AIS08 Computer Controls and Security

Accounting Information Systems, 9th Edition
Marshall B. Romney, Paul John Steinbart

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart
Source: http://slidepdf.com/reader/full/ais08computer-controls-and-security (7/21/2019, 53 slides)



Computer Controls and Security

Chapter 8


Learning Objectives

1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help explain that a system is available to users when needed.


Learning Objectives

4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.


Introduction

During his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).

Jason's task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.


Introduction

Jason is satisfied that many of the transactions are valid and accurate.

However, some transactions involve the purchase of services from Pacific Electric.

These transactions were processed on the basis of vendor invoices approved by management.

Five of these invoices bear the initials "JLC."


Introduction

JLC is Jack Carlton, the general supervisor.

Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.

What questions does Jason have?
- Is Carlton telling the truth?
- If Carlton is not telling the truth, what is he up to?


Introduction

- If Pacific Electric is a fictitious company, how could SPP's control systems allow its invoices to be processed and approved for payment?

This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.


Learning Objective 1

Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.


The Four Principles of a Reliable System

1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.


The Criteria Used To Evaluate Reliability Principles

For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.

1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.


Learning Objective 2

Identify and explain the controls that apply to more than one principle of reliability.


Controls Related to More Than One Reliability Principle

- Strategic Planning & Budgeting
- Developing a Systems Reliability Plan
- Documentation


Controls Related to More Than One Reliability Principle

Documentation may be classified into three basic categories:
- Administrative documentation: Describes the standards and procedures for data processing.
- Systems documentation: Describes each application system and its key processing functions.
- Operating documentation: Describes what is needed to run a program.


Learning Objective 3

Identify and explain the controls that help explain that a system is available to users when needed.


Availability

Availability: Minimizing Systems Downtime
- Preventive maintenance
- UPS
- Fault tolerance
- Disaster Recovery Plan
  - Minimize the extent of disruption, damage, and loss
  - Temporarily establish an alternative means of processing information
  - Resume normal operations as soon as possible


Availability

Disaster Recovery, continued
- Train and familiarize personnel with emergency operations
- Priorities for the recovery process
- Insurance
- Backup data and program files
  - Electronic vaulting
  - Grandfather-father-son concept
  - Rollback procedures
- Specific assignments
- Backup computer and telecommunication facilities
- Periodic testing and revision
- Complete documentation


Learning Objective 4

Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.


Developing a Security Plan

Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.

What questions need to be asked?
- Who needs access to what information?
- When do they need it?
- On which systems does the information reside?


Segregation of Duties Within the Systems Function

In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.

Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

To combat this threat, organizations must implement compensating control procedures.


Segregation of Duties Within the Systems Function

Authority and responsibility must be clearly divided among the following functions:

1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control


Segregation of Duties Within the Systems Function

It is important that different people perform these functions.

Allowing a person to perform two or more of them exposes the company to the possibility of fraud.


Physical Access Controls

How can physical access security be achieved?
- Place computer equipment in locked rooms and restrict access to authorized personnel
- Have only one or two entrances to the computer room
- Require proper employee ID
- Require that visitors sign a log
- Use a security alarm system
- Restrict access to private secured telephone lines and terminals or PCs.
- Install locks on PCs.
- Restrict access of off-line programs, data and equipment
- Locate hardware and other critical system components away from hazardous materials.
- Install fire and smoke detectors and fire extinguishers that do not damage computer equipment


Logical Access Controls

Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.

What are some logical access controls?
- passwords
- physical possession identification
- biometric identification
- compatibility tests


Protection of PCs and Client/Server Networks

Many of the policies and procedures for mainframe control are applicable to PCs and networks.

The following controls are also important:
- Train users in PC-related control concepts.
- Restrict access by using locks and keys on PCs.
- Establish policies and procedures.


Protection of PCs and Client/Server Networks

- Portable PCs should not be stored in cars.
- Keep sensitive data in the most secure environment possible.
- Install software that automatically shuts down a terminal after it's been idle for a certain amount of time.
- Back up hard disks regularly.
- Encrypt or password protect files.
- Build protective walls around operating systems.
- Ensure that PCs are booted up within a secure system.
- Use multilevel password controls to limit employee access to incompatible data.
- Use specialists to detect holes in the network.


Internet and e-Commerce Controls

Why caution should be exercised when conducting business on the Internet.
- the large and global base of people that depend on the Internet
- the variability in quality, compatibility, completeness, and stability of network products and services


Internet and e-Commerce Controls

- access of messages by others
- security flaws in Web sites
- attraction of hackers to the Internet

What controls can be used to secure Internet activity?
- passwords
- encryption technology
- routing verification procedures


Internet and e-Commerce Controls

Another control is installing a firewall, hardware and software that control communications between a company's internal network (trusted network) and an external network.

The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.

Electronic envelopes can protect e-mail messages


Learning Objective 5

Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.


Maintainability

Two categories of controls help ensure the maintainability of a system:
- Project development and acquisition controls
- Change management controls


Project Development and Acquisition Controls

Project development and acquisition controls include:
- Strategic Master Plan
- Project Controls
- Data Processing Schedule
- System Performance Measurements
- Postimplementation Review


Change Management Controls

Change management controls include:
- Periodically review all systems for needed changes
- Require all requests to be submitted in standardized format
- Log and review requests from authorized users for changes and additions to systems
- Assess the impact of requested changes on system reliability objectives, policies and standards


Change Management Controls, continued

- Categorize and rank all changes using established priorities
- Implement procedures to handle urgent matters
- Communicate all changes to management
- Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities
- Assign specific responsibilities to those involved in the change and monitor their work.


Change Management Controls, continued

- Control system access rights to avoid unauthorized systems and data access
- Make sure all changes go through the appropriate steps
- Test all changes
- Make sure there is a plan for backing out of any changes in the event they don't work properly
- Implement a quality assurance function
- Update all documentation and procedures when change is implemented


Learning Objective 6

Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.


Integrity

A company designs general controls to ensure that its overall computer system is stable and well managed.

Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.


Integrity: Source Data Controls

Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and entered into the system or sent to their intended destination in a timely manner.

Source data controls include:


Integrity: Source Data Controls

- Forms design
- Prenumbered forms sequence test
- Turnaround documents
- Cancellation and storage of documents
- Authorization and segregation of duties
- Visual scanning
- Check digit verification
- Key verification


Integrity: Input Validation Routines

Input validation routines are programs that check the integrity of input data. They include:
- Limit check
- Range check
- Reasonableness test
- Redundant data check
- Sequence check
- Field check
- Sign check
- Validity check
- Capacity check
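
The input validation routines listed above, run over a batch of payable invoices like those in the chapter's case. This is an added example, not part of the original slides: each check follows its usual definition, and the vendor master file, vendor IDs, thresholds and invoice records are constructed assumptions.

```python
# Added example: input validation routines over a batch of payable invoices.
# All vendors, IDs, thresholds and records below are constructed assumptions.
VENDOR_MASTER = {"V1001": "Cascade Pulp Supply", "V1002": "Rainier Freight"}
AMOUNT_LIMIT = 50_000.00                          # limit check: upper bound only
QTY_RANGE = (1, 999)                              # range check: lower and upper bound
FIELD_WIDTH = {"invoice_no": 6, "vendor_id": 5}   # capacity check: field sizes


def validate(inv, prev_no=None):
    """Return the names of the checks that one invoice record fails."""
    # Field check: each field holds the expected type of characters.
    numeric = (int, float)
    if not (str(inv["invoice_no"]).isdigit()
            and isinstance(inv["quantity"], int)
            and isinstance(inv["unit_price"], numeric)
            and isinstance(inv["amount"], numeric)):
        return ["field"]          # the remaining checks need well-typed fields

    failed = []
    # Capacity check: the data fits in the field assigned to it.
    if any(len(str(inv[f])) > w for f, w in FIELD_WIDTH.items()):
        failed.append("capacity")
    # Sign check: a payable amount must be positive.
    if inv["amount"] <= 0:
        failed.append("sign")
    # Limit check: the amount must not exceed the predetermined ceiling.
    if inv["amount"] > AMOUNT_LIMIT:
        failed.append("limit")
    # Range check: the quantity must lie between a lower and an upper bound.
    if not QTY_RANGE[0] <= inv["quantity"] <= QTY_RANGE[1]:
        failed.append("range")
    # Reasonableness test: amount must agree with quantity x unit price.
    if abs(inv["amount"] - inv["quantity"] * inv["unit_price"]) > 0.01:
        failed.append("reasonableness")
    # Validity check: the vendor ID must exist in the vendor master file.
    master_name = VENDOR_MASTER.get(inv["vendor_id"])
    if master_name is None:
        failed.append("validity")
    # Redundant data check: a second identifier must match the same record.
    elif master_name.lower() != inv["vendor_name"].strip().lower():
        failed.append("redundant data")
    # Sequence check: invoice numbers within a batch must ascend.
    if prev_no is not None and int(inv["invoice_no"]) <= int(prev_no):
        failed.append("sequence")
    return failed


def validate_batch(batch):
    """Map invoice number -> failed checks, i.e. the exception report."""
    report, prev_no = {}, None
    for inv in batch:
        failed = validate(inv, prev_no)
        if failed:
            report[str(inv["invoice_no"])] = failed
        if failed != ["field"]:       # compare against the last readable number
            prev_no = inv["invoice_no"]
    return report


SAMPLE_BATCH = [  # constructed records; Pacific Electric is not in the master file
    {"invoice_no": "000101", "vendor_id": "V1001", "vendor_name": "Cascade Pulp Supply",
     "quantity": 40, "unit_price": 12.50, "amount": 500.00},
    {"invoice_no": "000102", "vendor_id": "V9999", "vendor_name": "Pacific Electric",
     "quantity": 1, "unit_price": 8200.00, "amount": 8200.00},
    {"invoice_no": "000100", "vendor_id": "V1002", "vendor_name": "Rainier Freight",
     "quantity": 0, "unit_price": 75.00, "amount": -75.00},
    {"invoice_no": "000103", "vendor_id": "V1002", "vendor_name": "Cascade Pulp Supply",
     "quantity": 10, "unit_price": 6000.00, "amount": 60000.00},
]

if __name__ == "__main__":
    for number, failed in validate_batch(SAMPLE_BATCH).items():
        print(number, "->", ", ".join(failed))
```

The validity check only helps if the vendor master file is itself protected: anyone who can both add vendors and enter invoices can make a fictitious vendor pass it, which is why the slides pair these routines with segregation of duties.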


Integrity: On-line Data Entry Controls

The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.

They include:


Integrity: On-line Data Entry Controls

- Field, limit, range, reasonableness, sign, validity, redundant data checks
- User ID numbers
- Compatibility tests
- Automatic entry of transaction data, where possible
- Prompting
- Preformatting
- Completeness check
- Closed-loop verification
- Transaction log
- Error messages
- Retain data for legal purposes


Integrity: Data Processing and Storage Controls

Controls to help preserve the integrity of data processing and stored data:
- Policies and procedures
- Data control function
- Reconciliation procedure
- External data reconciliation
- Exception reporting


Integrity: Data Processing and Storage Controls, continued

- Data currency checks
- Default values
- Data matching
- File labels
- Write protection mechanisms
- Database protection mechanisms
- Data conversion controls
- Data security


Output Controls

The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.

Data control is also responsible for distributing computer output to the appropriate user departments.


Output Controls

Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.

A shredder can be used to destroy highly confidential data.


Data Transmission Controls

To reduce the risk of data transmission failures, companies should monitor the network.

How can data transmission errors be minimized?
- using data encryption (cryptography)
- implementing routing verification procedures
- adding parity
- using message acknowledgment techniques


Data Transmission Controls

Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).


Data Transmission Controls

In these types of environments, sound internal control is achieved using the following control procedures:

1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.


Data Transmission Controls

Control procedures, continued

4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.


Case Conclusion

Were Jason and his supervisor able to identify the source of the fictitious invoices? No.

They asked the police to identify the owner of the Pacific Electric bank account.

What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.


End of Chapter 8
