C HAPTER 8

Information Systems Controls

for System Reliability
Part 2: Confidentiality, Privacy,
Processing Integrity, and
Availability

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 1 of 136
 INTRODUCTION

• Questions to be addressed in this chapter

include:
– What controls are used to protect the confidentiality of
sensitive information?
– What controls are designed to protect privacy of
customers’ personal information?
– What controls ensure processing integrity?
– How are information systems changes controlled to
ensure that the new system satisfies all five principles
of systems reliability?

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 2 of 136
 INTRODUCTION

• Reliable systems satisfy

SYSTEMS five principles:
RELIABILITY
– Information Security
PROCESSING INTEGRITY

(discussed in Chapter 7)
CONFIDENTIALITY

AVAILABILITY
– Confidentiality
PRIVACY

– Privacy
– Processing integrity
– Availability

SECURITY

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 3 of 136
 CONFIDENTIALITY

 Reliable systems
SYSTEMS
RELIABILITY
maintain the
confidentiality of
PROCESSING INTEGRITY

sensitive information.
CONFIDENTIALITY

AVAILABILITY
PRIVACY

SECURITY

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 4 of 136
 CONFIDENTIALITY

• Maintaining confidentiality requires that

management identify which information is
sensitive.
• Each organization will develop its own
definitions of what information needs to be
protected.• COBIT control objective PO 2.3 specifies the
need to identify and to properly label potentially
• Most definitions will include:
sensitive information, to assign responsibility for
– Business plans
its protection, and to implement appropriate
– controls.
Pricing strategies
– Client and customer lists
– Legal documents

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 5 of 136
 CONFIDENTIALITY

 Table 8-1 in your textbook summaries key

controls to protect confidentiality of information:

Situation Controls
Storage Encryption and access controls
Transmission Encryption
Disposal Shredding, thorough erasure, physical
destruction
Overall Categorization to reflect value and training
in proper work practices

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 6 of 136
 CONFIDENTIALITY

• Encryption is a fundamental control procedure

for protecting the confidentiality of sensitive
information.
• Confidential information should be encrypted:
– While stored
– Whenever transmitted

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 7 of 136
 CONFIDENTIALITY

• The Internet provides inexpensive transmission,

but data is easily intercepted.
• Encryption solves the interception issue.
• If data is encrypted before sending it, a virtual
private network (VPN) is created.
– Provides the functionality of a privately owned
network
– But uses the Internet

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 8 of 136
 CONFIDENTIALITY

• Use of VPN software creates private

communication channels, often referred to as
tunnels.
– The tunnels are accessible only to parties who have
the appropriate encryption and decryption keys.
– Cost of •theInVPN
accordance with COBIT DS 5.11, VPNs include
software is much less than costs of
controls to authenticate the parties exchanging
leasing or information
buying a privately-owned, secure
and to create an audit trail of the
communications network.
exchange.
– Also, makes it much easier to add or remove sites
from the “network.”

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 9 of 136
 CONFIDENTIALITY

• It is critical to encrypt any sensitive information

stored in devices that are easily lost or stolen,
such as laptops, PDAs, cell phones, and other
portable devices.
– Many organizations have policies against storing
sensitive information on these devices.
– 81% of users admit they do so anyway.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 10 of 136
 CONFIDENTIALITY
• Encryption alone is not sufficient to protect
confidentiality. Given enough time, many encryption
schemes can be broken.
• Access controls are also needed:
– To prevent unauthorized parties from obtaining the encrypted
data; and
– Because not all confidential information can be encrypted in
storage.
• Strong authentication techniques are necessary.
• Strong authorization controls should be used to limit the
actions (read, write, change, delete, copy, etc.) that
authorized users can perform when accessing
confidential information.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 11 of 136
 CONFIDENTIALITY
• Access to system outputs should also be controlled:
– Do not allow visitors to roam through buildings unsupervised.
– Require employees to log out of any application before leaving
their workstation unattended, so other employees do not have
unauthorized access.
– Workstations should use password-protected screen savers that
automatically engage when there is no activity for a specified
period.
– Access should be restricted to rooms housing printers and fax
machines.
– Reports should be coded to reflect the importance of the
information therein, and employees should be trained not to
leave reports with sensitive information laying in plain view.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 12 of 136
 CONFIDENTIALITY

• It is especially important to control

disposal of information resources.
• Printed reports and microfilm with
sensitive information should be shredded.
• COBIT control objective DS 11.4 addresses the
need to define and implement procedures
governing the disposal of sensitive data and any
hardware on which that data was stored.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 13 of 136
 CONFIDENTIALITY
• Special procedures are needed for information stored on
magnet and optical media.
– Using built-in operating system commands to delete the
information does not truly delete it, and utility programs will often
be able to recover these files.
– De-fragmenting a disk may actually create multiple copies of a
“deleted” document.
– Consequently, special software should be used to “wipe” the
media clean by repeatedly overwriting the disk with random
patterns of data (sometimes referred to as “shredding” a disk).
– Magnetic disks and tapes can be run through devices to
demagnetize them.
– The safest alternative may be to physically destroy disks with
highly sensitive data.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 14 of 136
 CONFIDENTIALITY
• Controls to protect confidentiality must be
continuously reviewed and modified to respond
to new threats created by technological
advances.
• Many organizations now prohibit visitors from
using cell phones while touring their facilities
because of the threat caused by cameras in
these phones.
• Because these devices are easy to hide, some
organizations use jamming devices to deactivate
their imaging systems while on company
premises.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 15 of 136
 CONFIDENTIALITY

• Phone conversations have also been affected by

technology.
• The use of voice-over-the-Internet (VoIP)
technology means that phone conversations are
routed in packets over the Internet.
– Because this technology makes wiretapping much
easier, conversations about sensitive topics should be
encrypted.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 16 of 136
 CONFIDENTIALITY

• Employee use of email and instant messaging

(IM) probably represents two of the greatest
threats to the confidentiality of sensitive
information.
– It is virtually impossible to control its distribution once
held by the recipient.
– Organizations need to develop comprehensive
policies governing the appropriate and allowable use
of these technologies for business purposes.
– Employees need to be trained on what type of
information they can and cannot share, especially
with IM.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 17 of 136
 CONFIDENTIALITY

