590 likes | 1.24k Views
Accounting Information Systems 9 th Edition. Marshall B. Romney Paul John Steinbart. Computer Controls and Security. Chapter 8. Learning Objectives.
E N D
Accounting Information Systems9th Edition Marshall B. Romney Paul John Steinbart ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Computer Controls and Security Chapter 8 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objectives • Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved. • Identify and explain the controls that apply to more than one principle of reliability. • Identify and explain the controls that help explain that a system is available to users when needed. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objectives • Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources. • Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity. • Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Introduction • During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP). • Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Introduction • Jason is satisfied that many of the transactions are valid and accurate. • However, some transactions involve the purchase of services from Pacific Electric. • These transactions were processed on the basis of vendor invoices approved by management. • Five of these invoices bear the initials “JLC.” ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Introduction • JLC is Jack Carlton, the general supervisor. • Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric. • What questions does Jason have? • Is Carlton telling the truth? • If Carlton is not telling the truth, what is he up to? ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Introduction • If Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment? • This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objective 1 • Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
The Four Principles of a Reliable System • Availability of the system when needed. • Security of the system against unauthorized physical and logical access. • Maintainability of the system as required without affecting its availability, security, and integrity. • Integrity of the system to ensure that processing is complete, accurate, timely, and authorized. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
The Criteria Used To Evaluate Reliability Principles • For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved. • The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles. • The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards. • The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objective 2 • Identify and explain the controls that apply to more than one principle of reliability. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Controls Related to More Than One Reliability Principle • Strategic Planning & Budgeting • Developing a Systems Reliability Plan • Documentation ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Controls Related to More Than One Reliability Principle • Documentation may be classified into three basic categories: • Administrative documentation: Describes the standards and procedures for data processing. • Systems documentation: Describes each application system and its key processing functions. • Operating documentation: Describes what is needed to run a program. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objective 3 • Identify and explain the controls that help explain that a system is available to users when needed. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Availability • Availability • Minimizing Systems Downtime • Preventive maintenance • UPS • Fault tolerance • Disaster Recovery Plan • Minimize the extent of disruption, damage, and loss • Temporarily establish an alternative means of processing information • Resume normal operations as soon as possible ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Availability Disaster Recovery, continued • Train and familiarize personnel with emergency operations • Priorities for the recovery process • Insurance • Backup data and program files • Electronic vaulting • Grandfather-father-son concept • Rollback procedures • Specific assignments • Backup computer and telecommunication facilities • Periodic testing and revision • Complete documentation ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objective 4 • Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Developing a Security Plan • Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify. • What questions need to be asked? • Who needs access to what information? • When do they need it? • On which systems does the information reside? ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Segregation of Duties Withinthe Systems Function • In a highly integrated AIS, procedures that used to be performed by separate individuals are combined. • Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud. • To combat this threat, organizations must implement compensating control procedures. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Segregation of Duties Withinthe Systems Function • Authority and responsibility must be clearly divided among the following functions: • Systems administration • Network management • Security management • Change management • Users • Systems analysis • Programming • Computer operations • Information system library • Data control ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Segregation of Duties Withinthe Systems Function • It is important that different people perform these functions. • Allowing a person to perform two or more of them exposes the company to the possibility of fraud. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Physical Access Controls • How can physical access security be achieved? • Place computer equipment in locked rooms and restrict access to authorized personnel • Have only one or two entrances to the computer room • Require proper employee ID • Require that visitors sign a log • Use a security alarm system • Restrict access to private secured telephone lines and terminals or PCs. • Install locks on PCs. • Restrict access of off-line programs, data and equipment • Locate hardware and other critical system components away from hazardous materials. • Install fire and smoke detectors and fire extinguishers that don not damage computer equipment ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Logical Access Controls • Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions. • What are some logical access controls? • passwords • physical possession identification • biometric identification • compatibility tests ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Protection of PCs and Client/Server Networks • Many of the policies and procedures for mainframe control are applicable to PCs and networks. • The following controls are also important: • Train users in PC-related control concepts. • Restrict access by using locks and keys on PCs. • Establish policies and procedures. