
Today’s Lecture Covers


Presentation Transcript


  1. Today’s Lecture Covers
  • Chapter 5 - Controls over Computer Operations and IS Support – Integrity
  • Chapter 7 – Application Controls
  Dsheehy@grantthornton.ca

  2. Integrity
  • System processing is complete, accurate, timely and authorized

  3. Need to Align Computer Operations Services with Business Requirements
  • 7 minimum control standards to ensure that defined user requirements are met
  • Operations and support are to be defined in a formal service agreement
  • Procedures to monitor operations and service delivery performance (use of charge-out systems for IT costs; need to decide on a fair allocation)
  • Management processes should assess the effectiveness and efficiency of service delivery

  4. Aligning Computer Operations Services with Business Requirements
  • 7 minimum control standards (cont’d)
  • Procedures should identify and resolve problems promptly to minimize impact (anticipate user requirements and obtain appropriate resources in advance)
  • Configuration management and planning procedures should be established; it is important to have a hardware and software monitoring and approval process

  5. Aligning Computer Operations Services with Business Requirements
  • The final 2 of 7
  • The operations change management process should ensure the integrity of operations
  • Formal procedures should govern software version usage and the control strategy

  6. Control over Integrity and Availability
  • Ensure complete, accurate and authorized processing of information
  • Ensure continuity of processing services in the event of minor processing errors or minor destruction of records
  • Formal standards and procedures for all significant computer operations
  • The application environment is properly controlled
  • Offsite backup is used

  7. Control over Integrity and Availability
  • Operations service schedules are used and monitored
  • Physical and/or logical control over output
  • Procedures to preserve the integrity of files in off-line storage

  8. Control over System Software
  • Configuration management procedures are used
  • Acquisition and implementation policies are used
  • Change management procedures should be used
  • Protection from viruses

  9. Control over Information Transmission
  • Procedures to protect inbound and outbound information
  • Network design should incorporate the information integrity, confidentiality and availability requirements for transmissions
  • Network implementation and configuration management need to be controlled

  10. Control over Data Management
  • Roles and responsibilities for data management are needed
  • Database design and implementation need to address security, integrity and control requirements
  • Also incorporate reliability and availability requirements

  11. Control over End-User Computing
  • Procedures to ensure that end users conform with organizational strategy
  • Standards for the development, acquisition, documentation and operation of applications and procedures
  • Effective support and training
  • Monitoring of end-user computing

  12. General vs Application Controls
  • General controls are implemented consistently across all applications
  • Application controls are built into specific programs
  • The distinction is often arbitrary; general controls are usually reviewed once for the audit as a whole
  • Application controls must be considered for each significant application
  • If general controls are uniformly strong and operate effectively, obtain that assurance with respect to each application
  • If not, this does not mean each application is affected; need to consider application by application

  13. Application Controls
  • Hardware controls, such as parity checks and character checks
  • Input and output controls, at the source department and at data control
  • Programmed controls (software)

  14. Effective Design
  • Designed with regard to business requirements
  • Designed with regard to business risk analysis
  • Only rely upon application controls after taking general controls into consideration
  • Look for integrity/accuracy
  • Use structured programming techniques
  • Use training

  15. Types of Transactions
  • Each has a different sensitivity and risk of errors
  • Master file changes, updated only periodically
  • Normal business transactions
  • Error correction transactions

  16. Master File Changes
  • Completeness, accuracy and data authorization are critical
  • An error would recur every time the master record is used
  • Make sure the current master files are being used
  • Important to guard against fraud

  17. Normal Transactions
  • Second largest concern, since they make up most transactions
  • Necessary to control effectively
  • Need to include controls over regular transactions and reports

  18. Error Correction Transactions
  • Watch for bypass potential
  • Errors are often put aside and ignored
  • All should be logged, with clear responsibility for correction
  • Ideally put back through regular processing

  19. Preventive Controls over Processing
  • Data entry as close to the source of the transaction as possible, to ensure familiarity
  • Structure operating procedures so that the business activity is not complete until transaction processing is done
  • Eliminate the human component as much as possible
  • Authorize transactions before data entry
  • Use access control software

  20. Preventive Controls over Processing (cont’d)
  • Use 3 levels of access: physical access to the terminal, access control over use of the terminal, and then authorization in the software
  • Scrutinize manually prepared input
  • Use the computer to edit transactions: use edit programs to check for items such as missing data, format, self-checking digits, limits and logical relation checks
  • Use key verification and interactive systems
  • Use formatted input screens
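As an added illustration of the edit checks listed on this slide (this is example code, not from the lecture), the following Python edit routine applies the missing-data, format, self-checking-digit, limit and logical-relation checks to one transaction record. The field layout, the limit values and the use of a mod-10 (Luhn) check digit on the account number are assumptions.

```python
import re
from datetime import date

# Field layout, limits and the mod-10 check-digit scheme are assumptions for this example.
REQUIRED = ("txn_id", "account", "txn_date", "quantity", "unit_price", "total")
MAX_AMOUNT = 50_000.00   # assumed limit for a single transaction

def luhn_valid(number: str) -> bool:
    """Self-checking digit: mod-10 (Luhn) check over the whole account number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_transaction(rec: dict) -> list:
    """Return the edit failures for one record; an empty list means it passes."""
    errors = []
    # Missing-data check: a record with gaps is rejected before any other test
    for f in REQUIRED:
        if rec.get(f) in (None, ""):
            errors.append(f"missing {f}")
    if errors:
        return errors
    # Format checks: ISO date, eight-digit numeric account number
    try:
        txn_date = date.fromisoformat(rec["txn_date"])
    except ValueError:
        errors.append("txn_date format")
        txn_date = None
    if not re.fullmatch(r"\d{8}", rec["account"]):
        errors.append("account format")
    elif not luhn_valid(rec["account"]):   # self-checking digit
        errors.append("account check digit")
    # Limit checks
    if not 0 < rec["quantity"] <= 1000:
        errors.append("quantity limit")
    if not 0 < rec["total"] <= MAX_AMOUNT:
        errors.append("amount limit")
    # Logical relation checks: the extension must foot, and the date cannot be in the future
    if abs(rec["quantity"] * rec["unit_price"] - rec["total"]) > 0.005:
        errors.append("total != quantity * unit_price")
    if txn_date and txn_date > date.today():
        errors.append("txn_date in the future")
    return errors
```

A record that fails is returned with every failure it triggered, so the data control group sees the whole picture rather than only the first rejection.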

  21. Preventive Controls over Processing (cont’d)
  • Use appropriately designed input forms
  • Single-source transaction data: input once
  • Document application control procedures (manuals etc.)
  • Training and supervision
  • Adequate working conditions

  22. Detective Controls
  • Use suspense records for pending transactions
  • Monitor and investigate lack of regular activity (see if transactions were omitted)
  • Verify records by examining assets etc.
  • Prepare budgets and investigate variances
  • Number transactions and check the sequence
  • Group and count source documents and count the number of transactions processed

  23. Detective Controls (cont’d)
  • Use control totals to check completeness
  • Reconcile changes in recorded assets and liabilities to the transactions processed
  • If practical, establish procedures for verification by users
  • Design programmed reasonableness tests
  • Match processing results to source documents in detail
  • Check computations

  24. Detective Controls (cont’d)
  • Use summary and exception reports
  • Use double-entry recording to balance transactions
  • Agree summary records to detailed records
  • Require user approval of results
  • Require error tracking and analysis; develop statistics
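An added example (not part of the lecture) of the batch-level detective controls from slides 22 and 23: record count, control total, hash total and a sequence check, all compared against the control figures prepared when the batch was assembled. The header layout and the constructed batch are assumptions; the batch is built so that the record count alone would not reveal the problem.

```python
from dataclasses import dataclass

@dataclass
class BatchHeader:
    """Control figures recorded in the user department when the batch was prepared (assumed layout)."""
    record_count: int
    amount_total_cents: int   # control total of the transaction amounts
    account_hash: int         # hash total: a meaningless sum of account numbers
    first_seq: int
    last_seq: int

def batch_controls(header: BatchHeader, records: list) -> list:
    """Compare the records that came out of processing with the batch header; return the exceptions."""
    findings = []
    # Record count: were as many transactions processed as were submitted?
    if len(records) != header.record_count:
        findings.append(f"count: expected {header.record_count}, processed {len(records)}")
    # Control total and hash total: did the values survive processing unchanged?
    amount_total = sum(r["amount_cents"] for r in records)
    if amount_total != header.amount_total_cents:
        findings.append(f"amount total: expected {header.amount_total_cents}, got {amount_total}")
    account_hash = sum(int(r["account"]) for r in records)
    if account_hash != header.account_hash:
        findings.append(f"hash total: expected {header.account_hash}, got {account_hash}")
    # Sequence check: a gap means a lost transaction, a repeat means a duplicate
    seqs = sorted(r["seq"] for r in records)
    expected = set(range(header.first_seq, header.last_seq + 1))
    for missing in sorted(expected - set(seqs)):
        findings.append(f"sequence gap: {missing}")
    for dup in sorted({s for s in seqs if seqs.count(s) > 1}):
        findings.append(f"duplicate sequence: {dup}")
    for stray in sorted(set(seqs) - expected):
        findings.append(f"sequence outside batch range: {stray}")
    return findings

# Constructed batch: five documents were submitted, but during processing transaction
# 1003 was dropped and 1004 was keyed twice, so the record count still agrees.
HEADER = BatchHeader(record_count=5, amount_total_cents=125_000,
                     account_hash=50_000_015, first_seq=1001, last_seq=1005)
RECORDS = [
    {"seq": 1001, "account": "10000001", "amount_cents": 10_000},
    {"seq": 1002, "account": "10000002", "amount_cents": 25_000},
    {"seq": 1004, "account": "10000004", "amount_cents": 40_000},
    {"seq": 1004, "account": "10000004", "amount_cents": 40_000},
    {"seq": 1005, "account": "10000005", "amount_cents": 20_000},
]
```

Here the count agrees, so only the totals and the sequence check expose the lost and duplicated transactions; that is why the lecture lists several independent detective controls rather than one.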

  25. Master File Controls
  • Authorize all changes before input
  • Record changes to semi-permanent listings and reconcile the changes
  • Print out for review by knowledgeable users to catch errors
  • Use control totals
  • Application programs should internally label master files

  26. Errors and Exception Controls
  • Use error and exception reports and ensure follow-up
  • Use error logs and define correction procedures and responsibilities
  • Resubmit errors into the NORMAL processing cycle; do not bypass it

  27. Management and Audit Trails
  • File each record in a planned sequence to facilitate retrieval
  • Provide a unique id for each record
  • Retain a source copy for transactions
  • Provide methods of tracing data backwards and forwards through the IS
  • Document retention procedures

  28. Management and Audit Trails (cont’d)
  • Use logs
  • Periodically copy and save permanent records that are overwritten by changes
  • Provide software capability to scrutinize and analyse data

  29. Advanced System Characteristics
  • Absence of independent evidence
  • No visible audit trails
  • Lack of authorization evidence
  • Heavy reliance on internal controls
  • Need to understand the transaction flow
  • Test the controls to be relied upon
  • Audit hardware/software
