©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall.

Slides:



Advertisements
Similar presentations
Computer Fraud Chapter 5.
Advertisements

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems
Control and Accounting Information Systems
Accounting Information Systems 9th Edition
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.
Information Technology Control Day IV Afternoon Sessions.
Crime and Security in the Networked Economy Part 4.
Auditing Computer-Based Information Systems
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems
Auditing Computer-Based Information Systems
9 - 1 Computer-Based Information Systems Control.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza
Chapter 10: Auditing the Expenditure Cycle
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Internal Control Concepts Knowledge. Best Practices for IT Governance IT Governance Structure of Relationship Audit Role in IT Governance.
Chapter 14 System Controls. A Quote “The factory of the future will have only two employees, a man and a dog. The man will be there to feed the dog. The.
Risks, Controls and Security Measures
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 18-1 Accounting Information Systems 9 th Edition Marshall.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Processing Integrity and Availability Controls
Chapter 4-1 The Islamic University of Gaza Accounting Information System The Expenditure Cycle : Purchases and Cash Disbursements Procedures Dr. Hisham.
Auditing Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall.
Session 3 – Information Security Policies
Copyright © 2015 Pearson Education, Inc. Processing Integrity and Availability Controls Chapter
Processing Integrity and Availability Controls
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
Information Systems Auditing and Assurance
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Chapter 22 Systems Design, Implementation, and Operation Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 22-1.
Chapter 10: Computer Controls for Organizations and Accounting Information Systems
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.
Chapter 17: Computer Audits ACCT620 Internal Accounting Otto Chang Professor of Accounting.
Copyright © 2015 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.
The Islamic University of Gaza
Transaction Processing and the Internal Control Process Small Business Information Systems Professor Barry Floyd.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Information Systems Controls Lecture 5 (Chapter 6, 7 & 8)
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood 4 – 1 Transaction Processing and the Internal Control.
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 6-1 Accounting Information Systems 9 th Edition Marshall.
Information Systems Security Operational Control for Information Security.
System Security Chapter no 16. Computer Security Computer security is concerned with taking care of hardware, Software and data The cost of creating data.
Understanding the IT environment of the entity. Session objectives Defining contours of financial accounting in an IT environment and its characteristics.
S4: Understanding the IT environment of the entity.
 2001 Prentice Hall Business Publishing, Accounting Information Systems, 8/E, Bodnar/Hopwood Chapter 10 Electronic Data Processing Systems.
1 Chapter Nine Conducting the IT Audit Lecture Outline Audit Standards IT Audit Life Cycle Four Main Types of IT Audits Using COBIT to Perform an Audit.
CPS ® and CAP ® Examination Review OFFICE SYTEMS AND TECHNOLOGY, Fifth Edition By Schroeder and Graf ©2005 Pearson Education, Inc. Pearson Prentice Hall.
Today’s Lecture Covers
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.
Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
Welcome to the ICT Department Unit 3_5 Security Policies.
LESSON 12 Business Internet. Electronic business, or e-business, is the application of information and communication technologies (ICT) in support of.
Information Systems Security
Larry Brownfield, CPO, OHE – KOA, Inc.
Controlling Computer-Based Information Systems, Part II
Processing Integrity and Availability Controls
Managing the IT Function
County HIPAA Review All Rights Reserved 2002.
Internal controls 01-Nov-2017.
Presentation transcript:

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall B. Romney Paul John Steinbart

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-2 Computer Controls and Security Chapter 8

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-3 Learning Objectives 1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved. 2. Identify and explain the controls that apply to more than one principle of reliability. 3. Identify and explain the controls that help explain that a system is available to users when needed.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-4 Learning Objectives 4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources. 5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity. 6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-5 Introduction During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP). Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-6 Introduction Jason is satisfied that many of the transactions are valid and accurate. However, some transactions involve the purchase of services from Pacific Electric. These transactions were processed on the basis of vendor invoices approved by management. Five of these invoices bear the initials “JLC.”