• Many organizations are taking steps to address

the confidentiality threats created by email and
IM.
– One response is to mandate encryption of all email
with sensitive information.
– Some organizations prohibit use of freeware IM
products and purchase commercial products with
security features, including encryption.
– Users sending emails must be trained to be very
careful about the identity of their addressee.
• EXAMPLE: The organization may have two employees
named Allen Smith. It’s critical that sensitive information go to
the correct Allen Smith.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 18 of 136
 PRIVACY
• In the Trust Services
framework, the privacy
SYSTEMS
RELIABILITY
principle is closely related to
the confidentiality principle.
PROCESSING INTEGRITY

• Primary difference is that

CONFIDENTIALITY

AVAILABILITY privacy focuses on protecting

personal information about
PRIVACY

customers rather than

organizational data.
• Key controls for privacy are
the same that were
previously listed for
confidentiality.
SECURITY

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 19 of 136
 PRIVACY

• COBIT section DS 11 addresses the

management of data and specifies the need to
comply with regulatory requirements.
• A number of regulations, including the Health
Insurance Portability and Accountability Act
(HIPAA) and the Financial Services
Modernization Act (aka, Gramm-Leach-Billey
Act) require organizations to protect the privacy
of customer information.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 20 of 136
 PRIVACY

• The Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices
for protecting the privacy of customers’ personal
information:
– Management

• The organization establishes a set of procedures

and policies for protecting privacy of personal
information it collects.
• Assigns responsibility and accountability for
those policies to a specific person or group.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 21 of 136
 PRIVACY

• The Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices
for protecting the privacy of customers’ personal
information:
– Management
– Notice
• Provides notice about its policies and practices
when it collects the information or as soon as
practicable thereafter.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 22 of 136
 • Describes the choices available to
individuals and obtains their consent
PRIVACY
to the collection and use of their
personal information.
• Choices may differ across countries.
• The Trust Services privacy framework of the AICPA and
– United States—The default is “opt
CICA lists ten internationally recognized best practices
out,” i.e., organizations can collect
for protecting the privacy of customers’ personalabout
personal information
information: customers unless the customer
– Management explicitly objects.
– Notice – Europe—The default is “opt in,”
– Choice and consent i.e., they can’t collect the
information unless customers
explicitly give them permission.
• Collection
– The organization collects only that
information needed to fulfill the
purposes stated in its privacy
policies.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 23 of 136
 PRIVACY

• The Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices
for protecting the privacy of customers’ personal
information:
– Management
– Notice
– Choice and consent
– Collection
• The organization collects only that
information needed to fulfill the
purposes stated in its privacy policies.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 24 of 136
 PRIVACY

• The Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices
for protecting the privacy of customers’ personal
information:
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
• The organization uses its customers’
personal information only according
to stated policy and retains that
information only as long as needed.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 25 of 136
 PRIVACY

• The Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices
for protecting the privacy of customers’ personal
information:
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
• The organization provides individuals
– Access with the ability to access, review,
correct, and delete the personal
information stored about them.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 26 of 136
 PRIVACY

• The Trust Services privacy framework of the AICPA and

CICA lists ten internationally recognized best practices
for protecting the privacy of customers’ personal
information:
– Management
– Notice • The organization discloses customers’
– Choice and consent personal information to third parties
– Collection only per stated policy and only to third
parties who provide equivalent
– Use and retention
protection.
– Access
– Disclosure to Third Parties

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 27 of 136
 • The organization takes reasonable steps to protect customers’
personal information from loss or unauthorized disclosure.
• Issues that are sometimes overlooked: PRIVACY
– Disposal of computer equipment
• Should follow the suggestions presented on section regarding
• The protection
Trust Services privacy framework of the AICPA and
of confidentiality.
–CICA
Emaillists ten internationally recognized best practices
for•protecting
If you sendthe privacy
emails of customers’
to a list of recipients,personal
each recipient
information:
typically knows who the other recipients are.
– •Management
If the email regards a private issue, e.g., perhaps it pertains to
– Notice
their AIDS treatment, then the privacy of all recipients has
been violated.
– Choice and consent
– •Collection
One remedy might be to address the recipients on the “bcc”
line of the email, rather than as original addresses.
– Use and retention
– Release of electronic documents.
– Access
• When physical documents are exchanged, sometimes
– Disclosure to Third Parties
portions are blacked out (redacted) to protect privacy.
– Security
• Similar procedures are needed for the exchange of electronic
documents.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 28 of 136
 PRIVACY
• The Trust Services privacy framework of the AICPA and CICA
lists ten internationally recognized best practices for
protecting the privacy of customers’ personal information:
– Management
– Notice
– Choice and consent
– Collection
– Use and retention
– Access
– Disclosure to Third Parties
– Security • The organization maintains the
integrity of its customers’ personal
– Quality
information.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 29 of 136
 PRIVACY
• The Trust Services privacy framework of the AICPA and CICA
lists ten internationally recognized best practices for
protecting the privacy of customers’ personal information:
– Management
– Notice
• The organization assigns one or more
– Choice and consent
employees to be responsible for
– Collection assuring and verifying compliance
– Use and retention with its stated policies.
– Access • Also provides for procedures to
– respond to customer complaints,
Disclosure to Third Parties
– Security including third-party dispute-
resolution processes.
– Quality
– Monitoring and enforcement

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 30 of 136
 PRIVACY

• As with confidentiality, encryption and access

controls are the two basic mechanisms for
protecting consumers’ personal information.
– It is common practice to use SSL to encrypt all
personal information transmitted between individuals
and the organization’s Website.
– However, SSL only protects the information in transit.
– Consequently, strong authentication controls are
needed to restrict Website visitors’ access to
individual accounts.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 31 of 136
 PRIVACY

• Organizations should consider encrypting

customers’ personal information in
storage.
– May be economically justified, because some
state• laws require
California SB 1386 companies to notify
effectively requires all
companies
to notify all their customers whenever a security
customers of security incidents.
incident may have led to the compromise of
– The notification processinformation.
personally identifiable is costly but may be
waived if the information was encrypted while
in storage.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 32 of 136
 PRIVACY

