Chapter 8:
Controlling Information
Systems: Introduction to
Pervasive Controls
Accounting Information Systems, 9e
Gelinas ►Dull ► Wheeler
© 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated,
in
whole or in part, except for use as permitted in a license distributed with a certain product
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
or or
service
ona a
password-protected
website
for classroom
use
distributed with a certain product
serviceor
or otherwise
otherwise on
password-protected
website
for classroom
use.
Learning Objectives
Describe the major pervasive controls that
organizations employ as part of their internal
control structure.
Explain how pervasive controls help ensure
continuous, reliable operational and IT
processes.
Appreciate how an organization must plan and
organize all resources, including IT resources,
to ensure achievement of its strategic vision.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Learning Objectives (cont’d)
Overview the major controls used to manage
the design and implementation of new
processes, especially new IT processes.
Appreciate the integral part played by the
monitoring function in ensuring the overall
effectiveness of a system of internal controls.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Suggested Exercise Questions
SP 8-1 on page 290
SP 8-2 on page 291
P 8-2 on page 293
P 8-3 on page 293
P 8-4 on page 294
P 8-5 on page 295
P 8-6 on page 295
P 8-7 on page 296
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Organizational Governance
and IT Governance
Organizational governance: processes employed
by organizations to select objectives, establish
processes to achieve objectives, and monitor
performance.
IT governance: process that ensures the
enterprise’s IT sustains and extends the
organization’s strategies and objectives.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Hypothetical Computer System
(large size organization)
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Information Systems Organization
(large size organization)
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Summary of IT Organization Functions
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Summary of IT Organization Functions
(cont’d)
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Summary of IT Organization
Functions (cont’d)
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Control Objectives for Information
and Related Technology (COBIT)
Provides guidance on the best practices for the
management of information technology.
 IT resources must be managed by IT control
processes to ensure an organization has the
information it needs to achieve its objectives.
Provides a framework to ensure that IT:
 is aligned with the business.
 enables the business and maximizes benefits.
 resources are used responsibly.
 risks are managed appropriately.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
IT Control Process Domains
COBIT groups IT control processes into four
broad domains:
 Plan and organize
 Acquire and implement
 Deliver and support
 Monitor and evaluate
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
IT Control Domains and Processes
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Stakeholders in AIS
A stakeholder is any person who has an interest
in an existing or proposed AIS. Stakeholders can
be technical or nontechnical workers. They may
also include both internal and external workers.
 System owners
 System users
 System designers
 System builders
 Systems analysts (project managers)
System Owners
System owners –responsible for funding the project of
developing, operating, and maintaining the information
system.
 They usually come from the ranks of management.
- large IS project: senior managers
- medium IS project: middle managers
- smaller IS project: middle or supervisory
Primary Concerns
- how much will the systems cost?
- how much value or what benefits will the system return to the
business?
System Users
System users
– a “customer” who will use or is affected by an IS on a regular
basis
 Make up the vast majority of “customers”
 Primary concern: get the job done using an IS!
 Internal users
 Clerical and service workers, technical and professional staff,
supervisors, middle managers, and executive managers
 External users
 Internet EC constomers, suppliers, partners…
System Designers and System
Builders
System designer – a technical specialist who translates
system users’ business requirements and constraints into
technical solution.
 DBA, Network architects, web designer, security experts…
System builders – a technical specialist who constructs
information systems and components based on the design
specifications generated by the system designers.
 Programmers (applications, systems, and DB), network
administrators, web masters..
Systems Analysts
Systems analyst – a specialist who studies the problems
and needs of an organization to determine how people,
data, processes, and information technology can best
accomplish improvements for the business.
Roles:
− Bridge (facilitator) between management and technical
specialist: next slide
− Understand both business and computing
− Ultimately, a problem solver
The Systems Analyst as a
Facilitator
Where Do Systems Analysts Work?
May be permanently assigned to a team that
supports a specific business function
May also be pooled and temporarily assigned to
specific projects
 Figure on next slide
Where Do Systems Analysts Work?
