chapter 12-1. chapter 12-2 chapter 12: computer controls for organizations and accounting...
TRANSCRIPT
Chapter 12-1
Chapter 12-2
Chapter 12:Computer Controls for Organizations and
Accounting Information Systems
Introduction
General Controls for Organizations
General Controls for Information Technology
Application Controls for Transaction Processing
Chapter 12-3
General Controls For Organizations
Integrated Security for the Organization
Organization-Level Controls
Personnel Policies
File Security Controls
Business Continuity Planning
Computer Facility Controls
Computer Access Controls
Chapter 12-4
Developing a Security Policy
Chapter 12-5
Integrated Security forthe Organization
Physical Security Measures used to protect its facilities, resources,
or proprietary data stored on physical media
Logical Security Limit access to system and information to
authorized individuals
Integrated Security Combines physical and logical elements Supported by comprehensive security policy
Chapter 12-6
Physical and Logical Security
Chapter 12-7
Organization-Level Controls
Consistent policies and procedures
Management’s risk assessment process
Centralized processing and controls
Controls to monitor results of operations
Chapter 12-8
Organization-Level Controls
Controls to monitor the internal audit function, the audit committee, and self-assessment programs
Period-end financial reporting process
Board-approved policies that address significant business control and risk management practices
Chapter 12-9
Personnel Policies
Separation of Duties Separate Accounting and Information Processing
from Other Subsystems Separate Responsibilities within IT Environment
Use of Computer Accounts Each employee has password protected account Biometrics
Chapter 12-10
Separation of Duties
Chapter 12-11
Division of Responsibility in IT Environment
Chapter 12-12
Division of Responsibility in IT Environment
Chapter 12-13
Personnel Policies
Informal Knowledge of Employees Protect against fraudulent employee actions Observation of suspicious behavior Highest percentage of fraud involved employees
in the accounting department Must safeguard files from intentional and
unintentional errors
Chapter 12-14
Safeguarding Computer Files
Chapter 12-15
File Security Controls
Chapter 12-16
Business Continuity Planning
Definition Comprehensive approach to ensuring normal
operations despite interruptions
Components Disaster Recovery Fault Tolerant Systems Backup
Chapter 12-17
Disaster Recovery
Definition Process and procedures Following disruptive event
Summary of Types of Sites Hot Site Flying-Start Site Cold Site
Chapter 12-18
Fault Tolerant Systems
Definition Used to deal with computer errors Ensure functional system with accurate and
complete data (redundancy)
Major Approaches Consensus-based protocols Watchdog processor Utilize disk mirroring or rollback processing
Chapter 12-19
Backup
Batch processing Risk of losing data before, during, and after
processing Grandfather-parent-child procedure
Types of Backups Hot backup Cold Backup Electronic Vaulting
Chapter 12-20
Batch Processing
Chapter 12-21
Computer Facility Controls
Locate Data Processing Centers in Safe Places Protect from the public Protect from natural disasters (flood, earthquake)
Limit Employee Access Security Badges Man Trap
Buy Insurance
Chapter 12-22
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A.Firewall
B.Security policy
C.Risk assessment
D.VPN
Study Break #1
Chapter 12-23
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A.Firewall
B.Security policy
C.Risk assessment
D.VPN
Study Break #1 - Answer
Chapter 12-24
All of the following are considered organization-level controls except:
A.Personnel controls
B.Business continuity planning controls
C.Processing controls
D.Access to computer files
Study Break #2
Chapter 12-25
All of the following are considered organization-level controls except:
A.Personnel controls
B.Business continuity planning controls
C.Processing controls
D.Access to computer files
Study Break #2 - Answer
Chapter 12-26
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A.Redundancy
B.COBIT
C.COSO
D.Integrated security
Study Break #3
Chapter 12-27
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A.Redundancy
B.COBIT
C.COSO
D.Integrated security
Study Break #3 - Answer
Chapter 12-28
General Controls for Information Technology
Security for Wireless Technology
