Chapter 8: Controlling Information Systems: Introduction to Pervasive Controls

Accounting Information Systems, 9e

Gelinas ► Dull ► Wheeler

© 2010 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.

© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.


Learning Objectives

• Describe the major pervasive controls that organizations employ as part of their internal control structure.

• Explain how pervasive controls help ensure continuous, reliable operational and IT processes.

• Appreciate how an organization must plan and organize all resources, including IT resources, to ensure achievement of its strategic vision.


Learning Objectives (cont’d)

• Overview the major controls used to manage the design and implementation of new processes, especially new IT processes.

• Appreciate the integral part played by the monitoring function in ensuring the overall effectiveness of a system of internal controls.


Suggested Exercise Questions

• SP 8-1 on page 290
• SP 8-2 on page 291
• P 8-2 on page 293
• P 8-3 on page 293
• P 8-4 on page 294
• P 8-5 on page 295
• P 8-6 on page 295
• P 8-7 on page 296


Organizational Governance and IT Governance

• Organizational governance: processes employed by organizations to select objectives, establish processes to achieve objectives, and monitor performance.

• IT governance: process that ensures the enterprise’s IT sustains and extends the organization’s strategies and objectives.


Hypothetical Computer System (large size organization)


Information Systems Organization (large size organization)


Summary of IT Organization Functions


Summary of IT Organization Functions (cont’d)


Summary of IT Organization Functions (cont’d)


Control Objectives for Information and Related Technology (COBIT)

• Provides guidance on the best practices for the management of information technology.
• IT resources must be managed by IT control processes to ensure an organization has the information it needs to achieve its objectives.
• Provides a framework to ensure that IT:
  - is aligned with the business.
  - enables the business and maximizes benefits.
  - resources are used responsibly.
  - risks are managed appropriately.


IT Control Process Domains

COBIT groups IT control processes into four broad domains:

• Plan and organize
• Acquire and implement
• Deliver and support
• Monitor and evaluate


IT Control Domains and Processes


Stakeholders in AIS

• A stakeholder is any person who has an interest in an existing or proposed AIS.
• Stakeholders can be technical or nontechnical workers. They may also include both internal and external workers.
  - System owners
  - System users
  - System designers
  - System builders
  - Systems analysts (project managers)


System Owners

• System owners: responsible for funding the project of developing, operating, and maintaining the information system.
• They usually come from the ranks of management.
  - large IS project: senior managers
  - medium IS project: middle managers
  - smaller IS project: middle or supervisory
• Primary concerns:
  - how much will the system cost?
  - how much value or what benefits will the system return to the business?


System Users

• System users: a “customer” who will use or is affected by an IS on a regular basis.
• Make up the vast majority of “customers”.
• Primary concern: get the job done using an IS!
• Internal users: clerical and service workers, technical and professional staff, supervisors, middle managers, and executive managers.
• External users: Internet EC customers, suppliers, partners…


System Designers and System Builders

• System designer: a technical specialist who translates system users’ business requirements and constraints into a technical solution.
  - DBAs, network architects, web designers, security experts…

• System builder: a technical specialist who constructs information systems and components based on the design specifications generated by the system designers.
  - Programmers (applications, systems, and DB), network administrators, web masters…


Systems Analysts

• Systems analyst: a specialist who studies the problems and needs of an organization to determine how people, data, processes, and information technology can best accomplish improvements for the business.

• Roles:
  - Bridge (facilitator) between management and technical specialists (see next slide)
  - Understand both business and computing
  - Ultimately, a problem solver


The Systems Analyst as a Facilitator


Where Do Systems Analysts Work?

• May be permanently assigned to a team that supports a specific business function.
• May also be pooled and temporarily assigned to specific projects (figure on next slide).


Where Do Systems Analysts Work?


Skills Needed by the Systems Analyst

• Working knowledge of (existing and emerging) IT
• General business problem-solving skills
• Good interpersonal communication skills
• Good interpersonal relation skills
• Flexibility and adaptability
• Character and ethics


Other Stakeholders

• External Service Provider (ESP): a systems analyst, system designer, or system builder who sells his/her expertise and experience to other businesses to help those businesses purchase, develop, or integrate their information systems solutions; may be affiliated with a consulting or services organization.
  - PwC, Accenture (previously Andersen Consulting, spun off from Arthur Andersen)
  - Consultants; contracted SAs, SDs, SBs, programmers…

• Project Manager: an experienced professional who accepts responsibility for planning, monitoring, and controlling projects with respect to schedule, budget, deliverables, customer satisfaction, technical standards, and system quality.
  - Usually senior analysts


Plan & Organize Domain: IT Control Process 1

Establish Strategic Vision for Information Technology

• IS management should establish a process for developing a strategic.
• The IS strategic planning effort must ensure support of the organization’s strategic plan and that IT is optimally deployed.
• The plan must ensure that the organization is prepared to anticipate competitors’ actions and take advantage of emerging technology.

Plan & Organize Domain: IT Control Process 2

Develop Tactics to Plan, Communicate, and Manage Realization of the Strategic Vision

• Manage IT resources with budgeting, controlling expenditures, and monitoring costs.
• Establish direction and related policies consistent with the control environment established by senior management.
• Communicate policies.
• Personnel policies for IT.
• Project-management framework.


IT Control Process 1: Organizational Controls

• IT steering committee: coordinates the organizational and IT strategic planning processes and reviews and approves the strategic IT plan.
• Security officer: safeguards the IT organization by (1) establishing employee passwords and access to data and (2) making sure the IT organization is secure from physical threats.
• Organizational design principles and segregation of duties.


Segregation of Duties within the IT Department


Acquire & Implement Domain

• Identify, develop or acquire, and implement IT solutions.
• Must correctly determine the requirements for a new information system and see that those requirements are satisfied by the new system.
• Systems development life cycle (SDLC): covers the progression of information systems through the systems development process, from birth, through implementation, to ongoing use and modification.


A Simple System Development Process

• System development process: a set of activities, methods, best practices, deliverables, and automated tools that stakeholders use to develop and maintain information systems and software.
• See “IS Development” from the class website.


Acquire & Implement Domain: IT Process 3

Identify Automated Solutions

• The SDLC must include procedures to:
  - define information requirements
  - formulate alternative courses of action
  - perform feasibility studies
  - assess risks
• Solutions should be consistent with the strategic IT plan.
• May develop the IT solution in-house OR contract with third parties for all or part of the development.


Acquire & Implement Domain: IT Process 4

Develop and Acquire IT Solutions

• Develop and acquire application software.
• Acquire technology infrastructure.
• Develop service level requirements and application documentation, which typically includes the following:
  - Systems and program documentation
  - Operations run manual
  - User manual
  - Training materials


Acquire & Implement Domain: IT Process 5

Integrate IT Solutions Into Operational Processes

• Provide for a planned, tested, controlled, and approved conversion to the new system.
• After installation, review to determine that the new system has met users’ needs in a cost-effective manner.


Acquire & Implement Domain: IT Process 6

Manage Changes to Existing IT Systems

• Changes to the IT infrastructure must be managed via change request, impact assessment, documentation, authorization, release and distribution policies, and procedures.
• Program change controls: provide assurance that all modifications to programs are authorized, and that changes are completed, tested, and properly implemented.
• These controls are very important with enterprise systems due to the interdependence and complexity of the business processes.
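The change-control sequence above (request, impact assessment, authorization, test, release) and the segregation of duties named under organizational controls can be enforced mechanically. The following is an added example, not code from the textbook or its publisher: a small state machine in which every transition checks the current state, so a step cannot be skipped, and the requester, approver and releaser must be different people. All change IDs, names and descriptions are constructed for illustration.

```python
"""Program change control as a state machine with segregation of duties.
Added illustration; not the textbook's code. Names and IDs are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    REQUESTED = "requested"
    ASSESSED = "assessed"
    AUTHORIZED = "authorized"
    TESTED = "tested"
    RELEASED = "released"


class ChangeControlError(Exception):
    """A step attempted out of order or by a person in a conflicting role."""


@dataclass
class Change:
    change_id: str
    description: str
    requester: str
    state: State = State.REQUESTED
    impact: str = ""
    approver: str = ""
    audit_log: list = field(default_factory=list)   # (step, actor) in order

    def _advance(self, expected: State, new: State, actor: str, step: str) -> None:
        # Every transition checks the current state, so steps cannot be skipped.
        if self.state is not expected:
            raise ChangeControlError(
                f"{self.change_id}: cannot {step} while in state {self.state.value}")
        self.state = new
        self.audit_log.append((step, actor))

    def assess_impact(self, analyst: str, impact: str) -> None:
        self.impact = impact
        self._advance(State.REQUESTED, State.ASSESSED, analyst, "assess")

    def authorize(self, approver: str) -> None:
        # Segregation of duties: a requester may not approve their own change.
        if approver == self.requester:
            raise ChangeControlError(
                f"{self.change_id}: requester {approver!r} cannot authorize own change")
        self.approver = approver
        self._advance(State.ASSESSED, State.AUTHORIZED, approver, "authorize")

    def record_test(self, tester: str, passed: bool) -> None:
        # A failed test is logged but leaves the change unreleasable until retested.
        if not passed:
            self.audit_log.append(("test-failed", tester))
            return
        self._advance(State.AUTHORIZED, State.TESTED, tester, "test")

    def release(self, releaser: str) -> None:
        # Segregation of duties: neither the requester nor the approver moves the
        # change into production; a separate operations role does.
        if releaser in (self.requester, self.approver):
            raise ChangeControlError(
                f"{self.change_id}: {releaser!r} cannot release a change they requested or approved")
        self._advance(State.TESTED, State.RELEASED, releaser, "release")


def run_compliant_change() -> Change:
    """One change walked through every step by distinct people (constructed names)."""
    chg = Change("CHG-0001", "patch payroll rounding", requester="dev.alice")
    chg.assess_impact("analyst.bob", "payroll module only; no schema change")
    chg.authorize("mgr.carol")
    chg.record_test("qa.dave", passed=True)
    chg.release("ops.erin")
    return chg


def attempt_self_release() -> str:
    """The control rejects a developer who tries to ship their own tested change."""
    chg = Change("CHG-0002", "hotfix", requester="dev.alice")
    chg.assess_impact("analyst.bob", "low")
    chg.authorize("mgr.carol")
    chg.record_test("qa.dave", passed=True)
    try:
        chg.release("dev.alice")
    except ChangeControlError as exc:
        return str(exc)
    return "released"   # would mean the control failed


def attempt_skip_testing() -> str:
    """The state machine rejects a release for which no passing test was recorded."""
    chg = Change("CHG-0003", "config tweak", requester="dev.alice")
    chg.assess_impact("analyst.bob", "low")
    chg.authorize("mgr.carol")
    try:
        chg.release("ops.erin")
    except ChangeControlError as exc:
        return str(exc)
    return "released"
```

The audit log produced by a compliant run is the evidence an auditor would ask for: who assessed, who approved, who tested and who released, in that order. The two failing runs show the control rejecting a self-release and an untested release rather than silently allowing them.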


Program Change Controls


Deliver & Support Domain: IT Process 7

Deliver Required IT Services


Deliver & Support Domain: IT Process 8

Ensure Security and Continuous Service

• To ensure computing resources are operational, IT management must plan for increases in required capacity or losses of usable resources.
• To ensure that computing resources are secured, management should establish a process to account for all IT components.
• Processes should be in place to identify, track, and resolve problems in a timely manner.


Ensure Continuous Service

• Business continuity planning (also known as disaster recovery planning, contingency planning, and business interruption planning): a process that identifies events that may threaten an organization and provides a framework to ensure that the organization will continue to operate when the threatened event occurs or will resume operations with a minimum of disruption.


Continuity of IT Services

• Backup: making a copy of data, programs, and documentation.
• Recovery: use the backup data to restore lost data and resume operations.
• Continuous Data Protection (CDP): all data changes are date stamped and saved to secondary systems as the changes are happening.
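Backup, recovery and CDP are easier to reason about with a working model. The block below is an added example, not code from the textbook: a primary store mirrors every change, date-stamped, to an append-only journal standing in for the secondary system, and recovery replays the journal up to a chosen moment, which is what lets CDP restore the state from just before an incident rather than from the last nightly backup. Each journal entry carries a hash so a corrupted copy is detected before it is trusted. The account records, timestamps and the "bad batch job" scenario are constructed.

```python
"""Continuous data protection in miniature: timestamped change journal with
point-in-time recovery and integrity checking. Added illustration; the data
and the incident scenario are constructed."""
import hashlib
import json
from datetime import datetime, timezone


class CdpJournal:
    """Append-only, timestamped journal standing in for the secondary system."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, ts: datetime, key: str, value, deleted: bool = False) -> None:
        # Each entry carries its own hash so tampering or corruption is detectable.
        body = {"ts": ts.isoformat(), "key": key, "value": value, "deleted": deleted}
        body["sha256"] = self._digest(body)
        self.entries.append(body)

    def verify(self) -> bool:
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "sha256"}
            if self._digest(body) != e["sha256"]:
                return False
        return True


class PrimaryStore:
    """Primary system: every write is copied to the journal before it is applied."""

    def __init__(self, journal: CdpJournal) -> None:
        self.journal = journal
        self.data: dict = {}

    def put(self, key: str, value, ts: datetime) -> None:
        self.journal.record(ts, key, value)        # secondary copy first
        self.data[key] = value

    def delete(self, key: str, ts: datetime) -> None:
        self.journal.record(ts, key, None, deleted=True)
        self.data.pop(key, None)


def recover(journal: CdpJournal, as_of: datetime) -> dict:
    """Replay journal entries up to `as_of` to rebuild the primary data."""
    if not journal.verify():
        raise ValueError("journal failed integrity check; do not trust the restore")
    state: dict = {}
    for e in sorted(journal.entries, key=lambda e: e["ts"]):
        if datetime.fromisoformat(e["ts"]) > as_of:
            break
        if e["deleted"]:
            state.pop(e["key"], None)
        else:
            state[e["key"]] = e["value"]
    return state


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a faulty batch job deletes an account at 10:05;
    recover the state as of 10:04. Returns (current primary data, restored data)."""
    t = lambda h, m: datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)
    journal = CdpJournal()
    primary = PrimaryStore(journal)
    primary.put("acct:1001", {"balance": 500}, t(10, 0))
    primary.put("acct:1002", {"balance": 750}, t(10, 2))
    primary.put("acct:1001", {"balance": 450}, t(10, 3))
    primary.delete("acct:1002", t(10, 5))         # the erroneous change
    return primary.data, recover(journal, t(10, 4))


def tamper_detected() -> bool:
    """Corrupt one journal entry in memory and confirm verify() notices."""
    j = CdpJournal()
    j.record(datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc), "acct:1", {"balance": 1})
    ok_before = j.verify()
    j.entries[0]["value"] = {"balance": 999}
    return ok_before and not j.verify()
```

A plain nightly backup would give back the 10:00 state and lose the 10:03 update; replaying the date-stamped journal to 10:04 keeps that update and undoes only the 10:05 deletion. Refusing to restore from a journal that fails its integrity check is the recovery-side counterpart of taking the backup in the first place.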


Continuity of IT Services (cont’d)

• Mirror site: the site that maintains copies of the primary site’s programs and data.
• Electronic vaulting: service whereby data changes are automatically transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.


Continuity of IT Services (cont’d)

• Hot site: fully equipped data center that can accommodate many businesses and that is made available to client companies for a monthly subscriber fee.
• Cold site: facility usually comprised of air-conditioned space with a raised floor, telephone connections, and computer ports into which a subscriber can move equipment.


Continuity of IT Services (cont’d)

• Denial-of-service attack: a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
• Distributed denial-of-service attack: uses many computers (called zombies) that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web sites.


Distributed DoS

• Distributed denial-of-service attack (DDoS): attacks from multiple computers that flood a Web site with so many requests for service that it slows down or crashes.


Distributed Denial-of-Service Attack


Restricting Access to Computing Resources – Layers of Protection


Restricting Logical Access to Stored Programs, Data, and Documentation

• Access control software ensures that:
  (1) only authorized users gain access to a system, through a process of identification (e.g., a unique account number for each user) and authentication (e.g., a password to verify that users are who they say they are);
  (2) authorized users are restricted to the specific data they require, with action privileges set for that data (e.g., read, copy, write data); and
  (3) access attempts and violations are monitored.


Restricting Logical Access to Stored Programs, Data, and Documentation (cont’d)

• Intrusion-detection system (IDS): part of access control software that logs and monitors who is on or trying to access the network.
• Intrusion-prevention system (IPS): actively blocks unauthorized traffic using rules specified by the organization.
• Library controls: a combination of people, procedures, and computer software that restrict access to data, programs, and documentation in an offline environment.
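The three functions of access control software on the previous slide (identification and authentication, action privileges per data object, monitoring of attempts and violations) and the detect-versus-prevent distinction between an IDS and an IPS on this one fit in a single small model. The block below is an added example, not code from the textbook: accounts are identified by an account number and authenticated against a salted password hash; each access is checked against per-object privileges; every attempt is logged; a report over the log ranks accounts by violations (detection), and repeated failed logins lock the account (prevention). The account number, password, object names and threshold are constructed for illustration.

```python
"""Access control software in miniature: identification, authentication,
authorization and monitoring, with a detect (report) and prevent (lockout)
response over the access log. Added illustration; all data is constructed."""
import hashlib
import hmac
import secrets
from collections import Counter


class AccessControl:
    def __init__(self, lockout_threshold: int = 3) -> None:
        self.accounts: dict[str, tuple[bytes, bytes]] = {}    # account -> (salt, hash)
        self.privileges: dict[str, dict[str, set[str]]] = {}  # account -> object -> actions
        self.log: list[tuple[str, str, str, str]] = []        # (account, object, action, outcome)
        self.lockout_threshold = lockout_threshold
        self.locked: set[str] = set()

    # --- identification and authentication --------------------------------
    def register(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[account] = (salt, self._hash(password, salt))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted, iterated hash: the stored value does not reveal the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def authenticate(self, account: str, password: str) -> bool:
        if account in self.locked:
            self.log.append((account, "-", "login", "denied:locked"))
            return False
        entry = self.accounts.get(account)
        if entry is None:
            # Unknown account is logged the same way as a wrong password.
            self.log.append((account, "-", "login", "denied:bad-credentials"))
            return False
        salt, stored = entry
        if hmac.compare_digest(stored, self._hash(password, salt)):
            self.log.append((account, "-", "login", "ok"))
            return True
        self.log.append((account, "-", "login", "denied:bad-credentials"))
        self._maybe_lock(account)
        return False

    # --- authorization: action privileges per data object -----------------
    def grant(self, account: str, obj: str, *actions: str) -> None:
        self.privileges.setdefault(account, {}).setdefault(obj, set()).update(actions)

    def access(self, account: str, obj: str, action: str) -> bool:
        allowed = action in self.privileges.get(account, {}).get(obj, set())
        self.log.append((account, obj, action, "ok" if allowed else "violation"))
        return allowed

    # --- monitoring: detect and prevent -----------------------------------
    def _maybe_lock(self, account: str) -> None:
        failures = sum(1 for a, _, act, out in self.log
                       if a == account and act == "login" and out.startswith("denied"))
        if failures >= self.lockout_threshold:
            self.locked.add(account)    # preventive response, IPS-style

    def violation_report(self) -> dict[str, int]:
        """Accounts with their number of authorization violations (detective control)."""
        return dict(Counter(a for a, _, _, out in self.log if out == "violation"))


def demo() -> AccessControl:
    """Constructed session: one read-only account, two violations, then a lockout."""
    ac = AccessControl(lockout_threshold=3)
    ac.register("1001", "correct horse battery staple")
    ac.grant("1001", "payroll.db", "read")
    ac.authenticate("1001", "correct horse battery staple")
    ac.access("1001", "payroll.db", "read")      # within privileges
    ac.access("1001", "payroll.db", "write")     # violation: read-only grant
    ac.access("1001", "ledger.db", "read")       # violation: no grant at all
    for _ in range(3):                           # three bad passwords -> lockout
        ac.authenticate("1001", "wrong")
    ac.authenticate("1001", "correct horse battery staple")   # now refused
    return ac
```

Both responses read the same log: the violation report is the IDS side (it only tells someone), the lockout is the IPS side (it stops further attempts). Keeping the two separate is deliberate, since a preventive response that fires on the wrong rule locks out legitimate users, so the threshold is a policy decision the organization sets, as the IPS bullet says.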


Restricting Logical Access to Stored Programs, Data, and Documentation (cont’d)

• Data encryption: process that employs mathematical algorithms and encryption keys to encode data so that it is unintelligible in its encrypted form.
• Public-key cryptography: employs a pair of matched keys for each system user, one private (i.e., known only to the party who possesses it) and one public. The public key corresponds to but is not the same as the user’s private key.
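The phrase "corresponds to but is not the same as" is the whole idea, and a toy key pair makes it concrete. The block below is an added example, not code from the textbook: textbook RSA with two tiny constructed primes (61 and 53), chosen so the numbers are readable. It shows that data encrypted with the public key is recovered with the private key and not with the public key itself, and that a value signed with the private key is verified with the public one. Nothing here is secure; real deployments use keys of 2048 bits or more with padding, and this illustrates only the key relationship.

```python
"""Toy public-key pair (textbook RSA with tiny primes) to illustrate a
matched public/private key. Added illustration; not secure, not the
textbook's code. The primes 61 and 53 are constructed for readability."""
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)) for distinct primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public: tuple[int, int], m: int) -> int:
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private: tuple[int, int], c: int) -> int:
    n, d = private
    return pow(c, d, n)


def sign(private: tuple[int, int], m: int) -> int:
    n, d = private
    return pow(m, d, n)


def verify(public: tuple[int, int], m: int, s: int) -> bool:
    n, e = public
    return pow(s, e, n) == m


def demo() -> dict:
    """Round-trip one small message and show that the public key cannot decrypt it."""
    public, private = make_keypair(61, 53)     # toy primes, constructed
    m = 65                                      # message as an integer below n
    c = encrypt(public, m)
    return {
        "n": public[0],
        "d": private[1],
        "ciphertext": c,
        "recovered": decrypt(private, c),
        "recovered_with_wrong_key": decrypt(public, c),    # public key used in place of private
        "signature_valid": verify(public, m, sign(private, m)),
        "tampered_signature_valid": verify(public, m + 1, sign(private, m)),
    }
```

With these primes the public key is (3233, 65537) and the private exponent is 2753: the two keys share n but the exponents differ, which is exactly the "corresponds to but is not the same as" relationship. The symmetric case on the previous bullet, by contrast, uses one key for both directions, so it must be shared secretly with every counterpart.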


Computer Hacking and Cracking

• Computer hacking and cracking: intentional, unauthorized access to an organization’s computer system, accomplished by bypassing the system’s access security controls.
• Hacker: someone who simply gets a kick out of breaking into a computer system but does not hold malicious intentions to destroy or steal.
• Cracker: term used when a hacker’s motive is crime, theft, or destruction.


Hacking techniques


Physical Protection of IT Assets


• Preventive maintenance: periodic cleaning, testing, and adjusting of computer equipment to ensure the equipment’s continued efficient and correct operation.


Deliver & Support Domain: IT Process 9

Provide Support Services

• Identify training needs of all personnel, internal and external.
• Conduct timely training sessions.
• Help desk: provides advice and assistance to users to help them overcome problems encountered in using IT resources so that they can effectively use those resources.


Monitor & Evaluate Domain: IT Process 10

Monitor and Evaluate the Processes

• Establish a system for defining performance indicators (service levels).
• Gather data about processes and generate performance reports.
• Measure progress toward identified goals.
• Obtain outside confirmation based on independent review.


Trust Services Principles and Criteria
