Hapter 10
1 / 31

HAPTER 10 - PowerPoint PPT Presentation

  • Uploaded on

HAPTER 10. Information Systems Controls for System Reliability Part 3: Processing Integrity and Availability. INTRODUCTION. Questions to be addressed in this chapter include: What controls ensure processing integrity? What controls ensure that the system is available when needed?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'HAPTER 10' - lucia

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hapter 10


Information Systems Controls for System Reliability

Part 3: Processing Integrity and Availability


  • Questions to be addressed in this chapter include:

    • What controls ensure processing integrity?

    • What controls ensure that the system is available when needed?

Processing integrity

  • A reliable system produces information that is accurate, timely, reflects results of only authorized transactions, and includes outcomes of all activities engaged in by the organization during a given period of time.

  • Requires controls over both data input quality and the processing of the data.








Input controls
Input Controls

  • Forms Design

    • Pre-numbered forms/ sequence test

    • Turnaround documents

  • Authorization and segregation of duties

  • Cancellation and storage of documents

  • Visual scanning

Input controls1
Input Controls

  • Data Entry Controls (Edit checks)

    • Field check

    • Sign check

    • Limit check

    • Range check

    • Size (or capacity) check

    • Completeness check

    • Validity check

    • Reasonableness test

    • Check digit verification

    • Key verification

Input controls2
Input Controls

  • The preceding tests are used for batch processing and online real-time processing.

  • Both processing approaches also have some additional controls that are unique to each approach.

Batch input controls
Batch Input Controls

  • Batch Processing

    • Input multiple source documents at once in a group

  • In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated.

    • Sequence check

    • Error log

    • Batch totals

Batch input controls1
Batch Input Controls

  • Batch Totals

    • Compare input totals to output totals

      • Financial

        • Sums a field that contains monetary values

      • Hash

        • Sums a nonfinancial numeric field

      • Record count

        • The number of records in a batch

Online data entry controls
Online Data Entry Controls

  • Additional online data entry controls

    • Online processing data entry controls include:

      • Automatic entry of data

      • Prompting

      • Closed-loop verification

      • Transaction logs

      • Error messages

Processing controls
Processing Controls

  • Processing controls to ensure that data is processed correctly include:

    • Data matching

    • File labels

    • Recalculation of batch totals

    • Cross-footing balance test

    • Write-protection mechanisms

    • Concurrent update controls

Output controls
Output Controls

  • Careful checking of system output provides additional control over processing integrity.

  • Output controls include:

    • User review of output

    • Reconciliation procedures

    • External data reconciliation

    • Data transmission controls

Output controls1
Output Controls

  • Data Transmission Controls

    • Two basic types of data transmission controls:

      • Checksums – hash of file transmitted, comparison made of hash before and after transmission

      • Parity checking

Output controls2
Output Controls

  • Parity checking

    • Computers represent characters as a set of binary digits (bits).

    • For example, “5” is represented by the seven-bit pattern 0000101.

    • When data are transmitted some bits may be lost or received incorrectly.

    • Two basic schemes to detect these events are referred to as even parity and odd parity.

    • In either case, an additional bit is added to the digit being transmitted.


  • Reliable systems are available for use whenever needed.

  • Threats to system availability originate from many sources, including:

    • Hardware and software failures

    • Natural and man-made disasters

    • Human error

    • Worms and viruses

    • Denial-of-service attacks and other sabotage








Controls ensuring availability
Controls Ensuring Availability

  • Systems or information need to be available 24/7

    • It is not possible to ensure this so:


  • Minimizing Risk of System Downtime

    • Loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce.

    • Organizations can take a variety of steps to minimize the risk of system downtime.


  • Preventive maintenance can reduce risk of hardware and software failure. Examples:

    • Cleaning disk drivers

    • Properly storing magnetic and optical media

  • Use of redundant components can provide fault tolerance, which enables the system to continue functioning despite failure of a component. Examples:

    • Dual processors

    • Arrays of multiple hard drives.


  • Risks associated with natural and man-made disasters can be reduced with proper location and design of rooms housing mission-critical servers and databases.

    • Raised floors protect from flood damage.

    • Fire protection and suppression devices reduce likelihood of fire damage.

    • Adequate air conditioning reduces likelihood of damage from over-heating or humidity.

    • Cables with special plugs that cannot be easily removed reduce risk of damage due to accidentally unplugging.


  • Surge protection devices provide protection against temporary power fluctuations.

    • An uninterruptible power supply (UPS) provides protection from a prolonged power outage and buys the system enough time to back up critical data and shut down safely.


  • Training

    • Well-trained operators are less likely to make mistakes and more able to recover if they do.

    • Security awareness training, particularly concerning safe email and web-browsing practices, can reduce risk of virus and worm infection.

  • Patch management and antivirus software

    • Anti-virus software should be installed, run, and kept current.

    • Email should be scanned for viruses at both the server and desktop levels.

    • Newly acquired software and disks, CDs, or DVDs should be scanned and tested first on a machine that is isolated from the main network.


  • Recovery and Resumption of Normal Operations

    • Data backup procedures

    • Disaster recovery plan (DRP)

    • Business continuity plan (BCP)


  • Data Backup Procedures

    • Data need to be backed up regularly and frequently.

    • A backup is an exact copy of the most current version of a database, file, or software program. It is intended for use in the event of a hardware or software failure.

    • The process of installing the backup copy for use is called restoration.


  • A full backup is an exact copy of the data recorded on another physical media (tape, magnetic disk, CD, DVD, etc.)

  • Full backups are time consuming, so most organizations:

    • Do full backups weekly

    • Supplement with daily partial backups.

      • incremental backup- copy only data that changed since the last partial backup

      • differential backup – copy only data that changed from last full back-up


  • Whichever backup procedure is used, multiple backup copies should be created:

    • One can be stored on-site for use in minor incidents.

    • At least one additional copy should be stored off-site to be safe should a disaster occur


  • Disaster Recovery and Business Continuity PlanningObjectives:

    • Minimize the extent of the disruption, damage, and loss

    • Temporarily establish an alternative means of processing information

    • Resume normal operations as soon as possible

    • Train and familiarize personnel with emergency operations

  • Recovery point objective (RPO)

  • Recovery time objective (RTO)


  • Infrastructure Replacement

    • Major disasters can totally destroy an organization’s information processing center or make it inaccessible.

    • A key component of disaster recovery and business continuity plans incorporates provisions for replacing the necessary computing infrastructure, including:

      • Computers

      • Network equipment and access

      • Telephone lines

      • Office equipment

      • Supplies

    • It may even be necessary to hire temporary staff.


  • Organizations have three basic options for replacing computer and networking equipment.

    • Reciprocal agreements

    • Cold sites

    • Hot sites


  • Documentation

    • An important and often overlooked component. Should include:

      • The disaster recovery plan itself, including instructions for notifying appropriate staff and the steps to resume operation, needs to be well documented.

      • Assignment of responsibility for the various activities.

      • Vendor documentation of hardware and software.

      • Documentation of modifications made to the default configuration (so replacement will have the same functionality).

      • Detailed operating instructions.

    • Copies of all documentation should be stored both on-site and off-site.


  • Testing

    • Periodic testing and revision is probably the most important component of effective disaster recovery and business continuity plans.

      • Most plans fail their initial test, because it’s impossible to anticipate everything that could go wrong.

      • The time to discover these problems is before the actual emergency and in a setting where the weaknesses can be carefully analyzed and appropriate changes made.


  • Insurance

    • Organizations should acquire adequate insurance coverage to defray part or all of the expenses associated with implementing their disaster recovery and business continuity plans.