• Organizations need to train employees on how

to manage personal information collected from
customers.
– Especially important for medical and financial
information.
– Intentional misuse or unauthorized disclosure can
have serious economic consequences, including:
• Drop in stock price
• Significant lawsuits
• Government suspension of the organization’s business
activity

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 33 of 136
 PRIVACY

• One topic of concern is cookies used on Web

sites.
– A cookie is a text file created by a Website and stored
on a visitor’s hard drive. It records what the visitor has
done on the site.
– Most Websites create multiple cookies per visit to
make it easier for visitors to navigate the site.
– Browsers can be configured to refuse cookies, but it
may make the Website inaccessible.
– Cookies are text files and cannot “do” anything other
store information, but many people worry that they
violate privacy rights.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 34 of 136
 PRIVACY

• Another privacy-related issue that is of growing

concern is identity theft.
– Organizations have an ethical and moral obligation to
implement controls to protect databases that contain
their customers’ personal information.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 35 of 136
 PRIVACY

• Steps that individuals can take to minimize the risk of

becoming a victim of identity theft include:
– Shred all documents that contain personal information,
especially unsolicited credit card offers. Cross-cut shredders are
more effective.
– Never send personally identifying information in unencrypted
email.
– Beware of email, phone, and print requests to “verify” personal
information that the requesting party should already possess.
• Credit card companies won’t ask for your security code.
• The IRS won’t email you for identifying information in
response to an audit.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 36 of 136
 PRIVACY
– Do not carry your social security card with you or comply
with requests to reveal the last 4 digits.
– Limit the amount of identifying information preprinted on
checks and consider eliminating it.
– Do not place outgoing mail with checks or personal
information in your mailbox for pickup.
– Don’t carry more than a few blank checks with you.
– Use special software to thoroughly clean any digital media
before disposal, or physically destroy the media. It is
especially important to thoroughly erase or destroy hard
drives before donating or disposing of equipment.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 37 of 136
 PRIVACY
– Monitor your credit reports regularly.
– File a police report as soon as you discover that your
purse or wallet was stolen.
– Make photocopies of driver’s licenses, passports, and
credit cards. Store them with phone numbers for all the
credit cards in a safe location to facilitate notifying
authorities if they are stolen.
– Immediately cancel any lost or stolen credit cards.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 38 of 136
 PRIVACY

• A related concern involves the

overwhelming volume of spam.
– Spam is unsolicited email that contains either
advertising or offensive content.
• Reduces the efficiency benefits of email.
• Is a source of many viruses, worms, spyware, and
other malicious content.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 39 of 136
 PRIVACY

• In 2003, the U.S. Congress passed the

Controlling the Assault of Non-Solicited
Pornography and Marketing (CAN-SPAM)
Act.
– Provides criminal and civil penalties for violation of
the law.
– Applies to commercial email, which is any email with
a primary purpose of advertising or promotion.
– Covers most legitimate email sent by organizations to
customers, suppliers, or donors to non-profits.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 40 of 136
 PRIVACY

• Consequently, organizations must carefully follow the

CAN-SPAM guidelines, which include:
– The sender’s identity must be clearly displayed in the
message header.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 41 of 136
 PRIVACY

• Consequently, organizations must carefully follow the

CAN-SPAM guidelines, which include:
– The sender’s identity must be clearly displayed in the message
header.
– The subject field in the header must clearly identify the
message as an advertisement or solicitation.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 42 of 136
 PRIVACY

• Consequently, organizations must carefully follow the

CAN-SPAM guidelines, which include:
– The sender’s identity must be clearly displayed in the message
header.
– The subject field in the header must clearly identify the message
as an advertisement or solicitation.
– The body must provide recipients with a working link that
can be used to “opt out” of future email.
• Organizations have 10 days after receipt of an “opt out”
request to ensure they do not send additional
unsolicited email to that address.
• Means someone must be assigned responsibility for
processing these requests.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 43 of 136
 PRIVACY

• Consequently, organizations must carefully follow the

CAN-SPAM guidelines, which include:
– The sender’s identity must be clearly displayed in the message
header.
– The subject field in the header must clearly identify the message
as an advertisement or solicitation.
– The body must provide recipients with a working link that can be
used to “opt out” of future email.
– The body must include the sender’s valid postal address.
• Best practice (not required) would be to provide full
street address, telephone, and fax numbers.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 44 of 136
 PRIVACY

• Consequently, organizations must carefully follow the

CAN-SPAM guidelines, which include:
– The sender’s identity must be clearly displayed in the message
header.
– The subject field in the header must clearly identify the message
as an advertisement or solicitation.
– The body must provide recipients with a working link that can be
used to “opt out” of future email.
– The body must include the sender’s valid postal address.
– Organizations
• Experts should not: that organizations redesign their
recommend
• Sendownemail to randomly
Websites generated
to include addresses.
a visible means for visitors
• Set upto Websites
“opt in” todesigned
receive email.
to harvest email addresses of
potential customers.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 45 of 136
 PROCESSING INTEGRITY

• COBIT control objective

SYSTEMS DS 11.1 addresses the
RELIABILITY
need for controls over the
PROCESSING INTEGRITY

input, processing, and

CONFIDENTIALITY

AVAILABILITY
output of data.
PRIVACY

• Identifies six categories of

controls that can be used
to satisfy that objective.
• Six categories are grouped
SECURITY into three for discussion.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 46 of 136
 PROCESSING INTEGRITY

• Three categories/groups of integrity

controls are designed to meet the
preceding objectives:
– Input controls
– Processing controls
– Output controls

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 47 of 136
 PROCESSING INTEGRITY

• Three categories of integrity controls are

designed to meet the preceding
objectives:
– Input Controls
– Processing controls
– Output controls

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 48 of 136
 PROCESSING INTEGRITY

• Input Controls
– If the data entered into a system is inaccurate or
incomplete, the output will be, too. (Garbage in 
garbage out.)
– Companies must establish control procedures to
ensure that all source documents are authorized,
accurate, complete, properly accounted for, and
entered into the system or sent to their intended
destination in a timely manner.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 49 of 136
 PROCESSING INTEGRITY

• The following input controls regulate integrity of

input:
– Forms design
• Source documents and other forms should be
designed to help ensure that errors and omissions
are minimized (Chapter 18).

