Information Systems Control - PowerPoint PPT Presentation

Dr. Yan Xiong, College of Business, CSU Sacramento, January 27, 2003. This lecture is based on Martin (2002) and Romney and Steinbart (2002).

Slides: 92
Provided by: csusEdui79
Learn more at: https://www.csus.edu

1
Information Systems Control
  • Dr. Yan Xiong
  • College of Business
  • CSU Sacramento
  • January 27, 2003
  • This lecture is based on Martin (2002) and Romney
    and Steinbart (2002)

2
Agenda
  • AIS Threats
  • Internal Controls
  • General controls for
    information systems
  • Internet controls
  • Contingency management

3
AIS Threats
  • Natural and political
    disasters
  • fire or excessive heat
  • floods
  • earthquakes
  • high winds
  • war

4
AIS Threats
  • Software errors and equipment
    malfunctions
  • hardware failures
  • power outages and fluctuations
  • undetected data transmission errors

5
AIS Threats
  • Unintentional acts
  • accidents caused by human
    carelessness
  • innocent errors of omissions
  • lost or misplaced data
  • logic errors
  • systems that do not meet company needs

6
AIS Threats
  • Intentional acts
  • sabotage
  • computer fraud
  • embezzlement
  • confidentiality breaches
  • data theft

7
Agenda
  • AIS Threats
  • Internal Control
  • Cost-benefit Analysis
  • General controls for
    information systems
  • Internet controls
  • Contingency management

8
Internal Control
  • The COSO (Committee of Sponsoring Organizations)
    study defines internal control as the process
    implemented by the board of directors,
    management, and those under their direction to
    provide reasonable assurance that control
    objectives are achieved with regard to
  • effectiveness and efficiency of operations
  • reliability of financial reporting
  • compliance with applicable laws and regulations

9
Internal Control Classifications
  • The specific control procedures used in the
    internal control and management control systems
    may be classified using the following four
    internal control classifications
  • Preventive, detective, and corrective controls
  • General and application controls
  • Administrative and accounting controls
  • Input, processing, and output controls

10
Types of Controls
  • Preventive: deter problems before they
    arise
  • e.g., segregating duties
  • Detective: discover control problems as soon
    as they arise
  • e.g., bank reconciliation
  • Corrective: remedy problems discovered with
    detective controls
  • e.g., file backups

11
Internal Control Model
  • COSO's internal control model has five crucial
    components
  • Control environment
  • Control activities
  • Risk assessment
  • Information and communication
  • Monitoring

12
The Control Environment
  • The control environment consists of many factors,
    including the following
  • Commitment to integrity and ethical values
  • Management's philosophy and operating style
  • Organizational structure

13
The Control Environment
  • The audit committee of the board of directors
  • Methods of assigning authority and responsibility
  • Human resources policies and practices
  • External influences

14
Control Activities
  • Generally, control procedures fall into one of
    five categories
  • Proper authorization of transactions and
    activities
  • Segregation of duties
  • Design and use of adequate documents and records
  • Adequate safeguards of assets and records
  • Independent checks on performance

15
Proper Authorization of Transactions and
Activities
  • Authorization is the empowerment management gives
    employees to perform activities and make
    decisions.
  • Digital signature or fingerprint is a means of
    signing a document with a piece of data that
    cannot be forged.
  • Specific authorization is the granting of
    authorization by management for certain
    activities or transactions.

16
Segregation of Duties
  • Good internal control demands that no single
    employee be given too much responsibility.
  • An employee should not be in a position to
    perpetrate and conceal fraud or unintentional
    errors.

17
Segregation of Duties
  • Custodial functions: handling cash, handling
    assets, writing checks, receiving checks in mail
  • Authorization functions: authorization
    of transactions
  • Recording functions: preparing source
    documents, maintaining journals, preparing
    reconciliations, preparing performance reports
18
Segregation of Duties
  • If two of these three functions are the
    responsibility of a single person, problems can
    arise.
  • Segregation of duties prevents employees from
    falsifying records in order to conceal theft of
    assets entrusted to them.
  • Prevent authorization of a fictitious or
    inaccurate transaction as a means of concealing
    asset thefts.

19
Segregation of Duties
  • Segregation of duties prevents an employee from
    falsifying records to cover up an inaccurate or
    false transaction that was inappropriately
    authorized.
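
The rule on slides 17 to 19 (no single person holds two of the three function groups) can be checked mechanically over a list of duty assignments. The script below is an added example and not part of the lecture: it maps each duty named on slide 17 to its function group and reports every employee holding two or more groups. The employee names, the sample assignments and the function names are constructed for this illustration.

```python
# Added example, not from the lecture: a segregation-of-duties check over a
# constructed list of duty assignments. Names are assumptions.

# The three function groups from the slide's segregation-of-duties triangle.
FUNCTION_OF_DUTY = {
    "handle cash": "custodial",
    "handle assets": "custodial",
    "write checks": "custodial",
    "receive checks in mail": "custodial",
    "authorize transactions": "authorization",
    "prepare source documents": "recording",
    "maintain journals": "recording",
    "prepare reconciliations": "recording",
    "prepare performance reports": "recording",
}

# Constructed sample: which duties each employee currently performs.
SAMPLE_ASSIGNMENTS = [
    ("alice", "handle cash"),
    ("alice", "maintain journals"),            # custody + recording: conflict
    ("bob", "authorize transactions"),
    ("bob", "write checks"),                   # authorization + custody: conflict
    ("carol", "prepare reconciliations"),
    ("carol", "prepare performance reports"),  # both recording: no conflict
    ("dave", "unknown duty"),                  # not in the map: reported separately
]

def functions_per_employee(assignments):
    """Map each employee to the set of function groups they hold; duties the
    map does not know are returned separately so they are not silently ignored."""
    held = {}
    unknown = []
    for employee, duty in assignments:
        group = FUNCTION_OF_DUTY.get(duty)
        if group is None:
            unknown.append((employee, duty))
            continue
        held.setdefault(employee, set()).add(group)
    return held, unknown

def sod_conflicts(assignments):
    """Return {employee: sorted function groups} for everyone holding two or
    more of custodial, authorization and recording."""
    held, _ = functions_per_employee(assignments)
    return {e: sorted(g) for e, g in held.items() if len(g) >= 2}

if __name__ == "__main__":
    for employee, groups in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{employee}: holds {' + '.join(groups)} -> needs a compensating control")
    _, unmapped = functions_per_employee(SAMPLE_ASSIGNMENTS)
    print("duties not classified:", unmapped)
```

Run on a real role listing, the conflicts it prints are the cases where a compensating control (independent review, dual approval) is needed because the duties cannot be split, which is the small-firm situation slide 47 raises.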

20
Design and Use of Adequate Documents and Records
  • The proper design and use of documents and
    records helps ensure the accurate and complete
    recording of all relevant transaction data.
  • Documents that initiate a transaction should
    contain a space for authorization.

21
Design and Use of Adequate Documents and Records
  • The following procedures safeguard assets from
    theft, unauthorized use, and vandalism
  • effectively supervising and segregating duties
  • maintaining accurate records of assets, including
    information
  • restricting physical access to cash and paper
    assets
  • having restricted storage areas

22
Adequate Safeguards of Assets and Records
  • What can be used to safeguard assets?
  • cash registers
  • safes, lockboxes
  • safety deposit boxes
  • restricted and fireproof storage areas
  • controlling the environment
  • restricted access to computer rooms, computer
    files, and information

23
Independent Checks on Performance
  • Independent checks to ensure that transactions
    are processed accurately are another important
    control element.
  • What are various types of independent checks?
  • reconciliation of two independently maintained
    sets of records
  • comparison of actual quantities with recorded
    amounts

24
Independent Checks on Performance
  • double-entry accounting
  • batch totals
  • Five batch totals are used in computer systems
  • A financial total is the sum of a dollar field.
  • A hash total is the sum of a field that would
    usually not be added.

25
Independent Checks on Performance
  • A record count is the number of documents
    processed.
  • A line count is the number of lines of data
    entered.
  • A cross-footing balance test compares the grand
    total of all the rows with the grand total of all
    the columns to check that they are equal.
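
An added example (not from the lecture) of the five batch totals in working code, run over a constructed three-record payroll batch; the field names, sample values and function names are assumptions. It shows why a hash total is taken over a field that is not meaningful to add: a transposed account number leaves the financial total unchanged but moves the hash total.

```python
# Added example, not from the lecture: the five batch totals over a constructed
# payroll batch. Field names, values and function names are assumptions.

SAMPLE_BATCH = [  # constructed input documents
    {"employee_no": 1001, "account": 4410, "amount": 1250.00, "lines": 2},
    {"employee_no": 1002, "account": 4410, "amount": 980.50, "lines": 1},
    {"employee_no": 1003, "account": 4420, "amount": 2100.00, "lines": 3},
]

def batch_totals(records):
    """The control totals computed before the batch is submitted."""
    return {
        "financial_total": round(sum(r["amount"] for r in records), 2),  # sum of a dollar field
        "hash_total": sum(r["account"] for r in records),   # sum of a field not meaningful to add
        "record_count": len(records),                        # documents processed
        "line_count": sum(r["lines"] for r in records),      # lines of data entered
    }

def check_batch(submitted_totals, received_records):
    """Receiving side: recompute the totals and list every one that disagrees."""
    recomputed = batch_totals(received_records)
    return [name for name, value in submitted_totals.items() if recomputed[name] != value]

def cross_foot(row_totals, col_totals):
    """Cross-footing balance test: the grand total of the reported row totals
    must equal the grand total of the reported column totals."""
    return sum(row_totals) == sum(col_totals)

def transposed_copy(records):
    """Constructed error: two digits of one account number swapped in transit."""
    damaged = [dict(r) for r in records]
    damaged[1]["account"] = 4140      # was 4410; the dollar amount is untouched
    return damaged

if __name__ == "__main__":
    totals = batch_totals(SAMPLE_BATCH)
    print("submitted:", totals)
    print("mismatch after transposition:", check_batch(totals, transposed_copy(SAMPLE_BATCH)))
    print("mismatch after dropped record:", check_batch(totals, SAMPLE_BATCH[:2]))
    print("cross-foot ok:", cross_foot([300, 700], [400, 600]))
```

A dropped record moves all four totals at once, while the transposition is caught only by the hash total; that is the reason for keeping more than one kind of total on a batch.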

26
Information and Communication
  • The fourth component of COSO's internal control
    model is information and communication.
  • Accountants must understand the following
  • How transactions are initiated
  • How data are captured in machine-readable form or
    converted from source documents

27
Information and Communication
  • How computer files are accessed and updated
  • How data are processed to prepare information
  • How information is reported
  • How transactions are initiated
  • All of these items make it possible for the
    system to have an audit trail.
  • An audit trail exists when individual company
    transactions can be traced through the system.

28
Monitoring Performance
  • The fifth component of COSO's internal control
    model is monitoring.
  • What are the key methods of monitoring
    performance?
  • effective supervision
  • responsibility accounting
  • internal auditing

29
Risk Assessment
  • The third component of COSO's internal control
    model is risk assessment.
  • Companies must identify the threats they face
  • strategic: doing the wrong thing
  • financial: having financial resources lost,
    wasted, or stolen
  • information: faulty or irrelevant information,
    or unreliable systems

30
Risk Assessment
  • Companies that implement electronic data
    interchange (EDI) must identify the threats the
    system will face, such as
  • Choosing an inappropriate technology
  • Unauthorized system access
  • Tapping into data transmissions
  • Loss of data integrity

31
Risk Assessment
  • Incomplete transactions
  • System failures
  • Incompatible systems

32
Risk Assessment
  • Some threats pose a greater risk because the
    probability of their occurrence is more likely.
  • What is an example?
  • A company is more likely to be the victim of a
    computer fraud rather than a terrorist attack.
  • Risk and exposure must be considered together.

33
Cost and Benefits
  • Benefit of a control
    procedure is the difference between
  • expected loss with the control procedure(s)
  • expected loss without it

34
Loss / Fraud Conditions
  • Threat: potential adverse or
    unwanted event that can be
    injurious to the AIS
  • Exposure: potential maximum loss if
    the event occurs
  • Risk: likelihood that the event will occur
  • Expected Loss = Risk × Exposure

35
Loss / Fraud Conditions
For each AIS threat:
  Exposure (maximum loss) × Risk (likelihood of event occurring) = Expected Loss (potential loss)
36
Exposures
Possible Threat   Symbol   Exposure   Risk
Disaster          D        H          L
Power Outage      O        M          H
System Down       H        L          L
Human Error       E        M          M
Fraud             F        M          L
Data Theft        T        L          M
Sabotage          S        H          L
(H = high, M = medium, L = low)
37
Risk Assessment of Controls
(figure: risk assessment of controls, plotted per threat; only the axis label "Threat" survives in the transcript)
38
Payroll Case
Condition          Without   With    Difference
Cost Payroll       10K       10K
Risk of Error      15%       1%
Error Cost         1.5K      0.1K    1.4K
Validate Cost      0         0.6K    (0.6K)
Expected Benefit                     0.8K
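
The expected-loss arithmetic of slides 33 to 38 as an added Python example, not the lecture's own material: the payroll figures are the slide's, while the function names and the numeric scoring used to rank the slide 36 exposures by H/M/L are assumptions.

```python
# Added example, not from the lecture: expected loss, control cost/benefit and
# the payroll case from the slides. Function names and the H/M/L scoring are
# assumptions; the payroll figures are the slide's.

def expected_loss(risk, exposure):
    """Expected Loss = Risk x Exposure, with risk a probability in [0, 1]."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability between 0 and 1")
    return round(risk * exposure, 2)

def control_benefit(risk_without, risk_with, exposure, control_cost):
    """Net benefit of a control: reduction in expected loss minus what it costs."""
    reduction = expected_loss(risk_without, exposure) - expected_loss(risk_with, exposure)
    return round(reduction - control_cost, 2)

def payroll_case():
    """Slide 38: 10K payroll, 15% error risk without validation, 1% with it,
    and validation costing 0.6K."""
    exposure = 10_000
    error_without = expected_loss(0.15, exposure)   # 1,500
    error_with = expected_loss(0.01, exposure)      # 100
    validate_cost = 600
    return {
        "error_cost_without": error_without,
        "error_cost_with": error_with,
        "error_cost_difference": error_without - error_with,   # 1,400
        "validate_cost": validate_cost,
        "expected_benefit": control_benefit(0.15, 0.01, exposure, validate_cost),  # 800
    }

# Slide 36 exposures. Scoring H/M/L as 3/2/1 is an assumption made here.
LEVEL_SCORE = {"H": 3, "M": 2, "L": 1}
THREATS = [  # (threat, exposure, risk)
    ("Disaster", "H", "L"), ("Power Outage", "M", "H"), ("System Down", "L", "L"),
    ("Human Error", "M", "M"), ("Fraud", "M", "L"), ("Data Theft", "L", "M"),
    ("Sabotage", "H", "L"),
]

def rank_threats(threats=THREATS):
    """Order threats by exposure x risk so neither factor is read alone: a
    high-exposure but unlikely disaster does not automatically outrank a
    medium-exposure outage that is highly likely. Ties keep slide order."""
    scored = [(name, LEVEL_SCORE[exp] * LEVEL_SCORE[risk]) for name, exp, risk in threats]
    return sorted(scored, key=lambda t: t[1], reverse=True)

if __name__ == "__main__":
    for name, value in payroll_case().items():
        print(f"{name}: {value}")
    print(rank_threats())
```

The ranking is the point of "risk and exposure must be considered together" on slide 32: on this scoring the power outage, with only medium exposure, comes out ahead of the disaster with high exposure because it is far more likely.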
39
Agenda
  • AIS Threats
  • Internal Controls
  • General controls for
    information systems
  • Internet controls
  • Contingency management

40
General Controls
  • General controls ensure that overall computer
    environment is stable and
    well managed
  • General control categories
  • Developing a security plan
  • Segregation of duties within the systems function

41
General Controls
  • Project development controls
  • Physical access controls
  • Logical access controls
  • Data storage controls
  • Data transmission controls
  • Documentation standards
  • Minimizing system downtime

42
General Controls
  • Protection of personal computers
    and client/server networks
  • Internet controls
  • Disaster recovery plans

43
Security Plan
  • Developing and continuously
    updating a comprehensive
    security plan one of most
    important controls for company
  • Questions to be asked
  • Who needs access to what information?
  • When do they need it?
  • On which systems does the information reside?

44
Segregation of Duties
  • In an AIS, procedures that used
    to be performed by separate
    individuals are combined
  • A person with unrestricted access
    to the computer, its programs, and live data
    has the opportunity to both perpetrate and conceal
    fraud

45
Segregation of Duties
  • To combat this threat, organizations must
    implement compensating
    control procedures
  • Authority and responsibility
    must be clearly divided
  • NOTE: must change with increasing levels of
    automation

46
Segregation of Duties
  • Divide following functions
  • Systems analysis
  • Programming
  • Computer operations
  • Users
  • AIS library
  • Data control

47
Duty Segregation
What about small firms?
48
Project Development Controls
  • Long-range master plan
  • Project development plan
  • Periodic performance evaluation
  • Post-implementation review
  • System performance measurements

49
Development Controls
  • Master Development Plan
  • Periodic Performance Review
  • Post Implement Review
  • Performance Measures
50
Physical Access Controls
  • Placing computer equipment
    in locked rooms and restricting access to
    authorized personnel
  • Having only one or two entrances to computer room
  • Requiring proper employee ID
  • Requiring visitors to sign log
  • Installing locks on PCs

51
Logical Access Controls
  • Users should be allowed access only to the data
    they are authorized to use and then only to
    perform specific authorized functions.
  • What are some logical access controls?
  • passwords
  • physical possession identification
  • biometric identification
  • compatibility tests

52
Access Control Matrix
Password   File A   File B   Program 1   Program 2
ABC        0        1        0           0
DEF        1        2        0           0
KLM        1        1        1           1
NOP        3        0        3           0
Legend: 0 = No access, 1 = Read / display, 2 = Update, 3 = Create / delete
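
The matrix above as data, with a compatibility test over it, added here as an example and not part of the lecture. It keys rows by the slide's passwords, assumes the legend's levels are cumulative (Update implies Read / display, Create / delete implies both), and fails closed for any subject, resource or operation it does not know; the function names are assumptions.

```python
# Added example, not from the lecture: the slide's access control matrix as
# data plus a compatibility test over it. Level names follow the slide's
# legend; treating levels as cumulative and the function names are assumptions.

NO_ACCESS, READ, UPDATE, CREATE_DELETE = 0, 1, 2, 3
LEVEL_NAME = {0: "No access", 1: "Read / display", 2: "Update", 3: "Create / delete"}

# Rows keyed by password as on the slide; columns are files A, B and programs 1, 2.
ACCESS_MATRIX = {
    "ABC": {"file_A": 0, "file_B": 1, "prog_1": 0, "prog_2": 0},
    "DEF": {"file_A": 1, "file_B": 2, "prog_1": 0, "prog_2": 0},
    "KLM": {"file_A": 1, "file_B": 1, "prog_1": 1, "prog_2": 1},
    "NOP": {"file_A": 3, "file_B": 0, "prog_1": 3, "prog_2": 0},
}

# Minimum level each operation requires (levels assumed cumulative).
OPERATION_LEVEL = {"read": READ, "update": UPDATE, "create": CREATE_DELETE, "delete": CREATE_DELETE}

def is_permitted(matrix, subject, resource, operation):
    """Compatibility test: allowed only if the granted level covers the operation.
    Unknown subjects, resources or operations are denied (fail closed)."""
    needed = OPERATION_LEVEL.get(operation)
    granted = matrix.get(subject, {}).get(resource)
    if needed is None or granted is None:
        return False
    return granted >= needed

def permitted_operations(matrix, subject, resource):
    """Everything the subject may do to the resource, in OPERATION_LEVEL order."""
    return [op for op in OPERATION_LEVEL if is_permitted(matrix, subject, resource, op)]

if __name__ == "__main__":
    for subject, row in ACCESS_MATRIX.items():
        for resource, level in row.items():
            allowed = permitted_operations(ACCESS_MATRIX, subject, resource)
            print(f"{subject} on {resource}: {LEVEL_NAME[level]} -> {allowed}")
```

The deny-by-default branch is the part worth copying: a lookup that returns nothing must mean no access, never a fall-through to the most permissive level.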
53
Data Storage Controls
  • Information gives company competitive edge and
    makes it viable
  • Company should identify types of
    data used and level of protection
    required for each
  • Company must also document steps taken to
    protect data
  • e.g., off-site storage

54
Data Transmission Controls
  • Reduce risk of data
    transmission failures
  • data encryption (cryptography)
  • routing verification procedures
  • parity bits
  • message acknowledgment techniques

55
Information Transmission System
(figure: information transmission system; only the label "Information" survives in the transcript)
56
Transmission Controls
57
Even Parity Bit System
Message: 1 0 1 1 0 1 1 0 (there are five 1 bits in the message)
Parity bit appended: 1, giving 1 0 1 1 0 1 1 0 1 (six 1 bits, an even count)
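
An added example (not the lecture's) of even-parity generation and checking on the slide's eight-bit message, including the error pattern a single parity bit cannot catch; the function names and the ASCII helper are assumptions.

```python
# Added example, not from the lecture: even parity on the slide's 8-bit message.
# Function names and the ASCII helper are assumptions.

MESSAGE_BITS = [1, 0, 1, 1, 0, 1, 1, 0]   # the slide's message: five 1 bits

def even_parity_bit(bits):
    """Parity bit that makes the count of 1s in message + parity even."""
    return sum(bits) % 2

def add_parity(bits):
    """Transmitter side: append the parity bit to the message."""
    return list(bits) + [even_parity_bit(bits)]

def parity_ok(frame):
    """Receiver side: a correctly received even-parity frame has an even number of 1s."""
    return sum(frame) % 2 == 0

def flip(frame, *positions):
    """Simulate transmission errors by inverting the bits at the given positions."""
    damaged = list(frame)
    for p in positions:
        damaged[p] ^= 1
    return damaged

def with_parity_ascii(text):
    """7-bit ASCII with the even parity bit in the high bit, as older serial
    links sent it; raises UnicodeEncodeError for non-ASCII input."""
    out = bytearray()
    for ch in text.encode("ascii"):
        data_bits = [(ch >> i) & 1 for i in range(7)]
        out.append(ch | (even_parity_bit(data_bits) << 7))
    return bytes(out)

if __name__ == "__main__":
    frame = add_parity(MESSAGE_BITS)
    print("frame:", frame, "ok:", parity_ok(frame))
    print("one bit flipped, detected:", not parity_ok(flip(frame, 3)))
    print("two bits flipped, missed:", parity_ok(flip(frame, 3, 7)))
```

Parity detects any odd number of flipped bits and misses any even number, so it is a control against random line noise, not against deliberate alteration; the message acknowledgment and encryption items on the same slide address what parity cannot.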
58
Data Transmission Controls
  • Added importance when using
    electronic data interchange (EDI)
    or electronic funds transfer
    (EFT)
  • In these types of environments, sound internal
    control is achieved using control procedures

59
Data Transmission Control
  • Controlled physical access to
    network facilities
  • Identification required for all network
    terminals
  • Passwords and dial-in phone numbers changed on
    regular basis
  • Encryption used to secure stored and transmitted
    data
  • Transactions log

60
Documentation Standards
  • Documentation procedures and
    standards ensure clear and concise
    documentation
  • Documentation categories
  • Administrative documentation
  • Systems documentation
  • Operating documentation

61
Minimizing System Downtime
  • Significant financial losses
    can be incurred if
    hardware or software malfunctions cause AIS
    to fail
  • Methods used to minimize system downtime
  • preventive maintenance
  • uninterruptible power system
  • fault tolerance

62
Protection of PCs and Client/Server Networks
  • PCs more vulnerable to security risks
    than mainframe computers
  • Difficult to restrict physical access
  • PC users less aware of importance of security and
    control
  • More people familiar with the operation of PCs
  • Segregation of duties is difficult

63
Protection of PCs and Client/Server Networks
  • Train users in PC-related
    control concepts
  • Restrict access by using
    locks and keys on PCs
  • Establish policies and procedures

64
Protection of PCs and Client/Server Networks
  • Portable PCs should not be
    stored in cars
  • Back up hard disks regularly
  • Encrypt or password protect files
  • Build protective walls around operating systems
  • Use multilevel password controls to limit
    employee access to incompatible data

65
Agenda
  • AIS Threats
  • Control concepts
  • General controls for
    information systems
  • Internet controls
  • Contingency management

66
Internet Controls
  • Internet control is installing a firewall:
    hardware and software that control communications
    between a company's internal network (trusted
    network) and an external network.

67
Internet Controls
  • Passwords
  • Encryption technology
  • Routing verification procedures
  • Installing a firewall

68
Internet Risks
69
Messaging Security
  • Confidentiality
  • Integrity: detect tampering
  • Authentication: correct party
  • Non-repudiation: sender can't deny
  • Access controls: limit entry to authorized users

70
Symmetric Encryption
(figure: symmetric encryption; only the label "Clear Text Message" survives in the transcript)
71
PKI
  • Public Key Infrastructure
  • Most commonly used
  • Two keys
  • public key: publicly available
  • private key: kept secret
  • Two keys related through secret mathematical
    formula
  • Need both to process transaction

72
Biometric Usage
  • For user authentication
  • By order of use
  • finger scanners
  • hand geometry
  • face-recognition
  • eye scan
  • voiceprints
  • signature verification

73
Digital Signature
  • Also called Certificate
  • Issued by trusted third party
  • Certification Authority (CA)
  • Electronic passport to prove identity
  • Provides assurance messages are valid
  • Uses encryption to verify
    identity of unseen partner

74
Firewall
  • Firewall is barrier
    between networks not
    allowing information to flow
    into and out of trusted network

75
Firewalls
76
Firewall Types
  • Packet Filter
  • simplest type
  • doesn't examine data
  • looks at IP header
  • Proxy Firewall (Server)
  • hides protected private network
  • forwards requests from private to public network
    (not within)

77
Firewall Types
  • Demilitarized Zone
  • more secure
  • several layers of firewall protection
  • different levels of protection to different
    portions of company's network
  • runs between private network and outside public
    network
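
An added example (not from the lecture) of the packet-filter behaviour described on slide 76: a first-match rule evaluator that decides on protocol, addresses and destination port from the headers and never inspects the payload. The rule set, the addresses (192.0.2.0/24 standing in for the trusted network, 198.51.100.0/24 for the outside) and the function names are constructed for the illustration.

```python
# Added example, not from the lecture: a first-match packet filter that
# decides on header fields only. Rules, addresses and names are constructed.
import ipaddress

TRUSTED_NET = "192.0.2.0/24"       # constructed: the company's internal network

# First matching rule wins; the last rule makes the default an explicit deny.
RULES = [
    # inbound HTTPS to the public web server only
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "dst": "192.0.2.10/32", "dport": 443},
    # any TCP connection the trusted network initiates outbound
    {"action": "allow", "proto": "tcp", "src": TRUSTED_NET, "dst": "0.0.0.0/0", "dport": None},
    # everything else
    {"action": "deny", "proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": None},
]

def rule_matches(rule, pkt):
    """Match on protocol, source/destination address and destination port.
    The packet's payload is never consulted: that is what 'looks at IP header,
    doesn't examine data' means in practice."""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True

def filter_packet(rules, pkt):
    """Return 'allow' or 'deny' for a packet; fail closed if nothing matches."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "deny"

# Constructed sample traffic (198.51.100.0/24 plays the outside world).
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22},
    {"proto": "tcp", "src": "192.0.2.5", "dst": "198.51.100.7", "dport": 80},
    {"proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(filter_packet(RULES, pkt), pkt)
```

Because only headers are examined, an allowed packet gets the same decision whatever its payload carries; looking into the application data is the job of the proxy firewall on the same slide, which is why the two are layered in the demilitarized-zone design on slide 77.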

78
Bypassing Firewalls
(figure: bypassing firewalls; only the label "Firewall" survives in the transcript)
79
Agenda
  • AIS Threats
  • Control concepts
  • General controls for
    information systems
  • Internet controls
  • Contingency management

80
Contingency Management
  • Disaster Recovery
    is reactive
  • Contingency Management is
    proactive
  • Continuity Planning: the latest term
  • Accounting standards in terms of
    Disaster Recovery

81
Disaster Recovery Plan
  • Purpose: to ensure processing
    capacity can be restored as smoothly and
    quickly as possible in the
    event of
  • a major disaster
  • a temporary disruption

82
Disaster Plan Objectives
  • Minimize disruption, damage,
    and loss
  • Temporarily establish alternative
    means of processing information
  • Resume normal operations as soon as possible
  • Train and familiarize personnel with emergency
    operations

83
Plan Elements
  • Priorities for recovery process
  • Backup data and program files
  • Backup facilities
  • reciprocal agreements
  • hot and cold sites
  • shadow mode (parallel)

84
Back Up Data
  • Rollback: a predated copy of each record is
    created prior to processing the transaction
  • If hardware fails:
  • records are rolled back to the predated
    version
  • transactions are processed from the beginning
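
The rollback scheme above in working form, added as an example and not the lecture's code: a constructed two-account ledger, a batch of transactions and a simulated hardware failure part-way through; the names and figures are assumptions. It also shows what goes wrong if the batch is simply rerun without first rolling back.

```python
# Added example, not from the lecture: rollback with predated copies
# (before-images) and reprocessing from the beginning after a simulated
# hardware failure. Ledger, transactions and names are constructed.

class HardwareFailure(Exception):
    """Stands in for the hardware failure the slide describes."""

LEDGER = {"cash": 1000, "receivables": 500}             # constructed balances
TRANSACTIONS = [("cash", +200), ("receivables", -200), ("cash", -50)]

def process_batch(ledger, transactions, before_images, fail_after=None):
    """Apply transactions in place. Before a record is first touched its
    predated copy is saved in before_images. Raises HardwareFailure after
    fail_after transactions to simulate a crash mid-batch."""
    for i, (account, delta) in enumerate(transactions):
        if fail_after is not None and i == fail_after:
            raise HardwareFailure(f"crash after {i} transactions")
        before_images.setdefault(account, ledger[account])
        ledger[account] += delta

def rollback(ledger, before_images):
    """Restore every touched record to its predated version."""
    for account, value in before_images.items():
        ledger[account] = value
    before_images.clear()

def run_with_recovery(ledger, transactions, fail_after=None):
    """Process the batch; on failure, roll back and reprocess from the start."""
    images = {}
    try:
        process_batch(ledger, transactions, images, fail_after)
        return "ok"
    except HardwareFailure:
        rollback(ledger, images)
        process_batch(ledger, transactions, images)   # the rerun completes
        return "recovered"

def rerun_without_rollback(ledger, transactions, fail_after):
    """What happens if the batch is simply rerun after the crash: the
    transactions applied before the failure are applied a second time."""
    try:
        process_batch(ledger, transactions, {}, fail_after)
    except HardwareFailure:
        pass
    process_batch(ledger, transactions, {})
    return ledger

if __name__ == "__main__":
    good = dict(LEDGER)
    print(run_with_recovery(good, TRANSACTIONS, fail_after=2), good)
    print("no rollback:", rerun_without_rollback(dict(LEDGER), TRANSACTIONS, fail_after=2))
```

The before-images must be written to storage that survives the failure (a journal or log) before the record is changed; keeping them only in memory, as this illustration does, is exactly what a real hardware failure would lose.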

85
Back Up Data Decisions
  • How often? (e.g., weekly)
  • Exposure × Risk = Expected Loss
  • Where do you store backup data
  • on-site (e.g., fireproof safe)
  • off-site (incurs costs)
  • How quick to recover?
  • What is recovered first?

86
Remote Access
  • Computer World, 1/21/02
  • Companies eying remote access as
    contingency management tool
  • Scrambling to develop remote access systems
  • Result of September 11
  • If main facilities down, still can communicate
    with one another

87
Recovery Plan
  • Recovery plan not complete
    until tested by simulating disaster
  • EDS
  • Plan must be continuously reviewed and
    revised so it reflects current situation
  • Plan should include insurance coverage

88
Cardinal Health
  • Redundant systems for critical
    order processing
  • Redundant WAN trunks
  • System data backed up daily
  • backup media kept off-site
  • Backup replica site
  • different part of country
  • switched on within 30 minutes

89
The Money Store
  • Databases backed up every
    evening
  • Back-up files stored at
  • on-site
  • information storage vendor
  • Automatic archival process that periodically
    pulls / stores back-up data files

90
The Money Store
  • Call Centers
  • in 3 locations nationally
  • separated so that a natural disaster will not hit
    all three simultaneously
  • calls electronically rerouted to other two sites
  • in Sacramento, rent vacant building as emergency
    site

91
Topics Covered
  • AIS Threats
  • Control concepts
  • General controls for
    information systems
  • Internet controls
  • Contingency management