Skills Needed by the Systems
Analyst
 Working knowledge of (existing and emerging) IT
 General business problem-solving skills
 Good interpersonal communication skills
 Good interpersonal relation skills
 Flexibility and adaptability
 Character and ethics
Other Stakeholders
External Service Provider (ESP) – a systems analyst, system designer, or
system builder who sells his/her expertise and experience to other
businesses to help those businesses purchase, develop, or integrate
their information systems solutions; may be affiliated with a consulting
or services organization.
• PwC, Accenture (previously Anderson Consulting – spun off from
Arthur Anderson consulting)
• Consultants, Contracted SA, SD, SB, programmers..
Project Manager – an experienced professional who accepts
responsibility for planning, monitoring, and controlling projects with
respect to schedule, budget, deliverables, customer satisfaction,
technical standards, and system quality.
• Usually senior analysts
Plan & Organize Domain:
IT Control Process 1
Establish Strategic Vision for Information
Technology
IS management should establish a process for
developing a strategic.
IS strategic planning effort must ensure support
of the organization’s strategic plan and that IT
is optimally deployed.
Plan must ensure that the organization is
prepared to anticipate competitors’ actions and
take advantage of emerging technology.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Plan & Organize Domain:
IT Control Process 2
Develop Tactics to Plan, Communicate, and
Manage Realization of the Strategic Vision
Manage IT resources with budgeting, controlling
expenditures and monitoring costs.
Establish direction and related policies
consistent with the control environment
established by senior management.
 Communicate policies.
 Personnel policies for IT.
Project-management framework.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
IT Control Process 1:
Organizational Controls
IT steering committee: coordinates the
organizational and IT strategic planning
processes and reviews and approves the
strategic IT plan.
Security officer: safeguards the IT organization
by (1) establishing employee passwords and
access to data and (2) making sure the IT
organization is secure from physical threats.
Organizational design principles and
segregation of duties.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Segregation of Duties within
the IT Department
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Acquire & Implement Domain
Identify, develop or acquire, and implement IT
solutions.
Must correctly determine the requirements for
a new information system and see that those
requirements are satisfied by the new system.
Systems development life cycle (SDLC): The
SDLC covers the progression of information
systems through the systems development
process, from birth, through implementation,
to ongoing use and modification.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
A Simple System Development
Process
System development process – a set of
activities, methods, best practices, deliverables,
and automated tools that stakeholders use to
develop and maintain information systems and
software.
See “IS Development” from the class website
Acquire & Implement Domain:
IT Process 3
Identify Automated Solutions
 SDLC must include procedures to:
 define information requirements
 formulate alternative courses of action
 perform feasibility studies
 assess risks
 Solutions should be consistent with the strategic IT
plan.
 May develop the IT solution in-house OR contract with
third parties for all or part of the development.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Acquire & Implement Domain:
IT Process 4
Develop and Acquire IT Solutions
Develop and acquire application software.
Acquire technology infrastructure.
Develop service level requirements and
application documentation which typically
includes the following:
 Systems and program documentation
 Operations run manual
 User manual
 Training materials
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Acquire & Implement Domain:
IT Process 5
Integrate IT Solutions Into Operational
Processes
Provide for a planned, tested, controlled, and
approved conversion to the new system.
After installation review to determine that the
new system has met users’ needs in a costeffective manner.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Acquire & Implement Domain:
IT Process 6
Manage Changes to Existing IT Systems
 Changes to the IT infrastructure must be managed via
change request, impact assessment, documentation,
authorization, release and distribution policies, and
procedures.
 Program change controls: provide assurance that all
modifications to programs are authorized, and that
changes are completed, tested, and properly
implemented.
 These controls very important with enterprise systems
due to the interdependence and complexity of the
business processes.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Program Change Controls
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Deliver & Support Domain:
IT Process 7
Deliver Required IT Services
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Deliver & Support Domain:
IT Process 8
Ensure Security and Continuous Service
To ensure computing resources are operational,
IT management must plan for increases in
required capacity or losses of usable resources.
To ensure that computing resources are
secured, management should establish a
process to account for all IT components.
