Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information...

Computer Based Information Systems Control

UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee

Control Classifications

By Objectives By Settings By Risk Aversion

Administrative

Accounting

General

Application

Input Processing

Output

Corrective

Preventive

Detective

By System ArchitecturesManual Systems

Computer Based Systems

Batch Processing

Online Processing

Data Base

SAS 29 (1958)

Text Chapter 7

This Chapter



Administrative

Accounting

General

Application

Input Processing

Output

Corrective

Preventive

Detective



Batch Processing

Online Processing

Data Base

Encourage adherence to management policies and procedures.

Promote operational efficiency.

Safeguard assets

Ensure accuracy of accounting data and information.

Input Process Output

Sensor

Bench-mark

Detective and Corrective Controls

Corrective Controls

Preventive, Detective, and Corrective Controls

Discover the occurrence of adverse events.

Tend to be active in nature.

After the fact controls

Lead to the righting of effects caused by adverse events.

Tend to be more active than detective controls.

Block adverse events, such as errors or losses from occurring.

Tend to be passive in nature.



Administrative

Accounting

General

Application

Input Processing

Output

Corrective

Preventive

Detective



Batch Processing

Online Processing

Data Base

Ensure that overall IS is stable and well maintained. Ensure the

accuracy of specific applications, inputs, files, programs & outputs.



Administrative

Accounting

General

Application

Input Processing

Output

Corrective

Preventive

Detective



Batch Processing

Online Processing

Data Base

What Constitutes A Reliable System

What Constitutes Reliability?

Availability

Security

Maintainability

Integrity

Corrective

Preventive

Detective

General

Application

Input Processing

Output

Administrative

Accounting

By Risk AversionBy SettingsBy Objectives



Computer Based SystemsBatch ProcessingOnline Processing

Data Base

Controls – The Text Approach

Key General Reliability Controls (> than one reliability principle) - Table 8-1

Key Availability Controls - Table 8-2

Key Security Controls - Table 8-3

Key Maintainability Controls - Table 8-4

Key Integrity Controls – Table 8-5

General Reliability Controls

Strategic Planning & Budgeting

Developing a System Reliability Plan

Documentation

Key Availability Controls

Minimizing System Downtime

Disaster Recovery Plan

Key Security Controls

Segregation of Duties in Systems Function

The Text Notes . . .

In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.

Therefore, any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

The Text Notes . . .

To combat this threat, organizations must implement compensating control procedures such as the effective segregation of duties within the AIS function.

Organizational Independence Within the

Information Systems Function of a Firm using

Computer-Based processing

Source: AIS, Wilkinson & Cerullo

InformationSystemsManager

SteeringCommittee

PlanningStaff

Data-BaseAdministrator

TechnicalServicesManager

SystemsDevelopment

Manager

DataProcessingManager

InformationCenter

SystemsAnalysis &

ProjectsProgramming

DataPreparation

ComputerOperations

DataLibrary

DataControl

Tasks which CREATE systems.

Tasks which OPERATE systems.

These two functions need to be ORGANIZATIONALLY and

PHYSICALLY separated

Flow of batched data within several units of an organization using computer-based

processing.


DataInput

DataInput

OutputsOutputs

Errors to becorrected


Receive& Log

Receive& Log

ConvertData

ConvertData ProcessProcess FilesFiles

Log &Distribute

Log &Distribute OutputsOutputs

ErrorListing

ErrorListing

FilesFiles

User Departments

Computer-Based Data Processing Department

Control Section

Data Preparation Section

Computer Operations

Data Library

Record input data in control log. Follow progress of processing. Maintains control totals Reconciles totals during processing. Distribute output. Monitors correction of errors.

DataInput

DataInput

OutputsOutputs



Receive& Log

Receive& Log

ConvertData


Log &Distribute


ErrorListing

ErrorListing

FilesFiles

User Departments


Control Section


Computer Operations

Data Library

Prepare and verify data for entry into processing.

What controls do we have here?Batch controlsVarious computer input controls.

