Financial Accounting and Accounting Standards


Chapter 4-1
Internal Controls and Risks in IT Systems
Chapter 4-2
Accounting Information Systems, 1st Edition
Study Objectives
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems
Chapter 4-3
Internal Controls for IT Systems
Accounting Information System - collects, processes, stores, and reports accounting information.
Internal controls in computer-based systems have been described as being of two types:
- General controls
- Application controls
Chapter 4-4
SO 1 An overview of internal controls for IT systems
Internal Controls for IT Systems
Exhibit 4-1 General and Application Controls in IT Systems
Application controls are used to control inputs, processing, and outputs.
General controls apply overall to the IT accounting system.
Chapter 4-5
Internal Controls for IT Systems
Concept Check
Internal controls that apply overall to the IT system are called
a. Overall controls.
b. Technology controls.
c. Application controls.
d. General controls.
Chapter 4-6
General Controls in IT Systems
Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business continuity
Chapter 4-7
SO 2 General controls for IT systems
General Controls in IT Systems
Authentication of Users and Limiting Unauthorized Users
- Authentication of users
- Log-in
- User IDs
- Password
- Smart card
- Security token
- Two factor authentication
- Biometric devices
- Computer log
- Nonrepudiation
- User profile
- Authority table
- Configuration tables
Chapter 4-8
General Controls in IT Systems
Hacking and Other Network Break-Ins
- Firewall
- Symmetric encryption
- Public key encryption
- Wired equivalency privacy
- Wireless protected access
- Service set identifier
- Virtual private network
- Secure sockets layer
- Virus
- Antivirus software
- Vulnerability assessment
- Intrusion detection
- Penetration testing
Chapter 4-9
General Controls in IT Systems
Organizational Structure
IT governance committee, responsibilities include:
1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.
Chapter 4-10
General Controls in IT Systems
Organizational Structure
Duties to be segregated are:
- Systems analysts
- Programmers
- Operators
- Database administrator
Chapter 4-11
General Controls in IT Systems
Physical Environment and Security
Physical access controls:
- Limited access to computer rooms through employee ID badges or card keys
- Video surveillance equipment
- Logs of persons entering and exiting the computer rooms
- Locked storage of backup data and offsite backup data
Chapter 4-12
General Controls in IT Systems
Business Continuity
Business Continuity Planning (BCP)
Business continuity related to IT systems:
- A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
- A disaster recovery plan.
Chapter 4-13
General Controls in IT Systems
Concept Check
Which of the following is not a control intended to authenticate users?
a. User log-in.
b. Security token.
c. Encryption.
d. Biometric devices.
Chapter 4-14
General Controls in IT Systems
Concept Check
An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
a. Develop and maintain the database and ensure adequate controls over the database.
b. Develop, monitor, and review security policies.
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.
Chapter 4-15
General Controls from an AICPA Trust Principles Perspective
The AICPA Trust Principles categorize IT controls and risks into five categories:
a. Security
b. Availability
c. Processing integrity
d. Online privacy
e. Confidentiality
Chapter 4-16
SO 3 General controls from a Trust Principles perspective
General Controls from an AICPA Trust Principles Perspective
Risks in Not Limiting Unauthorized Users
IT controls that lessen the risk of unauthorized users gaining access to the IT system:
a. user ID,
b. password,
c. security token,
d. biometric devices,
e. log-in procedures,
f. access levels,
g. computer logs, and
h. authority tables.
Chapter 4-17
General Controls from an AICPA Trust Principles Perspective
Risks from Hacking or Other Network Break-Ins
Controls that may be applied are:
a. firewalls,
b. encryption of data,
c. security policies,
d. security breach resolution,
e. secure socket layers (SSL),
f. virtual private network (VPN),
Chapter 4-18
General Controls from an AICPA Trust Principles Perspective
Risks from Hacking or Other Network Break-Ins
Controls that may be applied are:
h. wired equivalency privacy (WEP),
i. wireless protected access (WPA),
j. service set identifier (SSID),
k. antivirus software,
l. vulnerability assessment,
m. penetration testing, and
n. intrusion detection.
Chapter 4-19
General Controls from an AICPA Trust Principles Perspective
Risks from Environmental Factors
Environmental changes that affect the IT system can cause availability risks and processing integrity risks.
Physical Access Risks
Business Continuity Risks
Chapter 4-20
General Controls from an AICPA Trust Principles Perspective
Concept Check
The AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, “The system is protected against unauthorized access”?
a. Security.
b. Confidentiality.
c. Processing integrity.
d. Availability.
Chapter 4-21
General Controls from an AICPA Trust Principles Perspective
Concept Check
The risk that an unauthorized user would shut down systems within the IT system is a(n)
a. Security risk.
b. Availability risk.
c. Processing integrity risk.
d. Confidentiality risk.
Chapter 4-22
Hardware and Software Exposures
Typical IT system components that represent “entry points” where the risks must be controlled:
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software
Chapter 4-23
SO 4 Hardware and software exposures in IT systems
Hardware and Software Exposures
Typical “entry points” (Exhibit 4-6)
Chapter 4-24
Hardware and Software Exposures
The Operating System
The software that controls the basic input and output activities of the computer.
Provides the instructions that enable the CPU to:
- read and write to disk,
- read keyboard input,
- control output to the monitor,
- manage computer memory, and
- communicate between the CPU, memory, and disk storage.
Chapter 4-25
Hardware and Software Exposures
The Operating System
Unauthorized access would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.
Chapter 4-26
Hardware and Software Exposures
The Database
A large disk storage for accounting and operating data.
Controls such as:
- user IDs, passwords,
- authority tables,
- firewalls, and
- encryption
are examples of controls that can limit exposure.
Chapter 4-27
Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database.
Exhibit 4-7
Chapter 4-28
Hardware and Software Exposures
The Database Management System
Exhibit 4-6
A software system that manages the interface between many users and the database.
Chapter 4-29
Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database.
Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.
Chapter 4-30
Hardware and Software Exposures
LANs and WANs
A local area network, or LAN, is a computer network covering a small geographic area.
A group of LANs connected to each other is called a wide area network, or WAN.
Chapter 4-31
Hardware and Software Exposures
LANs and WANs
Exhibit 4-6
Controls:
- limit unauthorized users
- firewalls
- encryption
- virtual private networks
Chapter 4-32
Hardware and Software Exposures
Wireless Networks
Exhibit 4-6
Same kind of exposures as a local area network.
Chapter 4-33
Hardware and Software Exposures
Wireless Networks
Same kind of exposures as a local area network.
Controls include:
- wired equivalency privacy (WEP) or wireless protected access (WPA),
- service set identifiers (SSID), and
- encrypted data.
Chapter 4-34
Hardware and Software Exposures
Internet and World Wide Web
Exhibit 4-6
The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization’s internal network of computers.
Chapter 4-35
Hardware and Software Exposures
Telecommuting Workers
Exhibit 4-6
The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.
Chapter 4-36
Hardware and Software Exposures
Electronic Data Interchange
Exhibit 4-6
Company-to-company transfer of standard business documents in electronic form.
EDI controls include:
- authentication,
- computer logs, and
- network break-in controls.
Chapter 4-37
Hardware and Software Exposures
Concept Check
The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?
a. Telecommuting workers.
b. Internet.
c. Wireless networks.
d. All of the above.
Chapter 4-38
Application Software and Application Controls
Application software accomplishes end user tasks such as:
- word processing,
- spreadsheets,
- database maintenance, and
- accounting functions.
Application controls - intended to improve the accuracy, completeness, and security of input, processing, and output.
Chapter 4-39
SO 5 Application software and application controls
Application Software and Application Controls
Input Controls
Data input - data converted from human-readable form to computer-readable form.
Input controls are of four types:
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation
Chapter 4-40
Application Software and Application Controls
Source Document Controls
Source document - a paper form used to capture and record the original data of an accounting transaction.
Note:
- Many IT systems do not use source documents.
- General controls such as computer logging of transactions and keeping backup files become important.
- Where source documents are used, several source document controls should be used.
Chapter 4-41
Application Software and Application Controls
Source Document Controls
Form Design - Both the source document and the input screen should be well designed so that they are easy to understand and use, and logically organized into groups of related data.
Form Authorization and Control:
- Area for authorization by appropriate manager
- Prenumbered and used in sequence
- Blank source documents should be controlled
Chapter 4-42
Application Software and Application Controls
Source Document Controls
Retention of Source Documents:
- Retained and filed for easy retrieval
- Part of the audit trail.
Chapter 4-43
Application Software and Application Controls
Standard Procedures for Data Input
Data Preparation - standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.
Error Handling:
- Errors should be logged, investigated, corrected, and resubmitted for processing
- The error log should be regularly reviewed by an appropriate manager
Chapter 4-44
Application Software and Application Controls
Programmed Input Validation Checks
Data should be validated and edited as close to the original source of the data as possible.
Input validation checks include:
1. Field check
2. Validity check
3. Limit check
4. Range check
5. Reasonableness check
6. Completeness check
7. Sign check
8. Sequence check
9. Self-checking digit
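As an added example (not from the textbook or the slides), the nine validation checks above applied to a constructed batch of sales-invoice records; the field names, the chart of accounts, the credit limit and the use of a Luhn mod-10 digit as the self-checking digit are assumptions.

```python
# Added example, not from the textbook: field names, chart of accounts, credit
# limit and the Luhn self-checking digit are assumptions made for illustration.
CHART_OF_ACCOUNTS = {"4000", "4010", "4020"}   # assumed valid revenue accounts
CREDIT_LIMIT = 50_000                           # assumed single-invoice ceiling
REQUIRED = ("invoice_no", "customer_no", "account", "quantity", "unit_price", "amount")


def luhn_valid(number: str) -> bool:
    """Self-checking digit: the trailing digit must satisfy the Luhn mod-10 rule."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, prev_invoice) -> list:
    """Return the names of every edit check the record fails (empty list = clean)."""
    # Completeness check first: the other checks need the critical fields to exist.
    missing = [f"completeness:{f}" for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        return missing
    inv, cust, amt, qty = str(rec["invoice_no"]), str(rec["customer_no"]), rec["amount"], rec["quantity"]
    checks = [
        ("field:numeric", not (inv.isdigit() and cust.isdigit())),        # field check: numeric, not alphabetic
        ("validity:account", rec["account"] not in CHART_OF_ACCOUNTS),     # validity check: account exists
        ("limit:amount", amt > CREDIT_LIMIT),                              # limit check: ceiling per invoice
        ("range:quantity", not 1 <= qty <= 1000),                          # range check: plausible band
        ("reasonableness:amount", abs(qty * rec["unit_price"] - amt) > 0.005),  # related fields must agree
        ("sign:amount", amt < 0),                                          # sign check: no negative sale
        ("sequence:invoice_no", inv.isdigit() and prev_invoice is not None and int(inv) <= prev_invoice),
        ("check_digit:customer_no", not (cust.isdigit() and luhn_valid(cust))),  # self-checking digit
    ]
    return [name for name, failed in checks if failed]


def validate_batch(batch: list) -> dict:
    """Map batch position -> failed checks; records that pass every check are omitted."""
    failures, prev = {}, None
    for i, rec in enumerate(batch):
        errs = validate_record(rec, prev)
        if errs:
            failures[i] = errs
        if str(rec.get("invoice_no", "")).isdigit():
            prev = int(rec["invoice_no"])    # the sequence check compares against the previous number
    return failures


# Constructed sample batch: record 0 is clean, each later record trips specific checks.
BATCH = [
    {"invoice_no": "5001", "customer_no": "1008", "account": "4000", "quantity": 10, "unit_price": 25.0, "amount": 250.0},
    {"invoice_no": "5002", "customer_no": "2006", "account": "4999", "quantity": 3, "unit_price": 100.0, "amount": 350.0},
    {"invoice_no": "5002", "customer_no": "3005", "account": "4010", "quantity": 2000, "unit_price": 30.0, "amount": 60000.0},
    {"invoice_no": "5004", "customer_no": "3004", "account": "4020", "quantity": 1, "unit_price": 9.5},
    {"invoice_no": "5005", "customer_no": "1008", "account": "4000", "quantity": 4, "unit_price": 10.0, "amount": -40.0},
]
```

Running `validate_batch(BATCH)` reports each failing record with the names of the checks it tripped, which is the error log the next slide says should be reviewed and resubmitted.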
Chapter 4-45
Application Software and Application Controls
Control Totals and Reconciliation
Control totals are subtotals of selected fields for an entire batch of transactions.
Three types:
- record counts,
- batch totals, and
- hash totals.
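Added example, not from the textbook: the three control totals computed for a constructed invoice batch at data entry and reconciled against what comes out of processing, showing which total catches which kind of discrepancy; the field names and sample values are assumptions.

```python
# Added example, not from the textbook: field names, the sample invoices and the
# three processing outcomes are constructed assumptions.
from decimal import Decimal


def control_totals(batch: list) -> dict:
    """Record count, batch total of the amount field, hash total of customer numbers."""
    return {
        "record_count": len(batch),
        # Batch total: a meaningful sum (Decimal avoids float rounding on currency).
        "batch_total": sum((Decimal(r["amount"]) for r in batch), Decimal("0")),
        # Hash total: customer numbers summed only for control; the figure has no
        # business meaning. Two offsetting changes would still cancel, so it is a
        # detective control, not a proof of integrity.
        "hash_total": sum(int(r["customer_no"]) for r in batch),
    }


def reconcile(expected: dict, actual: dict) -> list:
    """Names of the control totals that disagree; an empty list means the batch reconciles."""
    return [name for name in expected if expected[name] != actual[name]]


# Constructed batch as keyed at data entry.
ENTERED = [
    {"invoice_no": "5001", "customer_no": "1008", "amount": "250.00"},
    {"invoice_no": "5002", "customer_no": "2006", "amount": "350.00"},
    {"invoice_no": "5003", "customer_no": "3004", "amount": "600.00"},
]


def audit_scenarios() -> dict:
    """Reconcile the entry totals against three constructed processing outcomes."""
    expected = control_totals(ENTERED)
    dropped = ENTERED[:2]                                   # one record lost in processing
    altered = [dict(r, amount="305.00") if r["invoice_no"] == "5002" else r for r in ENTERED]
    transposed = [dict(r, customer_no="1080") if r["invoice_no"] == "5001" else r for r in ENTERED]
    return {
        "dropped_record": reconcile(expected, control_totals(dropped)),
        "altered_amount": reconcile(expected, control_totals(altered)),
        # Only the hash total catches a transposed customer number: the count and
        # the amounts are unchanged, so neither of the other two totals moves.
        "transposed_customer": reconcile(expected, control_totals(transposed)),
    }
```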
Chapter 4-46
Application Software and Application Controls
Processing Controls
Intended to prevent, detect, or correct errors that occur during processing.
- Ensure that application software has no errors.
- Control totals, limit and range tests, and reasonableness and sign tests.
- Computer logs of transactions processed, production run logs, and error listings.
Chapter 4-47
Application Software and Application Controls
Output Controls
Reports from the various applications.
Two primary objectives of output controls:
- to assure the accuracy and completeness of the output, and
- to properly manage the safekeeping of output reports to ascertain that the security and confidentiality of the information is maintained.
Chapter 4-48
Application Software and Application Controls
Concept Check
Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Completeness check.
Chapter 4-49
Application Software and Application Controls
Concept Check
Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Chapter 4-50
Application Software and Application Controls
Concept Check
Which programmed input validation check makes sure that a value was entered in all of the critical fields?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Chapter 4-51
Application Software and Application Controls
Concept Check
Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
a. Record count.
b. Hash total.
c. Batch total.
d. Field total.
Chapter 4-52
Ethical Issues in Information Technology
Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
- Misuse of confidential customer information.
- Theft of data, such as credit card information, by hackers.
- Employee use of IT system hardware and software for personal use or personal gain.
- Using company e-mail to send offensive, threatening, or sexually explicit material.
Chapter 4-53
SO 6 Ethical issues in IT systems
Copyright
Copyright © 2008 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.