Prepared by

Coby Harmon
University of California, Santa Barbara
Westmont College
Chapter 4-1

Internal Controls and Risks in IT Systems

Accounting Information Systems, 2nd Edition

Study Objectives
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Services Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems

Internal Controls for IT Systems
Accounting Information System - collects, processes,
stores, and reports accounting information.
Internal controls for computer-based systems have been
described as being of two types:
General controls
Application controls

Internal Controls for IT Systems
Exhibit 4-1 General and Application Controls in IT Systems

Application controls are used to control inputs, processing, and outputs.
General controls apply overall to the IT accounting system.

Internal Controls for IT Systems
Question
Internal controls that apply overall to the IT system are
called

a. Overall controls.
b. Technology controls.
c. Application controls.
d. General controls.

General Controls for IT Systems
Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business Continuity

General Controls for IT Systems
Authentication of Users and Limiting Unauthorized Users
Log-in
User IDs
Password
Smart card
Security token
Two-factor authentication
Biometric devices
Computer log
Nonrepudiation
User profile
Authority table
Configuration tables
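Two-factor authentication with a security token, as an added worked example that is not part of the textbook: the computation most hardware and app-based tokens perform is HOTP (RFC 4226) and its time-based form TOTP (RFC 6238), i.e. an HMAC over a shared secret and a moving counter or clock. The secret below is the RFC 6238 test-vector secret so the codes can be checked against the RFC's published table; the one-step drift window, the six-digit code length and the omission of replay tracking are this example's assumptions.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) one-time passwords,
the arithmetic behind a security token used as a second authentication factor.
The secret is the RFC 6238 Appendix B test secret, not a real credential.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890" for HMAC-SHA-1).
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """HOTP for one counter value (RFC 4226, section 5.3):
    HMAC over the 8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check of a submitted six-digit code.

    Accepts the code for the current step and up to `window` steps either side
    (clock drift between token and server), compares in constant time, and rejects
    anything that is not exactly six ASCII digits before doing any crypto.
    Assumption for brevity: a real verifier must also record the last accepted
    step per user so a captured code cannot be replayed inside the window.
    """
    if len(candidate) != 6 or not candidate.isdigit():
        return False
    current = unix_time // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + drift), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 8-digit codes; the 6-digit form is their last six digits.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC6238_TEST_SECRET, t, digits=8), totp(RFC6238_TEST_SECRET, t))
    now = int(time.time())
    print("current code verifies:", verify_totp(RFC6238_TEST_SECRET, totp(RFC6238_TEST_SECRET, now), now))
```

The token and the server run the same `totp` on the same secret, so the secret is the whole security of the scheme: it must be provisioned once over a protected channel and stored server-side with the same care as a password hash, and the drift window should be as small as clock skew allows because every extra step is another code an attacker may guess.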

General Controls for IT Systems
Hacking and other Network Break-Ins
Firewall
Symmetric encryption
Public key encryption
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Service set identifier (SSID)
Virtual private network (VPN)
Secure Sockets Layer (SSL)
Virus
Antivirus software
Vulnerability assessment
Intrusion detection
Penetration testing

General Controls for IT Systems
Organizational Structure
IT governance committee, responsibilities include:
1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use
of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.

General Controls for IT Systems
Organizational Structure
Duties to be segregated are:
Systems analysts
Programmers
Operations personnel
Database administrator

General Controls for IT Systems
Physical Environment and Security
Controls for an IT system should include controls over the physical environment of the system, which includes:
Location: locate in an area that is least at risk of natural disasters such as flood, earthquake, hurricane, and fire.
Operating environment: properly control dust, temperature, and humidity. The location should also have a fire protection system.
Back-up systems: the system should also have both an uninterruptible power supply and an emergency power supply.

General Controls for IT Systems
Physical Environment and Security
Physical access controls:
Limited access to computer rooms through employee ID badges or card keys
Video surveillance equipment
Logs of persons entering and exiting the computer rooms
Locked storage of backup data and offsite backup data
General Controls for IT Systems
Business Continuity
Business Continuity Planning (BCP)
Two parts of business continuity are related to IT systems:
A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
A disaster recovery plan.
The Real World
In some organizations, loss of a key CEO could spell disaster. For
example, Martha Stewart founded and became the CEO of Martha
Stewart Living Omnimedia Inc. In June 2003, she was indicted for
possible legal violations related to insider trading, and she stepped
down as CEO. Some in the financial community wondered if the
firm could continue or thrive without Martha Stewart. Part of the
business continuity plan for her company should have been a
strategy to operate if some event would prevent Martha Stewart
from serving as CEO. Martha was convicted, served time in prison,
and successfully returned to work.

General Controls for IT Systems
Question
Which of the following is not a control intended to
authenticate users?

a. User log-in.
b. Security token.
c. Encryption.
d. Biometric devices.

General Controls for IT Systems
Question
An IT governance committee has several responsibilities.
Which of the following is least likely to be a responsibility of the
IT governance committee?
a. Develop and maintain the database and ensure
adequate controls over the database.
b. Develop, monitor, and review security policies.
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.
General Controls from an AICPA Trust Services Principles Perspective
AICPA Trust Services Principles categorize IT controls and risks into five categories:
a. Security: the system is protected against unauthorized (physical and logical) access.
b. Availability: the system is available for operation and use as committed or agreed.
c. Processing integrity: system processing is complete, accurate, timely, and authorized.
d. Online privacy: personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
e. Confidentiality: information designated as confidential is protected as committed or agreed.

General Controls from an AICPA Trust Services Principles Perspective
Risks In Not Limiting Unauthorized Users
Previously covered IT controls that can lessen the risk of unauthorized users gaining access to the IT system:
a. user ID,
b. password,
c. security token,
d. biometric devices,
e. log-in procedures,
f. access levels,
g. computer logs, and
h. authority tables.
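How access levels, an authority table, a computer log and the segregation of duties between analysts, programmers, operations and the database administrator fit together in code, as an added example that is not the textbook's own: authorization is deny-by-default against the authority table, every decision is appended to a computer log, and a conflict table of duty pairs is used both to detect existing violations and to refuse a grant that would create one. All user names, duty names and conflict pairs are constructed for illustration.

```python
"""Added example: authority-table enforcement, segregation-of-duties (SoD)
checking and an append-only computer log.  Users, duties and conflict pairs
are constructed for illustration.
"""
import datetime
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed authority table: user ID -> duties (access levels) the user may exercise.
AUTHORITY_TABLE: Dict[str, Set[str]] = {
    "alice": {"ap.enter_invoice", "ap.view_vendor"},
    "bob":   {"ap.approve_invoice", "ap.view_vendor"},
    "carol": {"dev.change_program"},                          # programmer
    "dave":  {"ops.run_production"},                          # operations
    "erin":  {"dev.change_program", "ops.run_production"},    # holds a conflicting pair
}

# Constructed SoD rules: pairs of duties that no single user may hold.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"dev.change_program", "ops.run_production"}),  # programmer vs. operations
    frozenset({"dev.change_program", "dba.alter_schema"}),    # programmer vs. DBA
    frozenset({"ap.enter_invoice", "ap.approve_invoice"}),    # enter vs. approve
}

COMPUTER_LOG: List[dict] = []   # append-only record of every authorization decision


def authorize(user: str, duty: str, table=AUTHORITY_TABLE, log=COMPUTER_LOG) -> bool:
    """Deny-by-default check: an unknown user or unlisted duty is refused.  Every
    decision, allowed or denied, is written to the computer log for the audit trail."""
    allowed = duty in table.get(user, set())
    log.append({
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user,
        "duty": duty,
        "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed


def sod_violations(table=AUTHORITY_TABLE, conflicts=SOD_CONFLICTS) -> List[Tuple[str, str, str]]:
    """Detective control: (user, duty_a, duty_b) for every conflicting pair a user holds."""
    found = []
    for user, duties in sorted(table.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                found.append((user, a, b))
    return found


def grant(user: str, duty: str, table=AUTHORITY_TABLE, conflicts=SOD_CONFLICTS) -> bool:
    """Preventive control: refuse any grant that would give the user a conflicting pair."""
    for held in table.get(user, set()):
        if frozenset({held, duty}) in conflicts:
            return False
    table.setdefault(user, set()).add(duty)
    return True


if __name__ == "__main__":
    print("alice enters invoice:", authorize("alice", "ap.enter_invoice"))
    print("alice approves invoice:", authorize("alice", "ap.approve_invoice"))
    print("SoD violations:", sod_violations())
    print("grant alice approve:", grant("alice", "ap.approve_invoice"))
    for entry in COMPUTER_LOG:
        print(entry)
```

The detective check (`sod_violations`) is what an IT governance committee or auditor runs periodically over the live authority table; the preventive check (`grant`) is what the provisioning process should run before a change is applied, so that conflicts never reach production in the first place.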
General Controls from an AICPA Trust Services Principles Perspective
Risks From Hacking or Other Network Break-Ins
Controls that may be applied are:
firewalls,
encryption of data,
security policies,
security breach resolution,
Secure Sockets Layer (SSL),
virtual private network (VPN),
Wired Equivalent Privacy (WEP),
Wi-Fi Protected Access (WPA),
service set identifier (SSID),
antivirus software,
vulnerability assessment,
penetration testing, and
intrusion detection.
Note: SSL has been superseded by TLS; an encrypted web or VPN connection today should be using a current TLS version.

General Controls from an AICPA Trust Services Principles Perspective
Risks From Environmental Factors
Environmental changes that affect the IT system can cause availability risks and processing integrity risks.
Physical Access Risks
Physical access to computer systems and computer rooms should be limited to those who must have access in order to carry out their job assignments.

General Controls from an AICPA Trust Services Principles Perspective
Physical Access Risk
Security risk is that an intruder who gains physical access may change user access levels.
Availability risk is that unauthorized physical access may be used to shut down, sabotage, or destroy hardware or software.
Processing integrity risk is that systems or programs may be shut down or sabotaged.
Confidentiality risk is that an intruder may gain access to confidential data.
General Controls from an AICPA Trust Services Principles Perspective
Business Continuity Risks
Security risk is that an unauthorized person may gain access to the backup data.
Availability risk is that as events interrupt operations, the system becomes unavailable for regular processing.
Processing integrity risk is that business interruptions can lead to incomplete or inaccurate data.
Confidentiality risk is that unauthorized persons may gain access to confidential data if they access backup data.
General Controls from an AICPA Trust Services Principles Perspective
Question
AICPA Trust Services Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement "The system is protected against unauthorized access"?
a. Security.
b. Confidentiality.
c. Processing integrity.
d. Availability.
General Controls from an AICPA Trust Services Principles Perspective
Question
The risk that an unauthorized user would shut down
systems within the IT system is a(n)
a. Security risk.
b. Availability risk.
c. Processing integrity risk.
d. Confidentiality risk.

Hardware and Software Exposures
Typical IT system components that represent entry points where risks must be controlled:
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software
Hardware and Software Exposures
Exposure Areas (Exhibit 4-6)

Hardware and Software Exposures
The Operating System
The software that controls the basic input and output activities of the computer.
Provides the instructions that enable the CPU to:
read and write to disk,
read keyboard input,
control output to the monitor,
manage computer memory, and
communicate between the CPU, memory, and disk storage.
Hardware and Software Exposures
The Operating System
Unauthorized access would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or
passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.
Hardware and Software Exposures
The Database
A large disk storage for accounting and operating data.
Controls such as user IDs, passwords, authority tables, firewalls, and encryption are examples of controls that can limit exposure.


Hardware and Software Exposures
The Database Management System
A software system that manages the interface between many users and the database. (Exhibit 4-7; see also Exhibit 4-6.)
Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.

Hardware and Software Exposures
LANS and WANS
A local area network, or LAN, is a computer network
covering a small geographic area.
A group of LANs connected to each other is called a wide
area network, or WAN.

Controls (Exhibit 4-6): limit unauthorized users, firewalls, encryption, virtual private networks.

Hardware and Software Exposures
Wireless Networks (Exhibit 4-6)
Same kind of exposures as a local area network.
Controls include:
Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA),
service set identifiers (SSID), and
encrypted data.
Caveat: WEP is cryptographically broken and should not be relied on; WPA2 or WPA3 should be used instead. An SSID only names a wireless network; hiding or renaming it does not prevent access and is not an authentication control.

The Real World
Boeing Co. uses wireless networks on the floor of the large shop
where it manufactures airplanes. This wireless network with
notebook computers allows Boeing workers to move around the
plane while they are working and view engineering drawings or
parts availability during the manufacturing processes. The
employees do not have to walk to a desk or workstation, away from
the manufacturing flow, to access these things. Wireless networks
can make employees more efficient by allowing them to roam.

Hardware and Software Exposures
The Internet and World Wide Web (Exhibit 4-6)
The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization's internal network of computers.

Hardware and Software Exposures
Telecommuting Workers and Mobile Workers (Exhibit 4-6)
The organization's security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.

Hardware and Software Exposures
Electronic Data Interchange (Exhibit 4-6)
Company-to-company transfer of standard business documents in electronic form.
EDI controls include:
authentication,
computer logs, and
network break-in controls.
Hardware and Software Exposures
Question
The risk of an unauthorized user gaining access is likely to
be a risk for which of the following areas?

a. Telecommuting workers.
b. Internet.
c. Wireless networks.
d. All of the above.

Hardware and Software Exposures
Cloud Computing
As introduced in Chapter 2, cloud computing includes:
Software and data reside with third-party companies (the cloud) and not on company computers.
Outsourcing of IT to a third party.
Advantages:
1. Scalability
2. Expanded access
3. Infrastructure is reduced
4. Cost savings

Cloud Computing
Exhibit 22 Cloud Hosting of Accounting Software

Hardware and Software Exposures
Cloud Computing
Risks associated with cloud computing:
Security. All processing, storing of data, and reading of data occur over the Internet; therefore, the third-party provider must have good user authentication, firewalls, encryption, and virtual private network connections.
Availability. Any interruptions in service cause the software and data to be unavailable.
Processing integrity. All control of software installation, testing, and upgrading is transferred to the third-party provider of cloud computing services.
Confidentiality. Risk that employees of the third-party provider can possibly browse and misuse company data.

The Real World
Starbucks uses a combination of public clouds, private clouds, and
traditional corporate IT systems. In its stores, Starbucks uses Office
365 for e-mail and productivity applications such as Microsoft Word.
Office 365 is the public cloud version of the Microsoft Office Suite.
For e-mail and productivity applications at the corporate offices,
Starbucks uses its own traditional IT systems on premises. For its
customer relationship management software, Starbucks uses
Salesforce.com, a public cloud application. For other accounting
and Oracle ERP applications, Starbucks uses a private cloud based
on virtualized servers that they maintain. This example of using
various IT approaches is quite common.
Application Software and Application Controls
Application software accomplishes end-user tasks such as:
word processing,
spreadsheets,
database maintenance, and
accounting functions.

Application controls are intended to improve the accuracy, completeness, and security of input, processing, and output.

Application Software and Application Controls
Input Controls
Data input: data converted from human-readable form to computer-readable form.
Input controls are of four types:
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation
Application Software and Application Controls
Source Document Controls
Source document: paper form used to capture and record the original data of an accounting transaction.
Note:
Many IT systems do not use source documents. General controls, such as computer logging of transactions and keeping backup files, become important.
Where source documents are used, several source document controls should be used.


Application Software and Application Controls
Source Document Controls
Form Design - Both the source document and the input
screen should be well designed so that they are easy to
understand and use, logically organized into groups of
related data.
Form Authorization and Control:
Area for authorization by appropriate manager
Prenumbered and used in sequence
Blank source documents should be controlled
Application Software and Application Controls
Source Document Controls
Retention of Source Documents:
Retained and filed for easy retrieval
Part of the audit trail.

Application Software and Application Controls
Standard Procedures for Data Input
Data preparation: standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.
Error handling:
Errors should be logged, investigated, corrected, and resubmitted for processing.
The error log should be regularly reviewed by an appropriate manager.
Application Software and Application Controls
Programmed Input Validation Checks
Data should be validated and edited as close to the original source of the data as possible.
Input validation checks include:
1. Field check
2. Validity check
3. Limit check
4. Range check
5. Reasonableness check
6. Completeness check
7. Sign check
8. Sequence check
9. Self-checking digit
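All nine programmed input validation checks applied to a constructed batch of sales-invoice records, as an added example that is not the textbook's code. The sequence check runs across the batch on the prenumbered document numbers (the source-document control of using forms in sequence); the other eight run per record. The field names, the limits, the customer master list and the choice of Luhn mod-10 as the self-checking-digit scheme are this example's assumptions, and the four sample records are constructed so that one passes and three fail in different ways.

```python
"""Added example: the nine programmed input validation checks over a batch of
constructed sales-invoice records.  Field names, bounds, the customer master
file and the Luhn check-digit scheme are assumptions for illustration.
"""
from typing import Dict, List

KNOWN_CUSTOMERS = {"C100", "C101", "C102"}      # constructed customer master file (validity check)
REQUIRED_FIELDS = ("doc_no", "customer_id", "account_no", "qty", "unit_price", "amount")
MAX_QTY = 1000                                  # limit check: upper bound only
PRICE_RANGE = (0.01, 5000.00)                   # range check: lower and upper bound


def luhn_ok(number: str) -> bool:
    """9. Self-checking digit: Luhn mod-10 test over an all-digit string."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Per-record checks; returns the list of failures (empty list means the record is clean)."""
    errors: List[str] = []
    # 6. Completeness check: every critical field present and non-blank.
    missing = [f for f in REQUIRED_FIELDS if not str(rec.get(f, "")).strip()]
    if missing:
        return [f"completeness: missing {missing}"]      # later checks would only cascade
    # 1. Field check: numeric fields must parse as numbers, customer ID must be alphanumeric.
    try:
        qty = float(rec["qty"]); price = float(rec["unit_price"]); amount = float(rec["amount"])
    except ValueError:
        return ["field: qty, unit_price and amount must be numeric"]
    if not rec["customer_id"].isalnum():
        errors.append("field: customer_id must be alphanumeric")
    # 2. Validity check: the customer must exist in the master file.
    if rec["customer_id"] not in KNOWN_CUSTOMERS:
        errors.append(f"validity: unknown customer {rec['customer_id']}")
    # 7. Sign check, 3. limit check, 4. range check.
    if qty <= 0:
        errors.append("sign: qty must be positive")
    if qty > MAX_QTY:
        errors.append(f"limit: qty {qty:g} exceeds {MAX_QTY}")
    if not PRICE_RANGE[0] <= price <= PRICE_RANGE[1]:
        errors.append(f"range: unit_price {price} outside {PRICE_RANGE}")
    # 5. Reasonableness check: amount must agree with the related fields qty * unit_price.
    if abs(qty * price - amount) > 0.005:
        errors.append(f"reasonableness: amount {amount} != qty*price {qty * price:.2f}")
    # 9. Self-checking digit on the account number.
    if not luhn_ok(rec["account_no"]):
        errors.append(f"check digit: account_no {rec['account_no']} fails mod-10")
    return errors


def validate_batch(batch: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Runs validate_record on each record, then 8. sequence check on the prenumbered doc_no."""
    report = {rec.get("doc_no", f"<record {i}>"): validate_record(rec) for i, rec in enumerate(batch)}
    expected = None
    for rec in batch:
        try:
            n = int(rec.get("doc_no", ""))
        except ValueError:
            continue                                 # already reported as completeness/field error
        if expected is not None and n != expected:
            report[rec["doc_no"]].append(f"sequence: expected document {expected}, got {n}")
        expected = n + 1
    return report


# Constructed input batch: one clean record, then an unknown customer with a negative
# quantity, a gap in the document sequence with a bad check digit and a wrong amount,
# and a non-numeric quantity.
SAMPLE_BATCH = [
    {"doc_no": "1001", "customer_id": "C100", "account_no": "79927398713", "qty": "3", "unit_price": "19.99", "amount": "59.97"},
    {"doc_no": "1002", "customer_id": "C999", "account_no": "79927398713", "qty": "-1", "unit_price": "19.99", "amount": "-19.99"},
    {"doc_no": "1004", "customer_id": "C101", "account_no": "79927398714", "qty": "2", "unit_price": "10.00", "amount": "25.00"},
    {"doc_no": "1005", "customer_id": "C102", "account_no": "79927398713", "qty": "abc", "unit_price": "1.00", "amount": "1.00"},
]

if __name__ == "__main__":
    for doc, errs in validate_batch(SAMPLE_BATCH).items():
        print(doc, "OK" if not errs else errs)
```

Rejected records go to the error log described under error handling rather than being silently dropped; the report returned here is exactly what that log entry should carry, so that the record can be corrected and resubmitted and the batch's control totals still reconcile.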
Application Software and Application Controls
Control Totals and Reconciliation
Control totals are subtotals of selected fields for an entire
batch of transactions.
Three types:
record counts,
batch totals, and
hash totals.
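The three control totals computed when a batch is prepared and reconciled again after processing, as an added example that is not the textbook's code. The hash total is taken over the account number, a field whose sum has no business meaning, which is exactly what makes it useful for detecting a changed or transposed identifier. The invoice fields and the three processing outcomes (a dropped record, a transposed account number, two swapped amounts) are constructed for illustration.

```python
"""Added example: record count, batch total and hash total computed for a
constructed batch of invoices, then recomputed after processing and reconciled.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Invoice:
    doc_no: int
    customer_id: str
    account_no: int      # hash-total field: its sum has no business meaning
    amount_cents: int    # batch-total field: integer cents, so no float drift


@dataclass(frozen=True)
class ControlTotals:
    record_count: int    # number of records in the batch
    batch_total: int     # sum of a meaningful financial field (amount_cents)
    hash_total: int      # sum of a field added only for control purposes (account_no)


def control_totals(batch: Iterable[Invoice]) -> ControlTotals:
    """Compute the three control totals for a batch in one pass."""
    rc = bt = ht = 0
    for inv in batch:
        rc += 1
        bt += inv.amount_cents
        ht += inv.account_no
    return ControlTotals(rc, bt, ht)


def reconcile(expected: ControlTotals, actual: ControlTotals) -> List[str]:
    """Return the totals that disagree; an empty list means the batch reconciles."""
    diffs = []
    if expected.record_count != actual.record_count:
        diffs.append(f"record count {expected.record_count} -> {actual.record_count}")
    if expected.batch_total != actual.batch_total:
        diffs.append(f"batch total {expected.batch_total} -> {actual.batch_total}")
    if expected.hash_total != actual.hash_total:
        diffs.append(f"hash total {expected.hash_total} -> {actual.hash_total}")
    return diffs


# Constructed batch as prepared by data entry; its totals travel with the batch.
PREPARED = [
    Invoice(1001, "C100", 40012, 5997),
    Invoice(1002, "C101", 40087, 12000),
    Invoice(1003, "C102", 40150, 850),
]
EXPECTED = control_totals(PREPARED)

# Constructed processing outcomes to reconcile against EXPECTED.
DROPPED = PREPARED[:2]                                                            # one record lost
ALTERED = [PREPARED[0], Invoice(1002, "C101", 40078, 12000), PREPARED[2]]         # account digits transposed
SWAPPED = [PREPARED[0], Invoice(1002, "C101", 40087, 850), Invoice(1003, "C102", 40150, 12000)]  # amounts swapped

if __name__ == "__main__":
    for name, outcome in (("clean", PREPARED), ("dropped", DROPPED), ("altered", ALTERED), ("swapped", SWAPPED)):
        print(name, reconcile(EXPECTED, control_totals(outcome)) or "reconciles")
```

The swapped case is the caveat to remember: every total still agrees, because control totals only detect omissions, duplicates and changes to the fields being totalled, not compensating errors between records. That is why they are paired with the per-record validation checks rather than used alone.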

Application Software and Application Controls
Processing Controls
Intended to prevent, detect, or correct errors that occur during processing, and to help ensure that the application software processes data without error. Examples:
Control totals, limit and range tests, and reasonableness and sign tests.
Computer logs of transactions processed, production run logs, and error listings.

Application Software and Application Controls
Output Controls
Reports from the various applications.
Two primary objectives of output controls:
to assure the accuracy and completeness of the output, and
to properly manage the safekeeping of output reports to ascertain that the security and confidentiality of the information is maintained.

Application Software and Application Controls

Question
Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?

a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Application Software and Application Controls

Question
Which programmed input validation check determines
whether the appropriate type of data, either alphabetic or
numeric, was entered?

a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Application Software and Application Controls

Question
Which programmed input validation check makes sure that a value was entered in all of the critical fields?

a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.

Application Software and Application Controls

Question
Which control total is the total of field values that are added
for control purposes, but not added for any other purpose?

a. Record count.
b. Hash total.
c. Batch total.
d. Field total.

Ethical Issues in IT Systems
Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
Misuse of confidential customer information.
Theft of data, such as credit card information, by hackers.
Employee use of IT system hardware and software for personal use or personal gain.
Using company e-mail to send offensive, threatening, or sexually explicit material.


The Real World
An unusual case of computer abuse occurred at a federal agency that
regulates financial aspects of companies. The Securities and Exchange
Commission (SEC) detected senior managers spending excessive
hours viewing pornography during regular working hours. One SEC
attorney spent as much as eight hours a day viewing pornography on
his office computer. A congressional investigation revealed that 33
high-level SEC staffers in Washington, D.C., were involved in such
abuse of computers. Ironically, this misconduct was occurring during
the same time that this agency should have been monitoring and
reviewing banking institutions and other companies involved in the
country's financial meltdown.

Copyright
Copyright 2013 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make back-up copies for his/her own use only and not for
distribution or resale. The Publisher assumes no responsibility for
errors, omissions, or damages, caused by the use of these
programs or from the use of the information contained herein.
