INFOTECH 3: AUDITING ACCOUNTING INFORMATION SYSTEM
INTRODUCTION 1) INTERNAL STORAGE
AUDITING AND EDP
AUDITING- a systematic process of objectively obtaining and evaluating
evidence regarding assertions about economic actions and events to
ascertain the degree of correspondence between those assertions and
established criteria and communicating the results thereof.
AUDITING
 SYSTEMATIC PROCESS
- It is a structured as a dynamic activity in a logical
manner
 OBTAINING AND EVALUATING EVIDENCE
- Auditor is concerned about assertions relating to the
reliability of the system of internal control and the
content of the files or outputs produced by computer
processing
- He performs both compliance testing and substantive
testing
 ASCERTAIN THE DEGREE OF CORRESPONDENCE BETWEEN THOSE
ASSERTIONS AND ESTABLISHED CRITERIA
- It requires judgment on the auditor’s part as to what
constitutes a non-compliance
 COMMUNICATING THE RESULTS
- To the client and other interested parties
- Preparation of the audit report
WHO SHALL PERFORM THE AUDIT?
- A person or persons having adequate technical training
and proficiency as an auditor
IMPACT OF COMPUTERS ON THE ACCOUNTING AND AUDITING PROCESS
- With the representation of information in electronic
form inside the computer, the auditor us no longer able
to observe the processing of data to determine if the
proper procedure are being used
2) PROGRAMS CAN BE CHANGE WITHOUT THE AUDITOR’S
KNOWLEDGE
- Such change can occur through a console intervention,
or with codes that can modify themselves which the
program is running
3) ELIMINATION OF AUDIT TRAIL
- Partial elimination/disappearance of those documents,
records, journals, ledgers and other documents that
enable the auditor to trace a transaction
4) MULTI-PROCESSING OR MULTI-PROCESSING
- With the ability of computer systems to process several
applications simultaneously, files currently being
received can be modified during data processing by
another program
5) REMOTE PROCESSING (TELE-PROCESSING)
- A major threat is the potential loss of assets from
unauthorized access to programs and files
- Data might be lost during transmission
- Phishing- is the attempt to acquire sensitive information
such as usernames, passwords, bank accounts and
credit card details for malicious reasons, by
masquerading, as a trustworthy entity in an electronic
communication
6) SPEED, ON-LINE/REAL-TIME PROCESSING
- Since amount balances are updated immediately upon
entering the system, it could mean that before the
auditor had finished reading and adding the balances,
some of the balances may have already changed
 7) MULTIPLE LOCATIONS
- Multi-processing, on-line/real-time system
compounded by processing in several locations
o Several flows and offices in a building
o Several buildings in a compound
o Several geographical locations
8) RAPID CHANGES: TECHNOLOGY, BUSINESS NEEDS
is
INTERNAL CONTROL SYSTEM
ADMINISTRATIVE CONTROLS
- The plan of the organization and the methods and
procedures to promote operational efficiency and
encourage adherence to prescribed managerial policies

ACCOUNTING CONTROLS
AUDITING APPROACHES
- The plan of the organization and the methods and
1) Auditing around the computer procedures used to safeguard assets and to check the
2) Auditing with the computer reliability of accounting data
3) Auditing through computer - AIS controls:
o General controls
AUDITING STANDARDS AND COMPUTER AUDITING CONCEPTS o Application controls
STANDARDS OF FIELDWORK

 COMPLIANCE TESTING AIS CONTROL

- The auditor must obtain sufficient understanding of the
entry and its environment, including its internal control 1. GENERAL CONTROL – having pervasive effects
 If they are weak or absent, they negate the
- To assess the risk of material misstatement of the
effects of the application method
financial statements whether due to error or fraud , and
- To design the nature, timing, and extent of further audit General Controls:
procedures
1) Organizational controls
INTERNAL CONTROL 2) Sound personnel practices
- Comprises the plan of the organization and all of the 3) Standard operating procedures
4) System development controls
methods and procedures adopted by a business to:
5) Documentation control
OBJECTIVES OF INTERNAL CONTROL
 Safeguard its assets 6) Hardware control
 Check the accuracy and reliability of its 7) System software controls
8) System security control
accounting data
 Promote operational efficiency and
effectiveness  SUBSTANTIVE TESTING
 Encourage adherence to prescribed managerial - The auditor must obtain sufficient appropriate audit
policies evidenced by performing audit procedures to afford a
 reasonable basis for an opinion regarding the financial
statements under audit
1) TEST OF DETAILS OF TRANSACTIONS AND BALANCES
- Complexities include automatic:
 Authorization of sales within certain limits
 Issuance of checks to vendors on due dates
2) ANALYTICAL REVIEW PROCEDURES
- Performed to detect unused relationships among
financial information
- Review may include comparison of this years; amount
with last years’ actual results with budget or forecast;
review of financial ratios
- Not significantly different from a manual or mechanical
system
 DUAL-PURPOSE TESTING
- Both types of tests, compliance and substantive, and
performed at the same time
WHO PERFORMS THE COMPUTER AUDITING TASK?
