Information systems control
1 / 91

Information Systems Control - PowerPoint PPT Presentation

  • Updated On :

Information Systems Control. Dr. Yan Xiong College of Business CSU Sacramento January 27,2003 This lecture is based on Martin (2002) and Romney and Steinbart (2002). Agenda. AIS Threats Internal Controls General controls for information systems Internet controls

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Information Systems Control' - kiora

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Information systems control

Information Systems Control

Dr. Yan Xiong

College of Business

CSU Sacramento

January 27,2003

This lecture is based on Martin (2002) and Romney and Steinbart (2002)


  • AIS Threats

  • Internal Controls

  • General controls for information systems

  • Internet controls

  • Contingency management

Ais threats
AIS Threats

Natural and politicaldisasters:

  • fire or excessive heat

  • floods

  • earthquakes

  • high winds

  • war

Ais threats1
AIS Threats

  • Software errors andequipment malfunctions

    • hardware failures

    • power outages and fluctuations

    • undetected data transmission errors

Ais threats2
AIS Threats

  • Unintentional acts

    • accidents caused by human carelessness

    • innocent errors of omissions

    • lost or misplaced data

    • logic errors

    • systems that do not meet company needs

Ais threats3
AIS Threats

  • Intentional acts

    • sabotage

    • computer fraud

    • embezzlement

    • confidentiality breaches

    • data theft


  • AIS Threats

  • Internal Control

  • Cost-benefit Analysis

  • General controls for information systems

  • Internet controls

  • Contingency management

Internal control
Internal Control

The COSO (Committee of Sponsoring Organizations) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:

  • effectiveness and efficiency of operations

  • reliability of financial reporting

  • compliance with applicable laws and regulations

Internal control classifications
Internal Control Classifications

  • The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:

    • Preventive, detective, and corrective controls

    • General and application controls

    • Administrative and accounting controls

    • Input, processing, and output controls

Types of controls
Types of Controls

  • Preventive: deter problems before they arise

    • segregating duties

  • Detective: discover control problems as soon as they arise

    • bank reconciliation

  • Corrective: remedy problems discovered with detective controls

    • file backups

Internal control model
Internal Control Model

  • COSO’s internal control model has five crucial components:

    • Control environment

    • Control activities

    • Risk assessment

    • Information and communication

    • Monitoring

The control environment
The Control Environment

The control environment consists of many factors, including the following:

  • Commitment to integrity and ethical values

  • Management’s philosophy and operating style

  • Organizational structure

The control environment1
The Control Environment

  • The audit committee of the board of directors

  • Methods of assigning authority and responsibility

  • Human resources policies and practices

  • External influences

Control activities
Control Activities

Generally, control procedures fall into one of five categories:

  • Proper authorization of transactions and activities

  • Segregation of duties

  • Design and use of adequate documents and records

  • Adequate safeguards of assets and records

  • Independent checks on performance

Proper authorization of transactions and activities
Proper Authorization of Transactions and Activities

  • Authorization is the empowerment management gives employees to perform activities and make decisions.

  • Digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.

  • Specific authorization is the granting of authorization by management for certain activities or transactions.

Segregation of duties
Segregation of Duties

  • Good internal control demands that no single employee be given too much responsibility.

  • An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Segregation of duties1
Segregation of Duties

Custodial Functions

Handling cash

Handling assets

Writing checks

Receiving checks in mail

Authorization Functions

Authorization of


Recording Functions

Preparing source documents

Maintaining journals

Preparing reconciliations

Preparing performance reports

Segregation of duties2
Segregation of Duties

  • If two of these three functions are the responsibility of a single person, problems can arise.

  • Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.

  • Prevent authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Segregation of duties3
Segregation of Duties

  • Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.

Design and use of adequate documents and records
Design and Use of Adequate Documents and Records

  • The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.

  • Documents that initiate a transaction should contain a space for authorization.

Design and use of adequate documents and records1
Design and Use of Adequate Documents and Records

  • The following procedures safeguard assets from theft, unauthorized use, and vandalism:

    • effectively supervising and segregating duties

    • maintaining accurate records of assets, including information

    • restricting physical access to cash and paper assets

    • having restricted storage areas

Adequate safeguards of assets and records
Adequate Safeguards of Assets and Records

  • What can be used to safeguard assets?