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-7 Introduction JLC is Jack Carlton, the general supervisor. Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric. What questions does Jason have? Is Carlton telling the truth? If Carlton is not telling the truth, what is he up to?

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-8 Introduction If Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment? This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-9 Learning Objective 1 Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-10 The Four Principles of a Reliable System 1. Availability of the system when needed. 2. Security of the system against unauthorized physical and logical access. 3. Maintainability of the system as required without affecting its availability, security, and integrity. 4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-11 The Criteria Used To Evaluate Reliability Principles For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved. 1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles. 2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards. 3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-12 Learning Objective 2 Identify and explain the controls that apply to more than one principle of reliability.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-13 Controls Related to More Than One Reliability Principle Strategic Planning & Budgeting Developing a Systems Reliability Plan Documentation

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-14 Controls Related to More Than One Reliability Principle Documentation may be classified into three basic categories: Administrative documentation: Describes the standards and procedures for data processing. Systems documentation: Describes each application system and its key processing functions. Operating documentation: Describes what is needed to run a program.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-15 Learning Objective 3 Identify and explain the controls that help explain that a system is available to users when needed.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-16 Availability Minimizing Systems Downtime Preventive maintenance UPS Fault tolerance Disaster Recovery Plan Minimize the extent of disruption, damage, and loss Temporarily establish an alternative means of processing information Resume normal operations as soon as possible

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-17 Availability Disaster Recovery, continued Train and familiarize personnel with emergency operations Priorities for the recovery process Insurance Backup data and program files Electronic vaulting Grandfather-father-son concept Rollback procedures Specific assignments Backup computer and telecommunication facilities Periodic testing and revision Complete documentation

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-18 Learning Objective 4 Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-19 Developing a Security Plan Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify. What questions need to be asked? Who needs access to what information? When do they need it? On which systems does the information reside?

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-20 Segregation of Duties Within the Systems Function In a highly integrated AIS, procedures that used to be performed by separate individuals are combined. Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud. To combat this threat, organizations must implement compensating control procedures.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-21 Segregation of Duties Within the Systems Function Authority and responsibility must be clearly divided among the following functions: 1. Systems administration 2. Network management 3. Security management 4. Change management 5. Users 6. Systems analysis 7. Programming 8. Computer operations 9. Information system library 10. Data control

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-22 Segregation of Duties Within the Systems Function It is important that different people perform these functions. Allowing a person to perform two or more of them exposes the company to the possibility of fraud.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-23 Physical Access Controls How can physical access security be achieved? – Place computer equipment in locked rooms and restrict access to authorized personnel – Have only one or two entrances to the computer room – Require proper employee ID – Require that visitors sign a log – Use a security alarm system – Restrict access to private secured telephone lines and terminals or PCs. – Install locks on PCs. – Restrict access of off-line programs, data and equipment – Locate hardware and other critical system components away from hazardous materials. – Install fire and smoke detectors and fire extinguishers that don not damage computer equipment

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-24 Logical Access Controls Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions. What are some logical access controls? – passwords – physical possession identification – biometric identification – compatibility tests

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-25 Protection of PCs and Client/Server Networks Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important: Train users in PC-related control concepts. Restrict access by using locks and keys on PCs. Establish policies and procedures.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-26 Protection of PCs and Client/Server Networks Portable PCs should not be stored in cars. Keep sensitive data in the most secure environment possible. Install software that automatically shuts down a terminal after its been idle for a certain amount of time. Back up hard disks regularly. Encrypt or password protect files. Build protective walls around operating systems. Ensure that PCs are booted up within a secure system. Use multilevel password controls to limit employee access to incompatible data. Use specialists to detect holes in the network.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-27 Internet and e-Commerce Controls Why caution should be exercised when conducting business on the Internet. – the large and global base of people that depend on the Internet – the variability in quality, compatibility, completeness, and stability of network products and services

