
Accounting Information Systems: Controls and Processes, 2nd Edition (Turner, Weickgenannt), Chapter 04


Prepared by Coby Harmon
University of California, Santa Barbara
Westmont College
Chapter 4-1

Internal Controls and Risks in IT Systems
Chapter 4-2

Accounting Information Systems, 2nd Edition

Study Objectives
► An overview of internal controls for IT systems
► General controls for IT systems
► General controls from a Trust Services Principles perspective
► Hardware and software exposures in IT systems
► Application software and application controls
► Ethical issues in IT systems
Chapter 4-3

Internal Controls for IT Systems
Accounting Information System - collects, processes, stores, and reports accounting information
Internal controls for computer-based systems have been described as being of two types:
► General controls
► Application controls
Chapter 4-4 SO: An overview of internal controls for IT systems

Internal Controls for IT Systems
Exhibit 4-1 General and Application Controls in IT Systems
Application controls used to control inputs, processing, and outputs
General controls apply overall to the IT accounting system
Chapter 4-5

Internal Controls for IT Systems
Question
Internal controls that apply overall to the IT system are called
a. Overall controls
b. Technology controls
c. Application controls
d. General controls
Chapter 4-6

General Controls for IT Systems
Five categories of general controls:
► Authentication of users and limiting unauthorized access
► Hacking and other network break-ins
► Organizational structure
► Physical environment and physical security of the system
► Business Continuity
Chapter 4-7 SO: General controls for IT systems

General Controls for IT Systems
Authentication of Users and Limiting Unauthorized Users
► Log-in
► Biometric devices
► User IDs
► Computer log
► Password
► Nonrepudiation
► Smart card
► User profile
► Security token
► Authority table
► Two factor authentication
► Configuration tables
Chapter 4-8

General Controls for IT Systems
Hacking and other Network Break-Ins
► Firewall
► Secure sockets layer
► Symmetric encryption
► Virus
► Public key encryption
► Antivirus software
► Wired equivalency privacy
► Vulnerability assessment
► Wireless protected access
► Intrusion detection
► Service set identifier
► Penetration testing
► Virtual private network
Chapter 4-9

General Controls for IT Systems
Organizational Structure
IT governance committee, responsibilities include:
► Align IT investments to business strategy
► Budget funds and personnel for the most effective use of the IT systems
► Oversee and prioritize changes to IT systems
► Develop, monitor, and review all IT operational policies
► Develop, monitor, and review security policies
Chapter 4-10

Application Software and Application Controls
Source Document Controls
Source document - paper form used to capture and record the original data of an accounting transaction
Note:
► Many IT systems do not use source documents → General controls, such as computer logging of transactions and keeping backup files, become important
► Where source documents are used, several source document controls should be used
Chapter 4-56 SO: Application software and application controls

Application Software and Application Controls
Source Document Controls
Form Design - Both the source document and the input screen should be well designed so that they are easy to understand and use, logically organized into groups of related data
Form Authorization and Control:
► Area for authorization by appropriate manager
► Prenumbered and used in sequence
► Blank source documents should be controlled
Chapter 4-57

Application Software and Application Controls
Source Document Controls
Retention of Source Documents:
► Retained and filed for easy retrieval
► Part of the audit trail
Chapter 4-58

Application Software and Application Controls
Standard Procedures for Data Input
Data Preparation – standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents
Error Handling:
► Errors should be logged, investigated, corrected, and resubmitted for processing
► Error log should be regularly reviewed by an appropriate manager
Chapter 4-59

Application Software and Application Controls
Programmed Input Validation Checks
Data should be validated and edited to be as close to the original source of data as possible
Input validation checks include:
► Field check
► Completeness check
► Validity check
► Sign check
► Limit check
► Sequence check
► Range check
► Self-checking digit
► Reasonableness check
Chapter 4-60

Application Software and Application Controls
Control Totals and Reconciliation
Control totals are subtotals of selected fields for an entire batch of transactions
Three types:
► record counts,
► batch totals, and
► hash totals
Chapter 4-61

Application Software and Application Controls
Processing Controls
Intended to prevent, detect, or correct errors that occur during processing
► Ensure that application software has no errors
► Control totals, limit and range tests, and reasonableness and sign tests
► Computer logs of transactions processed, production run logs, and error listings
Chapter 4-62

Application Software and Application Controls
Output Controls
Reports from the various applications
Two primary objectives of output controls:
► to assure the accuracy and completeness of the output, and
► to properly manage the safekeeping of output reports to ascertain that security and confidentiality of the information is maintained
Chapter 4-63

Application Software and Application Controls
Question
Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
a. Completeness check
b. Validity check
c. Reasonableness check
d. Completeness check
Chapter 4-64

Application Software and Application Controls
Question
Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
a. Completeness check
b. Validity check
c. Reasonableness check
d. Field check
Chapter 4-65

Application Software and Application Controls
Question
Which programmed input validation makes sure that a value was entered in all of the critical fields?
a. Completeness check
b. Validity check
c. Reasonableness check
d. Field check
Chapter 4-66

Application Software and Application Controls
Question
Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
a. Record count
b. Hash total
c. Batch total
d. Field total
Chapter 4-67

Ethical Issues in IT Systems
Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
► Misuse of confidential customer information
► Theft of data, such as credit card information, by hackers
► Employee use of IT system hardware and software for personal use or personal gain
► Using company e-mail to send offensive, threatening, or sexually explicit material
Chapter 4-68 SO: Ethical issues in IT systems

The Real World
An unusual case of computer abuse occurred at a federal agency that regulates financial aspects of companies. The Securities and Exchange Commission (SEC) detected senior managers spending excessive hours viewing pornography during regular working hours. One SEC attorney spent as much as eight hours a day viewing pornography on his office computer. A congressional investigation revealed that 33 high-level SEC staffers in Washington, D.C., were involved in such abuse of computers. Ironically, this misconduct was occurring during the same time that this agency should have been monitoring and reviewing banking institutions and other companies involved in the country’s financial meltdown.
Chapter 4-69

Copyright
Copyright © 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.
Chapter 4-70
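The programmed input validation checks named on the slides, applied to one batch of sales lines and collected into an error log for review. This is an added example, not material from the textbook or the slide deck: the field names, account codes, limits and sample rows are constructed, and Luhn mod-10 is an assumed choice of self-checking digit scheme.

```python
import re

VALID_ACCOUNTS = {"4000", "4010", "4020"}   # constructed master-file codes
AMOUNT_LIMIT = 5000.00                       # constructed per-line ceiling
PRICE_RANGE = (0.01, 999.99)                 # constructed low/high bounds
REQUIRED = ("seq", "customer_id", "account", "quantity", "unit_price", "amount")

def luhn_ok(number):
    """Self-checking digit, using Luhn mod-10 as an assumed scheme."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)    # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def validate(txn, prev_seq):
    """Return the name of every failed check; an empty list means accept."""
    missing = [f for f in REQUIRED if txn.get(f) in (None, "")]
    if missing:                              # completeness check: stop here
        return ["completeness:" + ",".join(missing)]
    numeric = re.fullmatch(r"[0-9]+", txn["customer_id"]) is not None
    expected = txn["quantity"] * txn["unit_price"]
    checks = {                               # True means the check passed
        "field:customer_id": numeric,
        "check_digit:customer_id": not numeric or luhn_ok(txn["customer_id"]),
        "validity:account": txn["account"] in VALID_ACCOUNTS,
        "sign:quantity": txn["quantity"] > 0,
        "range:unit_price": PRICE_RANGE[0] <= txn["unit_price"] <= PRICE_RANGE[1],
        "limit:amount": txn["amount"] <= AMOUNT_LIMIT,
        "reasonableness:amount": abs(txn["amount"] - expected) < 0.005,
        "sequence:seq": txn["seq"] == prev_seq + 1,
    }
    return [name for name, passed in checks.items() if not passed]

def error_log(batch):
    """Validate a batch in order; return {seq: [failed checks]} for review."""
    log, prev = {}, 0
    for txn in batch:
        log[txn.get("seq")] = validate(txn, prev)
        prev = txn.get("seq") or prev
    return {seq: errs for seq, errs in log.items() if errs}

# Constructed sample batch, columns in REQUIRED order
ROWS = [(1, "79927398713", "4000", 3, 19.99, 59.97),      # clean
        (2, "79927398710", "4000", 1, 10.00, 10.00),      # mistyped customer id
        (4, "1008", "9999", -2, 50.00, 100.00),           # gap, bad code, bad sign
        (5, "1008", "4010", 10, 600.00, 6000.00),         # over the limit
        (6, "", "4000", 1, 5.00, 5.00)]                   # blank critical field
BATCH = [dict(zip(REQUIRED, r)) for r in ROWS]
```
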
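The three control totals from the "Control Totals and Reconciliation" slide, recomputed after processing and reconciled against the batch header. This is an added example, not material from the textbook or the slide deck; the record layout, account numbers and amounts are constructed.

```python
from decimal import Decimal

def control_totals(records):
    """Record count, batch total and hash total for (account_no, amount) records."""
    return {
        "record_count": len(records),
        # batch total: a sum that is also meaningful financially
        "batch_total": sum((Decimal(amt) for _, amt in records), Decimal("0")),
        # hash total: account numbers summed for control purposes only
        "hash_total": sum(int(acct) for acct, _ in records),
    }

def reconcile(header, records):
    """Names of the control totals that disagree with the batch header."""
    actual = control_totals(records)
    return sorted(name for name in header if header[name] != actual[name])

# Constructed batch as prepared from source documents, with its header totals
SENT = [("10234", "150.00"), ("10871", "89.50"), ("11502", "1200.00")]
HEADER = control_totals(SENT)

# Constructed outcomes after processing
CASES = {
    "intact":    SENT,
    "dropped":   SENT[:2],                                   # one record lost
    "altered":   [SENT[0], ("10871", "98.50"), SENT[2]],     # amount digits transposed
    "misposted": [SENT[0], ("10817", "89.50"), SENT[2]],     # account digits transposed
    "swapped":   [("10234", "89.50"), ("10871", "150.00"), SENT[2]],  # amounts exchanged
}

def reconcile_all():
    """Run the reconciliation for every constructed case."""
    return {name: reconcile(HEADER, recs) for name, recs in CASES.items()}
```

The misposted case is caught only by the hash total, and the swapped case passes all three totals, so compensating errors still need record-level checks and transaction logs to be found.
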

Date posted: 12/05/2017, 11:07
