Chapter 4-1. Chapter 4-2 Accounting Information Systems, 1 st Edition Internal Controls and Risks in...
-
date post
20-Dec-2015 -
Category
Documents
-
view
220 -
download
1
Transcript of Chapter 4-1. Chapter 4-2 Accounting Information Systems, 1 st Edition Internal Controls and Risks in...
Chapter 4-1
Chapter 4-2 Accounting Information Systems, 1st Edition
Internal Controls and Risks in IT Systems
Chapter 4-3
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems
Study ObjectivesStudy ObjectivesStudy ObjectivesStudy Objectives
Chapter 4-4 SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems
Internal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT Systems
Accounting Information System - collects, processes, stores, and reports accounting information.
Computer-based systems have been described as being of two types:
General controls
Application controls
Chapter 4-5 SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems
Internal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT Systems
Application controls used to control inputs, processing, and outputs.
Exhibit 4-1 General and Application Controls in IT Systems
General controls apply overall to the IT accounting system.
Chapter 4-6
b. Technology controls.
Internal controls that apply overall to the IT system are called
Concept CheckConcept Check
c. Application controls.
d. General controls.
a. Overall controls.
SO 1 An overview of internal controls for IT systemsSO 1 An overview of internal controls for IT systems
Internal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT SystemsInternal Controls for IT Systems
Chapter 4-7 SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business Continuity
Chapter 4-8
Authentication of Users and Limiting Unauthorized Users
Authentication of users
Log-in
User IDs
Password
Smart card
Security token
Two factor authentication
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Biometric devices
Computer log
Nonrepudiation
User profile
Authority table
Configuration tables
Chapter 4-9
Hacking and other Network Break-Ins
Firewall
Symmetric encryption
Public key encryption
Wired equivalency privacy
Wireless protected access
Service set identifier
Virtual private networkSO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Secure sockets layer
Virus
Antivirus software
Vulnerability assessment
Intrusion detection
Penetration testing
Chapter 4-10
Organizational Structure
IT governance committee, responsibilities include:
1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Chapter 4-11
Organizational Structure
Duties to be segregated are:
Systems analysts
Programmers
Operators
Database administrator
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Chapter 4-12
Physical Environment and Security
Physical access controls:
Limited access to computer rooms through employee ID badges or card keys
Video surveillance equipment
Logs of persons entering and exiting the computer rooms
Locked storage of backup data and offsite backup data
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Chapter 4-13
Business Continuity
Business Continuity Planning (BCP)
Business continuity related to IT systems:
A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
A disaster recovery plan.
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Chapter 4-14
b. Security token.
Which of the following is not a control intended to authenticate users?
Concept CheckConcept Check
c. Encryption.
d. Biometric devices.
a. User log-in.
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Chapter 4-15
b. Develop, monitor, and review security policies.
An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
Concept CheckConcept Check
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.
a. Develop and maintain the database and ensure adequate controls over the database.
SO 2 General controls for IT systemsSO 2 General controls for IT systems
General Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT SystemsGeneral Controls in IT Systems
Chapter 4-16
AICPA Trust Principles categorizes IT controls and risks into five categories:
a. Security
b. Availability
c. Processing integrity
d. Online privacy
e. Confidentiality
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles PerspectiveGeneral Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles Perspective
Chapter 4-17
IT controls that lessen risk of unauthorized users gaining access to the IT system:
a. user ID,
b. password,
c. security token,
d. biometric devices,
e. log-in procedures,
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles PerspectiveGeneral Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles Perspective
Risks In Not Limiting Unauthorized Users
f. access levels,
g. computer logs, and
h. authority tables.
Chapter 4-18
Controls that may be applied are,
a. firewalls
b. encryption of data,
c. security policies,
d. security breach resolution,
e. secure socket layers (SSL),
f. virtual private network (VPN),
g. network (VPN),
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles PerspectiveGeneral Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles Perspective
Risks From Hacking or Other Network Break-Ins
Chapter 4-19
Controls that may be applied are,
h. wired equivalency privacy (WEP),
i. wireless protected access (WPA),
j. service set identifier (SSID),
k. antivirus software,
l. vulnerability assessment,
m. penetration testing, and
n. intrusion detection.
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles PerspectiveGeneral Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles Perspective
Risks From Hacking or Other Network Break-Ins
Chapter 4-20
Environmental changes that affect the IT system can cause availability risks and processing integrity risks.
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles PerspectiveGeneral Controls from an AICPA General Controls from an AICPA Trust Principles PerspectiveTrust Principles Perspective
Risks From Environmental Factors
Physical Access Risks
Business Continuity Risks
Chapter 4-21
b. Confidentiality.
AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”?
Concept CheckConcept Check
c. Processing integrity.
d. Availability.
a. Security.
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA TrustTrustGeneral Controls from an AICPA General Controls from an AICPA TrustTrust
Chapter 4-22
b. Availability risk.
The risk that an unauthorized user would shut down systems within the IT system is a(n)
Concept CheckConcept Check
c. Processing integrity risk.
d. Confidentiality risk.
a. Security risk.
SO 3 General controls from a Trust Principles perspectiveSO 3 General controls from a Trust Principles perspective
General Controls from an AICPA General Controls from an AICPA TrustTrustGeneral Controls from an AICPA General Controls from an AICPA TrustTrust
Chapter 4-23
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
Typical IT system components that represent “entry points” where the risks must be controlled.
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-24
Typical “entry points”
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
Exhibit 4-6
Chapter 4-25
The software that controls the basic input and output activities of the computer.
