Information Systems Control. Dr. Yan Xiong, College of Business, CSU Sacramento, January 27, 2003. This lecture is based on Martin (2002) and Romney and Steinbart (2002).

Agenda
- AIS threats
- Internal controls
- General controls for information systems
- Internet controls
- Contingency management

AIS Threats: natural and political disasters
- fire or excessive heat
- floods
- earthquakes
- high winds
- war

AIS Threats: software errors and equipment malfunctions
- hardware failures
- power outages and fluctuations
- undetected data transmission errors

AIS Threats: unintentional acts
- accidents caused by human carelessness
- innocent errors or omissions
- lost or misplaced data
- logic errors
- systems that do not meet company needs

AIS Threats: intentional acts
- sabotage
- computer fraud
- embezzlement
- confidentiality breaches
- data theft

Agenda
- AIS threats
- Internal control
- Cost-benefit analysis
- General controls for information systems
- Internet controls
- Contingency management

Internal Control
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
- effectiveness and efficiency of operations
- reliability of financial reporting
- compliance with applicable laws and regulations

Internal Control Classifications
The specific control procedures used in internal control and management control systems can be classified along four dimensions:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

Types of Controls
- Preventive: deter problems before they arise (e.g., segregating duties)
- Detective: discover control problems as soon as they arise (e.g., bank reconciliation)
- Corrective: remedy problems discovered by detective controls (e.g., restoring from file backups)

Internal Control Model
COSO's internal control model has five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

The Control Environment
The control environment consists of many factors, including the following:
1. Commitment to integrity and ethical values
2. Management's philosophy and operating style
3. Organizational structure
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences

Control Activities
Generally, control procedures fall into one of five categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance

Proper Authorization of Transactions and Activities
- Authorization is the empowerment management gives employees to perform activities and make decisions.
- A signature (handwritten, or a digital signature or fingerprint) records that authorization on the document. A digital signature binds the approval to a piece of data that cannot be forged in practice without the signer's private key, so its value depends entirely on that key staying secret.
- Specific authorization is the granting of authorization by management for a particular activity or transaction.

Segregation of Duties
- Good internal control demands that no single employee be given too much responsibility.
- An employee should not be in a position to both perpetrate and conceal fraud or unintentional errors.

Segregation of Duties: the three functions to keep apart
- Recording functions: preparing source documents, maintaining journals, preparing reconciliations, preparing performance reports
- Custodial functions: handling cash, handling assets, writing checks, receiving checks in the mail
- Authorization functions: authorizing transactions

Segregation of Duties
- If any two of these three functions are the responsibility of a single person, problems can arise.
- Separating custody from recording prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
- Separating authorization from custody prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset theft.
- Separating authorization from recording prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.

Design and Use of Adequate Documents and Records
- The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
- Documents that initiate a transaction should contain a space for authorization.

Adequate Safeguards of Assets and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
- effectively supervising and segregating duties
- maintaining accurate records of assets, including information
- restricting physical access to cash and paper assets
- having restricted storage areas

Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
- cash registers
- safes and lockboxes
- safety deposit boxes
- restricted and fireproof storage areas
- controlling the environment
- restricted access to computer rooms, computer files, and information

Independent Checks on Performance
- Independent checks that transactions are processed accurately are another important control element.
- Types of independent checks:
  - reconciliation of two independently maintained sets of records
  - comparison of actual quantities with recorded amounts
  - double-entry accounting
  - batch totals
- Five batch totals are used in computer systems:
  1. A financial total is the sum of a dollar field.
  2. A hash total is the sum of a field that would not usually be added (employee or account numbers, for instance); it catches a substituted or transposed identifier that leaves every dollar figure unchanged.
  3. A record count is the number of documents processed.
  4. A line count is the number of lines of data entered.
  5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.

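The five batch totals above, worked as an added example (this code is not from the lecture or its textbooks): control totals are computed on a constructed batch of payroll timesheets, then recomputed on what arrives and compared, and a cross-footing test is run on a small report. Employee numbers, amounts and the report layout are made up for the example.

```python
# Added example (not from the lecture slides): computing the five batch
# control totals named on the slide over a constructed batch of payroll
# timesheets, then comparing header totals with what was received to detect
# a dropped or altered record. Employee numbers and amounts are made up.
from decimal import Decimal

# Constructed batch: one source document per employee, each with one or more
# pay lines (regular, overtime).
BATCH = [
    {"emp": 1041, "lines": [("regular", Decimal("1200.00"))]},
    {"emp": 1057, "lines": [("regular", Decimal("900.00")),
                            ("overtime", Decimal("75.00"))]},
    {"emp": 1062, "lines": [("regular", Decimal("1400.00")),
                            ("overtime", Decimal("175.00"))]},
]


def batch_totals(docs):
    """The control totals a data-entry clerk writes on the batch header."""
    return {
        # financial total: sum of a dollar field
        "financial_total": sum(amt for d in docs for _, amt in d["lines"]),
        # hash total: sum of a field that is never meaningfully added
        "hash_total": sum(d["emp"] for d in docs),
        # record count: number of documents processed
        "record_count": len(docs),
        # line count: number of data lines entered
        "line_count": sum(len(d["lines"]) for d in docs),
    }


def totals_out_of_balance(header_totals, received_docs):
    """Recompute the totals over what actually arrived and list the ones that
    disagree with the batch header. An empty list means the batch balances."""
    actual = batch_totals(received_docs)
    return [name for name, expected in header_totals.items()
            if actual[name] != expected]


def cross_foot(cells, printed_row_totals, printed_col_totals):
    """Cross-footing balance test for a report laid out as rows x columns.
    cells: {row: {col: amount}}. The printed totals are the figures as they
    appear on the report (produced by separate routines, so they can drift).
    Returns (grand total by rows, grand total by columns, balanced?)."""
    by_rows = sum(printed_row_totals.values())
    by_cols = sum(printed_col_totals.values())
    detail = sum(v for row in cells.values() for v in row.values())
    return by_rows, by_cols, by_rows == by_cols == detail


if __name__ == "__main__":
    header = batch_totals(BATCH)
    print("batch header:", header)

    # Transmission drops the second document: four totals disagree.
    print("dropped record:", totals_out_of_balance(header, BATCH[:1] + BATCH[2:]))

    # A transposed employee number (1057 -> 1075) leaves every dollar figure
    # intact; only the hash total catches it.
    transposed = [dict(d, emp=1075) if d["emp"] == 1057 else d for d in BATCH]
    print("transposed key:", totals_out_of_balance(header, transposed))

    # Cross-footing a department x pay-type report (constructed figures).
    cells = {"dept_10": {"regular": Decimal("2100"), "overtime": Decimal("75")},
             "dept_20": {"regular": Decimal("1400"), "overtime": Decimal("175")}}
    rows = {"dept_10": Decimal("2175"), "dept_20": Decimal("1575")}
    cols = {"regular": Decimal("3500"), "overtime": Decimal("250")}
    print("cross-foot:", cross_foot(cells, rows, cols))
    print("cross-foot, bad column total:",
          cross_foot(cells, rows, dict(cols, overtime=Decimal("205"))))
```

The point the slide makes about hash totals is visible in the second check: the transposed employee number changes no dollar amount, so the financial total, record count and line count all still balance, and only the hash total flags the batch.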
Information and Communication
- The fourth component of COSO's internal control model is information and communication.
- Accountants must understand the following:
  1. How transactions are initiated
  2. How data are captured in machine-readable form or converted from source documents
  3. How computer files are accessed and updated
  4. How data are processed to prepare information
  5. How information is reported
- All of these items make it possible for the system to have an audit trail.
- An audit trail exists when individual company transactions can be traced through the system.

Monitoring Performance
- The fifth component of COSO's internal control model is monitoring.
- Key methods of monitoring performance:
  - effective supervision
  - responsibility accounting
  - internal auditing

Risk Assessment
- The third component of COSO's internal control model is risk assessment.
- Companies must identify the threats they face:
  - strategic: doing the wrong thing
  - financial: having financial resources lost, wasted, or stolen
  - information: faulty or irrelevant information, or unreliable systems

Risk Assessment: EDI
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems

Risk Assessment
- Some threats pose a greater risk simply because they are more likely to occur. For example, a company is more likely to be the victim of computer fraud than of a terrorist attack.
- Risk (likelihood) and exposure (potential loss) must be considered together.

Costs and Benefits
The benefit of a control procedure is the difference between:
- the expected loss without the control procedure(s), and
- the expected loss with it.

Loss / Fraud Conditions
- Threat: a potential adverse or unwanted event that can be injurious to the AIS
- Exposure: the potential maximum dollar loss if the event occurs
- Risk: the likelihood that the event will occur
- Expected loss = Risk x Exposure

Loss / Fraud Conditions
For each AIS threat:
  Expected loss (potential $ loss) = Risk (likelihood of the event occurring) x Exposure (maximum $ loss)

Exposures (H = high, M = medium, L = low)
  Possible threat   Symbol   Exposure   Risk
  Disaster          D        H          L+
  Power outage      O        M          H
  System down       H        L          L
  Human error       E        M          M
  Fraud             F        M          L
  Data theft        T        L          M
  Sabotage          S        H          L

Risk Assessment of Controls (decision flow)
1. Identify the threat.
2. Estimate its risk and its exposure.
3. Determine the control needs and the cost of the candidate controls.
4. Is the control cost-beneficial, i.e. does the reduction in expected loss exceed its cost?
   - Yes: implement the control.
   - No: do not implement it.

Payroll Case
  Condition          Without   With     Difference
  Payroll cost       $10K      $10K
  Risk of error      15%       1%
  Error cost         $1.5K     $0.1K    $1.4K
  Validation cost    $0        $0.6K    $(0.6K)
  Expected benefit                      $0.8K
Error cost is payroll cost x risk of error; the expected benefit is the $1.4K reduction in expected error cost less the $0.6K cost of the validation control.

Agenda
- AIS threats
- Internal controls
- General controls for information systems
- Internet controls
- Contingency management

General Controls
- General controls ensure that the overall computer environment is stable and well managed.
- General control categories:
  1. Developing a security plan
  2. Segregation of duties within the systems function
  3. Project development controls
  4. Physical access controls
  5. Logical access controls
  6. Data storage controls
  7. Data transmission controls
  8. Documentation standards
  9. Minimizing system downtime
  10. Protection of personal computers and client/server networks
  11. Internet controls
  12. Disaster recovery plans

Security Plan
- Developing and continuously updating a comprehensive security plan is one of the most important controls for a company.
- Questions to be asked:
  - Who needs access to what information?
  - When do they need it?
  - On which systems does the information reside?

Segregation of Duties within the Systems Function
- In an AIS, procedures that used to be performed by separate individuals are combined.
- A person with unrestricted access to the computer, its programs, and live data has the opportunity to both perpetrate and conceal fraud.

Segregation of Duties
- To combat this threat, organizations must implement compensating control procedures.
- Authority and responsibility must be clearly divided.
- Note: the division must change with increasing levels of automation.

Segregation of Duties
Divide the following functions:
- Systems analysis
- Programming
- Computer operations
- Users
- AIS library
- Data control

Duty Segregation (diagram)
Flow shown on the slide: systems analysis produces the design specs; programming turns them into programs; operations runs the programs and produces the output; users use the output; the AIS library archives programs and data. Each step is in different hands.
What about small firms, which have too few people to separate all of these roles?

Project Development Controls
- Long-range master plan
- Project development plan
- Periodic performance evaluation
- Post-implementation review
- System performance measurements

Development Controls (diagram)
Master development plan -> project development plan -> project started -> (periodic performance review) -> project completed -> (post-implementation review) -> system operation -> (performance measures).

Physical Access Controls
- Placing computer equipment in locked rooms and restricting access to authorized personnel
- Having only one or two entrances to the computer room
- Requiring proper employee ID
- Requiring visitors to sign a log
- Installing locks on PCs

Logical Access Controls
- Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.
- Logical access controls:
  - passwords (something the user knows)
  - physical possession identification, such as an ID card or token (something the user has)
  - biometric identification (something the user is)
  - compatibility tests: each request is checked against an access control matrix to confirm that this user is permitted this action on this resource

Access Control Matrix (diagram)
Rows: users (ABC, DEF, KLM, NOP), each with a password. Columns: files (A, B), programs (1, 2), and WORD. Each cell holds an access code:
  0 - no access
  1 - read / display
  2 - update
  3 - create / delete
The individual cell values on the slide are not recoverable here.

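An added example (not code from the lecture) of the matrix and the compatibility test described on the two slides above: the matrix uses the slide's access codes, every request is checked against it, and every decision is written to an audit trail so a denied attempt can be investigated. The user names, resource names and matrix contents are hypothetical, and the assumption that a higher code includes the rights of the lower ones (3 also allows update and read) is mine.

```python
# Added example (not from the slides): an access control matrix using the
# slide's access codes and a compatibility test that checks a user's request
# against it. Users, resources and the matrix contents are hypothetical;
# treating codes as cumulative (3 = create/delete also permits update and
# read) is an assumption.
NO_ACCESS, READ, UPDATE, CREATE_DELETE = 0, 1, 2, 3

# Minimum code each action needs.
REQUIRED_CODE = {
    "read": READ, "display": READ,
    "update": UPDATE,
    "create": CREATE_DELETE, "delete": CREATE_DELETE,
}

# Hypothetical matrix: user -> resource -> code. Anything absent is 0,
# so the matrix denies by default.
MATRIX = {
    "ABC": {"file_A": READ, "program_1": UPDATE},
    "DEF": {"file_A": CREATE_DELETE, "file_B": UPDATE, "WORD": READ},
    "KLM": {"file_B": READ, "program_2": READ},
    "NOP": {"WORD": UPDATE},
}


def compatibility_test(matrix, user, resource, action):
    """True only if the matrix grants `user` a code on `resource` at least as
    high as `action` requires. Unknown users, resources and actions all fail
    closed: there is no way to be granted something the matrix never lists."""
    needed = REQUIRED_CODE.get(action)
    if needed is None:
        return False
    granted = matrix.get(user, {}).get(resource, NO_ACCESS)
    return granted >= needed


class AccessMonitor:
    """Runs the compatibility test and keeps an audit trail of every
    decision, which is what lets a denied attempt be traced later."""

    def __init__(self, matrix):
        self.matrix = matrix
        self.log = []

    def request(self, user, resource, action):
        allowed = compatibility_test(self.matrix, user, resource, action)
        self.log.append((user, resource, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def denied(self):
        return [entry for entry in self.log if entry[3] == "DENY"]


if __name__ == "__main__":
    monitor = AccessMonitor(MATRIX)
    for req in [("ABC", "file_A", "read"),      # granted: code 1 covers read
                ("ABC", "file_A", "update"),    # refused: needs code 2
                ("DEF", "file_A", "delete"),    # granted: code 3
                ("XYZ", "file_A", "read"),      # refused: user not in matrix
                ("KLM", "program_2", "execute")]:  # refused: action not defined
        print(req, "->", "allowed" if monitor.request(*req) else "denied")
    print("denied attempts:", monitor.denied())
```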
Data Storage Controls
- Information gives a company its competitive edge and makes it viable.
- A company should identify the types of data it uses and the level of protection required for each.
- A company must also document the steps taken to protect data (e.g., off-site storage).

Data Transmission Controls
Reduce the risk of data transmission failures with:
- data encryption (cryptography)
- routing verification procedures
- parity bits
- message acknowledgment techniques

Information Transmission System (diagram)
Information source -> transmitter -> message -> channel (signal, with noise added) -> receiver -> information destination.

Transmission Controls (diagram)
Sender: encrypt the message (data encryption) -> send. Receiver: receive -> decrypt. Routing verification checks that the message reached its intended destination; a message acknowledgment is returned to the sender; a parity bit travels with the message.

Even Parity Bit System (diagram)
The message in binary contains five "1" bits. A "1" is placed in the parity bit to make the total number of "1"s even. The receiver recounts the bits: an odd count means a bit was corrupted in transit. A parity bit detects any single-bit error but not two flipped bits in the same unit, which leave the count even.

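The even-parity scheme above as an added example (not code from the lecture): 7-bit characters are framed with an even-parity bit in bit 7, the way serial links of the period carried ASCII. It shows the check catching one flipped bit and, the failure mode worth knowing, missing a double flip that silently turns one payroll digit into another. The sample message is constructed.

```python
# Added example (not from the slides): even parity over 7-bit data. Bits 0-6
# carry the character, bit 7 is set so that each byte has an even number of
# 1s. A single flipped bit is detected; two flips in one byte are not.

def even_parity_bit(value):
    """Parity bit that makes the count of 1s in the low 7 bits even."""
    return bin(value & 0x7F).count("1") % 2


def add_parity(data):
    """Frame each 7-bit character with its even-parity bit in bit 7."""
    return bytes(((b & 0x7F) | (even_parity_bit(b) << 7)) for b in data)


def parity_errors(frame):
    """Indexes of bytes whose 1-count is odd, i.e. corrupted in transit."""
    return [i for i, b in enumerate(frame) if bin(b).count("1") % 2 == 1]


def strip_parity(frame):
    """Recover the 7-bit characters from a received frame."""
    return bytes(b & 0x7F for b in frame)


def flip_bits(frame, byte_index, *bit_positions):
    """Simulate line noise: flip the given bits of one byte."""
    out = bytearray(frame)
    for pos in bit_positions:
        out[byte_index] ^= 1 << pos
    return bytes(out)


if __name__ == "__main__":
    # The slide's case: a character with five 1 bits gets a parity bit of 1.
    ch = 0x5D                                   # 0101 1101, five 1s
    print(f"{ch:07b} -> parity bit {even_parity_bit(ch)}")

    frame = add_parity(b"PAY 1200")             # constructed message
    print("clean frame errors:", parity_errors(frame))

    one_bit = flip_bits(frame, 4, 0)            # the '1' (0x31) loses bit 0
    print("single-bit error detected at:", parity_errors(one_bit))

    two_bits = flip_bits(frame, 4, 0, 1)        # '1' (0x31) becomes '2' (0x32)
    print("double-bit error detected at:", parity_errors(two_bits),
          "- decoded as", strip_parity(two_bits))
```

The last line is the caveat: after two flips the frame decodes to "PAY 2200" with no error reported, which is why parity is a transmission check, not a substitute for the batch totals and message authentication covered elsewhere in this lecture.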
Data Transmission Controls
- Of added importance when using electronic data interchange (EDI) or electronic funds transfer (EFT).
- In these environments, sound internal control is achieved using control procedures such as:
  - controlled physical access to network facilities
  - identification required for all network terminals
  - passwords and dial-in phone numbers changed on a regular basis
  - encryption used to secure stored and transmitted data
  - transaction logs

Documentation Standards
- Documentation procedures and standards ensure clear and concise documentation.
- Documentation categories:
  - administrative documentation
  - systems documentation
  - operating documentation

Minimizing System Downtime
- Significant financial losses can be incurred if hardware or software malfunctions cause the AIS to fail.
- Methods used to minimize system downtime:
  - preventive maintenance
  - uninterruptible power supply (UPS)
  - fault tolerance

Protection of PCs and Client/Server Networks
- PCs are more vulnerable to security risks than mainframe computers:
  - it is difficult to restrict physical access
  - PC users are less aware of the importance of security and control
  - more people are familiar with the operation of PCs
  - segregation of duties is difficult

Protection of PCs and Client/Server Networks
- Train users in PC-related control concepts
- Restrict access by using locks and keys on PCs
- Establish policies and procedures

Protection of PCs and Client/Server Networks
- Portable PCs should not be stored in cars
- Back up hard disks regularly
- Encrypt or password-protect files
- Build protective walls around operating systems (keep ordinary users from altering the operating system and its configuration)
- Use multilevel password controls to limit employee access to incompatible data

Agenda
- AIS threats
- Control concepts
- General controls for information systems
- Internet controls
- Contingency management

Internet Controls
- Passwords
- Encryption technology
- Routing verification procedures
- Installing a firewall: hardware and software that control communications between a company's internal network (the trusted network) and an external network

Internet Risks (diagram)
A message originating at point A is split into packets that may travel different paths to its intended destination, point B. Three questions follow:
- Did point B receive this message?
- Was the message really sent by point A?
- Did anyone else see the message?

Messaging Security
- Confidentiality: only the intended recipient can read the message
- Integrity: tampering is detected
- Authentication: the message comes from the correct party
- Non-repudiation: the sender cannot later deny having sent it
- Access controls: entry is limited to authorized users

Symmetric Encryption (diagram)
Sender: clear-text message -> encrypt -> encoded message. Receiver: encoded message -> decrypt -> clear-text message. Both sides use identical keys, so the key has to reach the receiver over a secure channel and be kept secret by both parties.

PKI (Public Key Infrastructure)
- The most commonly used form of asymmetric (public-key) cryptography.
- Two keys per party:
  - public key: publicly available
  - private key: kept secret
- The two keys are mathematically related, but the private key cannot feasibly be derived from the public key.
- A transaction needs both keys: what one key encrypts, only the other can decrypt. Encrypt with the recipient's public key for confidentiality; sign with your own private key so that anyone holding your public key can verify the signature.

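An added example (not from the lecture) tying the Messaging Security list to the symmetric-key and PKI slides: with one shared key, an HMAC over each message gives integrity and authentication, and a sequence number stops replays, but it cannot give non-repudiation, because the receiver holds the same key and can mint a message that verifies as the sender's. That gap is exactly what a private-key digital signature closes. The key, the messages and the message format are constructed for the example.

```python
# Added example (not from the slides): what a shared symmetric key can and
# cannot provide from the Messaging Security list. HMAC-SHA256 over the
# message gives integrity and authentication; a sequence number blocks
# replays; non-repudiation is NOT achieved, since both parties hold the key.
# The key, messages and encoding format are constructed for the example.
import hashlib
import hmac
import json
import secrets


def _canonical(fields):
    # Deterministic encoding so sender and receiver tag the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(key, sender, seq, body):
    """Build an authenticated message; the tag covers every field."""
    msg = {"sender": sender, "seq": seq, "body": body}
    msg["tag"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


def verify(key, msg, last_seq):
    """Return (ok, reason). last_seq is the highest sequence number already
    accepted from this sender; anything at or below it is a replay."""
    fields = {k: v for k, v in msg.items() if k != "tag"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    # compare_digest runs in constant time so the tag cannot be guessed
    # byte by byte from timing differences.
    if not hmac.compare_digest(expected, msg.get("tag", "")):
        return False, "bad tag: altered, or not from a key holder"
    if msg["seq"] <= last_seq:
        return False, "replay: sequence number already seen"
    return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # shared out of band, secret to A and B
    last_seq = 0

    m = seal(key, "A", 1, "pay vendor 4471 $12,000")   # constructed order
    ok, why = verify(key, m, last_seq)
    print("genuine:", ok, why)
    last_seq = m["seq"]

    tampered = dict(m, body="pay vendor 4471 $92,000")
    print("tampered:", verify(key, tampered, last_seq))   # integrity

    print("replayed:", verify(key, m, last_seq))           # replay

    # Non-repudiation fails: B, holding the same key, can produce a message
    # that verifies as A's. Only A's private-key signature would stop this.
    forged_by_b = seal(key, "A", 2, "pay vendor 9999 $50,000")
    print("forged by receiver:", verify(key, forged_by_b, last_seq))
```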
Biometric Usage
- For user authentication
- By order of use:
  - finger scanners
  - hand geometry
  - face recognition
  - eye scan
  - voiceprints
  - signature verification

Digital Signatures and Certificates
- A digital signature is a value computed over a message with the signer's private key. Anyone holding the signer's public key can verify it, which provides integrity, authentication and non-repudiation for that message.
- A digital certificate (sometimes called an electronic passport) is the document that ties a public key to an identity. It is issued and signed by a trusted third party, a certification authority (CA).
- Together they let a party verify the identity of an unseen partner: the partner signs with its private key, and the CA-signed certificate vouches that the matching public key belongs to that partner.
- Note: a signature and a certificate are not the same thing. The certificate certifies the key; the signature certifies the message.

Firewall
- A firewall is a barrier between networks that controls what information is allowed to flow into and out of the trusted network; traffic that no rule permits is dropped.

Firewalls (diagram)
Internet -> attempted access -> external screen -> firewall -> internal screen and access controls -> sensitive database. Only valid traffic passes the screens, and only valid access reaches the database.

Firewall Types
- Packet filter:
  - simplest type
  - doesn't examine the data (payload)
  - looks at the IP header and the transport header: source and destination address, protocol, port
  - rules are applied in order, first match wins, and anything unmatched should be denied
- Proxy firewall (server):
  - hides the protected private network
  - forwards requests from the private network to the public network on the clients' behalf (not requests within the private network)

Firewall Types
- Demilitarized zone (DMZ):
  - more secure
  - several layers of firewall protection
  - different levels of protection for different portions of the company's network
  - a separate network segment between the private network and the outside public network, where the servers the public must reach are placed

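An added example (not from the lecture) of the packet filter and DMZ layout described above: a small rule engine that decides on header fields only, applies rules in order with the first match winning, and denies anything unmatched. The rule set lets the Internet reach only the DMZ web server, and only that server reach the internal database. All addresses and rules are constructed; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.

```python
# Added example (not from the slides): a miniature packet filter that decides
# on header fields only (addresses, protocol, destination port), applies rules
# in order with first match winning, and denies anything unmatched. The rules
# model a DMZ: the Internet may reach the web server, and only the web server
# may reach the internal database. Addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "icmp"
    dport: Optional[int] = None
    payload: bytes = b""         # never inspected by a packet filter


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: str = "any"
    dport: Optional[int] = None  # None matches any port

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(rules, pkt):
    """First matching rule decides; no match means deny (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


INTERNET, DMZ, INTERNAL = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/8"
WEB, DB = "192.0.2.10/32", "10.0.0.5/32"

RULES = [
    Rule("allow", INTERNET, WEB, "tcp", 80),
    Rule("allow", INTERNET, WEB, "tcp", 443),
    Rule("allow", WEB, DB, "tcp", 1433),   # only the web host, only the DB port
    Rule("deny", DMZ, INTERNAL),           # nothing else crosses DMZ -> internal
    Rule("deny", INTERNET, INTERNAL),      # the Internet never reaches inside
]


if __name__ == "__main__":
    cases = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),   # public web: allow
        Packet("203.0.113.7", "10.0.0.5", "tcp", 1433),    # Internet -> DB: deny
        Packet("192.0.2.10", "10.0.0.5", "tcp", 1433),     # web -> DB: allow
        Packet("192.0.2.10", "10.0.0.9", "tcp", 22),       # web -> other host: deny
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443,
               b"<hostile application-layer request>"),    # still allowed
    ]
    for p in cases:
        print(f"{p.src} -> {p.dst} {p.proto}/{p.dport}: {filter_packet(RULES, p)}")
```

The last case is the limitation the slide states: a packet filter passes a hostile request on port 443 just as readily as a legitimate one, because it never looks at the payload. Catching that is the job of the proxy or application-layer controls.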
Bypassing Firewalls (diagram)
The slide shows the Internet, the firewall, and a server holding inventory, customer information and ordering data, plus an R&D department whose connection to the Internet does not pass through the firewall. Any such path makes the firewall's protection of the server moot.

Agenda
- AIS threats
- Control concepts
- General controls for information systems
- Internet controls
- Contingency management

Contingency Management
- Disaster recovery is reactive.
- Contingency management is proactive.
- "Continuity planning" is the latest term for it.
- Accounting standards still speak in terms of disaster recovery.

Disaster Recovery Plan
Purpose: to ensure that processing capacity can be restored as smoothly and quickly as possible in the event of:
- a major disaster
- a temporary disruption

Disaster Plan Objectives
- Minimize disruption, damage, and loss
- Temporarily establish alternative means of processing information
- Resume normal operations as soon as possible
- Train and familiarize personnel with emergency operations

Plan Elements
- Priorities for the recovery process
- Backup data and program files
- Backup facilities:
  - reciprocal agreements
  - hot and cold sites
  - shadow mode (parallel)

Back Up Data
- Rollback: a predated copy of each record is created before the transaction that changes it is processed.
- If there is a hardware failure part-way through:
  - the records are rolled back to their predated versions
  - the transactions are processed again from the beginning

Back Up Data Decisions
- How often? (e.g., weekly) Weigh the cost against Exposure x Risk = Expected Loss for the data that would be lost between backups.
- Where to store backup data:
  - on-site (e.g., a fireproof safe)
  - off-site (incurs costs)
- How quickly must you recover?
- What is recovered first?

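The rollback scheme above, as an added example (not code from the lecture): before a transaction touches a master-file record, a predated copy of that record is kept; if the batch fails part-way through (a simulated hardware failure here), every touched record is put back to its predated version and the whole batch is run again from the beginning without anything being posted twice. The master file and the transactions are constructed payroll balances.

```python
# Added example (not from the slides): rollback with predated copies
# (before-images). Each record touched by a batch has its prior state saved
# once; a failure restores every touched record and the batch is reprocessed
# from the beginning. Records and transactions are constructed.

class HardwareFailure(Exception):
    pass


class MasterFile:
    def __init__(self, records):
        self.records = dict(records)    # record key -> balance
        self.before_images = {}         # key -> predated copy (None = did not exist)

    def post(self, key, amount):
        # Keep only the first before-image of a record within this batch:
        # that is the state to return to if the batch fails.
        if key not in self.before_images:
            self.before_images[key] = self.records.get(key)
        self.records[key] = self.records.get(key, 0) + amount

    def commit(self):
        """Batch finished cleanly: the predated copies are no longer needed."""
        self.before_images.clear()

    def rollback(self):
        """Restore every touched record to its predated version; records the
        batch created are removed again."""
        for key, old in self.before_images.items():
            if old is None:
                del self.records[key]
            else:
                self.records[key] = old
        self.before_images.clear()


def run_batch(master, transactions, fail_before=None):
    """Post a batch of (key, amount) transactions. If fail_before is set, a
    hardware failure is simulated just before that transaction index.
    Returns True when the batch committed, False when it was rolled back."""
    try:
        for i, (key, amount) in enumerate(transactions):
            if i == fail_before:
                raise HardwareFailure(f"crash before transaction {i}")
            master.post(key, amount)
    except HardwareFailure as exc:
        print("failure:", exc, "- rolling back")
        master.rollback()
        return False
    master.commit()
    return True


if __name__ == "__main__":
    mf = MasterFile({"1041": 100, "1057": 50})
    batch = [("1041", -30), ("1099", 20), ("1057", 10)]

    print("batch committed:", run_batch(mf, batch, fail_before=2))
    print("after rollback:", mf.records)      # identical to the starting state

    # Re-run the same batch from the beginning. Nothing is double-posted,
    # because the partial first run was undone.
    print("batch committed:", run_batch(mf, batch))
    print("after rerun:", mf.records)
```

Without the rollback, the rerun would post the first two transactions twice; the before-images are what make "process the transactions from the beginning" safe.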
Remote Access
- Computerworld, 1/21/02
- Companies are eyeing remote access as a contingency management tool
- Scrambling to develop remote access systems
- A result of September 11
- If the main facilities are down, staff can still communicate with one another

Recovery Plan
- A recovery plan is not complete until it has been tested by simulating a disaster (e.g., EDS)
- The plan must be continuously reviewed and revised so that it reflects the current situation
- The plan should include insurance coverage

Cardinal Health
- Redundant systems for critical order processing
- Redundant WAN trunks
- System data backed up daily, with backup media kept off-site
- Backup replica site:
  - in a different part of the country
  - switched on within 30 minutes

The Money Store
- Databases backed up every evening
- Backup files stored:
  - on-site
  - with an information storage vendor
- Automatic archival process that periodically pulls and stores backup data files

The Money Store
- Call centers:
  - in 3 locations nationally
  - separated so that a natural disaster will not hit all three simultaneously
  - calls electronically rerouted to the other two sites
  - in Sacramento, a vacant building is rented as an emergency site

Topics Covered
- AIS threats
- Control concepts
- General controls for information systems
- Internet controls
- Contingency management