
Chapter 15: Controlling Computer-Based Information Systems, Part I

Accounting Information System 3rd Edition James Hall

EFFECTS OF CBIS ON TRADITIONAL CONTROL ACTIVITIES

Control activities have emerged in response to fundamental risks which, under different technological scenarios, change in their nature but do not go away.

CONTROL ACTIVITIES:

A. TRANSACTION AUTHORIZATION
Authorization procedures are controls that ensure that an organization's employees process only valid transactions within the scope of their prescribed authority.
In a CBIS environment, transactions are often authorized by rules embedded within the computer program. The responsibility for achieving appropriate transaction authorization rests directly on the accuracy and the integrity of the computer programs that perform these tasks.

B. SEGREGATION OF DUTIES
Objective 1. Transaction authorization is separate from transaction processing.
Objective 2. Asset custody is separate from record-keeping responsibilities.
Objective 3. The organization should be structured so that a successful fraud requires collusion between two or more individuals with incompatible responsibilities.

[Figure: segregation of duties in the manual environment]
                         TRANSACTION
  Authorization  |  Processing  |  Recording (Journals, Subsidiary Ledgers, General Ledgers)  |  Custody
  Control Objective 1: separates Authorization from Processing
  Control Objective 2: separates Custody from Recording
  Control Objective 3: spans all functions so that fraud requires collusion

In a CBIS environment, separation of duties is not identical to that in a manual system: a computer program may perform many tasks that are deemed incompatible in the manual environment. Primary activities that must be adequately separated:
  Program Development
  Program Operations
  Program Maintenance

C. SUPERVISION
Supervision is often used as a compensating control in situations where an adequate separation of duties is not possible for economic or practical reasons. Adequate supervision is especially important in small organizations, or in small functional units of larger firms, where individual employees must perform incompatible tasks.
In a CBIS environment, supervisory control must be more elaborate than in manual systems for 3 reasons:
  1. The problem of attracting competent employees.
  2. Management's concern over the trustworthiness of data processing personnel in high-risk areas.
  3. Management's inability to adequately observe employees in a CBIS environment.

Made by: Jessica Therese P. Atienza

D. ACCOUNTING RECORDS


In a manual system, organizations must keep accounting records in the form of source documents, journals and ledgers. These records provide an audit trail of essential information for tracing transactions from their initiation to their final disposition. Adequate accounting records are a critical element of internal control that the firm's management and accountants are obliged to maintain and their auditors are obliged to review.
In a CBIS environment, documents and audit trails may assume very different and unfamiliar forms. Source documents and ledger accounts are kept magnetically on various mass storage devices. Journal entries, or their equivalent transaction records, are often fragmented and stored in normalized database files. Audit trails between these various magnetic records may take the form of pointers, hashing techniques, indexes, or embedded keys. To meet their respective responsibilities, the firm's management, accountants, and auditors must understand the operational principles of the data management systems in use.

E. ACCESS CONTROL
Access to the firm's assets should be limited to authorized personnel only. Uncontrolled access exposes assets to misappropriation, illegal use, theft, and destruction. Assets are at risk from both direct and indirect access. Controls over direct access include physical security devices, such as locks, safes, fences, restricted areas, and various alarm systems. Indirect access is accomplished by accessing the accounting records that control the distribution or ownership of physical assets. In a manual system, indirect access control is accomplished by controlling the use of documents and records and by segregating the duties of those who must access and process these records.
In a CBIS environment, accounting records tend to be concentrated within the data processing center on mass storage devices.
2 THREATS WITH DATA CONSOLIDATION:
  Computer fraud
  Losses from disasters
Another access control problem unique to the CBIS environment is controlling access to computer programs. Errors and fraud exposures are more likely to occur in the maintenance phase.
2 FORMS OF EXPOSURE WHEN APPLICATIONS ARE MODIFIED MANY TIMES:
  During authorized program maintenance, unintentional errors are sometimes programmed into applications along with the intended changes.
  Illegal access to applications can be used to make fraudulent program changes.
CONTROLS THAT ADDRESS THESE EXPOSURES:
  Techniques designed to limit personnel access authority
  Restricting access to computer programs
  Providing physical security for the data processing center
  Ensuring adequate backup for data files
  Providing disaster recovery capability

Individuals should be granted access to data, programs, and restricted areas only when a need in connection with their assigned tasks has been demonstrated.

F. INDEPENDENT VERIFICATION
Verification procedures are independent checks of the accounting system to identify errors and misrepresentations. Verification differs from supervision because it takes place after the fact, by an individual who is not directly involved with the transaction or task being verified. Supervision takes place while the activity is being performed, by a supervisor with direct responsibility for the transaction or task.
Through the independent verification process, management can assess:
  1. The performance of individuals
  2. The integrity of the transaction processing system
  3. The correctness of data contained in accounting records

EXAMPLES OF INDEPENDENT VERIFICATIONS:
  The reconciliation of batch totals at periodic points during transaction processing.


  The comparison of physical assets with accounting records.
  The reconciliation of subsidiary accounts with control accounts.
  Reviews by management of reports that summarize business activity.
  Periodic audits by independent external and internal auditors.

Independent verifications are needed in the manual environment because employees sometimes make mistakes or forget to perform necessary tasks. In the CBIS environment, accountants and auditors perform their independent verification function by evaluating controls over systems development and maintenance activities and, occasionally, by reviewing the internal logic of programs.

GENERAL CONTROL FRAMEWORK FOR THE CBIS ENVIRONMENT

GENERAL CONTROLS: apply to a wide range of exposures that systematically threaten the integrity of all applications processed within the CBIS environment.

1. OPERATING SYSTEM CONTROLS
The OPERATING SYSTEM is the computer's program. It allows users and their applications to share and access common computer resources, such as processors, main memory, databases, and printers.
3 MAIN TASKS OF THE OS:
  1. It translates high-level languages, such as COBOL, FORTRAN, BASIC, and SQL, into the machine-level language that the computer can execute. Compilers and interpreters are the language translator modules of the OS.
  2. It allocates computer resources to users, workgroups, and applications. This includes assigning memory workspace (partitions) to applications and authorizing access to terminals, telecommunications links, databases, and printers.
  3. It manages the tasks of job scheduling and multiprogramming.
3 WAYS JOBS ARE SUBMITTED TO THE SYSTEM:
  Directly by the system operator
  From various batch-job queues
  Through telecommunications links from remote workstations
To achieve efficient and effective use of finite computer resources, the OS must schedule job processing according to established priorities and balance the use of resources among the competing applications.
5 FUNDAMENTAL CONTROL OBJECTIVES:
  1. The OS must protect itself from users. User applications must not be able to gain control of, or damage in any way, the OS, thus causing it to cease running or destroy data.
  2. The OS must protect users from each other. One user must not be able to access, destroy, or corrupt the data or programs of another user.
  3. The OS must protect users from themselves. A user's application may consist of several modules stored in separate memory locations, each with its own data. One module must not be allowed to destroy or corrupt another module.
  4. The OS must be protected from itself. The OS is also made up of individual modules. No module should be allowed to destroy or corrupt another module.
  5. The OS must be protected from its environment. In the event of a power failure or other disaster, the OS should be able to achieve a controlled termination of activities from which it can later recover.
OPERATING SYSTEM SECURITY: involves policy, procedures, and controls that determine who can access the OS, which resources they can access, and what actions they can take.
SECURITY COMPONENTS:
LOG-ON PROCEDURE: the OS's first line of defense against unauthorized access.
ACCESS TOKEN: contains key information about the user, including user ID, password, user group, and the privileges granted to the user.
ACCESS CONTROL LIST: contains information that defines the access privileges for all valid users of the resource.


DISCRETIONARY ACCESS CONTROL: allows resource owners to grant access privileges to other users.
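The four security components above (log-on procedure, access token, access control list, discretionary access control) wired together as an added Python example that is not part of these notes or of Hall's text. A log-on yields a token carrying user ID, group and privileges; each resource has an ACL; only the resource owner may extend it; and every decision, including a privileged bypass, lands in an audit trail. User names, passwords, the resource name and event labels are constructed for illustration.

```python
import hashlib, hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessToken:            # issued by the log-on procedure
    user_id: str
    group: str
    privileges: frozenset     # system-wide privileges, e.g. "sysadmin"

@dataclass
class Resource:
    owner: str
    acl: dict = field(default_factory=dict)  # principal ("uid" or "group:<g>") -> set of actions

def _pw_hash(password, salt="constructed-salt"):
    return hashlib.sha256((salt + password).encode()).hexdigest()

class ReferenceMonitor:
    def __init__(self):
        # user_id -> (password hash, group, privileges); sample users are constructed.
        # The chapter lists the password among the token's fields; only a hash is kept here.
        self._users = {
            "jsmith": (_pw_hash("ledger!2024"), "accounting", frozenset()),
            "ops_admin": (_pw_hash("root-pw"), "operations", frozenset({"sysadmin"})),
        }
        self.resources = {"AR_ledger": Resource(owner="jsmith", acl={"jsmith": {"read", "write"}})}
        self.audit_trail = []  # audit trail control: (event, user, resource, detail)

    def log_on(self, user_id, password):
        rec = self._users.get(user_id)
        ok = rec is not None and hmac.compare_digest(rec[0], _pw_hash(password))
        self.audit_trail.append(("LOGON" if ok else "LOGON_FAIL", user_id, None, None))
        return AccessToken(user_id, rec[1], rec[2]) if ok else None

    def grant(self, token, resource, principal, action):
        res = self.resources[resource]
        if token.user_id != res.owner:  # discretionary access control: only the owner may extend the ACL
            self.audit_trail.append(("GRANT_DENIED", token.user_id, resource, f"{principal}:{action}"))
            return False
        res.acl.setdefault(principal, set()).add(action)
        self.audit_trail.append(("GRANT", token.user_id, resource, f"{principal}:{action}"))
        return True

    def check(self, token, resource, action):
        acl = self.resources[resource].acl
        permitted = action in acl.get(token.user_id, set()) | acl.get("group:" + token.group, set())
        if not permitted and "sysadmin" in token.privileges:
            permitted, event = True, "PRIVILEGED_ACCESS"  # the exposure the chapter names: must be logged
        else:
            event = "ALLOW" if permitted else "DENY"
        self.audit_trail.append((event, token.user_id, resource, action))
        return permitted
```

The PRIVILEGED_ACCESS entries are the records an auditor would review for the first threat listed below, privileged personnel abusing their authority.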

THREATS TO OS INTEGRITY
3 SOURCES OF EXPOSURES:
  1. Privileged personnel who abuse their authority. System administrators and systems programmers require unlimited access to the OS to perform maintenance and to recover from system failures. Such individuals may use this authority to access users' programs and data files.
  2. Individuals, both internal and external to the organization, who browse the OS to identify and exploit security flaws.
  3. An individual who intentionally (or accidentally) inserts a computer virus or other form of destructive program into the OS.
OPERATING SYSTEM CONTROL TECHNIQUES
Controlling Access Privileges: user access privileges are assigned to individuals and to entire workgroups authorized to use the system.

2. DATA MANAGEMENT CONTROLS
3. ORGANIZATIONAL STRUCTURE CONTROLS
4. SYSTEM DEVELOPMENT CONTROLS
5. SYSTEMS MAINTENANCE CONTROLS
6. COMPUTER CENTER SECURITY AND CONTROLS
7. INTERNET AND INTRANET CONTROLS
8. ELECTRONIC DATA INTERCHANGE CONTROLS
9. PERSONAL COMPUTER CONTROLS

APPLICATION CONTROLS: are narrowly focused on exposures associated with specific systems.
10. APPLICATION CONTROLS

SUMMARY OF CBIS EXPOSURES AND CONTROLS

1. Operating System
   NATURE OF EXPOSURE: Accidental and intentional threats, including attempts to access data illegally, violate user privacy, or perform malicious acts.
   CONTROL TECHNIQUES: Access privilege control, password control, virus control, audit trail control, and fault tolerance control.

2. Data Management
   NATURE OF EXPOSURE: Inadequate backup of data and unauthorized access to data by authorized and unauthorized personnel.
   CONTROL TECHNIQUES: Backup controls: grandparent-parent-child backup procedures, direct access file backup and recovery procedures. Access controls: subschemas, passwords, authorization rules, user-defined procedures, encryption, biometric devices, and inference controls.

3. Organizational Structure
   NATURE OF EXPOSURE: Programmers and operators who perform incompatible functions may perpetrate program fraud. Documentation standards may be inadequate to support audit tasks. Data files in tape libraries are subject to loss, destruction, and illegal access.
   CONTROL TECHNIQUES: The functions of programming, computer operations, tape librarian, and database administrator should be organizationally segregated.

4. Systems Development
   NATURE OF EXPOSURE: The development of unauthorized projects, resulting in the misapplication of financial resources. Projects are improperly prioritized, resulting in inefficient allocation of resources. Newly implemented systems contain material errors or fraud, or fail to meet user needs. Poor-quality systems documentation impedes audit and maintenance activities.
   CONTROL TECHNIQUES: Systems authorizations, user specification activities, technical design activities, internal audit participation, program testing, and user test and acceptance procedures.

5. Systems Maintenance
   NATURE OF EXPOSURE: Unauthorized change can result in program errors, fraud, incorrect information presented in financial statements and to users, system failures, and severe disruptions to operations.
   CONTROL TECHNIQUES: Program maintenance authorizations, user involvement, technical specifications, program testing, documentation, and source program library software control.

6. Computer Center
   NATURE OF EXPOSURE: Loss and theft of physical equipment and system disruption caused by software failure, hardware failure, power outages, and physical disasters.
   CONTROL TECHNIQUES: Physical construction, location, limited access to computer facilities, air conditioning, backup power supply, and disaster recovery planning.
