Information Systems Control
Dr. Yan Xiong
College of Business
CSU Sacramento
January 27,2003
This lecture is based on Martin (2002) and Romney and
Steinbart (2002)
Agenda
AIS Threats
Internal Controls
General controls for
information systems
Internet controls
Contingency management
AIS Threats
Natural and political
disasters:
– fire or excessive heat
– floods
– earthquakes
– high winds
– war
AIS Threats
Software errors and
equipment malfunctions
– hardware failures
– power outages and fluctuations
– undetected data transmission
errors
AIS Threats
Unintentional acts
• accidents caused by
human carelessness
• innocent errors of omissions
• lost or misplaced data
• logic errors
• systems that do not meet
company needs
AIS Threats
Intentional acts
• sabotage
• computer fraud
• embezzlement
• confidentiality breaches
• data theft
Agenda
AIS Threats
Internal Control
Cost-benefit Analysis
General controls for
information systems
Internet controls
Contingency management
Internal Control
The COSO (Committee of Sponsoring Organizations)
study defines internal control as the process
implemented by the board of directors, management,
and those under their direction to provide reasonable
assurance that control objectives are achieved with
regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations
Internal Control Classifications
The specific control procedures used in
the internal control and management
control systems may be classified using
the following four internal control
classifications:
1 Preventive, detective, and corrective
controls
2 General and application controls
3 Administrative and accounting controls
4 Input, processing, and output controls
Types of Controls
Preventive: deter problems
before they arise
segregating duties
Detective: discover control
problems as soon as they arise
bank reconciliation
Corrective: remedy problems
discovered with detective controls
file backups
Internal Control Model
COSO’s internal control model has
five crucial components:
1 Control environment
2 Control activities
3 Risk assessment
4 Information and communication
5 Monitoring
The Control Environment
The control environment consists of many
factors, including the following:
1 Commitment to integrity and ethical
values
2 Management’s philosophy and
operating style
3 Organizational structure
The Control Environment
4 The audit committee of the board
of directors
5 Methods of assigning authority
and responsibility
6 Human resources policies and
practices
7 External influences
Control Activities
Generally, control procedures fall into one of five
categories:
1 Proper authorization of transactions and
activities
2 Segregation of duties
3 Design and use of adequate documents and
records
4 Adequate safeguards of assets and records
5 Independent checks on performance
Proper Authorization of Transactions
and Activities
Authorization is the empowerment
management gives employees to
perform activities and make
decisions.
Digital signature or fingerprint is a
means of signing a document with a
piece of data that cannot be forged.
Specific authorization is the granting
of authorization by management for
certain activities or transactions.
Segregation of Duties
Good internal control demands that
no single employee be given too
much responsibility.
An employee should not be in a
position to perpetrate and conceal
fraud or unintentional errors.
Segregation of Duties
Custodial Functions
Handling cash
Handling assets
Writing checks
Receiving checks in mail Authorization Functions
Authorization of
Recording Functions transactions
Preparing source documents
Maintaining journals
Preparing reconciliations
Preparing performance reports
Segregation of Duties
If two of these three functions are the
responsibility of a single person,
problems can arise.
Segregation of duties prevents employees
from falsifying records in order to conceal
theft of assets entrusted to them.
Prevent authorization of a fictitious or
inaccurate transaction as a means of
concealing asset thefts.
Segregation of Duties
Segregation of duties prevents an
employee from falsifying records to
cover up an inaccurate or false
transaction that was inappropriately
authorized.
Design and Use of Adequate
Documents and Records
The proper design and use of
documents and records helps ensure
the accurate and complete recording
of all relevant transaction data.
Documents that initiate a transaction
should contain a space for
authorization.
Design and Use of Adequate
Documents and Records
The following procedures safeguard
assets from theft, unauthorized use, and
vandalism:
– effectively supervising and segregating
duties
– maintaining accurate records of assets,
including information
– restricting physical access to cash and
paper assets
– having restricted storage areas
Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms,
computer files, and information
Independent Checks on Performance
Independent checks to ensure that
transactions are processed
accurately are another important
control element.
