Information Systems Control

1
Information Systems Control

• Dr. Yan Xiong
• College of Business
• CSU Sacramento
• January 27,2003
• This lecture is based on Martin (2002) and Romney
  and Steinbart (2002)

2
Agenda

• AIS Threats
• Internal Controls
• General controls for
  information systems
• Internet controls
• Contingency management

3
AIS Threats

• Natural and political
  disasters
• fire or excessive heat
• floods
• earthquakes
• high winds
• war

4
AIS Threats

• Software errors and equipment
  malfunctions
• hardware failures
• power outages and fluctuations
• undetected data transmission errors

5
AIS Threats

• Unintentional acts
• accidents caused by human
  carelessness
• innocent errors of omissions
• lost or misplaced data
• logic errors
• systems that do not meet company needs

6
AIS Threats

• Intentional acts
• sabotage
• computer fraud
• embezzlement
• confidentiality breaches
• data theft

7
Agenda

• AIS Threats
• Internal Control
• Cost-benefit Analysis
• General controls for
  information systems
• Internet controls
• Contingency management

8
Internal Control

• The COSO (Committee of Sponsoring Organizations)
  study defines internal control as the process
  implemented by the board of directors,
  management, and those under their direction to
  provide reasonable assurance that control
  objectives are achieved with regard to
• effectiveness and efficiency of operations
• reliability of financial reporting
• compliance with applicable laws and regulations

9
Internal Control Classifications

• The specific control procedures used in the
  internal control and management control systems
  may be classified using the following four
  internal control classifications
• Preventive, detective, and corrective controls
• General and application controls
• Administrative and accounting controls
• Input, processing, and output controls

10
Types of Controls

• Preventive deter problems before they
  arise
• segregating duties
• Detective discover control problems as soon
  as they arise
• bank reconciliation
• Corrective remedy problems discovered with
  detective controls
• file backups

11
Internal Control Model

• COSOs internal control model has five crucial
  components
• Control environment
• Control activities
• Risk assessment
• Information and communication
• Monitoring

12
The Control Environment

• The control environment consists of many factors,
  including the following
• Commitment to integrity and ethical values
• Managements philosophy and operating style
• Organizational structure

13
The Control Environment

• The audit committee of the board of directors
• Methods of assigning authority and responsibility
• Human resources policies and practices
• External influences

14
Control Activities

• Generally, control procedures fall into one of
  five categories
• Proper authorization of transactions and
  activities
• Segregation of duties
• Design and use of adequate documents and records
• Adequate safeguards of assets and records
• Independent checks on performance

15
Proper Authorization of Transactions and
Activities

• Authorization is the empowerment management gives
  employees to perform activities and make
  decisions.
• Digital signature or fingerprint is a means of
  signing a document with a piece of data that
  cannot be forged.
• Specific authorization is the granting of
  authorization by management for certain
  activities or transactions.

16
Segregation of Duties

• Good internal control demands that no single
  employee be given too much responsibility.
• An employee should not be in a position to
  perpetrate and conceal fraud or unintentional
  errors.

17
Segregation of Duties
Custodial Functions Handling cash Handling
assets Writing checks Receiving checks in mail
Authorization Functions Authorization
of transactions
Recording Functions Preparing source
documents Maintaining journals Preparing
reconciliations Preparing performance reports
18
Segregation of Duties

• If two of these three functions are the
  responsibility of a single person, problems can
  arise.
• Segregation of duties prevents employees from
  falsifying records in order to conceal theft of
  assets entrusted to them.
• Prevent authorization of a fictitious or
  inaccurate transaction as a means of concealing
  asset thefts.

19
Segregation of Duties

• Segregation of duties prevents an employee from
  falsifying records to cover up an inaccurate or
  false transaction that was inappropriately
  authorized.

20
Design and Use of Adequate Documents and Records

• The proper design and use of documents and
  records helps ensure the accurate and complete
  recording of all relevant transaction data.
• Documents that initiate a transaction should
  contain a space for authorization.

