
Accounting Information Systems

( Auditing in CIS Environment )

MODULE 1 ( Introduction : Auditing in CIS)

Auditing
- A systematic process of objectively obtaining and evaluating evidence regarding
assertions about economic actions and events to ascertain the degree of
correspondence between those assertions and established criteria and communicating
the results thereof.

1. systematic process
- It is structured as a dynamic activity in a logical manner.

2. obtaining and evaluating evidence

- the auditor is concerned about assertions relating to the reliability of the system of
internal control and the content of the files or outputs produced by computer
processing
- he performs both compliance testing and substantive testing

3. ascertain the degree of correspondence between those assertions and
established criteria

- it requires judgment on the auditor’s part as to what constitutes
non-compliance

4. communicating the results

- to the client and other interested parties
- preparation of the audit report

● Who shall perform the audit?

- a person or persons having adequate technical training and proficiency as an
auditor.

Impact of computers on the accounting and auditing process
( IPEM RSMR)

1. Internal storage
- with the representation of information in electronic form inside the computer, the
auditor is no longer able to observe the processing of data to determine if the
proper procedures are being used.

2. Programs can be changed without the auditor’s knowledge

- such change can occur through a console intervention, or with codes that can
modify themselves while the program is running.

3. Elimination of audit trail

- partial elimination or disappearance of those documents, records, journals,
ledgers and other documents that enable the auditor to trace a transaction from
source document to summarized totals in an accounting report, or vice versa.

4. Multiprogramming or multiprocessing

- with the ability of computer systems to process several applications simultaneously, files
currently being reviewed can be modified during data processing by another program.

5. Remote processing (tele-processing)

- A major threat is the potential loss of assets from unauthorized access to programs and
files; data might also be lost during transmission.
- PHISHING is the attempt to acquire sensitive information such as usernames,
passwords, bank account and credit card details for malicious reasons, by masquerading
as a trustworthy entity in an electronic communication.

6. Speed, On-line/Real-time processing

- since account balances are updated immediately upon entering the system, it could
mean that before the auditor has finished reading and adding the balances, some of the
balances may have already changed.

7. Multiple locations

- the complexity of multiprocessing and on-line/real-time systems is compounded by processing in
several locations:
- several floors and offices in a building
- several buildings in a compound
- several geographical locations

8. Rapid changes: technology, business needs

Auditing Approaches

1. Auditing around the computer
2. Auditing with the computer
3. Auditing through the computer

1. **Auditing around the computer:**

- This involves traditional auditing methods that don't heavily rely on computerized
systems.
- Auditors examine physical documents, interview personnel, and assess general
controls without directly involving computerized processes.

2. **Auditing with the computer:**

- Refers to using computer-assisted audit techniques (CAATs) to enhance audit
procedures.
- Auditors utilize software tools to analyze large datasets, perform calculations, and
detect anomalies, working alongside traditional audit methods.

3. **Auditing through the computer:**

- This involves a more integrated approach where auditors rely extensively on
computer systems and data.
- Auditors directly access and analyze electronic records, often in real-time, to assess
the integrity and accuracy of financial information.

MODULE 2 ( Auditing Standards and CIS Auditing Concepts)

Standards of Field Work

1. Compliance Testing

“The auditor must obtain a sufficient understanding of the entity and its environment, including
its internal control,
- to assess the risk of material misstatement of the financial statements whether due to error or
fraud, and
- to design the nature, timing, and extent of further audit procedures.”

Internal Control

- Comprises the plan of the organization and all of the methods and procedures
adopted by a business to:

OBJECTIVES OF INTERNAL CONTROL ( SCP)

1. Safeguard its assets
2. Check the accuracy and reliability of its accounting documents
3. Promote operational efficiency and encourage adherence to prescribed managerial
policies

Internal Control System

1. ADMINISTRATIVE CONTROLS

- the plan of the organization and the methods and procedures to promote operational
efficiency and encourage adherence to prescribed managerial policies.

2. ACCOUNTING CONTROLS

- the plan of the organization and the methods and procedures used to safeguard assets
and to check the reliability of accounting data.

AIS Controls:
> General Controls
> Application Controls

1. GENERAL CONTROLS
- have pervasive effects
> if they are weak or absent, they negate the effects of the application controls.

GENERAL CONTROLS ( OSSSD HSS)

1. Organizational controls
2. Sound personnel practices
3. Standard operating procedures
4. Systems development controls
5. Documentation controls
6. Hardware control
7. System software controls
8. Systems security controls

2. APPLICATION CONTROLS
- Relate to the specific tasks performed by the computer

> Input controls
> Processing controls
> Output controls

Standards of Field Work

2. Substantive Testing
- The auditor must obtain sufficient appropriate audit evidence by performing audit
procedures to afford a reasonable basis for an opinion regarding the financial statements
under audit.

1. Test of details of transactions and balances

> complexities include automatic:
- authorization of sales within certain limits
- issuance of checks to vendors on due dates

2. Analytical review procedures

> performed to detect unusual relationships among financial information
> review may include comparison of this year’s amounts with last year’s; actual results with
budget or forecast; review of financial ratios.
> not significantly different from a manual or mechanical system

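The three comparisons listed above (this year against last year, actual against budget, and financial ratios), carried out as a small computer-assisted procedure. This is an added example and not part of the course notes; the account balances, the 15% tolerance and the two ratios chosen are constructed assumptions.

```python
# Added example, not from the course notes: analytical review as a
# computer-assisted procedure.  It compares this year's balances with last
# year's and with budget, recomputes two financial ratios, and flags the
# relationships that move by more than a tolerance.  Balances are constructed
# sample figures (in thousands); the tolerance and the ratio set are this
# example's assumptions, not a standard.

from decimal import Decimal

CURRENT = {"sales": Decimal("1250"), "cost_of_sales": Decimal("900"),
           "receivables": Decimal("410"), "inventory": Decimal("300")}
PRIOR = {"sales": Decimal("1180"), "cost_of_sales": Decimal("820"),
         "receivables": Decimal("265"), "inventory": Decimal("290")}
BUDGET = {"sales": Decimal("1300"), "cost_of_sales": Decimal("910"),
          "receivables": Decimal("280"), "inventory": Decimal("310")}

TOLERANCE = Decimal("0.15")   # flag movements larger than 15 % (assumed)


def pct_change(actual: Decimal, base: Decimal) -> Decimal:
    """Relative movement of actual against base (base must be non-zero)."""
    return (actual - base) / base


def flag_movements(actual: dict, base: dict, tolerance: Decimal = TOLERANCE) -> dict:
    """Accounts whose movement against the base exceeds the tolerance,
    mapped to the movement rounded to four decimals."""
    flagged = {}
    for account in actual:
        change = pct_change(actual[account], base[account])
        if abs(change) > tolerance:
            flagged[account] = change.quantize(Decimal("0.0001"))
    return flagged


def ratios(balances: dict) -> dict:
    """Two ratios an auditor commonly reviews (assumed choice)."""
    sales = balances["sales"]
    return {
        "gross_margin": (sales - balances["cost_of_sales"]) / sales,
        "receivables_turnover": sales / balances["receivables"],
    }


def analytical_review(current: dict, prior: dict, budget: dict) -> dict:
    """Run the three comparisons the notes describe and return the flags."""
    return {
        "vs_prior_year": flag_movements(current, prior),
        "vs_budget": flag_movements(current, budget),
        "ratio_changes": flag_movements(ratios(current), ratios(prior)),
    }


if __name__ == "__main__":
    for comparison, flags in analytical_review(CURRENT, PRIOR, BUDGET).items():
        print(comparison, flags or "nothing unusual")
```

With the sample figures only receivables moves outside tolerance, and the fall in receivables turnover is the unusual relationship the review would follow up.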
Standards of Field Work

3. Dual-purpose testing
- Both types of tests, compliance and substantive, are performed at the same time.

● Who Performs the Computer Auditing Tasks?


- Demands as to expertise placed on the auditor: “If clients use electronic
processing in its accounting system, whether the application is
simple or complex, the auditor needs to understand the entire
system sufficiently to enable him to identify and evaluate its
essential accounting control features.”

● When to Perform the Procedures?

1. Auditing concurrently with processing

- information is available to the auditor while a program is running.

2. Auditing after processing

- audit procedures are performed after a computer program is
finished.

● Where in the Processing Cycle the Audit Should be Performed?

1. Auditing the phases of processing

- refers to the study and evaluation of internal control.

2. Auditing the results of processing

- refers to the collection of evidential matter; emphasis is on the direct test
of account balances.

● Which Parts of the System the Audit Should be Performed? ( PFS)

1. Auditing computer programs

2. Auditing computer files

3. Auditing computer systems


MODULE 3 ( General Controls)

GENERAL CONTROLS

1. Organizational controls
2. Sound personnel practices
3. Standard operating procedures
4. Systems development controls
5. Documentation controls
6. Hardware control
7. System software controls
8. Systems security controls

1. Organizational Controls (Plan of Organization)

- relate to the segregation of duties in order to reduce error or fraud:

1. segregation of EDP and user functions
2. segregation of functions within EDP
3. segregation of functions among users

1. Segregation of EDP and User Functions ( ES)

a. Error detection, correction and resubmission
b. Segregation of incompatible functions

1.a. Error detection, correction and resubmission

> systems tests performed during systems development ensure the elimination of errors,
> when errors occur, generally, they are corrected and resubmitted at source.

1.b. Segregation of Incompatible functions ( AEA )

i. Authorization
ii. Execution
iii. Accountability

i. Authorization

- as a general rule, IT should not be permitted to authorize transactions; however, some
authorization functions are incorporated in the computer program
- examples: materials reordering system, customer order processing

ii. Execution

- steps in the transaction processing cycles and changes to master files are to be
performed by the users; today, execution is done automatically through instructions in
the program
- examples: system-generated financial entries, automatic reversing entries

iii. Accountability

- EDP should not have custody of non-EDP assets
- access is normally indirect, e.g., the computer program contains the instructions to
release inventory for shipment

2. Segregation of functions within EDP ( SOD)

a. Systems Development ( SAS)
> Systems Analysis
> Application Programming
> Systems Programming

b. Operations
c. Database administration
> Independent librarian function

3. Segregation of functions among users

● Compensatory controls
- generally manual controls that are performed to compensate for the internal control
weakness arising from the non-segregation of duties.
> review and approval of purchase orders by Purchasing Department
> review of exception lists from credit approval runs
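The authorization/execution/accountability rule from 1.b and the compensatory controls just listed, combined in one added check (example code, not from the notes): it scans a constructed access matrix for users who hold incompatible functions in the same transaction cycle and reports whether a compensatory control is on record for that combination. The user names, cycle names, control register and function names are this example's assumptions.

```python
# Added example, not from the course notes: detecting a user who holds two or
# more of the incompatible functions (authorization, execution, accountability)
# within one transaction cycle, and reporting whether a compensatory (manual)
# control is on record for that combination.  The access matrix and the
# control register are constructed sample data.

INCOMPATIBLE = ("authorization", "execution", "accountability")

# constructed access matrix: user -> set of (transaction cycle, function)
ACCESS = {
    "ana": {("purchasing", "authorization")},
    "ben": {("purchasing", "execution"), ("purchasing", "accountability")},
    "cid": {("purchasing", "authorization"), ("purchasing", "execution")},
    "dee": {("payroll", "execution"), ("purchasing", "accountability")},
}

# constructed register of compensatory controls, keyed by (user, cycle);
# the wording is the kind of control the notes list
COMPENSATORY = {
    ("cid", "purchasing"): "review and approval of purchase orders by Purchasing Department",
}


def find_conflicts(access: dict) -> list:
    """Return (user, cycle, functions) for every user holding more than one of
    the incompatible functions in the same cycle; sorted for stable output."""
    conflicts = []
    for user, grants in access.items():
        per_cycle = {}
        for cycle, function in grants:
            if function in INCOMPATIBLE:
                per_cycle.setdefault(cycle, set()).add(function)
        for cycle, functions in per_cycle.items():
            if len(functions) > 1:
                conflicts.append((user, cycle, tuple(sorted(functions))))
    return sorted(conflicts)


def assess(conflicts: list, compensatory: dict) -> list:
    """Attach the compensatory control (if any) to each conflict.  A conflict
    with no compensatory control is the finding an auditor would report."""
    report = []
    for user, cycle, functions in conflicts:
        control = compensatory.get((user, cycle))
        report.append({
            "user": user,
            "cycle": cycle,
            "functions": functions,
            "compensatory_control": control,
            "finding": "mitigated" if control else "unmitigated conflict",
        })
    return report


def unmitigated(access: dict, compensatory: dict) -> list:
    """(user, cycle) pairs that need either an access change or a new manual control."""
    return [(row["user"], row["cycle"])
            for row in assess(find_conflicts(access), compensatory)
            if row["compensatory_control"] is None]


if __name__ == "__main__":
    for row in assess(find_conflicts(ACCESS), COMPENSATORY):
        print(row)
```

Note that "dee" is not flagged: her execution and accountability functions sit in different cycles, which is the scope the rule in 1.b applies to.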

2. Sound Personnel Practices ( HPR PT CR FP)

- provide control over the quality of work by ensuring that personnel are
competent and honest
- provide policies that encourage compliance

a) Hiring and evaluation of Personnel

i. Hiring test
> mostly behavioral and personality tests

ii. Background check
> checking of character references, recommendations from
previous employers, NBI and police clearances

iii. Fidelity bonds

b) Personnel scheduling
- Irregularities may be discovered during an employee’s absence.

c) Rotation of duties
- Enables the employee to master other tasks, thus, effectiveness is
improved.
- When a task is performed by another, opportunities for improvement can
be identified.

d) Performance Evaluation
- a tool to identify strengths and areas of improvement.
- a good basis for rewards and remunerations.

e) Training and Development
- enhances employee performance and potential for more responsible
roles.
- CPE (Continuing Professional Education)

f) Career Path
- a tool to formalize target positions
- helps identify training needs
- encourages loyalty and dedication

g) Rewards and Remuneration
- induces employees to perform their best

h) Formalization of Personnel Practices
- conveys the company’s sincerity to its commitments

i) Psychological Control
- employees tend to display positive behavior if it goes with a reward or
punishment as the case may be

3. Standard Operating Procedures ( SM MJ CH FAE)

- identify procedures that ensure high quality processing and limit the opportunity for
errors, and unauthorized use of files, programs and reports.

● Scheduling
● Machine operations
● Machine performance
● Job-run procedures
● Console log and personnel time record
● Housekeeping
● File control standards
● Adequate supervision
● Emergency and physical security procedures

1. Scheduling

- the operations of the computer should follow realistic schedules to allow for
assembly and preventive maintenance

2. Machine operations

- include procedures for loading programs and storage devices
- requirement that console error messages be responded to uniformly

3. Machine performance

- identification and correction of equipment snags help reduce the incidence of
hardware-induced errors.
- standards are set for elapsed time usage, maintenance time, expected downtimes and
other conditions
- periodic review of equipment maintenance and failure logs, and comparison of actual
equipment performance with standards

4. Job-run procedures

- these procedures generally outline the sequence of the programs to ensure that the
required processes are performed in the correct order
- example: Variance Report Preparation
> update physical standards
> input volume of production
> enter actual quantities consumed
> calculate variances

5. Console logs and personnel time record

- should be prepared by the operating system to record all operating and application
system activities, maintain an equipment utilization record and identify operator and
user initiated actions.
- it provides an important control over unauthorized system use.

6. Housekeeping
- procedures relating to the use of supplies, storage of programs, and handling of files
are designed to reduce the risk of loss or destruction of programs and data.
- it ensures that sensitive output does not fall into unauthorized hands.

7. File control standards

- standards for the handling of files are necessary to minimize opportunities for misuse,
damage or loss of files.
- standards include file names, retention dates, reconstruction procedures and storage
location.
- the files are controlled by a librarian.

8. Adequate supervision

- control and review of operating activities which include periodic examination and
comparison of console logs, job records and personnel time records.

9. Emergency and physical security procedures

- plans and procedures to protect programs, files and equipment from fire, theft, natural
disasters, power failure, or failure of communications.
- emergency and physical security procedures should be written and included in the
systems and procedures manual.

4. Systems Development Control ( SP PUTS FCPP)

- The best time to build in the application controls is during the development of a system.
- it would be easier compared with doing the program revisions later in order to incorporate the
control.

1. Systems development methodology
2. Project management
3. Programming conventions and procedures
4. User, Accounting, and Audit Participation
5. Technical, Management, User, and Auditor Review and Approval
6. System Testing
7. Final Approval
8. Conversion and Migration Control
9. Post-implementation Review
10. Program Change Control

1. Systems development methodology

a. SDLC
- planning, analysis, design, development and implementation
- building-in of required application control
- users’ training and users’ procedures manual

b. Post implementation optimization

- Was there an evaluation that the new system meets the business
requirements?

c. Documentation
- provides control over the prevention, detection and correction of errors.

2. Project management

- The systems development methodology will be of little value if development projects are not
adequately managed.

3. Programming conventions and procedures ( FDC SSS DA)

Conventions

- refer to the agreed standards, for example, in the use of symbols, charts, texts,
graphs or writing of manuals.
- also pertain to the uniform procedures followed in order to ensure the same
accurate results every time a job is performed.

● Flowcharting conventions
● Decision table conventions
● Coding conventions
● Standard glossary and standard abbreviations
● Standard program routines
● Standard job control procedures
● Debugging
● Auditing conventions

Coding conventions

1. Computer code or program code

- the set of instructions forming a computer program which is executed by a computer.

2. Data code

- a number, letter, character, or any combination thereof used to represent a data
element or data item.
- Data coding conventions provide a common understanding of the meaning of
the codes. ( SSM LIC)

> significant digit code
> sequence code
> mnemonic code
> last digit code
> identifiers
> check digit code

Standard glossary and standard abbreviations

- terms and abbreviations that are unique to a particular installation should be
carefully defined.
- use of non-standard terms and abbreviations should be prohibited to make
review of documentation easier.

Standard program routines

- a subroutine is a portion of code within a larger program that performs a specific
task and is relatively independent of the remaining code.
- also called procedure, function, routine, method, or subprogram.
- the main sequence of logic in a program can branch off to a common routine when
necessary. When finished, the routine branches back to the next sequential instruction
following the instruction that branched to it.

Standard job control routines

- provide the interface between the application program and the operating system.

Debugging

- standard techniques for debugging increase the chance that errors will be found and
provide a trail of program changes, thereby reducing the opportunity for unauthorized
program change.

Auditing conventions

- the programming standards manual should include a list of required controls and audit
features.

4. User, Accounting, and Audit Participation

- Ensures that users’ requirements are met by the system.
- User participation represents commitment and approval.
- Users recognize their responsibility and their dependence on the output.
- Audit participation provides the opportunity to make suggestions regarding
improvements in internal control.

5. Technical, Management, User, and Auditor Review and Approval

Technical level

- work outputs for each phase should be reviewed and approved by the systems
and programming supervisors before submission to users, auditors and management
for approval.

Output level

- requires that users, auditors and management review and approve the work
output at the end of each phase.

6. System Testing

- an important control because it is the last opportunity to discover and
correct problems before implementation of the system.

- Purpose:

> to ensure that the system will operate in conformance with the design
specifications.
> to determine whether the system’s operations meet user requirements.
> to test all application controls if they will work as intended.
> to verify that errors in input, processing and output will be detected.

● Program tests
- testing of the processing logic of the programs.

● String tests
- instead of a single program, they are applied to a string of logically
related programs.

● System tests
- applied to all programs in the systems to check if they will function if they
run at the same time.

7. Final Approval

- Provides an opportunity to examine the final test results to make a final judgment.
- Final approval should be given by management, users and IT or EDP personnel before
the system is implemented.

8. Conversion and Migration Control

- controls to prevent and detect errors when converting and migrating files
to the new system.

● Data conversion

- the translation of computer data from one format to another.

● Data Migration

- the process of transferring data from one system to another; generally,
migration requires data conversion.

Control procedures:

- file conversion approval should be obtained before the process begins to
ensure that the files being converted are fully controlled.
- the original and the new files can be reconciled through record counts, hash
totals or amount totals.
- compare records from the original files with the new files to ensure that
there are no discrepancies.
- confirmation requests may be sent to third parties asking them to confirm the
data that relates to them.
- operational approval should be obtained from the users after they have used
the system a few times; this use serves as the “acceptance test”.
> approval indicates their satisfaction with the way the system is
operating.
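The reconciliation controls above (record counts, hash totals, amount totals, and the record-by-record comparison) worked through on two constructed sample files. This is an added example and not part of the notes; the CSV layout, the field names and the deliberate error planted in the migrated copy are assumptions.

```python
# Added example, not from the course notes: reconciling an original file with
# its converted/migrated copy using the controls the notes list (record count,
# hash total, amount total) and a record-by-record comparison.  Both files are
# constructed sample data; the migrated copy contains one deliberate
# transposition error in a balance (43210.75 became 43201.75).

import csv
import io
from decimal import Decimal

ORIGINAL_CSV = """customer_id,name,credit_limit,balance
1001,Acme Trading,50000.00,12500.50
1002,Baker Supplies,20000.00,0.00
1003,Cruz Hardware,75000.00,43210.75
1004,Delta Foods,10000.00,999.99
"""

MIGRATED_CSV = """customer_id,name,credit_limit,balance
1001,Acme Trading,50000.00,12500.50
1002,Baker Supplies,20000.00,0.00
1003,Cruz Hardware,75000.00,43201.75
1004,Delta Foods,10000.00,999.99
"""

KEY = "customer_id"                       # assumed record key
AMOUNT_FIELDS = ("credit_limit", "balance")


def load(csv_text: str) -> list:
    """Parse a CSV export into a list of row dicts (values kept as text)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def record_count(rows: list) -> int:
    return len(rows)


def hash_total(rows: list, field: str = KEY) -> int:
    """Sum of a non-monetary field (here the customer id); the sum has no
    business meaning, it only has to agree between the two files."""
    return sum(int(row[field]) for row in rows)


def amount_total(rows: list, field: str) -> Decimal:
    """Sum of a monetary field, using Decimal so cents are exact."""
    return sum((Decimal(row[field]) for row in rows), Decimal("0"))


def control_totals(rows: list) -> dict:
    totals = {"record_count": record_count(rows), "hash_total": hash_total(rows)}
    for field in AMOUNT_FIELDS:
        totals["amount_total:" + field] = amount_total(rows, field)
    return totals


def reconcile(original: list, migrated: list) -> dict:
    """Compare each control total; value is (original, migrated, agrees?)."""
    before, after = control_totals(original), control_totals(migrated)
    return {name: (before[name], after[name], before[name] == after[name])
            for name in before}


def compare_records(original: list, migrated: list) -> list:
    """Field-level discrepancies as (key, field, original_value, migrated_value).
    A record missing on one side is reported with None for that side."""
    by_key_orig = {row[KEY]: row for row in original}
    by_key_new = {row[KEY]: row for row in migrated}
    findings = []
    for key in sorted(set(by_key_orig) | set(by_key_new)):
        old, new = by_key_orig.get(key), by_key_new.get(key)
        if old is None or new is None:
            findings.append((key, "*record*", old, new))
            continue
        for field in old:
            if old[field] != new.get(field):
                findings.append((key, field, old[field], new.get(field)))
    return findings


if __name__ == "__main__":
    orig, new = load(ORIGINAL_CSV), load(MIGRATED_CSV)
    for name, (a, b, ok) in reconcile(orig, new).items():
        print(f"{name:28} {a!s:>12} {b!s:>12} {'OK' if ok else 'DIFF'}")
    for finding in compare_records(orig, new):
        print("discrepancy:", finding)
```

The record count and hash total agree, so only the amount total exposes the error; the record comparison then pinpoints which record and field to correct.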

9. Post-implementation Review

Conducted to:

> determine if the system is operating as intended
> evaluate the effectiveness of the entire process of developing the system.
“the feedback from this review is useful to the external auditor as it
indicates that controls are either functioning as desired or not.”

10. Program Change Control

- Strong systems development controls are negated if subsequently, unauthorized
modifications to the programs are performed due to inadequate program change
control.

- Program changes result from a desire to improve the system, the need to adjust
to changing business conditions or the need to incorporate new operating,
accounting and control policies. These changes are referred to as program
maintenance.

- The objective of program change control is to ensure that all program change requests
are approved and authorized and that all approved and authorized program change
requests are completed.

Controls:

1. program changes should be in accordance with established systems, programming
and documentation standards.

2. program changes should be restricted to systems personnel; operating personnel
should not make changes to programs – even temporary changes to facilitate the
running of a program.

3. the changes should be reviewed and approved by the user to ensure conformity with
the purpose of the change.

4. changes should be made to the test program and not the production program to limit
the opportunities to make unauthorized changes to the production program.

5. changes should be tested thoroughly before implementation.

6. program changes and test results should be reviewed and approved.

7. user and operating personnel should be retrained, if needed, to handle new
procedures.

8. all documentation affected by the change should be updated.

9. control should be established over the conversion to the new program;
the conversion is accomplished by:
> changing the new program to a production status
> copying the old program to a back-up file and deleting it from the library of
production programs.

10. conversion should not be permitted before approval of the test results and
completion of changes to documentations.

11. final approval should be given by data processing management and the user.

5. Documentation Control ( PS POU)

● Documentation
- describes the system and procedures for performing a data
processing task.
- a means of communicating both the essential elements of a system and
the logic followed by the computer programs.
- an integral part of the systems design and the documentation process.

Purposes of Documentation (SET DCC PA)

1. Provides a source of information for systems analysts and programmers who are
responsible for maintaining and changing existing systems and programs.
2. Provides explanatory information necessary for review of proposed systems and
programs.
3. Serves as the basis for training new personnel.
4. Provides data necessary for responding to inquiries regarding the operation of a
computer program.
5. Basis for communicating common information to systems analysts, programmers
and computer operators.
6. It provides computer operators with current operating instructions.
7. Preserves continuity when experienced personnel leave the organization.
8. It is a source of information about accounting controls.

What Constitutes Adequate Documentation ( PS POU)

1. Problem Definition Documentation
2. Systems Documentation
3. Program Documentation
4. Operations Documentation
5. User Documentation

1. Problem Definition Documentation ( DSE )

- A permanent summary of the problem solved by the systems.
- It represents the basic source of information regarding the
purpose of the system.
- In organizations that utilize a standard systems development
approach, the original source of the problem definition information
is the Project Plan, also called Project Charter or Systems Planning
Study Report.

Inclusions:
1. Description of the reasons for implementing the system
including the objectives and scope of the project.
2. System specifications describing the operations
performed by the system.
3. Evidence of approval and any subsequent changes in
systems specifications.

2. Systems Documentation ( SIOF CC)

- A record of the way information flows through the system
from input to file medium and then onto output.
- It permits the tracing of the theoretical flow of accounting
data from the original entry to the system output.
> useful for the auditors in evaluating the
adequacy of the audit trail provided by the systems.

Inclusions:
1. Systems flowchart
2. Input descriptions
- identify the type of source documents used.
- for example, this may be a description of the Time Keeping
System as a source of time data in a payroll or labor
distribution system.
3. Output descriptions
- show each type of output generated by the system.
- defines where the output is stored, what files are updated,
the medium of providing the users (screen displays or
printed copies), the use of the output, who uses it, when it is
used and the frequency of need.
4. File description
- lists individual files and describes the scope and functions
of each file.
- for example, a customer master file may be described as
containing customer data, i.e., customer name, delivery
address, billing address, contact number, credit limit,
payment terms etc.
5. Control descriptions
- summarize the main control features that are designed into
the system, e.g., general controls and application program
controls.
6. Change summary
- list of all changes that have been made and their effective
dates along with copies of authorizations of these changes.

3. Program Documentation ( BP LAD CP)

- Focuses on detailed information regarding each
program in the system.
- The detailed information is used to maintain effective
control over program changes and to define the current
status of each program.

Inclusions:
1. Brief narrative description of the functions of the program.
2. Program flowcharts, or detailed logical narrative showing
how the program operates, e.g., whether all account
balances should be printed or just those with abnormal
balances.
3. Listing of parameters used in the program such as tax
withholding tables.
4. A list of application controls such as data entry validation
and output controls.
5. Detailed description of file formats and record layouts;
typical information includes the names of all fields within a
record, field location, field sizes and field data character
type.

6. A description of code values, for example codes used to
identify transactions being processed.
7. A record of all program changes, including test results,
authorization for the changes, and their effective dates.

4. Operations Documentation ( PID SEREI)

- The information provided to enable the computer operator
to run the computer program.
- It is known as Systems and Procedures Manual, or simply
Operations Manual.

Inclusions:
1. A brief narrative that indicates the purpose of the
program.
2. An input/output chart that lists all the inputs and outputs
required for processing the program and the sequence in
which they are to be used.
3. A description of input/output forms and formats, including
an output distribution list, provided for the operators’
guidance.
4. A list of set-up instructions and operating systems
requirements.
5. A list of all program error messages and halts with the
description of the action to be taken in response to each
error message and halt condition.
6. Detailed instructions regarding recovery and restart
procedures to be used in the event of hardware or software
malfunction.
7. A list of estimated normal and maximum runtime.
8. A list of instructions to the operator in case of emergency.

5. User Documentation (NSU CP HCR )

- A step by step guide that the users can refer to as they use
the system.
- Useful in training new or replacement personnel.
- Valuable for the auditor in understanding the user’s role in
the processing of data and evaluating the degree of control provided by the
user.

Inclusions:
1. A nontechnical description of the system including the
benefits the user may derive from it.
2. A description of the types of source documents required,
such as purchase orders.
3. A description of the form and purpose of each output
received by the users.

4. Detailed instructions for the use of control procedures
with identification of responsibility for the performance of
these control procedures.
- responsibility is defined by positions and not by
individual person.
5. Procedures for correcting errors in input data or in
processing that are detected by the user.
6. Instructions for handling additions, deletions, or
corrections to files.
7. Procedures for cutoff of data submitted for processing,
including dates and times for final submission of data.
8. A checklist for review of reports for completeness and
accuracy.

6. Hardware Controls ( RDEEV PO)

- Provided by hardware manufacturers
- Today’s computers are designed to be very reliable and most of them have built-in
hardware controls.
- Even with this, it is essential that the auditor evaluates the impact of hardware controls
on the system reliability.

1. Redundant character check
2. Duplicate process check
3. Echo check
4. Equipment check
5. Validity check
6. Power protection
7. Operational manual controls

1. Redundant character check

- a bit, two bits or a set of bits added for the purpose of detecting errors.
- data are stored in binary codes: a sequence of zeros and ones (bits)
- a single parity bit is an additional bit created for each character
processed.
- the computer counts the number of 1 bits in each character to determine if the
count is odd or even.
- in an odd parity check, the computer will add a parity bit of 0 if the count is
odd, and a 1 if the count is even, so that the total number of 1 bits is always odd.
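Odd parity as described above, worked through as an added example (not code from the notes): it appends the parity bit to constructed sample characters, detects a single flipped bit, and shows the known limit of the control, that an even number of flipped bits passes the check. The 7-bit ASCII width and the sample text are assumptions.

```python
# Added example, not from the course notes: a single odd-parity bit as a
# redundant character check.  Seven data bits per character plus one parity
# bit; the parity bit is chosen so the total number of 1 bits is odd.
# The sample text is constructed for the demonstration.

DATA_BITS = 7            # width of one character code (7-bit ASCII, assumed)
CODE_BITS = DATA_BITS + 1


def count_ones(value: int, width: int) -> int:
    """Number of 1 bits in the low `width` bits of value."""
    return bin(value & ((1 << width) - 1)).count("1")


def odd_parity_bit(char: int) -> int:
    """Parity bit to append: 0 if the data already has an odd count of 1s,
    1 if the count is even (the rule the notes describe for odd parity)."""
    return 0 if count_ones(char, DATA_BITS) % 2 == 1 else 1


def encode(char: int) -> int:
    """Store the parity bit as the high (8th) bit of the 8-bit code."""
    data = char & ((1 << DATA_BITS) - 1)
    return (odd_parity_bit(data) << DATA_BITS) | data


def decode(code: int) -> int:
    """Strip the parity bit to recover the 7-bit character."""
    return code & ((1 << DATA_BITS) - 1)


def parity_ok(code: int) -> bool:
    """The hardware check: all 8 stored bits (data + parity) must have an odd count."""
    return count_ones(code, CODE_BITS) % 2 == 1


def failed_positions(codes) -> list:
    """Positions of characters whose parity check fails."""
    return [i for i, code in enumerate(codes) if not parity_ok(code)]


def flip_bits(code: int, *positions: int) -> int:
    """Simulate a hardware fault by inverting the given bit positions (0 = LSB)."""
    for pos in positions:
        code ^= 1 << pos
    return code


# Constructed sample: the characters of the word "AUDIT" as ASCII codes.
SAMPLE = [ord(c) for c in "AUDIT"]
ENCODED = [encode(ch) for ch in SAMPLE]


def demo() -> tuple:
    """Return (clean_failures, single_flip_failures, double_flip_failures)."""
    clean = failed_positions(ENCODED)
    # one bit flipped in the 4th character ('I'): an odd number of changed bits
    single = list(ENCODED)
    single[3] = flip_bits(single[3], 2)
    # two bits flipped in the 1st character ('A'): the count of 1s stays odd,
    # so a single parity bit cannot detect this (the limit of the control)
    double = list(ENCODED)
    double[0] = flip_bits(double[0], 0, 1)
    return clean, failed_positions(single), failed_positions(double)


if __name__ == "__main__":
    print([f"{code:08b}" for code in ENCODED])
    print(demo())
```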

2. Duplicate Process Check

- uses the principle of complementary operations to detect and correct errors.
- an operation is performed twice, then the results are compared; any difference
indicates a hardware-induced error.

3. Echo Check

- the purpose is to ensure that commands sent to peripherals or remote
equipment are obeyed and that data is received correctly.
- the peripherals or remote equipment send back (echo) a signal verifying that the
command has been received and complied with.

4. Equipment Check

- controls built into the circuitry of the computer to ensure that the equipment is
functioning properly and, where necessary, automatic error correction.
- these automatic error corrections are either:
> automatic error diagnosis, or
> automatic retry

5. Validity Check ( OCA)

- to ensure that actions taken by the computer are valid.
> operation validity: ensures that only valid instructions are performed.
> character or field validity check: compares data characters or fields that are
written or read with a set of all valid characters or fields.
> address validity: check of storage location in memory or in a peripheral
device.

6. Power Protection
- protects the hardware from power fluctuations (spikes or surges)
- enables the computer to continue operations in case of power interruptions
(UPS)

7. Operational manual controls ( EEFP)

a. Equipment failure logs
b. Environmental controls
- Dust, temperature, humidity
c. Formal recovery procedures
d. Preventive and corrective maintenance

7. Systems Software Controls ( CCCSS)

● Systems software

- a set of program routines that perform system level functions of management*,
application program support, and tasks common to many applications.
* includes both the control of all operations and the allocation of the resources,
i.e., CPU time, memory, input/output devices among the various application
programs.

1. Controls to handle errors
2. Controls for program protection
3. Controls for file protection
4. Security protection
5. Self protection

1. Controls to handle errors ( RRS)

a. Read or write error routines
> retry, diagnose, propose action (close the file, etc.); prevent
erroneous overwriting of existing records or files.
b. Record length checks
> signal a record whose length differs from the length defined for the file
c. Storage device checks
> signal if a storage device is not operational

2. Controls for program protection ( BEL)

- prevent application programs from interfering with each other during
processing

a. Boundary protection
> assignment of memory partitions to programs in a
multiprogramming environment, so that a program cannot read or write
outside its own partition
b. Control over external references (subroutines) in linkage editing
c. Library program software ( PEL)
> restriction of access to the use and change of programs:
- Passwords: used to limit access to programs.
- Encryption: secret coding that prevents understanding of the program
without the necessary key.
- Library software control reports: program listing identifying the version
of each program, run date, last copied, last changed, to ensure that the
current authorized version is used.

3. Controls for file protection ( CSM)

- to prevent unauthorized use or modification of data

a. Checking internal file labels – to prevent processing of wrong files, and
premature destruction (overwriting a file before its retention period has expired).
b. Storage protection – prevents inadvertent overwriting
c. Memory clear – removes the risk of sensitive data being available for
subsequent access (residual data left in memory after a program finishes)

4. Security protection ( MP)

a. Maintenance of logs and activity information
b. Password monitoring

5. Self-protection (manual) ( SH)

a. Segregation of duties
- assignment of responsibilities for systems software, application
software, library and operations should be separated.
b. Hardwiring
- encode the software logic in hardware; modification can only be
done by the removal and replacement of the hardware.
8. Systems Security Controls

● System Security ( HESHC)

- the protection of computer facilities, equipment, programs and data from destruction
by environmental hazards, by equipment error, software error or human error, or
by computer abuse.

Environmental hazards
- include fires, floods, tornadoes, earthquakes and other acts of God. Generally
occur infrequently but with a high cost per occurrence.

Errors
- include damage to disk storage by faulty disk drives, mistakes in application
programs that destroy or damage data, and operator mounting of incorrect files.
Generally frequent but at low cost per incident.

Computer abuse
- the violation of a computer system to perform malicious damage, crime or
invasion of privacy.
-> Malicious damage includes looting and sabotage.
-> Crime includes embezzlement, industrial espionage, and the sale of
commercial secrets.
-> Invasion of privacy includes discovery of confidential salary information, and
the review of sensitive data (e.g., financial information) by a competing company.

8. Systems Security Controls

- are general controls that prevent failures in systems security and provide for recovery
from failures in systems security; they are generally categorized as:
1. Controls that provide a secure system
2. Controls for detecting failures in systems security
3. Controls for recovery from systems security failures
The three general categories pertain to:
1. Prevention
2. Detection
3. Correction and recovery

1. Controls that provide a secure system ( SF LOD )

a. Security Management
i. Establish security objectives
ii. Evaluate security risks
iii. Develop a security plan
iv. Assign responsibilities
v. Test system security
vi. Evaluate system security

b. Facilities Security Controls

i. Location controls
ii. Construction controls
iii. Access controls
- Conventional keys
- Magnetic stripe cards
- Devices that can read physical characteristics,
e.g., fingerprints
- Signature verification system

c. Library Controls

i. Library function for access controls
- authorized users
- usage log
ii. Physical file control
- Internal header and trailer labels
- External labels
- Protection rings (the write-enable ring on a tape reel; a tape mounted
without its ring can be read but not written)
- Read-only switch
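Added example (Python; not part of the module notes) for the internal file label checks named here and under file protection above: a sequential master file carries a header label (file identity, creation and expiration dates, generation, record length) and a trailer label (record count, control total), and the program checks both before processing and checks the expiration date before reusing the volume as scratch. The label layout, the 16-byte record layout (6-character account number plus 10-digit amount in cents) and the sample records are constructed for the illustration; real tape labels (HDR1/EOF1) carry more fields than these.

```python
# Added example, not from the module notes: internal header and trailer labels
# checked before a sequential master file is processed or reused. The label
# layout, the 16-byte record layout (6-character account number + 10-digit
# amount in cents) and the sample records are constructed for the
# illustration; real tape labels (HDR1/EOF1) carry more fields than these.
from dataclasses import dataclass, field
from datetime import date
from typing import List

RECORD_LENGTH = 16
SEP = "|"


@dataclass(frozen=True)
class Header:
    file_id: str       # which file this is
    created: date
    expires: date      # retention date: may not be overwritten before this
    generation: int    # which generation of the master file

    def encode(self) -> str:
        return SEP.join(["HDR1", self.file_id, self.created.isoformat(),
                         self.expires.isoformat(), str(self.generation), str(RECORD_LENGTH)])


@dataclass
class LabelCheck:
    ok: bool
    problem: str = ""
    records: List[str] = field(default_factory=list)


def control_total(records: List[str]) -> int:
    """Sum of the amount field; a change to any record changes the total."""
    return sum(int(rec[6:]) for rec in records)


def write_labelled_file(header: Header, records: List[str]) -> List[str]:
    """Build the file (as lines): header label, data records, trailer label
    carrying the record count and control total."""
    for rec in records:
        if len(rec) != RECORD_LENGTH:
            raise ValueError(f"record length {len(rec)} != {RECORD_LENGTH}: {rec!r}")
    trailer = SEP.join(["EOF1", str(len(records)), str(control_total(records))])
    return [header.encode()] + records + [trailer]


def check_labels(lines: List[str], expected_id: str, expected_generation: int) -> LabelCheck:
    """Check the header label before any data record is used, then check the
    trailer against the records actually read. A failed check must stop the
    run; it must never be worked around by skipping the label."""
    if not lines or not lines[0].startswith("HDR1" + SEP):
        return LabelCheck(False, "missing header label: unlabelled or wrong file")
    _, file_id, _created, _expires, generation, reclen = lines[0].split(SEP)
    if file_id != expected_id:
        return LabelCheck(False, f"wrong file mounted: {file_id!r}, expected {expected_id!r}")
    if int(generation) != expected_generation:
        return LabelCheck(False, f"wrong generation {generation}, expected {expected_generation}")
    if int(reclen) != RECORD_LENGTH:
        return LabelCheck(False, f"file record length {reclen} != program's {RECORD_LENGTH}")
    if len(lines) < 2 or not lines[-1].startswith("EOF1" + SEP):
        return LabelCheck(False, "missing trailer label: file truncated or not closed")
    records = lines[1:-1]
    _, count, total = lines[-1].split(SEP)
    for rec in records:
        if len(rec) != RECORD_LENGTH:
            return LabelCheck(False, f"record length check failed: {rec!r}")
    if len(records) != int(count):
        return LabelCheck(False, f"record count {len(records)} != trailer count {count}")
    if control_total(records) != int(total):
        return LabelCheck(False, "control total mismatch: records changed or lost")
    return LabelCheck(True, records=records)


def may_overwrite(lines: List[str], today: date) -> bool:
    """Premature-destruction check: a labelled file may be reused as scratch
    only after the expiration date in its header has passed."""
    if not lines or not lines[0].startswith("HDR1" + SEP):
        return True                      # unlabelled: nothing to protect
    expires = date.fromisoformat(lines[0].split(SEP)[3])
    return today > expires


# Constructed sample: accounts receivable master, generation 3
SAMPLE_HEADER = Header("ARMAST", date(2024, 6, 30), date(2024, 7, 30), 3)
SAMPLE_RECORDS = ["A00001" + "0000012500", "A00002" + "0000003075", "A00003" + "0000100000"]

if __name__ == "__main__":
    master = write_labelled_file(SAMPLE_HEADER, SAMPLE_RECORDS)
    print(check_labels(master, "ARMAST", 3))
    print(check_labels(master, "APMAST", 3).problem)        # wrong file mounted
    print("overwrite allowed on 2024-07-15:", may_overwrite(master, date(2024, 7, 15)))
```

The trailer's count and control total are what turn the label from an identity check into an integrity check: a lost record changes the count, and an altered amount changes the total even when the count is unchanged. Keeping the checks in the order shown (identity, then record length, then count, then total) means each failure message names the actual problem rather than a symptom of it.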
d. On-line Access Controls ( PAI)

i. Physical security of terminals


- use of terminal locks
ii. Authorization controls
- Authorized users
> Programs and data files that each user can
access should be identified in the authorization
scheme
- Authorized terminals

iii. Identification controls ( TUPS )

- Terminal identification
- User identification (passwords)
- Physiological key
> handprints, thumbprints

- Special key
> magnetic stripe cards
> optically encoded badge

Some rules concerning passwords:

- Passwords should not be chosen because they are easy to remember (names, dates and
dictionary words are also easy to guess)
- Should not be shared nor displayed
- Password file should be protected by the operating system
- Unsuccessful attempts should be monitored
- Should be changed periodically
- More effective when used in combination with other techniques

e. Data communication access control ( FIE)

i. Fragmentation – communication of a message one part
(fragment) at a time.
ii. Intermixing – communication of several messages
simultaneously
iii. Encryption – encoding of data to disguise their meaning

2. Controls for Detecting Failures in System Security ( UFAS )

a. Unauthorized Access Detection Devices ( MBUM)

i. Micro-switches – detect the presence of an intruder by breaking or
completing an electrical circuit
ii. Beams – could be light, laser, ultraviolet or infrared
iii. Ultrasonic (sound wave) and radar detectors – these detect
movement
iv. Microphones – sound can trigger an alarm

b. Fire Detection Devices ( HS)

i. Heat-sensitive devices – fusible links built into the nozzles of
sprinkler systems
ii. Smoke-sensitive devices

c. Authentication ( FDA)

i. Further identification information requested periodically during use of
the terminal
ii. Disconnecting and calling back the terminal (at its registered number)
iii. Authenticity code

d. Systems Monitoring (CDL)

i. CCTV (closed-circuit television)
ii. Disconnection after repeated unsuccessful attempts
iii. Log of all access failures
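Added example (Python; not part of the module notes) for the password rules listed under identification controls above and for the monitoring controls here: an authentication gate that rejects passwords chosen for ease of recall, keeps the password file only as salted hashes, requires periodic change, logs every access failure, and disconnects (locks) after repeated unsuccessful attempts. The policy values (12 characters, 3 character classes, 90-day change, 3 tries), the short list of easy-to-guess words and the sample users are assumptions; hashing uses PBKDF2-HMAC-SHA256 from the Python standard library.

```python
# Added example, not from the module notes: an authentication gate applying
# the password rules together with the monitoring controls (failure log,
# disconnection after repeated unsuccessful attempts). The policy values,
# the easy-to-guess word list and the sample users are assumptions; hashing
# uses PBKDF2-HMAC-SHA256 from the Python standard library.
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_AGE = timedelta(days=90)      # "should be changed periodically"
MAX_FAILURES = 3                  # disconnect after repeated unsuccessful attempts
PBKDF2_ROUNDS = 100_000           # tune so one check takes ~100 ms on the target host
EASY_TO_GUESS = {"password", "welcome", "letmein", "qwerty"}   # constructed sample list


def check_password_rules(candidate: str, user_id: str) -> List[str]:
    """Return the rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if lowered in EASY_TO_GUESS or user_id.lower() in lowered:
        problems.append("chosen for ease of recall (common word or user id)")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes            # only the salted hash is kept, never the password
    changed: datetime
    failures: int = 0
    locked: bool = False


class AccessControl:
    """In-memory stand-in for the password file; on a real system the file
    itself must be readable only by the operating system (e.g. root)."""

    def __init__(self):
        self._file: Dict[str, PasswordRecord] = {}
        self.failure_log: List[str] = []

    def _log(self, when: datetime, terminal: str, user_id: str, event: str) -> None:
        self.failure_log.append(f"{when.isoformat()} {terminal} {user_id}: {event}")

    def enrol(self, user_id: str, password: str, when: datetime) -> List[str]:
        """Set or change a password; returns the violated rules (empty = done)."""
        problems = check_password_rules(password, user_id)
        if not problems:
            salt = os.urandom(16)
            self._file[user_id] = PasswordRecord(salt, _derive(password, salt), when)
        return problems

    def log_in(self, user_id: str, password: str, terminal: str, when: datetime) -> str:
        """Returns 'ok', 'change-required', 'rejected' or 'disconnected'."""
        rec = self._file.get(user_id)
        if rec is None:
            _derive(password, b"\0" * 16)          # keep timing similar to a real check
            self._log(when, terminal, user_id, "unknown user id")
            return "rejected"                      # same answer as a bad password
        if rec.locked:
            self._log(when, terminal, user_id, "attempt while locked")
            return "disconnected"
        if not hmac.compare_digest(_derive(password, rec.salt), rec.digest):
            rec.failures += 1
            self._log(when, terminal, user_id, f"bad password ({rec.failures}/{MAX_FAILURES})")
            if rec.failures >= MAX_FAILURES:
                rec.locked = True
                self._log(when, terminal, user_id, "terminal disconnected, user id locked")
                return "disconnected"
            return "rejected"
        rec.failures = 0
        return "change-required" if when - rec.changed > MAX_AGE else "ok"


if __name__ == "__main__":
    ac = AccessControl()
    start = datetime(2024, 1, 1, 9, 0)
    print("enrol:", ac.enrol("jdoe", "Corr3ct-Horse!Battery", start))
    for guess in ("Password1!", "jdoe2024!!", "Corr3ct-Horse!Battery"):
        print(guess, "->", ac.log_in("jdoe", guess, "T07", start))
    print("\n".join(ac.failure_log))
```

Two details carry the monitoring requirement: an unknown user id gets the same "rejected" answer (and a dummy hash computation) as a wrong password, so the log, not the response, is where the difference shows; and the lockout is recorded as its own log line, separate from the failed attempt that triggered it, so a reviewer can count disconnections directly.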
3. Controls for Recovery from System Security Failures ( FRR )

a. Failure Bypass Procedures
b. Recovery Plan (Business Continuity Plan)
c. Recovery Procedures
i. Computer facilities and equipment
ii. Software
iii. Data / source documents
iv. Personnel
- who is responsible for what
- substitute in case of injury