What are various types of
independent checks?
– reconciliation of two independently
maintained sets of records
– comparison of actual quantities
with recorded amounts
Independent Checks on Performance
– double-entry accounting
– batch totals
Five batch totals are used in
computer systems:
1 A financial total is the sum of a
dollar field.
2 A hash total is the sum of a field
that would usually not be added.
Independent Checks on Performance
3 A record count is the number of
documents processed.
4 A line count is the number of lines
of data entered.
5 A cross-footing balance test
compares the grand total of all the
rows with the grand total of all the
columns to check that they are
equal.
Information and Communication
The fourth component of COSO’s
internal control model is information
and communication.
Accountants must understand the
following:
1 How transactions are initiated
2 How data are captured in machine-
readable form or converted from
source documents
Information and Communication
3 How computer files are accessed and
updated
4 How data are processed to prepare
information
5 How information is reported
6 How transactions are initiated
All of these items make it possible for the
system to have an audit trail.
An audit trail exists when individual
company transactions can be traced
through the system.
Monitoring Performance
The fifth component of COSO’s
internal control model is monitoring.
What are the key methods of
monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing
Risk Assessment
The third component of COSO’s internal
control model is risk assessment.
Companies must identify the threats they
face:
– strategic — doing the wrong thing
– financial — having financial resources
lost, wasted, or stolen
– information — faulty or irrelevant
information, or unreliable systems
Risk Assessment
Companies that implement electronic
data interchange (EDI) must identify
the threats the system will face, such
as:
1 Choosing an inappropriate
technology
2 Unauthorized system access
3 Tapping into data transmissions
4 Loss of data integrity
Risk Assessment
5 Incomplete transactions
6 System failures
7 Incompatible systems
Risk Assessment
Some threats pose a greater risk
because the probability of their
occurrence is more likely.
What is an example?
A company is more likely to be the
victim of a computer fraud rather
than a terrorist attack.
Risk and exposure must be
considered together.
Cost and Benefits
Benefit of control
procedure is difference
between
expected loss with control
procedure(s)
expected loss without it
Loss / Fraud Conditions
Threat: potential adverse
or unwanted event that can
be injurious to AIS
Exposure: potential maximum
$ loss if event occurs
Risk: likelihood that event will occur
Expected Loss: Risk * Exposure
Loss / Fraud Conditions
For each AIS threat:
Expected
Exposure X Risk =
Loss
Maximum Likelihood Potential
Loss ($) of Event $ Loss
Occurring
Exposures
Possible Expo-
Threat Symbol sure Risk
Disaster D H L+
Power Outage O M H
System Down H L L
Human Error E M M
Fraud F M L
Data Theft T L M
Sabotage S H L
Risk Assessment of Controls
Threat
Risk
Implement
Exposure Yes
Control Needs Cost
Benefi-
cial? No
Costs
Payroll Case
Condition Without With Difference
Cost Payroll $10K $10K
Risk of Error 15% 1%
Error Cost $1.5K $0.1K $1.4K
Validate Cost 0 $0.6K $(0.6K)
Expected
Benefit $0.8K
Agenda
AIS Threats
Internal Controls
General controls for
information systems
Internet controls
Contingency management
General Controls
General controls ensure that overall
computer environment is stable
and well managed
General control categories:
1 Developing a security plan
2 Segregation of duties within the
systems function
General Controls
3 Project development controls
4 Physical access controls
5 Logical access controls
6 Data storage controls
7 Data transmission controls
8 Documentation standards
9 Minimizing system downtime
General Controls
10. Protection of personal computers
and client/server networks
11. Internet controls
12. Disaster recovery plans
Security Plan
Developing and continuously
updating a comprehensive
security plan one of most
important controls for company
Questions to be asked:
Who needs access to what information?
When do they need it?
On which systems does the information
reside?
