
CHAPTER 10

INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY


Learning Objectives:
1. Identify and explain controls designed to ensure processing
integrity.
2. Identify and explain controls designed to ensure systems
availability.

Processing Integrity
Table 10-1 on page 275 groups six categories of application
controls as they apply to input, processing, or output of data.
The AC is Access Controls.

Input Controls
As the old saying goes: garbage in, garbage out.
The quality of data that is collected about business activities
and entered into the information system is vital.
The following source data controls regulate the integrity of
input:
1. Forms Design. Source documents and other forms should
be designed to help ensure that errors and omissions
are minimized.
   Prenumbered Forms. Prenumbering forms improves
   control by making it possible to verify that
   none is missing.
   Turnaround Documents. A turnaround document is a
   record of company data sent to an external party
   and then returned by the external party to the
   system as input.
2. Cancellation and Storage of Documents. Documents that
have been entered into the system should be cancelled
so they cannot be inadvertently or fraudulently
reentered into the system. Paper documents should be
defaced, for example, by stamping them "paid."
Electronic documents can be similarly cancelled by
setting a flag field to indicate that the document has
already been processed.
3. Authorization and Segregation of Duties. Source
documents should be prepared only by authorized
personnel acting within their authority.
4. Visual Scanning. Source documents should be scanned for
reasonableness and propriety before being entered into
the system.

Data Entry Controls
The following tests are used to validate input data:
1. A Field Check determines if the characters in a field
are of the proper type.
2. A Sign Check (+/-) determines if the data in a field
have the appropriate arithmetic sign.
3. A Limit Check tests a numerical amount to ensure that
it does not exceed a predetermined value.
4. A Range Check is similar to a limit check except that
it has both upper and lower limits.
5. A Size Check ensures that the input data will fit
into the assigned field.
6. A Completeness Check on each input record determines
if all required data items have been entered.
7. A Validity Check compares the ID code or account
number in transaction data with similar data in the
master file to verify that the account exists.
8. A Reasonableness Test determines the correctness of
the logical relationship between two data items.
9. Check Digit Verification. Authorized ID numbers (such
as an employee number) can contain a check digit that
is computed from the other digits. For example, the
system could assign each new employee a nine-digit
number, then calculate a tenth digit from the
original nine and append that calculated digit to the
original nine to form a ten-digit ID number.
   Data entry devices can be programmed to perform
   check digit verification by using the first nine
   digits to calculate the tenth digit each time an
   ID number is entered. If an error is made in
   entering any of the ten digits, the calculation
   made on the first nine digits will not match the
   tenth, or check digit.

The above tests are used for both batch processing and
online real-time processing.
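
Added example (not part of the original notes): check digit verification for the ten-digit ID described in item 9, combined with the size and field checks from the same list. The notes do not say how the tenth digit is calculated, so the Luhn (mod 10) formula is assumed here; the function names and sample IDs are constructed for illustration.

```python
def luhn_check_digit(base: str) -> int:
    """Compute a Luhn check digit for a string of decimal digits (assumed scheme)."""
    total = 0
    # Walk right to left; every other digit, starting with the rightmost
    # base digit, is doubled and reduced to a single digit.
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def assign_id(nine_digits: str) -> str:
    """Append the calculated tenth digit to a nine-digit base number."""
    if len(nine_digits) != 9 or not (nine_digits.isascii() and nine_digits.isdigit()):
        raise ValueError("base number must be exactly nine digits")
    return nine_digits + str(luhn_check_digit(nine_digits))


def verify_id(entered: str) -> tuple[bool, str]:
    """Recalculate the tenth digit from the first nine at data entry time."""
    if len(entered) != 10:                                # size check
        return False, "size check failed"
    if not (entered.isascii() and entered.isdigit()):     # field check
        return False, "field check failed"
    if luhn_check_digit(entered[:9]) != int(entered[9]):
        return False, "check digit mismatch"
    return True, "ok"


if __name__ == "__main__":
    good = assign_id("123456789")           # constructed sample ID
    for entered in (
        good,            # entered correctly
        "1234567807",    # one digit keyed wrong (9 -> 0)
        "1235467897",    # adjacent digits 4 and 5 transposed
        "12345678O7",    # letter O keyed instead of zero
    ):
        print(entered, verify_id(entered))
    # Limit of the assumed formula: swapping an adjacent 0 and 9 is not
    # detected, so the check digit supplements the validity check against
    # the master file rather than replacing it.
    print(assign_id("120000090"), verify_id("1200000097"))
```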

Additional Batch Processing Data Entry Controls:
1. Batch processing works correctly only if the transactions
are presorted to be in the same sequence as records in the
master file. A sequence check tests if a batch of input data
is in the proper numerical or alphabetical sequence.
2. Information about data input or data processing errors (date
they occurred, cause of the error, date corrected and
resubmitted) should be entered in an error log.
3. Batch Totals. Three commonly used batch totals are:
   A Financial Total sums a field that contains dollar
   values, such as the total dollar amount of all
   sales for a batch of sales transactions.
   A Hash Total sums a nonfinancial numeric field,
   such as the total of the quantity ordered field in
   a batch of sales transactions.
   A Record Count sums the number of records in a
   batch.

Additional Online Data Entry Controls
Whenever possible, the system should automatically enter
transaction data, which saves keying time and reduces
errors.
Other online processing data entry controls include:
1. Prompting, in which the system requests each input
data item and waits for an acceptable response. This
ensures that all necessary data are entered (i.e., an
online completeness check).
2. Preformatting, in which the system displays a document
with highlighted blank spaces and waits for the data
to be entered.
3. Closed-Loop Verification checks the accuracy of input
data by using it to retrieve and display other related
information.
4. Creation of a transaction log that includes a detailed
record of all transaction data; a unique transaction
identifier; the date and time of entry; terminal,
transmission line, and operator identification; and
the sequence in which the transaction was entered.
5. Error messages should indicate when an error has
occurred, which items are in error, and what the
operator should do to correct it.

Processing Controls
Controls are also needed to ensure that data is processed
correctly:
1. Data Matching. In certain cases, two or more items of
data must be matched before an action can take place.
For example, the system should verify that information
on the vendor invoice matches that on both the
purchase order and the receiving report before paying
a vendor.
2. File Labels. File labels need to be checked to ensure
that the correct and most current files are being
updated.
Two important types of internal labels are
header and trailer records.
The header record is located at the beginning of
each file and contains the file name, expiration
date, and other identification data.
The trailer record is located at the end of the
file and contains the batch totals calculated
during input.
3. Recalculation of Batch Totals. Batch totals can be
recomputed as each transaction record is processed and
compared to the values in the trailer record.
If a financial total or other batch total discrepancy is evenly
divisible by 9, the likely cause is a
transposition error, in which two adjacent
digits were inadvertently reversed (e.g., 46
instead of 64).
4. Cross-Footing and Zero-Balance Test. Often totals can
be calculated in multiple ways. For example, in
spreadsheets a grand total can often be computed
either by summing a column of row totals or by summing
a row of column totals. These two methods should
produce the same result.
   A cross-footing balance test compares the
   results produced by each method to verify
   accuracy. For example, the totals for all debit
   columns are equal to the totals for all credit
   columns.
   A zero-balance test applies the same logic to
   control accounts. For example, the sum of the
   balances for all customers in an accounts
   receivable subsidiary ledger should equal
   the balance in the accounts receivable general
   control account; the difference should be zero.
5. Write-Protection Mechanisms. These protect against the
accidental writing over or erasing of data files
stored on magnetic media.
6. Database Processing Integrity Procedures. Database
systems use database administrators, data
dictionaries, and concurrent update controls to ensure
processing integrity. The administrator establishes
and enforces procedures for accessing and updating the
database. The data dictionary ensures that data items
are defined and used consistently. Concurrent update
controls protect records from errors that occur when
two or more users attempt to update the same record
simultaneously. This is accomplished by locking out
one user until the system has finished processing the
update entered by the other.
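
Added example (not part of the original notes): recalculating batch totals against the trailer record, as described in items 2 and 3 above, and applying the divisible-by-9 rule to a discrepancy. The record layout, field names and sample batch are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SaleRecord:
    customer_no: int
    quantity: int
    amount_cents: int      # money kept in integer cents to avoid float rounding


@dataclass(frozen=True)
class TrailerRecord:
    record_count: int
    hash_total: int        # sum of the quantity field
    financial_total: int   # sum of amount_cents


def compute_totals(batch):
    """Batch totals as they would be calculated during input."""
    return TrailerRecord(
        record_count=len(batch),
        hash_total=sum(r.quantity for r in batch),
        financial_total=sum(r.amount_cents for r in batch),
    )


def reconcile(batch, trailer):
    """Recompute the totals and list (name, expected, actual, hint) mismatches."""
    actual = compute_totals(batch)
    findings = []
    for name in ("record_count", "hash_total", "financial_total"):
        expected, got = getattr(trailer, name), getattr(actual, name)
        diff = abs(expected - got)
        if diff == 0:
            continue
        # The divisible-by-9 rule is a hint for summed fields only; it does
        # not prove a transposition and says nothing about a record count.
        if name != "record_count" and diff % 9 == 0:
            hint = "possible transposition"
        else:
            hint = "investigate"
        findings.append((name, expected, got, hint))
    return findings


# Constructed sample: totals taken from the source documents at input time.
SOURCE = [
    SaleRecord(1001, 3, 12500),
    SaleRecord(1002, 12, 6400),
    SaleRecord(1003, 7, 9950),
]
TRAILER = compute_totals(SOURCE)

# Same batch after keying, with 64.00 entered as 46.00 on the second record.
KEYED_TRANSPOSED = [SOURCE[0], SaleRecord(1002, 12, 4600), SOURCE[2]]
# Same batch with the last record lost before processing.
KEYED_DROPPED = SOURCE[:2]

if __name__ == "__main__":
    for label, batch in (("clean", SOURCE),
                         ("transposed", KEYED_TRANSPOSED),
                         ("dropped", KEYED_DROPPED)):
        print(label, reconcile(batch, TRAILER))
```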

Output Controls
Careful checking of system output provides additional control over
processing integrity. Important output controls include:
1. User review of output. Users should carefully examine
system output for reasonableness and completeness, and
verify that they are the intended recipient.
2. Reconciliation procedures. Periodically, all
transactions and other system updates should be
reconciled to control reports, file status/update
reports, or other control mechanisms. In addition,
general ledger accounts should be reconciled to
subsidiary account totals on a regular basis.
3. External data reconciliation. Database totals should
periodically be reconciled with data maintained
outside the system. For example, the number of
employee records in the payroll file can be compared
with the total from human resources to detect attempts
to add fictitious employees to the payroll database.
COBIT application control objective AC6 addresses the need to
protect the confidentiality and integrity of data during
transmission.
When using encryption to protect the confidentiality of
information transmitted from one location to another,
organizations need to implement controls designed to minimize the
risk of data transmission errors.

Data Transmission Controls
Parity checking and message acknowledgement techniques are two
basic types of data transmission controls.
Parity Checking
Computers represent characters as a set of binary digits (bits).
When data are transmitted, some bits may be lost or received
incorrectly due to media disruptions or failures. To detect these
types of errors, an extra digit, called a parity bit, is added to
every character. For example, the digits 5 and 7 can be
represented by the seven-bit patterns 0000101 and 0000111,
respectively. An eighth bit could be added to each character to
serve as the parity bit. Two basic schemes are referred to as even
parity and odd parity. In even parity, the parity bit is set so
that each character has an even number of bits with the value 1;
in odd parity, the parity bit is set so that an odd number of bits
in the character have the value 1.
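
Added example (not part of the original notes): even and odd parity applied to the two seven-bit patterns above, with simulated transmission errors. Placing the parity bit as the eighth (rightmost) bit is an assumption, and the function names are constructed for illustration. The last case shows the limit of the control: two flipped bits cancel out and pass the check.

```python
def parity_bit(bits7: str, scheme: str = "even") -> str:
    """Return the parity bit that gives the character the required 1-count."""
    ones = bits7.count("1")
    if scheme == "even":
        return "1" if ones % 2 else "0"
    if scheme == "odd":
        return "0" if ones % 2 else "1"
    raise ValueError("scheme must be 'even' or 'odd'")


def add_parity(bits7: str, scheme: str = "even") -> str:
    """Sender side: append the parity bit to a seven-bit character."""
    if len(bits7) != 7 or set(bits7) - {"0", "1"}:
        raise ValueError("expected a seven-bit pattern")
    return bits7 + parity_bit(bits7, scheme)


def check_parity(bits8: str, scheme: str = "even") -> bool:
    """Receiver side: True if the eight received bits satisfy the scheme."""
    if len(bits8) != 8 or set(bits8) - {"0", "1"}:
        raise ValueError("expected an eight-bit pattern")
    ones = bits8.count("1")
    return ones % 2 == (0 if scheme == "even" else 1)


def flip(bits: str, *positions: int) -> str:
    """Simulate a transmission error by inverting the bits at the given indexes."""
    out = list(bits)
    for p in positions:
        out[p] = "1" if out[p] == "0" else "0"
    return "".join(out)


if __name__ == "__main__":
    for digit, pattern in (("5", "0000101"), ("7", "0000111")):
        print(digit, "even:", add_parity(pattern, "even"),
              "odd:", add_parity(pattern, "odd"))

    sent = add_parity("0000111", "even")
    print("no error      ", check_parity(sent))              # accepted
    print("one bit wrong ", check_parity(flip(sent, 2)))     # rejected
    print("two bits wrong", check_parity(flip(sent, 2, 5)))  # accepted: undetected
```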
Message Acknowledgment Techniques
Techniques can be used to let the sender of an electronic message
know that a message was received:
1. Echo Check. When data are transmitted, the system calculates
a summary statistic such as the number of bits in the
message. The receiving unit performs the same calculation,
a procedure known as an echo check, and sends the result to the
sending unit. If the counts agree, the transmission is
presumed to be accurate.
2. Trailer Record. The sending unit stores control totals in a
trailer record. The receiving unit uses that information to
verify that the entire message was received.
3. Numbered Batches. If a large message is transmitted in
segments, each can be numbered sequentially so that the
receiving unit can properly assemble the segments.

Example: Credit Sales Processing
The following illustrates processing integrity controls
using a credit sale as an example.
The following transaction data are used: sales order number,
customer account number, inventory item number, quantity
sold, sale price, and delivery date.
Processing these transactions includes the following steps:
1. Entering and editing the transaction data
2. Updating the customer and inventory records (the
amount of the credit purchase is added to the
customer's balance; for each inventory item, the
quantity sold is subtracted from the quantity on hand)
3. Preparing and distributing shipping or billing
documents

Batch Processing Integrity Controls
Processing credit sales transactions in a batch processing
mode includes the following steps:
1. Prepare batch totals. These totals are recorded on
batch control forms added to each group of sales
documents.
2. Deliver the transactions to the computer operations
department for processing.
3. Enter the transaction data into the system. Data entry
errors generally fall into one of two types, operator
errors or incorrect source data.
4. Sort and edit the transaction file. Either before or
after the sales transaction file is sorted into
customer number sequence, a program performs several
input validation checks.
5. Update the master files. The sales transaction file is
processed against customer (accounts receivable) and
inventory databases or master files.
6. Prepare and distribute output. Outputs include billing
or shipping documents and a control report.
7. User review. Users in the shipping and billing
departments perform a limited review of the documents
for incomplete data or other obvious deficiencies.
Figure 10-1 on page 275 illustrates these seven steps and
identifies the application controls that should be utilized
at each stage.

Online Processing Integrity Controls
Online Data Entry Controls
1. When a user accesses the online system, logical access
controls confirm the identity of the data entry device
(personal computer, terminal) and the validity of the
user's ID number and password.
2. A compatibility test is performed on all user
interactions to ensure that only authorized tasks are
performed.
3. The system automatically assigns the transaction the
next sequential sales order number and the current
date as the date of the invoice.
4. To assist authorized personnel in entering sales data,
the system prompts for all required input
(completeness test). After each prompt, the system
waits for a response.
5. Each response is tested using one or more of the
following controls: validity checks (valid customer
and inventory numbers), field and sign checks (only
positive, numeric characters in the quantity, date,
and price fields), and limit or range checks (delivery
date versus current date).
6. When the customer number is entered, the system
retrieves the corresponding customer name from the
database and displays it on the screen (closed-loop
verification).
7. When the inventory item number is entered, the system
and the operator go through the same procedures as
they do with the customer number.
Online Processing Controls
Updating files includes the customer and inventory
database records.
Additional validation tests are performed by
comparing data in each transaction record with
data in the corresponding database record.
These tests often include the following:
1. Validity checks on the customer and
inventory item numbers
2. Sign checks on inventory-on-hand balance
(after subtracting quantities sold)
3. Limit checks that compare each customer's
total amount due with the credit limit
4. Range checks on the sale price of each
item sold relative to the permissible
range of prices for that item
5. Reasonableness tests on the quantity sold
of each item relative to normal sales
quantities for that customer and that item
Online Output Controls
Output controls that can be utilized are as follows:
1. Billing and shipping documents are forwarded
electronically to only preauthorized users.
2. Users in the shipping and billing departments
perform a limited review of the documents by
visually inspecting them for incomplete data or
other obvious errors.
3. The control report is sent automatically to its
intended recipients, or they can query the
system for the report.
Focus 10-1 on page 283 discusses some of the issues involving the
use of electronic voting machines.
Electronic voting may eliminate some of the types of
problems that occurred in Florida in the November 2000
election.
Voting software could use completeness checks to ensure that
voters made choices in all races. This would eliminate the
hanging problem created by failing to completely punch out
the hole on a paper ballot.
Limit checks could identify and prevent voters from
attempting to select more candidates than permitted in a
particular race.
Some security experts suggest that election officials adopt
the methods used by the state of Nevada to ensure that
electronic gambling machines operate honestly and
accurately, which include the following:
1. The Gaming Control Board keeps copies of all software.
It is illegal for casinos to use any unregistered
software. For electronic voting, the government should
keep copies of the source code.
2. Frequent on-site spot checks of the computer chips in
gambling machines are made to verify compliance with
the Gaming Control Board's records. Similar tests
should be done to voting machines.
3. Extensive tests are conducted of the machines'
physical security, such as how they react to stun guns
and large electric shocks. Voting machines should be
similarly tested.
4. All gambling machine manufacturers are carefully
scrutinized and are registered. Similar checks should
be performed on voting machine manufacturers and
software developers.

Availability
Reliable systems and information are available for use whenever
needed.
Threats to system availability originate from many sources,
including:
1. Hardware and software failures
2. Natural and man-made disasters
3. Human error
4. Worms and viruses
5. Denial-of-service attacks and other acts of sabotage
Table 8-3 on page 309 summarizes the key controls for
ensuring system availability, which minimize system downtime and
provide timely recovery.

Minimizing Risk of System Downtime
The loss of system availability can cause significant
financial losses.
The shutdown of eBay and several other major Web sites in
early 2000 is estimated to have cost millions of dollars in
lost sales.
The following is a 2007 update on phishing attacks (source:
Wikipedia Encyclopedia at the following Web site:
http://en.wikipedia.org/wiki/Phishing ):
It is estimated that between May 2004 and May 2005,
approximately 1.2 million computer users in the United
States suffered losses caused by phishing, totaling
approximately U.S. $929 million. United States businesses
lose an estimated U.S. $2 billion per year as their clients
become victims. In 2007 phishing attacks escalated. 3.6
million adults lost U.S. $3.2 billion in the 12 months
ending in August 2007.
Organizations can take a variety of steps to minimize the
risk of system downtime.
The physical and logical access controls can reduce
the risk of successful denial-of-service attacks.
Good computer security reduces the risk of system
downtime due to the theft or sabotage of information
system resources.
The use of redundant components, such as dual
processors and arrays of multiple hard drives,
provides fault tolerance, enabling a system to
continue functioning in the event that a particular
component fails.
COBIT DS12 Manage the Physical Environment control
objectives DS12.1 (Site Selection and Layout) and DS12.4
(Protection against Environmental Factors) address the
importance of locating and designing the rooms housing
mission-critical servers and databases so as to minimize the
risks associated with natural and man-made disasters.
Surge protection devices provide protection against
temporary power fluctuation that might otherwise cause
computers and other network equipment to crash.
An uninterruptible power supply (UPS) system provides
protection in the event of a prolonged power outage.

Disaster Recovery and Business Continuity Planning
Disaster recovery and business continuity plans are
essential if an organization hopes to survive a major
catastrophe.
Reported losses from downtime run as high as $500,000 per
hour.
A life insurance company estimated during Hurricane Andrew
that it would have been out of business within three days
without a recovery plan.
Moreover, experience suggests that companies that have had a
major disaster resulting in loss of use of their information
system for more than a few days have a greater than 50
percent chance of going out of business.
Focus 10-2 on page 288 describes how NASDAQ recovered from
September 11.
Because of their recovery plan, NASDAQ was up and running
only 6 days after the 9/11/01 terrorist attack.
Although the Manhattan office phone lines were out, NASDAQ
still had offices in Maryland and Connecticut, which allowed
it to monitor the regulatory processes.
NASDAQ also had their executives carry more than one mobile
phone in case one service provider went down.
Data Backup Procedures
A backup is an exact copy of the most current version of a
database, file, or software program.

The process of installing the backup copy for use is called
restoration.
Several different backup procedures exist:
A full backup is an exact copy of the data recorded on
another physical media (tape, magnetic disk, CD, DVD,
etc.). Full backups are time-consuming, so most
organizations only do full backups weekly and
supplement them with daily backups.
Two types of partial backups are:
1. An incremental backup involves copying only
the data items that have changed since the
last backup.
2. A differential backup copies all changes made
since the last full backup.
Management must establish a recovery point objective (RPO),
which represents the maximum length of time for which it is
willing to risk the possible loss of transaction data.
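
Added example (not part of the original notes): which backup copies a restoration needs under the incremental and differential procedures above, and how much transaction data is exposed relative to the RPO. It generalizes slightly to a schedule that mixes both partial types. The hourly timeline, schedules and function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    hour: int   # hours since Sunday 00:00 on a constructed timeline
    kind: str   # "full", "incremental" or "differential"


def restore_chain(backups, failure_hour):
    """Backups to restore, in order, to recover to the latest possible point."""
    usable = sorted((b for b in backups if b.hour <= failure_hour),
                    key=lambda b: b.hour)
    fulls = [b for b in usable if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup precedes the failure")
    base = fulls[-1]
    after = [b for b in usable if b.hour > base.hour]
    chain = [base]
    # A differential holds every change since the last full backup, so only
    # the most recent one is needed and earlier partial backups are skipped.
    diffs = [b for b in after if b.kind == "differential"]
    if diffs:
        chain.append(diffs[-1])
        after = [b for b in after if b.hour > diffs[-1].hour]
    # Each incremental holds only the changes since the previous backup, so
    # every remaining one must be applied, oldest first.
    chain.extend(b for b in after if b.kind == "incremental")
    return chain


def exposure_hours(backups, failure_hour):
    """Hours of transaction data lost: time since the last usable backup."""
    return failure_hour - restore_chain(backups, failure_hour)[-1].hour


def meets_rpo(backups, failure_hour, rpo_hours):
    return exposure_hours(backups, failure_hour) <= rpo_hours


# Constructed schedules: weekly full on Sunday, nightly partial backups.
NIGHTLY = (24, 48, 72, 96)
INCREMENTAL = [Backup(0, "full")] + [Backup(h, "incremental") for h in NIGHTLY]
DIFFERENTIAL = [Backup(0, "full")] + [Backup(h, "differential") for h in NIGHTLY]
FAILURE = 110   # Thursday 14:00

if __name__ == "__main__":
    for name, sched in (("incremental", INCREMENTAL),
                        ("differential", DIFFERENTIAL)):
        chain = restore_chain(sched, FAILURE)
        print(name, [(b.kind, b.hour) for b in chain],
              "exposure:", exposure_hours(sched, FAILURE), "h")
    print("RPO 24 h met:", meets_rpo(INCREMENTAL, FAILURE, 24))
    print("RPO 4 h met: ", meets_rpo(INCREMENTAL, FAILURE, 4))
```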
Real-time mirroring involves maintaining two copies of the
database at two separate data centers at all times and
updating both copies in real-time as each transaction
occurs.
Periodically, the system makes a copy of the database at
that point in time, called a checkpoint, and stores it on
backup media.
An archive is a copy of a database, master file, or software
that will be retained indefinitely as an historical record,
usually to satisfy legal and regulatory requirements.
Infrastructure Replacement
A second key component of disaster recovery includes
provisions for replacing the necessary computer
infrastructure: computers, network equipment and access,
telephone lines, other office equipment (e.g., fax
machines), and supplies.
The recovery time objective (RTO) represents the time
following a disaster by which the organization's information
system must be available again.
Figure 10-3 on page 285 depicts the relationship and
differences between the recovery time objective (RTO) and
the recovery point objective (RPO).
Organizations have three basic options for replacing
computer and networking equipment:
1. The least expensive approach is to create
reciprocal agreements with another organization
that uses similar equipment to have temporary
access to and use of their information system
resources.
2. Another solution involves purchasing or leasing a
cold site, which is an empty building that is
prewired for necessary telephone and Internet
access, plus a contract with one or more vendors to
provide all necessary computers and other office
equipment within a specified period of time.
3. A more expensive solution for organizations, such
as financial institutions and airlines, which
cannot survive any appreciable time period without
access to their information system, is to create
what is referred to as a hot site. A hot site is a
facility that is not only prewired for telephone
and Internet access but also contains all the
computing and office equipment the organization
needs to perform its essential business activities.
Documentation
Documentation is an important, but often overlooked,
component of disaster recovery and business continuity
plans.
The plan itself, including instructions for notifying
appropriate staff and the steps to take to resume
operations, needs to be well documented.
Testing
Periodic testing and revision is probably the most
important component of effective disaster recovery and
business continuity plans.
Most plans fail their initial test because it is
impossible to anticipate everything that could go
wrong.
Disaster recovery and business continuity plans need
to be tested on at least an annual basis.
