Information Systems Control
Dr. Yan Xiong
College of Business
CSU Sacramento
January 27, 2003
This lecture is based on Martin (2002) and Romney and Steinbart (2002).

Agenda
• AIS Threats
• Internal Controls
• General controls for information systems
• Internet controls
• Contingency management


AIS Threats
• Natural and political disasters:
– fire or excessive heat
– floods
– earthquakes
– high winds
– war

AIS Threats
• Software errors and equipment malfunctions:
– hardware failures
– power outages and fluctuations
– undetected data transmission errors

AIS Threats
• Unintentional acts:
– accidents caused by human carelessness
– innocent errors of omission
– lost or misplaced data
– logic errors
– systems that do not meet company needs

AIS Threats
• Intentional acts:
– sabotage
– computer fraud
– embezzlement
– confidentiality breaches
– data theft

Agenda
• AIS Threats
• Internal Control
• Cost-benefit Analysis
• General controls for information systems
• Internet controls
• Contingency management


Internal Control
The COSO (Committee of Sponsoring Organizations) study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations

Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

Types of Controls
• Preventive: deter problems before they arise
– segregating duties
• Detective: discover control problems as soon as they arise
– bank reconciliation
• Corrective: remedy problems discovered with detective controls
– file backups


Internal Control Model
COSO’s internal control model has five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

The Control Environment
The control environment consists of many factors, including the following:
1. Commitment to integrity and ethical values
2. Management’s philosophy and operating style
3. Organizational structure
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences

Control Activities
Generally, control procedures fall into one of five categories:
1. Proper authorization of transactions and activities
2. Segregation of duties
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance

Proper Authorization of Transactions and Activities
• Authorization is the empowerment management gives employees to perform activities and make decisions.
• A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
• Specific authorization is the granting of authorization by management for certain activities or transactions.

Segregation of Duties
• Good internal control demands that no single employee be given too much responsibility.
• An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Segregation of Duties
• Custodial functions:
– handling cash
– handling assets
– writing checks
– receiving checks in the mail
• Recording functions:
– preparing source documents
– maintaining journals
– preparing reconciliations
– preparing performance reports
• Authorization functions:
– authorization of transactions

Segregation of Duties
• If two of these three functions are the responsibility of a single person, problems can arise.
• Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
• It prevents authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
• It prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.

Design and Use of Adequate Documents and Records
• The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
• Documents that initiate a transaction should contain a space for authorization.

Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas

Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information

Independent Checks on Performance
• Independent checks to ensure that transactions are processed accurately are another important control element.
• What are various types of independent checks?
– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts

Independent Checks on Performance
– double-entry accounting
– batch totals
Five batch totals are used in computer systems:
1. A financial total is the sum of a dollar field.
2. A hash total is the sum of a field that would usually not be added.
3. A record count is the number of documents processed.
4. A line count is the number of lines of data entered.
5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.

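The five batch totals as a detective control, written as an added example for this lecture (not from Romney and Steinbart or the slides). The records, the keying errors and the `Record` fields are constructed; the point is that a transposed amount is caught by the financial total while a mistyped employee ID is caught only by the hash total.

```python
from dataclasses import dataclass


@dataclass
class Record:
    """One input document in a batch (constructed fields, not from the lecture)."""
    employee_id: int   # a field nobody would normally add up -> hash total
    amount: float      # a dollar field -> financial total
    lines: int         # detail lines entered for this document -> line count


def batch_totals(records):
    """Four of the five batch totals, computed over a batch of records."""
    return {
        "financial_total": round(sum(r.amount for r in records), 2),
        "hash_total": sum(r.employee_id for r in records),
        "record_count": len(records),
        "line_count": sum(r.lines for r in records),
    }


def cross_foot(cells, row_totals, col_totals):
    """Cross-footing balance test: the grand total of the independently
    prepared row totals, the grand total of the column totals and the sum of
    every cell must all agree."""
    grand = sum(sum(row) for row in cells)
    return sum(row_totals) == sum(col_totals) == grand


def verify_batch(entered_records, control_totals):
    """Compare totals recomputed from the data as entered with the control
    totals prepared from the source documents; return the names of the totals
    that disagree (empty list means the batch reconciles)."""
    computed = batch_totals(entered_records)
    return sorted(k for k, v in control_totals.items() if computed.get(k) != v)


# Constructed batch of three source documents and the control totals taken from them.
SOURCE_BATCH = [Record(1001, 1234.50, 3), Record(1002, 875.25, 2), Record(1003, 2100.00, 4)]
CONTROL_TOTALS = batch_totals(SOURCE_BATCH)

# Two constructed keying errors: a transposed amount, and a mistyped employee ID.
TRANSPOSED_AMOUNT = [Record(1001, 1243.50, 3), Record(1002, 875.25, 2), Record(1003, 2100.00, 4)]
WRONG_ID = [Record(1001, 1234.50, 3), Record(1002, 875.25, 2), Record(1030, 2100.00, 4)]
```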
Information and Communication
• The fourth component of COSO’s internal control model is information and communication.
• Accountants must understand the following:
1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents
3. How computer files are accessed and updated
4. How data are processed to prepare information
5. How information is reported
6. How transactions are initiated
• All of these items make it possible for the system to have an audit trail.
• An audit trail exists when individual company transactions can be traced through the system.

Monitoring Performance
• The fifth component of COSO’s internal control model is monitoring.
• What are the key methods of monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing

Risk Assessment
• The third component of COSO’s internal control model is risk assessment.
• Companies must identify the threats they face:
– strategic — doing the wrong thing
– financial — having financial resources lost, wasted, or stolen
– information — faulty or irrelevant information, or unreliable systems

Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity
5. Incomplete transactions
6. System failures
7. Incompatible systems

Risk Assessment
• Some threats pose a greater risk because the probability of their occurrence is more likely.
• What is an example? A company is more likely to be the victim of a computer fraud than of a terrorist attack.
• Risk and exposure must be considered together.

Cost and Benefits
• The benefit of a control procedure is the difference between:
– the expected loss with the control procedure(s)
– the expected loss without it

Loss / Fraud Conditions
• Threat: a potential adverse or unwanted event that can be injurious to the AIS
• Exposure: the potential maximum $ loss if the event occurs
• Risk: the likelihood that the event will occur
• Expected Loss: Risk * Exposure


Loss / Fraud Conditions
For each AIS threat:
Exposure (maximum loss, $) X Risk (likelihood of event occurring) = Expected Loss (potential $ loss)

Exposures (H = high, M = medium, L = low):
Possible Threat   Symbol   Exposure   Risk
Disaster          D        H          L+
Power Outage      O        M          H
System Down       H        L          L
Human Error       E        M          M
Fraud             F        M          L
Data Theft        T        L          M
Sabotage          S        H          L

Risk Assessment of Controls
Figure: for each threat, assess its risk and exposure, determine the control needs and their costs, then ask "Cost beneficial?": Yes, implement the control; No, do not.

Payroll Case
Condition          Without   With     Difference
Cost Payroll       $10K      $10K
Risk of Error      15%       1%
Error Cost         $1.5K     $0.1K    $1.4K
Validate Cost      0         $0.6K    $(0.6K)
Expected Benefit                      $0.8K

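The expected-loss arithmetic behind the payroll case, as an added example (not code from the lecture). It reproduces the slide's numbers ($10K exposure, 15% versus 1% risk of error, $0.6K validation cost, $0.8K net benefit) and then generalizes to ranking several candidate controls for one threat; the second candidate control and its figures are constructed.

```python
def expected_loss(exposure, risk):
    """Expected loss = risk (probability of the event) x exposure (maximum $ loss).
    Rounded to cents so that 10000 * 0.15 compares as exactly 1500.00."""
    return round(exposure * risk, 2)


def evaluate_control(exposure, risk_without, risk_with, control_cost):
    """Cost-benefit of one control: the reduction in expected loss it buys,
    minus what it costs. Implement only when the net benefit is positive."""
    loss_without = expected_loss(exposure, risk_without)
    loss_with = expected_loss(exposure, risk_with)
    reduction = round(loss_without - loss_with, 2)
    net = round(reduction - control_cost, 2)
    return {
        "expected_loss_without": loss_without,
        "expected_loss_with": loss_with,
        "loss_reduction": reduction,
        "control_cost": control_cost,
        "net_benefit": net,
        "implement": net > 0,
    }


def rank_controls(exposure, risk_without, candidates):
    """Evaluate several candidate controls for the same threat and return the
    cost-beneficial ones, best net benefit first. `candidates` maps a control
    name to (risk_with_control, control_cost)."""
    results = {
        name: evaluate_control(exposure, risk_without, risk_with, cost)
        for name, (risk_with, cost) in candidates.items()
    }
    worthwhile = [n for n, r in results.items() if r["implement"]]
    return sorted(worthwhile, key=lambda n: results[n]["net_benefit"], reverse=True)


# The slide's payroll case: $10K payroll, 15% error risk without validation, 1% with it.
PAYROLL = evaluate_control(exposure=10_000, risk_without=0.15, risk_with=0.01, control_cost=600)

# Constructed second candidate: a manual review that cuts the error risk to 0.5% but costs $1.6K.
CANDIDATES = {"validation": (0.01, 600), "manual_review": (0.005, 1600)}
```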
Agenda
• AIS Threats
• Internal Controls
• General controls for information systems
• Internet controls
• Contingency management


General Controls
• General controls ensure that the overall computer environment is stable and well managed.
• General control categories:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Protection of personal computers and client/server networks
11. Internet controls
12. Disaster recovery plans

Security Plan
• Developing and continuously updating a comprehensive security plan is one of the most important controls for a company.
• Questions to be asked:
– Who needs access to what information?
– When do they need it?
– On which systems does the information reside?


Segregation of Duties
• In an AIS, procedures that used to be performed by separate individuals are combined.
• A person with unrestricted access to the computer, its programs, and live data has the opportunity to both perpetrate and conceal fraud.

Segregation of Duties
• To combat this threat, organizations must implement compensating control procedures.
• Authority and responsibility must be clearly divided.
• NOTE: the division must change with increasing levels of automation.


Segregation of Duties
Divide the following functions:
• Systems analysis
• Programming
• Computer operations
• Users
• AIS library
• Data control

Figure (Duty Segregation): Analyze, Design, Specs, Program, Programs, Archive, Operate, Output, Use. What about small firms?

Project Development Controls
• Long-range master plan
• Project development plan
• Periodic performance evaluation
• Post-implementation review
• System performance measurements

Figure (Development Controls): the Master Development Plan and the Project Development Plan apply when a project is started; a Periodic Performance Review applies during development; the Post-Implementation Review and Performance Measures apply once the project is completed and the system is in operation.

Physical Access Controls
• Placing computer equipment in locked rooms and restricting access to authorized personnel
• Having only one or two entrances to the computer room
• Requiring proper employee ID
• Requiring visitors to sign a log
• Installing locks on PCs


Logical Access Controls
• Users should be allowed access only to the data they are authorized to use, and then only to perform specific authorized functions.
• What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests

Access Control Matrix
Password   Files        Programs
           A     B      1     2
ABC        0     1      0     0
DEF        1     2      0     0
KLM        1     1      1     1
NOP        3     0      3     0

0 – No access
1 – Read / display
2 – Update
3 – Create / delete

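The matrix above as a compatibility test, written as an added example (not the lecture's code). The matrix values are the slide's; the resource names, the action-to-level mapping and the access log are assumptions, and it assumes the levels are cumulative (update implies read, create/delete implies everything), which the slide does not state.

```python
NO_ACCESS, READ, UPDATE, CREATE_DELETE = 0, 1, 2, 3

# Access control matrix from the slide: password (user) -> resource -> access level.
# Resource names are assumed; the slide labels them Files A/B and Programs 1/2.
ACCESS_MATRIX = {
    "ABC": {"file_A": 0, "file_B": 1, "program_1": 0, "program_2": 0},
    "DEF": {"file_A": 1, "file_B": 2, "program_1": 0, "program_2": 0},
    "KLM": {"file_A": 1, "file_B": 1, "program_1": 1, "program_2": 1},
    "NOP": {"file_A": 3, "file_B": 0, "program_1": 3, "program_2": 0},
}

# Minimum level each requested action needs (assumption: levels are cumulative).
ACTION_LEVEL = {
    "read": READ,
    "update": UPDATE,
    "create": CREATE_DELETE,
    "delete": CREATE_DELETE,
}

# Every decision is recorded so denied attempts can be reviewed (a detective control).
access_log = []


def compatibility_test(password, resource, action):
    """Preventive control: allow the action only if the level granted in the
    matrix covers it. Unknown users and unknown resources get NO_ACCESS."""
    if action not in ACTION_LEVEL:
        raise ValueError(f"unknown action: {action!r}")
    granted = ACCESS_MATRIX.get(password, {}).get(resource, NO_ACCESS)
    allowed = granted >= ACTION_LEVEL[action]
    access_log.append({"user": password, "resource": resource,
                       "action": action, "allowed": allowed})
    return allowed


def denied_attempts(log=None):
    """Detective control: the refused requests, for an independent reviewer."""
    entries = access_log if log is None else log
    return [e for e in entries if not e["allowed"]]
```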
Data Storage Controls
• Information gives a company its competitive edge and makes it viable.
• A company should identify the types of data used and the level of protection required for each.
• A company must also document the steps taken to protect data:
– e.g., off-site storage


Data Transmission Controls
Reduce the risk of data transmission failures:
– data encryption (cryptography)
– routing verification procedures
– parity bits
– message acknowledgment techniques

Figure (Information Transmission System): Information Source, Message, Transmitter, Signal, Channel (with Noise), Receiver, Destination.

Figure (Information Transmission Controls): on the SEND side, data encryption (encrypt), a parity bit, and routing verification of the message; on the RECEIVE side, decrypt, and a message acknowledgement back to the sender.

Even Parity Bit System
Figure: message in binary 0 1 1 0 1 1 0 1. There are five “1” bits in the message, so a “1” is placed in the parity bit to make an even number of “1”s.

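The even-parity check from the slide as an added example (not code from the lecture), using the slide's eight-bit message 01101101. It also shows the control's limit: flipping one bit is detected, flipping two bits is not. The `corrupt` helper that simulates channel noise is constructed.

```python
def even_parity_bit(message: str) -> str:
    """Parity bit that makes the total number of '1' bits (message + parity) even."""
    if set(message) - {"0", "1"}:
        raise ValueError("message must be a string of 0s and 1s")
    return "1" if message.count("1") % 2 == 1 else "0"


def frame(message: str) -> str:
    """What is transmitted: the parity bit followed by the message, as laid out on the slide."""
    return even_parity_bit(message) + message


def parity_ok(received: str) -> bool:
    """Receiver-side check. True means no odd number of bit errors was detected;
    it does not mean the frame is error-free (an even number of flips passes)."""
    return received.count("1") % 2 == 0


def corrupt(bits: str, *positions: int) -> str:
    """Simulate channel noise by flipping the bits at the given positions (constructed)."""
    out = list(bits)
    for p in positions:
        out[p] = "0" if out[p] == "1" else "1"
    return "".join(out)


SLIDE_MESSAGE = "01101101"   # the lecture's example: five '1' bits
```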
Data Transmission Controls
• Added importance when using electronic data interchange (EDI) or electronic funds transfer (EFT)
• In these types of environments, sound internal control is achieved using control procedures

Data Transmission Controls
• Controlled physical access to network facilities
• Identification required for all network terminals
• Passwords and dial-in phone numbers changed on a regular basis
• Encryption used to secure stored and transmitted data
• Transaction log


Documentation Standards
• Documentation procedures and standards ensure clear and concise documentation
• Documentation categories:
– Administrative documentation
– Systems documentation
– Operating documentation

Minimizing System Downtime
• Significant financial losses can be incurred if hardware or software malfunctions cause the AIS to fail
• Methods used to minimize system downtime:
– preventive maintenance
– uninterruptible power system
– fault tolerance


Protection of PCs and Client/Server Networks
• PCs are more vulnerable to security risks than mainframe computers:
– difficult to restrict physical access
– PC users less aware of the importance of security and control
– more people familiar with the operation of PCs
– segregation of duties is difficult

Protection of PCs and Client/Server Networks
• Train users in PC-related control concepts
• Restrict access by using locks and keys on PCs
• Establish policies and procedures

Protection of PCs and Client/Server Networks
• Portable PCs should not be stored in cars
• Back up hard disks regularly
• Encrypt or password-protect files
• Build protective walls around operating systems
• Use multilevel password controls to limit employee access to incompatible data


Agenda
• AIS Threats
• Control concepts
• General controls for information systems
• Internet controls
• Contingency management


Internet Controls
An Internet control is installing a firewall: hardware and software that control communications between a company’s internal network (the trusted network) and an external network.

Internet Controls
• Passwords
• Encryption technology
• Routing verification procedures
• Installing a firewall


Internet Risks
Figure: a message originating at Point A is split into packets that may travel different paths to the intended destination, Point B. Three questions arise: Did Point B receive this message? Did anyone else see the message? Was the message really sent by Point A?

Messaging Security
• Confidentiality
• Integrity: detect tampering
• Authentication: correct party
• Non-repudiation: sender can’t deny
• Access controls: limit entry to authorized users


Symmetric Encryption
Figure: sender and receiver hold identical keys; the sender encrypts the clear text message and the receiver decrypts it back to the clear text message.

PKI
• Public Key Infrastructure
• Most commonly used
• Two keys:
– public key – publicly available
– private key – kept secret
• The two keys are related through a secret mathematical formula
• Both are needed to process a transaction


Biometric Usage
• For user authentication
• By order of use:
– finger scanners
– hand geometry
– face recognition
– eye scan
– voiceprints
– signature verification


Digital Signature
• Also called a Certificate
• Issued by a trusted third party, the Certification Authority (CA)
• An electronic passport to prove identity
• Provides assurance that messages are valid
• Uses encryption to verify the identity of an unseen partner


Firewall
A firewall is a barrier between networks, not allowing information to flow into and out of the trusted network.

Figure (Firewall): attempted access from the Internet is screened by the firewall.

Figure (Firewalls): an external screen passes only valid traffic; an internal screen passes only valid access to the sensitive database.

Firewall Types
• Packet Filter:
– simplest type
– doesn’t examine data
– looks at the IP header
• Proxy Firewall (Server):
– hides the protected private network
– forwards requests from the private to the public network (not within)

Firewall Types
• Demilitarized Zone:
– more secure
– several layers of firewall protection
– different levels of protection for different portions of the company’s network
– runs between the private network and the outside public network

Bypassing Firewalls
Figure: Internet, Firewall, SERVER (Inventory, Customer Info, Ordering), R&D Department.

Agenda
• AIS Threats
• Control concepts
• General controls for information systems
• Internet controls
• Contingency management


Contingency Management
• Disaster Recovery is reactive
• Contingency Management is proactive
• Continuity Planning is the latest term
• Accounting standards are stated in terms of Disaster Recovery


Disaster Recovery Plan
Purpose: to ensure processing capacity can be restored as smoothly and quickly as possible in the event of:
– a major disaster
– a temporary disruption

Disaster Plan Objectives
• Minimize disruption, damage, and loss
• Temporarily establish alternative means of processing information
• Resume normal operations as soon as possible
• Train and familiarize personnel with emergency operations


Plan Elements
• Priorities for the recovery process
• Backup data and program files
• Backup facilities:
– reciprocal agreements
– hot and cold sites
– shadow mode (parallel)


Back Up Data
• Rollback:
– a predated copy of each record is created prior to processing the transaction
• If a hardware failure occurs:
– records are rolled back to the predated version
– transactions are processed again from the beginning

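The rollback procedure just described, as an added example (not the lecture's code): a predated copy of each record is taken before it is changed, a simulated hardware failure interrupts the batch, the touched records are rolled back, and the batch is reprocessed from the beginning. The ledger, the transactions and the `HardwareFailure` exception are constructed.

```python
class HardwareFailure(Exception):
    """Constructed stand-in for the hardware failure on the slide."""


class Ledger:
    def __init__(self, records):
        self.records = dict(records)   # live master file: account -> balance
        self.before_images = {}        # predated copy of each record touched in this batch

    def apply(self, txn):
        account, amount = txn
        # Rollback control: keep the record as it was BEFORE its first update in the batch.
        self.before_images.setdefault(account, self.records[account])
        self.records[account] += amount

    def rollback(self):
        """Restore every touched record to its predated version."""
        self.records.update(self.before_images)
        self.before_images.clear()

    def commit(self):
        """Batch completed normally; the predated copies are no longer needed."""
        self.before_images.clear()


def process_batch(ledger, txns, fail_after=None):
    """Apply the batch; raise HardwareFailure after `fail_after` transactions (simulation)."""
    for i, txn in enumerate(txns):
        if fail_after is not None and i == fail_after:
            raise HardwareFailure(f"failure after {i} of {len(txns)} transactions")
        ledger.apply(txn)
    ledger.commit()


def run_with_recovery(records, txns, fail_after=None):
    """Process the batch; on failure roll back, then reprocess from the beginning."""
    ledger = Ledger(records)
    try:
        process_batch(ledger, txns, fail_after)
    except HardwareFailure:
        ledger.rollback()
        process_batch(ledger, txns)
    return ledger.records


# Constructed master file and batch of transactions.
OPENING = {"A": 100, "B": 50}
BATCH = [("A", -30), ("B", 30), ("A", -10)]
```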

Back Up Data Decisions
• How often? (e.g., weekly)
– Exposure * Risk = Expected Loss
• Where do you store backup data?
– on-site (e.g., fireproof safe)
– off-site (incurs costs)
• How quick to recover?
• What is recovered first?


Remote Access
Computer World, 1/21/02
• Companies are eying remote access as a contingency management tool
• Scrambling to develop remote access systems
• A result of September 11
• If the main facilities are down, staff can still communicate with one another


Recovery Plan
• A recovery plan is not complete until tested by simulating a disaster
– EDS
• The plan must be continuously reviewed and revised so it reflects the current situation
• The plan should include insurance coverage


Cardinal Health
• Redundant systems for critical order processing
• Redundant WAN trunks
• System data backed up daily
– backup media kept off-site
• Backup replica site
– in a different part of the country
– switched on within 30 minutes


The Money Store
• Databases backed up every evening
• Back-up files stored:
– on-site
– at an information storage vendor
• Automatic archival process that periodically pulls and stores back-up data files

The Money Store
• Call centers:
– in 3 locations nationally
– separated so that a natural disaster will not hit all three simultaneously
– calls electronically rerouted to the other two sites
– in Sacramento, a vacant building is rented as an emergency site

Topics Covered
• AIS Threats
• Control concepts
• General controls for information systems
• Internet controls
• Contingency management