ACCOUNTING CONTROLS
- The plan of the organization and the methods and procedures used to safeguard assets and to check the reliability of accounting data
- AIS controls:
  o General controls
  o Application controls

AUDITING APPROACHES
1) Auditing around the computer
2) Auditing with the computer
3) Auditing through the computer

AUDITING STANDARDS AND COMPUTER AUDITING CONCEPTS
STANDARDS OF FIELDWORK
g. A record of all program changes, including test results, authorization for the changes, and their effective date.

4) Operations documentation
- The information provided to enable the computer operator to run the computer program
- It is known as the systems and procedures manual or simply the operations manual

Inclusions:
a. A brief narrative that indicates the purpose of the program.
b. An input/output chart that lists all the inputs and outputs required for processing the program and the sequence in which they are to be used.
c. A description of input/output forms and formats, including an output distribution list, provided for the operator's guidance.
d. A list of set-up instructions and operating system requirements.
e. A list of all program error messages and halts, with a description of the action to be taken in response to each error message and halt condition.
f. Detailed instructions regarding recovery and restart procedures to be used in the event of hardware or software malfunction.
g. A list of estimated normal and maximum run times.
h. A list of instructions to the operator in case of emergency.

5) [heading lost in extraction]
a. A non-technical description of the system, including the benefits the user may derive from it.
b. A description of the types of source documents required, such as purchase orders.
c. A description of the form and purpose of each output received by the users.
d. Detailed instructions for the use of control procedures, with identification of responsibility for the performance of these control procedures. Responsibility is defined by position and not by individual person.
e. Procedures for correcting errors in input data or in processing that are detected by the user.
f. Instructions for handling additions, deletions, or corrections to files.
g. Procedures for cut-off of data submitted for processing, including dates and times for final submission of data.
h. A checklist for review of reports for completeness and accuracy.
6. HARDWARE CONTROLS
- Provided by hardware manufacturers
  o Today's computers are designed to be very reliable and most of them have built-in hardware controls
  o Even so, it is essential that the auditor evaluate the impact of hardware controls on system reliability
1) Redundant character check
2) Duplicate process check
3) Echo check
4) Equipment check
5) Validity check
6) Power protection
7) Operational manual controls

1) Redundant Character Check
- A bit, two bits, or a set of bits added for the purpose of detecting errors
- Data are stored in binary codes: sequences of zeros and ones (bits)
- A single parity bit is the creation of an additional bit for each character processed
- The computer counts the number of 1 bits in each character to determine whether the count is odd or even
- In an odd parity bit check, the computer will add a parity bit "0" if the count is odd, and a "1" if the count is even

2) Duplicate Process Check
- Uses the principle of complementary operations to detect and correct errors
- An operation is performed twice, then the results are compared; any difference indicates a hardware-induced error

3) Echo Check
- The purpose is to ensure that commands sent to peripherals or remote equipment are obeyed and the data are received correctly
- The peripherals or remote equipment send back (echo) a signal verifying that the command has been received and complied with

4) Equipment Check
- Controls built into the circuitry of the computer to ensure that the equipment is functioning properly and, where necessary, automatic error correction
- These automatic error corrections are either:
  o Automatic error diagnosis, or
  o Automatic retry

5) Validity Check
- To ensure that actions taken by the computer are valid
  o Operation validity: ensures that only valid instructions are performed
  o Character or field validity check: compares the data characters or fields that are written or read with the set of all valid characters or fields
  o Address validity: check of the storage location in memory or in a peripheral device

6) Power Protection
- Protects the hardware from power fluctuations (spikes or surges)
- Enables the computer to continue operations in case of power interruptions (4Ps)

7) Operational Manual Controls
a. Equipment failure logs
b. Environmental controls: dust, temperature, humidity
c. Formal recovery procedures
d. Preventive and corrective maintenance

7. SYSTEMS SOFTWARE CONTROLS
SYSTEM SOFTWARE
- A set of program routines that perform level functions of management, application program support, and tasks common to many applications
- Includes both the control of all operations and the allocation of resources, i.e. CPU time, memory, and input/output devices, among the various application programs

Library software control reports: program testing identifying the version of each program, run date, last copied, and last changed, to ensure that the current authorized version is used.
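The single parity bit check from the hardware controls above, written out as an added example (not part of the original notes): odd parity as the notes define it, a scan that flags characters whose stored parity is inconsistent, and the case the parity bit cannot catch, two flipped bits in one character. The 7-bit ASCII encoding and the sample text are assumptions for the example.

```python
from typing import List

# Added example: odd parity as described in the notes. The computer counts the
# 1 bits in each character and appends "0" if the count is already odd and "1"
# if it is even, so every stored character carries an odd number of 1 bits.

def add_odd_parity(char_bits: str) -> str:
    """Append the odd-parity bit to a string of '0'/'1' data bits."""
    ones = char_bits.count("1")
    parity_bit = "0" if ones % 2 == 1 else "1"
    return char_bits + parity_bit

def check_odd_parity(stored_bits: str) -> bool:
    """True if the stored character (data bits + parity bit) has an odd 1-count."""
    return stored_bits.count("1") % 2 == 1

def encode_text(text: str) -> List[str]:
    """Assumed layout: 7 ASCII data bits per character plus the parity bit."""
    return [add_odd_parity(format(ord(c), "07b")) for c in text]

def flip_bits(stored_bits: str, positions: List[int]) -> str:
    """Constructed hardware fault: invert the bits at the given positions (0 = leftmost)."""
    bits = list(stored_bits)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)

def scan(chars: List[str]) -> List[int]:
    """Indexes of characters whose parity check fails (the error the control detects)."""
    return [i for i, c in enumerate(chars) if not check_odd_parity(c)]

if __name__ == "__main__":
    stored = encode_text("AUDIT")      # constructed sample data
    print(scan(stored))                # []  clean read
    damaged = stored[:]
    damaged[2] = flip_bits(stored[2], [1])      # one bit wrong: count becomes even
    print(scan(damaged))               # [2]
    damaged[2] = flip_bits(stored[2], [1, 4])   # two bits wrong: count is odd again
    print(scan(damaged))               # []  undetected by a single parity bit
```

A single parity bit therefore detects any odd number of flipped bits in a character but misses an even number, which is why the notes list it alongside the other hardware checks rather than on its own.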
1) Controls to handle errors
2) Controls for program protection
3) Controls for file protection
4) Security protection
5) Self-protection

1) Controls to handle errors
a. Read or write error routines
   Retry, diagnose, propose action (close, etc.); prevents erroneous overwriting of existing records or files
b. Record length checks
c. Storage device checks
   Signals if a storage device is not operational

2) Controls for program protection
- Prevents application programs from interfering with each other during processing
a. Boundary protection
   Assignment of memory partitions to programs in a multiprogramming environment
b. Control over external references (sub-routines) in linkage editing
c. Library program software
   Restriction of access to use and change of programs:
   Passwords: used to limit access to programs under test status only, but not to the programs used in production
   Encryption: secret coding that prevents understanding of the program without the necessary key

3) Controls for file protection
- To protect against unauthorized use or modification of data
a. Checking internal file labels – to prevent processing of wrong files and premature destruction
b. Storage protection – prevents inadvertent overwriting
c. Memory clear – removes the risk of sensitive data being available for subsequent access

4) Security protection
a. Maintenance of logs and activity information
b. Password monitoring

5) Self-protection (manual)
a. Segregation of duties
   Assignment of responsibilities for system software, application software, library and operations should be separated
b. Hardwiring
   Encode the software logic in hardware; modification can only be done by the removal and replacement of the hardware

8. SYSTEMS SECURITY CONTROLS
SYSTEM SECURITY
- The protection of computer facilities, equipment, programs and data from destruction by environmental hazards, by equipment error, software error or human error, or by computer abuse

ENVIRONMENTAL HAZARDS
- Include fires, floods, tornadoes, earthquakes, and other acts of God. Generally occur infrequently but with a high cost per occurrence
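The internal file label check from the file-protection controls in section 7 (and the "internal header and trailer labels" of the library controls), as an added example that is not part of the original notes. The label layout is constructed for the example, since the notes give none: a header record HDR1 carrying the file id and expiry date, data records, and a trailer EOF1 carrying the record count and a control total. The processing program checks the header and trailer before using the file (wrong file mounted), and a program that wants to reuse the medium checks the expiry date first (premature destruction).

```python
from datetime import date

# Added example: internal header/trailer label checks. The HDR1/EOF1 layout
# and the sample records below are constructed for this example.

class LabelError(Exception):
    """Raised when a file must not be processed or overwritten."""

def parse_labels(lines):
    """Split a file into (header, data records, trailer), requiring both labels."""
    if not lines or not lines[0].startswith("HDR1|"):
        raise LabelError("missing internal header label")
    if not lines[-1].startswith("EOF1|"):
        raise LabelError("missing internal trailer label")
    _, file_id, expiry = lines[0].split("|")
    _, count, total = lines[-1].split("|")
    header = {"file_id": file_id, "expiry": date.fromisoformat(expiry)}
    trailer = {"count": int(count), "total": int(total)}
    return header, lines[1:-1], trailer

def check_for_processing(lines, expected_file_id):
    """Refuse to process a file whose header id or trailer totals do not match."""
    header, records, trailer = parse_labels(lines)
    if header["file_id"] != expected_file_id:
        raise LabelError("wrong file mounted: " + header["file_id"])
    if len(records) != trailer["count"]:
        raise LabelError("record count does not match trailer label")
    control_total = sum(int(r.split("|")[1]) for r in records)
    if control_total != trailer["total"]:
        raise LabelError("control total does not match trailer label")
    return records

def may_overwrite(lines, today_iso):
    """Overwriting is allowed only after the expiry date in the header label."""
    header, _, _ = parse_labels(lines)
    return date.fromisoformat(today_iso) > header["expiry"]

# Constructed sample: a payroll master file with two records (employee|amount).
SAMPLE = ["HDR1|PAYMAST|2024-12-31", "E1001|1500", "E1002|2250", "EOF1|2|3750"]

if __name__ == "__main__":
    print(len(check_for_processing(SAMPLE, "PAYMAST")))   # 2
    print(may_overwrite(SAMPLE, "2024-06-01"))             # False: still retained
    try:
        check_for_processing(SAMPLE, "APMAST")             # accounts-payable run
    except LabelError as err:
        print(err)                                         # wrong file mounted
```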
ERRORS
- Include damage to disk storage by faulty disk drives, mistakes in application programs that destroy or damage data, and operator mounting of incorrect files. Generally frequent but at low cost per incident

COMPUTER ABUSE
- The violation of a computer system to perform malicious damage, crime or invasion of privacy
  o Malicious damage includes looting and sabotage
  o Crime includes embezzlement, industrial espionage, and the sale of commercial secrets
  o Invasion of privacy includes discovery of confidential salary information, and the review of sensitive data (financial information) by a competing company

SYSTEMS SECURITY CONTROLS
- Are general controls that prevent failures in system security and provide for recovery from failures in system security; they are generally categorized as:
1) Controls that provide a secure system
2) Controls for detecting failures in system security
3) Controls for recovery from system security failures

The three general categories pertain to:
1. Prevention
2. Detection
3. Correction and recovery

1) Controls that provide a secure system
a. Security management
   i. Establish security objectives
   ii. Evaluate security risks
   iii. Develop security plan
   iv. Assign responsibilities
   v. Test system security
   vi. Evaluate system security
b. Facility security controls
   i. Location controls
   ii. Construction controls
   iii. Access controls
      Conventional locks
      Magnetic stripe cards
      Devices that can read physical characteristics, e.g. fingerprints
      Signature verification systems
c. Library controls
   i. Library function for access controls
      Authorized users
      Usage log
   ii. Physical file control
      Internal header and trailer labels
      External labels
      Protection rings
      Read-only switch
d. On-line access controls
   i. Physical security of terminals
      Use of terminal locks
   ii. Authorization controls
      Authorized users
      Programs and data files that each user can access should be identified in the authorization scheme
      Authorized terminals
   iii. Identification controls
      Terminal identification
      User identification (passwords)
      Physiological key: hand prints, thumb prints
      Special key: magnetic stripe cards, optically encoded badge

SOME RULES CONCERNING PASSWORDS
- Passwords should not be chosen because they are easy to remember
- Should not be shared nor displayed
- The password file should be protected by the operating system
- Unsuccessful attempts should be monitored
- Should be changed periodically
- More effective when used in combination with other techniques

[continuation of a later list; the preceding items were lost in extraction]
iii. Data/source documents
iv. Personnel
   Who is responsible for what
   Substitute in case of injury