Segregation of Duties
In AIS, procedures that
used to be performed by
separate individuals combined
Person with unrestricted access
to computer,
its programs,
and live data
has opportunity to both perpetrate
and conceal fraud
Segregation of Duties
To combat this threat,
organizations must
implement compensating
control procedures
Authority and responsibility
must be clearly divided
NOTE: must change with increasing
levels of automation
Segregation of Duties
Divide following functions:
• Systems analysis
• Programming
• Computer operations
• Users
• AIS library
• Data control
Duty Segregation
Analyze
What about small firms?
Design
Specs Archive
Program
Use
Programs Operate Output
Project Development
Controls
Long-range master plan
Project development plan
Periodic performance
evaluation
Post-implementation review
System performance
measurements
Development Controls
Master
Development Periodic
Performance
Plan
Review
Post
Implement
Project Review
Development
Performance
Plan Measures
STARTED COMPLETED SYSTEM
PROJECT PROJECT OPERATION
Physical Access Controls
Placing computer equipment
in locked rooms and restricting
access to authorized personnel
Having only one or two
entrances to computer room
Requiring proper employee ID
Requiring visitors to sign log
Installing locks on PCs
Logical Access Controls
Users should be allowed access only to
the data they are authorized to use and
then only to perform specific authorized
functions.
What are some logical access controls?
– passwords
– physical possession identification
– biometric identification
– compatibility tests
Access Control Matrix
PASS- FILES PROGRAMS
WORD A B 1 2
ABC 0 1 0 0
DEF 1 2 0 0
KLM 1 1 1 1
NOP 3 0 3 0
0 – No access 2 – Update
1 – Read / display 3 – Create / delete
Data Storage Controls
Information gives company
competitive edge and makes
it viable
Company should identify
types of data used and level
of protection required for each
Company must also document
steps taken to protect data
e.g., off-site storage
Data Transmission
Controls
Reduce risk of data
transmission failures
– data encryption (cryptography)
– routing verification procedures
– parity bits
– message acknowledgment techniques
Information
Information
Transmission System
Source
Message
Transmitter Channel Receiver
Signal
Destination
Noise
Information
Transmission Controls
Parity
Bit
Encrypt
Decrypt
SEND RECEIVE
Message
Routing
Verification
Data Message
Encryption Acknowledge-
ment
Even Parity Bit System
There are five Parity Bit
“1” bits in message
1 0 1 1 0 1 1 0 1
Message in Binary A “1” placed in parity
bit to make an even
number of “1”s.
Data Transmission Controls
Added importance when
using electronic data
interchange (EDI) or
electronic funds transfer (EFT)
In these types of environments,
sound internal control is achieved
using control procedures
Data Transmission Control
Controlled physical access
to network facilities
Identification required for all
network terminals
Passwords and dial-in phone
numbers changed on regular basis
Encryption used to secure stored
and transmitted data
Transactions log
Documentation
Standards
Documentation procedures
and standards ensure clear
and concise documentation
Documentation categories:
• Administrative documentation
• Systems documentation
• Operating documentation
Minimizing System
Downtime
Significant financial
losses can be incurred
if hardware or software
malfunctions cause AIS to fail
Methods used to minimize system
downtime
• preventive maintenance
• uninterruptible power system
• fault tolerance
Protection of PCs and
Client/Server Networks
PCs more vulnerable to
security risks than
mainframe computers
Difficult to restrict physical access
PC users less aware of importance
of security and control
More people familiar with the
operation of PCs
Segregation of duties is difficult
Protection of PCs and
Client/Server Networks
Train users in PC-related
control concepts
Restrict access by using
locks and keys on PCs
Establish policies and procedures
Protection of PCs and
Client/Server Networks
Portable PCs should not
be stored in cars
Back up hard disks regularly
Encrypt or password protect files
Build protective walls around
operating systems
Use multilevel password controls
to limit employee access to
incompatible data
Agenda
AIS Threats
Control concepts
General controls for
information systems
Internet controls
Contingency management
Internet Controls
Internet control is installing a
firewall, hardware and software that
control communications between a
company’s internal network (trusted
network) and an external network.
