Advanced Accounting Information Systems Day 20 Control and Security Frameworks October 9, 2009

announcements –Careers in accounting/IT –Quiz 4 –Graduate student paper

announcements –Assignment 3 Scoring –Night vs day – 12 points –Recalculate charges – 12 points –Problem found – 3 points –Action plan – 3 points Game plan –Identify potential misclassified minutes –Calculate rates by first identifying most recent contracts (i.e. max(Startdate) –Separate into flexible and fixed plans –Calculate minutes –Calculate charges per flexible –Calculate charges per fixed –Combine calculated charges per flexible and fixed (UNION) –Compare calculated to InvoiceLine charges

announcements –Assignment 4 Merger/acquisition due diligence – significantly shorter time frame What are the due diligence / audit objectives? Some of the due diligence work is already done –Identified due diligence objectives (See Figure 3) –Started with prior audit procedures (see Figure 3) No manufacturing costs since Threadchic is a retailer

announcements –Assignment 4 Existence procedure –Verify Threadchic paid for all purchases in a timely manner »join invoice and payment table using outer join to identify any invoices that were not paid yet –Verify inventory consistent with sales »For all items, sales price is 100 percent markup over cost except for marked down items with no sale in the last 21 days. List cost, lastSalesPrice, and calculate salesToCost to determine if each item markup is 100 percent

announcements –Assignment 4 Completeness procedure –Verify inclusion of all purchases in inventory »Match purchases to inventory on SKU to find purchases with no entry in inventoryMaster.QOH »Match purchases to counted inventory on SKU to find purchases with no entry in inventoryCount.obsvQOH »Remember – inventoryMaster is Threadchic’s records »inventoryCount – contains number counted by the auditors

Objectives Understand risks faced by information assets Comprehend relationship between risk and asset vulnerabilities Understand nature and types of threats faced by the asset Understand objectives of control and security of information assets and how these objectives are interrelated Understand the building blocks of control (and security) frameworks for information systems Apply a controls framework to a financial accounting system

Purpose of internal control framework

Information Assets

Threat Probability of an attack on an information asset

Countermeasures Designed to minimize or eliminate the risks stemming from vulnerabilities To design countermeasures

Definition of internal control Procedures designed by management to provide reasonable assurance regarding achievement of specific objectives Classification of internal controls –General vs application –Detective, preventive, or corrective

Definition of Information Security Protection from harm Being able to depend on the information system Two categories –Physical security –Logical security

Four objectives of internal controls

Information Security Objectives

Frameworks for control and security

COBIT control objectives Acquire and develop applications and system software Acquire technology infrastructure Develop and maintain policies and procedures Install and test application software and technology infrastructure Manage change Define and manage service levels Manage third-party services Ensure systems security Manage the configuration Manage problems and incidents Manage data Manage operations

ISO Ten categories or sections –Security policy –Security organization –Asset classification and control –Personnel security –Physical and environmental security –Computer and operations management –System access control –System development and maintenance –Compliance

COSO Control environment Risk assessment Control activities Information and communication Monitoring

Steps in Implementing a control framework

Questions for Monday Identify at least one difference between systems availability and business continuity Why is disaster recovery planning important? Is disaster recovery planning cost beneficial?