internal controls security readings ppt summary

Security and Internal Controls

Opening questions:
• Whose responsibility is control?
• Who is responsible for the detection of fraud?
• Why does fraud occur, and how big is it?
• What is management's goal with regard to security and control?

SYSTEMS RELIABILITY

One basic function of an MIS/AIS is to provide information useful for decision making. In order to be useful, the information must be reliable, which means:
• It provides an accurate, complete, and timely picture of the organization's activities.
• It is available when needed.
• The information and the system that produces it are protected from loss, compromise, and theft.

The Trust Services framework developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) identified five basic principles that contribute to systems reliability:
1. Security: access to the system and its data is controlled.
2. Confidentiality: sensitive information is protected from unauthorized disclosure.
3. Privacy (online privacy): personal information about customers collected through e-commerce is collected, used, disclosed, and maintained in an appropriate manner.
4. Processing integrity: data is processed accurately, completely, in a timely manner, and with proper authorization.
5. Availability: the system is available to meet operational and contractual obligations.

(Slide figure: the five principles stacked with Security at the base, supporting Confidentiality, Privacy, Processing Integrity, and Availability.)

Note the importance of security in this picture. It is the foundation of systems reliability. Security procedures:
• Restrict system access to authorized users only, and thereby protect the confidentiality of sensitive organizational data and the privacy of personal identifying information collected from customers.
• Provide for processing integrity by preventing the submission of unauthorized or fictitious transactions and unauthorized changes to stored data or programs.
• Protect against a variety of attacks, including viruses and worms, thereby ensuring the system is available when needed.

SYSTEM OF ACCOUNTING INTERNAL CONTROLS
(Study Objective 10: The maintenance of accounting internal controls)

Objectives of an internal control system:
1. Safeguard assets (from fraud or errors).
2. Maintain accuracy and integrity of accounting data.
3. Promote operational efficiency.
4. Ensure compliance with management directives.

Three types of controls: preventive controls, detective controls, corrective controls.

COSO Report: five components of internal control:
1. Control environment.
2. Risk assessment.
3. Control activities.
4. Information and communication.
5. Monitoring.

Control Environment (Exhibit 3-5, Factors of the Control Environment)

Factor | Example of a less risky control environment | Example of a more risky control environment
Integrity and ethics | The company has a code of ethics, and it is rigidly enforced. | The company does not have a code of ethics, or if it has one, it is not enforced.
Philosophy and operating style | Management is very conservative in its approach to things such as mergers. | Management is very aggressive and risk-taking in its approach to things such as mergers.
Assignment of authority and responsibility | Lines of authority are well established, and managers' jobs and duties are clear to them. | Managers have overlapping duties, and oftentimes managers are not quite sure whether or not they have certain responsibilities and authority.
Organization and development of people | Management carefully trains and cultivates employees to be able to take on more responsibility. | Management does not spend any money or time on the training of employees.
Attention and direction by the board of directors | Members of the board examine reports and hold top management accountable for the accuracy of the reports. | Members of the board do not prepare for the meetings they attend and are merely "big-name" figureheads.

Risk Assessment. Management must develop a way to:
1. Identify the sources of risks.
2. Determine the impact of risks.
3. Estimate the chances of risks occurring.
4. Develop an action plan to reduce the impact and probability of risks.
5. Execute the action plan and continue the cycle, beginning again with the first step.

Control Activities. Categories:
1. Authorization of transactions
2. Segregation of duties
3. Adequate records and documents
4. Security of assets and documents
5. Independent checks and reconciliation
1. Authorization of transactions: general authorization; specific authorization.

2. Segregation of duties (Exhibit 3-6, Segregation of Duties).

3. Adequate records and documents: supporting documentation for all significant transactions; schedules and analyses of financial information; accounting cycle reports; audit trail.

4. Security of assets and documents: protecting physical assets; protecting information; cost-benefit comparison.

5. Independent checks and reconciliation. Procedures: reconciliation; comparison of physical assets with records; recalculation of amounts; analysis of reports; review of batch totals.

Quick Review: Which control activity is intended to serve as a method to confirm the accuracy or completeness of data in the accounting system?
a. authorization
b. segregation of duties
c. security of assets
d. independent checks and reconciliations

Quick Review: Proper segregation of functional responsibilities calls for separation of the functions of
a. authorization, execution, and payment.
b. authorization, recording, and custody.
c. custody, execution, and reporting.
d. authorization, payment, and recording.

Information and Communication. An effective accounting system must:
1. Identify all relevant financial events (transactions).
2. Capture the important data of these transactions.
3. Record and process the data through appropriate classification, summarization, and aggregation.
4. Report this summarized and aggregated information to managers.

Monitoring. Any system of control must be constantly monitored to assure that it continues to be effective.

Reasonable Assurance of Internal Controls. Controls achieve a sensible balance of reducing risk when compared with the cost of the control. It is not possible to provide absolute assurance, because:
• Flawed judgments are applied in decision making.
• Human error exists in every organization.
• Controls can be circumvented or ignored.
• Controls may not be cost beneficial.

SYSTEM OF INFORMATION TECHNOLOGY CONTROLS
(Study Objective 11: The maintenance of information technology controls)

For any business process, there should be both accounting internal controls, as in COSO, and IT controls, as in the Trust Principles. Risks and controls in IT are divided into five categories: security, availability, processing integrity, confidentiality, and online privacy.

Quick Review: AICPA Trust Principles identify five categories of risks and controls. Which category is best described by the statement, "Information processing could be inaccurate, incomplete, or not properly authorized"?
a. security
b. availability
c. processing integrity
d. confidentiality

INTERNAL CONTROLS AND RISKS IN IT SYSTEMS
(Accounting Information Systems, 1st Edition)

Study Objectives:
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems

INTERNAL CONTROLS FOR IT SYSTEMS
(Study Objective 1: An overview of internal controls for IT systems)

Accounting Information System: collects, processes, stores, and reports accounting information.
Controls in computer-based systems have been described as being of two types: general controls and application controls.

Exhibit 4-1, General and Application Controls in IT Systems: application controls are used to control inputs, processing, and outputs; general controls apply overall to the IT accounting system.

Concept Check: Internal controls that apply overall to the IT system are called
a. Overall controls.
b. Technology controls.
c. Application controls.
d. General controls.

GENERAL CONTROLS IN IT SYSTEMS
(Study Objective 2: General controls for IT systems)

Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business continuity

Authentication of Users and Limiting Unauthorized Access. Key terms: authentication of users, log-in, user IDs, password, user profile, authority table, configuration tables, computer log, nonrepudiation, smart card, security token, biometric devices, two-factor authentication.

Hacking and Other Network Break-Ins. Key terms: firewall, symmetric encryption, public key encryption, secure sockets layer (SSL), virtual private network (VPN), virus, antivirus software, wired equivalent privacy (WEP), Wi-Fi protected access (WPA), service set identifier (SSID), vulnerability assessment, penetration testing, intrusion detection. (The slides write "wired equivalency privacy" and "wireless protected access"; the standards are named Wired Equivalent Privacy and Wi-Fi Protected Access.)

Organizational Structure. IT governance committee responsibilities include:
1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.

Duties to be segregated: systems analysts, programmers, operators, database administrator.

Physical Environment and Security. Physical access controls:
• Limited access to computer rooms through employee ID badges or card keys
• Video surveillance equipment
• Logs of persons entering and exiting the computer rooms
• Locked storage of backup data and offsite backup data

Business Continuity. Business continuity planning (BCP) related to IT systems:
• A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups.
• A disaster recovery plan.

Concept Check: Which of the following is not a control intended to authenticate users?
a. User log-in.
b. Security token.
c. Encryption.
d. Biometric devices.

Concept Check: An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
a. Develop and maintain the database and ensure adequate controls over the database.
b. Develop, monitor, and review security policies.
c. Oversee and prioritize changes to IT systems.
d. Align IT investments to business strategy.
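The two segregation-of-duties rules stated on these slides (authorization, recording and custody of an asset must not sit with one person; systems analysts, programmers, operators and the database administrator are separate jobs) can be enforced as a policy check over role assignments. The Python below is an added example, not code from the slides or the textbook: it reports existing violations (a detective control) and screens a proposed grant before it is made (a preventive control). The role names, the asset/system labels, the users and their role assignments are all constructed for the example.

```python
"""Segregation-of-duties (SoD) conflict check.

Added example, not code from the slides or the textbook. Encodes two
separation rules the slides state and applies them to role assignments.
Role names, asset/system labels, users and assignments are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Role -> (domain, function, asset or system the function applies to). Assumed mapping.
ROLE_FUNCTIONS = {
    "ap_approver":   ("accounting", "authorization", "payments"),
    "ap_clerk":      ("accounting", "recording", "payments"),
    "treasurer":     ("accounting", "custody", "payments"),
    "sys_analyst":   ("it", "systems_analyst", "erp"),
    "developer":     ("it", "programmer", "erp"),
    "prod_operator": ("it", "operator", "erp"),
    "dba":           ("it", "database_administrator", "erp"),
}

ACCOUNTING_FUNCTIONS = ("authorization", "recording", "custody")
IT_FUNCTIONS = ("systems_analyst", "programmer", "operator", "database_administrator")

# Every pair within a family is incompatible when held over the same asset/system.
INCOMPATIBLE = {
    "accounting": {frozenset(p) for p in combinations(ACCOUNTING_FUNCTIONS, 2)},
    "it": {frozenset(p) for p in combinations(IT_FUNCTIONS, 2)},
}


def sod_conflicts(assignments: dict) -> list:
    """Detective check. assignments maps user -> list of role names.
    Returns sorted (user, domain, asset, function_a, function_b) tuples."""
    conflicts = []
    for user, roles in assignments.items():
        held = defaultdict(set)               # (domain, asset) -> functions held
        for role in roles:
            domain, function, asset = ROLE_FUNCTIONS[role]
            held[(domain, asset)].add(function)
        for (domain, asset), functions in held.items():
            for a, b in combinations(sorted(functions), 2):
                if frozenset((a, b)) in INCOMPATIBLE[domain]:
                    conflicts.append((user, domain, asset, a, b))
    return sorted(conflicts)


def conflicts_if_granted(assignments: dict, user: str, role: str) -> list:
    """Preventive check: the conflicts that granting `role` to `user` would create.
    An empty list means the grant is clean under these rules."""
    trial = {user: list(assignments.get(user, [])) + [role]}
    return sod_conflicts(trial)


# Constructed sample: alice both approves and records AP; carol writes code and
# also runs production; bob and dave each hold a single role.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_approver", "ap_clerk"],
    "bob":   ["ap_clerk"],
    "carol": ["developer", "prod_operator"],
    "dave":  ["dba"],
}

if __name__ == "__main__":
    for c in sod_conflicts(SAMPLE_ASSIGNMENTS):
        print("conflict:", c)
    print("grant treasurer to bob:", conflicts_if_granted(SAMPLE_ASSIGNMENTS, "bob", "treasurer"))
    print("grant ap_clerk to dave:", conflicts_if_granted(SAMPLE_ASSIGNMENTS, "dave", "ap_clerk"))
```

Conflicts are only raised within one domain over the same asset or system: dave (a DBA) taking an AP clerk role is clean under these rules, whereas bob (who records payments) being made treasurer (custody of payments) is not. In practice the mapping table comes from the identity system's role catalogue and the check runs on every access request and on a periodic review.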
GENERAL CONTROLS FROM AN AICPA TRUST PRINCIPLES PERSPECTIVE
(Study Objective 3: General controls from a Trust Principles perspective)

The AICPA Trust Principles categorize IT controls and risks into five categories:
a. Security
b. Availability
c. Processing integrity
d. Online privacy
e. Confidentiality

Risks in Not Limiting Unauthorized Users. IT controls that lessen the risk of unauthorized users gaining access to the IT system:
a. user ID,
b. password,
c. security token,
d. biometric devices,
e. log-in procedures,
f. access levels,
g. computer logs, and
h. authority tables.

Risks from Hacking or Other Network Break-Ins. Controls that may be applied are:
a. firewalls,
b. encryption of data,
c. security policies,
d. security breach resolution,
e. secure sockets layer (SSL),
f. virtual private network (VPN),
g. wired equivalent privacy (WEP),
h. Wi-Fi protected access (WPA),
i. service set identifier (SSID),
j. antivirus software,
k. vulnerability assessment,
l. penetration testing, and
m. intrusion detection.

Risks from Environmental Factors. Environmental changes that affect the IT system can cause availability risks and processing integrity risks. Related categories: physical access risks; business continuity risks.

Concept Check: AICPA Trust Principles describe five categories of IT risks and controls. Which of these five categories would best be described by the statement, "The system is protected against unauthorized access"?
a. Security.
b. Confidentiality.
c. Processing integrity.
d. Availability.

Concept Check: The risk that an unauthorized user would shut down systems within the IT system is a(n)
a. Security risk.
b. Availability risk.
c. Processing integrity risk.
d. Confidentiality risk.

HARDWARE AND SOFTWARE EXPOSURES
(Study Objective 4: Hardware and software exposures in IT systems)

Typical IT system components that represent "entry points" where the risks must be controlled (Exhibit 4-6, typical entry points):
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software

The Operating System. The software that controls the basic input and output activities of the computer. It provides the instructions that enable the CPU to read and write to disk, read keyboard input, control output to the monitor, manage computer memory, and communicate between the CPU, memory, and disk storage.
Unauthorized access to the operating system would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or passwords.
2. Alter data through the operating system.
3. Alter access tables to change access levels of users.
4. Alter application programs.
5. Destroy data or programs.

The Database. A large disk storage for accounting and operating data. Controls such as user IDs, passwords, authority tables, firewalls, and encryption are examples of controls that can limit exposure.

The Database Management System (Exhibit 4-7). A software system that manages the interface between many users and the database. Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.

LANs and WANs. A local area network, or LAN, is a computer network covering a small geographic area. A group of LANs connected to each other is called a wide area network, or WAN. Controls: limit unauthorized users, firewalls, encryption, virtual private networks.

Wireless Networks. Same kind of exposures as a local area network. Controls include wired equivalent privacy (WEP) or Wi-Fi protected access (WPA), service set identifiers (SSID), and encrypted data. (WEP is cryptographically broken and should not be relied on; current deployments use WPA2 or WPA3. An SSID is only the network's name, and hiding it is not an access control.)

Internet and World Wide Web. The use of dual firewalls (with the screened subnet between them commonly called a DMZ) can help prevent hackers or unauthorized users from accessing the organization's internal network of computers.

Telecommuting Workers. The organization's security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.

Electronic Data Interchange. Company-to-company transfer of standard business documents in electronic form. EDI controls include authentication, computer logs, and network break-in controls.

Concept Check: The risk of an unauthorized user gaining access is likely to be a risk for which of the following areas?
a. Telecommuting workers.
b. Internet.
c. Wireless networks.
d. All of the above.

APPLICATION SOFTWARE AND APPLICATION CONTROLS
(Study Objective 5: Application software and application controls)

Application software accomplishes end-user tasks such as word processing, spreadsheets, database maintenance, and accounting functions. Application controls are intended to improve the accuracy, completeness, and security of input, processing, and output.

Input Controls. Data input: data converted from human-readable form to computer-readable form. Input controls are of four types:
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation

Source Document Controls. Source document: a paper form used to capture and record the original data of an accounting transaction. Note: many IT systems do not use source documents; there, general controls such as computer logging of transactions and keeping backup files become important. Where source documents are used, several source document controls should be applied.
Form design: both the source document and the input screen should be well designed so that they are easy to understand and use, logically organized into groups of related data.
Form authorization and control: an area for authorization by the appropriate manager; prenumbered and used in sequence; blank source documents should be controlled.
Retention of source documents: retained and filed for easy retrieval; part of the audit trail.

Standard Procedures for Data Input.
Data preparation: standard data collection procedures reduce the chance of lost, misdirected, or incorrect data collection from source documents.
Error handling: errors should be logged, investigated, corrected, and resubmitted for processing; the error log should be regularly reviewed by an appropriate manager.

Programmed Input Validation Checks. Data should be validated and edited as close to the original source of the data as possible. Input validation checks include:
1. Field check
2. Validity check
3. Limit check
4. Range check
5. Reasonableness check
6. Completeness check
7. Sign check
8. Sequence check
9. Self-checking digit

Control Totals and Reconciliation. Control totals are subtotals of selected fields for an entire batch of transactions. Three types: record counts, batch totals, and hash totals.

Processing Controls. Intended to prevent, detect, or correct errors that occur during processing:
• Ensure that the application software has no errors.
• Control totals, limit and range tests, and reasonableness and sign tests.
• Computer logs of transactions processed, production run logs, and error listings.

Output Controls. Reports from the various applications. Two primary objectives of output controls: to assure the accuracy and completeness of the output, and to properly manage the safekeeping of output reports to ascertain that security and confidentiality of the information is maintained.

Concept Check: Which programmed input validation check compares the value in a field with related fields to determine whether the value is appropriate?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Completeness check.

Concept Check: Which programmed input validation check determines whether the appropriate type of data, either alphabetic or numeric, was entered?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.

Concept Check: Which programmed input validation check makes sure that a value was entered in all of the critical fields?
a. Completeness check.
b. Validity check.
c. Reasonableness check.
d. Field check.

Concept Check: Which control total is the total of field values that are added for control purposes, but not added for any other purpose?
a. Record count.
b. Hash total.
c. Batch total.
d. Field total.

ETHICAL ISSUES IN INFORMATION TECHNOLOGY
(Study Objective 6: Ethical issues in IT systems)

Besides fraud, there are many kinds of unethical behaviors related to computers, such as:
• Misuse of confidential customer information.
• Theft of data, such as credit card information, by hackers.
• Employee use of IT system hardware and software for personal use or personal gain.
• Using company e-mail to send offensive, threatening, or sexually explicit material.
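The nine programmed input validation checks and the three control totals from the application controls slides above, as one worked batch-input routine. This is an added example in Python, not code from the slides or the textbook: it runs every edit check over a constructed batch of payroll-style input records, rejects the records that fail (which the error-handling slide says are then logged, corrected and resubmitted), and reconciles the record count, batch total and hash total of the accepted records against the totals the batch header claims. The field names, the policy limits, the overtime reasonableness rule and the use of the mod-10 (Luhn) scheme for the self-checking digit are assumptions made for the example.

```python
"""Programmed input validation checks and batch control totals.

Added example, not code from the slides or the textbook. Field names, limits,
the OT reasonableness rule and the mod-10 (Luhn) check digit are assumptions.
"""

REQUIRED_FIELDS = ("seq", "emp_no", "dept", "pay_code", "hours", "rate")
VALID_DEPARTMENTS = {"ACCT", "OPS", "IT"}      # assumed reference table
VALID_PAY_CODES = {"REG", "OT"}
MAX_HOURS = 80.0                               # assumed limit (ceiling only)
RATE_RANGE = (15.0, 120.0)                     # assumed range (floor and ceiling)
MAX_OT_HOURS = 20.0                            # assumed reasonableness rule


def luhn_ok(number: str) -> bool:
    """Self-checking digit: the whole number must satisfy the mod-10 (Luhn) rule."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _is_number(text: str) -> bool:
    try:
        float(text)
        return True
    except ValueError:
        return False


def validate_record(rec: dict, expected_seq: int) -> list:
    """Run the edit checks on one keyed record; return the names of the failed checks."""
    # Completeness check: every required field present and non-blank
    if any(not str(rec.get(f, "")).strip() for f in REQUIRED_FIELDS):
        return ["completeness"]             # nothing else can be checked reliably
    # Field check: the right kind of data in each field
    if not (rec["seq"].isdigit() and rec["emp_no"].isdigit() and rec["dept"].isalpha()
            and _is_number(rec["hours"]) and _is_number(rec["rate"])):
        return ["field"]
    hours, rate = float(rec["hours"]), float(rec["rate"])
    errors = []
    # Validity check: codes must exist in the reference tables
    if rec["dept"] not in VALID_DEPARTMENTS or rec["pay_code"] not in VALID_PAY_CODES:
        errors.append("validity")
    # Limit check: a single ceiling
    if hours > MAX_HOURS:
        errors.append("limit")
    # Range check: floor and ceiling
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        errors.append("range")
    # Reasonableness check: compares related fields (pay code against hours)
    if rec["pay_code"] == "OT" and hours > MAX_OT_HOURS:
        errors.append("reasonableness")
    # Sign check
    if hours < 0 or rate < 0:
        errors.append("sign")
    # Sequence check: records arrive in numbered order with no gaps
    if int(rec["seq"]) != expected_seq:
        errors.append("sequence")
    # Self-checking digit on the employee number
    if not luhn_ok(rec["emp_no"]):
        errors.append("check_digit")
    return errors


def control_totals(records: list) -> dict:
    """The three control totals of the slide, computed over a list of records."""
    return {
        "record_count": len(records),
        "batch_total": round(sum(float(r["hours"]) * float(r["rate"]) for r in records), 2),
        # hash total: a sum of a field that is meaningless as a sum (employee numbers)
        "hash_total": sum(int(r["emp_no"]) for r in records),
    }


def process_batch(header: dict, records: list) -> dict:
    """Validate every record, then reconcile the accepted records' totals to the header."""
    accepted, rejected = [], {}
    for position, rec in enumerate(records, start=1):
        errors = validate_record(rec, position)
        if errors:
            rejected[rec.get("seq") or f"pos{position}"] = errors
        else:
            accepted.append(rec)
    computed = control_totals(accepted)
    discrepancies = {k: (header[k], computed[k]) for k in computed if header[k] != computed[k]}
    return {"accepted": [r["seq"] for r in accepted], "rejected": rejected,
            "discrepancies": discrepancies}


# Constructed sample batch. The header totals were "prepared" over all four
# source documents, so they will not reconcile once two records are rejected.
SAMPLE_HEADER = {"record_count": 4, "batch_total": 4660.00, "hash_total": 1049269}
SAMPLE_RECORDS = [
    {"seq": "1", "emp_no": "123455", "dept": "ACCT", "pay_code": "REG", "hours": "40", "rate": "30.00"},
    {"seq": "2", "emp_no": "246801", "dept": "OPS",  "pay_code": "OT",  "hours": "8",  "rate": "45.00"},
    {"seq": "3", "emp_no": "123456", "dept": "OPS",  "pay_code": "REG", "hours": "95", "rate": "30.00"},
    {"seq": "5", "emp_no": "555557", "dept": "HR",   "pay_code": "OT",  "hours": "25", "rate": "10.00"},
]

if __name__ == "__main__":
    for key, value in process_batch(SAMPLE_HEADER, SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

Records 3 and 5 are rejected, so all three totals disagree with the header: the record count shows two records missing, the batch total shows how many dollars are missing, and the hash total shows which employee numbers are missing even when the dollar amounts happen to match. That discrepancy report is what the error log review on the preceding slide works from.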
81 SO 6 Ethical issues in IT systems RISK ASSESSMENT AND RISK RISK RESPONSE RESPONSE Cost benefit analysis for controls 82 RISK ASSESSMENT AND RISK RESPONSE Accountants: Help Help management design effective controls to reduce inherent risk reduce Evaluate internal control systems to ensure they Evaluate are operating effectively are Assess and reduce inherent risk using the risk Assess assessment and response strategy assessment 83 RISK ASSESSMENT AND RISK RESPONSE Identify the events or threats that confront the company Estimate the likelihood or probability of each event occurring Event Identification The first step in risk The assessment and response strategy is event identification, which we have already discussed. already Estimate the impact of potential loss from each threat Identify set of controls to guard against threat Estimate costs and benefits from instituting controls Is it costbeneficial to protect system No Avoid, share, or accept risk Yes 84 Reduce risk by implementing set of controls to guard against threat RISK ASSESSMENT AND RISK RESPONSE Estimate Likelihood and Estimate Impact Impact 85 Some events pose Some more risk because they are more probable than others. than Some events pose Some more risk because their dollar impact would be more significant. significant. Likelihood and impact Likelihood must be considered together: together: If either increases, the If materiality of the event and the need to protect against it rises. 
Identify Controls
- Management must identify one or more controls that will protect the company from each event.
- In evaluating the benefits of each control procedure, consider effectiveness and timing.

All other factors equal:
- A preventive control is better than a detective one.
- However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
- Consequently, the three complement each other, and a good internal control system should have all three.
- Similarly, a company should use all four levers of control.
Estimate Costs and Benefits
- It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
- Also, some controls negatively affect operational efficiency, and too many controls can make a system very inefficient.

The benefits of an internal control procedure must exceed its costs.
Benefits can be hard to quantify, but include:
- Increased sales and productivity
- Reduced losses
- Better integration with customers and suppliers
- Increased customer loyalty
- Competitive advantages
- Lower insurance premiums

Costs are usually easier to measure than benefits. The primary cost is personnel, including:
- Time to perform control procedures
- Costs of hiring additional employees to effectively segregate duties
- Costs of programming controls into a system

Other costs of a poor control system include:
- Lost sales
- Lower productivity
- Drop in stock price if security problems arise
- Shareholder or regulator lawsuits
- Fines and penalties imposed by governmental agencies
The expected loss related to a risk is measured as:
    Expected loss = impact x likelihood

The value of a control procedure is the difference between:
- the expected loss without the control procedure, and
- the expected loss with it.

Determine Cost-Benefit Effectiveness
After estimating benefits and costs, management determines whether the control is cost-beneficial, i.e., whether the cost of implementing the control procedure is less than the reduction in expected loss attributable to it.

In evaluating costs and benefits, management must consider factors other than those in the expected-benefit calculation.
- If an event threatens an organization's existence, it may be worthwhile to institute controls even if costs exceed expected benefits.
- The additional cost can be viewed as a catastrophic-loss insurance premium.

Let's go through an example:
- Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
- A catastrophic theft could result in losses of $800,000.
- Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
- Companies with motion detectors have only about a 0.5% probability of catastrophic theft.
- The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
- Should Hobby Hole install the motion detectors?

Implement the Control or Avoid, Share, or Accept the Risk
When controls are cost-effective, they should be implemented so risk can be reduced.
Solution:
    Expected loss without control procedure = $800,000 x 0.12 = $96,000.
    Expected loss with control procedure = $800,000 x 0.005 = $4,000.
    Estimated value of control procedure = $96,000 - $4,000 = $92,000.
    Estimated cost of control procedure = $43,000 (given).
    Benefits exceed costs by $92,000 - $43,000 = $49,000.
In this case, Hobby Hole should probably install the motion detectors.

Risks that are not reduced must be accepted, shared, or avoided.
- If the risk is within the company's risk tolerance, they will typically accept the risk.
- A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
- An avoid response is typically used only when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
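The expected-loss arithmetic and the reduce/accept/share/avoid decision above, as an added example that is not part of the original slides. It uses the slides' formulas (expected loss = impact x likelihood; value of a control = expected loss without it minus expected loss with it) and goes a step further than the Hobby Hole slide by ranking several candidate controls for one threat and applying the catastrophic-loss caveat. The Hobby Hole figures are the slides' own; the second candidate control (NIGHT_GUARD), the $50,000 RISK_TOLERANCE and the tie-breaking rules in choose_response are assumptions made for this example.

```python
"""Risk assessment and risk response: expected loss, control value and the
reduce / accept / share-or-avoid decision.

Added example, not part of the original slides. The second candidate
control, the risk tolerance and the rules for the non-cost-beneficial
case are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float      # dollar loss if the event occurs
    likelihood: float  # probability of the event per period, 0..1


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                 # present value of buying, installing and operating it
    residual_likelihood: float  # event probability once the control is in place


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood (rounded to cents)."""
    return round(impact * likelihood, 2)


def control_value(threat: Threat, control: Control) -> float:
    """Value of a control = expected loss without it - expected loss with it."""
    without = expected_loss(threat.impact, threat.likelihood)
    with_control = expected_loss(threat.impact, control.residual_likelihood)
    return round(without - with_control, 2)


def net_benefit(threat: Threat, control: Control) -> float:
    """Positive when the control is cost-beneficial (value exceeds cost)."""
    return round(control_value(threat, control) - control.cost, 2)


def choose_response(threat: Threat, controls: list, risk_tolerance: float,
                    existential: bool = False) -> tuple:
    """Return (response, control name or None).

    reduce         - the best candidate control pays for itself, or (assumed
                     rule) the event threatens the organization's existence,
                     so the control is implemented even though cost exceeds
                     benefit, the shortfall being a catastrophic-loss
                     insurance premium.
    accept         - no cost-beneficial control, but the expected loss is
                     within the company's risk tolerance.
    share or avoid - no cost-beneficial control and the exposure exceeds the
                     tolerance; choosing between the two needs information
                     (insurance terms, the option to exit the activity) that
                     this model does not hold.
    """
    best: Optional[Control] = max(controls, key=lambda c: net_benefit(threat, c), default=None)
    if best is not None and net_benefit(threat, best) > 0:
        return ("reduce", best.name)
    if best is not None and existential:
        return ("reduce", best.name)
    if expected_loss(threat.impact, threat.likelihood) <= risk_tolerance:
        return ("accept", None)
    return ("share or avoid", None)


# The slides' figures for Hobby Hole.
HOBBY_HOLE_THEFT = Threat("catastrophic warehouse theft", impact=800_000, likelihood=0.12)
MOTION_DETECTORS = Control("motion detectors", cost=43_000, residual_likelihood=0.005)
# Assumed second candidate, to show ranking between controls.
NIGHT_GUARD = Control("night security guard", cost=60_000, residual_likelihood=0.01)
# Assumed risk tolerance for the decision.
RISK_TOLERANCE = 50_000


def hobby_hole_report() -> dict:
    """Work the Hobby Hole example and rank both candidate controls."""
    candidates = [MOTION_DETECTORS, NIGHT_GUARD]
    ranked = sorted(candidates, key=lambda c: net_benefit(HOBBY_HOLE_THEFT, c), reverse=True)
    return {
        "expected_loss_without_control": expected_loss(HOBBY_HOLE_THEFT.impact, HOBBY_HOLE_THEFT.likelihood),
        "expected_loss_with_motion_detectors": expected_loss(HOBBY_HOLE_THEFT.impact, MOTION_DETECTORS.residual_likelihood),
        "value_of_motion_detectors": control_value(HOBBY_HOLE_THEFT, MOTION_DETECTORS),
        "net_benefit_of_motion_detectors": net_benefit(HOBBY_HOLE_THEFT, MOTION_DETECTORS),
        "ranking": [(c.name, net_benefit(HOBBY_HOLE_THEFT, c)) for c in ranked],
        "response": choose_response(HOBBY_HOLE_THEFT, candidates, RISK_TOLERANCE),
    }


if __name__ == "__main__":
    for key, value in hobby_hole_report().items():
        print(f"{key}: {value}")
```

Running it reproduces the slide's $96,000 / $4,000 / $92,000 / $49,000 figures and recommends the motion detectors over the assumed guard contract (net benefit $49,000 versus $28,000). With only a control whose cost exceeds its value, the same function returns "accept" when the $96,000 expected loss is inside the tolerance, "share or avoid" when it is not, and "reduce" anyway when the existential flag is set, which is the catastrophic-loss insurance argument from the slides.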

This note was uploaded on 10/23/2011 for the course CISY 1225 taught by Professor Sherwood during the Spring '10 term at Dalhousie.
