Chapter 10:

Computer Controls for Organizations and

Accounting Information Systems

Introduction
Enterprise Level Controls
General Controls for Information Technology
Application Controls for Transaction
Processing

Chapter
10-1

Enterprise Level Controls

Consistent policies and procedures
Managements risk assessment process
Centralized processing and controls
Controls to monitor results of operations

Chapter
10-2

Enterprise Level Controls

Controls to monitor the internal audit
function, the audit committee, and selfassessment programs
Period-end financial reporting process
Board-approved policies that address
significant business control and risk
management practices
Chapter
10-3

Risk Assessment and

Security Policies

Chapter
10-4

Integrated Security for

the Organization
Physical Security
Measures

used to protect its facilities, resources,

or proprietary data stored on physical media

Logical Security
Limit

access to system and information to

authorized individuals

Integrated Security
Combines

physical and logical elements

Supported by comprehensive security policy

Chapter
10-5

Physical and Logical

Security

Chapter
10-6

General Controls for

Information Technology
Access to Data, Hardware, and Software
Protection of Systems and Data with
Personnel Policies
Protection of Systems and Data with
Technology and Facilities
Chapter
10-7

General Controls for

Information Technology
IT general controls apply to all information
systems
Major Objectives
Access

to programs and data is limited to

authorized users
Data and systems protected from change, theft,
and loss
Computer programs are authorized, tested, and
Chapter
approved before usage
10-8

Access to Data,
Hardware, and
Software
Utilization of strong passwords
8

or more characters in length..or longer

Different types of characters
Letters, numbers, symbols

Biometric identification
Distinctive

user physical characteristics

Voice patterns, fingerprints, facial patterns,
retina prints

Chapter
10-9

Security for Wireless

Technology
Utilization of wireless local area networks
Virtual Private Network (VPN)
Allows

remote access to entity resources

Data Encryption
Data

converted into a scrambled format

Converted back to meaningful format following
transmission
Chapter
10-10

Data Encryption

Chapter
10-11

Controls for Networks

Control Problems
Electronic

eavesdropping
Hardware or software malfunctions
Errors in data transmission

Control Procedures
Checkpoint

control procedure
Routing verification procedures
Message acknowledgment procedures

Chapter
10-12

Controls for Personal

Computers
Take an inventory of personal computers
Identify applications utilized by each
personal computer
Classify computers according to risks and
exposures
Enhance physical security
Chapter
10-13

Additional Controls for

Laptops

Chapter
10-14

Personnel Policies
Separation of Duties
Separate Accounting

and Information Processing

from Other Subsystems
Separate Responsibilities within IT Environment

Use of Computer Accounts

Each

employee has password protected account

Biometric identification
Chapter
10-15

Separation of Duties

Chapter
10-16

Division of Responsibility
in IT Environment

Chapter
10-17

Division of Responsibility
in IT Environment

Chapter
10-18

Personnel Policies
Identifying Suspicious Behavior
Protect

against fraudulent employee actions

Observation of suspicious behavior
Highest percentage of fraud involved employees
in the accounting department
Must safeguard files from intentional and
unintentional errors
Chapter
10-19

Safeguarding Computer
Files

Chapter
10-20

File Security Controls

Chapter
10-21

Business Continuity
Planning
Definition
Comprehensive

approach to ensuring normal

operations despite interruptions

Components
Disaster Recovery
Fault

Tolerant Systems
Backup
Chapter
10-22

Disaster Recovery
Definition
Process

and procedures
Following disruptive event

Summary of Types of Sites

Hot

Site
Flying-Start Site
Cold Site
Chapter
10-23

Fault Tolerant Systems

Definition
Used

to deal with computer errors

Ensure functional system with accurate and
complete data (redundancy)

Major Approaches
Consensus-based

protocols
Watchdog processor
Utilize disk mirroring or rollback processing

Chapter
10-24

Backup
Batch processing
Risk

of losing data before, during, and after

processing
Grandfather-parent-child procedure

Types of Backups
Hot

backup
Cold Backup
Electronic Vaulting
Chapter
10-25

Batch Processing

Chapter
10-26

Computer Facility
Controls
Locate Data Processing Centers in Safe Places
Protect

from the public

Protect from natural disasters (flood, earthquake)

Limit Employee Access

Security

Badges (color-coded with pictures)

Man Trap

Buy Insurance
Chapter
10-27

Study Break #1
A _______ is a comprehensive plan that helps protect the
enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN

