1. Computer-Based Information Systems Controls

2. Learning Objectives
Describe the threats to an AIS and discuss why these threats are growing.
Explain the basic concepts of control as applied to business organizations.
Describe the major elements in the control environment of a business organization.

3. Learning Objectives, continued
Describe control policies and procedures commonly used in business organizations.
Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

4. Threats to Accounting Information Systems
What are examples of natural and political disasters?
fire or excessive heat
floods
earthquakes
high winds
war

5. Threats to Accounting Information Systems
What are examples of software errors and equipment malfunctions?
hardware failures
power outages and fluctuations
undetected data transmission errors

6. Threats to Accounting Information Systems
What are examples of unintentional acts?
accidents caused by human carelessness
innocent errors of omissions
lost or misplaced data
logic errors
systems that do not meet company needs

7. Threats to Accounting Information Systems
What are examples of intentional acts?
sabotage
computer fraud
embezzlement

8. Why are AIS Threats Increasing?
Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.
Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.
WANs are giving customers and suppliers access to each other’s systems and data, making confidentiality a concern.

9. Overview of Control Concepts
What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

10. Overview of Control Concepts
What is management control?
Management control encompasses the following three features:
It is an integral part of management responsibilities.
It is designed to reduce errors, irregularities, and achieve organizational goals.
It is personnel-oriented and seeks to help employees attain company goals.

11. Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
Preventive, detective, and corrective controls
General and application controls
Administrative and accounting controls
Input, processing, and output controls

12. The Foreign Corrupt Practices Act
In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.
The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.
A significant effect of the act was to require corporations to maintain good systems of internal accounting control.

13. Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
American Accounting Association
American Institute of Certified Public Accountants
Institute of Internal Auditors
Institute of Management Accountants
Financial Executives Institute

14. Committee of Sponsoring Organizations
In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.
The report has been widely accepted as the authority on internal controls.

15. Committee of Sponsoring Organizations
The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
effectiveness and efficiency of operations
reliability of financial reporting
compliance with applicable laws and regulations

16. Committee of Sponsoring Organizations
COSO’s internal control model has five crucial components:
Control environment
Control activities
Risk assessment
Information and communication
Monitoring

17. Information Systems Audit and Control Foundation
The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
COBIT consolidates standards from 36 different sources into a single framework.
The framework addresses the issue of control from three vantage points, or dimensions:

18. Information Systems Audit and Control Foundation
Information: needs to conform to certain criteria that COBIT refers to as business requirements for information
IT resources: people, application systems, technology, facilities, and data
IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

19. The Control Environment
The first component of COSO’s internal control model is the control environment.
The control environment consists of many factors, including the following:
Commitment to integrity and ethical values
Management’s philosophy and operating style
Organizational structure

20. The Control Environment
The audit committee of the board of directors
Methods of assigning authority and responsibility
Human resources policies and practices
External influences

21. Control Activities
The second component of COSO’s internal control model is control activities.
Generally, control procedures fall into one of five categories:
Proper authorization of transactions and activities
Segregation of duties

22. Control Activities Design and use of adequate documents and records
Adequate safeguards of assets and records
Independent checks on performance

23. Proper Authorization of Transactions and Activities
Authorization is the empowerment management gives employees to perform activities and make decisions.
Digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
Specific authorization is the granting of authorization by management for certain activities or transactions.

24. Segregation of Duties
Good internal control demands that no single employee be given too much responsibility.
An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

25. Segregation of Duties Custodial Functions Handling cash
Recording Functions
Preparing source documents
Maintaining journals
Preparing reconciliations
Preparing performance reports
Custodial Functions
Handling cash
Handling assets
Writing checks
Receiving checks in mail
Authorization Functions
Authorization of
transactions

26. Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
Prevent authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

27. Segregation of Duties
Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.

28. Design and Use of Adequate Documents and Records
The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
Documents that initiate a transaction should contain a space for authorization.

29. Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
effectively supervising and segregating duties
maintaining accurate records of assets, including information
restricting physical access to cash and paper assets
having restricted storage areas

30. Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
cash registers
safes, lockboxes
safety deposit boxes
restricted and fireproof storage areas
controlling the environment
restricted access to computer rooms, computer files, and information

31. Independent Checks on Performance
Independent checks ensure that transactions are processed accurately are another important control element.

32. Independent Checks on Performance
What are various types of independent checks?
reconciliation of two independently maintained sets of records
comparison of actual quantities with recorded amounts
double-entry accounting
batch totals

33. Independent Checks on Performance
Five batch totals are used in computer systems:
A financial total is the sum of a dollar field.
A hash total is the sum of a field that would usually not be added.

34. Independent Checks on Performance
A record count is the number of documents processed.
A line count is the number of lines of data entered.
A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.