Demands as to the expertise placed on the auditor:
“if clients uses electronic processing in its accounting system,
whether the application is simple or complex, the auditor
needs to understand the entire system sufficiently to enable him to identify
and evaluate is essential accounting control features.”
WHERE IN THE PROCESSING CYCLE THE AUDIT SHOULD BE PERFORMED?
Auditing the phases of processing
- Refer to the study and evaluation of internal control
Auditing the results of processing
- Refer to the collection of evidential matter; emphasis is
on the direct test of amount balances
WHEN TO PERFORM THE PROCEDURES?
Auditing concurrently with processing
- Information is available to the auditor while program is
running
Auditing after processing
- Audit procedures are performed after a computer
program is finished
WHICH PART OF THE SYSTEM THE AUDIT SHOULD BE PERFORMED?
Auditing computer programs
Auditing computer files
Auditing computer systems
GENERAL CONTROLS
1. ORGANIZATIONAL CONTROLS (PLAN OF ORGANIZATION)
- Relate to the segregation of duties in order to reduce
error or fraud:
(1) Segregation of EDP and user functions
(2) Segregation of function within EDP
(3) Segregation of functions among users
(1) Segregation of EDP and User Functions
a. Error detection, correction and resubmission
 System tests performed during systems
development ensures the elimination of errors
 Where errors occur, generally they are
converted and resubmitted at source
b. Segregation of incompatible functions
 Authorization
o As a general rule, EDP should not be
permitted to authorize transactions;
however, some authorization functions
 are incorporated in the computer
program
o Examples: materials reordering system,
customer order processing
 Execution
o Steps in the transaction processing
cycles and changes to master files are
to be performed by the users; today,
execution is done automatically through
instructions in the program
o Examples: systems s-generated financial
entries, automatic reversing entries
 Accountability
o EDP should not have custody of non-
EDP assets
o Access is normally indirect, e.g., the
computer program contains the
instructions to release inventory for
shipment
(2) Segregation of functions within EDP
a. System development
 System analysis
 Application programming
 Systems programming
b. Operations
c. Data base administration
 Independent librarian function
(3) Segregation of functions among users
Compensatory Controls
- Generally manual controls, that are performed to
compensate for the internal control weakness arising
from the non-segregation of duties
 Review and approval of purchasing department
 Review of exception lists from credit approval
runs
2. SOUND PERSONNEL PRACTICES
- Provide control over the quality of work by ensuring
that personnel are competent and honest
- Provide policies that encourages compliance
(1) Hiring and Evaluation of Personnel
a. Hiring Test
 Mostly behavioral and personality tests
b. Background check
 Checking the character references,
recommendations from previous employees,
NBI and police clearances
c. Fidelity bonds
(2) Personnel scheduling
- Irregularities maybe discovered during an employee’s
absence
(3) Rotation of duties
- Enable the employee to master other tasks, thus,
effectiveness is improved
- When a task is performed by another, opportunities for
improvement can be identified
(4) Performance evaluation
- A tool to identify strengths and areas of improvement
- A food basis for rewards and remunerations
(5) Training and development
- Enhances employee performance and potential for
more responsible roles
- CPE
(6) Career’s Path
- A tool to formalize target positions
- Helps identify training needs
- Encourages loyalty and dedication
(7) Rewards and Remuneration
- Induces employees to perform their best
(8) Formalization of Personnel Practices
- Conveys the company’s sincerity to its commitments
 (9) Psychological Control
- Employees tend to display positive behavior if it goes
with a reward or punishment as the case may be
REVIEW AND TESTS OF COMPLIANCE- ORGANIZATIONAL CONTROLS
1. Review organization charts.
2. Review job description of EDP and users pertaining to error
handling.
