Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall."— Presentation transcript:

1 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall B. Romney Paul John Steinbart

2 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-2 Computer Controls and Security Chapter 8

3 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-3 Learning Objectives 1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved. 2. Identify and explain the controls that apply to more than one principle of reliability. 3. Identify and explain the controls that help explain that a system is available to users when needed.

4 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-4 Learning Objectives 4. Identify and explain the security controls that prevent unauthorized access to information, software, and other systems resources. 5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity. 6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

5 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-5 Introduction During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP). Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.

6 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-6 Introduction Jason is satisfied that many of the transactions are valid and accurate. However, some transactions involve the purchase of services from Pacific Electric. These transactions were processed on the basis of vendor invoices approved by management. Five of these invoices bear the initials “JLC.”

7 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-7 Introduction JLC is Jack Carlton, the general supervisor. Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric. What questions does Jason have? Is Carlton telling the truth? If Carlton is not telling the truth, what is he up to?

8 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-8 Introduction If Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment? This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.

9 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-9 Learning Objective 1 The four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.

10 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-10 The Four Principles of a Reliable System 1. Availability of the system when needed. 2. Security of the system against unauthorized physical and logical access. 3. Maintainability of the system as required without affecting its availability, security, and integrity. 4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.

11 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-11 The Criteria Used To Evaluate Reliability Principles For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved. 1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles. 2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards. 3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.

12 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-12 Learning Objective 2 Identify and explain the controls that apply to more than one principle of reliability.

13 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-13 Controls Related to More Than One Reliability Principle Strategic Planning & Budgeting Developing a Systems Reliability Plan Documentation Administrative documentation: Describes the standards and procedures for data processing. Systems documentation: Describes each application system and its key processing functions.

14 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-14 Controls Related to More Than One Reliability Principle Operating documentation: Describes what is needed to run a program. Equipment configuration Program and data files Procedures to set up and execute jobs Conditions that may interrupt program execution Corrective actions for program interruptions

15 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-15 Learning Objective 3 Identify and explain the controls that help explain that a system is available to users when needed.

16 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-16 Availability Minimizing Systems Downtime Preventive maintenance UPS Fault tolerance Disaster Recovery Plan Minimize the extent of disruption, damage, and loss Temporarily establish an alternative means of processing information Resume normal operations as soon as possible

17 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-17 Availability Train and familiarize personnel with emergency operations Priorities for the recovery process Insurance Backup data and program files Electronic vaulting Grandfather-father-son concept Rollback procedures Specific assignments Backup computer and telecommunication facilities Periodic testing and revision Complete documentation

18 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-18 Learning Objective 4 Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.

19 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-19 Developing a Security Plan Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify. What questions need to be asked? Who needs access to what information? When do they need it? On which systems does the information reside?

20 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-20 Segregation of Duties Within the Systems Function In a highly integrated AIS, procedures that used to be performed by separate individuals are combined. Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

21 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-21 Segregation of Duties Within the Systems Function To combat this threat, organizations must implement compensating control procedures. Authority and responsibility must be clearly divided among the following functions: 1 Systems analysis 2 Programming 3 Computer operations

22 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-22 Segregation of Duties Within the Systems Function 4 Users 5 AIS library 6 Data control It is important that different people perform these functions. Allowing a person to perform two or more of them exposes the company to the possibility of fraud.

23 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-23 Physical Access Controls How can physical access security be achieved? – placing computer equipment in locked rooms and restricting access to authorized personnel – having only one or two entrances to the computer room – requiring proper employee ID – requiring that visitors sign a log – installing locks on PCs

24 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-24 Logical Access Controls Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions. What are some logical access controls? – passwords – physical possession identification – biometric identification – compatibility tests

25 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-25 Protection of PCs and Client/Server Networks Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important: Train users in PC-related control concepts. Restrict access by using locks and keys on PCs. Establish policies and procedures.

26 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-26 Protection of PCs and Client/Server Networks Portable PCs should not be stored in cars. Back up hard disks regularly. Encrypt or password protect files. Build protective walls around operating systems. Use multilevel password controls to limit employee access to incompatible data.

27 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-27 Internet Controls Why caution should be exercised when conducting business on the Internet. – the large and global base of people that depend on the Internet – the variability in quality, compatibility, completeness, and stability of network products and services

28 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-28 Internet Controls – access of messages by others – security flaws in Web sites – attraction of hackers to the Internet What controls can be used to secure Internet activity? – passwords – encryption technology – routing verification procedures

29 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-29 Internet Controls Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network. The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.

30 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-30 Learning Objective 5 Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.

31 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-31 Minimizing System Downtime Significant financial losses can be incurred if hardware or software malfunctions cause an AIS to fail. What are some methods used to minimize system downtime? – preventive maintenance – uninterruptible power system – fault tolerance

32 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-32 Disaster Recovery Plan Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster. What are the objectives of a recovery plan? 1 Minimize the extent of the disruption, damage, and loss. 2 Temporarily establish an alternative means of processing information.

33 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-33 Disaster Recovery Plan 3 Resume normal operations as soon as possible. 4 Train and familiarize personnel with emergency operations. A sound disaster plan should contain the following elements: 1 Priorities for the recovery process 2 Backup data and program files

34 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-34 Disaster Recovery Plan 3 Specific assignments 4 Complete documentation 5 Backup computer and telecommunications facilities reciprocal agreements hot and cold sites

35 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-35 Disaster Recovery Plan There are other aspects of disaster recovery planning that deserve mention: The recovery plan is incomplete until it has been satisfactorily tested by simulating a disaster. The recovery plan must be continuously reviewed and revised to ensure that it reflects current situation. The plan should include insurance coverage.

