Title: Information Systems Control
Slide 1: Information Systems Control
- Dr. Yan Xiong
- College of Business
- CSU Sacramento
- January 27, 2003
- This lecture is based on Martin (2002) and Romney and Steinbart (2002)
Slide 2: Agenda
- AIS Threats
- Internal Controls
- General controls for information systems
- Internet controls
- Contingency management
Slide 3: AIS Threats
- Natural and political disasters
  - fire or excessive heat
  - floods
  - earthquakes
  - high winds
  - war
Slide 4: AIS Threats
- Software errors and equipment malfunctions
  - hardware failures
  - power outages and fluctuations
  - undetected data transmission errors
Slide 5: AIS Threats
- Unintentional acts
  - accidents caused by human carelessness
  - innocent errors of omission
  - lost or misplaced data
  - logic errors
  - systems that do not meet company needs
Slide 6: AIS Threats
- Intentional acts
  - sabotage
  - computer fraud
  - embezzlement
  - confidentiality breaches
  - data theft
Slide 7: Agenda
- AIS Threats
- Internal Control
- Cost-benefit Analysis
- General controls for information systems
- Internet controls
- Contingency management
Slide 8: Internal Control
- The COSO (Committee of Sponsoring Organizations) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
  - effectiveness and efficiency of operations
  - reliability of financial reporting
  - compliance with applicable laws and regulations
Slide 9: Internal Control Classifications
- The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
  - Preventive, detective, and corrective controls
  - General and application controls
  - Administrative and accounting controls
  - Input, processing, and output controls
Slide 10: Types of Controls
- Preventive controls deter problems before they arise (e.g., segregating duties)
- Detective controls discover control problems as soon as they arise (e.g., bank reconciliation)
- Corrective controls remedy problems discovered with detective controls (e.g., file backups)
Slide 11: Internal Control Model
- COSO's internal control model has five crucial components:
  - Control environment
  - Control activities
  - Risk assessment
  - Information and communication
  - Monitoring
Slide 12: The Control Environment
- The control environment consists of many factors, including the following:
  - Commitment to integrity and ethical values
  - Management's philosophy and operating style
  - Organizational structure
Slide 13: The Control Environment
  - The audit committee of the board of directors
  - Methods of assigning authority and responsibility
  - Human resources policies and practices
  - External influences
Slide 14: Control Activities
- Generally, control procedures fall into one of five categories:
  - Proper authorization of transactions and activities
  - Segregation of duties
  - Design and use of adequate documents and records
  - Adequate safeguards of assets and records
  - Independent checks on performance
Slide 15: Proper Authorization of Transactions and Activities
- Authorization is the empowerment management gives employees to perform activities and make decisions.
- A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
- Specific authorization is the granting of authorization by management for certain activities or transactions.
Slide 16: Segregation of Duties
- Good internal control demands that no single employee be given too much responsibility.
- An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.
Slide 17: Segregation of Duties
- Custodial functions: handling cash, handling assets, writing checks, receiving checks in the mail
- Authorization functions: authorization of transactions
- Recording functions: preparing source documents, maintaining journals, preparing reconciliations, preparing performance reports
Slide 18: Segregation of Duties
- If two of these three functions are the responsibility of a single person, problems can arise.
- Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
- It prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
Slide 19: Segregation of Duties
- Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
Slide 20: Design and Use of Adequate Documents and Records
- The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
- Documents that initiate a transaction should contain a space for authorization.
Slide 21: Design and Use of Adequate Documents and Records
- The following procedures safeguard assets from theft, unauthorized use, and vandalism:
  - effectively supervising and segregating duties
  - maintaining accurate records of assets, including information
  - restricting physical access to cash and paper assets
  - having restricted storage areas
Slide 22: Adequate Safeguards of Assets and Records
- What can be used to safeguard assets?
  - cash registers
  - safes, lockboxes
  - safety deposit boxes
  - restricted and fireproof storage areas
  - controlling the environment
  - restricted access to computer rooms, computer files, and information
Slide 23: Independent Checks on Performance
- Independent checks to ensure that transactions are processed accurately are another important control element.
- What are the various types of independent checks?
  - reconciliation of two independently maintained sets of records
  - comparison of actual quantities with recorded amounts
Slide 24: Independent Checks on Performance
  - double-entry accounting
  - batch totals
- Five batch totals are used in computer systems:
  - A financial total is the sum of a dollar field.
  - A hash total is the sum of a field that would usually not be added.
Slide 25: Independent Checks on Performance
  - A record count is the number of documents processed.
  - A line count is the number of lines of data entered.
  - A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
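The batch totals on slides 24 and 25 are easiest to appreciate when you see them catch something. The following is an added example, not code from the lecture or from Romney and Steinbart: it computes the financial total, hash total, record count and line count over a constructed batch of payroll detail records, re-checks them after a simulated processing error, and runs a cross-footing balance test on the row and column totals of a constructed report. All record values, field names and amounts are constructed for the illustration.

```python
"""Batch totals as an independent check on processing.

Added example (not part of the lecture): a constructed batch of payroll
detail records is summarised with the batch totals the slides list, the
totals are taken again after processing, and any disagreement is reported.
All record values, field names and amounts below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Record:
    employee_id: int            # a field that would usually not be added: feeds the hash total
    amounts: Tuple[float, ...]  # one dollar amount per detail line (constructed)


# Constructed input batch, as it might be keyed from source documents.
BATCH: List[Record] = [
    Record(1001, (500.0, 250.0)),
    Record(1002, (300.0,)),
    Record(1003, (125.0, 75.0, 100.0)),
]


def batch_totals(records: List[Record]) -> Dict[str, float]:
    """Compute the four per-batch control totals named on the slides."""
    return {
        "financial_total": sum(sum(r.amounts) for r in records),  # sum of the dollar field
        "hash_total": sum(r.employee_id for r in records),         # sum of a non-dollar field
        "record_count": len(records),                              # number of documents
        "line_count": sum(len(r.amounts) for r in records),        # number of detail lines
    }


def verify_totals(control: Dict[str, float], records: List[Record]) -> List[str]:
    """Return the names of the totals that no longer agree with the control totals
    taken at input time."""
    actual = batch_totals(records)
    return [name for name, value in control.items() if actual[name] != value]


def cross_foot(row_totals: List[float], column_totals: List[float]) -> bool:
    """Cross-footing balance test: the grand total of the row totals on a report
    must equal the grand total of its column totals."""
    return sum(row_totals) == sum(column_totals)


# Constructed report totals: departments (rows) by expense category (columns).
CORRECT_ROW_TOTALS = [300.0, 700.0]
CORRECT_COLUMN_TOTALS = [400.0, 600.0]


if __name__ == "__main__":
    control = batch_totals(BATCH)
    print("control totals:", control)

    # A processing error that changes one amount shows up in the financial total only.
    altered = [BATCH[0], Record(1002, (330.0,)), BATCH[2]]
    print("altered amount ->", verify_totals(control, altered))

    # A dropped record disturbs every total.
    print("dropped record ->", verify_totals(control, BATCH[:2]))

    print("cross-foot ok  ->", cross_foot(CORRECT_ROW_TOTALS, CORRECT_COLUMN_TOTALS))
    print("cross-foot bad ->", cross_foot([300.0, 770.0], CORRECT_COLUMN_TOTALS))
```

The point worth noticing is which total catches which error: a changed amount only moves the financial total, while a lost record moves all four, so the pattern of disagreements tells the operator what kind of failure to look for.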
Slide 26: Information and Communication
- The fourth component of COSO's internal control model is information and communication.
- Accountants must understand the following:
  - How transactions are initiated
  - How data are captured in machine-readable form or converted from source documents
Slide 27: Information and Communication
  - How computer files are accessed and updated
  - How data are processed to prepare information
  - How information is reported
  - How transactions are initiated
- All of these items make it possible for the system to have an audit trail.
- An audit trail exists when individual company transactions can be traced through the system.
Slide 28: Monitoring Performance
- The fifth component of COSO's internal control model is monitoring.
- What are the key methods of monitoring performance?
  - effective supervision
  - responsibility accounting
  - internal auditing
Slide 29: Risk Assessment
- The third component of COSO's internal control model is risk assessment.
- Companies must identify the threats they face:
  - strategic: doing the wrong thing
  - financial: having financial resources lost, wasted, or stolen
  - information: faulty or irrelevant information, or unreliable systems
Slide 30: Risk Assessment
- Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
  - Choosing an inappropriate technology
  - Unauthorized system access
  - Tapping into data transmissions
  - Loss of data integrity
Slide 31: Risk Assessment
  - Incomplete transactions
  - System failures
  - Incompatible systems
Slide 32: Risk Assessment
- Some threats pose a greater risk because the probability of their occurrence is more likely.
- What is an example?
  - A company is more likely to be the victim of a computer fraud than of a terrorist attack.
- Risk and exposure must be considered together.
Slide 33: Cost and Benefits
- The benefit of a control procedure is the difference between:
  - the expected loss with the control procedure(s)
  - the expected loss without it
Slide 34: Loss / Fraud Conditions
- Threat: a potential adverse or unwanted event that can be injurious to the AIS
- Exposure: the potential maximum loss if the event occurs
- Risk: the likelihood that the event will occur
- Expected Loss = Risk × Exposure
Slide 35: Loss / Fraud Conditions
- For each AIS threat: Exposure (maximum loss) × Risk (likelihood of event occurring) = Expected Loss (potential loss)
Slide 36: Exposures

| Possible Threat | Symbol | Exposure | Risk |
|---|---|---|---|
| Disaster | D | H | L |
| Power Outage | O | M | H |
| System Down | H | L | L |
| Human Error | E | M | M |
| Fraud | F | M | L |
| Data Theft | T | L | M |
| Sabotage | S | H | L |

(H = high, M = medium, L = low)
Slide 37: Risk Assessment of Controls
- [Figure: risk assessment of controls, by threat]
Slide 38: Payroll Case

| Condition | Without | With | Difference |
|---|---|---|---|
| Cost of Payroll | 10K | 10K | |
| Risk of Error | 15% | 1% | |
| Error Cost | 1.5K | 0.1K | 1.4K |
| Validate Cost | 0 | 0.6K | (0.6K) |
| Expected Benefit | | | 0.8K |
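Slides 33 to 38 carry one small calculation: Expected Loss = Risk × Exposure, and the benefit of a control is the drop in expected loss net of what the control costs. The following is an added example, not code from the lecture or its sources: it reproduces the payroll case (10K exposure, 15% versus 1% error risk, 0.6K validation cost) and then ranks the threats on the Exposures slide by expected loss. The dollar figures and probabilities assigned to the H/M/L ratings are constructed assumptions for the illustration; the lecture gives only the ratings.

```python
"""Expected loss and the cost-benefit of a control procedure.

Added example, not from the lecture. It applies the slides' formula
Expected Loss = Risk x Exposure to the payroll case and then ranks the
threats on the Exposures slide. The numeric values assigned to H/M/L
below are constructed assumptions, not figures from the lecture.
"""
from typing import Dict, List, Tuple


def expected_loss(risk: float, exposure: float) -> float:
    """Expected Loss = Risk (probability of the event) x Exposure (maximum loss)."""
    return risk * exposure


def control_benefit(exposure: float, risk_without: float, risk_with: float,
                    control_cost: float) -> Dict[str, float]:
    """Cost-benefit of one control: the benefit is the reduction in expected loss,
    and the net benefit subtracts what the control itself costs."""
    loss_without = expected_loss(risk_without, exposure)
    loss_with = expected_loss(risk_with, exposure)
    benefit = loss_without - loss_with
    return {
        "loss_without": loss_without,
        "loss_with": loss_with,
        "benefit": benefit,
        "control_cost": control_cost,
        "net_benefit": benefit - control_cost,
    }


# Payroll case from the slides: 10K payroll, 15% vs 1% error risk, 0.6K validation cost.
PAYROLL = dict(exposure=10_000.0, risk_without=0.15, risk_with=0.01, control_cost=600.0)

# Threat table from the Exposures slide: (name, symbol, exposure rating, risk rating).
THREATS: List[Tuple[str, str, str, str]] = [
    ("Disaster", "D", "H", "L"),
    ("Power Outage", "O", "M", "H"),
    ("System Down", "H", "L", "L"),
    ("Human Error", "E", "M", "M"),
    ("Fraud", "F", "M", "L"),
    ("Data Theft", "T", "L", "M"),
    ("Sabotage", "S", "H", "L"),
]

# Assumed numeric meaning of the H/M/L ratings (constructed for this example).
EXPOSURE_DOLLARS = {"H": 100_000.0, "M": 10_000.0, "L": 1_000.0}
RISK_PROBABILITY = {"H": 0.5, "M": 0.1, "L": 0.01}


def rank_threats(threats=THREATS) -> List[Tuple[str, float]]:
    """Order threats by expected loss, highest first: the order in which a control
    budget should be spent, which is not the order of the most alarming events."""
    scored = [(name, expected_loss(RISK_PROBABILITY[risk], EXPOSURE_DOLLARS[exposure]))
              for name, _symbol, exposure, risk in threats]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for key, value in control_benefit(**PAYROLL).items():
        print(f"{key:>13}: {value:9.2f}")
    print()
    for name, loss in rank_threats():
        print(f"{name:<13} expected loss {loss:10.2f}")
```

With the assumed ratings, the power outage (medium exposure, high risk) outranks the disaster (high exposure, low risk), which is the slide's point that risk and exposure must be considered together.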
Slide 39: Agenda
- AIS Threats
- Internal Controls
- General controls for information systems
- Internet controls
- Contingency management
Slide 40: General Controls
- General controls ensure that the overall computer environment is stable and well managed
- General control categories:
  1. Developing a security plan
  2. Segregation of duties within the systems function
Slide 41: General Controls
  3. Project development controls
  4. Physical access controls
  5. Logical access controls
  6. Data storage controls
  7. Data transmission controls
  8. Documentation standards
  9. Minimizing system downtime
Slide 42: General Controls
  10. Protection of personal computers and client/server networks
  11. Internet controls
  12. Disaster recovery plans
Slide 43: Security Plan
- Developing and continuously updating a comprehensive security plan is one of the most important controls for a company
- Questions to be asked:
  - Who needs access to what information?
  - When do they need it?
  - On which systems does the information reside?
Slide 44: Segregation of Duties
- In an AIS, procedures that used to be performed by separate individuals are combined
- A person with unrestricted access to the computer, its programs, and live data has the opportunity to both perpetrate and conceal fraud
Slide 45: Segregation of Duties
- To combat this threat, organizations must implement compensating control procedures
- Authority and responsibility must be clearly divided
- NOTE: this must change with increasing levels of automation
Slide 46: Segregation of Duties
- Divide the following functions:
  - Systems analysis
  - Programming
  - Computer operations
  - Users
  - AIS library
  - Data control
Slide 47: Duty Segregation
- What about small firms?
Slide 48: Project Development Controls
- Long-range master plan
- Project development plan
- Periodic performance evaluation
- Post-implementation review
- System performance measurements
Slide 49: Development Controls
- [Figure with four stages: Master Development Plan, Periodic Performance Review, Post Implement Review, Performance Measures]
Slide 50: Physical Access Controls
- Placing computer equipment in locked rooms and restricting access to authorized personnel
- Having only one or two entrances to the computer room
- Requiring proper employee ID
- Requiring visitors to sign a log
- Installing locks on PCs
Slide 51: Logical Access Controls
- Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
- What are some logical access controls?
  - passwords
  - physical possession identification
  - biometric identification
  - compatibility tests
Slide 52: Access Control Matrix

| Password | File A | File B | Program 1 | Program 2 |
|---|---|---|---|---|
| ABC | 0 | 1 | 0 | 0 |
| DEF | 1 | 2 | 0 | 0 |
| KLM | 1 | 1 | 1 | 1 |
| NOP | 3 | 0 | 3 | 0 |

Access codes: 0 = No access, 1 = Read / display, 2 = Update, 3 = Create / delete
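The compatibility test named on slide 51 is the check that consults the matrix on slide 52 for every request. The following is an added example, not code from the lecture: it loads the slide's matrix, decides each request by comparing the access code granted with the code the requested action needs, and logs every decision so denied attempts can be reviewed. Two things are assumptions of this example rather than statements of the lecture: the access codes are treated as cumulative (update includes read, create/delete includes update and read), and the slide's "password" column is used directly as the credential presented, where a real system would look up the authenticated user's ID.

```python
"""Compatibility test against an access control matrix.

Added example, not from the lecture. The matrix is the one on the slide;
the slide labels the rows by password, so that column is used here as the
credential presented. Treating the access codes as cumulative (update
includes read, create/delete includes update and read) is an assumption
made for this example.
"""
from typing import Dict, List, Tuple

NO_ACCESS, READ_DISPLAY, UPDATE, CREATE_DELETE = 0, 1, 2, 3

# Matrix from the slide: rows are credentials, columns are resources.
MATRIX: Dict[str, Dict[str, int]] = {
    "ABC": {"File A": 0, "File B": 1, "Program 1": 0, "Program 2": 0},
    "DEF": {"File A": 1, "File B": 2, "Program 1": 0, "Program 2": 0},
    "KLM": {"File A": 1, "File B": 1, "Program 1": 1, "Program 2": 1},
    "NOP": {"File A": 3, "File B": 0, "Program 1": 3, "Program 2": 0},
}

# Minimum access code each action needs (assumption: codes are cumulative).
ACTION_LEVEL: Dict[str, int] = {
    "read": READ_DISPLAY, "display": READ_DISPLAY,
    "update": UPDATE,
    "create": CREATE_DELETE, "delete": CREATE_DELETE,
}

ACCESS_LOG: List[Tuple[str, str, str, str]] = []   # (credential, resource, action, decision)


def compatibility_test(credential: str, resource: str, action: str) -> bool:
    """Decide whether the credential may perform the action on the resource.
    Unknown credentials or resources are denied (no entry means code 0); every
    decision is logged so that repeated denials can be reviewed."""
    if action not in ACTION_LEVEL:
        raise ValueError(f"unknown action {action!r}")
    granted = MATRIX.get(credential, {}).get(resource, NO_ACCESS)
    allowed = ACTION_LEVEL[action] <= granted
    ACCESS_LOG.append((credential, resource, action, "allow" if allowed else "deny"))
    return allowed


def denied_attempts(log=ACCESS_LOG) -> List[Tuple[str, str, str]]:
    """Detective view: the denied requests, for an auditor or supervisor to review."""
    return [(c, r, a) for c, r, a, decision in log if decision == "deny"]


if __name__ == "__main__":
    checks = [("DEF", "File B", "update"), ("DEF", "File B", "delete"),
              ("NOP", "File A", "create"), ("NOP", "File B", "read"),
              ("KLM", "Program 2", "display"), ("XYZ", "File A", "read")]
    for credential, resource, action in checks:
        decision = compatibility_test(credential, resource, action)
        print(f"{credential} {action:<7} {resource:<9} ->", "allow" if decision else "deny")
    print("denied:", denied_attempts())
```

The default for anything not in the matrix is code 0, so a new file or a mistyped credential is denied until someone deliberately grants access; that default is what makes the matrix a preventive control rather than a suggestion.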
Slide 53: Data Storage Controls
- Information gives a company a competitive edge and makes it viable
- A company should identify the types of data used and the level of protection required for each
- A company must also document the steps taken to protect data (e.g., off-site storage)
Slide 54: Data Transmission Controls
- Reduce the risk of data transmission failures:
  - data encryption (cryptography)
  - routing verification procedures
  - parity bits
  - message acknowledgment techniques
Slide 55: Information Transmission System
- [Figure: information transmission system]
Slide 56: Transmission Controls
- [Figure: transmission controls]
Slide 57: Even Parity Bit System
- There are five 1 bits in the message
- Message: 1 0 1 1 0 1 1 0
- Parity bit: 1 (appended so that the total number of 1 bits is even)
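To see why slide 54 lists parity bits alongside acknowledgments rather than on their own, it helps to run the check over a damaged word. The following is an added example, not code from the lecture: it takes the slide's message (1 0 1 1 0 1 1 0, five 1 bits), appends the even parity bit, and then shows the receiver's check catching a single flipped bit and missing two flipped bits. The bit positions flipped are constructed for the demonstration.

```python
"""Even parity bit: what it catches and what it misses.

Added example, not from the lecture. The message is the one on the slide
(1 0 1 1 0 1 1 0, five 1 bits); the sender appends a parity bit so the
count of 1s is even, and the receiver re-counts. The flipped bit positions
are constructed for the demonstration.
"""
from typing import List

MESSAGE: List[int] = [1, 0, 1, 1, 0, 1, 1, 0]   # five 1 bits, as on the slide


def even_parity_bit(bits: List[int]) -> int:
    """Parity bit that makes the total number of 1s (message plus parity) even:
    1 when the message has an odd number of 1s, otherwise 0."""
    return sum(bits) % 2


def encode(bits: List[int]) -> List[int]:
    """Transmitted word: the message followed by its parity bit."""
    return list(bits) + [even_parity_bit(bits)]


def parity_ok(word: List[int]) -> bool:
    """Receiver's check: accept only if the count of 1s in the whole word is even."""
    return sum(word) % 2 == 0


def flip(word: List[int], *positions: int) -> List[int]:
    """Simulate transmission errors by inverting the bits at the given positions."""
    damaged = list(word)
    for pos in positions:
        damaged[pos] ^= 1
    return damaged


if __name__ == "__main__":
    word = encode(MESSAGE)
    print("sent      ", word, "parity ok:", parity_ok(word))
    print("1-bit flip", flip(word, 2), "parity ok:", parity_ok(flip(word, 2)))
    # Two errors cancel out: parity detects every odd number of flipped bits and
    # no even number, which is why it is paired with acknowledgments and other
    # transmission controls rather than relied on alone.
    print("2-bit flip", flip(word, 2, 5), "parity ok:", parity_ok(flip(word, 2, 5)))
```

A damaged parity bit is caught just like a damaged data bit, since the receiver counts the whole word; what the check can never tell you is which bit was wrong, so detection here leads to a retransmission, not a correction.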
Slide 58: Data Transmission Controls
- Added importance when using electronic data interchange (EDI) or electronic funds transfer (EFT)
- In these types of environments, sound internal control is achieved using control procedures
Slide 59: Data Transmission Control
- Controlled physical access to network facilities
- Identification required for all network terminals
- Passwords and dial-in phone numbers changed on a regular basis
- Encryption used to secure stored and transmitted data
- Transaction log
Slide 60: Documentation Standards
- Documentation procedures and standards ensure clear and concise documentation
- Documentation categories:
  - Administrative documentation
  - Systems documentation
  - Operating documentation
Slide 61: Minimizing System Downtime
- Significant financial losses can be incurred if hardware or software malfunctions cause the AIS to fail
- Methods used to minimize system downtime:
  - preventive maintenance
  - uninterruptible power system
  - fault tolerance
Slide 62: Protection of PCs and Client/Server Networks
- PCs are more vulnerable to security risks than mainframe computers:
  - Difficult to restrict physical access
  - PC users are less aware of the importance of security and control
  - More people are familiar with the operation of PCs
  - Segregation of duties is difficult
Slide 63: Protection of PCs and Client/Server Networks
- Train users in PC-related control concepts
- Restrict access by using locks and keys on PCs
- Establish policies and procedures
Slide 64: Protection of PCs and Client/Server Networks
- Portable PCs should not be stored in cars
- Back up hard disks regularly
- Encrypt or password-protect files
- Build protective walls around operating systems
- Use multilevel password controls to limit employee access to incompatible data
Slide 65: Agenda
- AIS Threats
- Control concepts
- General controls for information systems
- Internet controls
- Contingency management
Slide 66: Internet Controls
- Internet control is installing a firewall: hardware and software that control communications between a company's internal network (trusted network) and an external network.
Slide 67: Internet Controls
- Passwords
- Encryption technology
- Routing verification procedures
- Installing a firewall
Slide 68: Internet Risks
- [Figure: Internet risks]
Slide 69: Messaging Security
- Confidentiality
- Integrity: detect tampering
- Authentication: correct party
- Non-repudiation: sender can't deny
- Access controls: limit entry to authorized users
Slide 70: Symmetric Encryption
- [Figure: encryption of a clear text message]
Slide 71: PKI
- Public Key Infrastructure
- Most commonly used
- Two keys:
  - public key: publicly available
  - private key: kept secret
- Two keys related through a secret mathematical formula
- Need both to process a transaction
Slide 72: Biometric Usage
- For user authentication
- By order of use:
  - finger scanners
  - hand geometry
  - face recognition
  - eye scan
  - voiceprints
  - signature verification
Slide 73: Digital Signature
- Also called a Certificate
- Issued by a trusted third party, a Certification Authority (CA)
- Electronic passport to prove identity
- Provides assurance that messages are valid
- Uses encryption to verify the identity of an unseen partner
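Slides 69, 71 and 73 between them name integrity, authentication and non-repudiation, a shared-key (symmetric) setting and a public/private key pair. The following is an added example, not code from the lecture or its sources, that puts the two settings side by side: an HMAC over the message with a key both parties hold gives tamper detection and tells the receiver that a key holder sent it, while a signature made with a private key and checked with the matching public key is something only the private key holder could have produced, which is what non-repudiation needs. The RSA parameters (p = 61, q = 53, e = 17) are a textbook-sized toy chosen so the arithmetic is visible; they are constructed and give no real security, and the messages and the shared key are constructed too.

```python
"""Integrity, authentication and non-repudiation: shared key versus key pair.

Added example, not from the lecture. An HMAC (symmetric, both parties hold
the same key) gives tamper detection and tells the receiver that some holder
of the key sent the message. A signature made with a private key and checked
with the matching public key adds non-repudiation: only the private key
holder could have produced it. The RSA parameters below are textbook-sized
(p = 61, q = 53) so the arithmetic is visible; they are a constructed toy
and give no real security. Messages and the shared key are constructed.
"""
import hashlib
import hmac

# --- Shared-secret message authentication code (symmetric) -----------------

SHARED_KEY = b"constructed-shared-secret"   # known to both sender and receiver


def mac_tag(key: bytes, message: bytes) -> str:
    """Tag the receiver recomputes to check integrity and origin."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    # constant-time comparison so the check itself does not leak the tag
    return hmac.compare_digest(mac_tag(key, message), tag)


# --- Toy public-key signature (textbook RSA over a hash, tiny modulus) ------

P, Q, E = 61, 53, 17
N = P * Q                            # 3233: the public modulus
D = pow(E, -1, (P - 1) * (Q - 1))    # 2753: private exponent, inverse of E mod (p-1)(q-1)
PUBLIC_KEY = (E, N)                  # publicly available
PRIVATE_KEY = (D, N)                 # kept secret by the signer


def message_digest(message: bytes) -> int:
    """Hash the message and reduce it into the signing modulus. With a modulus
    this small, distinct messages collide about once in 3233 tries; real keys
    are thousands of bits, which is what removes that gap."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    d, n = private_key
    return pow(message_digest(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    e, n = public_key
    return pow(signature, e, n) == message_digest(message)


if __name__ == "__main__":
    order = b"pay vendor 1234 the sum of 500.00"
    tampered = b"pay vendor 1234 the sum of 900.00"

    tag = mac_tag(SHARED_KEY, order)
    print("MAC accepts original :", mac_verify(SHARED_KEY, order, tag))
    print("MAC rejects tampered :", not mac_verify(SHARED_KEY, tampered, tag))
    # The receiver holds the same key, so it could have produced this tag itself:
    # a MAC cannot prove to a third party which of the two parties sent the message.

    sig = sign(order)
    print("signature verifies   :", verify(order, sig))
    print("tampered rejected    :", not verify(tampered, sig))
```

The MAC half covers the first three properties on slide 69 (confidentiality aside, which needs encryption); only the key-pair half covers non-repudiation, because the verifier holds nothing that could have produced the signature.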
Slide 74: Firewall
- A firewall is a barrier between networks, not allowing information to flow into and out of the trusted network
Slide 75: Firewalls
- [Figure: firewalls]
Slide 76: Firewall Types
- Packet Filter
  - simplest type
  - doesn't examine data
  - looks at the IP header
- Proxy Firewall (Server)
  - hides the protected private network
  - forwards requests from the private to the public network (not within)
Slide 77: Firewall Types
- Demilitarized Zone
  - more secure
  - several layers of firewall protection
  - different levels of protection for different portions of the company's network
  - runs between the private network and the outside public network
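The packet filter on slide 76 "looks at the IP header" and nothing else, and the consequences of that are clearest in a few lines of decision logic. The following is an added example, not code from the lecture or from any firewall product: a rule table is evaluated top to bottom on source, destination, protocol and destination port, the first match decides, and a packet no rule matches is dropped. The rules and addresses (drawn from the 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are constructed for the illustration.

```python
"""A packet filter decision, driven only by IP/transport header fields.

Added example, not from the lecture. The rule set and the addresses (from
the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24)
are constructed. Rules are evaluated top to bottom, the first match wins,
and a packet matching no rule is dropped; the payload is never examined,
which is exactly the limitation the slide gives for packet filters.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for protocols without one


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src_net: str = "0.0.0.0/0"     # any source
    dst_net: str = "0.0.0.0/0"     # any destination
    proto: Optional[str] = None    # None = any protocol
    dport: Optional[int] = None    # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every header field the rule constrains agrees with the packet."""
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# Constructed policy: the trusted network is 192.0.2.0/24, the public web server
# is 192.0.2.10, and the database server 192.0.2.20 is never reachable from outside.
RULES: List[Rule] = [
    Rule("deny", src_net="198.51.100.0/24"),                          # blocked outside range
    Rule("allow", dst_net="192.0.2.10/32", proto="tcp", dport=80),    # anyone -> web server
    Rule("allow", src_net="192.0.2.0/24", proto="tcp", dport=443),    # inside -> any HTTPS
    # anything unmatched falls through to the default below
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES, default: str = "deny") -> str:
    """Return the action of the first rule whose header fields match, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 80),     # outside -> web server
        Packet("203.0.113.5", "192.0.2.20", "tcp", 3306),   # outside -> database
        Packet("192.0.2.55", "203.0.113.9", "tcp", 443),    # inside -> outside HTTPS
        Packet("198.51.100.7", "192.0.2.10", "tcp", 80),    # blocked range -> web server
    ]
    for pkt in samples:
        print(f"{pkt.src:>14} -> {pkt.dst:<12} {pkt.proto}/{pkt.dport}: {filter_packet(pkt)}")
```

Order matters with first-match evaluation: the deny for the blocked range sits above the web-server allow, and moving it below would let that range reach port 80. The default-deny fall-through is what keeps the database port closed without anyone having written a rule about it, and it is also the reason a packet filter can say nothing about what is inside an allowed connection; that is the gap the proxy and DMZ designs on slides 76 and 77 address.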
Slide 78: Bypassing Firewalls
- [Figure: firewall]
Slide 79: Agenda
- AIS Threats
- Control concepts
- General controls for information systems
- Internet controls
- Contingency management
Slide 80: Contingency Management
- Disaster Recovery is reactive
- Contingency Management is proactive
- Continuity Planning is the latest term
- Accounting standards are stated in terms of Disaster Recovery
Slide 81: Disaster Recovery Plan
- Purpose: to ensure processing capacity can be restored as smoothly and quickly as possible in the event of
  - a major disaster
  - a temporary disruption
Slide 82: Disaster Plan Objectives
- Minimize disruption, damage, and loss
- Temporarily establish alternative means of processing information
- Resume normal operations as soon as possible
- Train and familiarize personnel with emergency operations
Slide 83: Plan Elements
- Priorities for the recovery process
- Backup data and program files
- Backup facilities:
  - reciprocal agreements
  - hot and cold sites
  - shadow mode (parallel)
Slide 84: Back Up Data
- Rollback: a predated copy of each record is created prior to processing a transaction
- If a hardware failure occurs:
  - records are rolled back to the predated version
  - transactions are processed from the beginning
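The rollback on slide 84 is a small procedure with a clear sequence: copy before changing, restore the copies on failure, re-run from the first transaction. The following is an added example, not code from the lecture: a batch of account transactions is applied in place, a predated copy of each record is kept before its first change, a hardware failure is simulated part way through, the changed records are restored, and the batch is processed again from the beginning. The account balances, the transactions and the failure point are constructed.

```python
"""Rollback with predated record copies.

Added example, not from the lecture. Before a transaction changes a record,
a predated copy of that record is saved; if processing fails part way
through, every changed record is restored from its predated copy and the
whole batch is processed again from the beginning. Account balances,
transactions and the simulated failure point are constructed.
"""
from typing import Dict, List, Optional, Tuple

Transaction = Tuple[str, float]   # (account, signed amount)


class HardwareFailure(Exception):
    """Stands in for the hardware failure the slide describes."""


def process_batch(records: Dict[str, float], transactions: List[Transaction],
                  fail_after: Optional[int] = None) -> Dict[str, float]:
    """Apply the transactions to records in place. A predated copy of each record
    is taken before its first change; on failure every changed record is rolled
    back to that copy and the failure is re-raised for the caller to handle."""
    predated: Dict[str, float] = {}          # record -> value before the batch touched it
    try:
        for index, (account, amount) in enumerate(transactions, start=1):
            predated.setdefault(account, records[account])   # copy created prior to processing
            records[account] += amount
            if fail_after is not None and index == fail_after:
                raise HardwareFailure(f"failure after transaction {index}")
    except HardwareFailure:
        records.update(predated)             # roll back to the predated versions
        raise
    return records


def run_with_recovery(records: Dict[str, float], transactions: List[Transaction],
                      fail_after: Optional[int] = None) -> Tuple[Dict[str, float], str]:
    """Process the batch; after a failure, restart the whole batch from the beginning."""
    try:
        return process_batch(records, transactions, fail_after), "completed"
    except HardwareFailure:
        # records are already rolled back, so re-running from the first transaction
        # cannot double-apply anything that was processed before the failure
        return process_batch(records, transactions), "recovered"


if __name__ == "__main__":
    accounts = {"A": 100.0, "B": 50.0}
    batch = [("A", -30.0), ("B", 30.0), ("A", 10.0)]
    final, status = run_with_recovery(accounts, batch, fail_after=2)
    print(status, final)
```

Without the rollback step, restarting from the beginning would apply the first two transactions twice; with it, the re-run is safe because the records look exactly as they did before the batch started. Systems that cannot afford to repeat the whole batch journal the transactions as well and resume after the last one completed, which is a different design from the one the slide describes.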
Slide 85: Back Up Data Decisions
- How often? (e.g., weekly)
  - Exposure × Risk = Expected Loss
- Where do you store backup data?
  - on-site (e.g., fireproof safe)
  - off-site (incurs costs)
- How quickly to recover?
- What is recovered first?
Slide 86: Remote Access
- Computer World, 1/21/02
- Companies eyeing remote access as a contingency management tool
- Scrambling to develop remote access systems
- Result of September 11
- If main facilities are down, they can still communicate with one another
Slide 87: Recovery Plan
- Recovery plan is not complete until tested by simulating a disaster (EDS)
- Plan must be continuously reviewed and revised so it reflects the current situation
- Plan should include insurance coverage
Slide 88: Cardinal Health
- Redundant systems for critical order processing
- Redundant WAN trunks
- System data backed up daily
  - backup media kept off-site
- Backup replica site
  - different part of the country
  - switched on within 30 minutes
Slide 89: The Money Store
- Databases backed up every evening
- Back-up files stored:
  - on-site
  - at an information storage vendor
- Automatic archival process that periodically pulls / stores back-up data files
Slide 90: The Money Store
- Call Centers
  - in 3 locations nationally
  - separated so that a natural disaster will not hit all three simultaneously
  - calls electronically rerouted to the other two sites
  - in Sacramento, rent a vacant building as an emergency site
Slide 91: Topics Covered
- AIS Threats
- Control concepts
- General controls for information systems
- Internet controls
- Contingency management