    • cash registers

    • safes, lockboxes

    • safety deposit boxes

    • restricted and fireproof storage areas

    • controlling the environment

    • restricted access to computer rooms, computer files, and information

Independent checks on performance
Independent Checks on Performance

  • Independent checks to ensure that transactions are processed accurately are another important control element.

  • What are various types of independent checks?

    • reconciliation of two independently maintained sets of records

    • comparison of actual quantities with recorded amounts

Independent checks on performance1
Independent Checks on Performance

  • double-entry accounting

  • batch totals

  • Five batch totals are used in computer systems:

    • A financial total is the sum of a dollar field.

    • A hash total is the sum of a field that would usually not be added.

  • Independent checks on performance2
    Independent Checks on Performance

    • A record count is the number of documents processed.

    • A line count is the number of lines of data entered.

    • A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.

    Information and communication
    Information and Communication

    • The fourth component of COSO’s internal control model is information and communication.

    • Accountants must understand the following:

      • How transactions are initiated

      • How data are captured in machine-readable form or converted from source documents

    Information and communication1
    Information and Communication

    • How computer files are accessed and updated

    • How data are processed to prepare information

    • How information is reported

    • How transactions are initiated

  • All of these items make it possible for the system to have an audit trail.

  • An audit trail exists when individual company transactions can be traced through the system.

  • Monitoring performance
    Monitoring Performance

    • The fifth component of COSO’s internal control model is monitoring.

    • What are the key methods of monitoring performance?

      • effective supervision

      • responsibility accounting

      • internal auditing

    Risk assessment
    Risk Assessment

    • The third component of COSO’s internal control model is risk assessment.

    • Companies must identify the threats they face:

      • strategic — doing the wrong thing

      • financial — having financial resources lost, wasted, or stolen

      • information — faulty or irrelevant information, or unreliable systems

    Risk assessment1
    Risk Assessment

    • Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:

      • Choosing an inappropriate technology

      • Unauthorized system access

      • Tapping into data transmissions

      • Loss of data integrity

    Risk assessment2
    Risk Assessment

    • Incomplete transactions

    • System failures

    • Incompatible systems

    Risk assessment3
    Risk Assessment

    • Some threats pose a greater risk because the probability of their occurrence is more likely.

    • What is an example?

    • A company is more likely to be the victim of a computer fraud rather than a terrorist attack.

    • Risk and exposure must be considered together.

    Cost and benefits
    Cost and Benefits

    • Benefit of control procedure is difference between

      • expected loss with control procedure(s)

      • expected loss without it

    Loss fraud conditions
    Loss / Fraud Conditions

    • Threat: potential adverse or unwanted event that can be injurious to AIS

    • Exposure: potential maximum $ loss if event occurs

    • Risk: likelihood that event will occur

    • Expected Loss: Risk * Exposure

    Loss fraud conditions1
    Loss / Fraud Conditions

    For each AIS threat:








    Loss ($)


    of Event



    $ Loss

    Risk assessment of controls








    Control Needs



    Risk Assessment of Controls



    • AIS Threats

    • Internal Controls

    • General controls for information systems

    • Internet controls

    • Contingency management

    General controls
    General Controls

    • General controls ensure that overall computer environment is stable and well managed

    • General control categories:

      • Developing a security plan

      • Segregation of duties within the systems function

    General controls1
    General Controls

    • Project development controls

    • Physical access controls

    • Logical access controls

    • Data storage controls

    • Data transmission controls

    • Documentation standards

    • Minimizing system downtime

    General controls2
    General Controls

    10. Protection of personal computers and client/server networks

    • Internet controls

    • Disaster recovery plans

    Security plan
    Security Plan

    • Developing and continuously updating a comprehensive security plan one of most important controls for company

    • Questions to be asked:

      • Who needs access to whatinformation?

      • When do they need it?

      • On which systems does the information reside?

