
Chapter 12: Computer Controls for Organizations and Accounting Information Systems



  1. Chapter 12: Computer Controls for Organizations and Accounting Information Systems • Introduction • General Controls for Organizations • General Controls for Information Technology • Application Controls for Transaction Processing

  2. General Controls For Organizations • Integrated Security for the Organization • Organization-Level Controls • Personnel Policies • File Security Controls • Business Continuity Planning • Computer Facility Controls • Computer Access Controls

  3. Developing a Security Policy

  4. Integrated Security for the Organization • Physical Security • Measures used to protect its facilities, resources, or proprietary data stored on physical media • Logical Security • Limit access to systems and information to authorized individuals • Integrated Security • Combines physical and logical elements • Supported by a comprehensive security policy

  5. Physical and Logical Security

  6. Organization-Level Controls • Consistent policies and procedures • Management’s risk assessment process • Centralized processing and controls • Controls to monitor results of operations

  7. Organization-Level Controls • Controls to monitor the internal audit function, the audit committee, and self-assessment programs • Period-end financial reporting process • Board-approved policies that address significant business control and risk management practices

  8. Personnel Policies • Separation of Duties • Separate Accounting and Information Processing from Other Subsystems • Separate Responsibilities within the IT Environment • Use of Computer Accounts • Each employee has a password-protected account • Biometrics

  9. Separation of Duties

  10. Division of Responsibility in IT Environment

  11. Division of Responsibility in IT Environment

  12. Personnel Policies • Informal Knowledge of Employees • Protect against fraudulent employee actions • Observation of suspicious behavior • Highest percentage of fraud involved employees in the accounting department • Must safeguard files from intentional and unintentional errors

  13. Safeguarding Computer Files

  14. File Security Controls

  15. Business Continuity Planning • Definition • Comprehensive approach to ensuring normal operations despite interruptions • Components • Disaster Recovery • Fault Tolerant Systems • Backup

  16. Disaster Recovery • Definition • Process and procedures • Following disruptive event • Summary of Types of Sites • Hot Site • Flying-Start Site • Cold Site

  17. Fault-Tolerant Systems • Definition • Used to deal with computer errors • Ensure a functional system with accurate and complete data (redundancy) • Major Approaches • Consensus-based protocols • Watchdog processor • Disk mirroring or rollback processing

  18. Backup • Batch processing • Risk of losing data before, during, and after processing • Grandfather-parent-child procedure • Types of Backups • Hot backup • Cold Backup • Electronic Vaulting
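The grandfather-parent-child procedure on the slide above, worked through in code as an added example (this is not the textbook's code). It assumes a simple batch update that posts (account, amount) pairs to an in-memory master file, retains three generations with the transaction file that produced each, and rebuilds the current master by replaying those transaction files from the newest intact generation; the account numbers and amounts are constructed for the example.

```python
"""Grandfather-parent-child retention for batch master-file processing.
Example code written for this page, not from the textbook.  Each batch run
posts a transaction file to the current master and writes a new master; the
two previous masters and the transaction files that produced each later
generation are kept, so a lost or corrupted master can be rebuilt by
re-running the batch from an older, intact generation."""

from collections import deque
from decimal import Decimal

GENERATIONS = 3  # grandfather, parent, child (current)


def apply_batch(master: dict, transactions: list) -> dict:
    """Batch update: post (account, amount) pairs to a copy of the master file."""
    new_master = dict(master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, Decimal("0")) + amount
    return new_master


class GpcRotation:
    """Keeps the last three generations as (master, transactions_that_built_it)."""

    def __init__(self, initial_master: dict):
        # The seed master was not built from a retained transaction file.
        self.generations = deque([(dict(initial_master), [])], maxlen=GENERATIONS)

    def current(self) -> dict:
        return self.generations[-1][0]

    def run_batch(self, transactions: list) -> dict:
        child = apply_batch(self.current(), transactions)
        # appending past maxlen drops the oldest generation (the old grandfather)
        self.generations.append((child, list(transactions)))
        return child

    def recover_current(self, generations_lost: int = 1) -> dict:
        """Rebuild the current master after losing the newest `generations_lost`
        masters: start from the newest intact master and replay the retained
        transaction files in order.  Losing all three retained generations is
        unrecoverable here, which is why the grandfather copy is kept off-site."""
        if generations_lost >= len(self.generations):
            raise RuntimeError("every retained generation is lost; restore from off-site copy")
        intact = len(self.generations) - 1 - generations_lost
        master = self.generations[intact][0]
        for _, transactions in list(self.generations)[intact + 1:]:
            master = apply_batch(master, transactions)
        return master


def sample_rotation() -> GpcRotation:
    """Three constructed batch runs over a two-account receivables master."""
    rotation = GpcRotation({"1001": Decimal("100.00"), "1002": Decimal("50.00")})
    rotation.run_batch([("1001", Decimal("25.00")), ("1003", Decimal("10.00"))])
    rotation.run_batch([("1002", Decimal("-50.00"))])
    rotation.run_batch([("1003", Decimal("5.00"))])  # this run's master is the child
    return rotation


if __name__ == "__main__":
    r = sample_rotation()
    print("current master:", r.current())
    print("rebuilt from parent matches:", r.recover_current(1) == r.current())
    print("rebuilt from grandfather matches:", r.recover_current(2) == r.current())
```

The point the rotation makes concrete is that a generation is only useful together with the transaction file that follows it: the grandfather master alone cannot reproduce the child, but grandfather plus the two retained transaction files can, and that is the recovery path for data lost after processing.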

  19. Batch Processing

  20. Computer Facility Controls • Locate Data Processing Centers in Safe Places • Protect from the public • Protect from natural disasters (flood, earthquake) • Limit Employee Access • Security Badges • Mantrap • Buy Insurance

  21. Study Break #1 • A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats. • Firewall • Security policy • Risk assessment • VPN

  22. Study Break #1 - Answer • A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats. • Firewall • Security policy • Risk assessment • VPN • Answer: Security policy

  23. Study Break #2 • All of the following are considered organization-level controls except: • Personnel controls • Business continuity planning controls • Processing controls • Access to computer files

  24. Study Break #2 - Answer • All of the following are considered organization-level controls except: • Personnel controls • Business continuity planning controls • Processing controls • Access to computer files • Answer: Processing controls (an application control for transaction processing, not an organization-level control)

  25. Study Break #3 • Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________. • Redundancy • COBIT • COSO • Integrated security

  26. Study Break #3 - Answer • Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________. • Redundancy • COBIT • COSO • Integrated security • Answer: Redundancy

  27. General Controls for Information Technology • Security for Wireless Technology • Controls for Networks • Controls for Personal Computers • IT Control Objectives for Sarbanes-Oxley

  28. General Controls for Information Technology • IT general controls apply to all information systems • Major Objectives • Computer programs are authorized, tested, and approved before usage • Access to programs and data is limited to authorized users

  29. Control Concerns

  30. Security for Wireless Technology • Use of wireless local area networks • Virtual Private Network (VPN) • Allows remote access to entity resources • Data Encryption • Data converted into a scrambled format before transmission • Decrypted back into a meaningful format by the recipient after transmission

  31. Controls for Networks • Control Problems • Electronic eavesdropping • Hardware or software malfunctions • Errors in data transmission • Control Procedures • Checkpoint control procedure • Routing verification procedures • Message acknowledgment procedures

  32. Controls for Personal Computers • Take an inventory of personal computers • Applications utilized by each personal computer • Classify computers according to risks and exposures • Physical security

  33. Additional Controls for Laptops

  34. IT Control Objectives for Sarbanes-Oxley • “IT Control Objectives for Sarbanes-Oxley” • Issued by IT Governance Institute (ITGI) • Provides guidance for compliance with SOX and PCAOB requirements • Content • IT controls from COBIT • Linked to PCAOB standards • Linked to COSO framework

  35. Application Controls for Transaction Processing • Purpose • Embedded in business process applications • Prevent, detect, and correct errors and irregularities • Application Controls • Input Controls • Processing Controls • Output Controls

  36. Application Controls for Transaction Processing

  37. Input Controls • Purpose • Ensure validity • Ensure accuracy • Ensure completeness • Categories • Observation, recording, and transcription of data • Edit tests • Additional input controls

  38. Observation, Recording, and Transcription of Data • Confirmation mechanism • Dual observation • Point-of-sale devices (POS) • Preprinted recording forms

  39. Preprinted Recording Form

  40. Edit Tests • Input Validation Routines (Edit Programs) • Programs or subroutines • Check validity and accuracy of input data • Edit Tests • Examine selected fields of input data • Reject data not meeting pre-established standards of quality

  41. Edit Tests

  42. Edit Tests

  43. Additional Input Controls • Unfound-Record Test • Transactions matched with master data files • Transactions lacking a match are rejected • Check-Digit Control Procedure • Modulus 11 Technique
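The input controls from slides 40 and 43 (edit tests, the unfound-record test and a modulus-11 check digit), applied together to a constructed batch of keyed sales transactions. This is an added example written for this page, not the textbook's code. The modulus-11 variant assumed here weights the digits 2 through 7 from the right, cycles the weights, and writes the check digit as X when the remainder gives 10; the customer master file, the valid-code table, the amount limit and the sample transactions are all constructed for the example.

```python
"""Input controls from the chapter, run over a constructed batch of keyed
sales transactions: edit tests, a modulus-11 check-digit test on the customer
account number, and an unfound-record test against the customer master file.
Example code written for this page, not from the textbook."""

from decimal import Decimal, InvalidOperation

# Weights 2..7 applied right-to-left and recycled; the check digit itself carries
# weight 1, so a valid number's weighted sum is a multiple of 11.  (Assumed variant.)
WEIGHTS = (2, 3, 4, 5, 6, 7)


def _weighted_sum(base: str) -> int:
    return sum(int(d) * WEIGHTS[i % len(WEIGHTS)] for i, d in enumerate(reversed(base)))


def mod11_check_digit(base: str) -> str:
    """Compute the modulus-11 check digit for a string of digits ('X' stands for 10)."""
    remainder = (11 - _weighted_sum(base) % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def mod11_valid(number: str) -> bool:
    """Check-digit test: true only if base digits plus check digit sum to 0 mod 11.
    A single transposition changes the weighted sum, so it is caught."""
    base, check = number[:-1], number[-1:]
    if not base.isdigit() or not (check.isdigit() or check == "X"):
        return False
    check_val = 10 if check == "X" else int(check)
    return (_weighted_sum(base) + check_val) % 11 == 0


# Constructed customer master file; every account number carries a valid check digit.
CUSTOMER_MASTER = {
    "12345" + mod11_check_digit("12345"): "Acme Ltd",     # 123455
    "98765" + mod11_check_digit("98765"): "Globex Corp",  # 987654
}
VALID_CODES = {"SAL", "RET"}          # valid-code test table (constructed)
REQUIRED = ("account", "code", "amount", "qty")
AMOUNT_LIMIT = Decimal("10000.00")    # limit / reasonableness threshold (constructed)


def edit_tests(txn: dict) -> list:
    """Return the list of edit-test failures for one keyed transaction."""
    errors = [f"completeness: {f} missing" for f in REQUIRED if not txn.get(f)]
    if errors:                       # nothing else is meaningful on an incomplete record
        return errors
    if txn["code"] not in VALID_CODES:
        errors.append(f"valid-code: {txn['code']!r} not in code table")
    try:
        amount = Decimal(txn["amount"])
    except InvalidOperation:
        errors.append("numeric-field: amount is not numeric")
    else:
        if amount < 0:
            errors.append("sign: amount must not be negative")
        elif amount > AMOUNT_LIMIT:
            errors.append(f"limit: amount exceeds {AMOUNT_LIMIT}")
    if not txn["qty"].isdigit() or int(txn["qty"]) == 0:
        errors.append("numeric-field/range: qty must be a positive integer")
    if not mod11_valid(txn["account"]):
        errors.append("check-digit: account number fails modulus 11")
    return errors


def validate_batch(batch: list, master: dict) -> dict:
    """Apply the edit tests, then the unfound-record test, and split the batch."""
    accepted, rejected = [], []
    for txn in batch:
        errors = edit_tests(txn)
        # Unfound-record test: only run once the number itself is well-formed.
        if not errors and txn["account"] not in master:
            errors.append("unfound-record: no matching customer master record")
        (rejected if errors else accepted).append({**txn, "errors": errors})
    return {"accepted": accepted, "rejected": rejected}


# Constructed input batch, as a clerk might key it.
SAMPLE_BATCH = [
    {"account": "123455", "code": "SAL", "amount": "250.00", "qty": "3"},   # clean
    {"account": "213455", "code": "SAL", "amount": "250.00", "qty": "3"},   # transposed digits
    {"account": "111112", "code": "SAL", "amount": "99.00", "qty": "1"},    # valid digit, no master record
    {"account": "987654", "code": "XYZ", "amount": "-5", "qty": "0"},       # three edit failures
    {"account": "987654", "code": "RET", "amount": "", "qty": "2"},         # incomplete
]

if __name__ == "__main__":
    result = validate_batch(SAMPLE_BATCH, CUSTOMER_MASTER)
    for txn in result["rejected"]:
        print(txn["account"], "rejected:", "; ".join(txn["errors"]))
    print(len(result["accepted"]), "accepted,", len(result["rejected"]), "rejected")
```

Note the ordering: the check-digit test catches a mis-keyed account number cheaply, before any master-file lookup, while the unfound-record test catches a number that is well-formed but belongs to no customer; a transposition error would otherwise pass silently into an unfound-record rejection or, worse, into another customer's account.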

  44. Processing Controls • Purpose • Focus on manipulation of accounting data • Contribute to a good audit trail • Two Types • Control totals • Data manipulation controls

  45. Audit Trail

  46. Control Totals • Common Processing Control Procedures • Batch control total • Financial control total • Nonfinancial control total • Record count • Hash total
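The control totals listed on the slide above, computed over a constructed batch of customer postings and reconciled against four different processing outcomes. This is an added example written for this page, not the textbook's code; the batch contents, the choice of account number as the hash-total field, and the four error scenarios are constructed for illustration. It goes slightly beyond the slide by also showing the case the totals cannot detect.

```python
"""Control totals as a processing control, run over a constructed batch of
customer postings.  Example code written for this page, not from the textbook.
The totals are taken from the source batch before processing and recomputed
from what was actually posted; any disagreement flags the batch."""

from decimal import Decimal

# Constructed batch of postings: (customer account number, units, amount).
SOURCE_BATCH = [
    ("1001", 3, Decimal("250.00")),
    ("1002", 1, Decimal("99.95")),
    ("1003", 12, Decimal("1200.00")),
    ("1004", 2, Decimal("45.50")),
]


def control_totals(batch: list) -> dict:
    """The batch control totals named on the slide."""
    return {
        "record_count": len(batch),
        "financial_total": sum((amount for _, _, amount in batch), Decimal("0")),
        "nonfinancial_total": sum(units for _, units, _ in batch),
        # hash total: sum of a field with no arithmetic meaning (account numbers),
        # kept only so that a changed account number alters the batch signature
        "hash_total": sum(int(account) for account, _, _ in batch),
    }


def reconcile(expected: dict, actual: dict) -> list:
    """Names of the control totals that disagree.  An empty list means the batch
    reconciles, which is not the same as the batch being correct."""
    return [name for name in expected if expected[name] != actual[name]]


def check_batch(processed: list) -> list:
    """Compare totals taken from the source batch against the processed batch."""
    return reconcile(control_totals(SOURCE_BATCH), control_totals(processed))


# Constructed processing outcomes, each a different kind of error.
DROPPED_RECORD = SOURCE_BATCH[:3]                                   # last record never posted
WRONG_AMOUNT = [SOURCE_BATCH[0], SOURCE_BATCH[1],
                ("1003", 12, Decimal("2100.00")), SOURCE_BATCH[3]]   # 1200.00 keyed as 2100.00
WRONG_ACCOUNT = [SOURCE_BATCH[0], ("1020", 1, Decimal("99.95")),
                 SOURCE_BATCH[2], SOURCE_BATCH[3]]                  # posted to 1020, not 1002
COMPENSATING = [("1001", 3, Decimal("260.00")), ("1002", 1, Decimal("89.95")),
                SOURCE_BATCH[2], SOURCE_BATCH[3]]                   # +10 and -10 cancel out

if __name__ == "__main__":
    for name, batch in [("dropped record", DROPPED_RECORD), ("wrong amount", WRONG_AMOUNT),
                        ("wrong account", WRONG_ACCOUNT), ("compensating errors", COMPENSATING)]:
        print(f"{name:20s} -> {check_batch(batch) or 'reconciles'}")
```

The wrong-account case is why a hash total is kept at all: the record count, financial total and nonfinancial total all still agree, and only the meaningless sum of account numbers moves. The compensating case shows the limit of the technique: control totals are a completeness and batch-integrity check, not a substitute for the per-record edit tests and the audit trail.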

  47. Data Manipulation Controls • Data Processing • Following validation of input data • Data manipulated to produce decision-useful information • Processing Control Procedures • Software Documentation • Error-Testing Compiler • Utilization of Test Data

  48. Output Controls • Purpose • Ensure validity • Ensure accuracy • Ensure completeness • Major Types • Validating Processing Results • Regulating Distribution and Use of Printed Output

  49. Output Controls • Validating Processing Results • Preparation of activity listings • Provide detailed listings of changes to master files • Regulating Distribution and Use of Printed Output • Forms control • Pre-numbered forms • Authorized distribution list