DataInput

DataInput

OutputsOutputs



Receive& Log

Receive& Log

ConvertData


Log &Distribute


ErrorListing

ErrorListing

FilesFiles

User Departments


Control Section


Computer Operations

Data Library

Processes data to produce outputs.

What controls do we have here?Various computer processing

controls.

Simplified organizational separation in a computer-

based system using on-line processing.


User Departments

Computer Operations

On-Line Files (Data Library)

Data InputsData Inputs

DisplayedOutputs

DisplayedOutputs

PrintedOutputs

PrintedOutputs

ProcessProcess

BatchFiles

BatchFiles

On-LineFiles

On-LineFiles

Subdivisions of transaction (application) controls and

typical control points.


SourceDocument

ManualEntry

ConvertTo MRF

Trans.Data

Ed

iting

Com

pu

ter-Based

Data P

rocessing

SourceDocument

User

User

Transaction Via Terminal

Soft-CopyOutput

Input ControlsProcessing

ControlsOutput

Controls

Control Point



Physical Access Controls

Physical Access ControlsPerimeter Control

Building Controls

Computer Facility

Controls



Physical Access Controls

Logical Access Controls

Logical Access ControlsIdentification

Authentication

Access Rights

Threat Monitoring


Protection of Personal Computers and Client/Server Networks

Internet and e-commerce Controls

Key Maintainability Controls

Project Development and Acquisition Controls.

Change Management Controls



Administrative

Accounting

General

Application

Input Processing

Output

Corrective

Preventive

Detective



Batch Processing

Online Processing

Data Base

Ensure that overall IS is stable and well maintained. Ensure the

accuracy of specific applications, inputs, files, programs & outputs.

Objectives of Application Controls

To prevent, detect, and correct errors in transactions

as they flow through the various stages of a specific data processing program.


The text correctly notes . . .

If application controls are weak

AIS output is likely to contain errors.

Erroneous data leads to significant potential problems

Objectives of Application Controls

Key Integrity Controls

Source Data Controls

Input Validation Controls

On-Line Data Entry Controls

Data Processing and Storage Controls


Output Controls

Data Transmission Controls


Source Data

Input Validation

On-line Data Entry

Data Processing

Storage

Data Transmission

Output


Ensure that all source documents are authorized, accurate, complete, properly accounted for and entered into the system or sent to their intended destinations in a timely manner.


Forms Design

Prenumbered Forms Sequence Test

Turnaround Documents

Cancelation and Storage of Documents


Authorization and Segregation of Duties

Visual Scanning

Check Digit Verification

Key Verification


Input Validation Controls

Input Validation Routines

Routines that check the integrity of input data as the data are entered into the system.

Edit ProgramsEdit Checks


Sequence Check

Field Check

Sign Check

Validity Check

Limit Check


Range Check

Reasonableness Test

Redundant Data Check

Capacity Check


To ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.



User ID and Passwords

Automatic Entering of Data

Prompting

Preformatting


Completeness Check

Closed-Loop Verification

Transaction Log

Error Messages

Record Retention


Data Processing and Storage Controls

Processing/Storage Controls

Preserve the integrity of data processing and stored data.


Policies and procedures

Data Control Function

Reconciliation procedures

External data Reconciliation

Exception reporting

DataInput

DataInput

OutputsOutputs



Receive& Log

Receive& Log

ConvertData


Log &Distribute


ErrorListing

ErrorListing

FilesFiles

User Departments


Control Section


Computer Operations

Data Library


Data currency checks

Default values

Data matching

File labels

Write Protection mechanisms


Database Protection Mechanisms

Data Conversion Controls

Data Security


Output Controls

Output Controls

Review all output for reasonableness and proper format

Reconcile output and input control totals daily

Distribute output to appropriate user departments

Output Controls

Protect sensitive or confidential outputs

Store sensitive/confidential data in secure area

Require users to review completeness and accuracy of all output

Output Controls

Shred or otherwise destroy sensitive data.

Correct errors found on output reports.


Transmission Controls

Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information...

Documents

Transcript of Computer Based Information Systems Control UAA – ACCT 316 – Fall 2003 Accounting Information...