Chapter 10 AIS - A Useful Guide
CHAPTER 10
Information Systems Controls for System Reliability
Part 3: Processing Integrity and Availability
© 2012 Pearson Education, Inc. Accounting Information Systems, Romney/Steinbart
INTRODUCTION
• Questions to be addressed in this chapter include:
  – What controls ensure processing integrity?
  – What controls ensure that the system is available when needed?
PROCESSING INTEGRITY
• A reliable system produces information that is accurate, timely, reflects results of only authorized transactions, and includes outcomes of all activities engaged in by the organization during a given period of time.
• Requires controls over both data input quality and the processing of the data.
[Figure: Systems Reliability model, with Security as the foundation and the pillars Confidentiality, Privacy, Processing Integrity and Availability]
Controls Ensuring Processing Integrity
• Input
• Process
• Output
Input Controls
• Forms Design
  – Pre-numbered forms / sequence test
  – Turnaround documents
• Authorization and segregation of duties
• Cancellation and storage of documents
• Visual scanning
Input Controls
• Data Entry Controls (Edit checks)
  – Field check
  – Sign check
  – Limit check
  – Range check
  – Size (or capacity) check
  – Completeness check
  – Validity check
  – Reasonableness test
  – Check digit verification
  – Key verification
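The edit checks listed above, applied to one constructed payroll record. This is an added example written for this transcript, not code from the textbook; the field names, the limits (80 hours, a 7.25 to 150.00 pay rate, a 10,000 gross-pay reasonableness threshold), the department master list and the mod-10 (Luhn-style) check-digit scheme are all assumptions chosen for illustration.

```python
# Added example: data entry edit checks on a constructed payroll record.
# Field names, limits and the mod-10 check-digit scheme are assumptions.

VALID_DEPARTMENTS = {"D01", "D02", "D07"}          # constructed master list (validity check)
REQUIRED = ("employee_id", "department", "hours", "rate")


def mod10_check_digit_ok(number: str) -> bool:
    """Check digit verification using a Luhn-style mod-10 scheme (assumed)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_checks(rec: dict) -> list:
    """Return the names of the edit checks the record fails; [] means it passes."""
    errors = []
    # completeness check: every required field present and non-empty
    missing = [f for f in REQUIRED if not str(rec.get(f, "")).strip()]
    if missing:
        errors.append("completeness")
        return errors                       # later checks need the fields
    emp = str(rec["employee_id"])
    # field check: the employee id field must contain only digits
    if not emp.isdigit():
        errors.append("field")
    # size (capacity) check: the id must fit its 8-character field
    if len(emp) > 8:
        errors.append("size")
    # check digit verification on the employee id
    if emp.isdigit() and not mod10_check_digit_ok(emp):
        errors.append("check_digit")
    # validity check: department must exist in the master file
    if rec["department"] not in VALID_DEPARTMENTS:
        errors.append("validity")
    try:
        hours = float(rec["hours"])
        rate = float(rec["rate"])
    except (TypeError, ValueError):
        errors.append("field")
        return errors
    # sign check: hours worked cannot be negative
    if hours < 0:
        errors.append("sign")
    # limit check: hours never exceed 80 in one pay period
    if hours > 80:
        errors.append("limit")
    # range check: pay rate must lie between the floor and the top of the scale
    if not (7.25 <= rate <= 150.0):
        errors.append("range")
    # reasonableness test: gross pay above 10,000 for one period is suspect
    if hours * rate > 10_000:
        errors.append("reasonableness")
    return errors


def key_verification(first_entry: dict, second_entry: dict) -> bool:
    """Key verification: a second keying of the same record must match the first."""
    return first_entry == second_entry


if __name__ == "__main__":
    good = {"employee_id": "12345674", "department": "D01", "hours": 40, "rate": 25.0}
    bad = {"employee_id": "12345675", "department": "D99", "hours": -5, "rate": 5.0}
    print(edit_checks(good))   # []
    print(edit_checks(bad))    # ['check_digit', 'validity', 'sign', 'range']
```

The order of the checks matters in practice: completeness runs first because the other checks cannot be evaluated on a field that is absent, and a record is reported with every check it fails rather than only the first, so the person correcting it sees the whole picture.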
Input Controls
• The preceding tests are used for batch processing and online real-time processing.
• Both processing approaches also have some additional controls that are unique to each approach.
Batch Input Controls
• Batch Processing
  – Input multiple source documents at once in a group
• In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated:
  • Sequence check
  • Error log
  • Batch totals
Batch Input Controls
• Batch Totals
  – Compare input totals to output totals
  • Financial
    – Sums a field that contains monetary values
  • Hash
    – Sums a nonfinancial numeric field
  • Record count
    – The number of records in a batch
Online Data Entry Controls
• Additional online data entry controls
  – Online processing data entry controls include:
    • Automatic entry of data
    • Prompting
    • Closed-loop verification
    • Transaction logs
    • Error messages
Processing Controls
• Processing controls to ensure that data is processed correctly include:
  • Data matching
  • File labels
  • Recalculation of batch totals
  • Cross-footing balance test
  • Write-protection mechanisms
  • Concurrent update controls
Output Controls
• Careful checking of system output provides additional control over processing integrity.
• Output controls include:
  – User review of output
  – Reconciliation procedures
  – External data reconciliation
  – Data transmission controls
Output Controls
• Data Transmission Controls
  – Two basic types of data transmission controls:
    1. Checksums – hash of file transmitted, comparison made of hash before and after transmission
    2. Parity checking
Output Controls
• Parity checking
  – Computers represent characters as a set of binary digits (bits).
  – For example, “5” is represented by the seven-bit pattern 0000101.
  – When data are transmitted some bits may be lost or received incorrectly.
  – Two basic schemes to detect these events are referred to as even parity and odd parity.
  – In either case, an additional bit is added to the digit being transmitted.
AVAILABILITY
• Reliable systems are available for use whenever needed.
• Threats to system availability originate from many sources, including:
  – Hardware and software failures
  – Natural and man-made disasters
  – Human error
  – Worms and viruses
  – Denial-of-service attacks and other sabotage
[Figure: Systems Reliability model, with Security as the foundation and the pillars Confidentiality, Privacy, Processing Integrity and Availability]
Controls Ensuring Availability
• Systems or information need to be available 24/7
  – It is not possible to ensure this, so:
AVAILABILITY
• Minimizing Risk of System Downtime
  – Loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce.
  – Organizations can take a variety of steps to minimize the risk of system downtime.
AVAILABILITY
• Preventive maintenance can reduce risk of hardware and software failure. Examples:
  – Cleaning disk drives
  – Properly storing magnetic and optical media
• Use of redundant components can provide fault tolerance, which enables the system to continue functioning despite failure of a component. Examples:
  – Dual processors
  – Arrays of multiple hard drives
AVAILABILITY
• Risks associated with natural and man-made disasters can be reduced with proper location and design of rooms housing mission-critical servers and databases.
  – Raised floors protect from flood damage.
  – Fire protection and suppression devices reduce likelihood of fire damage.
  – Adequate air conditioning reduces likelihood of damage from over-heating or humidity.
  – Cables with special plugs that cannot be easily removed reduce risk of damage due to accidental unplugging.
AVAILABILITY
  – Surge protection devices provide protection against temporary power fluctuations.
• An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely.
AVAILABILITY
• Training
  – Well-trained operators are less likely to make mistakes and more able to recover if they do.
  – Security awareness training, particularly concerning safe email and web-browsing practices, can reduce risk of virus and worm infection.
• Patch management and antivirus software
  – Anti-virus software should be installed, run, and kept current.
  – Email should be scanned for viruses at both the server and desktop levels.
  – Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a machine that is isolated from the main network.
AVAILABILITY
• Recovery and Resumption of Normal Operations
  – Data backup procedures
  – Disaster recovery plan (DRP)
  – Business continuity plan (BCP)
AVAILABILITY
• Data Backup Procedures
  – Data need to be backed up regularly and frequently.
  – A backup is an exact copy of the most current version of a database, file, or software program. It is intended for use in the event of a hardware or software failure.
  – The process of installing the backup copy for use is called restoration.
AVAILABILITY
• A full backup is an exact copy of the data recorded on another physical medium (tape, magnetic disk, CD, DVD, etc.)
• Full backups are time consuming, so most organizations:
  – Do full backups weekly
  – Supplement with daily partial backups.
    • Incremental backup – copy only data that changed since the last partial backup
    • Differential backup – copy only data that changed since the last full backup
AVAILABILITY
• Whichever backup procedure is used, multiple backup copies should be created:
  – One can be stored on-site for use in minor incidents.
  – At least one additional copy should be stored off-site to be safe should a disaster occur.
AVAILABILITY
• Disaster Recovery and Business Continuity Planning Objectives:
  – Minimize the extent of the disruption, damage, and loss
  – Temporarily establish an alternative means of processing information
  – Resume normal operations as soon as possible
  – Train and familiarize personnel with emergency operations
• Recovery point objective (RPO)
• Recovery time objective (RTO)
AVAILABILITY
• Infrastructure Replacement
  – Major disasters can totally destroy an organization’s information processing center or make it inaccessible.
  – A key component of disaster recovery and business continuity plans incorporates provisions for replacing the necessary computing infrastructure, including:
    • Computers
    • Network equipment and access
    • Telephone lines
    • Office equipment
    • Supplies
  – It may even be necessary to hire temporary staff.
AVAILABILITY
• Organizations have three basic options for replacing computer and networking equipment.
  – Reciprocal agreements
  – Cold sites
  – Hot sites
AVAILABILITY
• Documentation
  – An important and often overlooked component. Should include:
    • The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented.
    • Assignment of responsibility for the various activities.
    • Vendor documentation of hardware and software.
    • Documentation of modifications made to the default configuration (so replacement will have the same functionality).
    • Detailed operating instructions.
  – Copies of all documentation should be stored both on-site and off-site.
AVAILABILITY
• Testing
  – Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans.
  • Most plans fail their initial test, because it’s impossible to anticipate everything that could go wrong.
  • The time to discover these problems is before the actual emergency and in a setting where the weaknesses can be carefully analyzed and appropriate changes made.
AVAILABILITY
• Insurance
  – Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans.