Chapter 12: Computer Controls for Organizations and Accounting Information Systems

Presentation transcript:


Chapter 12: Computer Controls for Organizations and Accounting Information Systems
- Introduction
- General Controls for Organizations
- General Controls for Information Technology
- Application Controls for Transaction Processing

General Controls For Organizations
- Integrated Security for the Organization
- Organization-Level Controls
- Personnel Policies
- File Security Controls
- Business Continuity Planning
- Computer Facility Controls
- Computer Access Controls

Developing a Security Policy

Integrated Security for the Organization
Physical Security
  - Measures used to protect its facilities, resources, or proprietary data stored on physical media
Logical Security
  - Limit access to system and information to authorized individuals
Integrated Security
  - Combines physical and logical elements
  - Supported by comprehensive security policy

Physical and Logical Security

Organization-Level Controls
- Consistent policies and procedures
- Management’s risk assessment process
- Centralized processing and controls
- Controls to monitor results of operations

Organization-Level Controls
- Controls to monitor the internal audit function, the audit committee, and self-assessment programs
- Period-end financial reporting process
- Board-approved policies that address significant business control and risk management practices

Personnel Policies
Separation of Duties
  - Separate Accounting and Information Processing from Other Subsystems
  - Separate Responsibilities within IT Environment
Use of Computer Accounts
  - Each employee has password-protected account
  - Biometrics

Separation of Duties

Division of Responsibility in IT Environment

Personnel Policies
Informal Knowledge of Employees
  - Protect against fraudulent employee actions
  - Observation of suspicious behavior
  - Highest percentage of fraud involved employees in the accounting department
  - Must safeguard files from intentional and unintentional errors

Safeguarding Computer Files

File Security Controls

Business Continuity Planning
Definition
  - Comprehensive approach to ensuring normal operations despite interruptions
Components
  - Disaster Recovery
  - Fault Tolerant Systems
  - Backup

Disaster Recovery
Definition
  - Process and procedures
  - Following disruptive event
Summary of Types of Sites
  - Hot Site
  - Flying-Start Site
  - Cold Site

Fault Tolerant Systems
Definition
  - Used to deal with computer errors
  - Ensure functional system with accurate and complete data (redundancy)
Major Approaches
  - Consensus-based protocols
  - Watchdog processor
  - Utilize disk mirroring or rollback processing

Backup
Batch processing
  - Risk of losing data before, during, and after processing
  - Grandfather-parent-child procedure
Types of Backups
  - Hot backup
  - Cold Backup
  - Electronic Vaulting

Batch Processing

Computer Facility Controls
Locate Data Processing Centers in Safe Places
  - Protect from the public
  - Protect from natural disasters (flood, earthquake)
Limit Employee Access
  - Security Badges
  - Man Trap
Buy Insurance

Study Break #1
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN

Study Break #2
All of the following are considered organization-level controls except:
A. Personnel controls
B. Business continuity planning controls
C. Processing controls
D. Access to computer files

Study Break #3
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security

General Controls for Information Technology
- Security for Wireless Technology
- Controls for Networks
- Controls for Personal Computers
- IT Control Objectives for Sarbanes-Oxley

General Controls for Information Technology
IT general controls apply to all information systems
Major Objectives
  - Computer programs are authorized, tested, and approved before usage
  - Access to programs and data is limited to authorized users

Control Concerns

Security for Wireless Technology
Utilization of wireless local area networks
Virtual Private Network (VPN)
  - Allows remote access to entity resources
Data Encryption
  - Data converted into a scrambled format
  - Converted back to meaningful format following transmission

Controls for Networks
Control Problems
  - Electronic eavesdropping
  - Hardware or software malfunctions
  - Errors in data transmission
Control Procedures
  - Checkpoint control procedure
  - Routing verification procedures
  - Message acknowledgment procedures

Controls for Personal Computers
- Take an inventory of personal computers
- Applications utilized by each personal computer
- Classify computers according to risks and exposures
- Physical security

Additional Controls for Laptops

IT Control Objectives for Sarbanes-Oxley
“IT Control Objectives for Sarbanes-Oxley”
  - Issued by IT Governance Institute (ITGI)
  - Provides guidance for compliance with SOX and PCAOB requirements
Content
  - IT controls from COBIT
  - Linked to PCAOB standards
  - Linked to COSO framework

Application Controls for Transaction Processing
Purpose
  - Embedded in business process applications
  - Prevent, detect, and correct errors and irregularities
Application Controls
  - Input Controls
  - Processing Controls
  - Output Controls

Application Controls for Transaction Processing

Input Controls
Purpose
  - Ensure validity
  - Ensure accuracy
  - Ensure completeness
Categories
  - Observation, recording, and transcription of data
  - Edit tests
  - Additional input controls

Observation, Recording, and Transcription of Data
- Confirmation mechanism
- Dual observation
- Point-of-sale devices (POS)
- Preprinted recording forms

Preprinted Recording Form

Edit Tests
Input Validation Routines (Edit Programs)
  - Programs or subroutines
  - Check validity and accuracy of input data
Edit Tests
  - Examine selected fields of input data
  - Rejects data not meeting preestablished standards of quality

Edit Tests

Additional Input Controls
Unfound-Record Test
  - Transactions matched with master data files
  - Transactions lacking a match are rejected
Check-Digit Control Procedure
Modulus 11 Technique

Processing Controls
Purpose
  - Focus on manipulation of accounting data
  - Contribute to a good audit trail
Two Types
  - Control totals
  - Data manipulation controls

Audit Trail

Control Totals
Common Processing Control Procedures
  - Batch control total
  - Financial control total
  - Nonfinancial control total
  - Record count
  - Hash total
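
The control totals listed on this slide, worked through as an added example (not part of the original presentation). The payroll-style records, field names and function names are constructed for illustration; the last case shows a limitation, since offsetting errors leave every total unchanged.

```python
from decimal import Decimal

# Constructed sample batch (assumption: payroll-style records, not from the slides).
BATCH = [
    {"employee_id": 1047, "hours": 40, "amount": Decimal("820.00")},
    {"employee_id": 2213, "hours": 38, "amount": Decimal("741.00")},
    {"employee_id": 3308, "hours": 45, "amount": Decimal("990.00")},
]

def control_totals(records):
    """Compute the batch control totals for a list of transaction records."""
    return {
        "record_count": len(records),                                   # number of records
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),  # money field
        "nonfinancial_total": sum(r["hours"] for r in records),         # meaningful non-money field
        "hash_total": sum(r["employee_id"] for r in records),           # sum with no meaning of its own
    }

def reconcile(header, records):
    """Return the names of control totals that disagree with the batch header."""
    actual = control_totals(records)
    return sorted(name for name in header if header[name] != actual[name])

# Totals recorded on the batch header when the batch was prepared.
HEADER = control_totals(BATCH)

def scenarios():
    """Run the reconciliation against an intact batch and three altered ones."""
    dropped = BATCH[:-1]                          # a record lost in processing

    redirected = [dict(r) for r in BATCH]
    redirected[1]["employee_id"] = 2231           # identifier keyed incorrectly

    offsetting = [dict(r) for r in BATCH]         # two amounts swapped: totals still balance
    offsetting[0]["amount"], offsetting[1]["amount"] = (
        offsetting[1]["amount"], offsetting[0]["amount"])

    return {
        "intact": reconcile(HEADER, BATCH),
        "dropped": reconcile(HEADER, dropped),
        "redirected": reconcile(HEADER, redirected),
        "offsetting": reconcile(HEADER, offsetting),
    }

if __name__ == "__main__":
    for name, mismatches in scenarios().items():
        print(name, mismatches or "all totals agree")
```

The swapped-amounts case reconciles cleanly, which is why control totals are paired with record-level checks such as edit tests and activity listings.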

Data Manipulation Controls
Data Processing
  - Following validation of input data
  - Data manipulated to produce decision-useful information
Processing Control Procedures
  - Software Documentation
  - Error-Testing Compiler
  - Utilization of Test Data

Output Controls
Purpose
  - Ensure validity
  - Ensure accuracy
  - Ensure completeness
Major Types
  - Validating Processing Results
  - Regulating Distribution and Use of Printed Output

Output Controls
Validating Processing Results
  - Preparation of activity listings
  - Provide detailed listings of changes to master files
Regulating Distribution and Use of Printed Output
  - Forms control
  - Pre-numbered forms
  - Authorized distribution list

Study Break #4
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Study Break #5
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A. Specific
B. General
C. Application
D. Input

Copyright
Copyright 2010 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