3. Interview management and operating staff to determine the degree
of effectiveness of supervision.
4. Prepare a systems flowchart for each transaction processing cycle
and review the segregation of duties.
5. Review pre-processing controls, such as prior approval of mater file
change.
6. Review the audit program of internal auditors to determine the
completeness and adequacy of their review and tests of internal
control.
REVIEW AND TESTS OF COMPLIANCE- SOUND PERSONNEL PRACTICES
1. Review hiring and evaluation procedures, for example, aptitude
tests and background checks.
2. Review performance appraisals and its link to rewards and
remuneration.
3. Review staff development programs and continuing professional
education.
4. Review promotion policies and recent promotions, to ensure that
movements post no threat to control.
5. Review staff turnover statistics and frequency of staff firing to
ensure that the attitude of staff poses no undue risk of control.
3. STANDARD OPERATING PROCEDURES
- Identify procedures that ensure high quality processing
and limit the opportunity for errors, and unauthorized
use of files, programs and reports.
(1) Scheduling
- The operations of the computer should follow realistic
schedules to allow for assembly and preventive
maintenance
(2) Machine Operations
- Include procedures for loading programs and storage
devices
- Requirement that console error messages be responded
to uniformly.
(3) Machine Performance
- Identification and correction of equipment snags help
reduce the incidence of hardware-induced errors
- Standards are set for elapsed time usage, maintenance
time, expected downtimes and other conditions.
- Periodic review of equipment maintenance and failure
logs, and comparison of actual equipment performance
with standards
(4) Job-run procedures
- These procedures generally outline the sequence of the
programs to ensure that the required processes are
performed in the correct order
- Examples: variance report preparation
 Update physical standards
 Input volume of production
 Enter actual quantities consumed
 Calculate variances
(5) Console log and personnel time record
- Should be prepared by the operating system to record
to all operating and application system activities,
maintain an equipment utilization record and identify
operator and user initiated actions
- It provides and important control over unauthorized
system use
(6) Housekeeping
- Procedures relating to the use of supplies, storage of
programs, and handling of files are designed to reduce
take risk of loss or destruction of programs and data
- It ensures that sensitive output does not fall into
unauthorized hands
 (7) File Control Standards
- Standards for the handling file are necessary to
minimize opportunities for misuse, damage or loss of
files
- Standards include file names, retention dates
reconstruction procedures and storage location
- The files are controlled by a librarian
(8) Adequate Supervision
- Control and review of operating activities which include
periodic examination and comparison of console logs,
job records and personnel time records
(9) Emergency and Physical Security Procedures
- Plans and procedures to protect programs, files and
equipment from fire, theft, natural disaster, power
failure, or failure of communication
- Emergency any physical security procedures should be
written and included in the systems and procedures
manual
4. SYSTEM DEVELOPMENT CONTROLS
- The best time to build-in the application controls is
during the development of a system
- It would be easier compared with doing the program
revisions later in order to incorporate the control
(1) System development methodology
a. SDLC
 Planning, analysis, design, development, and
implementation
 Building-in of required application control
 Users’ training and users’ procedures manual
b. Post implementation optimization
 Was there an evaluation that the new system
meets the business requirements?
c. Documentation
 Provides control over the prevention, detection
and correction of errors
(2) Project management
- The system development methodology will be of little
value if development projects are not adequately
manage
(3) Programming conventions and procedures
Conventions
- Refer to the agreed standards, for example, in the use
of symbols, charts, texts, graphs or writing of manuals
- Also pertains to the uniform procedures followed in
order to ensure the same accurate results every time a
job is performed
- Flowcharting conventions
- Decision table conventions
- Coding conventions
- Standard glossary and standard abbreviation
- Standard program routines
- Debugging
- Auditing conventions
o Coding Conventions
a. Computer code or program code
 The set of instructions forming a computer
program which is executed by a computer
b. Data code
 A number, letter, character, or any combination
thereof used to represent a data element or
data item
Data coding conventions provide a common
understanding of the meaning of the codes
o Significant digit code
o Sequence code
o Mnemonic code
o Last digit code
o Identifiers
o Check digit code
o Standard glossary and standard abbreviations
- Terms and abbreviations that are unique to a particular
installation should be carefully defined
 - Use of non-standard terms and abbreviations should be
prohibited to make review of documentation easer
o Standard program routines
- A substantive (also called procedure, function, routine,
method, or subprogram) is a portion of code within a
larger program that performs specific task and is
relatively independent of the remaining code
- Any sequenceof the code that is intended to be called
and used repeatedly during the execution of a program.
