Information Systems Controls
Lecture 5 (Chapters 6, 7 & 8)

Lecture 5-2: Introduction
Learning objectives:
1. Explain the basic concepts of control as applied to business organizations.
2. Describe the major elements in the control environment of a business.
3. Describe control policies and procedures commonly used in business organizations.
4. Evaluate a system of internal control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
5. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart

Lecture 5-3: Threats to AIS
Natural and political disasters:
– fire / heat / floods / earthquakes / winds / war
Software errors and equipment malfunctions:
– hardware failures / power outages / data transmission errors
Unintentional acts:
– accidents / lost data / human and logic errors / systems that do not meet company needs
Intentional acts:
– sabotage / computer fraud / embezzlement

Lecture 5-4: AIS Threats Are Increasing
Due to:
– the increasing number of client/server systems
– LANs and client/server systems distribute data to many users, which is harder to control than a mainframe
– WANs are giving customers and suppliers access to each other's systems and data, e.g. Wal-Mart and its vendors
– better computer knowledge in the population
Therefore, computer control and security are important.

Lecture 5-5: Control Concepts
Internal control is the plan and methods a business uses to:
1. safeguard assets
2. provide accurate and reliable information
3. promote and improve operational efficiency
4. encourage adherence to managerial policies.
Management control encompasses:
1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities and to achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.

Lecture 5-6: Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

Lecture 5-7: Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Lecture 5-8: COSO's Internal Control Model Components
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring performance

Lecture 5-9: COSO's Model of Internal Control
Control environment:
1. Commitment to integrity and ethical values
2. Management philosophy
3. Emphasis on knowledge and skills
4. Effective audit committee
5. Assigning authority
6. Executive competence
Control activities:
1. Policies and procedures
2. Authorization of transactions
3. Segregation of duties
4. Design and use of adequate documentation
5. Safeguarding of assets and records
6. Independent checks on performance
Risk assessment:
1. Identify threats
2. Estimate risk
3. Estimate exposure
4. Identify controls
5. Estimate costs and benefits
6. Determine cost-benefit effectiveness
Information and communication:
1. Understanding of the transaction process
2. Audit trail of transactions: identify, classify and record at the proper monetary value and in the proper accounting period
3. Effective communication and proper disclosure
Monitoring performance:
1. Effective supervision: training, monitoring performance, safeguarding assets
2. Responsibility accounting: budgets, costing, performance reports
3. Internal audit

Lecture 5-10/5-11: Segregation of Duties
Custodial functions:
– handling cash
– handling assets
– writing checks
– receiving checks in the mail
Recording functions:
– preparing source documents
– maintaining journals
– preparing reconciliations
– preparing performance reports
Authorization functions:
– authorization of transactions
If two of these three functions are the responsibility of a single person, problems can arise. Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them, and prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Lecture 5-12: Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information

Lecture 5-13: Estimate Costs and Benefits
No internal control system can provide foolproof protection against all internal control threats; the cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss. The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
Expected loss = risk × exposure

Lecture 5-14: Information and Communication
Audit trail: an audit trail exists when individual company transactions can be traced through the system.
It provides evidence that transactions are:
– properly classified
– recorded at their proper monetary value
– recorded in the proper accounting period
– properly presented, with related disclosures, in the financial statements

Lecture 5-15: Principles of a Reliable System
Availability:
– minimizing system downtime
– disaster recovery plan
Security controls:
– segregation of duties
– physical access control
– logical access control
– protection of computers and client/server networks
– Internet/e-commerce control
Maintainability:
– project development and acquisition controls
– change management control
Integrity:
– source data controls
– input validation routines
– online data entry controls
– data processing and storage controls
– output controls
– data transmission controls

Lecture 5-16: Security Controls
– segregation of duties within the systems function
– physical access control
– logical access control
– protection of personal computers and client/server networks
– Internet and e-commerce control

Lecture 5-17: Segregation of Duties Within the Systems Function
Organizations must implement compensating control procedures.
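An added example (not code from the textbook or the lecture) of the rule on the Segregation of Duties slide above: each task is classified as custody, recording or authorization using the task lists from that slide, and any person whose tasks span two or more of those types is flagged; the names and assignments are constructed for illustration.

```python
# Added example (not from the Romney/Steinbart slides): checking role
# assignments against the segregation-of-duties rule that no one person
# should hold two of the three function types (custody, recording,
# authorization). Task names and assignments are constructed for illustration.

# Each task is classified into one of the three incompatible function types,
# following the task lists on the Segregation of Duties slide.
FUNCTION_OF_TASK = {
    "handle cash": "custody",
    "handle assets": "custody",
    "write checks": "custody",
    "receive checks in mail": "custody",
    "prepare source documents": "recording",
    "maintain journals": "recording",
    "prepare reconciliations": "recording",
    "prepare performance reports": "recording",
    "authorize transactions": "authorization",
}


def functions_held(tasks):
    """Return the set of function types covered by a person's tasks.
    An unclassified task raises, so an unknown duty cannot slip past the check."""
    try:
        return {FUNCTION_OF_TASK[t] for t in tasks}
    except KeyError as exc:
        raise ValueError(f"unclassified task: {exc.args[0]}") from None


def sod_conflicts(assignments):
    """Return {person: sorted function types} for every person whose tasks
    fall into two or more of the three function types."""
    conflicts = {}
    for person, tasks in assignments.items():
        held = functions_held(tasks)
        if len(held) >= 2:
            conflicts[person] = sorted(held)
    return conflicts


# Constructed sample assignments (not real data).
SAMPLE_ASSIGNMENTS = {
    # Receives customer checks and also keeps the journals: custody + recording,
    # the combination that lets a theft be hidden by a false entry.
    "alice": ["receive checks in mail", "maintain journals"],
    # Custodial duties only: no conflict under this rule.
    "bob": ["handle cash", "write checks"],
    # Approves transactions and prepares the documents that support them.
    "carol": ["authorize transactions", "prepare source documents"],
    # Recording only.
    "dave": ["prepare reconciliations", "prepare performance reports"],
}

if __name__ == "__main__":
    for person, funcs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD conflict: {person} holds {' + '.join(funcs)}")
```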
Authority and responsibility must be clearly divided among the following functions:
1. Systems analysis
2. Programming
3. Computer operations
4. Users
5. AIS library
6. Data control

Lecture 5-18: Physical Access Controls
How can physical access security be achieved?
– placing computer equipment in locked rooms and restricting access to authorized personnel
– having only one or two entrances to the computer room
– requiring proper employee ID
– requiring that visitors sign a log
– installing locks on PCs

Lecture 5-19: Logical Access Controls
Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.
What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests

Lecture 5-20: Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks. The following controls are also important:
– Train users in PC-related control concepts.
– Restrict access by using locks/keys on PCs.
– Establish policies and procedures.
– Portable PCs should not be stored in cars.
– Back up hard disks regularly.
– Encrypt or password-protect files.
– Build protective walls around systems.
– Use multilevel password controls to limit employee access to incompatible data.

Lecture 5-21: Protection of PCs and Client/Server Networks (continued)
PCs are more vulnerable to security risks than mainframes because:
– It is difficult to restrict physical access.
– PC users are usually less aware of the importance of security and control.
– Many people are familiar with the operation of PCs.
– Segregation of duties is very difficult.

Lecture 5-22: Internet and E-Commerce Controls
Caution is needed when conducting business on the Internet because of:
– the global dependence on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
– website security flaws and the attraction of hackers
Controls used to secure Internet activity:
– passwords and encryption technology
– routing verification procedures
– firewalls: a firewall is a barrier between networks that does not allow information to flow into and out of the trusted network.

Lecture 5-23: Maintainability Controls: Project Development Controls
To minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.
Key elements included in project development control:
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements

Lecture 5-24: Application Controls
The objective of application controls is to ensure the integrity of a specific application's inputs, files, programs, and outputs.
Six categories of application controls:
1. Source data controls
2. Input validation routines
3. Online data entry controls
4. Data processing and file maintenance controls
5. Output controls
6. Data transmission controls

Lecture 5-25: Application Controls: Source Data Controls
There are a number of source data controls that regulate the accuracy, validity, and completeness of input:
– key verification
– check digit verification
– prenumbered forms sequence test
– turnaround documents
– authorization

Lecture 5-26: Application Controls: Input Validation Routines
Input validation routines are programs that check the validity and accuracy of input data as they are entered into the system. These programs are called edit programs, and the accuracy checks they perform are called edit checks, such as:
– sequence check
– field check
– sign check
– validity check
– limit check
– range check
– reasonableness test

Lecture 5-27: Application Controls: Online Data Entry Controls
Online data entry controls ensure the accuracy and integrity of transaction data entered from online terminals and PCs. Some online data entry controls are:
– data checks
– user ID numbers and passwords
– compatibility tests
– prompting
– preformatting
– completeness check
– automatic transaction data entry
– transaction log
– clear error messages

Lecture 5-28: Application Controls: Data Processing Controls
Common controls to preserve the accuracy and completeness of data processing:
– data currency checks
– default values
– data matching
– exception reporting
– external data reconciliation
– control account reconciliation
– file security
– file conversion controls

Lecture 5-29: Application Controls: Output Controls
The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals. Data control is also responsible for distributing computer output to the appropriate user departments. Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive. A shredder can be used to destroy highly confidential data.

Lecture 5-30: Application Controls: Data Transmission Controls
Companies monitor networks to reduce the risk of data transmission failures. Data transmission errors can be minimized by:
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques
Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).

Lecture 5-31: Application Controls: Data Transmission Controls (continued)
Sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.
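An added example, not from the textbook: the edit checks named on the Input Validation Routines slide (field, sign, limit, range, validity, reasonableness, sequence) run over constructed sales-order records, with a mod-10 (Luhn) check digit test standing in for the check digit verification source data control; the field names, limits, product master and the choice of Luhn are assumptions.

```python
# Added example, not the textbook's code: edit checks from the Input
# Validation Routines slide over constructed sales-order records, plus a
# mod-10 (Luhn) check digit test as one instance of check digit verification.
VALID_PRODUCTS = {"P100", "P200", "P300"}   # constructed product master file
CREDIT_LIMIT = 5000.00                      # assumed upper limit per order
QTY_RANGE = (1, 500)                        # assumed acceptable quantity range

def luhn_valid(number: str) -> bool:
    """Check digit verification: last digit must be the mod-10 check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit
            d = d * 2 - 9 if d >= 5 else d * 2
        total += d
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Return the names of the edit checks that one record fails."""
    failed = []
    if not luhn_valid(rec.get("customer_no", "")):
        failed.append("check digit")
    qty, amount = rec.get("qty"), rec.get("amount")
    # field check: numeric fields must hold numbers before anything else runs
    if not isinstance(qty, int) or not isinstance(amount, (int, float)):
        return failed + ["field check"]
    if amount < 0:
        failed.append("sign check")           # a sale amount is never negative
    if amount > CREDIT_LIMIT:
        failed.append("limit check")          # one-sided upper bound
    if not QTY_RANGE[0] <= qty <= QTY_RANGE[1]:
        failed.append("range check")          # two-sided bounds
    if rec.get("product") not in VALID_PRODUCTS:
        failed.append("validity check")       # lookup against the master file
    if qty and abs(amount / qty - rec.get("unit_price", 0)) > 0.01:
        failed.append("reasonableness test")  # amount should be qty x price
    return failed

def sequence_check(records: list) -> list:
    """Return transaction numbers that break ascending order in a batch."""
    out_of_order, last = [], None
    for rec in records:
        if last is not None and rec["txn"] <= last:
            out_of_order.append(rec["txn"])
        last = rec["txn"]
    return out_of_order

# Constructed batch: 79927398713 passes Luhn, 79927398710 does not.
SAMPLE_BATCH = [
    {"txn": 1001, "customer_no": "79927398713", "product": "P100",
     "qty": 10, "unit_price": 20.0, "amount": 200.0},
    {"txn": 1002, "customer_no": "79927398710", "product": "P999",
     "qty": 900, "unit_price": 20.0, "amount": -18000.0},
    {"txn": 1002, "customer_no": "79927398713", "product": "P200",
     "qty": 5, "unit_price": 20.0, "amount": 150.0},
]
```

Run `edit_checks` on each record and `sequence_check` on the batch: the second record fails five checks at once and the duplicated transaction number 1002 is reported by the sequence check.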
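Another added example, not from the slides: a toy sender/receiver exchange showing two of the data transmission controls listed above, a parity bit on each byte and message acknowledgment with retransmission, including the fault that parity cannot catch; the frame layout, the ACK/NAK replies and the fault model are assumptions.

```python
# Added example, not from the slides: a toy sender/receiver exchange showing
# two of the transmission controls listed above, a parity bit on every byte
# and message acknowledgment with retransmission. The frame layout and the
# ACK/NAK replies are assumptions made for this illustration.

def add_parity(data: bytes) -> list:
    """Sender side: put an even-parity bit in bit 7 of each 7-bit byte."""
    frames = []
    for b in data:
        if b >= 128:
            raise ValueError("7-bit payload assumed")
        ones = bin(b).count("1")
        frames.append(b | ((ones % 2) << 7))   # total 1-bits becomes even
    return frames

def check_parity(frames: list):
    """Receiver side: the payload, or None if any frame has odd parity."""
    if any(bin(f).count("1") % 2 for f in frames):
        return None
    return bytes(f & 0x7F for f in frames)

class Receiver:
    def __init__(self):
        self.delivered = []                    # messages accepted as good
    def receive(self, frames):
        payload = check_parity(frames)
        if payload is None:
            return "NAK"                       # ask the sender to resend
        self.delivered.append(payload)
        return "ACK"

def send(message: bytes, receiver, channel, max_retries=3) -> list:
    """Send with acknowledgment: resend on NAK, up to max_retries times.
    Returns the list of replies so the exchange can be inspected."""
    frames = add_parity(message)
    replies = []
    for _ in range(max_retries + 1):
        reply = receiver.receive(channel(list(frames)))   # copy: keep original
        replies.append(reply)
        if reply == "ACK":
            break
    return replies

def make_channel(faults_per_attempt):
    """Constructed channel fault model: on each successive attempt flip the
    listed (frame index, bit) positions; later attempts pass through clean."""
    attempts = list(faults_per_attempt)
    def channel(frames):
        for index, bit in (attempts.pop(0) if attempts else []):
            frames[index] ^= 1 << bit
        return frames
    return channel

if __name__ == "__main__":
    rx = Receiver()
    # one flipped bit in frame 4 (the '1' of "100") is caught and the resend succeeds
    print(send(b"PAY 100", rx, make_channel([[(4, 0)]])), rx.delivered)
    # two flipped bits in the same frame keep parity even: "100" arrives as "200"
    print(send(b"PAY 100", rx, make_channel([[(4, 0), (4, 1)]])), rx.delivered)
```

A single-bit fault is NAKed and resent, but a two-bit fault in the same byte keeps the parity even and turns "PAY 100" into "PAY 200" undetected, which is why parity alone is a weak control for EDI or EFT traffic.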
Lecture 5-32: General Controls
General controls ensure that the overall computer system is stable and well managed:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers and client/server networks
12. Internet controls

Lecture 5-33: End of Lecture 5