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 50 of 136
 PROCESSING INTEGRITY

• The following input controls regulate integrity of

input:
– Forms design
• Pre-numbered forms sequence test
• Pre-numbering helps verify that no items are
missing.
• When sequentially pre-numbered input
documents are used, the system should be
programmed to identify and report missing or
duplicate form numbers.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 51 of 136
 PROCESSING INTEGRITY

• The following input controls regulate integrity of

input:
– Forms design
– Pre-numbered forms sequence test
• Turnaround documents
• Documents sent to external parties that are prepared
in machine-readable form to facilitate their
subsequent processing as input records.
• Example: the stub that is returned by a customer
when paying a utility bill.
• Are more accurate than manually-prepared input
records.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 52 of 136
 PROCESSING INTEGRITY
• Documents that have been entered should be
canceled
– Paper documents are stamped “paid” or
• The following inputdefaced
otherwise controls regulate integrity of
input: – A flag field is set on electronic documents.
• Canceling
– Forms design documents does not mean destroying
documents.
• Pre-numbered forms sequence test
• They should be retained as long as needed to satisfy
• Turnaround documents
legal and regulatory requirements.
– Cancellation and storage of documents

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 53 of 136
 PROCESSING INTEGRITY

• The following input controls regulate integrity of

input:
– Forms design
• Pre-numbered forms sequence test
• Turnaround documents
– Cancellation and storage of documents
– Authorization and segregation of duties
• Source documents should be prepared only by
authorized personnel acting within their authority.
• Employees who authorize documents should not be
assigned incompatible functions.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 54 of 136
 PROCESSING INTEGRITY

• The following input controls regulate integrity of

input:
– Forms design
– Pre-numbered forms sequence test
– Turnaround documents
– Cancellation and storage of documents
– Authorization and segregation of duties
– Visual scanning
• Documents should be scanned for reasonableness
and propriety.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 55 of 136
 PROCESSING INTEGRITY

• The following input controls regulate integrity of

input:
– Forms design
– Pre-numbered forms sequence test
– Turnaround documents
– Cancellation and storage of documents
– Authorization and segregation of duties
– Visual scanning
– Check digit verification
– RFID security

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 56 of 136
 PROCESSING INTEGRITY

• Five categories of integrity controls are

designed to meet the preceding
objectives:
– Input controls
• Data entry controls
– Processing controls
– Output controls

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 57 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
• Determines if the characters in a field are of the
proper type.
• Example: The characters in a social security field
should all be numeric.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 58 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
• Determines if the data in a field have the appropriate
arithmetic sign.
• Example: The number of hours a student is enrolled
in during a semester could not be a negative number.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 59 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
• Tests whether an amount exceeds a predetermined
value.
• Example: A university might use a limit check to
make sure that the hours a student is enrolled in do
not exceed 21.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 60 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
• Similar to a field check, but it checks both ends of a
range.
• Example: Perhaps a wage rate is checked to ensure
that it does not exceed $15 and is not lower than the
minimum wage rate.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 61 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
• Ensures that the data will fit into the assigned field.
• Example: A social security number of 10 digits would
not fit in the 9-digit social security field.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 62 of 136
 PROCESSING INTEGRITY

• Common tests to validate input include:

– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
– Completeness check

• Determines if all required items have been entered.

• Example: Has the student’s billing address been
entered along with enrollment details?

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 63 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range check
– Size (or capacity) check
– Completeness check
– Validity check
• Compares the value entered to a file of acceptable
values.
• Example: Does the state code entered for an address
match one of the 50 valid state codes?
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 64 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

needed to ensure that it’s entered correctly. Common
tests to validate input include:
– Field check
– Sign check
– Limit check
– Range • check
Determines whether a logical relationship seems to
– Size (or be
capacity) check
correct.
– • Example:
Completeness checkA freshman with annual financial aid of
– $60,000 is probably not reasonable.
Validity check
– Reasonableness test

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 65 of 136
 PROCESSING INTEGRITY

• Once data is collected, data entry control procedures are

• An additional digit called a check digit can be
needed toappended
ensure that it’s entered correctly. Common
to account numbers, policy numbers, ID
tests to validate
numbers,input
etc.include:
– Field •check
Data entry devices then perform check digit
– Sign check
verification by using the original digits in the number
– to recalculate the check digit.
Limit check
– Range • check
If the recalculated check digit does not match the
– Size (or digit recorded
capacity) checkon the source document, that result
suggests that an error was made in recording or
– Completeness check
entering the number.
– Validity check
– Reasonableness test
– Check digit verification

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 66 of 136
 PROCESSING INTEGRITY

• The preceding tests are used for batch

processing and online real-time
processing.
• Both processing approaches also have
some additional controls that are unique to
each approach.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 67 of 136
 PROCESSING INTEGRITY

• Additional Batch Processing Data Entry

Controls
– In addition to the preceding controls, when
using batch processing, the following data
entry controls should be incorporated.
• Sequence check
• Tests whether the data is in the proper numerical or
alphabetical sequence.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 68 of 136
 PROCESSING INTEGRITY
• Records information about data input or processing
errors (when they occurred, cause, when they were
corrected and resubmitted).
• Additional Batch Processing Data Entry
• Errors should be investigated, corrected, and
Controls resubmitted on a timely basis (usually with the next
batch) and subjected to the same input validation
– In addition to the preceding controls, when
routines.
using
• batch
The log processing, the periodically
should be reviewed following todata
ensure
that all errors
entry controls have been
should corrected and then used to
be incorporated.
prepare an error report, summarizing errors by record
• Sequence check
type, error type, cause, and disposition.
• Error log

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 69 of 136
 PROCESSING INTEGRITY
• Summarize key values for a batch of input records.
Commonly used batch totals include:
– Financial totals—sums of fields that contain dollar
• Additional Batch Processing Data Entry
values, such as total sales.
Controls– Hash totals—sums of nonfinancial fields, such as
the sum of all social security numbers of
– In addition to the preceding
employees being paid. controls, when
using batch processing,
– Record count—countthe following
of the number ofdata
records in
a batch.
entry controls should be incorporated.
• These batch totals are calculated and recorded when
• Sequence check
data is entered and used later to verify that all input
• Errorwas
log processed correctly.
• Batch totals

