Chapter 4-1. Chapter 4-2 Accounting Information Systems, 1 st Edition Internal Controls and Risks in...

Chapter 4-1

Chapter 4-2 Accounting Information Systems, 1st Edition

Internal Controls and Risks in IT Systems

Chapter 4-3

1. An overview of internal controls for IT systems

2. General controls for IT systems

3. General controls from a Trust Principles perspective

4. Hardware and software exposures in IT systems

5. Application software and application controls

6. Ethical issues in IT systems

Study ObjectivesStudy ObjectivesStudy ObjectivesStudy Objectives

Chapter 4-4 SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems

Internal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT Systems

Accounting Information System - collects, processes, stores, and reports accounting information.

Computer-based systems have been described as being of two types:

General controls

Application controls

Chapter 4-5 SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems


Application controls used to control inputs, processing, and outputs.

Exhibit 4-1 General and Application Controls in IT Systems

General controls apply overall to the IT accounting system.

Chapter 4-6

b. Technology controls.

Internal controls that apply overall to the IT system are called

Concept CheckConcept Check

c. Application controls.

d. General controls.

a. Overall controls.

SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems


Chapter 4-7 SO 2 General controls for IT systemsSO 2 General controls for IT systems

General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems

Five categories of general controls:

1. Authentication of users and limiting unauthorized access

2. Hacking and other network break-ins

3. Organizational structure

4. Physical environment and physical security of the system

5. Business Continuity

Chapter 4-8

Authentication of Users and Limiting Unauthorized Users

Authentication of users

Log-in

User IDs

Password

Smart card

Security token

Two factor authentication

SO 2 General controls for IT systemsSO 2 General controls for IT systems


Biometric devices

Computer log

Nonrepudiation

User profile

Authority table

Configuration tables

Chapter 4-9

Hacking and other Network Break-Ins

Firewall

Symmetric encryption

Public key encryption

Wired equivalency privacy

Wireless protected access

Service set identifier

Virtual private networkSO 2 General controls for IT systemsSO 2 General controls for IT systems


Secure sockets layer

Virus

Antivirus software

Vulnerability assessment

Intrusion detection

Penetration testing

Chapter 4-10

Organizational Structure

IT governance committee, responsibilities include:

1. Align IT investments to business strategy.

2. Budget funds and personnel for the most effective use of the IT systems.

3. Oversee and prioritize changes to IT systems.

4. Develop, monitor, and review all IT operational policies.

5. Develop, monitor, and review security policies.



Chapter 4-11

Organizational Structure

Duties to be segregated are:

Systems analysts

Programmers

Operators

Database administrator



Chapter 4-12

Physical Environment and Security

Physical access controls:

Limited access to computer rooms through employee ID badges or card keys

Video surveillance equipment

Logs of persons entering and exiting the computer rooms

Locked storage of backup data and offsite backup data



Chapter 4-13

Business Continuity

Business Continuity Planning (BCP)

Business continuity related to IT systems:

A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.

A disaster recovery plan.



Chapter 4-14

b. Security token.

Which of the following is not a control intended to authenticate users?


c. Encryption.

d. Biometric devices.

a. User log-in.



Chapter 4-15

b. Develop, monitor, and review security policies.

An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?


c. Oversee and prioritize changes to IT systems.

d. Align IT investments to business strategy.

a. Develop and maintain the database and ensure adequate controls over the database.



Chapter 4-16

AICPA Trust Principles categorizes IT controls and risks into five categories:

a. Security

b. Availability

c. Processing integrity

d. Online privacy

e. Confidentiality

SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective

General Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles PerspectiveGeneral Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles Perspective

Chapter 4-17

IT controls that lessen risk of unauthorized users gaining access to the IT system:

a. user ID,

b. password,

c. security token,

d. biometric devices,

e. log-in procedures,



Risks In Not Limiting Unauthorized Users

f. access levels,

g. computer logs, and

h. authority tables.

Chapter 4-18

Controls that may be applied are,

a. firewalls

b. encryption of data,

c. security policies,

d. security breach resolution,

e. secure socket layers (SSL),

f. virtual private network (VPN),

g. network (VPN),



Risks From Hacking or Other Network Break-Ins

Chapter 4-19

Controls that may be applied are,

h. wired equivalency privacy (WEP),

i. wireless protected access (WPA),

j. service set identifier (SSID),

k. antivirus software,

l. vulnerability assessment,

m. penetration testing, and

n. intrusion detection.



Risks From Hacking or Other Network Break-Ins

Chapter 4-20

Environmental changes that affect the IT system can cause availability risks and processing integrity risks.



Risks From Environmental Factors

Physical Access Risks

Business Continuity Risks

Chapter 4-21

b. Confidentiality.

AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”?


c. Processing integrity.

d. Availability.

a. Security.


General Controls from an AICPA General Controls from an AICPA TrustTrustGeneral Controls from an AICPA General Controls from an AICPA TrustTrust

Chapter 4-22

b. Availability risk.

The risk that an unauthorized user would shut down systems within the IT system is a(n)


c. Processing integrity risk.

d. Confidentiality risk.

a. Security risk.


General Controls from an AICPA General Controls from an AICPA TrustTrustGeneral Controls from an AICPA General Controls from an AICPA TrustTrust

Chapter 4-23

Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures

Typical IT system components that represent “entry points” where the risks must be controlled.

1. The operating system

2. The database

3. The database management system (DBMS)

4. Local area networks (LANs)

5. Wireless networks

6. E-business conducted via the Internet

7. Telecommuting workers

8. Electronic data interchange (EDI)

9. Application software

SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems

Chapter 4-24

Typical “entry points”


Exhibit 4-6

Chapter 4-25

The software that controls the basic input and output activities of the computer.

