GENERAL OR APPLICATION CONTROL?
advertisement
GENERAL AND APPLICATION CONTROLS PLACEMENT OF CONTROLS CONTROLS CAN RESIDE IN: MANAGEMENT POLICIES AND PROCEDURES JOB DESCRIPTIONS OPERATING PROCEDURES COMPUTER SOFTWARE COMPUTER HARDWARE PHYSICAL SECURITY MEASURES controls often work best when combined with other controls. GENERAL CONTROLS 1. ORGANIZATIONAL CONTROLS/SEGREGATION OF DUTIES authorization of transactions vs. recording of transactions custody of assets vs. maintenance of related accounting records information services dept. vs. other depts. data base administrator vs. programmers systems development vs. computer operations program development vs. program testing rotation of assignments within an operational group enforced vacations bonding insurance for employees that handle cash 2. SYSTEMS DEVELOPMENT & MAINTENANCE CONTROLS (for example POS Terminal conversion) AUTHORIZATION OF NEW SYSTEMS AND CHANGES SYSTEMS DEVELOPMENT LIFE CYCLE METHODOLOGY –SDLC 1. ANALYZE NEEDS-REQUIREMENT RESOURCES (USERS) 2. DESIGN-PLAN 3. IMPLEMENT 4. TEST 5. FEEDBACK-EVALUATION (when changing the system-you run parallel, old/new concurrent) WRITTEN SPECIFICATIONS USER, INTERNAL AUDITOR (works for the company), EXTERNAL AUDITOR(works for an outside firm) PARTICIPATION. MUST HAVE TEAM & BUDGET (cost & timeline) FORMAL TESTING AND APPROVAL (sign off each step) USE OF A STEERING COMMITTEE 3. SYSTEMS DOCUMENTATION CONTROLS MANUALS, NARRATIVES, FLOWCHARTS PROVIDE A BASIS FOR RECONSTRUCTION OF THE SYSTEM IN CASE OF DAMAGE OR DESTRUCTION SYSTEM SHOULD BE DOCUMENTED TO PROVIDE BASIS FOR EFFECTIVE OPERATION, USE, AUDIT, AND FUTURE SYSTEM ENHANCEMENT CONTROLS MITIGATE THE RISK THAT PERSONNEL ARE NOT PROPERLY TRAINED DOCUMENTATION SHOULD BE PREPARED, APPROVED, MAINTAINED, AND DISSEMINATED IN ACCORDANCE WITH FORMAL ESTABLISHED DOCUMENTATION STANDARDS PREPARATION STANDARDS APPROVAL STANDARDS MAINTENANCE STANDARDS-how often updated or reviewed DISSEMINATION STANDARDS-distributed on need to know basis, who gets copies 4. PHYSICAL SECURITY MEASURES FOR HARDWARE, SOFTWARE, AND DOCUMENTATION HARDWARE SECURITY MEASURES SECURED COMPUTER AREA SMOKE AND WATER DETECTORS FIRE SUPPRESSION DEVICES BURGLAR ALARMS SURVEILLANCE CAMERAS INDIVIDUAL LOCKS (piggybacking-someone leaving the door open or not signing off the computer opens the door for unauthorized users) SECURITY PERSONNEL IDENTIFICATION OF PERSONNEL BIOMETRIC (using physical characteristics to verify one’s identity to the computer system) HARDWARE AUTHENTICATION SOFTWARE AND DOCUMENTATION SECURITY MEASURES INFORMATION SERVICES LIBRARY AUTHORIZED USE LOGGING PROCEDURES FOR CHECKOUT 5. RECOVERY CONTROLS Technology Issues) (always in the AICPA Top 10 PREMATURE TERMINATION CONTROLS-the power source is terminated, need a battery source FATHER -SON VERSIONS OF MASTER FILES BEFORE-AND-AFTER IMAGES OF DATA BASE RECORDS PROCEDURES FOR REINSTATING FILES PROCEDURES FOR RERUNNING PROGRAMS PROCEDURES FOR RECALLING CONTAMINATED OUTPUT ROLLBACK PROCESSING (checkpoint) DISK SHADOWING, DISK MIRRORING (save 2 copies) POWER FAILURE CONTROLS UNINTERRUPTIBLE POWER SOURCES ALTERNATIVE PROCESSING FACILITIES o COLD SITE-wiring (no equipment) o WARM SITE-equipment available; no data; cost more than cold o HOT SITE-has