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 70 of 136
 PROCESSING INTEGRITY

• Additional online data entry controls

– Online processing data entry controls include:
• Automatic entry of data
• Whenever possible, the system should automatically
enter transaction data, such as next available
document number or new ID number.
• Saves keying time and reduces errors.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 71 of 136
 PROCESSING INTEGRITY

• Additional online data entry controls

– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• System requests each input item and waits for an
acceptable response.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 72 of 136
 PROCESSING INTEGRITY

• Additional online data entry controls

– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• Pre-formatting
• Fields that need to be completed are highlighted.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 73 of 136
 PROCESSING INTEGRITY

• Additional online data entry controls

– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• Pre-formatting
• Closed-loop verification
• Checks accuracy of input data by retrieving related
information.
• Example: When a customer’s account number is
entered, the associated customer’s name is displayed
on the screen so the user can verify that entries are
being made for the correct account.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 74 of 136
 • Maintains a detailed record of all transaction data,
including:
PROCESSING INTEGRITY
– A unique transaction identifier
– Date and time of entry
• Additional online data entry controls
– Terminal from which entry is made
– Transmission line
– Online processing data entry controls include:
– Operator identification
• Automatic entry of in
– Sequence data
which transaction is entered
• The log can be used to reconstruct a file that is
• Prompting
damaged or can be used to ensure transactions are
• Pre-formatting
not lost or entered twice if a malfunction shuts down
• Closed-loop verification
the system.
• Transaction logs

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 75 of 136
 PROCESSING INTEGRITY

• Additional online data entry controls

– Online processing data entry controls include:
• Automatic entry of data
• Prompting
• Pre-formatting
• Closed-loop verification
• Transaction logs
• Error messages
• Should indicate when an error occurred, which item,
and how it should be corrected.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 76 of 136
 PROCESSING INTEGRITY

• Three categories of integrity controls are

designed to meet the preceding
objectives:
– input controls
– Processing controls
– Output controls

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 77 of 136
 PROCESSING INTEGRITY

• Processing Controls
– Processing controls to ensure that data is
processed correctly include:
• Data matching
• Two or more items must match before processing
can proceed.
• Example: The quantity billed on the vendor invoice
must match the quantity ordered on the purchase
order and the quantity received on the receiving
report.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 78 of 136
 PROCESSING INTEGRITY

• Processing Controls
– Processing controls to ensure that data is
processed correctly include:
• Data matching
• File labels
• External labels should be checked visually to ensure the correct and
most current files are being updated.
• There are also two important types of internal labels to be checked.
– The header record, located at the beginning of each file, contains
the file name, expiration date, and other identification data.
– The trailer record at the end of the file contains the batch totals
calculated during input.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 79 of 136
 • Batch totals should be recomputed as processing takes place.
• These totals should be compared to the totals in the trailer record.
PROCESSING INTEGRITY
• Discrepancies indicate processing errors, such as:
– If the recomputed record count is smaller than the original count,
• Processing Controls
one or more records were not processed.
– If the recomputed record count is larger than the original, then
–additional
Processing controls
unauthorized to ensure
transactions that
were data isor some
processed
authorized transactions were processed twice.
processed correctly include:
– If the discrepancy between totals is evenly divisible by 9, there
was • Data matching
probably a transposition error (two adjacent digits were
• File labels
reversed).
• Recalculation of batch totals

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 80 of 136
 PROCESSING INTEGRITY

• Processing Controls
– Processing controls to ensure that data is
processed correctly include:
• Data matching
• File labels
• Recalculation of batch totals
• Cross-footing balance test
• Compares arithmetic results produced by two different
methods to verify accuracy.
• EXAMPLE: Compute the sum of column totals in a
spreadsheet and compare it to a sum of the row totals.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 81 of 136
 PROCESSING INTEGRITY

• Processing Controls
– Processing controls to ensure that data is
processed correctly include:
• Data matching
• File labels
• Recalculation of batch totals
• Cross-footing balance test
• Write-protection mechanisms
• Protect against accidental writing over or erasing of
data files but are not foolproof.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 82 of 136
 PROCESSING INTEGRITY

• Processing Controls
– Processing controls to ensure that data is
processed correctly include:
•• Data
Manymatching
businesses are replacing bar codes and manual
• tagslabels
File with radio frequency identification (RFID) tags
that can store up to 128 bytes of data.
• Recalculation of batch totals
• These tags should be write-protected so that
• Cross-footing balance test
unscrupulous customers cannot change price
• information on merchandise.
Write-protection mechanisms
• RFID security

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 83 of 136
 PROCESSING INTEGRITY
• Database systems use database administrators, data
• Processing Controls
dictionaries, and concurrent update controls to
– Processing
ensure controls
processingto integrity.
ensure that data is
• The administrator establishes and enforces
processed correctly include:
procedures for accessing and updating the database.
• Data
• Thematching
data dictionary ensures that data items are
• File labels
defined and used consistently.
• Concurrent update controls protect records from
• Recalculation of batch totals
being updated by two users simultaneously.
• Cross-footing balance
– Locks one testuntil the other has finished
user out
• Write-protection
processing. mechanisms
• Database processing integrity procedures

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 84 of 136
 PROCESSING INTEGRITY

• Three categories of integrity controls are

designed to meet the preceding
objectives:
– Input controls
– Processing controls
– Output controls

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 85 of 136
 PROCESSING INTEGRITY

• Output Controls
– Careful checking of system output
provides additional control over
processing integrity.
– Output controls include:
• User review of output
• Users carefully examine output for reasonableness,
completeness, and to assure they are the intended
recipient.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 86 of 136
 PROCESSING INTEGRITY

• Output Controls
– Careful checking of system output
provides additional control over
• Periodically, all transactions and other system updates
processing integrity.
should be reconciled to control reports, file
– Output
status/update
controlsreports, or other control mechanisms.
include:
• Control accounts should also be reconciled to
• User reviewaccount
subsidiary of output
totals.
• Reconciliation procedures

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 87 of 136
 PROCESSING INTEGRITY

