Kế toán kiểm toán - Chapter 8: Computer controls and security

Accounting Information Systems9th EditionMarshall B. Romney Paul John Steinbart8-1©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartComputer Controls and SecurityChapter 88-2©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning ObjectivesIdentify and explain the four principles of systems reliability and the three criteria used to evaluate whether the principles have been achieved.Identify and explain the controls that apply to more than one principle of reliability.Identify and explain the controls that help explain that a system is available to users when needed.3©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning ObjectivesIdentify and explain the security controls that prevent unauthorized access to information, software, and other system resources.Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.4©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionDuring his fifth month at Northwest Industries, Jason Scott is assigned to audit Seattle Paper Products (SPP).Jason’s task is to review randomly selected payable transactions, track down all supporting documents, and verify that all transactions have been properly authorized.5©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionJason is satisfied that many of the transactions are valid and accurate.However, some transactions involve the purchase of services from Pacific Electric.These transactions were processed on the basis of vendor invoices approved by management.Five of these invoices bear the initials “JLC.”6©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionJLC is Jack Carlton, the general supervisor.Carlton denies initialing the invoices, and claims he has never heard of Pacific Electric.What questions does Jason have?Is Carlton telling the truth?If Carlton is not telling the truth, what is he up to?7©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntroductionIf Pacific Electric is a fictitious company, how could SPP’s control systems allow its invoices to be processed and approved for payment?This chapter discusses the many different types of controls that companies use to ensure the integrity of their AIS.8©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 1Identify the four principles of systems reliability and the three criteria used to evaluate whether or not the principles have been achieved.9©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThe Four Principles of a Reliable SystemAvailability of the system when needed.Security of the system against unauthorized physical and logical access.Maintainability of the system as required without affecting its availability, security, and integrity.Integrity of the system to ensure that processing is complete, accurate, timely, and authorized.10©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartThe Criteria Used To Evaluate Reliability PrinciplesFor each of the four principles of reliability, three criteria are used to evaluate whether or not the principle has been achieved.The entity has defined, documented, and communicated performance objectives, policies, and standards that achieve each of the four principles.The entity uses procedures, people, software, data, and infrastructure to achieve each principle in accordance with established policies and standards.The entity monitors the system and takes action to achieve compliance with the objectives, policies, and standards for each principle.11©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 2Identify and explain the controls that apply to more than one principle of reliability.12©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartControls Related to More Than One Reliability PrincipleStrategic Planning & BudgetingDeveloping a Systems Reliability PlanDocumentation13©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartControls Related to More Than One Reliability PrincipleDocumentation may be classified into three basic categories:Administrative documentation: Describes the standards and procedures for data processing.Systems documentation: Describes each application system and its key processing functions.Operating documentation: Describes what is needed to run a program.14©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 3Identify and explain the controls that help explain that a system is available to users when needed.15©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartAvailabilityAvailabilityMinimizing Systems DowntimePreventive maintenanceUPSFault toleranceDisaster Recovery PlanMinimize the extent of disruption, damage, and lossTemporarily establish an alternative means of processing informationResume normal operations as soon as possible16©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartAvailability Disaster Recovery, continuedTrain and familiarize personnel with emergency operationsPriorities for the recovery processInsuranceBackup data and program filesElectronic vaultingGrandfather-father-son conceptRollback proceduresSpecific assignmentsBackup computer and telecommunication facilitiesPeriodic testing and revisionComplete documentation17©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 4Identify and explain the security controls that prevent unauthorized access to information, software, and other system resources.18©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartDeveloping a Security PlanDeveloping and continuously updating a comprehensive security plan is one of the most important controls a company can identify.What questions need to be asked?Who needs access to what information? When do they need it?On which systems does the information reside?19©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of Duties Withinthe Systems FunctionIn a highly integrated AIS, procedures that used to be performed by separate individuals are combined.Any person who has unrestricted access to the computer, its programs, and live data could have the opportunity to both perpetrate and conceal fraud.To combat this threat, organizations must implement compensating control procedures.20©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of Duties Withinthe Systems FunctionAuthority and responsibility must be clearly divided among the following functions:Systems administrationNetwork managementSecurity managementChange managementUsersSystems analysisProgrammingComputer operationsInformation system libraryData control21©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartSegregation of Duties Withinthe Systems FunctionIt is important that different people perform these functions.Allowing a person to perform two or more of them exposes the company to the possibility of fraud.22©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartPhysical Access ControlsHow can physical access security be achieved? Place computer equipment in locked rooms and restrict access to authorized personnelHave only one or two entrances to the computer roomRequire proper employee IDRequire that visitors sign a logUse a security alarm systemRestrict access to private secured telephone lines and terminals or PCs.Install locks on PCs.Restrict access of off-line programs, data and equipmentLocate hardware and other critical system components away from hazardous materials.Install fire and smoke detectors and fire extinguishers that don not damage computer equipment23©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLogical Access ControlsUsers should be allowed access only to the data they are authorized to use and then only to perform specific authorized functions. What are some logical access controls?passwordsphysical possession identificationbiometric identificationcompatibility tests24©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartProtection of PCs and Client/Server NetworksMany of the policies and procedures for mainframe control are applicable to PCs and networks.The following controls are also important:Train users in PC-related control concepts.Restrict access by using locks and keys on PCs.Establish policies and procedures.25©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartProtection of PCs and Client/Server NetworksPortable PCs should not be stored in cars.Keep sensitive data in the most secure environment possible.Install software that automatically shuts down a terminal after its been idle for a certain amount of time.Back up hard disks