Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee.

Presentation transcript:

Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee

Control Classifications
By Objectives: Administrative; Accounting
By Settings: General; Application (Input, Processing, Output)
By Risk Aversion: Corrective; Preventive; Detective
By System Architectures: Manual Systems; Computer Based Systems; Batch Processing; Online Processing; Data Base
Slide callouts: SAS 29 (1958); Text Chapter 7; This Chapter

Control Classifications (same classification diagram). Slide callouts: Encourage adherence to management policies and procedures. Promote operational efficiency. Safeguard assets. Ensure accuracy of accounting data and information.

[Diagram: Input, Process, Output with Sensor and Benchmark. Labels: Detective and Corrective Controls; Corrective Controls; Preventive, Detective, and Corrective Controls]

Detective Controls: Discover the occurrence of adverse events. Tend to be active in nature. After-the-fact controls.

Corrective Controls: Lead to the righting of effects caused by adverse events. Tend to be more active than detective controls.

Preventive Controls: Block adverse events, such as errors or losses, from occurring. Tend to be passive in nature.

Control Classifications (classification diagram repeated). Slide callouts: Ensure that overall IS is stable and well maintained. Ensure the accuracy of specific applications, inputs, files, programs & outputs.

What Constitutes A Reliable System

What Constitutes Reliability? Availability; Security; Maintainability; Integrity

Controls – The Text Approach: Key General Reliability Controls (more than one reliability principle), Table 8-1; Key Availability Controls, Table 8-2; Key Security Controls, Table 8-3; Key Maintainability Controls, Table 8-4; Key Integrity Controls, Table 8-5

General Reliability Controls: Strategic Planning & Budgeting; Developing a System Reliability Plan; Documentation

Key Availability Controls: Minimizing System Downtime; Disaster Recovery Plan

Key Security Controls: Segregation of Duties in Systems Function

The Text Notes... In a highly integrated AIS, procedures that used to be performed by separate individuals are combined. Therefore, any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

The Text Notes... To combat this threat, organizations must implement compensating control procedures such as the effective segregation of duties within the AIS function.

Organizational Independence Within the Information Systems Function of a Firm Using Computer-Based Processing. Source: AIS, Wilkinson & Cerullo

[Organization chart: Information Systems Manager; Steering Committee; Planning Staff; Data-Base Administrator; Technical Services Manager; Systems Development Manager; Data Processing Manager; Information Center; Systems Analysis & Projects; Programming; Data Preparation; Computer Operations; Data Library; Data Control] Tasks which CREATE systems. Tasks which OPERATE systems. These two functions need to be ORGANIZATIONALLY and PHYSICALLY separated.

Flow of batched data within several units of an organization using computer-based processing. Source: AIS, Wilkinson & Cerullo

[Flow diagram. Units: User Departments; Computer-Based Data Processing Department; Control Section; Data Preparation Section; Computer Operations; Data Library. Flow labels: Data Input; Receive & Log; Convert Data; Process; Files; Log & Distribute; Outputs; Error Listing; Errors to be corrected] Slide callouts: Record input data in control log. Follow progress of processing. Maintains control totals. Reconciles totals during processing. Distribute output. Monitors correction of errors.

[Same flow diagram] Slide callouts: Prepare and verify data for entry into processing. What controls do we have here? Batch controls. Various computer input controls.

[Same flow diagram] Slide callouts: Processes data to produce outputs. What controls do we have here? Various computer processing controls.

Simplified organizational separation in a computer-based system using on-line processing. Source: AIS, Wilkinson & Cerullo

[Diagram labels: User Departments; Computer Operations; On-Line Files (Data Library); Data Inputs; Displayed Outputs; Printed Outputs; Process; Batch Files; On-Line Files]

Subdivisions of transaction (application) controls and typical control points. Source: AIS, Wilkinson & Cerullo

[Diagram labels: Source Document; Manual Entry; Convert To MRF; Trans. Data Editing; Computer-Based Data Processing; User Transaction Via Terminal; Soft-Copy Output; Input Controls; Processing Controls; Output Controls; Control Point]

Key Security Controls: Segregation of Duties in Systems Function; Physical Access Controls

Perimeter Control; Building Controls; Computer Facility Controls

Key Security Controls: Segregation of Duties in Systems Function; Physical Access Controls; Logical Access Controls

Identification; Authentication; Access Rights; Threat Monitoring

Key Security Controls: Protection of Personal Computers and Client/Server Networks; Internet and e-commerce Controls

Key Maintainability Controls: Project Development and Acquisition Controls; Change Management Controls

Objectives of Application Controls: To prevent, detect, and correct errors in transactions as they flow through the various stages of a specific data processing program. Stages: Input; Process; Output

Objectives of Application Controls. The text correctly notes... If application controls are weak → AIS output is likely to contain errors. → Erroneous data leads to significant potential problems.

Key Integrity Controls: Source Data Controls; Input Validation Controls; On-Line Data Entry Controls; Data Processing and Storage Controls

Key Integrity Controls: Output Controls; Data Transmission Controls

[Diagram: Input, Process, Output. Control labels along the flow: Source Data; Input Validation; On-line Data Entry; Data Processing, Storage; Data Transmission; Output]

Key Integrity Controls: Source Data Controls

Ensure that all source documents are authorized, accurate, complete, properly accounted for and entered into the system or sent to their intended destinations in a timely manner.

Source Data Controls: Forms Design; Prenumbered Forms Sequence Test; Turnaround Documents; Cancellation and Storage of Documents

Source Data Controls: Authorization and Segregation of Duties; Visual Scanning; Check Digit Verification; Key Verification

Key Integrity Controls: Input Validation Controls

Input Validation Routines: Routines that check the integrity of input data as the data are entered into the system. Edit Programs → Edit Checks

Input Validation Routines: Sequence Check; Field Check; Sign Check; Validity Check; Limit Check

Input Validation Routines: Range Check; Reasonableness Test; Redundant Data Check; Capacity Check
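
Added example (not part of the original slides): a small edit program that applies the edit checks listed above, except the capacity check, to a constructed batch of sales orders and returns an error listing. The record layout, customer master, limits and the discount rule are assumptions made for the illustration.

```python
import re

# Constructed master data and limits (assumptions, not taken from the slides).
CUSTOMERS = {"C100": "ACME", "C200": "BOLT"}    # customer master: id -> name
QTY_LIMIT = 500                                 # limit check: upper bound only
PRICE_RANGE = (1.00, 999.99)                    # range check: lower and upper bound
NUMERIC = re.compile(r"-?\d+(\.\d{1,2})?")      # field check: numeric characters only
FIELDS = ("seq", "cust", "name", "qty", "price", "discount")

def edit_checks(rec, prev_seq):
    """Return the names of the edit checks that one input record fails."""
    numeric_fields = ("seq", "qty", "price")
    num = {f: float(rec[f]) for f in numeric_fields if NUMERIC.fullmatch(rec[f])}
    errors = [f"field check: {f}" for f in numeric_fields if f not in num]
    master_name = CUSTOMERS.get(rec["cust"])
    if master_name is None:                     # validity check against the master file
        errors.append("validity check: cust")
    elif master_name != rec["name"]:            # redundant data check: second identifier
        errors.append("redundant data check: name")
    if "seq" in num and prev_seq is not None and num["seq"] <= prev_seq:
        errors.append("sequence check: seq")
    if "qty" in num and num["qty"] <= 0:
        errors.append("sign check: qty")
    elif "qty" in num and num["qty"] > QTY_LIMIT:
        errors.append("limit check: qty")
    if "price" in num and not PRICE_RANGE[0] <= num["price"] <= PRICE_RANGE[1]:
        errors.append("range check: price")
    if rec["discount"] == "Y" and 0 < num.get("qty", 0) < 100:  # reasonableness test
        errors.append("reasonableness test: discount")
    return errors

def validate_batch(batch):
    """Edit every record; return {position in batch: [failed checks]}."""
    listing, prev_seq = {}, None
    for pos, rec in enumerate(batch):
        if failures := edit_checks(rec, prev_seq):
            listing[pos] = failures
        if rec["seq"].isdigit():
            prev_seq = int(rec["seq"])
    return listing

BATCH = [dict(zip(FIELDS, row)) for row in [    # constructed sample input
    ("1001", "C100", "ACME", "10", "25.00", "N"),
    ("1002", "C999", "ZETA", "-5", "25.00", "N"),
    ("1002", "C200", "ACME", "12O", "0.00", "Y"),   # letter O typed in qty
    ("1004", "C200", "BOLT", "900", "5.00", "Y"),
    ("1005", "C100", "ACME", "20", "5.00", "Y"),
]]
if __name__ == "__main__":
    print(validate_batch(BATCH))
```

Records that fail go to the error listing for correction and resubmission; only the first record in the sample batch passes every check.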

Key Integrity Controls: On-Line Data Entry Controls

To ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.

On-Line Data Entry Controls: Input Validation Routines; User ID and Passwords; Automatic Entering of Data; Prompting; Preformatting

On-Line Data Entry Controls: Completeness Check; Closed-Loop Verification; Transaction Log; Error Messages; Record Retention

Key Integrity Controls: Data Processing and Storage Controls

Processing/Storage Controls: Preserve the integrity of data processing and stored data.

Processing/Storage Controls: Policies and procedures; Data Control Function; Reconciliation procedures; External data Reconciliation; Exception reporting

Processing/Storage Controls: Data currency checks; Default values; Data matching; File labels; Write Protection mechanisms

Processing/Storage Controls: Database Protection Mechanisms; Data Conversion Controls; Data Security

Key Integrity Controls: Output Controls

Output Controls: Review all output for reasonableness and proper format. Reconcile output and input control totals daily. Distribute output to appropriate user departments.

Output Controls: Protect sensitive or confidential outputs. Store sensitive/confidential data in secure area. Require users to review completeness and accuracy of all output.

Output Controls: Shred or otherwise destroy sensitive data. Correct errors found on output reports.
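
Added example (not part of the original slides): reconciling output against the control totals logged at input, as the data control function and the output controls above call for. The slides do not name the totals; this sketch assumes the usual three batch totals (record count, financial total, hash total) and a constructed batch of (account number, amount) records.

```python
from decimal import Decimal

def control_totals(records):
    """Compute batch totals for a list of (account_no, amount) string pairs."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(amt) for _, amt in records), Decimal("0")),
        # Hash total: a sum with no business meaning, kept only to detect changes.
        "hash_total": sum(int(acct) for acct, _ in records),
    }

def reconcile(logged, output_records):
    """Compare totals logged at input with totals recomputed from the output.

    Returns the sorted names of totals that disagree; an empty list means
    the batch reconciles."""
    actual = control_totals(output_records)
    return sorted(name for name in logged if logged[name] != actual[name])

# Constructed batch as received from the user department.
INPUT_BATCH = [("4001", "125.50"), ("4002", "80.00"),
               ("4003", "310.25"), ("4004", "80.00")]
LOGGED = control_totals(INPUT_BATCH)      # written to the control log on receipt

# Constructed processing outcomes to reconcile against the log.
CLEAN = list(INPUT_BATCH)
DROPPED = INPUT_BATCH[:3]                 # one record lost during processing
TRANSPOSED = [("4001", "152.50")] + INPUT_BATCH[1:]   # amount digits transposed
# A record replaced by a duplicate with the same amount: count and dollars agree.
SUBSTITUTED = [INPUT_BATCH[0], INPUT_BATCH[2], INPUT_BATCH[3], INPUT_BATCH[3]]

if __name__ == "__main__":
    for label, out in [("clean", CLEAN), ("dropped", DROPPED),
                       ("transposed", TRANSPOSED), ("substituted", SUBSTITUTED)]:
        print(label, reconcile(LOGGED, out) or "reconciled")
```

The substituted case shows why the hash total is kept: the record count and financial total still agree, and only the account-number sum exposes the change.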

Key Integrity Controls: Transmission Controls