1
Prepared by Coby Harmon, University of California, Santa Barbara / Westmont College
2
Accounting Information Systems, 2nd Edition
Internal Controls and Risks in IT Systems
3
Study Objectives
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Services Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems
4
Internal Controls for IT Systems
Accounting Information System: collects, processes, stores, and reports accounting information. Internal controls for computer-based systems have been described as being of two types:
- General controls
- Application controls
SO 1 An overview of internal controls for IT systems
5
Internal Controls for IT Systems
Exhibit 4-1 General and Application Controls in IT Systems Application controls used to control inputs, processing, and outputs. General controls apply overall to the IT accounting system. SO 1 An overview of internal controls for IT systems
6
Internal Controls for IT Systems
Question Internal controls that apply overall to the IT system are called a. Overall controls. b. Technology controls. c. Application controls. d. General controls. SO 1 An overview of internal controls for IT systems
7
General Controls for IT Systems
Five categories of general controls:
- Authentication of users and limiting unauthorized access
- Hacking and other network break-ins
- Organizational structure
- Physical environment and physical security of the system
- Business continuity
SO 2 General controls for IT systems
8
General Controls for IT Systems
Authentication of Users and Limiting Unauthorized Users
- Log-in
- User IDs
- Password
- Smart card
- Security token
- Two-factor authentication
- Biometric devices
- Computer log
- Nonrepudiation
- User profile
- Authority table
- Configuration tables
SO 2 General controls for IT systems
9
General Controls for IT Systems
Hacking and Other Network Break-Ins
- Firewall
- Symmetric encryption
- Public key encryption
- Wired Equivalent Privacy (WEP; its encryption has been broken and it should no longer be used)
- Wi-Fi Protected Access (WPA)
- Service set identifier (SSID)
- Virtual private network (VPN)
- Secure Sockets Layer (SSL; superseded by TLS)
- Virus
- Antivirus software
- Vulnerability assessment
- Intrusion detection
- Penetration testing
SO 2 General controls for IT systems
10
General Controls for IT Systems
Organizational Structure
IT governance committee, responsibilities include:
- Align IT investments to business strategy.
- Budget funds and personnel for the most effective use of the IT systems.
- Oversee and prioritize changes to IT systems.
- Develop, monitor, and review all IT operational policies.
- Develop, monitor, and review security policies.
SO 2 General controls for IT systems
11
General Controls for IT Systems
Organizational Structure
Duties to be segregated are:
- Systems analysts
- Programmers
- Operations personnel
- Database administrator
SO 2 General controls for IT systems
12
General Controls for IT Systems
Physical Environment and Security
Controls for an IT system should include controls over the physical environment of the system, which includes location, operating environment, and back-up systems:
- Location: locate in an area that is least at risk of natural disasters such as flood, earthquake, hurricane, and fire.
- Operating environment: properly control dust, temperature, and humidity; the location should also have a fire protection system.
- Back-up systems: the system should have both an uninterruptible power supply and an emergency power supply.
SO 2 General controls for IT systems
14
General Controls for IT Systems
Physical Environment and Security
Physical access controls:
- Limited access to computer rooms through employee ID badges or card keys
- Video surveillance equipment
- Logs of persons entering and exiting the computer rooms
- Locked storage of backup data and offsite backup data
SO 2 General controls for IT systems
15
General Controls for IT Systems
Business Continuity
Business Continuity Planning (BCP). Two parts of business continuity are related to IT systems:
- A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
- A disaster recovery plan.
SO 2 General controls for IT systems
16
The Real World In some organizations, loss of a key CEO could spell disaster. For example, Martha Stewart founded and became the CEO of Martha Stewart Living Omnimedia Inc. In June 2003, she was indicted for possible legal violations related to insider trading, and she stepped down as CEO. Some in the financial community wondered if the firm could continue or thrive without Martha Stewart. Part of the business continuity plan for her company should have been a strategy to operate if some event would prevent Martha Stewart from serving as CEO. Martha was convicted, served time in prison, and successfully returned to work. SO 2 General controls for IT systems
17
General Controls for IT Systems
Question Which of the following is not a control intended to authenticate users? a. User log-in. b. Security token. c. Encryption. d. Biometric devices. SO 2 General controls for IT systems
18
General Controls for IT Systems
Question An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee? a. Develop and maintain the database and ensure adequate controls over the database. b. Develop, monitor, and review security policies. c. Oversee and prioritize changes to IT systems. d. Align IT investments to business strategy. SO 2 General controls for IT systems
19
General Controls from an AICPA Trust Services Principles Perspective
AICPA Trust Services Principles categorize IT controls and risks into five categories:
- Security: the system is protected against unauthorized (physical and logical) access.
- Availability: the system is available for operation and use as committed or agreed.
- Processing integrity: system processing is complete, accurate, timely, and authorized.
- Online privacy (the current Trust Services Criteria call this category simply privacy): personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
- Confidentiality: information designated as confidential is protected as committed or agreed.
SO 3 General controls from a Trust Services Principles perspective
24
General Controls from an AICPA Trust Services Principles Perspective
Risks In Not Limiting Unauthorized Users Previously covered IT controls that can lessen risk of unauthorized users gaining access to the IT system: user ID, password, security token, biometric devices, log-in procedures, access levels, computer logs, and authority tables. SO 3 General controls from a Trust Services Principles perspective
25
General Controls from an AICPA Trust Services Principles Perspective
Risks From Hacking or Other Network Break-Ins
Controls that may be applied are firewalls, encryption of data, security policies, security breach resolution, Secure Sockets Layer (SSL, superseded by TLS), virtual private networks (VPN), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), service set identifiers (SSID), antivirus software, vulnerability assessment, penetration testing, and intrusion detection. Two caveats: WEP's encryption has been broken and it should not be relied on (use WPA2 or later), and an SSID is a network name rather than a secret, so hiding it does not keep intruders out.
SO 3 General controls from a Trust Services Principles perspective
27
General Controls from an AICPA Trust Services Principles Perspective
Risks From Environmental Factors Environmental changes that affect the IT system can cause availability risks and processing integrity risks. Physical Access Risks Physical access to computer systems and computer rooms should be limited to those who must have access in order to carry out their job assignments. SO 3 General controls from a Trust Services Principles perspective
28
General Controls from an AICPA Trust Services Principles Perspective
Physical Access Risk Security risk: an intruder who gains physical access may change user access levels. Availability risk: someone with unauthorized physical access may shut down, sabotage, or destroy hardware or software. Processing integrity risk: systems or programs may be shut down or sabotaged. Confidentiality risk: the intruder may gain access to confidential data. SO 3 General controls from a Trust Services Principles perspective
29
General Controls from an AICPA Trust Services Principles Perspective
Business Continuity Risks Security risk: an unauthorized person may gain access to the backup data. Availability risk: as events interrupt operations, the system becomes unavailable for regular processing. Processing integrity risk: business interruptions can lead to incomplete or inaccurate data. Confidentiality risk: unauthorized persons may gain access to confidential data if they access backup data. SO 3 General controls from a Trust Services Principles perspective
30
General Controls from an AICPA Trust Services Principles Perspective
Question AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”? a. Security. b. Confidentiality. c. Processing integrity. d. Availability. SO 3 General controls from a Trust Services Principles perspective
31
General Controls from an AICPA Trust Services Principles Perspective
Question The risk that an unauthorized user would shut down systems within the IT system is a(n) a. Security risk. b. Availability risk. c. Processing integrity risk. d. Confidentiality risk. SO 3 General controls from a Trust Services Principles perspective
32
Hardware and Software Exposures
Typical IT system components that represent "entry points" where the risks must be controlled:
- The operating system
- The database
- The database management system (DBMS)
- Local area networks (LANs)
- Wireless networks
- E-business conducted via the Internet
- Telecommuting workers
- Electronic data interchange (EDI)
- Application software
SO 4 Hardware and software exposures in IT systems
33
Hardware and Software Exposures
Exposure Areas Exhibit 4-6 SO 4
34
Hardware and Software Exposures
The Operating System
The software that controls the basic input and output activities of the computer. Provides the instructions that enable the CPU to:
- read and write to disk,
- read keyboard input,
- control output to the monitor,
- manage computer memory, and
- communicate between the CPU, memory, and disk storage.
SO 4 Hardware and software exposures in IT systems
35
Hardware and Software Exposures
The Operating System
Unauthorized access would allow an unauthorized user to:
- Browse disk files or memory for sensitive data or passwords.
- Alter data through the operating system.
- Alter access tables to change access levels of users.
- Alter application programs.
- Destroy data or programs.
SO 4 Hardware and software exposures in IT systems
36
Hardware and Software Exposures
The Database
Large disk storage holding accounting and operating data. Controls such as user IDs, passwords, authority tables, firewalls, and encryption are examples of controls that can limit exposure.
SO 4 Hardware and software exposures in IT systems
37
Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database (Exhibit 4-7). Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.
SO 4 Hardware and software exposures in IT systems
40
Hardware and Software Exposures
LANs and WANs A local area network, or LAN, is a computer network covering a small geographic area, such as a single building or campus. A wide area network, or WAN, spans a large geographic area and is typically built by connecting LANs to each other. SO 4 Hardware and software exposures in IT systems
41
Hardware and Software Exposures
LANs and WANs (Exhibit 4-6)
Controls:
- limit unauthorized users
- firewalls
- encryption
- virtual private networks
SO 4 Hardware and software exposures in IT systems
42
Hardware and Software Exposures
Wireless Networks (Exhibit 4-6)
Same kind of exposures as a local area network, with the added exposure that anyone within radio range can attempt to join or eavesdrop. Controls include Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA), service set identifiers (SSID), and encrypted data. In practice WEP is broken and should not be used; WPA2 or later with a strong passphrase (or enterprise authentication) is the effective control, and an SSID is an identifier rather than a secret.
SO 4 Hardware and software exposures in IT systems
44
The Real World Boeing Co. uses wireless networks on the floor of the large shop where it manufactures airplanes. This wireless network with notebook computers allows Boeing workers to move around the plane while they are working and view engineering drawings or parts availability during the manufacturing processes. The employees do not have to walk to a desk or workstation, away from the manufacturing flow, to access these things. Wireless networks can make employees more efficient by allowing them to roam. SO 4 Hardware and software exposures in IT systems
45
Hardware and Software Exposures
Exhibit 4-6 The Internet and World Wide Web The use of dual firewalls, an outer and an inner firewall with a demilitarized zone (DMZ) between them that holds the public-facing servers, can help prevent hackers or unauthorized users from accessing the organization's internal network of computers. SO 4 Hardware and software exposures in IT systems
46
Hardware and Software Exposures
Exhibit 4-6 Telecommuting Workers and Mobile Workers The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network. SO 4
47
Hardware and Software Exposures
Electronic Data Interchange Company-to-company transfer of standard business documents in electronic form. EDI controls include: authentication, computer logs, and network break-in controls. Exhibit 4-6 SO 4
48
Hardware and Software Exposures
Question The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas? a. Telecommuting workers. b. Internet. c. Wireless networks. d. All of the above. SO 4 Hardware and software exposures in IT systems
49
Hardware and Software Exposures
Cloud Computing
As introduced in chapter 2, cloud computing includes:
- Software and data reside with third-party companies (the cloud) and not on company computers.
- Outsourcing of IT to a third party.
Advantages:
- Scalability
- Expanded access
- Infrastructure is reduced
- Cost savings
SO 4 Hardware and software exposures in IT systems
50
Cloud Computing Exhibit 2–2 Cloud Hosting of Accounting Software SO 4
51
Hardware and Software Exposures
Cloud Computing Risks associated with cloud computing Security. All processing, storing data, and reading data occur over the Internet; therefore, the third-party provider must have good user authentication, firewalls, encryption, and virtual private network connections. Availability. Any interruptions in service cause the software and data to be unavailable. SO 4 Hardware and software exposures in IT systems
52
Hardware and Software Exposures
Cloud Computing Risks associated with cloud computing Processing integrity. All control of software installation, testing, and upgrading is transferred to the third-party provider of cloud computing services. Confidentiality. Risk that employees of the third-party provider can possibly browse and misuse company data. SO 4 Hardware and software exposures in IT systems
53
The Real World Starbucks uses a combination of public clouds, private clouds, and traditional corporate IT systems. In its stores, Starbucks uses Office 365 for e-mail and productivity applications such as Microsoft Word. Office 365 is the public cloud version of the Microsoft Office Suite. For e-mail and productivity applications at the corporate offices, Starbucks uses its own traditional IT systems on premises. For its customer relationship management software, Starbucks uses Salesforce.com, a public cloud application. For other accounting and Oracle ERP applications, Starbucks uses a private cloud based on virtualized servers that it maintains. This example of using various IT approaches is quite common. SO 4 Hardware and software exposures in IT systems
54
Application Software and Application Controls
Application software accomplishes end-user tasks such as word processing, spreadsheets, database maintenance, and accounting functions. Application controls are intended to improve the accuracy, completeness, and security of input, processing, and output. SO 5 Application software and application controls
55
Application Software and Application Controls
Input Controls
Data input: data converted from human-readable form to computer-readable form. Input controls are of four types:
- Source document controls
- Standard procedures for data preparation and error handling
- Programmed edit checks
- Control totals and reconciliation
SO 5 Application software and application controls
56
Application Software and Application Controls
Source Document Controls Source document: a paper form used to capture and record the original data of an accounting transaction. Note: many IT systems do not use source documents; there, general controls such as computer logging of transactions and keeping backup files become important. Where source documents are used, several source document controls should be applied. SO 5 Application software and application controls
57
Application Software and Application Controls
Source Document Controls
Form Design: both the source document and the input screen should be well designed so that they are easy to understand and use, logically organized into groups of related data.
Form Authorization and Control:
- Area for authorization by the appropriate manager
- Prenumbered and used in sequence
- Blank source documents should be controlled
SO 5 Application software and application controls
58
Application Software and Application Controls
Source Document Controls Retention of Source Documents: Retained and filed for easy retrieval Part of the audit trail. SO 5 Application software and application controls
59
Application Software and Application Controls
Standard Procedures for Data Input
Data Preparation: standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.
Error Handling:
- Errors should be logged, investigated, corrected, and resubmitted for processing
- The error log should be regularly reviewed by an appropriate manager
SO 5 Application software and application controls
60
Application Software and Application Controls
Programmed Input Validation Checks
Data should be validated and edited as close to its original source as possible. Input validation checks include:
1. Field check (the data is of the correct type, alphabetic or numeric)
2. Validity check (the value exists in a master list or table)
3. Limit check (the value does not exceed a fixed limit)
4. Range check (the value falls within an allowed range)
5. Reasonableness check (the value is appropriate given related fields)
6. Completeness check (all critical fields have a value)
7. Sign check (the value has the appropriate sign)
8. Sequence check (records arrive in the proper order)
9. Self-checking digit (an extra digit computed from the number detects transcription errors)
SO 5 Application software and application controls
61
Application Software and Application Controls
Control Totals and Reconciliation Control totals are subtotals of selected fields for an entire batch of transactions, computed before input and again after processing, and reconciled. Three types: record counts (the number of records in the batch), batch totals (the sum of a financially meaningful field such as amount), and hash totals (the sum of a field that has no meaning as a total, such as account numbers, added only for control purposes). SO 5 Application software and application controls
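The nine validation checks and the three control totals are easier to see applied to a batch than described one by one. What follows is an added example written for this page, not code from the textbook or from any accounting package; the transaction layout, the chart of accounts, the limits, the Luhn scheme chosen for the check digit, and the sample batch (two clean records and two with deliberate errors) are all assumptions. The clerk's expected totals are what reconciliation compares against after input.

```python
"""Programmed input validation checks and batch control totals.

Added example, not code from the textbook. The transaction layout,
chart of accounts, limits and the sample batch are assumed for illustration.
"""
from dataclasses import dataclass

VALID_ACCOUNTS = {"1010", "2020", "4010", "5010"}   # assumed chart of accounts
TRANSACTION_LIMIT = 10_000.00                       # assumed per-transaction limit
ALLOWED_DEPTS = range(100, 200)                     # assumed valid department numbers
MAX_RATE_PER_HOUR = 200.00                          # assumed: amount/hours above this is unreasonable
CRITICAL_FIELDS = ("seq", "type", "account", "dept", "amount", "hours", "customer")


def luhn_ok(number: str) -> bool:
    """Self-checking digit using the Luhn (mod 10) scheme, one common choice."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate(rec: dict, expected_seq: int) -> list[str]:
    """Apply the nine programmed input validation checks; return the failures."""
    errors = []
    # Completeness check: every critical field has a value
    missing = [f for f in CRITICAL_FIELDS if rec.get(f) in (None, "")]
    if missing:
        errors.append("completeness: missing " + ",".join(missing))
    acct = str(rec.get("account", ""))
    amount, hours = rec.get("amount"), rec.get("hours")
    if not acct.isdigit():                   # Field check: account must be numeric
        errors.append("field: account must be numeric")
    elif acct not in VALID_ACCOUNTS:         # Validity check: account exists in the chart
        errors.append("validity: account not in chart of accounts")
    if isinstance(amount, (int, float)):
        if abs(amount) > TRANSACTION_LIMIT:  # Limit check
            errors.append("limit: amount exceeds transaction limit")
        if rec.get("type") == "SALE" and amount <= 0:        # Sign check
            errors.append("sign: sale amount must be positive")
        if rec.get("type") == "REFUND" and amount >= 0:      # Sign check
            errors.append("sign: refund amount must be negative")
        # Reasonableness check: amount compared with the related hours field
        if isinstance(hours, (int, float)) and hours > 0 and abs(amount) / hours > MAX_RATE_PER_HOUR:
            errors.append("reasonableness: amount per hour exceeds maximum rate")
    else:
        errors.append("field: amount must be numeric")
    if rec.get("dept") not in ALLOWED_DEPTS:  # Range check
        errors.append("range: dept outside 100-199")
    if rec.get("seq") != expected_seq:       # Sequence check: prenumbered documents in order
        errors.append(f"sequence: expected {expected_seq}")
    cust = str(rec.get("customer", ""))
    if cust and not luhn_ok(cust):           # Self-checking digit on the customer number
        errors.append("check digit: customer number fails Luhn")
    return errors


@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # number of records in the batch
    batch_total: float    # sum of a meaningful field (amount)
    hash_total: int       # sum of a field meaningless as a total (account numbers)


def control_totals(batch: list[dict]) -> ControlTotals:
    return ControlTotals(record_count=len(batch),
                         batch_total=round(sum(r["amount"] for r in batch), 2),
                         hash_total=sum(int(r["account"]) for r in batch))


def process_batch(batch: list[dict]) -> tuple[list[dict], list[tuple]]:
    """Validate each record; accepted records go on, rejects go to the error log."""
    accepted, error_log = [], []
    expected_seq = 1
    for rec in batch:
        errs = validate(rec, expected_seq)
        if errs:
            error_log.append((rec.get("seq"), errs))
        else:
            accepted.append(rec)
        seq = rec.get("seq")
        expected_seq = (seq if isinstance(seq, int) else expected_seq) + 1
    return accepted, error_log


def reconcile(expected: ControlTotals, batch: list[dict]) -> bool:
    """Compare totals computed after input with those taken from the source documents."""
    return control_totals(batch) == expected


# Constructed sample batch (assumed data). Records with seq 3 and 5 contain deliberate errors.
SAMPLE_BATCH = [
    {"seq": 1, "type": "SALE", "account": "4010", "dept": 120, "amount": 1500.00, "hours": 10, "customer": "79927398713"},
    {"seq": 2, "type": "SALE", "account": "4010", "dept": 130, "amount": 250.00, "hours": 2, "customer": "79927398713"},
    {"seq": 3, "type": "REFUND", "account": "4010", "dept": 120, "amount": 120.00, "hours": 1, "customer": ""},
    {"seq": 5, "type": "SALE", "account": "9999", "dept": 250, "amount": 20000.00, "hours": 1, "customer": "79927398714"},
]
# Totals the data-entry clerk computed from the source documents (assumed)
EXPECTED_TOTALS = ControlTotals(record_count=4, batch_total=21870.00, hash_total=22029)

if __name__ == "__main__":
    accepted, error_log = process_batch(SAMPLE_BATCH)
    print(control_totals(accepted), error_log, reconcile(EXPECTED_TOTALS, accepted))
```

Run on the sample batch, records 1 and 2 pass, record 3 fails the completeness and sign checks, and record 5 fails six checks at once (validity, limit, reasonableness, range, sequence, and check digit). The clerk's totals reconcile with the full batch but not with the accepted records, which is exactly the signal that two documents were rejected and must be corrected and resubmitted rather than silently dropped.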
62
Application Software and Application Controls
Processing Controls
Intended to prevent, detect, or correct errors that occur during processing:
- Application software should be tested so that it processes transactions as intended.
- Control totals, limit and range tests, and reasonableness and sign tests.
- Computer logs of transactions processed, production run logs, and error listings.
SO 5 Application software and application controls
63
Application Software and Application Controls
Output Controls Reports from the various applications. Two primary objectives of output controls: to assure the accuracy and completeness of the output, and to properly manage the safekeeping of output reports to ascertain that security and confidentiality of the information is maintained. SO 5 Application software and application controls
64
Application Software and Application Controls
Question Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate? a. Completeness check. b. Validity check. c. Reasonableness check. d. Field check. SO 5 Application software and application controls
65
Application Software and Application Controls
Question Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered? a. Completeness check. b. Validity check. c. Reasonableness check. d. Field check. SO 5 Application software and application controls
66
Application Software and Application Controls
Question Which programmed input validation check makes sure that a value was entered in all of the critical fields? a. Completeness check. b. Validity check. c. Reasonableness check. d. Field check. SO 5 Application software and application controls
67
Application Software and Application Controls
Question Which control total is the total of field values that are added for control purposes, but not added for any other purpose? a. Record count. b. Hash total. c. Batch total. d. Field total. SO 5 Application software and application controls
68
Ethical Issues in IT Systems
Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
- Misuse of confidential customer information.
- Theft of data, such as credit card information, by hackers.
- Employee use of IT system hardware and software for personal use or personal gain.
- Using company e-mail to send offensive, threatening, or sexually explicit material.
SO 6 Ethical issues in IT systems
69
The Real World An unusual case of computer abuse occurred at a federal agency that regulates financial aspects of companies. The Securities and Exchange Commission (SEC) detected senior managers spending excessive hours viewing pornography during regular working hours. One SEC attorney spent as much as eight hours a day viewing pornography on his office computer. A congressional investigation revealed that 33 high-level SEC staffers in Washington, D.C., were involved in such abuse of computers. Ironically, this misconduct was occurring during the same time that this agency should have been monitoring and reviewing banking institutions and other companies involved in the country’s financial meltdown. SO 6 Ethical issues in IT systems
70
Copyright Copyright © 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.