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Protection of PCs and Client/Server Networks • Portable PCs should not be stored in cars. • Keep sensitive data in the most secure environment possible. • Install software that automatically shuts down a terminal after its been idle for a certain amount of time. • Back up hard disks regularly. • Encrypt or password protect files. • Build protective walls around operating systems. • Ensure that PCs are booted up within a secure system. • Use multilevel password controls to limit employee access to incompatible data. • Use specialists to detect holes in the network. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Internet and e-Commerce Controls • Why caution should be exercised when conducting business on the Internet. • the large and global base of people that depend on the Internet • the variability in quality, compatibility, completeness, and stability of network products and services ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Internet and e-Commerce Controls • access of messages by others • security flaws in Web sites • attraction of hackers to the Internet • What controls can be used to secure Internet activity? • passwords • encryption technology • routing verification procedures ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Internet and e-Commerce Controls • Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network. • The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network. • Electronic envelopes can protect e-mail messages ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objective 5 • Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Maintainability • Two categories of controls help ensure the maintainability of a system: • Project development and acquisition controls • Change management controls ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Project Development and Acquisition Controls • Project development and acquisition controls include: • Strategic Master Plan • Project Controls • Data Processing Schedule • System Performance Measurements • Postimplementation Review ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Change Management Controls • Change management controls include: • Periodically review all systems for needed changes • Require all requests to be submitted in standardized format • Log and review requests form authorized users for changes and additions to systems • Assess the impact of requested changes on system reliability objectives, policies and standards ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Change Management Controls, continued • Categorize and rank all changes using established priorities • Implement procedures to handle urgent matters • Communicate all changes to management • Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities • Assign specific responsibilities to those involved in the change and monitor their work. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Change Management Controls, continued • Control system access rights to avoid unauthorized systems and data access • Make sure all changes go through the appropriate steps • Test all changes • Make sure there is a plan for backing our of any changes in the event they don’t work properly • Implement a quality assurance function • Update all documentation and procedures when change is implemented ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Learning Objective 6 • Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity • A company designs general controlsto ensure that its overall computer system is stable and well managed. • Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity: Source Data Controls Companies must establish control procedures to ensure that all source documents are authorized, accurate , complete and properly accounted for, and entered into the system or sent ot their intended destination in a timely manner. Source data controls include: ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity: Source Data Controls • Forms design • Prenumbered forms sequence test • Turnaround documents • Cancellation and storage of documents • Authorization and segregation of duties • Visual scanning • Check digit verification • Key verification ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity:Input Validation Routines Input validation routines are programs the check the integrity of input data. They include: • Sequence check • Field check • Sign check • Validity check • Capacity check • Limit check • Range check • Reasonableness test • Redundant data check ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity: On-line Data Entry Controls The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions. They include: ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity: On-line Data Entry Controls • Field, limit, range, reasonableness, sign, validity, redundant data checks • User ID numbers • Compatibility tests • Automatic entry of transaction data, where possible • Prompting • Preformatting • Completeness check • Closed-lop verification • Transaction log • Error messages • Retain data for legal purposes ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity: Data Processing and Storage Controls Controls to help preserve the integrity of data processing and stored data: • Policies and procedures • Data control function • Reconciliation procedure • External data reconciliation • Exception reporting ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Integrity: Data Processing and Storage Controls, continued • Data currency checks • Default values • Data matching • File labels • Write protection mechanisms • Database protection mechanisms • Data conversion controls • Data security ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Output Controls • The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals. • Data control is also responsible for distributing computer output to the appropriate user departments. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Output Controls • Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive. • A shredder can be used to destroy highly confidential data. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Data Transmission Controls • To reduce the risk of data transmission failures, companies should monitor the network. • How can data transmission errors be minimized? • using data encryption (cryptography) • implementing routing verification procedures • adding parity • using message acknowledgment techniques ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Data Transmission Controls Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT). ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Data Transmission Controls • In these types of environments, sound internal control is achieved using the following control procedures: • Physical access to network facilities should be strictly controlled. • Electronic identification should be required for all authorized network terminals. • Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Data Transmission Controls Control procedures, continued • Encryption should be used to secure stored data as well as data being transmitted. • Details of all transactions should be recorded in a log that is periodically reviewed. ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart