CHAPTER 8

Information Systems Controls
for System Reliability
Part 2: Confidentiality, Privacy,
Processing Integrity, and
Availability

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 136
INTRODUCTION

• Questions to be addressed in this chapter
include:
– What controls are used to protect the confidentiality of
sensitive information?
– What controls are designed to protect privacy of
customers’ personal information?
– What controls ensure processing integrity?
– How are information systems changes controlled to
ensure that the new system satisfies all five principles
of systems reliability?

INTRODUCTION

• Reliable systems satisfy five principles:
– Information Security (discussed in Chapter 7)
– Confidentiality
– Privacy
– Processing integrity
– Availability

[Figure: systems reliability diagram with components labeled Security, Confidentiality, Privacy, Processing Integrity, and Availability]

PROCESSING INTEGRITY

• Three categories/groups of integrity
controls are designed to meet the
preceding objectives:
– Input controls
– Processing controls
– Output controls

PROCESSING INTEGRITY

• Input Controls
– If the data entered into a system is inaccurate or
incomplete, the output will be, too. (Garbage in,
garbage out.)
– Companies must establish control procedures to
ensure that all source documents are authorized,
accurate, complete, properly accounted for, and
entered into the system or sent to their intended
destination in a timely manner.

PROCESSING INTEGRITY

• The following input controls (source data
controls) regulate integrity of input:
– Forms design
• Source documents and other forms should be
designed to help ensure that errors and omissions
are minimized, e.g., by using prenumbered forms.

PROCESSING INTEGRITY

• The following input controls regulate integrity of
input:
– Forms design
– Cancellation and storage of documents
• Documents that have been entered should be
canceled
– Paper documents are stamped “paid” or
otherwise defaced
– A flag field is set on electronic documents.
• Canceling documents does not mean destroying
documents.
• They should be retained as long as needed to satisfy
legal and regulatory requirements.

PROCESSING INTEGRITY

• The following input controls regulate integrity of
input:
– Forms design
– Cancellation and storage of documents
– Authorization and segregation of duties
• Source documents should be prepared only by
authorized personnel acting within their authority.
• Employees who authorize documents should not be
assigned incompatible functions.

PROCESSING INTEGRITY

• The following input controls regulate integrity of
input:
– Forms design
– Cancellation and storage of documents
– Authorization and segregation of duties
– Visual scanning
• Documents should be scanned for reasonableness
and propriety.

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input (data entry controls) include:
– Field check
• Determines if the characters in a field are of the
proper type.
• Example: The characters in a social security field
should all be numeric.

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
• Determines if the data in a field have the appropriate
arithmetic sign.
• Example: The number of hours a student is enrolled
in during a semester could not be a negative number.

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
• Tests whether an amount exceeds a predetermined
value.
• Example: A university might use a limit check to
make sure that the hours a student is enrolled in do
not exceed 21.

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
• Similar to a field check, but it checks both ends of a
range.
• Example: Perhaps a wage rate is checked to ensure
that it does not exceed $15 and is not lower than the
minimum wage rate.

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
• Ensures that the data will fit into the assigned field.
• Example: A social security number of 10 digits would
not fit in the 9-digit social security field.

PROCESSING INTEGRITY

• Common tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
– Completeness check
• Determines if all required items have been entered.
• Example: Has the student’s billing address been
entered along with enrollment details?

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
– Completeness check
– Validity check
• Compares the value entered to a file of acceptable
values.
• Example: Does the state code entered for an address
match one of the 50 valid state codes?

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
– Completeness check
– Validity check
– Reasonableness test
• Determines whether a logical relationship seems to be
correct.
• Example: A freshman with annual financial aid of
$60,000 is probably not reasonable.

PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are
needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
– Completeness check
– Validity check
– Reasonableness test
– Check digit verification
• An additional digit called a check digit can be
appended to account numbers, policy numbers, ID
numbers, etc.
• Data entry devices then perform check digit
verification by using the original digits in the number
to recalculate the check digit.
• If the recalculated check digit does not match the
digit recorded on the source document, that result
suggests that an error was made in recording or
entering the number.
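
The data entry tests listed on the preceding slides, applied to one enrollment record, as an added example that is not part of the original slides. The field names, MIN_WAGE, the AID_CEILING threshold, the short state list and the use of the Luhn (mod 10) scheme for the check digit are assumptions made for illustration.

```python
import re

VALID_STATES = {"CA", "NY", "TX", "UT"}   # stand-in for the file of 50 state codes
REQUIRED = ("student_id", "ssn", "hours", "wage_rate", "state", "billing_address")
MIN_WAGE, MAX_WAGE = 5.85, 15.00          # MIN_WAGE is a constructed value
MAX_HOURS = 21
AID_CEILING = {"freshman": 20000}         # constructed reasonableness threshold


def luhn_check_digit(payload):
    """Recalculate the check digit from the original digits (Luhn, mod 10)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def validate(rec):
    """Return the edit checks the record fails; an empty list means accepted."""
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:                           # completeness check gates the rest
        return ["completeness:" + f for f in missing]
    errors = []
    if not re.fullmatch(r"[0-9]+", rec["ssn"]):
        errors.append("field:ssn")        # characters must all be numeric
    if len(rec["ssn"]) > 9:
        errors.append("size:ssn")         # must fit the 9-digit field
    if rec["hours"] < 0:
        errors.append("sign:hours")
    if rec["hours"] > MAX_HOURS:
        errors.append("limit:hours")
    if not MIN_WAGE <= rec["wage_rate"] <= MAX_WAGE:
        errors.append("range:wage_rate")  # both ends of the range
    if rec["state"] not in VALID_STATES:
        errors.append("validity:state")
    ceiling = AID_CEILING.get(rec.get("class_standing"))
    if ceiling is not None and rec.get("financial_aid", 0) > ceiling:
        errors.append("reasonableness:financial_aid")
    sid = rec["student_id"]
    if not re.fullmatch(r"[0-9]{2,}", sid):
        errors.append("field:student_id")
    elif luhn_check_digit(sid[:-1]) != int(sid[-1]):
        errors.append("check_digit:student_id")
    return errors


# Constructed sample records; the ID in BAD has two adjacent digits transposed.
GOOD = {"student_id": "79927398713", "ssn": "900123456", "hours": 15,
        "wage_rate": 12.5, "state": "UT", "billing_address": "1 Constructed Way",
        "class_standing": "freshman", "financial_aid": 8000}
BAD = dict(GOOD, student_id="79927389713", ssn="12345678AB", hours=24,
           wage_rate=4.0, state="ZZ", financial_aid=60000)

if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(BAD))
```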

PROCESSING INTEGRITY

• Additional Batch Processing Data Entry
Controls
– In addition to the preceding controls, when
using batch processing, the following data
entry controls should be incorporated.
• Sequence check
• Tests whether the data is in the proper numerical or
alphabetical sequence.

PROCESSING INTEGRITY

• Additional Batch Processing Data Entry
Controls
– In addition to the preceding controls, when
using batch processing, the following data
entry controls should be incorporated.
• Sequence check
• Error log
• Records information about data input or processing
errors (when they occurred, cause, when they were
corrected and resubmitted).
• Errors should be investigated, corrected, and
resubmitted on a timely basis (usually with the next
batch) and subjected to the same input validation
routines.
• The log should be reviewed periodically to ensure
that all errors have been corrected and then used to
prepare an error report, summarizing errors by record
type, error type, cause, and disposition.

PROCESSING INTEGRITY

• Additional Batch Processing Data Entry
Controls
– In addition to the preceding controls, when
using batch processing, the following data
entry controls should be incorporated.
• Sequence check
• Error log
• Batch totals
• Summarize key values for a batch of input records.
Commonly used batch totals include:
– Financial totals—sums of fields that contain dollar
values, such as total sales.
– Hash totals—sums of nonfinancial fields, such as
the sum of all social security numbers of
employees being paid.
– Record count—count of the number of records in
a batch.
• These batch totals are calculated and recorded when
data is entered and used later to verify that all input
was processed correctly.
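
The sequence check and the three batch totals described above, as an added example that is not part of the original slides. It shows which total catches which kind of error; the payroll records, field names and SSN values are constructed.

```python
from decimal import Decimal


def batch_totals(records):
    """Control totals computed and recorded when the batch is entered."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["gross_pay"]) for r in records),
                               Decimal("0")),
        "hash_total": sum(int(r["ssn"]) for r in records),
    }


def reconcile(control, processed):
    """Names of the batch totals that no longer match after processing."""
    actual = batch_totals(processed)
    return sorted(name for name in control if control[name] != actual[name])


def out_of_sequence(records, key="doc_no"):
    """Sequence check: document numbers that do not follow their predecessor."""
    return [cur[key] for prev, cur in zip(records, records[1:])
            if cur[key] <= prev[key]]


# Constructed payroll batch; SSNs and amounts are sample values.
BATCH = [
    {"doc_no": 101, "ssn": "900000001", "gross_pay": "1250.00"},
    {"doc_no": 102, "ssn": "900000002", "gross_pay": "980.50"},
    {"doc_no": 103, "ssn": "900000003", "gross_pay": "1250.00"},
]
CONTROL = batch_totals(BATCH)

# Three ways the processed batch can differ from what was entered.
DROPPED = BATCH[:2]                                    # a record was lost
MISKEYED = [BATCH[0], dict(BATCH[1], gross_pay="890.50"), BATCH[2]]
WRONG_EMPLOYEE = BATCH[:2] + [dict(BATCH[2], ssn="900000009")]
SHUFFLED = [BATCH[0], BATCH[2], BATCH[1]]              # same totals, wrong order

if __name__ == "__main__":
    for name, batch in [("dropped", DROPPED), ("miskeyed", MISKEYED),
                        ("wrong employee", WRONG_EMPLOYEE)]:
        print(name, reconcile(CONTROL, batch))
    print("out of sequence:", out_of_sequence(SHUFFLED))
```

The wrong-employee case leaves the record count and the financial total intact, so only the hash total reveals it; the shuffled batch passes all three totals and is caught only by the sequence check.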

PROCESSING INTEGRITY

• Additional online data entry controls
– Online processing data entry controls include:
• Automatic entry of data
• Whenever possible, the system should automatically
enter transaction data, such as next available
document number or new ID number.
• Saves keying time and reduces errors.

PROCESSING INTEGRITY

• Additional online data entry controls
– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• System requests each input item and waits for an
acceptable response.

PROCESSING INTEGRITY

• Additional online data entry controls
– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• Pre-formatting
• Fields that need to be completed are highlighted.

PROCESSING INTEGRITY

• Additional online data entry controls
– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• Pre-formatting
• Closed-loop verification
• Checks accuracy of input data by retrieving related
information.
• Example: When a customer’s account number is
entered, the associated customer’s name is displayed
on the screen so the user can verify that entries are
being made for the correct account.

PROCESSING INTEGRITY

• Additional online data entry controls
– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• Pre-formatting
• Closed-loop verification
• Transaction logs
• Maintains a detailed record of all transaction data,
including:
– A unique transaction identifier
– Date and time of entry
– Terminal from which entry is made
– Transmission line
– Operator identification
– Sequence in which transaction is entered
• The log can be used to reconstruct a file that is
damaged or can be used to ensure transactions are
not lost or entered twice if a malfunction shuts down
the system.

AVAILABILITY

• Reliable systems are available
for use whenever needed.
• Threats to system availability
originate from many sources,
including:
– Hardware and software failures
– Natural and man-made disasters
– Human error
– Worms and viruses
– Denial-of-service attacks and
other sabotage

[Figure: systems reliability diagram with components labeled Security, Confidentiality, Privacy, Processing Integrity, and Availability]

AVAILABILITY

• Minimizing Risk of System Downtime
– Loss of system availability can cause
significant financial losses, especially if the
system affected is essential to e-commerce.
– Organizations can take a variety of steps to
minimize the risk of system downtime.
• E.g. Uninterruptible power supply (UPS)
• E.g. Location and design of rooms housing critical
servers and databases.
• E.g. Adequate air conditioning, fire detection
devices, etc.

AVAILABILITY

• Key components of effective disaster
recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing

AVAILABILITY

• Data Backup Procedures
– Data need to be backed up regularly and
frequently.
– A backup is an exact copy of the most current
version of a database. It is intended for use in
the event of a hardware or software failure.
– The process of installing the backup copy for
use is called restoration.

AVAILABILITY

• Several different backup procedures exist.
– A full backup is an exact copy of the data
recorded on another physical medium (tape,
magnetic disk, CD, DVD, etc.)
– Restoration involves bringing the backup copy
online.
– Full backups are time consuming, so most
organizations:
• Do full backups weekly
• Supplement with daily partial backups.

AVAILABILITY

• Two types of partial backups are
possible:
– Incremental backup
• Involves copying only the data items that have
changed since the last backup.
• Produces a set of incremental backup files, each
containing the results of one day’s transactions.
• Restoration:
– First load the last full backup.
– Then install each subsequent incremental
backup in the proper sequence.

AVAILABILITY

• Two types of partial backups are
possible:
– Incremental backup
– Differential backup
• All changes made since the last full backup are copied.
• Each new differential backup file contains the cumulative
effects of all activity since the last full backup.
• Will normally take longer to do the backup than when
incremental backup is used.
• Restoration:
– First load the last full backup.
– Then install the most recent differential backup file.
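
The two restoration procedures above (incremental and differential), worked through as an added example that is not part of the original slides. The catalog layout, file names and day numbering are constructed, and the gap detection assumes one partial backup per day; the point is what each scheme can still recover when one partial backup file is lost.

```python
def restore_chain(catalog, failure_day):
    """Return (backup files to load, in order; last day actually recoverable)."""
    usable = sorted((b for b in catalog if b["day"] <= failure_day),
                    key=lambda b: b["day"])
    fulls = [b for b in usable if b["type"] == "full"]
    if not fulls:
        raise ValueError("no full backup precedes the failure")
    base = fulls[-1]                          # first load the last full backup
    partials = [b for b in usable if b["day"] > base["day"]]
    kinds = {b["type"] for b in partials}
    if len(kinds) > 1:
        raise ValueError("catalog mixes partial backup types")
    if kinds == {"differential"}:
        # Each differential is cumulative, so only the most recent is needed.
        chain = [base, partials[-1]]
    else:
        # Incrementals must be applied in sequence; stop at the first gap.
        chain = [base]
        for b in partials:
            if b["day"] != chain[-1]["day"] + 1:
                break
            chain.append(b)
    return [b["file"] for b in chain], chain[-1]["day"]


def without(catalog, file):
    """Simulate a lost or unreadable backup file."""
    return [b for b in catalog if b["file"] != file]


# Constructed catalogs: day 0 is the weekly full backup, days 1-4 are partials.
INCREMENTAL = [{"day": 0, "type": "full", "file": "full0"}] + [
    {"day": d, "type": "incremental", "file": f"inc{d}"} for d in range(1, 5)]
DIFFERENTIAL = [{"day": 0, "type": "full", "file": "full0"}] + [
    {"day": d, "type": "differential", "file": f"diff{d}"} for d in range(1, 5)]

if __name__ == "__main__":
    print(restore_chain(INCREMENTAL, 4))
    print(restore_chain(DIFFERENTIAL, 4))
    print(restore_chain(without(INCREMENTAL, "inc2"), 4))
    print(restore_chain(without(DIFFERENTIAL, "diff2"), 4))
```

Losing one incremental file limits recovery to the day before the gap, while losing an older differential file does not affect the restore.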

AVAILABILITY

• Organizations have three basic
options for replacing computer and
networking equipment.
– Reciprocal agreements
• The least expensive approach.
• The organization enters into an
agreement with another
organization that uses similar
equipment to have temporary
access to and use of their
information system resources in
the event of a disaster.
• Effective solutions for disasters
of limited duration and
magnitude, especially for small
organizations.
• Not optimal in major disasters
as:
– The host organization may
also be affected.
– The host also needs the
resources.

AVAILABILITY

• Organizations have three basic
options for replacing computer and
networking equipment.
– Reciprocal agreements
– Cold sites
• An empty building is purchased or leased and pre-wired for
necessary telephone and Internet access.
• Contracts are created with vendors to provide all necessary
computer and office equipment within a specified period of time.
• Still leaves the organization without use of the IS for a period of time.

AVAILABILITY

• Organizations have three basic
options for replacing computer and
networking equipment.
– Reciprocal agreements
– Cold sites
– Hot sites
• Most expensive solution but used by organizations like financial
institutions and airlines which cannot survive any appreciable time
without their IS.
• The hot site is a facility that is pre-wired for phone and Internet (like
the cold site) but also contains the essential computing and office
equipment.
• It is a backup infrastructure designed to provide fault tolerance in
the event of a major disaster.

CHANGE MANAGEMENT CONTROLS

• Organizations constantly modify their information
systems to reflect new business practices and to take
advantage of advances in IT.
• Controls are needed to ensure such changes don’t
negatively impact reliability.
• Existing controls related to security, confidentiality,
privacy, processing integrity, and availability should be
modified to maintain their effectiveness after the change.
• Change management controls need to ensure adequate
segregation of duties is maintained in light of the
modifications to the organizational structure and
adoption of new software.

SUMMARY

• In this chapter, you’ve learned about the
controls used to protect the confidentiality
of sensitive information and the controls
used to protect the privacy of customer
information.
• You’ve also learned about controls that
help ensure processing integrity.
• Finally, you’ve learned about controls to
ensure that the system is available when
needed.