Professional Documents
Culture Documents
Controlling Computer-Based Information Systems, Part I
Controlling Computer-Based Information Systems, Part I
Controlling
Computer-Based
Information
Systems, Part I
Objectives for Chapter 15
● Features of a CBIS environment and the control objectives in SAS
78
● Threats to the operating system and controls used to minimize
exposures
● Techniques used to control access to the database
● Incompatible functions in a CBIS environment
● Controls necessary to regulate systems development and
maintenance activities
● Controls of an organization’s computer facilities and the disaster
recovery options
2
Controls, CBIS & SAS 78
● TRANSACTION AUTHORIZATION
● may be embedded into the programs
● SEGREGATION OF DUTIES
● Duties that must be separated in a manual
system may be combined in a computerized
setting.
● The computer-based functions of
programming, processing, and maintenance
must be separated.
3
Segregation of Duties
Control Objectives
● Transaction authorization is separate
from transaction processing.
● Asset custody is separate from
recordkeeping responsibilities.
● The sub-tasks needed to process the
transactions are separated so that no
individual or group is responsible for
transaction authorization, transaction
recording, and asset custody.
4
Segregation of Duties
Custody Recording
TRANSACTION
5
Controls, CBIS & SAS 78
6
Controls, CBIS & SAS 78
● ACCOUNTING RECORDS
● Source documents and ledgers may be stored
magnetically with no “paper trail.”
● Expertise is required to understand the links.
● ACCESS CONTROL
● Tight control is necessary over access to
programs and files.
● Fraud is easier to commit since records are
located in one data repository.
7
Controls, CBIS & SAS 78
(continued)
● INDEPENDENT VERIFICATION
● need to review the internal logic of
programs and comparison of accounting
records and physical assets
● management must assess:
▪ the performance of individuals
▪ the integrity of the transaction processing system
▪ the correctness of data contained in accounting
records
8
General Control Framework
for CBIS Exposures
10 control components need to be addressed:
● Operating system
● Data management
● Organizational structure
● Systems development
● Systems maintenance
● Computer center security
● Internet and Intranet
● EDI
● Personal computer
● Applications 9
Organizational Structure
Internet
& Intranet
Systems
Development
10
General Control Framework for CBIS Exposures
Organizational Structure
Internet
& Intranet
Systems
Development
11
General Control Framework for CBIS Exposures
Operating System Controls
12
For An Operating System To Perform
These Tasks Consistently And Reliably, It
Must
13
Operating System Security
● Log-On Procedure
● first line of defense--user IDs and passwords
● Access Token
● contains key information about the user
● Access Control List
● defines access privileges of users
● Discretionary Access Control
● allows user to grant access to another user
14
Other Good Security
Policies
18
Anti-Virus
Software
Internet
& Intranet
Systems
Development
20
General Control Framework for CBIS Exposures
Data Management Controls
Access controls
Backup
controls
21
Access Controls
23
Computer Resource
Authority Table
List
Resource Employee Line Cash Receipts
User AR File File Printer Program
Read data
Ticket User 1 Change No Access Use No Access
Add
Delete
Read only Read code
User 2 No Access Use Modify
Delete
24
Backup Controls
● Flat-file environment
● grandparent-parent-child (GPC) used in sequential file
batch systems
● direct access backup called destructive replacement
● offsite storage
● Database environment
● database backup - automatic periodic backup
● transaction log (journal) - a list of transactions which
provides an audit trail of all processed transactions
● checkpoint features - suspends all data processing while
the system performs reconciliation
● recovery module - restarts the system after 25 a failure
Organizational Structure
Internet
& Intranet
Systems
Development
26
General Control Framework for CBIS Exposures
Organizational Structure
Controls
Centralized DP Distributed DP
27
CENTRALIZED COMPUTER President
SERVICES FUNCTION
VP VP Computer VP VP
Marketing Services Operations Finance
VP VP VP VP
Marketing Finance Administration Operations
Internet
& Intranet
Systems
Development
32
General Control Framework for CBIS Exposures
SDLC
33
Systems Development
Controls
● New systems must be authorized.
● User needs and requests should be formally
documented.
● Technical design activities should be documented.
● Internal auditors should participate in the
development process.
● New programs must be thoroughly tested before they
are implemented.
● New systems must be tested by a team of users,
internal audit staff, and systems professionals.
34
Organizational Structure
Internet
& Intranet
Systems
Development
35
General Control Framework for CBIS Exposures
System Maintenance
Controls
● Last, longest and most costly phase of SDLC
● 80-90% of entire cost of a system
● All maintenance actions should require
● technical specifications
● testing
● documentation updates
● formal authorizations for any changes made
36
SPL
37
Uncontrolled Access to the
Source Program Library
Systems Source
Development Program Production
Programmers Library Load
Library
Systems
Maintenance Production
Programmers Application
38
A Controlled SPL
Environment
● An SPL Management System (SPLMS)
can be used to protect the SPL
environment by controlling the following
functions:
● storing programs on the SPL
● retrieving programs for maintenance
purposes
● deleting obsolete programs from the library
● documenting program changes to provide
an audit trail of the changes 39
Source Program Library under the Control of SPL Management Software
Report
Load
Documen-
Library
tation
Production
File
40
SPL Control Features
● Password control
● Separation of test libraries
● Reports that enhance management control and
the audit function
● Assigns program version numbers automatically
● Controlled access to maintenance commands
● Documentation and authorization of changes
41
Organizational Structure
Internet
& Intranet
Systems
Development
42
General Control Framework for CBIS Exposures
Computer Center Controls
Considerations:
● location away from human-made and natural hazards
● utility and communications lines underground
● windows closed and air filtration systems in place
● access limited to the operators and other necessary
workers; others required to sign in and out
● fire suppressions systems should be installed
● backup power supplies
43
Disaster Recovery
Planning
● Disaster recovery plan (DRP)
● all actions to be taken before, during, and after
a disaster
● Disaster Recovery Team (DRT) identified
● critical applications must be identified
● restore these applications first
● Backups and off-site storage procedures
● databases and applications
● documentation
● supplies
44
Second-Site Disaster
Backups
● Mutual Aid Pact - an agreement between two or more
organizations (with compatible computer facilities) to aid
each other with their data processing needs
● The Empty Shell - involves two or more user
organizations that buy or lease a building and remodel it
into a computer site, but without computer equipment
● The Recovery Operations Center - a completely
equipped site; very costly and typically shared among
many companies
● Internally Provided Backup - companies with multiple
data processing centers may create internal excess
capacity
45