Chapter 10: Computer Controls for Organizations and Accounting Information Systems
  - Introduction
  - Enterprise Level Controls
  - General Controls for Information Technology
  - Application Controls for Transaction Processing

Enterprise Level Controls
  - Consistent policies and procedures
  - Management’s risk assessment process
  - Centralized processing and controls
  - Controls to monitor results of operations

Enterprise Level Controls
  - Controls to monitor the internal audit function, the audit committee, and self-assessment programs
  - Period-end financial reporting process
  - Board-approved policies that address significant business control and risk management practices

Risk Assessment and Security Policies

Integrated Security for the Organization
  - Physical Security: measures used to protect the organization's facilities, resources, or proprietary data stored on physical media
  - Logical Security: limit access to systems and information to authorized individuals
  - Administrative: policies, procedures, standards, and guidelines

Physical and Logical Security

General Controls for Information Technology
  - Access to Data, Hardware, and Software
  - Protection of Systems and Data with Personnel Policies
  - Protection of Systems and Data with Technology and Facilities

General Controls for Information Technology
  - IT general controls apply to all information systems
  - Major Objectives
      - Access to programs and data is limited to authorized users
      - Data and systems are protected from change, theft, and loss
      - Computer programs are authorized, tested, and approved before use

Access to Data, Hardware, and Software
  - Utilization of strong passwords
      - 8 or more characters in length, or longer
      - Different types of characters: letters, numbers, symbols
  - Biometric identification
      - Distinctive user physical characteristics: voice patterns, fingerprints, facial patterns, retina prints

Security for Wireless Technology
  - Utilization of wireless local area networks
  - Virtual Private Network (VPN): allows remote access to entity resources
  - Data Encryption
      - Data converted into a scrambled format
      - Converted back to meaningful format following transmission

Controls for Networks
  - Control Problems
      - Electronic eavesdropping
      - Hardware or software malfunctions
      - Errors in data transmission
  - Control Procedures
      - Checkpoint control procedure
      - Routing verification procedures
      - Message acknowledgment procedures

Controls for Personal Computers
  - Take an inventory of personal computers
  - Identify applications utilized by each personal computer
  - Classify computers according to risks and exposures
  - Enhance physical security

Additional Controls for Laptops

Personnel Policies
  - Separation of Duties
      - Separate accounting and information processing from other subsystems
      - Separate responsibilities within the IT environment
  - Use of Computer Accounts
      - Each employee has a password-protected account
      - Biometric identification

Separation of Duties

Division of Responsibility in IT Environment

Personnel Policies
  - Identifying Suspicious Behavior
      - Protect against fraudulent employee actions
      - Observation of suspicious behavior
      - Highest percentage of fraud involved employees in the accounting department
      - Must safeguard files from intentional and unintentional errors

Safeguarding Computer Files

File Security Controls

Business Continuity Planning
  - Definition: comprehensive approach to ensuring normal operations despite interruptions
  - Components
      - Disaster Recovery
      - Fault Tolerant Systems
      - Backup

Disaster Recovery
  - Definition: process and procedures following a disruptive event
  - Summary of Types of Sites
      - Hot Site
      - Flying-Start Site
      - Cold Site

Fault Tolerant Systems
  - Definition
      - Used to deal with computer errors
      - Ensure a functional system with accurate and complete data (redundancy)
  - Major Approaches
      - Consensus-based protocols
      - Watchdog processor
      - Disk mirroring or rollback processing

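The consensus-based approach above can be seen concretely in the following Python example, added here as an illustration and not code from the textbook. It assumes a design in which the same posting step runs on three independent replicas and a voter accepts a result only when a strict majority agree; the replica functions, the invoice layout and the injected fault in one replica are all constructed for the demonstration.

```python
"""Consensus-based fault tolerance, as an added illustration (not code from
the textbook). Assumed design: the same posting step runs on three
independent replicas and a voter accepts a result only when a strict
majority agree; replicas that disagree are reported for follow-up."""
from collections import Counter


# Constructed replicas: three implementations of one step (invoice total
# in cents from (quantity, unit_price_cents) lines). replica_c carries an
# injected fault so the voter has something to detect.
def replica_a(lines):
    return sum(qty * unit for qty, unit in lines)


def replica_b(lines):
    total = 0
    for qty, unit in lines:
        total += qty * unit
    return total


def replica_c(lines):
    # Simulated processing error: an extra cent on every non-empty invoice.
    return replica_a(lines) + (1 if lines else 0)


REPLICAS = (replica_a, replica_b, replica_c)


def majority_vote(results):
    """Return (agreed_value, indexes_of_dissenting_replicas).

    Raises RuntimeError when no strict majority exists: with no consensus the
    system must fail safe (for example, roll back to the last checkpoint)
    rather than post an unverified result."""
    value, votes = Counter(results).most_common(1)[0]
    if votes * 2 <= len(results):
        raise RuntimeError(f"no majority among replica results {results!r}")
    dissenters = [i for i, r in enumerate(results) if r != value]
    return value, dissenters


def process_with_consensus(lines, replicas=REPLICAS):
    """Run every replica, vote, and return the agreed result plus diagnostics."""
    results = [replica(lines) for replica in replicas]
    agreed, dissenters = majority_vote(results)
    return {"result": agreed, "dissenting_replicas": dissenters, "raw_results": results}


if __name__ == "__main__":
    invoice = [(2, 500), (1, 1250)]          # constructed sample input
    print(process_with_consensus(invoice))   # replica_c (index 2) is outvoted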
Backup
  - Batch processing
      - Risk of losing data before, during, and after processing
      - Grandfather-parent-child procedure
  - Types of Backups
      - Hot backup
      - Cold backup
      - Electronic vaulting

Computer Facility Controls
  - Locate data processing centers in safe places
      - Protect from the public
      - Protect from natural disasters (flood, earthquake)
  - Limit employee access
      - Security badges (color-coded with pictures)
      - Man trap
  - Buy insurance

Study Break #1
  A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
  a. Firewall
  b. Security policy
  c. Risk assessment
  d. VPN

Study Break #3
  Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
  a. Redundancy
  b. COBIT
  c. COSO
  d. Integrated security

Application Controls for Transaction Processing
  - Purpose
      - Embedded in business process applications
      - Prevent, detect, and correct errors and irregularities
  - Application Controls
      - Input Controls
      - Processing Controls
      - Output Controls

Application Controls for Transaction Processing

Input Controls
  - Purpose
      - Ensure validity
      - Ensure accuracy
      - Ensure completeness
  - Categories
      - Observation, recording, and transcription of data
      - Edit tests
      - Additional input controls

Observation, Recording, and Transcription of Data
  - Confirmation mechanism
  - Dual observation
  - Point-of-sale (POS) devices
  - Preprinted recording forms

Preprinted Recording Form

Edit Tests
  - Input Validation Routines (Edit Programs)
      - Programs or subroutines
      - Check the validity and accuracy of input data
  - Edit Tests
      - Examine selected fields of input data
      - Reject data not meeting preestablished standards of quality

Edit Tests

Additional Input Controls
  - Validity Test
      - Transactions matched with master data files
      - Transactions lacking a match are rejected
  - Check-Digit Control Procedure

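The edit tests, the validity test against a master file and the check-digit procedure from the preceding slides, worked through in Python on a constructed sales batch. This is an added illustration, not the textbook's code: the modulus-10 (Luhn) check-digit formula is one of several schemes in use and is assumed here, and the field names, the customer master file and the $50,000 reasonableness limit are constructed.

```python
"""Edit tests, a validity test against a master file, and a check-digit
control, as an added illustration (not the textbook's code)."""
from datetime import date

# Constructed customer master file. Each customer number carries a
# Luhn (modulus-10) check digit as its last character; the modulus-10
# scheme is an assumption, one of several check-digit formulas in use.
CUSTOMER_MASTER = {"10017", "10025", "10033"}

CREDIT_LIMIT_CENTS = 5_000_000  # constructed reasonableness limit: $50,000


def luhn_check_digit(body: str) -> str:
    """Compute the modulus-10 check digit to append to the digit string `body`."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Check-digit test: True when the last digit agrees with the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def edit_record(rec: dict) -> list:
    """Run the edit tests on one sales transaction and return the reasons
    for rejection (an empty list means the record passes)."""
    errors = []
    # Completeness test: every required field must be present.
    for field in ("customer_no", "amount_cents", "quantity", "txn_date"):
        if field not in rec:
            errors.append(f"missing field {field}")
    if errors:
        return errors  # the remaining tests need the fields
    # Field-type (numeric) test.
    if not isinstance(rec["amount_cents"], int) or not isinstance(rec["quantity"], int):
        return ["amount_cents and quantity must be integers"]
    # Sign tests.
    if rec["amount_cents"] <= 0:
        errors.append("amount must be positive")
    if rec["quantity"] <= 0:
        errors.append("quantity must be positive")
    # Limit (reasonableness) test.
    if rec["amount_cents"] > CREDIT_LIMIT_CENTS:
        errors.append("amount exceeds reasonableness limit")
    # Date test: a sale cannot be dated in the future.
    if rec["txn_date"] > date.today():
        errors.append("transaction date is in the future")
    # Check-digit test on the customer number, then validity test against the master file.
    if not luhn_valid(rec["customer_no"]):
        errors.append("customer number fails check-digit test")
    elif rec["customer_no"] not in CUSTOMER_MASTER:
        errors.append("customer number not on master file")
    return errors


def process_batch(records):
    """Split a batch into accepted records and (record, reasons) rejections."""
    accepted, rejected = [], []
    for rec in records:
        problems = edit_record(rec)
        if problems:
            rejected.append((rec, problems))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record and four kinds of defect.
SAMPLE_BATCH = [
    {"customer_no": "10017", "amount_cents": 125_000, "quantity": 5, "txn_date": date(2024, 3, 1)},
    {"customer_no": "10034", "amount_cents": 9_900, "quantity": 1, "txn_date": date(2024, 3, 1)},   # keying error in last digit
    {"customer_no": "10041", "amount_cents": 4_500, "quantity": 3, "txn_date": date(2024, 3, 1)},   # well-formed but unknown customer
    {"customer_no": "10025", "amount_cents": -500, "quantity": 2, "txn_date": date(2024, 3, 1)},    # sign error
    {"customer_no": "10033", "amount_cents": 100},                                                  # incomplete
]

if __name__ == "__main__":
    accepted, rejected = process_batch(SAMPLE_BATCH)
    print(f"accepted {len(accepted)}, rejected {len(rejected)}")
    for rec, reasons in rejected:
        print(rec["customer_no"], reasons)
```

The check-digit test runs before the master-file lookup on purpose: a transcription error is caught locally, without a file access, and the error message tells the operator which kind of mistake to look for.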
Processing Controls
  - Purpose
      - Focus on manipulation of accounting data
      - Contribute to a good audit trail
  - Two Types
      - Control totals
      - Data manipulation controls

Audit Trail

Control Totals
  - Common Processing Control Procedures
      - Batch control total
      - Financial control total
      - Nonfinancial control total
      - Record count
      - Hash total

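The four control totals listed above, computed and reconciled in Python over a constructed payroll batch. This is an added example, not the textbook's code; the batch layout (employee number, hours, gross pay in cents) and the figures are constructed. It shows the point that the slide cannot: a lost record moves every total, while a mis-posted employee number leaves the financial and nonfinancial totals intact and is caught only by the hash total.

```python
"""Batch control totals as an added illustration (not the textbook's code).
The batch layout (employee number, hours, gross pay in cents) and the
figures are constructed."""

# Constructed payroll batch, as keyed at data entry.
INPUT_BATCH = [
    {"emp_no": 1001, "hours": 40, "gross_cents": 120_000},
    {"emp_no": 1002, "hours": 35, "gross_cents": 98_000},
    {"emp_no": 1003, "hours": 42, "gross_cents": 131_250},
    {"emp_no": 1004, "hours": 40, "gross_cents": 120_000},
]


def control_totals(batch):
    """Compute the four batch control totals for a list of payroll records."""
    return {
        "record_count": len(batch),
        "financial_total": sum(r["gross_cents"] for r in batch),  # dollars: a meaningful total
        "nonfinancial_total": sum(r["hours"] for r in batch),     # hours: a meaningful total
        "hash_total": sum(r["emp_no"] for r in batch),            # meaningless sum, kept for control only
    }


def reconcile(expected, actual):
    """Return the names of the control totals that disagree (empty list = batch intact)."""
    return [name for name in expected if expected[name] != actual[name]]


def copy_with_change(batch, index, **changes):
    """Copy the batch and alter one record; used to simulate a processing error."""
    out = [dict(rec) for rec in batch]
    out[index].update(changes)
    return out


if __name__ == "__main__":
    expected = control_totals(INPUT_BATCH)  # established at data entry, carried with the batch
    # A record dropped in transmission: every total moves.
    print(reconcile(expected, control_totals(INPUT_BATCH[:-1])))
    # An employee number mis-posted: only the hash total catches it.
    print(reconcile(expected, control_totals(copy_with_change(INPUT_BATCH, 1, emp_no=1020))))
```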
Data Manipulation Controls
  - Data Processing
      - Follows validation of input data
      - Data manipulated to produce decision-useful information
  - Processing Control Procedures
      - Software documentation
      - Error-testing compiler
      - Utilization of test data

Output Controls
  - Purpose
      - Ensure validity
      - Ensure accuracy
      - Ensure completeness
  - Major Types
      - Validating processing results
      - Regulating distribution and use of printed output

Output Controls
  - Validating Processing Results
      - Preparation of activity listings
      - Provide detailed listings of changes to master files
  - Regulating Distribution and Use of Printed Output
      - Forms control
      - Pre-numbered forms
      - Authorized distribution list

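Two of the output controls above, an activity listing of master-file changes and forms control over pre-numbered documents, in Python. This is an added example, not the textbook's code; the master-file layout, the field names and the cheque numbers are constructed.

```python
"""Output controls as an added illustration (not the textbook's code):
an activity listing of master-file changes, and a sequence check over
pre-numbered forms. Field names and sample data are constructed."""
from collections import Counter


def activity_listing(master_before, master_after):
    """Detailed listing of changes between two versions of a master file.

    Each entry is (action, key, old, new): ADD and DELETE carry the whole
    record, CHANGE carries (field, value) pairs. The listing is what a
    reviewer checks to confirm that only authorized changes reached the file."""
    listing = []
    for key in sorted(set(master_before) | set(master_after)):
        if key not in master_before:
            listing.append(("ADD", key, None, master_after[key]))
        elif key not in master_after:
            listing.append(("DELETE", key, master_before[key], None))
        else:
            old_rec, new_rec = master_before[key], master_after[key]
            for field in sorted(set(old_rec) | set(new_rec)):
                if old_rec.get(field) != new_rec.get(field):
                    listing.append(("CHANGE", key,
                                    (field, old_rec.get(field)),
                                    (field, new_rec.get(field))))
    return listing


def sequence_exceptions(used_numbers, first, last):
    """Forms control over pre-numbered documents issued in the range first..last.

    Returns (missing, duplicates, out_of_range): forms not accounted for,
    numbers used more than once, and numbers outside the issued range."""
    expected = set(range(first, last + 1))
    seen = Counter(used_numbers)
    missing = sorted(expected - set(seen))
    duplicates = sorted(n for n, count in seen.items() if count > 1)
    out_of_range = sorted(set(seen) - expected)
    return missing, duplicates, out_of_range


# Constructed sample data.
MASTER_BEFORE = {
    "10017": {"name": "Acme Ltd", "credit_limit": 5000},
    "10025": {"name": "Beta Co", "credit_limit": 2000},
}
MASTER_AFTER = {
    "10017": {"name": "Acme Ltd", "credit_limit": 8000},
    "10033": {"name": "Gamma Inc", "credit_limit": 1000},
}
CHEQUES_USED = [501, 502, 502, 504, 506, 499]  # cheque numbers recorded in one run; 501-505 were issued

if __name__ == "__main__":
    for entry in activity_listing(MASTER_BEFORE, MASTER_AFTER):
        print(entry)
    print(sequence_exceptions(CHEQUES_USED, 501, 505))
```

Every line of the activity listing should be traceable to an approved change request; a CHANGE to a credit limit or a DELETE with no matching authorization is the exception a reviewer follows up. Likewise a missing or duplicated form number is investigated before the run's output is released.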
Study Break #5
  Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
  a. Specific
  b. General
  c. Application
  d. Input

Triangles of Information Security
  - Why We Do It (Fraud)
  - How We Prevent It

Fraud Triangle

CIA Triangle