Processes should be in place to identify, track,
and resolve problems in a timely manner.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Ensure Continuous Service
Business continuity planning (also known as
disaster recovery planning, contingency
planning, and business interruption planning): a
process that identifies events that may threaten
an organization and provides a framework to
ensure that the organization will continue to
operate when the threatened event occurs or will
resume operations with a minimum of disruption.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Continuity of IT Services
Backup: making a copy of data, programs, and
documentation.
Recovery: use the backup data to restore lost
data and resume operations.
Continuous Data Protection (CDP): all data
changes are date stamped and saved to
secondary systems as the changes are
happening.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Continuity of IT Services (cont’d)
Mirror site: the site that maintains copies of
the primary site’s programs and data.
Electronic vaulting: service whereby data
changes are automatically transmitted over the
Internet on a continuous basis to an off-site
server maintained by a third party.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Continuity of IT Services (cont’d)
Hot site: fully equipped data center that can
accommodate many businesses and that is
made available to client companies for a
monthly subscriber fee.
Cold site: facility usually comprised of airconditioned space with a raised floor,
telephone connections, and computer ports
into which a subscriber can move equipment.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Continuity of IT Services (cont’d)
Denial-of-service attack: a Web site is
overwhelmed by an intentional onslaught of
thousands of simultaneous messages, making it
impossible for the attacked site to engage in its
normal activities.
Distributed denial-of-service attack: uses
many computers (called zombies) that
unwittingly cooperate in a denial-of-service
attack by sending messages to the target Web
sites.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Distributed DoS
Distributed denial-of-service attack
(DDoS) – attacks from multiple computers
that flood a Web site with so many requests
for service that it slows down or crashes.
Distributed Denial-of-Service
Attack
Restricting Access to Computing
Resources – Layers of Protection
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Restricting Logical Access to Stored
Programs, Data, and Documentation
Access control software: ensures that (1) only
authorized users gain access to a system through
a process of identification (e.g., a unique account
number for each user) and authentication (e.g., a
password to verify that users are who they say
they are), (2) restricts authorized users to
specific data they require and sets the action
privileges for that data (e.g., read, copy, write
data), and (3) monitors access attempts and
violations.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Restricting Logical Access to Stored Programs,
Data, and Documentation (cont’d)
Intrusion-detection system (IDS): part of
access control software that logs and monitors
who is on or trying to access the network.
Intrusion-prevention system (IPS): actively
block unauthorized traffic using rules specified
by the organization.
Library controls: a combination of people,
procedures, and computer software that
restrict access to data, programs, and
documentation in an offline environment.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Restricting Logical Access to Stored Programs,
Data, and Documentation (cont’d)
Data encryption: process that employs
mathematical algorithms and encryption keys
to encode data so that it is unintelligible in its
encrypted form.
Public-key cryptography: employs a pair of
matched keys for each system user, one private
(i.e., known only to the party who possesses it)
and one public. The public key corresponds to
but is not the same as the user’s private key.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Computer Hacking and Cracking
Computer hacking and cracking: intentional,
unauthorized access to an organization’s
computer system, accomplished by bypassing
the system’s access security controls.
Hacker: someone who simply gets a kick out of
breaking into a computer system but does not
hold malicious intentions to destroy or steal.
Cracker: term used when a hacker’s motive is
crime, theft, or destruction.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Hacking techniques
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Physical Protection of IT Assets
Preventive maintenance: periodic cleaning,
testing, and adjusting of computer equipment to
ensure their equipment’s continued efficient and
correct operation.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Deliver & Support Domain:
IT Process 9
Provide Support Services
Identify training needs of all personnel internal and external.
Conduct timely training sessions.
Help desk: provides advice and assistance to
users to help them overcome problems
encountered in using IT resources so that they
can effectively use those resources.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Monitor & Evaluate Domain:
IT Process 10
Monitor and Evaluate the Processes
Establish a system for defining performance
indicators (service levels).
Gather data about processes and generate
performance reports.
Measure progress toward identified goals.
Obtain outside confirmation based on
independent review.
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.
Trust Services Principles
and Criteria
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license
distributed with a certain product or service or otherwise on a password-protected website for classroom use.