• Output Controls
– Careful checking of system output
provides additional control over
processing integrity.
• Database totals should periodically be reconciled with data
– Output controls
maintained outsideinclude:
the system.
• EXAMPLE: Compare number of employee records in the
• User review
payroll of output
file to number in the human resources file. (Excess
records in payroll suggests a “ghost” employee.)
• Reconciliation procedures
• External data reconciliation

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 88 of 136
 PROCESSING INTEGRITY

• Output Controls
– In addition to using encryption to protect the confidentiality of
information being transmitted, organizations need controls to
minimize the risk of data transmission errors.
– When the receiving unit detects a data transmission error, it asks
the sending unit to re-send. Usually done automatically.
– Sometimes, the system may not be able to accomplish automatic
resubmission and will ask the sender to re-transmit the data.
– Two basic types of data transmission controls:
• Parity checking
• Message acknowledgment techniques

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 89 of 136
 PROCESSING INTEGRITY

• Output Controls
– In addition to using encryption to protect the confidentiality of
information being transmitted, organizations need controls to
minimize the risk of data transmission errors.
– When the receiving unit detects a data transmission error, it asks
the sending unit to re-send. Usually done automatically.
– Sometimes, the system may not be able to accomplish automatic
resubmission and will ask the sender to re-transmit the data.
– Two basic types of data transmission controls:
• Parity checking
• Message acknowledgment techniques

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 90 of 136
 PROCESSING INTEGRITY

• Parity checking
– Computers represent characters as a set of binary
digits (bits).
– For example, “5” is represented by the seven-bit
pattern 0000101.
– When data are transmitted some bits may be lost or
received incorrectly.
– Two basic schemes to detect these events are
referred to as even parity and odd parity.
– In either case, an additional bit is added to the digit
being transmitted.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 91 of 136
 PROCESSING INTEGRITY
– In even parity, the parity bit is set so that each character has an
even number of bits with the value 1.
– In odd parity, the objective is that an odd number of bits should
have the value 1.
– The pattern for 5 is 0000101. This pattern has two bits (an even
number) with a value of 1. Therefore, the parity bit that is added
would be zero if we were using even parity and 1 if we were
using odd parity.
– The receiving device performs parity checking to verify that the
proper number of bits set to one in each character received.
– Additional accuracy can be achieved with more complex parity
schemes.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 92 of 136
 PROCESSING INTEGRITY

• Output Controls
– In addition to using encryption to protect the confidentiality of
information being transmitted, organizations need controls to
minimize the risk of data transmission errors.
– When the receiving unit detects a data transmission error, it asks
the sending unit to re-send. Usually done automatically.
– Sometimes, the system may not be able to accomplish automatic
resubmission and will ask the sender to re-transmit the data.
– Two basic types of data transmission controls:
• Parity checking
• Message acknowledgment techniques

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 93 of 136
 PROCESSING INTEGRITY
• When data are transmitted, the system calculates a
• Message Acknowledgment Techniques
summary statistic such as the number of bits in the
– message.
A number of message acknowledgment
• The receiving unit performs the same calculation (an
techniques can and
“echo check”) be sends
usedthe to result
let the sender
to the ofunit.
sending
an• electronic
If the countsmessage know that isapresumed
match, the transmission message
wasaccurate.
received:
• Echo check

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 94 of 136
 PROCESSING INTEGRITY

• Message Acknowledgment Techniques

– A number of message acknowledgment
techniques can be used to let the sender of
an electronic message know that a message
was received:
• Echo check
• Trailer record
• The sending unit stores control totals in a trailer record.
• The receiving unit uses the information in those totals to
verify the entire message was received.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 95 of 136
 PROCESSING INTEGRITY

• Message Acknowledgment Techniques

– A number of message acknowledgment
techniques can be used to let the sender of
an electronic message know that a message
was received:
• Echo check
• Trailer record
• Numbered batches
• If a large message is transmitted in segments, each can
be numbered sequentially.
• The receiving unit uses those numbers to properly
assemble the segments.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 96 of 136
 AVAILABILITY

• Reliable systems are available

SYSTEMS for use whenever needed.
RELIABILITYPROCESSING INTEGRITY
• Threats to system availability
originate from many sources,
CONFIDENTIALITY

AVAILABILITY including:
– Hardware and software failures
PRIVACY

– Natural and man-made disasters

– Human error
– Worms and viruses
– Denial-of-service attacks and
other sabotage

SECURITY

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 97 of 136
 AVAILABILITY

• Proper controls can minimize the risk of

significant system downtime caused by the
preceding threats.
• It is impossible to totally eliminate all
threats.
• Consequently, organizations must develop
disaster recovery and business continuity
plans to enable them to quickly resume
normal operations after such an event.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 98 of 136
 AVAILABILITY

• Minimizing Risk of System Downtime

– Loss of system availability can cause
significant financial losses, especially if the
system affected is essential to e-commerce.
– Organizations can take a variety of steps to
minimize the risk of system downtime.
• Physical and logical access controls (Chapter 7)
can reduce the risk of successful denial-of-service
attacks.
• Good information security reduces risk of theft or
sabotage of IS resources.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 99 of 136
 AVAILABILITY

– COBIT control objective DS 13.5 identifies the

need for preventive maintenance. Examples:
• Cleaning disk drivers
• Properly storing magnetic and optical media
– Use of redundant components can provide
fault tolerance, which enables the system to
continue functioning despite failure of a
component. Examples of redundant
• components:
Surge protection devices provide protection
against temporary power fluctuations.
• Dual processors
• Arrays of multiple hard drives.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 100 of 136
 AVAILABILITY

• COBIT control objectives DS 12.1 and 12.4

address the importance of proper location and
design of rooms housing mission-critical servers
and databases.
– Raised floors protect from flood damage.
– Fire protection and suppression devices reduce
likelihood of fire damage.
– Adequate air conditioning reduces likelihood of
damage from over-heating or humidity.
– Cables with special plugs that cannot be easily
removed reduce risk of damage due to accidentally
unplugging.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 101 of 136
 AVAILABILITY

