Chapter 10 AIS - A Useful Guide


Upload: proxy1589

Post on 29-Oct-2015

43 views

Category:

Documents


3 download

DESCRIPTION

:)

TRANSCRIPT

Page 1 of 31

CHAPTER 10
Information Systems Controls for System Reliability
Part 3: Processing Integrity and Availability

© 2012 Pearson Education, Inc. Accounting Information Systems, Romney/Steinbart

Page 2

INTRODUCTION

• Questions to be addressed in this chapter include:
  – What controls ensure processing integrity?
  – What controls ensure that the system is available when needed?

Page 3

PROCESSING INTEGRITY

• A reliable system produces information that is accurate, timely, reflects results of only authorized transactions, and includes outcomes of all activities engaged in by the organization during a given period of time.

• Requires controls over both data input quality and the processing of the data.

[Figure: Systems Reliability pillars: Security, Confidentiality, Privacy, Processing Integrity, Availability]

Page 4

Controls Ensuring Processing Integrity

• Input

• Process

• Output

Page 5

Input Controls

• Forms Design
  – Pre-numbered forms / sequence test
  – Turnaround documents

• Authorization and segregation of duties

• Cancellation and storage of documents

• Visual scanning

Page 6

Input Controls

• Data Entry Controls (Edit checks)
  – Field check
  – Sign check
  – Limit check
  – Range check
  – Size (or capacity) check
  – Completeness check
  – Validity check
  – Reasonableness test
  – Check digit verification
  – Key verification
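The edit checks listed above, applied to one constructed sales-order record as an added example (not code from the textbook). The record, the field rules, the master list of sales reps and the choice of a modulus-10 (Luhn) scheme for check digit verification are all assumptions made for the example; key verification is a manual re-keying control and is not modelled.

```python
import re

# Constructed sample sales-order record for this example (not from the textbook);
# the check-digit scheme used (modulus-10 / Luhn) is also an assumption.
RECORD = {"customer_id": "A1234", "quantity": 12, "unit_price": 49.95,
          "account": "79927398713", "sales_rep": "REP07"}
VALID_REPS = {"REP01", "REP07", "REP12"}   # stands in for the employee master file

def luhn_ok(number: str) -> bool:
    """Check digit verification: modulus-10 (Luhn) over the account number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def edit_checks(rec: dict) -> list:
    """Apply the data-entry edit checks; return the names of the checks that fail."""
    failed = []
    required = ("customer_id", "quantity", "unit_price", "account", "sales_rep")
    if any(rec.get(f) in (None, "") for f in required):            # completeness check
        failed.append("completeness")
    if not re.fullmatch(r"[A-Z]\d{4}", str(rec.get("customer_id", ""))):  # field check
        failed.append("field")
    account = str(rec.get("account", ""))
    if len(account) > 11:                                           # size (capacity) check
        failed.append("size")
    qty = rec.get("quantity") if isinstance(rec.get("quantity"), int) else 0
    if qty <= 0:                                                    # sign check
        failed.append("sign")
    if not 1 <= qty <= 1000:                                        # range check
        failed.append("range")
    price = rec.get("unit_price") or 0
    if price > 10000.00:                                            # limit check
        failed.append("limit")
    if rec.get("sales_rep") not in VALID_REPS:                      # validity check
        failed.append("validity")
    if qty * price > 100000:                                        # reasonableness test
        failed.append("reasonableness")
    if not account.isdigit() or not luhn_ok(account):               # check digit verification
        failed.append("check_digit")
    return failed
```

A clean record returns an empty list; each failing check is named so the error log can say which control rejected the input.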

Page 7

Input Controls

• The preceding tests are used for batch processing and online real-time processing.

• Both processing approaches also have some additional controls that are unique to each approach.

Page 8

Batch Input Controls

• Batch Processing
  – Input multiple source documents at once in a group
• In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated:
  • Sequence check
  • Error log
  • Batch totals

Page 9

Batch Input Controls

• Batch Totals
  – Compare input totals to output totals
  • Financial – sums a field that contains monetary values
  • Hash – sums a nonfinancial numeric field
  • Record count – the number of records in a batch
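The three batch totals above, computed over a constructed batch of cash receipts and compared before and after a simulated processing run, as an added example (not code from the textbook). The CSV layout, field names and the two simulated errors (a lost record and a transposed customer number) are assumptions for the example.

```python
import csv
import io

# Constructed batch of cash-receipt records as keyed from source documents
# (sample data for this example, not from the textbook).
BATCH_INPUT = """doc_no,customer_no,amount
1001,4471,250.00
1002,3902,1175.50
1003,4471,89.99
1004,5128,640.00
"""

def batch_totals(csv_text: str) -> dict:
    """Compute the three batch totals the slide names over one CSV batch."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "record_count": len(rows),                                          # records in batch
        "financial_total": round(sum(float(r["amount"]) for r in rows), 2), # monetary field
        "hash_total": sum(int(r["customer_no"]) for r in rows),             # nonfinancial field
    }

def compare_totals(input_totals: dict, output_totals: dict) -> list:
    """Names of the totals that disagree; an empty list means the batch balances."""
    return [k for k in input_totals if input_totals[k] != output_totals[k]]

def simulate_processing(csv_text: str, drop_doc: str = "", transpose_doc: str = "") -> str:
    """Stand-in for the processing run that can lose one record or transpose two
    digits of one customer number, the kinds of error batch totals exist to catch."""
    out = []
    for line in csv_text.splitlines():
        doc = line.split(",")[0]
        if doc == drop_doc:
            continue                              # record lost during processing
        if doc == transpose_doc:
            d, cust, amt = line.split(",")
            cust = cust[:2] + cust[3] + cust[2]   # swap the last two digits
            line = ",".join([d, cust, amt])
        out.append(line)
    return "\n".join(out) + "\n"
```

A lost record disturbs all three totals, while a transposed customer number leaves the record count and financial total intact and is caught only by the hash total, which is why all three are kept.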

Page 10

Online Data Entry Controls

• Additional online data entry controls
  – Online processing data entry controls include:
    • Automatic entry of data
    • Prompting
    • Closed-loop verification
    • Transaction logs
    • Error messages

Page 11

Processing Controls

• Processing controls to ensure that data is processed correctly include:
  • Data matching
  • File labels
  • Recalculation of batch totals
  • Cross-footing balance test
  • Write-protection mechanisms
  • Concurrent update controls

Page 12

Output Controls

• Careful checking of system output provides additional control over processing integrity.

• Output controls include:
  – User review of output
  – Reconciliation procedures
  – External data reconciliation
  – Data transmission controls

Page 13

Output Controls

• Data Transmission Controls
  – Two basic types of data transmission controls:
    1. Checksums – hash of file transmitted, comparison made of hash before and after transmission
    2. Parity checking

Page 14

Output Controls

• Parity checking
  – Computers represent characters as a set of binary digits (bits).
  – For example, “5” is represented by the seven-bit pattern 0000101.
  – When data are transmitted some bits may be lost or received incorrectly.
  – Two basic schemes to detect these events are referred to as even parity and odd parity.
  – In either case, an additional bit is added to the digit being transmitted.
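Both data transmission controls from the two slides above (checksum and parity checking), worked on the slide's own seven-bit pattern 0000101, as an added example (not code from the textbook). Assumptions: SHA-256 stands in for the unspecified checksum hash, and the parity bit is appended at the end of the frame.

```python
import hashlib

def add_parity(bits: str, scheme: str = "even") -> str:
    """Sender: append one parity bit so the frame has an even (or odd) count of 1s."""
    ones = bits.count("1")
    if scheme == "even":
        return bits + ("1" if ones % 2 else "0")
    return bits + ("0" if ones % 2 else "1")

def parity_ok(frame: str, scheme: str = "even") -> bool:
    """Receiver: recount the 1s over the whole frame, parity bit included."""
    return frame.count("1") % 2 == (0 if scheme == "even" else 1)

def flip_bits(frame: str, *positions: int) -> str:
    """Simulate a transmission fault by inverting the bits at the given positions."""
    b = list(frame)
    for p in positions:
        b[p] = "0" if b[p] == "1" else "1"
    return "".join(b)

def checksum(data: bytes) -> str:
    """Checksum control: hash computed before transmission and again after
    (SHA-256 is an assumption; the slide does not name the hash)."""
    return hashlib.sha256(data).hexdigest()

def checksum_ok(received: bytes, sent_checksum: str) -> bool:
    """Receiver compares its own hash of the received data with the sender's."""
    return checksum(received) == sent_checksum

# The slide's example: "5" as the seven-bit pattern 0000101
FRAME = add_parity("0000101", "even")     # -> "00001010"
SINGLE_ERROR = flip_bits(FRAME, 0)        # one bit wrong: parity check fails
DOUBLE_ERROR = flip_bits(FRAME, 0, 1)     # two bits wrong: parity is unchanged, not detected
```

A single parity bit catches any odd number of flipped bits but misses an even number, which is the limitation a checksum over the whole file is meant to cover.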

Page 15

AVAILABILITY

• Reliable systems are available for use whenever needed.

• Threats to system availability originate from many sources, including:
  – Hardware and software failures
  – Natural and man-made disasters
  – Human error
  – Worms and viruses
  – Denial-of-service attacks and other sabotage

[Figure: Systems Reliability pillars: Security, Confidentiality, Privacy, Processing Integrity, Availability]

Page 16

Controls Ensuring Availability

• Systems or information need to be available 24/7
  – It is not possible to ensure this so:

Page 17

AVAILABILITY

• Minimizing Risk of System Downtime
  – Loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce.
  – Organizations can take a variety of steps to minimize the risk of system downtime.

Page 18

AVAILABILITY

• Preventive maintenance can reduce risk of hardware and software failure. Examples:
  – Cleaning disk drives
  – Properly storing magnetic and optical media

• Use of redundant components can provide fault tolerance, which enables the system to continue functioning despite failure of a component. Examples:
  – Dual processors
  – Arrays of multiple hard drives

Page 19

AVAILABILITY

• Risks associated with natural and man-made disasters can be reduced with proper location and design of rooms housing mission-critical servers and databases.
  – Raised floors protect from flood damage.
  – Fire protection and suppression devices reduce likelihood of fire damage.
  – Adequate air conditioning reduces likelihood of damage from over-heating or humidity.
  – Cables with special plugs that cannot be easily removed reduce risk of damage due to accidental unplugging.

Page 20

AVAILABILITY

  – Surge protection devices provide protection against temporary power fluctuations.

• An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely.

Page 21

AVAILABILITY

• Training
  – Well-trained operators are less likely to make mistakes and more able to recover if they do.
  – Security awareness training, particularly concerning safe email and web-browsing practices, can reduce risk of virus and worm infection.

• Patch management and antivirus software
  – Anti-virus software should be installed, run, and kept current.
  – Email should be scanned for viruses at both the server and desktop levels.
  – Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a machine that is isolated from the main network.

Page 22

AVAILABILITY

• Recovery and Resumption of Normal Operations
  – Data backup procedures
  – Disaster recovery plan (DRP)
  – Business continuity plan (BCP)

Page 23

AVAILABILITY

• Data Backup Procedures
  – Data need to be backed up regularly and frequently.
  – A backup is an exact copy of the most current version of a database, file, or software program. It is intended for use in the event of a hardware or software failure.
  – The process of installing the backup copy for use is called restoration.

Page 24

AVAILABILITY

• A full backup is an exact copy of the data recorded on another physical media (tape, magnetic disk, CD, DVD, etc.)

• Full backups are time consuming, so most organizations:
  – Do full backups weekly
  – Supplement with daily partial backups.
    • Incremental backup – copy only data that changed since the last partial backup
    • Differential backup – copy only data that changed since the last full backup
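The incremental and differential schemes above, worked through a constructed week of file changes following a weekly full backup, as an added example (not code from the textbook). The file names and change pattern are sample data invented for the example; the two functions show the trade-off the slide implies: incrementals write less at backup time, differentials need fewer media at restore time.

```python
# Constructed week of file changes after a Sunday full backup
# (sample data for this example, not from the textbook).
CHANGES = {
    "Mon": {"ledger.db", "ar.db"},
    "Tue": {"ledger.db"},
    "Wed": {"payroll.db"},
    "Thu": {"ledger.db", "ap.db"},
}
DAYS = ["Mon", "Tue", "Wed", "Thu"]

def incremental_sets(changes: dict, days: list) -> list:
    """Incremental: each daily backup copies only what changed since the previous partial backup."""
    return [set(changes[d]) for d in days]

def differential_sets(changes: dict, days: list) -> list:
    """Differential: each daily backup copies everything changed since the last full backup."""
    sets, since_full = [], set()
    for d in days:
        since_full |= changes[d]
        sets.append(set(since_full))
    return sets

def files_copied(strategy: str, changes: dict, days: list) -> int:
    """Backup-time cost: total file copies written during the week."""
    sets = incremental_sets(changes, days) if strategy == "incremental" else differential_sets(changes, days)
    return sum(len(s) for s in sets)

def restore_sequence(strategy: str, days: list, through_day: str) -> list:
    """Restore-time cost: the media that must be restored, in order, to recover
    the state as of through_day."""
    idx = days.index(through_day)
    if strategy == "incremental":
        return ["full"] + [f"inc-{d}" for d in days[: idx + 1]]   # full plus every incremental
    return ["full", f"diff-{through_day}"]                        # full plus latest differential
```

With incrementals, every daily medium in the chain must be intact and restored in order; with differentials, only the full backup and the most recent differential are needed.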

Page 25

AVAILABILITY

• Whichever backup procedure is used, multiple backup copies should be created:
  – One can be stored on-site for use in minor incidents.
  – At least one additional copy should be stored off-site to be safe should a disaster occur.

Page 26

AVAILABILITY

• Disaster Recovery and Business Continuity Planning Objectives:
  – Minimize the extent of the disruption, damage, and loss
  – Temporarily establish an alternative means of processing information
  – Resume normal operations as soon as possible
  – Train and familiarize personnel with emergency operations

• Recovery point objective (RPO)
• Recovery time objective (RTO)

Page 27

AVAILABILITY

• Infrastructure Replacement
  – Major disasters can totally destroy an organization’s information processing center or make it inaccessible.
  – A key component of disaster recovery and business continuity plans incorporates provisions for replacing the necessary computing infrastructure, including:
    • Computers
    • Network equipment and access
    • Telephone lines
    • Office equipment
    • Supplies
  – It may even be necessary to hire temporary staff.

Page 28

AVAILABILITY

• Organizations have three basic options for replacing computer and networking equipment.
  – Reciprocal agreements
  – Cold sites
  – Hot sites

Page 29

AVAILABILITY

• Documentation
  – An important and often overlooked component. Should include:
    • The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented.
    • Assignment of responsibility for the various activities.
    • Vendor documentation of hardware and software.
    • Documentation of modifications made to the default configuration (so replacement will have the same functionality).
    • Detailed operating instructions.
  – Copies of all documentation should be stored both on-site and off-site.

Page 30

AVAILABILITY

• Testing
  – Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans.
  • Most plans fail their initial test, because it’s impossible to anticipate everything that could go wrong.
  • The time to discover these problems is before the actual emergency and in a setting where the weaknesses can be carefully analyzed and appropriate changes made.

Page 31

AVAILABILITY

• Insurance
  – Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans.