Chapter 4 - Internal Controls In IT Systems

Instructor Manual

Introduction To Internal Controls For IT Systems.

It is important to consider possible threats that can disrupt or stop IT systems, and to implement controls that can help prevent these threats. It is important to understand general and application controls, the nature of risks in IT systems, and how these controls can reduce the risks. The AICPA Trust Services Principles are a framework for organizing these risks and controls. Controls can also be categorized into general controls and application controls. General controls apply to the overall IT accounting system. Application controls are input, processing, and output controls within IT applications.

General Controls In IT Systems

o Authentication Of Users And Limiting Unauthorized Users. Authentication is intended to ensure that users trying to access the IT system are valid, authorized users. There are many ways to authenticate users, including log-in procedures using a user ID and password, smart cards, security tokens, and biometric devices. User ID and password combinations are authentication based on what a person knows. Two-factor authentication is based on what a user knows and what he has. Examples are smart cards and security tokens. Biometric authentication uses unique physical characteristics of a person, such as a fingerprint. Even with these controls, an unauthorized user may be able to get access to the system. Thus, additional controls are needed, such as a computer log and a user profile in an authority table that determines each user’s access level.

o Hacking And Other Network Break-Ins. The more extensive the network system, the more openings there are for hackers and unauthorized users. A firewall is hardware, software, or a combination of both that blocks instances of unauthorized network traffic.
The firewall examines network packets of data and tries to allow authorized data to flow through, yet block unauthorized packets of data. Encryption of data, either through symmetric or public key encryption, converts data into cipher text that is not readable unless the user has the correct key. Wireless networks should be encrypted through either Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA). The Service Set Identifier (SSID) of a wireless network should be unique. Other methods to protect network traffic are virtual private networks (VPN) and secure sockets layer (SSL). Other methods to strengthen authentication control are antivirus software, vulnerability assessment, intrusion detection, and penetration testing. These methods help monitor and prevent unauthorized access.

o Organizational Structure. The manner in which a company establishes, delegates, and monitors IT system functions is part of the general controls. For companies with extensive IT systems, this would include an IT governance committee of top executives. The IT governance committee should: (1) align IT strategy with business strategy; (2) budget funds and personnel for IT; (3) develop, monitor, and review all IT policies; and (4) develop, monitor, and review security policies. It is also important that IT duties be properly segregated. The duties of systems analysts and programmers, operators, and database administrators should be segregated. As major changes are made to an IT system, the changes should follow a process that controls the initiation, approval, development, and maintenance of IT systems. Often, the process followed is a System Development Life Cycle (SDLC).

o Physical Environment And Security. An IT system should have controls over the physical environment and physical access controls to the IT system. Physical access controls are intended to prevent malicious acts or vandalism to the system.
The physical environment, such as temperature and humidity, should be controlled to prevent system problems. There should also be dust and fire prevention systems. Uninterruptible power supplies and emergency power supplies can keep the system operating in the event of power failures. Physical access controls include: (1) ID badges or key cards to limit access, (2) video surveillance equipment, (3) logs of those entering the area, and (4) locked storage of data storage media.

o Business Continuity. Business continuity planning is a proactive program to consider risks to business continuation and to develop plans to limit those risks. The business continuity plan should include a strategy for backup and restoration of IT systems, and a disaster recovery plan. The system can use redundant servers and redundant arrays of independent disks (RAID) to guard against system failure. There should also be regular backups of data and off-site storage of backups. A disaster recovery plan includes the steps necessary to continue IT operations after a disaster.

General Controls From An AICPA Trust Principles Perspective.

The AICPA Trust Services Principles are a framework that categorizes risks and controls into five categories: (1) security, (2) availability, (3) processing integrity, (4) online privacy, and (5) confidentiality.

o Risks In Not Limiting Unauthorized Users. There are eight IT controls that can lessen the risk of unauthorized users gaining access to the IT system. Those eight are: user ID, password, security token, biometric devices, log-in procedures, access levels, computer logs, and authority tables. Without such controls, there are security risks, availability risks, processing integrity risks, and confidentiality risks. Security risks come from external persons, as well as from employees of the organization who may try to access data for which they have no need.
Unauthorized access to the IT system can allow persons to browse through data, alter data in an unauthorized manner, destroy data, copy the data with the intent to steal and perhaps sell to competitors, or record unauthorized transactions. Availability risks result when a person gains unauthorized access that may allow him to tamper with the IT system in a manner that shuts down systems and/or programs, making the system or program temporarily unavailable for its intended use. If unauthorized users are able to access the IT system, they pose processing integrity risks in that they may be able to alter data to change the results of processing. This alteration of data could occur prior to the transaction being processed, during processing, or after the processing is complete. Confidentiality risks, or the risk of confidential data being available to unauthorized users, can occur if authentication controls are weak. An unauthorized user who gains access can browse, steal, or destroy confidential data.

o Risks From Hacking Or Other Network Break-Ins. Whether the threat is from an insider or an outsider, efforts should be made to reduce the threat of hacking or network break-ins and to limit the potential harm that can be done by hacking and break-ins. The security risks related to hacking and network break-ins are the same as those identified in the previous section on unauthorized users. The availability risks are that the network break-in can allow systems or programs to be shut down, altered, or sabotaged. The person who breaks in may also plant a virus or worm in the system. The processing integrity risks are that the person breaking in can alter the data or programs to compromise the accuracy or completeness of the data. Recording nonexistent or unauthorized transactions will also compromise data accuracy or completeness, as could a virus or worm.
Again there is a confidentiality risk, since the person breaking in may access, browse, steal, or change confidential data.

o Risks From Environmental Factors. Any environmental changes that affect the IT system can cause availability risks and processing integrity risks. These risks are that systems can be shut down, or that errors and glitches in processing can occur that cause lost or corrupted data. Backup power supply systems allow IT systems to be gradually shut down without the loss or corruption of data.

o Physical Access Risks. The security risk is that an intruder who gains physical access may change user access levels so that he or she can later access data or systems through any network-attached system. The availability risks are that unauthorized physical access would allow an intruder to physically shut down, sabotage, or destroy hardware or software, or to insert viruses or worms from diskette, CD, or other media. An intruder may interrupt processing and thereby affect the accuracy or completeness of processing, causing processing integrity risks. Viruses and worms can also affect the accuracy and completeness of processing. An intruder poses confidentiality risks in that an intruder may be able to gain access to confidential data to browse, alter, or steal the data.

o Business Continuity Risks. The security risk is that an unauthorized person may gain access to the backup data. The availability risk is that as disasters or events interrupt operations, the system becomes unavailable for regular processing. The processing integrity risk is that business interruptions can lead to incomplete or inaccurate data. The confidentiality risk is that unauthorized persons may gain access to confidential data if they are able to gain access to backup data.

Hardware And Software Exposures In IT Systems.

There are many possible configurations of hardware and software that could be used in organizations.
This section describes some typical hardware and software systems and the corresponding risks and controls.

o The Operating System. The operating system is the software that controls the basic input and output activities of the computer. The operating system can be an “entry point” for unauthorized users or hackers. Operating system access allows a user access to all the important aspects of the IT system. Since all application software and database software works through the operating system, access to the operating system also allows access to applications and the database. In addition, all read/write data functions are controlled by the operating system, and any person who has access to the operating system can have access to data. Essentially, access to the operating system opens access to any data or program in the IT system. If a knowledgeable person is able to access and manipulate the operating system, that person potentially has access to all data passing through the operating system, and to all processes or programs. Thus the operating system poses security risks, availability risks, processing integrity risks, and confidentiality risks.

o The Database. The database is an exposure area because any unauthorized access to the data can compromise the security and confidentiality of the data, and potentially interfere with the availability and normal processing of the IT system. An unauthorized user who gains access to the database can browse through the data, compromising the security and confidentiality of the data in the database. The unauthorized user could also destroy or erase data, thereby affecting the accuracy of processing, and perhaps making processing unavailable since some data has been erased.

o The Database Management System. As is true of the data, the DBMS poses security, confidentiality, availability, and processing integrity risk exposures.
Since the database management system reads and writes data to the database, unauthorized access to the DBMS is another exposure area. An unauthorized user who is able to access the DBMS may be able to browse, alter, or steal data.

o LANs And WANs. Since LANs and WANs are connected into the larger network of servers and computers within a company, the LANs represent risk exposure areas because anyone who has access to a workstation on the LAN can have access to data and devices on the entire network within the organization. LANs pose security, confidentiality, availability, and processing integrity risks. An unauthorized user on the LAN may browse, alter, or steal data and thereby compromise the security and confidentiality of data. Any unauthorized manipulation of data or programs through the LAN can affect the availability and processing integrity of the IT system.

o Wireless Networks. The wireless network represents another potential “entry point” for unauthorized access and therefore poses the same four risk exposures of security, confidentiality, availability, and processing integrity. The wireless network has the same kinds of exposures as described in the LAN section above. These network signals are similar to radio signals, and therefore anyone who can receive those radio signals may gain access to the network.

o The Internet And World Wide Web. The Internet connection required to conduct Internet-based business can open the company network to unauthorized users, hackers, and other network break-ins. An unauthorized user can compromise security and confidentiality, and affect availability and processing integrity, by altering data or programs or by inserting virus or worm programs.

o Telecommuting Workers. Telecommuting workers cause two sources of risk exposures to their organizations. First, the network equipment and cabling that is necessary can be an “entry point” for hackers and unauthorized users.
Secondly, the teleworker’s computer is also an “entry point” for potential unauthorized users. The computer used by the teleworker is not under the control of the organization since it is located in the teleworker’s home. Therefore, the organization must rely on the teleworker to maintain appropriate security over that computer and to appropriately use firewalls and virus software updates to keep security up to date. These two “entry points” pose security, confidentiality, availability, and processing integrity risks.

o Electronic Data Interchange. To conduct EDI with business partners, a business must use a dedicated network, a value added network, or the Internet. Regardless of the type of network used for EDI, the EDI network entails security, confidentiality, availability, and processing integrity risks. The EDI network is another “entry point” for unauthorized users or hackers. EDI transactions must be properly guarded and controlled by general controls, including authentication, computer logs, and network break-in controls.

Application Software And Application Controls.

Application software is the software that accomplishes end user tasks such as word processing, spreadsheets, database maintenance, and accounting functions. Application software represents another “entry point” through which unauthorized users or hackers could gain access. Application software has specific processing integrity risks that are not inherent in the eight previous IT components. The specific processing risks are inaccurate, incomplete, or insecure data as it is input, processed, or becomes output. In addition, a risk of application software is the addition and processing of unauthorized transactions. For these specific risks, application controls should be part of accounting applications.

o Input Controls. No matter the manner of input, controls should be in place to ensure that the data entered is accurate and complete.
Input controls should be in place to ensure the authorization, accuracy, and completeness of data input. These input controls are of four types.

Source document controls. Where source documents are used, several source document controls should be used to minimize the potential for errors, incomplete data, or unauthorized transactions as data is entered. The source document as well as the input screen should be well designed so that they are easy to understand and use. Source documents should have clear and direct instructions embedded in the form. Finally, the source document design and input screen design should match each other. The source document should contain an area for authorization by the appropriate manager. The source document forms should be prenumbered and used in that sequence. After source documents have been entered by keying, the source documents should be retained and filed in a manner that allows for easy retrieval.

Standard procedures for data preparation and error handling. Without well-defined source data preparation procedures, employees would be unsure as to which forms to use, when to use them, how to use them, and where to route them. An organization should have error handling procedures. As errors are discovered, they should be logged, investigated, corrected, and resubmitted for processing. The error log should be regularly reviewed by an appropriate manager so that corrective action can be taken on a timely basis.

Programmed edit checks. Application software can include input validation checks to prevent or detect input errors. These validation checks are preprogrammed into accounting application software and are intended to check a field, or fields, for errors. These include field checks, validity checks, limit checks, range checks, reasonableness checks, completeness checks, sign checks, sequence checks, and self-checking digits.

Control totals and reconciliations.
Control totals are useful in any IT system in which transactions are processed in batches. Control totals are subtotals of selected fields for an entire batch of transactions. The totals include record counts, batch totals, and hash totals.

o Processing Controls. Processing controls are intended to prevent, detect, or correct errors that occur during processing in an application. The reconciliation of control totals at various stages of processing is called run-to-run control totals. During processing, some calculations such as addition or multiplication must occur. Limit, range, and reasonableness checks can be used to ensure that the results of these mathematical manipulations are within expected ranges or limits. Computer logs of transactions processed, production run logs, and error listings can be regularly examined to prevent, detect, or correct other errors.

o Output Controls. There are two primary objectives of output controls: to assure the accuracy and completeness of the output, and to properly manage the safekeeping of output reports to ensure that the security and confidentiality of the information is maintained. To ensure accuracy and completeness, the output can be reconciled to control totals. In addition, it is extremely important that users of the reports examine the reports for completeness and reasonableness. An organization must maintain procedures to protect output from unauthorized access. There should be written guidelines and procedures for output distribution. The organization should also establish procedures to guide the retention and disposal of output.

Ethical Issues Of Information Technology.

Without proper controls on IT systems, computer systems can be easily misused by outsiders or employees. In addition to computer assets being misused, access to IT systems may give unauthorized users access to other assets. Management must try to prevent theft conducted using the IT system, such as theft by entering fraudulent transactions.
Both misuse of computers and theft through the computer systems are unethical behaviors that management should discourage through proper internal controls. Unethical problems related to IT systems would include: (1) misuse of confidential customer information stored in an IT system; (2) theft of data such as credit card information by hackers; (3) employee use of IT system hardware and software for personal use or personal gain; and (4) using company e-mail to send offensive, threatening, or sexually explicit material.
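The programmed edit checks listed under Input Controls and the control totals and run-to-run reconciliation described under Processing Controls, worked through as an added example that is not part of the instructor manual. The timesheet batch, the department master list, the 80-hour limit, and the use of a mod-10 (Luhn) check digit for employee IDs are constructed assumptions for illustration.

```python
# Added example (not the manual's code): edit checks and batch control totals on a constructed timesheet batch.
VALID_DEPARTMENTS = {"SALES", "OPS", "IT"}   # assumed master list for the validity check

def check_digit_ok(number: str) -> bool:
    """Self-checking digit: the last digit is a mod-10 (Luhn) check digit (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_checks(rec: dict, prev_seq: int) -> list:
    """Apply the chapter's input validation checks to one record; return the failures."""
    errors = []
    for f in ("seq", "emp_id", "dept", "hours"):                   # completeness check
        if rec.get(f) in (None, ""):
            errors.append(f"missing {f}")
    if errors:
        return errors
    emp_id = str(rec["emp_id"])
    checks = [
        (not emp_id.isdigit(), "emp_id not numeric"),                           # field check
        (emp_id.isdigit() and not check_digit_ok(emp_id), "emp_id fails check digit"),  # self-checking digit
        (rec["dept"] not in VALID_DEPARTMENTS, "unknown dept"),                 # validity check
        (rec["hours"] < 0, "negative hours"),                                   # sign check
        (rec["hours"] > 80, "hours over limit"),                                # limit check (assumed 80)
        (rec["seq"] <= prev_seq, "out of sequence"),                            # sequence check
    ]
    return [msg for failed, msg in checks if failed]

def control_totals(batch: list) -> dict:
    """Record count, batch total (hours) and hash total (sum of employee IDs, meaningless as a number)."""
    return {"count": len(batch),
            "hours": sum(r.get("hours") or 0 for r in batch),
            "hash": sum(int(r["emp_id"]) for r in batch if str(r.get("emp_id")).isdigit())}

def process_batch(batch: list, source_totals: dict) -> dict:
    """Run-to-run totals: source-document totals must match what was entered, and accepted + rejected must equal entered."""
    entered = control_totals(batch)
    accepted, rejected, prev = [], [], 0
    for rec in batch:
        (rejected if edit_checks(rec, prev) else accepted).append(rec)
        if isinstance(rec.get("seq"), int):
            prev = max(prev, rec["seq"])                    # sequence check tracks the highest seq seen
    acc_t, rej_t = control_totals(accepted), control_totals(rejected)
    return {"input_reconciles": entered == source_totals,
            "run_reconciles": all(acc_t[k] + rej_t[k] == entered[k] for k in entered),
            "accepted": acc_t,
            "rejected_seqs": [r.get("seq") for r in rejected]}

# Constructed batch: 12344 and 56788 carry valid check digits, 12345 does not.
SAMPLE_BATCH = [
    {"seq": 1, "emp_id": "12344", "dept": "SALES", "hours": 40},
    {"seq": 2, "emp_id": "12345", "dept": "OPS", "hours": 38},
    {"seq": 3, "emp_id": "56788", "dept": "HR", "hours": 95},
    {"seq": 5, "emp_id": "56788", "dept": "IT", "hours": 42},
    {"seq": 4, "emp_id": "12344", "dept": "OPS", "hours": -2},
]
SOURCE_TOTALS = {"count": 5, "hours": 213, "hash": 150609}  # constructed: totals keyed from the source forms
```

A batch whose entered totals do not match the source-document totals, or whose accepted plus rejected totals no longer add up to the entered totals, should be held and logged for investigation rather than posted, as the error-handling procedure above requires.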