This makes the program shorter and easier to write (and
also to read when necessary)
- The main sequence of logic in a program can branch off
to a common routine when necessary. When finished,
the routine branches back to it (6) System testing
- A routine may also be useful in more than one program
and save other programmers from having to units code
that can be shared
o Standard job control routines
- Provides the interface between the application program
and the operating system
o Debugging
- Standard technique for debugging increases the chance
that errors will be found and provided a trail if program
changes, thereby, reducing, the opportunity for
unauthorized program change
o Auditing conventions
- The programming standards manual should include a
list of required controls and audit features
(4) User, Accounting, and Audit Participation
- Assures that users’ requirements are met by the system
- Users participation represents commitment and
approval
- Users recognize their responsibility and their
dependence on the output
- Audit participation provides the opportunity to make
suggestions regarding improvements in internal control
(5) Technical, management, user, and auditor review and approval
- Review and approval ensures that the system has
adequate controls and is acceptable to all stakeholders
Technical Level
 Work outputs for each phase should be
reviewed and approved by the systems and
programming supervisors before submission to
users, auditors and management for approval
Output level
 Requires that users, auditors and management
review and approve the work output at the end
of each phase
- An important control because it is the last opportunity
to discover and correct problems before
implementation of the system
- Purpose:
 To ensure that the system will operate in
conformance with the design specifications
 To determine whether the systems’ operations
meets user requirements
 To test all application control if they will work as
intended
 To verify that errors in input, processing and
output will be detected
o Program tests
- Testing of the processing logic of the programs
o String tests
- Instead of a single program, they are applied to a string
of logically related programs
o System tests
- Applied to all programs in the systems to check if they
will function if they run at the same time
 o Pilot tests
- Involve the processing of actual transaction on the new
system on an after-the fact basis, then comparing the
results from the existing system
o Parallel tests
- The old and the new systems are ran simultaneously
using the same inputs, and the outputs are compared to
detect system errors
(7) Final approval
- Provides and opportunity to examine the final best
results to make a final judgment
- Final approval should be given by management, users
and EDP personnel before the system is implemented
(8) Conversion and migration control
- Controls to prevent and detect errors when converting
and migrating files to the new system
 Data Conversion
 The translation of computer data from one
format to another
 Data Migration
 The process of transferring data from one
system to another; generally, migration requires
data conversion
 Control Procedure:
 File conversion approval should be obtained
before te process begins to ensure that the files
being converted are fully controlled
 The original and new files can be reconciled
through record, counts, hash totals or amount
totals
 Compare records from the original files and
with the new files to ensure that those are no
discrepancies
 Confirmation requests may be sent to third
parties asking them to confirm the data that
relates to them
 Operational approval should be obtained from
the users after they had used the system a few
times, which served as the “acceptance test”
o Approval indicates their satisfaction
with the way the system is operating
(9) Post-implementation review
Conducted to:
 Determine if the system is operating as
intended
 Evaluate the effectiveness of the entire process
of developing the system
“ the feedback from this review is useful to the external
auditoras it indicates that controls are either functioning as
desired or not.”