everything(software, data files, computers); cost more than hot EMERGENCY REPAIRS TEAM NATURAL DISASTER, ACCIDENTS, SABOTAGE CONTINGENCY PLANNING SPECIAL TRAINING TEAM SIMULATION EXERCISES-earthquake/fire drills ALTERNATIVE PROCESSING FACILITIES OFF-SITE STORAGE OF COPIES OF PROGRAMS, FILES, AND SYSTEMS DOCUMENTATION 6. SOFTWARE BASED PROGRAM AND DATA ACESS CONTROLS USER AUTHENTICATION IDENTIFICATION CODES PASSWORD SYSTEM - LEVELS OF ACCESS (how much you can see) a good password is a combo of letter & number, it should be case sensitive and be able to take symbols; changed frequently; “cracked” password allows id to be stolen-piggybacking LOG OUT, LOG OFF (timed out/turns off) ALLOWABLE USER FUNCTIONS-CONTROL UNAUTHORIZED ACCESS LIMIT FUNCTIONS BY USERS ASSIGN SCOPE OF ACCESS TO DATA RESTRICT ACCESS TO DATA FILES LIMIT USE OF TERMINALS-DUMB TERMINALS (no CPU), DESIGNATED TERMINALS, DISKLESS (no disk drives--to block viruses, unauthorized taking of work home, loading unauthorized softwares) WORKSTATIONS, USE OF CENTRAL FILE SERVERS (restrict view of data) CREATION OF AUDIT TRAIL (tested by CISA—audit the black box) UNALTERABLE LOG OF ACTUAL AND ATTEMPTED ACCESSES ASSIGNED RESPONSIBILITY TO REVIEW LOG LOG IS CREATED BY THE OPERATING SYSTEM OF THE COMPUTER 7. DATA BASE CONTROLS USER AUTHENTICATION ALLOWABLE USER FUNCTIONS CREATION OF AUDIT TRAIL USE OF LOGICAL VIEWS OF DATA DATA ENCRYPTION 8. TELECOMMUNICATION CONTROLS DATA ACCESS CONTROLS MESSAGE SECURITY CONTROLS-- # MESSAGE, USE PASSWORD, KEEP TRACK OF # OF BITS, PACKETS IN THE MESSAGE (sent should equal received) AUTOMATIC DIAL BACK OR CALL BACK (dials into system, verifies your access by calling you back where you should be, if not verified turns you off) e.g activating a credit card by phone,GPS USE OF A HARD WIRED NETWORK VERIFICATION OF AUTHORIZATION OF RECEIVING STATION DATA ENCRYPTION-key is needed to view the information Public key-recipient gets this to decode the message Private key-codes the message SECURITY MODEM--REQUIRES USE OF PASSWORDS FOR ACCESS TO THE NETWORK NETWORK DATA BASE--DETERMINES WHICH WORKSTATIONS ARE AUTHORIZED TO CONNECT TO OTHERS AND WHICH CAN ACCESS CERTAIN SOFTWARE AUTOMATIC LOG OFF DATA ACCURACY AND COMPLETENESS CONTROLS =MESSAGE INTEGRITY CONTROLS PROTECT COMMUNICATION CHANNELS AND NETWORKS FROM LOSS OR DISTORTION OF DATA OR ROUTING DATA TO WRONG DESTINATIONS PARITY BIT --9TH BIT, EVEN OR ODD 9th bit is generated by the machine-lets you know that an error has occurred in the data transmission (already programmed to be an even or an odd) 8 bits to a byte-uses 0(off) & 1(on) ERROR DETECTION CODES IN TRAILER (last record, with summary info.) HEADER (comes first, identification record, tells you what is coming and how many pages) ACKNOWLEDGMENT SIGNALS DOWNTIME CONTROLS ! ALTERNATIVE COMMUNICATION CHANNELS DIAL UP TELEPHONE LINES VS. LEASED LINES www.calcpa.org/TBRG 9. COMPUTER OPERATIONS CONTROLS MAINTENANCE CONTROLS SCHEDULED MAINTENANCE (cleaning the machine) OPERATIONS CONTROLS AUTHORIZED OPERATIONS SCHEDULED OPERATIONS ACTIVITY LOG (keeps track of all activities) ASSIGNED RESPONSIBILITY TO REVIEW LOG WORKSTATION OPERATING PROCEDURES 10. COMPUTER HARDWARE CONTROLS-built into the computer by the manufacturer DUAL READ CHECK - data are