AIS08 Sistem Informasi Akuntansi BAB 8

2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart

8-*Accounting Information Systems9th EditionMarshall B. Romney Paul John Steinbart



8-*Computer Controls and SecurityChapter 8



8-*Learning ObjectivesIdentify and explain the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.Identify and explain the controls that apply to more than one principle of reliability.Identify and explain the controls that help explain that a system is available to users when needed.



8-*Learning ObjectivesIdentify and explain the security controls that prevent unauthorized access to information, software, and other systems resources.Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.



8-*IntroductionDuring his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).Jasons task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.



8-*IntroductionJason is satisfied that many of the transactions are valid and accurate.However, some transactions involve the purchase of services from Pacific Electric.These transactions were processed on the basis of vendor invoices approved by management.Five of these invoices bear the initials JLC.



8-*IntroductionJLC is Jack Carlton, the general supervisor.Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.What questions does Jason have?Is Carlton telling the truth?If Carlton is not telling the truth, what is he up to?



8-*IntroductionIf Pacific Electric is a fictitious company, how could SPPs control systems allow its invoices to be processed and approved for payment?This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.



8-*Learning Objective 1The four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.



8-*The Four Principles of a Reliable SystemAvailability of the system when needed.Security of the system against unauthorized physical and logical access.Maintainability of the system as required without affecting its availability, security, and integrity.Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.



8-*The Criteria Used To Evaluate Reliability PrinciplesFor each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.



8-*Learning Objective 2Identify and explain the controls that apply to more than one principle of reliability.



8-*Controls Related to More Than One Reliability PrincipleStrategic Planning & BudgetingDeveloping a Systems Reliability PlanDocumentationAdministrative documentation: Describes the standards and procedures for data processing.Systems documentation: Describes each application system and its key processing functions.



8-*Controls Related to More Than One Reliability PrincipleOperating documentation: Describes what is needed to run a program.Equipment configurationProgram and data filesProcedures to set up and execute jobsConditions that may interrupt program executionCorrective actions for program interruptions



8-*Learning Objective 3Identify and explain the controls that help explain that a system is available to users when needed.



8-*AvailabilityAvailabilityMinimizing Systems DowntimePreventive maintenanceUPSFault toleranceDisaster Recovery PlanMinimize the extent of disruption, damage, and lossTemporarily establish an alternative means of processing informationResume normal operations as soon as possible



8-*AvailabilityTrain and familiarize personnel with emergency operationsPriorities for the recovery processInsuranceBackup data and program filesElectronic vaultingGrandfather-father-son conceptRollback proceduresSpecific assignmentsBackup computer and telecommunication facilitiesPeriodic testing and revisionComplete documentation



8-*Learning Objective 4Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.



8-*Developing a Security PlanDeveloping and continuously updating a comprehensive security plan is one of the most important controls a company can identify.What questions need to be asked?Who needs access to what information? When do they need it?On which systems does the information reside?



8-*Segregation of Duties Withinthe Systems FunctionIn a highly integrated AIS, procedures that used to be performed by separate individuals are combined.Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.



8-*Segregation of Duties Withinthe Systems FunctionTo combat this threat, organizations must implement compensating control procedures.Authority and responsibility must be clearly divided among the following functions:Systems analysisProgrammingComputer operations



8-*Segregation of Duties Withinthe Systems FunctionUsersAIS libraryData controlIt is important that different people perform these functions.Allowing a person to perform two or more of them exposes the company to the possibility of fraud.



8-*Physical Access ControlsHow can physical access security be achieved? placing computer equipment in locked rooms and restricting access to authorized personnelhaving only one or two entrances to the computer roomrequiring proper employee IDrequiring that visitors sign a loginstalling locks on PCs



8-*Logical Access ControlsUsers should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions. What are some logical access controls?passwordsphysical possession identificationbiometric identificationcompatibility tests



8-*Protection of PCs and Client/Server NetworksMany of the policies and procedures for mainframe control are applicable to PCs and networks.The following controls are also important:Train users in PC-related control concepts.Restrict access by using locks and keys on PCs.Establish policies and procedures.



8-*Protection of PCs and Client/Server NetworksPortable PCs should not be stored in cars.Back up hard disks regularly.Encrypt or password protect files.Build protective walls around operating systems.Use multilevel password controls to limit employee access to incompatible data.



8-*Internet ControlsWhy caution should be exercised when conducting business on the Internet.the large and global base of people that depend on the Internetthe variability in quality, compatibility, completeness, and stability of network products and services



8-*Internet Controlsaccess of messages by otherssecurity flaws in Web sitesattraction of hackers to the InternetWhat controls can be used to secure Internet activity?passwordsencryption technologyrouting verification procedures



8-*Internet ControlsAnother control is installing a firewall, hardware and software that control communications between a companys internal network (trusted network) and an external network.The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.



8-*Learning Objective 5Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.



8-*Minimizing System DowntimeSignificant financial losses can be incurred if hardware or software malfunctions cause an AIS to fail.What are some methods used to minimize system downtime?preventive maintenanceuninterruptible power systemfault tolerance



8-*Disaster Recovery PlanEvery organization should have a disaster recovery plan so that data processing capacity can be restored as smoothly and quickly as possible in the event of a major disaster.What are the objectives of a recovery plan?Minimize the extent of the disruption, damage, and loss.Temporarily establish an alternative means of processing information.



