Accounting Information Systems 9th Edition

Information Systems Controls
Lecture 5 (Chapters 6, 7 & 8)
Introduction
1. Explain the basic concepts of control as applied to business organizations
2. Describe the major elements in the control environment of a business
3. Describe control policies and procedures commonly used in business organizations
4. Evaluate a system of internal control, identify its deficiencies, and prescribe modifications to remedy those deficiencies
5. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls
©2003 Prentice Hall Business Publishing,
Accounting Information Systems, 9/e, Romney/Steinbart
Lecture 5-2
Threats to AIS
- Natural and political disasters: fire / heat / floods / earthquakes / winds / war
- S/W errors & equipment malfunctions: H/W failures / power outages / data transmission errors
- Unintentional acts: accidents / lost data / human & logic errors / systems that do not meet company needs
- Intentional acts: sabotage / computer fraud / embezzlement
AIS threats are increasing
Due to:
- Increasing number of client/server systems
- LANs and client/server systems distribute data to many users: harder to control than a mainframe
- WANs are giving customers & suppliers access to each other's systems and data, e.g. Wal-Mart & its vendors
- Better computer knowledge in the population
Therefore, computer control & security are important.
Control Concepts
Internal control is the plan and methods a business uses to:
1. safeguard assets
2. provide accurate and reliable information
3. promote & improve operational efficiency
4. encourage adherence to managerial policies.
Management control encompasses:
1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities and to achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.
Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls
Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute
COSO's Internal Control Model Components
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring performance
COSO's Model of Internal Control
Control Environment:
1. Commitment to integrity & ethical values
2. Management philosophy
3. Emphasis on knowledge and skills
4. Effective audit committee
5. Assigning authority
6. Executive competence
Control Activities:
1. Policies & procedures
2. Authorization of transactions
3. Segregation of duties
4. Design & use of adequate documentation
5. Safeguard of assets & records
6. Independent checks on performance
Risk Assessment:
1. Identify threats
2. Estimate risk
3. Estimate exposure
4. Identify controls
5. Estimate costs & benefits
6. Determine cost-benefit effectiveness
Information & Communication:
1. Understanding of the transaction process
2. Audit trail of transactions: identify, classify & record at the proper monetary value & accounting period
3. Effective communication & proper disclosure
Monitoring Performance:
1. Effective supervision: training, monitoring performance, safeguarding assets
2. Responsibility accounting: budgets, costing, performance reports
3. Internal audit
Segregation of Duties
- Custodial functions: handling cash, handling assets, writing checks, receiving checks in the mail
- Recording functions: preparing source documents, maintaining journals, preparing reconciliations, preparing performance reports
- Authorization functions: authorization of transactions
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
It prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
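The rule above ("two of the three functions in one pair of hands is a problem") is mechanical enough to check from a duty roster. The following is an added example, not part of the Romney/Steinbart slides: it maps each duty to the custodial/recording/authorization class named on the slide, reports every employee whose duties span two or more classes, and also lists pairs of employees who together cover all three classes, since that is where collusion would defeat the control. The employees and their assignments are constructed sample data.

```python
# Added example, not from the Romney/Steinbart slides: a small checker that reports
# segregation-of-duties conflicts in a set of duty assignments. The duty list and the
# three function classes are the ones named on the slide; the employees and their
# assignments below are constructed sample data.
from itertools import combinations

# Duty -> function class, as grouped on the slide.
DUTY_CLASS = {
    "handle cash": "custodial",
    "handle assets": "custodial",
    "write checks": "custodial",
    "receive checks in mail": "custodial",
    "prepare source documents": "recording",
    "maintain journals": "recording",
    "prepare reconciliations": "recording",
    "prepare performance reports": "recording",
    "authorize transactions": "authorization",
}
ALL_CLASSES = {"custodial", "recording", "authorization"}


def function_classes(duties):
    """Set of function classes spanned by a list of duties. Unknown duties are an
    error rather than silently ignored, so an unmapped duty cannot slip past."""
    unknown = sorted(d for d in duties if d not in DUTY_CLASS)
    if unknown:
        raise ValueError(f"duties not in the classification: {unknown}")
    return {DUTY_CLASS[d] for d in duties}


def sod_conflicts(assignments):
    """assignments: {employee: [duty, ...]}.
    Returns {employee: sorted classes} for everyone holding duties from two or more
    of the three classes, i.e. who could both take an asset and hide the taking."""
    conflicts = {}
    for person, duties in assignments.items():
        classes = function_classes(duties)
        if len(classes) >= 2:
            conflicts[person] = sorted(classes)
    return conflicts


def collusion_pairs(assignments):
    """Pairs of employees who between them cover all three classes. Segregation only
    holds while such pairs do not collude, so they merit independent supervision."""
    pairs = []
    for (a, da), (b, db) in combinations(assignments.items(), 2):
        if function_classes(da) | function_classes(db) == ALL_CLASSES:
            pairs.append((a, b))
    return pairs


# Constructed sample. Dana both opens the mail (custody of incoming checks) and keeps
# the journals (recording), so she could divert a check and post an entry to hide it.
SAMPLE_ASSIGNMENTS = {
    "Alice": ["authorize transactions"],
    "Bob": ["handle cash", "write checks"],
    "Carol": ["maintain journals", "prepare reconciliations"],
    "Dana": ["receive checks in mail", "maintain journals"],
}

if __name__ == "__main__":
    print(sod_conflicts(SAMPLE_ASSIGNMENTS))
    print(collusion_pairs(SAMPLE_ASSIGNMENTS))
```

Running it reports Dana as the conflict and Alice plus Dana as the pair to watch: Alice alone holds authorization, so with Dana's custody and recording the two of them could run a fictitious transaction end to end.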
Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
- cash registers
- safes, lockboxes
- safety deposit boxes
- restricted and fireproof storage areas
- controlling the environment
- restricted access to computer rooms, computer files, and information
Estimate Costs and Benefits
- No internal control system can provide foolproof protection against all internal control threats.
- The cost of a foolproof system would be prohibitively high.
- One way to calculate benefits involves calculating expected loss.
- The benefit of a control procedure is the difference between the expected loss without the control procedure(s) and the expected loss with it.
- Expected loss = risk × exposure
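The arithmetic on this slide carried through for one threat and two candidate controls, as an added example that is not part of the original slides. It uses the slide's own formula (expected loss = risk × exposure, benefit = reduction in expected loss) and adds the step the slide implies but does not spell out: net benefit is that reduction minus what the control costs over the same period. The threat probabilities, exposures and control costs are constructed figures.

```python
# Added example, not from the slides: the expected-loss arithmetic carried through for
# two candidate controls against one threat. Formula from the slide:
# expected loss = risk x exposure; benefit of a control = expected loss without it
# minus expected loss with it. The threat figures and control costs are constructed.

def expected_loss(risk, exposure):
    """risk: probability the threat occurs in the period (0..1);
    exposure: loss in currency units if it does."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability between 0 and 1")
    if exposure < 0:
        raise ValueError("exposure cannot be negative")
    return round(risk * exposure, 2)


def control_benefit(before, after):
    """before/after: (risk, exposure) pairs without and with the control.
    A control may lower the probability, the exposure, or both."""
    return round(expected_loss(*before) - expected_loss(*after), 2)


def evaluate_control(name, before, after, cost):
    """Net benefit = reduction in expected loss minus the control's cost over the same
    period. A negative net benefit means the control costs more than it saves."""
    benefit = control_benefit(before, after)
    net = round(benefit - cost, 2)
    return {"control": name, "benefit": benefit, "cost": cost,
            "net_benefit": net, "worthwhile": net > 0}


def rank_controls(candidates):
    """candidates: list of (name, before, after, cost). Highest net benefit first."""
    results = [evaluate_control(*c) for c in candidates]
    return sorted(results, key=lambda r: r["net_benefit"], reverse=True)


# Constructed threat: embezzlement by an accounts-payable clerk.
# Without any new control: 5% chance per year, 200,000 loss if it happens.
THREAT_BASELINE = (0.05, 200_000)

CANDIDATES = [
    # Independent monthly reconciliation: cheap; lowers the probability and, because
    # a scheme is caught sooner, also the size of the loss.
    ("independent reconciliation", THREAT_BASELINE, (0.01, 150_000), 5_000),
    # Biometric locks on the AP office: expensive and only slightly lowers the
    # probability, since the clerk is an authorized insider anyway.
    ("biometric door locks", THREAT_BASELINE, (0.02, 200_000), 12_000),
]

if __name__ == "__main__":
    for r in rank_controls(CANDIDATES):
        print(r)
```

The reconciliation control returns a net benefit of 3,500 per year; the door locks cut the expected loss by 6,000 but cost 12,000, so on these figures they fail the cost-benefit test even though they are a real control.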
Information & Communication
Audit trail:
- An audit trail exists when individual company transactions can be traced through the system.
- It provides evidence that transactions were:
  - properly classified
  - recorded at their proper monetary value
  - recorded in the proper accounting period
  - properly presented, with related disclosures, in the financial statements
Principles of a Reliable System
Availability:
- Minimizing system downtime
- Disaster recovery plan
Security controls:
- Segregation of duties
- Physical access control
- Logical access control
- Protection of computers & client/server networks
- Internet/e-commerce control
Maintainability:
- Project development and acquisition controls
- Change management control
Integrity:
- Source data controls
- Input validation routines
- On-line data entry controls
- Data processing & storage controls
- Output controls
- Data transmission controls
Security Controls
- Segregation of duties within the systems function
- Physical access control
- Logical access control
- Protection of personal computers & client/server networks
- Internet and e-commerce control
Segregation of Duties Within the Systems Function
Because the custodial/recording/authorization split used elsewhere in the business cannot be applied directly to the systems function, organizations must implement compensating control procedures.
Authority & responsibility must be clearly divided among the following functions:
1. Systems analysis
2. Programming
3. Computer operations
4. Users
5. AIS library
6. Data control
Physical Access Controls
How can physical access security be achieved?
- placing computer equipment in locked rooms and restricting access to authorized personnel
- having only one or two entrances to the computer room
- requiring proper employee ID
- requiring that visitors sign a log
- installing locks on PCs
Logical Access Controls
Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.
What are some logical access controls?
- passwords
- physical possession identification
- biometric identification
- compatibility tests
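A compatibility test, in the slide's sense, is the check that a user's request matches an access control matrix: this user, this data, this function. The following is an added example, not from the slides, of that check written as default-deny (anything the matrix does not explicitly grant is refused) with every refusal recorded and its reason kept, so the denial log can be reviewed for a user repeatedly trying functions outside their role. The users, resources and requests are constructed.

```python
# Added example, not from the slides: a "compatibility test" as the slide uses the term,
# i.e. checking a user's request against an access control matrix so the user can reach
# only the data they are authorized for and only with the functions they are allowed.
# The users, resources and requests are constructed sample data.

# Access control matrix: user -> resource -> set of permitted functions.
# Anything not listed is denied (default deny), so a new resource or user is
# unreachable until someone deliberately grants access.
ACCESS_MATRIX = {
    "ar_clerk": {
        "customer_master": {"read"},
        "sales_invoices": {"read", "create"},
    },
    "ar_supervisor": {
        "customer_master": {"read", "update"},
        "sales_invoices": {"read", "create", "approve"},
    },
    "internal_auditor": {
        "customer_master": {"read"},
        "sales_invoices": {"read"},
        "access_log": {"read"},
    },
}


def compatibility_test(user, resource, function):
    """True only if the matrix explicitly grants this function on this resource."""
    return function in ACCESS_MATRIX.get(user, {}).get(resource, set())


def process_requests(requests):
    """requests: list of (user, resource, function).
    Returns (permitted, denied). Each denial carries its reason so the log can be
    reviewed for probing, e.g. a clerk repeatedly trying 'approve'."""
    permitted, denied = [], []
    for user, resource, function in requests:
        if user not in ACCESS_MATRIX:
            denied.append((user, resource, function, "unknown user"))
        elif resource not in ACCESS_MATRIX[user]:
            denied.append((user, resource, function, "no access to resource"))
        elif not compatibility_test(user, resource, function):
            denied.append((user, resource, function, "function not permitted"))
        else:
            permitted.append((user, resource, function))
    return permitted, denied


# Constructed requests: the clerk creating an invoice is fine; the clerk approving
# an invoice, reading the access log, and an unknown account are all refused.
SAMPLE_REQUESTS = [
    ("ar_clerk", "sales_invoices", "create"),
    ("ar_clerk", "sales_invoices", "approve"),
    ("ar_clerk", "access_log", "read"),
    ("ar_supervisor", "sales_invoices", "approve"),
    ("temp_user", "customer_master", "read"),
]

if __name__ == "__main__":
    ok, refused = process_requests(SAMPLE_REQUESTS)
    print("permitted:", ok)
    print("denied:", refused)
```

Note that the clerk's "create" and "approve" on the same invoice file are exactly the pairing segregation of duties is meant to keep apart; the matrix is where that separation is enforced for online users.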
Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
- Train users in PC-related control concepts.
- Restrict access by using locks/keys on PCs.
- Establish policies and procedures.
- Portable PCs should not be stored in cars.
- Back up hard disks regularly.
- Encrypt or password protect files.
- Build protective walls around systems.
- Use multilevel password controls to limit employee access to incompatible data.
Protection of PCs and Client/Server Networks (cont.)
PCs are more vulnerable to security risks than mainframes because:
- It is difficult to restrict physical access.
- PC users are usually less aware of the importance of security and control.
- Many people are familiar with the operation of PCs.
- Segregation of duties is very difficult.
Internet & E-Commerce Controls
Caution is needed when conducting business on the Internet because of:
- the global dependence on the Internet
- the variability in quality, compatibility, completeness, and stability of network products and services
- website security flaws & the attraction of hackers
Controls used to secure Internet activity:
- passwords and encryption technology
- routing verification procedures
- a firewall: a barrier between networks that allows only authorized information to flow into and out of the trusted network
Maintainability Controls: Project Development Controls
To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.
Key elements included in project development control:
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements
Application Controls
The objective of application controls is to ensure the integrity of a specific application's inputs, files, programs, and outputs.
Six categories of application controls:
1. Source data controls
2. Input validation routines
3. Online data entry controls
4. Data processing & file maintenance controls
5. Output controls
6. Data transmission controls
Application Controls: Source Data Controls
There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
- key verification
- check digit verification
- prenumbered forms sequence test
- turnaround documents
- authorization
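Check digit verification, as an added example that is not part of the slides. The slide names the control but no particular scheme; the code below assumes the mod-10 (Luhn) scheme commonly used for account and card numbers, where the last digit is computed from the others so that a single mistyped digit, and most transpositions of adjacent digits, produce a number that fails the check. The account numbers are constructed. The caveat a practitioner should keep in mind: a check digit catches keying errors, not fraud, since anyone who knows the scheme can compute a valid digit for an invented account number.

```python
# Added example, not from the slides: mod-10 (Luhn) check digit computation and
# verification for an account number. The scheme is an assumption; the slide names
# "check digit verification" without specifying one. Sample numbers are constructed.

def luhn_check_digit(body):
    """Compute the check digit to append to a string of digits.
    Working from the right, every other digit is doubled (subtracting 9 when the
    result exceeds 9); the check digit brings the total to a multiple of 10."""
    if not body.isdigit():
        raise ValueError("account number body must be digits only")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # these positions sit next to the check digit, so they are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """True when the last digit is the correct check digit for the digits before it.
    Non-digit input or a lone digit is rejected rather than raising."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def classify_keying_errors(valid_number, candidates):
    """For a list of mistyped versions of a valid number, report which ones the
    check digit would catch and which would slip through as valid."""
    return {c: ("caught" if not luhn_valid(c) else "missed") for c in candidates}


# Constructed sample: body 7992739871 gets check digit 3, so 79927398713 is valid.
VALID_ACCOUNT = "79927398713"
MISTYPED = [
    "79927398716",   # one digit wrong
    "79927398173",   # two adjacent digits transposed (8,1 -> 1,8)
    "79927398713",   # typed correctly
]

if __name__ == "__main__":
    print(luhn_check_digit("7992739871"))
    print(classify_keying_errors(VALID_ACCOUNT, MISTYPED))
```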
Application Controls: Input Validation Routines
Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system.
These programs are called edit programs and the accuracy checks they perform are called edit checks, such as:
- sequence check
- field check
- sign check
- validity check
- limit check
- range check
- reasonableness test
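An edit program that applies all seven checks listed above to a batch of weekly payroll input, as an added example that is not part of the slides. Each check is implemented the way the textbook defines it: a field check on format, a validity check against a master file, a sign and a limit check on the hours field, a range check on the pay rate, a reasonableness test that compares two fields (job class against hours), and a batch-level sequence check on the transaction numbers. The employee master, the thresholds and the six input records are constructed, and the batch is built so that each kind of failure appears once.

```python
# Added example, not from the slides: a small edit program that runs the edit checks
# named on the slide over a batch of weekly payroll input records and separates the
# records that pass from those that fail. The employee master, the limits and the
# records are constructed sample data.
import re

VALID_EMPLOYEE_IDS = {"E1001", "E1002", "E1003"}   # constructed employee master file
MAX_HOURS_PER_WEEK = 60                            # limit check ceiling
PAY_RATE_RANGE = (15.00, 95.00)                    # range check bounds
PART_TIME_MAX_HOURS = 30                           # reasonableness: part-time vs hours


def edit_checks(rec):
    """Return the list of edit-check failures for one record (empty = clean)."""
    errors = []

    # Field check: the employee id must be the letter E followed by four digits.
    emp = str(rec.get("employee_id", ""))
    if not re.fullmatch(r"E\d{4}", emp):
        errors.append("field check: employee_id not in the form E####")
    # Validity check: a well-formed id must also exist on the master file.
    elif emp not in VALID_EMPLOYEE_IDS:
        errors.append("validity check: employee_id not on master file")

    hours = rec.get("hours")
    if not isinstance(hours, (int, float)):
        errors.append("field check: hours is not numeric")
    else:
        # Sign check, then limit check, on the same field.
        if hours < 0:
            errors.append("sign check: hours are negative")
        elif hours > MAX_HOURS_PER_WEEK:
            errors.append(f"limit check: hours exceed {MAX_HOURS_PER_WEEK}")
        # Reasonableness test: one field judged against another.
        if rec.get("job_class") == "PT" and hours > PART_TIME_MAX_HOURS:
            errors.append("reasonableness test: part-time employee over "
                          f"{PART_TIME_MAX_HOURS} hours")

    rate = rec.get("rate")
    if not isinstance(rate, (int, float)):
        errors.append("field check: rate is not numeric")
    elif not PAY_RATE_RANGE[0] <= rate <= PAY_RATE_RANGE[1]:
        errors.append(f"range check: rate outside {PAY_RATE_RANGE}")

    return errors


def sequence_check(records):
    """Batch-level sequence check on transaction numbers: gaps point at lost
    records, duplicates at records entered twice."""
    seqs = [r["seq"] for r in records]
    expected = set(range(min(seqs), max(seqs) + 1))
    return {
        "missing": sorted(expected - set(seqs)),
        "duplicates": sorted({s for s in seqs if seqs.count(s) > 1}),
    }


def run_edit_program(records):
    """Split a batch into accepted records and (record, errors) rejects."""
    accepted, rejected = [], []
    for rec in records:
        errs = edit_checks(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed batch: one clean record, then one failure of each kind.
SAMPLE_BATCH = [
    {"seq": 1, "employee_id": "E1001", "hours": 40, "rate": 25.00, "job_class": "FT"},
    {"seq": 2, "employee_id": "E9999", "hours": 38, "rate": 22.50, "job_class": "FT"},
    {"seq": 3, "employee_id": "E1002", "hours": -8, "rate": 30.00, "job_class": "FT"},
    {"seq": 5, "employee_id": "E1003", "hours": 45, "rate": 18.00, "job_class": "PT"},
    {"seq": 5, "employee_id": "E1003", "hours": 40, "rate": 150.00, "job_class": "FT"},
    {"seq": 6, "employee_id": "1001", "hours": "forty", "rate": 20.00, "job_class": "FT"},
]

if __name__ == "__main__":
    ok, bad = run_edit_program(SAMPLE_BATCH)
    print("accepted:", [r["seq"] for r in ok])
    for rec, errs in bad:
        print("rejected seq", rec["seq"], errs)
    print("sequence:", sequence_check(SAMPLE_BATCH))
```

The order of the checks matters a little: the validity check is only run once the field check has passed, since looking up a malformed id on the master file would just produce a second, less useful error for the same mistake.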
Application Controls: Online Data Entry Controls
Online data entry controls ensure the accuracy and integrity of transaction data entered from online terminals & PCs.
Some online data entry controls are:
- data checks
- user ID numbers and passwords
- compatibility tests
- prompting
- preformatting
- completeness check
- automatic transaction data entry
- transaction log
- clear error messages
Application Controls: Data Processing Controls
Common controls to preserve the accuracy and completeness of data processing:
- data currency checks
- default values
- data matching
- exception reporting
- external data reconciliation
- control account reconciliation
- file security
- file conversion controls
Application Controls: Output Controls
- The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
- Data control is also responsible for distributing computer output to the appropriate user departments.
- Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
- A shredder can be used to destroy highly confidential data.
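Reconciling output and input control totals, as an added example that is not from the slides. Three totals are computed on a batch before processing and again after: the record count, the financial total, and a hash total (the sum of account numbers, a figure with no business meaning whose only purpose is to change if an account number is altered). The batch and the three simulated posting runs are constructed; the point of the three runs is that a dropped record shows up in all three totals, while a payment quietly redirected to another account leaves the count and the financial total untouched and is caught only by the hash total.

```python
# Added example, not from the slides: input and output control totals reconciled around
# a processing step. Three totals are computed on the input batch, the batch is run
# through a simulated posting routine, and the same totals are recomputed on the
# output; any difference is reported. The batch and the posting routines are constructed.

def control_totals(records):
    """Record count, financial total (sum of amounts) and hash total (sum of account
    numbers; meaningless as a number, but it changes if any account number does)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["account"] for r in records),
    }


def reconcile(input_records, output_records):
    """Compare the totals of what went in with what came out.
    Returns {} when in balance, otherwise {total_name: (input_value, output_value)}."""
    before, after = control_totals(input_records), control_totals(output_records)
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}


def post_batch(records):
    """Simulated processing: a correct posting run returns every record unchanged."""
    return [dict(r) for r in records]


def post_batch_dropping_last(records):
    """Faulty run: the last record is lost (e.g. a crash before the final write)."""
    return [dict(r) for r in records[:-1]]


def post_batch_with_substituted_account(records):
    """Fraudulent run: one payment is redirected to a different account. Count and
    financial total are unchanged, so only the hash total can catch it."""
    out = [dict(r) for r in records]
    out[1]["account"] = 10745
    return out


# Constructed batch of supplier payments.
INPUT_BATCH = [
    {"account": 10234, "amount": 1250.00},
    {"account": 10457, "amount": 980.50},
    {"account": 10988, "amount": 310.25},
    {"account": 11002, "amount": 2000.00},
]

if __name__ == "__main__":
    print("clean run:", reconcile(INPUT_BATCH, post_batch(INPUT_BATCH)))
    print("dropped record:", reconcile(INPUT_BATCH, post_batch_dropping_last(INPUT_BATCH)))
    print("substituted account:",
          reconcile(INPUT_BATCH, post_batch_with_substituted_account(INPUT_BATCH)))
```

The same totals are what the data control function compares when it "reconciles corresponding output and input control totals"; the hash total is the one that should be computed on a field an insider would want to change.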
Application Controls: Data Transmission Controls
Companies monitor the network to reduce the risk of data transmission failures.
Data transmission errors can be minimized by:
- using data encryption (cryptography)
- implementing routing verification procedures
- adding parity
- using message acknowledgment techniques
Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
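Two of the transmission controls named above, parity and message acknowledgment, side by side, as an added example that is not part of the slides. Parity is implemented as one even-parity bit per byte; the acknowledgment is built on an HMAC-SHA256 message authentication code from the Python standard library under a shared key, which is an assumption (the slide says "cryptography" and "acknowledgment" without naming a construction). The key and the EFT message are constructed. The example shows the difference that matters for EFT: parity catches a single flipped bit but not two, and catches nothing when an attacker rewrites the message and re-frames it, whereas the MAC rejects the altered message and the acknowledgment is bound to the exact bytes received.

```python
# Added example, not from the slides: a parity check beside a message authentication
# code, to show what each of the two transmission controls actually catches. Parity
# is one bit per byte here; the MAC is HMAC-SHA256 from the standard library under a
# shared key. The key and the message are constructed.
import hmac
import hashlib

SHARED_KEY = b"constructed-demo-key-not-for-real-use"   # assumed pre-shared by both parties


def parity_of(byte):
    """Even-parity bit: 1 when the byte has an odd number of 1 bits."""
    return bin(byte).count("1") & 1


def frame_with_parity(data):
    """Attach a parity bit to each byte, as a serial link would."""
    return [(b, parity_of(b)) for b in data]


def parity_errors(frame):
    """Indices of bytes whose stored parity no longer matches their content."""
    return [i for i, (b, p) in enumerate(frame) if parity_of(b) != p]


def flip_bits(frame, index, bit_positions):
    """Simulate line noise: flip the given bits of one byte, leaving its parity bit."""
    frame = list(frame)
    b, p = frame[index]
    for bit in bit_positions:
        b ^= 1 << bit
    frame[index] = (b, p)
    return frame


def mac(message):
    return hmac.new(SHARED_KEY, message, hashlib.sha256).hexdigest()


def send(message):
    """Sender transmits the message together with its MAC."""
    return message, mac(message)


def receive(message, received_mac):
    """Receiver verifies the MAC in constant time. On success it returns an
    acknowledgment bound to the exact bytes received; on failure it returns None,
    so a tampered message is neither processed nor acknowledged."""
    if not hmac.compare_digest(mac(message), received_mac):
        return None
    return mac(b"ACK:" + message)


def ack_is_valid(message, ack):
    """Sender checks that the acknowledgment refers to what it actually sent."""
    return ack is not None and hmac.compare_digest(ack, mac(b"ACK:" + message))


# Constructed EFT instruction.
MESSAGE = b"PAY 1250.00 TO ACCT 10457"


def tamper(message):
    """An attacker on the wire changes the beneficiary account. Parity is computed
    from the bytes themselves, so the altered message re-frames with clean parity."""
    return message.replace(b"10457", b"10745")


if __name__ == "__main__":
    frame = frame_with_parity(MESSAGE)
    print("one-bit error detected at:", parity_errors(flip_bits(frame, 0, [0])))
    print("two-bit error detected at:", parity_errors(flip_bits(frame, 0, [0, 1])))
    print("tampered frame parity errors:", parity_errors(frame_with_parity(tamper(MESSAGE))))
    msg, tag = send(MESSAGE)
    print("ack for tampered message:", receive(tamper(msg), tag))
    print("ack for genuine message valid:", ack_is_valid(MESSAGE, receive(msg, tag)))
```

Parity belongs in the "transmission errors" column of the slide; the MAC-bound acknowledgment is what makes the acknowledgment technique a security control rather than only a delivery receipt. Encrypting the message would hide the account number but, on its own, would not stop an attacker from altering the ciphertext, which is why integrity protection is needed alongside it.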
Application Controls: Data Transmission Controls (cont.)
Sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.
General Controls
General controls ensure that the overall computer system is stable and well managed:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers & client/server networks
12. Internet controls
End of Lecture 5