Information Systems Control

Dr. Yan Xiong

College of Business

CSU Sacramento

January 27, 2003

This lecture is based on Martin (2002) and Romney and Steinbart (2002)


Agenda

  • AIS Threats
  • Internal Controls
  • General controls for information systems
  • Internet controls
  • Contingency management


AIS Threats

Natural and political disasters:

  • fire or excessive heat
  • floods
  • earthquakes
  • high winds
  • war


AIS Threats

  • Software errors and equipment malfunctions
    • hardware failures
    • power outages and fluctuations
    • undetected data transmission errors


AIS Threats

  • Unintentional acts
    • accidents caused by human carelessness
    • innocent errors of omission
    • lost or misplaced data
    • logic errors
    • systems that do not meet company needs


AIS Threats

  • Intentional acts
    • sabotage
    • computer fraud
    • embezzlement
    • confidentiality breaches
    • data theft


Agenda

  • AIS Threats
  • Internal Control
  • Cost-benefit Analysis
  • General controls for information systems
  • Internet controls
  • Contingency management


Internal Control

The COSO (Committee of Sponsoring Organizations) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:

  • effectiveness and efficiency of operations
  • reliability of financial reporting
  • compliance with applicable laws and regulations


Internal Control Classifications

  • The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
    • Preventive, detective, and corrective controls
    • General and application controls
    • Administrative and accounting controls
    • Input, processing, and output controls


Types of Controls

  • Preventive: deter problems before they arise
    • segregating duties
  • Detective: discover control problems as soon as they arise
    • bank reconciliation
  • Corrective: remedy problems discovered with detective controls
    • file backups


Internal Control Model

  • COSO’s internal control model has five crucial components:
    • Control environment
    • Control activities
    • Risk assessment
    • Information and communication
    • Monitoring


The Control Environment

The control environment consists of many factors, including the following:

  • Commitment to integrity and ethical values
  • Management’s philosophy and operating style
  • Organizational structure


The Control Environment

  • The audit committee of the board of directors
  • Methods of assigning authority and responsibility
  • Human resources policies and practices
  • External influences


Control Activities

Generally, control procedures fall into one of five categories:

  • Proper authorization of transactions and activities
  • Segregation of duties
  • Design and use of adequate documents and records
  • Adequate safeguards of assets and records
  • Independent checks on performance


Proper Authorization of Transactions and Activities

  • Authorization is the empowerment management gives employees to perform activities and make decisions.
  • A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
  • Specific authorization is the granting of authorization by management for certain activities or transactions.


Segregation of Duties

  • Good internal control demands that no single employee be given too much responsibility.
  • An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.


Segregation of Duties

  • Custodial functions
    • Handling cash
    • Handling assets
    • Writing checks
    • Receiving checks in mail
  • Authorization functions
    • Authorization of transactions
  • Recording functions
    • Preparing source documents
    • Maintaining journals
    • Preparing reconciliations
    • Preparing performance reports


Segregation of Duties

  • If two of these three functions are the responsibility of a single person, problems can arise.
  • Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
  • It also prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.


Segregation of Duties

  • Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.


Design and Use of Adequate Documents and Records

  • The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
  • Documents that initiate a transaction should contain a space for authorization.


Design and Use of Adequate Documents and Records

  • The following procedures safeguard assets from theft, unauthorized use, and vandalism:
    • effectively supervising and segregating duties
    • maintaining accurate records of assets, including information
    • restricting physical access to cash and paper assets
    • having restricted storage areas


Adequate Safeguards of Assets and Records

  • What can be used to safeguard assets?
    • cash registers
    • safes, lockboxes
    • safety deposit boxes
    • restricted and fireproof storage areas
    • controlling the environment
    • restricted access to computer rooms, computer files, and information


Independent Checks on Performance

  • Independent checks to ensure that transactions are processed accurately are another important control element.
  • What are various types of independent checks?
    • reconciliation of two independently maintained sets of records
    • comparison of actual quantities with recorded amounts


Independent Checks on Performance

  • double-entry accounting
  • batch totals
  • Five batch totals are used in computer systems:
    • A financial total is the sum of a dollar field.
    • A hash total is the sum of a field that would usually not be added.


Independent Checks on Performance

    • A record count is the number of documents processed.
    • A line count is the number of lines of data entered.
    • A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
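The five batch totals worked through on a constructed batch of invoices, added as an example (not code from the lecture or its sources). The record fields and the customer numbers are assumptions; the processed batch contains one deliberately altered record to show which total catches it.

```python
"""Batch totals over a constructed batch of invoice records.

Added example, not from the lecture or its sources. The record fields
(invoice_no, customer_no, amount, lines) are assumed for illustration.
Totals are taken when the batch is keyed and again after processing; any
total that disagrees points at a lost, duplicated or altered record.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    invoice_no: int
    customer_no: int    # a field nobody would normally add up: hash total
    amount: Decimal     # dollar field: financial total
    lines: int          # detail lines keyed for this invoice: line count


def batch_totals(batch):
    """The four per-batch control totals from the lecture."""
    return {
        "financial_total": sum((inv.amount for inv in batch), Decimal("0")),
        "hash_total": sum(inv.customer_no for inv in batch),
        "record_count": len(batch),
        "line_count": sum(inv.lines for inv in batch),
    }


def mismatched_totals(control, batch):
    """Recompute totals for a processed batch and name those that differ
    from the control totals recorded at input."""
    actual = batch_totals(batch)
    return sorted(name for name in control if control[name] != actual[name])


def cross_foot(row_totals, col_totals):
    """Cross-footing balance test: the grand total of the independently
    footed row totals must equal the grand total of the column totals."""
    row_grand, col_grand = sum(row_totals), sum(col_totals)
    return row_grand == col_grand, row_grand, col_grand


# Constructed batch as keyed by data control.
KEYED = [
    Invoice(1001, 4471, Decimal("120.00"), 2),
    Invoice(1002, 3390, Decimal("75.50"), 1),
    Invoice(1003, 4471, Decimal("300.25"), 3),
]
CONTROL = batch_totals(KEYED)

# Constructed processed batch: invoice 1002 was posted to customer 3309
# instead of 3390. Financial total, record count and line count all still
# agree; only the hash total exposes the transposition.
PROCESSED = [
    Invoice(1001, 4471, Decimal("120.00"), 2),
    Invoice(1002, 3309, Decimal("75.50"), 1),
    Invoice(1003, 4471, Decimal("300.25"), 3),
]

if __name__ == "__main__":
    print(CONTROL)
    print("mismatched:", mismatched_totals(CONTROL, PROCESSED))
    # Report footed with row totals 30 and 70 but one column total mis-added as 50.
    print("cross-foot:", cross_foot([30, 70], [40, 50]))
```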


Information and Communication

  • The fourth component of COSO’s internal control model is information and communication.
  • Accountants must understand the following:
    • How transactions are initiated
    • How data are captured in machine-readable form or converted from source documents


Information and Communication

    • How computer files are accessed and updated
    • How data are processed to prepare information
    • How information is reported
  • All of these items make it possible for the system to have an audit trail.
  • An audit trail exists when individual company transactions can be traced through the system.


Monitoring Performance

  • The fifth component of COSO’s internal control model is monitoring.
  • What are the key methods of monitoring performance?
    • effective supervision
    • responsibility accounting
    • internal auditing


Risk Assessment

  • The third component of COSO’s internal control model is risk assessment.
  • Companies must identify the threats they face:
    • strategic: doing the wrong thing
    • financial: having financial resources lost, wasted, or stolen
    • information: faulty or irrelevant information, or unreliable systems


Risk Assessment

  • Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
    • Choosing an inappropriate technology
    • Unauthorized system access
    • Tapping into data transmissions
    • Loss of data integrity


Risk Assessment

    • Incomplete transactions
    • System failures
    • Incompatible systems


Risk Assessment

  • Some threats pose a greater risk because their occurrence is more probable.
  • What is an example?
  • A company is more likely to be the victim of a computer fraud than of a terrorist attack.
  • Risk and exposure must be considered together.


Cost and Benefits

  • The benefit of a control procedure is the difference between:
    • expected loss with the control procedure(s)
    • expected loss without it


Loss / Fraud Conditions

  • Threat: potential adverse or unwanted event that can be injurious to the AIS
  • Exposure: potential maximum $ loss if the event occurs
  • Risk: likelihood that the event will occur
  • Expected Loss: Risk * Exposure


Loss / Fraud Conditions

For each AIS threat:

    Exposure (maximum potential $ loss)  X  Risk (likelihood of event occurring)  =  Expected Loss



Risk Assessment of Controls

[Figure: decision flow. Threat -> Risk and Exposure -> Control Needs -> Costs -> Cost Beneficial? (Yes: Implement / No)]
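The expected-loss arithmetic and the "Cost Beneficial?" decision from the last four slides, carried through as an added example (not code from the lecture or its sources). The threats, probabilities and dollar figures are constructed; they echo the lecture's computer-fraud versus terrorist-attack comparison.

```python
"""Expected loss and control cost-benefit, using the lecture's definitions:
Expected Loss = Risk x Exposure; the benefit of a control is the expected
loss without it minus the expected loss with it; a control is worth
implementing when that benefit exceeds its cost.

Added example. The threats, probabilities and dollar figures are
constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure: float   # maximum potential $ loss if the event occurs
    risk: float       # likelihood of the event occurring in the period (0..1)

    def expected_loss(self):
        return self.risk * self.exposure


@dataclass(frozen=True)
class Control:
    name: str
    cost: float               # cost of the control over the same period
    residual_risk: float      # likelihood remaining once the control is in place
    residual_exposure: float  # loss still possible once the control is in place


def control_benefit(threat, control):
    """Expected loss without the control minus expected loss with it."""
    with_control = control.residual_risk * control.residual_exposure
    return threat.expected_loss() - with_control


def decide(threat, control):
    """The 'Cost Beneficial?' decision from the risk assessment flow."""
    benefit = control_benefit(threat, control)
    return "implement" if benefit > control.cost else "not cost beneficial"


# Constructed figures for the lecture's own comparison: computer fraud is
# far more likely than a terrorist attack, so it carries the larger expected
# loss even though its exposure is smaller.
FRAUD = Threat("computer fraud", exposure=500_000.0, risk=0.05)
FRAUD_CONTROL = Control("segregation of duties in accounts payable", cost=8_000.0,
                        residual_risk=0.01, residual_exposure=500_000.0)

ATTACK = Threat("terrorist attack on data center", exposure=5_000_000.0, risk=0.0001)
ATTACK_CONTROL = Control("hardened facility", cost=50_000.0,
                         residual_risk=0.0001, residual_exposure=2_000_000.0)

if __name__ == "__main__":
    for t, c in ((FRAUD, FRAUD_CONTROL), (ATTACK, ATTACK_CONTROL)):
        print(f"{t.name}: expected loss {t.expected_loss():,.0f}, "
              f"benefit of '{c.name}' {control_benefit(t, c):,.0f} "
              f"vs cost {c.cost:,.0f} -> {decide(t, c)}")
```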



Agenda

  • AIS Threats
  • Internal Controls
  • General controls for information systems
  • Internet controls
  • Contingency management


General Controls

  • General controls ensure that the overall computer environment is stable and well managed
  • General control categories:
    • Developing a security plan
    • Segregation of duties within the systems function


General Controls

    • Project development controls
    • Physical access controls
    • Logical access controls
    • Data storage controls
    • Data transmission controls
    • Documentation standards
    • Minimizing system downtime


General Controls

    • Protection of personal computers and client/server networks
    • Internet controls
    • Disaster recovery plans


Security Plan

  • Developing and continuously updating a comprehensive security plan is one of the most important controls for a company
  • Questions to be asked:
    • Who needs access to what information?
    • When do they need it?
    • On which systems does the information reside?


Segregation of Duties

  • In an AIS, procedures that used to be performed by separate individuals are combined
  • A person with unrestricted access to the computer, its programs, and live data has the opportunity to both perpetrate and conceal fraud


Segregation of Duties

  • To combat this threat, organizations must implement compensating control procedures
  • Authority and responsibility must be clearly divided
    NOTE: must change with increasing levels of automation


Segregation of Duties

Divide the following functions:

  • Systems analysis
  • Programming
  • Computer operations
  • Users
  • AIS library
  • Data control


Duty Segregation

[Figure: duty segregation across the systems function. Labels: Analyze, Design Specs, Program, Programs, Archive, Operate, Use, Output. Question posed on the slide: What about small firms?]


Project Development Controls

  • Long-range master plan
  • Project development plan
  • Periodic performance evaluation
  • Post-implementation review
  • System performance measurements


Development Controls

[Figure: development controls along the project life cycle. Labels: Master Development Plan, Project Development Plan, Project Started, Periodic Performance Review, Project Completed, Post-Implementation Review, System Operation, Performance Measures.]


Physical Access Controls

  • Placing computer equipment in locked rooms and restricting access to authorized personnel
  • Having only one or two entrances to the computer room
  • Requiring proper employee ID
  • Requiring visitors to sign a log
  • Installing locks on PCs


Logical Access Controls

  • Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
  • What are some logical access controls?
    • passwords
    • physical possession identification
    • biometric identification
    • compatibility tests


Access Control Matrix

  0 – No access
  1 – Read / display
  2 – Update
  3 – Create / delete
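An access control matrix with the four levels above, and the compatibility test from the previous slide run against it, added as an example (not code from the lecture or its sources). Users, data files and the matrix contents are constructed.

```python
"""Access control matrix with the lecture's four levels, and the
compatibility test that checks a user's requested action against it.

Added example, not from the lecture. Users, resources and the matrix
contents are constructed for illustration.
"""
NO_ACCESS, READ, UPDATE, CREATE_DELETE = 0, 1, 2, 3

# Minimum level each action needs; a higher level includes the lower ones.
ACTION_LEVEL = {
    "read": READ, "display": READ,
    "update": UPDATE,
    "create": CREATE_DELETE, "delete": CREATE_DELETE,
}

# Constructed matrix: rows are users, columns are data files.
MATRIX = {
    "ar_clerk":    {"customer_master": UPDATE,    "ar_ledger": UPDATE,    "payroll": NO_ACCESS},
    "payroll_mgr": {"customer_master": NO_ACCESS, "ar_ledger": NO_ACCESS, "payroll": CREATE_DELETE},
    "auditor":     {"customer_master": READ,      "ar_ledger": READ,      "payroll": READ},
}


def compatibility_test(matrix, user, resource, action):
    """Allow the action only if the user's level for the resource is at
    least the level the action requires. Unknown users or resources are
    denied (default deny); an unknown action is a programming error."""
    if action not in ACTION_LEVEL:
        raise ValueError(f"unknown action: {action}")
    level = matrix.get(user, {}).get(resource, NO_ACCESS)
    return level >= ACTION_LEVEL[action]


def check_and_log(matrix, user, resource, action, log):
    """Run the compatibility test and append the decision to a
    transaction log; the denied attempts are the ones worth reviewing."""
    allowed = compatibility_test(matrix, user, resource, action)
    log.append((user, resource, action, "allowed" if allowed else "denied"))
    return allowed


def denied_attempts(log):
    return [entry for entry in log if entry[3] == "denied"]


def sample_log():
    """Constructed sequence of access attempts, one permitted and three not."""
    log = []
    for user, resource, action in (
        ("ar_clerk", "ar_ledger", "update"),         # allowed: level 2 >= 2
        ("ar_clerk", "payroll", "read"),             # denied: level 0
        ("auditor", "payroll", "delete"),            # denied: read-only
        ("temp_user", "customer_master", "read"),    # denied: not in matrix
    ):
        check_and_log(matrix=MATRIX, user=user, resource=resource, action=action, log=log)
    return log


if __name__ == "__main__":
    for entry in denied_attempts(sample_log()):
        print("DENIED:", entry)
```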


Data Storage Controls

  • Information gives a company its competitive edge and makes it viable
  • A company should identify the types of data used and the level of protection required for each
  • A company must also document the steps taken to protect data
    • e.g., off-site storage


Data Transmission Controls

  • Reduce the risk of data transmission failures
    • data encryption (cryptography)
    • routing verification procedures
    • parity bits
    • message acknowledgment techniques


Information Transmission System

[Figure: Information Source -> Message -> Transmitter -> Signal -> Channel (with Noise) -> Receiver -> Message -> Destination]


Transmission Controls

[Figure: SEND side: Message -> Encrypt (Data Encryption) -> Parity Bit -> Routing Verification; RECEIVE side: Decrypt -> Message -> Message Acknowledgement]


Even Parity Bit System

[Figure: a message in binary containing five "1" bits; a "1" is placed in the parity bit to make an even number of "1"s.]
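The even-parity scheme from the figure, with the receiver's check and the limitation a practitioner should know, added as an example (not code from the lecture or its sources). The message bits are constructed to match the figure's five "1" bits.

```python
"""Even parity bit as in the figure: the parity bit is chosen so the frame
(message plus parity bit) carries an even number of 1 bits.

Added example, not from the lecture. The message below is constructed to
match the figure's description (five 1 bits).
"""


def even_parity_bit(message):
    """1 if the message has an odd number of 1 bits, else 0."""
    return sum(message) % 2


def frame(message):
    """Message bits followed by the even parity bit."""
    return list(message) + [even_parity_bit(message)]


def parity_ok(received):
    """Receiver's check: an even count of 1 bits means no error was
    detected. It cannot tell where an error is, and an even number of
    flipped bits passes the check unnoticed."""
    return sum(received) % 2 == 0


def flip(received, *positions):
    """Simulate transmission noise by inverting the given bit positions."""
    out = list(received)
    for p in positions:
        out[p] ^= 1
    return out


def bits(text):
    """'1101101' -> [1, 1, 0, 1, 1, 0, 1]"""
    return [int(ch) for ch in text]


# Constructed message with five "1" bits, as in the figure.
MESSAGE = bits("1101101")

if __name__ == "__main__":
    sent = frame(MESSAGE)                 # parity bit is 1 -> six 1 bits
    print("sent      :", "".join(map(str, sent)), parity_ok(sent))
    one_error = flip(sent, 2)             # detected: odd number of 1 bits
    print("one flip  :", "".join(map(str, one_error)), parity_ok(one_error))
    two_errors = flip(sent, 2, 5)         # undetected: parity check passes
    print("two flips :", "".join(map(str, two_errors)), parity_ok(two_errors))
```

A single parity bit detects any odd number of flipped bits and none of the even ones, which is why it complements rather than replaces the message acknowledgment and encryption controls on the surrounding slides.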


Data Transmission Controls

  • Added importance when using electronic data interchange (EDI) or electronic funds transfer (EFT)
  • In these types of environments, sound internal control is achieved using control procedures


Data Transmission Control

  • Controlled physical access to network facilities
  • Identification required for all network terminals
  • Passwords and dial-in phone numbers changed on a regular basis
  • Encryption used to secure stored and transmitted data
  • Transactions log


Documentation Standards

  • Documentation procedures and standards ensure clear and concise documentation
  • Documentation categories:
    • Administrative documentation
    • Systems documentation
    • Operating documentation


Minimizing System Downtime

  • Significant financial losses can be incurred if hardware or software malfunctions cause the AIS to fail
  • Methods used to minimize system downtime:
    • preventive maintenance
    • uninterruptible power system
    • fault tolerance


Protection of PCs and Client/Server Networks

  • PCs are more vulnerable to security risks than mainframe computers
    • Difficult to restrict physical access
    • PC users less aware of the importance of security and control
    • More people familiar with the operation of PCs
    • Segregation of duties is difficult


Protection of PCs and Client/Server Networks

  • Train users in PC-related control concepts
  • Restrict access by using locks and keys on PCs
  • Establish policies and procedures


Protection of PCs and Client/Server Networks

  • Portable PCs should not be stored in cars
  • Back up hard disks regularly
  • Encrypt or password protect files
  • Build protective walls around operating systems
  • Use multilevel password controls to limit employee access to incompatible data


Agenda

  • AIS Threats
  • Control concepts
  • General controls for information systems
  • Internet controls
  • Contingency management


Internet Controls

  • Internet control means installing a firewall: hardware and software that control communications between a company’s internal network (trusted network) and an external network.


Internet Controls

  • Passwords
  • Encryption technology
  • Routing verification procedures
  • Installing a firewall


Internet Risks

[Figure: a message originating at Point A is split into packets, which may travel different paths to the intended destination, Point B. Questions raised: Did anyone else see the message? Was the message really sent by Point A? Did Point B receive this message?]


Messaging Security

  • Confidentiality
  • Integrity: detect tampering
  • Authentication: correct party
  • Non-repudiation: sender can’t deny
  • Access controls: limit entry to authorized users


Symmetric Encryption

[Figure: Sender and Receiver hold identical keys. Clear text message -> Encrypt -> Encoded message -> Decrypt -> Clear text message]


PKI

  • Public Key Infrastructure
  • Most commonly used
  • Two keys:
    • public key: publicly available
    • private key: kept secret
  • Two keys related through a secret mathematical formula
  • Need both to process a transaction


Biometric Usage

  • For user authentication
  • By order of use:
    • finger scanners
    • hand geometry
    • face recognition
    • eye scan
    • voiceprints
    • signature verification


Digital Signature

  • Also called Certificate
  • Issued by a trusted third party
    • Certification Authority (CA)
  • Electronic passport to prove identity
  • Provides assurance that messages are valid
  • Uses encryption to verify the identity of an unseen partner


Firewall

  • A firewall is a barrier between networks that restricts the information allowed to flow into and out of the trusted network


Firewalls

[Figure: Internet -> External Screen -> Firewall Access Controls -> Internal Screen -> Sensitive Database. Attempted access is screened; only valid traffic / valid access passes through.]


Firewall Types

  • Packet Filter:
    • simplest type
    • doesn’t examine data
    • looks at the IP header
  • Proxy Firewall (Server):
    • hides the protected private network
    • forwards requests from the private to the public network (not within)


Firewall Types

  • Demilitarized Zone:
    • more secure
    • several layers of firewall protection
    • different levels of protection for different portions of the company’s network
    • runs between the private network and the outside public network


Bypassing Firewalls

[Figure: Internet, Firewall, SERVER (Inventory, Customer Info, Ordering), R&D Department]


Agenda

  • AIS Threats
  • Control concepts
  • General controls for information systems
  • Internet controls
  • Contingency management


Contingency Management

  • Disaster Recovery is reactive
  • Contingency Management is proactive
  • Continuity Planning is the latest term
  • Accounting standards in terms of Disaster Recovery


Disaster Recovery Plan

  • Purpose: to ensure processing capacity can be restored as smoothly and quickly as possible in the event of:
    • a major disaster
    • a temporary disruption


Disaster Plan Objectives

  • Minimize disruption, damage, and loss
  • Temporarily establish alternative means of processing information
  • Resume normal operations as soon as possible
  • Train and familiarize personnel with emergency operations


Plan Elements

  • Priorities for the recovery process
  • Backup data and program files
  • Backup facilities
    • reciprocal agreements
    • hot and cold sites
    • shadow mode (parallel)


Back Up Data

  • Rollback:
    • predated copy of each record created prior to processing the transaction
  • If hardware failure:
    • records rolled back to the predated version
    • transactions processed from the beginning


Back Up Data Decisions

  • How often? (e.g., weekly)
    • Exposure * Risk = Expected Loss
  • Where do you store backup data?
    • on-site (e.g., fireproof safe)
    • off-site (incurs costs)
  • How quick to recover?
  • What is recovered first?


Remote Access

  • Computer World, 1/21/02
  • Companies eyeing remote access as a contingency management tool
  • Scrambling to develop remote access systems
  • Result of September 11
  • If main facilities are down, staff can still communicate with one another


Recovery Plan

  • Recovery plan not complete until tested by simulating a disaster
    • EDS
  • Plan must be continuously reviewed and revised so it reflects the current situation
  • Plan should include insurance coverage


Cardinal Health

  • Redundant systems for critical order processing
  • Redundant WAN trunks
  • System data backed up daily
    • backup media kept off-site
  • Backup replica site
    • different part of the country
    • switched on within 30 minutes


The Money Store

  • Databases backed up every evening
  • Back-up files stored:
    • on-site
    • with an information storage vendor
  • Automatic archival process that periodically pulls / stores back-up data files


The Money Store

  • Call Centers
    • in 3 locations nationally
    • separated so that a natural disaster will not hit all three simultaneously
    • calls electronically rerouted to the other two sites
    • in Sacramento, rent a vacant building as an emergency site


Topics Covered

  • AIS Threats
  • Control concepts
  • General controls for information systems
  • Internet controls
  • Contingency management