8-*Disaster Recovery PlanResume normal operations as soon as possible.Train and familiarize personnel with emergency operations.A sound disaster plan should contain the following elements:Priorities for the recovery processBackup data and program files



8-*Disaster Recovery PlanSpecific assignmentsComplete documentationBackup computer and telecommunications facilitiesreciprocal agreementshot and cold sites



8-*Disaster Recovery PlanThere are other aspects of disaster recovery planning that deserve mention:The recovery plan is incomplete until it has been satisfactorily tested by simulating a disaster.The recovery plan must be continuously reviewed and revised to ensure that it reflects current situation.The plan should include insurance coverage.



8-*Protection of PCs and Client/Server NetworksWhy are PCs more vulnerable to security risks than are mainframes?It is difficult to restrict physical access.PC users are usually less aware of the importance of security and control.Many people are familiar with the operation of PCs.Segregation of duties is very difficult.



8-*Data Processing and File Maintenance ControlsWhat are some of the more common controls that help preserve the accuracy and completeness of data processing?data currency checksdefault valuesdata matchingexception reporting


Data Processing and File Maintenance Controlsexternal data reconciliationcontrol account reconciliationfile securityfile conversion controls



8-*Learning Objective 6Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.



8-*General ControlsA company designs general controls to ensure that its overall computer system is stable and well managed.The following are categories of general controls:Developing a security planSegregation of duties within the systems function



8-*General ControlsProject development controlsPhysical access controls Logical access controlsData storage controlsData transmission controlsDocumentation standardsMinimizing system downtime



8-*General Controls10 Disaster recovery plans11 Protection of personal computers andclient/server networks12 Internet controls



8-*Documentation StandardsAnother important general control is documentation procedures and standards to ensure clear and concise documentation.Documentation may be classified into three basic categories:Administrative documentationSystems documentationOperating documentation



8-*Application ControlsThe primary objective of application controls is to ensure the accuracy of a specific applications inputs, files, programs, and outputs.This section will discuss five categories of application controls:Source data controlsInput validation routines



8-*Application ControlsOnline data entry controlsData processing and file maintenance controlsOutput controls



8-*Source Data ControlsThere are a number of source data controls that regulate the accuracy, validity, and completeness of input:key verificationcheck digit verificationprenumbered forms sequence testturnaround documentsauthorization



8-*Input Validation RoutinesInput validation routines are programs that check the validity and accuracy of input data as they are entered into the system.These programs are called edit programs.The accuracy checks they perform are called edit checks.What are some edit checks used in input validation routines?



8-*Input Validation Routinessequence checkfield checksign checkvalidity checklimit checkrange checkreasonableness test



8-*Online Data Entry ControlsThe goal of online data entry controls is to ensure the accuracy and integrity of transaction data entered from online terminals and PCs.What are some online data entry controls?data checksuser ID numbers and passwordscomparability testsprompting



8-*Online Data Entry Controlspreformattingcompleteness checkautomatic transaction data entryclosed-loop verificationstransaction logclear error messages



8-*Data Transmission ControlsTo reduce the risk of data transmission failures, companies should monitor the network.How can data transmission errors be minimized?using data encryption (cryptography)implementing routing verification proceduresadding parityusing message acknowledgment techniques



8-*Data Transmission ControlsData Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).In these types of environments, sound internal control is achieved using the following control procedures:Physical access to network facilities should be strictly controlled.



8-*Data Transmission ControlsElectronic identification should be required for all authorized network terminals.Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.Encryption should be used to secure stored data as well as data being transmitted.Details of all transactions should be recorded in a log that is periodically reviewed.



8-*Data Storage ControlsInformation is generally what gives a company a competitive edge and makes it viable.A company should identify the types of data maintained and the level of protection required for each.A company must also document the steps taken to protect data.



8-*Data Storage ControlsA properly supervised file library is one essential means of preventing loss of data.A file storage area should also be protected against fire, dust, excess heat, or humidity.Following are types of file labels that can be used to protect data files from misuse:external labelsinternal labels (volume, header, trailer)



8-*Output ControlsThe data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.Data control is also responsible for distributing computer output to the appropriate user departments.



8-*Output ControlsUsers are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.A shredder can be used to destroy highly confidential data.



8-*Project Development ControlsTo minimize failures, the basic principles of responsibility accounting should be applied to the AIS function.What key elements are included in project development control?Long-range master planProject development planData processing schedule



8-*Project Development ControlsAssignment of responsibility Periodic performance evaluationPostimplementation reviewSystem performance measurements



8-*Case ConclusionWere Jason and his supervisor able to identify the source of the fictitious invoices?No.They asked the police to identify the owner of the Pacific Electric bank account.What did the police discover?Patricia Simpson, a data entry clerk at SPP, was the owner of the account.



8-*End of Chapter 8


***********************************************

Documents

AIS08 Sistem Informasi Akuntansi BAB 8