Chapter
10-28

Study Break #1 - Answer

A _______ is a comprehensive plan that helps protect the
enterprise from internal and external threats.
A. Firewall
B. Security policy
C. Risk assessment
D. VPN

Chapter
10-29

Study Break #2
A _____ site is a disaster recovery site that includes a computer
system similar to the one the company regularly uses, software,
and up-to-date data so the company can resume full data
processing operations within seconds or minutes.
A. Hot
B. Cold
C. Flying start
D. Backup
Chapter
10-30

Study Break #2 - Answer

A _____ site is a disaster recovery site that includes a computer
system similar to the one the company regularly uses, software,
and up-to-date data so the company can resume full data
processing operations within seconds or minutes.
A. Hot
B. Cold
C. Flying start
D. Backup
Chapter
10-31

Study Break #3
Fault-tolerant systems are designed to tolerate computer errors
and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Chapter
10-32

Study Break #3 - Answer

Fault-tolerant systems are designed to tolerate computer errors
and are built on the concept of _________.
A. Redundancy
B. COBIT
C. COSO
D. Integrated security

Chapter
10-33

Application Controls
for Transaction
Processing
Purpose
Embedded

in business process applications

Prevent, detect, and correct errors and
irregularities

Application Controls
Input

Controls
Processing Controls
Output Controls

Chapter
10-34

Application Controls
for Transaction
Processing

Chapter
10-35

Input Controls
Purpose
Ensure validity
Ensure accuracy
Ensure completeness

Categories
Observation,

recording, and transcription of data

Edit

tests
Additional input controls
Chapter
10-36

Observation, Recording,
and Transcription of Data
Confirmation mechanism
Dual observation
Point-of-sale devices (POS)
Preprinted recording forms

Chapter
10-37

Preprinted Recording
Form

Chapter
10-38

Edit Tests
Input Validation Routines (Edit Programs)
Programs

or subroutines
Check validity and accuracy of input data

Edit Tests
Examine

selected fields of input data

Rejects data not meeting preestablished standards
of quality
Chapter
10-39

Edit Tests

Chapter
10-40

Edit Tests

Chapter
10-41

Additional Input Controls

Validity Test
Transactions

matched with master data files

Transactions lacking a match are rejected

Check-Digit Control Procedure

Chapter
10-42

Processing Controls
Purpose
Focus

on manipulation of accounting data

Contribute

to a good audit trail

Two Types
Control
Data

totals

manipulation controls
Chapter
10-43

Audit Trail

Chapter
10-44

Control Totals
Common Processing Control Procedures
Batch

control total
Financial control total
Nonfinancial control total
Record count
Hash total

Chapter
10-45

Data Manipulation
Controls
Data Processing
Following

validation of input data

Data manipulated to produce decision-useful
information

Processing Control Procedures

Software Documentation
Error-Testing

Compiler
Utilization of Test Data

Chapter
10-46

Output Controls
Purpose
Ensure validity
Ensure accuracy
Ensure completeness

Major Types
Validating

Processing Results
Regulating Distribution and Use of Printed Output
Chapter
10-47

Output Controls
Validating Processing Results
Preparation

of activity listings
Provide detailed listings of changes to master files

Regulating Distribution and Use of Printed

Output
Forms

control
Pre-numbered forms
Authorized distribution list

Chapter
10-48

Study Break #4
A ______ is a security appliance that runs behind a firewall
and allows remote users to access entity resources by using
wireless, handheld devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Chapter
10-49

Study Break #4 - Answer

A ______ is a security appliance that runs behind a firewall
and allows remote users to access entity resources by using
wireless, handheld devices.
A. Data encryption
B. WAN
C. Checkpoint
D. VPN

Chapter
10-50

Study Break #5
Organizations use ______ controls to prevent, detect, and
correct errors and irregularities in transactions that are
processed.
A. Specific
B. General
C. Application
D. Input

Chapter
10-51

Study Break #5 - Answer

Organizations use ______ controls to prevent, detect, and
correct errors and irregularities in transactions that are
processed.
A. Specific
B. General
C. Application
D. Input

Chapter
10-52

Copyright
Copyright 2012 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the
express written permission of the copyright owner is unlawful.
Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser
may make backup copies for his/her own use only and not for
distribution or resale. The Publisher assumes no responsibility for errors,
omissions, or damages, caused by the use of these programs or from the
use of the information contained herein.

Chapter
10-53

Chapter 10

Chapter
10-54