Chapter 9: Computer Controls for Accounting Information Systems

- Introduction
- General Controls for Organizations
  - Integrated Security for the Organization
  - Organization-Level, Personnel, and File Security Controls
  - Fault-Tolerant Systems, Backup, and Contingency Planning
  - Computer Facility Controls
  - Access to Computer Files
- Information Technology General Controls
  - Security for Wireless Technology
  - Controls for Hardwired Network Systems
  - Security and Controls for Microcomputers
  - IT Control Objectives for Sarbanes-Oxley
- Application Controls for Transaction Processing
  - Input, Processing, and Output Controls
Introduction

Internal control systems, with a focus on:
- specific security in organizations
- control procedures to ensure effective use of resources
- efficient utilization of resources

Primary challenges associated with connectivity:
- protection of sensitive data and information stored or transferred
- providing appropriate security and control procedures
General Controls for Organizations

Developing an appropriate security policy involves:
- identifying and evaluating assets
- identifying threats
- assessing risk
- assigning responsibilities
- establishing security policies and platforms
- implementing across the organization
- managing the security program
Integrated Security for the Organization

- Organizations are dependent on networks for transactions, data sharing, and communications.
  - They need to give access to customers, suppliers, partners, and others.
- Security threats for organizations arise from:
  - the complexity of these networks
  - the accessibility requirements present
- Key security technologies that can be integrated include:
  - intrusion detection systems
  - firewalls
  - biometrics
  - and others
- An integrated security system:
  - reduces the risk of attack
  - increases the costs and resources needed by an intruder
General Controls within IT Environments

- Organization-level controls
- Personnel controls
- File security controls
- Fault-tolerant systems, backup, and contingency planning
- Computer facility controls
- Access to computer files
Organization-Level Controls

Important controls include:
- consistent policies and procedures
- management's risk assessment process
- centralized processing and controls
- controls to monitor results of operations
- controls to monitor the internal audit function, the audit committee, and self-assessment programs
- the period-end financial reporting process
- board-approved policies that address significant business control and risk management practices
Personnel Controls

An AIS depends heavily on people for the:
- creation of the system
- input of data into the system
- supervision of data processing
- distribution of processed data
- use of approved controls

General controls that affect personnel include:
- separation of duties
- use of computer accounts
- separation-of-duties control procedures
Separation of Duties

Separation of duties should be designed and implemented in two ways:
- separate the accounting and information processing subsystems
- separate the responsibilities within the IT environment

Separate responsibilities within the IT environment:
- Designated operational subsystems initiate and authorize asset custody.
- Errors in processing data are detected, entered on an error log, and referred back to the specific user subsystem for correction.

Division of Responsibility

Division of responsibility within an IT environment can be along the following functions:
- systems analysis function
- data control function
- programming function
- computer operations function
- transaction authorization function
- AIS library function
Use of Computer Accounts

Use of computer accounts helps to ensure that access is limited to specific users:
- mostly by using passwords
- nowadays also by use of biometrics (digital fingerprinting)
- this protects the use of scarce resources

Computer accounts:
- limit user access to particular computer files or programs
- protect files from unauthorized use
- protect computer time from unauthorized use
- place resource limitations on account numbers, which limits programmer/operator errors
File Security Controls

The purpose of file security controls is to protect computer files from:
- accidental abuse
- intentional abuse

Some examples of file security controls are:
- external file labels
- internal file labels
- lockout procedures
- file protection rings
- read-only file designation
Fault-Tolerant Systems

Fault-tolerant systems:
- are designed to tolerate computer errors and keep functioning
- are often based on the concept of redundancy
- are created by instituting duplicate communication paths and communications processors

Redundancy in CPU processing can be achieved:
- with consensus-based protocols
- with a second (watchdog) processor

Disks can be made fault-tolerant:
- by a process called disk mirroring
- by rollback processing
Backup

Backup:
- is essential for vital documents
- is batch processed using the grandfather-parent-child procedure
- can be electronically transmitted to remote sites (vaulting)
- needs an uninterruptible power system (UPS) as an auxiliary power supply

Backup is similar to the redundancy concept in fault-tolerant systems:
- a hot backup is performed while the database is online and available for read/write
- a cold backup is performed while the database is offline and unavailable to its users
Contingency Planning

Contingency planning:
- includes the development of a formal disaster recovery plan, which
  - describes procedures to be followed in an emergency
  - describes the role of each member of the team
  - appoints one person to be in command and another to be second-in-command
- involves a recovery site that can be either a hot site or a cold site
Computer Facility Controls

Locate the data processing center in a safe place where:
- the public does not have access
- it is guarded by personnel
- there is a limited number of secured entrances
- there is protection against natural disasters

Further facility controls:
- Limit employee access by incorporating magnetic, electronic, or optical coded identification badges.
- Buy insurance.
Access to Computer Files

Logical access to data is restricted by:
- password codes and identifications (encourage strong passwords)
- biometric identifications using voice patterns, fingerprints, and retina prints
Information Technology General Controls

The objectives of these controls are to provide assurance that:
- the development of and changes to computer programs are authorized, tested, and approved before their use
- access to data files is restricted
- processed accounting data are accurate and complete
Control Concerns

- Errors may be magnified
- Inadequate separation of duties
- Audit trails
- Greater access to data
- Characteristics of magnetic or optical media

Information Technology General Controls

IT general controls involve:
- Security for Wireless Technology
- Controls for Hardwired Network Systems
- Security and Controls for Microcomputers
- IT Control Objectives for Sarbanes-Oxley
Security for Wireless Technology

Security for wireless technology involves:
- a virtual private network (VPN)
- data encryption
Controls for Hardwired Network Systems

The routine use of systems such as DDP and client/server computing increases control problems for companies, which include:
- electronic eavesdropping
- hardware or software malfunctions causing computer network system failures
- errors in data transmission

To reduce the risk of system failures, networks are designed:
- to handle periods of peak transmission volume
- to use redundant components, such as modems, to recover from failure
- to use checkpoint control procedures
- to use routing verification procedures
- to use message acknowledgment procedures
Security and Controls for Microcomputers

General and application control procedures are important to microcomputers. Most risks associated with AISs result from:
- errors, irregularities, or fraud
- general threats to security (such as a computer virus)

Some of the risks that are unique to the microcomputer are:
- Hardware: microcomputers can be easily stolen or destroyed
- Data and software: easy to access, modify, copy, or destroy, and therefore difficult to control

Control Procedures for Microcomputers

Some cost-effective control procedures are:
- take inventory
- install keyboard locks
- lock laptops in cabinets
- follow software protection procedures
- create backup files
- lock office doors

Additional Controls for Laptops

Some specific controls for laptops are:
- identify your laptop
- use nonbreakable cables to attach laptops to stationary furniture
- load antivirus software
- keep laptop information backed up
IT Control Objectives for Sarbanes-Oxley

The Sarbanes-Oxley Act of 2002 (SOX) profoundly impacts public companies:
- managers
- the internal auditors
- the external auditors

The IT Governance Institute (ITGI) issued 'IT Control Objectives for Sarbanes-Oxley' in April 2004, which:
- helps organizations comply with SOX requirements and the PCAOB requirements
- includes detailed guidance for organizations by starting with the IT controls from CobiT, linking those to the IT general control categories in the PCAOB standard, and then linking to the COSO framework
Application Controls for Transaction Processing

Application controls are designed to prevent, detect, and correct errors and irregularities in transactions in the:
- input
- processing
- output
stages of data processing.
Input Controls

Input controls attempt to ensure the:
- validity
- accuracy
- completeness
of the data entered into an AIS.

The categories of input controls include:
- observation, recording, and transcription of data
- edit tests
- additional input controls
Observation, Recording, and Transcription of Data

The observation control procedures that assist in collecting data are:
- feedback mechanisms
- dual observation
- point-of-sale (POS) devices
- preprinted recording forms
Data Transcription

- Data transcription is the preparation of data for computerized processing.
- Preformatted screens make the electronic version look like the printed version.
Edit Tests

Input validation routines (edit programs) check the validity and accuracy of input data after the data have been entered and recorded on a machine-readable file.

Edit tests examine selected fields of input data and reject those transactions whose data fields do not meet the pre-established standards of data quality. Real-time systems apply edit checks during data entry.

Examples of Edit Tests

The following are common edit tests:
- numeric field
- alphabetic field
- alphanumeric field
- valid code
- reasonableness
- sign
- completeness
- sequence
- consistency
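The edit tests listed above, applied by a small edit program to a constructed batch of sales records; this is an added example, not code from the textbook, and the field names, the customer reference table and the 5,000 reasonableness ceiling are assumptions made for the illustration.

```python
import re

# Constructed sample batch of sales transactions (not from the slides).
BATCH = [
    {"seq": 1, "cust": "C101", "region": "WEST", "qty": "5",   "price": "20.00", "amount": "100.00"},
    {"seq": 2, "cust": "C999", "region": "W3ST", "qty": "2",   "price": "10.00", "amount": "20.00"},
    {"seq": 4, "cust": "C102", "region": "EAST", "qty": "-3",  "price": "10.00", "amount": "-30.00"},
    {"seq": 5, "cust": "C103", "region": "",     "qty": "abc", "price": "10.00", "amount": "9000.00"},
    {"seq": 6, "cust": "C101", "region": "EAST", "qty": "4",   "price": "25.00", "amount": "90.00"},
]
VALID_CUSTOMERS = {"C101", "C102", "C103"}  # assumed reference table for the valid-code test
MAX_AMOUNT = 5000.00                        # assumed reasonableness ceiling for one line item

def to_num(text):
    """Numeric-field test helper: the parsed value, or None when the field is not a number."""
    try:
        return float(text)
    except (TypeError, ValueError):
        return None

def edit_tests(rec, expected_seq):
    """Apply the chapter's edit tests to one record; return the names of the failed tests."""
    qty, price, amount = (to_num(rec.get(f)) for f in ("qty", "price", "amount"))
    checks = [
        # completeness: every field present and non-blank
        ("completeness", all(v not in (None, "") for v in rec.values())),
        # alphabetic field: region must be letters only (a blank region is caught by completeness)
        ("alphabetic:region", not rec["region"] or rec["region"].isalpha()),
        # alphanumeric field: customer code is letters and digits only
        ("alphanumeric:cust", re.fullmatch(r"[A-Za-z0-9]+", rec["cust"]) is not None),
        # valid code: customer must exist in the reference table
        ("valid_code:cust", rec["cust"] in VALID_CUSTOMERS),
        # numeric fields: quantity, price and amount must all parse as numbers
        ("numeric", None not in (qty, price, amount)),
        # sign: a shipped quantity must be positive
        ("sign:qty", qty is None or qty > 0),
        # reasonableness: line amount must fall inside the expected range
        ("reasonableness:amount", amount is None or 0 < amount <= MAX_AMOUNT),
        # sequence: transaction numbers must arrive in order with no gaps
        ("sequence:seq", rec["seq"] == expected_seq),
        # consistency: extended amount must equal qty * price
        ("consistency:amount", None in (qty, price, amount) or abs(qty * price - amount) <= 0.005),
    ]
    return [name for name, passed in checks if not passed]

def run_edit_program(batch):
    """Return {seq: failed tests} for rejected records; clean records are omitted."""
    expected = [batch[0]["seq"]] + [r["seq"] + 1 for r in batch[:-1]]
    results = {r["seq"]: edit_tests(r, e) for r, e in zip(batch, expected)}
    return {seq: failed for seq, failed in results.items() if failed}
```

Rejected records carry the names of every test they failed, which is what an error log needs when the transaction is referred back to the user subsystem for correction.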
Processing Controls

Processing controls focus on the manipulation of accounting data after they are input to the computer system. The key objective is a clear audit trail. Processing controls are of two kinds:
- data-access controls
- data manipulation controls
Data-Access Control Totals

Some common processing control procedures are:
- batch control total
- financial control total
- nonfinancial control total
- hash total
- record count
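The batch control totals above, computed on a constructed batch when it is submitted and reconciled against the batch as received; this is an added example, not code from the textbook, and the record layout and the three corruption scenarios are assumptions made for the illustration. The third scenario shows the limit of control totals: offsetting errors leave every total in balance, which is why edit tests and activity listings are needed as well.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    account: int    # account number: summed into the hash total, where the sum itself is meaningless
    qty: int        # units shipped: summed into the nonfinancial control total
    amount: float   # dollar value: summed into the financial control total

def control_totals(batch):
    """The batch control totals the data-control function records when a batch is submitted."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t.amount for t in batch), 2),
        "nonfinancial_total": sum(t.qty for t in batch),
        "hash_total": sum(t.account for t in batch),
    }

def reconcile(submitted_totals, received_batch):
    """Recompute the totals on the batch as received; return the names of the totals that disagree."""
    actual = control_totals(received_batch)
    return sorted(name for name, value in submitted_totals.items() if actual[name] != value)

# Constructed batch (not from the slides), keyed at input by the data-control function.
INPUT_BATCH = [Txn(4102, 3, 150.00), Txn(4305, 1, 80.50), Txn(4120, 2, 60.00)]
INPUT_TOTALS = control_totals(INPUT_BATCH)

# Three assumed ways the same batch can arrive corrupted after transmission or processing.
DROPPED_RECORD = INPUT_BATCH[:2]                                               # last record lost
TRANSPOSED_ACCOUNT = [INPUT_BATCH[0], Txn(4350, 1, 80.50), INPUT_BATCH[2]]     # 4305 keyed as 4350
COMPENSATING_ERRORS = [Txn(4102, 3, 100.00), INPUT_BATCH[1], Txn(4120, 2, 110.00)]  # amounts shifted

if __name__ == "__main__":
    for label, batch in (("dropped record", DROPPED_RECORD),
                         ("transposed account", TRANSPOSED_ACCOUNT),
                         ("compensating errors", COMPENSATING_ERRORS)):
        print(f"{label:20s} -> out-of-balance totals: {reconcile(INPUT_TOTALS, batch) or 'none'}")
```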
Data Manipulation Controls

Once data have been validated by earlier portions of data processing, they usually must be manipulated in some way to produce useful output. Data manipulation controls include:
- software documentation, i.e., flowcharts and diagrams
- compiler
- test data
Output Controls

The objectives of output controls are to ensure:
- validity
- accuracy
- completeness

Two major types of output application controls are:
- validating processing results by activity (or proof) listings
- regulating the distribution and use of printed output through:
  - forms (prenumbered forms)
  - an authorized distribution list
  - shredding sensitive documents
51
Copyright Copyright 2008 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.