    Segregation of duties4
    Segregation of Duties

    • In AIS, procedures that used to be performed by separate individuals combined

    • Person with unrestricted access

      • to computer,

      • its programs,

      • and live data

    • has opportunity to both perpetrate and conceal fraud

    Segregation of duties5
    Segregation of Duties

    • To combat this threat, organizations must implement compensating control procedures

    • Authority and responsibility must be clearly divided

      NOTE: must change with increasing levels of automation

    Segregation of duties6
    Segregation of Duties

    Divide following functions:

    • Systems analysis

    • Programming

    • Computer operations

    • Users

    • AIS library

    • Data control

    Duty segregation










    What about small firms?

    Duty Segregation

    Project development controls
    Project Development Controls

    • Long-range master plan

    • Project development plan

    • Periodic performance evaluation

    • Post-implementation review

    • System performance measurements

    Development controls












    Development Controls









    Physical access controls
    Physical Access Controls

    • Placing computer equipment in locked rooms and restricting access to authorized personnel

    • Having only one or two entrances to computer room

    • Requiring proper employee ID

    • Requiring visitors to sign log

    • Installing locks on PCs

    Logical access controls
    Logical Access Controls

    • Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.

    • What are some logical access controls?

      • passwords

      • physical possession identification

      • biometric identification

      • compatibility tests

    Access control matrix
    Access Control Matrix

    0 – No access

    1 – Read / display

    2 – Update

    3 – Create / delete

    Data storage controls
    Data Storage Controls

    • Information gives company competitive edge and makes it viable

    • Company should identify types of data used and level of protection required for each

    • Company must also document steps taken to protect data

      • e.g., off-site storage

    Data transmission controls
    Data Transmission Controls

    • Reduce risk of data transmission failures

      • data encryption (cryptography)

      • routing verification procedures

      • parity bits

      • message acknowledgment techniques

    Information transmission system











    Information Transmission System

    Transmission controls















    Transmission Controls

    Even parity bit system

    Parity Bit

    A “1” placed in parity

    bit to make an even

    number of “1”s.

    Message in Binary

    Even Parity Bit System

    There are five

    “1” bits in message

    Data transmission controls1
    Data Transmission Controls

    • Added importance when using electronic data interchange (EDI) or electronic funds transfer (EFT)

    • In these types of environments, sound internal control is achieved using control procedures

    Data transmission control
    Data Transmission Control

    • Controlled physical access to network facilities

    • Identification required for all network terminals

    • Passwords and dial-in phone numbers changed on regular basis

    • Encryption used to secure stored and transmitted data

    • Transactions log

    Documentation standards
    Documentation Standards

    • Documentation procedures and standards ensure clear and concise documentation

    • Documentation categories:

      • Administrative documentation

      • Systems documentation

      • Operating documentation

    Minimizing system downtime
    Minimizing System Downtime

    • Significant financial losses can be incurred if hardware or software malfunctions cause AIS to fail

    • Methods used to minimize system downtime

      • preventive maintenance

      • uninterruptible power system

      • fault tolerance

    Protection of pcs and client server networks
    Protection of PCs and Client/Server Networks

    • PCs more vulnerable to security risks than mainframe computers

      • Difficult to restrict physical access

      • PC users less aware of importance of security and control

      • More people familiar with the operation of PCs

      • Segregation of duties is difficult

    Protection of pcs and client server networks1
    Protection of PCs and Client/Server Networks

    • Train users in PC-related control concepts

    • Restrict access by using locks and keys on PCs

    • Establish policies and procedures

    Protection of pcs and client server networks2
    Protection of PCs and Client/Server Networks

    • Portable PCs should not be stored in cars

    • Back up hard disks regularly

    • Encrypt or password protect files

    • Build protective walls around operating systems

    • Use multilevel password controls to limit employee access to incompatible data


    • AIS Threats

    • Control concepts

    • General controls for information systems

    • Internet controls

    • Contingency management

    Internet controls
    Internet Controls

    • Internet control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network.

    Internet controls1
    Internet Controls

    • Passwords

    • Encryption technology

    • Routing verification procedures

    • Installing a firewall

    Internet risks

    Split into packets



    May travel different paths



    at Point A



    Point B


    Did anyone else

    see the message?



    Was the message

    really sent by

    Point A?

    Did Point B receive

    this message?

