Unit 14 Internal Controls - Controls and Security Measures

14.1 Control Procedures

1. Control Activities (Process)


Control requires feedback on the results of organizational activities for the purpose of
measurement and correction. The control process includes:
❖ Establishing standards (procedures) for the operation to be controlled
❖ Measuring performance against the standards (procedures)
❖ Examining and analyzing deviations (non-compliance with control procedures)
❖ Taking corrective actions
❖ Re-appraising the standards based on experience

2. Types of Control Procedures


There are 5 classifications of controls:
I. Primary Controls
II. Secondary Controls
III. Time-Based Controls
IV. Financial VS Operating Controls
V. People VS System Controls

Primary controls include the following:
1) Preventive Controls- deter/prevent the occurrence of unwanted events. Effective
preventive controls stop problems before they occur.
❖ Segregation of duties
❖ Storing petty cash in a locked safe
❖ Pre-numbered documents
❖ Designing a database so that users cannot enter a letter in a field that requires
a social security number
❖ Requiring the number of invoices in a batch to be entered before processing
begins
❖ Establishing a formal security policy
❖ Not using shareware software
❖ Checking new software with antivirus
❖ Restricting access
❖ Educating users
❖ Using edit (field) checks to prevent certain types of incorrect data from being
entered in a system
❖ Pre-formatting a data entry screen so that certain fields must be filled before
processing

2) Detective Controls- alert the proper people after an unwanted event occurs. They are
effective when detection occurs before material (significant) harm occurs.
❖ Automatic reporting to the AP department of all rejected batches of invoices
❖ Using hash totals to detect data entry errors OR to test for completeness
❖ Installing burglar alarms OR fire alarms
❖ Examining system logs for actions that require scrutiny (inspection), such as
repeated failed login attempts and the use of powerful utility programs
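As an added example (not part of the original notes), the following Python reviews a constructed system access log for the two detective signals just listed, repeated failed login attempts and use of a powerful utility program. The log format, user names, host names and utility names are assumptions made for the example.

```python
# Added example (not from the original notes): a detective control that reviews a
# system access log for repeated failed login attempts and for use of a powerful
# utility program. The log format and every name in it are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simple "timestamp user host action [detail]" format.
SAMPLE_LOG = """\
2024-03-04T08:00:05 alice ws-12 LOGIN_OK
2024-03-04T08:01:10 bob ws-07 LOGIN_FAIL
2024-03-04T08:01:22 bob ws-07 LOGIN_FAIL
2024-03-04T08:01:40 bob ws-07 LOGIN_FAIL
2024-03-04T08:02:03 bob ws-07 LOGIN_FAIL
2024-03-04T08:02:15 bob ws-07 LOGIN_FAIL
2024-03-04T08:05:00 carol ws-03 LOGIN_FAIL
2024-03-04T09:30:00 carol ws-03 LOGIN_OK
2024-03-04T10:15:42 dave srv-01 RUN_UTILITY fileeditor
2024-03-04T11:00:00 alice ws-12 LOGOUT
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

# Utilities the notes call "powerful" and therefore worth scrutiny (assumed names).
POWERFUL_UTILITIES = {"fileeditor", "dbpatch"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, host, action, detail = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "host": host, "action": action, "detail": detail,
        })
    return events


def repeated_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: count} for users with at least `threshold` LOGIN_FAIL events
    inside any sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN_FAIL":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def utility_use(events):
    """Return (user, utility) pairs for every run of a powerful utility."""
    return [(e["user"], e["detail"]) for e in events
            if e["action"] == "RUN_UTILITY" and e["detail"] in POWERFUL_UTILITIES]


def review(text):
    """Produce the two exception lists a reviewer would examine."""
    events = parse_log(text)
    return {"repeated_failures": repeated_failures(events),
            "utility_use": utility_use(events)}


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```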

3) Corrective Controls- correct the negative effects of unwanted events.


❖ Requiring all cost variances over a certain amount to be justified
❖ Correcting errors reported on error listing
❖ Isolating and removing viruses
❖ Restarting from system crashes
❖ Comparing actual purchased material VS budgeted amounts

4) Directive Controls- cause OR encourage the occurrence of desirable events
❖ Policy and Procedures
❖ Operating manuals

Secondary controls are used when the primary controls fail and include the following:
1) Compensatory (mitigative) Controls- these controls may reduce risks when the primary
controls are ineffective; however, by themselves they do not reduce risk to an acceptable
level.
❖ The warehouse counting the delivered goods if the receiving function did not perform
its duties
❖ Supervisory review when segregation of duties is not feasible

2) Complementary Controls- controls that work with other controls to reduce risks to an
acceptable level.
❖ After segregation of duties, both departments perform their completeness
checks before payment is issued.
❖ Segregating the functions of recording and custody of cash receipts is
complemented by obtaining deposit slips validated by the bank

Time-based controls include the following:

1) Feedback Controls- report information about completed activities. They permit
improvement in future performance by learning from past mistakes.
❖ Inspection of completed goods

2) Concurrent Controls- adjust ongoing processes. These real-time controls monitor
activities in the present to prevent them from deviating too far from standards.
❖ Supervision of production line workers

3) Feedforward (Preventive) Controls- anticipate and prevent problems. These controls
require a long-term perspective.
❖ Policies and procedures
❖ Segregation of duties

Financial VS operating controls include the following:
1) Financial Controls (accounting controls)- based on the accounting principles used.
Objectives of financial controls may include proper authorization, appropriate
recordkeeping, safeguarding of assets, and compliance with laws.

2) Operating Controls (administrative controls)- apply to production and supporting
activities (procurement, HR, etc.). Since they lack established criteria OR standards,
they should be based on management principles and methods.

People-based VS system-based controls include the following:

1) People-Based Controls- controls that depend on human intervention for their
proper operation.
❖ Performing bank reconciliations

2) System-Based Controls- are executed whenever needed by the system without human
intervention.
❖ A computerized purchasing system that prevents any purchase order over a specific
limit from being submitted without the approval of management
❖ Control totals
❖ Reasonableness checks
❖ Sequence tests

NOTE
Compensating Controls- replace the normal controls, such as segregation of duties, when it
cannot be feasibly implemented. Providing oversight is an alternative to the performance of each
function by at least two people.

3. Control Procedures
There are several procedures/actions that can be taken, including:
1) Segregation of Duties- is vital because a separation of functions (authorization,
recording, and access to assets) may not be feasible in an IT environment. It involves
assigning different employees to perform functions such that an employee acting alone
is prevented from committing an error or concealing a fraud in the normal course of
his/her duties.
a. Custody
b. Authorization
c. Record Keeping
d. Reconciliation
Segregation of duties can be compromised (defeated) through collusion among employees.

2) Independent Checks and Verification (Reconciliation)- the reconciliation of recorded
accountability with assets must be performed by a person/department who is either:
a. Unconnected with the original transaction
b. Without custody of the asset
A comparison revealing that the assets do not agree with the books of the entity provides
evidence of unrecorded OR improperly recorded transactions. The frequency of
comparison for the purpose of safeguarding assets depends on the nature and amount of
the assets involved and the costs of making the comparison.

3) Safeguarding Controls- limit access to the organization’s assets (cash, inventory or
fixed assets) to authorized personnel. Access includes both direct physical access
(authorized access) and indirect access through the preparation or processing of
documents that authorize the use OR disposition of assets.

4) Pre-Numbered Forms- sequential pre-numbered forms are the basis for a strong set of
internal controls. During the periodic reconciliation, missing documents can be
detected, and such a procedure can detect unrecorded and unauthorized transactions.

5) Specific Document/Process Flow- as an organization conducts its business, documents
and other evidence should be created.

❖ Tracing- follows a transaction forward from the original source document to the
accounting records (the transaction was properly recorded). Tracing is used to gain
assurance that a liability was properly accrued for all goods received.

❖ Vouching- follows a transaction backward from the accounting records to the original
source documents (the transaction actually occurred). Vouching is used to gain
assurance that a claimed receivable is supported by a sale to a customer.

By searching for missing documents in the flow, auditors can detect errors OR fraud.

4. Transaction Cycles
There are several accounting/transaction cycles involved in a business, including:
1) Sales – Receivables Cycle
2) Cash – Receipts Cycle
3) Purchases – Payables Cycle
4) Cash Disbursements Cycle
5) Payroll Cycle

1) Sales – Receivables Cycle
[Flowchart: functions Authorization, Custody and Recording across the departments Customer, Sales, Credit, Billing, Shipping, Warehouse, Inventory Control, Accounts Receivable and General Ledger]

2) Cash – Receipts Cycle
[Flowchart: functions Authorization, Custody and Recording across the departments Customer, Bank, Mail Room, Cash Receipts, Accounts Receivable and General Ledger]

3) Purchases – Payables Cycle
[Flowchart: functions Authorization, Custody and Recording across the departments Inventory Control, Purchasing, Vendor, Receiving, Warehouse, Accounts Payable and General Ledger]

4) Cash Disbursements Cycle
[Flowchart: functions Authorization, Custody and Receivables across the departments Vendor, Purchasing, Cash Disbursement, Accounts Payable and General Ledger]

5) Payroll Cycle
[Flowchart: functions Authorization, Custody and Recording across the departments Human Resources, Production, Cash Disbursement, Bank, Time-Keeping, Cost Accounting, Payroll, Accounts Payable and General Ledger]

14.2 Information Security and System Controls

1. Goals of Information Security


Integrity- maintained by preventing unauthorized access to, and accidental modification
of, programs or data.
Availability- the ability of authorized users to access computer resources at any time to
perform their duties and meet organizational goals.
Confidentiality- assurance of the secrecy of information that could adversely affect the
organization if revealed to the public or competitors.

2. Threats of Information System


There are several threats facing the information system of an organization, including:
1) Input Manipulation- is an intrusion into a system by exploiting a vulnerability in a
legitimate electronic portal (Ex- inputting a code to access the system)

2) Program Alteration- is the deliberate (intentional) changing of the processing routines of
an application program (Ex- when the CEO must authorize a purchase order, the hacker
changes the CEO to the CFO)

3) Direct File Alteration- is the deliberate (intentional) changing of a database to the
intruder’s advantage (Ex- a hacker who uses unauthorized access to change their grade on
a test)

4) Data Theft- is the surreptitious (secret) copying of critical data elements from the
organization’s database (Ex- copying credit card numbers)

5) Sabotage- is the disruption of an organization’s system, not for personal gain, but
simply for revenge or in the spirit of vandalism (damage) (Ex- changing a company’s
website to include incorrect information that is not immediately noticeable)

6) Viruses- are computer programs that propagate (spread) themselves from one computer
to another without the knowledge of the user. A common way of spreading a virus is by
email attachments and downloads. A virus can cause an annoying message to appear
on the screen. A symptom of a virus is that programs load OR execute slowly.

7) Logic Bombs- also destroy data, but unlike viruses, they remain on a single computer
and do not replicate themselves. They do not copy themselves or spread from one computer
to another. They lie dormant until triggered by the arrival of a certain date.

8) Worms- are pieces of code that do not threaten the data on the computer (unlike viruses
and logic bombs) but are destructive because they rapidly replicate themselves. A released
worm can propagate (spread) from one network to another, eventually slowing down the
processing speed of the computer.

9) Trojan Horses- are voluntarily installed on a computer by the user because they are
mistaken for a program that the user wants. While the program may seem like a
video game, it contains code that a hacker can activate later to take over the computer,
retrieve sensitive information or use it to launch proxy (indirect) attacks.

10) Back Doors- are means of obtaining access to a system while bypassing the usual
password controls. IT personnel often design a back door to allow access to the
system in unusual circumstances.

11) Spyware- spies on a user without their knowledge and collects data. Programs that
capture keystrokes are called keylogger software (Ex- keystroke-logging apps)

12) Ransomware- holds a computer or file storage hostage and demands a ransom
payment. Ransomware distributors do not really want to cause major trouble, but they
want a quick payment from the computer user.

13) Phishing- is the attempt to acquire sensitive information by posing as a trustworthy
entity (Ex- creating a fake Amazon website to obtain credit card details)

14) Malware- is short for malicious software (sabotage, viruses, logic bombs, worms,
Trojan horses, back doors, ransomware, phishing)

3. System Development Controls
All information systems, automated OR manual, perform 4 basic functions:
1) Input
2) Processing
3) Output
4) Storage
Proper management of system development process can enhance the accuracy, validity, safety,
security, and adaptability of the controls over these functions.

Effective system development requires the setting of priorities. This can be achieved through a
steering committee composed of managers from IT functions and end users. The committee
approves development projects, assigns resources, and reviews progress. The steering committee
also ensures that requests for new systems are aligned with the overall strategic plan of the
organization.

The most critical separation of duties in an information system is between the computer
operators (files, equipment and production programs) AND the programmers and systems
analysts. Furthermore, computer operators and systems analysts should be separated, and
none of them should be allowed to perform programming duties. In addition, an operator should
not have custody of files.

Changes to an existing system should be subject to strict controls. Requests for changes should
be initiated by an end user and authorized by management OR the steering committee. All
changes should be made to a working copy of the program. Production code should never be
directly altered by a programmer.
All changes should be adequately tested before being placed in the production environment. The
test results should indicate acceptance by the end user who requested the change. Adequate
testing must involve using incorrect data. The program must be able to appropriately handle data
that do not conform. Unauthorized program changes can be detected by code comparison.

4. Physical Controls
Physical controls limit physical access and environmental damage to computer equipment and
important documents.
There are 2 types of physical controls:
I. Access Controls
II. Environmental Controls

I. Access Controls
Access controls prevent improper use OR manipulation of data files and programs. They ensure
that only those people with purpose and authorization have access.
No person except operators should be allowed unmonitored access to the processing facility.
This can be enforced by guard desks, keypads, and magnetic readers.
Access controls include:
1) Passwords and ID Numbers
2) Device Authorization Table
3) System Access Log
4) Encryption
5) Callback
6) Controlled Disposal of documents
7) Biometric Technologies
8) Automatic Log-off
9) Security Personnel

1) Passwords and ID Numbers


The use of passwords and identification numbers is an effective control in an online system to
prevent unauthorized access to files. A list of authorized users must be maintained online.
To avoid unauthorized access, the firm may combine:
❖ The entry of passwords OR identification numbers
❖ A pre-arranged set of personal questions
❖ The use of badges, magnetic cards, optically scanned cards, and biometrics

2) Device Authorization Table
This control grants access only to those physical devices that need it (Ex- only the
accounting department can access the AR file; even if the correct password is used by other
departments, access will not be granted)

3) System Access Log
This log records all uses and attempted uses of the system. The date, time, codes used, mode of
access, data involved, and interventions by operators are recorded.

4) Encryption
Encoding data before transmission over communication lines makes it more difficult for
someone with access to the transmission to understand OR modify its contents. Encryption
technology converts data into a code.
Unauthorized users may still be able to access the data, but without the encryption key, they
will be unable to decode the information.

5) Callback
This feature requires a remote user to call, give identification, hang up, and wait for an
authorization number. This control ensures acceptance of data only from the authorized modems.
However, a call-forwarding device may thwart (prevent) this control by transferring access from
an authorized to an unauthorized number.

6) Controlled Disposal of Documents


One method of enforcing access restrictions is to destroy data when they are no longer used.
Therefore, paper documents can be shredded, and magnetic media can be erased.

7) Biometric Technologies
These are automated methods of establishing an individual’s identity using physiological OR
behavioral traits. These include fingerprints, retina patterns, hand geometry, signature dynamics,
speech, and keystroke dynamics.

8) Automatic Log-off
The disconnection of inactive data terminals may prevent the viewing of sensitive data on an
unattended workstation.

9) Security Personnel
An entity may hire security specialists. (Ex- developing an information security policy,
commenting on new controls, monitoring, and investigating unsuccessful attempts)

II. Environmental Controls
The processing facility should be equipped with both cooling and heating systems to maintain a
constant level of temperature and humidity, as well as a fire suppression system.

5. Logical Controls
Logical Controls are established to limit system access to authorized people and to the extent
necessary to perform their duty. (Ex- database access lists should be reconciled with current
payroll lists)
There are 2 items involved in logical controls:
1) Authentication
2) Authorization

1) Authentication- is the act of ensuring that the person attempting to access the system is
in fact who he says he is. The most widespread means of achieving this is through the
use of IDs and passwords.
The elements of user account management include:
❖ Anyone attempting to access the organization’s system must supply a unique identifier
and a password, which must not be stored anywhere on the system.

❖ Passwords must be difficult to guess and must be changed periodically.

❖ Password fatigue results when users must log on to a system several times during a day.
Single sign-on must be established in the organization, and a high level of
maintenance and security awareness is required.

2) Authorization- is the act of ensuring that once in the system, the user can only access
those programs and data elements necessary to carry out their duties (Ex- an AR clerk can
only view customers’ credit limits but cannot change them, AND only the head of AR is
allowed to execute the program that updates AR in the master file)
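As an added example (not part of the original notes), the following Python implements the two logical controls described in this section: reconciling a database access list with the current payroll list, and a default-deny authorization check for the AR rule given above. The user ids, employee ids, roles and action names are all constructed for the example.

```python
# Added example (not from the original notes): (a) reconcile the database access
# list with the payroll list to find accounts whose owner is no longer an active
# employee, and (b) enforce the AR authorization rule from the notes. Every
# account, employee id, role and action name below is constructed.
from typing import Dict, List, Set

# Constructed database access list: user id -> owning employee and role.
ACCESS_LIST: Dict[str, Dict[str, str]] = {
    "ar_clerk01": {"employee": "E100", "role": "ar_clerk"},
    "ar_head01": {"employee": "E200", "role": "ar_head"},
    "oldtemp07": {"employee": "E300", "role": "ar_clerk"},   # employee has left
}

# Constructed current payroll list: employee id -> employment status.
PAYROLL: Dict[str, str] = {"E100": "active", "E200": "active", "E300": "terminated"}

# Least-privilege role table: an AR clerk may only view credit limits; only the
# head of AR may change them or run the AR master-file update.
PERMISSIONS: Dict[str, Set[str]] = {
    "ar_clerk": {"view_credit_limit"},
    "ar_head": {"view_credit_limit", "change_credit_limit", "run_ar_master_update"},
}


def orphaned_accounts(access_list: Dict[str, Dict[str, str]],
                      payroll: Dict[str, str]) -> List[str]:
    """Reconciliation: accounts whose employee is missing from payroll or not active.
    These are the entries the access list review should remove."""
    return sorted(user for user, rec in access_list.items()
                  if payroll.get(rec["employee"]) != "active")


def is_authorized(user: str, action: str,
                  access_list: Dict[str, Dict[str, str]] = ACCESS_LIST,
                  payroll: Dict[str, str] = PAYROLL) -> bool:
    """Authorization: the user must be known, still employed, and hold a role
    that includes the requested action. Anything else is denied by default."""
    rec = access_list.get(user)
    if rec is None or payroll.get(rec["employee"]) != "active":
        return False
    return action in PERMISSIONS.get(rec["role"], set())


if __name__ == "__main__":
    print("accounts to remove:", orphaned_accounts(ACCESS_LIST, PAYROLL))
    for user, action in (("ar_clerk01", "view_credit_limit"),
                         ("ar_clerk01", "change_credit_limit"),
                         ("ar_head01", "run_ar_master_update"),
                         ("oldtemp07", "view_credit_limit")):
        print(user, action, "->", "allowed" if is_authorized(user, action) else "denied")
```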

6. Function Controls
Operations is the part of the information system involved in the daily processing of data and
producing results. Controls apply to input, processing, output, and storage.
1) Input Controls- provide reasonable assurance that data submitted for processing are
authorized, complete, and accurate.
There are 2 types of input controls:
❖ Online Input
❖ Batch Input

❖ Online Input Controls can be used when data are keyed into an input screen.

1) Pre-formatting- the data entry screen mimics (represents) the old hardcopy document,
forcing data entry in all fields.

2) Edit (field) checks- the data entry screen prevents certain types of incorrect data from
entering the system (Ex- the system rejects any attempt to enter a number in the name
field). Dropdown menus can restrict the user’s choice to only valid selections.

3) Limit (reasonableness) checks- certain amounts can be restricted to appropriate ranges
(Ex- hours worked per day < 20 hours, OR invoices > $100,000 require supervisor
approval)

4) Check Digits- an algorithm is applied to any kind of serial identifier to derive a check
digit. During data entry, the check digit is recomputed to ensure proper entry.
Check digits also catch dropped OR transposed digits. However, if the check digit is
simply the sum of the digits, transposition errors will not be detected (Ex- 1,3,6 gives the
same sum as 3,6,1)

5) Prompting- asking the user questions to ensure proper data entry
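As an added example (not part of the original notes), the following Python contrasts the digit-sum check digit the notes warn about with the Luhn mod-10 check digit, which weights digits by position, using the 136 / 361 case from the text. The identifiers and the Luhn choice are assumptions for the example; the notes do not name a particular algorithm.

```python
# Added example (not from the original notes): a digit-sum check digit cannot see
# the order of digits, while the Luhn mod-10 check digit is position-dependent.
# Identifiers below are constructed.


def digit_sum_check(payload: str) -> int:
    """Naive scheme from the notes: the check digit is the sum of the digits mod 10.
    Any rearrangement of the same digits yields the same check digit, so keying
    361 instead of 136 goes undetected."""
    return sum(int(c) for c in payload) % 10


def luhn_check(payload: str) -> int:
    """Luhn scheme: working from the right, double every second digit (subtracting 9
    when the result exceeds 9), sum, and choose the digit that makes the total a
    multiple of 10. Adjacent transpositions other than 09/90 change the result."""
    total = 0
    for i, c in enumerate(reversed(payload)):
        d = int(c)
        if i % 2 == 0:          # the digit nearest the check digit is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def with_check_digit(payload: str, scheme) -> str:
    """Issue an identifier: body followed by the check digit of the chosen scheme."""
    return payload + str(scheme(payload))


def is_valid(identifier: str, scheme) -> bool:
    """Edit check at data-entry time: recompute the check digit from the body and
    compare it with the last digit. Non-numeric or too-short input is rejected."""
    if len(identifier) < 2 or not identifier.isdigit():
        return False
    return scheme(identifier[:-1]) == int(identifier[-1])


def transposition_detected(payload: str, transposed: str, scheme) -> bool:
    """True when keying `transposed` in place of the issued body for `payload`
    (with the check digit copied correctly) is rejected by the edit check."""
    issued = with_check_digit(payload, scheme)
    keyed = transposed + issued[-1]
    return not is_valid(keyed, scheme)


if __name__ == "__main__":
    for name, scheme in (("digit-sum", digit_sum_check), ("Luhn", luhn_check)):
        print(f"{name} check digit for 136: {scheme('136')}; "
              f"catches 136 -> 361: {transposition_detected('136', '361', scheme)}")
```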

❖ Batch Input Controls can be used when data are grouped for processing in batches.

1) Management Release- a batch is not released for processing until a manager reviews and
approves it.

2) Record Count- a batch is not released for processing unless the number of records in
the batch is the same as that reported by the system (matching the number calculated by the user).

3) Control Total Validation Routines- a batch is not released for processing unless the
sum of the dollar amounts of the individual items is the same as that reported by the system
(matching the number calculated by the user).

4) Hash Total- is the arithmetic sum of a numeric field that has no meaning by itself; it
serves as a check that the same records that should have been processed were actually
processed (Ex- the sum of all social security numbers).
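As an added example (not part of the original notes), the following Python computes the record count, control total and hash total for a constructed batch of invoices and compares them with the batch header the user prepared by hand; it also shows the case in which only the hash total catches a mis-keyed vendor number. The invoice values and header figures are constructed.

```python
# Added example (not from the original notes): record count, control total and
# hash total computed over a constructed invoice batch and compared with the
# batch header. Amounts are whole cents so the control total needs no rounding.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Invoice:
    vendor_number: str   # numeric identifier; meaningless to add, ideal for a hash total
    amount_cents: int    # dollar amount in cents; meaningful to add, the control total


# Constructed batch as keyed by the data-entry clerk.
BATCH: List[Invoice] = [
    Invoice("10427", 125000),
    Invoice("20931", 31050),
    Invoice("10427", 8999),
]

# Constructed batch header: figures the user calculated by hand from the paper invoices.
HEADER: Dict[str, int] = {"record_count": 3, "control_total": 165049, "hash_total": 41785}


def record_count(batch: List[Invoice]) -> int:
    return len(batch)


def control_total(batch: List[Invoice]) -> int:
    """Sum of a meaningful field (the dollar amounts)."""
    return sum(inv.amount_cents for inv in batch)


def hash_total(batch: List[Invoice]) -> int:
    """Sum of a field that has no meaning as a sum (vendor numbers); it still
    changes whenever a record is dropped, duplicated or mis-keyed."""
    return sum(int(inv.vendor_number) for inv in batch)


def batch_control_failures(batch: List[Invoice], header: Dict[str, int]) -> List[str]:
    """Compare each computed control with the header. An empty list means the
    batch may be released for processing; otherwise it goes on the error listing."""
    computed = {
        "record_count": record_count(batch),
        "control_total": control_total(batch),
        "hash_total": hash_total(batch),
    }
    return [
        f"{name}: header {header[name]} != computed {value}"
        for name, value in computed.items()
        if header[name] != value
    ]


if __name__ == "__main__":
    print("clean batch:", batch_control_failures(BATCH, HEADER))
    # Vendor number mis-keyed as 10472: count and dollar total still agree with the
    # header, so only the hash total exposes the error.
    miskeyed = [Invoice("10472", 125000)] + BATCH[1:]
    print("mis-keyed vendor:", batch_control_failures(miskeyed, HEADER))
    # Last invoice dropped: all three controls disagree.
    print("dropped record:", batch_control_failures(BATCH[:2], HEADER))
```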

2) Processing Controls- provide reasonable assurance that all data submitted for
processing are actually processed AND that only approved data are processed. These controls
are built into the application code by programmers during the development of the
system.
Furthermore, some processing controls repeat the steps performed in the input controls,
such as limit checks and control totals.

1) Validation- identifiers are matched against master files to determine existence (Ex- any
AP transaction is rejected if the vendor’s number does not match the master file).

2) Completeness- any record with missing data is rejected.

3) Arithmetic Controls- cross-footing compares an amount to the sum of its components.
Zero-balance checking adds the debits and credits in a transaction to ensure the sum is zero
(Dr = Cr).

4) Sequence Check- computer effort is expended most efficiently when data are processed
in a logical order (Ex- by customer number). This check ensures the batch is sorted in this
order before processing begins. Therefore, it is not appropriate for real-time environments.

5) Run-to-Run Control Totals- the control totals associated with a given batch are checked after
each stage of processing to ensure all transactions have been processed.

6) Key Integrity- a record’s key is the group of values in the fields that uniquely identify
the record. No application should be able to alter the data in these key fields.
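As an added example (not part of the original notes), the following Python applies four of the processing controls above, validation against a vendor master file, completeness, zero-balance (Dr = Cr) and a sequence check, to a constructed batch of AP transactions and produces the accepted list and an error listing. The vendor numbers, account codes and transaction ids are constructed.

```python
# Added example (not from the original notes): vendor master validation,
# completeness, zero-balance (Dr = Cr) and sequence checks applied to a
# constructed AP batch. Rejections are returned as an error listing.
from typing import Dict, List, Tuple

# Constructed vendor master file: vendor number -> name.
VENDOR_MASTER: Dict[str, str] = {"10427": "Acme Supplies", "20931": "Northwind Parts"}

# Each posting is (account, debit_cents, credit_cents).
Posting = Tuple[str, int, int]

# Constructed batch in transaction-id order. 1001 is clean; 1002 names an
# unknown vendor; 1003 does not balance; 1004 has no postings at all.
TRANSACTIONS: List[dict] = [
    {"id": 1001, "vendor": "10427", "postings": [("5000", 125000, 0), ("2100", 0, 125000)]},
    {"id": 1002, "vendor": "99999", "postings": [("5000", 31050, 0), ("2100", 0, 31050)]},
    {"id": 1003, "vendor": "20931", "postings": [("5000", 8999, 0), ("2100", 0, 8990)]},
    {"id": 1004, "vendor": "20931", "postings": []},
]


def is_complete(txn: dict) -> bool:
    """Completeness: every required field present and at least one posting."""
    return bool(txn.get("id")) and bool(txn.get("vendor")) and bool(txn.get("postings"))


def vendor_exists(txn: dict) -> bool:
    """Validation: the vendor number must exist in the master file."""
    return txn["vendor"] in VENDOR_MASTER


def zero_balance(txn: dict) -> bool:
    """Arithmetic control: total debits must equal total credits (Dr = Cr)."""
    debits = sum(p[1] for p in txn["postings"])
    credits = sum(p[2] for p in txn["postings"])
    return debits == credits


def in_sequence(txns: List[dict]) -> bool:
    """Sequence check: the batch must be sorted by transaction id before processing."""
    ids = [t["id"] for t in txns]
    return ids == sorted(ids)


def process_batch(txns: List[dict]) -> Tuple[List[int], List[Tuple[int, str]]]:
    """Apply the controls in order and return
    (accepted transaction ids, error listing of (id, reason))."""
    if not in_sequence(txns):
        raise ValueError("batch is not sorted by transaction id; sort before processing")
    accepted: List[int] = []
    errors: List[Tuple[int, str]] = []
    for txn in txns:
        if not is_complete(txn):
            errors.append((txn["id"], "incomplete record"))
        elif not vendor_exists(txn):
            errors.append((txn["id"], "vendor number not in master file"))
        elif not zero_balance(txn):
            errors.append((txn["id"], "debits do not equal credits"))
        else:
            accepted.append(txn["id"])
    return accepted, errors


if __name__ == "__main__":
    ok, listing = process_batch(TRANSACTIONS)
    print("accepted:", ok)
    for txn_id, reason in listing:
        print(f"rejected {txn_id}: {reason}")
```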

3) Output Controls- provide assurance that processing was complete and accurate.

1) Audit Trail- a complete audit trail should be generated by each process: batch number,
time of submission, time of completion, number of records in the batch, total dollars in the batch,
number of records rejected, total dollars rejected, etc. The audit trail is immediately
subjected to a reasonableness check by the user, who is the most qualified to judge the
adequacy of processing and the proper treatment of erroneous (incorrect) transactions.

2) Error Listing- is a report of all transactions rejected by the system. These should be
corrected and re-submitted by the user.

4) Storage Controls

1) Program Documentation- complete, up-to-date documentation of all programs and
associated operating procedures is necessary for the efficient operation of an information
system. Maintenance of programs is important to provide continuity and consistency of
data processing services to users.

2) Dual Write Routines- the data can be stored on two separate physical devices (hard
drives) so that a mishap (accident) to one does not destroy the organization’s data.
Spooling is sending data to intermediate storage that is accessible by a device when
needed.

3) Validity Checks- hardware that transmits OR receives data compares bytes to the
permissible (allowed) combinations to determine whether they constitute a valid
structure.

4) Physical Controls- mounting hard drives in physically secured rooms and storing
portable media in locked storage areas are vital to preventing the compromise of
confidential data.

5) Snapshot- copies frequently used data files and allows a file to be used while it is being
backed up. However, the risk is that the copy may not be current.

6) Cloud Computing- standardized IT capability delivered via the internet as a pay-per-use
service. Advantages of cloud computing include a lower infrastructure investment,
lower maintenance costs, increased mobility, and lower personnel costs. Disadvantages
of cloud computing include less control than over an internal IT department, more
difficulty in securing data, and less compatibility.

[Figure: Input Controls]

[Figure: Processing Controls]

[Figure: Output Controls]

7. System Audit Techniques
There are 2 methods for auditing:
I. Auditing around the computer- is not appropriate when the system is sophisticated OR
the major controls are included in the computer programs. It may be appropriate for very
simple systems that produce adequate printed output.
The auditor manually processes the transactions and compares the results with the
client’s computer results. Since only a small number of transactions can be tested, the
effectiveness of the tests of controls must be questioned.

II. Auditing through the computer (concurrent auditing)- uses the computer to test the
processing logic and controls within the system and the records produced.
(Techniques 1 to 5 below are concurrent auditing techniques.)
Computer Assisted Audit Techniques (CAAT) can be used for transaction-based systems
and can provide automated methods for extracting and analyzing data.

1) Test Data- consists of a set of dummy inputs containing both good and bad data elements.
This approach tests the client’s program. The auditor can assess the controls embedded in
the application by observing how the system treats good and bad data elements.
Test data must never be mingled (mixed) with real data, and test data must not
interfere with production processing.

2) Parallel Simulation- subjects the client’s data to auditor-created programs. The goal is to
determine whether the data are what the client claims they are. Parallel simulation requires
the auditor to have some technical knowledge. The auditor must also have extensive
communication with the client to learn about the functions of the applications being
imitated (copied).

3) Generalized Audit Software (GAS)- allows the auditor to load a copy of the client’s
production data onto the auditor’s computer and perform the analysis. The auditor can
search for duplicate records, gaps in numbers, and high-monetary transactions. The issue
is making sure that the data obtained are the correct data to be tested (Ex- IDEA and
ACL)

4) Spreadsheet Analysis- permits easy analysis of huge amounts of client data and
performing what-if scenarios (Ex- Excel)

5) Integrated Test Facility (ITF)- the auditor creates dummy files on the client’s live
production system. The objective is to determine whether a real-time system contains
adequate controls. ITF requires great care to ensure no transactions of the dummy
files are included in the production reports and output files.

6) Embedded Audit Module- is an integral part of an application system. It is designed to
identify and report actual transactions and other information that meet the criteria of
having audit significance. An advantage is that it permits continuous monitoring of
online, real-time systems. A disadvantage is that audit hooks must be programmed into the
system to permit inserting audit modules.

7) Application Tracing- uses a feature of the programming language in which the
application was written. Tracing helps programmers and auditors follow the step-by-step
operation of the computer code.

8) System Mapping- is similar to application tracing, but mapping is performed by another
programmer, not an auditor. Mapping searches for unused code.

14.3 Security Measures and Business Continuity Planning

1. Risks of the Internet
The use of the internet has several risks, including:
1) Brute-Force Attack- uses password cracking software to try a large number of letter and
number combinations to access a network. A simple variation is the use of password
cracking software that tries all the words in the dictionary.

2) Spoofing (phishing)- is identity misrepresentation in cyberspace (Ex- using a false
website to obtain details from the visitor)

3) Sniffing- is the use of software to eavesdrop (spy) on information sent by a user to the
host computer of a website (Ex- a hacker viewing information exchanged between 2
users)

4) Man in the Middle (sniffing)- attacks that take advantage of network sniffing. These
attacks may be used to steal data, obtain access, OR analyze the traffic in the network and
learn about its operations.

5) Denial of Service (DOS)- an attempt to overload an organization’s network with so
many messages that it cannot function, which results in a system crash.

6) Distributed Denial of Service (DDOS)- an attack that overloads the organization’s
network from multiple sources.

2. Segregation of Duties in an IT Department
Computer operators, programmers, analysts and librarians should not have overlapping
responsibilities. These functions should be segregated (not combined in one person). The
segregation of accounting duties can enhance system security, as it involves the separation of
functions to minimize the opportunity for a person to be able to perpetrate and conceal errors or
fraud in the normal course of his/her duties.

➢ Network and Information Security- these people protect and monitor the company’s
network and information (Ex- LAN, firewall, internet)

➢ Systems Analysts- provide the design specification to the programmers of the new
system. Systems analysts should not do the programming or even have access to hardware,
software or data files.

➢ Programmers- are the individuals who write, test, revise and document systems. They
should not have access to computers and programs that are in actual use by employees
for processing.

➢ Librarians- maintain the documentation, programs and data files. They should have no
access to equipment or servers.

➢ Database Administrator (DBA)- controls access to files/data, restricting it to authorized
personnel, and makes program changes.

➢ Computer Operators- oversee the running of computer systems, ensuring that the
machines and computers are running properly. They can run them either remotely or in the
server room.

➢ Data Control Group- receives input, logs it, monitors the processing of data, reconciles
input and output, distributes output to authorized users and checks to see that errors are
corrected.

➢ Help Desk- provides IT support to the various system and application users

➢ IT Infrastructure- maintains and controls the inventory of hardware and IT infrastructure
(servers, laptops, etc.)

3. Encryption
Encryption technology converts data into a code. Unauthorized users may still be able to access
the data, but without the encryption key, they will be unable to decode the information.

There are 2 types of Encryption:

a. Public Key Encryption (Asymmetric)
Under this method, 2 keys are required: one for coding (widely known) and the other for
decoding (secret and known only by the receiver)

b. Private Key Encryption (Symmetric)
Less secure; it requires a single key for both coding and decoding

4. Firewalls
A firewall is a combination of hardware and software that separates an internal network from
an external network, such as the internet, and prevents the passage of specific types of traffic.
A firewall alone is not an adequate defense against computer viruses, so anti-virus software is
very crucial.
Network firewalls- regulate traffic to an entire network (Ex- LAN). The firewall examines each
query and, depending on the rules set up by network security, grants or denies access.

5. Routine Backup and Offsite Rotation

A typical backup routine involves duplicating all data files and application programs once a
month. In case of interruption of normal processing, the organization’s system can be restored in
3 weeks.
An offsite location must be temperature and humidity controlled and guarded against physical
access.

6. Business Continuity Planning
Disaster Recovery is the process of resuming normal information processing operations after the
occurrence of a major interruption. (Information was recovered)
Business Continuity Planning is the continuation of business by other means during the period
in which computer processing is unavailable or less than normal. (Operation after
recovering the lost data)

There are 2 types of disasters:

a. Processing and System Disaster
This includes power failures, which can be guarded against by the purchase of backup
electrical generators. It also includes attacks (viruses, denial of service,
hackers) where the system must be brought down to halt the spread of infection.
The IT staff must be well trained to isolate the problem and bring the system back to full operation.

b. Natural Disaster
The most extreme disaster is when the organization’s main facility is not accessible
due to floods, fires, hurricanes or earthquakes. The firm must prepare to operate
from another physical location.

Power Failures- can be guarded against by purchasing an electrical backup generator.

Viruses and DOS- anti-virus software will stop most attacks, but some viruses may not be
detected.

Recovery can take the following forms:

❖ HOT SITE- a fully operational processing facility that is immediately available. It
usually has the latest data and software and is ready in a few minutes (Ex- a mirrored data
center, which runs parallel to the company’s main center of operations)

❖ WARM SITE- has limited hardware already installed, but lacks servers and client
terminals

❖ COLD SITE- a shell facility that lacks most infrastructure, but is readily available for
quick installation of hardware.
