Chapter 12-1

Chapter 12-2

Chapter 12:Computer Controls for Organizations and

Accounting Information Systems

Introduction

General Controls for Organizations

General Controls for Information Technology

Application Controls for Transaction Processing

Chapter 12-3

General Controls For Organizations

Integrated Security for the Organization

Organization-Level Controls

Personnel Policies

File Security Controls

Business Continuity Planning

Computer Facility Controls

Computer Access Controls

Chapter 12-4

Developing a Security Policy

Chapter 12-5

Integrated Security forthe Organization

Physical Security Measures used to protect its facilities, resources,

or proprietary data stored on physical media

Logical Security Limit access to system and information to

authorized individuals

Integrated Security Combines physical and logical elements Supported by comprehensive security policy

Chapter 12-6

Physical and Logical Security

Chapter 12-7

Organization-Level Controls

Consistent policies and procedures

Management’s risk assessment process

Centralized processing and controls

Controls to monitor results of operations

Chapter 12-8

Organization-Level Controls

Controls to monitor the internal audit function, the audit committee, and self-assessment programs

Period-end financial reporting process

Board-approved policies that address significant business control and risk management practices

Chapter 12-9

Personnel Policies

Separation of Duties Separate Accounting and Information Processing

from Other Subsystems Separate Responsibilities within IT Environment

Use of Computer Accounts Each employee has password protected account Biometrics

Chapter 12-10

Separation of Duties

Chapter 12-11

Division of Responsibility in IT Environment

Chapter 12-12

Division of Responsibility in IT Environment

Chapter 12-13

Personnel Policies

Informal Knowledge of Employees Protect against fraudulent employee actions Observation of suspicious behavior Highest percentage of fraud involved employees

in the accounting department Must safeguard files from intentional and

unintentional errors

Chapter 12-14

Safeguarding Computer Files

Chapter 12-15

File Security Controls

Chapter 12-16

Business Continuity Planning

Definition Comprehensive approach to ensuring normal

operations despite interruptions

Components Disaster Recovery Fault Tolerant Systems Backup

Chapter 12-17

Disaster Recovery

Definition Process and procedures Following disruptive event

Summary of Types of Sites Hot Site Flying-Start Site Cold Site

Chapter 12-18

Fault Tolerant Systems

Definition Used to deal with computer errors Ensure functional system with accurate and

complete data (redundancy)

Major Approaches Consensus-based protocols Watchdog processor Utilize disk mirroring or rollback processing

Chapter 12-19

Backup

Batch processing Risk of losing data before, during, and after

processing Grandfather-parent-child procedure

Types of Backups Hot backup Cold Backup Electronic Vaulting

Chapter 12-20

Batch Processing

Chapter 12-21

Computer Facility Controls

Locate Data Processing Centers in Safe Places Protect from the public Protect from natural disasters (flood, earthquake)

Limit Employee Access Security Badges Man Trap

Buy Insurance

Chapter 12-22

A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.

A.Firewall

B.Security policy

C.Risk assessment

D.VPN

Study Break #1

Chapter 12-23

A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.

A.Firewall

B.Security policy

C.Risk assessment

D.VPN

Study Break #1 - Answer

Chapter 12-24

All of the following are considered organization-level controls except:

A.Personnel controls

B.Business continuity planning controls

C.Processing controls

D.Access to computer files

Study Break #2

Chapter 12-25

All of the following are considered organization-level controls except:

A.Personnel controls

B.Business continuity planning controls

C.Processing controls

D.Access to computer files

Study Break #2 - Answer

Chapter 12-26

Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.

A.Redundancy

B.COBIT

C.COSO

D.Integrated security

Study Break #3

Chapter 12-27

Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.

