Computer Based Information Systems Control
UAA – ACCT 316 – Fall 2003 Accounting Information Systems Dr. Fred Barbee
Control Classifications
By Objectives: Administrative; Accounting
By Settings: General; Application (Input, Processing, Output)
By Risk Aversion: Corrective; Preventive; Detective
By System Architectures: Manual Systems; Computer Based Systems (Batch Processing, Online Processing, Data Base)
SAS 29 (1958)
Text Chapter 7
This Chapter
By Objectives
Administrative controls: encourage adherence to management policies and procedures; promote operational efficiency.
Accounting controls: safeguard assets; ensure the accuracy of accounting data and information.
[Figure: control loop. Input, Process, Output; a Sensor measures the output and compares it against a Bench-mark.]
By Risk Aversion: Preventive, Detective, and Corrective Controls
Preventive controls: block adverse events, such as errors or losses, from occurring. Tend to be passive in nature.
Detective controls: discover the occurrence of adverse events. After-the-fact controls; tend to be active in nature.
Corrective controls: lead to the righting of effects caused by adverse events. Tend to be more active than detective controls.
By Settings
General controls: ensure that the overall IS is stable and well maintained.
Application controls: ensure the accuracy of specific applications, inputs, files, programs and outputs.
What Constitutes a Reliable System?
Reliability rests on four principles: Availability, Security, Maintainability, Integrity.
Controls – The Text Approach
Key General Reliability Controls (controls that support more than one reliability principle) - Table 8-1
Key Availability Controls - Table 8-2
Key Security Controls - Table 8-3
Key Maintainability Controls - Table 8-4
Key Integrity Controls – Table 8-5
General Reliability Controls
Strategic Planning & Budgeting
Developing a System Reliability Plan
Documentation
Key Availability Controls
Minimizing System Downtime
Disaster Recovery Plan
Key Security Controls
Segregation of Duties in Systems Function
The Text Notes . . .
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined. Therefore, any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
To combat this threat, organizations must implement compensating control procedures such as the effective segregation of duties within the AIS function.
Organizational Independence Within the Information Systems Function of a Firm using Computer-Based Processing
Source: AIS, Wilkinson & Cerullo
[Figure: organization chart]
Information Systems Manager (advised by a Steering Committee and a Planning Staff)
    Data-Base Administrator
    Technical Services Manager
    Systems Development Manager
        Systems Analysis & Projects
        Programming
    Data Processing Manager
        Data Preparation
        Computer Operations
        Data Library
        Data Control
    Information Center
Systems development performs the tasks which CREATE systems; data processing performs the tasks which OPERATE systems.
These two functions need to be ORGANIZATIONALLY and PHYSICALLY separated.
Flow of batched data within several units of an organization using computer-based processing.
Source: AIS, Wilkinson & Cerullo
[Figure: User Departments send Data Input to the Computer-Based Data Processing Department, where it passes through Receive & Log (Control Section), Convert Data (Data Preparation Section), Process (Computer Operations, reading and writing the Files held by the Data Library) and Log & Distribute (Control Section). Outputs go back to the User Departments together with an Error Listing; errors to be corrected are returned by the users for re-entry.]
Control Section: records input data in a control log; follows the progress of processing; maintains control totals and reconciles totals during processing; distributes output; monitors the correction of errors.
Data Preparation Section: prepares and verifies data for entry into processing.
What controls do we have here? Batch controls; various computer input controls.
Computer Operations: processes data to produce outputs.
What controls do we have here? Various computer processing controls.
Simplified organizational separation in a computer-based system using on-line processing.
Source: AIS, Wilkinson & Cerullo
[Figure: User Departments key Data Inputs at terminals and receive Displayed Outputs and Printed Outputs; Computer Operations runs the Process step against Batch Files and On-Line Files; the On-Line Files belong to the Data Library.]
Subdivisions of transaction (application) controls and typical control points.
Source: AIS, Wilkinson & Cerullo
[Figure: two input paths into Computer-Based Data Processing. Batch path: User, Source Document, Manual Entry, Convert to MRF, Trans. Data, Editing, processing. On-line path: User, Transaction via Terminal, Editing, processing, Soft-Copy Output. Control points are marked for Input Controls, Processing Controls and Output Controls.]
Key Security Controls
Segregation of Duties in Systems Function
Physical Access Controls: Perimeter Control; Building Controls; Computer Facility Controls
Logical Access Controls: Identification; Authentication; Access Rights; Threat Monitoring
Protection of Personal Computers and Client/Server Networks
Internet and e-commerce Controls
Key Maintainability Controls
Project Development and Acquisition Controls.
Change Management Controls
Objectives of Application Controls
To prevent, detect, and correct errors in transactions as they flow through the various stages (input, process, output) of a specific data processing program.
The text correctly notes . . .
If application controls are weak, AIS output is likely to contain errors. Erroneous data leads to significant potential problems.
Key Integrity Controls
Source Data Controls
Input Validation Controls
On-Line Data Entry Controls
Data Processing and Storage Controls
Output Controls
Data Transmission Controls
[Figure: the integrity controls placed along the Input, Process, Output flow: Source Data, Input Validation and On-line Data Entry at input; Data Processing and Storage at process; Data Transmission and Output at output.]
Key Integrity Controls: Source Data Controls
Source data controls ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destinations in a timely manner.
Source Data Controls:
Forms Design
Prenumbered Forms Sequence Test
Turnaround Documents
Cancellation and Storage of Documents
Authorization and Segregation of Duties
Visual Scanning
Check Digit Verification
Key Verification
Key Integrity Controls: Input Validation Controls
Input validation routines are routines that check the integrity of input data as the data are entered into the system (edit programs, edit checks).
Input Validation Routines:
Sequence Check
Field Check
Sign Check
Validity Check
Limit Check
Range Check
Reasonableness Test
Redundant Data Check
Capacity Check
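The following is an added example (not code from the lecture or from the Wilkinson & Cerullo text) that implements the edit checks listed above over a small batch of keyed sales-order records, together with the Check Digit Verification from the Source Data Controls list. The record layout, the master files (chart of accounts, customers with credit limits, item list prices), the mod-10 scheme used for the check digit, the three-digit quantity field and the 10% reasonableness tolerance are all assumptions chosen for illustration.

```python
"""Edit checks (input validation routines) over a constructed batch of keyed
sales-order records, plus mod-10 check digit verification of the customer number.
Added example; record layout, master files, capacities and tolerances are assumptions."""
from __future__ import annotations

from decimal import Decimal, InvalidOperation

# Constructed master data (assumptions for this example).
VALID_ACCOUNTS = {"1000", "2000", "4100"}                    # chart of accounts
CUSTOMERS = {                                                # number body -> (name, credit limit)
    "10017": ("Alaska Hardware", Decimal("5000.00")),
    "10025": ("Kenai Supply", Decimal("2500.00")),
}
LIST_PRICE = {"W-200": Decimal("19.95"), "W-201": Decimal("24.50")}
QTY_CAPACITY = 3                                             # quantity field holds 3 digits
PRICE_RANGE = (Decimal("0.01"), Decimal("10000.00"))
TOLERANCE = Decimal("0.10")                                  # reasonableness: within 10% of list
REQUIRED = ("seq", "customer", "customer_name", "account", "item", "qty", "unit_price")


def mod10_check_digit(body: str) -> int:
    """Mod-10 (Luhn) digit: weight digits 2,1,2,1,... from the right, reduce any doubled
    product above 9 by 9, return the digit that brings the sum to a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def check_digit_ok(number: str) -> bool:
    """Check digit verification: the last digit must equal the mod-10 digit of the rest."""
    return len(number) >= 2 and number.isdigit() and mod10_check_digit(number[:-1]) == int(number[-1])


def edit_checks(rec: dict[str, str], prev_seq: int | None) -> list[str]:
    """Apply the edit checks to one record (fields arrive as keyed strings).
    Returns every edit error found; an empty list means the record passed."""
    errs: list[str] = []
    missing = [f for f in REQUIRED if not rec.get(f)]        # completeness of the record
    if missing:
        return [f"missing field(s): {', '.join(missing)}"]
    # Field check: numeric fields contain only numeric characters.
    if not rec["seq"].isdigit():
        errs.append("field check: seq is not numeric")
    if not rec["qty"].lstrip("-").isdigit():
        errs.append("field check: qty is not numeric")
    try:
        price = Decimal(rec["unit_price"])
    except InvalidOperation:
        errs.append("field check: unit_price is not numeric")
    if errs:
        return errs                                          # later checks need parsed values
    seq, qty = int(rec["seq"]), int(rec["qty"])
    # Sequence check: the batch arrives in ascending order with no gaps.
    if prev_seq is not None and seq != prev_seq + 1:
        errs.append(f"sequence check: expected {prev_seq + 1}, got {seq}")
    # Sign check: a sales order cannot carry a negative quantity.
    if qty < 0:
        errs.append("sign check: negative qty")
    # Capacity check: the value must fit the field that will store it.
    if len(str(abs(qty))) > QTY_CAPACITY:
        errs.append(f"capacity check: qty exceeds {QTY_CAPACITY} digits")
    # Validity check: coded fields must exist in the master files.
    if rec["account"] not in VALID_ACCOUNTS:
        errs.append(f"validity check: unknown account {rec['account']}")
    if rec["item"] not in LIST_PRICE:
        errs.append(f"validity check: unknown item {rec['item']}")
    # Check digit verification on the customer number, then look the customer up.
    if not check_digit_ok(rec["customer"]):
        errs.append(f"check digit: customer {rec['customer']} fails mod-10")
    elif (cust := CUSTOMERS.get(rec["customer"][:-1])) is None:
        errs.append(f"validity check: unknown customer {rec['customer']}")
    else:
        name, limit = cust
        # Redundant data check: the keyed name must agree with the number's master record.
        if rec["customer_name"].strip().lower() != name.lower():
            errs.append("redundant data check: customer name does not match number")
        # Limit check: order value may not exceed the customer's credit limit.
        if qty * price > limit:
            errs.append(f"limit check: {qty * price} exceeds credit limit {limit}")
    # Range check: unit price inside the permitted bounds.
    if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:
        errs.append(f"range check: unit_price {price} outside {PRICE_RANGE}")
    # Reasonableness test: keyed price should be close to the item's list price.
    elif rec["item"] in LIST_PRICE and abs(price - LIST_PRICE[rec["item"]]) > LIST_PRICE[rec["item"]] * TOLERANCE:
        errs.append(f"reasonableness test: unit_price {price} vs list {LIST_PRICE[rec['item']]}")
    return errs


def run_batch(batch: list[dict[str, str]]) -> dict[str, list[str]]:
    """Edit a batch in order; returns {seq: errors} for the rejected records only."""
    rejected: dict[str, list[str]] = {}
    prev: int | None = None
    for rec in batch:
        errs = edit_checks(rec, prev)
        if errs:
            rejected[rec.get("seq", "?")] = errs
        if rec.get("seq", "").isdigit():
            prev = int(rec["seq"])
    return rejected


# Constructed sample batch: one clean record and three with planted errors.
BATCH = [
    {"seq": "0001", "customer": "100172", "customer_name": "Alaska Hardware",
     "account": "4100", "item": "W-200", "qty": "10", "unit_price": "19.95"},
    {"seq": "0002", "customer": "100712", "customer_name": "Alaska Hardware",   # "17" keyed as "71"
     "account": "4100", "item": "W-200", "qty": "10", "unit_price": "19.95"},
    {"seq": "0004", "customer": "100255", "customer_name": "Kenai Supply",      # gap in sequence, negative qty
     "account": "4100", "item": "W-201", "qty": "-5", "unit_price": "24.50"},
    {"seq": "0005", "customer": "100255", "customer_name": "Kenai Supply",      # bad account, oversize qty, over limit, odd price
     "account": "9999", "item": "W-201", "qty": "1500", "unit_price": "2.45"},
]
```

Record 0002 shows why the customer number carries a check digit: the transposed "71" still passes the field and validity checks on its own, and only the mod-10 verification rejects it. Record 0005 shows that several checks can fire on one record, so the error listing returned to the user department should carry all of them rather than the first one found.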
Key Integrity Controls: On-Line Data Entry Controls
On-line data entry controls ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
On-Line Data Entry Controls:
Input Validation Routines
User ID and Passwords
Automatic Entering of Data
Prompting
Preformatting
Completeness Check
Closed-Loop Verification
Transaction Log
Error Messages
Record Retention
Key Integrity Controls: Data Processing and Storage Controls
Processing/storage controls preserve the integrity of data processing and stored data.
Processing/Storage Controls:
Policies and procedures
Data Control Function
Reconciliation procedures
External data reconciliation
Exception reporting
Processing/Storage Controls (continued):
Data currency checks
Default values
Data matching
File labels
Write protection mechanisms
Database protection mechanisms
Data conversion controls
Data security
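The control totals that the Control Section logs at Receive & Log, the batch controls applied in data preparation, and the reconciliation procedures and exception reporting listed here are one mechanism seen from three points in the flow. The following added example (not code from the lecture or from the Wilkinson & Cerullo text) shows that mechanism end to end: the three classic batch totals are computed when the batch is logged, recomputed from whatever comes out of processing, and reconciled, with each disagreement becoming a line of the exception report. The record layout, account numbers, amounts and the three simulated processing faults are constructed for the example.

```python
"""Batch control totals (record count, financial total, hash total) logged at receipt,
recomputed after processing, reconciled, and written to an exception report.
Added example; record layout, sample batch and the simulated faults are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal
from typing import Callable


@dataclass(frozen=True)
class ControlTotals:
    record_count: int          # how many records the batch holds
    financial_total: Decimal   # sum of the amount field (a meaningful total)
    hash_total: int            # sum of the account numbers (meaningless, kept only for control)


def control_totals(batch: list[dict[str, str]]) -> ControlTotals:
    """The totals the control section logs when a batch is received; the same
    function recomputes them from whatever comes out of processing."""
    return ControlTotals(
        record_count=len(batch),
        financial_total=sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        hash_total=sum(int(r["account"]) for r in batch),
    )


def reconcile(logged: ControlTotals, processed: ControlTotals) -> list[str]:
    """Reconciliation procedure: every total that no longer agrees with the
    control log becomes one line of the exception report."""
    report: list[str] = []
    if logged.record_count != processed.record_count:
        report.append(f"record count: logged {logged.record_count}, processed {processed.record_count}")
    if logged.financial_total != processed.financial_total:
        report.append(f"financial total: logged {logged.financial_total}, processed {processed.financial_total}")
    if logged.hash_total != processed.hash_total:
        report.append(f"hash total: logged {logged.hash_total}, processed {processed.hash_total}")
    return report


# Constructed batch of three postings, as logged by the control section at receipt.
BATCH = [
    {"account": "4100", "amount": "199.50"},
    {"account": "4100", "amount": "122.50"},
    {"account": "2000", "amount": "3675.00"},
]
LOGGED = control_totals(BATCH)   # record_count 3, financial_total 3997.00, hash_total 10200

Fault = Callable[[list[dict[str, str]]], list[dict[str, str]]]


# Three things that can go wrong between Receive & Log and Log & Distribute.
def dropped_record(batch: list[dict[str, str]]) -> list[dict[str, str]]:
    """A record lost during data conversion."""
    return batch[:-1]


def miskeyed_account(batch: list[dict[str, str]]) -> list[dict[str, str]]:
    """Digits transposed inside one account number (4100 keyed as 4010)."""
    out = [dict(r) for r in batch]
    out[1]["account"] = "4010"
    return out


def swapped_amounts(batch: list[dict[str, str]]) -> list[dict[str, str]]:
    """Two amounts posted to each other's record: every total is unchanged."""
    out = [dict(r) for r in batch]
    out[0]["amount"], out[1]["amount"] = out[1]["amount"], out[0]["amount"]
    return out


def exception_report(fault: Fault) -> list[str]:
    """Run the logged batch through one fault and reconcile the result against the log."""
    return reconcile(LOGGED, control_totals(fault(BATCH)))


if __name__ == "__main__":
    for f in (dropped_record, miskeyed_account, swapped_amounts):
        print(f.__name__ + ":", *(exception_report(f) or ["no exceptions"]), sep="\n  ")
```

The dropped record disturbs all three totals and the mis-keyed account number disturbs only the hash total, which is exactly what a hash total is kept for. The swapped amounts disturb none of them: batch totals prove that the batch as a whole came through processing intact, not that each value reached the right record. That gap is why the lecture pairs batch controls with record-level checks (check digits, redundant data checks, data matching) and still requires users to review output for completeness and accuracy.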
Key Integrity Controls: Output Controls
Output Controls:
Review all output for reasonableness and proper format
Reconcile output and input control totals daily
Distribute output to appropriate user departments
Protect sensitive or confidential outputs
Store sensitive/confidential data in a secure area
Require users to review completeness and accuracy of all output
Shred or otherwise destroy sensitive data
Correct errors found on output reports
Key Integrity Controls
Transmission Controls