Accounting Information Systems 9th Edition

Accounting Information Systems, 9th Edition
Marshall B. Romney
Paul John Steinbart
©2003 Prentice Hall Business Publishing,
Accounting Information Systems, 9/e, Romney/Steinbart
Chapter 8
Computer Controls and Security
Learning Objectives
1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help ensure that a system is available to users when needed.
Learning Objectives
4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.
Introduction
• During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).
• Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.
Introduction
• Jason is satisfied that many of the transactions are valid and accurate.
• However, some transactions involve the purchase of services from Pacific Electric.
• These transactions were processed on the basis of vendor invoices approved by management.
• Five of these invoices bear the initials “JLC.”
Introduction
• JLC is Jack Carlton, the general supervisor.
• Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.
• What questions does Jason have?
  – Is Carlton telling the truth?
  – If Carlton is not telling the truth, what is he up to?
  – If Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment?
• This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.
Learning Objective 1
Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.
The Four Principles of a
Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.
The Criteria Used To Evaluate Reliability Principles
For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.
Learning Objective 2
Identify and explain the controls that apply to more than one principle of reliability.
Controls Related to More Than One Reliability Principle
• Strategic Planning & Budgeting
• Developing a Systems Reliability Plan
• Documentation
Controls Related to More Than One Reliability Principle
Documentation may be classified into three basic categories:
• Administrative documentation: Describes the standards and procedures for data processing.
• Systems documentation: Describes each application system and its key processing functions.
• Operating documentation: Describes what is needed to run a program.
Learning Objective 3
Identify and explain the controls that help ensure that a system is available to users when needed.
Availability
• Minimizing Systems Downtime
  – Preventive maintenance
  – UPS (uninterruptible power supply)
  – Fault tolerance
• Disaster Recovery Plan
  – Minimize the extent of disruption, damage, and loss
  – Temporarily establish an alternative means of processing information
  – Resume normal operations as soon as possible
Availability
Disaster Recovery, continued
• Train and familiarize personnel with emergency
operations
• Priorities for the recovery process
• Insurance
• Backup data and program files
• Electronic vaulting
• Grandfather-father-son concept
• Rollback procedures
• Specific assignments
• Backup computer and telecommunication facilities
• Periodic testing and revision
• Complete documentation
Learning Objective 4
Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
Developing a Security Plan
• Developing and continuously updating a comprehensive security plan is one of the most important controls a company can implement.
• What questions need to be asked?
  – Who needs access to what information?
  – When do they need it?
  – On which systems does the information reside?
Segregation of Duties Within the Systems Function
• In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
• Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
• To combat this threat, organizations must implement compensating control procedures.
Segregation of Duties Within the Systems Function
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
Segregation of Duties Within the Systems Function
• It is important that different people perform these functions.
• Allowing a person to perform two or more of them exposes the company to the possibility of fraud.
Physical Access Controls
How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs
– Install locks on PCs
– Restrict access to off-line programs, data, and equipment
– Locate hardware and other critical system components away from hazardous materials
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment
Logical Access Controls
• Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
• What are some logical access controls?
  – passwords
  – physical possession identification
  – biometric identification
  – compatibility tests
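Added example (not code from the textbook or its publisher): the segregation-of-duties rule from the preceding slides and the compatibility test listed above, written as two checks that an auditor could run against an access table. The ten function names follow the slide; the pairs treated as incompatible, the user assignments, the resources and the access matrix are constructed sample data, and the user names are made up for the chapter's case.

```python
"""Segregation-of-duties check and an access-matrix compatibility test.

Added illustration for Chapter 8, not code from the textbook or its publisher.
The incompatible function pairs, the user assignments, the resources and the
access matrix are all constructed sample data.
"""
from itertools import combinations

# The ten systems functions named on the segregation-of-duties slide.
FUNCTIONS = (
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysis", "programming",
    "computer operations", "information system library", "data control",
)

# Pairs one person must never hold together (assumed for the example): each
# pair would let one person both make a change and run it, or use it on live data.
INCOMPATIBLE_PAIRS = {
    frozenset({"programming", "computer operations"}),
    frozenset({"programming", "information system library"}),
    frozenset({"programming", "users"}),
    frozenset({"systems analysis", "computer operations"}),
    frozenset({"data control", "computer operations"}),
    frozenset({"security management", "programming"}),
}

# Constructed assignments: user -> systems functions held.
ASSIGNMENTS = {
    "psimpson": {"users"},                               # data entry clerk
    "jcarlton": {"users"},                               # general supervisor
    "mlee": {"programming", "computer operations"},      # violates the rule
    "rgupta": {"security management"},
    "tnguyen": {"data control", "information system library"},
}


def sod_conflicts(assignments, pairs=INCOMPATIBLE_PAIRS):
    """List (user, function_a, function_b) for every incompatible pair one user holds."""
    unknown = {f for funcs in assignments.values() for f in funcs} - set(FUNCTIONS)
    if unknown:
        raise ValueError(f"unknown systems function(s): {sorted(unknown)}")
    conflicts = []
    for user, funcs in assignments.items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in pairs:
                conflicts.append((user, a, b))
    return conflicts


# Constructed access matrix: (user, resource) -> actions allowed. A clerk may
# key invoices; only a supervisor may approve them; nobody listed may add
# vendors on line.
ACCESS_MATRIX = {
    ("psimpson", "vendor_master"): {"read"},
    ("psimpson", "ap_invoices"): {"read", "create"},
    ("jcarlton", "ap_invoices"): {"read", "approve"},
    ("rgupta", "ap_invoices"): {"read"},
}


def compatibility_test(user, resource, action, matrix=ACCESS_MATRIX):
    """Compatibility test: may this user perform this action on this resource?
    Anything not explicitly granted is denied."""
    return action in matrix.get((user, resource), set())


if __name__ == "__main__":
    for user, a, b in sod_conflicts(ASSIGNMENTS):
        print(f"SoD conflict: {user} holds both {a!r} and {b!r}")
    for req in [("psimpson", "ap_invoices", "create"),
                ("psimpson", "vendor_master", "create"),
                ("psimpson", "ap_invoices", "approve")]:
        print(req, "allowed" if compatibility_test(*req) else "denied")
```

The compatibility test is a default-deny lookup: any (user, resource, action) the matrix does not list is refused, so a clerk who can key invoices still cannot add a vendor or approve a payment. The segregation check runs over the whole assignment table rather than at access time, because the exposure is in what one person can do over time, not in any single request.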
Protection of PCs and Client/Server Networks
• Many of the policies and procedures for mainframe control are applicable to PCs and networks.
• The following controls are also important:
  – Train users in PC-related control concepts.
  – Restrict access by using locks and keys on PCs.
  – Establish policies and procedures.
Protection of PCs and Client/Server Networks
• Portable PCs should not be stored in cars.
• Keep sensitive data in the most secure environment possible.
• Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
• Back up hard disks regularly.
• Encrypt or password-protect files.
• Build protective walls around operating systems.
• Ensure that PCs are booted up within a secure system.
• Use multilevel password controls to limit employee access to incompatible data.
• Use specialists to detect holes in the network.
Internet and e-Commerce Controls
• Why should caution be exercised when conducting business on the Internet?
  – the large and global base of people that depend on the Internet
  – the variability in quality, compatibility, completeness, and stability of network products and services
Internet and e-Commerce Controls
  – access of messages by others
  – security flaws in Web sites
  – attraction of hackers to the Internet
• What controls can be used to secure Internet activity?
  – passwords
  – encryption technology
  – routing verification procedures
Internet and e-Commerce Controls
• Another control is installing a firewall: hardware and software that control communications between a company’s internal network (trusted network) and an external network.
• The firewall is a barrier between the networks that allows only authorized traffic to flow into and out of the trusted network. It is a filter, not a total block: traffic it has been configured to permit passes through unchecked.
• Electronic envelopes can protect e-mail messages.
Learning Objective 5
Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
Maintainability
Two categories of controls help ensure the maintainability of a system:
• Project development and acquisition controls
• Change management controls
Project Development and Acquisition Controls
Project development and acquisition controls include:
• Strategic Master Plan
• Project Controls
• Data Processing Schedule
• System Performance Measurements
• Postimplementation Review
Change Management Controls
Change management controls include:
• Periodically review all systems for needed changes
• Require all requests to be submitted in a standardized format
• Log and review requests from authorized users for changes and additions to systems
• Assess the impact of requested changes on system reliability objectives, policies, and standards
Change Management Controls, continued
• Categorize and rank all changes using established priorities
• Implement procedures to handle urgent matters
• Communicate all changes to management
• Require IT management to review, monitor, and approve all changes to software, hardware, and personnel responsibilities
• Assign specific responsibilities to those involved in the change and monitor their work
Change Management Controls, continued
• Control system access rights to avoid unauthorized systems and data access
• Make sure all changes go through the appropriate steps
• Test all changes
• Make sure there is a plan for backing out of any changes in the event they don’t work properly
• Implement a quality assurance function
• Update all documentation and procedures when a change is implemented
Learning Objective 6
Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.
Integrity
• A company designs general controls to ensure that its overall computer system is stable and well managed.
• Application controls prevent, detect, and correct errors in transactions as they flow through the various stages of a specific data processing program.
Integrity: Source Data Controls
Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, and properly accounted for, and are entered into the system or sent to their intended destination in a timely manner.
Source data controls include:
Integrity: Source Data Controls
• Forms design
• Prenumbered forms sequence test
• Turnaround documents
• Cancellation and storage of documents
• Authorization and segregation of duties
• Visual scanning
• Check digit verification
• Key verification
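Added example (not code from the textbook or its publisher): check digit verification from the source data controls above, implemented as a mod-10 (Luhn) scheme and a weighted mod-11 scheme. The mod-11 weights and every sample number are constructed for the example. The second scheme is included because it shows a caveat the slide does not state: mod-10 cannot detect a transposition of an adjacent 0 and 9, while the weighted scheme can.

```python
"""Check digit verification: mod-10 (Luhn) and weighted mod-11.

Added illustration for Chapter 8, not code from the textbook or its publisher.
The mod-11 weights and the sample numbers are constructed for the example.
"""


def luhn_check_digit(body):
    """Mod-10 check digit for a string of digits (the Luhn algorithm)."""
    total = 0
    # Walk from the rightmost body digit; double every other one, starting with it.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True if the last character is the correct Luhn check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


MOD11_WEIGHTS = (2, 3, 4, 5, 6, 7)   # assumed weights, applied right to left


def mod11_check_digit(body):
    """Weighted mod-11 check digit; 'X' stands in when the remainder gives 10."""
    total = sum(int(ch) * MOD11_WEIGHTS[i % len(MOD11_WEIGHTS)]
                for i, ch in enumerate(reversed(body)))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def mod11_valid(number):
    """True if the last character is the correct weighted mod-11 check digit."""
    if len(number) < 2 or not number[:-1].isdigit():
        return False
    return mod11_check_digit(number[:-1]) == number[-1].upper()


if __name__ == "__main__":
    vendor = "7992739871"
    full = vendor + luhn_check_digit(vendor)
    print(full, luhn_valid(full))                      # 79927398713 True
    print("last two transposed:", luhn_valid("79927398731"))   # False
    # Adjacent 0 and 9 swapped: both pass mod-10, so the error is missed.
    print("mod-10 on 091 / 901:", luhn_valid("091"), luhn_valid("901"))  # True True
    # The weighted scheme gives the two bodies different digits, so it is caught.
    print("mod-11 on 09 / 90:", mod11_check_digit("09"), mod11_check_digit("90"))  # 4 6
```

A check digit only guards against keying errors in the identifier itself (a mistyped or transposed digit); it says nothing about whether the vendor behind a well-formed number is genuine, which is what the validity check against the vendor master file and the authorization controls are for.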
Integrity: Input Validation Routines
Input validation routines are programs that check the integrity of input data. They include:
• Sequence check
• Limit check
• Field check
• Range check
• Sign check
• Reasonableness test
• Validity check
• Redundant data check
• Capacity check
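Added example (not code from the textbook or its publisher): all nine input validation routines listed above, applied in one pass to a batch of accounts-payable records. The record layout, the vendor master file, the approval limit, the open accounting period and the field capacities are assumptions made for the example, and the three records in the batch are constructed, including the one for a vendor that does not exist in the master file.

```python
"""Input validation routines run over constructed accounts-payable records.

Added illustration for Chapter 8, not code from the textbook or its publisher.
The record layout, vendor master, approval limit, open period and field
capacities are assumptions made for the example.
"""
from datetime import date

VENDOR_MASTER = {"V1001": "Acme Supply", "V1002": "Northwest Paper"}  # assumed
APPROVAL_LIMIT = 10_000.00                                             # assumed
PERIOD_START, PERIOD_END = date(2003, 3, 1), date(2003, 3, 31)         # assumed
CAPACITY = {"vendor_id": 5, "invoice_no": 12}                          # assumed
NUMERIC = (int, float)


def validate_record(rec, prev_seq=None):
    """Return the validation failures for one record; an empty list means it passed."""
    # Field check: each field must hold the right kind of data. Nothing else
    # can be checked sensibly if this fails, so stop here.
    if not (isinstance(rec.get("seq"), int)
            and isinstance(rec.get("vendor_id"), str)
            and isinstance(rec.get("qty"), int)
            and isinstance(rec.get("unit_price"), NUMERIC)
            and isinstance(rec.get("amount"), NUMERIC)
            and isinstance(rec.get("invoice_date"), date)):
        return ["field: wrong data type in record"]
    errors = []
    # Sequence check: records must arrive in ascending sequence order.
    if prev_seq is not None and rec["seq"] <= prev_seq:
        errors.append(f"sequence: {rec['seq']} does not follow {prev_seq}")
    # Capacity check: a value must fit the space reserved for its field.
    for field, cap in CAPACITY.items():
        if len(str(rec.get(field, ""))) > cap:
            errors.append(f"capacity: {field} exceeds {cap} characters")
    # Validity check: the key must exist in the master file.
    if rec["vendor_id"] not in VENDOR_MASTER:
        errors.append(f"validity: vendor {rec['vendor_id']} not in master")
    # Redundant data check: a second identifier must agree with the first.
    elif VENDOR_MASTER[rec["vendor_id"]] != rec.get("vendor_name"):
        errors.append("redundant data: vendor name does not match master")
    # Sign check: an invoice amount must not be negative.
    if rec["amount"] < 0:
        errors.append("sign: negative amount")
    # Limit check: one value against a fixed ceiling.
    if rec["amount"] > APPROVAL_LIMIT:
        errors.append(f"limit: amount exceeds {APPROVAL_LIMIT:.2f}")
    # Range check: a value against a lower and an upper bound.
    if not PERIOD_START <= rec["invoice_date"] <= PERIOD_END:
        errors.append("range: invoice date outside open period")
    # Reasonableness test: a logical relationship between fields must hold.
    if abs(rec["qty"] * rec["unit_price"] - rec["amount"]) > 0.005:
        errors.append("reasonableness: amount differs from qty * unit_price")
    return errors


def validate_batch(records):
    """Validate records in order, carrying the sequence number across them."""
    results, prev = [], None
    for rec in records:
        results.append(validate_record(rec, prev))
        if isinstance(rec.get("seq"), int):
            prev = rec["seq"]
    return results


# Constructed batch: a clean record, one for a vendor missing from the
# master file, and one that trips every remaining check.
SAMPLE_BATCH = [
    {"seq": 1, "vendor_id": "V1001", "vendor_name": "Acme Supply",
     "invoice_no": "A-2003-0451", "qty": 10, "unit_price": 45.00,
     "amount": 450.00, "invoice_date": date(2003, 3, 12)},
    {"seq": 2, "vendor_id": "V9999", "vendor_name": "Pacific Electric",
     "invoice_no": "PE-7", "qty": 1, "unit_price": 9_800.00,
     "amount": 9_800.00, "invoice_date": date(2003, 3, 15)},
    {"seq": 2, "vendor_id": "V1002", "vendor_name": "Acme Supply",
     "invoice_no": "NP-20030317-0001", "qty": 3, "unit_price": 4_000.00,
     "amount": 12_500.00, "invoice_date": date(2003, 4, 2)},
]

if __name__ == "__main__":
    for rec, errs in zip(SAMPLE_BATCH, validate_batch(SAMPLE_BATCH)):
        print(rec["invoice_no"], errs or "OK")
```

The routine collects every failure instead of stopping at the first one, so the data control function sees the whole picture for a rejected record; only the field check aborts early, because a value of the wrong type makes the arithmetic in the later checks meaningless. Note what the second record shows: an invoice can be internally consistent and under the approval limit and still fail, because the vendor does not exist in the master file.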
Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions. They include:
Integrity: On-line Data Entry Controls
• Field, limit, range, reasonableness, sign, validity, and redundant data checks
• User ID numbers
• Compatibility tests
• Automatic entry of transaction data, where possible
• Prompting
• Preformatting
• Completeness check
• Closed-loop verification
• Transaction log
• Error messages
• Retain data for legal purposes
Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing and stored data:
• Policies and procedures
• Data control function
• Reconciliation procedure
• External data reconciliation
• Exception reporting
Integrity: Data Processing and Storage Controls, continued
• Data currency checks
• Default values
• Data matching
• File labels
• Write protection mechanisms
• Database protection mechanisms
• Data conversion controls
• Data security
Output Controls
• The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
• Data control is also responsible for distributing computer output to the appropriate user departments.
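Added example (not code from the textbook or its publisher): the reconciliation of input and output control totals that the output controls slide above calls for, and the reconciliation procedure listed under data processing controls. It computes the three classic batch totals (record count, financial total, hash total) and compares them before and after processing. The batch records are constructed, and computing the hash total over the numeric part of the vendor id is an assumption for the example.

```python
"""Reconciling input and output control totals for a batch.

Added illustration for Chapter 8, not code from the textbook or its publisher.
The batch records are constructed, and the hash total is taken over the numeric
part of the vendor id, which is an assumption for the example.
"""
from decimal import Decimal


def control_totals(records):
    """Record count, financial total and hash total for a batch."""
    return {
        "record_count": len(records),
        # Decimal, not float, so the financial total is exact to the cent.
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: a sum over a non-financial field that means nothing in
        # itself; it exists only so a swapped or mis-keyed key shows up as a
        # difference.
        "hash_total": sum(int(r["vendor_id"].lstrip("V")) for r in records),
    }


def reconcile(input_totals, output_totals):
    """Names of the control totals that disagree; an empty list means reconciled."""
    return [name for name, value in input_totals.items()
            if output_totals.get(name) != value]


# Constructed: the batch as data control submitted it.
INPUT_BATCH = [
    {"vendor_id": "V1001", "amount": "450.00"},
    {"vendor_id": "V1002", "amount": "1200.50"},
    {"vendor_id": "V1001", "amount": "75.25"},
]
# Constructed: two ways processing can go wrong. One record dropped on the way
# through; one record re-keyed to a different vendor for the same amount.
OUTPUT_DROPPED = INPUT_BATCH[:2]
OUTPUT_MISKEYED = [
    {"vendor_id": "V1001", "amount": "450.00"},
    {"vendor_id": "V1002", "amount": "1200.50"},
    {"vendor_id": "V1007", "amount": "75.25"},
]

if __name__ == "__main__":
    expected = control_totals(INPUT_BATCH)
    print("input totals:", expected)
    for label, batch in [("dropped", OUTPUT_DROPPED), ("mis-keyed", OUTPUT_MISKEYED)]:
        print(label, "->", reconcile(expected, control_totals(batch)) or "reconciled")
```

The mis-keyed batch is why the hash total is kept at all: its record count and financial total still agree with the input, so only the hash total reveals that a payment is now going to the wrong vendor.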
Output Controls
• Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
• A shredder can be used to destroy highly confidential data.
Data Transmission Controls
• To reduce the risk of data transmission failures, companies should monitor the network.
• How can data transmission errors be minimized?
  – using data encryption (cryptography)
  – implementing routing verification procedures
  – adding parity
  – using message acknowledgment techniques
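Added example (not code from the textbook or its publisher): parity and message acknowledgment from the list above, on a simulated link. The sender attaches an even parity bit to every payload byte and a sequence number to every frame; the receiver NAKs any frame with a parity error and the sender retransmits. The frame layout and the noise injection are constructed for the example, and encryption, also on the slide, is left out because the Python standard library has no cipher. The last function shows the limit of a single parity bit: two flipped bits in one byte pass undetected.

```python
"""Parity bits and message acknowledgment on a simulated transmission link.

Added illustration for Chapter 8, not code from the textbook or its publisher.
The frame layout (sequence number, then each payload byte followed by an even
parity bit) and the noise injection are constructed for the example.
"""


def parity_bit(byte):
    """Even parity: 1 when the byte has an odd number of one bits, else 0."""
    return bin(byte).count("1") & 1


def encode_frame(seq, payload):
    """Frame = [seq, b0, p0, b1, p1, ...] with one parity bit per payload byte."""
    frame = [seq]
    for b in payload:
        frame += [b, parity_bit(b)]
    return frame


def decode_frame(frame):
    """Return (seq, payload); raise ValueError if any byte fails its parity check."""
    seq, rest = frame[0], frame[1:]
    payload = bytearray()
    for i in range(0, len(rest), 2):
        b, p = rest[i], rest[i + 1]
        if parity_bit(b) != p:
            raise ValueError(f"parity error in payload byte {i // 2}")
        payload.append(b)
    return seq, bytes(payload)


def flip_bit(frame, byte_index, bit):
    """Simulate line noise: flip one bit of one payload byte, leaving its parity bit as sent."""
    noisy = list(frame)
    noisy[1 + 2 * byte_index] ^= 1 << bit
    return noisy


class Receiver:
    """Acknowledges good frames in order; NAKs any frame with a parity error."""

    def __init__(self):
        self.expected = 0
        self.delivered = []

    def receive(self, frame):
        try:
            seq, payload = decode_frame(frame)
        except ValueError:
            return ("NAK", self.expected)
        if seq == self.expected:
            self.delivered.append(payload)
            self.expected += 1
        # A retransmitted duplicate (seq < expected) is ACKed but not delivered twice.
        return ("ACK", seq)


def send(messages, receiver, corrupt=None, max_retries=3):
    """Send each message, resending on NAK; return the number of frames put on the line.
    corrupt(attempt, seq, frame) -> frame lets the caller inject errors."""
    frames_sent = 0
    for seq, msg in enumerate(messages):
        for attempt in range(max_retries + 1):
            frame = encode_frame(seq, msg)
            if corrupt is not None:
                frame = corrupt(attempt, seq, frame)
            frames_sent += 1
            status, _ = receiver.receive(frame)
            if status == "ACK":
                break
        else:
            raise RuntimeError(f"message {seq} not acknowledged after {max_retries} retries")
    return frames_sent


def demo_retransmission():
    """Two messages; the first attempt at message 1 picks up a single-bit error."""
    rx = Receiver()

    def noise(attempt, seq, frame):
        return flip_bit(frame, 0, 3) if (seq == 1 and attempt == 0) else frame

    frames_sent = send([b"PAY 450.00", b"PAY 75.25"], rx, corrupt=noise)
    return frames_sent, rx.delivered


def parity_detects(flips):
    """Flip the listed bits of one payload byte; True if the receiver notices."""
    frame = encode_frame(0, b"A")
    for bit in flips:
        frame = flip_bit(frame, 0, bit)
    try:
        decode_frame(frame)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo_retransmission())      # (3, [b'PAY 450.00', b'PAY 75.25'])
    print(parity_detects([0]))        # True: one flipped bit is caught
    print(parity_detects([0, 1]))     # False: two flips in one byte cancel out
```

Parity plus acknowledgment addresses accidental corruption and lost frames, which is the failure the slide has in mind. It gives no protection against a deliberate change, because anyone who can alter a byte can recompute its parity bit; that is what the encryption item on the slide, and a message authentication code, are for.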
Data Transmission Controls
Data Transmission Controls take on
added importance in organizations
that utilize electronic data interchange
(EDI) or electronic funds transfer
(EFT).
Data Transmission Controls
In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
Data Transmission Controls
Control procedures, continued
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.
Case Conclusion
• Were Jason and his supervisor able to identify the source of the fictitious invoices? No.
• They asked the police to identify the owner of the Pacific Electric bank account. What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.
End of Chapter 8