Blue Red-Lines Background - University of Alaska | Home
Computer Based Information Systems Control
UAA – ACCT 316 – Fall 2003
Accounting Information Systems
Dr. Fred Barbee
Control Classifications
By Objectives: Administrative, Accounting
By Settings: General, Application (Input, Processing, Output)
By Risk Aversion: Preventive, Detective, Corrective
By System Architectures: Manual Systems, Computer-Based Systems (Batch Processing, Online Processing, Data Base)
SAS 29 (1958)
This Chapter
Text Chapter 7
Control Classifications: By Objectives (Administrative, Accounting)
Encourage adherence to management policies and procedures.
Promote operational efficiency.
Safeguard assets.
Ensure accuracy of accounting data and information.
Preventive, Detective, and Corrective Controls
[Diagram: Input, Process, Output, with Sensor, Benchmark, and Detective and Corrective Controls]
Discover the occurrence of adverse events.
Tend to be active in nature.
After-the-fact controls.
Lead to the righting of effects caused by adverse events.
Tend to be more active than detective controls.
Block adverse events, such as errors or losses, from occurring.
Tend to be passive in nature.
Control Classifications: By Settings (General, Application)
Ensure that overall IS is stable and well maintained.
Ensure the accuracy of specific applications, inputs, files, programs & outputs.
What Constitutes A Reliable System
What Constitutes Reliability?
Availability
Security
Maintainability
Integrity
Controls – The Text Approach
Key General Reliability Controls (more than one reliability principle) - Table 8-1
Key Availability Controls - Table 8-2
Key Security Controls - Table 8-3
Key Maintainability Controls - Table 8-4
Key Integrity Controls – Table 8-5
General Reliability Controls
Strategic Planning & Budgeting
Developing a System Reliability Plan
Documentation
Key Availability Controls
Minimizing System Downtime
Disaster Recovery Plan
Key Security Controls
Segregation of Duties in Systems Function
The Text Notes . . .
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
Therefore, any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
The Text Notes . . .
To combat this threat, organizations must implement compensating control procedures such as the effective segregation of duties within the AIS function.
Organizational Independence Within the Information Systems Function of a Firm Using Computer-Based Processing
Source: AIS, Wilkinson & Cerullo
[Organization chart: Information Systems Manager; Steering Committee; Planning Staff; Systems Development Manager; Systems Analysis & Projects; Programming; Technical Services Manager; Information Center; Data-Base Administrator; Data Processing Manager; Data Preparation; Computer Operations; Data Library; Data Control]
Tasks which CREATE systems.
Tasks which OPERATE systems.
These two functions need to be ORGANIZATIONALLY and PHYSICALLY separated.
Flow of batched data within several units of an organization using computer-based processing.
Source: AIS, Wilkinson & Cerullo
[Flow diagram: User Departments; Computer-Based Data Processing Department (Control Section, Data Preparation Section, Computer Operations); Data Input; Receive & Log; Convert Data; Process Data; Library Files; Files; Outputs; Log & Distribute; Error Listing; Errors to be corrected]
Record input data in control log.
Follow progress of processing.
Maintains control totals.
Reconciles totals during processing.
Distribute output.
Monitors correction of errors.
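An added example, not from the slides or the textbook: the control log kept as three batch totals and reconciled after a processing step, written in Python. The choice of record count, financial total and hash total, and every name and value below, are assumptions of this sketch.

```python
from decimal import Decimal

def control_totals(records):
    """Record count, financial total and hash total for one batch."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(int(r["account"]) for r in records),  # sum with no meaning beyond control
    }

def reconcile(logged, records):
    """Compare the totals in the control log with totals recomputed after a
    processing step; return {name: (logged, recomputed)} for each mismatch."""
    actual = control_totals(records)
    return {name: (logged[name], actual[name])
            for name in logged if logged[name] != actual[name]}

# Constructed batch as received from a user department.
RECEIVED = [
    {"account": "1047", "amount": "250.00"},
    {"account": "2093", "amount": "75.50"},
    {"account": "3310", "amount": "1200.00"},
    {"account": "4458", "amount": "19.95"},
]
LOGGED = control_totals(RECEIVED)   # entered in the control log at receipt

def replace_record(records, index, **changes):
    """Copy of the batch with one record altered, simulating a keying error."""
    return [dict(r, **changes) if i == index else r for i, r in enumerate(records)]

# Three constructed conversion errors and the totals that expose each one.
LOST_RECORD = RECEIVED[:2] + RECEIVED[3:]
TRANSPOSED_ACCOUNT = replace_record(RECEIVED, 1, account="2039")
TRANSPOSED_AMOUNT = replace_record(RECEIVED, 1, amount="57.50")

if __name__ == "__main__":
    for label, batch in (("lost record", LOST_RECORD),
                         ("transposed account", TRANSPOSED_ACCOUNT),
                         ("transposed amount", TRANSPOSED_AMOUNT)):
        print(label, reconcile(LOGGED, batch))
```

A lost record disturbs all three totals, while a transposed account number shows up only in the hash total and a transposed amount only in the financial total, which is why the totals are kept together.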
[Flow diagram of batched data through the Computer-Based Data Processing Department, repeated]
Prepare and verify data for entry into processing.
What controls do we have here?
Batch controls
Various computer input controls.
[Flow diagram of batched data through the Computer-Based Data Processing Department, repeated]
Processes data to produce outputs.
What controls do we have here?
Various computer processing controls.
Simplified organizational separation in a computer-based system using on-line processing.
Source: AIS, Wilkinson & Cerullo
[Diagram: User Departments; Computer Operations; Data Inputs; Batch Files; Process; On-Line Files (Data Library); Displayed Outputs; Printed Outputs]
Subdivisions of transaction (application) controls and typical control points.
Source: AIS, Wilkinson & Cerullo
[Diagram: Input Controls; Processing Controls; Output Controls; Control Point; Source Document; Convert To MRF; Trans. Data; Transaction Via Terminal; Manual Entry; Editing; Computer-Based Data Processing; Soft-Copy Output; User]
Key Security Controls
Segregation of Duties in Systems Function
Physical Access Controls
Physical Access Controls
Perimeter Control
Building Controls
Computer Facility Controls
Key Security Controls
Segregation of Duties in Systems Function
Physical Access Controls
Logical Access Controls
Logical Access Controls
Identification
Authentication
Access Rights
Threat Monitoring
Key Security Controls
Protection of Personal Computers and Client/Server Networks
Internet and e-commerce Controls
Key Maintainability Controls
Project Development and Acquisition Controls.
Change Management Controls
Control Classifications: By Settings (General, Application)
Ensure that overall IS is stable and well maintained.
Ensure the accuracy of specific applications, inputs, files, programs & outputs.
Objectives of Application Controls
To prevent, detect, and correct errors in transactions as they flow through the various stages of a specific data processing program: Input, Process, Output.
Objectives of Application Controls
The text correctly notes . . .
If application controls are weak, AIS output is likely to contain errors.
Erroneous data leads to significant potential problems.
Key Integrity Controls
Source Data Controls
Input Validation Controls
On-Line Data Entry Controls
Data Processing and Storage Controls
Key Integrity Controls
Output Controls
Data Transmission Controls
[Diagram: Input, Process, Output, with Source Data, Input Validation, On-line Data Entry, Data Processing, Storage, Output and Data Transmission controls]
Key Integrity Controls
Source Data Controls
Source Data Controls
Ensure that all source documents are authorized, accurate, complete, properly accounted for and entered into the system or sent to their intended destinations in a timely manner.
Source Data Controls
Forms Design
Prenumbered Forms Sequence Test
Turnaround Documents
Cancelation and Storage of Documents
Source Data Controls
Authorization and Segregation of Duties
Visual Scanning
Check Digit Verification
Key Verification
Key Integrity Controls
Input Validation Controls
Input Validation Routines
Routines that check the integrity of input data as the data are entered into the system.
Edit Programs
Edit Checks
Input Validation Routines
Sequence Check
Field Check
Sign Check
Validity Check
Limit Check
Input Validation Routines
Range Check
Reasonableness Test
Redundant Data Check
Capacity Check
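An added example, not from the slides or the textbook: a small edit program in Python that applies several of the routines listed above (sequence, field, sign, validity, limit, range, reasonableness) together with check digit verification from the source data controls. The record layout, the reference values and the Luhn check digit scheme are assumptions of this sketch.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_TERMS = {"COD", "NET30", "NET60"}          # validity check: list of allowed codes
AMOUNT_LIMIT = Decimal("10000.00")               # limit check: upper bound only
PERIOD = (date(2003, 9, 1), date(2003, 9, 30))   # range check: lower and upper bound

def check_digit_ok(account: str) -> bool:
    """Check digit verification; the Luhn scheme is an assumption of this sketch."""
    if not (account.isascii() and account.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_checks(txn: dict, prev_seq: int) -> list:
    """Return the name of every edit check that a keyed record fails."""
    failed = []
    if txn["seq"] != prev_seq + 1:
        failed.append("sequence")
    if not check_digit_ok(txn["account"]):
        failed.append("check digit")
    if txn["terms"] not in VALID_TERMS:
        failed.append("validity")
    try:                                          # field check: numeric and date fields
        qty, when = int(txn["qty"]), date.fromisoformat(txn["date"])
        price, amount = Decimal(txn["unit_price"]), Decimal(txn["amount"])
        if not (price.is_finite() and amount.is_finite()):
            raise ValueError("NaN or infinity keyed into a numeric field")
    except (ValueError, InvalidOperation):
        return failed + ["field"]                 # later checks need well-formed values
    if qty <= 0 or amount <= 0:
        failed.append("sign")
    if amount > AMOUNT_LIMIT:
        failed.append("limit")
    if not PERIOD[0] <= when <= PERIOD[1]:
        failed.append("range")
    if amount != qty * price:                     # reasonableness: amount must equal qty x price
        failed.append("reasonableness")
    return failed

# Constructed sample records, as keyed from source documents.
GOOD = {"seq": 101, "account": "79927398713", "terms": "NET30", "qty": "3",
        "unit_price": "19.95", "amount": "59.85", "date": "2003-09-15"}
BAD = {"seq": 103, "account": "79927398731", "terms": "NET45", "qty": "3",
       "unit_price": "19.95", "amount": "59850.00", "date": "2003-10-02"}
GARBLED = dict(GOOD, seq=102, qty="3O")           # letter O keyed instead of zero
```

Calling `edit_checks(GOOD, 100)` returns an empty list, while `edit_checks(BAD, 101)` names every check the record fails, so the rejected record can go to the error listing with the reasons attached.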
Key Integrity Controls
On-Line Data Entry Controls
On-Line Data Entry Controls
To ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
On-Line Data Entry Controls
Input Validation Routines
User ID and Passwords
Automatic Entering of Data
Prompting
Preformatting
On-Line Data Entry Controls
Completeness Check
Closed-Loop Verification
Transaction Log
Error Messages
Record Retention
Key Integrity Controls
Data Processing and Storage Controls
Processing/Storage Controls
Preserve the integrity of data processing and stored data.
Processing/Storage Controls
Policies and procedures
Data Control Function
Reconciliation procedures
External data Reconciliation
Exception reporting
Processing/Storage Controls
Data currency checks
Default values
Data matching
File labels
Write Protection mechanisms
Processing/Storage Controls
Database Protection Mechanisms
Data Conversion Controls
Data Security
Key Integrity Controls
Output Controls
Output Controls
Review all output for reasonableness and proper format
Reconcile output and input control totals daily
Distribute output to appropriate user departments
Output Controls
Protect sensitive or confidential outputs
Store sensitive/confidential data in secure area
Require users to review completeness and accuracy of all output
Output Controls
Shred or otherwise destroy sensitive data.
Correct errors found on output reports.
Key Integrity Controls
Transmission Controls