Chapter 10-1 Chapter 10: Computer Controls for Organizations and Accounting Information Systems Introduction Enterprise Level Controls General Controls for Information Technology Application Controls for Transaction Processing Chapter 10-2 Enterprise Level Controls Consistent policies and procedures Management’s risk assessment process Centralized processing and controls Controls to monitor results of operations Chapter 10-3 Enterprise Level Controls Controls to monitor the internal audit function, the audit committee, and selfassessment programs Period-end financial reporting process Board-approved policies that address significant business control and risk management practices Chapter 10-4 Risk Assessment and Security Policies Chapter 10-5 Integrated Security for the Organization Physical Security Measures used to protect its facilities, resources, or proprietary data stored on physical media Logical Security Limit access to system and information to authorized individuals Administrative – Policies, procedures, standards, and guidelines. Chapter 10-6 Physical and Logical Security Chapter 10-7 General Controls for Information Technology Access to Data, Hardware, and Software Protection of Systems and Data with Personnel Policies Protection of Systems and Data with Technology and Facilities Chapter 10-8 General Controls for Information Technology IT general controls apply to all information systems Major Objectives Access to programs and data is limited to authorized users Data and systems protected from change, theft, and loss Computer programs are authorized, tested, and Chapter approved before usage 10-9 Access to Data, Hardware, and Software Utilization of strong passwords 8 or more characters in length…..or longer Different types of characters Letters, numbers, symbols Biometric identification Distinctive user physical characteristics Voice patterns, fingerprints, facial patterns, retina prints Chapter 10-10 Security for Wireless Technology Utilization of wireless local area networks Virtual Private Network (VPN) Allows remote access to entity resources Data Encryption Data converted into a scrambled format Converted back to meaningful format following transmission Chapter 10-11 Controls for Networks Control Problems Electronic eavesdropping Hardware or software malfunctions Errors in data transmission Control Procedures Checkpoint control procedure Routing verification procedures Message acknowledgment procedures Chapter 10-12 Controls for Personal Computers Take an inventory of personal computers Identify applications utilized by each personal computer Classify computers according to risks and exposures Enhance physical security Chapter 10-13 Additional Controls for Laptops Chapter 10-14 Personnel Policies Separation of Duties Separate Accounting and Information Processing from Other Subsystems Separate Responsibilities within IT Environment Use of Computer Accounts Each employee has password protected account Biometric identification Chapter 10-15 Separation of Duties Chapter 10-16 Division of Responsibility in IT Environment Chapter 10-17 Division of Responsibility in IT Environment Chapter 10-18 Personnel Policies Identifying Suspicious Behavior Protect against fraudulent employee actions Observation of suspicious behavior Highest percentage of fraud involved employees in the accounting department Must safeguard files from intentional and unintentional errors Chapter 10-19 Safeguarding Computer Files Chapter 10-20 File Security Controls Chapter 10-21 Business Continuity Planning Definition Comprehensive approach to ensuring normal operations despite interruptions Components Disaster Recovery Fault Tolerant Systems Backup Chapter 10-22 Disaster Recovery Definition Process and procedures Following disruptive event Summary of Types of Sites Hot Site Flying-Start Site Cold Site Chapter 10-23 Fault Tolerant Systems Definition Used to deal with computer errors Ensure functional system with accurate and complete data (redundancy) Major Approaches Consensus-based protocols Watchdog processor Utilize disk mirroring or rollback processing Chapter 10-24 Backup Batch processing Risk of losing data before, during, and after processing Grandfather-parent-child procedure Types of Backups Hot backup Cold Backup Electronic Vaulting Chapter 10-25 Computer Facility Controls Locate Data Processing Centers in Safe Places Protect from the public Protect from natural disasters (flood, earthquake) Limit Employee Access Security Badges (color-coded with pictures) Man Trap Buy Insurance Chapter 10-26 Study Break #1 A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats. A. Firewall B. Security policy C. Risk assessment D. VPN Chapter 10-27 Study Break #3 Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________. A. Redundancy B. COBIT C. COSO D. Integrated security Chapter 10-28 Application Controls for Transaction Processing Purpose Embedded in business process applications Prevent, detect, and correct errors and irregularities Application Controls Input Controls Processing Controls Output Controls Chapter 10-29 Application Controls for Transaction Processing Chapter 10-30 Input Controls Purpose Ensure validity Ensure accuracy Ensure completeness Categories Observation, recording, and transcription of data Edit tests Additional input controls Chapter 10-31 Observation, Recording, and Transcription of Data Confirmation mechanism Dual observation Point-of-sale devices (POS) Preprinted recording forms Chapter 10-32 Preprinted Recording Form Chapter 10-33 Edit Tests Input Validation Routines (Edit Programs) Programs or subroutines Check validity and accuracy of input data Edit Tests Examine selected fields of input data Rejects data not meeting preestablished standards of quality Chapter 10-34 Edit Tests Chapter 10-35 Edit Tests Chapter 10-36 Additional Input Controls Validity Test Transactions matched with master data files Transactions lacking a match are rejected Check-Digit Control Procedure Chapter 10-37 Processing Controls Purpose Focus on manipulation of accounting data Contribute to a good audit trail Two Types Control Data totals manipulation controls Chapter 10-38 Audit Trail Chapter 10-39 Control Totals Common Processing Control Procedures Batch control total Financial control total Nonfinancial control total Record count Hash total Chapter 10-40 Data Manipulation Controls Data Processing Following validation of input data Data manipulated to produce decision-useful information Processing Control Procedures Software Documentation Error-Testing Compiler Utilization of Test Data Chapter 10-41 Output Controls Purpose Ensure validity Ensure accuracy Ensure completeness Major Types Validating Processing Results Regulating Distribution and Use of Printed Output Chapter 10-42 Output Controls Validating Processing Results Preparation of activity listings Provide detailed listings of changes to master files Regulating Distribution and Use of Printed Output Forms control Pre-numbered forms Authorized distribution list Chapter 10-43 Study Break #5 Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed. A. Specific B. General C. Application D. Input Chapter 10-44 Triangles of Information Security Why We Do It (Fraud) How We Prevent It Chapter 10-45 Fraud Triangle Chapter 10-46 CIA Triangle Chapter 10-47