Explore how to establish a strong control environment, identify specific controls for risk prevention in operating activities and information processing, and understand the impact of management's philosophy on control consciousness. Learn about integrity, ethical values, human resource policies, risk assessment, and control activities.
Supplemental Chapter D Sample Electronic Data Processing Controls
Objectives
• Identify what contributes to a strong control environment and the controls that contribute to it.
• Identify specific controls to prevent, detect, or recover from risks associated with:
  • Operating activities.
  • Information processing risk.
Review of Controls Philosophy
• Every entity, whether it is a business organization, governmental agency, or not-for-profit entity, has some stated objectives. Entities are established to do something for someone. They might be organized to make money, provide public services, or administer an estate. There are many opportunities available to these entities to achieve their objectives. With each opportunity, there is some risk.
• The risks may be:
  • strategic - doing the wrong things;
  • decision - failure to make a needed decision or selecting a poor alternative;
  • operating - doing the right things the wrong way;
  • financial - losing financial resources or creating financial liabilities; or
  • information - making errors in recording, maintaining, and reporting activities.
Control Environment
• The control environment sets the tone of the organization and influences the control consciousness of its people.
• The control environment encompasses several factors, but these are some of the most important:
  • the integrity and ethical values of the organization as a whole,
  • management’s philosophy, and
  • how the organization treats its people.
Integrity and Ethical Values
• Controls that can help improve the integrity and ethical values of the organization include:
  • Hire honest people.
  • Establish a Code of Conduct.
  • Have a Violations Review Committee.
  • Review Company Practices and Rules.
Impact of Management’s Philosophy on the Control Environment
• Management’s philosophy can either contribute to, or help prevent, a high-risk environment.
• Questions that may be asked to identify a high-risk environment include:
  • Do people understand the company’s policies and practices, what they are responsible for, and to whom they report?
  • Has management developed a culture that emphasizes integrity and ethical behavior?
  • Does the company have a well-defined organizational structure, with appropriate division of duties and responsibilities and identified reporting relationships, so that important activities are planned, executed, controlled, and monitored on a timely basis?
  • Is the organization committed to hiring competent people who possess the knowledge and skills needed to perform their assigned jobs?
  • Does management have a conservative or reasonable approach in accepting business risks and in reporting the financial results of operations?
  • If the entity has an annual audit of its financial statements, does it have an audit committee to oversee the audit?
  • If there is a board of directors, are there outside representatives on the board?
Human Resource Policies and Practices
• People are frequently the most important assets of the organization.
• However, if they are not the right people and if they are not managed properly, they may become more of a liability than an asset.
• Human resource policies and practices relate to hiring, orienting, training, evaluating, counseling, promoting, compensating, and terminating employees.
• The following controls can help ensure success in hiring and retaining quality employees:
  • Check the background of each applicant.
  • Bond people in critical positions.
  • Explain organization policies and procedures.
  • Define promotion and personal growth opportunities.
  • Define procedures for terminating employees.
  • Provide well-defined work schedules.
Risk Assessment
• Risk assessment is a process of identifying things that can go wrong and the probability of their occurrence. There are no exhaustive checklists identifying all the things that can go wrong. People with criminal minds work on expanding these checklists all the time. They are looking for weaknesses in the system and identifying ways to take advantage of a weakness for personal gain, without being caught. Failure to identify these weaknesses before they are identified by people with criminal minds often results in significant losses.
• Some of the important areas you should investigate during the risk assessment phase include:
  • Where has the company incurred losses in the past, and how much has been lost?
  • Where have similar companies incurred losses, and how much have they lost?
  • Ask employees where errors and irregularities are most likely to occur.
Control Activities
• We can classify control activities by their use (i.e., whether they are used to prevent, detect, or recover from errors or irregularities).
  • Preventive controls focus on preventing an error or irregularity.
  • Detective controls focus on identifying when an error or irregularity has occurred.
  • Corrective controls focus on recovering from, repairing the damage from, or minimizing the cost of an error or irregularity.
• An error is an unintended mistake on the part of an employee, while an irregularity is an intentional effort to do something that is undesirable to the organization.
• Control activities relevant to the information processing activities of an entity may be broadly classified into three areas:
  • (a) separation of duties,
  • (b) physical controls, and
  • (c) information processing controls.
Separate Accounting and Information Systems from Other Organization Functions
• Accounting and information systems are support functions and should have organizational independence from the departments that use their information and perform the operational activities of the organization. This implies that, to the extent possible, the organization should ensure that:
  • A user department initiates all transactions.
  • User departments authorize new business application software and changes to current application software.
  • Custody of assets resides with designated operational departments.
  • Errors in transaction data are entered on an error log, referred back to the user department for correction, and followed up on by the control group.
Separate Responsibilities within the Information Systems Function
• Some functions within the information systems area are incompatible and should ideally be separate. When possible, organizations should separate the following functions from each other:
  • Systems analysis - analyzing the information and processing needs and designing or modifying the application software.
  • Database administration - integrating the data requirements of analysis and design to maintain an enterprise data resource.
  • Programming - writing computer programs to perform the tasks designed by analysts.
  • Operations - running the application programs (designed by systems analysts and written by the programmers) on the computer.
  • Information systems library - storing programs and files when not in use and keeping track of all versions of data and applications.
  • Data control - reconciling input and output, distributing output to authorized information customers, and monitoring the correction of errors.
Physical Controls
• Physical controls encompass the physical security of the organization's assets and records, authorization to access computer programs and data files, and periodically counting the quantities of physical assets and comparing them with amounts shown on financial records.
  • Physical Security of Assets and Records
  • Access Controls for Computer Programs and Files
  • Reconcile Physical Quantities with Recorded Quantities
Physical Security of Assets and Records
• The assets and sensitive records of the organization should be protected and only released to, or accessed by, authorized individuals.
• Many of these are simple controls such as separate storage rooms, locks on doors and filing cabinets, and surveillance personnel.
• Physical access controls prevent unauthorized access to the computer devices themselves.
• Typically, large systems or file servers are housed in a locked room that is entered only with a combination lock or a key.
• When unauthorized personnel or others gain access to the physical devices, they can seriously disrupt operations or even destroy the devices themselves.
Access Controls
• Systems access
• Physical access
• Data and application access
Access Controls for Computer Programs and Files
• When IT is embedded in the business and information processes, individuals who execute business events must gain access to the technology to execute business and information processes.
• Unauthorized access to the system represents a tremendous risk to the organization.
• Preventing unauthorized access to the system is critical.
• Controlling access is particularly important when the system has online, real-time transaction processing capabilities.
Access Controls for Computer Programs and Files
• Access controls restrict unauthorized access to the system itself, to physical devices, and to data in the system.
• System access controls are used to prevent unauthorized access into the system. Organizations must control who obtains access to the system through an on-line terminal or by data communication lines.
• A password is a unique identifier that only the user should know and is required to enter each time he/she logs onto the system. Unless passwords are formally assigned, routinely changed, and protected from use by other people, they will quickly get into the wrong hands and provide unauthorized access to the system.
• The access control matrix identifies the functions each user can perform once they gain access to the computer. It controls what data and programs the user may access.
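The two gates the slide describes, system access by password and application access through an access control matrix, as an added Python example (not code from the original slides). The user names, passwords, object names and the matrix entries are constructed for the illustration; the credential store holds only salted PBKDF2 hashes, and anything absent from the matrix is denied.

```python
"""System access (password check) followed by application access (access control
matrix). Added illustration; users, credentials, objects and matrix are constructed."""
import hashlib
import hmac
import os
from typing import Dict, FrozenSet, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def _credential(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2 hash); the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store, built at import time so the example runs offline.
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "clerk_a": _credential("correct horse battery staple"),
    "supervisor": _credential("T7#kq!vL2pZr"),
}

# Constructed access control matrix: (user, object) -> functions permitted.
# Anything not listed is denied, so the default is "no access".
ACCESS_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("clerk_a", "journal_vouchers"): frozenset({"create", "read"}),
    ("supervisor", "journal_vouchers"): frozenset({"read", "approve"}),
    ("supervisor", "gl_master"): frozenset({"read"}),
}


def system_access(user: str, password: str) -> bool:
    """First gate: does the user prove knowledge of the password?"""
    record = CREDENTIALS.get(user)
    if record is None:
        _credential(password, b"\0" * 16)  # same work for unknown users, so timing does not differ
        return False
    salt, stored = record
    return hmac.compare_digest(_credential(password, salt)[1], stored)


def application_access(user: str, obj: str, function: str) -> bool:
    """Second gate: once inside, what may this user do to this object?"""
    return function in ACCESS_MATRIX.get((user, obj), frozenset())


def request(user: str, password: str, obj: str, function: str) -> str:
    """Evaluate both gates and return an audit-log line for the attempt."""
    if not system_access(user, password):
        return f"DENY login user={user}"
    if not application_access(user, obj, function):
        return f"DENY function user={user} object={obj} function={function}"
    return f"ALLOW user={user} object={obj} function={function}"


if __name__ == "__main__":
    print(request("clerk_a", "correct horse battery staple", "journal_vouchers", "create"))
    print(request("clerk_a", "correct horse battery staple", "journal_vouchers", "approve"))
    print(request("clerk_a", "wrong", "journal_vouchers", "read"))
    print(request("nobody", "x", "gl_master", "read"))
```

Every attempt, allowed or denied, produces a log line, which is what makes the matrix a detective control as well as a preventive one: the denied lines are the ones data control should be reviewing.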
Case In Point: Passwords
• Surveys show that most passwords are “no-brainers” for hackers trying to break into a system.
• The most common password is the user's own name or the name of a child. The second most common password is “secret.”
• Other common passwords, in order of usage, are:
  • Stress-related words such as “deadline” or “work”
  • Sports teams or sports terms like “bulls” or “golfer”
  • “Payday”
  • “Bonkers”
  • The current season (e.g., “winter” or “spring”)
  • The user's ethnic group
  • Repeated characters (e.g., “bbbbb” or “AAAAA”)
  • Obscenities or sexual terms
Data and Application Access Controls
• Data and application access controls maintain the integrity and privacy of data and processes within a computer system. They should prevent loss, destruction, or access of data and applications by unauthorized personnel.
• Encryption is used to protect highly sensitive and confidential data. Encryption is a process of encoding data entered into the system, storing or transmitting the data in coded form, and then decoding the data upon its use or arrival at its destination.
Reconcile Physical Quantities with Recorded Quantities
• Periodically, the physical assets should be compared with the assets recorded on the financial records. Auditors generally require a physical count of inventory on hand to compare with the amount reported on the financial statements. The same idea should be applied to other assets:
  • At the end of each sales clerk's shift, the amount of cash in the cash drawer should be counted and compared with the sales total from the cash register for the employee's shift.
  • Fixed assets such as computer equipment should be tagged with identification numbers and assigned to specific employees. At least annually, an inventory clerk should compare what each employee actually has with what they have been issued.
  • Property, plant, equipment, and inventories of all types should be counted and the quantities compared with the financial records. Any differences should be reconciled. Frequently this identifies errors and irregularities that would never be detected otherwise.
[Figure: Types of Updating Processes. Three variants are shown: Batch Process Update, Report Process Update, and Real-Time Process Update. In each, an Update Process takes Old Reference Data together with Event and Maintenance Data and produces New Reference Data (and, for the report variant, a Report). The batch variant labels successive generations of the reference data GRANDPARENT, PARENT, and CHILD.]
[Figure: Grandparent-Parent-Child Batch Processing Backup Example. Journal voucher data are keyed in to form an Unsorted Journal Vouchers file, sorted in chart of account order to form Sorted Journal Vouchers, then run through “Edit input and update master file” against the Old General Ledger Master (the Parent) to produce the New General Ledger Master (the Child) and an Error and Exception Report. The “Old” General Ledger Master from the preceding batch run is the Grandparent (not shown on this day’s run). Caption: If we lost the “child” master file, we could process the transaction file against the “parent” master file.]
[Figure: Rollback and Recovery On-line Processing Backup Example. Journal voucher data are input (a scanner could be used) and run through “Edit data and update master file” against the General Ledger Master, producing Error and Exception Messages; transaction data are stored in a Transaction Log (journal voucher file in numerical order), and a Periodic Backup of the Master reference data is taken. Caption: If we lost the master file, we could roll back to the backup master and reprocess the transaction log data against the backup master.]
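The two backup schemes shown in the figures above, grandparent-parent-child generations for batch runs and backup-plus-transaction-log rollback for on-line processing, as one added Python example (not code from the original slides). The general ledger master, the journal vouchers and the account numbers are constructed; the update routine posts to a copy of the old master so that the old generation is never overwritten, which is the property both recoveries depend on.

```python
"""Grandparent-parent-child batch backup and transaction-log rollback.
Added illustration; master files, vouchers and amounts are constructed."""
from typing import Dict, List, Tuple

Master = Dict[str, float]          # general ledger master: account number -> balance
Voucher = Tuple[int, str, float]   # (voucher number, account, signed amount)


def edit_and_update(old_master: Master, vouchers: List[Voucher]) -> Tuple[Master, List[str]]:
    """Edit input and post it against a COPY of the old master.
    The old master is never written, so it survives unchanged as the parent."""
    new_master = dict(old_master)
    exceptions = []
    for number, account, amount in sorted(vouchers, key=lambda v: v[1]):  # chart of account order
        if account not in new_master:
            exceptions.append(f"voucher {number}: account {account} not on master")
            continue
        new_master[account] = round(new_master[account] + amount, 2)
    return new_master, exceptions


class GrandparentParentChild:
    """Batch processing: keep the three latest generations and the batch that produced each."""

    def __init__(self, initial_master: Master):
        self.generations: List[Tuple[Master, List[Voucher]]] = [(dict(initial_master), [])]

    def run_batch(self, vouchers: List[Voucher]) -> Tuple[Master, List[str]]:
        parent, _ = self.generations[-1]
        child, exceptions = edit_and_update(parent, vouchers)
        self.generations.append((child, list(vouchers)))
        self.generations = self.generations[-3:]   # grandparent, parent, child
        return child, exceptions

    def recover_child(self) -> Master:
        """If the child is lost, re-run its batch against the parent."""
        parent, _ = self.generations[-2]
        _, batch = self.generations[-1]
        rebuilt, _ = edit_and_update(parent, batch)
        self.generations[-1] = (rebuilt, batch)
        return rebuilt


class OnlineLedger:
    """Real-time processing: periodic master backup plus a transaction log since that backup."""

    def __init__(self, initial_master: Master):
        self.master = dict(initial_master)
        self.backup = dict(initial_master)
        self.log: List[Voucher] = []

    def post(self, voucher: Voucher) -> str:
        number, account, amount = voucher
        if account not in self.master:
            return f"exception: voucher {number} account {account} not on master"
        self.log.append(voucher)   # log first, so an update that dies midway can still be replayed
        self.master[account] = round(self.master[account] + amount, 2)
        return "ok"

    def periodic_backup(self) -> None:
        self.backup = dict(self.master)
        self.log = []              # the log only needs to cover changes since the backup

    def rollback_and_recover(self) -> Master:
        """If the live master is lost, reprocess the log against the backup."""
        self.master, _ = edit_and_update(self.backup, self.log)
        return self.master


INITIAL_MASTER: Master = {"1000": 100.00, "2000": 50.00}   # constructed opening balances
DAY1_BATCH: List[Voucher] = [(1, "1000", 25.00), (2, "2000", -10.00), (3, "9999", 5.00)]
DAY2_BATCH: List[Voucher] = [(4, "1000", -5.00)]


def demo_batch() -> Tuple[Master, Master]:
    """Return (child after day 2, child rebuilt from the parent) to show recovery matches."""
    gpc = GrandparentParentChild(INITIAL_MASTER)
    gpc.run_batch(DAY1_BATCH)
    child, _ = gpc.run_batch(DAY2_BATCH)
    gpc.generations[-1] = ({}, DAY2_BATCH)   # simulate losing the child master file
    return child, gpc.recover_child()


def demo_online() -> Tuple[Master, Master]:
    """Return (master before loss, master after rollback and recovery)."""
    ledger = OnlineLedger(INITIAL_MASTER)
    ledger.post((1, "1000", 25.00))
    ledger.periodic_backup()
    ledger.post((2, "2000", -10.00))
    ledger.post((3, "9999", 5.00))           # rejected, so it never reaches the log
    before = dict(ledger.master)
    ledger.master = {}                       # simulate losing the live master
    return before, ledger.rollback_and_recover()


if __name__ == "__main__":
    print(demo_batch())
    print(demo_online())
```

Both recoveries only work because a rejected voucher never changes a master and an accepted one is recorded (in the retained batch or the log) before it is applied; a routine that updated the old master in place, or logged after posting, would leave nothing consistent to recover from.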
Field Checks
• check digit
• completeness check
• default value
• field or mode check
• range (limit) check
• validity/set check
Record Checks
• master reference check
• reasonableness check
• referential integrity
• valid sign check
Batch Checks
• sequence check
• transaction type check
• batch control totals
  • hash control total
  • financial/numeric total
  • record control total
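The field, record and batch checks listed on the three slides above, run over a constructed journal voucher batch, as an added Python example (not code from the original slides). The chart of accounts, department list, amount limit, control slip and vouchers are all constructed; the check digit uses the Luhn mod-10 scheme as one concrete instance of a check-digit test, and the account numbers in the sample carry Luhn check digits.

```python
"""Input edits for a journal voucher batch: field, record and batch checks.
Added illustration; the batch, chart of accounts and control slip are constructed."""
from typing import Any, Dict, List

# Constructed reference data standing in for the master files the checks consult.
MASTER_ACCOUNTS = {"10009": 5000.0, "20008": 5000.0, "40105": 5000.0}  # account -> typical max
DEPARTMENTS = {"SALES", "OPS", "GEN"}
VALID_TYPES = {"DR", "CR"}
AMOUNT_LIMIT = 50_000.00


def luhn_valid(number: str) -> bool:
    """Check digit test (Luhn mod-10): the weighted digit sum must be a multiple of 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def field_checks(rec: Dict[str, Any]) -> List[str]:
    """Checks that look at one field at a time."""
    errs = []
    for name in ("voucher_no", "account", "type", "amount"):            # completeness check
        if rec.get(name) in (None, ""):
            errs.append(f"completeness: {name} missing")
    rec.setdefault("dept", "GEN")                                      # default value
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or isinstance(amount, bool):  # field/mode check
        errs.append("mode: amount is not numeric")
    elif abs(amount) > AMOUNT_LIMIT:                                   # range (limit) check
        errs.append(f"range: amount {amount} exceeds limit {AMOUNT_LIMIT}")
    if rec.get("type") not in VALID_TYPES:                             # validity/set check
        errs.append(f"validity: type {rec.get('type')!r} not in {sorted(VALID_TYPES)}")
    if not luhn_valid(str(rec.get("account", ""))):                    # check digit
        errs.append(f"check digit: account {rec.get('account')} fails mod-10")
    return errs


def record_checks(rec: Dict[str, Any]) -> List[str]:
    """Checks that relate fields to each other or to master files."""
    errs = []
    amount = rec.get("amount")
    if isinstance(amount, (int, float)) and amount <= 0:               # valid sign check
        errs.append("sign: amount must be positive; debit/credit is carried by type")
    typical = MASTER_ACCOUNTS.get(str(rec.get("account")))
    if typical is None:                                                # master reference check
        errs.append(f"master reference: account {rec.get('account')} not on chart of accounts")
    elif isinstance(amount, (int, float)) and amount > typical:        # reasonableness check
        errs.append(f"reasonableness: amount {amount} above typical {typical} for account")
    if rec.get("dept") not in DEPARTMENTS:                             # referential integrity
        errs.append(f"referential integrity: dept {rec.get('dept')!r} unknown")
    return errs


def batch_checks(records: List[Dict[str, Any]], control_slip: Dict[str, float]) -> List[str]:
    """Checks over the whole batch against the control slip prepared by data control."""
    errs = []
    numbers = [r["voucher_no"] for r in records]
    for prev, cur in zip(numbers, numbers[1:]):                        # sequence check
        if cur != prev + 1:
            errs.append(f"sequence: gap between {prev} and {cur}")
    if any(r.get("type") not in VALID_TYPES for r in records):         # transaction type check
        errs.append("transaction type: batch contains a record of the wrong type")
    totals = {
        "record_control_total": len(records),
        "financial_total": round(sum(float(r["amount"]) for r in records), 2),
        "hash_control_total": sum(int(r["account"]) for r in records if str(r["account"]).isdigit()),
    }
    for name, computed in totals.items():                              # batch control totals
        if computed != control_slip.get(name):
            errs.append(f"{name}: computed {computed}, control slip {control_slip.get(name)}")
    return errs


def validate_batch(records: List[Dict[str, Any]], control_slip: Dict[str, float]) -> Dict[str, Any]:
    """Run all three levels; return errors keyed by voucher number plus batch-level errors."""
    per_record = {r["voucher_no"]: field_checks(r) + record_checks(r) for r in records}
    return {"records": per_record, "batch": batch_checks(records, control_slip)}


# Constructed sample batch: three clean vouchers and one that trips several edits.
SAMPLE_BATCH = [
    {"voucher_no": 101, "account": "10009", "type": "DR", "amount": 1200.50, "dept": "SALES"},
    {"voucher_no": 102, "account": "20008", "type": "CR", "amount": 1200.50, "dept": "SALES"},
    {"voucher_no": 103, "account": "40105", "type": "DR", "amount": 20000.00, "dept": "OPS"},
    {"voucher_no": 105, "account": "10008", "type": "XX", "amount": 75000.00, "dept": "HR"},
]
SAMPLE_CONTROL_SLIP = {"record_control_total": 4, "financial_total": 97401.00, "hash_control_total": 80130}

if __name__ == "__main__":
    result = validate_batch(SAMPLE_BATCH, SAMPLE_CONTROL_SLIP)
    for no, errs in result["records"].items():
        print(no, errs or "clean")
    print("batch:", result["batch"] or "clean")
```

Note what the sample shows about the layering: the control totals all agree with the slip, so the batch as keyed is exactly the batch that was submitted, yet the sequence check still catches the missing voucher 104 and the field and record edits still reject voucher 105. Control totals confirm that nothing was lost or altered in transcription; they say nothing about whether the individual records are valid, which is why all three levels are needed.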
File Controls
• External file labels
• Internal file labels
• Lock-out procedures
• Read-only file designation
• File protection rings
Documentation
• Procedural documentation
• Systems documentation
• User manual
• Application documentation
• Operator manual
• Data documentation
  • record layout
  • data dictionary
• Operating documentation
Give Accounting and Information Systems Organizational Independence
• To the extent possible, separate responsibilities within the information systems function:
  • Systems Analysis
  • Database Administration
  • Programming
  • Operations
  • Information Systems Library
  • Data Control
Reporting Instructions - Used to Generate Queries, Documents, and Reports
• Access the user output request, along with any specifications or parameters. Validate that the user should have access to the requested information.
• Determine if a format is stored for the output. If so, access the format file. If not, allow the user to help specify a format or use a default format.
• Access necessary data from appropriate data pools and process it (if necessary).
• Communicate the output to the screen, printer, or computer file and display it in the prescribed format.