Advanced Accounting Information Systems Day 19 Control and Security Frameworks October 7, 2009

Upload: leslie-benson

Post on 13-Dec-2015



Announcements

– Assignment 3
  • Game plan
    – Identify potential misclassified minutes
    – Calculate rates by first identifying the most recent contracts (i.e. max(StartDate))
    – Separate into flexible and fixed plans
    – Calculate minutes
    – Calculate charges per flexible plan
    – Calculate charges per fixed plan
    – Combine the calculated charges for flexible and fixed plans (UNION)
    – Compare the calculated charges to the InvoiceLine charges

Announcements

– Assignment 4
  • Merger/acquisition due diligence – significantly shorter time frame
  • What are the due diligence / audit objectives?
  • Some of the due diligence work is already done
    – Identified due diligence objectives (see Figure 3)
    – Started with prior audit procedures (see Figure 3)
  • No manufacturing costs, since Threadchic is a retailer

Announcements

– Assignment 4
  • Existence procedure
    – Verify that Threadchic paid for all purchases in a timely manner
      » Join the invoice and payment tables using an outer join to identify any invoices that have not been paid yet (an inner join would silently drop exactly the invoices you are looking for)
    – Verify that inventory is consistent with sales
      » For all items, the sales price is a 100 percent markup over cost, except for marked-down items with no sale in the last 21 days. List cost and lastSalesPrice, calculate salesToCost, and determine whether each item's markup is 100 percent

Announcements

– Assignment 4
  • Completeness procedure
    – Verify inclusion of all purchases in inventory
      » Match purchases to inventory on SKU to find purchases with no entry in inventoryMaster.QOH
      » Match purchases to counted inventory on SKU to find purchases with no entry in inventoryCount.obsvQOH
      » Remember – inventoryMaster is Threadchic's records
      » inventoryCount contains the quantities counted by the auditors
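The existence and completeness procedures above are all "find the rows on one side with no partner on the other" queries, so a single worked example serves both slides. The following is an added example, not code from the course or the assignment; it builds constructed Threadchic-style tables in an in-memory SQLite database and runs the three matching queries. Only invoice, payment, inventoryMaster.QOH, inventoryCount.obsvQOH, SKU, cost and lastSalesPrice come from the slides; every other table and column name (purchase, vendor, amount, paymentID, lastSaleDate, and so on) is assumed, and all rows are made up.

```python
"""Audit matching queries from the Assignment 4 slides (existence and
completeness procedures), as an added example, not the course's own code.
Column names beyond invoice, payment, inventoryMaster.QOH, inventoryCount.obsvQOH,
SKU, cost and lastSalesPrice are assumed; every row is constructed sample data."""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed Threadchic-style tables: one unpaid invoice, one purchase that
    never reached inventory, one item sold below 100% markup despite a recent sale."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE invoice (invoiceID INTEGER PRIMARY KEY, vendor TEXT,
                              amount REAL, invoiceDate TEXT);
        CREATE TABLE payment (paymentID INTEGER PRIMARY KEY, invoiceID INTEGER,
                              paidDate TEXT);
        CREATE TABLE purchase (purchaseID INTEGER PRIMARY KEY, SKU TEXT,
                               qty INTEGER, cost REAL);
        CREATE TABLE inventoryMaster (SKU TEXT PRIMARY KEY, QOH INTEGER, cost REAL,
                                      lastSalesPrice REAL, lastSaleDate TEXT);
        CREATE TABLE inventoryCount (SKU TEXT PRIMARY KEY, obsvQOH INTEGER);
    """)
    con.executemany("INSERT INTO invoice VALUES (?,?,?,?)", [
        (1, "Acme Textiles", 1200.0, "2009-09-01"),
        (2, "Acme Textiles", 800.0, "2009-09-15"),
        (3, "Denim Co", 450.0, "2009-09-20"),          # no payment row
    ])
    con.executemany("INSERT INTO payment VALUES (?,?,?)", [
        (10, 1, "2009-09-20"), (11, 2, "2009-10-01"),
    ])
    con.executemany("INSERT INTO purchase VALUES (?,?,?,?)", [
        (100, "TEE-001", 50, 5.00),
        (101, "JEAN-002", 20, 15.00),
        (102, "HAT-003", 10, 4.00),                     # in neither inventory table
    ])
    con.executemany("INSERT INTO inventoryMaster VALUES (?,?,?,?,?)", [
        ("TEE-001", 48, 5.00, 10.00, "2009-10-05"),     # exactly 100% markup
        ("JEAN-002", 20, 15.00, 24.00, "2009-10-06"),   # 60% markup, sold yesterday
        ("SCARF-004", 5, 6.00, 9.00, "2009-08-01"),     # marked down, no sale in 21 days
    ])
    con.executemany("INSERT INTO inventoryCount VALUES (?,?)",
                    [("TEE-001", 48), ("JEAN-002", 20), ("SCARF-004", 5)])
    return con


def unpaid_invoices(con):
    """Existence: outer-join invoice to payment; a NULL payment side means no payment
    was ever recorded for that invoice (an inner join would silently drop these)."""
    return con.execute("""
        SELECT i.invoiceID, i.vendor, i.amount
        FROM invoice AS i
        LEFT OUTER JOIN payment AS p ON p.invoiceID = i.invoiceID
        WHERE p.paymentID IS NULL
        ORDER BY i.invoiceID""").fetchall()


def markup_exceptions(con, as_of="2009-10-07", stale_days=21):
    """Existence: salesToCost should equal 2.0 (100% markup). The only allowed
    exception is a marked-down item with no sale in the last `stale_days` days."""
    return con.execute("""
        SELECT SKU, cost, lastSalesPrice, ROUND(lastSalesPrice / cost, 2) AS salesToCost
        FROM inventoryMaster
        WHERE ABS(lastSalesPrice / cost - 2.0) > 0.001
          AND NOT (lastSalesPrice < 2.0 * cost
                   AND julianday(?) - julianday(lastSaleDate) > ?)
        ORDER BY SKU""", (as_of, stale_days)).fetchall()


def purchases_missing_from_inventory(con):
    """Completeness: purchases whose SKU has no row in inventoryMaster (Threadchic's
    records) or inventoryCount (the auditors' count). Flags are 1 when missing."""
    return con.execute("""
        SELECT pu.purchaseID, pu.SKU,
               im.QOH IS NULL AS missingFromMaster,
               ic.obsvQOH IS NULL AS missingFromCount
        FROM purchase AS pu
        LEFT OUTER JOIN inventoryMaster AS im ON im.SKU = pu.SKU
        LEFT OUTER JOIN inventoryCount AS ic ON ic.SKU = pu.SKU
        WHERE im.QOH IS NULL OR ic.obsvQOH IS NULL
        ORDER BY pu.purchaseID""").fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("Unpaid invoices:", unpaid_invoices(db))
    print("Markup exceptions:", markup_exceptions(db))
    print("Purchases missing from inventory:", purchases_missing_from_inventory(db))
```

The pattern in all three queries is the same: LEFT OUTER JOIN from the population you are testing (invoices, purchases) to the evidence that should exist for it (payments, inventory rows), then keep only the rows where the evidence side is NULL. Which table sits on the left decides whether you are testing existence or completeness, so swapping the join order changes the assertion being audited.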

Objectives

– Understand the risks faced by information assets
– Comprehend the relationship between risk and asset vulnerabilities
– Understand the nature and types of threats faced by the asset
– Understand the objectives of control and security of information assets and how these objectives are interrelated
– Understand the building blocks of control (and security) frameworks for information systems
– Apply a controls framework to a financial accounting system

Hot Dog Cart Case

– What business objectives do you expect your new employee to achieve?
– What operational and financial risks do you face by allowing an employee to run your hot dog cart?
– How can the lack of segregation of duties be addressed when you are away from the business?
– What controls could you develop to mitigate (notice I did NOT say completely eliminate) the operational and financial risks identified above while still achieving your business objectives?
– How can we organize the controls identified above to ensure that our business objective is achieved?

Questions for Wednesday

– Identify two control frameworks discussed in our textbook and determine whether either framework would be useful if you were considering expanding your hot dog cart business

Purpose of internal control framework

Information Assets

Threat

– The probability of an attack on an information asset (the likelihood side of risk; together with the asset's vulnerabilities and the harm a successful attack would cause, it determines the risk the asset faces)

Countermeasures

– Designed to minimize or eliminate the risks stemming from vulnerabilities

To design countermeasures

Definition of internal control

– Procedures designed by management to provide reasonable assurance regarding the achievement of specific objectives
– Classification of internal controls
  • General vs. application
  • Detective, preventive, or corrective

Definition of Information Security

– Protection from harm
– Being able to depend on the information system
– Two categories
  • Physical security
  • Logical security

Four objectives of internal controls

Information Security Objectives

Frameworks for control and security

COBIT control objectives

– Acquire and develop applications and system software
– Acquire technology infrastructure
– Develop and maintain policies and procedures
– Install and test application software and technology infrastructure
– Manage change
– Define and manage service levels
– Manage third-party services
– Ensure systems security
– Manage the configuration
– Manage problems and incidents
– Manage data
– Manage operations

ISO 17799 (renumbered ISO/IEC 27002 in 2007)

– Ten categories or sections
  • Security policy
  • Security organization
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • System access control
  • System development and maintenance
  • Business continuity management
  • Compliance

COSO

– Control environment
– Risk assessment
– Control activities
– Information and communication
– Monitoring

Questions for Friday / Monday

Identify at least one difference between systems availability and business continuity

Why is disaster recovery planning important?

Is disaster recovery planning cost beneficial?