(10) Program change control
- Strong system development controls are negated if
subsequently, unauthorized modifications to the
programs are performed due to inadequate program
change control
- Program changes results from a desire to improve the
system, the need to adjust to changing business
conditions or the need to incorporate new operating,
accounting and control policies. These changes are
referred to as program maintenance
- The objective if program change control is to ensure
that all program change authorized program change
requests are completed
Controls:
1. Program changes should be in accordance with
established systems, programming and documentation
standards
2. Program changes should be restricted to system
personnel; operating personnel should not make
changes to programs – even temporary changes to
facilitate the running of a program
 3. The changes should be reviewed and approved by the
user to ensure conformity with the purpose of the
change
4. Changes should be made to the test program and not in
the production program to limit the opportunities to
make unauthorized changes to the production program
5. Changes should be tested thoroughly before
implementation
6. Program changes and test results should be reviewed
and approved
7. User and operating personnel should be retrained, if
needed, to handle new procedure
8. All documentation affected by the change should be
updated
9. Control should be established over the conversion to
the new program; the conversion is accomplished by:
 Changing the new program to a production
status
 Copying the old program to a back-up file and
deleting it from the library of production
programs
10. Conversion should not be permitted before approval of
the test results and completion of changes to
documentations
11. Final approval should be given by data processing
management and the user
5. DOCUMENTATION CONTROLS
Documentation
- Consists of documentation and records which describe
the system and procedures for performing data
processing task
- A means of communicating both the essential elements
of a system and the logic followed by the computer
programs
- An integral part of a system design and documentation
process
Purposes of Documentation:
1) Provides a source of information doe system analyst and
programmers who are responsible for maintaining and changing
existing systems and programs.
2) Provides explanatory information necessary for review of proposed
systems and programs
3) Serves as basis for training new personnel
4) Provides data necessary for responding to inquiries regarding the
operation of a computer program
5) Basis for communicating common information to systems analyst,
programmers and computer operators
6) It provides computer operators with current operating instruction
7) Preserves continuity when experienced personnel leave the
organization
8) It is a source of information about accounting controls
WHAT CONSTITUTE ADEQUATE DOCUMENTATION
1) Problem definition documentation
- A permanent summary of the problem solved by the
systems
- It represents the basic source of information regarding
the purpose of the system
- In organizations that utilizes a standard systems
development approach, the original source of the
problem definition information is the Project Plan, also
called Project Charter or System Planning Study Report
Inclusions:
a. Description of the reasons for implementing the system
including the objectives and scope of the project
b. System specifications describing the operations
performed by the systems
c. Evidence of approval and any subsequent changes in
the systems specifications
2) System documentation f. Change summary
- A record of the way information flows through the  List of all changes that have been ,made and
system from input to file medium and then onto output their effective dates along with copies of
- It permits the tracing of the theoretical flow of authorization of the changes
accounting data from the original entry to the system 3) Program documentation
output - Focuses in detailed information regarding lack program
 Useful for the auditors in evaluating the in the system
adequacy of the audit trail provided by the - The detailed information is used to maintain effective
systems control over program changes and to define the current
status of each program
Inclusions:
Inclusions:
a. System flowchart
b. Input descriptions a. Brief narrative description of the functions of the
 Identify the type of source document use programs.
 For example, this may be a description of the b. Programs flowcharts, or detailed logical narrative
time keeping system as a source of time data in showing how the program operates, e.g., whether all
a payroll or labor distributions system account balances should be printed or just those with
c. Output description abnormal balances.
 Show each type of output generated by the c. Listing of parameters used in the program such as tax
system withholding table
 Define where the output is stored, what files d. A list of application controls such as data entry
are updated, the medium of providing the users validation and output controls
(screen displays or printed copies), the use of e. Detailed description of file formats and record layouts;
the output who uses it, when is it used and the typical information includes the names of all fields
frequency of need within a record, field location, field sizes, and field data
d. File description character type.
 Lists individual files and describe the scope and Code Customer # Customer Customer Credit
functions of each file Right Name Address Limit
 For example a customer master file may be Justified Right
described as continuing customer data i.e. Justified
customer name, delivery address, billing 1 2-18 19-28 29-68 69-75
address, contact number, credit limit, payment 999 XX99 XX99 999
terms, etc. f. A description of code values, for example, codes used
e. Control description to identify transaction being processed.
 Summarize the main controls features that are Code Customer # Customer Customer Credit
design into the system, e.g. general controls Right Name Address Limit
Justified Right
and application programs controls
 Justified 5) Users documentation
1 2-18 19-28 29-68 69-75 - A step by step guide that the user can refer to as they
999 XX99 XX99 999 use the system
- Useful in training new/replacement personnel
Common Code: - Valuable for the auditor in understanding the users’ role
in the processing of control provided by the user.
