Accounting Information Systems 9th Edition

Marshall B. Romney
Paul John Steinbart
©2003 Prentice Hall Business Publishing,
Accounting Information Systems, 9/e, Romney/Steinbart
8-1

Chapter 8: Computer Controls and Security

Learning Objectives

1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help ensure that a system is available to users when needed.
4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

Introduction

• During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).
• Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.
• Jason is satisfied that many of the transactions are valid and accurate.
• However, some transactions involve the purchase of services from Pacific Electric.
• These transactions were processed on the basis of vendor invoices approved by management.
• Five of these invoices bear the initials “JLC.”
• JLC is Jack Carlton, the general supervisor.
• Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.
• What questions does Jason have?
  – Is Carlton telling the truth?
  – If Carlton is not telling the truth, what is he up to?
  – If Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment?
• This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.

Learning Objective 1

The four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.

The Four Principles of a Reliable System

1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.

The Criteria Used To Evaluate Reliability Principles

For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.

1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.

Learning Objective 2

Identify and explain the controls that apply to more than one principle of reliability.

Controls Related to More Than One Reliability Principle

• Strategic Planning & Budgeting
• Developing a Systems Reliability Plan
• Documentation
  – Administrative documentation: Describes the standards and procedures for data processing.
  – Systems documentation: Describes each application system and its key processing functions.
  – Operating documentation: Describes what is needed to run a program.
    • Equipment configuration
    • Program and data files
    • Procedures to set up and execute jobs
    • Conditions that may interrupt program execution
    • Corrective actions for program interruptions

Learning Objective 3

Identify and explain the controls that help ensure that a system is available to users when needed.

Availability

• Minimizing Systems Downtime
  – Preventive maintenance
  – UPS
  – Fault tolerance
• Disaster Recovery Plan
  – Minimize the extent of disruption, damage, and loss
  – Temporarily establish an alternative means of processing information
  – Resume normal operations as soon as possible
  – Train and familiarize personnel with emergency operations
  – Priorities for the recovery process
  – Insurance
  – Backup data and program files
    • Electronic vaulting
    • Grandfather-father-son concept
    • Rollback procedures
  – Specific assignments
  – Backup computer and telecommunication facilities
  – Periodic testing and revision
  – Complete documentation

Learning Objective 4

Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.

Developing a Security Plan

• Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.
• What questions need to be asked?
  – Who needs access to what information?
  – When do they need it?
  – On which systems does the information reside?

Segregation of Duties Within the Systems Function

• In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
• Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
• To combat this threat, organizations must implement compensating control procedures.
• Authority and responsibility must be clearly divided among the following functions:
  1. Systems analysis
  2. Programming
  3. Computer operations
  4. Users
  5. AIS library
  6. Data control
• It is important that different people perform these functions.
• Allowing a person to perform two or more of them exposes the company to the possibility of fraud.

Physical Access Controls

• How can physical access security be achieved?
  – placing computer equipment in locked rooms and restricting access to authorized personnel
  – having only one or two entrances to the computer room
  – requiring proper employee ID
  – requiring that visitors sign a log
  – installing locks on PCs

Logical Access Controls

• Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
• What are some logical access controls?
  – passwords
  – physical possession identification
  – biometric identification
  – compatibility tests
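The compatibility test listed above and the segregation-of-duties rule from the preceding slides, worked in Python as an added example (this is not code from the textbook or its authors). The roles, user IDs, access matrix and the create/approve pairing are constructed sample values; a real system would load them from its security plan.

```python
"""Added example, not from the textbook: a compatibility test for logical
access control plus a segregation-of-duties check across the six systems
functions the chapter lists. Roles, users and the access matrix below are
constructed sample data."""
from dataclasses import dataclass, field

# The six systems functions the chapter says must be held by different people.
SYSTEMS_FUNCTIONS = {
    "systems_analysis", "programming", "computer_operations",
    "users", "ais_library", "data_control",
}

# Access control matrix: role -> resource -> permitted actions (constructed).
ACCESS_MATRIX = {
    "ap_clerk":   {"payables_file": {"read", "create"}},
    "ap_manager": {"payables_file": {"read", "approve"}, "vendor_master": {"read"}},
    "programmer": {"source_code": {"read", "write"}},
    "operator":   {"production_job_queue": {"read", "run"}},
}

# Action pairs one person must never hold on the same resource, because
# holding both lets them perpetrate and conceal (constructed policy).
INCOMPATIBLE_PAIRS = [("payables_file", "create", "approve")]


@dataclass
class User:
    user_id: str
    roles: set
    functions: set = field(default_factory=set)   # systems functions this person performs


def compatibility_test(user, resource, action):
    """Compatibility test: True only if one of the user's roles permits
    `action` on `resource`; anything absent from the matrix is denied."""
    return any(action in ACCESS_MATRIX.get(role, {}).get(resource, set())
               for role in user.roles)


def sod_violations(user):
    """Return the systems functions a user holds when they hold more than one
    (the chapter's rule: different people must perform these functions)."""
    held = user.functions & SYSTEMS_FUNCTIONS
    return held if len(held) > 1 else set()


def incompatible_access(user):
    """List (resource, action_a, action_b) pairs the user can perform both of,
    e.g. creating and approving the same payables records."""
    return [(res, a, b) for res, a, b in INCOMPATIBLE_PAIRS
            if compatibility_test(user, res, a) and compatibility_test(user, res, b)]


def review_user(user):
    """One summary record an auditor could act on."""
    return {
        "user": user.user_id,
        "sod_violations": sorted(sod_violations(user)),
        "incompatible_access": incompatible_access(user),
    }


if __name__ == "__main__":
    clerk = User("clerk01", {"ap_clerk"}, {"users"})
    print(compatibility_test(clerk, "payables_file", "approve"))   # False
    print(review_user(User("temp07", {"ap_clerk", "ap_manager"})))
```

The matrix is deny-by-default: a request is granted only when a role explicitly lists the action for that resource. The two review functions are what turns the chapter's rule into something an auditor can run over the whole user list rather than check by hand.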

Protection of PCs and Client/Server Networks

• Many of the policies and procedures for mainframe control are applicable to PCs and networks.
• The following controls are also important:
  – Train users in PC-related control concepts.
  – Restrict access by using locks and keys on PCs.
  – Establish policies and procedures.
  – Portable PCs should not be stored in cars.
  – Back up hard disks regularly.
  – Encrypt or password protect files.
  – Build protective walls around operating systems.
  – Use multilevel password controls to limit employee access to incompatible data.

Internet Controls

• Why caution should be exercised when conducting business on the Internet:
  – the large and global base of people that depend on the Internet
  – the variability in quality, compatibility, completeness, and stability of network products and services
  – access of messages by others
  – security flaws in Web sites
  – attraction of hackers to the Internet
• What controls can be used to secure Internet activity?
  – passwords
  – encryption technology
  – routing verification procedures
• Another control is installing a firewall: hardware and software that control communications between a company’s internal network (trusted network) and an external network.
• The firewall is a barrier between the networks that does not allow unauthorized information to flow into or out of the trusted network.

Learning Objective 5

Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.

Minimizing System Downtime

• Significant financial losses can be incurred if hardware or software malfunctions cause an AIS to fail.
• What are some methods used to minimize system downtime?
  – preventive maintenance
  – uninterruptible power system
  – fault tolerance

Disaster Recovery Plan

• Every organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster.
• What are the objectives of a recovery plan?
  1. Minimize the extent of the disruption, damage, and loss.
  2. Temporarily establish an alternative means of processing information.
  3. Resume normal operations as soon as possible.
  4. Train and familiarize personnel with emergency operations.
• A sound disaster plan should contain the following elements:
  1. Priorities for the recovery process
  2. Backup data and program files
  3. Specific assignments
  4. Complete documentation
  5. Backup computer and telecommunications facilities
     – reciprocal agreements
     – hot and cold sites
• There are other aspects of disaster recovery planning that deserve mention:
  – The recovery plan is incomplete until it has been satisfactorily tested by simulating a disaster.
  – The recovery plan must be continuously reviewed and revised to ensure that it reflects the current situation.
  – The plan should include insurance coverage.

Protection of PCs and Client/Server Networks

• Why are PCs more vulnerable to security risks than are mainframes?
  – It is difficult to restrict physical access.
  – PC users are usually less aware of the importance of security and control.
  – Many people are familiar with the operation of PCs.
  – Segregation of duties is very difficult.

Data Processing and File Maintenance Controls

• What are some of the more common controls that help preserve the accuracy and completeness of data processing?
  – data currency checks
  – default values
  – data matching
  – exception reporting
  – external data reconciliation
  – control account reconciliation
  – file security
  – file conversion controls

Learning Objective 6

Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.

General Controls

• A company designs general controls to ensure that its overall computer system is stable and well managed.
• The following are categories of general controls:
  1. Developing a security plan
  2. Segregation of duties within the systems function
  3. Project development controls
  4. Physical access controls
  5. Logical access controls
  6. Data storage controls
  7. Data transmission controls
  8. Documentation standards
  9. Minimizing system downtime
  10. Disaster recovery plans
  11. Protection of personal computers and client/server networks
  12. Internet controls

Documentation Standards

• Another important general control is documentation procedures and standards to ensure clear and concise documentation.
• Documentation may be classified into three basic categories:
  1. Administrative documentation
  2. Systems documentation
  3. Operating documentation

Application Controls

• The primary objective of application controls is to ensure the accuracy of a specific application’s inputs, files, programs, and outputs.
• This section will discuss five categories of application controls:
  1. Source data controls
  2. Input validation routines
  3. Online data entry controls
  4. Data processing and file maintenance controls
  5. Output controls

Source Data Controls

• There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
  – key verification
  – check digit verification
  – prenumbered forms sequence test
  – turnaround documents
  – authorization

Input Validation Routines

• Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system.
• These programs are called edit programs.
• The accuracy checks they perform are called edit checks.
• What are some edit checks used in input validation routines?
  – sequence check
  – field check
  – sign check
  – validity check
  – limit check
  – range check
  – reasonableness test
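The seven edit checks listed above, together with the check digit verification from the source data controls slide, worked as one small edit program in Python. This is an added example, not code from the textbook or its authors; the vendor master file, the limit and range thresholds, the per-vendor history used by the reasonableness test, the mod-10 (Luhn) scheme chosen for the check digit, and the sample batch are all constructed for the example.

```python
"""Added example, not from the textbook: a small edit program that applies
the chapter's edit checks to a batch of accounts-payable records, with a
mod-10 (Luhn) check digit on the vendor number as the source data control.
Vendor master, thresholds and the sample batch are constructed."""

VALID_VENDORS = {"10017", "20024"}              # constructed vendor master file
GL_ACCOUNT_RANGE = (1000, 9999)                 # chart of accounts bounds (assumed)
MAX_INVOICE_AMOUNT = 50_000.00                  # fixed ceiling for the limit check (assumed)
TYPICAL_MAX_PER_VENDOR = {"10017": 5_000.00,    # history used by the reasonableness test
                          "20024": 20_000.00}


def luhn_valid(number: str) -> bool:
    """Check digit verification (mod 10 / Luhn): the last digit must make the
    weighted digit sum divisible by 10, so a mistyped or transposed digit fails."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(record, prev_invoice_no):
    """Apply the edit checks to one record and return the names of those it fails."""
    errors = []
    # sequence check: invoice numbers must arrive in strictly ascending order
    if prev_invoice_no is not None and record["invoice_no"] <= prev_invoice_no:
        errors.append("sequence")
    # field check: the vendor number field must contain only digits
    if not record["vendor_no"].isdigit():
        errors.append("field")
    elif not luhn_valid(record["vendor_no"]):
        errors.append("check_digit")
    # validity check: the vendor must exist in the vendor master file
    elif record["vendor_no"] not in VALID_VENDORS:
        errors.append("validity")
    # sign check: an invoice amount must be positive
    if record["amount"] <= 0:
        errors.append("sign")
    # limit check: amount must not exceed a fixed maximum
    elif record["amount"] > MAX_INVOICE_AMOUNT:
        errors.append("limit")
    else:
        # reasonableness test: amount compared with what is typical for that vendor
        typical = TYPICAL_MAX_PER_VENDOR.get(record["vendor_no"])
        if typical is not None and record["amount"] > typical:
            errors.append("reasonableness")
    # range check: the GL account must fall within the chart of accounts
    low, high = GL_ACCOUNT_RANGE
    if not low <= record["gl_account"] <= high:
        errors.append("range")
    return errors


def run_edit_program(records):
    """Return [(invoice_no, [failed checks]), ...] for every rejected record;
    records with no errors pass through to processing."""
    rejected = []
    prev = None
    for rec in records:
        errs = edit_checks(rec, prev)
        if errs:
            rejected.append((rec["invoice_no"], errs))
        prev = rec["invoice_no"]
    return rejected


# Constructed sample batch; the comments say which check each bad record trips.
SAMPLE_BATCH = [
    {"invoice_no": 101, "vendor_no": "10017", "amount": 1250.00, "gl_account": 6100},
    {"invoice_no": 102, "vendor_no": "10018", "amount": 800.00, "gl_account": 6100},    # check digit
    {"invoice_no": 103, "vendor_no": "30031", "amount": 500.00, "gl_account": 6100},    # unknown vendor
    {"invoice_no": 103, "vendor_no": "20024", "amount": -40.00, "gl_account": 6200},    # sequence, sign
    {"invoice_no": 105, "vendor_no": "20024", "amount": 75000.00, "gl_account": 6200},  # limit
    {"invoice_no": 106, "vendor_no": "10017", "amount": 9000.00, "gl_account": 12345},  # reasonableness, range
]

if __name__ == "__main__":
    for invoice_no, errs in run_edit_program(SAMPLE_BATCH):
        print(invoice_no, errs)
```

Note the order of the checks: the check digit is tested before the vendor master lookup, so a keying error is reported as such rather than as an unknown vendor, and the reasonableness test only runs on amounts that have already passed the sign and limit checks.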

Online Data Entry Controls

• The goal of online data entry controls is to ensure the accuracy and integrity of transaction data entered from online terminals and PCs.
• What are some online data entry controls?
  – data checks
  – user ID numbers and passwords
  – compatibility tests
  – prompting
  – preformatting
  – completeness check
  – automatic transaction data entry
  – closed-loop verifications
  – transaction log
  – clear error messages

Data Transmission Controls

• To reduce the risk of data transmission failures, companies should monitor the network.
• How can data transmission errors be minimized?
  – using data encryption (cryptography)
  – implementing routing verification procedures
  – adding parity
  – using message acknowledgment techniques
• Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
• In these types of environments, sound internal control is achieved using the following control procedures:
  1. Physical access to network facilities should be strictly controlled.
  2. Electronic identification should be required for all authorized network terminals.
  3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
  4. Encryption should be used to secure stored data as well as data being transmitted.
  5. Details of all transactions should be recorded in a log that is periodically reviewed.
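Two of the transmission controls named above, parity and message acknowledgment, worked in Python as an added example (not code from the textbook or its authors). The framing, the block size, the sequence-numbered acknowledgment scheme and the sample EFT-style message are all constructed for the example; the point is to see a single flipped bit caught by parity and the block resent until it is acknowledged.

```python
"""Added example, not from the textbook: two of the transmission controls the
chapter lists, a parity bit per byte and sequence-numbered message
acknowledgments, run over a constructed message with one simulated line error."""


def parity_bit(byte: int) -> int:
    """Even parity: 1 when the byte has an odd number of 1 bits, so that
    byte plus parity bit always carries an even count."""
    return bin(byte).count("1") % 2


def encode(data: bytes) -> list:
    """Frame each byte with its parity bit: [(byte, parity), ...]."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(frames: list) -> list:
    """Indexes of frames whose parity bit no longer matches the byte.
    Any single flipped bit is caught; two flips in one byte would not be."""
    return [i for i, (b, p) in enumerate(frames) if parity_bit(b) != p]


def flip_bit(frames: list, index: int, bit: int) -> list:
    """Simulate a line error: flip one bit of one byte (for the demonstration)."""
    frames = list(frames)
    byte, parity = frames[index]
    frames[index] = (byte ^ (1 << bit), parity)
    return frames


class Receiver:
    """Accepts numbered blocks in order and answers each with the sequence
    number it expects next; an unchanged number tells the sender to resend."""

    def __init__(self):
        self.expected = 0
        self.blocks = []

    def receive(self, seq: int, frames: list) -> int:
        if seq != self.expected or check_parity(frames):
            return self.expected                     # bad or out-of-order block: not acknowledged
        self.blocks.append(bytes(b for b, _ in frames))
        self.expected += 1
        return self.expected                         # positive acknowledgment


def transmit(message: bytes, block_size: int, receiver: Receiver, corrupt_once=None):
    """Send `message` in numbered blocks, resending any block that is not
    acknowledged. corrupt_once=(seq, byte_index, bit) damages the first
    attempt of one block. Returns (blocks sent, bytes the receiver holds)."""
    blocks = [message[i:i + block_size] for i in range(0, len(message), block_size)]
    sends, seq = 0, 0
    while seq < len(blocks):
        frames = encode(blocks[seq])
        if corrupt_once is not None and corrupt_once[0] == seq:
            frames = flip_bit(frames, corrupt_once[1], corrupt_once[2])
            corrupt_once = None                      # only the first attempt is damaged
        sends += 1
        if receiver.receive(seq, frames) == seq + 1:
            seq += 1                                 # acknowledged: move on
        # otherwise loop and resend the same block
    return sends, b"".join(receiver.blocks)


if __name__ == "__main__":
    msg = b"PAY 1250.00 TO 20024"                    # constructed EFT-style message
    print(transmit(msg, 8, Receiver(), corrupt_once=(1, 2, 0)))   # (4, msg)
```

Parity only detects; it is the acknowledgment that turns detection into a correct copy at the far end, which is why the chapter lists both. A real link would also bound the number of retries so a persistently bad line raises an alarm instead of looping.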

Data Storage Controls

• Information is generally what gives a company a competitive edge and makes it viable.
• A company should identify the types of data maintained and the level of protection required for each.
• A company must also document the steps taken to protect data.
• A properly supervised file library is one essential means of preventing loss of data.
• A file storage area should also be protected against fire, dust, excess heat, or humidity.
• Following are types of file labels that can be used to protect data files from misuse:
  – external labels
  – internal labels (volume, header, trailer)

Output Controls

• The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
• Data control is also responsible for distributing computer output to the appropriate user departments.
• Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
• A shredder can be used to destroy highly confidential data.
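The internal header and trailer labels from the data storage slide and the control-total reconciliation from the output controls slide, worked together in Python as an added example (not code from the textbook or its authors). The file layout, the choice of a record count, a hash total of vendor numbers and an amount total as the trailer's control totals, the field names and the sample records are all constructed for the example.

```python
"""Added example, not from the textbook: internal file labels as a data
storage control, with the trailer's control totals reconciled against the
records actually read, the same reconciliation the chapter asks data control
to perform between input and output totals. File layout, field names and
sample records are constructed."""
import csv
import io
from decimal import Decimal


def write_labelled_file(file_name: str, created: str, records: list) -> str:
    """Write records between a header label (file identity) and a trailer
    label (record count, hash total of vendor numbers, amount total)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["HEADER", file_name, created])
    hash_total = 0                 # sum of vendor numbers: meaningless, only for matching
    amount_total = Decimal("0")
    for rec in records:
        writer.writerow([rec["invoice_no"], rec["vendor_no"], rec["amount"]])
        hash_total += int(rec["vendor_no"])
        amount_total += Decimal(rec["amount"])
    writer.writerow(["TRAILER", len(records), hash_total, str(amount_total)])
    return buf.getvalue()


def read_labelled_file(text: str, expected_name: str):
    """Check the labels before processing. Returns (records, problems); the
    records list is empty whenever any problem was found."""
    rows = list(csv.reader(io.StringIO(text)))
    problems = []
    if not rows or rows[0][:1] != ["HEADER"]:
        return [], ["missing header label"]
    name = rows[0][1] if len(rows[0]) > 1 else ""
    if name != expected_name:                          # wrong volume mounted
        problems.append(f"wrong file mounted: {name}")
    if rows[-1][:1] != ["TRAILER"] or len(rows[-1]) != 4:   # cut short or overwritten
        return [], problems + ["missing or malformed trailer label (file truncated?)"]
    data = rows[1:-1]
    count = len(data)
    hash_total = sum(int(r[1]) for r in data)
    amount_total = sum((Decimal(r[2]) for r in data), Decimal("0"))
    _, t_count, t_hash, t_amount = rows[-1]
    if (count, hash_total, amount_total) != (int(t_count), int(t_hash), Decimal(t_amount)):
        problems.append("trailer control totals do not reconcile with records read")
    records = [{"invoice_no": r[0], "vendor_no": r[1], "amount": r[2]} for r in data]
    return ([] if problems else records), problems


# Constructed sample batch
SAMPLE_RECORDS = [
    {"invoice_no": "101", "vendor_no": "10017", "amount": "1250.00"},
    {"invoice_no": "102", "vendor_no": "20024", "amount": "800.50"},
]

if __name__ == "__main__":
    text = write_labelled_file("AP_BATCH_001", "2003-03-15", SAMPLE_RECORDS)
    print(read_labelled_file(text, "AP_BATCH_001"))
    # an extra record slipped in after the batch was totalled
    tampered = text.replace("TRAILER", "103,30031,500.00\nTRAILER")
    print(read_labelled_file(tampered, "AP_BATCH_001"))
```

Three different failures are distinguished: the wrong file mounted (header name), a file cut short (no trailer), and a record added or altered after the batch was totalled (trailer totals do not reconcile). In each case nothing is processed, which is the behaviour the chapter expects of the file library and data control before output is released.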

Project Development Controls

• To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.
• What key elements are included in project development control?
  1. Long-range master plan
  2. Project development plan
  3. Data processing schedule
  4. Assignment of responsibility
  5. Periodic performance evaluation
  6. Postimplementation review
  7. System performance measurements

Case Conclusion

• Were Jason and his supervisor able to identify the source of the fictitious invoices?
  – No.
• They asked the police to identify the owner of the Pacific Electric bank account.
• What did the police discover?
  – Patricia Simpson, a data entry clerk at SPP, was the owner of the account.

End of Chapter 8