Provides the instructions that enable the CPU to:
read and write to disk,
read keyboard input,
control output to the monitor,
manage computer memory, and
communicate between the CPU, memory, and disk storage.
The Operating System
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-26
Unauthorized access would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.
The Operating System
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-27
A large disk storage for accounting and operating data.
Controls such as:
user IDs, passwords,
authority tables,
firewalls, and
encryption
are examples of controls that can limit exposure.
The Database
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-28
A software system that manages the interface between many users and the database.
The Database Management System
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Exhibit 4-7
Chapter 4-29
A software system that manages the interface between many users and the database.
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
The Database Management System
Exhibit 4-6
Chapter 4-30
A software system that manages the interface between many users and the database.
Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.
The Database Management System
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-31
A local area network, or LAN, is a computer network covering a small geographic area.
A group of LANs connected to each other is called a wide area network, or WAN.
LANS and WANS
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-32
LANS and WANS
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Controls: limit
unauthorized users
firewalls encryption virtual private
networks
Exhibit 4-6
Chapter 4-33
Same kind of exposures as a local area network.
Wireless Networks
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Exhibit 4-6
Chapter 4-34
Same kind of exposures as a local area network.
Controls include:
wired equivalency privacy (WEP) or wireless protected access (WPA),
station set identifiers (SSID), and
encrypted data.
Wireless Networks
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-35
The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization’s internal network of computers.
Internet and World Wide Web
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Exhibit 4-6
Chapter 4-36
The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.
Telecommuting Workers
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
Exhibit 4-6
Chapter 4-37
Company-to-company transfer of standard business documents in electronic form.
EDI controls include:
authentication,
computer logs, and
network break-in controls.
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
Electronic Data Interchange
Exhibit 4-6
Chapter 4-38
b. Internet.
The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?
Concept CheckConcept Check
c. Wireless networks.
d. All of the above.
a. Telecommuting workers.
Hardware and Software ExposuresHardware and Software ExposuresHardware and Software ExposuresHardware and Software Exposures
SO 4 Hardware and software exposures in IT systemsSO 4 Hardware and software exposures in IT systems
Chapter 4-39
Applications software accomplishes end user tasks such as:
word processing,
spreadsheets,
database maintenance, and
accounting functions.
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Applications controls - intended to improve the accuracy, completeness, and security of input, process, and output.
Chapter 4-40
Date input - data converted from human readable form to computer readable form.
Input controls are of four types:
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation
Input Controls
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-41
Source document -paper form used to capture and record the original data of an accounting transaction.
Note:
Many IT systems do not use source documents.
General controls such as computer logging of transactions and keeping backup files, become important.
Where source documents are used, several source document controls should be used.
Source Document Controls
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-42
Form Design - Both the source document and the input screen should be well designed so that they are easy to understand and use, logically organized into groups of related data.
Form Authorization and Control:
Area for authorization by appropriate manager
Prenumbered and used in sequence
Blank source documents should be controlled
Source Document Controls
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-43
Retention of Source Documents:
Retained and filed for easy retrieval
Part of the audit trail.
Source Document Controls
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-44
Data Preparation – standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.
Error Handling:
Errors should be logged, investigated, corrected, and resubmitted for processing
Error log should be regularly reviewed by an appropriate manager
Standard Procedures for Data Input
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-45
Data should be validated and edited to be as close to the original source of data as possible.
Input validation checks include:
Programmed Input Validation Checks
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
1. Field check
2. Validity check
3. Limit check
4. Range check
5. Reasonableness check
6. Completeness check
7. Sign check
8. Sequence check
9. Self-checking digit
Chapter 4-46
Control totals are subtotals of selected fields for an entire batch of transactions.
Three types:
record counts,
batch totals, and
hash totals.
Control Totals and Reconciliation
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-47
Intended to prevent, detect, or correct errors that occur during processing.
Ensure that application software has no errors.
Control totals, limit and range tests, and reasonableness and sign tests.
Computer logs of transactions processed, production run logs, and error listings.
Processing Controls
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-48
Reports from the various applications.
Two primary objectives of output controls:
to assure the accuracy and completeness of the output, and
to properly manage the safekeeping of output reports to ascertain that security and confidentiality of the information is maintained.
Output Controls
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-49
b. Validity check.
Which programmed input validation check compares the value in a field with related fields with determine whether the value is appropriate?
Concept CheckConcept Check
c. Reasonableness check.
d. Completeness check.
a. Completeness check.
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-50
b. Validity check.
Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
Concept CheckConcept Check
c. Reasonableness check.
d. Field check.
a. Completeness check.
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-51
b. Validity check.
Which programmed input validation makes sure that a value was entered in all of the critical fields?
Concept CheckConcept Check
c. Reasonableness check.
d. Field check.
a. Completeness check.
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-52
b. Hash total.
Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
Concept CheckConcept Check
c. Batch total.
d. Field total.
a. Record count.
Application Software and Application Application Software and Application ControlsControlsApplication Software and Application Application Software and Application ControlsControls
SO 5 Application software and application controlsSO 5 Application software and application controls
Chapter 4-53
Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
Misuse of confidential customer information.
Theft of data, such as credit card information, by hackers.
Employee use of IT system hardware and software for personal use or personal gain.
Using company e-mail to send offensive, threatening, or sexually explicit material.
Ethical Issues in Information Ethical Issues in Information TechnologyTechnologyEthical Issues in Information Ethical Issues in Information TechnologyTechnology
SO 6 Ethical issues in IT systemsSO 6 Ethical issues in IT systems
Chapter 4-54
Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
CopyrightCopyrightCopyrightCopyright