
Computer Controls for Organizations and Accounting Information Systems

This chapter discusses enterprise-level controls, general controls for information technology, and application controls for transaction processing in organizations. It also covers risk assessment and security policies, integrated security measures, general controls for IT, access to data and hardware, and controls for personal computers and networks.





Presentation Transcript


  1. Chapter 10: Computer Controls for Organizations and Accounting Information Systems • Introduction • Enterprise Level Controls • General Controls for Information Technology • Application Controls for Transaction Processing

  2. Enterprise Level Controls • Consistent policies and procedures • Management’s risk assessment process • Centralized processing and controls • Controls to monitor results of operations

  3. Enterprise Level Controls • Controls to monitor the internal audit function, the audit committee, and self-assessment programs • Period-end financial reporting process • Board-approved policies that address significant business control and risk management practices

  4. Risk Assessment and Security Policies

  5. Integrated Security for the Organization • Physical Security • Measures used to protect its facilities, resources, or proprietary data stored on physical media • Logical Security • Limit access to system and information to authorized individuals • Administrative – Policies, procedures, standards, and guidelines.

  6. Physical and Logical Security

  7. General Controls for Information Technology • Access to Data, Hardware, and Software • Protection of Systems and Data with Personnel Policies • Protection of Systems and Data with Technology and Facilities

  8. General Controls for Information Technology • IT general controls apply to all information systems • Major Objectives • Access to programs and data is limited to authorized users • Data and systems protected from change, theft, and loss • Computer programs are authorized, tested, and approved before usage

  9. Access to Data, Hardware, and Software • Utilization of strong passwords • 8 or more characters in length • Different types of characters • Letters, numbers, symbols • Biometric identification • Distinctive user physical characteristics • Voice patterns, fingerprints, facial patterns, retina prints

  10. Security for Wireless Technology • Utilization of wireless local area networks • Virtual Private Network (VPN) • Allows remote access to entity resources • Data Encryption • Data converted into a scrambled format • Converted back to meaningful format following transmission

  11. Controls for Networks • Control Problems • Electronic eavesdropping • Hardware or software malfunctions • Errors in data transmission • Control Procedures • Checkpoint control procedure • Routing verification procedures • Message acknowledgment procedures

  12. Controls for Personal Computers • Take an inventory of personal computers • Identify applications utilized by each personal computer • Classify computers according to risks and exposures • Enhance physical security

  13. Additional Controls for Laptops

  14. Personnel Policies • Separation of Duties • Separate Accounting and Information Processing from Other Subsystems • Separate Responsibilities within IT Environment • Use of Computer Accounts • Each employee has password protected account • Biometric identification

  15. Separation of Duties

  16. Division of Responsibility in IT Environment

  17. Division of Responsibility in IT Environment

  18. Personnel Policies • Identifying Suspicious Behavior • Protect against fraudulent employee actions • Observation of suspicious behavior • Highest percentage of fraud involved employees in the accounting department • Must safeguard files from intentional and unintentional errors

  19. Safeguarding Computer Files

  20. File Security Controls

  21. Business Continuity Planning • Definition • Comprehensive approach to ensuring normal operations despite interruptions • Components • Disaster Recovery • Fault Tolerant Systems • Backup

  22. Disaster Recovery • Definition • Process and procedures • Following disruptive event • Summary of Types of Sites • Hot Site • Flying-Start Site • Cold Site

  23. Fault Tolerant Systems • Definition • Used to deal with computer errors • Ensure functional system with accurate and complete data (redundancy) • Major Approaches • Consensus-based protocols • Watchdog processor • Utilize disk mirroring or rollback processing

  24. Backup • Batch processing • Risk of losing data before, during, and after processing • Grandfather-parent-child procedure • Types of Backups • Hot backup • Cold Backup • Electronic Vaulting

  25. Computer Facility Controls • Locate Data Processing Centers in Safe Places • Protect from the public • Protect from natural disasters (flood, earthquake) • Limit Employee Access • Security Badges (color-coded with pictures) • Man Trap • Buy Insurance

  26. Study Break #1 • A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats. • Firewall • Security policy • Risk assessment • VPN

  27. Study Break #3 • Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________. • Redundancy • COBIT • COSO • Integrated security

  28. Application Controls for Transaction Processing • Purpose • Embedded in business process applications • Prevent, detect, and correct errors and irregularities • Application Controls • Input Controls • Processing Controls • Output Controls

  29. Application Controls for Transaction Processing

  30. Input Controls • Purpose • Ensure validity • Ensure accuracy • Ensure completeness • Categories • Observation, recording, and transcription of data • Edit tests • Additional input controls

  31. Observation, Recording, and Transcription of Data • Confirmation mechanism • Dual observation • Point-of-sale devices (POS) • Preprinted recording forms

  32. Preprinted Recording Form

  33. Edit Tests • Input Validation Routines (Edit Programs) • Programs or subroutines • Check validity and accuracy of input data • Edit Tests • Examine selected fields of input data • Rejects data not meeting preestablished standards of quality

  34. Edit Tests

  35. Edit Tests

  36. Additional Input Controls • Validity Test • Transactions matched with master data files • Transactions lacking a match are rejected • Check-Digit Control Procedure

  37. Processing Controls • Purpose • Focus on manipulation of accounting data • Contribute to a good audit trail • Two Types • Control totals • Data manipulation controls

  38. Audit Trail

  39. Control Totals • Common Processing Control Procedures • Batch control total • Financial control total • Nonfinancial control total • Record count • Hash total
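
As an added example that is not part of the slides, the four control totals listed above computed over a constructed batch in Python, then recomputed after processing to show which faults each total exposes; the document numbers, account numbers and amounts are sample data made up for the illustration.

```python
# Added example, not from the slides: the control totals from slide 39
# computed over a constructed batch, then re-checked after processing.
# Document numbers, account numbers and amounts are sample data made up here.
from decimal import Decimal

# (document number, account number, amount) as recorded at input
BATCH_IN = [
    ("D1001", 4010, Decimal("250.00")),
    ("D1002", 4020, Decimal("75.50")),
    ("D1003", 4010, Decimal("120.25")),
    ("D1004", 4030, Decimal("999.99")),
]

# Two constructed processing faults the totals are meant to expose.
BATCH_WRONG_ACCOUNT = [r if r[0] != "D1003" else ("D1003", 4100, r[2]) for r in BATCH_IN]
BATCH_DROPPED = [r for r in BATCH_IN if r[0] != "D1004"]


def control_totals(batch):
    """Compute the control totals for a batch of records."""
    return {
        "record_count": len(batch),                               # number of records
        "financial_total": sum(r[2] for r in batch),              # sum of the money field
        "hash_total": sum(r[1] for r in batch),                   # sum of account numbers
        "nonfinancial_total": sum(int(r[0][1:]) for r in batch),  # sum of document numbers
    }


def reconcile(expected, batch):
    """Recompute the totals after processing and name those that no longer agree
    with the totals recorded at input; an empty list means the batch balances."""
    actual = control_totals(batch)
    return sorted(name for name in expected if expected[name] != actual[name])


if __name__ == "__main__":
    recorded = control_totals(BATCH_IN)
    # A record posted to the wrong account keeps count and money in balance;
    # only the hash total over account numbers reveals it.
    print(reconcile(recorded, BATCH_WRONG_ACCOUNT))  # ['hash_total']
    print(reconcile(recorded, BATCH_DROPPED))        # every total disagrees
```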

  40. Data Manipulation Controls • Data Processing • Following validation of input data • Data manipulated to produce decision-useful information • Processing Control Procedures • Software Documentation • Error-Testing Compiler • Utilization of Test Data

  41. Output Controls • Purpose • Ensure validity • Ensure accuracy • Ensure completeness • Major Types • Validating Processing Results • Regulating Distribution and Use of Printed Output

  42. Output Controls • Validating Processing Results • Preparation of activity listings • Provide detailed listings of changes to master files • Regulating Distribution and Use of Printed Output • Forms control • Pre-numbered forms • Authorized distribution list

  43. Study Break #5 • Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed. • Specific • General • Application • Input

  44. Triangles of Information Security • Why We Do It (Fraud) • How We Prevent It

  45. Fraud Triangle

  46. CIA Triangle
