Chapter 12: Computer Controls for Organizations and Accounting Information Systems
• Introduction
• General Controls for Organizations
• General Controls for Information Technology
• Application Controls for Transaction Processing

General Controls for Organizations
• Integrated Security for the Organization
• Organization-Level Controls
• Personnel Policies
• File Security Controls
• Business Continuity Planning
• Computer Facility Controls
• Computer Access Controls

Integrated Security for the Organization
• Physical Security
  • Measures used to protect facilities, resources, or proprietary data stored on physical media
• Logical Security
  • Limits access to systems and information to authorized individuals
• Integrated Security
  • Combines physical and logical elements
  • Supported by a comprehensive security policy

Organization-Level Controls
• Consistent policies and procedures
• Management's risk assessment process
• Centralized processing and controls
• Controls to monitor results of operations

Organization-Level Controls
• Controls to monitor the internal audit function, the audit committee, and self-assessment programs
• Period-end financial reporting process
• Board-approved policies that address significant business control and risk management practices

Personnel Policies
• Separation of Duties
  • Separate accounting and information processing from other subsystems
  • Separate responsibilities within the IT environment
• Use of Computer Accounts
  • Each employee has a password-protected account
  • Biometrics

Personnel Policies
• Informal Knowledge of Employees
  • Protects against fraudulent employee actions
  • Observation of suspicious behavior
  • The highest percentage of fraud involved employees in the accounting department
• Must safeguard files from intentional and unintentional errors

Business Continuity Planning
• Definition
  • Comprehensive approach to ensuring normal operations despite interruptions
• Components
  • Disaster Recovery
  • Fault Tolerant Systems
  • Backup

Disaster Recovery
• Definition
  • Processes and procedures followed after a disruptive event
• Summary of Types of Sites
  • Hot Site
  • Flying-Start Site
  • Cold Site

Fault Tolerant Systems
• Definition
  • Used to deal with computer errors
  • Ensure a functional system with accurate and complete data (redundancy)
• Major Approaches
  • Consensus-based protocols
  • Watchdog processor
  • Disk mirroring or rollback processing

Backup
• Batch processing
  • Risk of losing data before, during, and after processing
  • Grandfather-parent-child procedure
• Types of Backups
  • Hot backup
  • Cold backup
  • Electronic vaulting

Computer Facility Controls
• Locate Data Processing Centers in Safe Places
  • Protect from the public
  • Protect from natural disasters (flood, earthquake)
• Limit Employee Access
  • Security badges
  • Man trap
• Buy Insurance
Study Break #1
• A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
  • Firewall
  • Security policy
  • Risk assessment
  • VPN

Study Break #1 - Answer
• A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
  • Firewall
  • Security policy
  • Risk assessment
  • VPN

Study Break #2
• All of the following are considered organization-level controls except:
  • Personnel controls
  • Business continuity planning controls
  • Processing controls
  • Access to computer files

Study Break #2 - Answer
• All of the following are considered organization-level controls except:
  • Personnel controls
  • Business continuity planning controls
  • Processing controls
  • Access to computer files

Study Break #3
• Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
  • Redundancy
  • COBIT
  • COSO
  • Integrated security

Study Break #3 - Answer
• Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
  • Redundancy
  • COBIT
  • COSO
  • Integrated security
General Controls for Information Technology
• Security for Wireless Technology
• Controls for Networks
• Controls for Personal Computers
• IT Control Objectives for Sarbanes-Oxley

General Controls for Information Technology
• IT general controls apply to all information systems
• Major Objectives
  • Computer programs are authorized, tested, and approved before use
  • Access to programs and data is limited to authorized users

Security for Wireless Technology
• Utilization of wireless local area networks
• Virtual Private Network (VPN)
  • Allows remote access to entity resources
• Data Encryption
  • Data converted into a scrambled format
  • Converted back to a meaningful format following transmission

Controls for Networks
• Control Problems
  • Electronic eavesdropping
  • Hardware or software malfunctions
  • Errors in data transmission
• Control Procedures
  • Checkpoint control procedure
  • Routing verification procedures
  • Message acknowledgment procedures

Controls for Personal Computers
• Take an inventory of personal computers
  • Applications used on each personal computer
• Classify computers according to risks and exposures
• Physical security

IT Control Objectives for Sarbanes-Oxley
• "IT Control Objectives for Sarbanes-Oxley"
  • Issued by the IT Governance Institute (ITGI)
  • Provides guidance for compliance with SOX and PCAOB requirements
• Content
  • IT controls from COBIT
  • Linked to PCAOB standards
  • Linked to the COSO framework

Application Controls for Transaction Processing
• Purpose
  • Embedded in business process applications
  • Prevent, detect, and correct errors and irregularities
• Application Controls
  • Input Controls
  • Processing Controls
  • Output Controls
Input Controls
• Purpose
  • Ensure validity
  • Ensure accuracy
  • Ensure completeness
• Categories
  • Observation, recording, and transcription of data
  • Edit tests
  • Additional input controls

Observation, Recording, and Transcription of Data
• Confirmation mechanism
• Dual observation
• Point-of-sale (POS) devices
• Preprinted recording forms

Edit Tests
• Input Validation Routines (Edit Programs)
  • Programs or subroutines
  • Check the validity and accuracy of input data
• Edit Tests
  • Examine selected fields of input data
  • Reject data not meeting pre-established standards of quality

Additional Input Controls
• Unfound-Record Test
  • Transactions are matched against the master data files
  • Transactions lacking a match are rejected
• Check-Digit Control Procedure
  • Modulus 11 technique
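As an added example (not code from the textbook) covering the edit tests on the previous slide and the unfound-record and check-digit controls on this one: a Python input-validation routine run over a constructed batch of sales transactions. The modulus-11 weighting (2 through 7 cycling from the rightmost digit), the master-file keys, the transaction codes and the limit threshold are all assumptions.

```python
from decimal import Decimal, InvalidOperation

CUSTOMER_MASTER = {"100234", "100315", "100404"}  # constructed master-file keys (5 digits + check digit)
VALID_TXN_TYPES = {"S", "R"}          # constructed transaction codes: S = sale, R = return
AMOUNT_LIMIT = Decimal("10000.00")    # constructed threshold for the limit test

def mod11_check_digit(base: str):
    """Modulus-11 check digit. Assumed scheme: weights 2..7 cycling from the rightmost
    digit; a remainder that would need the digit 10 makes the number unusable (None)."""
    weights = (2, 3, 4, 5, 6, 7)
    total = sum(int(d) * weights[i % 6] for i, d in enumerate(reversed(base)))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)

def check_digit_ok(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and mod11_check_digit(number[:-1]) == number[-1]

def edit_tests(rec: dict) -> list:
    """Edit tests on one record, then the check-digit and unfound-record tests on its key."""
    errors = [f"missing {f}" for f in ("cust", "qty", "amount", "type") if not rec.get(f)]
    if errors:                                                  # completeness test
        return errors
    if not rec["qty"].isdigit() or int(rec["qty"]) <= 0:
        errors.append("qty must be a positive integer")         # field and sign tests
    try:
        if Decimal(rec["amount"]) > AMOUNT_LIMIT:
            errors.append("amount exceeds limit")               # limit test
    except InvalidOperation:
        errors.append("amount not numeric")                     # field test
    if rec["type"] not in VALID_TXN_TYPES:
        errors.append("unknown transaction type")               # validity test
    if not check_digit_ok(rec["cust"]):
        errors.append("customer number fails check digit")      # check-digit control
    elif rec["cust"] not in CUSTOMER_MASTER:
        errors.append("customer not on master file")            # unfound-record test
    return errors

def validate_batch(records: list) -> tuple:
    accepted, rejected = [], []
    for rec in records:
        errs = edit_tests(rec)
        (rejected if errs else accepted).append((rec, errs) if errs else rec)
    return accepted, rejected

BATCH = [  # constructed input batch: one clean record, four that each trip a control
    {"cust": "100234", "qty": "5", "amount": "120.00", "type": "S"},
    {"cust": "100235", "qty": "1", "amount": "10.00", "type": "S"},    # keying error in last digit
    {"cust": "100587", "qty": "2", "amount": "30.00", "type": "R"},    # valid digit, not on master
    {"cust": "100315", "qty": "-2", "amount": "abc", "type": "Z"},     # fails three edit tests
    {"cust": "100404", "qty": "1", "amount": "25000.00", "type": "S"}, # over the limit
]
```

Call `validate_batch(BATCH)` to obtain the accepted records and, for each rejection, the list of controls it failed; note that a keying error in the customer number is caught by the check digit before the master file is consulted.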
Processing Controls
• Purpose
  • Focus on the manipulation of accounting data
  • Contribute to a good audit trail
• Two Types
  • Control totals
  • Data manipulation controls

Control Totals
• Common Processing Control Procedures
  • Batch control total
  • Financial control total
  • Nonfinancial control total
  • Record count
  • Hash total
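Added example, not from the textbook: computing the control totals named on this slide over a constructed batch and reconciling them against the header totals keyed at input. The batch, the header values and the two simulated faults are constructed; the transposition case shows why a hash total catches an error that the record count and financial total both miss.

```python
from decimal import Decimal

def control_totals(records):
    """The four processing control totals over a batch of transaction records."""
    return {
        "record_count": len(records),
        "financial_total": sum(Decimal(r["amount"]) for r in records),   # dollar field
        "nonfinancial_total": sum(int(r["qty"]) for r in records),       # quantity field
        "hash_total": sum(int(r["cust"]) for r in records),              # meaningless sum of keys
    }

def reconcile(records, header):
    """Compare totals recomputed after processing with the totals keyed on the batch
    header at input; returns {total_name: (header, computed)} for every mismatch."""
    computed = control_totals(records)
    return {k: (header[k], computed[k]) for k in header if header[k] != computed[k]}

# Constructed batch of three sales transactions as keyed from the source documents.
INPUT_BATCH = [
    {"cust": "100234", "qty": "5", "amount": "120.00"},
    {"cust": "100315", "qty": "2", "amount": "45.50"},
    {"cust": "100404", "qty": "1", "amount": "300.00"},
]
# Totals the clerk computed by hand from the same source documents (constructed).
BATCH_HEADER = {
    "record_count": 3,
    "financial_total": Decimal("465.50"),
    "nonfinancial_total": 8,
    "hash_total": 300953,           # 100234 + 100315 + 100404
}

# Two simulated processing faults: a record lost in transit, and a transposition
# (100234 -> 100324) that leaves the record count and financial total unchanged.
DROPPED_RECORD = INPUT_BATCH[:2]
TRANSPOSED_KEY = [dict(INPUT_BATCH[0], cust="100324")] + INPUT_BATCH[1:]
```

`reconcile(INPUT_BATCH, BATCH_HEADER)` returns an empty dict for a batch that balances; the dropped record disturbs all four totals, while the transposed key is visible only in the hash total.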
Data Manipulation Controls
• Data Processing
  • Follows validation of input data
  • Data manipulated to produce decision-useful information
• Processing Control Procedures
  • Software documentation
  • Error-testing compiler
  • Utilization of test data

Output Controls
• Purpose
  • Ensure validity
  • Ensure accuracy
  • Ensure completeness
• Major Types
  • Validating Processing Results
  • Regulating Distribution and Use of Printed Output

Output Controls
• Validating Processing Results
  • Preparation of activity listings
  • Provide detailed listings of changes to master files
• Regulating Distribution and Use of Printed Output
  • Forms control
  • Pre-numbered forms
  • Authorized distribution list