
Chapter 10-1

Chapter 10: Computer Controls for Organizations and Accounting Information Systems

Introduction
Enterprise Level Controls
General Controls for Information Technology
Application Controls for Transaction Processing

Chapter 10-2

Enterprise Level Controls

Consistent policies and procedures
Management's risk assessment process
Centralized processing and controls
Controls to monitor results of operations

Chapter 10-3

Enterprise Level Controls

Controls to monitor the internal audit function, the audit committee, and self-assessment programs
Period-end financial reporting process
Board-approved policies that address significant business control and risk management practices

Chapter 10-4

Risk Assessment and Security Policies

Chapter 10-5

Integrated Security for the Organization

Physical Security
  Measures used to protect its facilities, resources, or proprietary data stored on physical media
Logical Security
  Limit access to system and information to authorized individuals
Administrative
  Policies, procedures, standards, and guidelines

Chapter 10-6

Physical and Logical Security

Chapter 10-7

General Controls for Information Technology

Access to Data, Hardware, and Software
Protection of Systems and Data with Personnel Policies
Protection of Systems and Data with Technology and Facilities

Chapter 10-8

General Controls for Information Technology

IT general controls apply to all information systems
Major Objectives
  Access to programs and data is limited to authorized users
  Data and systems protected from change, theft, and loss
  Computer programs are authorized, tested, and approved before usage

Chapter 10-9

Access to Data, Hardware, and Software

Utilization of strong passwords
  8 or more characters in length, or longer
  Different types of characters: letters, numbers, symbols
Biometric identification
  Distinctive user physical characteristics
  Voice patterns, fingerprints, facial patterns, retina prints

Chapter 10-10

Security for Wireless Technology

Utilization of wireless local area networks
Virtual Private Network (VPN)
  Allows remote access to entity resources
Data Encryption
  Data converted into a scrambled format
  Converted back to meaningful format following transmission

Chapter 10-11

Controls for Networks

Control Problems
  Electronic eavesdropping
  Hardware or software malfunctions
  Errors in data transmission
Control Procedures
  Checkpoint control procedure
  Routing verification procedures
  Message acknowledgment procedures

Chapter 10-12

Controls for Personal Computers

Take an inventory of personal computers
Identify applications utilized by each personal computer
Classify computers according to risks and exposures
Enhance physical security

Chapter 10-13

Additional Controls for Laptops

Chapter 10-14

Personnel Policies

Separation of Duties
  Separate Accounting and Information Processing from Other Subsystems
  Separate Responsibilities within IT Environment
Use of Computer Accounts
  Each employee has a password-protected account
  Biometric identification

Chapter 10-15

Separation of Duties

Chapter 10-16

Division of Responsibility in IT Environment

Chapter 10-17

Division of Responsibility in IT Environment

Chapter 10-18

Personnel Policies

Identifying Suspicious Behavior
  Protect against fraudulent employee actions
  Observation of suspicious behavior
  Highest percentage of fraud involved employees in the accounting department
  Must safeguard files from intentional and unintentional errors

Chapter 10-19

Safeguarding Computer Files

Chapter 10-20

File Security Controls

Chapter 10-21

Business Continuity Planning

Definition
  Comprehensive approach to ensuring normal operations despite interruptions
Components
  Disaster Recovery
  Fault Tolerant Systems
  Backup

Chapter 10-22

Disaster Recovery

Definition
  Process and procedures following a disruptive event
Summary of Types of Sites
  Hot Site
  Flying-Start Site
  Cold Site

Chapter 10-23

Fault Tolerant Systems

Definition
  Used to deal with computer errors
  Ensure functional system with accurate and complete data (redundancy)
Major Approaches
  Consensus-based protocols
  Watchdog processor
  Utilize disk mirroring or rollback processing

Chapter 10-24

Backup

Batch processing
  Risk of losing data before, during, and after processing
  Grandfather-parent-child procedure
Types of Backups
  Hot backup
  Cold backup
  Electronic vaulting

Chapter 10-25

Computer Facility Controls

Locate Data Processing Centers in Safe Places
  Protect from the public
  Protect from natural disasters (flood, earthquake)
Limit Employee Access
  Security badges (color-coded with pictures)
  Man trap
Buy Insurance

Chapter 10-26

Study Break #1
A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN

Chapter 10-27

Study Break #3
Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Chapter 10-28

Application Controls for Transaction Processing

Purpose
  Embedded in business process applications
  Prevent, detect, and correct errors and irregularities
Application Controls
  Input Controls
  Processing Controls
  Output Controls

Chapter 10-29

Application Controls for Transaction Processing

Chapter 10-30

Input Controls

Purpose
  Ensure validity
  Ensure accuracy
  Ensure completeness
Categories
  Observation, recording, and transcription of data
  Edit tests
  Additional input controls

Chapter 10-31

Observation, Recording, and Transcription of Data
Confirmation mechanism
Dual observation
Point-of-sale devices (POS)
Preprinted recording forms

Chapter 10-32

Preprinted Recording Form

Chapter 10-33

Edit Tests

Input Validation Routines (Edit Programs)
  Programs or subroutines
  Check validity and accuracy of input data
Edit Tests
  Examine selected fields of input data
  Reject data not meeting pre-established standards of quality

Chapter 10-34

Edit Tests

Chapter 10-35

Edit Tests

Chapter 10-36

Additional Input Controls

Validity Test
  Transactions matched with master data files
  Transactions lacking a match are rejected
Check-Digit Control Procedure
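
The edit tests, validity test and check-digit procedure above, as an added example that is not part of the slides: a small edit program that runs completeness, check-digit, validity and reasonableness tests on one input record. The field names, the mod-10 (Luhn) scheme and the master-file rows are assumptions.

```python
# Added example (not from the slides): edit tests for one input record,
# with a validity test against a constructed master file and a mod-10
# (Luhn) check-digit test. Field names and master-file rows are assumptions.

# Constructed customer master file: account number (last digit is the
# check digit) -> customer name.
CUSTOMER_MASTER = {"79927398713": "Acme Ltd", "12345674": "Beta Co"}

def luhn_check_digit_ok(number: str) -> bool:
    """Mod-10 (Luhn) test: the check digit must make the weighted digit sum
    divisible by 10, which catches single keying errors and most
    transpositions of adjacent digits."""
    if not number.isdigit():
        return False
    total = 0
    # Walk right to left; double every second digit, starting with the
    # digit immediately left of the check digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_tests(txn: dict) -> list:
    """Run the edit tests on one record and return the rejection reasons;
    an empty list means the record is accepted."""
    errors = []
    # Completeness test: every required field present and non-blank.
    for field in ("account", "amount", "date"):
        if not str(txn.get(field, "")).strip():
            errors.append(f"missing {field}")
    account = str(txn.get("account", ""))
    # Check-digit test first: a keying error is caught before the lookup.
    if account and not luhn_check_digit_ok(account):
        errors.append("account fails check digit")
    # Validity test: the account must match a master-file record.
    elif account and account not in CUSTOMER_MASTER:
        errors.append("account not on master file")
    # Numeric and reasonableness tests on the amount field.
    try:
        amount = float(txn.get("amount", ""))
        if amount <= 0 or amount > 1_000_000:
            errors.append("amount outside reasonable range")
    except ValueError:
        errors.append("amount not numeric")
    return errors
```

Rejected records should be written to an error listing for correction and re-entry rather than silently dropped, so the batch stays complete.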

Chapter 10-37

Processing Controls

Purpose
  Focus on manipulation of accounting data
  Contribute to a good audit trail
Two Types
  Control totals
  Data manipulation controls

Chapter 10-38

Audit Trail

Chapter 10-39

Control Totals

Common Processing Control Procedures
  Batch control total
  Financial control total
  Nonfinancial control total
  Record count
  Hash total
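
The four control totals listed above, as an added example that is not part of the slides: totals are computed when a batch is entered, carried with the batch, and recomputed after processing so that a dropped, duplicated or substituted record is detected. The record layout and the sample batch are constructed for the example.

```python
# Added example (not from the slides): batch control totals computed at data
# entry and recomputed after processing. The record layout is an assumption.
from typing import Dict, List

def control_totals(batch: List[dict]) -> Dict[str, float]:
    """Compute the control totals for one batch of transactions."""
    return {
        # Record count: number of transactions in the batch.
        "record_count": len(batch),
        # Financial control total: sum of a money field (invoice amount).
        "financial_total": round(sum(r["amount"] for r in batch), 2),
        # Nonfinancial control total: sum of a non-money field (quantity).
        "nonfinancial_total": sum(r["quantity"] for r in batch),
        # Hash total: sum of a field with no arithmetic meaning (account
        # number); it exists only to detect substitution of a record.
        "hash_total": sum(int(r["account"]) for r in batch),
    }

def reconcile(expected: Dict[str, float], actual: Dict[str, float]) -> List[str]:
    """Compare the totals carried with the batch against totals recomputed
    after processing; return the names of the totals that disagree."""
    return [name for name in expected if expected[name] != actual[name]]

# Constructed batch as keyed by the data-entry clerk.
ENTERED = [
    {"account": "10021", "amount": 120.50, "quantity": 3},
    {"account": "10034", "amount": 75.00, "quantity": 1},
    {"account": "10058", "amount": 300.25, "quantity": 10},
]
ENTERED_TOTALS = control_totals(ENTERED)

def check_processed(processed: List[dict]) -> List[str]:
    """Recompute totals on the processed batch; report the controls that fail."""
    return reconcile(ENTERED_TOTALS, control_totals(processed))
```

Totals do not change when two records' amounts are swapped between accounts, which is why activity listings under the output controls complement them.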

Chapter 10-40

Data Manipulation Controls

Data Processing
  Following validation of input data
  Data manipulated to produce decision-useful information
Processing Control Procedures
  Software documentation
  Error-testing compiler
  Utilization of test data

Chapter 10-41

Output Controls

Purpose
  Ensure validity
  Ensure accuracy
  Ensure completeness
Major Types
  Validating Processing Results
  Regulating Distribution and Use of Printed Output

Chapter 10-42

Output Controls

Validating Processing Results
  Preparation of activity listings
  Provide detailed listings of changes to master files
Regulating Distribution and Use of Printed Output
  Forms control
  Pre-numbered forms
  Authorized distribution list

Chapter 10-43

Study Break #5
Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.
A. Specific
B. General
C. Application
D. Input

Chapter 10-44

Triangles of Information Security

Why We Do It (Fraud)
How We Prevent It

Chapter 10-45

Fraud Triangle

Chapter 10-46

CIA Triangle

Chapter 10-47