35. Risk Assessment
The third component of COSO’s internal control model is risk assessment.
Companies must identify the threats they face:
strategic — doing the wrong thing
financial — having financial resources lost, wasted, or stolen
information — faulty or irrelevant information, or unreliable systems

36. Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
Choosing an inappropriate technology
Unauthorized system access
Tapping into data transmissions
Loss of data integrity

37. Risk Assessment Incomplete transactions System failures
Incompatible systems

38. Risk Assessment
Some threats pose a greater risk because the probability of their occurrence is more likely. For example:
A company is more likely to be the victim of a computer fraud rather than a terrorist attack.
Risk and exposure must be considered together.

39. Estimate Cost and Benefits
No internal control system can provide foolproof protection against all internal control threats.
The cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss.

40. Estimate Cost and Benefits
The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
Expected loss = risk × exposure

41. Information and Communication
The fourth component of COSO’s internal control model is information and communication.

42. Information and Communication
Accountants must understand the following:
How transactions are initiated
How data are captured in machine-readable form or converted from source documents
How computer files are accessed and updated
How data are processed to prepare information
How information is reported

43. Information and Communication
All of these items make it possible for the system to have an audit trail.
An audit trail exists when individual company transactions can be traced through the system.

44. Monitoring Performance
The fifth component of COSO’s internal control model is monitoring.
What are the key methods of monitoring performance?
effective supervision
responsibility accounting
internal auditing

45. Computer Controls and Security

46. Learning Objectives
Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
Identify and explain the controls that apply to more than one principle of reliability.
Identify and explain the controls that help explain that a system is available to users when needed.

47. Learning Objectives
Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

48. The Four Principles of a Reliable System
Availability of the system when needed.
Security of the system against unauthorized physical and logical access.
Maintainability of the system as required without affecting its availability, security, and integrity.
Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.

49. The Criteria Used To Evaluate Reliability Principles
For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.

50. Controls Related to More Than One Reliability Principle
Strategic Planning & Budgeting
Developing a Systems Reliability Plan
Documentation

51. Controls Related to More Than One Reliability Principle
Documentation may be classified into three basic categories:
Administrative documentation: Describes the standards and procedures for data processing.
Systems documentation: Describes each application system and its key processing functions.
Operating documentation: Describes what is needed to run a program.

52. Availability Availability Minimizing Systems Downtime
Preventive maintenance
UPS
Fault tolerance
Disaster Recovery Plan
Minimize the extent of disruption, damage, and loss
Temporarily establish an alternative means of processing information
Resume normal operations as soon as possible

53. Availability Disaster Recovery, continued
Train and familiarize personnel with emergency operations
Priorities for the recovery process
Insurance
Backup data and program files
Electronic vaulting
Grandfather-father-son concept
Rollback procedures
Specific assignments
Backup computer and telecommunication facilities
Periodic testing and revision
Complete documentation

54. Developing a Security Plan
Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.
What questions need to be asked?
Who needs access to what information?
When do they need it?
On which systems does the information reside?

55. Segregation of Duties Within the Systems Function
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
To combat this threat, organizations must implement compensating control procedures.

56. Segregation of Duties Within the Systems Function
Authority and responsibility must be clearly divided among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysis
Programming
Computer operations
Information system library
Data control

57. Segregation of Duties Within the Systems Function
It is important that different people perform these functions.
Allowing a person to perform two or more of them exposes the company to the possibility of fraud.

58. Physical Access Controls
How can physical access security be achieved?
Place computer equipment in locked rooms and restrict access to authorized personnel
Have only one or two entrances to the computer room
Require proper employee ID
Require that visitors sign a log
Use a security alarm system
Restrict access to private secured telephone lines and terminals or PCs.
Install locks on PCs.
Restrict access of off-line programs, data and equipment
Locate hardware and other critical system components away from hazardous materials.
Install fire and smoke detectors and fire extinguishers that don not damage computer equipment

59. Logical Access Controls
Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
What are some logical access controls?
passwords
physical possession identification
biometric identification
compatibility tests

60. Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
Train users in PC-related control concepts.
Restrict access by using locks and keys on PCs.
Establish policies and procedures.

61. Protection of PCs and Client/Server Networks
Portable PCs should not be stored in cars.
Keep sensitive data in the most secure environment possible.
Install software that automatically shuts down a terminal after its been idle for a certain amount of time.
Back up hard disks regularly.
Encrypt or password protect files.
Build protective walls around operating systems.
Ensure that PCs are booted up within a secure system.
Use multilevel password controls to limit employee access to incompatible data.
Use specialists to detect holes in the network.

