Presentation is loading. Please wait.

Presentation is loading. Please wait.

Controlling Computer-Based Information Systems, Part II

Published byJulian Adams Modified over 5 years ago

Similar presentations

Presentation on theme: "Controlling Computer-Based Information Systems, Part II"— Presentation transcript:

1 Controlling Computer-Based Information Systems, Part II
Chapter 16 Controlling Computer-Based Information Systems, Part II 1

2 General Control Framework for CBIS Risks
Organizational Structure Internet & Intranet Data Management Internet & Intranet Operating System Systems Development Systems Maintenance Personal Computers EDI Trading Partners Applications Computer Center Security General Control Framework for CBIS Risks

3 Internet and Intranet Risks from Subversive Threats
These acts include: unauthorized interception of a message gaining unauthorized access to an organization’s network a denial-of-service attack from a remote location 2

4 Dual-Homed Firewall

5 Controlling Risks from Subversive Threats
Denial-of-service (DOS) attacks Security software searches for connections which have been half-open for a period of time. Encryption Computer program transforms a clear message into a coded (cipher) text form using an algorithm. 4

6 Controlling Risks from Subversive Threats
Encryption A computer program transforms a clear message into a coded (ciphertext) form using an algorithm. Encryption can be used for transmitted data and for stored data. 7

7 Data Encryption Standard Technique
Key Ciphertext Encryption Program Communication System Cleartext Message Cleartext Message Encryption Program Ciphertext Communication System Key 7

8 Public and Private Key Encryption
Message A Message B Message C Message D Multiple people may have the public key (e.g., subordinates). Public Key is used for encoding messages. Ciphertext Ciphertext Ciphertext Ciphertext Typically one person or a small number of people have the private key (e.g., a supervisor). Private Key is used for decoding messages. Message D Message A Message B Message C 8

9 Controlling Risks from Subversive Threats
Digital signature: electronic authentication technique that ensures that the transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied Digital certificate: like an electronic identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender

10 Electronic Data Interchange (EDI) Risks
Authorization automated and absence of human intervention Access need to access EDI partner’s files Audit trail paperless and transparent (automatic) transactions 9

11 Electronic Data Interchange (EDI) Controls
Authorization use of passwords and VANs to ensure valid partner Access software to specify what can be accessed and at what level Audit trail control log records the transaction’s flow through each phase of the transaction processing 9

12 EDI System without Controls
Company B (Vendor) Company A Sales Order System Application Software Application Software Purchases System EDI Translation Software EDI Translation Software Direct Connection Communications Software Communications Software 14

13 EDI System with Controls
Company A Company B (Vendor) Application Software Audit trail of transactions between trading partners Sales Order System Application Software Purchases System EDI Translation Software EDI Translation Software Transaction Log Transaction Log Communications Software Communications Software Other Mailbox Software limits vendor’s (Company B) access to company A’s database Use of VAN to enforce use of passwords and valid partners Company A’s mailbox VAN Company B’s mailbox Other Mailbox 15

14 Personal Computer (PC) Controls
PCs… are relatively simple to use are frequently controlled and used by end users usually employ interactive (v. batch) data processing typically run commercial software applications allow users to develop their own applications PCs, in contrast to servers and mainframes, have weak operating systems. makes them easy to use but results in minimal security and weak controls 16

15 Access Risks in the PC Environment
PCs typically weak in controlling access data files Techniques to prevent theft or tampering of data: data encryption - must decode even if stolen disk locks - software or physical locks to prevent booting from A:\ 17

16 Inadequate Segregation of Duties
In PC environments, employees often have access to multiple applications that process incompatible transactions. Controls: increased supervision detailed management reports more frequent independent verification 18

17 PC Backup Controls PC end-users often fail to appreciate the importance of backup procedures until it is too late. Back up mechanisms: tape--high capacity (3.2gb, inexpensive) CD--about 650mb (>450 floppies) dual internal hard drives (high capacity) dual external hard drives (>12 gb) USB memory attachments (portable, >64 mb) 19 19

18 Application Controls Narrowly focused exposures within a specific system, for example: accounts payable cash disbursements fixed asset accounting payroll sales order processing cash receipts general ledger 9 9

19 Application Controls Risks within specific applications
Can affect manual procedures (e.g., entering data) or embedded procedures Convenient to look at in terms of: input stage processing stage output stage PROCESSING INPUT OUTPUT 21 21

20 Application Controls Input
Goal of input controls - inputted data are valid, accurate, and complete Source document controls use prenumbered source documents auditing missing source documents Data coding controls transcription errors check digits GIGO 21 21

21 Application Controls Input
Batch controls - used to reconcile the output produced by the system with the input originally entered into the system Based on different types of batch totals: total number of records total dollar value hash totals - sum of non-financial numbers 22 22

22 Application Controls Input
Validation controls - intended to detect errors in transaction data before the data are processed field interrogation - data in individual fields; for example, missing data, data type, range record interrogation - interrelationship of data in fields of a record file interrogation - the correct file; for example, internal and external labels compared, version, dates 23 23

23 Transaction Log to Preserve the Audit Trail
32

24 Application Controls Output
Goal of output controls is to ensure that system output is not lost, misdirected, or corrupted, and that privacy is not violated. In the following flowchart, there are exposures at every stage. 33

Download ppt "Controlling Computer-Based Information Systems, Part II"

Similar presentations

Chapter 6 Computer Assisted Audit Tools and Techniques

Chapter 6 Computer Assisted Audit Tools and Techniques
Accounting Information Systems, 5th edition James A. Hall

Accounting Information Systems, 5th edition James A. Hall
Chapter 12 Designing System Interfaces, Controls, and Security

Chapter 12 Designing System Interfaces, Controls, and Security
Accounting Information Systems, 6 th edition James A. Hall COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western.

Accounting Information Systems, 6 th edition James A. Hall COPYRIGHT © 2009 South-Western, a division of Cengage Learning. Cengage Learning and South-Western.
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
Chapter 10: Auditing the Expenditure Cycle

Chapter 10: Auditing the Expenditure Cycle
4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.

4/15: Security & Controls in IS Systems Vulnerabilities Controls: what to use to guard against vulnerabilities –General controls –Application controls.
Chapter 14 System Controls. A Quote “The factory of the future will have only two employees, a man and a dog. The man will be there to feed the dog. The.

Chapter 14 System Controls. A Quote “The factory of the future will have only two employees, a man and a dog. The man will be there to feed the dog. The.
Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.

Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.

Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.

Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.
1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.

1 Output Controls Ensure that system output is not lost, misdirected, or corrupted and that privacy is not violated. Exposures of this sort can cause serious.
Chapter 4 The Revenue Cycle

Chapter 4 The Revenue Cycle
Processing Integrity and Availability Controls

Processing Integrity and Availability Controls
Chapter 19 Security.

Chapter 19 Security.
Auditing Electronic Data Interchange

Auditing Electronic Data Interchange
Controlling Computer-Based Information Systems, Part II

Controlling Computer-Based Information Systems, Part II
Hall, Accounting Information Systems, 7e ©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly.

Hall, Accounting Information Systems, 7e ©2011 Cengage Learning. All Rights Reserved. May not be scanned, copied or duplicated, or posted to a publicly.
Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.

Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star.
Copyright © 2015 Pearson Education, Inc. Processing Integrity and Availability Controls Chapter 10 10-1.

Copyright © 2015 Pearson Education, Inc. Processing Integrity and Availability Controls Chapter

Similar presentations

Ads by Google