forms
  - an authorized distribution list
  - shredding sensitive documents

51 Copyright Copyright 2008 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