A.Redundancy

B.COBIT

C.COSO

D.Integrated security

Study Break #3 - Answer

Chapter 12-28

General Controls for Information Technology

Security for Wireless Technology

Controls for Networks

Controls for Personal Computers

IT Control Objectives for Sarbanes-Oxley

Chapter 12-29

General Controls for Information Technology

IT general controls apply to all information systems

Major Objectives Computer programs are authorized, tested, and

approved before usage Access to programs and data is limited to

authorized users

Chapter 12-30

Control Concerns

Chapter 12-31

Security for Wireless Technology

Utilization of wireless local area networks

Virtual Private Network (VPN) Allows remote access to entity resources

Data Encryption Data converted into a scrambled format Converted back to meaningful format following

transmission

Chapter 12-32

Controls for Networks

Control Problems Electronic eavesdropping Hardware or software malfunctions Errors in data transmission

Control Procedures Checkpoint control procedure Routing verification procedures Message acknowledgment procedures

Chapter 12-33

Controls for Personal Computers

Take an inventory of personal computers

Applications utilized by each personal computer

Classify computers according to risks and exposures

Physical security

Chapter 12-34

Additional Controls for Laptops

Chapter 12-35

IT Control Objectives for Sarbanes-Oxley

“IT Control Objectives for Sarbanes-Oxley” Issued by IT Governance Institute (ITGI) Provides guidance for compliance with SOX and

PCAOB requirements

Content IT controls from COBIT Linked to PCAOB standards Linked to COSO framework

Chapter 12-36

Application Controlsfor Transaction

Processing

Purpose Embedded in business process applications Prevent, detect, and correct errors and

irregularities

Application Controls Input Controls Processing Controls Output Controls

Chapter 12-37

Application Controlsfor Transaction

Processing

Chapter 12-38

Input Controls

Purpose Ensure validity Ensure accuracy Ensure completeness

Categories Observation, recording, and transcription of data Edit tests Additional input controls

Chapter 12-39

Observation, Recording,and Transcription of Data

Confirmation mechanism

Dual observation

Point-of-sale devices (POS)

Preprinted recording forms

Chapter 12-40

Preprinted Recording Form

Chapter 12-41

Edit Tests

Input Validation Routines (Edit Programs) Programs or subroutines Check validity and accuracy of input data

Edit Tests Examine selected fields of input data Rejects data not meeting preestablished standards

of quality

Chapter 12-42

Edit Tests

Chapter 12-43

Edit Tests

Chapter 12-44

Additional Input Controls

Unfound-Record Test Transactions matched with master data files Transactions lacking a match are rejected

Check-Digit Control Procedure

Modulus 11 Technique

Chapter 12-45

Processing Controls

Purpose Focus on manipulation of accounting data

Contribute to a good audit trail

Two Types Control totals

Data manipulation controls

Chapter 12-46

Audit Trail

Chapter 12-47

Control Totals

Common Processing Control Procedures Batch control total Financial control total Nonfinancial control total Record count Hash total

Chapter 12-48

Data Manipulation Controls

Data Processing Following validation of input data Data manipulated to produce decision-useful

information

Processing Control Procedures Software Documentation Error-Testing Compiler Utilization of Test Data

Chapter 12-49

Output Controls

Purpose Ensure validity Ensure accuracy Ensure completeness

Major Types Validating Processing Results Regulating Distribution and Use of Printed Output

Chapter 12-50

Output Controls

Validating Processing Results Preparation of activity listings Provide detailed listings of changes to master files

Regulating Distribution and Use of Printed Output Forms control Pre-numbered forms Authorized distribution list

Chapter 12-51

A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.

A.Data encryption

B.WAN

C.Checkpoint

D.VPN

Study Break #4

Chapter 12-52

A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.

A.Data encryption

B.WAN

C.Checkpoint

D.VPN

Study Break #4 - Answer

Chapter 12-53

Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.

A.Specific

B.General

C.Application

D.Input

Study Break #5

Chapter 12-54

Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.

A.Specific

B.General

C.Application

D.Input

Study Break #5 - Answer

Chapter 12-55

Copyright

Copyright 2010 John Wiley & Sons, Inc. All rights reserved.

Reproduction or translation of this work beyond that permitted in

Section 117 of the 1976 United States Copyright Act without the

express written permission of the copyright owner is unlawful.

Request for further information should be addressed to the

Permissions Department, John Wiley & Sons, Inc. The purchasermay make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Chapter 12-56

Chapter 12