Chapter
12-1
Chapter 12: Computer Controls for Organizations and Accounting Information Systems
Introduction
General Controls for Organizations
General Controls for Information Technology
Application Controls for Transaction Processing
General Controls for Organizations
Integrated Security for the Organization
Organization-Level Controls
Personnel Policies
File Security Controls
Business Continuity Planning
Computer Facility Controls
Computer Access Controls
Developing a Security Policy
Integrated Security for the Organization
Physical Security
• Measures used to protect the organization's facilities, resources, or proprietary data stored on physical media
Logical Security
• Limit access to systems and information to authorized individuals
Integrated Security
• Combines physical and logical elements
• Supported by a comprehensive security policy
Physical and Logical Security
Organization-Level Controls
Consistent policies and procedures
Management’s risk assessment process
Centralized processing and controls
Controls to monitor results of operations
Organization-Level Controls
Controls to monitor the internal audit function, the audit committee, and self-assessment programs
Period-end financial reporting process
Board-approved policies that address significant business control and risk management practices
Personnel Policies
Separation of Duties
• Separate Accounting and Information Processing from Other Subsystems
• Separate Responsibilities within the IT Environment
Use of Computer Accounts
• Each employee has a password-protected account
• Biometrics
Separation of Duties
Division of Responsibility in IT Environment
Personnel Policies
Informal Knowledge of Employees
• Protect against fraudulent employee actions
• Observation of suspicious behavior
• Highest percentage of fraud involved employees in the accounting department
• Must safeguard files from intentional and unintentional errors
Safeguarding Computer Files
File Security Controls
Business Continuity Planning
Definition
• Comprehensive approach to ensuring normal operations despite interruptions
Components
• Disaster Recovery
• Fault Tolerant Systems
• Backup
Disaster Recovery
Definition
• Process and procedures
• Following a disruptive event
Summary of Types of Sites
• Hot Site
• Flying-Start Site
• Cold Site
Fault Tolerant Systems
Definition
• Used to deal with computer errors
• Ensure a functional system with accurate and complete data (redundancy)
Major Approaches
• Consensus-based protocols
• Watchdog processor
• Utilize disk mirroring or rollback processing
Backup
Batch Processing
• Risk of losing data before, during, and after processing
• Grandfather-parent-child procedure
Types of Backups
• Hot Backup
• Cold Backup
• Electronic Vaulting
Batch Processing
Computer Facility Controls
Locate Data Processing Centers in Safe Places
• Protect from the public
• Protect from natural disasters (flood, earthquake)
Limit Employee Access
• Security Badges
• Man Trap
Buy Insurance
Study Break #1
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN
Study Break #1 - Answer
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN
Study Break #2
All of the following are considered organization-level controls except:
A. Personnel controls
B. Business continuity planning controls
C. Processing controls
D. Access to computer files
Study Break #2 - Answer
All of the following are considered organization-level controls except:
A. Personnel controls
B. Business continuity planning controls
C. Processing controls
D. Access to computer files
Study Break #3
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security
Study Break #3 - Answer
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security
General Controls for Information Technology
Security for Wireless Technology
Controls for Networks
Controls for Personal Computers
IT Control Objectives for Sarbanes-Oxley
General Controls for Information Technology
IT general controls apply to all information systems
Major Objectives
• Computer programs are authorized, tested, and approved before usage
• Access to programs and data is limited to authorized users
Control Concerns
Security for Wireless Technology
Utilization of wireless local area networks
Virtual Private Network (VPN)
• Allows remote access to entity resources
Data Encryption
• Data converted into a scrambled format
• Converted back to a meaningful format following transmission
Controls for Networks
Control Problems
• Electronic eavesdropping
• Hardware or software malfunctions
• Errors in data transmission
Control Procedures
• Checkpoint control procedure
• Routing verification procedures
• Message acknowledgment procedures
Controls for Personal Computers
Take an inventory of personal computers
Applications utilized by each personal computer
Classify computers according to risks and exposures
Physical security
Additional Controls for Laptops
IT Control Objectives for Sarbanes-Oxley
“IT Control Objectives for Sarbanes-Oxley”
• Issued by the IT Governance Institute (ITGI)
• Provides guidance for compliance with SOX and PCAOB requirements
Content
• IT controls from COBIT
• Linked to PCAOB standards
• Linked to COSO framework
Application Controls for Transaction Processing
Purpose
• Embedded in business process applications
• Prevent, detect, and correct errors and irregularities
Application Controls
• Input Controls
• Processing Controls
• Output Controls
Application Controls for Transaction Processing
Input Controls
Purpose
• Ensure validity
• Ensure accuracy
• Ensure completeness
Categories
• Observation, recording, and transcription of data
• Edit tests
• Additional input controls
Observation, Recording, and Transcription of Data
Confirmation mechanism
Dual observation
Point-of-sale devices (POS)
Preprinted recording forms
Preprinted Recording Form
Edit Tests
Input Validation Routines (Edit Programs)
• Programs or subroutines
• Check validity and accuracy of input data
Edit Tests
• Examine selected fields of input data
• Reject data not meeting pre-established standards of quality
Additional Input Controls
Unfound-Record Test
• Transactions matched with master data files
• Transactions lacking a match are rejected
Check-Digit Control Procedure
Modulus 11 Technique
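Both controls on this slide, as an added example that is not code from the textbook or the slides: a modulus 11 check digit is verified on each customer number, and numbers that pass are then matched against a master file (the unfound-record test). The seven-digit customer-number layout, the master file and the transactions are constructed, and the weights 2 through 7 applied right to left are an assumption, since textbooks vary on the weighting.

```python
from typing import Optional

# Assumed weighting: digits taken from the right are multiplied by 2,3,4,5,6,7,
# repeating. Other modulus 11 variants use different weight orders.
WEIGHTS = (2, 3, 4, 5, 6, 7)


def mod11_check_digit(base: str) -> Optional[str]:
    """Return the modulus 11 check digit for a string of digits.

    Check digit = 11 minus (weighted sum mod 11). A result of 11 becomes 0;
    a result of 10 cannot be written as one digit, so the base number is
    unusable and None is returned.
    """
    total = sum(int(d) * WEIGHTS[i % len(WEIGHTS)]
                for i, d in enumerate(reversed(base)))
    check = 11 - (total % 11)
    if check == 11:
        return "0"
    if check == 10:
        return None
    return str(check)


def passes_check_digit(number: str) -> bool:
    """True when the last digit of number is the correct mod 11 check digit."""
    if len(number) < 2 or not number.isdigit():
        return False
    return mod11_check_digit(number[:-1]) == number[-1]


# Constructed master file: six-digit customer numbers with their check digit appended.
MASTER_FILE = {"1234560", "2001128", "3107752"}

# Constructed transaction batch, including two deliberately bad records.
TRANSACTIONS = [
    {"customer": "1234560", "amount": 250.00},  # valid
    {"customer": "2001128", "amount": 75.50},   # valid
    {"customer": "1243560", "amount": 250.00},  # transposed digits: check digit fails
    {"customer": "5555558", "amount": 10.00},   # check digit is fine, but no master record
]


def validate_transactions(transactions, master_file):
    """Split a batch into accepted records and (record, reason) rejections."""
    accepted, rejected = [], []
    for txn in transactions:
        number = txn["customer"]
        if not passes_check_digit(number):      # check-digit control procedure
            rejected.append((txn, "check digit failure"))
        elif number not in master_file:         # unfound-record test
            rejected.append((txn, "unfound record"))
        else:
            accepted.append(txn)
    return accepted, rejected
```

Note that the transposition in the third record is caught only because the weights differ between adjacent positions; a plain digit sum would let it through.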
Processing Controls
Purpose
• Focus on manipulation of accounting data
• Contribute to a good audit trail
Two Types
• Control totals
• Data manipulation controls
Audit Trail
Control Totals
Common Processing Control Procedures
• Batch control total
• Financial control total
• Nonfinancial control total
• Record count
• Hash total
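The control totals listed above, as an added example that is not part of the slides: the record count, financial control total and hash total are taken when a batch is prepared and recomputed after processing, and the names of the totals that disagree show what kind of damage the batch suffered in between. The record layout and all values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SalesRecord:
    customer_no: int   # nonfinancial field; its sum is the hash total
    invoice_no: int
    amount: float      # financial field; its sum is the financial control total


def control_totals(batch):
    """Compute the control totals for one batch of records."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r.amount for r in batch), 2),
        # Hash total: a sum with no business meaning, kept only to detect changes.
        "hash_total": sum(r.customer_no for r in batch),
    }


def out_of_balance(expected, batch):
    """Names of the control totals that no longer agree with the batch header."""
    actual = control_totals(batch)
    return [name for name, value in expected.items() if actual[name] != value]


# Constructed batch as entered by the user department, with its batch header totals.
PREPARED_BATCH = [
    SalesRecord(1001, 5001, 120.00),
    SalesRecord(1002, 5002, 80.25),
    SalesRecord(1003, 5003, 199.75),
]
BATCH_HEADER = control_totals(PREPARED_BATCH)

# Three ways the batch can be damaged between preparation and posting.
DROPPED_RECORD = PREPARED_BATCH[:2]                # a record lost in transit
ALTERED_AMOUNT = [PREPARED_BATCH[0], SalesRecord(1002, 5002, 82.05), PREPARED_BATCH[2]]
MISKEYED_CUSTOMER = [PREPARED_BATCH[0], SalesRecord(1020, 5002, 80.25), PREPARED_BATCH[2]]


if __name__ == "__main__":
    for label, batch in [("dropped record", DROPPED_RECORD),
                         ("altered amount", ALTERED_AMOUNT),
                         ("miskeyed customer", MISKEYED_CUSTOMER)]:
        print(label, "->", out_of_balance(BATCH_HEADER, batch))
```

A miskeyed customer number leaves the record count and the financial total untouched, which is exactly the gap the hash total exists to close.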
Data Manipulation Controls
Data Processing
• Following validation of input data
• Data manipulated to produce decision-useful information
Processing Control Procedures
• Software Documentation
• Error-Testing Compiler
• Utilization of Test Data
Output Controls
Purpose
• Ensure validity
• Ensure accuracy
• Ensure completeness
Major Types
• Validating Processing Results
• Regulating Distribution and Use of Printed Output
Output Controls
Validating Processing Results
• Preparation of activity listings
• Provide detailed listings of changes to master files
Regulating Distribution and Use of Printed Output
• Forms control
• Pre-numbered forms
• Authorized distribution list
Study Break #4
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN
Study Break #4 - Answer
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN
Study Break #5
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A. Specific
B. General
C. Application
D. Input
Study Break #5 - Answer
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A. Specific
B. General
C. Application
D. Input
Copyright
Copyright 2010 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make backup copies for his/her own use only and not for distribution
or resale. The Publisher assumes no responsibility for errors, omissions,
or damages, caused by the use of these programs or from the use of the
information contained herein.