Internet Controls
Passwords
Encryption technology
Routing verification
procedures
Installing a firewall
Internet Risks
Split into packets
A B
May travel different paths
Message Intended
originating ? Destination
at Point A Did anyone else Point B
see the message?
? ?
Did Point B receive Was the message
this message? really sent by
Point A?
Messaging Security
Confidentiality
Integrity: detect tampering
Authentication: correct party
Non-repudiation: sender can’t deny
Access controls: limit entry to
authorized users
Symmetric Encryption
Sender Receiver
Identical
Keys
Clear Clear
Text Text
Message Message
PKI
Public Key Infrastructure
Most commonly used
Two keys:
public key – publicly available
private key – kept secret
Two keys related through secret
mathematical formula
Need both to process transaction
Biometric Usage
For user authentication
By order of use
finger scanners
hand geometry
face-recognition
eye scan
voiceprints
signature verification
Digital Signature
Also called Certificate
Issued by trusted third party
Certification Authority (CA)
Electronic passport to prove identity
Provides assurance messages are valid
Uses encryption to verify
identity of unseen partner
Firewall
Firewall is barrier
between networks
not allowing information
to flow into and out of
trusted network
Firewalls
Attempted
Access Valid
Firewall Traffic
Internet Sensitive
Database
Valid
Access
External Internal
Screen Screen
Firewall Types
Packet Filter:
simplest type
doesn’t examine data
looks at IP header
Proxy Firewall (Server):
hides protected private network
forwards requests from private to
public network (not within)
Firewall Types
Demilitarized Zone:
more secure
several layers of firewall protection
different levels of protection to
different portions of company’s
network
runs between private network and
outside public network
Bypassing Firewalls
Internet
Firewall
SERVER
Inventory R&D
Customer Info Department
Ordering
Agenda
AIS Threats
Control concepts
General controls for
information systems
Internet controls
Contingency management
Contingency
Management
Disaster Recovery
is reactive
Contingency Management
is proactive
Continuity Planning latest term
Accounting standards in terms
of Disaster Recovery
Disaster Recovery Plan
Purpose: to ensure
processing capacity can be
restored as smoothly and
quickly as possible in the
event of:
a major disaster
a temporary disruption
Disaster Plan Objectives
Minimize disruption,
damage, and loss
Temporarily establish
alternative means of
processing information
Resume normal operations as soon
as possible
Train and familiarize personnel with
emergency operations
Plan Elements
Priorities for recovery
process
Backup data and program
files
Backup facilities
reciprocal agreements
hot and cold sites
shadow mode (parallel)
Back Up Data
Rollback:
predated copy of each
record created prior to
processing transaction
If hardware failure
records rolled back to
predated version
transactions processed from
beginning
Back Up Data Decisions
How often? (e.g., weekly)
Exposure * Risk = Expected Loss
Where do you store backup data
on-site (e.g., fireproof safe)
off-site (incurs costs)
How quick to recover?
What is recovered first?
Remote Access
Computer World, 1/21/02
Companies eying remote access
as contingency management tool
Scrambling to develop remote
access systems
Result of September 11
If main facilities down, still can
communicate with one another
Recovery Plan
Recovery plan not
complete until tested by
simulating disaster
EDS
Plan must be continuously
reviewed and revised so it
reflects current situation
Plan should include insurance
coverage
Cardinal Health
Redundant systems for
critical order processing
Redundant WAN trunks
System data backed up daily
backup media kept off-site
Backup replica site
different part of country
switched on within 30 minutes
The Money Store
Databases backed up
every evening
Back-up files stored at
on-site
information storage vendor
Automatic archival process that
periodically pulls / stores back-up
data files
The Money Store
Call Centers
in 3 locations nationally
separated so that a natural
disaster will not hit all three
simultaneously
calls electronically rerouted to
other two sites
in Sacramento, rent vacant
building as emergency site
Topics Covered
AIS Threats
Control concepts
General controls for
information systems
Internet controls
Contingency management