21
Design and Use of Adequate Documents and Records

• The following procedures safeguard assets from
  theft, unauthorized use, and vandalism
• effectively supervising and segregating duties
• maintaining accurate records of assets, including
  information
• restricting physical access to cash and paper
  assets
• having restricted storage areas

22
Adequate Safeguards of Assets and Records

• What can be used to safeguard assets?
• cash registers
• safes, lockboxes
• safety deposit boxes
• restricted and fireproof storage areas
• controlling the environment
• restricted access to computer rooms, computer
  files, and information

23
Independent Checks on Performance

• Independent checks to ensure that transactions
  are processed accurately are another important
  control element.
• What are various types of independent checks?
• reconciliation of two independently maintained
  sets of records
• comparison of actual quantities with recorded
  amounts

24
Independent Checks on Performance

• double-entry accounting
• batch totals
• Five batch totals are used in computer systems
• A financial total is the sum of a dollar field.
• A hash total is the sum of a field that would
  usually not be added.

25
Independent Checks on Performance

• A record count is the number of documents
  processed.
• A line count is the number of lines of data
  entered.
• A cross-footing balance test compares the grand
  total of all the rows with the grand total of all
  the columns to check that they are equal.

26
Information and Communication

• The fourth component of COSOs internal control
  model is information and communication.
• Accountants must understand the following
• How transactions are initiated
• How data are captured in machine-readable form or
  converted from source documents

27
Information and Communication

• How computer files are accessed and updated
• How data are processed to prepare information
• How information is reported
• How transactions are initiated
• All of these items make it possible for the
  system to have an audit trail.
• An audit trail exists when individual company
  transactions can be traced through the system.

28
Monitoring Performance

• The fifth component of COSOs internal control
  model is monitoring.
• What are the key methods of monitoring
  performance?
• effective supervision
• responsibility accounting
• internal auditing

29
Risk Assessment

• The third component of COSOs internal control
  model is risk assessment.
• Companies must identify the threats they face
• strategic doing the wrong thing
• financial having financial resources lost,
  wasted, or stolen
• information faulty or irrelevant information,
  or unreliable systems

30
Risk Assessment

• Companies that implement electronic data
  interchange (EDI) must identify the threats the
  system will face, such as
• Choosing an inappropriate technology
• Unauthorized system access
• Tapping into data transmissions
• Loss of data integrity

31
Risk Assessment

• Incomplete transactions
• System failures
• Incompatible systems

32
Risk Assessment

• Some threats pose a greater risk because the
  probability of their occurrence is more likely.
• What is an example?
• A company is more likely to be the victim of a
  computer fraud rather than a terrorist attack.
• Risk and exposure must be considered together.

33
Cost and Benefits

• Benefit of control
  procedure is difference between
• expected loss with control procedure(s)
• expected loss without it

34
Loss / Fraud Conditions

• Threat potential adverse or
  unwanted event that can be
  injurious to AIS
• Exposure potential maximum loss if
  event occurs
• Risk likelihood that event will occur
• Expected Loss Risk Exposure

35
Loss / Fraud Conditions
For each AIS threat
Exposure
Risk
Expected Loss
X

Maximum Loss ()
Likelihood of Event Occurring
Potential Loss
36
Exposures
Possible Threat Symbol Expo- sure Risk
Disaster D H L
Power Outage O M H
System Down H L L
Human Error E M M
Fraud F M L
Data Theft T L M
Sabotage S H L
37
Risk Assessment of Controls
Threat
38
Payroll Case
Condition Without With Difference
Cost Payroll 10K 10K
Risk of Error 15 1
Error Cost 1.5K 0.1K 1.4K
Validate Cost 0 0.6K (0.6K)
Expected Benefit 0.8K
39
Agenda

• AIS Threats
• Internal Controls
• General controls for
  information systems
• Internet controls
• Contingency management

40
General Controls

• General controls ensure that overall computer
  environment is stable and
  well managed
• General control categories
• Developing a security plan
• Segregation of duties within the systems function

41
General Controls

• Project development controls
• Physical access controls
• Logical access controls
• Data storage controls
• Data transmission controls
• Documentation standards
• Minimizing system downtime

42
General Controls

• 10. Protection of personal computers
  and client/server networks
• Internet controls
• Disaster recovery plans

43
Security Plan

• Developing and continuously
  updating a comprehensive
  security plan one of most
  important controls for company
• Questions to be asked
• Who needs access to what information?
• When do they need it?
• On which systems does the information reside?