A - add a customer M – modify a customer
D - delete a customer P – print content of master file Inclusions:

g. A record of all program changes, including tests results,
authorization for the changes, and their effective data
4) Operations documentation
- The information provided to enable the computer
operator to run the computer program
- It is known as systems and procedures manual or simply
operation manual
Inclusions:
a. A brief narrative that indicates the purpose of the
program.
b. An input/output chart that lists all the input and
outputs required for processing the program and the
sequence in which they are to be used.
c. A description of input/output forms and formats,
including an output distribution cost, provided for the
operator’s guidance.
d. A list of set-up instructions and operating systems
requirements.
e. A list of all program error messages and halts with the
description of the action to be taken in response to
each error message and halt condition.
f. Detailed instructions regarding recovery and restart
procedures to be used in the event of hardware or
software malfunction
g. A list of estimated normal and maximum runtime.
h. A list of instructions to the operator in case of
emergency.
a. A non-technical description of the system including
the benefits the user may derive from it.
b. A description of the types of source documents
required, such as purchase orders.
c. A description of the form and purpose of each
output received by the users.
d. Detailed instructions for the use of control
procedures with identification of responsibility for
the performance of these control procedures.
 Responsibility is defined by position and not by
individual person
e. Procedures for correcting errors in input data or in
processing that are detected by the user
f. Instructions for handling additions, detections, or
corrections to files.
g. Procedures for cut-off of data submitted for
processing, including dates and times for final
submission of data.
h. A checklist for review of reports for completeness
and accuracy.
6. HARDWARE CONTROLS - The peripherals or remote equipment send back (echo) a
- provided by hardware manufacturers signal verifying that the command has been received and
o today’s computers are design to be very reliable complied with
and most of them have built-in hardware controls 4) Equipment check
o even with this, it is essential that the auditor - Controls built in into the circuity of the computer to ensure
evaluate the impact of hardware controls o the that the equipment is functioning properly and where
system reliability necessary, automatic error correction
1) Redundant character check - These automatic error correction are either:
2) Duplicate process check o Automatic error diagnosis, or
3) Echo check o Automatic retry
4) Equipment check 5) Validity check
5) Validity check - To ensure that actions taken by the computer are valid
6) Power protection o Operation validity: ensures that only valid
7) Operational manual controls institutions are performed
o Character or filed validity check: compares data
1) Redundant Character Check characters or field that are written or read with a
- A bit, two bits, or a set of bits for the purpose of detecting set of all valid characters or field
errors o Address validity: check of storage location in
- Data are stored in binary codes: sequence of zeros and ones memory or in a peripheral device
(bits) 6) Power protection
- A single parity but is the creation of an additional bit for - Protects the hardware from power fluctuations (spikes or
each character processed surges)
- The computer counts the number of 1 bits in each character - Enable the computer to continue operations in case of
to determine if the count is odd or even power interruptions (4Ps)
- In an odd parity bit check , the computer will add a parity bit 7) Operational manual controls
“0” if the count is odd, and a “1” if the count is even a. Equipment failure logs
2) Duplicate Process Check b. Environmental controls
- Uses the principle of complimentary operations to detect  Dust, temperature, humidity
and correct errors c. Formal recovery procedures
- An operation is performed twice, then the results are d. Preventive and corrective maintenance
compared; any difference indicates a hardware induced
error 7. SYSTEMS SOFTWARE CONTROLS
3) Echo check SYSTEM SOFTWARE
- The purpose is to ensure that commands sent to peripherals - A set program routines that perform level functions of
or remote equipment are obeyed and the data are received management, application program support, tasks
correctly common to many application
 - Includes both the control of all operations and the  Library software control reports:
allocation of the resources, i.e. CPU time, memory, program testing identifying the version
input/output devices among the various application of each program, rundate, last copied,
programs last changed to ensure that the current
authorized version is used.
