AIS PowerPoint Presentations

Chapter 10-1
Chapter 10:
Computer Controls for Organizations and
Accounting Information Systems
Introduction
Enterprise Level Controls
General Controls for Information Technology
Application Controls for Transaction
Processing
Enterprise Level Controls
Consistent policies and procedures
Management’s risk assessment process
Centralized processing and controls
Controls to monitor results of operations
Enterprise Level Controls
Controls to monitor the internal audit
function, the audit committee, and self-assessment programs
Period-end financial reporting process
Board-approved policies that address
significant business control and risk
management practices
Risk Assessment and
Security Policies
Integrated Security for
the Organization
Physical Security
- Measures used to protect its facilities, resources, or proprietary data stored on physical media
Logical Security
- Limit access to systems and information to authorized individuals
Administrative Security
- Policies, procedures, standards, and guidelines
Physical and Logical Security
General Controls for
Information Technology
Access to Data, Hardware, and Software
Protection of Systems and Data with
Personnel Policies
Protection of Systems and Data with
Technology and Facilities
General Controls for
Information Technology
IT general controls apply to all information
systems
Major Objectives
- Access to programs and data is limited to authorized users
- Data and systems are protected from change, theft, and loss
- Computer programs are authorized, tested, and approved before usage
Access to Data, Hardware,
and Software
Utilization of strong passwords
- 8 or more characters in length, or longer
- Different types of characters: letters, numbers, symbols
Biometric identification
- Distinctive user physical characteristics
- Voice patterns, fingerprints, facial patterns, retina prints
Security for Wireless Technology
Utilization of wireless local area networks
Virtual Private Network (VPN)
- Allows remote access to entity resources
Data Encryption
- Data converted into a scrambled format
- Converted back to meaningful format following transmission
Controls for Networks
Control Problems
- Electronic eavesdropping
- Hardware or software malfunctions
- Errors in data transmission
Control Procedures
- Checkpoint control procedure
- Routing verification procedures
- Message acknowledgment procedures
Controls for Personal Computers
Take an inventory of personal computers
Identify applications utilized by each
personal computer
Classify computers according to risks and
exposures
Enhance physical security
Additional Controls for Laptops
Personnel Policies
Separation of Duties
- Separate Accounting and Information Processing from Other Subsystems
- Separate Responsibilities within the IT Environment
Use of Computer Accounts
- Each employee has a password-protected account
- Biometric identification
Separation of Duties
Division of Responsibility in
IT Environment
Personnel Policies
Identifying Suspicious Behavior
- Protect against fraudulent employee actions
- Observation of suspicious behavior
- Highest percentage of fraud involved employees in the accounting department
- Must safeguard files from intentional and unintentional errors
Safeguarding Computer Files
File Security Controls
Business Continuity Planning
Definition
- Comprehensive approach to ensuring normal operations despite interruptions
Components
- Disaster Recovery
- Fault Tolerant Systems
- Backup
Disaster Recovery
Definition
- Processes and procedures that follow a disruptive event
Summary of Types of Sites
- Hot Site
- Flying-Start Site
- Cold Site
Fault Tolerant Systems
Definition
- Used to deal with computer errors
- Ensure a functional system with accurate and complete data (redundancy)
Major Approaches
- Consensus-based protocols
- Watchdog processor
- Utilize disk mirroring or rollback processing
Backup
Batch processing
- Risk of losing data before, during, and after processing
- Grandfather-parent-child procedure
Types of Backups
- Hot backup
- Cold backup
- Electronic vaulting
Computer Facility Controls
Locate Data Processing Centers in Safe Places
- Protect from the public
- Protect from natural disasters (flood, earthquake)
Limit Employee Access
- Security badges (color-coded with pictures)
- Man trap
Buy Insurance
Study Break #1
A _______ is a comprehensive plan that helps protect the
enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN
Study Break #3
Fault-tolerant systems are designed to tolerate computer errors
and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security
Application Controls
for Transaction Processing
Purpose
- Embedded in business process applications
- Prevent, detect, and correct errors and irregularities
Application Controls
- Input Controls
- Processing Controls
- Output Controls
Input Controls
Purpose
- Ensure validity
- Ensure accuracy
- Ensure completeness
Categories
- Observation, recording, and transcription of data
- Edit tests
- Additional input controls
Observation, Recording,
and Transcription of Data
Confirmation mechanism
Dual observation
Point-of-sale devices (POS)
Preprinted recording forms
Preprinted Recording Form
Edit Tests
Input Validation Routines (Edit Programs)
- Programs or subroutines
- Check validity and accuracy of input data
Edit Tests
- Examine selected fields of input data
- Reject data not meeting pre-established standards of quality
Additional Input Controls
Validity Test
- Transactions matched with master data files
- Transactions lacking a match are rejected
Check-Digit Control Procedure
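As an added example that is not part of the slides, the edit tests, the validity test against a master file, and the check-digit control above, applied to constructed transaction records. The modulus-10 (Luhn) check-digit scheme, the master file contents and the credit limit are assumptions.

```python
# Added example, not from the slides: edit tests, a validity test against a master
# file, and a check-digit test on constructed records. Luhn, master file, limit: assumed.

def luhn_valid(number: str) -> bool:
    """Modulus-10 check digit: catches single-digit errors and most transpositions."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Constructed master file of valid customer numbers (each carries a check digit).
CUSTOMER_MASTER = {"79927398713", "49927398716"}
CREDIT_LIMIT = 5000.00

def edit_tests(rec: dict) -> list[str]:
    """Return the edit-test failures for one record; an empty list means accept."""
    errors = []
    for field in ("customer", "amount", "quantity"):
        if rec.get(field) in (None, ""):             # completeness test
            errors.append(f"{field}: missing")
    cust = str(rec.get("customer") or "")
    if cust and not luhn_valid(cust):                # check-digit test
        errors.append("customer: check digit failed")
    elif cust and cust not in CUSTOMER_MASTER:       # validity test vs master file
        errors.append("customer: no match in master file")
    amount = rec.get("amount")
    if amount not in (None, ""):
        try:
            value = float(amount)                    # field test (numeric)
        except (TypeError, ValueError):
            errors.append("amount: not numeric")
        else:
            if value <= 0:                           # sign test
                errors.append("amount: must be positive")
            elif value > CREDIT_LIMIT:               # limit test
                errors.append("amount: exceeds credit limit")
    qty = rec.get("quantity")
    if qty not in (None, "") and not str(qty).isdigit():   # field test (integer)
        errors.append("quantity: not a whole number")
    return errors

if __name__ == "__main__":
    print(edit_tests({"customer": "79927398713", "amount": "1250.00", "quantity": "3"}))  # []
    print(edit_tests({"customer": "79927398731", "amount": "-40", "quantity": "3x"}))
```

The second record has two adjacent digits of the customer number transposed; the check digit rejects it before the master-file lookup is even attempted.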
Processing Controls
Purpose
- Focus on manipulation of accounting data
- Contribute to a good audit trail
Two Types
- Control totals
- Data manipulation controls
Audit Trail
Control Totals
Common Processing Control Procedures
- Batch control total
- Financial control total
- Nonfinancial control total
- Record count
- Hash total
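The control totals listed above, as an added example that is not part of the slides: a constructed sales batch whose totals are fixed on the batch header at data entry and recompared after processing, showing that only the hash total catches a mis-keyed account number. The record layout and sample values are assumptions.

```python
# Added example, not from the slides: batch control totals computed when a
# constructed batch is keyed, then recomputed after processing to detect lost or
# altered records. The record layout and sample data are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    account: int    # customer account number: an identifier, not a quantity
    quantity: int   # units sold (nonfinancial field)
    amount: float   # sale amount in dollars (financial field)

def control_totals(batch: list[Txn]) -> dict:
    """Compute the batch control totals named on the slide."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t.amount for t in batch), 2),
        "nonfinancial_total": sum(t.quantity for t in batch),
        # Hash total: the sum of account numbers has no business meaning, but it
        # changes whenever an account number is mis-keyed, dropped or duplicated.
        "hash_total": sum(t.account for t in batch),
    }

def reconcile(header: dict, recomputed: dict) -> list[str]:
    """Names of the control totals that no longer agree with the batch header."""
    return [name for name in header if header[name] != recomputed[name]]

# Constructed batch as keyed at data entry; its totals are written to the batch header.
BATCH = [Txn(10234, 3, 150.00), Txn(20871, 1, 99.95), Txn(30562, 2, 40.50)]
HEADER = control_totals(BATCH)

def check(processed: list[Txn]) -> list[str]:
    """Recompute totals after a processing step and report which controls fire."""
    return reconcile(HEADER, control_totals(processed))

if __name__ == "__main__":
    print(check(BATCH))                                        # []
    print(check(BATCH[:2]))                                    # record dropped: all four fire
    print(check([BATCH[0], Txn(20817, 1, 99.95), BATCH[2]]))   # account digits transposed: only hash_total
    print(check([BATCH[0], Txn(20871, 1, 99.59), BATCH[2]]))   # amount mis-keyed: only financial_total
```

Recomputing and logging the totals at each processing step is what turns them into the audit trail the previous slide mentions.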
Data Manipulation Controls
Data Processing
- Following validation of input data
- Data manipulated to produce decision-useful information
Processing Control Procedures
- Software documentation
- Error-testing compiler
- Utilization of test data
Output Controls
Purpose
- Ensure validity
- Ensure accuracy
- Ensure completeness
Major Types
- Validating processing results
- Regulating distribution and use of printed output
Output Controls
Validating Processing Results
- Preparation of activity listings
- Provide detailed listings of changes to master files
Regulating Distribution and Use of Printed Output
- Forms control
- Pre-numbered forms
- Authorized distribution list
Study Break #5
Organizations use ______ controls to prevent, detect, and
correct errors and irregularities in transactions that are
processed.
A. Specific
B. General
C. Application
D. Input
Triangles of Information Security
Why We Do It (Fraud)
How We Prevent It
Fraud Triangle
CIA Triangle