1 Computer-Based Information Systems Controls


Page 1: 1 Computer-Based Information Systems Controls. 2 Learning Objectives 1. Describe the threats to an AIS and discuss why these threats are growing. 2. Explain

1

Computer-Based Information Systems Controls


Learning Objectives

1. Describe the threats to an AIS and discuss why these threats are growing.

2. Explain the basic concepts of control as applied to business organizations.

3. Describe the major elements in the control environment of a business organization.


Learning Objectives, continued

4. Describe control policies and procedures commonly used in business organizations.

5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.


Threats to Accounting Information Systems

What are examples of natural and political disasters?

– fire or excessive heat
– floods
– earthquakes
– high winds
– war


Threats to Accounting Information Systems

What are examples of software errors and equipment malfunctions?

– hardware failures
– power outages and fluctuations
– undetected data transmission errors


Threats to Accounting Information Systems

What are examples of unintentional acts?

– accidents caused by human carelessness
– innocent errors of omission
– lost or misplaced data
– logic errors
– systems that do not meet company needs


Threats to Accounting Information Systems

What are examples of intentional acts?

– sabotage
– computer fraud
– embezzlement


Why are AIS Threats Increasing?

Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.

Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.

WANs are giving customers and suppliers access to each other’s systems and data, making confidentiality a concern.


Overview of Control Concepts

What is the traditional definition of internal control?

Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.


Overview of Control Concepts

What is management control?

Management control encompasses the following three features:

1 It is an integral part of management responsibilities.

2 It is designed to reduce errors and irregularities and to achieve organizational goals.

3 It is personnel-oriented and seeks to help employees attain company goals.


Internal Control Classifications

The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:

1 Preventive, detective, and corrective controls

2 General and application controls

3 Administrative and accounting controls

4 Input, processing, and output controls


The Foreign Corrupt Practices Act

In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.

The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.

A significant effect of the act was to require corporations to maintain good systems of internal accounting control.


Committee of Sponsoring Organizations

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:

1 American Accounting Association

2 American Institute of Certified Public Accountants

3 Institute of Internal Auditors

4 Institute of Management Accountants

5 Financial Executives Institute


Committee of Sponsoring Organizations

In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.

The report has been widely accepted as the authority on internal controls.


Committee of Sponsoring Organizations

The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:

– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations


Committee of Sponsoring Organizations

COSO’s internal control model has five crucial components:

1 Control environment

2 Control activities

3 Risk assessment

4 Information and communication

5 Monitoring


Information Systems Audit and Control Foundation

The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).

COBIT consolidates standards from 36 different sources into a single framework.

The framework addresses the issue of control from three vantage points, or dimensions:


Information Systems Audit and Control Foundation

1 Information: needs to conform to certain criteria that COBIT refers to as business requirements for information

2 IT resources: people, application systems, technology, facilities, and data

3 IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring


The Control Environment

The first component of COSO’s internal control model is the control environment.

The control environment consists of many factors, including the following:

1 Commitment to integrity and ethical values

2 Management’s philosophy and operating style

3 Organizational structure


The Control Environment

4 The audit committee of the board of directors

5 Methods of assigning authority and responsibility

6 Human resources policies and practices

7 External influences


Control Activities

The second component of COSO’s internal control model is control activities.

Generally, control procedures fall into one of five categories:

1 Proper authorization of transactions and activities

2 Segregation of duties


Control Activities

3 Design and use of adequate documents and records

4 Adequate safeguards of assets and records

5 Independent checks on performance


Proper Authorization of Transactions and Activities

Authorization is the empowerment management gives employees to perform activities and make decisions.

A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.

Specific authorization is the granting of authorization by management for certain activities or transactions.


Segregation of Duties

Good internal control demands that no single employee be given too much responsibility.

An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.


Segregation of Duties

Recording Functions
– Preparing source documents
– Maintaining journals
– Preparing reconciliations
– Preparing performance reports

Custodial Functions
– Handling cash
– Handling assets
– Writing checks
– Receiving checks in mail

Authorization Functions
– Authorization of transactions


Segregation of Duties

If two of these three functions are the responsibility of a single person, problems can arise.

Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.

It also prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.


Segregation of Duties

Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
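The rule on the preceding slides, that no one person should hold duties in two of the three function groups, can be checked mechanically against a duty roster. The following is an added example, not code from the slides: it classifies each duty into the recording, custodial or authorization group using the slide's own duty names, and flags every employee whose duties span two or more groups. The employee roster is constructed sample data.

```python
# Added example: detect segregation-of-duties conflicts in a duty roster.
# The three groups and their duty names are taken from the slides; the
# roster below is constructed sample data, not a real organization.
FUNCTION_GROUPS = {
    "recording": {
        "preparing source documents", "maintaining journals",
        "preparing reconciliations", "preparing performance reports",
    },
    "custodial": {
        "handling cash", "handling assets", "writing checks",
        "receiving checks in mail",
    },
    "authorization": {"authorization of transactions"},
}

# Reverse index: duty name -> group it belongs to.
DUTY_TO_GROUP = {
    duty: group for group, duties in FUNCTION_GROUPS.items() for duty in duties
}


def groups_held(duties):
    """Return the set of function groups that an employee's duties fall into.

    An unclassified duty raises rather than being skipped, so that a duty the
    reviewer forgot to classify cannot silently hide a conflict."""
    groups = set()
    for duty in duties:
        key = duty.strip().lower()
        if key not in DUTY_TO_GROUP:
            raise ValueError(f"unclassified duty: {duty!r}")
        groups.add(DUTY_TO_GROUP[key])
    return groups


def find_conflicts(assignments):
    """Return {employee: sorted list of groups} for every employee who holds
    duties in two or more of the three incompatible function groups."""
    conflicts = {}
    for employee, duties in assignments.items():
        held = groups_held(duties)
        if len(held) >= 2:
            conflicts[employee] = sorted(held)
    return conflicts


# Constructed sample roster (illustration only).
SAMPLE_ASSIGNMENTS = {
    "alice": ["Handling cash", "Receiving checks in mail"],          # custodial only
    "bob":   ["Maintaining journals", "Preparing reconciliations"],  # recording only
    "carol": ["Authorization of transactions"],                      # authorization only
    "dave":  ["Writing checks", "Maintaining journals"],             # custodial + recording
}

if __name__ == "__main__":
    for employee, groups in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{employee}: incompatible duties across {', '.join(groups)}")
```

Only `dave` is reported: he can both write checks (custody) and maintain the journals that record them, which is exactly the combination that lets a person perpetrate and conceal. A roster with a duty name the checker does not recognise fails loudly instead of passing.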


Design and Use of Adequate Documents and Records

The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.

Documents that initiate a transaction should contain a space for authorization.


Design and Use of Adequate Documents and Records

The following procedures safeguard assets from theft, unauthorized use, and vandalism:

– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas


Adequate Safeguards of Assets and Records

What can be used to safeguard assets?

– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information


Independent Checks on Performance

Independent checks that transactions are processed accurately are another important control element.


Independent Checks on Performance

What are various types of independent checks?

– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting
– batch totals


Independent Checks on Performance

Five batch totals are used in computer systems:

1 A financial total is the sum of a dollar field.

2 A hash total is the sum of a field that would usually not be added.


Independent Checks on Performance

3 A record count is the number of documents processed.

4 A line count is the number of lines of data entered.

5 A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
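The five batch totals above are most useful when the totals the submitting department computed before processing are compared with totals recomputed afterwards; which totals disagree tells you what kind of error occurred. The following is an added example, not code from the slides: it computes the four simple totals over a constructed batch of invoice records, performs the cross-footing balance test on a small table with stated row and column totals, and shows that a dropped record disturbs every total while a transposed account number disturbs only the hash total. Field names and the sample records are assumptions for this example.

```python
# Added example: batch totals and the cross-footing balance test.
# Record layout and sample data are constructed for illustration.
from decimal import Decimal


def batch_totals(records):
    """Compute the four simple batch totals from the slides.

    Each record has 'account' (an account number: a field one would not
    normally add, hence the hash total), 'amount' (a dollar field) and
    'lines' (the detail lines entered for that document)."""
    return {
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        "hash_total": sum(r["account"] for r in records),
        "record_count": len(records),
        "line_count": sum(len(r["lines"]) for r in records),
    }


def cross_footing_test(rows, stated_row_totals, stated_col_totals):
    """Cross-footing balance test: the grand total of the stated row totals
    must equal the grand total of the stated column totals, and both must
    equal the grand total recomputed from the detail cells."""
    grand = sum(sum(row) for row in rows)
    return sum(stated_row_totals) == grand == sum(stated_col_totals)


def compare_totals(control, computed):
    """Names of the totals that disagree between the control totals prepared
    before processing and the totals recomputed after processing."""
    return sorted(name for name in control if control[name] != computed[name])


# Constructed sample batch of three invoices (not from the slides).
SAMPLE_BATCH = [
    {"doc": "INV-101", "account": 1010, "amount": Decimal("100.00"), "lines": ["widgets", "freight"]},
    {"doc": "INV-102", "account": 2020, "amount": Decimal("250.50"), "lines": ["gadgets"]},
    {"doc": "INV-103", "account": 3030, "amount": Decimal("75.25"),  "lines": ["bolts", "nuts", "washers"]},
]

# Control totals as the submitting department would record them on the batch header.
CONTROL_TOTALS = batch_totals(SAMPLE_BATCH)


def demo():
    """Two processing errors and the totals that reveal each of them."""
    dropped = SAMPLE_BATCH[:2]                                   # INV-103 lost in processing
    transposed = [dict(r) for r in SAMPLE_BATCH]
    transposed[1]["account"] = 2002                              # 2020 keyed as 2002
    return {
        "dropped": compare_totals(CONTROL_TOTALS, batch_totals(dropped)),
        "transposed": compare_totals(CONTROL_TOTALS, batch_totals(transposed)),
    }


if __name__ == "__main__":
    print(CONTROL_TOTALS)
    print(demo())
    print(cross_footing_test([[10, 20], [30, 40]], [30, 70], [40, 60]))
```

The financial total is carried as `Decimal` so that cents add exactly; a float financial total can drift by rounding and produce false mismatches. Note which errors each total catches: the record and line counts catch lost documents, the financial total catches a wrong amount, and only the hash total catches a mis-keyed account number that leaves the dollar total untouched.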


Risk Assessment

The third component of COSO’s internal control model is risk assessment.

Companies must identify the threats they face:

– strategic: doing the wrong thing
– financial: having financial resources lost, wasted, or stolen
– information: faulty or irrelevant information, or unreliable systems


Risk Assessment

Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:

1 Choosing an inappropriate technology

2 Unauthorized system access

3 Tapping into data transmissions

4 Loss of data integrity


Risk Assessment

5 Incomplete transactions

6 System failures

7 Incompatible systems


Risk Assessment

Some threats pose a greater risk because the probability of their occurrence is higher. For example:

A company is more likely to be the victim of computer fraud than of a terrorist attack.

Risk and exposure must be considered together.


Estimate Cost and Benefits

No internal control system can provide foolproof protection against all internal control threats.

The cost of a foolproof system would be prohibitively high.

One way to calculate benefits involves calculating expected loss.


Estimate Cost and Benefits

Expected loss = risk × exposure

The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
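The formula and the benefit definition above are enough to decide whether a control is worth its cost and to rank competing controls. The following is an added example, not code from the slides: it carries the arithmetic through for the two threats the risk-assessment slide contrasts (computer fraud versus a terrorist attack), showing why risk and exposure must be considered together. All dollar figures and probabilities are constructed for illustration.

```python
# Added example: expected loss, control benefit and net benefit.
# Figures are constructed; the formulas are the slides' own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure: float       # estimated loss if the threat occurs (dollars)
    risk_without: float   # probability of occurrence with no control in place
    risk_with: float      # probability of occurrence once the control is in place


def expected_loss(risk, exposure):
    """Expected loss = risk x exposure."""
    return risk * exposure


def control_benefit(threat):
    """Benefit of the control: expected loss without it minus expected loss with it."""
    without = expected_loss(threat.risk_without, threat.exposure)
    with_control = expected_loss(threat.risk_with, threat.exposure)
    return without - with_control


def net_benefit(threat, control_cost):
    """What the control is worth after paying for it."""
    return control_benefit(threat) - control_cost


def worth_implementing(threat, control_cost):
    """A control is justified only when its benefit exceeds its cost."""
    return net_benefit(threat, control_cost) > 0


def rank_candidates(candidates):
    """Order (threat, control_cost) pairs by net benefit, best first."""
    ordered = sorted(candidates, key=lambda tc: net_benefit(*tc), reverse=True)
    return [threat.name for threat, _ in ordered]


# Constructed figures: a high-probability, moderate-exposure threat against a
# low-probability, high-exposure one, each with a candidate control.
FRAUD = Threat("computer fraud", exposure=500_000.0, risk_without=0.05, risk_with=0.01)
TERROR = Threat("terrorist attack", exposure=2_000_000.0, risk_without=0.0001, risk_with=0.00005)
CANDIDATES = [(FRAUD, 15_000.0), (TERROR, 50_000.0)]

if __name__ == "__main__":
    for threat, cost in CANDIDATES:
        print(f"{threat.name}: benefit {control_benefit(threat):,.2f}, "
              f"cost {cost:,.2f}, implement={worth_implementing(threat, cost)}")
    print(rank_candidates(CANDIDATES))
```

The terrorist-attack exposure is four times larger, yet its expected loss is tiny because the probability is so small; the fraud control returns 20,000 against a 15,000 cost, while the other control's 100 of benefit cannot justify 50,000. Exposure alone, or risk alone, would have ranked them the other way round.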


Information and Communication

The fourth component of COSO’s internal control model is information and communication.


Information and Communication

Accountants must understand the following:

1 How transactions are initiated

2 How data are captured in machine-readable form or converted from source documents

3 How computer files are accessed and updated

4 How data are processed to prepare information

5 How information is reported


Information and Communication

All of these items make it possible for the system to have an audit trail. An audit trail exists when individual company transactions can be traced through the system.


Monitoring Performance

The fifth component of COSO’s internal control model is monitoring.

What are the key methods of monitoring performance?

– effective supervision
– responsibility accounting
– internal auditing


Computer Controls and Security


Learning Objectives

1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.

2. Identify and explain the controls that apply to more than one principle of reliability.

3. Identify and explain the controls that help ensure that a system is available to users when needed.


Learning Objectives, continued

4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.

5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.

6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.


The Four Principles of a Reliable System

1. Availability of the system when needed.

2. Security of the system against unauthorized physical and logical access.

3. Maintainability of the system as required without affecting its availability, security, and integrity.

4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.


The Criteria Used To Evaluate Reliability Principles

For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.

1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.

2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.

3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.


Controls Related to More Than One Reliability Principle

– Strategic Planning & Budgeting
– Developing a Systems Reliability Plan
– Documentation


Controls Related to More Than One Reliability Principle

Documentation may be classified into three basic categories:

Administrative documentation: Describes the standards and procedures for data processing.

Systems documentation: Describes each application system and its key processing functions.

Operating documentation: Describes what is needed to run a program.


Availability

Minimizing Systems Downtime

• Preventive maintenance
• UPS
• Fault tolerance
• Disaster Recovery Plan
  – Minimize the extent of disruption, damage, and loss
  – Temporarily establish an alternative means of processing information
  – Resume normal operations as soon as possible


Availability

Disaster Recovery, continued

• Train and familiarize personnel with emergency operations
• Priorities for the recovery process
• Insurance
• Backup data and program files
  – Electronic vaulting
  – Grandfather-father-son concept
  – Rollback procedures
• Specific assignments
• Backup computer and telecommunication facilities
• Periodic testing and revision
• Complete documentation


Developing a Security Plan

Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.

What questions need to be asked?

– Who needs access to what information?
– When do they need it?
– On which systems does the information reside?


Segregation of Duties Within the Systems Function

In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.

Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.

To combat this threat, organizations must implement compensating control procedures.


Segregation of Duties Within the Systems Function

Authority and responsibility must be clearly divided among the following functions:

1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control


Segregation of Duties Within the Systems Function

It is important that different people perform these functions.

Allowing a person to perform two or more of them exposes the company to the possibility of fraud.


Physical Access Controls

How can physical access security be achieved?

– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs
– Install locks on PCs
– Restrict access to off-line programs, data, and equipment
– Locate hardware and other critical system components away from hazardous materials
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment


Logical Access Controls

Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.

What are some logical access controls?

– passwords
– physical possession identification
– biometric identification
– compatibility tests
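The principle stated above, access only to authorized data and then only for specific authorized functions, is what a compatibility test enforces: after the user has been identified (here by password), each requested function is checked against an access control matrix. The following is an added example, not code from the slides: the matrix, the user store and the passwords are constructed, the password is stored as a salted PBKDF2 hash rather than in clear, and anything the matrix does not explicitly grant is denied.

```python
# Added example: password identification followed by a compatibility test
# against an access control matrix. Users, passwords and the matrix are
# constructed for illustration.
import hashlib
import hmac
import os

# Access control matrix: user -> resource -> set of permitted functions.
ACCESS_MATRIX = {
    "ap_clerk":   {"vendor_master": {"read"},
                   "invoices": {"read", "create"}},
    "ap_manager": {"vendor_master": {"read", "update"},
                   "invoices": {"read", "approve"}},
    "auditor":    {"vendor_master": {"read"},
                   "invoices": {"read"},
                   "audit_log": {"read"}},
}


def make_password_record(password, iterations=100_000):
    """Store a random salt and a PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(record, candidate):
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def compatibility_test(user, resource, action, matrix=ACCESS_MATRIX):
    """True only when the matrix grants `action` on `resource` to `user`.
    Unknown users, resources or actions fall through to deny."""
    return action in matrix.get(user, {}).get(resource, set())


def authorize(user, password, resource, action, users, matrix=ACCESS_MATRIX):
    """Identify the user, then apply the compatibility test to the request."""
    # A production system would also run the hash for unknown users so that
    # response time does not reveal which user names exist.
    if user not in users or not verify_password(users[user], password):
        return "denied: identification failed"
    if not compatibility_test(user, resource, action, matrix):
        return "denied: function not compatible with user's authority"
    return "granted"


# Constructed user store with constructed example passwords.
USERS = {
    "ap_clerk": make_password_record("clerk-example-pw"),
    "ap_manager": make_password_record("manager-example-pw"),
}

if __name__ == "__main__":
    print(authorize("ap_clerk", "clerk-example-pw", "invoices", "create", USERS))
    print(authorize("ap_clerk", "clerk-example-pw", "invoices", "approve", USERS))
    print(authorize("ap_clerk", "wrong-pw", "invoices", "read", USERS))
```

The clerk can create an invoice but is refused when trying to approve one, which keeps the authorization function with the manager; the same matrix therefore also enforces the segregation of duties discussed earlier, now for logical rather than physical access.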


Protection of PCs and Client/Server Networks

Many of the policies and procedures for mainframe control are applicable to PCs and networks.

The following controls are also important:

– Train users in PC-related control concepts.
– Restrict access by using locks and keys on PCs.
– Establish policies and procedures.


Protection of PCs and Client/Server Networks

– Portable PCs should not be stored in cars.
– Keep sensitive data in the most secure environment possible.
– Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
– Back up hard disks regularly.
– Encrypt or password protect files.
– Build protective walls around operating systems.
– Ensure that PCs are booted up within a secure system.
– Use multilevel password controls to limit employee access to incompatible data.
– Use specialists to detect holes in the network.


Internet and e-Commerce Controls

Why should caution be exercised when conducting business on the Internet?

– the large and global base of people that depend on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services


Internet and e-Commerce Controls

– access of messages by others
– security flaws in Web sites
– attraction of hackers to the Internet

What controls can be used to secure Internet activity?

– passwords
– encryption technology
– routing verification procedures


Internet and e-Commerce Controls

Another control is installing a firewall: hardware and software that control communications between a company’s internal network (trusted network) and an external network. The firewall is a barrier between the networks that does not allow information to flow freely into and out of the trusted network.

Electronic envelopes can protect e-mail messages.
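A firewall of the kind described above is, at its simplest, an ordered list of rules applied to each connection between the trusted and the external network, with everything unmatched dropped. The following is an added example, not code from the slides: a small rule evaluator with a constructed rule set that exposes only the web server inbound, lets staff out on HTTPS, and never lets the accounting database segment initiate outbound traffic. The addresses are documentation ranges, not a real network, and the rule set is an assumption for this example.

```python
# Added example: first-match, default-deny firewall rule evaluation.
# Rules and addresses are constructed; the behaviour is the general
# trusted-network/external-network barrier the slides describe.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "inbound" (external -> trusted) or "outbound" (trusted -> external)
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    dport: Optional[int]   # destination port, or None for any port


# Order matters: the database-segment deny comes before the broader staff
# allow, otherwise 10.0.2.0/24 would be matched by the 10.0.0.0/8 rule first.
RULES = [
    Rule("deny",  "outbound", "10.0.2.0/24", "0.0.0.0/0",    None),  # AIS database segment
    Rule("allow", "inbound",  "0.0.0.0/0",   "10.0.1.10/32", 443),   # public HTTPS to web server only
    Rule("allow", "outbound", "10.0.0.0/8",  "0.0.0.0/0",    443),   # staff HTTPS to the Internet
]


def evaluate(direction, src, dst, dport, rules=RULES):
    """Return the action of the first rule matching the connection, or
    'deny' when nothing matches (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if (rule.direction == direction
                and s in ip_network(rule.src)
                and d in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


def filter_log(connections, rules=RULES):
    """Evaluate a list of (direction, src, dst, dport) tuples; returns
    (connection, decision) pairs suitable for a review log."""
    return [(c, evaluate(*c, rules=rules)) for c in connections]


# Constructed sample connections using documentation address ranges.
SAMPLE_CONNECTIONS = [
    ("inbound",  "203.0.113.5", "10.0.1.10",    443),  # public user to web server
    ("inbound",  "203.0.113.5", "10.0.1.10",    22),   # SSH from the Internet
    ("outbound", "10.0.5.7",    "198.51.100.1", 443),  # staff workstation browsing
    ("outbound", "10.0.2.5",    "198.51.100.1", 443),  # database host reaching out
]

if __name__ == "__main__":
    for connection, decision in filter_log(SAMPLE_CONNECTIONS):
        print(decision.upper(), connection)
```

The fourth connection is the interesting one: the database host is inside the 10.0.0.0/8 range that staff are allowed to use, so only the rule ordering keeps it blocked. Swapping the first and last rules silently opens it, which is why rule-set changes belong under the change management controls discussed later.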


Maintainability

Two categories of controls help ensure the maintainability of a system:

– Project development and acquisition controls
– Change management controls


Project Development and Acquisition Controls

Project development and acquisition controls include:

– Strategic master plan
– Project controls
– Data processing schedule
– System performance measurements
– Postimplementation review


Change Management Controls

Change management controls include:

– Periodically review all systems for needed changes
– Require all requests to be submitted in standardized format
– Log and review requests from authorized users for changes and additions to systems
– Assess the impact of requested changes on system reliability objectives, policies and standards


Change Management Controls, continued

– Categorize and rank all changes using established priorities
– Implement procedures to handle urgent matters
– Communicate all changes to management
– Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities
– Assign specific responsibilities to those involved in the change and monitor their work


Change Management Controls, continued

– Control system access rights to avoid unauthorized systems and data access
– Make sure all changes go through the appropriate steps
– Test all changes
– Make sure there is a plan for backing out of any changes in the event they don’t work properly
– Implement a quality assurance function
– Update all documentation and procedures when the change is implemented


Integrity

A company designs general controls to ensure that its overall computer system is stable and well managed.

Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.


Integrity: Source Data Controls

Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and that they are entered into the system or sent to their intended destination in a timely manner.

Source data controls include:


Integrity: Source Data Controls, continued

– Forms design
– Prenumbered forms sequence test
– Turnaround documents
– Cancellation and storage of documents
– Authorization and segregation of duties
– Visual scanning
– Check digit verification
– Key verification


Integrity:Input Validation Routines

Input validation routines are programs that check the integrity of input data. They include:
– Limit check
– Range check
– Reasonableness test
– Redundant data check
– Sequence check
– Field check
– Sign check
– Validity check
– Capacity check
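The following is an added example, not code from the original slides, showing the input validation routines listed above together with the check digit verification named under source data controls, run over a constructed batch of sales-order records. The record layout, field names, limits, master-file contents and the use of a Luhn (mod-10) check digit on customer numbers are all assumptions made for the illustration.

```python
"""Input validation routines and check digit verification over constructed
sales-order records.

Added example, not code from the original slides. Record layout, field names,
limits, master-file contents and the Luhn (mod-10) check digit are assumptions.
"""

# Constructed master data standing in for the customer and inventory master files.
CUSTOMERS = {"79927398713": "Acme Ltd", "1234567812345670": "Bolt & Co"}
UNIT_PRICE = {"A100": 25.0, "B200": 40.0, "C300": 7.5}

ORDER_LIMIT = 10_000.00   # limit check: one order may not exceed this amount
QTY_RANGE = (1, 500)      # range check: acceptable quantity interval
DESC_CAPACITY = 30        # capacity check: width of the description field
PRICE_TOLERANCE = 0.10    # reasonableness test: amount vs qty * list price


def luhn_valid(number: str) -> bool:
    """Check digit verification: Luhn / mod-10 over an all-digit identifier."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, prev_seq: int) -> list:
    """Apply the input validation routines to one record; return the failed checks."""
    errors = []

    # Field check: numeric fields must actually hold numbers.
    numeric = {}
    for field, caster in (("seq", int), ("qty", int), ("amount", float)):
        try:
            numeric[field] = caster(rec[field])
        except (KeyError, ValueError):
            errors.append(f"field:{field}")

    # Sequence check: sequence numbers must increase by exactly one.
    if "seq" in numeric and numeric["seq"] != prev_seq + 1:
        errors.append("sequence:seq")

    # Sign check, range check and limit check on the numeric fields.
    if "qty" in numeric:
        if numeric["qty"] < 0:
            errors.append("sign:qty")
        elif not QTY_RANGE[0] <= numeric["qty"] <= QTY_RANGE[1]:
            errors.append("range:qty")
    if "amount" in numeric and numeric["amount"] > ORDER_LIMIT:
        errors.append("limit:amount")

    # Validity checks on the customer number (check digit, then master file), then a
    # redundant data check: the keyed customer name must agree with the master file.
    cust = rec.get("customer", "")
    if not luhn_valid(cust):
        errors.append("validity:customer_check_digit")
    elif cust not in CUSTOMERS:
        errors.append("validity:customer")
    elif rec.get("name") != CUSTOMERS[cust]:
        errors.append("redundant:customer_name")

    # Validity check on the item code, then a reasonableness test on the amount.
    item = rec.get("item", "")
    if item not in UNIT_PRICE:
        errors.append("validity:item")
    elif "qty" in numeric and "amount" in numeric and numeric["qty"] > 0:
        expected = numeric["qty"] * UNIT_PRICE[item]
        if abs(numeric["amount"] - expected) > PRICE_TOLERANCE * expected:
            errors.append("reasonableness:amount")

    # Capacity check: the description must fit the field width.
    if len(rec.get("description", "")) > DESC_CAPACITY:
        errors.append("capacity:description")
    return errors


def validate_batch(records: list) -> dict:
    """Run the routines over a batch, keyed by the seq field as entered."""
    results, prev_seq = {}, 0
    for rec in records:
        results[str(rec.get("seq"))] = validate_record(rec, prev_seq)
        if str(rec.get("seq", "")).isdigit():
            prev_seq = int(rec["seq"])
    return results


# Constructed input batch: one clean record and three with planted defects.
SAMPLE_BATCH = [
    {"seq": "1", "customer": "79927398713", "name": "Acme Ltd", "item": "A100",
     "qty": "10", "amount": "250.00", "description": "Widgets"},
    {"seq": "2", "customer": "79927398718", "name": "Acme Ltd", "item": "B200",
     "qty": "5", "amount": "200.00", "description": "Bolts"},          # bad check digit
    {"seq": "4", "customer": "1234567812345670", "name": "Bolt & Co", "item": "Z999",
     "qty": "-5", "amount": "99999", "description": "Unknown part"},   # gap, sign, limit, item
    {"seq": "5", "customer": "1234567812345670", "name": "Acme Ltd", "item": "C300",
     "qty": "600", "amount": "4800.00",
     "description": "A description that is far too long for the field"},  # range, name, capacity
]
```

Calling `validate_batch(SAMPLE_BATCH)` returns an empty error list for record 1 and names every planted defect on the others. Note how the check digit catches the mistyped customer number before any master-file lookup is attempted, and how the redundant data check (number plus name) catches a valid number keyed against the wrong customer, which no single-field check can do.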


Integrity: On-line Data Entry Controls

The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.

They include:


Integrity: On-line Data Entry Controls, continued

– Field, limit, range, reasonableness, sign, validity, and redundant data checks
– User ID numbers
– Compatibility tests
– Automatic entry of transaction data, where possible
– Prompting
– Preformatting
– Completeness check
– Closed-loop verification
– Transaction log
– Error messages
– Retain data for legal purposes


Integrity: Data Processing and Storage Controls

Controls to help preserve the integrity of data processing and stored data:

– Policies and procedures
– Data control function
– Reconciliation procedures
– External data reconciliation
– Exception reporting


Integrity: Data Processing and Storage Controls, continued

– Data currency checks
– Default values
– Data matching
– File labels
– Write protection mechanisms
– Database protection mechanisms
– Data conversion controls
– Data security


Output Controls

The data control function should review all output for reasonableness and proper format and should reconcile the output control totals to the corresponding input control totals.

Data control is also responsible for distributing computer output to the appropriate user departments.
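As an added example (not code from the original slides) of the input/output control-total reconciliation described above, the block below computes the three classic batch control totals, a record count, a financial total and a hash total, on a constructed batch of payments and compares the totals after processing. The payroll-style record layout and the choice of the account number as the hash-total field are assumptions made for the illustration.

```python
"""Batch control totals reconciled between input and output.

Added example, not code from the original slides. The record layout (account
number plus amount in cents) and the hash-total field are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int       # how many records were in the batch
    financial_total: int    # sum of the amounts, in cents to avoid float drift
    hash_total: int         # sum of a non-financial field (account numbers);
                            # meaningless as a number, useful as a fingerprint


def control_totals(records: list) -> ControlTotals:
    """Compute the three classic batch control totals."""
    return ControlTotals(
        record_count=len(records),
        financial_total=sum(r["amount_cents"] for r in records),
        hash_total=sum(int(r["account"]) for r in records),
    )


def reconcile(input_records: list, output_records: list) -> list:
    """Data control function: compare output totals to input totals.

    Returns the names of the totals that disagree; an empty list means the
    batch reconciles.
    """
    before, after = control_totals(input_records), control_totals(output_records)
    return [name for name in ("record_count", "financial_total", "hash_total")
            if getattr(before, name) != getattr(after, name)]


# Constructed input batch: three payments, amounts in cents.
INPUT_BATCH = [
    {"account": "10001", "amount_cents": 125_000},
    {"account": "10002", "amount_cents": 98_000},
    {"account": "10003", "amount_cents": 143_050},
]


def redirect_payment(records: list, old: str, new: str) -> list:
    """Constructed fault: a payment is routed to a different account, same amount."""
    return [dict(r, account=new) if r["account"] == old else dict(r) for r in records]


def drop_record(records: list, account: str) -> list:
    """Constructed fault: one record is lost between input and output."""
    return [dict(r) for r in records if r["account"] != account]


def swap_amounts(records: list, a: str, b: str) -> list:
    """Constructed fault: two accounts' amounts are exchanged."""
    by_acct = {r["account"]: r["amount_cents"] for r in records}
    out = []
    for r in records:
        if r["account"] == a:
            out.append(dict(r, amount_cents=by_acct[b]))
        elif r["account"] == b:
            out.append(dict(r, amount_cents=by_acct[a]))
        else:
            out.append(dict(r))
    return out


if __name__ == "__main__":
    print("clean run:     ", reconcile(INPUT_BATCH, INPUT_BATCH))
    print("redirected:    ", reconcile(INPUT_BATCH, redirect_payment(INPUT_BATCH, "10003", "20003")))
    print("dropped record:", reconcile(INPUT_BATCH, drop_record(INPUT_BATCH, "10002")))
    print("swapped:       ", reconcile(INPUT_BATCH, swap_amounts(INPUT_BATCH, "10001", "10002")))
```

The redirected payment leaves the record count and the financial total untouched and is caught only by the hash total, which is the reason a hash total over a non-financial field is kept at all. The swapped-amounts case reconciles cleanly on all three totals: batch totals prove that nothing was lost or altered in aggregate, not that each record is right, which is why the next slide still places a review of the detailed output on the users.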


Output Controls

Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.

A shredder can be used to destroy highly confidential data.


Data Transmission Controls

To reduce the risk of data transmission failures, companies should monitor the network.

How can data transmission errors be minimized?
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques

Note that encryption on its own protects confidentiality; detecting that a message was altered in transit also requires an integrity check (parity or a checksum for accidental errors, a message authentication code for deliberate tampering).
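The following is an added example, not code from the original slides, that simulates two of the controls listed above: a parity check on each frame and message acknowledgment with retransmission (stop-and-wait), over a constructed channel that corrupts chosen bits. The frame layout (one sequence byte, the payload, one longitudinal parity byte), the ACK/NAK vocabulary and the fault-injection scheme are assumptions made for the illustration; real links use CRCs rather than parity.

```python
"""Data transmission controls: parity check plus message acknowledgment with
retransmission, simulated over a constructed channel.

Added example, not code from the original slides. Frame layout, ACK/NAK
vocabulary and the fault injection scheme are assumptions.
"""


def parity_byte(data: bytes) -> int:
    """Longitudinal parity: XOR of every byte in `data`."""
    p = 0
    for b in data:
        p ^= b
    return p


def build_frame(seq: int, payload: bytes) -> bytes:
    """Sender side: seq byte + payload + parity byte, so the whole frame XORs to 0."""
    body = bytes([seq & 0xFF]) + payload
    return body + bytes([parity_byte(body)])


def check_frame(frame: bytes) -> bool:
    """Receiver side: the trailing parity byte must cancel everything before it."""
    return len(frame) >= 2 and parity_byte(frame) == 0


def flip_bits(frame: bytes, positions: list) -> bytes:
    """Constructed channel fault: flip bit `bit` of byte `index` for each (index, bit)."""
    out = bytearray(frame)
    for index, bit in positions:
        out[index] ^= 1 << bit
    return bytes(out)


def receive(frame: bytes, expected_seq: int) -> tuple:
    """Return ('ACK', payload) if the frame is intact and in sequence, else ('NAK', None)."""
    if not check_frame(frame) or frame[0] != (expected_seq & 0xFF):
        return "NAK", None
    return "ACK", frame[1:-1]


def transmit(messages: list, faults: dict, max_retries: int = 3) -> tuple:
    """Stop-and-wait ARQ: send each message, wait for ACK, retransmit on NAK.

    `faults` maps (seq, attempt) to the bit flips the channel applies to that
    transmission. Returns (delivered payloads, transcript of ACK/NAK events).
    """
    delivered, transcript = [], []
    for seq, payload in enumerate(messages):
        frame = build_frame(seq, payload)
        for attempt in range(max_retries + 1):
            on_wire = flip_bits(frame, faults.get((seq, attempt), []))
            status, received = receive(on_wire, seq)
            transcript.append(f"seq={seq} attempt={attempt} {status}")
            if status == "ACK":
                delivered.append(received)
                break
        else:
            raise RuntimeError(f"seq={seq}: retries exhausted, link down")
    return delivered, transcript


# Constructed traffic: two short payment messages.
MESSAGES = [b"PAY 100", b"PAY 250"]

# Single-bit error on the first transmission of frame 0: detected, NAK, resent clean.
SINGLE_BIT_FAULT = {(0, 0): [(3, 0)]}

# Two flips in the same bit position of different bytes cancel in the XOR parity:
# the corrupted frame is accepted. This is the limitation that motivates CRCs.
UNDETECTED_FAULT = {(0, 0): [(3, 0), (4, 0)]}


if __name__ == "__main__":
    for faults in (SINGLE_BIT_FAULT, UNDETECTED_FAULT):
        delivered, log = transmit(MESSAGES, faults)
        print(log, delivered)
```

With `SINGLE_BIT_FAULT` the receiver NAKs the damaged frame and the retransmission is accepted, so both payloads arrive intact. With `UNDETECTED_FAULT` the receiver ACKs a frame whose payload now reads `PAX!100`: parity only detects an odd number of flips per bit position. In EDI or EFT traffic the threat is deliberate alteration rather than line noise, and an adversary who can change bytes can recompute a parity byte or CRC as well; that is why the transaction log and the encryption called for in the EDI control procedures should be paired with a keyed message authentication code between the trading partners.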


Data Transmission Controls

Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).


Data Transmission Controls

In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.


Data Transmission Controls

Control procedures, continued
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.


Computer Fraud


Learning Objectives

1. Describe fraud and the process one follows to perpetrate a fraud.

2. Discuss why fraud occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.

3. Compare and contrast the approaches and techniques that are used to commit computer fraud.

4. Describe how to deter and detect computer fraud.


The Fraud Process

Most frauds involve three steps:
1. The theft of something
2. The conversion to cash
3. The concealment


The Fraud Process

What is a common way to hide a theft?
– to charge the stolen item to an expense account

What is a payroll example?
– to add a fictitious name to the company's payroll


The Fraud Process

What is lapping?

In a lapping scheme, the perpetrator steals the cash that customer A remits to pay its account receivable.

Funds received at a later date from customer B are used to pay off customer A's balance, and so on, so that no single account appears delinquent.


The Fraud Process

What is kiting?

In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks.

The perpetrator deposits a check drawn on bank A into bank B and then withdraws the money.


The Fraud Process

Since there are insufficient funds in bank A to cover the check, the perpetrator deposits a check from bank C to bank A before his check to bank B clears.

Since bank C also has insufficient funds, money must be deposited to bank C before the check to bank A clears.

The scheme continues to keep checks from bouncing.


Why Fraud Occurs

Researchers have compared the psychological and demographic characteristics of three groups of people: white-collar criminals, violent criminals, and the general public.

They found few differences between white-collar criminals and the general public, but significant differences between white-collar criminals and violent criminals.


Why Fraud Occurs

What are some common characteristics of fraud perpetrators?

Most spend their illegal income rather than invest or save it.

Once they begin the fraud, it is very hard for them to stop.

They usually begin to rely on the extra income.


Why Fraud Occurs

Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.

Some computer fraud perpetrators are more motivated by curiosity and the challenge of “beating the system.”

Others commit fraud to gain stature among others in the computer community.


Why Fraud Occurs

Three conditions are necessary for fraud to occur:
1. A pressure or motive
2. An opportunity
3. A rationalization


Pressures

What are some financial pressures?
– living beyond means
– high personal debt
– "inadequate" income
– poor credit ratings
– heavy financial losses
– large gambling debts


Pressures

What are some work-related pressures?
– low salary
– nonrecognition of performance
– job dissatisfaction
– fear of losing job
– overaggressive bonus plans


Pressures

What are other pressures?
– challenge
– family/peer pressure
– emotional instability
– need for power or control
– excessive pride or ambition


Opportunities

An opportunity is the condition or situation that allows a person to commit and conceal a dishonest act.

Opportunities often stem from a lack of internal controls.

However, the most prevalent opportunity for fraud results from a company’s failure to enforce its system of internal controls.


Rationalizations

Most perpetrators have an excuse or a rationalization that allows them to justify their illegal behavior.

What are some rationalizations?
– The perpetrator is just "borrowing" the stolen assets.
– The perpetrator is not hurting a real person, just a computer system.
– No one will ever know.


Computer Fraud

The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.

What are examples of computer fraud?
– unauthorized use, access, modification, copying, and destruction of software or data


Computer Fraud

– theft of money by altering computer records or the theft of computer time

– theft or destruction of computer hardware

– use or the conspiracy to use computer resources to commit a felony

– intent to illegally obtain information or tangible property through the use of computers


The Rise in Computer Fraud

Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud.


The Rise in Computer Fraud

No one knows for sure exactly how much companies lose to computer fraud. Why?
– There is disagreement on what computer fraud is.
– Many computer frauds go undetected or unreported.
– Most networks have a low level of security.
– Many Internet pages give instructions on how to perpetrate computer crimes.
– Law enforcement is unable to keep up with fraud.


Computer Fraud Classifications

– Computer instruction fraud
– Processor fraud
– Data fraud
– Input fraud
– Output fraud


Computer Fraud and Abuse Techniques

What are some of the more common techniques used to commit computer fraud?
– Cracking
– Data diddling
– Data leakage
– Denial of service attack
– Eavesdropping
– E-mail forgery and threats


Computer Fraud and Abuse Techniques, continued

– Hacking
– Internet misinformation and terrorism
– Logic time bomb
– Masquerading or impersonation
– Password cracking
– Piggybacking
– Round-down
– Salami technique


Computer Fraud and Abuse Techniques, continued

– Software piracy
– Scavenging
– Social engineering
– Superzapping
– Trap door
– Trojan horse
– Virus
– Worm


Preventing and Detecting Computer Fraud

What are some measures that can decrease the potential for fraud?
1. Make fraud less likely to occur.
2. Increase the difficulty of committing fraud.
3. Improve detection methods.
4. Reduce fraud losses.
5. Prosecute and incarcerate fraud perpetrators.


Preventing and Detecting Computer Fraud

1. Make fraud less likely to occur.
– Use proper hiring and firing practices.
– Manage disgruntled employees.
– Train employees in security and fraud prevention.
– Manage and track software licenses.
– Require signed confidentiality agreements.


Preventing and Detecting Computer Fraud

2. Increase the difficulty of committing fraud.
– Develop a strong system of internal controls.
– Segregate duties.
– Require vacations and rotate duties.
– Restrict access to computer equipment and data files.
– Encrypt data and programs.


Preventing and Detecting Computer Fraud

3. Improve detection methods.
– Protect telephone lines and the system from viruses.
– Control sensitive data.
– Control laptop computers.
– Monitor hacker information.


Preventing and Detecting Computer Fraud

4. Reduce fraud losses.
– Maintain adequate insurance.
– Store backup copies of programs and data files in a secure, off-site location.
– Develop a contingency plan for fraud occurrences.
– Use software to monitor system activity and recover from fraud.


Preventing and Detecting Computer Fraud

5. Prosecute and incarcerate fraud perpetrators.

Most fraud cases go unreported and unprosecuted. Why?
• Many cases of computer fraud are as yet undetected.
• Companies are reluctant to report computer crimes.


Preventing and Detecting Computer Fraud, continued

• Law enforcement officials and the courts are so busy with violent crimes that they have little time for fraud cases.
• It is difficult, costly, and time consuming to investigate.
• Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.