44
Segregation of Duties

• In AIS, procedures that used
  to be performed by separate
  individuals combined
• Person with unrestricted access
• to computer,
• its programs,
• and live data
• has opportunity to both perpetrate and conceal
  fraud

45
Segregation of Duties

• To combat this threat, organizations must
  implement compensating
  control procedures
• Authority and responsibility
  must be clearly divided
• NOTE must change with increasing levels of
  automation

46
Segregation of Duties

• Divide following functions
• Systems analysis
• Programming
• Computer operations
• Users
• AIS library
• Data control

47
Duty Segregation
What about small firms?
48
Project Development Controls

• Long-range master plan
• Project development plan
• Periodic performance evaluation
• Post-implementation review
• System performance measurements

49
Development Controls
Master Development Plan
Periodic Performance Review
Post Implement Review
Performance Measures
50
Physical Access Controls

• Placing computer equipment
  in locked rooms and restricting access to
  authorized personnel
• Having only one or two entrances to computer room
• Requiring proper employee ID
• Requiring visitors to sign log
• Installing locks on PCs

51
Logical Access Controls

• Users should be allowed access only to the data
  they are authorized to use and then only to
  perform specific authorized functions.
• What are some logical access controls?
• passwords
• physical possession identification
• biometric identification
• compatibility tests

52
Access Control Matrix
PASS- FILES PROGRAMS
WORD A B 1 2
ABC 0 1 0 0
DEF 1 2 0 0
KLM 1 1 1 1
NOP 3 0 3 0
0 No access 1 Read / display
2 Update 3 Create / delete
53
Data Storage Controls

• Information gives company competitive edge and
  makes it viable
• Company should identify types of
  data used and level of protection
  required for each
• Company must also document steps taken to
  protect data
• e.g., off-site storage

54
Data Transmission Controls

• Reduce risk of data
  transmission failures
• data encryption (cryptography)
• routing verification procedures
• parity bits
• message acknowledgment techniques

55
Information Transmission System
Information
56
Transmission Controls
57
Even Parity Bit System
There are five 1 bits in message
1 0 1 1 0
1 1 0 1
58
Data Transmission Controls

• Added importance when using
  electronic data interchange (EDI)
  or electronic funds transfer
  (EFT)
• In these types of environments, sound internal
  control is achieved using control procedures

59
Data Transmission Control

• Controlled physical access to
  network facilities
• Identification required for all network
  terminals
• Passwords and dial-in phone numbers changed on
  regular basis
• Encryption used to secure stored and transmitted
  data
• Transactions log

60
Documentation Standards

• Documentation procedures and
  standards ensure clear and concise
  documentation
• Documentation categories
• Administrative documentation
• Systems documentation
• Operating documentation

61
Minimizing System Downtime

• Significant financial losses
  can be incurred if
  hardware or software malfunctions cause AIS
  to fail
• Methods used to minimize system downtime
• preventive maintenance
• uninterruptible power system
• fault tolerance

62
Protection of PCs and Client/Server Networks

• PCs more vulnerable to security risks
  than mainframe computers
• Difficult to restrict physical access
• PC users less aware of importance of security and
  control
• More people familiar with the operation of PCs
• Segregation of duties is difficult

63
Protection of PCs and Client/Server Networks

• Train users in PC-related
  control concepts
• Restrict access by using
  locks and keys on PCs
• Establish policies and procedures

64
Protection of PCs and Client/Server Networks

• Portable PCs should not be
  stored in cars
• Back up hard disks regularly
• Encrypt or password protect files
• Build protective walls around operating systems
• Use multilevel password controls to limit
  employee access to incompatible data

65
Agenda

• AIS Threats
• Control concepts
• General controls for
  information systems
• Internet controls
• Contingency management

66
Internet Controls

• Internet control is installing a firewall,
  hardware and software that control communications
  between a companys internal network (trusted
  network) and an external network.