– An uninterruptible power supply (UPS)

provides protection from a prolonged power
outage and buys the system enough time to
back up critical data and shut down safely.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 102 of 136
 AVAILABILITY
• Training is especially important.
– Well-trained operators are less likely to make
mistakes and more able to recover if they do.
– Security awareness training, particularly concerning
safe email and Web-browsing practices, can reduce
risk of virus and worm infection.
• Anti-virus software should be installed, run, and
• Ccurrent.
kept OBIT control objective DS 13.1 stresses the
importance of defining and documenting
• Email should be scanned for viruses at both the
operational procedures and ensuring that
server and desktop levels.
operations staff understand their
• Newly acquired software and disks, CDs, or
responsibilities.
DVDs should be scanned and tested first on a
machine that is isolated from the main network.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 103 of 136
 AVAILABILITY

• Disaster Recovery and Business

Continuity Planning
– Disaster recovery and business continuity
plans are essential if an organization hopes to
survive a major catastrophe.
–•Being without
Experience an IS for
suggests even
that a short which
companies period of
time can be aquite
experience costly—some
major report
disaster resulting as high
in loss of
asuse
half
of atheir
million dollars per
information hour.
system for more than a
fewmany
– Yet days large
have aU.S.
greater than 50%do
companies chance of
not have
going outdisaster
adequate of business.
recovery and business
continuity plans.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 104 of 136
 AVAILABILITY

• The objectives of a disaster recovery and

business continuity plan are to:
– Minimize the extent of the disruption, damage,
and loss
– Temporarily establish an alternative means of
processing information
– Resume normal operations as soon as
possible
– Train and familiarize personnel with
emergency operations

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 105 of 136
 AVAILABILITY

• Key components of effective disaster

recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing
– Adequate insurance

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 106 of 136
 AVAILABILITY

• Key components of effective disaster

recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing
– Adequate insurance

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 107 of 136
 AVAILABILITY

• Data Backup Procedures

– Data need to be backed up regularly and
frequently.
– A backup is an exact copy of the most current
version of a database. It is intended for use in
the event of a hardware or software failure.
– The process of installing the backup copy for
use is called restoration.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 108 of 136
 AVAILABILITY

• Several different backup procedures exist.

– A full backup is an exact copy of the data
recorded on another physical media (tape,
magnetic disk, CD, DVD, etc.)
– Restoration involves bringing the backup copy
online.
– Full backups are time consuming, so most
organizations:
• Do full backups weekly
• Supplement with daily partial backups.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 109 of 136
 AVAILABILITY

• Two types of partial backups are

possible:
– Incremental backup
• Involves copying only the data items that have
changed since the last backup.
• Produces a set of incremental backup files, each
containing the results of one day’s transactions.
• Restoration:
– First load the last full backup.
– Then install each subsequent incremental
backup in the proper sequence.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 110 of 136
 AVAILABILITY

• Two types of partial backups are

possible:
– Incremental backup
– Differential backup
• All changes made since the last full backup are copied.
• Each new differential backup file contains the cumulative
effects of all activity since the last full backup.
• Will normally take longer to do the backup than when
incremental backup is used.
• Restoration:
– First load the last full backup.
– Then install the most recent differential backup file.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 111 of 136
 AVAILABILITY

• Incremental and differential backups are both

made daily.
– Additional intra-day backups are often made for
mission-critical databases.
– Periodically, the system makes a copy of the
database at that point in time, called a checkpoint,
and stores the copy on backup media.
– If a hardware or software fault interrupts processing,
the checkpoint is used to restart the system.
– The only transactions that need to be reprocessed
are those that occurred since the last checkpoint.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 112 of 136
 AVAILABILITY

• Whichever backup procedure is used,

multiple backup copies should be created:
– One can be stored on-site for use in minor
incidents.
–• AtMirroring
least one additional
(maintaining copy ofshould
two copies be stored
the database at two
separate data centers) is an alternative to these traditional
off-site to be safe should a disaster occur
backup methods. Mirroring is used by financial institutions
and airlines, that cannot afford to lose transactions.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 113 of 136
 AVAILABILITY

• The offsite copies can be transported to

remote storage physically or electronically.
– The same security controls should apply as to
original copies.
• Sensitive data should be encrypted in storage and
during transmission.
• Access to the backup files should be carefully
controlled and monitored.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 114 of 136
 AVAILABILITY

• • Tape
Backups
or disk?are
Diskretained for only
backup is faster a fixed
and disks period
are less oflost.
easily
Tape, however, is cheaper, easier to transport, and more durable.
time.
Many organizations use both. Data is first backed up to disk, for
• speed, and then transferred
An archive is a copytooftape. Archives aremaster
a database, usually stored
file, on
tape.
or software that will be retained indefinitely as an
historical record, usually to satisfy legal and
regulatory requirements.
• Multiple copies of archives should be made and
stored in different locations.
• Appropriate security controls should also be
applied to these files.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 115 of 136
 AVAILABILITY

• Special attention should be paid to email,

because it has become an important archive of
organizational behavior and information.
• Access to email is often important when
companies are embroiled in lawsuits.
• Organizations may be tempted to adopt a policy
of periodically deleting all email to prevent a
plaintiff’s attorney from finding a “smoking gun.”

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 116 of 136
 AVAILABILITY

• Most experts advise against such policies and

recommend that organizations include email in
their backup and archive procedures because:
– There are likely to be copies of the email stored in
locations outside the organization.
– Such a policy would mean that the organization would
not be able to tell its side of the story.
– Also, courts have sanctioned companies for failing to
provide timely access to email.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 117 of 136
 AVAILABILITY

• Key components of effective disaster

recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing
– Adequate insurance

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 118 of 136
 AVAILABILITY

• Infrastructure Replacement
– Major disasters can totally destroy an organization’s
information processing center or make it inaccessible.
– A key component of disaster recovery and business
continuity plans incorporates provisions for replacing
• How the necessary
much computing
time can the infrastructure,
organization including:
afford to be without its
information system? The recovery time objective (RTO) represents
• Computers
the time following
• Network a disaster
equipment andbyaccess
which the organization’s information
system must be available again .
• Telephone lines
• Office equipment
• Supplies
– It may even be necessary to hire temporary staff.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 119 of 136
 • The least expensive approach.
• The organization enters into an agreement with another organization
AVAILABILITY
that uses similar equipment to have temporary access to and use of
their information system resources in the event of a disaster.
• Effective solutions for disasters of limited duration and magnitude,
• Organizations have three basic
especially for small organizations.
• Not optimal in major disasters as:
options for replacing computer and
– The host organization may also be affected.
– The host also needs the resources.
networking equipment.
– Reciprocal agreements