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-28 Internet and e-Commerce Controls – access of messages by others – security flaws in Web sites – attraction of hackers to the Internet What controls can be used to secure Internet activity? – passwords – encryption technology – routing verification procedures

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-29 Internet and e-Commerce Controls Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network. The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network. Electronic envelopes can protect messages

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-30 Learning Objective 5 Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-31 Maintainability Two categories of controls help ensure the maintainability of a system: Project development and acquisition controls Change management controls

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-32 Project Development and Acquisition Controls Project development and acquisition controls include: Strategic Master Plan Project Controls Data Processing Schedule System Performance Measurements Postimplementation Review

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-33 Change Management Controls Change management controls include: Periodically review all systems for needed changes Require all requests to be submitted in standardized format Log and review requests form authorized users for changes and additions to systems Assess the impact of requested changes on system reliability objectives, policies and standards

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-34 Change Management Controls, continued Categorize and rank all changes using established priorities Implement procedures to handle urgent matters Communicate all changes to management Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities Assign specific responsibilities to those involved in the change and monitor their work.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-35 Change Management Controls, continued Control system access rights to avoid unauthorized systems and data access Make sure all changes go through the appropriate steps Test all changes Make sure there is a plan for backing our of any changes in the event they don’t work properly Implement a quality assurance function Update all documentation and procedures when change is implemented

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-36 Learning Objective 6 Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-37 Integrity A company designs general controls to ensure that its overall computer system is stable and well managed. Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-38 Integrity: Source Data Controls Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and entered into the system or sent ot their intended destination in a timely manner. Source data controls include:

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-39 Integrity: Source Data Controls  Forms design  Prenumbered forms sequence test  Turnaround documents  Cancellation and storage of documents  Authorization and segregation of duties  Visual scanning  Check digit verification  Key verification

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-40 Integrity: Input Validation Routines Input validation routines are programs the check the integrity of input data. They include:  Limit check  Range check  Reasonableness test  Redundant data check  Sequence check  Field check  Sign check  Validity check  Capacity check

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-41 Integrity: On-line Data Entry Controls The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions. They include:

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-42 Integrity: On-line Data Entry Controls Field, limit, range, reasonableness, sign, validity, redundant data checks User ID numbers Compatibility tests Automatic entry of transaction data, where possible Prompting Preformatting Completeness check Closed-lop verification Transaction log Error messages Retain data for legal purposes

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-43 Integrity: Data Processing and Storage Controls Controls to help preserve the integrity of data processing and stored data:  Policies and procedures  Data control function  Reconciliation procedure  External data reconciliation  Exception reporting

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-44 Integrity: Data Processing and Storage Controls, continued  Data currency checks  Default values  Data matching  File labels  Write protection mechanisms  Database protection mechanisms  Data conversion controls  Data security

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-45 Output Controls The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals. Data control is also responsible for distributing computer output to the appropriate user departments.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-46 Output Controls Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive. A shredder can be used to destroy highly confidential data.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-47 Data Transmission Controls To reduce the risk of data transmission failures, companies should monitor the network. How can data transmission errors be minimized? – using data encryption (cryptography) – implementing routing verification procedures – adding parity – using message acknowledgment techniques

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-48 Data Transmission Controls Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-49 Data Transmission Controls In these types of environments, sound internal control is achieved using the following control procedures: 1 Physical access to network facilities should be strictly controlled. 2 Electronic identification should be required for all authorized network terminals. 3 Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-50 Data Transmission Controls Control procedures, continued 4 Encryption should be used to secure stored data as well as data being transmitted. 5 Details of all transactions should be recorded in a log that is periodically reviewed.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-51 Case Conclusion Were Jason and his supervisor able to identify the source of the fictitious invoices? No. They asked the police to identify the owner of the Pacific Electric bank account. What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-52 End of Chapter 8

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-53

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.