Controlling Computer-Based Information Systems, Part II


Chapter 16: Controlling Computer-Based Information Systems, Part II

Figure: General Control Framework for CBIS Risks. Risk areas covered by the framework: Organizational Structure, Systems Development, Systems Maintenance, Computer Center Security, Internet and Intranet, EDI Trading Partners, Personal Computers, Data Management, Operating System, Applications.

Internet and Intranet Risks from Subversive Threats
These acts include:
- unauthorized interception of a message
- gaining unauthorized access to an organization's network
- a denial-of-service attack from a remote location

Dual-Homed Firewall

Controlling Risks from Subversive Threats
Denial-of-service (DoS) attacks: security software searches the connection table for TCP connections that have been half-open (SYN received, handshake never completed) for longer than a set period and drops them, so that a flood of such requests cannot exhaust the server's connection capacity.
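The half-open search described on this slide, as an added example that is not part of the original presentation. The connection-table snapshot, the 10-second timeout and the per-source limit are all constructed assumptions; the check flags SYN_RECV entries older than the timeout for dropping and reports any source address that accounts for several of them. Modern kernels also defend with SYN cookies, which this example does not cover.

```python
from collections import Counter

# Constructed sample (not a real capture): a snapshot of a server's TCP
# connection table, one entry per line:
#   "<src_ip>:<src_port> <dst_port> <state> <age_seconds>"
SAMPLE_TABLE = """\
203.0.113.7:40112 443 ESTABLISHED 120
198.51.100.9:51004 443 SYN_RECV 1
198.51.100.9:51005 443 SYN_RECV 14
198.51.100.9:51006 443 SYN_RECV 15
198.51.100.9:51007 443 SYN_RECV 16
192.0.2.44:33001 443 SYN_RECV 2
203.0.113.8:40200 443 ESTABLISHED 5
198.51.100.9:51008 443 SYN_RECV 17
"""

# Assumed policy thresholds (not from the slides): a handshake that has not
# completed within this many seconds is treated as abandoned, and a source
# with at least this many stale half-open connections is treated as a flood source.
HALF_OPEN_TIMEOUT_S = 10
PER_SOURCE_LIMIT = 3


def parse_table(text):
    """Parse the snapshot into a list of connection dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        endpoint, dst_port, state, age = line.split()
        src_ip, src_port = endpoint.rsplit(":", 1)
        rows.append({
            "src_ip": src_ip,
            "src_port": int(src_port),
            "dst_port": int(dst_port),
            "state": state,
            "age": int(age),
        })
    return rows


def stale_half_open(rows, timeout=HALF_OPEN_TIMEOUT_S):
    """Half-open connections (SYN received, final ACK never returned) older than
    the timeout. Fresh SYN_RECV entries are normal and are deliberately left alone."""
    return [r for r in rows if r["state"] == "SYN_RECV" and r["age"] > timeout]


def flood_sources(stale, limit=PER_SOURCE_LIMIT):
    """Group stale entries by source address; sources at or over the limit are
    reported so the operator can block them rather than only dropping entries."""
    counts = Counter(r["src_ip"] for r in stale)
    return {ip: n for ip, n in counts.items() if n >= limit}


def connections_to_drop(text):
    """Full check: returns (entries to drop, suspected flood sources)."""
    stale = stale_half_open(parse_table(text))
    return stale, flood_sources(stale)


if __name__ == "__main__":
    drop, sources = connections_to_drop(SAMPLE_TABLE)
    for r in drop:
        print(f"drop {r['src_ip']}:{r['src_port']} half-open for {r['age']}s")
    print("suspected flood sources:", sources)
```

Only the four entries from 198.51.100.9 that have sat in SYN_RECV past the timeout are dropped; the two young half-open entries are left, since a legitimate client may simply be slow to complete its handshake.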

Controlling Risks from Subversive Threats
Encryption: a computer program transforms a clear message into coded (ciphertext) form using an algorithm. Encryption can be used for transmitted data and for stored data.

Figure: Data Encryption Standard technique. Sender side: cleartext message -> encryption program (with key) -> ciphertext -> communication system. Receiver side: communication system -> ciphertext -> encryption program (with the same key) -> cleartext message.

Figure: Public and Private Key Encryption. Multiple people may have the public key (e.g., subordinates); the public key is used for encoding messages, so Messages A, B, C and D are each turned into ciphertext by their senders. Typically one person or a small number of people have the private key (e.g., a supervisor); the private key is used for decoding, recovering Messages A, B, C and D from the ciphertexts.

Controlling Risks from Subversive Threats
Digital signature: an electronic authentication technique that ensures that the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied.
Digital certificate: like an electronic identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender.

Electronic Data Interchange (EDI) Risks
- Authorization: automated, with an absence of human intervention
- Access: need to access the EDI partner's files
- Audit trail: paperless and transparent (automatic) transactions

Electronic Data Interchange (EDI) Controls
- Authorization: use of passwords and VANs to ensure a valid partner
- Access: software to specify what can be accessed and at what level
- Audit trail: a control log records the transaction's flow through each phase of transaction processing

Figure: EDI System without Controls. Company A's purchases system and Company B's (the vendor's) sales order system exchange transactions through application software -> EDI translation software -> communications software over a direct connection, with no transaction log and no restriction on what the partner can reach.

Figure: EDI System with Controls. The same flow with three controls added: a transaction log at each company records the transactions between trading partners, preserving an audit trail; software limits the vendor's (Company B's) access to Company A's database; and a VAN with a mailbox for each company enforces the use of passwords and valid partners.
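The authorization and audit-trail controls from the EDI slides, as an added example that is not part of the original presentation. The partner registry stands in for the VAN's password check, and the four processing phases, the partner name and the sample log are constructed assumptions. The audit step reconstructs each transaction's path through the phases and reports any that stalled or skipped a phase, which is the check an auditor would run over the control log.

```python
import hashlib
import hmac

# Assumed (not from the slides): the phases an incoming EDI transaction passes
# through, in the order it must pass through them.
PHASES = ("received", "translated", "validated", "posted")

# Assumed stand-in for the VAN's partner/password check. Only a SHA-256 of each
# partner password is kept, so the registry itself holds no clear-text secrets.
PARTNER_REGISTRY = {
    "VENDOR-B": hashlib.sha256(b"vendor-b-mailbox-secret").hexdigest(),
}


def authorize_partner(partner_id, password: bytes) -> bool:
    """Authorization control: accept a transaction only from a registered
    partner presenting the right password (constant-time comparison)."""
    expected = PARTNER_REGISTRY.get(partner_id)
    if expected is None:
        return False
    presented = hashlib.sha256(password).hexdigest()
    return hmac.compare_digest(expected, presented)


def record_phase(log, txn_id, partner_id, phase):
    """Audit-trail control: append one entry per phase; the log is append-only."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    log.append({"txn": txn_id, "partner": partner_id, "phase": phase})


def audit_trail(log):
    """Reconstruct each transaction's path through the phases and report the
    ones that did not complete, or that skipped a phase."""
    paths = {}
    for entry in log:
        paths.setdefault(entry["txn"], []).append(entry["phase"])
    report = {}
    for txn, seen in paths.items():
        if seen == list(PHASES):
            report[txn] = "complete"
        elif seen == list(PHASES[:len(seen)]):
            report[txn] = f"incomplete: stopped after {seen[-1]}"
        else:
            report[txn] = "out of order: " + " -> ".join(seen)
    return report


def build_sample_log():
    """Constructed sample log (not real data) covering the three outcomes."""
    log = []
    for phase in PHASES:                                  # TXN-1001: every phase
        record_phase(log, "TXN-1001", "VENDOR-B", phase)
    for phase in PHASES[:2]:                              # TXN-1002: stalls after translation
        record_phase(log, "TXN-1002", "VENDOR-B", phase)
    for phase in ("received", "translated", "posted"):    # TXN-1003: validation skipped
        record_phase(log, "TXN-1003", "VENDOR-B", phase)
    return log


if __name__ == "__main__":
    print("VENDOR-B, right password:", authorize_partner("VENDOR-B", b"vendor-b-mailbox-secret"))
    print("VENDOR-X, unknown partner:", authorize_partner("VENDOR-X", b"anything"))
    for txn, status in audit_trail(build_sample_log()).items():
        print(txn, status)
```

The transaction that was posted without passing validation is the one an auditor most wants to see, since it is exactly the kind of event that leaves no paper trace in an automated exchange.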

Personal Computer (PC) Controls
PCs:
- are relatively simple to use
- are frequently controlled and used by end users
- usually employ interactive (versus batch) data processing
- typically run commercial software applications
- allow users to develop their own applications
PCs, in contrast to servers and mainframes, have weak operating systems. This makes them easy to use but results in minimal security and weak controls.

Access Risks in the PC Environment
PCs are typically weak in controlling access to data files. Techniques to prevent theft or tampering of data:
- data encryption: the data must be decoded even if the disk is stolen
- disk locks: software or physical locks to prevent booting from the A:\ floppy drive

Inadequate Segregation of Duties
In PC environments, employees often have access to multiple applications that process incompatible transactions. Controls:
- increased supervision
- detailed management reports
- more frequent independent verification

PC Backup Controls
PC end users often fail to appreciate the importance of backup procedures until it is too late. Backup mechanisms:
- tape: high capacity (3.2 GB), inexpensive
- CD: about 650 MB (more than 450 floppies)
- dual internal hard drives: high capacity
- dual external hard drives: more than 12 GB
- USB memory devices: portable, more than 64 MB

Application Controls
Narrowly focused on exposures within a specific system, for example:
- accounts payable
- cash disbursements
- fixed asset accounting
- payroll
- sales order processing
- cash receipts
- general ledger

Application Controls
Risks within specific applications can affect manual procedures (e.g., entering data) or embedded procedures. It is convenient to look at them in terms of three stages: input, processing and output.

Application Controls: Input
Goal of input controls: inputted data are valid, accurate, and complete (garbage in, garbage out: GIGO).
- Source document controls: use prenumbered source documents; audit for missing source documents
- Data coding controls: detect transcription errors in coded data, for example with check digits

Application Controls: Input
Batch controls: used to reconcile the output produced by the system with the input originally entered into the system. Based on different types of batch totals:
- total number of records
- total dollar value
- hash totals: the sum of non-financial numbers, such as account numbers

Application Controls: Input
Validation controls: intended to detect errors in transaction data before the data are processed.
- field interrogation: data in individual fields; for example, missing data, data type, range
- record interrogation: the interrelationship of data in the fields of a record
- file interrogation: the correct file; for example, internal and external labels compared, version, dates
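The three input controls from the preceding slides (check digits, batch totals, and field and record interrogation) run over one constructed batch of cash-disbursement records, as an added example that is not part of the original presentation. The modulus-11 weighting, the amount limits, the "a CHECK above the limit must be a WIRE" rule and the control slip are all assumptions; the batch deliberately contains a transposed account number, a missing vendor, a negative amount, an oversized check, and a keying error that the dollar total exposes.

```python
from decimal import Decimal, InvalidOperation

# Assumed policy limits (not from the slides).
MAX_AMOUNT = Decimal("50000.00")    # field interrogation: range check on amount
CHECK_LIMIT = Decimal("10000.00")   # record interrogation: a CHECK over this must be a WIRE

# Constructed sample batch of cash disbursement records as keyed by a clerk
# (not real data). Account numbers end in a mod-11 check digit.
SAMPLE_BATCH = [
    {"account": "53724", "vendor": "ACME", "amount": "1200.00", "type": "CHECK"},
    {"account": "35724", "vendor": "BOLT", "amount": "450.50", "type": "CHECK"},    # 53724 with first digits transposed
    {"account": "88315", "vendor": "", "amount": "75.00", "type": "CHECK"},         # vendor missing
    {"account": "20419", "vendor": "CORE", "amount": "-10.00", "type": "CHECK"},    # negative amount
    {"account": "53724", "vendor": "ACME", "amount": "15000.00", "type": "CHECK"},  # too large for a check
]

# Constructed control slip prepared from the source documents before keying. The
# BOLT invoice was for 460.50 but was keyed as 450.50, so the dollar totals differ.
CONTROL_SLIP = {"count": 5, "dollars": Decimal("16725.50"), "hash": 251906}


def mod11_check_digit(base: str):
    """Mod-11 check digit: weight the digits 2, 3, 4, ... from the right. A result
    of 10 cannot be written as one digit, so such base numbers are not assigned."""
    total = sum(int(d) * w for d, w in zip(reversed(base), range(2, 2 + len(base))))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)


def has_valid_check_digit(code: str) -> bool:
    return code.isdigit() and len(code) >= 2 and mod11_check_digit(code[:-1]) == code[-1]


def validate_record(rec):
    """Validation control: field interrogation first, then record interrogation."""
    errors = []
    if not has_valid_check_digit(rec["account"]):
        errors.append("account: check digit failed")
    if not rec["vendor"].strip():
        errors.append("vendor: missing")
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        errors.append("amount: not numeric")
        return errors
    if not (Decimal("0") < amount <= MAX_AMOUNT):
        errors.append("amount: out of range")
    elif rec["type"] == "CHECK" and amount > CHECK_LIMIT:
        errors.append("record: CHECK over limit must be a WIRE")
    return errors


def validate_batch(batch):
    """Errors per record, keyed by position in the batch (records with errors only)."""
    return {i: errs for i, rec in enumerate(batch) if (errs := validate_record(rec))}


def batch_totals(batch):
    """Batch control totals: record count, dollar total, hash total of account numbers."""
    return {
        "count": len(batch),
        "dollars": sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        "hash": sum(int(r["account"]) for r in batch),
    }


def reconcile(batch, slip):
    """Batch control: compare computed totals with the control slip and return
    the totals that disagree as {name: (slip value, computed value)}."""
    actual = batch_totals(batch)
    return {k: (slip[k], actual[k]) for k in actual if actual[k] != slip[k]}


if __name__ == "__main__":
    print("check digit for 5372:", mod11_check_digit("5372"))
    print("validation errors:", validate_batch(SAMPLE_BATCH))
    print("batch total mismatches:", reconcile(SAMPLE_BATCH, CONTROL_SLIP))
```

The two controls catch different things: the check digit catches the transposition inside one account number, while the batch dollar total catches a wrong amount that is perfectly well-formed on its own. The hash total of account numbers agrees with the slip even though one account number is wrong, because the transposed digits happen to sum to a different account number that was also keyed; a hash total proves only that the set of numbers keyed sums to what was expected, which is why it is used alongside the other totals rather than instead of them.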

Figure: Transaction Log to Preserve the Audit Trail.

Application Controls: Output
Goal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. In the flowchart that accompanies this slide, there are exposures at every stage.