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 120 of 136
 AVAILABILITY

• Organizations have three basic

options for replacing computer and
networking equipment.
– Reciprocal agreements
– Cold sites
• An empty building is purchased or leased and pre-wired for
necessary telephone and Internet access.
• Contracts are created with vendors to provide all necessary
computer and office equipment within a specified period of time.
• Still leaves the organization without use of the IS for a period of time.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 121 of 136
 AVAILABILITY

• Organizations have three basic

• Most expensive solution but used by organizations like financial
options for replacing computer and
institutions and airlines which cannot survive any appreciable time
without there IS.
networking equipment.
• The hot site is a facility that is pre-wired for phone and Internet (like
the cold site) but also contains the essential computing and office
– Reciprocal agreements
equipment.
• It is a backup infrastructure designed to provide fault tolerance in
the–event
Cold of asites
major disaster.
– Hot sites

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 122 of 136
 AVAILABILITY

• Key components of effective disaster

recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing
– Adequate insurance

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 123 of 136
 AVAILABILITY
• Documentation
– An important and often overlooked component.
Should include:
• The disaster recovery plan itself, including instructions for
notifying appropriate staff and the steps to resume operation,
needs to be well documented.
• Assignment of responsibility for the various activities.
• Vendor documentation of hardware and software.
• Documentation of modifications made to the default
configuration (so replacement will have the same
functionality).
• Detailed operating instructions.
– Copies of all documentation should be stored both
on-site and off-site.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 124 of 136
 AVAILABILITY

• Key components of effective disaster

recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing
– Adequate insurance

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 125 of 136
 AVAILABILITY

• Testing
– Periodic testing and revision is probably the
most important component of effective
disaster recovery and business continuity
plans.
• Most plans fail their initial test, because it’s
impossible to anticipate everything that could go
wrong.
• The time to discover these problems is before the
actual emergency and in a setting where the
weaknesses can be carefully analyzed and
appropriate changes made.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 126 of 136
 AVAILABILITY

• Plans should be tested on at least an

annual basis to ensure they reflect recent
changes in equipment and procedures.
– Important to test procedures involved in
executing reciprocal agreements or hot or
cold sites.
– Backup restoration procedures also require
practice.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 127 of 136
 AVAILABILITY
• Brainstorming sessions involving mock
scenarios can be effective in identifying gaps
and shortcomings.
– More realistic and detailed simulations or drills should
also be performed, although not to the expense of
completely performing every activity.
– Experts recommend testing individual components of
the plans separately, because it is too difficult and
costly to simulate and analyze every aspect
simultaneously.
• The plan documentation needs to be updated to
reflect any changes in procedure made in
response to problems identified during testing.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 128 of 136
 AVAILABILITY

• Key components of effective disaster

recovery and business continuity plans
include:
– Data backup procedures
– Provisions for access to replacement
infrastructure (equipment, facilities, phone
lines, etc.)
– Thorough documentation
– Periodic testing
– Adequate insurance

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 129 of 136
 AVAILABILITY

• Insurance
– Organizations should acquire adequate
insurance coverage to defray part or all of the
expenses associated with implementing their
disaster recovery and business continuity
plans.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 130 of 136
 CHANGE MANAGEMENT CONTROLS

• Organizations constantly modify their information

systems to reflect new business practices and to take
advantage of advances in IT.
• Controls are needed to ensure such changes don’t
negatively impact reliability.
• Existing controls related to security, confidentiality,
privacy, processing integrity, and availability should be
modified to maintain their effectiveness after the change.
• Change management controls need to ensure adequate
segregation of duties is maintained in light of the
modifications to the organizational structure and
adoption of new software.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 131 of 136
 CHANGE MANAGEMENT CONTROLS

• Important change management controls include:

– All change requests should be documented in a
standard format that identifies:
• Nature of the change
• Reason for the change
• Date of the request
– All changes should be approved by appropriate levels
of management.
• Approvals should be clearly documented to provide an audit
trail.
• Management should consult with the CSO and other IT
managers about impact of the change on reliability.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 132 of 136
 CHANGE MANAGEMENT CONTROLS

– Changes should be thoroughly tested prior to

• When changing systems, data from old files and
implementation.
• databases are entered
Includes assessing effectinto new data
of change on structures.
all five principles of
systems reliability.
• Conversion controls help ensure that the new data
• storage
Should occur
media in are
a separate, non-production environment.
free of errors.
– All
• Olddocumentation
and new systems (program
shouldinstructions, system
be run in parallel at
descriptions, backup
least once and results and disastertorecovery
compared identify plans)
should be updated to reflect authorized changes to
discrepancies.
the system.
• Internal auditors should review data conversion
– “Emergency” changes or deviations from policy must
processes for accuracy.
be documented and subjected to a formal review and
approval process as soon after implementation as
practicable. All such actions should be logged to
provide an audit trail.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 133 of 136
 CHANGE MANAGEMENT CONTROLS

– “Backout” plans should be developed for

reverting to the previous configuration if the
approved changes need to be interrupted or
aborted.
– User rights and privileges should be carefully
monitored during the change process to
ensure proper segregation of duties.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 134 of 136
 CHANGE MANAGEMENT CONTROLS

• The most important change management control

is adequate monitoring and review by top
management to ensure that the changes are
consistent with the entity’s multiyear strategic
plan.
• Objective: Be sure the system continues to
effectively support the organization’s strategy.
• Steering committees are often created to
perform this function.

© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 135 of 136
 SUMMARY

• In this chapter, you’ve learned about the

controls used to protect the confidentiality
of sensitive information and the controls
used to protect the privacy of customer
information.
• You’ve also learned about controls that
help ensure processing integrity.
• Finally, you’ve learned about controls to
ensure that the system is available when
needed.
© 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 136 of 136