regularly.Encrypt or password protect files.Build protective walls around operating systems.Ensure that PCs are booted up within a secure system.Use multilevel password controls to limit employee access to incompatible data.Use specialists to detect holes in the network.26©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInternet and e-Commerce ControlsWhy caution should be exercised when conducting business on the Internet.the large and global base of people that depend on the Internetthe variability in quality, compatibility, completeness, and stability of network products and services27©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInternet and e-Commerce Controlsaccess of messages by otherssecurity flaws in Web sitesattraction of hackers to the InternetWhat controls can be used to secure Internet activity?passwordsencryption technologyrouting verification procedures28©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartInternet and e-Commerce ControlsAnother control is installing a firewall, hardware and software that control communications between a company’s internal network (trusted network) and an external network.The firewall is a barrier between the networks that does not allow information to flow into and out of the trusted network.Electronic envelopes can protect e-mail messages29©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 5Identify and explain the controls that help ensure that a system can be properly maintained, while still providing for system availability, security, and integrity.30©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartMaintainabilityTwo categories of controls help ensure the maintainability of a system:Project development and acquisition controlsChange management controls31©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartProject Development and Acquisition ControlsProject development and acquisition controls include:Strategic Master PlanProject ControlsData Processing ScheduleSystem Performance MeasurementsPostimplementation Review32©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartChange Management ControlsChange management controls include:Periodically review all systems for needed changesRequire all requests to be submitted in standardized formatLog and review requests form authorized users for changes and additions to systemsAssess the impact of requested changes on system reliability objectives, policies and standards33©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartChange Management Controls, continuedCategorize and rank all changes using established prioritiesImplement procedures to handle urgent mattersCommunicate all changes to managementRequire IT management to review, monitor, and approve all changes to software, hardware and personnel responsibilitiesAssign specific responsibilities to those involved in the change and monitor their work.34©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartChange Management Controls, continuedControl system access rights to avoid unauthorized systems and data accessMake sure all changes go through the appropriate stepsTest all changesMake sure there is a plan for backing our of any changes in the event they don’t work properlyImplement a quality assurance functionUpdate all documentation and procedures when change is implemented35©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartLearning Objective 6Identify and explain the integrity controls that help ensure that system processing is complete, accurate, timely, and authorized.36©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrityA company designs general controls to ensure that its overall computer system is stable and well managed.Application controls prevent, detect and correct errors in transactions as they flow through the various stages of a specific data processing program.37©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity: Source Data Controls Companies must establish control procedures to ensure that all source documents are authorized, accurate , complete and properly accounted for, and entered into the system or sent ot their intended destination in a timely manner. Source data controls include:38©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity: Source Data Controls Forms designPrenumbered forms sequence testTurnaround documentsCancellation and storage of documentsAuthorization and segregation of dutiesVisual scanningCheck digit verificationKey verification39©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity:Input Validation Routines Input validation routines are programs the check the integrity of input data. They include:Limit checkRange checkReasonableness testRedundant data checkSequence checkField checkSign checkValidity checkCapacity check40©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity: On-line Data Entry ControlsThe goal of on-line data entry control is to ensure the integrity of transaction data entered from on-line terminals and PCs by minimizing errors and omissions.They include:41©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity: On-line Data Entry ControlsField, limit, range, reasonableness, sign, validity, redundant data checksUser ID numbersCompatibility testsAutomatic entry of transaction data, where possiblePromptingPreformattingCompleteness checkClosed-lop verificationTransaction logError messagesRetain data for legal purposes42©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity: Data Processing and Storage ControlsControls to help preserve the integrity of data processing and stored data:Policies and proceduresData control functionReconciliation procedureExternal data reconciliationException reporting43©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartIntegrity: Data Processing and Storage Controls, continuedData currency checksDefault valuesData matchingFile labelsWrite protection mechanismsDatabase protection mechanismsData conversion controlsData security44©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartOutput ControlsThe data control functions should review all output for reasonableness and proper format and should reconcile corresponding output and input control totals.Data control is also responsible for distributing computer output to the appropriate user departments.45©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartOutput ControlsUsers are responsible for carefully reviewing the completeness and accuracy of all computer output that they receive.A shredder can be used to destroy highly confidential data.46©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartData Transmission ControlsTo reduce the risk of data transmission failures, companies should monitor the network.How can data transmission errors be minimized?using data encryption (cryptography)implementing routing verification proceduresadding parityusing message acknowledgment techniques47©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartData Transmission Controls Data Transmission Controls take on added importance in organizations that utilize electronic data interchange (EDI) or electronic funds transfer (EFT).48©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartData Transmission ControlsIn these types of environments, sound internal control is achieved using the following control procedures:Physical access to network facilities should be strictly controlled.Electronic identification should be required for all authorized network terminals.Strict logical access control procedures are essential, with passwords and dial-in phone numbers changed on a regular basis.49©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartData Transmission ControlsControl procedures, continuedEncryption should be used to secure stored data as well as data being transmitted.Details of all transactions should be recorded in a log that is periodically reviewed.50©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartCase ConclusionWere Jason and his supervisor able to identify the source of the fictitious invoices? No.They asked the police to identify the owner of the Pacific Electric bank account. What did the police discover? Patricia Simpson, a data entry clerk at SPP, was the owner of the account.51©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/SteinbartEnd of Chapter 852©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart53©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart