Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Introduction
Enterprise Level Controls
General Controls for Information Technology
Application Controls for Transaction Processing

Chapter 10-1

Enterprise Level Controls
- Consistent policies and procedures
- Management's risk assessment process
- Centralized processing and controls
- Controls to monitor results of operations


Enterprise Level Controls (continued)
- Controls to monitor the internal audit function, the audit committee, and self-assessment programs
- Period-end financial reporting process
- Board-approved policies that address significant business control and risk management practices

Risk Assessment and Security Policies

Integrated Security for the Organization
- Physical Security
  - Measures used to protect its facilities, resources, or proprietary data stored on physical media
- Logical Security
  - Limit access to system and information to authorized individuals
- Integrated Security
  - Combines physical and logical elements
  - Supported by comprehensive security policy

Physical and Logical Security

General Controls for Information Technology
- Access to Data, Hardware, and Software
- Protection of Systems and Data with Personnel Policies
- Protection of Systems and Data with Technology and Facilities

General Controls for Information Technology
- IT general controls apply to all information systems
- Major Objectives
  - Access to programs and data is limited to authorized users
  - Data and systems protected from change, theft, and loss
  - Computer programs are authorized, tested, and approved before usage

Access to Data, Hardware, and Software
- Utilization of strong passwords
  - 8 or more characters in length
  - Different types of characters: letters, numbers, symbols
- Biometric identification
  - Distinctive user physical characteristics
  - Voice patterns, fingerprints, facial patterns, retina prints

Security for Wireless Technology
- Utilization of wireless local area networks
- Virtual Private Network (VPN)
  - Allows remote access to entity resources
- Data Encryption
  - Data converted into a scrambled format
  - Converted back to meaningful format following transmission

Data Encryption

Controls for Networks
- Control Problems
  - Electronic eavesdropping
  - Hardware or software malfunctions
  - Errors in data transmission
- Control Procedures
  - Checkpoint control procedure
  - Routing verification procedures
  - Message acknowledgment procedures

Controls for Personal Computers
- Take an inventory of personal computers
- Identify applications utilized by each personal computer
- Classify computers according to risks and exposures
- Enhance physical security

Additional Controls for Laptops

Personnel Policies
- Separation of Duties
  - Separate Accounting and Information Processing from Other Subsystems
  - Separate Responsibilities within IT Environment
- Use of Computer Accounts
  - Each employee has a password-protected account
  - Biometric identification

Separation of Duties

Division of Responsibility in IT Environment

Division of Responsibility in IT Environment (continued)

Personnel Policies
- Identifying Suspicious Behavior
  - Protect against fraudulent employee actions
  - Observation of suspicious behavior
  - Highest percentage of fraud involved employees in the accounting department
  - Must safeguard files from intentional and unintentional errors

Safeguarding Computer Files

File Security Controls

Business Continuity Planning
- Definition
  - Comprehensive approach to ensuring normal operations despite interruptions
- Components
  - Disaster Recovery
  - Fault Tolerant Systems
  - Backup

Disaster Recovery
- Definition
  - Process and procedures following a disruptive event
- Summary of Types of Sites
  - Hot Site
  - Flying-Start Site
  - Cold Site

Fault Tolerant Systems
- Definition
  - Used to deal with computer errors
  - Ensure functional system with accurate and complete data (redundancy)
- Major Approaches
  - Consensus-based protocols
  - Watchdog processor
  - Utilize disk mirroring or rollback processing

Backup
- Batch processing
  - Risk of losing data before, during, and after processing
  - Grandfather-parent-child procedure
- Types of Backups
  - Hot backup
  - Cold backup
  - Electronic vaulting

Batch Processing

Computer Facility Controls
- Locate Data Processing Centers in Safe Places
  - Protect from the public
  - Protect from natural disasters (flood, earthquake)
- Limit Employee Access
  - Security badges (color-coded with pictures)
  - Man trap
- Buy Insurance

Study Break #1
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A. Firewall
B. Security policy
C. VPN
D. Risk assessment

Study Break #1 - Answer
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A. Firewall
B. Security policy
C. VPN
D. Risk assessment

Study Break #2
A _____ site is a disaster recovery site that includes a computer system similar to the one the company regularly uses, software, and up-to-date data so the company can resume full data processing operations within seconds or minutes.
A. Hot
B. Cold
C. Flying start
D. Backup

Study Break #2 - Answer
A _____ site is a disaster recovery site that includes a computer system similar to the one the company regularly uses, software, and up-to-date data so the company can resume full data processing operations within seconds or minutes.
A. Hot
B. Cold
C. Flying start
D. Backup

Study Break #3
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Study Break #3 - Answer
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Application Controls for Transaction Processing
- Purpose
  - Embedded in business process applications
  - Prevent, detect, and correct errors and irregularities
- Application Controls
  - Input Controls
  - Processing Controls
  - Output Controls

Application Controls for Transaction Processing

Input Controls
- Purpose
  - Ensure validity
  - Ensure accuracy
  - Ensure completeness
- Categories
  - Observation, recording, and transcription of data
  - Edit tests
  - Additional input controls

Observation, Recording, and Transcription of Data
- Confirmation mechanism
- Dual observation
- Point-of-sale devices (POS)
- Preprinted recording forms

Preprinted Recording Form

Edit Tests
- Input Validation Routines (Edit Programs)
  - Programs or subroutines
  - Check validity and accuracy of input data
- Edit Tests
  - Examine selected fields of input data
  - Reject data not meeting preestablished standards of quality

Edit Tests

Edit Tests (continued)

Additional Input Controls
- Validity Test
  - Transactions matched with master data files
  - Transactions lacking a match are rejected
- Check-Digit Control Procedure
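Added example (not from the slides): the edit tests, validity test and check-digit control listed above, applied to one transaction record in Python. The field names, the contents of the customer master file, the quantity limit and the choice of the mod-10 (Luhn) algorithm for the check-digit procedure are assumptions made for this example.

```python
# Added example (not from the slides): input controls run over one sales
# transaction record. Field names, the mod-10 (Luhn) check-digit algorithm
# and the quantity limit are assumptions made for this example.

REQUIRED_FIELDS = ("customer_id", "account_no", "quantity", "amount")
MAX_QUANTITY = 1000  # assumed reasonableness limit for the limit check

# Constructed master file: the only customer ids the system may accept.
CUSTOMER_MASTER = {"C1001", "C1002", "C1003"}


def luhn_valid(number: str) -> bool:
    """Check-digit test (mod 10): recompute the check from the other digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_tests(txn: dict) -> list:
    """Edit tests: completeness, field (numeric), limit and sign checks."""
    errors = []
    for f in REQUIRED_FIELDS:
        if f not in txn or txn[f] == "":
            errors.append(f"completeness: {f} missing")
    qty = str(txn.get("quantity", ""))
    if not qty.isdigit():
        errors.append("field check: quantity not numeric")
    elif int(qty) <= 0 or int(qty) > MAX_QUANTITY:
        errors.append("limit check: quantity out of range")
    if str(txn.get("amount", "")).startswith("-"):
        errors.append("sign check: amount negative")
    return errors


def validate_transaction(txn: dict) -> list:
    """Return [] when the record passes every input control, else the reasons."""
    errors = edit_tests(txn)
    # Validity test: the transaction must match a master-file record.
    if txn.get("customer_id") not in CUSTOMER_MASTER:
        errors.append("validity test: customer_id not in master file")
    # Check-digit control: a transposed or mistyped account number is rejected.
    if not luhn_valid(str(txn.get("account_no", ""))):
        errors.append("check digit: account_no fails mod-10 test")
    return errors
```

A record is accepted only when every control returns nothing; the list of reasons is what an edit program would write to its error report for correction and re-entry.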

Processing Controls
- Purpose
  - Focus on manipulation of accounting data
  - Contribute to a good audit trail
- Two Types
  - Control totals
  - Data manipulation controls

Audit Trail

Control Totals
- Common Processing Control Procedures
  - Batch control total
  - Financial control total
  - Nonfinancial control total
  - Record count
  - Hash total
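Added example (not from the slides): the four control totals listed above computed over a constructed batch of sales transactions before processing and recomputed afterwards, so that a lost, duplicated or altered record shows up as a mismatch. The record layout and the sample values are assumptions made for this example.

```python
# Added example (not from the slides): batch control totals computed before
# processing and reconciled after it. The record layout is an assumption.
from decimal import Decimal

# Constructed batch, as keyed from the source documents.
BATCH = [
    {"account_no": "10234", "quantity": 3, "amount": Decimal("150.00")},
    {"account_no": "20987", "quantity": 1, "amount": Decimal("49.99")},
    {"account_no": "30456", "quantity": 12, "amount": Decimal("600.00")},
]


def control_totals(records: list) -> dict:
    """Batch control totals: financial, nonfinancial, record count and hash."""
    return {
        # Financial control total: sum of a monetary field.
        "financial": sum((r["amount"] for r in records), Decimal("0")),
        # Nonfinancial control total: sum of a non-monetary quantity field.
        "nonfinancial": sum(r["quantity"] for r in records),
        # Record count: number of records in the batch.
        "record_count": len(records),
        # Hash total: sum of a field whose sum has no meaning (account
        # numbers); it only serves to detect a changed or swapped key.
        "hash": sum(int(r["account_no"]) for r in records),
    }


def reconcile(expected: dict, processed: list) -> list:
    """Recompute totals after processing; return the totals that differ."""
    actual = control_totals(processed)
    return [name for name in expected if actual[name] != expected[name]]
```

Dropping a record disturbs all four totals, while transposing two digits in one account number disturbs only the hash total, which is why the hash total is kept alongside the financial and nonfinancial totals.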

Data Manipulation Controls
- Data Processing
  - Following validation of input data
  - Data manipulated to produce decision-useful information
- Processing Control Procedures
  - Software documentation
  - Error-testing compiler
  - Utilization of test data

Output Controls
- Purpose
  - Ensure validity
  - Ensure accuracy
  - Ensure completeness
- Major Types
  - Validating Processing Results
  - Regulating Distribution and Use of Printed Output

Output Controls
- Validating Processing Results
  - Preparation of activity listings
  - Provide detailed listings of changes to master files
- Regulating Distribution and Use of Printed Output
  - Forms control
  - Pre-numbered forms
  - Authorized distribution list

Study Break #4
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, handheld devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Study Break #4 - Answer
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, handheld devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Study Break #5
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A. General
B. Specific
C. Application
D. Input

Study Break #5 - Answer
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A. General
B. Specific
C. Application
D. Input

Copyright
Copyright 2012 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.