read twice during input and compared FIRMWARE-sequence of instructions (software) is substituted for hardware circuits and cannot be altered by the applications programmer DUPLICATE CIRCUITRY-double wiring of key hardware elements ensures no malfunctioning ECHO CHECK -data received by output device is transmitted back to the source unit for comparison with the original data (info echoed between printer/cpu, monitor/mouse, monitor/tower) PARITY CHECK-bit of information is added to the data being processed in order to help ensure that no bits are lost in data transfers between input-process-output functions INTERLOCK-hardware device that prevents more than 1 peripheral unit from communicating with the CPU at the same time BOUNDARY PROTECTION-protection against unauthorized entry (read or write) to a tape, disk, or other storage device VALIDITY CHECK -bit pattern is checked to determine that the combination of the "on" and "off" bits is valid within the character set of the computer (not valid code check, this is checking combo of 0 and 1) FILE PROTECTION RING-removable plastic or metal ring prevents improper use of a magnetic tape file REVERSE MULTIPLICATION -roles of the original multiplicand and multiplier are reversed and the new product is compared with the original product UNINTERRUPTIBLE POWER SYSTEMS-battery and generator systems are provided for temporary backup in the event of power failure until normal electricity is restored GRACEFUL DEGRADATION-when certain hardware components malfunction others can be programmed to continue processing but on less efficient basis(safe mode-the machine is not running at full capacity, but will work) OVERFLOW CHECK-data are checked and a signal is activated when data are lost through arithmetic operations that exceed the planned capacity of receiving fields or registers (making sure information is saved properly) COMPUTER APPLICATION CONTROLS BASIC OBJECTIVES OF APPLICATION CONTROLS ARE: 1. ALL AUTHORIZED TRANSACTIONS ARE COMPLETELY PROCESSED ONCE & ONLY ONCE 2. TRANSACTION DATA ARE COMPLETE & ACCURATE 3. TRANSACTION PROCESSING IS CORRECT AND APPROPRIATE TO THE CIRCUMSTANCES. 4. PROCESSING RESULTS ARE UTILIZED FOR THE INTENDED BENEFITS. 5. THE APPLICATION CAN CONTINUE TO FUNCTION. (detects the errors & fix in a timely manner) INPUT CONTROLS: AUTHORIZATION CONTROLS GENERAL AUTHORIZATIONS--CLASS OF TRANSACTIONS SPECIFIC AUTHORIZATIONS --1 TRANSACTION i.e. FILE MAINTENANCE TRANSACTIONS DONE BY SIGNATURES OR AUTHORIZATION CODES PASSWORDS--LEVELS OF ACCESS (a good password is a combo of letter & number, it should be case sensitive and be able to take symbols) DATA CAPTURE CONTROLS-need good screens in order to capture all the data you need SOURCE DOCUMENTS ELECTRONIC DATA CAPTURE REDUNDANT STORAGE DEVICES FORM DESIGN CLASSIFICATION AND IDENTIFICATION CONTROLS SOURCE CODE REFERENCE NUMBER TAG ACCOUNT NUMBER USE OF CONSECUTIVE NUMBERING-sequential DATA ENTRY CONTROLS SCREEN INPUT PROMPTS-tells you if something is not completed or put in wrong SCREEN MENUS READBACK FORMATTED INPUT VISUAL VERIFICATION-human actual sees it (rationality) EXCEPTION INPUT--ERRORS DATA VERIFICATION CONTROLS – EDIT CHECKS--see record layout question VALID DATA TYPE- alpha (A), numeric (N), combo (AN) VALID