Provides the instructions that enable the CPU to:

read and write to disk,

read keyboard input,

control output to the monitor,

manage computer memory, and

communicate between the CPU, memory, and disk storage.

The Operating System



Chapter 4-26

Unauthorized access would allow an unauthorized user to:

1. Browse disk files or memory for sensitive data or passwords.

2. Alter data through the operating system.

3. Alter access tables to change access levels of users.

4. Alter application programs.

5. Destroy data or programs.

The Operating System



Chapter 4-27

A large disk storage for accounting and operating data.

Controls such as:

user IDs, passwords,

authority tables,

firewalls, and

encryption

are examples of controls that can limit exposure.

The Database



Chapter 4-28

A software system that manages the interface between many users and the database.

The Database Management System



Exhibit 4-7

Chapter 4-29





Exhibit 4-6

Chapter 4-30


Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.




Chapter 4-31

A local area network, or LAN, is a computer network covering a small geographic area.

A group of LANs connected to each other is called a wide area network, or WAN.

LANS and WANS



Chapter 4-32

LANS and WANS



Controls: limit

unauthorized users

firewalls encryption virtual private

networks

Exhibit 4-6

Chapter 4-33

Same kind of exposures as a local area network.

Wireless Networks



Exhibit 4-6

Chapter 4-34

Same kind of exposures as a local area network.

Controls include:

wired equivalency privacy (WEP) or wireless protected access (WPA),

station set identifiers (SSID), and

encrypted data.

Wireless Networks



Chapter 4-35

The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization’s internal network of computers.

Internet and World Wide Web



Exhibit 4-6

Chapter 4-36

The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.

Telecommuting Workers


Exhibit 4-6

Chapter 4-37

Company-to-company transfer of standard business documents in electronic form.

EDI controls include:

authentication,

computer logs, and

network break-in controls.


Electronic Data Interchange

Exhibit 4-6

Chapter 4-38

b. Internet.

The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?


c. Wireless networks.

d. All of the above.

a. Telecommuting workers.



Chapter 4-39

Applications software accomplishes end user tasks such as:

word processing,

spreadsheets,

database maintenance, and

accounting functions.

Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls

SO 5 Application software and application controlsSO 5 Application software and application controls

Applications controls - intended to improve the accuracy, completeness, and security of input, process, and output.

Chapter 4-40

Date input - data converted from human readable form to computer readable form.

Input controls are of four types:

1. Source document controls

2. Standard procedures for data preparation and error handling

3. Programmed edit checks

4. Control totals and reconciliation

Input Controls



Chapter 4-41

Source document -paper form used to capture and record the original data of an accounting transaction.

Note:

Many IT systems do not use source documents.

General controls such as computer logging of transactions and keeping backup files, become important.

Where source documents are used, several source document controls should be used.

Source Document Controls



Chapter 4-42

Form Design - Both the source document and the input screen should be well designed so that they are easy to understand and use, logically organized into groups of related data.

Form Authorization and Control:

Area for authorization by appropriate manager

Prenumbered and used in sequence

Blank source documents should be controlled




Chapter 4-43

Retention of Source Documents:

Retained and filed for easy retrieval

Part of the audit trail.




Chapter 4-44

Data Preparation – standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.

Error Handling:

Errors should be logged, investigated, corrected, and resubmitted for processing

Error log should be regularly reviewed by an appropriate manager

Standard Procedures for Data Input



Chapter 4-45

Data should be validated and edited to be as close to the original source of data as possible.

Input validation checks include:

Programmed Input Validation Checks



1. Field check

2. Validity check

3. Limit check

4. Range check

5. Reasonableness check

6. Completeness check

7. Sign check

8. Sequence check

9. Self-checking digit

Chapter 4-46

Control totals are subtotals of selected fields for an entire batch of transactions.

Three types:

record counts,

batch totals, and

hash totals.

Control Totals and Reconciliation



Chapter 4-47

Intended to prevent, detect, or correct errors that occur during processing.

Ensure that application software has no errors.

Control totals, limit and range tests, and reasonableness and sign tests.

Computer logs of transactions processed, production run logs, and error listings.

Processing Controls



Chapter 4-48

Reports from the various applications.

Two primary objectives of output controls:

to assure the accuracy and completeness of the output, and

to properly manage the safekeeping of output reports to ascertain that security and confidentiality of the information is maintained.

Output Controls



Chapter 4-49

b. Validity check.

Which programmed input validation check compares the value in a field with related fields with determine whether the value is appropriate?


c. Reasonableness check.

d. Completeness check.

a. Completeness check.



Chapter 4-50

b. Validity check.

Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?



d. Field check.




Chapter 4-51

b. Validity check.

Which programmed input validation makes sure that a value was entered in all of the critical fields?



d. Field check.




Chapter 4-52

b. Hash total.

Which control total is the total of field values that are added for control purposes, but not added for any other purpose?


c. Batch total.

d. Field total.

a. Record count.



Chapter 4-53

Besides fraud, there are many kinds of unethical behaviors related to computers, such as:

Misuse of confidential customer information.

Theft of data, such as credit card information, by hackers.

Employee use of IT system hardware and software for personal use or personal gain.

Using company e-mail to send offensive, threatening, or sexually explicit material.

Ethical Issues in Information Ethical Issues in Information TechnologyTechnologyEthical Issues in Information Ethical Issues in Information TechnologyTechnology

SO 6 Ethical issues in IT systemsSO 6 Ethical issues in IT systems

Chapter 4-54

Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

CopyrightCopyrightCopyrightCopyright

Chapter 4-1. Chapter 4-2 Accounting Information Systems, 1 st Edition Internal Controls and Risks in...

Documents

Transcript of Chapter 4-1. Chapter 4-2 Accounting Information Systems, 1 st Edition Internal Controls and Risks in...