67
Internet Controls

• Passwords
• Encryption technology
• Routing verification procedures
• Installing a firewall

68
Internet Risks
69
Messaging Security

• Confidentiality
• Integrity detect tampering
• Authentication correct party
• Non-repudiation sender cant deny
• Access controls limit entry to authorized users

70
Symmetric Encryption
Clear Text Message
71
PKI

• Public Key Infrastructure
• Most commonly used
• Two keys
• public key publicly available
• private key kept secret
• Two keys related through secret mathematical
  formula
• Need both to process transaction

72
Biometric Usage

• For user authentication
• By order of use
• finger scanners
• hand geometry
• face-recognition
• eye scan
• voiceprints
• signature verification

73
Digital Signature

• Also called Certificate
• Issued by trusted third party
• Certification Authority (CA)
• Electronic passport to prove identity
• Provides assurance messages are valid
• Uses encryption to verify
  identity of unseen partner

74
Firewall

• Firewall is barrier
  between networks not
  allowing information to flow
  into and out of trusted network

75
Firewalls
76
Firewall Types

• Packet Filter
• simplest type
• doesnt examine data
• looks at IP header
• Proxy Firewall (Server)
• hides protected private network
• forwards requests from private to public network
  (not within)

77
Firewall Types

• Demilitarized Zone
• more secure
• several layers of firewall protection
• different levels of protection to different
  portions of companys network
• runs between private network and outside public
  network

78
Bypassing Firewalls
Firewall
79
Agenda

• AIS Threats
• Control concepts
• General controls for
  information systems
• Internet controls
• Contingency management

80
Contingency Management

• Disaster Recovery
  is reactive
• Contingency Management is
  proactive
• Continuity Planning latest term
• Accounting standards in terms of
  Disaster Recovery

81
Disaster Recovery Plan

• Purpose to ensure processing
  capacity can be restored as smoothly and
  quickly as possible in the
  event of
• a major disaster
• a temporary disruption

82
Disaster Plan Objectives

• Minimize disruption, damage,
  and loss
• Temporarily establish alternative
  means of processing information
• Resume normal operations as soon as possible
• Train and familiarize personnel with emergency
  operations

83
Plan Elements

• Priorities for recovery process
• Backup data and program files
• Backup facilities
• reciprocal agreements
• hot and cold sites
• shadow mode (parallel)

84
Back Up Data

• Rollback
• predated copy of each record
  created prior to processing transaction
• If hardware failure
• records rolled back to predated
  version
• transactions processed from beginning

85
Back Up Data Decisions

• How often? (e.g., weekly)
• Exposure Risk Expected Loss
• Where do you store backup data
• on-site (e.g., fireproof safe)
• off-site (incurs costs)
• How quick to recover?
• What is recovered first?

86
Remote Access

• Computer World, 1/21/02
• Companies eying remote access as
  contingency management tool
• Scrambling to develop remote access systems
• Result of September 11
• If main facilities down, still can communicate
  with one another

87
Recovery Plan

• Recovery plan not complete
  until tested by simulating disaster
• EDS
• Plan must be continuously reviewed and
  revised so it reflects current situation
• Plan should include insurance coverage

88
Cardinal Health

• Redundant systems for critical
  order processing
• Redundant WAN trunks
• System data backed up daily
• backup media kept off-site
• Backup replica site
• different part of country
• switched on within 30 minutes

89
The Money Store

• Databases backed up every
  evening
• Back-up files stored at
• on-site
• information storage vendor
• Automatic archival process that periodically
  pulls / stores back-up data files

90
The Money Store

• Call Centers
• in 3 locations nationally
• separated so that a natural disaster will not hit
  all three simultaneously
• calls electronically rerouted to other two sites
• in Sacramento, rent vacant building as emergency
  site

91
Topics Covered

• AIS Threats
• Control concepts
• General controls for
  information systems
• Internet controls
• Contingency management