Chapter 9: Computer Controls for Accounting Information Systems

Outline
- Introduction
- General Controls for Organizations
  - Integrated Security for the Organization
  - Organization-Level, Personnel, and File Security Controls
  - Fault-Tolerant Systems, Backup, and Contingency Planning; Computer Facility Controls
  - Access to Computer Files
- Information Technology General Controls
  - Security for Wireless Technology
  - Controls for Hardwired Network Systems
  - Security and Controls for Microcomputers
  - IT Control Objectives for Sarbanes-Oxley
- Application Controls for Transaction Processing
  - Input, Processing, and Output Controls
Introduction
- Internal control systems, with a focus on specific security in organizations
- Control procedures to ensure effective use and efficient utilization of resources
- Primary challenges associated with connectivity:
  - protecting sensitive data and information that is stored or transferred
  - providing appropriate security and control procedures
General Controls for Organizations
Developing an appropriate security policy involves:
- identifying and evaluating assets
- identifying threats
- assessing risk
- assigning responsibilities
- establishing security policies and platforms
- implementing the policy across the organization
- managing the security program
Integrated Security for the Organization
- Organizations are dependent on networks for transactions, data sharing, and communications.
  - They need to give access to customers, suppliers, partners, and others.
- Security threats for organizations arise from:
  - the complexity of these networks
  - the accessibility requirements they present
Integrated Security for the Organization
- Key security technologies that can be integrated include intrusion detection systems, firewalls, biometrics, and others.
- An integrated security system:
  - reduces the risk of attack
  - increases the costs and resources needed by an intruder
General Controls within IT Environments
- Organization-level controls
- Personnel controls
- File security controls
- Fault-tolerant systems, backup, and contingency planning
- Computer facility controls
- Access to computer files
Organization-Level Controls
Important controls include:
- consistent policies and procedures
- management's risk assessment process
- centralized processing and controls
- controls to monitor results of operations
- controls to monitor the internal audit function, the audit committee, and self-assessment programs
- the period-end financial reporting process
- board-approved policies that address significant business control and risk management practices
Personnel Controls
An AIS depends heavily on people for:
- the creation of the system
- the input of data into the system
- the supervision of data processing
- the distribution of processed data
- the use of approved controls
Personnel Controls
General controls that affect personnel include:
- separation of duties
- use of computer accounts
- separation-of-duties control procedures
Separation of Duties
Separation of duties should be designed and implemented in two ways:
- separate the accounting and information processing subsystems
- separate the responsibilities within the IT environment
Separation of Duties: Separate Responsibilities within the IT Environment
- Designated operational subsystems initiate and authorize asset custody.
- Errors in processing data are detected, entered on an error log, and referred back to the specific user subsystem for correction.
Division of Responsibility
Responsibility within an IT environment can be divided along the following functional lines:
- systems analysis function
- data control function
- programming function
- computer operations function
- transaction authorization function
- AIS library function
Use of Computer Accounts
Use of computer accounts:
- helps to ensure access is limited to specific users
  - mostly by using passwords
  - nowadays also by use of biometrics (digital fingerprinting)
- protects the use of scarce resources
Use of Computer Accounts
Computer accounts:
- limit user access to particular computer files or programs
- protect files from unauthorized use
- protect computer time from unauthorized use
- place resource limitations on account numbers, which limits programmer/operator errors
File Security Controls
The purpose of file security controls is to protect computer files from:
- accidental abuse
- intentional abuse
File Security Controls
Some examples of file security controls are:
- external file labels
- internal file labels
- lockout procedures
- file protection rings
- read-only file designation
Fault-Tolerant Systems
Fault-tolerant systems:
- are designed to tolerate computer errors and keep functioning
- are often based on the concept of redundancy
- are created by instituting duplicate communication paths and communications processors
Fault-Tolerant Systems
- Redundancy in CPU processing can be achieved:
  - with consensus-based protocols
  - with a second (watchdog) processor
- Disks can be made fault-tolerant:
  - by a process called disk mirroring
  - by rollback processing
Backup
Backup:
- is essential for vital documents
- is batch processed using the grandfather-parent-child procedure
- can be electronically transmitted to remote sites (vaulting)
- needs an uninterruptible power system (UPS) as an auxiliary power supply
Backup
- Backup is similar to the redundancy concept in fault-tolerant systems.
- A hot backup is performed while the database is online and available for read/write.
- A cold backup is performed while the database is offline and unavailable to its users.
Contingency Planning
Contingency planning:
- includes the development of a formal disaster recovery plan, which:
  - describes the procedures to be followed in an emergency
  - describes the role of each member of the team
  - appoints one person to be in command and another to be second-in-command
- involves a recovery site that can be either a hot site or a cold site
Computer Facility Controls
Locate the data processing center in a safe place where:
- the public does not have access
- it is guarded by personnel
- there is a limited number of secured entrances
- there is protection against natural disasters
Computer Facility Controls
- Limit employee access by incorporating magnetic, electronic, or optical coded identification badges.
- Buy insurance.
Access to Computer Files
Logical access to data is restricted by:
- password codes and identifications (encourage strong passwords)
- biometric identifications using voice patterns, fingerprints, and retina prints
Information Technology General Controls
The objective of these controls is to provide assurance that:
- the development of, and changes to, computer programs are authorized, tested, and approved before their use
- access to data files is restricted
- processed accounting data are accurate and complete
Control Concerns
- Errors may be magnified
- Inadequate separation of duties
- Audit trails
- Greater access to data
- Characteristics of magnetic or optical media
Information Technology General Controls
IT general controls involve:
- security for wireless technology
- controls for hardwired network systems
- security and controls for microcomputers
- IT control objectives for Sarbanes-Oxley
Security for Wireless Technology
Security for wireless technology involves:
- a virtual private network (VPN)
- data encryption
Controls for Hardwired Network Systems
The routine use of systems such as DDP (distributed data processing) and client/server computing increases control problems for companies, which include:
- electronic eavesdropping
- hardware or software malfunctions causing computer network system failures
- errors in data transmission
Controls for Hardwired Network Systems
To reduce the risk of system failures, networks are designed:
- to handle periods of peak transmission volume
- to use redundant components, such as modems, to recover from failure
- to use checkpoint control procedures
- to use routing verification procedures
- to use message acknowledgment procedures
Security and Controls for Microcomputers
- General and application control procedures are important to microcomputers.
- Most risks associated with AISs result from:
  - errors, irregularities, or fraud
  - general threats to security (such as a computer virus)
- Some of the risks that are unique to the microcomputer are:
  - hardware: microcomputers can be easily stolen or destroyed
  - data and software: easy to access, modify, copy, or destroy, and therefore difficult to control
Control Procedures for Microcomputers
Some cost-effective control procedures are:
- take inventory
- install keyboard locks
- lock laptops in cabinets
- follow software protection procedures
- create backup files
- lock office doors
Additional Controls for Laptops
Some specific controls for the laptop are:
- identify your laptop
- use non-breakable cables to attach laptops to stationary furniture
- load antivirus software
- keep laptop information backed up
IT Control Objectives for Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 (SOX) profoundly impacts public companies:
- managers
- the internal auditors
- the external auditors
IT Control Objectives for Sarbanes-Oxley
The IT Governance Institute (ITGI) issued 'IT Control Objectives for Sarbanes-Oxley' in April 2004, which:
- helps organizations comply with SOX requirements and the PCAOB requirements
- includes detailed guidance for organizations, starting with the IT controls from CobiT, linking those to the IT general control categories in the PCAOB standard, and then linking to the COSO framework
Application Controls for Transaction Processing
Application controls are designed to prevent, detect, and correct errors and irregularities in transactions in:
- the input stage
- the processing stage
- the output stage of data processing
Input Controls
- Input controls attempt to ensure the validity, accuracy, and completeness of the data entered into an AIS.
- The categories of input controls include:
  - observation, recording, and transcription of data
  - edit tests
  - additional input controls
Observation, Recording, and Transcription of Data
The observation control procedures that assist in collecting data are:
- feedback mechanisms
- dual observation
- point-of-sale (POS) devices
- preprinted recording forms
Data Transcription
- Data transcription is the preparation of data for computerized processing.
- Preformatted screens make the electronic version look like the printed version.
Edit Tests
Input validation routines (edit programs) check the validity and accuracy of input data after the data have been entered and recorded on a machine-readable file.
Edit Tests
- Edit tests examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality.
- Real-time systems use edit checks during data entry.
Examples of Edit Tests
The following are examples of edit tests:
- numeric field
- alphabetic field
- alphanumeric field
- valid code
- reasonableness
- sign
- completeness
- sequence
- consistency
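As an added illustration (not code from the textbook), the following edit program applies all nine edit tests listed above to a constructed batch of sales-invoice records and produces the error log that the data control function would refer back to the user subsystem. The field names, the payment-code table and the reasonableness ceiling of 100000 are assumptions chosen for the example.

```python
import re
VALID_CODES = {"CASH", "CRED", "CHEQ"}   # assumed payment-code table (constructed)
REQUIRED = ("seq", "invoice", "name", "qty", "amount", "pay_code")

def edit_tests(rec, prev_seq):
    """Apply the chapter's edit tests to one input record; return the list of failures."""
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:                                               # completeness test
        return ["missing " + f for f in missing]
    errs = []
    if not re.fullmatch(r"\d+", str(rec["qty"])):             # numeric field test
        errs.append("qty not numeric")
    if not re.fullmatch(r"-?\d+(\.\d{1,2})?", str(rec["amount"])):
        return errs + ["amount not numeric"]                  # later tests need a number
    amount = float(rec["amount"])
    if not re.fullmatch(r"[A-Za-z ]+", rec["name"]):          # alphabetic field test
        errs.append("name not alphabetic")
    if not re.fullmatch(r"[A-Z0-9]+", rec["invoice"]):        # alphanumeric field test
        errs.append("invoice not alphanumeric")
    if rec["pay_code"] not in VALID_CODES:                    # valid-code test
        errs.append("invalid pay_code")
    if amount < 0:                                            # sign test: sales are positive
        errs.append("negative amount")
    if amount > 100000:                                       # reasonableness test (assumed ceiling)
        errs.append("amount exceeds reasonableness limit")
    if rec["seq"] != prev_seq + 1:                            # sequence test
        errs.append("sequence break")
    if rec["pay_code"] == "CRED" and not rec.get("credit_acct"):  # consistency test
        errs.append("credit sale without credit_acct")
    return errs

def run_edit_program(batch):
    """Split a batch into accepted records and an error log keyed by invoice number."""
    accepted, error_log, prev = [], {}, 0
    for rec in batch:
        errs = edit_tests(rec, prev)
        if errs:
            error_log[str(rec.get("invoice"))] = errs
        else:
            accepted.append(rec)
        if isinstance(rec.get("seq"), int):
            prev = rec["seq"]
    return accepted, error_log

# Constructed sample batch: INV002 fails the sign and consistency tests, INV004 fails numeric and sequence
SAMPLE_BATCH = [
    {"seq": 1, "invoice": "INV001", "name": "Acme Ltd", "qty": 3, "amount": "150.00", "pay_code": "CASH"},
    {"seq": 2, "invoice": "INV002", "name": "Beta Co", "qty": 1, "amount": "-20.00", "pay_code": "CRED"},
    {"seq": 4, "invoice": "INV004", "name": "Gamma Inc", "qty": "x", "amount": "99.50", "pay_code": "CHEQ"},
]
```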
Processing Controls
- Processing controls focus on the manipulation of accounting data after they are input to the computer system.
- The key objective is a clear audit trail.
- Processing controls are of two kinds:
  - data-access controls
  - data manipulation controls
Data-Access Control Totals
Some common processing control procedures are:
- batch control total
- financial control total
- nonfinancial control total
- hash total
- record count
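As an added example (not from the textbook), the code below computes the batch control totals listed above for a constructed payroll batch and reconciles them after processing. It also shows which errors each total catches and which none of them can: a dropped record upsets every total, a transposed employee account number is caught only by the hash total, and two amounts swapped between records balance perfectly. Field names and values are constructed assumptions.

```python
# Constructed sample batch of payroll records: employee account number, department, hours, gross pay
BATCH_AS_KEYED = [
    {"acct": 1001, "dept": 10, "hours": 40.0, "gross": 1600.00},
    {"acct": 1002, "dept": 10, "hours": 38.0, "gross": 1520.00},
    {"acct": 1003, "dept": 20, "hours": 42.0, "gross": 1890.00},
    {"acct": 1004, "dept": 20, "hours": 40.0, "gross": 1700.00},
]

def control_totals(records):
    """Compute the batch control totals the chapter lists for one batch of records."""
    return {
        "record_count": len(records),                                   # number of records in the batch
        "financial_total": round(sum(r["gross"] for r in records), 2),  # sum of a money field
        "nonfinancial_total": round(sum(r["hours"] for r in records), 1),  # sum of a non-money quantity
        "hash_total": sum(r["acct"] for r in records),                  # sum of a field with no arithmetic meaning
    }

def reconcile(expected, records):
    """Compare totals established before input with totals recomputed after processing.
    Return the names of the totals that disagree; an empty list means the batch balances."""
    actual = control_totals(records)
    return [name for name in expected if actual[name] != expected[name]]

# Totals the data control clerk establishes from the source documents before the batch is processed
EXPECTED = control_totals(BATCH_AS_KEYED)

# Failure case 1: one record lost in processing; every control total disagrees
DROPPED = BATCH_AS_KEYED[:3]

# Failure case 2: account number 1004 keyed as 1040; only the hash total detects the transposition
TRANSPOSED = [dict(r) for r in BATCH_AS_KEYED]
TRANSPOSED[3]["acct"] = 1040

# Failure case 3: gross pay of two employees swapped; all totals still balance, so control totals
# cannot detect this and a record-level edit or consistency test is needed instead
SWAPPED = [dict(r) for r in BATCH_AS_KEYED]
SWAPPED[0]["gross"], SWAPPED[1]["gross"] = SWAPPED[1]["gross"], SWAPPED[0]["gross"]
```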
Data Manipulation Controls
- Once data have been validated by earlier portions of data processing, they usually must be manipulated in some way to produce useful output.
- Data manipulation controls include:
  - software documentation, i.e., flowcharts and diagrams
  - compiler
  - test data
Output Controls
The objectives of output controls are to ensure:
- validity
- accuracy
- completeness

Two major types of output application controls are:
- validating processing results by means of activity (or proof) listings
- regulating the distribution and use of printed output through:
  - forms (prenumbered forms)
  - an authorized distribution list
  - shredding sensitive documents
Copyright
Copyright 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.