1) Controls to handle errors 3) Controls for file protection
2) Controls for program protection - To protect unauthorized use or modification of data
3) Controls for file protection a. Checking internal file labels – to prevent processing
4) Security protection of wrong files, and premature destructions
5) Self protection b. Storage protection – prevents inadvertent
overwriting
1) Controls to handle errors c. Memory clear – remove the risk of sensitive data
a. Read or write error routines being available for subsequent access
 Retry, diagnose, propose action – close, etc., 4) Security protection
prevents erroneous overwriting of existing a. Maintenance of logs and activity information
record or files b. Password monitoring
b. Record length checks 5) Self-protection (manual)
c. Storage device checks a. Segregation of duties
 Signals if a storage device is not operational  Assignment of responsibilities for system
2) Controls for program protection software, application software, library and
- Prevents application programs with interfering with operations should be separated
each other during processing b. Hardwiring
a. Boundary protection  Encode the software logic in hardware;
 Assignment of memory practitioners to modification can only be done by the removal
program in a multiprogramming environment and replacement of the hardware
b. Control over external reference (sub-routines) in
linkage editing 8. SYSTEMS SECURITY CONTROLS
c. Library program software SYSTEM SECURITY
 Restriction of access to use and change of - The protection of computer facilities, equipment,
programs: programs and data from destruction by environmental
 Passwords: used to limit access to hazards, by equipment error, software error or human
programs under test status only but not error, or by computer abuse
on the programs used in production
ENVIRONMENTAL HAZARD
 Encryption: secret coding that prevents
- Include fires, floods, tornadoes, earthquake, and other
understanding of the program without
acts of God. Generally occur infrequently but with a
the necessary key high cost of occurrence
 ERRORS b. Facility security controls
- Include damage to disk storage by faulty disk drives, i. Location controls
mistakes in application programs that destroy or ii. Construction controls
damage data, and operator amounting of incorrect files. iii. Access controls
Generally frequent but at low cost per incident  Conventional logs
 Magnetic stripe cards
COMPUTER ABUSE  Devices that can read physical characteristics,
- The violation of a computer system to perform e.g. finger prints
malicious damage, crime or invasion of privacy  Signature verification system
 Malicious damage includes looting and c. Library controls
sabotage i. Library function for access controls
 Crime includes embezzlement, industrial  Authorized users
espionage, and the sale of commercial secrets  Usage log
 Invasion of privacy includes discovery of ii. Physical file control
confidential salary information, and the review  Internal header and trailer labels
of sensitive data by or competing company  External labels
(financial information)  Protection rings
 Read-only switch
SYSTEMS SECURITY CONTROLS d. On-line access controls
- Are general controls that prevent failures in system i. Physical security of terminals
security and provide for recovery from failures in  Use of terminal locks
system security; they are generally categorized as: ii. Authorization controls
1) Controls that provide a secure system  Authorized users
2) Controls for detecting failures in system security  Programs and data files that each user
3) Controls for recovery from system security failures can access should be identified in the
authorization scheme
The three general categories pertain to:  Authorized terminals
1. Prevention iii. Identification controls
2. Detection  Terminal identification
3. Correction and recovery  User identification (passwords)
 Physiological key
1) Controls that provide a secure system  Hand points, thumb points
a. Security management  Special key
i. Establish security objectives  Magnetic stripe cards
ii. Evaluate security risks  Optically encoded badge
iii. Develop security plan
iv. Assign responsibilities SOME RULES CONCERNING PASSWORDS
v. Test system security  Passwords should not be chosen because they are easy to
vi. Evaluate system security remember
 Should not be shared nor displayed
 Passwords file should be protected by the operating system iii. Data/source documents
 Unsuccessful attempts should be monitored iv. Personnel
 Should be changed periodically  Who is responsible for what
 More effective when used in combinations with other techniques  Substitute in case of injury

e. Data communication access control

i. Fragmentation – communication of a message one
point (fragment) at a time
ii. Intermixing – communication of several messages
simultaneously
iii. Encryption – encoding of data to disguise their
meaning

2) Controls for detecting failures in system security

a. Unauthorized access detection devices
i. Micro-switches –detects the presence of an intruder
by breaching or completing an electrical circuit
ii. Beams- could be light, laser, ultraviolet or infrared
iii. Ultrasonic (soundwaves) and radar detectors –
these detect movements
iv. Microphones – sound can trigger an alarm
b. Fire detection devices
i. Heat-sensitive devices- fusable links built into the
nozzles of sprinkler system
ii. Smoke sensitive devices
c. Authentication
i. Further identification information made periodically
ii. Disconnecting and calling back the terminal
iii. Authenticity code
d. System monitoring
i. CCTV
ii. Disconnection after repeated unsuccessful
iii. Log of all access failures

3) Controls from recovery from system security failures

a. Failure bypass procedures
b. Recovery plan (business continuity plan)
c. Recovery procedures
i. Computer facilities and equipment
ii. Software