62. Internet and e-Commerce Controls
Why caution should be exercised when conducting business on the Internet.
the large and global base of people that depend on the Internet
the variability in quality, compatibility, completeness, and stability of network products and services

63. Internet and e-Commerce Controls
access of messages by others
security flaws in Web sites
attraction of hackers to the Internet
What controls can be used to secure Internet activity?
passwords
encryption technology
routing verification procedures

64. Internet and e-Commerce Controls
Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network.
The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.
Electronic envelopes can protect messages

65. Maintainability
Two categories of controls help ensure the maintainability of a system:
Project development and acquisition controls
Change management controls

66. Project Development and Acquisition Controls
Project development and acquisition controls include:
Strategic Master Plan
Project Controls
Data Processing Schedule
System Performance Measurements
Postimplementation Review

67. Change Management Controls
Change management controls include:
Periodically review all systems for needed changes
Require all requests to be submitted in standardized format
Log and review requests form authorized users for changes and additions to systems
Assess the impact of requested changes on system reliability objectives, policies and standards

68. Change Management Controls, continued
Categorize and rank all changes using established priorities
Implement procedures to handle urgent matters
Communicate all changes to management
Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities
Assign specific responsibilities to those involved in the change and monitor their work.

69. Change Management Controls, continued
Control system access rights to avoid unauthorized systems and data access
Make sure all changes go through the appropriate steps
Test all changes
Make sure there is a plan for backing our of any changes in the event they don’t work properly
Implement a quality assurance function
Update all documentation and procedures when change is implemented

70. Integrity
A company designs general controls to ensure that its overall computer system is stable and well managed.
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.

71. Integrity: Source Data Controls
Companies must establish control procedures to ensure that all source documents are authorized, accurate , complete and properly accounted for, and entered into the system or sent ot their intended destination in a timely manner.
Source data controls include:

72. Integrity: Source Data Controls
Forms design
Prenumbered forms sequence test
Turnaround documents
Cancellation and storage of documents
Authorization and segregation of duties
Visual scanning
Check digit verification
Key verification

73. Integrity: Input Validation Routines
Input validation routines are programs the check the integrity of input data. They include:
Sequence check
Field check
Sign check
Validity check
Capacity check
Limit check
Range check
Reasonableness test
Redundant data check

74. Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
They include:

75. Integrity: On-line Data Entry Controls
Field, limit, range, reasonableness, sign, validity, redundant data checks
User ID numbers
Compatibility tests
Automatic entry of transaction data, where possible
Prompting
Preformatting
Completeness check
Closed-lop verification
Transaction log
Error messages
Retain data for legal purposes

76. Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing and stored data:
Policies and procedures
Data control function
Reconciliation procedure
External data reconciliation
Exception reporting

77. Integrity: Data Processing and Storage Controls, continued
Data currency checks
Default values
Data matching
File labels
Write protection mechanisms
Database protection mechanisms
Data conversion controls
Data security

78. Output Controls
The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
Data control is also responsible for distributing computer output to the appropriate user departments.

79. Output Controls
Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
A shredder can be used to destroy highly confidential data.

80. Data Transmission Controls
To reduce the risk of data transmission failures, companies should monitor the network.
How can data transmission errors be minimized?
using data encryption (cryptography)
implementing routing verification procedures
adding parity
using message acknowledgment techniques

81. Data Transmission Controls
Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).

82. Data Transmission Controls
In these types of environments, sound internal control is achieved using the following control procedures:
Physical access to network facilities should be strictly controlled.
Electronic identification should be required for all authorized network terminals.
Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.

83. Data Transmission Controls
Control procedures, continued
Encryption should be used to secure stored data as well as data being transmitted.
Details of all transactions should be recorded in a log that is periodically reviewed.

84. Computer Fraud

85. Learning Objectives
Describe fraud and describe the process one follows to perpetuate a fraud.
Discuss why fraud occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
Compare and contrast the approaches and techniques that are used to commit computer fraud.
Describe how to deter and detect computer fraud.

86. Most frauds involve three steps.
The Fraud Process
Most frauds involve three steps.
The theft of
something
The conversion
to cash
The
concealment

87. The Fraud Process What is a common way to hide a theft?
to charge the stolen item to an expense account
What is a payroll example?
to add a fictitious name to the company’s payroll

88. The Fraud Process What is lapping?
In a lapping scheme, the perpetrator steals cash received from customer A to pay its accounts receivable.
Funds received at a later date from customer B are used to pay off customer A’s balance, etc.

89. The Fraud Process What is kiting?
In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks.
The perpetrator deposits a check from bank A to bank B and then withdraws the money.

90. The Fraud Process
Since there are insufficient funds in bank A to cover the check, the perpetrator deposits a check from bank C to bank A before his check to bank B clears.
Since bank C also has insufficient funds, money must be deposited to bank C before the check to bank A clears.
The scheme continues to keep checks from bouncing.

