
Information Systems Control

Information Systems Control. Dr. Yan Xiong, College of Business, CSU Sacramento, January 27, 2003. This lecture is based on Martin (2002) and Romney and Steinbart (2002). Agenda: AIS Threats; Internal Controls; General controls for information systems; Internet controls.



Presentation Transcript

  1. Information Systems Control Dr. Yan Xiong College of Business CSU Sacramento January 27, 2003 This lecture is based on Martin (2002) and Romney and Steinbart (2002)

  2. Agenda • AIS Threats • Internal Controls • General controls for information systems • Internet controls • Contingency management

  3. AIS Threats Natural and political disasters: • fire or excessive heat • floods • earthquakes • high winds • war

  4. AIS Threats • Software errors and equipment malfunctions • hardware failures • power outages and fluctuations • undetected data transmission errors

  5. AIS Threats • Unintentional acts • accidents caused by human carelessness • innocent errors or omissions • lost or misplaced data • logic errors • systems that do not meet company needs

  6. AIS Threats • Intentional acts • sabotage • computer fraud • embezzlement • confidentiality breaches • data theft

  7. Agenda • AIS Threats • Internal Control • Cost-benefit Analysis • General controls for information systems • Internet controls • Contingency management

  8. Internal Control The COSO (Committee of Sponsoring Organizations) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to: • effectiveness and efficiency of operations • reliability of financial reporting • compliance with applicable laws and regulations

  9. Internal Control Classifications • The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications: • Preventive, detective, and corrective controls • General and application controls • Administrative and accounting controls • Input, processing, and output controls

  10. Types of Controls • Preventive: deter problems before they arise • segregating duties • Detective: discover control problems as soon as they arise • bank reconciliation • Corrective: remedy problems discovered with detective controls • file backups

  11. Internal Control Model • COSO’s internal control model has five crucial components: • Control environment • Control activities • Risk assessment • Information and communication • Monitoring

  12. The Control Environment The control environment consists of many factors, including the following: • Commitment to integrity and ethical values • Management’s philosophy and operating style • Organizational structure

  13. The Control Environment • The audit committee of the board of directors • Methods of assigning authority and responsibility • Human resources policies and practices • External influences

  14. Control Activities Generally, control procedures fall into one of five categories: • Proper authorization of transactions and activities • Segregation of duties • Design and use of adequate documents and records • Adequate safeguards of assets and records • Independent checks on performance

  15. Proper Authorization of Transactions and Activities • Authorization is the empowerment management gives employees to perform activities and make decisions. • A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged. • Specific authorization is the granting of authorization by management for certain activities or transactions.

  16. Segregation of Duties • Good internal control demands that no single employee be given too much responsibility. • An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

  17. Segregation of Duties • Custodial Functions: handling cash; handling assets; writing checks; receiving checks in mail • Authorization Functions: authorization of transactions • Recording Functions: preparing source documents; maintaining journals; preparing reconciliations; preparing performance reports

  18. Segregation of Duties • If two of these three functions are the responsibility of a single person, problems can arise. • Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them. • It also prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

  19. Segregation of Duties • Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
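As an added example (not from the lecture), the slide 17 rule that no single person should hold two of the three function classes can be checked mechanically over a list of task assignments; the employee names and assignments below are constructed.

```python
# Segregation-of-duties check using the three function classes from slide 17.
# Added example, not from the lecture; employee names and task assignments are constructed.
from itertools import combinations

# Task -> function class, taken from the slide's three columns.
FUNCTION_OF_TASK = {
    "handling cash": "custodial",
    "handling assets": "custodial",
    "writing checks": "custodial",
    "receiving checks in mail": "custodial",
    "authorization of transactions": "authorization",
    "preparing source documents": "recording",
    "maintaining journals": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
}

def functions_of(tasks):
    """Return the set of function classes that an employee's tasks fall into."""
    return {FUNCTION_OF_TASK[t] for t in tasks}

def sod_conflicts(assignments):
    """assignments: {employee: [task, ...]}.
    Returns {employee: sorted list of 'classA+classB' pairs} for every employee
    who holds two (or all three) of custodial, authorization and recording."""
    conflicts = {}
    for emp, tasks in assignments.items():
        held = sorted(functions_of(tasks))
        pairs = [f"{a}+{b}" for a, b in combinations(held, 2)]
        if pairs:
            conflicts[emp] = pairs
    return conflicts

# Constructed sample: bob both writes checks (custody) and keeps the journal (recording).
SAMPLE_ASSIGNMENTS = {
    "alice": ["authorization of transactions"],
    "bob": ["writing checks", "maintaining journals"],
    "carol": ["preparing reconciliations", "preparing performance reports"],
}

if __name__ == "__main__":
    for emp, pairs in sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{emp}: incompatible duties {pairs}")
```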

  20. Design and Use of Adequate Documents and Records • The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data. • Documents that initiate a transaction should contain a space for authorization.

  21. Design and Use of Adequate Documents and Records • The following procedures safeguard assets from theft, unauthorized use, and vandalism: • effectively supervising and segregating duties • maintaining accurate records of assets, including information • restricting physical access to cash and paper assets • having restricted storage areas

  22. Adequate Safeguards of Assets and Records • What can be used to safeguard assets? • cash registers • safes, lockboxes • safety deposit boxes • restricted and fireproof storage areas • controlling the environment • restricted access to computer rooms, computer files, and information

  23. Independent Checks on Performance • Independent checks to ensure that transactions are processed accurately are another important control element. • What are various types of independent checks? • reconciliation of two independently maintained sets of records • comparison of actual quantities with recorded amounts

  24. Independent Checks on Performance • double-entry accounting • batch totals • Five batch totals are used in computer systems: • A financial total is the sum of a dollar field. • A hash total is the sum of a field that would usually not be added.

  25. Independent Checks on Performance • A record count is the number of documents processed. • A line count is the number of lines of data entered. • A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
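The batch totals from slides 24 and 25, as an added example that is not part of the lecture: the totals are computed from a constructed source batch, recomputed after a simulated keying error, and compared, which shows why a hash total catches an error that the financial total and record count do not.

```python
# Batch totals from slides 24-25, computed over a constructed batch and compared
# before and after processing. Added example, not from the lecture.

# Constructed source batch: each record has an account number and dollar line amounts.
SOURCE_BATCH = [
    {"account": 1001, "lines": [120.00, 30.50]},
    {"account": 2045, "lines": [75.25]},
    {"account": 3310, "lines": [10.00, 10.00, 5.00]},
]

def batch_totals(batch):
    """Financial total (sum of a dollar field), hash total (sum of a field that is
    not meaningful to add, here account numbers), record count and line count."""
    return {
        "financial": round(sum(sum(r["lines"]) for r in batch), 2),
        "hash": sum(r["account"] for r in batch),
        "records": len(batch),
        "lines": sum(len(r["lines"]) for r in batch),
    }

def disagreeing_totals(control, actual):
    """Names of the totals that differ between the control (source) and processed data."""
    return sorted(k for k in control if control[k] != actual[k])

def cross_foots(row_totals, column_totals):
    """Cross-footing balance test: the grand total of the reported row totals must
    equal the grand total of the reported column totals."""
    return abs(sum(row_totals) - sum(column_totals)) < 1e-9

def processed_with_keying_error(batch):
    """Constructed processed copy in which account 2045 was mis-keyed as 2054.
    Dollar amounts, record count and line count are unchanged; only the hash total moves."""
    out = [{"account": r["account"], "lines": list(r["lines"])} for r in batch]
    out[1]["account"] = 2054
    return out

if __name__ == "__main__":
    control = batch_totals(SOURCE_BATCH)
    processed = batch_totals(processed_with_keying_error(SOURCE_BATCH))
    print("control totals  :", control)
    print("processed totals:", processed)
    print("totals that disagree:", disagreeing_totals(control, processed))
    # Constructed report: row totals per record vs. column totals per line position.
    print("cross-foots:", cross_foots([150.5, 75.25, 25.0], [205.0, 40.5, 5.25]))
```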

  26. Information and Communication • The fourth component of COSO’s internal control model is information and communication. • Accountants must understand the following: • How transactions are initiated • How data are captured in machine-readable form or converted from source documents

  27. Information and Communication • How computer files are accessed and updated • How data are processed to prepare information • How information is reported • How transactions are initiated • All of these items make it possible for the system to have an audit trail. • An audit trail exists when individual company transactions can be traced through the system.

  28. Monitoring Performance • The fifth component of COSO’s internal control model is monitoring. • What are the key methods of monitoring performance? • effective supervision • responsibility accounting • internal auditing

  29. Risk Assessment • The third component of COSO’s internal control model is risk assessment. • Companies must identify the threats they face: • strategic — doing the wrong thing • financial — having financial resources lost, wasted, or stolen • information — faulty or irrelevant information, or unreliable systems

  30. Risk Assessment • Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as: • Choosing an inappropriate technology • Unauthorized system access • Tapping into data transmissions • Loss of data integrity

  31. Risk Assessment • Incomplete transactions • System failures • Incompatible systems

  32. Risk Assessment • Some threats pose a greater risk because the probability of their occurrence is more likely. • What is an example? • A company is more likely to be the victim of a computer fraud rather than a terrorist attack. • Risk and exposure must be considered together.

  33. Cost and Benefits • The benefit of a control procedure is the difference between • the expected loss without the control procedure(s) • the expected loss with it

  34. Loss / Fraud Conditions • Threat: potential adverse or unwanted event that can be injurious to AIS • Exposure: potential maximum $ loss if event occurs • Risk: likelihood that event will occur • Expected Loss: Risk * Exposure

  35. Loss / Fraud Conditions For each AIS threat: Exposure (maximum loss, $) × Risk (likelihood of event occurring) = Expected Loss (potential $ loss)

  36. Exposures

  37. Risk Assessment of Controls (flowchart): Threat → Exposure and Risk → Control Needs → Costs → Cost Beneficial? Yes → Implement; No → control not implemented
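The expected-loss formula of slides 34 and 35, the benefit definition of slide 33 and the cost-beneficial decision of the slide 37 flowchart, carried through in one added Python example (not from the lecture); the threats, probabilities, exposures and control costs are constructed values chosen to echo the slide 32 comparison of computer fraud with a terrorist attack.

```python
# Expected loss and the cost-benefit test for a control (slides 33-35 and 37).
# Added example, not from the lecture; all figures below are constructed.
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    exposure: float            # maximum $ loss if the event occurs
    risk: float                # likelihood (0..1) per year without the control
    risk_with_control: float   # likelihood per year once the control is in place
    control_cost: float        # annual cost of the control

def expected_loss(risk, exposure):
    """Expected Loss = Risk * Exposure (slide 34)."""
    return risk * exposure

def control_benefit(t):
    """Benefit = expected loss without the control minus expected loss with it (slide 33)."""
    return expected_loss(t.risk, t.exposure) - expected_loss(t.risk_with_control, t.exposure)

def assess(t):
    """Return (benefit, net value, decision). Following the slide 37 flowchart the
    control is implemented only when its benefit exceeds its cost."""
    benefit = control_benefit(t)
    net = benefit - t.control_cost
    return benefit, net, "implement" if net > 0 else "do not implement"

# Constructed sample threats: the fraud threat is likely but bounded, the attack is
# rare but catastrophic, so risk and exposure must be considered together (slide 32).
SAMPLE_THREATS = [
    Threat("computer fraud", exposure=500_000, risk=0.10,
           risk_with_control=0.02, control_cost=25_000),
    Threat("terrorist attack", exposure=5_000_000, risk=0.001,
           risk_with_control=0.0005, control_cost=40_000),
]

if __name__ == "__main__":
    for t in SAMPLE_THREATS:
        benefit, net, decision = assess(t)
        print(f"{t.name:16s} benefit ${benefit:>9,.0f}  net ${net:>9,.0f}  -> {decision}")
```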

  38. Payroll Case

  39. Agenda • AIS Threats • Internal Controls • General controls for information systems • Internet controls • Contingency management

  40. General Controls • General controls ensure that the overall computer environment is stable and well managed • General control categories: • Developing a security plan • Segregation of duties within the systems function

  41. General Controls • Project development controls • Physical access controls • Logical access controls • Data storage controls • Data transmission controls • Documentation standards • Minimizing system downtime

  42. General Controls • Protection of personal computers and client/server networks • Internet controls • Disaster recovery plans

  43. Security Plan • Developing and continuously updating a comprehensive security plan is one of the most important controls for a company • Questions to be asked: • Who needs access to what information? • When do they need it? • On which systems does the information reside?

  44. Segregation of Duties • In an AIS, procedures that used to be performed by separate individuals are combined • A person with unrestricted access • to the computer, • its programs, • and live data • has the opportunity to both perpetrate and conceal fraud

  45. Segregation of Duties • To combat this threat, organizations must implement compensating control procedures • Authority and responsibility must be clearly divided NOTE: must change with increasing levels of automation

  46. Segregation of Duties Divide following functions: • Systems analysis • Programming • Computer operations • Users • AIS library • Data control

  47. Duty Segregation (diagram; labelled steps only): Analyze → Design Specs → Program → Archive → Operate → Use Programs → Output. Discussion prompt: What about small firms?

  48. Project Development Controls • Long-range master plan • Project development plan • Periodic performance evaluation • Post-implementation review • System performance measurements

  49. Project Development Plan (timeline diagram): Project Started → Project Completed → System Operation, with the controls applied along the way: Master Development Plan, Development Controls, Periodic Performance Review, Post-Implementation Review, Performance Measures

  50. Physical Access Controls • Placing computer equipment in locked rooms and restricting access to authorized personnel • Having only one or two entrances to computer room • Requiring proper employee ID • Requiring visitors to sign log • Installing locks on PCs
