
COMPUTER CONTROLS FOR ORGANIZATIONS AND AIS

Control Objectives for Information and related Technology (COBIT) – a governance framework designed to help organizations control IT and maximize the value created by IT.

Control Categories: Top-down Approach

Enterprise-level Controls → General Controls → Application Controls


1 ENTERPRISE LEVEL CONTROLS

Enterprise Level Controls are controls that affect the entire organization and influence the effectiveness of other controls. They help establish the level of security and control consciousness in the organization, which is the basis of the control environment.

• Management’s ethical values and philosophy
• Assignment of authority and responsibility
• Effectiveness of the board of directors
• Consistent policies and procedures
• Risk assessment process
• Centralized processing and controls
• Controls to monitor the results of operations
• Controls to monitor other controls (i.e. the IA, Internal Audit, function)
• Period-end financial reporting

Security Policy – a comprehensive plan that helps protect an enterprise from both external and internal threats.

KEY ISSUES FOR DEVELOPING SECURITY POLICIES

• Evaluate information assets and identify threats to these assets
• Assess both external and internal threats
• Perform a risk assessment
• Determine whether the information assets are underprotected, overprotected, or adequately protected
• Create a team for drafting a policy
• Obtain approval for the policy
• Create the specific security policies
• Implement the policies throughout the organization
• Develop policy compliance measures and enforce the policies
• Manage the policies

Physical Security, Logical Security, Integrated Security

Physical Security encompasses any measures that an organization uses to protect its facilities, its resources, or its proprietary data stored on physical media.
Logical Security uses technology to limit access to the organization’s systems and information to authorized individuals only.
Integrated Security combines logical and physical security technologies.

Physical Security
• Facility monitoring
• Access controls to the facilities / data
• Alarm systems
• Shred sensitive documents
• Proper storage/disposal of hard drives and other electronic storage media
• Secure storage of back-up copies of data and master copies of critical software

Logical Security
• e-IDs and passwords
• System authentication
• Biometrics
• Logs of logon attempts
• Application-level firewalls
• Anti-virus and anti-spyware software
• Intrusion detection systems
• Encryption for data in transit
• Smart cards
2 GENERAL CONTROLS

IT General Controls (ITGC) affect the integrity of the entire information system.

ITGC Domains:
1. Access to Data, Hardware, and Software
2. Program Development
3. Program Changes
4. Computer Operations

Examples of general controls:
• Strong passwords
• Biometric identification
• Data Encryption
• Virtual Private Network (VPN)
• Checkpoint
• Routing verification procedures
• Message acknowledgment procedures
• Fault-tolerant Systems
• Inventory of portable laptops and desktops
• Back-up
• Segregation of Duties (SOD)
• Use of Computer Accounts
• Identifying Suspicious Behavior
• File Security Controls
• Business Continuity Planning

DISCUSSION QUESTIONS:
1. What are the different personnel functions within an
IT environment?
2. What are the personnel functions and responsibilities
which should be separated to ensure control’s design
and operating effectiveness within AIS?
3 APPLICATION CONTROLS

Application Controls prevent, detect, and correct errors and irregularities in processing transactions. These are controls embedded in business process applications.

INPUT → PROCESS → OUTPUT

A. Input Controls help ensure the validity, accuracy, and completeness of the data entered into an AIS.
1. Data that are rejected at the time they are input can be more easily corrected.
2. It is not cost-effective to screen accounting data continuously through the processing cycles.
3. It is vital that an AIS use accurate data in later data processing operations, to protect the master files from inaccuracies and to safeguard the computer processing in subsequent stages of the data processing work.
4. An AIS cannot provide good outputs if it does not start with good inputs.

• Confirmation Mechanism
• Dual observation
• Automated data collection and recording
• Edit tests (input validation routines)
• Validity Test
• Check-digit Control Procedures
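The input controls listed above, applied in code as an added example (this is not part of the original slides): a completeness check, field, sign and limit checks (edit tests), a validity test against a customer master file, and a mod-10 (Luhn) check-digit procedure. The customer accounts, the single-transaction limit, the processing date and the sample batch are all constructed for the illustration; Luhn is used here as one common check-digit scheme, not the one the slides prescribe.

```python
"""Input controls on a constructed batch of AIS transactions (added example)."""
from datetime import date
from decimal import Decimal, InvalidOperation

MAX_AMOUNT = Decimal("50000.00")   # constructed single-transaction limit (limit check)
AS_OF = date(2024, 3, 8)            # constructed processing date (date range check)


def luhn_check_digit(base: str) -> str:
    """Mod-10 (Luhn) check digit for the digit string `base`."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # rightmost base digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(number: str) -> bool:
    """Check-digit control: the last digit must match the Luhn digit of the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


# Constructed customer master file; each account number carries a valid check digit.
CUSTOMER_MASTER = {"10000180": "Acme Ltd", "20000154": "Beta Co", "30000129": "Gamma GmbH"}


def validate_transaction(rec: dict, today: date = AS_OF) -> list[str]:
    """Edit tests for one record; returns the reasons for rejection (empty = accept)."""
    errors = []
    # Completeness check: every required field present and non-blank.
    for field in ("account", "amount", "date", "description"):
        if not str(rec.get(field, "")).strip():
            errors.append(f"missing {field}")
    if errors:
        return errors
    account = rec["account"]
    # Check-digit control catches single-digit and transposition keying errors ...
    if not check_digit_ok(account):
        errors.append("account fails check digit")
    # ... and the validity test confirms the account exists in the master file.
    elif account not in CUSTOMER_MASTER:
        errors.append("account not in customer master")
    # Field check: amount must be numeric with at most two decimals.
    try:
        amount = Decimal(rec["amount"])
        if amount != amount.quantize(Decimal("0.01")):
            errors.append("amount has more than two decimals")
        if amount <= 0:                      # sign check
            errors.append("amount must be positive")
        elif amount > MAX_AMOUNT:            # limit (reasonableness) check
            errors.append("amount exceeds single-transaction limit")
    except InvalidOperation:
        errors.append("amount not numeric")
    # Range check on the date: well-formed and not later than the processing date.
    try:
        if date.fromisoformat(rec["date"]) > today:
            errors.append("date is in the future")
    except ValueError:
        errors.append("date not ISO format")
    return errors


def screen_batch(records, today: date = AS_OF):
    """Apply the edit tests to a batch; rejected records come back with their reasons."""
    accepted, rejected = [], []
    for rec in records:
        errs = validate_transaction(rec, today)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    return accepted, rejected


# Constructed sample batch: one clean record followed by typical keying errors.
SAMPLE_BATCH = [
    {"account": "10000180", "amount": "1250.00", "date": "2024-03-04", "description": "Invoice 1001"},
    {"account": "10000810", "amount": "1250.00", "date": "2024-03-04", "description": "Invoice 1002"},  # digits transposed
    {"account": "40000135", "amount": "99.99", "date": "2024-03-04", "description": "Invoice 1003"},    # valid digit, unknown account
    {"account": "20000154", "amount": "-40.00", "date": "2024-03-04", "description": "Credit memo"},
    {"account": "30000129", "amount": "75000.00", "date": "2024-03-09", "description": "Invoice 1005"},
    {"account": "10000180", "amount": "1,250.00", "date": "2024-03-04", "description": "Invoice 1006"},
]

if __name__ == "__main__":
    ok, bad = screen_batch(SAMPLE_BATCH)
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for rec, errs in bad:
        print(rec["description"], "->", "; ".join(errs))
```

The check-digit test is applied before the master-file lookup so that a mis-keyed account is reported as a keying error rather than as an unknown customer; the two tests answer different questions and both are needed.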

B. Processing Controls focus on the manipulation of accounting data after they are input to the computer system.

• Printed transaction listing
• Control totals (Batch control total; Record count; Hash total)
• Data Manipulation Controls (Software Documentation / Systems Documentation; Compiler and Test Data)
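Control totals and the printed transaction listing, as an added worked example that is not part of the original slides: the batch control total (sum of the amount field), the record count and the hash total (sum of the account-number field, which has no financial meaning) are established from the source documents before processing, recomputed after processing, and reconciled. The batch, the account numbers and the three injected processing errors are constructed for the illustration.

```python
"""Processing controls on a constructed batch of sales transactions (added example)."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int          # detects lost or duplicated records
    batch_total: Decimal       # financial total of the amount field; detects altered amounts
    hash_total: int            # sum of account numbers; detects changed or swapped account keys


def compute_totals(records) -> ControlTotals:
    """Control totals over a list of (account, amount) records."""
    return ControlTotals(
        record_count=len(records),
        batch_total=sum((Decimal(amt) for _, amt in records), Decimal("0")),
        hash_total=sum(int(acct) for acct, _ in records),
    )


def reconcile(expected: ControlTotals, actual: ControlTotals) -> list[str]:
    """Names of the control totals that do not agree after processing."""
    failures = []
    if expected.record_count != actual.record_count:
        failures.append("record count")
    if expected.batch_total != actual.batch_total:
        failures.append("batch control total")
    if expected.hash_total != actual.hash_total:
        failures.append("hash total")
    return failures


def transaction_listing(records) -> str:
    """Printed transaction listing with its totals, for review against the source documents."""
    lines = [f"{acct:>10} {Decimal(amt):>12.2f}" for acct, amt in records]
    t = compute_totals(records)
    lines.append(f"{'records':>10} {t.record_count:>12d}")
    lines.append(f"{'total':>10} {t.batch_total:>12.2f}")
    lines.append(f"{'hash':>10} {t.hash_total:>12d}")
    return "\n".join(lines)


# Constructed batch as keyed from the source documents.
SOURCE_BATCH = [
    ("10000180", "1250.00"),
    ("20000154", "99.99"),
    ("30000129", "400.00"),
]
EXPECTED = compute_totals(SOURCE_BATCH)   # established before processing

# Three constructed processing outcomes, each with one kind of error injected.
DROPPED_RECORD = SOURCE_BATCH[:2]                                             # last record lost
KEYED_AMOUNT = [SOURCE_BATCH[0], ("20000154", "99.90"), SOURCE_BATCH[2]]      # 99.99 became 99.90
SWAPPED_ACCOUNT = [SOURCE_BATCH[0], ("20000145", "99.99"), SOURCE_BATCH[2]]   # account digits transposed


def run_checks() -> dict:
    """Reconcile each outcome against the pre-processing totals."""
    return {
        "clean": reconcile(EXPECTED, compute_totals(SOURCE_BATCH)),
        "dropped": reconcile(EXPECTED, compute_totals(DROPPED_RECORD)),
        "amount": reconcile(EXPECTED, compute_totals(KEYED_AMOUNT)),
        "account": reconcile(EXPECTED, compute_totals(SWAPPED_ACCOUNT)),
    }


if __name__ == "__main__":
    print(transaction_listing(SOURCE_BATCH))
    for name, failures in run_checks().items():
        print(name, "->", failures or "all totals agree")
```

Each total catches a different failure: a dropped record disturbs all three, a mis-keyed amount disturbs only the batch control total, and a transposed account number disturbs only the hash total, which is why the three are used together rather than any one alone.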

C. Output Controls are controls to ensure the output’s validity, accuracy, and completeness.

• Validating processing results – checking of listings against source documents
• Regulating distribution and use of printed output
  - Forms controls
  - Authorized distribution list

END
