Information Systems Controls Lecture 5 (Chapter 6, 7 & 8)

Lecture 5-2 ©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart

Introduction
1. Explain the basic concepts of control as applied to business organizations
2. Describe the major elements in the control environment of a business
3. Describe control policies and procedures commonly used in business organizations
4. Evaluate a system of internal control, identify its deficiencies, and prescribe modifications to remedy those deficiencies
5. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls

Lecture 5-3 Threats to AIS
Natural and political disasters:
– fire / heat / floods / earthquakes / winds / war
Software errors and equipment malfunctions:
– hardware failures / power outages / data transmission errors
Unintentional acts:
– accidents / lost data / human and logic errors / systems that do not meet company needs
Intentional acts:
– sabotage / computer fraud / embezzlement

Lecture 5-4 AIS Threats Are Increasing
Due to:
– the increasing number of client/server systems
– LANs and client/server systems distribute data to many users, which is harder to control than a mainframe
– WANs are giving customers and suppliers access to each other’s systems and data, e.g. Wal-Mart and its vendors
– better computer knowledge in the population
Therefore, computer control and security are important.

Lecture 5-5 Control Concepts
Internal control is the plan and methods a business uses to:
1. safeguard assets
2. provide accurate and reliable information
3. promote and improve operational efficiency
4. encourage adherence to managerial policies
Management control:
1. is an integral part of management responsibilities
2. is designed to reduce errors and irregularities and to achieve organizational goals
3. is personnel-oriented and seeks to help employees attain company goals

Lecture 5-6 Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

Lecture 5-7 Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Lecture 5-8 COSO’s Internal Control Model
Components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring performance

Lecture 5-9 COSO’s Model of Internal Control
Control environment:
1. Commitment to integrity and ethical values
2. Management philosophy
3. Emphasis on knowledge and skills
4. Effective audit committee
5. Assigning authority
6. Executive competence
Control activities:
1. Policies and procedures
2. Authorization of transactions
3. Segregation of duties
4. Design and use of adequate documentation
5. Safeguarding of assets and records
6. Independent checks on performance
Risk assessment:
1. Identify threats
2. Estimate risk
3. Estimate exposure
4. Identify controls
5. Estimate costs and benefits
6. Determine cost-benefit effectiveness
Information and communication:
1. Understanding of the transaction process
2. Audit trail of transactions: identify, classify and record at the proper monetary value and in the proper accounting period
3. Effective communication and proper disclosure
Monitoring performance:
1. Effective supervision: training, monitoring performance, safeguarding assets
2. Responsibility accounting: budgets, costing, performance reports
3. Internal audit

Lecture 5-10 Segregation of Duties
Recording functions:
– preparing source documents
– maintaining journals
– preparing reconciliations
– preparing performance reports
Custodial functions:
– handling cash
– handling assets
– writing checks
– receiving checks in the mail
Authorization functions:
– authorization of transactions

Lecture 5-11 Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise. Segregation of duties prevents employees from falsifying records in order to conceal the theft of assets entrusted to them, and prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
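The conflict rule on this slide is easy to enforce mechanically. The following Python is an added example, not part of the lecture material: it classifies each employee's duties into the three function groups from the previous slide and flags anyone who holds duties in two or more of them. The employees, their duties and the function names are constructed for illustration.

```python
# Added example (not from the lecture): detect segregation-of-duties
# conflicts in a set of employee duty assignments. Employees, duties and
# function names below are constructed for illustration.

# The three incompatible function groups from the lecture's slide 5-10.
FUNCTION_GROUPS = {
    "recording": {"prepare source documents", "maintain journals",
                  "prepare reconciliations", "prepare performance reports"},
    "custodial": {"handle cash", "handle assets", "write checks",
                  "receive checks in mail"},
    "authorization": {"authorize transactions"},
}

def classify(duties):
    """Return the set of function groups that a list of duties falls into.
    Duties not listed in any group are ignored (they are not control-relevant here)."""
    groups = set()
    for duty in duties:
        for name, members in FUNCTION_GROUPS.items():
            if duty in members:
                groups.add(name)
    return groups

def find_sod_conflicts(assignments):
    """assignments: {employee: [duty, ...]}.
    Returns {employee: sorted list of function groups} for every employee whose
    duties span two or more of the three incompatible groups."""
    conflicts = {}
    for employee, duties in assignments.items():
        groups = classify(duties)
        if len(groups) >= 2:
            conflicts[employee] = sorted(groups)
    return conflicts

# Constructed sample assignments: two of the four employees have a conflict.
SAMPLE_ASSIGNMENTS = {
    "alice": ["maintain journals", "prepare reconciliations"],   # recording only
    "bob":   ["handle cash", "maintain journals"],               # custodial + recording
    "carol": ["authorize transactions", "write checks"],         # authorization + custodial
    "dave":  ["authorize transactions"],                         # authorization only
}

if __name__ == "__main__":
    for who, groups in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{who}: holds {' and '.join(groups)} functions")
```

Run against a real role catalogue, the same check becomes a periodic detective control: export the assignments from the system, run the scan, and treat every hit as an exception to be explained or remediated with a compensating control.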

Lecture 5-12 Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information

Lecture 5-13 Estimate Costs and Benefits
No internal control system can provide foolproof protection against all internal control threats; the cost of a foolproof system would be prohibitively high. One way to calculate benefits involves calculating expected loss. The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
Expected loss = risk × exposure
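The cost-benefit calculation on this slide, carried through for several candidate controls against one threat, as an added Python example that is not part of the lecture. It uses the slide's formula (expected loss = risk × exposure) and the slide's definition of benefit; the threat, the probabilities, the dollar figures and the control names are all constructed.

```python
# Added example (not from the lecture): cost-benefit evaluation of candidate
# controls using expected loss = risk x exposure. The threat, probabilities,
# costs and control names are constructed for illustration.

def expected_loss(risk, exposure):
    """risk: probability that the threat occurs in the period (0..1);
    exposure: loss in dollars if it does."""
    return risk * exposure

def control_benefit(risk_before, risk_after, exposure_before, exposure_after=None):
    """Benefit = expected loss without the control - expected loss with it.
    A control may lower the likelihood (risk), the impact (exposure), or both."""
    if exposure_after is None:
        exposure_after = exposure_before
    return (expected_loss(risk_before, exposure_before)
            - expected_loss(risk_after, exposure_after))

def evaluate_controls(threat, candidates):
    """threat: {'risk', 'exposure'} before any control is applied.
    candidates: list of {'name', 'cost', 'risk_after', optional 'exposure_after'}.
    Returns (name, benefit, cost, net_benefit) tuples, best net benefit first."""
    rows = []
    for c in candidates:
        benefit = control_benefit(threat["risk"], c["risk_after"],
                                  threat["exposure"], c.get("exposure_after"))
        rows.append((c["name"], benefit, c["cost"], benefit - c["cost"]))
    return sorted(rows, key=lambda r: r[3], reverse=True)

# Constructed sample: a 10% annual probability of a $500,000 loss.
THREAT = {"name": "fraudulent payroll entry", "risk": 0.10, "exposure": 500_000}
CANDIDATES = [
    {"name": "no control",               "cost": 0,      "risk_after": 0.10},
    {"name": "input validation routines","cost": 8_000,  "risk_after": 0.04},
    {"name": "dual authorization",       "cost": 15_000, "risk_after": 0.02},
    {"name": "full-time reviewer",       "cost": 60_000, "risk_after": 0.005},
]

if __name__ == "__main__":
    print(f"expected loss with no control: ${expected_loss(THREAT['risk'], THREAT['exposure']):,.0f}")
    for name, benefit, cost, net in evaluate_controls(THREAT, CANDIDATES):
        print(f"{name:28s} benefit ${benefit:>9,.0f}  cost ${cost:>7,}  net ${net:>9,.0f}")
```

The point the table makes is the one the slide makes: the control with the largest reduction in expected loss (the full-time reviewer) is not the best choice, because its cost exceeds its benefit; the control with the highest net benefit wins.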

Lecture 5-14 Information and Communication
Audit trail: an audit trail exists when individual company transactions can be traced through the system. It provides evidence that transactions are:
– properly classified
– recorded at their proper monetary value
– recorded in the proper accounting period
– properly presented, with related disclosures, in the financial statements

Lecture 5-15 Principles of a Reliable System
Availability:
– minimizing system downtime
– disaster recovery plan
Security controls:
– segregation of duties
– physical access control
– logical access control
– protection of computers and client/server networks
– Internet/e-commerce control
Maintainability:
– project development and acquisition controls
– change management control
Integrity:
– source data controls
– input validation routines
– on-line data entry controls
– data processing and storage controls
– output controls
– data transmission controls

Lecture 5-16 Security Controls
– segregation of duties in the systems function
– physical access control
– logical access control
– protection of personal computers and client/server networks
– Internet and e-commerce control

Lecture 5-17 Segregation of Duties Within the Systems Function
Organizations must implement compensating control procedures. Authority and responsibility must be clearly divided among the following functions:
1. Systems analysis
2. Programming
3. Computer operations
4. Users
5. AIS library
6. Data control

Lecture 5-18 Physical Access Controls
How can physical access security be achieved?
– placing computer equipment in locked rooms and restricting access to authorized personnel
– having only one or two entrances to the computer room
– requiring proper employee ID
– requiring that visitors sign a log
– installing locks on PCs

Lecture 5-19 Logical Access Controls
Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions. Some logical access controls:
– passwords
– physical possession identification
– biometric identification
– compatibility tests

Lecture 5-20 Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are also applicable to PCs and networks. The following controls are also important:
– Train users in PC-related control concepts.
– Restrict access by using locks/keys on PCs.
– Establish policies and procedures.
– Portable PCs should not be stored in cars.
– Back up hard disks regularly.
– Encrypt or password-protect files.
– Build protective walls around systems.
– Use multilevel password controls to limit employee access to incompatible data.

Lecture 5-21 Protection of PCs and Client/Server Networks
PCs are more vulnerable to security risks than mainframes because:
– it is difficult to restrict physical access
– PC users are usually less aware of the importance of security and control
– many people are familiar with the operation of PCs
– segregation of duties is very difficult

Lecture 5-22 Internet and E-Commerce Controls
Caution is needed when conducting business on the Internet because of:
– the global dependence on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
– website security flaws and the attraction of hackers
Controls used to secure Internet activity:
– passwords and encryption technology
– routing verification procedures
– firewall: a barrier between networks that does not allow unauthorized information to flow into or out of the trusted network

Lecture 5-23 Maintainability Controls: Project Development Controls
To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function. Key elements included in project development control:
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements

Lecture 5-24 Application Controls
The objective of application controls is to ensure the integrity of a specific application’s inputs, files, programs, and outputs. Six categories of application controls:
1. Source data controls
2. Input validation routines
3. Online data entry controls
4. Data processing and file maintenance controls
5. Output controls
6. Data transmission controls

Lecture 5-25 Application Controls: Source Data Controls
There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
– key verification
– check digit verification
– prenumbered forms sequence test
– turnaround documents
– authorization
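Check digit verification, one of the source data controls listed above, as an added Python example that is not part of the lecture. The lecture does not name a particular scheme; the example assumes the mod-10 (Luhn) algorithm, a widely used check digit scheme. The account number used as input is constructed.

```python
# Added example (not from the lecture): computing and verifying a mod-10
# (Luhn) check digit, as used for check digit verification of keyed account
# numbers. The Luhn scheme is an assumption; the lecture names no scheme.

def luhn_check_digit(body):
    """Compute the Luhn check digit for a string of digits (without the check digit)."""
    total = 0
    # Walk right to left; double every other digit starting with the rightmost.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return (10 - total % 10) % 10

def append_check_digit(body):
    """Issue a number: body plus its check digit as the final character."""
    return body + str(luhn_check_digit(body))

def is_valid(number):
    """Source data control: reject the keyed number unless its last digit
    is the correct check digit for the digits before it."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == int(number[-1])

def single_digit_errors_detected(number):
    """Try every single-digit substitution of a valid number and count how
    many the check digit catches. Returns (caught, total)."""
    caught = total = 0
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d == ch:
                continue
            total += 1
            if not is_valid(number[:i] + d + number[i + 1:]):
                caught += 1
    return caught, total

# Constructed account number body; its Luhn check digit is 3.
SAMPLE_BODY = "7992739871"

if __name__ == "__main__":
    issued = append_check_digit(SAMPLE_BODY)
    print("issued:", issued, "valid:", is_valid(issued))
    print("one digit mistyped:", is_valid("79927398723"))     # False
    print("two digits transposed:", is_valid("79927398173"))  # False
    print("single-digit errors caught:", single_digit_errors_detected(issued))
```

The Luhn digit catches every single-digit substitution and nearly every transposition of adjacent digits (09 and 90 being the classic exception), which is why it is adequate for catching keying errors at data entry; it is not a security control, since anyone who knows the scheme can produce a number that passes.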

Lecture 5-26 Application Controls: Input Validation Routines
Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system. These programs are called edit programs, and the accuracy checks they perform are called edit checks, such as:
– sequence check
– field check
– sign check
– validity check
– limit check
– range check
– reasonableness test
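A small edit program that applies all seven edit checks named on this slide to a batch of sales records, as an added Python example that is not part of the lecture. The chart of accounts, the credit limit, the record layout and the sample batch (one clean record and four with deliberate errors) are constructed.

```python
# Added example (not from the lecture): an "edit program" applying the
# lecture's edit checks to a constructed batch of sales records. The master
# file, credit limit and records are constructed for illustration.

VALID_ACCOUNTS = {"1000", "1100", "2000", "4000"}   # constructed master file
CREDIT_LIMIT = 10_000.00                              # constructed limit

def field_check(value):
    """Field check: an account number field must contain only digits."""
    return value.isdigit()

def validity_check(account):
    """Validity check: the account must exist in the master file."""
    return account in VALID_ACCOUNTS

def sign_check(amount):
    """Sign check: a sales amount must not be negative."""
    return amount >= 0

def limit_check(amount, limit=CREDIT_LIMIT):
    """Limit check: the amount must not exceed a fixed upper limit."""
    return amount <= limit

def range_check(value, low, high):
    """Range check: the value must lie within a predetermined interval."""
    return low <= value <= high

def reasonableness_test(qty, price, amount):
    """Reasonableness test: the amount must agree with quantity x unit price."""
    return abs(qty * price - amount) < 0.005

def sequence_check(records):
    """Sequence check: document numbers must be ascending with no duplicates."""
    numbers = [r["doc_no"] for r in records]
    return numbers == sorted(numbers) and len(set(numbers)) == len(numbers)

def edit_record(rec):
    """Apply the per-record edit checks; return the list of failure messages."""
    failures = []
    if not field_check(rec["account"]):
        failures.append("field check: account is not numeric")
    elif not validity_check(rec["account"]):
        failures.append("validity check: account not in master file")
    if not sign_check(rec["amount"]):
        failures.append("sign check: negative amount")
    if not limit_check(rec["amount"]):
        failures.append("limit check: amount exceeds credit limit")
    if not range_check(rec["month"], 1, 12):
        failures.append("range check: month outside 1..12")
    if not reasonableness_test(rec["qty"], rec["price"], rec["amount"]):
        failures.append("reasonableness test: qty * price != amount")
    return failures

def edit_batch(records):
    """Edit a whole batch. Returns (sequence_ok, {doc_no: [failures]})."""
    return sequence_check(records), {r["doc_no"]: edit_record(r) for r in records}

# Constructed batch: 101 is clean; 102-105 each carry deliberate errors,
# and 105 precedes 104 so the batch also fails the sequence check.
SAMPLE_BATCH = [
    {"doc_no": 101, "account": "1000", "qty": 5,   "price": 50.0,  "amount": 250.0,   "month": 3},
    {"doc_no": 102, "account": "9999", "qty": 2,   "price": 50.0,  "amount": 100.0,   "month": 4},
    {"doc_no": 103, "account": "1100", "qty": 1,   "price": 40.0,  "amount": -40.0,   "month": 13},
    {"doc_no": 105, "account": "AB12", "qty": 100, "price": 120.0, "amount": 12000.0, "month": 6},
    {"doc_no": 104, "account": "2000", "qty": 3,   "price": 10.0,  "amount": 30.0,    "month": 7},
]

if __name__ == "__main__":
    seq_ok, results = edit_batch(SAMPLE_BATCH)
    print("sequence check:", "pass" if seq_ok else "FAIL")
    for doc_no, failures in results.items():
        print(doc_no, "OK" if not failures else "; ".join(failures))
```

Note that a rejected record is reported, not silently dropped: the failure list is what the data control function reconciles against the input control totals, so a batch with rejects is visibly incomplete rather than quietly short.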

Lecture 5-27 Application Controls: Online Data Entry Controls
Online data entry controls ensure the accuracy and integrity of transaction data entered from online terminals and PCs. Some online data entry controls are:
– data checks
– user ID numbers and passwords
– compatibility tests
– prompting
– preformatting
– completeness check
– automatic transaction data entry
– transaction log
– clear error messages

Lecture 5-28 Application Controls: Data Processing Controls
Common controls to preserve the accuracy and completeness of data processing:
– data currency checks
– default values
– data matching
– exception reporting
– external data reconciliation
– control account reconciliation
– file security
– file conversion controls

Lecture 5-29 Application Controls: Output Controls
The data control function should review all output for reasonableness and proper format, and should reconcile corresponding output and input control totals. Data control is also responsible for distributing computer output to the appropriate user departments. Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive. A shredder can be used to destroy highly confidential data.
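Reconciling output control totals against input control totals, as an added Python example that is not part of the lecture. It computes the three classic batch totals (record count, financial total, hash total) on the input batch and again on the processed output, and reports which totals disagree. The batches, including the two defective outputs, are constructed.

```python
# Added example (not from the lecture): batch control totals reconciled
# between input and output. Records and the two defective outputs are
# constructed for illustration.

def control_totals(records):
    """Record count, financial total (sum of amounts) and hash total
    (sum of account numbers: a field with no financial meaning, summed only
    so that a mis-keyed account number changes the total)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["account"]) for r in records),
    }

def reconcile(input_records, output_records):
    """Return the sorted names of the control totals that do not agree;
    an empty list means the output reconciles to the input."""
    before = control_totals(input_records)
    after = control_totals(output_records)
    return sorted(name for name in before if before[name] != after[name])

# Constructed input batch.
INPUT_BATCH = [
    {"account": "1000", "amount": 100.00},
    {"account": "2000", "amount": 50.50},
    {"account": "4000", "amount": 25.25},
]
# Output that matches the input exactly.
OUTPUT_COMPLETE = [dict(r) for r in INPUT_BATCH]
# Output where processing lost the last record.
OUTPUT_DROPPED = [dict(r) for r in INPUT_BATCH[:2]]
# Output where one account number was mis-keyed but every amount is right.
OUTPUT_MISKEYED = [dict(r) for r in INPUT_BATCH]
OUTPUT_MISKEYED[1]["account"] = "2100"

if __name__ == "__main__":
    print("input totals:", control_totals(INPUT_BATCH))
    for label, out in [("complete", OUTPUT_COMPLETE),
                       ("dropped record", OUTPUT_DROPPED),
                       ("mis-keyed account", OUTPUT_MISKEYED)]:
        diffs = reconcile(INPUT_BATCH, out)
        print(f"{label:18s}", "reconciles" if not diffs else f"mismatch in {', '.join(diffs)}")
```

The mis-keyed case is the reason a hash total is kept alongside the financial total: the amounts still add up, so only the hash total reveals that a posting went to the wrong account.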

Lecture 5-30 Application Controls: Data Transmission Controls
Companies monitor their networks to reduce the risk of data transmission failures. Data transmission errors can be minimized by:
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques
Data transmission controls take on added importance in organizations that use electronic data interchange (EDI) or electronic funds transfer (EFT).
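Two of the transmission controls above, parity and message acknowledgment, working together in a simulated sender/receiver exchange, as an added Python example that is not part of the lecture. The frame layout, the ACK/NAK replies, the sequence-number handling and the "noisy channel" that corrupts one frame are all constructed for illustration; encryption and routing verification are not covered here.

```python
# Added example (not from the lecture): per-byte parity plus ACK/NAK
# acknowledgement with retransmission and duplicate suppression. Frame
# format, channel behaviour and messages are constructed for illustration.
import copy

def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, else 0."""
    return bin(byte).count("1") % 2

def make_frame(seq, payload):
    """Sender side: number the frame and attach a parity bit to every byte."""
    return {"seq": seq, "data": [(b, parity_bit(b)) for b in payload]}

def check_frame(fr):
    """Receiver side: recompute each parity bit; return positions that disagree."""
    return [i for i, (b, p) in enumerate(fr["data"]) if parity_bit(b) != p]

class Receiver:
    """Accepts frames in order, answers ACK or NAK, and suppresses duplicates."""
    def __init__(self):
        self.expected = 0        # sequence number of the next frame we will post
        self.received = []       # payloads accepted, in order

    def accept(self, fr):
        if check_frame(fr):                      # parity error: ask for a resend
            return ("NAK", fr["seq"])
        if fr["seq"] < self.expected:            # duplicate (our ACK was lost): re-ACK, do not re-post
            return ("ACK", fr["seq"])
        if fr["seq"] > self.expected:            # gap: refuse until the missing frame arrives
            return ("NAK", fr["seq"])
        self.received.append(bytes(b for b, _ in fr["data"]))
        self.expected += 1
        return ("ACK", fr["seq"])

def transmit(messages, receiver, channel, max_retries=3):
    """Send each message, resending on NAK; returns a log of (seq, attempt, reply)."""
    log = []
    for seq, payload in enumerate(messages):
        fr = make_frame(seq, payload)
        for attempt in range(max_retries + 1):
            reply, _ = receiver.accept(channel(copy.deepcopy(fr), attempt))
            log.append((seq, attempt, reply))
            if reply == "ACK":
                break
        else:
            raise RuntimeError(f"frame {seq} not acknowledged after {max_retries} retries")
    return log

def noisy_channel(fr, attempt):
    """Constructed channel: flips one bit of frame 1's first byte on its first try,
    leaving the parity bit untouched so the receiver sees a mismatch."""
    if fr["seq"] == 1 and attempt == 0:
        b, p = fr["data"][0]
        fr["data"][0] = (b ^ 0x01, p)
    return fr

# Constructed EFT-style messages.
SAMPLE_MESSAGES = [b"EFT 100.00 TO 1000", b"EFT 250.00 TO 2000"]

if __name__ == "__main__":
    rx = Receiver()
    for entry in transmit(SAMPLE_MESSAGES, rx, noisy_channel):
        print("seq %d attempt %d -> %s" % entry)
    print("received:", rx.received)
```

A single parity bit per byte detects any odd number of flipped bits in that byte and misses an even number, which is why real links pair it with a stronger check (a CRC or a cryptographic MAC); the sequence number is what lets the receiver distinguish a retransmission from a genuinely new transaction, which matters most for the EFT case the slide mentions.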

Lecture 5-31 Application Controls: Data Transmission Controls
Sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.

Lecture 5-32 General Controls
General controls ensure that the overall computer system is stable and well managed:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers and client/server networks
12. Internet controls

Lecture 5-33 End of Lecture 5