36 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-36 Protection of PCs and Client/Server Networks Why are PCs more vulnerable to security risks than are mainframes? It is difficult to restrict physical access. PC users are usually less aware of the importance of security and control. Many people are familiar with the operation of PCs. Segregation of duties is very difficult.

37 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-37 Data Processing and File Maintenance Controls What are some of the more common controls that help preserve the accuracy and completeness of data processing? – data currency checks – default values – data matching – exception reporting

38 Data Processing and File Maintenance Controls – external data reconciliation – control account reconciliation – file security – file conversion controls

39 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-39 Learning Objective 6 Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

40 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-40 General Controls A company designs general controls to ensure that its overall computer system is stable and well managed. The following are categories of general controls: 1 Developing a security plan 2 Segregation of duties within the systems function

41 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-41 General Controls 3 Project development controls 4 Physical access controls 5 Logical access controls 6 Data storage controls 7 Data transmission controls 8 Documentation standards 9 Minimizing system downtime

42 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-42 General Controls 10 Disaster recovery plans 11 Protection of personal computers andclient/server networks 12 Internet controls

43 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-43 Documentation Standards Another important general control is documentation procedures and standards to ensure clear and concise documentation. Documentation may be classified into three basic categories: 1 Administrative documentation 2 Systems documentation 3 Operating documentation

44 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-44 Application Controls The primary objective of application controls is to ensure the accuracy of a specific application’s inputs, files, programs, and outputs. This section will discuss five categories of application controls: 1 Source data controls 2 Input validation routines

45 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-45 Application Controls 3 Online data entry controls 4 Data processing and file maintenance controls 5 Output controls

46 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-46 Source Data Controls There are a number of source data controls that regulate the accuracy, validity, and completeness of input: – key verification – check digit verification – prenumbered forms sequence test – turnaround documents – authorization

47 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-47 Input Validation Routines Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system. These programs are called edit programs. The accuracy checks they perform are called edit checks. What are some edit checks used in input validation routines?

48 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-48 Input Validation Routines – sequence check – field check – sign check – validity check – limit check – range check – reasonableness test

49 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-49 Online Data Entry Controls The goal of online data entry controls is to ensure the accuracy and integrity of transaction data entered from online terminals and PCs. What are some online data entry controls? – data checks – user ID numbers and passwords – comparability tests – prompting

50 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-50 Online Data Entry Controls – preformatting – completeness check – automatic transaction data entry – closed-loop verifications – transaction log – clear error messages

51 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-51 Data Transmission Controls To reduce the risk of data transmission failures, companies should monitor the network. How can data transmission errors be minimized? – using data encryption (cryptography) – implementing routing verification procedures – adding parity – using message acknowledgment techniques

52 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-52 Data Transmission Controls Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT). In these types of environments, sound internal control is achieved using the following control procedures: 1 Physical access to network facilities should be strictly controlled.

53 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-53 Data Transmission Controls 2 Electronic identification should be required for all authorized network terminals. 3 Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis. 4 Encryption should be used to secure stored data as well as data being transmitted. 5 Details of all transactions should be recorded in a log that is periodically reviewed.

54 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-54 Data Storage Controls Information is generally what gives a company a competitive edge and makes it viable. A company should identify the types of data maintained and the level of protection required for each. A company must also document the steps taken to protect data.

55 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-55 Data Storage Controls A properly supervised file library is one essential means of preventing loss of data. A file storage area should also be protected against fire, dust, excess heat, or humidity. Following are types of file labels that can be used to protect data files from misuse: – external labels – internal labels (volume, header, trailer)

56 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-56 Output Controls The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals. Data control is also responsible for distributing computer output to the appropriate user departments.

57 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-57 Output Controls Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive. A shredder can be used to destroy highly confidential data.

58 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-58 Project Development Controls To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function. What key elements are included in project development control? 1 Long-range master plan 2 Project development plan 3 Data processing schedule

59 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-59 Project Development Controls 4 Assignment of responsibility 5 Periodic performance evaluation 6 Postimplementation review 7 System performance measurements

60 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-60 Case Conclusion Were Jason and his supervisor able to identify the source of the fictitious invoices? No. They asked the police to identify the owner of the Pacific Electric bank account. What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.

61 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-61 End of Chapter 8

Download ppt "©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 8-1 Accounting Information Systems 9 th Edition Marshall."

Similar presentations

The Revenue Cycle: Sales to Cash Collections

The Revenue Cycle: Sales to Cash Collections
Computer Fraud Chapter 5.

Computer Fraud Chapter 5.
Software Quality Assurance Plan

Software Quality Assurance Plan
Accounting Information Systems 9th Edition

Accounting Information Systems 9th Edition
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 10-1 Accounting Information Systems 9 th Edition Marshall.
Information Technology Control Day IV Afternoon Sessions.

Information Technology Control Day IV Afternoon Sessions.
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
Auditing Computer-Based Information Systems

Auditing Computer-Based Information Systems
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
The Islamic University of Gaza

The Islamic University of Gaza
Chapter 10: Auditing the Expenditure Cycle

Chapter 10: Auditing the Expenditure Cycle
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.

Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 18-1 Accounting Information Systems 9 th Edition Marshall.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 18-1 Accounting Information Systems 9 th Edition Marshall.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Processing Integrity and Availability Controls

Processing Integrity and Availability Controls

Similar presentations

Ads by Google