
Chapter 8:

Controlling Information Systems: Introduction to Pervasive and General Controls

• Organizational governance: processes employed by organizations to select and attain objectives.
• IT governance: processes to see that the organization's IT supports the attainment of organizational objectives. (Consists of the leadership, organizational structures, and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.)

Control Objectives for Information and Related Technology (COBIT)

• Developed by the Information Systems Audit and Control Foundation (the research arm of ISACA, which publishes COBIT today) to provide guidance to managers, users, and auditors on best practices for the management of information technology.
• According to COBIT
– IT resources must be managed by IT control processes to ensure that the organization has the information it needs to achieve its objectives.
IT Resources
• Data: Objects in their widest sense (i.e., external and internal), structured and nonstructured,
graphics, sound, etc.
• Application systems: Application systems are understood to be the sum of manual and
programmed procedures reflecting business processes.
• Technology: Technology covers hardware, operating systems, database management
systems, networking, multimedia, etc.
• Facilities: Facilities are all resources used to house and support information systems.
• People: People include staff skills; awareness; and productivity to plan, organize, acquire,
deliver, support, and monitor information systems and services.

A Hypothetical Computer System


• This computer system consists of one or more mainframe computers connected to several networked client computers (CCs) and PCs, perhaps through a LAN, and to PCs and CCs located in the organization's other facilities, perhaps through a WAN.
• Computer facilities operated by other organizations are connected, perhaps via the Internet and through a firewall, to the mainframe, servers, and PCs.

Organization Structures
• Centralized: CIO is central leader of all information system functions
• Decentralized: Assigns personnel to non-central (e.g., departments) organizational units
• Functional organization: Assigns personnel to skills-based units (e.g., programming, systems
analysis). Used by both decentralized and centralized organizations
• Matrix: Assembles work groups or teams, comprised of members from different functional
areas, under the authority of a team leader
• Project: Establishes permanent systems development structures such as “Financial Systems
Development”

-The use of IT resources for enterprise systems and e-business: magnifies the importance of protecting the
resources both within and outside of the organization from risks.
Summary of Information Systems Functions:
IT Control Domains and Processes:
• COBIT organizes IT internal control into domains and processes
• Domains include:
– Planning and organization
– Acquisition and implementation
– Delivery and support
– Monitoring
-In an information systems organization structure, the three functions that might logically report directly to
the CIO would be: systems development, technical services, and data center.
-Collusion- any fraud committed by two or more individuals or departments.
-Compensatory controls- the alternative controls on which a small organization that does not have enough personnel to adequately segregate duties must rely.


-Forced vacations-is a policy of requiring an employee to take leave from the job and substituting another
employee in his or her place.
-fidelity bond- indemnifies a company in case it suffers losses from defalcations committed by its
employees.
- system development life cycle (SDLC)- is a formal set of activities, or a process, used to develop and
implement a new or modified information system.
-application software- Computer software that is used to facilitate the execution of a given business process.
-Systems documentation- provides an overall description of the application, including the system's purpose; an overview of system procedures; and sample source documents, outputs, and reports.
-Program documentation- provides a description of an application computer program and usually includes the program's purpose, program flowcharts, and source code listings.
-Training materials -are documentation that helps users learn their jobs and perform consistently in those
jobs.
-Program change controls-provide assurance that all program modifications are authorized and that the
changes are completed, tested, and properly implemented.
-Electronic vaulting-A technique uses a service whereby data changes made on a computer are automatically
transmitted over the Internet on a continuous basis to an off-site server maintained by a third party.
-Continuous data protection (CDP)-The data replication strategy whereby all data changes are saved to
secondary systems as the changes are happening on the primary system.
-Hot site- a disaster recovery strategy in which a fully equipped data center is made available on a standby basis to client companies for a monthly subscriber's fee.
-Cold site -A facility usually comprising air-conditioned space with a raised floor, telephone connections,
and computer ports, into which a subscriber can move equipment.
-Biometric identification systems- identify authorized personnel through some unique physical trait such as
fingers, hands, voice, eyes, face, and writing dynamics.( The most common biometric devices read:
fingerprints, thumbprints)
-Threat monitoring-In an online computer environment, the accumulation of access activity and its review by
the security officer.
-Preventive maintenance- Periodic cleaning, testing, and adjusting of computer equipment.
-Computer hacking/Computer cracking- is the intentional penetration of an organization's computer system,
accomplished by bypassing the system's access security controls.
-Recovery-The process whereby we restore lost data and continue operations.
-In a denial-of-service attack- a Web site is overwhelmed by an intentional onslaught of thousands of simultaneous messages, making it impossible for the attacked site to engage in its normal activities.
-distributed denial-of-service attack- uses many computers, called zombies, that unwittingly cooperate in a denial-of-service attack by sending messages to the target Web site.


-Firewall-a technique to protect one network from another “untrusted” network by blocking certain kinds of
traffic.
- intrusion-detection system (IDS)- the threat monitoring portion of the security module; it monitors system and network resources and activities, "learns" how users typically behave on the system, and alerts on deviations from that behavior.
-intrusion-prevention system (IPS)- sits in the traffic path and actively blocks unauthorized traffic using rules specified by the organization.

Chapter 9: Controlling Information Systems: Business Process and Application Controls

Steps in Preparing Control Matrix:


I. Specifying control goals represents the first step in building a control matrix. The goals are listed
across the top row of the matrix.
1. Identify the operations process goals
a. Effectiveness goals
b. Efficiency goals
c. Security goals
2. Identify Information Process Goals
a. Input Goals
b. Update Goals
II. Recommending Control Plans
1. Annotating “Present” Control Plans
2. Evaluating “Present” Control Plans
3. Identifying and Evaluating “Missing” Control Plans
Operations Process Goals: Effectiveness Goals
i. Ensure the successful accomplishment of the goals set forth for the business process
ii. Different processes have different effectiveness goals. For Lenox’s cash receipts process we include
only two examples here:
– A — Timely deposit of checks
– B — Comply with compensating balance agreements with the depository bank
– Other possible goals of a cash receipts process would be shown as goals C, D, and so forth, and described at the bottom of the matrix (in the matrix legend).
iii. With respect to other business processes, such as production, we might be concerned with
effectiveness goals related to the following:
– Goal A—to maintain customer satisfaction by finishing production orders on time.
– Goal B—to increase market share by ensuring the highest quality of finished goods.
Operations Process Goals: Efficiency Goals
i. The purpose of efficiency control goals of the operations process is to ensure that all resources used
throughout the business process are being employed in the most productive manner
ii. In parentheses, notice that we have listed two resources of the cash receipts process for which
efficiency is applicable—people and computers.
• In fact, people and computers would always be considered in the efficiency assessments
related to accounting information systems.
iii. In other business processes, such as receiving goods and supplies, we might also be concerned with
the productive use of equipment such as trucks, forklifts, and hand-held scanners.
Operations Process Goals: Security Goals
i. The purpose of security control goals of the operations process is to ensure that entity resources are
protected from loss, destruction, disclosure, copying, sale, or other misuse.
ii. In parentheses, we have included two resources of the cash receipts process over which security must
be ensured—cash and information (accounts receivable master data).
• With any business process, we are concerned with information that is added, changed, or
deleted as a result of executing the process, as well as assets that are brought into or taken
out of the organization as a result of the process, such as cash, inventory, and fixed assets.
iii. With regard to other business processes, such as shipping, we might include customer master data
and shipping data.
• Note: The security over hard assets used to execute business processes, such as computer
equipment, trucks, trailers, and loading docks, is handled through pervasive controls.
Information Process Goals: Input Goals
i. With respect to all business process data entering the system, the purpose of input goals of the
information process is to ensure:
• input validity (IV)
• input completeness (IC) and
• input accuracy (IA).
ii. With the cash receipts process, we are concerned with input validity, accuracy, and completeness
over cash receipts
• Here, they are in the form of remittance advices
• Notice that we specifically name the input data of concern in parentheses.
iii. With respect to other business processes, such as hiring employees, we would be concerned with
other inputs, such as employee, payroll, and benefit plan data.
Information Process Goals: Update Goals
i. Update goals must consider all related information that will be affected by the input data, including
master file data and ledger data. For the business process input data, the purpose of update control
goals of the information process is to ensure:
• The update completeness (UC) and
• Update accuracy (UA)
ii. With regard to the cash receipts information process, we recognize that the accounts receivable data
will be updated by cash receipts
• (Cash is debited and the customer's accounts receivable account is credited.)
• Notice that we list accounts receivable master data in the control matrix.
iii. Other business processes, such as cash payments, would involve different update concerns, such as
vendor, payroll, or accounts payable master data.
Annotating Present Control Plans
• Start on the upper left-hand column of the systems flowchart and spot the first manual keying
symbol, manual process symbol, or computer process symbol (process related symbols)
• Then, follow the sequential logic of the systems flowchart and identify all of the process-related
symbols.
• Each process-related symbol reflects an internal control plan which is already present.
• It is important to recognize that while a control plan may be present, it may not be working as
effectively as it should; thus, you might recommend ways to strengthen or augment existing control
plans
Annotate the Process Flow Chart
• Review the flowchart and determine whether a control is present (P-) or missing (M-)
• Annotate the flowchart
– If controls are present, mark P-
– If controls are absent, mark M-
Annotating Present Control Plans
a. Reviewing the Lenox systems flowchart (Figure 9.2), you will find that the first process-related
symbol is entitled “Endorse checks.”
– Because this process appears on the flowchart, this control plan already exists, meaning, it is
present as opposed to missing.
– Accordingly, place a P- beside the process, indicating that it is present, and a 1 beside the P- reflecting the first present control plan on the flowchart.
– As a result, you should have annotated the systems flowchart with a P-1.
b. Continue reviewing the systems flowchart by following its sequential logic, annotating the flowchart
with P-2, P-3, and so on until you have accounted for all present control plans.
Evaluating “Present” Control Plans:
• Write number (P-1, P-2, P-3 through P-n) and name of each control plan in the left-hand column of
the control matrix.
• Then, starting with P-1, look across the row and determine which control goals the plan addresses
and place a P-1 in each cell of the matrix for which P-1 is applicable.
• It is possible that a given control plan can attend to more than one control goal.
• Continue this procedure for each of the present control plans.
• Simultaneously, in the legend of the matrix, describe how the control plan addresses each noted
control goal.
Identifying and Evaluating “Missing” Control Plans:
The next step in recommending control plans is to determine if additional controls are needed to address
missing control goal areas, strengthen present control plans, or both.
• Examining the control matrix: The first place to start is to look at the control matrix and see if there are any control goals (operations or information) that no present control plan addresses.
• If so, you need to do the following:
i. In the left-hand column of the matrix, number the first missing control plan as M-1 and label
or title the plan.
ii. Across the matrix row, place M-1 in each cell for which the missing control is designed.
iii. In the legend of the matrix, explain how the missing control will address each noted control
goal.
iv. On the systems flowchart, annotate M-1 where the control should be inserted.
v. If there are still control goals that no control plan addresses, develop another plan (M-2) and repeat the four previous steps (i through iv). Continue this procedure until each control goal on the matrix is addressed by at least one control plan.
• With regard to Lenox, we have noted two missing control plans in the sample control matrix for the
Cash Receipts Business Process
• M-1 and M-2, although more might exist

Evaluating the systems flowchart:


• Even though all of the control goals on the matrix are now addressed, closely review the systems
flowchart one more time.
• Look for areas where further controls are needed.
• Even when every control goal on the matrix has one or more associated control plans, we might have to add more control plans or strengthen existing plans to reduce residual risk to an acceptable level in certain areas.
• It takes training and experience to spot risks and weaknesses of this nature
• In Chapters 10 through 16 you will learn more about how to make such critical internal control
assessments.
Sample Control Plans for Data Input
1. Manual and automated data entry
2. Data entry with batches of input data
Available Control Plans for Data Input
• P-1: Document design
– the source document is designed so that it is easy to complete and easy to key data from
• P-2: Written approvals
– signature or initials indicating approval of event processing
• P-3: Preformatted screens
– defines acceptable format for each data field (e.g., 9 numeric characters for SSN)
• P-4: Online prompting
– requests user input or asks questions, e.g., message box
• P-5: Populate input screen with master data
– User enters an entity’s ID code and the system then retrieves certain data about that entity
from existing master data.
– User might be prompted to enter the customer ID (code).
– By accessing the customer master data, the system automatically provides data such as the
customer’s name and address, the salesperson’s name, and the sales terms.
– This reduces the number of keystrokes required, making data entry quicker, more accurate,
and more efficient.
– Therefore, the system automatically populates input fields with existing data

• P-6: Compare input data with master data


– the system compares inputs with standing (master) data to ensure their accuracy and validity
– Input/master data dependency checks
• These edits test whether the contents of two or more data elements or fields on an
event description bear the correct logical relationship.
• For example, input sales events can be tested to determine whether the salesperson
works in the customer’s territory.
• If these two items don’t match, there is some evidence that the customer number or
the salesperson identification was input erroneously.
– Input/master data validity and accuracy checks
• These edits test whether master data supports the validity and accuracy of the input.
For example, this edit
– might prevent the input of a shipment when no record of a corresponding
customer order exists.
– If no match is made, we may have input some data incorrectly, or the
shipment might simply be invalid.
• We might also compare elements within the input and master data.
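The P-5 and P-6 checks above, worked through as an added Python example (this is not code from the original notes or from the Lenox case): a hypothetical customer master, salesperson master and open-sales-order file are constructed inline, and the field names (`territory`, `salesperson`, `terms`, the `C100`/`SO-5001` identifiers) are assumptions for illustration. `populate_from_master` shows the P-5 retrieval, `check_sales_event` the dependency check between salesperson and customer territory, and `check_shipment` the validity check that a shipment must match an existing order.

```python
"""Added example (not from the original notes): input/master-data edits for
control plans P-5 and P-6 applied to a keyed sales event and a keyed shipment.
Master files, field names and identifiers are constructed assumptions."""

# Constructed master data (assumed layouts, not from the page).
CUSTOMER_MASTER = {
    "C100": {"name": "Acme Ltd", "address": "1 Main St", "territory": "NE",
             "salesperson": "S1", "terms": "2/10 net 30"},
    "C200": {"name": "Bolt Co", "address": "9 Dock Rd", "territory": "SW",
             "salesperson": "S2", "terms": "net 30"},
}
SALESPERSON_MASTER = {"S1": {"territory": "NE"}, "S2": {"territory": "SW"}}
# Open sales orders: order number -> customer number.
OPEN_SALES_ORDERS = {"SO-5001": "C100", "SO-5002": "C200"}


def populate_from_master(cust_no):
    """P-5: after the user keys only the customer ID, retrieve name, address,
    salesperson and terms from master data instead of keying them again.
    Returns None when the ID does not exist (an input validity failure)."""
    cust = CUSTOMER_MASTER.get(cust_no)
    if cust is None:
        return None
    return {k: cust[k] for k in ("name", "address", "salesperson", "terms")}


def check_sales_event(cust_no, salesperson_id):
    """P-6 dependency check: the salesperson must work in the customer's
    territory. A mismatch suggests the customer number or the salesperson ID
    was mis-keyed. Returns a list of error messages; an empty list passes."""
    errors = []
    cust = CUSTOMER_MASTER.get(cust_no)
    sp = SALESPERSON_MASTER.get(salesperson_id)
    if cust is None:
        errors.append(f"customer {cust_no} not on customer master")
    if sp is None:
        errors.append(f"salesperson {salesperson_id} not on salesperson master")
    if cust and sp and cust["territory"] != sp["territory"]:
        errors.append(
            f"salesperson {salesperson_id} ({sp['territory']}) does not work "
            f"in customer {cust_no}'s territory ({cust['territory']})")
    return errors


def check_shipment(order_no, cust_no):
    """P-6 validity check: a shipment is accepted only when an open sales
    order with that number exists and belongs to the same customer."""
    errors = []
    order_cust = OPEN_SALES_ORDERS.get(order_no)
    if order_cust is None:
        errors.append(f"no open sales order {order_no}: shipment rejected")
    elif order_cust != cust_no:
        errors.append(f"order {order_no} belongs to {order_cust}, not {cust_no}")
    return errors
```

A rejected event should go to the P-7 procedures for rejected inputs rather than being silently dropped; returning the full list of failures, instead of stopping at the first, gives the operator everything needed to correct and resubmit the record once.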

• P-7: Procedures for rejected Inputs


– After the input is processed (including comparison with master data), any input found to contain errors is corrected and resubmitted; the procedures ensure that rejected inputs are followed up rather than simply dropped

• P-8: Programmed edit checks

– Automatically performed by data entry programs upon entry of data
• Reasonableness checks (limit checks)—test whether input values fall within predetermined limits
• Mathematical accuracy checks—compare calculations performed manually with those performed by the computer, e.g., compare a manually entered invoice total with the total the computer calculates from the invoice lines
• Check digit verification—a functionally dependent extra digit is appended to an identification number; if the number is mis-keyed, the recomputed check digit does not match and the system rejects the input
• Document/record hash totals—a summation of numeric data on the source document (e.g., the invoice numbers on a remittance advice) that would not normally be totaled; the computer's total is compared with the total calculated manually from the document
• P-9: Confirm input acceptance
– These interactive programmed features inform the user that the input has been accepted and
recorded or rejected for processing.
• P-10: Automated data entry
– stores the accurate, valid input data onto digital media in a timely manner with minimal use
of resources.
• P-11: Enter data close to the originating source
– Online transaction entry (OLTE) and online real-time processing (OLRT)
– No transportation of source documents, no transcription of source documents
– Easier to recognize mistakes
• P-12: Digital signatures
– Validates the identity of the sender and that the message was not altered after it was signed
Data entry is one of the most error-prone and inefficient steps in an operations or information process.
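The P-8 programmed edit checks, run over a single keyed remittance advice as an added Python example (not code from the original notes). The record layout, the reasonableness limits and the amounts are constructed for illustration, and the choice of the Luhn mod-10 algorithm as the check-digit scheme is an assumption: the notes only say that the check digit is functionally dependent on the number it protects, and any such scheme could be substituted in `luhn_check_digit`.

```python
"""Added example (not from the original notes): the P-8 programmed edit checks
applied to one keyed remittance advice. Record layout, limits, amounts and the
use of Luhn mod-10 as the check-digit scheme are assumptions for illustration."""

AMOUNT_LOW_CENTS = 1             # assumed reasonableness limits, in cents
AMOUNT_HIGH_CENTS = 10_000_000


def luhn_check_digit(payload):
    """Compute the Luhn (mod 10) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:           # the rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number):
    """Check-digit verification: the last digit must equal the digit recomputed
    from the rest. Catches every single mis-keyed digit and all adjacent
    transpositions except 09 <-> 90."""
    return (len(number) >= 2 and number.isdigit()
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def reasonableness_check(amount_cents, low=AMOUNT_LOW_CENTS, high=AMOUNT_HIGH_CENTS):
    """Limit check: the value must lie within predetermined limits."""
    return low <= amount_cents <= high


def mathematical_accuracy_check(line_amounts_cents, keyed_total_cents):
    """Recompute the total from the lines and compare it with the keyed total."""
    return sum(line_amounts_cents) == keyed_total_cents


def document_hash_total(invoice_numbers):
    """Document/record hash total: the invoice numbers on the advice summed.
    Meaningless as a figure, but a cheap test that the same set was keyed."""
    return sum(int(n) for n in invoice_numbers)


def edit_remittance(rec):
    """Run every edit on one keyed remittance; return the list of failures so
    the operator can correct all of them before resubmitting (P-7)."""
    errors = []
    if not luhn_valid(rec["customer_no"]):
        errors.append("customer number fails check-digit verification")
    if not reasonableness_check(rec["total_cents"]):
        errors.append("remittance total outside reasonable limits")
    if not mathematical_accuracy_check(rec["invoice_amounts_cents"], rec["total_cents"]):
        errors.append("invoice amounts do not sum to keyed total")
    if document_hash_total(rec["invoice_numbers"]) != rec["keyed_hash_total"]:
        errors.append("document hash total does not match the keyed total")
    return errors


# Constructed sample inputs (not real data).
GOOD_REMITTANCE = {
    "customer_no": "79927398713",        # payload 7992739871, check digit 3
    "invoice_numbers": ["5001", "5002"],
    "invoice_amounts_cents": [12_500, 7_500],
    "total_cents": 20_000,
    "keyed_hash_total": 10_003,
}
BAD_REMITTANCE = {
    "customer_no": "79927398173",        # '7' and '1' transposed when keyed
    "invoice_numbers": ["5001", "5002"],
    "invoice_amounts_cents": [12_500, 7_500],
    "total_cents": 20_001,               # total keyed incorrectly
    "keyed_hash_total": 10_003,
}
```

Amounts are kept in integer cents so the mathematical accuracy check is an exact comparison; using floating-point dollars would make two legitimately equal totals compare unequal.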
Data Entry with Batches
-involves collecting inputs into work units called batches; batched inputs are then keyed into system as a
batch,
– Implies some delay between the economic event and its reflection in the system
– Allows for controls focusing on the batch, e.g., batch control totals (hash or other totals from
batch)
– Batch entry is often followed by an exception and summary report
• Whenever documents are numbered sequentially, a sequence check can be automatically applied to
those documents.
• Batch sequence checks work best when we can control the input process and the serial numbers of
the input data, such as payroll checks.
– In a batch sequence check, the event data within a batch are checked as follows:
• a. The range of serial numbers constituting the batch is entered.
• b. Each individual, serially pre-numbered event data is entered.
• c. The computer program sorts the event data into numerical order; checks the
documents against the sequence number range; and reports missing, duplicate, and
out-of-range event data.
• Cumulative sequence check provides input control when the serial numbers are not entered in
sequence (i.e., picking tickets might contain broken sets of numbers).
– Matching of individual event data (picking ticket #s) is made to a file that contains all
document numbers (all sales order numbers).
• Periodically, reports of missing numbers are produced for manual follow-up.
– Reconciling a checkbook is another example of a situation where the check numbers are
issued in sequence.
• However, the bank statement we receive may not contain a complete sequence of
checks.
• Our check register assists us in performing a cumulative sequence check to make
sure that all checks are eventually cleared.
Batch Control Plans
• Batch control plans, to be effective, should ensure that:
– All documents are included in batch
– All batches are submitted for processing
– All batches are accepted by computer
– All differences are disclosed, investigated and corrected on a timely basis
• Batch control procedures start by grouping event data and calculating totals for the group: Several
different types of batch control totals can be calculated
– Document/record counts are simple counts of the number of documents entered in a batch
• This procedure represents the minimum level required to control input completeness.
• Because one document could be intentionally replaced with another, this control is
not effective for ensuring input validity and says nothing about input accuracy.
– Item or line counts
• Counts number of items or lines entered, such as a count of the number of invoices
being paid by all the customer remittances.
• By reducing the possibility that line items or entire documents could be added to the
batch or not be input, this control improves input validity, completeness, and
accuracy.
• Remember, a missing event record is a completeness error and a data set missing
from an event record is an accuracy error.
– Dollar totals
• Sum of dollar value of items in batch
• By reducing the possibility that entire documents could be added to or lost from the
batch or that dollar amounts were incorrectly input, this control improves input
validity, completeness, and accuracy.
– Hash totals
• Are a summation of any numeric data existing for all documents in the batch, such
as a total of customer numbers or invoice numbers in the case of remittance advices.
• Unlike dollar totals, hash totals normally serve no purpose other than control.
• Hash totals can be a powerful batch control because they can reveal that inputs have been altered, added, or deleted; offsetting errors (two mis-keyed numbers whose differences cancel) still produce a matching total, so hash totals complement rather than replace document counts, one-for-one checking, and key verification.
• These batch hash totals operate for a batch in a manner similar to the operation of
document/record hash totals for individual inputs.
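The four batch control totals described above, computed over a batch of remittance advices and reconciled against the totals established before keying, as an added Python example (not from the original notes). The `Remittance` record, the customer and invoice numbers and the amounts are constructed; the example goes one step past the text by showing a substituted document that only the hash total catches, and an offsetting error that none of the four totals catches.

```python
"""Added example (not from the original notes): document count, line count,
dollar total and hash total over a constructed batch of remittance advices,
reconciled against control totals established before the batch was keyed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Remittance:
    customer_no: int
    invoice_nos: tuple      # invoices paid by this remittance
    amount_cents: int


def batch_totals(batch):
    """Compute the four batch control totals for a list of remittances."""
    return {
        "document_count": len(batch),
        "line_count": sum(len(r.invoice_nos) for r in batch),
        "dollar_total_cents": sum(r.amount_cents for r in batch),
        # customer numbers summed: meaningless as a figure, useful as a control
        "hash_total": sum(r.customer_no for r in batch),
    }


def reconcile(control_totals, keyed_batch):
    """Compare pre-established control totals with totals recomputed from what
    was actually keyed. Returns {name: (expected, actual)} for each
    difference; an empty dict means the batch reconciles."""
    actual = batch_totals(keyed_batch)
    return {k: (control_totals[k], actual[k])
            for k in control_totals if control_totals[k] != actual[k]}


# Constructed batch as prepared in the mailroom before keying.
ORIGINAL_BATCH = [
    Remittance(1001, (5001,), 10_000),
    Remittance(1002, (5002, 5003), 25_000),
    Remittance(1003, (5004,), 5_000),
]
CONTROL_TOTALS = batch_totals(ORIGINAL_BATCH)

# One document replaced by another of equal amount and line count: document
# count, line count and dollar total all still agree; only the hash total
# (1001 + 1999 + 1003 instead of 1001 + 1002 + 1003) reveals the substitution.
SUBSTITUTED_BATCH = [
    ORIGINAL_BATCH[0],
    Remittance(1999, (5002, 5003), 25_000),
    ORIGINAL_BATCH[2],
]

# Two customer numbers keyed onto each other's documents: every total,
# hash total included, still agrees, so batch totals alone miss this
# accuracy error; one-for-one checking or key verification is needed.
OFFSETTING_BATCH = [
    Remittance(1002, (5001,), 10_000),
    Remittance(1001, (5002, 5003), 25_000),
    ORIGINAL_BATCH[2],
]
```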

*control redundancy- Having too many control plans directed at the same control goal.
*Document design-A control plan that makes it easier to prepare the document initially and later to input
data from the document.
*Written approval- takes the form of a signature or initials on a document to indicate that the proper person
has authorized the event.
*Preformatted screens-control the online entry of data by defining the acceptable format of each data field,
automatically moving to the next field, requiring that certain fields be completed, and/or automatically
populating certain fields.
*Online prompting- describes a computer system's asking the user for input or asking questions that the user
must answer.
* Programmed edit checks-are edits automatically performed by data entry programs upon entry of the input
data.
* Reasonableness check- tests whether an input value falls within predetermined limits (also called a "limit check").
*mathematical accuracy checks--The edit that compares calculations performed manually with those
performed by the computer to determine if a document has been entered correctly.
*check-digit is an extra digit that is added to an identification number to help control the accuracy with
which the number is entered into a computer system.
*key verification-The control plan designed to reduce the possibility that one person will misread or mis-key
data.
*exception and summary report is a computer-generated report that reflects the events--either in detail,
summary total, or both--that were accepted by the system and rejected by the system.
*line count- a count of the number of invoices being paid by all of the customer remittances is this type of batch control total.
*hash total -is the general term to describe the summation of data that would not normally be totaled except
for control purposes.
*turnaround document- a document that is printed as an output of one computer process and is used to
capture and input a subsequent transaction
*Data encryption- a process that employs mathematical algorithms and keys to encode data so that it is unintelligible to anyone who does not hold the corresponding key.
*One-for-one checking- the shipping clerk compares each line on the shipping document to the items to be shipped, to ensure that the shipment is accurate.
*We prefer to enter data close to the originating source to ensure that business event data is entered in a
timely manner and that personnel who enter the data can confirm its legitimacy and easily correct errors.
*tickler file-The file of open sales orders .The manager of shipping reviews a file of open sales orders--items
to be shipped today--to determine that all shipments are made in a timely manner.
*When there are programmed edits to control data entry, we would expect to also find procedures for
rejected inputs to ensure that erroneous items are corrected and re-input.
*Encryption- The process of encoding data so that it may only be read by someone having a key.
