CHAPTER I

INTRODUCTION

1.1 Definition of Computer Based Information Systems

An information system can be defined technically as a set of interrelated
components that collect, process, store, and distribute information to support
decision making, coordination, and control in an organization. Information
systems contain information about significant people, places, and things within
the organization or in the environment surrounding it. Three activities in an
information system produce the information that organizations need to make
decisions, control operations, analyze problems, and create new products or
services. These activities are input, processing, and output. Input is the
capture or collection of raw data from within the organization or from its
external environment for processing in an information system. Processing is the
conversion, manipulation, and analysis of raw input into a form that is more
meaningful to humans. Output is the distribution of processed information to the
people who will use it or to the activities for which it will be used.
Information systems also require feedback, which is output that is returned to
the appropriate members of the organization to help them evaluate or correct
input.

Functions of an information system. An information system contains information about an organization and its surrounding
environment.

Information systems can be categorized into two types: manual and automated,
the latter also known as Computer-Based Information Systems (CBIS). Before CBIS
were used, all data handling was done manually: all the information was written
down and stored in different files. This is sometimes called a non-computerized
system. A non-computerized system is not efficient because it takes a lot of
time to find and modify the information. To eliminate this problem, a new kind
of system was created, known as a computerized system or CBIS.

Computer-Based Information Systems means that the computer plays an important
role in an information system. In theory, an information system does not have
to use computers in its activities. In practice, however, a very complex
information system cannot run well without a computer. The computer-based
information system is developed by people and for people. Computer users are
the people who will use the computer system. The developers are the people who
will develop the system on the basis of requirements.

Based on the statements above, we can conclude that a Computer-Based
Information System is a data processing system that processes data into
high-quality information and is used as a decision-making tool.
A Computer-Based Information System (CBIS) is a single set of hardware,
software, databases, telecommunications, people, and procedures that are
configured to collect, manipulate, store, and process data into information
(Principles of Information Systems by Ralph M. Stair, George Reynolds, George
W. Reynolds).

Components of Computer-Based Information Systems (CBIS):

1. Hardware
The term hardware refers to machinery. This category includes the computer
itself, which is often referred to as the central processing unit (CPU), and all
of its support equipment. The support equipment includes input and output
devices, storage devices, and communications devices.

2. Software
The term software refers to computer programs and the manuals (if any) that
support them. Computer programs are machine-readable instructions that
direct the circuitry within the hardware parts of the CBIS to function in ways
that produce useful information from data. Programs are generally stored on
some input/output medium, often a disk or tape.

3. People
Every CBIS needs people if it is to be useful. People are often the most
overlooked element of the CBIS, yet they are probably the component that most
influences the success or failure of an information system.

4. Data
Data are facts that are used by programs to produce useful information. Like
programs, data are generally stored in machine-readable form on disk or tape
until the computer needs them.

5. Procedures
Procedures are the policies that govern the operation of a computer system.
"Procedures are to people what software is to hardware" is a common analogy
that is used to illustrate the role of procedures in a CBIS.

6. Telecommunication
Telecommunication is the transmission of messages over significant distances
for the purpose of communication.

1.2 An Overview of Controlling Computer-Based Accounting Information Systems

Information technology can represent a source of increased control, or a
source of risk. Recently, researchers have investigated the relationship between
computerization of accounting systems and the incidence and size of audit
differences. The study reported that incorrect manual computations, improper
recording of transactions, incorrect application and internal controls, and
inadequate internal controls are more likely to be sources of problems when
information systems are computerized. Most frequently, the errors are associated
with data entry errors, while general controls are not a common cause of
misstatements. Problems with technology development are also a frequent source
of misstatements. In terms of magnitude, problems with personnel, program
changes and exception reports result in the largest misstatements.

A number of features of computer-based accounting information systems
lead to concerns. In some cases, the very same features of computer-based
systems that make them so valuable to enterprises can, if not adequately
controlled, lead to significant problems.

The goal of most computer-based systems is the progressive automation of
as many activities as possible, particularly mundane, tedious or complicated
transaction processing functions. A problem with system-generated transactions is
that the transaction initiation and approval process becomes relatively invisible
once it becomes embedded within programmed instructions residing within the
computer system. In such a case, it is possible for users to lose control over
transaction processing activities, to lose touch with the transaction processing
system, and, as a result, increasingly abdicate the responsibility for transaction
processing completeness, accuracy and authorization.

Computer-based accounting systems are capable of executing accounting
procedures and exercising accounting controls automatically. This can be a great
boon to the enterprise. However, since accounting programs often replace
accounting clerks, if those programs are not at least as good as the clerks were, if
the procedures are not designed and programmed to be sound, or if the control
procedures are not properly implemented, then it is possible for there to be no one
in the organization actually carrying out these procedures.

From a different perspective, once computer systems begin to exercise
programmed accounting procedures and controls, there is a natural tendency, after
some period of testing, to assume that things are being properly taken care of by
the computer system. This can lead users to take a relatively lax attitude to
verifying computer processing results and otherwise monitoring the programmed
procedures. This can lead to inadequate handling of error conditions, poor
business practices going unchecked, incorrect accounting procedures being
tolerated for extended periods of time, etc.

For the reasons above, controls over Computer-Based Accounting Information
Systems (CBAIS) are needed, so that the problems that can occur in
Computer-Based Information Systems (CBIS) environments can be avoided. The next
chapter therefore discusses how to control the Computer-Based Information
Systems environment.

In this paper, we explain how to control computer-based information systems
based on the books by James Hall and Romney. According to James Hall, there are
two main types of controls for eliminating computer fraud: General Controls and
Application Controls. General controls consist of many parts, which are
explained later in this paper:

1. Operating system controls
2. Data management controls
3. Organizational structure controls
4. Systems development controls
5. Systems maintenance controls
6. Computer center security and controls
7. Internet and Intranet controls
8. Electronic Data Interchange controls
9. Personal Computer controls

Application controls focus only on specific areas, such as payroll and
accounts receivable.

Based on Romney, we will explain the Control Objectives for Information and
Related Technology (COBIT) framework developed by the Information Systems Audit
and Control Foundation (ISACF), and also the Committee of Sponsoring
Organizations (COSO), which is a private sector group consisting of the
American Accounting Association, the AICPA, the Institute of Internal Auditors,
the Institute of Management Accountants, and the Financial Executives
Institute.

CHAPTER II

THEORY

2.1 GENERAL CONTROL FRAMEWORK FOR CBAIS EXPOSURES

In CBAIS (Computer-Based Accounting Information Systems), there are two main
types of controls for eliminating computer fraud: General Controls and
Application Controls. General Controls apply to a wide range of exposures that
systematically threaten the integrity of all applications processed within the
CBAIS environment. General controls consist of many parts, which are explained
in the sections that follow:

1. Operating system controls
2. Data management controls
3. Organizational structure controls
4. Systems development controls
5. Systems maintenance controls
6. Computer center security and controls
7. Internet and Intranet controls
8. Electronic Data Interchange controls
9. Personal Computer controls

Application controls focus only on specific areas, such as payroll and
accounts receivable. Before the detailed explanation of general and application
controls begins, it is useful to know this framework first:

Figure 2.1 Frameworks for Viewing CBAIS Exposures

OPERATING SYSTEMS CONTROLS

The operating system is the computer’s control program that allows users
and their applications to share and access common computer resources, such as
processors, main memory, databases, and printers. As more computer resources
are shared by an ever-expanding user community, operating system security
becomes an important control issue. In addition, as accountants, we need to
recognize the operating system’s role in the overall control picture to
properly assess the risks that threaten the accounting system.

According to James Hall, the operating system performs three main tasks.
First, it translates high-level languages, such as COBOL, FORTRAN, BASIC,
and SQL, into the machine-level language that the computer can execute. Second,
the operating system allocates computer resources to users, workgroups, and
applications. This includes assigning memory work space (partitions) to
applications and authorizing access to terminals, telecommunications links,
databases, and printers. Third, the operating system manages the tasks of job
scheduling and multiprogramming. At any point in time, numerous user
applications (jobs) are seeking access to the computer resources under the
control of the operating system. Jobs are submitted to the system in three ways:

1. Directly by the systems operator
2. From various batch-job queues
3. Through telecommunications links from remote workstations

To achieve efficient and effective use of finite computer resources, the
operating system must schedule job processing according to established priorities
and balance the use of resources among the competing applications.

To perform these tasks consistently and reliably, the operating system
must achieve five fundamental control objectives [1]:

1. The operating system must protect itself from users. User
applications must not be able to gain control of, or damage in any way, the
operating system, thus causing it to cease running or destroy data.
2. The operating system must protect users from each other. One user
must not be able to access, destroy, or corrupt the data or programs of another
user.
3. The operating system must protect users from themselves. A
user’s application may consist of several modules stored in separate memory
locations, each with its own data. One module must not be allowed to destroy
or corrupt another module.
4. The operating system must be protected from itself. The operating
system is also made up of individual modules. No module should be allowed
to destroy or corrupt another module.
5. The operating system must be protected from its environment. In
the event of a power failure or other disaster, the operating system should be
able to achieve a controlled termination of activities from which it can later
recover.

[1] F.M. Stepczyk, “Requirements for Secure Operating Systems,” Data
Security and Data Processing, Vol. 5; Study Result: TRW Systems, Inc.
(New York: IBM Corporation, 1974): 25-73

Operating Systems Security

Operating system security is concerned with who can access the operating
system, which computer resources (such as files, programs, and printers) they
can access, and what they can do. Several key components of operating system
security, based on James Hall, are described below:

a. Log-On Procedure
The log-on procedure is the operating system’s first line of defense against
unauthorized access; it uses user IDs and passwords. You should be
familiar with user IDs and passwords.

b. Access Token
After log-on, the operating system creates an access token containing
information that is used internally to approve actions.

c. Access Control List
Access control is a system which enables an authority to control access to areas
and resources in a given physical facility or computer-based information
system. An access control system, within the field of physical security, is
generally seen as the second layer in the security of a physical structure.
Access to system resources such as directories, files, programs, and printers is
controlled by an access control list assigned to each resource. These lists
contain information that defines the access privileges for valid users of the
resource.

d. Discretionary Access Control
In computer security, discretionary access control (DAC) is a kind of access
control that restricts access to objects based on the identity of subjects
and/or the groups to which they belong. The controls are discretionary in the
sense that a subject with a certain access permission is capable of passing that
permission (perhaps indirectly) on to any other subject (unless restrained by
mandatory access control). Resource owners in this setting may be granted
discretionary access control, which gives users in distributed systems specific
powers.

Threats in Operating Systems Control

This section is very important, because the operating system control
objectives are sometimes not achieved because of flaws in the operating system
that leave it open to threats. The operating system is threatened by both
accident and intent. Accidental threats include hardware failures that cause
the operating system to crash. Operating system failures are also caused by
errors in user application programs that the operating system cannot interpret.

Intentional threats to the operating system are most commonly attempts to
illegally access data or violate user privacy for financial gain. They also
include intentionally destructive programs. James Hall mentions that these
exposures come from three sources:

1. Privileged personnel who abuse their authority. Systems administrators and
systems programmers require unlimited access to the operating system to
perform maintenance and to recover from system failures. Such individuals
may use this authority to access users’ programs and data files.
2. Individuals, both internal and external to the organization, who browse the
operating system to identify and exploit security flaws.
3. An individual who intentionally (or accidentally) inserts a computer virus or
other form of destructive program in the operating system.

Operating System Control Techniques

This section describes a variety of control techniques for preserving
operating system integrity. They are:

1. Controlling access privileges
User access privileges are assigned to individuals and to entire workgroups
authorized to use the system. Privileges determine which directories, files,
applications, and other resources an individual or group may access.
Overall system security is influenced by the way access privileges are
assigned. Privileges should, therefore, be carefully administered and closely
monitored for compliance with organizational policy and principles of internal
control.

2. Password controls
A password is a secret word or string of characters that is used for
authentication, to prove identity or gain access to a resource (example: an
access code is a type of password).

There are many methods of password control. The most common method is the
reusable password. The user defines the password to the system once and then
reuses it to gain future access. The quality of the security provided by a
reusable password depends on the quality of the password itself. To improve
access control, management should require that passwords be changed regularly
and disallow “weak” passwords. An alternative to the standard reusable password
is the one-time password. The one-time password was designed to overcome the
problems just discussed. Under this approach, the user’s password changes
continuously. To access the network, the user enters the PIN followed by the
current password displayed on the card.

3. Controlling malicious and destructive programs
In the popular press, the word “virus” is used broadly to describe many types
of nasty software, including worms, Trojan horses, logic bombs, etc.
Computer viruses are a fact of life, and they can cause losses. The losses are
measured in terms of data corruption and destruction, degraded computer
performance, hardware destruction, violations of privacy, and the personnel
time devoted to repairing the damage. Malicious and destructive programs are
responsible for millions of dollars of corporate losses annually.

Threats from destructive programs can be substantially reduced through a
combination of technology controls and administrative procedures. For
example, a company can reduce the virus threat by using antiviral software,
which examines application and operating system programs for the presence of a
virus and removes it from the affected program.

4. System audit trail controls
Audit trails are logs that record activity at the system, application, and user
level. Operating systems allow management to select the level of auditing to
be recorded in the log. Based on James Hall, audit trails typically consist of
two types of audit logs:

a. Keystroke Monitoring
Keystroke monitoring is the computer equivalent of a telephone wiretap.
Keystroke monitoring involves recording both the user’s keystrokes and the
system’s responses. This form of log may be used after the fact to
reconstruct the details of an event or as a real-time control to prevent
unauthorized intrusion.

b. Event Monitoring
Event monitoring summarizes key activities related to system resources.
Event logs typically record the IDs of all users accessing the
system, the time and duration of a user’s session, programs that were
executed during the session, and the files, databases, printers, and other
resources accessed.

5. Audit trail objectives
Audit trails can be used to support security objectives. The objectives of the
audit trail can be explained in three ways:

a. Detecting Unauthorized Access
Detecting unauthorized access can occur in real time. Real-time detection
lets a company protect its systems from outsiders who are attempting to
breach system controls. A real-time audit trail can also be used to report
on changes in system performance that may indicate infestation by a virus
or worm.

b. Reconstructing Events
Audit trail analysis can be used to reconstruct the steps that led to events
such as system failures or security violations by individuals. Knowledge
of the conditions that existed at the time of a system failure can be used to
assign responsibility and to avoid similar situations.

c. Personal Accountability
An audit log can serve as a detective control to assign personal
accountability for actions taken, such as abuse of authority. For example,
consider an accounts receivable clerk with authority to access customer
records.

6. Implementing the audit trail
Important information can easily get lost among the superfluous details of
daily operation. The information contained in audit logs is useful to
accountants in measuring the potential damage and financial loss associated
with application errors, abuse of authority, or unauthorized access by outside
intruders. Poorly designed logs, however, can actually be dysfunctional. For
this reason, protecting against exposures with the potential for material
financial loss should drive management’s decision as to which users,
applications, or operations to monitor, and how much detail to log. As with
all controls, the benefits of audit logs must be balanced against the costs of
implementing them.

7. Fault tolerance controls
James Hall mentions that fault tolerance is the ability of the system to
continue operation when part of the system fails due to hardware failure,
application program error, or operator error. Implementing fault tolerance
controls ensures that there is no single point of potential system failure.
Total failure can occur only in the event of the failure of multiple components.

Various levels of fault tolerance can be achieved by implementing redundant
system components. These include [2]:

- Redundant arrays of independent disks (RAID)
There are several types of RAID configuration. Essentially, each method
involves the use of parallel disks that contain redundant elements of data
and applications. If one disk fails, the lost data are automatically
reconstructed from the redundant components stored on the other disks.

- Uninterruptible power supplies
In the event of a power supply failure, short-term backup power is provided
to allow the system to shut down in a controlled manner. This will
prevent data loss and corruption that would otherwise result from an
uncontrolled system crash.

- Multiprocessing
The simultaneous use of two or more processors improves throughput
under normal operation. During a processor failure, the redundant
processors balance the workload and provide complete backup.
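
The event-monitoring audit trail and its objectives described in items 4 to 6 above can be illustrated with a short script. This is an added example, not code from the paper or from James Hall's text: it reads constructed event-log records, flags repeated failed log-ons (detecting unauthorized access) and access to resources outside a user's privileges, and attributes each finding to a user ID (personal accountability). The log format, user IDs, resource names, privilege table, and threshold are all assumptions.

```python
"""Added example: reviewing an event-monitoring audit trail (constructed data)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log: timestamp, user ID, event type, resource, outcome.
SAMPLE_LOG = """\
2024-03-04T08:59:10,jlee,LOGON,terminal-07,OK
2024-03-04T09:02:31,jlee,ACCESS,ar_customer_records,OK
2024-03-04T09:15:02,mdiaz,LOGON,terminal-03,OK
2024-03-04T09:16:40,mdiaz,ACCESS,payroll_master,OK
2024-03-04T22:41:05,rkhan,LOGON,remote-link-1,FAIL
2024-03-04T22:41:19,rkhan,LOGON,remote-link-1,FAIL
2024-03-04T22:41:33,rkhan,LOGON,remote-link-1,FAIL
2024-03-04T22:42:02,rkhan,LOGON,remote-link-1,OK
2024-03-04T22:43:10,rkhan,ACCESS,payroll_master,DENIED
2024-03-05T10:05:00,jlee,ACCESS,payroll_master,OK
this line is malformed
"""

# Assumed access privileges per user ID (hypothetical names).
PRIVILEGES = {
    "jlee": {"ar_customer_records"},   # accounts receivable clerk
    "mdiaz": {"payroll_master"},
    "rkhan": {"gl_journal"},
}


def parse_events(text):
    """Parse log lines into dicts, skipping malformed records instead of failing."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        stamp, user, kind, resource, outcome = (field.strip() for field in row)
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue
        events.append({"when": when, "user": user, "kind": kind,
                       "resource": resource, "outcome": outcome})
    return sorted(events, key=lambda e: e["when"])


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: time} for users reaching `threshold` failed log-ons in `window`."""
    recent = defaultdict(list)   # user -> times of recent consecutive failures
    flagged = {}
    for event in events:
        if event["kind"] != "LOGON":
            continue
        times = recent[event["user"]]
        if event["outcome"] == "OK":
            times.clear()        # a successful log-on resets the count
            continue
        times.append(event["when"])
        while event["when"] - times[0] > window:
            times.pop(0)         # forget failures older than the window
        if len(times) >= threshold:
            flagged.setdefault(event["user"], event["when"])
    return flagged


def out_of_privilege_access(events, privileges):
    """List accesses (allowed or denied) to resources outside the user's privileges."""
    findings = []
    for event in events:
        if event["kind"] != "ACCESS":
            continue
        allowed = privileges.get(event["user"], set())   # unknown user: nothing allowed
        if event["resource"] not in allowed:
            findings.append((event["when"], event["user"],
                             event["resource"], event["outcome"]))
    return findings


def accountability_report(events, privileges):
    """Attribute every finding to a user ID (personal accountability)."""
    report = defaultdict(list)
    for user, when in failed_logon_bursts(events).items():
        report[user].append(f"{when.isoformat()} repeated failed log-ons")
    for when, user, resource, outcome in out_of_privilege_access(events, privileges):
        report[user].append(
            f"{when.isoformat()} {resource} outside privileges ({outcome})")
    return dict(report)


if __name__ == "__main__":
    for user, items in accountability_report(parse_events(SAMPLE_LOG), PRIVILEGES).items():
        for item in items:
            print(user, item)
```

An access that succeeded although it lies outside the privilege table (the last `jlee` record) points at a misassigned privilege rather than an intrusion, which is why the outcome is kept in the finding.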

DATA MANAGEMENT CONTROLS

Organizations store data because it has value and will be useful in the
future. These reasons for storing data create some concerns. If it has value, it
should not be available to just anyone. The access should be controlled. If it will
be useful or needed in the future, it must be available and backups must be
assured. Controls over data management fall into two general categories: access
controls and backup controls.

[2] James A. Hall, Accounting Information Systems, 4th edition, Thomson
South-Western, 2004

1. Access Controls
Access control is a system which enables an authority to control access to
areas and resources in a given physical facility or computer-based information
system. An access control system, within the field of physical security, is
generally seen as the second layer in the security of a physical structure.
Because of the “shared” nature of database management systems, access
control becomes an issue in this setting. Risks to corporate databases include
corruption, theft, misuse, and destruction of data. These threats originate from
both unauthorized intruders and authorized users who exceed their access
privileges. Several database control features that reduce these risks are
explained below:

a. User views
The database administrator (DBA) typically is responsible for defining
user views. The user view (subschema) is a subset of the total database
that defines the user’s data domain and restricts his or her access to the
database accordingly. The auditor is concerned that such access privileges
are commensurate with the users’ legitimate.

Subschema Restricting Access to Database [3]

[3] James A. Hall, Accounting Information Systems, 6th edition

b. Database authorization table
The database authorization table contains rules that limit the actions a
user can take. Each user is granted certain privileges that are coded in the
authority table, which is used to verify the user’s action request.

c. User-defined procedures
A user-defined procedure allows the user to create a personal security
program or routine to provide more positive user identification than a
password can.

d. Data encryption
Data encryption uses an algorithm to scramble selected data, thus making
it unreadable to an intruder “browsing” the database. Many database
systems use encryption procedures to protect highly sensitive data, such as
product formulas, personnel pay rates, password files, and certain financial
data. In addition to protecting stored data, encryption is used for
protecting data that are transmitted across networks.

e. Biometric devices
The use of biometric devices is the ultimate in user authentication
procedures. These devices measure various personal characteristics such as
fingerprints, voiceprints, retina prints, or signature characteristics. These
user characteristics are digitized and stored permanently in a database
security file or on an identification card that the user carries. When an
individual attempts to access the database, a special scanning device
captures his or her biometric characteristics, which it compares with the
profile data stored internally or on the ID card. If the data do not match,
access is denied.

2. Backup Controls
If the other controls fail, an organization still must function. Most database
systems use a backup system to recover the data after disasters such as
corruption by malicious acts from external hackers, disgruntled employees,
disk failure, program errors, fires, floods, and earthquakes. This system
provides four backup and recovery features, which are:

a. Backup
The backup feature makes a periodic backup of the entire database. This is an
automatic procedure that should be performed at least once a day, and
the backup copy should then be stored in a secure remote area.

b. Transaction log (journal)
The transaction log feature provides an audit trail of all processed
transactions. It lists transactions in a transaction log file and records the
resulting changes to the database in a separate database change log.

c. Checkpoint feature
The checkpoint facility suspends all data processing while the system
reconciles the transaction log and the database change log against the
database.

d. Recovery module
The recovery module uses the logs and backup files to restart the system
after a failure.
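
The user view and database authorization table described under Access Controls above can be sketched with SQLite. This is an added example, not code from the paper or from James Hall's text: a view hides the pay rate column, every action is checked against an authorization table with default deny, and an auditor-style check lists grants that exceed an assumed baseline. Table names, user IDs, sample rows, and the baseline are constructed for illustration.

```python
"""Added example: user view (subschema) plus database authorization table."""
import sqlite3


def build_database():
    """Create a constructed in-memory database with one view and one authorization table."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE employee (
            emp_id INTEGER PRIMARY KEY, name TEXT, dept TEXT, pay_rate REAL);
        INSERT INTO employee VALUES
            (1, 'A. Tan', 'Sales', 21.50),
            (2, 'B. Ruiz', 'Payroll', 30.00);

        -- User view (subschema): exposes the directory columns, hides pay_rate.
        CREATE VIEW employee_directory AS
            SELECT emp_id, name, dept FROM employee;

        -- Database authorization table: one row per permitted (user, object, action).
        CREATE TABLE auth_table (
            user_id TEXT, object_name TEXT, permitted TEXT,
            PRIMARY KEY (user_id, object_name, permitted));
        INSERT INTO auth_table VALUES
            ('clerk1',   'employee_directory', 'read'),
            ('payroll1', 'employee',           'read'),
            ('payroll1', 'employee',           'modify'),
            ('clerk1',   'employee',           'delete');  -- constructed excess grant
        """
    )
    return db


def is_authorized(db, user, obj, action):
    """Default deny: an action is allowed only if the table holds a matching row."""
    row = db.execute(
        "SELECT 1 FROM auth_table"
        " WHERE user_id = ? AND object_name = ? AND permitted = ?",
        (user, obj, action),
    ).fetchone()
    return row is not None


def read_rows(db, user, obj):
    """Return (column names, rows) of a table or view the user may read."""
    if not is_authorized(db, user, obj, "read"):
        raise PermissionError(f"{user} may not read {obj}")
    # obj matched an auth_table row exactly, so it is a known object name.
    cur = db.execute(f'SELECT * FROM "{obj}" ORDER BY 1')
    columns = [d[0] for d in cur.description]
    return columns, cur.fetchall()


def set_pay_rate(db, user, emp_id, rate):
    """Change a pay rate only for users holding 'modify' on the base table."""
    if not is_authorized(db, user, "employee", "modify"):
        raise PermissionError(f"{user} may not modify employee")
    db.execute("UPDATE employee SET pay_rate = ? WHERE emp_id = ?", (rate, emp_id))


def excess_privileges(db, baseline):
    """Auditor's check: grants in the table that the baseline does not justify."""
    rows = db.execute(
        "SELECT user_id, object_name, permitted FROM auth_table"
        " ORDER BY user_id, object_name, permitted"
    ).fetchall()
    return [row for row in rows if row not in baseline]


# Assumed baseline of what each user legitimately needs (hypothetical).
BASELINE = {
    ("clerk1", "employee_directory", "read"),
    ("payroll1", "employee", "read"),
    ("payroll1", "employee", "modify"),
}

if __name__ == "__main__":
    database = build_database()
    print(read_rows(database, "clerk1", "employee_directory"))
    print(excess_privileges(database, BASELINE))
```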

ORGANIZATION STRUCTURE CONTROLS

In a Computer-Based Information Systems (CBIS) environment, the importance of
segregation of duties shifts to the systems functions. This section looks at
how this should be addressed in two possible settings: a firm with
centralized computer services and one with a distributed arrangement.

The tendency in a Computer-Based Information Systems (CBIS)
environment is to consolidate activities. A single application may authorize,
process, and record all aspects of a transaction. Thus, the focus of segregation
control shifts from the operational level to higher-level organizational
relationships within the computer services function. The interrelationships among
systems development, systems maintenance, database administration, and
computer operations activities are of particular concern.

Segregation of Duties within the Centralized Firm

With regard to the segregation of duties in a Computer-Based Information
Systems (CBIS), the key points are to:

1. Separate systems development from computer operations
The segregation of systems development and maintenance from operations
activities is important, because they are responsible for creating and
maintaining the systems for users.

2. Separate database administration from other functions
The segregation of the database administration function from other computer
services functions is also important, because database administration is
responsible for a number of critical tasks pertaining to database security,
including creating the database schema, creating user subschemas (views),
assigning access authority to users, monitoring database usage, and planning
for future expansion.

3. Separate new systems development from maintenance
Where these functions are not separated, the programmer who codes the original
programs also maintains the new system during the maintenance phase of the
Systems Development Life Cycle (SDLC). This approach promotes two potential
problems: inadequate documentation and program fraud. When a
system is poorly documented, it is difficult to interpret, test, and debug, so
the programmers who understand the system have to maintain it. And when
the original programmer of a system also has maintenance responsibility, the
potential for fraud is increased, because program fraud involves making
unauthorized changes to program modules for the purpose of committing an
illegal act.

4. A superior structure for systems development
In a superior organizational structure, the systems development function is
separated into two different groups. The first is the new systems development
group, which is responsible for designing, programming, and implementing new
systems projects and systems maintenance. The second is the systems maintenance
group, which is responsible for completing the documentation; denying the
original programmer future access to the program deters program fraud.

The Distributed Model

The effect of moving to a distributed data processing model in computer
services is to consolidate some computer functions that are traditionally
separated and to distribute some activities that are consolidated under the
centralized model. Accountants should recognize several control implications,
such as different departments using different software. These issues are real.
When computers (PCs) began to proliferate in organizations, things happened
without thought.

Creating a Corporate Computer Services Function


The concept of a corporate computer services function to support
distributed computing is presented. Some of the support services provided are
central testing of commercial software and hardware, user services,
standard-setting body, and personnel review. It aims for the best of both
worlds: user ownership and professional support capability.

SYSTEMS DEVELOPMENT & MAINTENANCE CONTROLS

The Systems Development Life Cycle (SDLC) is a set of processes by
which organizations satisfy their formal information needs. Although accountants
do not develop systems, their confidence in the output of the system requires that
they focus on the controllable activities common to all systems
development and on whether the controls are adequate.

Controlling New Systems Development Activities

Six activities within development and their related controls are discussed
below:

1. Systems authorization activities: all systems must be properly authorized to
ensure their economic justification and feasibility.
2. User specification activities: users need to be actively involved in the systems
development process.
3. Technical design activities: these translate user specifications into a set of
detailed technical specifications for a system that meets the user’s needs.
4. Internal audit participation: to control the systems development activities,
the internal auditor serves as a liaison between users and the systems
professionals to ensure an effective transfer of knowledge.
5. Program testing: before the program modules are implemented, they must be
tested to identify programming and logic errors. Then, to facilitate the efficient
implementation of audit objectives, test data prepared during the
implementation phase should be preserved for future use.
6. User test and acceptance procedures: if the test team is satisfied that the system
meets its stated requirements, the system can be formally accepted by the user
department(s).

Controlling Systems Maintenance Activities

As mentioned, the final controllable activities pertain to systems maintenance. Upon implementation, the information system enters the maintenance phase of the SDLC. The nature and extent of systems maintenance activities create great potential for exposure, which requires effective control procedures. To minimize the potential exposure, all maintenance actions should require, as a minimum, four controls: formal authorization, technical specifications, testing, and documentation updates. In other words, maintenance activities should be given essentially the same treatment as new development.

Source Program Library Controls

A source program library (SPL) holds application program modules that are stored in source code form on magnetic disks. The figure below illustrates the relationship between the source program library and other key components of the operating environment. This material presumes an understanding of the program compilation process.

Uncontrolled Access to the SPL [4]

[4] James A. Hall, Accounting Information Systems, 6th edition

The figure above shows the source program library without controls. This arrangement has the potential to create two serious forms of exposure:

1. Access to programs is completely unrestricted. Programmers and others can access any programs stored in the library, and there is no provision for detecting an unauthorized intrusion.
2. Because of these control weaknesses, programs are subject to unauthorized changes. In other words, with no provision for detecting unauthorized access to the source program library, the program’s integrity cannot be established.

Because of these exposures, the source program library (SPL) environment needs to be controlled. Source Program Library Management Systems (SPLMS) protect the source program library by controlling the following functions:

a. Storing programs on the source program library; storing a program on the SPL requires password control. However, when more than one person is authorized to access a program, preserving the secrecy of a shared password is a problem.
b. Retrieving programs for maintenance purposes; a strict separation is maintained between the production programs that are subject to maintenance in the source program library and those being developed.
c. Deleting obsolete programs from the library.
d. Documenting program changes to provide an audit trail of the changes; the report of all program changes (additions and deletions) to each module should be part of the documentation file of each application to form an audit trail of program changes over the life of the application. During an audit, these reports can be reconciled against program maintenance requests to verify that only those changes requested were actually implemented.
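The reconciliation described in item d, as an added example (not from the original text or from any SPLMS product): a SHA-256 digest per module detects what really changed in the library, and the result is checked against the change report and the approved maintenance requests. The module names, request IDs, and record layouts are constructed assumptions.

```python
import hashlib


def digest(source):
    """SHA-256 of a module's source text; any edit changes the digest."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def actual_changes(baseline, current):
    """Diff two library snapshots {module: source} into {module: action}."""
    changes = {}
    for module in sorted(baseline.keys() | current.keys()):
        if module not in baseline:
            changes[module] = "add"
        elif module not in current:
            changes[module] = "delete"
        elif digest(baseline[module]) != digest(current[module]):
            changes[module] = "modify"
    return changes


def reconcile(baseline, current, change_report, requests):
    """Return sorted (finding, module) pairs for the auditor to follow up.

    change_report: (module, action, request_id) rows, as an SPLMS would log them.
    requests: {request_id: (module, action)} approved maintenance requests.
    """
    findings = []
    reported = {(module, action) for module, action, _ in change_report}
    # 1. Every real difference in the library must appear in the change report.
    for module, action in actual_changes(baseline, current).items():
        if (module, action) not in reported:
            findings.append(("undocumented change", module))
    # 2. Every reported change must trace to an approved request that names
    #    the same module and the same action.
    for module, action, request_id in change_report:
        if requests.get(request_id) != (module, action):
            findings.append(("no matching request", module))
    return sorted(findings)


# Constructed sample data (hypothetical modules and request IDs).
BASELINE = {
    "AR_POST": "post receipts to customer accounts",
    "PAYROLL_CALC": "gross = hours * rate",
    "OLD_RPT": "print obsolete report",
}
CURRENT = {
    "AR_POST": "post receipts to customer accounts; reject closed accounts",
    "PAYROLL_CALC": "gross = hours * rate * 1.01",  # changed, never logged
    "GL_CLOSE": "close the general ledger period",  # new module
}
CHANGE_REPORT = [
    ("AR_POST", "modify", "MR-101"),
    ("OLD_RPT", "delete", "MR-102"),
    ("GL_CLOSE", "add", "MR-999"),  # cites a request that was never approved
]
REQUESTS = {
    "MR-101": ("AR_POST", "modify"),
    "MR-102": ("OLD_RPT", "delete"),
}

if __name__ == "__main__":
    for finding, module in reconcile(BASELINE, CURRENT, CHANGE_REPORT, REQUESTS):
        print(f"{module}: {finding}")
```
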

COMPUTER CENTER SECURITY AND CONTROLS


Companies cannot avoid many bad events, such as fire, flood, wind, sabotage, earthquakes, or even power outages. If these events occur, the company not only loses tangible assets such as computers, tables, or even the building itself, but also loses intangible assets, such as data containing the company’s important information; it may even lose its ability to do business again because the owner is already under pressure from the situation.

To avoid these outcomes, we must know how to control them. This section explains the means of control by presenting computer center controls that help create a secure environment. But even if the company has already invested much money in controls, who can control a disaster when it comes? What must the company do to prepare itself for these events? These questions are also answered in this section by presenting the Disaster Recovery Plan (DRP).

Controls:

• Computer Center Controls

Computer center controls cover six particular areas in order to give better performance:
a. Physical location: the site of the company’s computer center must be chosen well. Do not place the computer center near human-made or natural hazards, such as processing plants, gas and water mains, airports, high crime areas, flood plains, and geological faults.
b. Construction: a computer center should be located in a single-story building of solid construction with controlled access. All telecommunications and power lines should run underground, the building windows should not open, and an air filtration system should be in place that is capable of excluding dust, pollens, and dust mites.
c. Access: access to the company’s database should be denied to employees in general, except for the owner or those in high positions (based on the company’s policy). Programmers and analysts can therefore build a system that provides appropriate security for the database. For example, every employee in the company must have their own ID and password to unlock the company database, but the data that can be unlocked depends on their position. The computer center should have just one door for entering and leaving, although fire exits with alarms are necessary. For better computer center security, the room should be equipped with closed-circuit cameras and video recording systems.
d. Air conditioning: this is very important for a company that uses a computer center, because air conditioning lets the computer center work at its best. There are two reasons. First, computers work best in a temperature range of 70 to 75 degrees Fahrenheit and a relative humidity of 50 percent. Second, if the computer center is too hot or outside the suitable range, logic errors can occur in computer hardware, and the risk of circuit damage from static electricity increases when humidity drops.
e. Fire suppression: fire is the leading reason a company cannot continue its business, because a company that suffers a fire loses its critical records, such as accounts receivable. If this data is lost, the company no longer knows who has outstanding credit and when it matures. To avoid or reduce this possibility, the company can implement some major features: [5]
   - Automatic and manual alarms should be placed in strategic locations around the installation. These alarms should be connected to permanently staffed firefighting stations.
   - There must be an automatic fire extinguishing system that dispenses the appropriate type of suppressant (carbon dioxide) for the location. For example, spraying water and certain chemicals on a computer can do as much damage as the fire.
   - There should be manual fire extinguishers placed at strategic locations.
   - The building should be of sound construction to withstand water damage caused by fire suppression equipment.
   - Fire exits should be clearly marked and illuminated during a fire.
f. Power supply: although power supply equipment is expensive, it is really useful for the company to have, because this equipment (voltage regulators, surge protectors, generators, and batteries) can stabilize the power supply. Companies that do not use it commonly face problems that disrupt computer center operations: total power failures, brownouts, power fluctuations, and frequency variations.

[5] James A. Hall, Accounting Information Systems, 6th edition

• Disaster Recovery Plan (DRP) [6]
A DRP is a comprehensive statement of all actions to be taken before, during, and after a disaster, along with documented, tested procedures that will ensure the continuity of operations. A DRP can be put in place in several ways:

• Providing Second-Site Backup:
a) The Empty Shell is an arrangement in which the company buys or leases a building and remodels it into a computer site. In the event of a disaster, the shell is available and ready to receive whatever hardware the users need to run essential systems.
b) The Recovery Operation Center (ROC) is a completely equipped site. It is very costly because the ROC service gives extra services, such as technical services, to clients who pay an annual fee for access rights, and the backup data center is typically shared among many companies.
c) Internally Provided Backup: a company that has multiple data centers should be self-reliant by creating excess capacity. The facility is equipped with high-capacity storage devices, and all transactions are processed in real time along fiber-optic cables to a remote backup facility.

• Identifying Critical Applications
In making a DRP, the company must first identify which applications have priority (short-term survival) and which do not. Many items can affect the cash flow position if they are not given priority, for example: [7] customer sales and service, fulfillment of legal obligations, accounts receivable maintenance and collection, production and distribution decisions, purchasing functions, communications between branches or agencies, and public relations.

[6] James A. Hall, Accounting Information Systems, 6th edition
[7] James A. Hall, Accounting Information Systems, 6th edition

Application priorities can change over time, however, so the DRP must be updated to reflect new developments and identify critical applications.

• Performing Backup and Off-Site Storage Procedures
Databases, master files, and transaction files should be copied daily to tape or disk and secured off-site. The company should also back up documentation, supplies, and source documents.

• Creating a Disaster Recovery Team
Recovering from a disaster in a timely way with a good DRP requires a great DRP team. The team members should be experts in their areas and have assigned tasks.

• Testing the DRP
Testing the DRP is very important and should be performed periodically. Tests measure the preparedness of personnel and identify omissions or bottlenecks in the plan.

INTERNET AND INTRANET CONTROLS


Internet means that the company can share its data worldwide, and everybody who uses the Internet can see and learn about the data that the company has organized. Intranet means that the company sets up cable-based communication that links all of the computers the company has.

Objectives:
1. Prevent and detect illegal internal and Internet network access
2. Render useless any data captured by a perpetrator
3. Preserve the integrity and physical security of data connected to the network

Threats:

Two general categories of risk: [8]

1. Risks from subversive threats. These include, but are not limited to, a computer criminal intercepting a message transmitted between the sender and the receiver, a computer hacker gaining unauthorized access to the organization’s network, and a denial of service attack from a remote location on the Internet.
2. Risks from equipment failure. For example, transmissions between senders and receivers can be disrupted, destroyed, or corrupted by equipment failures in the communications system. Equipment failure can also result in the loss of databases and programs stored on network servers.

Controls:

1. Controlling risks from subversive threats


A firewall is a hardware or software system that prevents unauthorized access to or from a network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet. All data entering or leaving the intranet pass through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Commonly, there are two types of firewalls:

a) Network-Level Firewalls
Network-level firewalls route traffic directly through them, which means that in order to use one, the user needs either a validly assigned IP address block or a private Internet address block. Network-level firewalls tend to be very fast and almost transparent to their users.

b) Application-Level Control
Recently, application-level firewalls (sometimes called proxies) have been looking more deeply into the application data going through their filters. By considering the context of client requests and application responses, these firewalls attempt to enforce correct application behavior, block malicious activity, and help organizations ensure the safety of sensitive information and systems. They can log user activity too. Application-level filtering may also include protection against spam and viruses, and can block undesirable Web sites based on content rather than just their IP address.

[8] James A. Hall, Accounting Information Systems, 6th edition
The highest level of firewall security, however, is provided by dual-homed systems. A dual-homed system consists of a host system with two network interfaces and with the host's IP forwarding capability disabled (i.e., the default condition is that the host can no longer route packets between the two connected networks). In addition, a packet filtering router can be placed at the Internet connection to provide additional protection. These firewalls deny all services unless they are specifically permitted. The ability of the host to accept source-routed packets would be disabled, so that no other packets could be passed by the host to the protected subnet.

Figure 2.2 Dual-Homed Systems (adopted from James A. Hall, Accounting Information Systems, 6th edition)

2. Controlling denial of service attacks

In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and is then allowed onto the server.
In a denial of service attack, the user types a URL for a particular website into the browser and sends several authentication requests to the server. If an attacker overloads the server with requests, it can't process the user’s request, because the server can only process a certain number of requests at once. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval.
Unfortunately, there are no effective ways to prevent being the victim of a denial of service attack, but there are steps users can take to reduce the likelihood that an attacker will use their computer to attack other computers: [9]
• Install and maintain anti-virus software.
• Install a firewall, and configure it to restrict traffic coming into and leaving the user’s computer.
• Follow good security practices for distributing email addresses and for reducing spam.

3. Encryption

Encryption is the conversion of data into a form, called ciphertext, that cannot be easily understood by unauthorized people. Encryption involves using a password or digital key to scramble a readable message (cleartext) into an unreadable message (ciphertext). The intended recipient of the message then uses the same or another digital key to convert the ciphertext message back into cleartext.

[9] http://www.us-cert.gov/cas/tips/ST04-015.html

The earliest encryption method is called the Caesar Cipher, which is said to have been used by Julius Caesar to send coded messages to his generals in the field. The Caesar Cipher has two fundamental components: a key and an algorithm. The key is a mathematical value that is selected by the sender of the message. The algorithm is the simple procedure of shifting each letter in the cleartext message by the number of positions indicated by the key value. Thus a key value of +3 would shift each letter three places to the right. For example, the letter “A” in cleartext would be represented as the letter “D” in the ciphertext message. The receiver of the ciphertext message decodes it and recreates the cleartext by reversing the process. Obviously, both the sender and the receiver of the message must know the key.

Next, there is Public Key Encryption. This method uses two different keys: one for encoding messages and the other for decoding them. The recipient has a private key, used for decoding, that is kept secret. The public key is used for encoding and is published for everyone to use. Receivers never need to share private keys with the senders, thus reducing the likelihood that they fall into the hands of an intruder. The most trusted public key encryption is RSA (Rivest-Shamir-Adleman). This method is, however, computationally intensive and much slower than DES encryption. Sometimes, both DES and RSA are used together in what is called a digital envelope.

Figure 2.3: Encryption (adopted from http://www.data-processing.hk/uploads/images/public-key-encryption-example.gif)

4. Digital Signatures

A digital signature is produced when someone uses this security technique to encrypt the text message with his or her own private key. The digital signature is made from the document, which has been encrypted with the sender’s private key. The digital signature and the text message are then encrypted together and transmitted by the sender to the receiver.

Many companies believe that digital signatures are more secure than conventional handwritten signatures, because a conventional handwritten signature can be copied very easily whereas a digital signature is impossible to copy. Furthermore, the digital signature proves not only who signed the message but also that the message has not been altered in any way. If a digitally signed message is altered, its digest will no longer match the decrypted signature. Similarly, a company could transmit a digitally signed purchase order over the Internet. The receiving company could then readily verify the authenticity of the purchase order. Another company might want to issue employees digital credentials (such as identification cards) with a digital signature.
Figure: Digital Signature (adopted from http://www.infosec.gov.hk/english/itpro/images/digital_signature.gif)

5. Digital Certificate

What about authentication? How does a customer know that the website receiving sensitive information is not set up by some other party posing as the e-merchant? They check the digital certificate. This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and web-servers.

6. Message Sequence Numbering


An intruder in the company can sometimes change the order of messages, duplicate a message, or delete a message without anyone knowing. To prevent this, the company can implement a system called Message Sequence Numbering, which assigns each message a number in sequence.
7. Message Transaction Log
In a message transaction log, all outgoing and incoming messages must be recorded. The log can record the user ID, the time of the access, and the terminal location or even the phone number from which the access originated, so an intruder cannot log in to the system by “trial and error”, because everything that happens is recorded.
8. Request-Response Technique
The request-response technique controls the message from the sender and the response from the receiver. This technique is useful because an intruder can sometimes interrupt or delay the message from the sender without the receiver knowing about it.
9. Call-Back Devices
A call-back device requires the dial-in user to enter a password and be identified. The system then breaks the connection for a while to check the authentication; once the system has established that the caller is authorized, the call-back device starts a new connection by dialing the caller’s number.
10. Line Errors
The most common problem in data communications is data loss due to line error. Line errors can happen because of noise, a random signal that can interfere with the message signal when it reaches a certain level; as a result, the bit structure of the message can be corrupted. There are two common techniques to detect and correct these data errors before they are processed:
• Echo check: the receiver of the message sends the message back to the sender, and the sender compares the returned message with a stored copy of the original.
• Parity check: an extra bit (the parity bit) is incorporated into the structure of a bit string when it is created or transmitted. [10]
11. Backup Control for Networks
Every company that uses a network should back up its data, because an enterprise-level network can be very large and include multiple server levels. If the company has already backed up its data, it can eliminate the probability of losing data to a disaster or unwanted event, such as fire, flood, etc.
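Items 6 and 7 combined, as an added example (not from the original text): a receiver checks each message's sequence number on arrival and writes every message, with its status, to a transaction log. The message layout, user IDs, terminal names, and times are constructed sample data.

```python
def receive(messages):
    """Check sequence numbers on arrival and log every message.

    messages: (seq, user_id, terminal, time) tuples in arrival order,
    numbered by the sender starting at 1.
    Returns (log, missing): one log row per arrival with a status, plus the
    sequence numbers that never arrived (deleted or still delayed).
    """
    seen = set()
    highest = 0
    log = []
    for seq, user_id, terminal, time in messages:
        if seq in seen:
            status = "duplicate"   # same number delivered twice
        elif seq == highest + 1:
            status = "ok"          # exactly the next expected message
        elif seq > highest + 1:
            status = "gap"         # one or more messages skipped so far
        else:
            status = "late"        # fills an earlier gap: order was changed
        seen.add(seq)
        highest = max(highest, seq)
        # Transaction log row: who, when, from where, and what was decided.
        log.append({"seq": seq, "user_id": user_id, "terminal": terminal,
                    "time": time, "status": status})
    missing = [n for n in range(1, highest + 1) if n not in seen]
    return log, missing


def exceptions(log):
    """Rows an operator or auditor should review."""
    return [row for row in log if row["status"] != "ok"]


# Constructed arrival stream: 3 is delayed and then replayed, 5 never arrives.
ARRIVALS = [
    (1, "u017", "T-04", "09:00:01"),
    (2, "u017", "T-04", "09:00:02"),
    (4, "u017", "T-04", "09:00:03"),
    (3, "u017", "T-04", "09:00:09"),
    (3, "u017", "T-09", "09:00:10"),
    (6, "u017", "T-04", "09:00:11"),
]

if __name__ == "__main__":
    log, missing = receive(ARRIVALS)
    for row in exceptions(log):
        print(row)
    print("never arrived:", missing)
```
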

ELECTRONIC DATA INTERCHANGE CONTROLS


Electronic Data Interchange (EDI) can be defined as the exchange of business data from one organization’s computer application to the computer application of a trading partner. It facilitates computer-to-computer exchange of electronic documents (such as purchase orders, advance shipment notices, and invoices) without human intervention or human-readable (paper or electronic) documents. EDI eliminates manual re-keying of data, cuts order processing costs, increases data accuracy, improves cycle time, and makes just-in-time deliveries possible.

[10] James A. Hall, Accounting Information Systems, 6th edition

Figure 2.3 EDI System (adopted from http://www.cybertext.com/images/tps_edi.gif)

Even though human intervention is not part of an EDI system, that does not mean problems will not exist. For example, the company must make sure that transactions are authorized and valid, prevent unauthorized persons from accessing the data files, and maintain an audit trail. There are three ways to accomplish these:

• Transaction Authorization and Validation
Both the supplier and the customer must ensure that the transaction being processed is valid and authorized. The ways to accomplish this are: [11]
1. Using the VAN to match passwords and user ID codes against the valid customer file that the vendor holds. An unauthorized trading partner is rejected by the VAN before the transaction reaches the vendor’s system.
2. Before being converted, the translation software can validate the trading partner’s ID and password against a validation file in the firm’s database.
3. Before processing, the trading partner’s application software can validate the transaction by referencing the valid customer and vendor files.

• Access Control
The degree of access control in the system is determined by the trading agreement between the trading partners. An EDI trading partner must have some degree of access to private data files, such as whether inventory is available and perhaps the price. Access control is very useful for keeping unauthorized persons from accessing the data files. Again, some VANs can screen and reject unauthorized access attempts by trading partners.

• EDI Audit Trail
An EDI audit trail differs from a traditional audit trail because it has no source documents. The technique for maintaining an audit trail in EDI is to keep a control log, which records the flow of the organization’s transactions through the EDI system.

PERSONAL COMPUTER CONTROLS


When using computers, there are many weaknesses that must be controlled, such as weaknesses of operating systems, inadequate segregation of duties, inadequate backup procedures, and inadequate systems development and maintenance procedures. These weaknesses are controlled as follows:

• Weakness of Operating Systems
Personal computers (PCs) provide many functions for users but only minimal security for stored data and programs. For example, data or programs that the user saves on a microcomputer are not secured against access, manipulation, or even destruction by unauthorized people. Thus, the auditor must ensure that the data on the personal computer are safe and that their integrity is protected from computer criminals.
To prevent this, users in the company can use a system called “Disk Lock”. Disk Lock is an application that hides the existing data on a flash disk and locks access to the flash disk; passwords are needed to access it. It also blocks viruses that exploit the autorun function and serves as early prevention against viruses, because it provides functions to scan for foreign files or viruses hiding in the root directory of the flash disk.

[11] James A. Hall, Accounting Information Systems, 6th edition

• Inadequate Segregation of Duties
In particular, many companies hire employees without a detailed explanation of their job. For example, one employee may do multiple jobs, such as recording purchase transactions, sales transactions, cash receipts, and cash disbursements. If this happens, the risk of fraud is very high: it creates the opportunity to commit fraud, and an employee under pressure can commit fraud very easily because the internal control is weak and rationalization supports it.
To avoid this, the company must strengthen internal control through segregation of duties. Segregation of Duties (SoD) separates roles and responsibilities to ensure that an individual cannot process a transaction from initiation through to reporting without the involvement of others; SoD thereby reduces the risk of fraud or error to an acceptable level.

• Inadequate Backup Procedures
Disk failure is the main problem for a company that does not back up its data and programs, and it usually happens among lower-level users in the PC environment who do not have adequate experience and training. Some common backup approaches are outlined below:
- Disk and Tape Backup
In this approach, the user backs up the data to floppy disk or another type of magnetic disk. The user must back up the data periodically and consistently, because skipping the backup even once can result in permanent loss.
- Dual Internal Hard Drives
The user can use dual internal hard drives in the microcomputer, with one hard drive used to store production data and the other to store the backup files.
- External Hard Drives
The most popular approach among users is external hard drives, for example USB drives, because users think USB is safer and it also offers unlimited storage capacity and portability.

• Inadequate Systems Development and Maintenance Procedures
To reduce this risk, the company can do two things:
- Use Commercial Software
A company that uses software for its accounting applications must acquire that software from reputable vendors. Commercial software is normally tested and highly reliable.
- Software Selection Procedures
Both small and big companies must adopt formal software selection procedures. The steps are: [12]
1. Conduct a formal analysis of the problems and user needs.
2. Solicit bids from several vendors.
3. Evaluate the competing products in terms of their ability to meet the identified needs. (At this point, it is often wise to seek the help of a professional consultant.)
4. Contact current users of prospective commercial packages to get their opinions about the product.
5. Make a selection. (The firm should keep in mind the degree of support it will need and should be sure that the vendor is willing and able to provide that support.)

[12] James A. Hall, Accounting Information Systems, 6th edition

APPLICATION CONTROLS

Application controls deal with specific areas, such as payroll and accounts receivable. For that reason, application controls fall into three broad categories: Input, Process, and Output controls.

Input Controls

Input controls attempt to ensure that the transactions entered into the system are valid, accurate, and complete. To make sure input controls are implemented as well as possible, they are divided into the following classes:

• Source document controls
In systems that use source documents, these documents must be kept secure, because they can be used to commit fraud, for example to remove assets from the company. How can source documents be controlled to prevent fraud? There are three ways. First, use prenumbered source documents: every source document produced by the company must carry a sequential number, which supports accurate accounting records through the audit trail. Second, use source documents in sequence: source documents that are not in use must be locked away, and access to them must be limited. Third, periodically audit source documents: compare the number of documents used to date with the remaining inventory. If something is wrong, it becomes known directly and action can be taken as soon as possible.

• Data coding controls
Examples of data codes are a customer’s account number, an inventory item number, and a chart of accounts number. There are three types of data coding error: transcription errors, single transposition errors, and multiple transposition errors.

Transcription error:
1. There is an extra digit in the account number.
2. There is an inadequate account number.
3. There is an error in the use of the account number (the appropriate account number is not used).

A single transposition error occurs when two adjacent digits are reversed; for example, 32111 is recorded as 23111. A multiple transposition error occurs when nonadjacent digits are transposed; for example, 32114 is recorded as 34121.

Control:

Check Digits. A number is added to a code (such as a bar code or account
number) to derive a further number as a means of verifying the accuracy or
validity of the code as it is printed or transmitted. A code consisting of
three digits, for example 135, may include 9 (the sum of 1, 3, and 5) as the
last digit and be communicated as 1359. This technique can detect
transcription errors only; transposition errors are not detected. For
example, if 135 is recorded as 531, the sum is still the same, which is 9.
The best check digit technique is Modulus 11. The procedure for calculating
the check digit, which may be carried out automatically in a computer, is as
follows:

1. Take the first seven digits of the ISSN (the check digit is the eighth and
last digit): 0 3 1 7 8 4 7
2. Take the weighting factors associated with each digit : 8 7 6 5 4 3 2
3. Multiply each digit in turn by its weighting factor: 0 21 6 35 32 12 14
4. Add these numbers together: 0+21+6+35+32+12+14 = 120
5. Divide this sum by the modulus 11: 120 / 11 = 10 remainder 10
6. Subtract the remainder from 11: 11 - 10 = 1
7. Add the result of the subtraction, which is the check digit, to the extreme
right (low order) position of the base number of the ISSN: 0317-8471

If the result of the subtraction is 10, substitute an upper case X in the
check digit position. If the division leaves no remainder, put a zero in the
check digit position. It should be noted that the check digit is an essential
and inseparable part of the ISSN.
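The two check digit schemes above, side by side, as an added example (not part of the original paper). It generates every single-digit substitution and adjacent transposition of a code and reports which ones each scheme fails to catch; the function names and the X and zero sample bases are constructed for illustration.

```python
ISSN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2)  # weighting factors from step 2


def sum_check_digit(base: str) -> str:
    """Simple scheme from the text: the check value is the digit sum (135 -> 9)."""
    return str(sum(int(d) for d in base))


def sum_is_valid(code: str) -> bool:
    """Validate a code whose last character is the digit sum of the rest."""
    return (code.isascii() and code.isdigit()
            and sum_check_digit(code[:-1]) == code[-1])


def mod11_check_digit(base: str) -> str:
    """Steps 1-7 of the procedure: weighted sum, modulus 11, subtract from 11."""
    if len(base) != 7 or not (base.isascii() and base.isdigit()):
        raise ValueError("ISSN base must be exactly seven digits")
    total = sum(int(d) * w for d, w in zip(base, ISSN_WEIGHTS))
    remainder = total % 11
    if remainder == 0:
        return "0"                        # no remainder: check digit is zero
    check = 11 - remainder
    return "X" if check == 10 else str(check)


def issn_is_valid(issn: str) -> bool:
    """Recompute the check digit and compare it with the eighth character."""
    compact = issn.replace("-", "").upper()
    if len(compact) != 8:
        return False
    try:
        return mod11_check_digit(compact[:7]) == compact[7]
    except ValueError:                    # non-digit in the base number
        return False


def keying_errors(code: str):
    """Yield every one-digit substitution and adjacent transposition of code."""
    for i, ch in enumerate(code):
        for d in "0123456789":
            if d != ch:
                yield code[:i] + d + code[i + 1:]
    for i in range(len(code) - 1):
        if code[i] != code[i + 1]:
            yield code[:i] + code[i + 1] + code[i] + code[i + 2:]


def undetected(code: str, is_valid) -> list:
    """Return the corrupted variants that the given validator still accepts."""
    return [v for v in keying_errors(code) if is_valid(v)]


if __name__ == "__main__":
    print("check digit for 0317847:", mod11_check_digit("0317847"))
    print("missed by digit sum:", undetected("1359", sum_is_valid))
    print("missed by Modulus 11:", undetected("03178471", issn_is_valid))
```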

 Batch controls
The main reason a company should use batch controls is that they reconcile
the output with the input originally entered into the system. Under batch
control, inputs of the same type are collected together first, then entered
into the system and controlled throughout processing. Two documents are used
to accomplish this task: a batch transmittal sheet and a batch control log.
The batch transmittal sheet captures relevant data such as the following: a
unique batch number, transaction code (for example, that the data is about
sales orders), date, the user, prepared by, record count, control total (the
sum of the dollar value in the financial field) and hash total (the total of
a unique nonfinancial field, for example the total of the SO numbers).
The transmittal sheet is very useful to ensure the batch record is this
sheet is also used to assess the integrity of the batch during processing. After
processing, the output results are distributed to the control clerk, who
reconciles them to make sure the batch is right and then distributes them to
the user. Before that, however, the control clerk must update the batch
control log.
 Validation controls
Validation controls are useful for detecting fraud in the data as it is
input, before it is processed. Input validation controls are seen at all
three levels of the data hierarchy:
1. Field (attribute) interrogation
2. Record interrogation
3. File interrogation

Field interrogation consists of many types:

- Missing data checks: if the value in the field is missing or blank, the
validation program will detect this as an error.
- Numeric-alphabetic data checks: for example, the validation program will
detect an error if the customer's account number contains alphabetic data.
- Zero-value checks: used to verify that a certain field contains the zero
value, because some programs require a zero value in mathematical
operations. If the control does not detect a zero value, it may
automatically place a zero value in the field.
- Limit checks: identify a field that contains a value exceeding the
authorized limit.
- Range checks: check the upper and lower limits of the data in the field.
For example, the payroll field is between 5 and 15. If the payroll is
entered as more than 15, the system will detect this.
- Validity checks: compare the actual values in the field with the
acceptable values. For example, in cash disbursement systems a fraudster
usually makes a payment to a nonexistent vendor; to prevent this, the
company can keep a list of valid vendors. If the fraudster makes a payment
with a vendor number that does not match the valid vendor list in the
validation program, the validation program will detect this as an error and
the payment cannot be made.
- Check digits: identify keystroke errors in the field.

Record interrogation validates the interrelationship of the fields in the
entire record. The tests are discussed below:

- Reasonableness check: determines if a value in one field, which has already
passed a limit check and a range check, is reasonable when considered
along with other data fields in the record.
- Sign check: checks whether the sign of the recorded transaction is correct
for every account.
- Sequence check: used to determine if a record is out of order. The stored
transaction files must be in the same order as the master files when batch
processing is done.

File interrogation ensures that the correct file is being processed by the
system. This control is particular in that it focuses on the master file,
which contains permanent data about the company. The tests are explained
below:

- Internal label check: an internal label is useful when the external label
is incorrect. Because the external label is made manually, it is very prone
to error. For example, if the user creates stored data and puts the wrong
label on the outside, then when the user wants to retrieve the data again,
the wrong data will be processed. To prevent this, the company can use an
internal label to check that the data matches its label. When the user
processes the wrong data because of a wrong external label, the system gives
a notification that the data does not match the label and stops the process.
- Expiration date check: notifies the user whether the data has expired
before it is replaced with newer data. For example, in a backup system, when
the user backs up the newest data in the master file, the user will usually
overwrite the older data in order to free space for the new data.
 Input error correction
When an error is detected, it must be corrected to prevent further errors.
There are three common techniques to do this:
1. Immediate correction: when the user finds an unusual relationship within
the data or a keystroke error, the user can correct it directly, at the time
the error is detected.
2. Create an error file: when the user finds an unusual relationship within
the data or a keystroke error, the user flags each record that is detected
as an error. After the validation procedure is finished, the flagged records
are removed and put in one file, or quarantined, until they can be
investigated.
3. Reject the batch: this occurs when the user finds that the total of the
sales orders (hash total) on the transmittal sheet does not agree with the
sales orders in the data input procedure. The user can cancel or reject the
batch, investigate why it happened, resolve it, and finally resubmit the
batch.

 Generalized data input systems


Many companies implement Generalized Data Input Systems (GDIS) to improve
the degree of control, because a GDIS centralizes the data input procedures.
A GDIS ensures that the data input procedures are the same across all
systems, and it improves the efficiency of systems development. Such a
system consists of 5 components:
- Generalized validation module (GVM): this module performs the standardized
validation for the system.
- Validation data file: a temporary holding file for the input data that has
been validated by the GVM.
- Error file: all the errors detected by the GVM are stored in a file named
the error file, then corrected and resubmitted to the GVM.
- Error reports: when errors are detected, the system reports them to the
user to facilitate error correction.
- Transaction log: all the transactions that occur in this system are
recorded in the transaction log, which is permanent and is very important
for the audit trail.
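A small generalized validation module that applies the field and record checks described above and routes each record to a validated data file, an error file and a transaction log, with corrected records resubmitted through the same module. This is an added example, not part of the original paper; the record layout, vendor list, limit and function names are constructed for illustration.

```python
import re
from decimal import Decimal

VALID_VENDORS = {"V1001", "V1002", "V1003"}   # constructed valid vendor list
PAYMENT_LIMIT = Decimal("5000.00")            # constructed authorized limit
AMOUNT_RE = re.compile(r"-?\d+(\.\d{1,2})?", re.ASCII)

# Constructed batch of cash-disbursement records (all fields keyed as text).
BATCH = [
    {"vendor_no": "V1001", "account_no": "20100", "amount": "1250.00"},
    {"vendor_no": "V9999", "account_no": "20100", "amount": "480.00"},
    {"vendor_no": "V1002", "account_no": "2O100", "amount": "75.10"},  # letter O
    {"vendor_no": "V1003", "account_no": "20100", "amount": "7500.00"},
    {"vendor_no": "V1002", "account_no": "", "amount": "19.99"},
]


def interrogate(rec: dict) -> list:
    """Run the field and record checks on one record; return the errors found."""
    errors = [f"missing data: {name}"
              for name in ("vendor_no", "account_no", "amount")
              if not str(rec.get(name) or "").strip()]
    if errors:
        return errors
    if not (rec["account_no"].isascii() and rec["account_no"].isdigit()):
        errors.append("numeric-alphabetic: account_no")
    if not AMOUNT_RE.fullmatch(rec["amount"]):
        return errors + ["numeric-alphabetic: amount"]
    amount = Decimal(rec["amount"])
    if amount <= 0:
        errors.append("sign check: amount must be positive")
    if amount > PAYMENT_LIMIT:
        errors.append("limit check: amount exceeds authorized limit")
    if rec["vendor_no"] not in VALID_VENDORS:
        errors.append("validity check: vendor not on valid vendor list")
    return errors


def run_gvm(batch: list):
    """Route each record to the validated data file or the error file."""
    validated, error_file, transaction_log = [], [], []
    for seq, rec in enumerate(batch, start=1):
        errors = interrogate(rec)
        transaction_log.append((seq, "rejected" if errors else "accepted"))
        if errors:
            error_file.append({"seq": seq, "record": rec, "errors": errors})
        else:
            validated.append(rec)
    return validated, error_file, transaction_log


def resubmit(error_file: list, corrections: dict):
    """Apply user corrections (keyed by seq) and run the records through again."""
    fixed = [{**e["record"], **corrections.get(e["seq"], {})} for e in error_file]
    return run_gvm(fixed)


if __name__ == "__main__":
    validated, error_file, log = run_gvm(BATCH)
    for entry in error_file:              # the error report shown to the user
        print(entry["seq"], entry["errors"])
    print(log)
```

Records 2 and 4 stay in the error file even after resubmission, because correcting a keystroke cannot make an unlisted vendor or an over-limit amount valid.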

Processing Controls

 Run-to-run Controls
Run-to-run controls are used in batch processing; they ensure that every
run in the batch process executes correctly and completely. Run-to-run
control can be done through the following: recalculated control totals (all
the fields that have been processed in the batch are recalculated to ensure
they are correct), transaction codes (the codes that have been processed in
the batch are compared with the codes in the control record), and sequence
checks (because all the transaction records in the batch must be stored to
the master file, they must be in sequence, which ensures that proper sorting
of the batch took place).
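The batch transmittal sheet totals and the three run-to-run checks, as an added example (not part of the original paper). It shows a case that record count and control total both miss and only the hash total catches; the sales orders, batch number and function names are constructed for illustration.

```python
from decimal import Decimal

# Constructed batch of sales orders, already sorted by SO number.
ORDERS = [
    {"so_number": "1001", "code": "SO", "amount": "250.00"},
    {"so_number": "1002", "code": "SO", "amount": "99.50"},
    {"so_number": "1003", "code": "SO", "amount": "1200.00"},
    {"so_number": "1004", "code": "SO", "amount": "75.25"},
]


def batch_totals(records: list) -> dict:
    """Record count, control total (financial) and hash total (nonfinancial)."""
    return {
        "record_count": len(records),
        "control_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["so_number"]) for r in records),
    }


def transmittal_sheet(batch_no: str, transaction_code: str,
                      prepared_by: str, records: list) -> dict:
    """Build the sheet at data entry, before the batch enters processing."""
    sheet = {"batch_no": batch_no, "transaction_code": transaction_code,
             "prepared_by": prepared_by}
    sheet.update(batch_totals(records))
    return sheet


def run_to_run_check(records: list, sheet: dict) -> list:
    """Recalculate after a run and list every disagreement with the sheet."""
    problems = []
    for name, value in batch_totals(records).items():
        if value != sheet[name]:
            problems.append(f"{name}: sheet={sheet[name]} recalculated={value}")
    if any(r["code"] != sheet["transaction_code"] for r in records):
        problems.append("transaction code: record does not belong in this batch")
    keys = [int(r["so_number"]) for r in records]
    if any(a >= b for a, b in zip(keys, keys[1:])):
        problems.append("sequence check: records out of order")
    return problems


SHEET = transmittal_sheet("B-0042", "SO", "clerk01", ORDERS)

# One record swapped for another with the same amount: count and control
# total still agree, so only the hash total exposes the substitution.
SUBSTITUTED = ORDERS[:3] + [{"so_number": "1009", "code": "SO", "amount": "75.25"}]
DROPPED = ORDERS[:3]                              # a record lost during a run
UNSORTED = [ORDERS[1], ORDERS[0]] + ORDERS[2:]    # sort step skipped

if __name__ == "__main__":
    for name, recs in [("clean", ORDERS), ("substituted", SUBSTITUTED),
                       ("dropped", DROPPED), ("unsorted", UNSORTED)]:
        problems = run_to_run_check(recs, SHEET)
        print(name, "->", "accept batch" if not problems else problems)
```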

 Operator Intervention Controls


It is impossible to eliminate operator intervention when using the system,
for example when entering the total of a batch record, and that is why
operator intervention controls are needed to reduce human error.

 Audit Trail Controls


When the auditor wants to follow the audit trail, it can be very difficult
and very complex to follow. That is why the company must ensure that all
transactions are documented. The company can use several techniques:
1. Transaction logs and transaction listings: all successfully processed
transactions must be stored in the transaction log, after which the system
should produce a hard copy that lists all successful transactions. In
addition, all automatic transactions must be stored in the transaction logs
and transaction listings too.
2. Unique transaction identifiers: for example, a unique number or unique
sign for transactions that do not use a source document.
3. Error listing: all transactions in error must be reported to the
appropriate users for correction and resubmission.

Output Controls

Output controls are very important to ensure that the outputs of the
transactions are not misdirected, lost or corrupted. The controls are as
follows:

 Controlling Batch Systems Output


- Output Spooling
Spooling means that the data to be printed is first saved to magnetic
storage, because when the user wants to print the data the printer may be
busy: many users may demand printing simultaneously, the printer cannot
print their output simultaneously, and the applications waiting for the
printer would otherwise be unable to process other data.
An unauthorized individual can use the output to commit fraud, for example
by accessing the output and changing critical data values, changing the
number of copies of output to be printed, copying the output file for
illegal purposes, or destroying the output file.
The auditor must be aware of these acts and ensure that backup procedures
are in place to protect the output files.
- Print Programs
The operator can commit fraud while operating the printer through actions
such as these: pausing the print program to load the correct type of output
documents, restarting the printer, and removing the printed output for
review and distribution. Why would the operator do this? To browse
sensitive data or to produce unauthorized copies of output.
To prevent these acts, the company can use multipart paper with a
grayed-out top copy that prevents the operator from reading the output.
- Bursting
The concern here is that the clerk may burst the output without
authorization from the user of the data, or may read sensitive data before
bursting the output. To prevent this, the company can use supervision
controls.
- Waste
Aborted reports or output spoiled by ink are usually thrown into the trash
can by the user, and a computer criminal may search through the carelessly
disposed output there and read sensitive data, for example the firm’s
market research or even its trade secrets.
To prevent this, all disposed output must be passed through a paper
shredder.

- Data Control
Normally, the data control clerk checks all the batch controls to ensure
that the output is free from illegible and missing data, and also records
the recipients of the report in the data control batch control log.
- Report Distribution
Without good controls, reports are at risk of being lost, stolen, or
misdirected in transit to the user. These techniques control report
distribution:
1. The report may be stored in a secure mailbox that only the user who has
the key can open.
2. The user may be required to appear in person at distribution and sign
for the report.
3. The report may be sent to the user by special courier or security officer.
- End-User Controls
Reports already in the user's hands should be reexamined to ensure that
they are free of error, and after the retention date has passed, reports
should be destroyed with a shredder.
 Controlling Real-Time Systems Output
This method can eliminate the intermediary fraud found in batch system
output, because the output is sent directly to the user’s computer screen,
terminal or printer. The primary risks in real-time system output are
disruption, destruction, or corruption of the output message in
communication.
To prevent this, the company can apply communication controls like those
used for the internet and intranets, such as firewalls, encryption, etc.

2.2 COSO AND COBIT FRAMEWORKS


The COBIT framework
The Control Objectives for Information and Related Technology (COBIT)
framework was developed by the Information Systems Audit and Control
Foundation (ISACF). It is a framework of generally applicable information
systems security
and control practices for IT control. The COBIT framework provides
comprehensive guidance for effectively controlling and managing information
systems. It shows that achieving the organization’s business and governance
objectives requires adequate control over IT resources to ensure that information
provided to management satisfied.
According to Romney, the framework addresses the issue of control from
three vantage points or dimensions:
– Business objectives
To satisfy business objectives, information must conform to certain criteria
referred to as “business requirements for information.”
The criteria are divided into seven distinct yet overlapping categories that map
into COBIT objectives:
1. Effectiveness: the information must be relevant and timely.
2. Efficiency: the information must be produced in a cost-effective
manner.
3. Confidentiality: sensitive information must be protected from
unauthorized disclosure.
4. Integrity: the information must be accurate, complete, and valid.
5. Availability: the information must be available whenever needed.
6. Compliance with legal requirements: control must ensure
compliance with internal policies and with external legal and
regulatory requirements.
7. Reliability: management must have access to appropriate information
needed to conduct daily activities and to exercise its fiduciary and
governance responsibilities.
– IT resources include: people, application systems, technology,
facilities, and data.
– IT processes, are broken into four domains:
1. Planning and organization
2. Acquisition and implementation
3. Delivery and support
4. Monitoring
The COBIT framework identifies a variety of specific control procedures
and tools that can be used to mitigate a variety of threats. The various
options differ in terms of both implementation cost and effectiveness. To
mitigate the threats, we can use preventive, detective, and corrective
controls.
The role of preventive controls is to limit actions to those in accord with
the organization’s security policy and to not allow undesired actions. The
role of detective controls is to identify when preventive controls have been
breached. The
role of corrective controls is to repair damage from any problems that occurred
and to improve the functioning of both preventive and detective controls in order
to reduce the likelihood of future problems.

COSO’s Internal Control Framework


The Committee of Sponsoring Organizations (COSO) is a private sector
group consisting of: The American Accounting Association, the AICPA, the
Institute of Internal Auditors, the Institute of Management Accountants, and the
Financial Executives Institute.

Source: http://www.glovia.com/html/news/newsletter/02_04/feature.asp

COSO has a broader focus: in general, how to make sure that internal control
has been implemented by the company.
Columns at the top represent the four types of objectives that management
must meet to achieve company goals.
– Strategic objectives
– Operations objectives
– Reporting objectives
– Compliance objectives
Columns on the right represent the company’s units:
– Entire company
– Division
– Business unit
– Subsidiary
COSO’s internal control integrated framework model has five crucial
components:
– Control environment
The core of any business is its people – their individual attributes, including
integrity, ethical values, and competence – and the environment in which they
operate. The internal environment consists of the following:
• Management’s philosophy, operating style, and risk appetite
• The board of directors
• Commitment to integrity, ethical values, and competence
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
• External influences
– Control activities
Control activities are rules that provide reasonable assurance that
management's control objectives are met and their risk responses are carried
out.
Control policies and procedures must be established and executed to ensure
that actions identified by management as necessary to address risks are, in
fact, carried out. Generally, control procedures fall into one of the following
categories:
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguard assets, records, and data
• Independent checks on performance
– Risk assessment
The organization must be aware of and deal with the risks it faces. It must set
objectives for its diverse activities and establish mechanisms to identify,
analyze, and manage the related risks.
– Information and communication
Surrounding the control activities are information and communication systems
that enable the organization to capture and exchange the information needed to
conduct, manage, and control its operations.
– Monitoring
The entire process must be monitored and modified as necessary so the system
can react dynamically and change as conditions warrant.
Key methods of monitoring performance include:
• Perform ERM evaluation
• Implement effective supervision
• Use responsibility accounting
• Monitor system activities
• Track purchased software
• Conduct periodic audits
• Employ a computer security officer, a Chief Compliance Officer, and security
consultants
• Engage forensic specialists
• Install fraud detection software
• Implement a fraud hotline

CHAPTER III
CASE - DATABASE ENCRYPTION IN ORACLE9i

3.1 SECURING SENSITIVE INFORMATION


The Internet poses new challenges in information security, especially for
those organizations seeking to become e-businesses. Many of these security
challenges can be addressed by the traditional arsenal of security mechanisms:
· strong user authentication to identify users
· granular access control to limit what users can see and do
· auditing for accountability
· network encryption to protect the confidentiality of sensitive data in
transmission
Encryption is an important component of several of the above solutions.
Oracle has provided network encryption between database clients and the Oracle
database since Oracle7. Oracle Advanced Security, an option to Oracle9i,
provides encryption and cryptographic integrity check for any protocol supported
by Oracle9i, including Net8, Java Database Connectivity (JDBC) (both “thick”
and “thin” JDBC), and the Internet Intra-Orb Protocol (IIOP). Oracle Advanced
Security also supports SSL for Net8, “thick” JDBC and IIOP connections.

3.2 SOLUTIONS FOR STORED DATA ENCRYPTION IN ORACLE


Oracle9i Data Encryption Capabilities
While there are many security threats that encryption cannot address well,
it is clear that one can obtain an additional measure of security by selectively
encrypting sensitive data before storage in the database.
Examples of such data could include:
· credit card numbers
· national identity numbers
· passwords for applications whose users are not database users
To address the above needs, Oracle8i (release 8.1.6) introduced a PL/SQL
package to encrypt and decrypt stored data. The package,
DBMS_OBFUSCATION_TOOLKIT, is provided in both Standard Edition and
Enterprise Edition Oracle9i. The package is documented in the Oracle9i Supplied
PL/SQL Packages Reference Guide.
The package currently supports bulk data encryption using the Data
Encryption Standard (DES) algorithm, and includes procedures to encrypt
(DESEncrypt) and decrypt (DESDecrypt) using DES. The package does not
currently support the Advanced Encryption Standard, the successor algorithm to
DES, though this is planned for a future release of Oracle9i.
Key management is programmatic, that is, the application (or caller of the
function) has to supply the encryption key, which means that the application
developer has to find a way of storing and retrieving keys securely. The
DBMS_OBFUSCATION_TOOLKIT package, which can handle both string and
raw data, requires the submission of a 64-bit key. The DES algorithm itself has an
effective key length of 56-bits. The DBMS_OBFUSCATION_TOOLKIT package
is granted to PUBLIC by default.
Oracle has added support for triple DES (3DES) encryption in Oracle8i
release 8.1.7. The DBMS_OBFUSCATION_TOOLKIT package includes
additional functions to encrypt and decrypt using 2-key and 3-key 3DES, in outer
cipher-block-chaining mode. They will require key lengths of 128 and 192 bits,
respectively.
Oracle8i release 8.1.7 also added support for cryptographic checksumming
using the MD5 algorithm (using the MD5 procedure of the
DBMS_OBFUSCATION_TOOLKIT package). Cryptographic checksums can
ensure data integrity; that is, that data has not been tampered with. For example,
an organization concerned that users not change salary values randomly could
store a checksum of salary values in a separate table. Only users changing the
salary through an application (e.g. through executing a procedure) would also
have the privileges to insert a checksum for the new salary into a salary audit
table.
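The salary checksum scheme described above, sketched as an added example (not Oracle's code and not part of the original paper). SQLite and Python's hashlib.md5 stand in for the Oracle database and the MD5 procedure of DBMS_OBFUSCATION_TOOLKIT; the table names, function names and salary values are constructed for illustration.

```python
import hashlib
import sqlite3


def salary_checksum(emp_id: int, salary: str) -> str:
    """MD5 over the employee id and salary, so a checksum is tied to one row."""
    return hashlib.md5(f"{emp_id}|{salary}".encode()).hexdigest()


def open_db() -> sqlite3.Connection:
    """Create the salary table and the separate salary audit table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE emp (emp_id INTEGER PRIMARY KEY, salary TEXT NOT NULL);
        CREATE TABLE salary_audit (emp_id INTEGER PRIMARY KEY,
                                   checksum TEXT NOT NULL);
    """)
    return db


def set_salary(db: sqlite3.Connection, emp_id: int, salary: str) -> None:
    """The sanctioned procedure: salary and checksum change in one transaction.

    In the scheme the text describes, only this path holds the privilege to
    write salary_audit; the unkeyed checksum relies on that restriction.
    """
    with db:
        db.execute("INSERT OR REPLACE INTO emp VALUES (?, ?)", (emp_id, salary))
        db.execute("INSERT OR REPLACE INTO salary_audit VALUES (?, ?)",
                   (emp_id, salary_checksum(emp_id, salary)))


def tampered_rows(db: sqlite3.Connection) -> list:
    """Return ids of employees whose stored salary no longer matches its checksum."""
    rows = db.execute("""
        SELECT e.emp_id, e.salary, a.checksum
        FROM emp e LEFT JOIN salary_audit a ON a.emp_id = e.emp_id
        ORDER BY e.emp_id
    """).fetchall()
    return [emp_id for emp_id, salary, checksum in rows
            if checksum != salary_checksum(emp_id, salary)]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data, loaded through the sanctioned procedure."""
    db = open_db()
    for emp_id, salary in [(1, "52000"), (2, "61000"), (3, "48000")]:
        set_salary(db, emp_id, salary)
    return db


if __name__ == "__main__":
    db = demo_db()
    print("after load:", tampered_rows(db))
    # A direct UPDATE that bypasses the procedure leaves the checksum stale.
    db.execute("UPDATE emp SET salary = '99000' WHERE emp_id = 2")
    print("after direct update:", tampered_rows(db))
```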

CHAPTER IV

CONCLUSION AND REVIEW

 Computer-Based Information Systems is a data processing system that
processes the data into high-quality information and is used as a
decision-making tool.
 Computer-Based Information Systems (CBIS) is a single set of hardware,
software, database, telecommunication, people, and procedure that are
configured to collect, manipulate, store, and process data into information.
(Principles of Information Systems by Ralph M. Stair, George Reynolds,
George W. Reynolds)
 The two main types of controls are General Controls and Application
Controls; they are:
1. Operating system controls
2. Data management controls
3. Organizational structure controls
4. Systems development controls
5. Systems maintenance controls
6. Computer center security and controls
7. Internet and Intranet controls
8. Electronic Data Interchange controls
9. Personal Computer controls
Application controls focus only on specific areas, such as payroll and
accounts receivable.

 The COBIT framework provides comprehensive guidance for effectively
controlling and managing information systems.
 COSO’s internal control integrated framework model has five crucial
components:
o Control environment
o Control activities
o Risk assessment
o Information and communication
o Monitoring
