1
Computer-Based Information Systems Controls
2
Learning Objectives
1. Describe the threats to an AIS and discuss why these threats are growing.
2. Explain the basic concepts of control as applied to business organizations.
3. Describe the major elements in the control environment of a business organization.
3
Learning Objectives, continued
4. Describe control policies and procedures commonly used in business organizations.
5. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
6. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.
4
Threats to Accounting Information Systems
What are examples of natural and political disasters?
– fire or excessive heat
– floods
– earthquakes
– high winds
– war
5
Threats to Accounting Information Systems
What are examples of software errors and equipment malfunctions?
– hardware failures
– power outages and fluctuations
– undetected data transmission errors
6
Threats to Accounting Information Systems
What are examples of unintentional acts?
– accidents caused by human carelessness
– innocent errors of omission
– lost or misplaced data
– logic errors
– systems that do not meet company needs
7
Threats to Accounting Information Systems
What are examples of intentional acts?
– sabotage
– computer fraud
– embezzlement
8
Why are AIS Threats Increasing?
Increasing numbers of client/server systems mean that information is available to an unprecedented number of workers.
Because LANs and client/server systems distribute data to many users, they are harder to control than centralized mainframe systems.
WANs are giving customers and suppliers access to each other’s systems and data, making confidentiality a concern.
9
Overview of Control Concepts
What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.
10
Overview of Control Concepts
What is management control?
Management control encompasses the following three features:
1 It is an integral part of management responsibilities.
2 It is designed to reduce errors and irregularities and to achieve organizational goals.
3 It is personnel-oriented and seeks to help employees attain company goals.
11
Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1 Preventive, detective, and corrective controls
2 General and application controls
3 Administrative and accounting controls
4 Input, processing, and output controls
12
The Foreign Corrupt Practices Act
In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.
The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.
A significant effect of the act was to require corporations to maintain good systems of internal accounting control.
13
Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1 American Accounting Association
2 American Institute of Certified Public Accountants
3 Institute of Internal Auditors
4 Institute of Management Accountants
5 Financial Executives Institute
14
Committee of Sponsoring Organizations
In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.
The report has been widely accepted as the authority on internal controls.
15
Committee of Sponsoring Organizations
The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations
16
Committee of Sponsoring Organizations
COSO’s internal control model has five crucial components:
1 Control environment
2 Control activities
3 Risk assessment
4 Information and communication
5 Monitoring
17
Information Systems Audit and Control Foundation
The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
COBIT consolidates standards from 36 different sources into a single framework.
The framework addresses the issue of control from three vantage points, or dimensions:
18
Information Systems Audit and Control Foundation
1 Information: needs to conform to certain criteria that COBIT refers to as business requirements for information
2 IT resources: people, application systems, technology, facilities, and data
3 IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring
19
The Control Environment
The first component of COSO’s internal control model is the control environment.
The control environment consists of many factors, including the following:
1 Commitment to integrity and ethical values
2 Management’s philosophy and operating style
3 Organizational structure
20
The Control Environment
4 The audit committee of the board of directors
5 Methods of assigning authority and responsibility
6 Human resources policies and practices
7 External influences
21
Control Activities
The second component of COSO’s internal control model is control activities.
Generally, control procedures fall into one of five categories:
1 Proper authorization of transactions and activities
2 Segregation of duties
22
Control Activities
3 Design and use of adequate documents and records
4 Adequate safeguards of assets and records
5 Independent checks on performance
23
Proper Authorization of Transactions and Activities
Authorization is the empowerment management gives employees to perform activities and make decisions.
A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
Specific authorization is the granting of authorization by management for certain activities or transactions.
24
Segregation of Duties
Good internal control demands that no single employee be given too much responsibility.
An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.
25
Segregation of Duties
Recording Functions
– Preparing source documents
– Maintaining journals
– Preparing reconciliations
– Preparing performance reports
Custodial Functions
– Handling cash
– Handling assets
– Writing checks
– Receiving checks in mail
Authorization Functions
– Authorization of transactions
26
Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
It also prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.
27
Segregation of Duties
Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.
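The rule on the preceding slides can be mechanised as a review over the duty-assignment table: group every duty into recording, custodial or authorization, then flag any employee whose duties span two or more of the three groups. The following is an added example, not code from the original slides; the three function groups and their duties follow the slide table, while the employee names and their assignments are constructed.

```python
"""Segregation-of-duties (SoD) conflict check over a duty-assignment table.

Added example.  Duty -> function mapping follows the slide; employees and
their assignments below are constructed for illustration.
"""
from collections import defaultdict

# Duty -> function group, as laid out on the slide table.
DUTY_FUNCTION = {
    "prepare source documents": "recording",
    "maintain journals": "recording",
    "prepare reconciliations": "recording",
    "prepare performance reports": "recording",
    "handle cash": "custodial",
    "handle assets": "custodial",
    "write checks": "custodial",
    "receive checks in mail": "custodial",
    "authorize transactions": "authorization",
}


def functions_held(duties):
    """Return the set of function groups covered by a list of duties.

    An unclassified duty raises, so nothing slips past the review unmapped.
    """
    groups = set()
    for duty in duties:
        if duty not in DUTY_FUNCTION:
            raise ValueError(f"unclassified duty: {duty!r}")
        groups.add(DUTY_FUNCTION[duty])
    return groups


def sod_conflicts(assignments):
    """Return {employee: sorted function groups} for every employee holding
    duties in two or more of the three function groups.

    `assignments` maps employee -> iterable of duty names.
    """
    conflicts = {}
    for employee, duties in assignments.items():
        groups = functions_held(duties)
        if len(groups) >= 2:
            conflicts[employee] = sorted(groups)
    return conflicts


def duty_owners(assignments):
    """Invert the table (duty -> sorted employees) to spot duties nobody
    or only one person holds."""
    owners = defaultdict(list)
    for employee, duties in assignments.items():
        for duty in duties:
            owners[duty].append(employee)
    return {duty: sorted(people) for duty, people in owners.items()}


# Constructed assignment table (hypothetical employees).
ASSIGNMENTS = {
    "alice": ["maintain journals", "prepare reconciliations"],
    "bob": ["handle cash", "receive checks in mail"],
    "carol": ["authorize transactions"],
    # dave both authorizes and records: an authorization/recording conflict.
    "dave": ["authorize transactions", "prepare source documents"],
    # erin has custody of cash and keeps the journal: custodial/recording.
    "erin": ["handle cash", "maintain journals"],
}

if __name__ == "__main__":
    for who, groups in sod_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict: {who} holds {' + '.join(groups)} functions")
```

Run against a real access-rights export, the same check turns the slide's "two of three functions" rule into a repeatable control test rather than a one-off reviewer judgement.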
28
Design and Use of Adequate Documents and Records
The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
Documents that initiate a transaction should contain a space for authorization.
29
Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas
30
Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information
31
Independent Checks on Performance
Independent checks, which ensure that transactions are processed accurately, are another important control element.
32
Independent Checks on Performance
What are various types of independent checks?
– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts
– double-entry accounting
– batch totals
33
Independent Checks on Performance
Five batch totals are used in computer systems:
1 A financial total is the sum of a dollar field.
2 A hash total is the sum of a field that would usually not be added.
34
Independent Checks on Performance
3 A record count is the number of documents processed.
4 A line count is the number of lines of data entered.
5 A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.
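The five totals are only useful when they are computed independently at two stages (for instance at data entry and again after processing) and then compared. The following added example, not code from the original slides, computes all five over a constructed payroll-style batch and shows that a mistyped employee number changes the hash total while leaving the financial total and the counts untouched; the record layout, field names and figures are constructed.

```python
"""Batch control totals over a constructed batch of payroll-style records.

Added example.  The five totals follow the slide's definitions; the batch,
its field names and the cross-footed report are constructed.
"""
import copy

# Constructed batch: each record is one source document with one or more
# pay lines.  employee_no has no meaning when summed, which is exactly what
# makes it a good hash-total field.
BATCH = [
    {"employee_no": 1042, "lines": [{"regular": 1200.00, "overtime": 150.00}]},
    {"employee_no": 1057, "lines": [{"regular": 980.00, "overtime": 0.00},
                                    {"regular": 40.00, "overtime": 20.00}]},
    {"employee_no": 1103, "lines": [{"regular": 1500.00, "overtime": 75.00}]},
]

COLUMNS = ("regular", "overtime")


def financial_total(batch, columns=COLUMNS):
    """1. Sum of the dollar fields over every line in the batch."""
    return round(sum(line[c] for rec in batch for line in rec["lines"]
                     for c in columns), 2)


def hash_total(batch, field="employee_no"):
    """2. Sum of a field that would not normally be added."""
    return sum(rec[field] for rec in batch)


def record_count(batch):
    """3. Number of documents (records) processed."""
    return len(batch)


def line_count(batch):
    """4. Number of lines of data entered."""
    return sum(len(rec["lines"]) for rec in batch)


def build_report(batch, columns=COLUMNS):
    """Row and column totals as a payroll register would print them."""
    lines = [line for rec in batch for line in rec["lines"]]
    return {
        "row_totals": [round(sum(l[c] for c in columns), 2) for l in lines],
        "col_totals": [round(sum(l[c] for l in lines), 2) for c in columns],
    }


def cross_foot(report):
    """5. Cross-footing balance test: the grand total of the printed row
    totals must equal the grand total of the printed column totals."""
    by_rows = round(sum(report["row_totals"]), 2)
    by_cols = round(sum(report["col_totals"]), 2)
    return by_rows == by_cols, by_rows, by_cols


def control_totals(batch):
    """All five totals as computed at one stage (entry, processing, output)."""
    ok, _, _ = cross_foot(build_report(batch))
    return {
        "financial_total": financial_total(batch),
        "hash_total": hash_total(batch),
        "record_count": record_count(batch),
        "line_count": line_count(batch),
        "cross_foot_ok": ok,
    }


def compare_totals(expected, actual):
    """Names of the totals that disagree between two stages."""
    return sorted(k for k in expected if expected[k] != actual[k])


# Constructed re-keying of the same batch in which 1057 was typed as 1075.
KEYED = copy.deepcopy(BATCH)
KEYED[1]["employee_no"] = 1075

if __name__ == "__main__":
    print(control_totals(BATCH))
    print("totals that differ after re-keying:",
          compare_totals(control_totals(BATCH), control_totals(KEYED)))
```

The transposed employee number is invisible to the financial total and both counts; only the hash total exposes it, which is why the slide lists a sum of a non-dollar field as a control in its own right.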
35
Risk Assessment
The third component of COSO’s internal control model is risk assessment.
Companies must identify the threats they face:
– strategic: doing the wrong thing
– financial: having financial resources lost, wasted, or stolen
– information: faulty or irrelevant information, or unreliable systems
36
Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1 Choosing an inappropriate technology
2 Unauthorized system access
3 Tapping into data transmissions
4 Loss of data integrity
37
Risk Assessment
5 Incomplete transactions
6 System failures
7 Incompatible systems
38
Risk Assessment
Some threats pose a greater risk because their probability of occurrence is higher. For example:
A company is more likely to be the victim of computer fraud than of a terrorist attack.
Risk and exposure must be considered together.
39
Estimate Cost and Benefits
No internal control system can provide foolproof protection against all internal control threats.
The cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss.
40
Estimate Cost and Benefits
Expected loss = risk × exposure
The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
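Putting the two slides together gives a small decision procedure: compute the expected loss before and after each candidate control, take the difference as the benefit, and compare it with the control's cost. The following added example, not code from the original slides, does this for several candidate controls against one threat; the threat, probabilities, dollar amounts and control names are constructed, and the assumption that a control may reduce risk, exposure, or both is mine, not the slide's.

```python
"""Expected-loss cost-benefit analysis for candidate controls.

Added example.  Uses the slide's formula expected loss = risk x exposure,
with risk read as the probability the threat materialises in a year and
exposure as the dollar loss if it does.  All figures are constructed.
"""


def expected_loss(risk, exposure):
    """Expected loss = risk (probability per period) x exposure (loss if it occurs)."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk must be a probability in [0, 1]")
    return risk * exposure


def control_benefit(threat, control):
    """Benefit = expected loss without the control minus expected loss with it.

    Assumption: a control may lower the probability (a preventive control)
    and/or the exposure (a corrective control such as backups).
    """
    before = expected_loss(threat["risk"], threat["exposure"])
    after = expected_loss(threat["risk"] * (1 - control["risk_reduction"]),
                          threat["exposure"] * (1 - control["exposure_reduction"]))
    return round(before - after, 2)


def evaluate(threat, controls):
    """(name, benefit, annual cost, net benefit) per control, best net first."""
    rows = []
    for c in controls:
        benefit = control_benefit(threat, c)
        rows.append((c["name"], benefit, c["annual_cost"],
                     round(benefit - c["annual_cost"], 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def worthwhile(threat, controls):
    """Names of the controls whose benefit exceeds their cost."""
    return [name for name, _, _, net in evaluate(threat, controls) if net > 0]


# Constructed threat: an unverified data-entry batch reaching the ledger.
THREAT = {"name": "unverified batch posted", "risk": 0.20, "exposure": 50000.0}

# Constructed candidate controls and their assumed effects.
CONTROLS = [
    {"name": "key verification", "risk_reduction": 0.90,
     "exposure_reduction": 0.0, "annual_cost": 6000.0},
    {"name": "batch totals", "risk_reduction": 0.75,
     "exposure_reduction": 0.0, "annual_cost": 1500.0},
    {"name": "daily backups", "risk_reduction": 0.0,
     "exposure_reduction": 0.80, "annual_cost": 9000.0},
]

if __name__ == "__main__":
    for name, benefit, cost, net in evaluate(THREAT, CONTROLS):
        print(f"{name:18} benefit {benefit:9.2f} cost {cost:8.2f} net {net:9.2f}")
```

With these constructed numbers the backup control has the second-largest benefit yet fails the test because its cost exceeds that benefit, which is the point of the slide: a control is justified by net benefit, not by how much loss it avoids in isolation.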
41
Information and Communication
The fourth component of COSO’s internal control model is information and communication.
42
Information and Communication
Accountants must understand the following:
1 How transactions are initiated
2 How data are captured in machine-readable form or converted from source documents
3 How computer files are accessed and updated
4 How data are processed to prepare information
5 How information is reported
6 How transactions are initiated
43
Information and Communication
All of these items make it possible for the system to have an audit trail.
An audit trail exists when individual company transactions can be traced through the system.
44
Monitoring Performance
The fifth component of COSO’s internal control model is monitoring.
What are the key methods of monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing
45
Computer Controls and Security
46
Learning Objectives
1. Identify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.
2. Identify and explain the controls that apply to more than one principle of reliability.
3. Identify and explain the controls that help ensure that a system is available to users when needed.
47
Learning Objectives
4. Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.
5. Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.
6. Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.
48
The Four Principles of a Reliable System
1. Availability of the system when needed.
2. Security of the system against unauthorized physical and logical access.
3. Maintainability of the system as required without affecting its availability, security, and integrity.
4. Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.
49
The Criteria Used To Evaluate Reliability Principles
For each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.
1. The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.
2. The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.
3. The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.
50
Controls Related to More Than One Reliability Principle
– Strategic Planning & Budgeting
– Developing a Systems Reliability Plan
– Documentation
51
Controls Related to More Than One Reliability Principle
Documentation may be classified into three basic categories:
Administrative documentation: describes the standards and procedures for data processing.
Systems documentation: describes each application system and its key processing functions.
Operating documentation: describes what is needed to run a program.
52
Availability
Minimizing Systems Downtime
• Preventive maintenance
• UPS
• Fault tolerance
• Disaster Recovery Plan
• Minimize the extent of disruption, damage, and loss
• Temporarily establish an alternative means of processing information
• Resume normal operations as soon as possible
53
Availability
Disaster Recovery, continued
• Train and familiarize personnel with emergency operations
• Priorities for the recovery process
• Insurance
• Backup data and program files
• Electronic vaulting
• Grandfather-father-son concept
• Rollback procedures
• Specific assignments
• Backup computer and telecommunication facilities
• Periodic testing and revision
• Complete documentation
54
Developing a Security Plan
Developing and continuously updating a comprehensive security plan is one of the most important controls a company can identify.
What questions need to be asked?
Who needs access to what information?
When do they need it?
On which systems does the information reside?
55
Segregation of Duties Within the Systems Function
In a highly integrated AIS, procedures that used to be performed by separate individuals are combined.
Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.
To combat this threat, organizations must implement compensating control procedures.
56
Segregation of Duties Within the Systems Function
Authority and responsibility must be clearly divided among the following functions:
1. Systems administration
2. Network management
3. Security management
4. Change management
5. Users
6. Systems analysis
7. Programming
8. Computer operations
9. Information system library
10. Data control
57
Segregation of Duties Within the Systems Function
It is important that different people perform these functions.
Allowing a person to perform two or more of them exposes the company to the possibility of fraud.
58
Physical Access Controls
How can physical access security be achieved?
– Place computer equipment in locked rooms and restrict access to authorized personnel
– Have only one or two entrances to the computer room
– Require proper employee ID
– Require that visitors sign a log
– Use a security alarm system
– Restrict access to private secured telephone lines and terminals or PCs
– Install locks on PCs
– Restrict access to off-line programs, data and equipment
– Locate hardware and other critical system components away from hazardous materials
– Install fire and smoke detectors and fire extinguishers that do not damage computer equipment
59
Logical Access Controls
Users should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions.
What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests
60
Protection of PCs and Client/Server Networks
Many of the policies and procedures for mainframe control are applicable to PCs and networks.
The following controls are also important:
– Train users in PC-related control concepts.
– Restrict access by using locks and keys on PCs.
– Establish policies and procedures.
61
Protection of PCs and Client/Server Networks
– Portable PCs should not be stored in cars.
– Keep sensitive data in the most secure environment possible.
– Install software that automatically shuts down a terminal after it has been idle for a certain amount of time.
– Back up hard disks regularly.
– Encrypt or password protect files.
– Build protective walls around operating systems.
– Ensure that PCs are booted up within a secure system.
– Use multilevel password controls to limit employee access to incompatible data.
– Use specialists to detect holes in the network.
62
Internet and e-Commerce Controls
Why caution should be exercised when conducting business on the Internet:
– the large and global base of people that depend on the Internet
– the variability in quality, compatibility, completeness, and stability of network products and services
63
Internet and e-Commerce Controls
– access of messages by others
– security flaws in Web sites
– attraction of hackers to the Internet
What controls can be used to secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
64
Internet and e-Commerce Controls
Another control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network.
The firewall is a barrier between the networks that does not allow uncontrolled information flow into or out of the trusted network.
Electronic envelopes can protect e-mail messages.
65
Maintainability
Two categories of controls help ensure the maintainability of a system:
– Project development and acquisition controls
– Change management controls
66
Project Development and Acquisition Controls
Project development and acquisition controls include:
– Strategic master plan
– Project controls
– Data processing schedule
– System performance measurements
– Postimplementation review
67
Change Management Controls
Change management controls include:
– Periodically review all systems for needed changes
– Require all requests to be submitted in standardized format
– Log and review requests from authorized users for changes and additions to systems
– Assess the impact of requested changes on system reliability objectives, policies and standards
68
Change Management Controls, continued
– Categorize and rank all changes using established priorities
– Implement procedures to handle urgent matters
– Communicate all changes to management
– Require IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilities
– Assign specific responsibilities to those involved in the change and monitor their work.
69
Change Management Controls, continued
– Control system access rights to avoid unauthorized systems and data access
– Make sure all changes go through the appropriate steps
– Test all changes
– Make sure there is a plan for backing out of any changes in the event they don’t work properly
– Implement a quality assurance function
– Update all documentation and procedures when change is implemented
70
Integrity
A company designs general controls to ensure that its overall computer system is stable and well managed.
Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.
71
Integrity: Source Data Controls
Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete and properly accounted for, and entered into the system or sent to their intended destination in a timely manner.
Source data controls include:
72
Integrity: Source Data Controls
– Forms design
– Prenumbered forms sequence test
– Turnaround documents
– Cancellation and storage of documents
– Authorization and segregation of duties
– Visual scanning
– Check digit verification
– Key verification
73
Integrity: Input Validation Routines
Input validation routines are programs that check the integrity of input data. They include:
Limit check
Range check
Reasonableness test
Redundant data check
Sequence check
Field check
Sign check
Validity check
Capacity check
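The checks listed above are easiest to understand as a single validation pass over each incoming record, collecting every failure rather than stopping at the first. The following added example, not code from the original slides, implements each named check against constructed sales-order records and adds the check digit verification from the source data controls slide (a mod-10 Luhn check is my choice of check-digit scheme; the slide does not name one). The record layout, reference tables, limits and order numbers are constructed.

```python
"""Input validation routines over constructed sales-order transactions.

Added example.  Implements the slide's field, sign, range, reasonableness,
limit, validity, redundant data, sequence and capacity checks, plus a mod-10
check digit verification.  Layout, reference data and limits are constructed.
"""
import re

# Constructed reference data a validation program would consult.
VALID_CUSTOMERS = {"C1001": "Acme Ltd", "C1002": "Birch Co", "C1003": "Cedar Inc"}
CREDIT_LIMIT = 10000.00                 # limit check: maximum order total
QTY_RANGE = (1, 500)                    # range check: allowed quantities
REASONABLE_UNIT_PRICE = (0.50, 2000.00) # reasonableness test: plausible prices
FIELD_MAX_LEN = {"customer_no": 5, "description": 40}   # capacity check


def check_digit_ok(number):
    """Mod-10 (Luhn) check digit verification of a numeric identifier string."""
    if not number.isdigit() or len(number) < 2:
        return False   # a missing or non-numeric identifier never passes
    total = 0
    for i, d in enumerate(int(ch) for ch in reversed(number)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate(tx, previous_seq):
    """Return a list of error strings; an empty list means the record passes."""
    errors = []
    # Field check: each field holds the kind of characters it should.
    if not re.fullmatch(r"\d{6}", str(tx.get("seq", ""))):
        errors.append("field check: seq must be 6 digits")
    if not re.fullmatch(r"C\d{4}", str(tx.get("customer_no", ""))):
        errors.append("field check: customer_no must be C + 4 digits")
    if not isinstance(tx.get("quantity"), int):
        errors.append("field check: quantity must be an integer")
    if not isinstance(tx.get("unit_price"), (int, float)):
        errors.append("field check: unit_price must be numeric")
    if errors:
        return errors   # later arithmetic assumes well-typed fields
    # Sign check: quantity and price must be positive.
    if tx["quantity"] <= 0:
        errors.append("sign check: quantity must be positive")
    if tx["unit_price"] <= 0:
        errors.append("sign check: unit_price must be positive")
    # Range check: quantity within the allowed window.
    lo, hi = QTY_RANGE
    if not lo <= tx["quantity"] <= hi:
        errors.append(f"range check: quantity outside {lo}-{hi}")
    # Reasonableness test: unit price against typical values.
    lo, hi = REASONABLE_UNIT_PRICE
    if not lo <= tx["unit_price"] <= hi:
        errors.append("reasonableness test: unit_price not plausible")
    # Limit check: order total must not exceed the credit limit.
    if tx["quantity"] * tx["unit_price"] > CREDIT_LIMIT:
        errors.append("limit check: order total exceeds credit limit")
    # Validity check: customer number must exist in the master file ...
    if tx["customer_no"] not in VALID_CUSTOMERS:
        errors.append("validity check: unknown customer_no")
    # ... and redundant data check: a name keyed alongside it must agree.
    elif tx.get("customer_name") not in (None, VALID_CUSTOMERS[tx["customer_no"]]):
        errors.append("redundant data check: customer_name does not match customer_no")
    # Check digit verification on the order number.
    if not check_digit_ok(str(tx.get("order_no", ""))):
        errors.append("check digit: order_no fails mod-10 test")
    # Sequence check: records must arrive in ascending sequence order.
    if previous_seq is not None and int(tx["seq"]) <= previous_seq:
        errors.append("sequence check: seq not greater than previous record")
    # Capacity check: fields must fit their allotted width.
    for field, width in FIELD_MAX_LEN.items():
        if len(str(tx.get(field, ""))) > width:
            errors.append(f"capacity check: {field} longer than {width} characters")
    return errors


def validate_batch(records):
    """Validate records in arrival order; returns {seq: [errors]} for failures."""
    failures, previous_seq = {}, None
    for tx in records:
        errs = validate(tx, previous_seq)
        if errs:
            failures[str(tx.get("seq"))] = errs
        if re.fullmatch(r"\d{6}", str(tx.get("seq", ""))):
            previous_seq = int(tx["seq"])   # track even failing records
    return failures


# Constructed records: one clean, three with deliberate defects.
RECORDS = [
    {"seq": "000101", "order_no": "79927398713", "customer_no": "C1001",
     "customer_name": "Acme Ltd", "description": "Widget, blue", "quantity": 10, "unit_price": 12.50},
    {"seq": "000102", "order_no": "79927398713", "customer_no": "C1002",
     "customer_name": "Acme Ltd", "description": "Widget, red", "quantity": 5, "unit_price": 12.50},
    {"seq": "000103", "order_no": "79927398731", "customer_no": "C1003",
     "description": "Gasket", "quantity": -3, "unit_price": 4.00},
    {"seq": "000099", "order_no": "79927398713", "customer_no": "C1001",
     "description": "Pump", "quantity": 100, "unit_price": 150.00},
]
```

The third record shows why a check digit earns its place beside the other routines: its order number differs from a valid one only by two adjacent digits swapped, a keying error no range or field check can see.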
74
Integrity: On-line Data Entry Controls
The goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.
They include:
75
Integrity: On-line Data Entry Controls
– Field, limit, range, reasonableness, sign, validity, and redundant data checks
– User ID numbers
– Compatibility tests
– Automatic entry of transaction data, where possible
– Prompting
– Preformatting
– Completeness check
– Closed-loop verification
– Transaction log
– Error messages
– Retain data for legal purposes
76
Integrity: Data Processing and Storage Controls
Controls to help preserve the integrity of data processing and stored data:
– Policies and procedures
– Data control function
– Reconciliation procedure
– External data reconciliation
– Exception reporting
77
Integrity: Data Processing and Storage Controls, continued
– Data currency checks
– Default values
– Data matching
– File labels
– Write protection mechanisms
– Database protection mechanisms
– Data conversion controls
– Data security
78
Output Controls
The data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.
Data control is also responsible for distributing computer output to the appropriate user departments.
79
Output Controls
Users are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.
A shredder can be used to destroy highly confidential data.
80
Data Transmission Controls
To reduce the risk of data transmission failures, companies should monitor the network.
How can data transmission errors be minimized?
– using data encryption (cryptography)
– implementing routing verification procedures
– adding parity
– using message acknowledgment techniques
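Parity and acknowledgment work together: the parity bit lets the receiver detect a corrupted unit, and the acknowledgment lets the sender learn about it and retransmit. The following added example, not code from the original slides, puts an even-parity bit on each byte of a constructed message, runs it through a constructed faulty link with an ACK/NAK loop, and also shows parity's limit: two flipped bits in the same byte cancel out and are accepted. The link model, frame layout and message are constructed.

```python
"""Parity and message acknowledgment over a constructed unreliable link.

Added example.  One even-parity bit per byte, an ACK/NAK retransmit loop,
and the two-bit-error blind spot of simple parity.  Everything here is a
constructed model, not a real line protocol.
"""


def parity_bit(byte):
    """Even parity: 1 if the byte has an odd number of 1 bits, so the 9-bit
    unit always carries an even number of ones."""
    return bin(byte).count("1") % 2


def add_parity(data):
    """Frame = list of (byte, parity) pairs, the 9-bit units put on the wire."""
    return [(b, parity_bit(b)) for b in data]


def check_parity(frame):
    """True when every 9-bit unit in the frame still has even parity."""
    return all((bin(b).count("1") + p) % 2 == 0 for b, p in frame)


def flip_bits(frame, index, *bits):
    """Constructed channel fault: flip the given bit positions of unit `index`."""
    frame = list(frame)
    b, p = frame[index]
    for bit in bits:
        b ^= 1 << bit
    frame[index] = (b, p)
    return frame


def receiver(frame):
    """Receiver side: ('ACK', payload) if parity holds, else ('NAK', None)."""
    if check_parity(frame):
        return "ACK", bytes(b for b, _ in frame)
    return "NAK", None


def send_with_ack(data, channel, max_retries=3):
    """Sender side: transmit, wait for ACK/NAK, retransmit on NAK.

    `channel(frame, attempt)` models the link and returns the frame as the
    receiver sees it.  Returns (delivered payload or None, attempts used).
    """
    frame = add_parity(data)
    for attempt in range(1, max_retries + 1):
        status, payload = receiver(channel(frame, attempt))
        if status == "ACK":
            return payload, attempt
    return None, max_retries


def flaky_channel(frame, attempt):
    """Constructed link: corrupts one bit on the first try, then is clean."""
    return flip_bits(frame, 0, 3) if attempt == 1 else frame


if __name__ == "__main__":
    msg = b"PAY 100.00 TO C1001"   # constructed EFT-style message
    print(send_with_ack(msg, flaky_channel))
```

Because any even number of bit flips inside one unit preserves parity, the receiver will ACK such a frame with a wrong payload; that is why the slide also lists encryption and logging rather than relying on parity alone.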
81
Data Transmission Controls
Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).
82
Data Transmission Controls
In these types of environments, sound internal control is achieved using the following control procedures:
1 Physical access to network facilities should be strictly controlled.
2 Electronic identification should be required for all authorized network terminals.
3 Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.
83
Data Transmission Controls
Control procedures, continued
4 Encryption should be used to secure stored data as well as data being transmitted.
5 Details of all transactions should be recorded in a log that is periodically reviewed.
84
Computer Fraud
85
Learning Objectives
1. Describe fraud and describe the process one follows to perpetrate a fraud.
2. Discuss why fraud occurs, including the pressures, opportunities, and rationalizations that are present in most frauds.
3. Compare and contrast the approaches and techniques that are used to commit computer fraud.
4. Describe how to deter and detect computer fraud.
86
The Fraud Process
Most frauds involve three steps.
1 The theft of something
2 The conversion to cash
3 The concealment
87
The Fraud Process
What is a common way to hide a theft?
– to charge the stolen item to an expense account
What is a payroll example?
– to add a fictitious name to the company’s payroll
88
The Fraud Process
What is lapping?
In a lapping scheme, the perpetrator steals cash received from customer A to pay its accounts receivable.
Funds received at a later date from customer B are used to pay off customer A’s balance, etc.
89
The Fraud Process
What is kiting?
In a kiting scheme, the perpetrator covers up a theft by creating cash through the transfer of money between banks.
The perpetrator deposits a check from bank A to bank B and then withdraws the money.
90
The Fraud Process
Since there are insufficient funds in bank A to cover the check, the perpetrator deposits a check from bank C to bank A before his check to bank B clears.
Since bank C also has insufficient funds, money must be deposited to bank C before the check to bank A clears.
The scheme continues to keep checks from bouncing.
91
Why Fraud Occurs
Researchers have compared the psychological and demographic characteristics of three groups of people:
White-collar criminals
Violent criminals
General public
[Figure: comparison of the three groups, with the links between them labelled “Few differences” and “Significant differences”]
92
Why Fraud Occurs
What are some common characteristics of fraud perpetrators?
Most spend their illegal income rather than invest or save it.
Once they begin the fraud, it is very hard for them to stop.
They usually begin to rely on the extra income.
93
Why Fraud Occurs
Perpetrators of computer fraud tend to be younger and possess more computer knowledge, experience, and skills.
Some computer fraud perpetrators are more motivated by curiosity and the challenge of “beating the system.”
Others commit fraud to gain stature among others in the computer community.
94
Why Fraud Occurs
Three conditions are necessary for fraud to occur:
1 A pressure or motive
2 An opportunity
3 A rationalization
95
Pressures
What are some financial pressures?
– living beyond means
– high personal debt
– “inadequate” income
– poor credit ratings
– heavy financial losses
– large gambling debts
96
Pressures
What are some work-related pressures?
– low salary
– nonrecognition of performance
– job dissatisfaction
– fear of losing job
– overaggressive bonus plans
97
Pressures
What are other pressures?
– challenge
– family/peer pressure
– emotional instability
– need for power or control
– excessive pride or ambition
98
Opportunities
An opportunity is the condition or situation that allows a person to commit and conceal a dishonest act.
Opportunities often stem from a lack of internal controls.
However, the most prevalent opportunity for fraud results from a company’s failure to enforce its system of internal controls.
99
Rationalizations
Most perpetrators have an excuse or a rationalization that allows them to justify their illegal behavior.
What are some rationalizations?
– The perpetrator is just “borrowing” the stolen assets.
– The perpetrator is not hurting a real person, just a computer system.
– No one will ever know.
100
Computer Fraud
The U.S. Department of Justice defines computer fraud as any illegal act for which knowledge of computer technology is essential for its perpetration, investigation, or prosecution.
What are examples of computer fraud?
– unauthorized use, access, modification, copying, and destruction of software or data
101
Computer Fraud
– theft of money by altering computer records or the theft of computer time
– theft or destruction of computer hardware
– use or the conspiracy to use computer resources to commit a felony
– intent to illegally obtain information or tangible property through the use of computers
102
The Rise in Computer Fraud
Organizations that track computer fraud estimate that 80% of U.S. businesses have been victimized by at least one incident of computer fraud.
103
The Rise in Computer Fraud
No one knows for sure exactly how much companies lose to computer fraud. Why?
– There is disagreement on what computer fraud is.
– Many computer frauds go undetected or unreported.
– Most networks have a low level of security.
– Many Internet pages give instructions on how to perpetrate computer crimes.
– Law enforcement is unable to keep up with fraud.
104
Computer Fraud Classifications
– Computer instruction fraud
– Processor fraud
– Data fraud
– Input fraud
– Output fraud
105
Computer Fraud andAbuse Techniques
What are some of the more common techniques to commit computer fraud?
– Cracking
– Data diddling
– Data leakage
– Denial of service attack
– Eavesdropping
– E-mail forgery and threats
106
Computer Fraud andAbuse Techniques
– Hacking
– Internet misinformation and terrorism
– Logic time bomb
– Masquerading or impersonation
– Password cracking
– Piggybacking
– Round-down
– Salami technique
107
Computer Fraud andAbuse Techniques
– Software piracy
– Scavenging
– Social engineering
– Superzapping
– Trap door
– Trojan horse
– Virus
– Worm
108
Preventing and Detecting Computer Fraud
What are some measures that can decrease the potential of fraud?
1 Make fraud less likely to occur.
2 Increase the difficulty of committing fraud.
3 Improve detection methods.
4 Reduce fraud losses.
5 Prosecute and incarcerate fraud perpetrators.
109
Preventing and Detecting Computer Fraud
1 Make fraud less likely to occur.
– Use proper hiring and firing practices.
– Manage disgruntled employees.
– Train employees in security and fraud prevention.
– Manage and track software licenses.
– Require signed confidentiality agreements.
110
Preventing and Detecting Computer Fraud
2 Increase the difficulty of committing fraud.
– Develop a strong system of internal controls.
– Segregate duties.
– Require vacations and rotate duties.
– Restrict access to computer equipment and data files.
– Encrypt data and programs.
111
Preventing and Detecting Computer Fraud
3 Improve detection methods.
– Protect telephone lines and the system from viruses.
– Control sensitive data.
– Control laptop computers.
– Monitor hacker information.
112
Preventing and Detecting Computer Fraud
4 Reduce fraud losses.
– Maintain adequate insurance.
– Store backup copies of programs and data files in a secure, off-site location.
– Develop a contingency plan for fraud occurrences.
– Use software to monitor system activity and recover from fraud.
113
Preventing and Detecting Computer Fraud
5 Prosecute and incarcerate fraud perpetrators.
Most fraud cases go unreported and unprosecuted. Why?
• Many cases of computer fraud are as yet undetected.
• Companies are reluctant to report computer crimes.
114
Preventing and Detecting Computer Fraud
• Law enforcement officials and the courts are so busy with violent crimes that they have little time for fraud cases.
• It is difficult, costly, and time consuming to investigate.
• Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate, prosecute, and evaluate computer crimes.