Chapter 9-1

Chapter 9
Computer Controls for Accounting Information Systems

Introduction
General Controls for Organizations
Integrated Security for the Organization
Organization-Level, Personnel, and File Security Controls
Fault-Tolerant Systems, Backup, and Contingency Planning, and Computer Facility Controls
Access to Computer Files
Information Technology General Controls
- Security for Wireless Technology
- Controls for Hardwired Network Systems
- Security and Controls for Microcomputers
- IT Control Objectives for Sarbanes-Oxley

Application Controls for Transaction Processing
- Input, Processing, and Output Controls

Introduction
Internal control systems focus on specific security in organizations, with control procedures that ensure
- effective use of resources
- efficient utilization of resources
Primary challenges associated with connectivity:
- protection of sensitive data and information, whether stored or transferred
- providing appropriate security and control procedures

General Controls for Organizations
Developing an appropriate security policy involves
- identifying and evaluating assets
- identifying threats
- assessing risk
- assigning responsibilities
- establishing security policies and platforms
- implementing the policy across the organization
- managing the security program

Integrated Security for the Organization
Organizations
- are dependent on networks for transactions, data sharing, and communications
- need to give access to customers, suppliers, partners, and others
Security threats for organizations arise from
- the complexity of these networks
- the accessibility requirements they present

Integrated Security for the Organization
Key security technologies that can be integrated include
- intrusion detection systems
- firewalls
- biometrics, and others
An integrated security system
- reduces the risk of attack
- increases the costs and resources needed by an intruder

General Controls within IT Environments
- Organization-level controls
- Personnel controls
- File security controls
- Fault-tolerant systems, backup, and contingency planning
- Computer facility controls
- Access to computer files

Organization-Level Controls
Important controls include
- consistent policies and procedures
- management's risk assessment process
- centralized processing and controls
- controls to monitor the results of operations
- controls to monitor the internal audit function, the audit committee, and self-assessment programs
- the period-end financial reporting process
- board-approved policies that address significant business control and risk management practices

Personnel Controls
An AIS depends heavily on people for
- the creation of the system
- the input of data into the system
- the supervision of data processing
- the distribution of processed data, and
- the use of approved controls

Personnel Controls
General controls that affect personnel include
- separation of duties
- use of computer accounts
- separation of duties control procedures

Separation of Duties
Separation of duties should be designed and implemented in two ways:
- separate the accounting and information processing subsystems
- separate the responsibilities within the IT environment

Separation of Duties
Separate responsibilities within the IT environment. Designated operational subsystems
- initiate and authorize asset custody
- detect errors in processing data
- enter them on an error log, and
- refer them back to the specific user subsystem for correction

Division of Responsibility
Division of responsibility within an IT environment can be along the following lines:
- Systems analysis function
- Data control function
- Programming function
- Computer operations function
- Transaction authorization function
- AIS library function

Use of Computer Accounts
Use of computer accounts helps to
- ensure access is limited to specific users
  - mostly by using passwords
  - nowadays by use of biometrics (digital fingerprinting)
- protect use of scarce resources

Use of Computer Accounts
- limit user access to particular computer files or programs
- protect files from unauthorized use
- protect computer time from unauthorized use
- place resource limitations on account numbers, which limits programmer/operator errors

File Security Controls
The purpose of file security controls is to protect computer files from
- accidental abuse
- intentional abuse

File Security Controls
Some examples of file security controls are
- external file labels
- internal file labels
- lockout procedures
- file protection rings
- read-only file designation

Fault-Tolerant Systems
Fault-tolerant systems
- are designed to tolerate computer errors and keep functioning
- are often based on the concept of redundancy
- are created by instituting duplicate communication paths and communications processors

Fault-Tolerant Systems
Redundancy in CPU processing can be achieved
- with consensus-based protocols
- with a second (watchdog) processor
Disks can be made fault-tolerant
- by a process called disk mirroring
- by rollback processing

Backup
Backup
- is essential for vital documents
- is batch processed using the grandfather-parent-child procedure
- can be electronically transmitted to remote sites (vaulting)
- needs an uninterruptible power system (UPS) as an auxiliary power supply

Backup
Backup is similar to the redundancy concept in fault-tolerant systems.
- A hot backup is performed while the database is online and available for read/write.
- A cold backup is performed while the database is offline and unavailable to its users.

Contingency Planning
Contingency planning
- includes the development of a formal disaster recovery plan, which
  - describes procedures to be followed in an emergency
  - describes the role of each member of the team
  - appoints one person to be in command and another to be second-in-command
- involves a recovery site that can be either a hot site or a cold site

Computer Facility Controls
Locate the data processing center in a safe place where
- the public does not have access
- it is guarded by personnel
- there is a limited number of secured entrances
- there is protection against natural disasters

Computer Facility Controls
- Limit employee access by incorporating magnetic, electronic, or optical coded identification badges
- Buy insurance

Access to Computer Files
Logical access to data is restricted by
- password code identification (encourage strong passwords)
- biometric identification with voice patterns, fingerprints, and retina prints

INFORMATION TECHNOLOGY GENERAL CONTROLS
The objective of controls is to provide assurance that
- the development of and changes to computer programs are authorized, tested, and approved before their use
- access to data files is restricted
- processed accounting data are accurate and complete

Control Concerns
- Errors may be magnified
- Inadequate separation of duties
- Audit trails
- Greater access to data
- Characteristics of magnetic or optical media

INFORMATION TECHNOLOGY GENERAL CONTROLS
IT general controls involve
- Security for Wireless Technology
- Controls for Hardwired Network Systems
- Security and Controls for Microcomputers
- IT Control Objectives for Sarbanes-Oxley

Security for Wireless Technology
Security for wireless technology involves
- a virtual private network (VPN)
- data encryption

Controls for Hardwired Network Systems
The routine use of systems such as DDP and client/server computing increases control problems for companies, which include
- electronic eavesdropping
- hardware or software malfunctions causing computer network system failures
- errors in data transmission

Controls for Hardwired Network Systems
To reduce the risk of system failures, networks are designed
- to handle periods of peak transmission volume
- to use redundant components, such as modems
- to recover from failure using checkpoint control procedures
- to use routing verification procedures
- to use message acknowledgment procedures

Security and Controls for Microcomputers
General and application control procedures are important to microcomputers.
Most risks associated with AISs result from
- errors
- irregularities or fraud
- general threats to security (such as a computer virus)
Some of the risks that are unique to the microcomputer are
- Hardware: microcomputers can be easily stolen or destroyed
- Data and software: easy to access, modify, copy, or destroy, and therefore difficult to control

Control Procedures for Microcomputers
Some cost-effective control procedures are
- take inventory
- install keyboard locks
- lock laptops in cabinets
- follow software protection procedures
- create backup files, and
- lock office doors

Additional Controls for Laptops
Some specific controls for the laptop are
- identify your laptop
- use nonbreakable cables to attach laptops to stationary furniture
- load antivirus software
- keep laptop information backed up

IT Control Objectives for Sarbanes-Oxley
The Sarbanes-Oxley Act of 2002 (SOX) profoundly impacts
- public companies
- managers
- the internal auditors
- the external auditors

IT Control Objectives for Sarbanes-Oxley
The IT Governance Institute (ITGI) issued IT Control Objectives for Sarbanes-Oxley in April 2004, which
- helps organizations comply with
  - SOX requirements and
  - the PCAOB requirements
- includes detailed guidance for organizations, by starting with the IT controls from CobiT, linking those to the IT general control categories in the PCAOB standard, and then linking to the COSO framework

Application Controls for Transaction Processing
Application controls are designed to
- prevent,
- detect, and
- correct errors and irregularities
in transactions in
- the input
- the processing, and
- the output stages of data processing

Input Controls
Input controls attempt to ensure the
- validity
- accuracy
- completeness
of the data entered into an AIS.
The categories of input controls include
- observation, recording, and transcription of data
- edit tests
- additional input controls

Observation, Recording, and Transcription of Data
The observation control procedures that assist in collecting data are
- feedback mechanisms
- dual observation
- point-of-sale (POS) devices
- preprinted recording forms

Data Transcription
Data transcription is the preparation of data for computerized processing.
- Preformatted screens make the electronic version look like the printed version.

Edit Tests
Input validation routines (edit programs)
- check the validity
- check the accuracy
of the data after they have been entered and recorded on a machine-readable file of input data.

Edit Tests
Edit tests
- examine selected fields of input data and
- reject those transactions whose data fields do not meet the pre-established standards of data quality.
Real-time systems use edit checks during data entry.

Examples of Edit Tests
The following are examples of edit tests:
- Numeric field
- Alphabetic field
- Alphanumeric field
- Valid code
- Reasonableness
- Sign
- Completeness
- Sequence
- Consistency
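As an added example (not from the slides), the nine edit tests above applied in Python to a constructed batch of sales transactions; the field names, the valid-code table, the transaction-number format and the reasonableness limit are assumptions made for the illustration.

```python
# Added example: edit tests run over a constructed batch before it enters processing.
import re

VALID_PAY_CODES = {"CASH", "CRED", "CHEQ"}   # constructed valid-code table
MAX_AMOUNT = 10_000.00                        # constructed reasonableness limit
REQUIRED = ("txn_no", "customer", "pay_code", "amount", "qty")

def _num(rec, field):
    # Field as float, or None when absent or not numeric
    val = str(rec.get(field, ""))
    return float(val) if re.fullmatch(r"-?\d+(\.\d+)?", val) else None

def edit_record(rec, prev_txn_no=None):
    """Run the edit tests on one record; an empty list means it is accepted."""
    errs = []
    # Completeness: every required field present and non-empty
    errs += [f"completeness:{f}" for f in REQUIRED if rec.get(f) in (None, "")]
    # Numeric field: amount and qty, when supplied, must parse as numbers
    errs += [f"numeric:{f}" for f in ("amount", "qty")
             if rec.get(f) not in (None, "") and _num(rec, f) is None]
    if not re.fullmatch(r"[A-Za-z ]+", str(rec.get("customer", ""))):
        errs.append("alphabetic:customer")       # Alphabetic field: letters/spaces only
    if not re.fullmatch(r"[A-Z]\d{4}", str(rec.get("txn_no", ""))):
        errs.append("alphanumeric:txn_no")       # Alphanumeric field: assumed form S1234
    if rec.get("pay_code") not in VALID_PAY_CODES:
        errs.append("valid_code:pay_code")       # Valid code: must be in the code table
    amount, qty = _num(rec, "amount"), _num(rec, "qty")
    if amount is not None and amount < 0:
        errs.append("sign:amount")               # Sign: a sale amount cannot be negative
    if amount is not None and amount > MAX_AMOUNT:
        errs.append("reasonableness:amount")     # Reasonableness: within the expected range
    if prev_txn_no is not None and str(rec.get("txn_no", "")) <= prev_txn_no:
        errs.append("sequence:txn_no")           # Sequence: numbers must arrive ascending
    if amount is not None and qty is not None and qty == 0 and amount != 0:
        errs.append("consistency:qty_amount")    # Consistency: zero qty cannot carry an amount
    return errs

def edit_batch(records):
    # Split a batch into accepted and rejected (txn_no, failures) pairs
    accepted, rejected, prev = [], [], None
    for rec in records:
        errs = edit_record(rec, prev)
        (rejected if errs else accepted).append((rec.get("txn_no"), errs))
        prev = rec.get("txn_no") or prev    # last seen number feeds the sequence test
    return accepted, rejected

BATCH = [  # constructed sample input: one clean record, three with defects
    {"txn_no": "S1001", "customer": "Acme Ltd", "pay_code": "CASH", "amount": "250.00", "qty": "5"},
    {"txn_no": "S1002", "customer": "Bolt Co", "pay_code": "CRED", "amount": "-40.00", "qty": "1"},
    {"txn_no": "S1004", "customer": "Cog 4U", "pay_code": "WIRE", "amount": "12000", "qty": "0"},
    {"txn_no": "S1003", "customer": "Dyn Inc", "pay_code": "CHEQ", "amount": "", "qty": "2"},
]
```

Rejected records carry the list of failed tests, which is what the error log described under separation of duties would record before referring the transaction back to the user subsystem.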

Processing Controls
Processing controls focus on the manipulation of accounting data after they are input to the computer system.
The key objective is a clear audit trail.
Processing controls are of two kinds:
- Data-access controls
- Data manipulation controls

Data-Access Control Totals
Some common processing control procedures are
- batch control totals
- financial control totals
- nonfinancial control totals
- hash totals
- record counts
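An added example (not from the slides) of how the control totals above catch a record that is lost or altered between input and output; the record layout, the batch and the two failure cases are constructed for the illustration.

```python
# Added example: batch control totals recomputed after processing and reconciled
# with the totals recorded by the data control function when the batch was keyed.
def control_totals(batch):
    """Batch control totals over records with an id, a quantity and a money field."""
    return {
        "record_count": len(batch),                                    # number of records
        "financial_total": round(sum(r["amount"] for r in batch), 2),  # sum of a money field
        "nonfinancial_total": sum(r["hours"] for r in batch),          # sum of a quantity field
        "hash_total": sum(r["account_no"] for r in batch),             # sum of an id field; no meaning of its own
    }

def reconcile(recorded, batch):
    """Return {total_name: (recorded, actual)} for every total that disagrees."""
    actual = control_totals(batch)
    return {k: (recorded[k], actual[k]) for k in recorded if recorded[k] != actual[k]}

def diagnose(mismatches):
    """Map the pattern of mismatching totals to the likely cause for the error log."""
    if not mismatches:
        return "batch agrees with recorded totals"
    if "record_count" in mismatches:
        return "record lost or added during processing"
    if set(mismatches) == {"hash_total"}:
        return "identifier field altered (wrong account posted) but amounts intact"
    return "field values altered in place"

BATCH_IN = [  # constructed input batch, as keyed by the data control function
    {"account_no": 1011, "hours": 40, "amount": 800.00},
    {"account_no": 1012, "hours": 40, "amount": 650.50},
    {"account_no": 1013, "hours": 40, "amount": 400.00},
]
RECORDED = control_totals(BATCH_IN)   # totals written on the batch control slip at input
# Constructed failure cases: a transposed account number, and a dropped record
BATCH_ALTERED = [dict(r, account_no=1021) if r["account_no"] == 1012 else r for r in BATCH_IN]
BATCH_SHORT = BATCH_IN[:2]
```

The hash total is the only one that moves when an account number is transposed, which is exactly why it is kept alongside the financial and record-count totals.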

Data Manipulation Controls
Once data have been validated by earlier portions of data processing, they usually must be manipulated in some way to produce useful output.
Data manipulation controls include:
- software documentation, i.e. flow charts and diagrams
- compilers
- test data

Output Controls
The objective of output controls is to ensure
- validity
- accuracy
- completeness
Two major types of output application controls are
- validating processing results by activity (or proof) listings
- regulating the distribution and use of printed output through
  - forms
  - prenumbered forms
  - an authorized distribution list
  - shredding sensitive documents

Copyright
Copyright 2008 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make backup copies for his/her own use only and not for
distribution or resale. The Publisher assumes no responsibility for errors,
omissions, or damages, caused by the use of these programs or from the
use of the information contained herein.