Chapter 10-1

Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Chapter 10-2

Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Introduction

Enterprise Level Controls

General Controls for Information Technology

Application Controls for Transaction Processing


Chapter 10-3

Enterprise Level Controls

Consistent policies and procedures

Management’s risk assessment process

Centralized processing and controls

Controls to monitor results of operations


Chapter 10-4

Enterprise Level Controls

Controls to monitor the internal audit function, the audit committee, and self-assessment programs

Period-end financial reporting process

Board-approved policies that address significant business control and risk management practices


Chapter 10-5

Risk Assessment and Security Policies


Chapter 10-6

Integrated Security for the Organization

Physical Security – Measures used to protect facilities, resources, or proprietary data stored on physical media
Logical Security – Limits access to systems and information to authorized individuals
Administrative – Policies, procedures, standards, and guidelines


Chapter 10-7

Physical and Logical Security


Chapter 10-8

General Controls for Information Technology

Access to Data, Hardware, and Software

Protection of Systems and Data with Personnel Policies

Protection of Systems and Data with Technology and Facilities


Chapter 10-9

General Controls for Information Technology

IT general controls apply to all information systems

Major Objectives
  Access to programs and data is limited to authorized users
  Data and systems are protected from change, theft, and loss
  Computer programs are authorized, tested, and approved before use


Chapter 10-10

Access to Data, Hardware, and Software

Utilization of strong passwords
  8 or more characters in length, or longer
  Different types of characters: letters, numbers, symbols
Biometric identification
  Distinctive user physical characteristics: voice patterns, fingerprints, facial patterns, retina prints


Chapter 10-11

Security for Wireless Technology

Utilization of wireless local area networks
Virtual Private Network (VPN)
  Allows remote access to entity resources
Data Encryption
  Data converted into a scrambled format
  Converted back to a meaningful format following transmission


Chapter 10-12

Controls for Networks

Control Problems
  Electronic eavesdropping
  Hardware or software malfunctions
  Errors in data transmission
Control Procedures
  Checkpoint control procedure
  Routing verification procedures
  Message acknowledgment procedures


Chapter 10-13

Controls for Personal Computers

Take an inventory of personal computers

Identify applications utilized by each personal computer

Classify computers according to risks and exposures

Enhance physical security


Chapter 10-14

Additional Controls for Laptops


Chapter 10-15

Personnel Policies

Separation of Duties
  Separate Accounting and Information Processing from Other Subsystems
  Separate Responsibilities within the IT Environment
Use of Computer Accounts
  Each employee has a password-protected account
  Biometric identification


Chapter 10-16

Separation of Duties


Chapter 10-17

Division of Responsibility in IT Environment


Chapter 10-18

Division of Responsibility in IT Environment


Chapter 10-19

Personnel Policies

Identifying Suspicious Behavior
  Protect against fraudulent employee actions
  Observation of suspicious behavior
  Highest percentage of fraud involved employees in the accounting department
  Must safeguard files from intentional and unintentional errors


Chapter 10-20

Safeguarding Computer Files


Chapter 10-21

File Security Controls


Chapter 10-22

Business Continuity Planning

Definition
  Comprehensive approach to ensuring normal operations despite interruptions
Components
  Disaster Recovery
  Fault Tolerant Systems
  Backup


Chapter 10-23

Disaster Recovery

Definition
  Process and procedures following a disruptive event
Summary of Types of Sites
  Hot Site
  Flying-Start Site
  Cold Site


Chapter 10-24

Fault Tolerant Systems

Definition
  Used to deal with computer errors
  Ensure a functional system with accurate and complete data (redundancy)
Major Approaches
  Consensus-based protocols
  Watchdog processor
  Utilize disk mirroring or rollback processing


Chapter 10-25

Backup

Batch processing
  Risk of losing data before, during, and after processing
  Grandfather-parent-child procedure
Types of Backups
  Hot backup
  Cold backup
  Electronic vaulting
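The grandfather-parent-child procedure named on this slide is easiest to see in code. The following is an added example, not part of the slides or of any textbook: it keeps the three most recent generations of a batch-updated master file together with the transaction file that produced each, and shows how a lost generation (the child, or the parent) is rebuilt by re-posting its transaction file against the next older generation. The opening balances, the batches and the three-generation retention count are constructed assumptions.

```python
"""Added example (not from the slides): the grandfather-parent-child backup procedure
for a batch-updated master file, with recovery of a lost generation from the previous
generation plus the transaction file that produced it. The account balances and
batches are constructed for the illustration."""


def post_transactions(master, transactions):
    """Batch update: post each (account, change) to a copy of the master file.
    The input master is left untouched, so it can serve as the next generation's parent."""
    updated = dict(master)
    for account, change in transactions:
        updated[account] = updated.get(account, 0) + change
    return updated


class GenerationStore:
    """Retains the three most recent master-file generations, newest first
    (child, parent, grandfather), each paired with the transaction file that
    produced it. Any retained generation can be rebuilt from the one before it."""

    KEEP = 3  # assumed retention depth: child, parent, grandfather

    def __init__(self, initial_master):
        self.generations = [(dict(initial_master), [])]

    def run_batch(self, transactions):
        child = post_transactions(self.generations[0][0], transactions)
        self.generations.insert(0, (child, list(transactions)))
        # The oldest generation falls off once three are held; its media is reused.
        del self.generations[self.KEEP:]

    @property
    def child(self):
        return self.generations[0][0]

    def rebuild_generation(self, index=0):
        """Recover generation `index` (0 = child) as if its file were lost: re-post
        its transaction file against the next older generation."""
        if index + 1 >= len(self.generations):
            raise ValueError("no older generation retained to rebuild from")
        _, transactions = self.generations[index]
        older_master, _ = self.generations[index + 1]
        return post_transactions(older_master, transactions)


def run_sample():
    """Three batch runs against a constructed opening master file."""
    store = GenerationStore({"A": 100, "B": 50})
    store.run_batch([("A", -30), ("C", 20)])
    store.run_batch([("B", 25)])
    store.run_batch([("A", 5), ("C", -20)])
    return store


if __name__ == "__main__":
    store = run_sample()
    print("child:", store.child)
    print("rebuilt child from parent:", store.rebuild_generation(0))
    print("rebuilt parent from grandfather:", store.rebuild_generation(1))
```

The point the slide makes about losing data before, during and after processing is why the transaction file is retained alongside each generation: without it the parent alone cannot reproduce the child, and without the parent the transaction file alone has nothing to post against.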


Chapter 10-26

Computer Facility Controls

Locate Data Processing Centers in Safe Places
  Protect from the public
  Protect from natural disasters (flood, earthquake)
Limit Employee Access
  Security badges (color-coded with pictures)
  Man trap
Buy Insurance


Chapter 10-27

Study Break #1

A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.

A. Firewall
B. Security policy
C. Risk assessment
D. VPN


Chapter 10-28

Study Break #3

Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.

A. Redundancy
B. COBIT
C. COSO
D. Integrated security


Chapter 10-29

Application Controls for Transaction Processing

Purpose
  Embedded in business process applications
  Prevent, detect, and correct errors and irregularities
Application Controls
  Input Controls
  Processing Controls
  Output Controls


Chapter 10-30

Application Controls for Transaction Processing


Chapter 10-31

Input Controls

Purpose
  Ensure validity
  Ensure accuracy
  Ensure completeness
Categories
  Observation, recording, and transcription of data
  Edit tests
  Additional input controls


Chapter 10-32

Observation, Recording, and Transcription of Data

Confirmation mechanism

Dual observation

Point-of-sale devices (POS)

Preprinted recording forms


Chapter 10-33

Preprinted Recording Form


Chapter 10-34

Edit Tests

Input Validation Routines (Edit Programs)
  Programs or subroutines
  Check validity and accuracy of input data
Edit Tests
  Examine selected fields of input data
  Reject data not meeting preestablished standards of quality


Chapter 10-35

Edit Tests


Chapter 10-36

Edit Tests


Chapter 10-37

Additional Input Controls

Validity Test
  Transactions matched with master data files
  Transactions lacking a match are rejected
Check-Digit Control Procedure
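The edit tests of the preceding slides, the validity test against a master file and the check-digit procedure all belong in one input-validation routine, so the following added example (written for this page, not taken from the slides) puts them together and runs them over a constructed batch of six sales records, each built to trip a different test. The slides do not say which check-digit scheme is used; the example assumes a six-digit customer number followed by a mod-10 (Luhn) check digit, and the master file, credit limits, field names and batch date are likewise assumptions.

```python
"""Added example (not from the slides): an input-validation routine, or edit program,
run over a constructed batch of sales transactions. The customer-number layout
(six digits plus a mod-10 / Luhn check digit), the master file and the batch are
all assumptions made for the illustration."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data file: customer number -> credit limit.
MASTER_CUSTOMERS = {
    "4001236": Decimal("5000.00"),
    "5127709": Decimal("250.00"),
    "3000452": Decimal("10000.00"),
}
REQUIRED_FIELDS = ("txn_id", "customer_no", "amount", "txn_date")

# Constructed input batch; each record exercises one edit test.
SAMPLE_BATCH = [
    {"txn_id": "T1", "customer_no": "4001236", "amount": "125.40", "txn_date": "2024-03-04"},  # clean
    {"txn_id": "T2", "customer_no": "4001263", "amount": "80.00", "txn_date": "2024-03-04"},   # transposed digits
    {"txn_id": "T3", "customer_no": "1000009", "amount": "80.00", "txn_date": "2024-03-04"},   # check digit ok, no master match
    {"txn_id": "T4", "customer_no": "5127709", "amount": "-15.00", "txn_date": "2024-03-04"},  # wrong sign
    {"txn_id": "T5", "customer_no": "3000452", "amount": "twelve", "txn_date": "2024-13-01"},  # non-numeric, bad date
    {"txn_id": "T6", "customer_no": "5127709", "amount": "900.00", "txn_date": "2024-03-04"},  # over credit limit
]


def luhn_valid(number: str) -> bool:
    """Check-digit test (assumed mod-10 / Luhn scheme): doubling every second digit
    from the right, the digit sum must be divisible by 10. A single miskeyed digit
    or an adjacent transposition changes the sum, so the record is rejected."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(txn: dict, batch_date: date) -> list:
    """Apply the edit tests to one record; returns the reasons it fails (empty list = accept)."""
    reasons = []
    # Completeness test: every required field present and non-blank.
    missing = [f for f in REQUIRED_FIELDS if not str(txn.get(f, "")).strip()]
    if missing:
        return ["missing field(s): " + ", ".join(missing)]
    cust = txn["customer_no"]
    if not luhn_valid(cust):
        reasons.append("customer number fails check digit")
    elif cust not in MASTER_CUSTOMERS:
        # Validity test: the transaction must match a master-file record.
        reasons.append("customer not on master file")
    # Numeric-field and sign tests on the amount.
    try:
        amount = Decimal(txn["amount"])
    except InvalidOperation:
        amount = None
        reasons.append("amount is not numeric")
    if amount is not None:
        if amount <= 0:
            reasons.append("amount must be positive")
        elif cust in MASTER_CUSTOMERS and amount > MASTER_CUSTOMERS[cust]:
            # Reasonableness (limit) test against the master file.
            reasons.append("amount exceeds credit limit")
    # Date test: a real calendar date that is not after the batch date.
    try:
        if date.fromisoformat(txn["txn_date"]) > batch_date:
            reasons.append("transaction date is in the future")
    except ValueError:
        reasons.append("transaction date is not a valid date")
    return reasons


def validate_batch(batch: list, batch_date: date):
    """Split a batch into accepted records and (txn_id, reasons) rejections."""
    accepted, rejected = [], []
    for txn in batch:
        reasons = edit_tests(txn, batch_date)
        if reasons:
            rejected.append((txn.get("txn_id", "?"), reasons))
        else:
            accepted.append(txn)
    return accepted, rejected


def run_sample():
    """Validate the constructed batch as of the constructed batch date 2024-03-05."""
    return validate_batch(SAMPLE_BATCH, date(2024, 3, 5))


if __name__ == "__main__":
    accepted, rejected = run_sample()
    print("accepted:", [t["txn_id"] for t in accepted])
    for txn_id, reasons in rejected:
        print("rejected", txn_id, "->", "; ".join(reasons))
```

Record T2 shows why the check digit sits before the validity test: the transposed number fails the arithmetic without a master-file lookup, while T3 carries a well-formed number that simply does not exist on the master file, which only the validity test can catch. Rejections are collected per record rather than stopping at the first failure, so the data-entry clerk gets every reason at once.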


Chapter 10-38

Processing Controls

Purpose
  Focus on manipulation of accounting data
  Contribute to a good audit trail
Two Types
  Control totals
  Data manipulation controls


Chapter 10-39

Audit Trail


Chapter 10-40

Control Totals

Common Processing Control Procedures
  Batch control total
  Financial control total
  Nonfinancial control total
  Record count
  Hash total
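The control totals listed here are only useful when they are taken at input and reconciled again after processing, so the following added example (written for this page, not from the slides) computes a financial total, a nonfinancial total, a record count and a hash total over a constructed four-record batch, then reconciles them against two constructed processing faults: a record dropped in processing, and a customer number miskeyed by transposing two digits. The batch contents and the choice of customer number as the hash-total field are assumptions.

```python
"""Added example (not from the slides): computing batch control totals at input and
reconciling them after processing. The four-record batch and the two processing
faults are constructed for the illustration."""
from collections import namedtuple
from decimal import Decimal

# Each record: customer number (identifier), quantity (nonfinancial), amount (financial).
Record = namedtuple("Record", "customer_no quantity amount")

SAMPLE_BATCH = [
    Record("4001236", 3, Decimal("125.40")),
    Record("5127709", 1, Decimal("80.00")),
    Record("3000452", 10, Decimal("1500.00")),
    Record("5127709", 2, Decimal("44.10")),
]


def control_totals(records):
    """Batch control totals taken over a list of records.
    The hash total sums a field (customer number) whose sum has no business
    meaning; it exists only so that a miskeyed or substituted identifier is detected."""
    return {
        "record_count": len(records),
        "financial_total": sum((r.amount for r in records), Decimal("0")),
        "nonfinancial_total": sum(r.quantity for r in records),
        "hash_total": sum(int(r.customer_no) for r in records),
    }


def reconcile(expected, actual):
    """Return the names of the control totals that disagree; an empty list means the
    batch came through processing intact (same count, same values, same identifiers)."""
    return sorted(name for name in expected if expected[name] != actual[name])


# Two constructed processing faults, each standing for something that can go wrong
# between input and output.
def drop_last_record(records):
    return records[:-1]


def miskey_first_customer(records):
    first = records[0]._replace(customer_no="4001263")  # adjacent digits transposed
    return [first] + records[1:]


def run_sample():
    """Reconcile the intact batch and both faulty versions against the input totals."""
    expected = control_totals(SAMPLE_BATCH)
    return {
        "intact": reconcile(expected, control_totals(SAMPLE_BATCH)),
        "dropped": reconcile(expected, control_totals(drop_last_record(SAMPLE_BATCH))),
        "miskeyed": reconcile(expected, control_totals(miskey_first_customer(SAMPLE_BATCH))),
    }


if __name__ == "__main__":
    print(control_totals(SAMPLE_BATCH))
    for case, diffs in run_sample().items():
        print(f"{case}: {'OK' if not diffs else 'MISMATCH in ' + ', '.join(diffs)}")
```

The two faults show why all four totals are kept rather than just the financial one: a dropped record disturbs every total, but the miskeyed customer number leaves the record count, the quantity total and the amount total unchanged and is caught only by the hash total.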


Chapter 10-41

Data Manipulation Controls

Data Processing
  Following validation of input data
  Data manipulated to produce decision-useful information
Processing Control Procedures
  Software documentation
  Error-testing compiler
  Utilization of test data


Chapter 10-42

Output Controls

Purpose
  Ensure validity
  Ensure accuracy
  Ensure completeness
Major Types
  Validating Processing Results
  Regulating Distribution and Use of Printed Output


Chapter 10-43

Output Controls

Validating Processing Results
  Preparation of activity listings
  Provide detailed listings of changes to master files
Regulating Distribution and Use of Printed Output
  Forms control
  Pre-numbered forms
  Authorized distribution list


Chapter 10-44

Study Break #5

Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.

A. Specific
B. General
C. Application
D. Input


Chapter 10-45

Triangles of Information Security

Why We Do It (Fraud)
How We Prevent It


Chapter 10-46

Fraud Triangle


Chapter 10-47

CIA Triangle