
Accounting Information Systems, 9th Edition
Marshall B. Romney
Paul John Steinbart

2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart

8-1

Computer Controls and Security
Chapter 8


Learning Objectives
1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help ensure that a system is available to users when needed.

Learning Objectives
4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.


Introduction
During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).
Jason's task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.


Introduction
Jason is satisfied that many of the transactions are valid and accurate.
However, some transactions involve the purchase of services from Pacific Electric. These transactions were processed on the basis of vendor invoices approved by management.
Five of these invoices bear the initials JLC.


Introduction
JLC is Jack Carlton, the general supervisor.
Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.
What questions does Jason have?
- Is Carlton telling the truth?
- If Carlton is not telling the truth, what is he up to?

Introduction
- If Pacific Electric is a fictitious company, how could SPP's control systems allow its invoices to be processed and approved for payment?
This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.

Learning Objective 1
Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.


The Four Principles of a Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.

The Criteria Used To Evaluate Reliability Principles
For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.

Learning Objective 2
Identify and explain the controls that apply to more than one principle of reliability.


Controls Related to More Than One Reliability Principle
- Strategic Planning & Budgeting
- Developing a Systems Reliability Plan
- Documentation


Controls Related to More Than One Reliability Principle
Documentation may be classified into three basic categories:
- Administrative documentation: Describes the standards and procedures for data processing.
- Systems documentation: Describes each application system and its key processing functions.
- Operating documentation: Describes what is needed to run a program.

Learning Objective 3
Identify and explain the controls that help ensure that a system is available to users when needed.


Availability
Minimizing Systems Downtime
- Preventive maintenance
- UPS
- Fault tolerance
Disaster Recovery Plan
- Minimize the extent of disruption, damage, and loss
- Temporarily establish an alternative means of processing information
- Resume normal operations as soon as possible


Availability
Disaster Recovery, continued
- Train and familiarize personnel with emergency operations
- Priorities for the recovery process
- Insurance
- Backup data and program files
  - Electronic vaulting
  - Grandfather-father-son concept
  - Rollback procedures
- Specific assignments
- Backup computer and telecommunication facilities
- Periodic testing and revision
- Complete documentation

Learning Objective 4
Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.


Developing a Security Plan
Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.
What questions need to be asked?
- Who needs access to what information?
- When do they need it?
- On which systems does the information reside?

Segregation of Duties Within the Systems Function
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
To combat this threat, organizations must implement compensating control procedures.

Segregation of Duties Within the Systems Function
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control

Segregation of Duties Within the Systems Function
It is important that different people perform these functions.
Allowing a person to perform two or more of them exposes the company to the possibility of fraud.


Physical Access Controls
How can physical access security be achieved?
- Place computer equipment in locked rooms and restrict access to authorized personnel
- Have only one or two entrances to the computer room
- Require proper employee ID
- Require that visitors sign a log
- Use a security alarm system
- Restrict access to private secured telephone lines and terminals or PCs
- Install locks on PCs
- Restrict access to off-line programs, data and equipment
- Locate hardware and other critical system components away from hazardous materials
- Install fire and smoke detectors and fire extinguishers that do not damage computer equipment

Logical Access Controls
Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
What are some logical access controls?
- passwords
- physical possession identification
- biometric identification
- compatibility tests
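As an added example (not from the textbook), here is a compatibility test of the kind listed above, combined with the segregation-of-duties rule from the preceding slides: a user's roles are checked against an access-control matrix, and no one may both enter and approve the same invoice. The roles, the matrix, the incompatible action pairs and the user IDs are constructed; the names echo the chapter's SPP case.

```python
from dataclasses import dataclass, field

# Constructed access-control matrix: role -> actions permitted on vendor invoices.
ACCESS_MATRIX = {
    "data_entry_clerk": {"create", "read"},
    "general_supervisor": {"read", "approve"},
    "ap_cashier": {"read", "pay"},
}

# Constructed segregation-of-duties rule: action pairs that one individual
# must never perform on the same invoice, whatever roles they hold.
INCOMPATIBLE_PAIRS = {
    frozenset({"create", "approve"}),
    frozenset({"approve", "pay"}),
    frozenset({"create", "pay"}),
}

@dataclass
class Invoice:
    invoice_id: str
    vendor: str
    amount: float
    history: list = field(default_factory=list)   # (user, action) audit trail

def compatibility_test(roles, action) -> bool:
    """True if at least one of the user's roles permits the requested action."""
    return any(action in ACCESS_MATRIX.get(r, set()) for r in roles)

def authorize(user, roles, invoice, action):
    """Run the compatibility test, then the segregation-of-duties check.
    Returns (allowed, reason); allowed actions are appended to the audit trail."""
    if not compatibility_test(roles, action):
        return False, f"{user}: no role permits '{action}'"
    for prior_user, prior_action in invoice.history:
        if prior_user == user and frozenset({prior_action, action}) in INCOMPATIBLE_PAIRS:
            return False, f"{user}: already performed '{prior_action}' on {invoice.invoice_id}"
    invoice.history.append((user, action))
    return True, "ok"

def demo() -> list:
    """Walk one constructed invoice through entry and approval; returns the decisions."""
    inv = Invoice("INV-1001", "Pacific Electric", 4200.00)
    return [
        authorize("psimpson", ["data_entry_clerk"], inv, "create")[0],     # True
        authorize("psimpson", ["data_entry_clerk"], inv, "approve")[0],    # False: fails compatibility test
        authorize("jcarlton", ["general_supervisor"], inv, "approve")[0],  # True
        authorize("jcarlton", ["general_supervisor", "ap_cashier"], inv, "pay")[0],  # False: SoD
    ]

if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

The last decision shows why the compatibility test alone is not enough: the user holds a role that permits "pay", and only the segregation-of-duties rule over the invoice's own audit trail stops the same person from approving and paying it.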

Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
- Train users in PC-related control concepts.
- Restrict access by using locks and keys on PCs.
- Establish policies and procedures.


Protection of PCs and Client/Server Networks
- Portable PCs should not be stored in cars.
- Keep sensitive data in the most secure environment possible.
- Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
- Back up hard disks regularly.
- Encrypt or password protect files.
- Build protective walls around operating systems.
- Ensure that PCs are booted up within a secure system.
- Use multilevel password controls to limit employee access to incompatible data.
- Use specialists to detect holes in the network.

Internet and e-Commerce Controls
Why caution should be exercised when conducting business on the Internet:
- the large and global base of people that depend on the Internet
- the variability in quality, compatibility, completeness, and stability of network products and services

Internet and e-Commerce Controls
- access of messages by others
- security flaws in Web sites
- attraction of hackers to the Internet
What controls can be used to secure Internet activity?
- passwords
- encryption technology
- routing verification procedures

Internet and e-Commerce Controls
Another control is installing a firewall, hardware and software that control communications between a company's internal network (trusted network) and an external network.
The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.
Electronic envelopes can protect e-mail messages.


Learning Objective 5
Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.


Maintainability
Two categories of controls help ensure the maintainability of a system:
- Project development and acquisition controls
- Change management controls


Project Development and Acquisition Controls
Project development and acquisition controls include:
- Strategic Master Plan
- Project Controls
- Data Processing Schedule
- System Performance Measurements
- Postimplementation Review

Change Management Controls
Change management controls include:
- Periodically review all systems for needed changes
- Require all requests to be submitted in standardized format
- Log and review requests from authorized users for changes and additions to systems
- Assess the impact of requested changes on system reliability objectives, policies and standards

Change Management Controls, continued
- Categorize and rank all changes using established priorities
- Implement procedures to handle urgent matters
- Communicate all changes to management
- Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities
- Assign specific responsibilities to those involved in the change and monitor their work.

Change Management Controls, continued
- Control system access rights to avoid unauthorized systems and data access
- Make sure all changes go through the appropriate steps
- Test all changes
- Make sure there is a plan for backing out of any changes in the event they don't work properly
- Implement a quality assurance function
- Update all documentation and procedures when change is implemented

Learning Objective 6
Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.


Integrity
A company designs general controls to ensure that its overall computer system is stable and well managed.
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.

Integrity: Source Data Controls
Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and entered into the system or sent to their intended destination in a timely manner.
Source data controls include:

Integrity: Source Data Controls
- Forms design
- Prenumbered forms sequence test
- Turnaround documents
- Cancellation and storage of documents
- Authorization and segregation of duties
- Visual scanning
- Check digit verification
- Key verification

Integrity: Input Validation Routines
Input validation routines are programs that check the integrity of input data. They include:
- Sequence check
- Limit check
- Field check
- Range check
- Sign check
- Reasonableness test
- Validity check
- Redundant data check
- Capacity check
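As an added example (not from the textbook), the following applies most of the routines listed above, together with the check digit verification named under source data controls, to a constructed accounts payable record. The vendor master file, the invoice ceiling, the open accounting period, the "three times the usual amount" reasonableness threshold and the mod-10 (Luhn) check digit scheme are all assumptions made for the illustration.

```python
import datetime as dt

# Constructed vendor master file: vendor number (last digit is a mod-10 check
# digit) -> (vendor name, typical invoice amount used by the reasonableness test).
VENDOR_MASTER = {
    "7992738": ("Pacific Electric", 1200.00),
    "1234566": ("Seattle Paper Supply", 800.00),
}
MAX_INVOICE = 10_000.00                                   # limit check ceiling (assumed)
PERIOD = (dt.date(2003, 1, 1), dt.date(2003, 12, 31))   # range check bounds (assumed)

def check_digit_ok(number: str) -> bool:
    """Check digit verification (mod-10 / Luhn): double every second digit from
    the right; the sum must divide by 10, which catches any single mistyped digit."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_payable(rec: dict) -> list:
    """Apply the routines to one record; returns the list of failures (empty = clean)."""
    errs = []
    vnum, amt, date = rec.get("vendor_no", ""), rec.get("amount", ""), rec.get("date", "")
    if not vnum.isdigit():                                   # field check
        errs.append("field: vendor_no not numeric")
    elif len(vnum) != 7:                                     # capacity check
        errs.append("capacity: vendor_no must be 7 digits")
    elif not check_digit_ok(vnum):                           # check digit verification
        errs.append("check digit: vendor_no fails mod-10")
    elif vnum not in VENDOR_MASTER:                          # validity check
        errs.append("validity: vendor_no not in vendor master")
    elif rec.get("vendor_name") != VENDOR_MASTER[vnum][0]:   # redundant data check
        errs.append("redundant data: vendor name does not match master")
    try:
        value = float(amt)                                   # field check on amount
    except ValueError:
        errs.append("field: amount not numeric")
        return errs
    if value <= 0:                                           # sign check
        errs.append("sign: amount must be positive")
    elif value > MAX_INVOICE:                                # limit check
        errs.append("limit: amount exceeds invoice ceiling")
    elif vnum in VENDOR_MASTER and value > 3 * VENDOR_MASTER[vnum][1]:   # reasonableness test
        errs.append("reasonableness: amount far above vendor's usual")
    try:
        day = dt.date.fromisoformat(date)
        if not PERIOD[0] <= day <= PERIOD[1]:                # range check
            errs.append("range: date outside open accounting period")
    except ValueError:
        errs.append("field: date not yyyy-mm-dd")
    return errs
```

The sequence check is the one routine left out here, because it applies to a batch of prenumbered documents rather than to a single record.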

Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
They include:


Integrity: On-line Data Entry Controls
- Field, limit, range, reasonableness, sign, validity, redundant data checks
- User ID numbers
- Compatibility tests
- Automatic entry of transaction data, where possible
- Prompting
- Preformatting
- Completeness check
- Closed-loop verification
- Transaction log
- Error messages
- Retain data for legal purposes

Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing and stored data:
- Policies and procedures
- Data control function
- Reconciliation procedure
- External data reconciliation
- Exception reporting

Integrity: Data Processing and Storage Controls, continued
- Data currency checks
- Default values
- Data matching
- File labels
- Write protection mechanisms
- Database protection mechanisms
- Data conversion controls
- Data security


Output Controls
The data control function should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
Data control is also responsible for distributing computer output to the appropriate user departments.
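As an added example (not from the textbook), this is the reconciliation of input and output control totals that the data control function is described as performing, and it also serves the "reconciliation procedure" and "exception reporting" items listed under data processing and storage controls. The batch of payables, and the choice of a vendor-number hash total, are constructed for the illustration.

```python
def control_totals(batch: list) -> dict:
    """Record count, financial total (sum of amounts) and hash total (sum of
    vendor numbers: meaningless as a figure, but it changes whenever a record
    is dropped, duplicated or re-pointed at a different vendor)."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r["amount"] for r in batch), 2),
        "hash_total": sum(int(r["vendor_no"]) for r in batch),
    }

def reconcile(input_batch: list, output_batch: list) -> list:
    """Compare the totals; returns the exception report (empty list = reconciled)."""
    expected, actual = control_totals(input_batch), control_totals(output_batch)
    return [f"{k}: input {expected[k]} vs output {actual[k]}"
            for k in expected if expected[k] != actual[k]]

# Constructed input batch of approved payables (vendor numbers are made up).
INPUT_BATCH = [
    {"vendor_no": "1234566", "amount": 800.00},
    {"vendor_no": "7992738", "amount": 1200.00},
    {"vendor_no": "1234566", "amount": 350.50},
]

def demo() -> dict:
    """Three ways processing can go wrong, and which total exposes each."""
    dropped = INPUT_BATCH[:2]                              # one record lost in processing
    altered = [dict(r) for r in INPUT_BATCH]
    altered[1]["amount"] = 2100.00                         # an amount changed
    redirected = [dict(r) for r in INPUT_BATCH]
    redirected[2]["vendor_no"] = "7992738"                 # same amount, different vendor
    return {
        "clean": reconcile(INPUT_BATCH, INPUT_BATCH),      # []
        "dropped": reconcile(INPUT_BATCH, dropped),        # all three totals differ
        "altered": reconcile(INPUT_BATCH, altered),        # only financial_total differs
        "redirected": reconcile(INPUT_BATCH, redirected),  # only hash_total differs
    }

if __name__ == "__main__":
    for case, report in demo().items():
        print(case, report or "reconciled")
```

The redirected case is the one that matters for the SPP story: an invoice whose amount is unchanged but whose vendor has been swapped passes the record count and the financial total, and only the hash total flags it.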


Output Controls
Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
A shredder can be used to destroy highly confidential data.


Data Transmission Controls
To reduce the risk of data transmission failures, companies should monitor the network.
How can data transmission errors be minimized?
- using data encryption (cryptography)
- implementing routing verification procedures
- adding parity
- using message acknowledgment techniques
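As an added example (not from the textbook), the following models two of the techniques just listed, parity and message acknowledgment: the sender attaches an even-parity bit to each byte, the receiver answers ACK or NAK, and the sender resends on NAK. The frame layout, the retry limit and the noise function are constructed for the illustration; the example also shows the caveat that parity only detects an odd number of flipped bits.

```python
def add_parity(data: bytes) -> list:
    """Sender side: attach an even-parity bit to each byte -> [(byte, parity), ...]."""
    return [(b, bin(b).count("1") % 2) for b in data]

def receive(frame: list) -> tuple:
    """Receiver side: verify each byte's parity; return ("ACK", data) or ("NAK", None)."""
    for b, p in frame:
        if bin(b).count("1") % 2 != p:
            return "NAK", None
    return "ACK", bytes(b for b, _ in frame)

def transmit(data: bytes, channel, max_retries: int = 3) -> tuple:
    """Sender: push the frame through `channel` (a callable modelling line noise)
    and resend until the receiver acknowledges or the retry limit is reached.
    Returns (status, delivered_payload, attempts_used)."""
    for attempt in range(1, max_retries + 1):
        status, payload = receive(channel(add_parity(data)))
        if status == "ACK":
            return status, payload, attempt
    return "NAK", None, max_retries

def flip_bit(frame: list, index: int, bit: int) -> list:
    """Constructed noise: flip one data bit of byte `index`, leaving its parity bit alone."""
    out = list(frame)
    b, p = out[index]
    out[index] = (b ^ (1 << bit), p)
    return out

def demo() -> dict:
    """A clean frame, a single-bit error (caught) and a double-bit error (missed)."""
    msg = b"PAY 100"
    one_flip = flip_bit(add_parity(msg), 4, 0)            # '1' -> '0', parity now wrong
    two_flips = flip_bit(one_flip, 4, 1)                  # '1' -> '2', parity looks right again
    return {
        "clean": receive(add_parity(msg)),                # ("ACK", b"PAY 100")
        "single_bit_error": receive(one_flip),            # ("NAK", None)
        "double_bit_error": receive(two_flips),           # ("ACK", b"PAY 200"): undetected
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The double-bit case is the practical reason parity alone is not an integrity control for financial data: the amount changed from 100 to 200 and the receiver acknowledged it. The encryption and acknowledgment items in the list above address different risks and do not replace a stronger error-detecting code.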

Data Transmission Controls
Data transmission controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).


Data Transmission Controls
In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.

Data Transmission Controls
Control procedures, continued
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.


Case Conclusion
Were Jason and his supervisor able to identify the source of the fictitious invoices? No.
They asked the police to identify the owner of the Pacific Electric bank account. What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.


End of Chapter 8