91. Significant differences
Why Fraud Occurs
Researchers have compared the psychological and demographic characteristics of three groups of people:
White-collar
criminals
Few differences
Significant differences
General
public
Violent
criminals

92. Why Fraud Occurs
What are some common characteristics of fraud perpetrators?
Most spend their illegal income rather than invest or save it.
Once they begin the fraud, it is very hard for them to stop.
They usually begin to rely on the extra income.

93. Why Fraud Occurs
Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.
Some computer fraud perpetrators are more motivated by curiosity and the challenge of “beating the system.”
Others commit fraud to gain stature among others in the computer community.

94. Why Fraud Occurs Three conditions are necessary for fraud to occur:
A pressure or motive
An opportunity
A rationalization

95. Pressures What are some financial pressures? living beyond means
high personal debt
“inadequate” income
poor credit ratings
heavy financial losses
large gambling debts

96. Pressures What are some work-related pressures? low salary
nonrecognition of performance
job dissatisfaction
fear of losing job
overaggressive bonus plans

97. Pressures What are other pressures? challenge family/peer pressure
emotional instability
need for power or control
excessive pride or ambition

98. Opportunities
An opportunity is the condition or situation that allows a person to commit and conceal a dishonest act.
Opportunities often stem from a lack of internal controls.
However, the most prevalent opportunity for fraud results from a company’s failure to enforce its system of internal controls.

99. Rationalizations
Most perpetrators have an excuse or a rationalization that allows them to justify their illegal behavior.
What are some rationalizations?
The perpetrator is just “borrowing” the stolen assets.
The perpetrator is not hurting a real person, just a computer system.
No one will ever know.

100. Computer Fraud
The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.
What are examples of computer fraud?
unauthorized use, access, modification, copying, and destruction of software or data

101. Computer Fraud
theft of money by altering computer records or the theft of computer time
theft or destruction of computer hardware
use or the conspiracy to use computer resources to commit a felony
intent to illegally obtain information or tangible property through the use of computers

102. The Rise in Computer Fraud
Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud.

103. The Rise in Computer Fraud
No one knows for sure exactly how much companies lose to computer fraud. Why?
There is disagreement on what computer fraud is.
Many computer frauds go undetected, or unreported.
Most networks have a low level of security.
Many Internet pages give instructions on how to perpetrate computer crimes.
Law enforcement is unable to keep up with fraud.

104. Computer Fraud Classifications
Data fraud
Input
fraud
Output
fraud
Processor fraud
Computer
instruction fraud

105. Computer Fraud and Abuse Techniques
What are some of the more common techniques to commit computer fraud?
Cracking
Data diddling
Data leakage
Denial of service attack
Eavesdropping
forgery and threats

106. Computer Fraud and Abuse Techniques
Hacking
Internet misinformation and terrorism
Logic time bomb
Masquerading or impersonation
Password cracking
Piggybacking
Round-down
Salami technique

107. Computer Fraud and Abuse Techniques
Software piracy
Scavenging
Social engineering
Superzapping
Trap door
Trojan horse
Virus
Worm

108. Preventing and Detecting Computer Fraud
What are some measures that can decrease the potential of fraud?
Make fraud less likely to occur.
Increase the difficulty of committing fraud.
Improve detection methods.
Reduce fraud losses.
Prosecute and incarcerate fraud perpetrators.

109. Preventing and Detecting Computer Fraud
Make fraud less likely to occur.
Use proper hiring and firing practices.
Manage disgruntled employees.
Train employees in security and fraud prevention.
Manage and track software licenses.
Require signed confidentiality agreements.

110. Preventing and Detecting Computer Fraud
Increase the difficulty of committing fraud.
Develop a strong system of internal controls.
Segregate duties.
Require vacations and rotate duties.
Restrict access to computer equipment and data files.
Encrypt data and programs.

111. Preventing and Detecting Computer Fraud
Improve detection methods.
Protect telephone lines and the system from viruses.
Control sensitive data.
Control laptop computers.
Monitor hacker information.

112. Preventing and Detecting Computer Fraud
Reduce fraud losses.
Maintain adequate insurance.
Store backup copies of programs and data files in a secure, off-site location.
Develop a contingency plan for fraud occurrences.
Use software to monitor system activity and recover from fraud.

113. Preventing and Detecting Computer Fraud
Prosecute and incarcerate fraud perpetrators.
Most fraud cases go unreported and unprosecuted. Why?
Many cases of computer fraud are as yet undetected.
Companies are reluctant to report computer crimes.

114. Preventing and Detecting Computer Fraud
Law enforcement officials and the courts are so busy with violent crimes that they have little time for fraud cases.
It is difficult, costly, and time consuming to investigate.
Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.