Coby Harmon
University of California, Santa Barbara
Westmont College
Chapter 4
Study Objectives
1.
2.
3.
4.
5.
6.
Internal Controls for IT Systems
An Accounting Information System collects, processes, stores, and reports accounting information.
Internal controls for computer-based systems are described as being of two types:
General controls
Application controls
Exhibit 4-1: General and Application Controls in IT Systems
Application controls are used to control inputs, processing, and outputs.
General controls apply overall to the IT accounting system.
Question
Internal controls that apply overall to the IT system are
called
a. Overall controls.
b. Technology controls.
c. Application controls.
d. General controls.
General Controls for IT Systems
Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the
system
5. Business Continuity
Authentication of Users and Limiting Unauthorized Access
Log-in
User IDs
Password
Smart card
Security token
Biometric devices
Computer log
Nonrepudiation
User profile
Authority table
Configuration tables
Hacking and other Network Break-Ins
Firewall
Symmetric encryption
Virus
Antivirus software
Vulnerability assessment
Intrusion detection
Penetration testing
Organizational Structure
IT governance committee, responsibilities include:
1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use
of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.
Organizational Structure
Duties should be segregated among:
Systems analysts
Programmers
Operations personnel
Database administrator
Physical Environment and Security
Controls for an IT system should include controls over
the physical environment of the system which includes:
Location
Operating environment
Back-up systems
System should also have both an
uninterruptible power supply and an
emergency power supply.
Physical access controls:
Limited access to computer rooms
Locked storage of backup data and offsite backup data
Business Continuity
Business Continuity Planning (BCP)
Two parts of business continuity are related to IT systems:
A strategy for backup and restoration of IT systems, to
The Real World
In some organizations, loss of a key CEO could spell disaster. For
example, Martha Stewart founded and became the CEO of Martha
Stewart Living Omnimedia Inc. In June 2003, she was indicted for
possible legal violations related to insider trading, and she stepped
down as CEO. Some in the financial community wondered if the
firm could continue or thrive without Martha Stewart. Part of the
business continuity plan for her company should have been a
strategy to operate if some event would prevent Martha Stewart
from serving as CEO. Martha was convicted, served time in prison,
and successfully returned to work.
Question
Which of the following is not a control intended to
authenticate users?
a. User log-in.
b. Security token.
c. Encryption.
d. Biometric devices.
Question
An IT governance committee has several responsibilities.
Which of the following is least likely to be a responsibility of the
IT governance committee?
a. Develop and maintain the database and ensure
adequate controls over the database.
b. Develop, monitor, and review security policies.
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.
General Controls from an AICPA Trust Services Principles Perspective
AICPA Trust Services Principles categorizes IT controls
and risks into five categories:
a. Security
b. Availability
c. Processing integrity
d. Online privacy
e. Confidentiality
(Confidentiality: information designated as confidential is protected as committed or agreed.)
Risks in Not Limiting Unauthorized Users
Previously covered IT controls that can lessen the risk of unauthorized users gaining access to the IT system:
user IDs,
passwords,
security tokens,
biometric devices,
log-in procedures,
access levels, and
authority tables.
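These controls work together: the log-in authenticates the user, the authority table decides what that user may do, and the computer log records every attempt. The following Python sketch is an added example for this list and for the earlier "Authentication of Users and Limiting Unauthorized Access" list; it is not code from the textbook or its slides. The user IDs, roles, resources, the lockout threshold and the use of PBKDF2 for password storage are assumptions made for illustration.

```python
"""Log-in, lockout, authority table and computer log in one small module.

Added example for the authentication controls in the text; not from the
textbook. Users, roles, resources and thresholds are constructed.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 200_000
MAX_FAILED_LOGINS = 3      # lock the user profile after this many consecutive failures

# Authority table (constructed): what each role may do to each resource.
AUTHORITY_TABLE = {
    "ap_clerk":   {"vendor_invoice": {"create", "read"}},
    "ap_manager": {"vendor_invoice": {"create", "read", "approve"},
                   "vendor_master":  {"read", "update"}},
}

USERS = {}            # user ID -> profile (salt, password hash, role, failure count, locked)
COMPUTER_LOG = []     # audit trail of every security-relevant event


def _log(event, user_id, detail=""):
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    COMPUTER_LOG.append(f"{stamp} {event} user={user_id} {detail}".rstrip())


def _hash_password(password, salt):
    # Salted, iterated hash: a leaked user table does not give up passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(user_id, password, role):
    salt = os.urandom(16)
    USERS[user_id] = {"salt": salt, "hash": _hash_password(password, salt),
                      "role": role, "failures": 0, "locked": False}
    _log("USER_CREATED", user_id, f"role={role}")


def login(user_id, password):
    """Authenticate the user; lock the profile after repeated failures; log every attempt."""
    profile = USERS.get(user_id)
    if profile is None:
        _log("LOGIN_FAILED", user_id, "reason=unknown_user")
        return False
    if profile["locked"]:
        _log("LOGIN_REJECTED", user_id, "reason=locked")
        return False
    candidate = _hash_password(password, profile["salt"])
    if hmac.compare_digest(candidate, profile["hash"]):     # constant-time comparison
        profile["failures"] = 0
        _log("LOGIN_OK", user_id)
        return True
    profile["failures"] += 1
    if profile["failures"] >= MAX_FAILED_LOGINS:
        profile["locked"] = True
        _log("ACCOUNT_LOCKED", user_id, f"failures={profile['failures']}")
    else:
        _log("LOGIN_FAILED", user_id, f"failures={profile['failures']}")
    return False


def authorize(user_id, resource, action):
    """Look the user's role up in the authority table; deny by default."""
    profile = USERS.get(user_id)
    if profile is None or profile["locked"]:
        _log("ACCESS_DENIED", user_id, f"resource={resource} action={action} reason=no_active_profile")
        return False
    allowed = action in AUTHORITY_TABLE.get(profile["role"], {}).get(resource, set())
    _log("ACCESS_ALLOWED" if allowed else "ACCESS_DENIED", user_id,
         f"resource={resource} action={action}")
    return allowed


if __name__ == "__main__":
    create_user("jsmith", "correct horse battery", "ap_clerk")
    print(login("jsmith", "correct horse battery"))          # True
    print(authorize("jsmith", "vendor_invoice", "approve"))   # False: clerks cannot approve
    for _ in range(MAX_FAILED_LOGINS):
        login("jsmith", "wrong password")
    print(login("jsmith", "correct horse battery"))          # False: profile is now locked
    print("\n".join(COMPUTER_LOG))
```

The lockout is what turns the password from a guessable secret into a control: without it, the log only records the attacker's progress. Real systems keep the user table and the log outside the application's own write path, so that a compromised application cannot edit its own audit trail.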
Risks From Hacking or Other Network Break-Ins
Controls that may be applied are:
firewalls,
encryption of data,
security policies,
security breach resolution,
Secure Sockets Layer (SSL), now superseded by TLS,
virtual private networks (VPN),
Wired Equivalent Privacy (WEP),
Wi-Fi Protected Access (WPA),
service set identifiers (SSID),
antivirus software,
vulnerability assessment,
penetration testing, and
intrusion detection.
Two caveats a practitioner would add: WEP's encryption has long been broken and its key can be recovered with freely available tools, so it should be treated as offering no protection (use WPA2 or WPA3); and an SSID merely names a network and is broadcast or easily recovered, so it is not an access control.
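Intrusion detection, the last control in the list, is in practice a matter of reading the computer log for patterns that no legitimate user produces. The following is an added example, not from the textbook: it runs a sliding-window rule over a constructed log and flags a source address that fails log-in repeatedly inside a short window, then flags any later successful log-in from that same source, which is the trace a guessed password leaves. The log format, addresses, threshold and window are all assumptions.

```python
"""Brute-force log-in detection over a sample computer log.

Added example for the intrusion detection control in the text; not from
the textbook. The log lines, threshold and window are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, outcome, user ID and source address.
SAMPLE_LOG = """\
2024-03-01T10:00:01 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T10:00:03 LOGIN_FAILED user=admin src=203.0.113.7
2024-03-01T10:00:04 LOGIN_FAILED user=root src=203.0.113.7
2024-03-01T10:00:06 LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-01T10:00:09 LOGIN_FAILED user=jsmith src=203.0.113.7
2024-03-01T10:00:12 LOGIN_OK user=jsmith src=203.0.113.7
2024-03-01T10:05:00 LOGIN_FAILED user=alee src=198.51.100.9
2024-03-01T10:30:00 LOGIN_FAILED user=alee src=198.51.100.9
2024-03-01T10:31:00 LOGIN_OK user=alee src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAILED) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Yield (timestamp, event, user, source) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["src"]


def detect_brute_force(text, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source fails `threshold` times inside `window`, and again
    if that source then logs in successfully (a likely guessed password)."""
    alerts = []
    recent = defaultdict(deque)      # source -> timestamps of its recent failures
    flagged = set()
    for ts, event, user, src in parse_log(text):
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if event == "LOGIN_FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("BRUTE_FORCE", src, f"{len(q)} failures within {window}"))
        elif event == "LOGIN_OK" and src in flagged:
            alerts.append(("SUCCESS_AFTER_BRUTE_FORCE", src, f"user={user}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The second source in the sample (two failures 25 minutes apart, then a success) is a user mistyping a password and is not flagged, which is the point of the window: the rule keys on rate, not on failures alone. The "success after burst" alert is the one worth paging on, since it means the attacker is now inside.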
Risks From Environmental Factors
Environmental changes that affect the IT system can
cause availability risks and processing integrity risks.
Physical Access Risk
Security risk is that an intruder who gains physical access may change user access levels.
Availability risk is that someone with unauthorized physical access may shut down, sabotage, or destroy hardware or software.
Processing integrity risk is that systems or programs may be shut down or sabotaged.
Confidentiality risk is that an intruder may gain access to confidential data.
Business Continuity Risks
Security risk is that an unauthorized person may gain access to the backup data.
Availability risk is that, as events interrupt operations, the system becomes unavailable for regular processing.
Processing integrity risk is that business interruptions can lead to incomplete or inaccurate data.
Confidentiality risk is that unauthorized persons may gain access to confidential data if they access backup data.
Question
AICPA Trust Services Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement "The system is protected against unauthorized access"?
a. Security.
b. Confidentiality.
c. Processing integrity.
d. Availability.
Question
The risk that an unauthorized user would shut down
systems within the IT system is a(n)
a. Security risk.
b. Availability risk.
c. Processing integrity risk.
d. Confidentiality risk.
Hardware and Software Exposures
Typical IT system components that represent entry points where the risks must be controlled:
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software
Exhibit 4-6: Exposure Areas
The Operating System
The software that controls the basic input and output
activities of the computer.
Provides the instructions that enable the CPU to:
read and write to disk,
read keyboard input,
control output to the monitor,
manage computer memory, and
communicate between the CPU, memory, and disk
storage.
The Operating System
Unauthorized access would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or
passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.
The Database
A large disk storage for accounting and operating data.
Controls include:
user IDs and passwords,
authority tables,
firewalls, and
encryption.
The Database Management System
A software system that manages the interface between
many users and the database.
(Exhibit 4-7)
Physical access, environmental, and business continuity
controls can help guard against the loss of the data or
alteration to the DBMS.
LANS and WANS
A local area network, or LAN, is a computer network
covering a small geographic area.
A group of LANs connected to each other is called a wide
area network, or WAN.
Controls (Exhibit 4-6):
limit unauthorized users,
firewalls,
encryption, and
virtual private networks.
Wireless Networks
(Exhibit 4-6)
Same kind of exposures as a local area network.
Controls include:
Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA),
service set identifiers (SSID), and
encrypted data.
As noted earlier, WEP is broken and should not be relied on (use WPA2 or WPA3), and an SSID identifies a network rather than controlling access to it.
The Real World
Boeing Co. uses wireless networks on the floor of the large shop
where it manufactures airplanes. This wireless network with
notebook computers allows Boeing workers to move around the
plane while they are working and view engineering drawings or
parts availability during the manufacturing processes. The
employees do not have to walk to a desk or workstation, away from
the manufacturing flow, to access these things. Wireless networks
can make employees more efficient by allowing them to roam.
The Internet and World Wide Web
(Exhibit 4-6)
Telecommuting Workers and Mobile Workers
(Exhibit 4-6)
Electronic Data Interchange
Company-to-company transfer of standard business documents in electronic form.
EDI controls include:
authentication,
computer logs, and
network break-in controls.
(Exhibit 4-6)
Question
The risk of an unauthorized user gaining access is likely to
be a risk for which of the following areas?
a. Telecommuting workers.
b. Internet.
c. Wireless networks.
d. All of the above.
Cloud Computing
As introduced in Chapter 2, in cloud computing software and data reside with third-party companies (the cloud).
Advantages:
1. Scalability
2. Expanded access
3. Infrastructure is reduced
4. Cost savings
Exhibit 22: Cloud Hosting of Accounting Software
Risks associated with cloud computing:
Security. All processing, storing data, and reading
Processing integrity. All control of software
The Real World
Starbucks uses a combination of public clouds, private clouds, and
traditional corporate IT systems. In its stores, Starbucks uses Office
365 for e-mail and productivity applications such as Microsoft Word.
Office 365 is the public cloud version of the Microsoft Office Suite.
For e-mail and productivity applications at the corporate offices,
Starbucks uses its own traditional IT systems on premises. For its
customer relationship management software, Starbucks uses
Salesforce.com, a public cloud application. For other accounting
and Oracle ERP applications, Starbucks uses a private cloud based
on virtualized servers that they maintain. This example of using
various IT approaches is quite common.
Application Software and Application Controls
Applications software accomplishes end user tasks such
as:
word processing,
spreadsheets,
database maintenance, and
accounting functions.
Input Controls
Data input: data converted from human-readable form to computer-readable form.
Input controls are of four types:
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation
Source Document Controls
Source document -paper form used to capture and
record the original data of an accounting transaction.
Note:
Many IT systems do not use source documents.
Form Design - Both the source document and the input
screen should be well designed so that they are easy to
understand and use, logically organized into groups of
related data.
Form Authorization and Control:
Area for authorization by appropriate manager
Prenumbered and used in sequence
Blank source documents should be controlled
Retention of Source Documents:
Retained and filed for easy retrieval
Part of the audit trail.
Standard Procedures for Data Input
Data preparation: standard data collection procedures reduce the chance of lost, misdirected, or incorrectly collected data from source documents.
Error Handling:
Errors should be logged, investigated, corrected, and
manager
Programmed Input Validation Checks
Data should be validated and edited as close to the original source of the data as possible.
Input validation checks include:
1. Field check
2. Validity check
3. Limit check
4. Range check
5. Reasonableness check
6. Completeness check
7. Sign check
8. Sequence check
9. Self-checking digit
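The nine checks are easiest to tell apart when applied to one record. The following Python module is an added example, not code from the textbook: it runs every check in the list over a constructed sales transaction and returns the violations found. The record layout, the chart of accounts, the limit and range values, and the use of a mod-10 (Luhn) check digit on the customer number are assumptions made for the example.

```python
"""Programmed input validation checks applied to a sales transaction batch.

Added example for the nine checks in the text; not from the textbook.
Record layout, reference data, limits and the mod-10 check digit are assumed.
"""

CHART_OF_ACCOUNTS = {"4000", "4010", "1200"}        # validity check reference list
REQUIRED_FIELDS = ("invoice_no", "customer_no", "account", "quantity", "unit_price", "amount")
MAX_AMOUNT = 10_000.00                              # limit check ceiling
DISCOUNT_RANGE = (0.0, 20.0)                        # range check bounds, percent


def luhn_valid(number):
    """Self-checking digit: the last digit must satisfy the mod-10 (Luhn) formula."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_transaction(tx, previous_invoice_no=None):
    """Return the list of control violations for one record (empty list = clean)."""
    errors = []

    # 6. Completeness check: every critical field present and non-blank
    missing = [f for f in REQUIRED_FIELDS if tx.get(f) in (None, "")]
    if missing:
        errors.append(f"completeness: missing {missing}")
        return errors                   # the remaining checks need these fields

    # 1. Field check: numeric fields must be numeric, the customer number all digits
    for f in ("quantity", "unit_price", "amount"):
        if not isinstance(tx[f], (int, float)):
            errors.append(f"field: {f} must be numeric")
    customer_no = str(tx["customer_no"])
    if not customer_no.isdigit():
        errors.append("field: customer_no must be numeric")
    # 9. Self-checking digit on the customer number
    elif not luhn_valid(customer_no):
        errors.append("check digit: customer_no fails mod-10")

    # 2. Validity check: the account must exist in the chart of accounts
    if tx["account"] not in CHART_OF_ACCOUNTS:
        errors.append(f"validity: account {tx['account']} not in chart of accounts")

    if errors:
        return errors                   # numeric checks below assume well-typed fields

    # 3. Limit check: the amount must not exceed the upper limit
    if tx["amount"] > MAX_AMOUNT:
        errors.append(f"limit: amount {tx['amount']} exceeds {MAX_AMOUNT}")

    # 4. Range check: the discount percent must lie between the bounds
    disc = tx.get("discount_pct", 0.0)
    if not DISCOUNT_RANGE[0] <= disc <= DISCOUNT_RANGE[1]:
        errors.append(f"range: discount {disc} outside {DISCOUNT_RANGE}")

    # 5. Reasonableness check: the amount compared with the related fields
    expected = tx["quantity"] * tx["unit_price"] * (1 - disc / 100)
    if abs(expected - tx["amount"]) > 0.01:
        errors.append(f"reasonableness: amount {tx['amount']} differs from qty*price*(1-disc) {expected:.2f}")

    # 7. Sign check: a sale must have a positive quantity
    if tx["quantity"] <= 0:
        errors.append("sign: quantity must be positive")

    # 8. Sequence check: invoice numbers must ascend within the batch
    if previous_invoice_no is not None and tx["invoice_no"] <= previous_invoice_no:
        errors.append(f"sequence: invoice {tx['invoice_no']} not after {previous_invoice_no}")

    return errors


def validate_batch(batch):
    """Run the checks over a batch; keys are positions of records with errors."""
    results, prev = {}, None
    for i, tx in enumerate(batch):
        errs = validate_transaction(tx, prev)
        if errs:
            results[i] = errs
        if isinstance(tx.get("invoice_no"), int):
            prev = tx["invoice_no"]
    return results


# Constructed sample batch: one clean record, one with reference-data errors,
# one with numeric errors (79927398713 is a Luhn-valid number, 79927398710 is not).
SAMPLE_BATCH = [
    {"invoice_no": 1001, "customer_no": "79927398713", "account": "4000",
     "quantity": 4, "unit_price": 250.0, "discount_pct": 10.0, "amount": 900.0},
    {"invoice_no": 1002, "customer_no": "79927398710", "account": "9999",
     "quantity": 2, "unit_price": 10.0, "amount": 20.0},
    {"invoice_no": 1000, "customer_no": "79927398713", "account": "4000",
     "quantity": -4, "unit_price": 250.0, "discount_pct": 35.0, "amount": 12000.0},
]

if __name__ == "__main__":
    for pos, errs in validate_batch(SAMPLE_BATCH).items():
        print(pos, errs)
```

The checks are ordered deliberately: completeness and field checks run first because the later arithmetic checks are meaningless on a blank or non-numeric field, and the reasonableness check compares the amount with related fields rather than with a fixed bound, which is what separates it from the limit and range checks.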
Control Totals and Reconciliation
Control totals are subtotals of selected fields for an entire
batch of transactions.
Three types:
record counts,
batch totals, and
hash totals.
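The three totals catch different failures, which the definitions alone do not make obvious. The following Python module is an added example, not code from the textbook: it takes the totals when a constructed batch is prepared, recomputes them after a simulated processing run, and reports which totals disagree. Dropping a record moves all three; changing a customer number on one record moves only the hash total, since the customer number is added for control purposes and nothing else. The batch, its fields and the simulated processing are assumptions.

```python
"""Control totals (record count, batch total, hash total) and reconciliation.

Added example for the three control totals in the text; not from the
textbook. The batch records and the fields totalled are constructed.
"""
from decimal import Decimal


def control_totals(batch):
    """Record count, batch total of the amount field, and a hash total of the
    customer number, a field that is summed only for control purposes."""
    return {
        "record_count": len(batch),
        "batch_total": sum((Decimal(str(tx["amount"])) for tx in batch), Decimal("0")),
        "hash_total": sum(int(tx["customer_no"]) for tx in batch),
    }


def reconcile(expected, actual):
    """Compare totals taken at input with totals recomputed after processing;
    return the names of the totals that disagree (empty list = batch agrees)."""
    return [name for name in ("record_count", "batch_total", "hash_total")
            if expected[name] != actual[name]]


def simulate_processing(batch, drop_index=None, swap_customer=None):
    """Stand-in for a processing run that may lose a record or alter a field."""
    out = [dict(tx) for tx in batch]
    if drop_index is not None:
        del out[drop_index]
    if swap_customer is not None:
        position, new_customer_no = swap_customer
        out[position]["customer_no"] = new_customer_no
    return out


# Constructed input batch; totals are taken when the batch is prepared.
INPUT_BATCH = [
    {"invoice_no": 1001, "customer_no": "1001234", "amount": "150.00"},
    {"invoice_no": 1002, "customer_no": "1005678", "amount": "75.50"},
    {"invoice_no": 1003, "customer_no": "1009012", "amount": "320.25"},
]
INPUT_TOTALS = control_totals(INPUT_BATCH)

if __name__ == "__main__":
    print("clean run:", reconcile(INPUT_TOTALS, control_totals(simulate_processing(INPUT_BATCH))))
    print("record dropped:", reconcile(INPUT_TOTALS,
          control_totals(simulate_processing(INPUT_BATCH, drop_index=1))))
    print("customer changed:", reconcile(INPUT_TOTALS,
          control_totals(simulate_processing(INPUT_BATCH, swap_customer=(0, "1004321")))))
```

Amounts are carried as Decimal so the batch total reconciles exactly; a float sum of monetary values can differ in the last place and produce false exceptions. Note what the totals do not catch: two records swapped in order, or two compensating errors in the same field, leave every total unchanged, which is why control totals sit beside the programmed edit checks rather than replacing them.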
Processing Controls
Intended to prevent, detect, or correct errors that occur during processing, and to ensure that application software processes data without error.
Control totals, limit and range tests, and
Output Controls
Reports from the various applications.
Two primary objectives of output controls:
to assure the accuracy and completeness of the
output, and
to properly manage the safekeeping of output reports
Question
Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Completeness check.
Question
Which programmed input validation check determines
whether the appropriate type of data, either alphabetic or
numeric, was entered?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Question
Which programmed input validation makes sure that a
value was entered in all of the critical fields?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.
Question
Which control total is the total of field values that are added
for control purposes, but not added for any other purpose?
a. Record count.
b. Hash total.
c. Batch total.
d. Field total.
Ethical Issues in IT Systems
Besides fraud, there are many kinds of unethical behaviors
related to computers, such as:
Misuse of confidential customer information.
Theft of data, such as credit card information, by
hackers.
Employee use of IT system hardware and software for
The Real World
An unusual case of computer abuse occurred at a federal agency that
regulates financial aspects of companies. The Securities and Exchange
Commission (SEC) detected senior managers spending excessive
hours viewing pornography during regular working hours. One SEC
attorney spent as much as eight hours a day viewing pornography on
his office computer. A congressional investigation revealed that 33
high-level SEC staffers in Washington, D.C., were involved in such
abuse of computers. Ironically, this misconduct was occurring during
the same time that this agency should have been monitoring and
reviewing banking institutions and other companies involved in the
country's financial meltdown.
Copyright 2013 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make back-up copies for his/her own use only and not for
distribution or resale. The Publisher assumes no responsibility for
errors, omissions, or damages, caused by the use of these
programs or from the use of the information contained herein.