FIELD LENGTH- # at the bottom of field VALID COMBINATION OF FIELDS-compare the fields to each other (is the city in the state, is the zip in the state) LOGICAL RELATIONSHIPS-Greater Than, Less Than, = COMPLETENESS CHECKS--CHECKS FOR BLANK SPACES OR FIELDS SEQUENCE CHECKS OF TRANSACTION, DOCUMENT OR BATCH NUMBERS REASONABLENESS CHECK OF NUMERIC AMOUNTSe.g the minimum balance should be reasonable to the current balance amount VALID CODE CHECK--VALID ACCOUNT NUMBER OR CODE (LOOK UP VALUE IN A TABLE) LIMIT TEST--TEST OF AMOUNTS –(range test, acceptable lower and higher limits e.g. gpa is between 0-4)) OVERFLOW TESTS--SIZE OF FIELD SIGN TEST--CHECKING APPROPRIATE SIGN -POSITIVE OR NEGATIVE NUMBERS CHECK DIGIT-used to catch transposition errors -- an algorithm or formula that is used with the customer number calculates the check digit—a transposed customer or account number produces an incorrect check digit FORMAT CHECK More INPUT CONTROLS: TRANSMITTAL DOCUMENT (BATCH CONTROL TICKET) BATCH SEQUENCE-SERIAL NUMBERS CONTROL REGISTER-BATCH CONTROL LOG (TIME, TOTAL) AMOUNT CONTROL TOTAL DOCUMENT CONTROL TOTAL LINE CONTROL TOTAL HASH TOTAL=NON ACCOUNTING TOTAL BATCH CONTROL TOTAL=ACCOUNTING TOTAL (FINANCIAL USE) DATING BY COMPUTER – COMPUTER AUTOMATICALLY ASSIGNS DATE TO THE TRANSACTION (DEFAULT) KEY VERIFICATION-DATA IS ENTERED/KEYED IN TWICE BY TWO SEPARATE OPERATORS EXPIRATION-COMPUTER CHECKS DATES (DISCOUNT PERIOD) PROCESSING CONTROLS: WRITTEN PROCEDURES MECHANIZATION STANDARDIZATION PRENUMBERED DOCUMENTS DEFAULT OPTION BATCH CONTROLS RECORD COUNT CONTROL TOTAL HASH TOTAL BATCH TRANSMITTAL TICKET BATCH CONTROL REPORT CONTROL TOTAL ANALYSIS--BATCH BALANCING, RUN-TO-RUN TOTALS DOCUMENT AUDITS REDUNDANT PROCESSING RECONCILIATION PURPOSES USE OF SUMMARY PROCESSING TICKLER FILE-waiting for an event to occur and then remaining transactions update or close HEADER AND TRAILER RECORD LABELS AND TOTALS AUTOMATED ERROR CORRECTION OUTPUT CONTROLS: Controls over REPORTS, CHECKS, DOCUMENTS COMPLETENESS AND ACCURACY CONTROLS HEADER AND TRAILER PAGES OUTPUT SECURITY CONTROLS MINIMUM NUMBER OF COPIES AUTHORIZED PROCEDURES FOR DISPOSAL OF EXCESS OUTPUT CUSTODY OF PREPRINTED DOCUMENT FORMS LOG OF ISSUED &VOIDED PREPRINTED DOCUMENT FORMS RESPONSIBILITY FOR SENSITIVE MATERIAL DUAL CUSTODY OF NEGOTIABLE DOCUMENTS PRIVACY OF TERMINALS RECONCILIATION ERROR DISCREPANCY REPORTS UPSTREAM RESUBMISSION-resubmit corrections at the beginning of the process to go through edit check again USE OF PERIODIC AUDIT SUSPENSE FILE, SUSPENSE ACCOUNT-errors that are stuck in the system, they need to be fixed FILE CONTROLS: GENERAL OR APPLICATION CONTROL? Depends on the textbook you look at FILE CUSTODY CONTROLS SECURE LOCATION FILE LIBRARY AUTHORIZED USE LOGGING PROCEDURES FOR CHECKOUT ASSIGNED RESPONSIBILITY FORMAINTENANCE RECORD RETENTION POLICIES FILE PROCESSING CONTROLS FILE LABEL - INTERNAL (stored electronically inside the disk) & EXTERNAL FILE LABELS (actual label on outside of disk) FILE PROTECTION RING MACHINE READABLE FILE DIRECTORY FATHER-SON VERSIONS OF MASTER FILES BEFORE AND AFTER RECORD IMAGING VERIFICATION OF INTEGRITY OF INDEX FILES, POINTERS, AND OTHER LINKAGES FILE BACKUP CONTROLS SECURE OFF-SITE LOCATION SCHEDULED BACK-UP (back up hard drive)