Controls for Networks
Controls for Personal Computers
IT Control Objectives for Sarbanes-Oxley
Chapter 12-29
General Controls for Information Technology
IT general controls apply to all information systems
Major Objectives Computer programs are authorized, tested, and
approved before usage Access to programs and data is limited to
authorized users
Chapter 12-30
Control Concerns
Chapter 12-31
Security for Wireless Technology
Utilization of wireless local area networks
Virtual Private Network (VPN) Allows remote access to entity resources
Data Encryption Data converted into a scrambled format Converted back to meaningful format following
transmission
Chapter 12-32
Controls for Networks
Control Problems Electronic eavesdropping Hardware or software malfunctions Errors in data transmission
Control Procedures Checkpoint control procedure Routing verification procedures Message acknowledgment procedures
Chapter 12-33
Controls for Personal Computers
Take an inventory of personal computers
Applications utilized by each personal computer
Classify computers according to risks and exposures
Physical security
Chapter 12-34
Additional Controls for Laptops
Chapter 12-35
IT Control Objectives for Sarbanes-Oxley
“IT Control Objectives for Sarbanes-Oxley” Issued by IT Governance Institute (ITGI) Provides guidance for compliance with SOX and
PCAOB requirements
Content IT controls from COBIT Linked to PCAOB standards Linked to COSO framework
Chapter 12-36
Application Controlsfor Transaction
Processing
Purpose Embedded in business process applications Prevent, detect, and correct errors and
irregularities
Application Controls Input Controls Processing Controls Output Controls
Chapter 12-37
Application Controlsfor Transaction
Processing
Chapter 12-38
Input Controls
Purpose Ensure validity Ensure accuracy Ensure completeness
Categories Observation, recording, and transcription of data Edit tests Additional input controls
Chapter 12-39
Observation, Recording,and Transcription of Data
Confirmation mechanism
Dual observation
Point-of-sale devices (POS)
Preprinted recording forms
Chapter 12-40
Preprinted Recording Form
Chapter 12-41
Edit Tests
Input Validation Routines (Edit Programs) Programs or subroutines Check validity and accuracy of input data
Edit Tests Examine selected fields of input data Rejects data not meeting preestablished standards
of quality
Chapter 12-42
Edit Tests
Chapter 12-43
Edit Tests
Chapter 12-44
Additional Input Controls
Unfound-Record Test Transactions matched with master data files Transactions lacking a match are rejected
Check-Digit Control Procedure
Modulus 11 Technique
Chapter 12-45
Processing Controls
Purpose Focus on manipulation of accounting data
Contribute to a good audit trail
Two Types Control totals
Data manipulation controls
Chapter 12-46
Audit Trail
Chapter 12-47
Control Totals
Common Processing Control Procedures Batch control total Financial control total Nonfinancial control total Record count Hash total
Chapter 12-48
Data Manipulation Controls
Data Processing Following validation of input data Data manipulated to produce decision-useful
information
Processing Control Procedures Software Documentation Error-Testing Compiler Utilization of Test Data
Chapter 12-49
Output Controls
Purpose Ensure validity Ensure accuracy Ensure completeness
Major Types Validating Processing Results Regulating Distribution and Use of Printed Output
Chapter 12-50
Output Controls
Validating Processing Results Preparation of activity listings Provide detailed listings of changes to master files
Regulating Distribution and Use of Printed Output Forms control Pre-numbered forms Authorized distribution list
Chapter 12-51
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.
A.Data encryption
B.WAN
C.Checkpoint
D.VPN
Study Break #4
Chapter 12-52
A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, hand-held devices.
A.Data encryption
B.WAN
C.Checkpoint
D.VPN
Study Break #4 - Answer
Chapter 12-53
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A.Specific
B.General
C.Application
D.Input
Study Break #5
Chapter 12-54
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A.Specific
B.General
C.Application
D.Input
Study Break #5 - Answer
Chapter 12-55
Copyright
Copyright 2010 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchasermay make backup copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
Chapter 12-56
Chapter 12