
Chapter 10:
Computer Controls for Organizations and Accounting Information Systems

Introduction
Enterprise Level Controls
General Controls for Information Technology
Application Controls for Transaction Processing

Chapter 10-1

Enterprise Level Controls

Consistent policies and procedures
Management's risk assessment process
Centralized processing and controls
Controls to monitor results of operations

Chapter 10-2

Enterprise Level Controls

Controls to monitor the internal audit function, the audit committee, and self-assessment programs
Period-end financial reporting process
Board-approved policies that address significant business control and risk management practices

Chapter 10-3

Risk Assessment and Security Policies

Chapter 10-4

Integrated Security for the Organization

Physical Security
Measures used to protect its facilities, resources, or proprietary data stored on physical media
Logical Security
Limit access to systems and information to authorized individuals
Integrated Security
Combines physical and logical elements
Supported by a comprehensive security policy

Chapter 10-5

Physical and Logical Security

Chapter 10-6

General Controls for Information Technology

Access to Data, Hardware, and Software
Protection of Systems and Data with Personnel Policies
Protection of Systems and Data with Technology and Facilities

Chapter 10-7

General Controls for Information Technology

IT general controls apply to all information systems
Major Objectives
Access to programs and data is limited to authorized users
Data and systems protected from change, theft, and loss
Computer programs are authorized, tested, and approved before usage

Chapter 10-8

Access to Data, Hardware, and Software

Utilization of strong passwords
8 or more characters in length, or longer
Different types of characters
Letters, numbers, symbols

Biometric identification
Distinctive user physical characteristics
Voice patterns, fingerprints, facial patterns, retina prints

Chapter 10-9

Security for Wireless Technology

Utilization of wireless local area networks

Virtual Private Network (VPN)
Allows remote access to entity resources

Data Encryption
Data converted into a scrambled format
Converted back to meaningful format following transmission

Chapter 10-10

Data Encryption

Chapter 10-11

Controls for Networks

Control Problems
Electronic eavesdropping
Hardware or software malfunctions
Errors in data transmission

Control Procedures
Checkpoint control procedure
Routing verification procedures
Message acknowledgment procedures

Chapter 10-12

Controls for Personal Computers

Take an inventory of personal computers
Identify applications utilized by each personal computer
Classify computers according to risks and exposures
Enhance physical security

Chapter 10-13

Additional Controls for Laptops

Chapter 10-14

Personnel Policies

Separation of Duties
Separate Accounting and Information Processing from Other Subsystems
Separate Responsibilities within IT Environment

Use of Computer Accounts
Each employee has a password-protected account
Biometric identification

Chapter 10-15

Separation of Duties

Chapter 10-16

Division of Responsibility in IT Environment

Chapter 10-17

Division of Responsibility in IT Environment

Chapter 10-18

Personnel Policies

Identifying Suspicious Behavior
Protect against fraudulent employee actions
Observation of suspicious behavior
Highest percentage of fraud involved employees in the accounting department
Must safeguard files from intentional and unintentional errors

Chapter 10-19

Safeguarding Computer Files

Chapter 10-20

File Security Controls

Chapter 10-21

Business Continuity Planning

Definition
Comprehensive approach to ensuring normal operations despite interruptions

Components
Disaster Recovery
Fault-Tolerant Systems
Backup

Chapter 10-22

Disaster Recovery

Definition
Process and procedures
Following a disruptive event

Summary of Types of Sites
Hot Site
Flying-Start Site
Cold Site

Chapter 10-23

Fault-Tolerant Systems

Definition
Used to deal with computer errors
Ensure a functional system with accurate and complete data (redundancy)

Major Approaches
Consensus-based protocols
Watchdog processor
Utilize disk mirroring or rollback processing

Chapter 10-24

Backup

Batch processing
Risk of losing data before, during, and after processing
Grandfather-parent-child procedure

Types of Backups
Hot backup
Cold backup
Electronic vaulting

Chapter 10-25

Batch Processing

Chapter 10-26

Computer Facility Controls

Locate Data Processing Centers in Safe Places
Protect from the public
Protect from natural disasters (flood, earthquake)

Limit Employee Access
Security
Badges (color-coded with pictures)
Man trap

Buy Insurance

Chapter 10-27

Study Break #1

A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.

A. Firewall
B. Security policy
C. Risk assessment
D. VPN

Chapter 10-28

Study Break #1 - Answer

A _______ is a comprehensive plan that helps protect the enterprise from internal and external threats.

A. Firewall
B. Security policy
C. Risk assessment
D. VPN

Chapter 10-29

Study Break #2

A _____ site is a disaster recovery site that includes a computer system similar to the one the company regularly uses, software, and up-to-date data so the company can resume full data processing operations within seconds or minutes.

A. Hot
B. Cold
C. Flying start
D. Backup

Chapter 10-30

Study Break #2 - Answer

A _____ site is a disaster recovery site that includes a computer system similar to the one the company regularly uses, software, and up-to-date data so the company can resume full data processing operations within seconds or minutes.

A. Hot
B. Cold
C. Flying start
D. Backup

Chapter 10-31

Study Break #3

Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.

A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Chapter 10-32

Study Break #3 - Answer

Fault-tolerant systems are designed to tolerate computer errors and are built on the concept of _________.

A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Chapter 10-33

Application Controls for Transaction Processing

Purpose
Embedded in business process applications
Prevent, detect, and correct errors and irregularities

Application Controls
Input Controls
Processing Controls
Output Controls

Chapter 10-34

Application Controls for Transaction Processing

Chapter 10-35

Input Controls

Purpose
Ensure validity
Ensure accuracy
Ensure completeness

Categories
Observation, recording, and transcription of data
Edit tests
Additional input controls

Chapter 10-36

Observation, Recording, and Transcription of Data

Confirmation mechanism
Dual observation
Point-of-sale devices (POS)
Preprinted recording forms

Chapter 10-37

Preprinted Recording Form

Chapter 10-38

Edit Tests

Input Validation Routines (Edit Programs)
Programs or subroutines
Check validity and accuracy of input data

Edit Tests
Examine selected fields of input data
Reject data not meeting preestablished standards of quality

Chapter 10-39

Edit Tests

Chapter 10-40

Edit Tests

Chapter 10-41

Additional Input Controls

Validity Test
Transactions matched with master data files
Transactions lacking a match are rejected

Check-Digit Control Procedure

Chapter 10-42

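The edit tests (slide 10-39) and the validity test and check-digit control procedure above, as one added example that is not from the textbook: a constructed batch of sales transactions is run through a field check, a limit test, a check-digit test and a master-file validity test, and every record that fails is rejected with the reason. The field names, the master file contents, the amount limit and the mod-10 (Luhn) check-digit scheme are assumptions; the deck names the control but not the algorithm.

```python
# Added example (not from the textbook). Field names, the master file,
# the amount limit and the mod-10 (Luhn) check-digit scheme are assumptions.
MASTER_ACCOUNTS = {"1234566", "8765430"}  # constructed master file
def mod10_check_digit(body):
    """Luhn (mod-10) check digit: from the right, double every second
    digit, subtract 9 if the product exceeds 9, and sum everything."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def check_digit_ok(account):
    """Last digit must equal the check digit computed over the rest."""
    return len(account) > 1 and mod10_check_digit(account[:-1]) == account[-1]

def edit_transaction(txn):
    """Run the edit tests on one record; return the list of failures."""
    errors = []
    acct = str(txn.get("account", ""))
    if not acct.isdigit():
        errors.append("account: field check (digits only)")
    elif not check_digit_ok(acct):
        errors.append("account: check digit")  # typical keying error
    elif acct not in MASTER_ACCOUNTS:
        errors.append("account: validity test (no master record)")
    amount = txn.get("amount")
    if not isinstance(amount, (int, float)):
        errors.append("amount: field check (numeric)")
    elif not 0 < amount <= 10_000:
        errors.append("amount: limit test (0 < amount <= 10000)")
    return errors

def validate_batch(batch):
    """Split a batch into accepted records and rejected (record, reasons)."""
    accepted, rejected = [], []
    for txn in batch:
        errs = edit_transaction(txn)
        (rejected if errs else accepted).append((txn, errs))
    return accepted, rejected

# Constructed input batch: one clean record and three that must be rejected.
SAMPLE_BATCH = [
    {"account": "1234566", "amount": 250.00},
    {"account": "1234565", "amount": 250.00},  # last digit mis-keyed
    {"account": "1111111", "amount": 75.00},   # digit ok, not on master file
    {"account": "8765430", "amount": -10.00},  # negative amount
]
```

Note that the check digit catches the mis-keyed account before the master file is consulted, while the record with a correct check digit but no master record is only caught by the validity test.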
Processing Controls

Purpose
Focus on manipulation of accounting data
Contribute to a good audit trail

Two Types
Control totals
Data manipulation controls

Chapter 10-43

Audit Trail

Chapter 10-44

Control Totals

Common Processing Control Procedures
Batch control total
Financial control total
Nonfinancial control total
Record count
Hash total

Chapter 10-45

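The control totals listed above, as an added example that is not from the textbook: a record count, a financial control total and a hash total are taken over a constructed batch when it is keyed, recomputed after processing, and any total that disagrees is reported. The field names and the two simulated processing faults are assumptions.

```python
# Added example (not from the textbook). Field names and the simulated
# processing faults are assumptions.

def control_totals(records):
    """Record count, financial control total (sum of the money field) and
    hash total (sum of the account-number field, a figure with no business
    meaning of its own, kept only so that altered keys are detected)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["account"]) for r in records),
    }

def reconcile(expected, processed):
    """Compare totals captured at input with totals recomputed after
    processing; return the names of the totals that disagree."""
    return [name for name in expected if expected[name] != processed[name]]

# Constructed batch as keyed by the user department, with its control totals.
INPUT_BATCH = [
    {"account": "10023", "amount": 1200.00},
    {"account": "10041", "amount": 980.50},
    {"account": "10107", "amount": 1515.25},
]
EXPECTED = control_totals(INPUT_BATCH)

# Two simulated processing faults. Dropping a record disturbs all three totals.
# Transposing digits of an account number (10041 -> 10014) leaves the record
# count and the financial total intact; only the hash total reveals it.
DROPPED_RECORD = INPUT_BATCH[:2]
TRANSPOSED = [INPUT_BATCH[0], {"account": "10014", "amount": 980.50}, INPUT_BATCH[2]]

def processing_exceptions():
    """Exceptions an operator would see for each simulated run."""
    return {
        "dropped": reconcile(EXPECTED, control_totals(DROPPED_RECORD)),
        "transposed": reconcile(EXPECTED, control_totals(TRANSPOSED)),
        "clean": reconcile(EXPECTED, control_totals(INPUT_BATCH)),
    }
```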
Data Manipulation Controls

Data Processing
Following validation of input data
Data manipulated to produce decision-useful information

Processing Control Procedures
Software Documentation
Error-Testing Compiler
Utilization of Test Data

Chapter 10-46

Output Controls

Purpose
Ensure validity
Ensure accuracy
Ensure completeness

Major Types
Validating Processing Results
Regulating Distribution and Use of Printed Output

Chapter 10-47

Output Controls

Validating Processing Results
Preparation of activity listings
Provide detailed listings of changes to master files

Regulating Distribution and Use of Printed Output
Forms control
Pre-numbered forms
Authorized distribution list

Chapter 10-48

Study Break #4

A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, handheld devices.

A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Chapter 10-49

Study Break #4 - Answer

A ______ is a security appliance that runs behind a firewall and allows remote users to access entity resources by using wireless, handheld devices.

A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Chapter 10-50

Study Break #5

Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.

A. Specific
B. General
C. Application
D. Input

Chapter 10-51

Study Break #5 - Answer

Organizations use ______ controls to prevent, detect, and correct errors and irregularities in transactions that are processed.

A. Specific
B. General
C. Application
D. Input

Chapter 10-52

Copyright

Copyright 2012 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make backup copies for his/her own use only and not for
distribution or resale. The Publisher assumes no responsibility for errors,
omissions, or damages, caused by the use of these programs or from the
use of the information contained herein.

Chapter 10-53

Chapter 10

Chapter 10-54
