Threats to Accounting Information System

THREATS / EXAMPLES
Natural and political disasters: fire or excessive heat; floods; earthquakes; high wind; war
Software errors and equipment malfunctions: hardware failures; software errors or bugs; operating system crashes; power outages and fluctuations; undetected data transmission errors
Unintentional acts: accidents caused by human carelessness, failure to follow established procedures, and poorly trained or supervised personnel; innocent errors or omissions; lost or misplaced data; logic errors; systems that do not meet company needs or are incapable of handling their intended tasks
Intentional acts (computer crimes): sabotage; computer fraud; embezzlement
AIS [Romney, 2003, Page 191]
Five Interrelated Components of COSO's Control Model

COMPONENT / DESCRIPTION
Control environment: The core of any business is its people, with their individual attributes (including integrity, ethical values, and competence) and the environment in which they operate. They are the engine that drives the organization and the foundation on which everything rests.
Control activities: Control policies and procedures must be established and executed to help ensure that the actions identified by management as necessary to address risks to the achievement of the organization's objectives are effectively carried out.
Risk assessment: The organization must be aware of and deal with the risks it faces. It must set objectives, integrated with the sales, production, marketing, financial, and other activities, so that the organization is operating in concert. It must also establish mechanisms to identify, analyze, and manage the related risks.
Information and communication: Surrounding the control activities are information and communication systems. They enable the organization's people to capture and exchange the information needed to conduct, manage, and control its operations.
Monitoring: The entire process must be monitored, and modifications made as necessary. In this way the system can react dynamically, changing as conditions warrant.
AIS [Romney, 2003, Page 197]
Separation of duties

CUSTODIAL FUNCTION
• Handling cash
• Handling inventories, tools, or fixed assets
• Writing checks
• Receiving checks in mail
RECORDING FUNCTION
• Preparing source documents
• Maintaining journals, ledgers, or other files
• Preparing reconciliations
• Preparing performance reports
AUTHORIZATION FUNCTION
• Authorization of transactions

Separating the custodial and recording functions prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
Separating the custodial and authorization functions prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
Separating the recording and authorization functions prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
AIS [Romney, 2003, Page 203]
1. Determine threats that confront the company
2. Estimate the risk, or probability, of each threat occurring
3. Estimate the exposure, or potential loss, from each threat
4. Identify a set of controls to guard against the threat
5. Estimate costs and benefits from instituting the controls
6. Is it cost beneficial to protect the system from the threat? (NO / YES)
   YES: Implement the set of controls to guard against the threat
AIS [Romney, 2003, Page 208]
General Reliability Controls

CONTROL CATEGORY / THREAT/RISK / CONTROL
Strategic planning and budgeting
  Threat/risk: IS does not support business strategies; poor resource use; information needs not met or cannot be paid for.
  Controls: Multiyear strategic plan that is periodically evaluated; research and development group to assess the impact of emerging technologies on business operations; budgets to support the plan.
Developing a system reliability plan
  Threat/risk: Inability to ensure system reliability.
  Controls: Assign plan responsibility to a top-level manager; continuously review and update the plan; identify, document, and test user reliability requirements and performance objectives, policies, and standards; identify and review all new or changed legal requirements; log user requests for change; document, analyze, and report system reliability problems; determine ownership, custody, access, and maintenance responsibility for information resources; develop a security awareness program and communicate it to all existing employees; require new employees to sign a security agreement; perform risk assessment for all changes to the system environment.
Documentation
  Threat/risk: Ineffective design, operation, review, audit, and modification of systems.
  Controls: Administrative documentation [standards and procedures for data processing, analysis, design, programming, file handling and storage]; system documentation [application inputs, processing steps, outputs, error handling]; operating documentation [equipment configuration, programs, files, setup and execution procedures, corrective actions].
AIS [Romney, 2003, Page 227]

Availability Controls
CONTROL CATEGORY / THREATS/RISK / CONTROLS
Minimizing system downtime
  Threat/risk: System outages or failures that interrupt critical business operations; loss or destruction of data.
  Controls: Policies and procedures to handle outages, errors, loss or destruction of data, and other problems; disaster and business interruption insurance; regular preventive maintenance on key components; uninterruptible power system; fault tolerance.
Disaster recovery plan
  Threat/risk: Prolonged interruption of data processing and business operations due to fire, natural disaster, sabotage, or vandalism.
  Controls: Coordinator's responsibility is to implement the plan, determine recovery priorities, assign responsibility for recovery activities, document and test the plan, and continuously review and revise the plan; remote storage of backup data and program files [electronic vaulting, grandfather-father-son]; procedures for recovering lost or destroyed files [checkpoint and roll-back]; insurance coverage; backup computer and telecommunications facilities [reciprocal agreements, hot and cold sites, duplicate hardware, software, and data storage devices].
AIS [Romney, 2003, Page 230]
Key Security Controls

CONTROL CATEGORY / THREATS/RISK / CONTROLS
Segregation of duties in systems function
  Threat/risk: Computer fraud.
  Controls: Clearly divide authority and responsibility among system administration, network management, security management, change management, users, systems analysts, programmers, computer operators, information systems librarian, and the data control group.
Physical access controls
  Threat/risk: Damage to computers and files; unauthorized access to confidential data.
  Controls: Put computers in locked rooms; restrict access to authorized personnel; maintain a few securely locked and carefully monitored entrances; require proper employee ID; require visitors to sign a log as they enter and leave the site; use a security alarm system; restrict access to private, secured telephone lines, authorized terminals, and PCs; install locks on PCs and other computer devices; restrict access to offline programs, data, and equipment; locate critical system components away from hazardous materials; install fire and smoke detectors and fire extinguishers.
Logical access controls
  Threat/risk: Unauthorized access to systems software, application programs, data files, and other system resources.
  Controls: Data security classifications [no restrictions, employees only, owners and top management only, etc.]; determine access privileges of employees and outsiders; review activities of those who can read, add, delete, and change data. Recognize users by what they know [password, PIN, answers to personal questions], what they possess [ID card, active badge], or by personal characteristics [fingerprints, voice patterns, retina prints, facial patterns, signature dynamics, and keyboarding patterns]; compatibility checks; access control matrix.
Protection of personal computers and client/server networks
  Threat/risk: Damage to the computer files and equipment; unauthorized access to confidential data; users who are not security conscious.
  Controls: Inventory PCs and their uses; tailor security to risk and exposure; train users in PC controls; lock disk drives; label equipment with unremovable tags; limit data stored or downloaded; prohibit personal software or copying company software for personal use; keep sensitive data in a secure environment; automatically shut down idle network PCs; back up hard drives regularly; encrypt or password protect files; wipe disks clean with a utility program; place protective walls around the operating system; boot PCs within a security system; use multilevel password control; employ specialists or security programs to detect holes in a network; audit and record security breaches.
Internet and e-commerce controls
  Threat/risk: Damage to data files and equipment; unauthorized access to confidential data.
  Controls: Passwords, encryption, routing verification, virus detection software, firewalls, tunneling, electronic envelopes, deny employees access to the Internet, and Internet servers not connected to other company computers.
AIS [Romney, 2003, Page 236]
Key Maintainability Controls

CONTROL CATEGORY / THREATS/RISK / CONTROL
Project development and acquisition controls
  Threat/risk: System development projects consume excessive resources.
  Controls: Long-range strategic master plan; data processing schedules; assignment of each project to a manager and team; project development plan; project milestones; performance evaluations; system performance measurements (throughput, utilization, response time); and post-implementation reviews.
Change management controls
  Threat/risk: System development projects consume excessive resources; unauthorized system changes.
  Controls: Change management control policies and procedures; periodic review of all systems for needed changes; standardized format for changes; log and review change requests; assess the impact of changes on system reliability; categorize and rank all changes; procedures to handle urgent matters; communicate changes to management and users; management approval of changes; assign specific responsibilities while maintaining adequate segregation of duties; control system access rights; make sure changes go through all appropriate steps; test all changes; develop a plan for backing out of mission-critical system changes; implement a quality assurance function; and update documentation and procedures.
AIS [Romney, 2003, Page 247]

Key Integrity Controls

CONTROL CATEGORY / THREATS/RISK / CONTROLS
Source data controls
  Threat/risk: Invalid, incomplete, or inaccurate source data input.
  Controls: Forms design; sequentially prenumbered forms; turnaround documents; cancellation and storage of documents; reviews for appropriate authorization; segregation of duties; visual scanning; check-digit verification; and key verification.
Input validation routines
  Threat/risk: Invalid or inaccurate data in computer-processed transaction files.
  Controls: As transaction files are processed, edit programs check key data fields using these edit checks: sequence, field, sign, validity, limit, range, reasonableness, redundant data, and capacity checks. Enter exceptions in an error log; investigate, correct, and resubmit them on a timely basis; re-edit them; and prepare a summary error report.
On-line data entry controls
  Threat/risk: Invalid or inaccurate transaction input entered through on-line terminals.
  Controls: Field, limit, range, reasonableness, sign, validity, and redundant data checks; user IDs and passwords; compatibility tests; automatic system data entry; prompting operators during data entry; preformatting; completeness test; closed-loop verification; a transaction log maintained by the system; clear error messages; and data retention sufficient to satisfy legal requirements.
Data processing and storage controls
  Threat/risk: Inaccurate or incomplete data in computer-processed master files.
  Controls: Policies and procedures [governing the activities of data processing and storage personnel; data security and confidentiality; audit agreements]; monitoring and expediting data entry by data control personnel; reconciliation of system updates with control accounts or reports; reconciliation of database totals with externally maintained totals; exception reporting; data currency checks; default values; data matching; data security [data library and librarian, backup copies of data files stored at a secure off-site location, protection against conditions that could harm stored data]; use of file labels and write protection mechanisms; database protection mechanisms [database administrator, data dictionaries, and concurrent update controls]; and data conversion controls.
Output controls
  Threat/risk: Inaccurate or incomplete computer output.
  Controls: Procedures to ensure that system outputs conform to the organization's integrity objectives, policies, and standards; visual review of computer output; reconciliation of batch totals; proper distribution of output; confidential outputs being delivered are protected from unauthorized access, modification, and misrouting; sensitive or confidential output stored in a secure area; users review computer output for completeness and accuracy; shred confidential output no longer needed; error and exception reports.
Data transmission controls
  Threat/risk: Unauthorized access to data being transmitted or to the system itself; system failures; errors in data transmission.
  Controls: Monitor the network to detect weak points; backup components; design the network to handle peak processing; multiple communication paths between network components; preventive maintenance; data encryption; routing verification [header labels, mutual authentication schemes, callback system]; parity checking; and message acknowledgment procedures [echo check, trailer labels, numbered batches].
AIS [Romney, 2003, Page 252]
Edit Program

Transactions -> transaction edit program -> valid transactions -> to file maintenance
Transaction edit program -> error report -> rejected transactions -> correction procedure -> reentry -> error correction program -> corrected transactions -> merge with next batch of transactions
AIS [Romney, 2003, Page 254]
Control Procedures

PROCESSING PROCEDURES / CONTROL PROCEDURES
Step 1: Assemble sales order documents in batches (prepare batch control form)
• Record count of number of sales orders
• Line count of number of inventory items
• Hash totals of quantity sold and price
• Financial total of dollar sales
Step 2: Deliver sales order documents and batch control forms to EDP department
• Check input for proper authorization
• Enter record of input receipt in control log
Step 3: Data entry process (produces sales order transaction file and control report)
• Check digit verification of account number
• Check digit verification of inventory item number
• Field check on quantity, date, and price
• Check sequence of sales order numbers
• Key verification of all numeric fields
• Reconciliation of batch totals
AIS [Romney, 2003, Page 263]
Step 4: Sort and edit process (sales order transaction file; produces control report)
• Sequence check on account number
• Limit check on quantity and price
• Range check on delivery date
• Completeness test on entire record
• Reconciliation of batch totals
• Review of errors identified by edit checks
• Investigation and correction of erroneous input
Step 5: File update (A/R and inventory master file; produces shipping/billing documents and control report)
• Security of master files in file library
• Protection of master files with file labels
• Maintenance of backup copies of master files
• Validity check of customer account number
• Validity check of inventory item number
• Sign check of inventory quantity on hand
• Limit check of sale amount versus credit limit
• Range check on sale price
• Reasonableness test of quantity ordered
• Redundant data check on inventory data
Step 6: Review and distribute shipping/billing documents
• Reconciliation of batch totals
• Review of errors identified by edit checks
• Investigation and correction of erroneous input
• Distribution of billing and shipping documents
• Recording of output distribution in control log
• Return of master files to file library
Step 7: User review
• Visual inspection of output
• Reconciliation of batch totals
AIS [Romney, 2003, Page 264]
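As an added example (not code from Romney's text), the following Python script implements the batch control totals prepared in Step 1 and the edit checks applied in Steps 3 to 5 over a constructed sales-order batch, writing rejected orders to an error log for correction and reentry as the input validation routines table describes, and reconciling the recomputed totals against the batch control form. The master-file data, the reasonableness and range bounds, and the sample batch are all constructed values.

```python
"""Batch edit program for sales-order input (added example; not from Romney's text).
Recomputes the Step 1 batch control totals and applies the Step 3-5 edit checks
(sequence, field, sign, validity, limit, range, reasonableness, redundant data,
completeness); rejected orders go to an error log for correction and reentry.
Master-file data, bounds and the sample batch are constructed values."""
from dataclasses import dataclass

CREDIT_LIMITS = {"10042": 5000.00, "10077": 1500.00}  # constructed A/R master data
LIST_PRICES = {"A100": 12.50, "B200": 40.00}          # constructed inventory master data
MAX_REASONABLE_QTY = 500    # reasonableness bound on quantity ordered (assumed)
MAX_UNIT_PRICE = 10_000.00  # range bound on sale price (assumed)


@dataclass
class Line:
    item: str
    qty: object    # deliberately untyped: the field check must catch bad keying
    price: object


@dataclass
class Order:
    order_no: int
    account: str
    lines: list


def _is_int(v): return isinstance(v, int) and not isinstance(v, bool)
def _is_num(v): return _is_int(v) or isinstance(v, float)


def batch_totals(orders):
    """Batch control totals; a non-numeric field counts as 0 so it shows up as a mismatch."""
    lines = [ln for o in orders for ln in o.lines]
    qtys = [ln.qty if _is_int(ln.qty) else 0 for ln in lines]
    prices = [ln.price if _is_num(ln.price) else 0.0 for ln in lines]
    return {"record_count": len(orders),
            "line_count": len(lines),
            "hash_qty": sum(qtys),
            "hash_price": round(sum(prices), 2),
            "financial_total": round(sum(q * p for q, p in zip(qtys, prices)), 2)}


def edit_checks(order, prev_order_no):
    """Return the edit-check failures for one order; an empty list means valid."""
    errs = []
    if prev_order_no is not None and order.order_no <= prev_order_no:
        errs.append(f"sequence: order {order.order_no} does not follow {prev_order_no}")
    if not order.account or not order.lines:
        errs.append("completeness: account or line items missing")
    if order.account and order.account not in CREDIT_LIMITS:
        errs.append(f"validity: unknown account {order.account}")
    total = 0.0
    for ln in order.lines:
        if not _is_int(ln.qty) or not _is_num(ln.price):
            errs.append(f"field: non-numeric quantity or price on item {ln.item}")
            continue
        if ln.qty <= 0:
            errs.append(f"sign: quantity {ln.qty} for {ln.item} is not positive")
        if ln.qty > MAX_REASONABLE_QTY:
            errs.append(f"reasonableness: quantity {ln.qty} for {ln.item} is implausible")
        if not 0 < ln.price <= MAX_UNIT_PRICE:
            errs.append(f"range: price {ln.price} for {ln.item} is out of range")
        if ln.item not in LIST_PRICES:
            errs.append(f"validity: unknown item {ln.item}")
        elif abs(ln.price - LIST_PRICES[ln.item]) > 0.005:
            errs.append(f"redundant data: keyed price {ln.price} differs from list price of {ln.item}")
        total += ln.qty * ln.price
    # Limit check: sale amount versus credit limit (assumes no prior open balance).
    if order.account in CREDIT_LIMITS and total > CREDIT_LIMITS[order.account]:
        errs.append(f"limit: sale {total:.2f} exceeds credit limit of account {order.account}")
    return errs


def run_edit_program(orders, control_form):
    """Split a batch into valid transactions and an error log, then reconcile batch totals."""
    valid, error_log, prev = [], [], None
    for order in orders:
        errs = edit_checks(order, prev)
        prev = order.order_no
        if errs:
            error_log.append({"order_no": order.order_no, "errors": errs})
        else:
            valid.append(order)
    actual = batch_totals(orders)
    mismatches = {k: (control_form[k], actual[k])
                  for k in control_form if control_form[k] != actual[k]}
    return {"valid": valid, "error_log": error_log, "total_mismatches": mismatches}


# Constructed batch as keyed. Order 1002 was keyed as 80 units where the source
# document showed 8, and order 1005 has the letter O keyed for a zero; the control
# form was totalled from the source documents, so both keying errors also show up
# as batch-total mismatches.
SAMPLE_BATCH = [
    Order(1001, "10042", [Line("A100", 10, 12.50), Line("B200", 2, 40.00)]),
    Order(1002, "10077", [Line("B200", 80, 40.00)]),    # keying error -> limit check
    Order(1003, "10042", [Line("C300", 1, 9.99)]),      # unknown item -> validity check
    Order(1003, "10042", [Line("A100", -3, 12.50)]),    # duplicate number, negative quantity
    Order(1005, "10077", [Line("A100", "1O", 12.50)]),  # "1O" keyed for 10 -> field check
]
CONTROL_FORM = {"record_count": 5, "line_count": 6, "hash_qty": 28,
                "hash_price": 127.49, "financial_total": 622.49}
```

Calling `run_edit_program(SAMPLE_BATCH, CONTROL_FORM)` passes only order 1001, logs the other four with the failing check named, and reports the quantity hash total and financial total as the two mismatches against the control form.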
Overview of data auditing process

AUDIT PLANNING
• Establish scope and objectives
• Organize audit team
• Develop knowledge of business operations
• Review prior audit results
• Identify risk factors
• Prepare audit program
COLLECTION OF AUDIT EVIDENCE
• Observation of operating activities
• Review of documentation
• Discussions with employees
• Questionnaires
• Physical examination of assets
• Confirmation through third parties
• Reperformance of procedures
• Vouching of source documents
• Analytical review
• Audit sampling
EVALUATION OF AUDIT EVIDENCE
• Assess quality of internal controls
• Assess reliability of information
• Assess operating performance
• Consider need for additional evidence
• Consider risk factors
• Consider materiality factors
• Document audit findings
COMMUNICATION OF AUDIT RESULTS
• Formulate audit conclusions
• Develop recommendations for management
• Prepare audit report
• Present audit results to management
AIS [Romney, 2003, Page 322]
Objective 1: Overall security
Objective 2: Program development and acquisition
Objective 3: Program modification
Objective 4: Computer processing
Objective 5: Source data
Objective 6: Data files
Data flow covered by the objectives: source data -> data entry -> processing (programs, files) -> output
AIS [Romney, 2003, Page 326]
COMPUTER SECURITY
Types of Errors and Fraud
• Theft of or accidental or intentional damage to hardware and files
• Loss or theft of or unauthorized access to programs, data files, and other system resources
• Loss or theft of or unauthorized disclosure of confidential data
• Unauthorized modification or use of programs and data files
• Interruption of crucial business activities
Control Procedures
• Information security/protection plan
• Restrictions on physical access to computer equipment
• Logical access controls based on password protection and other authentication procedures
• Data storage and transmission controls such as encryption
• Virus protection procedures
• File backup and recovery procedures
• Fault-tolerant system design
• Disaster recovery plan
• Preventive maintenance
• Firewalls
• Information system insurance
Audit Procedures: System Review
• Inspect computer sites
• Review the information security/protection plan
• Interview information system personnel about security procedures
• Review written documentation about physical access policies and procedures
• Review logical access policies and procedures
• Review file backup and recovery policies and procedures
• Review data storage and transmission policies and procedures
• Review procedures employed to minimize system downtime
• Review vendor maintenance contracts
• Examine system access logs
• Examine disaster recovery plan
• Examine information system casualty insurance policies
Audit Procedures: Tests of Controls
• Observe computer site access procedures
• Observe the preparation and off-site storage of backup files
• Review records of password assignment and modification
• Investigate how unauthorized access attempts were dealt with
• Verify the extent and effectiveness of data encryption use
• Verify the effective use of data transmission controls
• Verify the effective use of firewalls
• Verify the effective use of virus protection procedures
• Verify the use of preventive maintenance and uninterruptible power
• Verify amounts and limitations on insurance coverage
• Examine the results of test simulations of the disaster recovery plan
Compensating Controls
• Sound personnel policies
• Effective user controls
• Segregation of incompatible duties
AIS [Romney, 2003, Page 327]
Program Development
Types of Errors and Fraud
• Inadvertent programming errors
• Unauthorized program code
Control Procedures
• Review software license agreements
• Management authorization for program development and approval of programming specifications
• Management authorization of software acquisition
• User approval of programming specifications
• Thorough testing of new programs
• User acceptance testing
• Complete system documentation, including approvals
Audit Procedures: System Review
• Independent and concurrent review of the systems development process
• Review system development/acquisition policies and procedures
• Review system authorization and approval procedures
• Review programming evaluation standards
• Review program documentation standards
• Review program testing and test approval procedures
• Review procedures for ensuring all acquired software has a proper copyright license agreement
• Discuss system development procedures with management, system users, and information system personnel
• Review final application system documentation
Audit Procedures: Tests of Controls
• Interview users about their involvement in systems acquisition/development and implementation
• Review minutes of development team meetings for evidence of involvement
• Verify management and user sign-off at milestone points in the development process
• Review test specifications, test data, and results of systems tests
• Review software license agreements
Compensating Controls
• Strong processing controls
• Independent processing of test data by auditor
AIS [Romney, 2003, Page 328]
Program Modification
Types of Errors and Fraud
• Inadvertent programming errors
• Unauthorized program code
Control Procedures
• Listing of program components that are to be modified
• Management authorization and approval of program modifications
• User approval of program change specifications
• Thorough testing of program changes, including user acceptance test
• Complete program change documentation, including approvals
• Separate development, test, and production versions of programs
• Changes implemented by personnel independent of users and programmers
• Logical access controls
Audit Procedures: System Review
• Review program modification policies, standards, and procedures
• Review documentation standards for program modification
• Review program modification testing and test approval procedures
• Discuss program modification policies and procedures with management, system users, and information systems personnel
• Review final documentation for some typical program modifications
• Review test specifications, test data, and results of system tests
• Review logical access control policies and procedures
Audit Procedures: Tests of Controls
• Verify user and information system management approval for program changes
• Verify that program components to be modified are identified and listed
• Verify that program change test procedures comply with standards
• Verify that program change documentation complies with standards
• Verify that logical access controls are in effect for program changes
• Observe program change implementation and verify that [1] separate development, test, and production versions are maintained, and [2] changes are not implemented by either user or programming personnel
• To test for unauthorized or erroneous program changes, use [1] source code comparison programs, [2] reprocessing, and [3] parallel simulation
Compensating Controls
• Independent audit tests for unauthorized or erroneous program changes
• Strong processing controls
AIS [Romney, 2003, Page 329]
Computer Processing Controls
Types of Errors and Fraud
• Failure to detect incorrect, incomplete, or unauthorized input data
• Failure to properly correct errors flagged by data editing procedures
• Introduction of errors into files or databases during updating
• Improper distribution or disclosure of computer output
• Intentional or unintentional report inaccuracies
Control Procedures
• Computer data editing routines
• Proper use of internal and external file labels
• Reconciliation of batch totals
• Effective error correction procedures
• Understandable operating documentation and run manuals
• Competent supervision of computer operations
• Effective handling of data input and output by data control personnel
• File change listings and summaries prepared for user department review
• Maintenance of proper environmental conditions in computer facility
Audit Procedures: System Review
• Review administrative documentation for processing control standards
• Review systems documentation for data editing and other processing controls
• Review operating documentation for completeness and clarity
• Review copies of error listings, batch total reports, and file change lists
• Observe computer operations and data control functions
• Discuss processing and output controls with operators and information system supervisory personnel
Audit Procedures: Tests of Controls
• Evaluate adequacy of processing control standards and procedures
• Evaluate adequacy and completeness of data editing controls
• Verify adherence to processing control procedures by observing computer operations and the data control function
• Verify that selected application system output is properly distributed
• Reconcile a sample of batch totals, and follow up on discrepancies
• Trace disposition of a sample of errors flagged by data edit routines to ensure proper handling
• Verify processing accuracy for a sample of sensitive transactions
• Verify processing accuracy for selected computer-generated transactions
• Search for erroneous or unauthorized code via analysis of program logic
• Check accuracy and completeness of processing controls using test data
• Monitor on-line processing systems using concurrent audit techniques
• Recreate selected reports to test for accuracy and completeness
Compensating Controls
• Strong user controls
• Effective source data controls
AIS [Romney, 2003, Page 332]
Source Data Controls
Types of Errors and Fraud
• Inaccurate source data
• Unauthorized source data
Control Procedures
• Effective handling of source data input by data control personnel
• User authorization of source data input
• Preparation and reconciliation of batch control totals
• Logging of the receipt, movement, and disposition of source data input
• Check digit verification
• Key verification
• Use of turnaround documents
• Computer data editing routines
• File change listings and summaries prepared for user department review
• Effective procedures for correcting and resubmitting erroneous data
Audit Procedures: System Review
• Review documentation about responsibilities of the data control function
• Review administrative documentation for source data control standards
• Review methods of authorization and examine authorization signatures
• Review accounting systems documentation to identify source data content and processing steps and specific source data controls used
• Document accounting source data controls using an input control matrix
• Discuss source data control procedures with data control personnel as well as the users and managers of the system
Audit Procedures: Tests of Controls
• Observe and evaluate data control department operations and specific data control procedures
• Verify proper maintenance and use of the data control log
• Evaluate how items recorded in the error log are dealt with
• Examine samples of accounting source data for proper authorization
• Reconcile a sample of batch totals and follow up on discrepancies
• Trace disposition of a sample of errors flagged by data edit routines
Compensating Controls
• Strong user controls
• Strong processing controls
AIS [Romney, 2003, Page 336]
Input Controls Matrix
AIS [Romney, 2003, Page 337]
[Matrix figure. Record name: Employee Weekly Time Report. Field names across the columns: Employee number, Last name, Department number, Regular hours, Overtime hours, Week ending date, Transaction code; a Comments column. Input controls down the rows: Financial total, Hash total, Record counts, Cross-footing balance, Key verification, Visual inspection, Check digit verification, Prenumbered forms, Turnaround document, Edit program (Sequence check, Field check, Sign check, Validity check, Limit check, Reasonableness test, Redundant data check, Completeness test, Overflow procedure), Other. Cells are marked Yes, No, or All fields per control and field.]
Data File Controls
Types of Errors and Fraud
• Destruction of stored data due to inadvertent errors, hardware or software malfunctions, and intentional acts of sabotage or vandalism
• Unauthorized modification or disclosure of stored data
Control Procedures
• Secure file library and restrictions on physical access to data files
• Logical access controls using passwords and access control matrix
• Proper use of file labels and write-protection mechanisms
• Concurrent update controls
• Use of data encryption for highly confidential data
• Use of virus protection software
• Maintenance of backup copies of all data files in an off-site location
• Use of checkpoint and rollback to facilitate system recovery
Audit Procedures: System Review
• Review documentation for functions of file library operation
• Review logical access policies and procedures
• Review operating documentation to determine prescribed standards for
  - Use of file labels and write-protection mechanisms
  - Use of virus protection software
  - Use of backup data storage
  - System recovery, including checkpoint and rollback procedures
• Review systems documentation to examine prescribed procedures for
  - Use of concurrent update controls and data encryption
  - Control of file conversions
  - Reconciling master file totals with independent control totals
• Examine disaster recovery plan
• Discuss data file control procedures with systems managers and operators
Audit Procedures: Tests of Controls
• Observe and evaluate file library operations
• Review records of password assignment and modification
• Observe and evaluate file-handling procedures by operations personnel
• Observe the preparation and off-site storage of backup files
• Verify the effective use of virus protection procedures
• Verify the use of concurrent update controls and data encryption
• Verify completeness, currency, and testing of the disaster recovery plan
• Reconcile master file totals with separately maintained control totals
• Observe the procedures used to control file conversion
Compensating Controls
• Strong user controls
• Effective computer security controls
• Strong processing controls
AIS [Romney, 2003, Page 338]
Computer Audit Software

FUNCTION / EXPLANATION / EXAMPLES
Reformatting: Read data in different formats and data structures, and convert to a common format and structure. Examples: read inventory records from a purchasing database and convert them to an inventory file for the GAS program.
File manipulation: Sort records into sequential order; merge files sequenced on the same sort key. Examples: sort inventory records by location; merge customer transaction file with receivables master file.
Calculation: Perform the four basic arithmetic operations: add, subtract, multiply, and divide. Examples: foot client accounts receivable file; recalculate client inventory valuation; recalculate client depreciation; sum employee payroll by department.
Data selection: Review data files to retrieve records meeting specified criteria. Examples: identify customer accounts having a balance exceeding the credit limit; select all purchase transactions in excess of a specified dollar amount.
Data analysis: Examine records for errors or missing values; compare fields in related records for inconsistencies. Examples: perform data editing of client files; compare personnel and payroll files to verify consistency.
File processing: Provide programming capability for file creation, updating, and downloading to a personal computer. Examples: use parallel simulation to verify that client gross pay calculations are correct; download a sample of client inventory records to a personal computer for further analysis to support inventory test counts.
Statistics: Stratify file records by item valuation; select statistical samples; analyze statistical sampling results. Examples: stratify customer accounts by size of account balance and select a stratified sample of accounts for audit confirmation.
Report generation: Format and print reports and documents. Examples: prepare analysis of financial statement ratios and trends; prepare accounts receivable aging schedule; prepare audit confirmations.
AIS [Romney, 2003, Page 340]
Threats and Controls in the Revenue Cycle

PROCESS/ACTIVITY / THREAT / APPLICABLE CONTROL PROCEDURES
Sales order entry
  1. Incomplete or inaccurate customer orders. Controls: data entry edit checks.
  2. Credit sales to customers with poor credit. Controls: credit approval by credit manager, not by sales function; accurate records of customer account balances.
  3. Legitimacy of orders. Controls: signatures on paper documents; digital signatures and digital certificates for e-business.
  4. Stockouts, carrying costs, and markdowns. Controls: inventory control systems.
Shipping
  5. Shipping errors (wrong merchandise, wrong quantities, wrong address). Controls: reconciliation of sales order with picking ticket and packing slip; bar code scanners; data entry application controls.
  6. Theft of inventory. Controls: restrict physical access to inventory; documentation of all internal transfers of inventory; periodic physical counts of inventory and reconciliation of counts to recorded amounts.
Billing and accounts receivable
  7. Failure to bill customers. Controls: separation of shipping and billing functions; prenumbering of all shipping documents and periodic reconciliation to invoices; reconciliation of picking tickets and bills of lading with sales orders.
  8. Billing errors. Controls: data entry edit controls; price lists.
  9. Posting errors in updating accounts receivable. Controls: reconciliation of subsidiary accounts receivable ledger with general ledger; monthly statements to customers.
Cash collection
  10. Theft of cash. Controls: segregation of duties; minimization of cash handling; lockbox arrangements; prompt endorsement and deposit of all receipts; periodic reconciliation of bank statement with records by someone not involved in cash receipts processing.
General control issues
  11. Loss of data. Controls: backup and disaster recovery procedures; access controls (physical and logical).
  12. Poor performance. Controls: preparation and review of performance reports.
AIS [Romney, 2003, Page 381]
Threats and Controls in the Expenditure Cycle
THREAT | APPLICABLE CONTROL PROCEDURES
Order goods
1. Preventing stockouts and/or excess inventory | Inventory control systems; perpetual inventory records; bar code technology; periodic counts of inventory
2. Requesting unnecessary items | Accurate perpetual inventory records; approval of purchase requisitions
3. Purchasing goods at inflated prices | Solicit competitive bids; use of approved suppliers; approval of purchase orders; budgetary controls
4. Purchasing goods of inferior quality | Use of approved vendors; approval of purchase orders; monitor vendor performance; budgetary controls
5. Purchasing from unauthorized suppliers | Approval of purchase orders; restrict access to supplier master file
6. Kickbacks | Policies; require purchasing employees to disclose financial interests in suppliers; vendor audits
Receive and store goods
7. Receiving unordered goods | Require receiving to verify existence of valid purchase order
8. Making errors in counting | Use of bar coding technology; document employee performance; incentives for accurate counts
9. Stealing inventory | Physical access controls; periodic count of inventory and reconciliation of physical
Approve invoices and pay vendor
10. Failing to catch errors in vendor invoices | Double-check invoice accuracy; training of accounts payable staff; use of ERS
11. Paying for goods not received | Only pay invoices supported by original receiving report; use of ERS; budgetary controls
12. Failing to take available purchase discounts | Proper filing; cash flow budgets
13. Paying the same invoice twice | Only pay invoices supported by original voucher package; cancellation of voucher package upon payment; use of ERS; control access to supplier master file
14. Recording and posting errors in accounts payable | Various data entry and processing edit controls
15. Misappropriating cash, checks, or EFTs | Restrict access to blank checks, check signing machine, and EFT transfer terminals; segregation of duties of accounts payable and cashier; reconciliation of bank account by someone independent of cash disbursement process; check protection measures including positive pay; regular review of EFT transactions
General control
16. Losing data | Backup and disaster recovery plans; physical and logical access controls
17. Performing poorly | Development and periodic review of appropriate performance reports
AIS [ Romney, 2003, Page 435 ]
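The controls for threats 5, 11 and 13 above (approved supplier master file, payment only against an original receiving report, cancellation of the voucher package on payment), as an added Python example that is not from the textbook; the supplier, purchase order, receiving report and invoice values are constructed.

```python
"""Voucher-package checks before a cash disbursement (added example, not the textbook's code)."""

# Constructed master data and supporting documents; all ids and amounts are made up.
APPROVED_SUPPLIERS = {"S100": "Acme Parts", "S200": "Beta Supply"}
PURCHASE_ORDERS = {"PO-1": {"supplier": "S100", "qty": 10, "unit_price": 5.0}}
RECEIVING_REPORTS = {"RR-1": {"po": "PO-1", "qty_received": 10}}


class VoucherRegister:
    """Tracks cancelled voucher packages so the same invoice cannot be paid twice."""

    def __init__(self):
        self.paid = set()  # (supplier, invoice_no) pairs whose voucher package was cancelled

    def approve(self, invoice):
        """Return (approved, reason). Payment is approved only when the invoice is from an
        approved supplier, is supported by a matching purchase order and receiving report,
        agrees with the supported amount, and its voucher package was not already cancelled."""
        key = (invoice["supplier"], invoice["invoice_no"])
        if invoice["supplier"] not in APPROVED_SUPPLIERS:
            return False, "supplier not in approved supplier master file"
        if key in self.paid:
            return False, "voucher package already cancelled (duplicate invoice)"
        po = PURCHASE_ORDERS.get(invoice["po"])
        if po is None or po["supplier"] != invoice["supplier"]:
            return False, "no matching purchase order"
        rr = RECEIVING_REPORTS.get(invoice["receiving_report"])
        if rr is None or rr["po"] != invoice["po"]:
            return False, "no matching receiving report (goods not received)"
        # Pay only for what was both ordered and received, at the purchase order price.
        supported = po["unit_price"] * min(po["qty"], rr["qty_received"])
        if abs(invoice["amount"] - supported) > 0.005:
            return False, f"invoice amount {invoice['amount']} differs from supported {supported}"
        self.paid.add(key)  # cancel the voucher package upon payment
        return True, "paid"


if __name__ == "__main__":
    register = VoucherRegister()
    invoice = {"supplier": "S100", "invoice_no": "INV-7", "po": "PO-1",
               "receiving_report": "RR-1", "amount": 50.0}
    print(register.approve(invoice))  # first presentation is paid
    print(register.approve(invoice))  # second presentation is rejected as a duplicate
```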
Threats and Controls in the Production Cycle
THREAT | APPLICABLE CONTROL PROCEDURES
Product design
1. Poor product design | Improved information about the effects of product design on costs; detailed data about warranty and repair costs
Planning and scheduling
2. Overproduction or underproduction | Better production planning systems
Production operations
3. Suboptimal investment in fixed assets | Review and approval of fixed asset acquisitions; budgetary controls
4. Theft or destruction of inventories and fixed assets | Restrict physical access to inventories and fixed assets; document all movements of inventory through the production process; identification of all fixed assets; periodic physical counts of inventory and fixed assets; proper documentation and review of all transactions involving disposal of fixed assets; adequate insurance
Cost accounting
5. Recording and posting errors resulting in inaccurate cost data | Data entry edit controls; use of bar code scanning where feasible; reconciliation of recorded amounts with periodic physical counts
General threats
6. Loss of data | Backup and disaster recovery planning; restricting access to cost data
7. Poor performance | Improved and timelier reporting
AIS [ Romney, 2003, Page 482 ]
Threats and Controls in the Payroll/HRM Cycle
THREAT | APPLICABLE CONTROL PROCEDURES
Hiring and recruiting
1. Hiring unqualified or larcenous employees | Sound hiring procedures, including verification of job applicant's skills, references, and employment history
2. Violation of employment law | Thorough documentation of hiring procedures; training on current developments in employment law
Payroll processing
3. Unauthorized changes to payroll master file | Segregation of duties: HRM versus payroll and paycheck distribution; access controls; review of all changes
4. Inaccurate time data | Automation of data collection; various edit checks; reconciliation of time card data with job-time ticket data
5. Inaccurate processing of payroll | Batch totals and other application controls; payroll clearing account; review of IRS regulations
6. Theft or fraudulent distribution of paychecks | Direct deposit; paycheck distribution independent of payroll process; investigation of unclaimed paychecks; restricted access to blank paychecks; prenumbering and periodic accounting for all paychecks; use of separate payroll checking account, maintained as an imprest fund; reconciliation of payroll bank account by someone not involved in payroll processing
General
7. Loss or unauthorized disclosure of data | Backup procedures; disaster recovery plans; physical and logical access controls; encryption of data
8. Poor performance | Development and periodic review of appropriate performance metrics; training programs
AIS [ Romney, 2003, Page 518 ]
Threats and Controls in the General Ledger and Reporting Systems
THREAT | APPLICABLE CONTROL PROCEDURES
Updating the general ledger
1. Errors | Input and processing controls; reconciliations and control reports; audit trail
Access to the general ledger
2. Loss of confidential data and/or concealment of theft | Access controls; audit trail
Loss or destruction of the general ledger
3. Loss of data and assets | Backup and disaster recovery procedures
AIS [ Romney, 2003, Page 550 ]
Advantages and Disadvantages of Data Gathering Methods
METHOD | ADVANTAGES | DISADVANTAGES
Interviews | Can answer "why" questions; interviewer can probe and follow up; questions can be clarified; builds positive relationships with interviewee; builds acceptance and support for new system | Time-consuming; expensive; personal biases or self-interest may produce inaccurate information
Questionnaires | Can be anonymous; not time-consuming; inexpensive; allows more time to think about responses | Does not allow in-depth questions or answers; cannot probe or follow up on responses; questions cannot be clarified; impersonal, does not build relationships; difficult to develop; often ignored or completed superficially
Observation | Can verify how system actually works, rather than how it should work; results in greater understanding of system | Time-consuming; expensive; difficult to interpret properly; observed people may alter behavior
Systems documentation | Describes how system should work; written form facilitates review and analysis | Time-consuming; may not be available or easy to find
AIS [ Romney, 2003, Page 589 ]
AIS Objectives
Usefulness | Information produced by the system should help management and users in decision making
Economy | The benefits of the system should exceed the costs
Reliability | The system should process data accurately and completely
Availability | Users should be able to access the system at their convenience
Timeliness | Crucial information should be produced first and the less important items as time permits
Customer service | Courteous and efficient customer service should be provided
Capacity | System capacity should be sufficient to handle periods of peak operation and future growth
Ease of use | The system should be user-friendly
Flexibility | The system should accommodate reasonable operating or system requirement changes
Tractability | The system should be easily understood by users and designers and facilitate problem solving and future systems development
Auditability | Auditability should be built into the system from the beginning of systems development
Security | Only authorized users should be granted access or allowed to change system data
AIS [ Romney, 2003, Page 593 ]
Hardware, Software, and Vendor Evaluation Criteria
Hardware evaluation
Is the cost of the hardware reasonable, based on its capabilities and features?
Can the hardware run the desired software?
Are the CPU's processing speed and capabilities adequate for the intended use?
Are the secondary storage capabilities adequate?
Are the input and output speeds and capabilities adequate?
Does the system have adequate communication capabilities?
Is the system expandable?
Is the hardware based on the most recent technology, or on technology that is old or soon to be out of date?
Is the hardware available now? If not, when?
Is the system under consideration compatible with existing hardware, software, and peripherals?
How do evaluations of the system's performance compare with those of its competitors?
What is the availability and cost of support and maintenance?
What guarantees and warranties come with the system?
Are financing arrangements available [if applicable]?
Software evaluation
Does the package meet all mandatory specifications?
How well does the package meet desirable specifications?
Will program modifications be required to meet company needs?
Does the software contain adequate controls?
Is the performance [speed, accuracy, reliability] adequate?
How many other companies use the software?
Are other users satisfied with the package?
Is the package well documented?
Is the software compatible with existing corporate software?
Is the software user-friendly?
Can the software be demonstrated and test driven?
Does the software have an adequate warranty?
Is the software flexible and easily maintained?
Is on-line inquiry of files and records possible?
Will the vendor keep the package up-to-date?
Vendor evaluation
How long has the vendor been in business?
How large is the vendor?
Is the vendor financially stable and secure?
How much experience does the vendor have with the hardware and software?
How well does the vendor stand behind its products? How good is its guarantee?
Does the vendor regularly update its products?
Does the vendor provide financing?
Will the vendor put promises in a contract?
Will the vendor supply a list of customers as references?
Does the vendor have a reputation for reliability and dependability?
Does the vendor provide hardware and software support and maintenance?
Does the vendor provide implementation and installation support?
Does the vendor have high-quality and experienced personnel?
Does the vendor provide training?
How responsive and timely is vendor support?
AIS [ Romney, 2003, Page 618 ]
Output Design Considerations
CONSIDERATION | CONCERN
Use | Who will use the output, why and when do they need it, and what decisions will they need to make based on it?
Medium | Should output be paper, screen, voice response, diskette, microfilm, or some combination of these?
Format | The format that clearly conveys the most information should be selected [table, narrative, graphic]; for example, large volumes of data can be condensed easily into graphs that are easy to read and interpret
Preprinted | Should paper output be on a preprinted form, such as a check or purchase order? Should turnaround documents be used?
Location | Where should AIS output be sent?
Access | Who should have access to hard copy and computer screen output?
Detail | Lengthy output should be preceded by an executive summary and a table of contents; headings and legends organize data and highlight important items; detailed information is placed in an appendix
Timeliness | How often should AIS output be produced?
AIS [ Romney, 2003, Page 664 ]
File and Database Design Considerations
CONSIDERATION | CONCERN
Medium | Should data be stored on hard drive, disk, diskette, CD, tape, or paper?
Organization and access | Should sequential, indexed-sequential, or random-access methods be used?
Processing mode | Should manual, batch, or real-time processing be used?
Maintenance | What procedures are needed to maintain data effectively?
Size | How many records will be stored in the database and how large are they? How fast is the number of records expected to grow?
Activity level | What percentage of the records will be added or deleted each year? What percentage will need to be updated?
Input Design Considerations
CONSIDERATION | CONCERN
Medium | Should AIS data be entered using a keyboard; an OCR, MICR, or POS terminal; EDI; or voice input?
Source | Where do data originate [a computer, customer, remote location, etc.], and how does that affect data entry?
Format | What format [source or turnaround document, screen, source data automation] efficiently captures the data with the least effort and cost?
Type | What is the nature of AIS data?
Volume | How much data are to be entered?
Personnel | What are the data entry operators' abilities, function, and expertise? Is additional training necessary?
Frequency | How often do AIS data need to be entered?
Cost | How can costs be minimized without adversely affecting efficiency and accuracy?
Error detection and correction | What errors are possible, and how can they be detected and corrected?
AIS [ Romney, 2003, Page 665 ]
Principles of Good Forms Design
General Considerations
• Are preprinted data used to the maximum extent possible?
• Are the weight and grade of the paper appropriate for the planned use?
• Are bold type, double-thick lines, and shading used appropriately to highlight different parts of the form?
• Is the form a standard size?
• Is the size of the form consistent with requirements for filing, binding, or mailing?
• If the form will be mailed to external parties, is the address positioned so that the form can be used in a window envelope?
• Are copies of the form printed in different colors to facilitate proper distribution?
• Are there clear instructions on how to complete the form?
Introductory Section of Form
• Does the name of the form appear at the top, in bold type?
• Is the form prenumbered consecutively?
• If the form will be distributed to external parties, are the company's name and address preprinted on the form?
Main Body of Form
• Is logically related information [e.g. customer name, address] grouped together?
• Is the ordering of data items consistent with the sequence in which those items are most likely to be acquired?
• Are standardized explanations preprinted so that codes or check-offs can be used instead of requiring written user entries?
Conclusion Section of Form
• Is space provided to record the final disposition of the form?
• Is space provided for a signature[s] to indicate final approval of the transaction?
• Is space provided to record the date of final disposition or approval?
• Is space provided for a dollar or other numeric total?
• Is the distribution of each copy of the form clearly indicated?
AIS [ Romney, 2003, Page 666 ]
Control Design Considerations
CONSIDERATION | CONCERN
Validity | Are all system interactions valid? For example, how can the AIS ensure that cash disbursements are made only to legitimate vendors?
Authorization | Are input, processing, storage, and output activities authorized by the appropriate managers? For example, how can the AIS ensure that payroll additions have been authorized?
Accuracy | Is input verified to ensure accuracy? What controls are in place to ensure that data passed between processing activities are not lost?
Security | Is the system protected against [a] unauthorized physical and logical access, to prevent the improper use, alteration, destruction, or disclosure of information and software, and [b] the theft of system resources?
Numerical control | Are documents prenumbered to prevent errors or intentional misuse and to detect when documents are missing or stolen?
Availability | Is the system available for operation and use at times set forth in service-level statements or agreements? Can users enter, update, and retrieve data during the agreed-upon times?
Maintainability | Can the system be modified as required without affecting system availability, security, and integrity? Are only authorized, tested, and documented changes made to the system and related data? Are resources available to manage, schedule, document, and communicate the changes to management and authorized users?
Integrity | Is data processing complete, accurate, timely, and authorized? Is data processing free from unauthorized or inadvertent system manipulation?
Audit trail | Can transaction data be traced from source documents to final output [and vice versa]? For example, if a customer calls with a question, can transaction details be easily accessed?
AIS [ Romney, 2003, Page 670 ]
Factors to Investigate During Postimplementation Review
FACTORS | QUESTIONS
Goals and objectives | Does the system help the organization meet its goals, objectives, and overall mission?
Satisfaction | Are the users satisfied with the system? What would they like changed or improved?
Benefits | How have users benefited from the system? Were the expected benefits achieved?
Costs | Are actual costs in line with expected costs?
Reliability | Is the system reliable? Has the system failed and, if so, what caused its failure?
Accuracy | Does the system produce accurate and complete data?
Timeliness | Does the system produce information on a timely basis?
Compatibility | Are the hardware, software, data, and procedures compatible with existing systems?
Controls and security | Is the system safeguarded against unintentional errors, fraud, and unauthorized intrusion?
Errors | Do error-handling procedures exist, and are they adequate?
Training | Are systems personnel and users adequately trained to support and use the system?
Communications | Is the communication system adequate?
Organizational changes | Are any organizational changes brought about by the system beneficial or harmful? If harmful, how can they be resolved?
Documentation | Is system documentation complete and accurate?
AIS [ Romney, 2003, Page 677 ]