    Internet Risks

    Messaging security
    Messaging Security

    • Confidentiality

    • Integrity: detect tampering

    • Authentication: correct party

    • Non-repudiation: sender can’t deny

    • Access controls: limit entry to authorized users

    Symmetric encryption









    Encoded Message


    Symmetric Encryption




    Information systems control

    • Public Key Infrastructure

    • Most commonly used

    • Two keys:

      • public key – publicly available

      • private key – kept secret

    • Two keys related through secret mathematical formula

    • Need both to process transaction

    Biometric usage
    Biometric Usage

    • For user authentication

    • By order of use

      • finger scanners

      • hand geometry

      • face-recognition

      • eye scan

      • voiceprints

      • signature verification

    Digital signature
    Digital Signature

    • Also called Certificate

    • Issued by trusted third party

      • Certification Authority (CA)

    • Electronic passport to prove identity

    • Provides assurance messages are valid

    • Uses encryption to verify identity of unseen partner


    • Firewall is barrier between networks not allowing information to flow into and out of trusted network










    Access Controls








    Firewall types
    Firewall Types

    • Packet Filter:

      • simplest type

      • doesn’t examine data

      • looks at IP header

    • Proxy Firewall (Server):

      • hides protected private network

      • forwards requests from private to public network (not within)

    Firewall types1
    Firewall Types

    • Demilitarized Zone:

      • more secure

      • several layers of firewall protection

      • different levels of protection to different portions of company’s network

      • runs between private network and outside public network

    Bypassing firewalls




    Customer Info




    Bypassing Firewalls



    • AIS Threats

    • Control concepts

    • General controls for information systems

    • Internet controls

    • Contingency management

    Contingency management
    Contingency Management

    • Disaster Recovery is reactive

    • Contingency Management is proactive

    • Continuity Planning latest term

    • Accounting standards in terms of Disaster Recovery

    Disaster recovery plan
    Disaster Recovery Plan

    • Purpose: to ensure processing capacity can be restored as smoothly and quickly as possible in the event of:

      • a major disaster

      • a temporary disruption

    Disaster plan objectives
    Disaster Plan Objectives

    • Minimize disruption, damage, and loss

    • Temporarily establish alternative means of processing information

    • Resume normal operations as soon as possible

    • Train and familiarize personnel with emergency operations

    Plan elements
    Plan Elements

    • Priorities for recovery process

    • Backup data and program files

    • Backup facilities

      • reciprocal agreements

      • hot and cold sites

      • shadow mode (parallel)

    Back up data
    Back Up Data

    • Rollback:

      • predated copy of each record created prior to processing transaction

    • If hardware failure

      • records rolled back to predated version

      • transactions processed from beginning

    Back up data decisions
    Back Up Data Decisions

    • How often? (e.g., weekly)

      • Exposure * Risk = Expected Loss

    • Where do you store backup data

      • on-site (e.g., fireproof safe)

      • off-site (incurs costs)

    • How quick to recover?

    • What is recovered first?

    Remote access
    Remote Access

    • Computer World, 1/21/02

    • Companies eying remote access as contingency management tool

    • Scrambling to develop remote access systems

    • Result of September 11

    • If main facilities down, still can communicate with one another

    Recovery plan
    Recovery Plan

    • Recovery plan not complete until tested by simulating disaster

      • EDS

    • Plan must be continuously reviewed and revised so it reflects current situation

    • Plan should include insurance coverage

    Cardinal health
    Cardinal Health

    • Redundant systems for critical order processing

    • Redundant WAN trunks

    • System data backed up daily

      • backup media kept off-site

    • Backup replica site

      • different part of country

      • switched on within 30 minutes

    The money store
    The Money Store

    • Databases backed up every evening

    • Back-up files stored at

      • on-site

      • information storage vendor

    • Automatic archival process that periodically pulls / stores back-up data files

    The money store1
    The Money Store

    • Call Centers

      • in 3 locations nationally

      • separated so that a natural disaster will not hit all three simultaneously

      • calls electronically rerouted to other two sites

      • in Sacramento, rent vacant building as emergency site

    Topics covered
    Topics Covered

    • AIS Threats

    • Control concepts

    • General controls for information systems

    • Internet controls

    • Contingency management