Computer Based Information Systems Control
UAA – ACCT 316 – Fall 2003 – Accounting Information Systems – Dr. Fred Barbee
Control Classifications (text Chapter 7)
- By Objectives (SAS 29, 1958): Administrative; Accounting
- By Settings: General; Application (Input, Processing, Output)
- By Risk Aversion: Preventive; Detective; Corrective
- By System Architectures: Manual Systems; Computer Based Systems (this chapter): Batch Processing, Online Processing, Data Base
Control Classifications – By Objectives
- Administrative controls: encourage adherence to management policies and procedures; promote operational efficiency.
- Accounting controls: safeguard assets; ensure the accuracy of accounting data and information.
Preventive, Detective, and Corrective Controls (figure: Input → Process → Output, with a sensor and a benchmark feeding the detective and corrective controls)
- Detective controls: discover the occurrence of adverse events; tend to be active in nature; after-the-fact controls.
- Corrective controls: lead to the righting of effects caused by adverse events; tend to be more active than detective controls.
- Preventive controls: block adverse events, such as errors or losses, from occurring; tend to be passive in nature.
Control Classifications – By Settings
- General controls: ensure that the overall IS is stable and well maintained.
- Application controls: ensure the accuracy of specific applications, inputs, files, programs and outputs.
What Constitutes A Reliable System
What Constitutes Reliability?
- Availability
- Security
- Maintainability
- Integrity
Controls – The Text Approach
- Key General Reliability Controls (apply to more than one reliability principle) – Table 8-1
- Key Availability Controls – Table 8-2
- Key Security Controls – Table 8-3
- Key Maintainability Controls – Table 8-4
- Key Integrity Controls – Table 8-5

General Reliability Controls
- Strategic Planning and Budgeting
- Developing a System Reliability Plan
- Documentation

Key Availability Controls
- Minimizing System Downtime
- Disaster Recovery Plan

Key Security Controls
- Segregation of Duties in the Systems Function
The Text Notes . . .
- In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
- Therefore, any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
- To combat this threat, organizations must implement compensating control procedures such as the effective segregation of duties within the AIS function.
Organizational Independence Within the Information Systems Function of a Firm using Computer-Based processing Source: AIS, Wilkinson & Cerullo
(Organization chart, reconstructed) Information Systems Manager, advised by a Steering Committee and a Planning Staff, over three managers:
- Systems Development Manager: Systems Analysis and Projects; Programming – tasks which CREATE systems.
- Technical Services Manager: Data-Base Administrator; Information Center.
- Data Processing Manager: Data Preparation; Computer Operations; Data Library; Data Control – tasks which OPERATE systems.
The CREATE and OPERATE functions need to be ORGANIZATIONALLY and PHYSICALLY separated.
Flow of batched data within several units of an organization using computer-based processing. Source: AIS, Wilkinson & Cerullo
(Figure, reconstructed) User Departments send Data Input to the Computer-Based Data Processing Department, which consists of a Control Section, Data Preparation, Computer Operations and a Data Library, and returns Outputs and an Error Listing (errors to be corrected) to the users.
- Control Section – receives and logs input data, records it in the control log, maintains control totals, follows the progress of processing, reconciles totals during processing, logs and distributes output, and monitors the correction of errors.
- Data Preparation – converts data: logs, prepares and verifies data for entry into processing. What controls do we have here? Batch controls and various computer input controls.
- Computer Operations – processes the data to produce outputs, using files held in the Data Library. What controls do we have here? Various computer processing controls.
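The control section's reconciliation of control totals, shown as an added Python example that is not part of the course slides or the Wilkinson & Cerullo text; the record layout, the three totals (record count, financial total, hash total) and the sample batch are assumptions constructed for illustration.

```python
# Added example: reconciling batch control totals recorded by the control
# section against the records that actually arrive for processing.
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Transaction:
    account: str      # customer account number, used for the hash total
    amount: Decimal   # financial amount, used for the financial total

@dataclass(frozen=True)
class BatchHeader:
    record_count: int         # number of source documents in the batch
    financial_total: Decimal  # sum of the amount field
    hash_total: int           # sum of the account numbers (no business meaning)

def compute_totals(records):
    """Recompute the three control totals from the records actually received."""
    return BatchHeader(
        record_count=len(records),
        financial_total=sum((r.amount for r in records), Decimal("0")),
        hash_total=sum(int(r.account) for r in records),
    )

def reconcile_batch(header, records):
    """Compare the user department's header with recomputed totals.
    Returns a list of discrepancies; an empty list means the batch balances."""
    actual = compute_totals(records)
    problems = []
    if actual.record_count != header.record_count:
        problems.append(f"record count {actual.record_count} != {header.record_count}")
    if actual.financial_total != header.financial_total:
        problems.append(f"financial total {actual.financial_total} != {header.financial_total}")
    if actual.hash_total != header.hash_total:
        problems.append(f"hash total {actual.hash_total} != {header.hash_total}")
    return problems

# Constructed sample batch: three sales invoices as keyed by the user department.
SAMPLE_BATCH = [
    Transaction("10234", Decimal("150.00")),
    Transaction("10567", Decimal("49.95")),
    Transaction("10890", Decimal("300.00")),
]
SAMPLE_HEADER = BatchHeader(record_count=3, financial_total=Decimal("499.95"), hash_total=31691)

if __name__ == "__main__":
    print(reconcile_batch(SAMPLE_HEADER, SAMPLE_BATCH))   # balanced batch -> []
    # Same count and money total, but one account number was miskeyed:
    # only the hash total detects the error.
    miskeyed = [Transaction("10243", Decimal("150.00"))] + SAMPLE_BATCH[1:]
    print(reconcile_batch(SAMPLE_HEADER, miskeyed))
```

A record dropped in data preparation fails all three totals, while a transposed account number fails only the hash total, which is why all three are kept.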
Simplified organizational separation in a computerbased system using on-line processing. Source: AIS, Wilkinson & Cerullo
(Figure, reconstructed) User Departments submit Data Inputs directly to Computer Operations, which processes them against the On-Line Files in the Data Library (alongside the Batch Files) and returns Displayed Outputs and Printed Outputs to the users.
Subdivisions of transaction (application) controls and typical control points. Source: AIS, Wilkinson & Cerullo
(Figure, reconstructed) Input Controls cover the source document, its conversion to machine-readable form (MRF) or its manual entry via a terminal, and editing at the control point; Processing Controls cover computer-based data processing of the transaction data; Output Controls cover the hard-copy and soft-copy output delivered to the user.
Key Security Controls
- Segregation of Duties in the Systems Function
- Physical Access Controls: Perimeter Control; Building Controls; Computer Facility Controls
- Logical Access Controls: Identification; Authentication; Access Rights; Threat Monitoring
- Protection of Personal Computers and Client/Server Networks
- Internet and e-commerce Controls

Key Maintainability Controls
- Project Development and Acquisition Controls
- Change Management Controls
Objectives of Application Controls
- To prevent, detect, and correct errors in transactions as they flow through the various stages (Input, Process, Output) of a specific data processing program.
- The text correctly notes: if application controls are weak, AIS output is likely to contain errors, and erroneous data leads to significant potential problems.

Key Integrity Controls
- Source Data Controls
- Input Validation Controls
- On-Line Data Entry Controls
- Data Processing and Storage Controls
- Output Controls
- Data Transmission Controls
(Figure) The integrity controls mapped onto the Input → Process → Output flow: Source Data, Input Validation and On-line Data Entry controls at Input; Data Processing and Storage controls at Process; Output and Transmission controls at Output.
Key Integrity Controls – Source Data Controls
- Ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destinations in a timely manner.
- Forms Design
- Prenumbered Forms Sequence Test
- Turnaround Documents
- Cancellation and Storage of Documents
- Authorization and Segregation of Duties
- Visual Scanning
- Check Digit Verification
- Key Verification

Key Integrity Controls – Input Validation Controls
- Input validation routines: routines that check the integrity of input data as the data are entered into the system (edit programs, edit checks).
- Sequence Check
- Field Check
- Sign Check
- Validity Check
- Limit Check
- Range Check
- Reasonableness Test
- Redundant Data Check
- Capacity Check
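An edit program applying the input validation routines listed above (plus the check digit verification from the source data controls), as an added Python example that is not from the course slides or the text; the customer master file, field layout, limits and sample transactions are assumptions constructed for illustration, and the check digit uses the mod-10 (Luhn) scheme.

```python
# Added example: edit checks run on keyed sales transactions before processing.
from decimal import Decimal, InvalidOperation

# Constructed customer master file: account -> (name, credit limit).
# Account numbers carry a trailing mod-10 check digit.
MASTER = {"10231": ("Acme Ltd", Decimal("5000")),
          "10561": ("Beta Inc", Decimal("1000"))}
QTY_LIMIT = 500                                      # limit check ceiling
PRICE_RANGE = (Decimal("0.01"), Decimal("999.99"))   # range check bounds

def luhn_ok(number):
    """Check digit verification: mod-10 (Luhn) over the whole number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_check(txn, prev_doc_no=None):
    """Return the edit failures for one keyed transaction (empty = accepted).
    txn fields: doc_no, account, name, qty, price, all as keyed strings."""
    errs = []
    if not txn["account"].isdigit():                   # field check
        errs.append("field: account must be numeric")
    elif len(txn["account"]) != 5:                     # capacity check
        errs.append("capacity: account must be 5 digits")
    elif not luhn_ok(txn["account"]):                  # check digit verification
        errs.append("check digit: account fails mod-10")
    elif txn["account"] not in MASTER:                 # validity check
        errs.append("validity: account not on master file")
    elif MASTER[txn["account"]][0] != txn["name"]:     # redundant data check
        errs.append("redundant data: name does not match account")
    try:
        qty, price = int(txn["qty"]), Decimal(txn["price"])
    except (ValueError, InvalidOperation):
        return errs + ["field: qty/price not numeric"]
    if qty <= 0:                                       # sign check
        errs.append("sign: qty must be positive")
    if qty > QTY_LIMIT:                                # limit check
        errs.append("limit: qty exceeds 500")
    if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:  # range check
        errs.append("range: price outside 0.01..999.99")
    if not errs and qty * price > MASTER[txn["account"]][1]:   # reasonableness test
        errs.append("reasonableness: order exceeds customer credit limit")
    if prev_doc_no is not None and int(txn["doc_no"]) <= prev_doc_no:  # sequence check
        errs.append("sequence: document number out of order")
    return errs

# Constructed sample transactions: one clean, one with a transposed account number,
# a negative quantity and an out-of-order document number.
GOOD = {"doc_no": "101", "account": "10231", "name": "Acme Ltd", "qty": "10", "price": "25.00"}
BAD = {"doc_no": "100", "account": "10213", "name": "Acme Ltd", "qty": "-3", "price": "25.00"}
```

Each failure message names the routine that caught it, so the error listing returned to the user department tells the clerk which edit to correct.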
Key Integrity Controls – On-Line Data Entry Controls
- To ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
- Input Validation Routines
- User IDs and Passwords
- Automatic Entering of Data
- Prompting
- Preformatting
- Completeness Check
- Closed-Loop Verification
- Transaction Log
- Error Messages
- Record Retention
Key Integrity Controls – Data Processing and Storage Controls
- Preserve the integrity of data processing and stored data.
- Policies and procedures
- Data Control Function
- Reconciliation procedures
- External data reconciliation
- Exception reporting
- Data currency checks
- Default values
- Data matching
- File labels
- Write protection mechanisms
- Database protection mechanisms
- Data conversion controls
- Data security
Key Integrity Controls – Output Controls
- Review all output for reasonableness and proper format.
- Reconcile output and input control totals daily.
- Distribute output to the appropriate user departments.
- Protect sensitive or confidential outputs.
- Store sensitive/confidential data in a secure area.
- Require users to review the completeness and accuracy of all output.
- Shred or otherwise destroy sensitive data.
- Correct errors found on output reports.

Key Integrity Controls – Transmission Controls