Copyright © 2004 South-Western. All rights reserved.
Presentation transcript:

Chapter 8 IT Governance: Management Control of Information Technology and Information Integrity

Learning Objectives
- To explain why business organizations need to achieve an adequate level of internal control
- To explain the importance of internal control to organizational and IT governance, and business ethics
- To enumerate IT resources and explain how difficult it is to control them
- To describe management fraud, computer fraud, and computer abuse

Learning Objectives (cont'd)
- To describe the major IT control processes organizations use to manage their IT resources
- To identify operations and information process control goals and categories of control plans

Why Controls?
- To ensure attainment of objectives
- To lessen risks of unwanted outcomes
- Heightened awareness of scandals
- Impact of software and hardware on corporate governance
- Management's legal responsibilities
- Highly publicized management and employee fraud

Fraud and Control
- Fraud: a deliberate act or untruth intended to obtain unfair or unlawful gain.
- Management is charged with the responsibility to prevent and/or disclose fraud.
- Control systems enable management to meet this responsibility.

Internal Control
- A system of integrated elements (people, structure, processes, and procedures) acting together to provide reasonable assurance that an organization achieves its process goals.
- The internal control system is the responsibility of top management and therefore should:
  - Reflect management's careful assessment of risks.
  - Be based on management's evaluation of costs versus benefits.
  - Be built on management's strong sense of business ethics and personal integrity.

Ethics and Controls
- The COSO report stresses ethics as part of the control environment ("tone at the top").
- Many corporations have developed a Code of Conduct.

Business Process Control Goals and Plans
- Control goals: objectives to be attained
  - Operations process
  - Information process
- Control plans: policies and procedures that assist in accomplishing control goals

Effectiveness and Efficiency
- Effectiveness: a measure of individual or organizational success in meeting established goals.
- Efficiency: a measure of the productivity of resources applied to individual and organizational goals.

Control Goals of the Operations Process
- Effectiveness of operations
  - Ensure the operations process is fulfilling its purpose
  - Satisfy critical success factors
- Efficient employment of resources
  - Prevent unnecessary waste of resources
  - Accomplish goals with a minimum deployment of resources
- Security of resources
  - Lock the door
  - Lock the computer door (access codes/passwords)

Control Goals of the Information Process
- For transaction data (temporary):
  - Input validity (only approved/authorized data)
  - Input completeness (all valid data captured/entered)
  - Input accuracy (correct data entered correctly)
- For master data (permanent):
  - Update completeness (all data entered is reflected in the updated master)
  - Update accuracy (data entered is reflected accurately in the updated master)

Control Plans (space domain)
- Information processing policies and procedures that assist in accomplishing control goals:
  - Control environment
  - Pervasive control plans
  - Process control plans

A Control Hierarchy (FIGURE 8.1)
- The Control Environment: overall policies and procedures that demonstrate an organization's commitment to the importance of control. Overall protection: enhances the effectiveness of the pervasive and application control plans. Examples: corporate ethics; "tone at the top".
- Pervasive Control Plans: address multiple goals and apply to many processes. Second level of protection: a major subset of these controls, IT processes (i.e., controls), is discussed in this chapter. Examples: access to systems; fidelity bonds.
- Process Control Plans: relate to a specific business process or to the technology used to implement the process. Third level of protection: discussed and illustrated in Chapters 9–14. Examples: edit checks; batch totals.
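An added example (not from the slides) of the third-level process control plans named above, edit checks and batch totals, applied to the information-process control goals on the previous slide. It runs one constructed batch of purchase-order records through record-level edit checks and batch-level control totals and tags each finding with the goal it serves (input validity, input completeness, input accuracy). The field names, the authorized-vendor list and the batch header are assumptions.

```python
# Added example: edit checks and batch totals as process control plans.
# Field names, the vendor master and the batch header are assumptions.
AUTHORIZED_VENDORS = {"V100", "V200", "V300"}          # assumed vendor master data
REQUIRED_FIELDS = ("po_id", "vendor", "amount", "qty")

# Constructed batch. The header totals were computed from the source documents
# before keying, so a mismatch points at an entry error or a dropped record.
BATCH_HEADER = {"record_count": 4, "amount_total": 1450.00, "hash_total_qty": 36}
BATCH = [
    {"po_id": "PO-1", "vendor": "V100", "amount": 500.00, "qty": 10},
    {"po_id": "PO-2", "vendor": "V999", "amount": 250.00, "qty": 5},    # vendor not in master
    {"po_id": "PO-3", "vendor": "V200", "amount": "5oo.00", "qty": 20},  # keying error in amount
    # PO-4 (amount 200.00, qty 1) was never keyed: the batch is one record short
]

def edit_checks(batch, authorized=AUTHORIZED_VENDORS):
    """Record-level edit checks; each finding is (record, control goal, detail)."""
    findings = []
    for rec in batch:
        missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
        if missing:
            findings.append((rec.get("po_id"), "input completeness", f"missing {missing}"))
        if rec.get("vendor") not in authorized:
            findings.append((rec.get("po_id"), "input validity", "vendor not authorized"))
        amount = rec.get("amount")
        if not isinstance(amount, (int, float)) or amount <= 0:
            findings.append((rec.get("po_id"), "input accuracy", "amount is not a positive number"))
    return findings

def batch_totals(batch, header):
    """Batch-level controls: record count, financial total and a hash total on qty."""
    count = len(batch)
    amounts = sum(r["amount"] for r in batch if isinstance(r["amount"], (int, float)))
    qty_hash = sum(r["qty"] for r in batch)   # hash total: a meaningless sum used only for agreement
    findings = []
    if count != header["record_count"]:
        findings.append(("batch", "input completeness", f"record count {count} != {header['record_count']}"))
    if abs(amounts - header["amount_total"]) > 0.005:
        findings.append(("batch", "input accuracy", f"amount total {amounts} != {header['amount_total']}"))
    if qty_hash != header["hash_total_qty"]:
        findings.append(("batch", "input accuracy", f"qty hash total {qty_hash} != {header['hash_total_qty']}"))
    return findings

def review_batch(batch=BATCH, header=BATCH_HEADER):
    """Run both levels; an empty result means the batch may be released for posting."""
    return edit_checks(batch) + batch_totals(batch, header)
```

The record-level checks catch the bad vendor and the mistyped amount, while only the batch totals reveal the record that was never keyed at all.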

Control Plans: Other Classifications (time domain)
- Preventive
- Detective
- Corrective

Information Technology Resources
- Data
- Application systems
- Technology
- Facilities
- People

Four Broad IT Control Process Domains (from COBIT) (FIGURE 8.2)

Ten Important IT Control Processes (FIGURE 8.2)

IT Control Processes and Domains
- Planning and Organization
  - Process 1: Establish strategic vision
  - Process 2: Develop tactics to realize strategic vision
- Acquisition and Implementation
  - Process 3: Identify automated solutions
  - Process 4: Develop and acquire IT solutions
  - Process 5: Integrate IT solutions into operations
  - Process 6: Manage change to existing IT systems

IT Control Processes and Domains (cont'd)
- Delivery and Support
  - Process 7: Deliver required IT services
  - Process 8: Ensure security and continuous service
  - Process 9: Provide support services
- Monitoring
  - Process 10: Monitor operations

Process 1: Elements of a Strategic IT Plan
- Summary of the organization's strategic goals and strategies and how they relate to the IT function.
- IT goals and strategies and how each will support the organization's goals and strategies.
- Information architectural model: the corporate data model and the associated information systems.

Process 2: Organizational Control Plans
- Segregation of duties:
  - Authorizing transactions
  - Executing transactions
  - Recording transactions
  - Safeguarding resulting resources
- Organizational plans for the information system function
- IT steering committee

Illustration of Segregation of Duties (TABLE 8.2a)
- Function 1, Authorizing events: approve steps of event processing.
- Function 2, Executing events: physically move resources; complete source documents.
- Function 3, Recording events: record events in the appropriate data store(s); post event summaries to the master data store.
- Function 4, Safeguarding resources resulting from consummating events: physically protect resources; maintain accountability of physical resources.

Illustration of Segregation of Duties (cont'd) (TABLE 8.2b)
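An added example (not from the slides) of the segregation-of-duties control in Table 8.2a as code: the four functions are checked against a constructed event trail, once as a detective control (scan the trail for a person who performed two functions on the same event) and once as a preventive control (refuse the action before it happens). The user names, event ids and trail format are assumptions.

```python
# Added example: segregation of duties over the four functions of Table 8.2a.
# Event ids, user names and the (event_id, function, user) trail layout are assumptions.
from collections import defaultdict

AUTHORIZE, EXECUTE, RECORD, SAFEGUARD = "authorize", "execute", "record", "safeguard"
FUNCTIONS = (AUTHORIZE, EXECUTE, RECORD, SAFEGUARD)

# Constructed event trail. E1 is properly segregated; on E2 one person both
# authorizes and executes; on E3 one person does everything but safeguarding.
TRAIL = [
    ("E1", AUTHORIZE, "alice"), ("E1", EXECUTE, "bob"), ("E1", RECORD, "carol"), ("E1", SAFEGUARD, "dave"),
    ("E2", AUTHORIZE, "alice"), ("E2", EXECUTE, "alice"), ("E2", RECORD, "carol"), ("E2", SAFEGUARD, "dave"),
    ("E3", AUTHORIZE, "bob"),   ("E3", EXECUTE, "bob"),   ("E3", RECORD, "bob"),   ("E3", SAFEGUARD, "dave"),
]

def sod_conflicts(trail):
    """Detective control: {event_id: [(user, [functions]), ...]} for every user who
    performed more than one of the four functions on the same event."""
    by_event = defaultdict(lambda: defaultdict(list))
    for event_id, function, user in trail:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function {function!r}")
        by_event[event_id][user].append(function)
    conflicts = {}
    for event_id, users in by_event.items():
        bad = [(u, fns) for u, fns in users.items() if len(set(fns)) > 1]
        if bad:
            conflicts[event_id] = bad
    return conflicts

def can_perform(trail, event_id, function, user):
    """Preventive control: allow the action only if this user has not already
    performed a different function on the same event."""
    done = {fn for eid, fn, u in trail if eid == event_id and u == user}
    return not (done - {function})
```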

Process 3: Identify Automated Solutions
- Develop solutions consistent with the strategic IT plan
Process 4: Develop/Acquire IT Solutions
- Develop/acquire application software
- Acquire technology infrastructure
- Develop service-level requirements and application documentation

Process 5: Integrate IT Solutions into Operational Processes
- Develop solutions consistent with the strategic IT plan
Process 6: Manage Changes to Existing IT Systems
- Develop/acquire application software
- Acquire technology infrastructure
- Develop service-level requirements and application documentation

Process 7: Deliver Required IT Services
- Define service levels
- Manage third-party services
- Manage IT operations
- Manage data (backup)
- Identify and allocate costs

Illustration of Program Change Controls (FIGURE 8.3)

Process 8: Ensure Security and Continuous Service
- Disaster recovery
  - Hot site (fully equipped)
  - Cold site (environmentally conditioned)
- Restrict access
  - Physical access
  - Logical access

Restricting Access to Computing Resources: Layers of Protection (FIGURE 8.4a)

Restricting Access to Computing Resources: Layers of Protection (cont'd) (FIGURE 8.4b)

Environmental Controls (TABLE 8.5)
- Fire: smoke detectors, fire alarms, fire extinguishers, fire-resistant construction materials, insurance
- Water damage: waterproof ceilings, walls, and floors; adequate drainage; water and moisture detection alarms; insurance
- Dust, coffee, tea, soft drinks: regular cleaning of rooms and equipment; dust-collecting rugs at entrances; separating dust-generating activities from the computer; good housekeeping; prohibiting food and drinks within computing facilities
- Energy increase, decrease, loss: voltage regulators, backup batteries and generators, fiber optic networks

Process 9: Provide Support Services
- Regular training sessions should be provided
- Advice and assistance should be given
- Very often a "help desk" is set up for these purposes
Process 10: Monitor Operations
- Gather data about processes
- Generate performance reports
- WebTrust - ISP