Accounting Information Systems: Controls and Processes, 2nd edition (Turner & Weickgenannt), Chapter 04

Document information: 70 pages, 2.42 MB

Contents

Slide 4-1
Prepared by Coby Harmon, University of California, Santa Barbara / Westmont College

Slide 4-3: Study Objectives
1. An overview of internal controls for IT systems
2. General controls for IT systems
3. General controls from a Trust Services Principles perspective
4. Hardware and software exposures in IT systems
5. Application software and application controls
6. Ethical issues in IT systems

Slide 4-4 (SO 1: An overview of internal controls for IT systems)
Internal Controls for IT Systems
Accounting Information System: collects, processes, stores, and reports accounting information.
Internal controls for computer-based systems have been described as being of two types:
► General controls
► Application controls

Slide 4-5 (SO 1)
Internal Controls for IT Systems
Application controls are used to control inputs, processing, and outputs.

Slide 4-6 (SO 1)
Internal Controls for IT Systems: Question

Slide 4-7 (SO 2: General controls for IT systems)
General Controls for IT Systems
Five categories of general controls:
1. Authentication of users and limiting unauthorized access
2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business continuity

Slide 4-8 (SO 2)
General Controls for IT Systems
► Two-factor authentication

Slide 4-9 (SO 2)
General Controls for IT Systems
► Public key encryption
► Wired equivalency privacy
► Wireless protected access
► Service set identifier
► Virtual private network
► Secure sockets layer

Slide 4-10 (SO 2)
General Controls for IT Systems: Organizational Structure
IT governance committee responsibilities include:
1. Align IT investments to business strategy
2. Budget funds and personnel for the most effective use of the IT systems
3. Oversee and prioritize changes to IT systems
4. Develop, monitor, and review all IT operational policies
5. Develop, monitor, and review security policies

Slide 4-11 (SO 2)
General Controls for IT Systems

Slide 4-12 (SO 2)
General Controls for IT Systems: Physical Environment and Security
Controls for an IT system should include controls over the physical environment of the system, which includes:
► Location
► Operating environment
► Back-up systems

Slide 4-13 (SO 2)
General Controls for IT Systems: Physical Environment and Security
Controls for an IT system should include controls over the physical environment of the system, which includes:
► Location: locate in an area that is least at risk of natural disasters such as flood, earthquake, hurricane, and fire. Location should also have a fire
► Operating environment: properly control dust, temperature, and humidity
► Back-up systems

Slide 4-14 (SO 2)
General Controls for IT Systems: Physical Environment and Security
Physical access controls:
► Limited access to computer rooms through employee ID badges or card keys
► Video surveillance equipment
► Logs of persons entering and exiting the computer rooms
► Locked storage of backup data and offsite backup data
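One way to make use of the entry/exit logs this slide lists, as an added example that is not part of the slides or the textbook: the script below reviews badge-reader log lines against the list of people whose jobs require computer-room access and flags unauthorized badges, after-hours entries, entries with no matching exit, and malformed lines. The badge IDs, the authorized list, the after-hours window and the log lines are all constructed sample data.

```python
"""Review computer-room badge logs against an authorized-access list.

Added example (not from the textbook slides). Badge IDs, roles, the
after-hours window and the log lines below are constructed sample data.
"""
from datetime import datetime

# Constructed: badges that must have computer-room access for their job.
AUTHORIZED_BADGES = {"B1001": "ops-admin", "B1002": "dba", "B1003": "facilities"}

# Constructed sample log: timestamp, door, badge id, event (IN/OUT).
SAMPLE_LOG = """\
2017-05-12T08:01:10 CR-1 B1001 IN
2017-05-12T08:45:00 CR-1 B1001 OUT
2017-05-12T09:10:32 CR-1 B2044 IN
2017-05-12T09:30:00 CR-1 B2044 OUT
2017-05-12T13:05:19 CR-1 B1002 IN
2017-05-12T22:17:40 CR-1 B1003 IN
2017-05-12T22:40:02 CR-1 B1003 OUT
this line is malformed
"""


def parse_log(text):
    """Return (events sorted by time, line numbers that could not be parsed).

    Malformed lines are reported rather than silently dropped, because a log
    that cannot be read is itself a control failure worth noticing.
    """
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("IN", "OUT"):
            malformed.append(lineno)
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            malformed.append(lineno)
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    events.sort()
    return events, malformed


def review_access(text, authorized=AUTHORIZED_BADGES,
                  after_hours_start=20, after_hours_end=6):
    """Return a list of (finding_kind, detail) tuples for the log text."""
    events, malformed = parse_log(text)
    findings = [("malformed_line", f"line {n}") for n in malformed]
    inside = {}  # badge -> timestamp of the IN event that has no OUT yet
    for ts, _door, badge, event in events:
        if event == "IN":
            if badge not in authorized:
                findings.append(("unauthorized_badge", badge))
            if ts.hour >= after_hours_start or ts.hour < after_hours_end:
                findings.append(("after_hours_entry", badge))
            if badge in inside:
                # Two INs in a row: a missed badge-out or a tailgated exit.
                findings.append(("entry_without_exit", badge))
            inside[badge] = ts
        else:
            if badge not in inside:
                # OUT with no IN: the person got in without badging.
                findings.append(("exit_without_entry", badge))
            inside.pop(badge, None)
    # Anyone still "inside" at the end of the log never badged out.
    for badge in sorted(inside):
        findings.append(("no_exit_recorded", badge))
    return findings


if __name__ == "__main__":
    for kind, detail in review_access(SAMPLE_LOG):
        print(f"{kind:22s} {detail}")
```

On the sample log this reports the unknown badge B2044, the 22:17 entry by B1003, B1002 still inside at the end of the log, and the unreadable last line. The authorized list is the input a reviewer should keep current when job assignments change, since that is what turns the log into a control rather than a record.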

Slide 4-15 (SO 2)
General Controls for IT Systems: Business Continuity
Business Continuity Planning (BCP)
Two parts of business continuity are related to IT systems:
► A strategy for backup and restoration of IT systems, to include redundant servers, redundant data storage, daily incremental backups, a backup of weekly changes, and offsite storage of daily and weekly backups
► A disaster recovery plan
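The backup strategy on this slide (a weekly backup, daily incrementals, offsite copies) only supports restoration if the whole chain of backups exists. As an added example that is not part of the slides or the textbook, the code below works out which backups are needed to restore to a given date and reports gaps a recovery test would hit: a day with no incremental, or a chain member with no confirmed offsite copy. The backup inventory is constructed sample data and the record layout is an assumption of this example.

```python
"""Restore-chain check for a weekly-plus-daily-incremental backup strategy.

Added example (not from the textbook slides). The inventory below and its
record layout (kind, date, offsite flag) are constructed for illustration.
"""
from datetime import date, timedelta

# Constructed inventory: one record per backup set.
BACKUPS = [
    {"kind": "weekly", "date": date(2017, 5, 7), "offsite": True},
    {"kind": "daily", "date": date(2017, 5, 8), "offsite": True},
    {"kind": "daily", "date": date(2017, 5, 9), "offsite": True},
    {"kind": "daily", "date": date(2017, 5, 10), "offsite": False},
    {"kind": "daily", "date": date(2017, 5, 11), "offsite": True},
    {"kind": "weekly", "date": date(2017, 5, 14), "offsite": True},
]


def restore_chain(backups, target):
    """Return the ordered backups needed to restore to `target`.

    Restoring an incremental scheme needs the latest weekly baseline at or
    before the target plus every daily incremental after it, in order.
    """
    weeklies = [b for b in backups if b["kind"] == "weekly" and b["date"] <= target]
    if not weeklies:
        raise ValueError("no weekly baseline at or before the target date")
    base = max(weeklies, key=lambda b: b["date"])
    dailies = sorted(
        (b for b in backups
         if b["kind"] == "daily" and base["date"] < b["date"] <= target),
        key=lambda b: b["date"],
    )
    return [base] + dailies


def chain_gaps(chain, target):
    """Return (days with no backup in the chain, chain dates lacking an offsite copy)."""
    covered = {b["date"] for b in chain}
    missing_days = []
    day = chain[0]["date"] + timedelta(days=1)
    while day <= target:
        if day not in covered:
            missing_days.append(day)
        day += timedelta(days=1)
    not_offsite = [b["date"] for b in chain if not b["offsite"]]
    return missing_days, not_offsite


def restore_plan(backups, target_iso):
    """Summarise the chain and its gaps for a target date given as YYYY-MM-DD."""
    target = date.fromisoformat(target_iso)
    chain = restore_chain(backups, target)
    missing, not_offsite = chain_gaps(chain, target)
    return {
        "chain": [f'{b["kind"]}:{b["date"].isoformat()}' for b in chain],
        "missing_days": [d.isoformat() for d in missing],
        "not_offsite": [d.isoformat() for d in not_offsite],
    }


if __name__ == "__main__":
    for target in ("2017-05-11", "2017-05-12", "2017-05-14"):
        print(target, restore_plan(BACKUPS, target))
```

Restoring to 2017-05-11 needs the 7 May weekly plus four dailies, and the 10 May incremental has no offsite copy, so an offsite-only recovery would stop there. Restoring to 2017-05-12 reports that day as missing, and restoring to 2017-05-14 needs only the new weekly. Running this kind of check against the backup inventory is what turns "offsite storage of daily and weekly backups" into a verified control.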

Slide 4-16 (SO 2)
The Real World
In some organizations, loss of a key CEO could spell disaster. For example, Martha Stewart founded and became the CEO of Martha Stewart Living Omnimedia Inc. In June 2003, she was indicted for possible legal violations related to insider trading, and she stepped down as CEO. Some in the financial community wondered if the firm could continue or thrive without Martha Stewart. Part of the business continuity plan for her company should have been a strategy to operate if some event would prevent Martha Stewart from serving as CEO. Martha was convicted, served time in prison, and successfully returned to work.

Slide 4-17 (SO 2)
General Controls for IT Systems: Question

Slide 4-18 (SO 2)
General Controls for IT Systems: Question
An IT governance committee has several responsibilities. Which of the following is least likely to be a responsibility of the IT governance committee?
a. Develop and maintain the database and ensure adequate controls over the database
b. Develop, monitor, and review security policies
c. Oversee and prioritize changes to IT systems
d. Align IT investments to business strategy

Slides 4-19 to 4-23 (SO 3: General controls from a Trust Services Principles perspective)
General Controls from an AICPA Trust Services Principles Perspective
AICPA Trust Services Principles categorizes IT controls and risks into five categories, one per slide:

Slide 4-19: Security. The system is protected against unauthorized (physical and logical) access.

Slide 4-20: Availability. The system is available for operation and use as committed or agreed.

Slide 4-21: Processing integrity. System processing is complete, accurate, timely, and authorized.

Slide 4-22: Online privacy. Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.

Slide 4-23: Confidentiality. Information designated as confidential is protected as committed or agreed.

Slide 4-24 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective
Previously covered IT controls that can lessen the risk of unauthorized users gaining access to the IT system:

Slide 4-25 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective: Risks From Hacking or Other Network Break-Ins
► security breach resolution,
► secure socket layers (SSL),
► virtual private network (VPN),
► wired equivalency privacy (WEP)

Slide 4-26 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective: Risks From Hacking or Other Network Break-Ins
Controls that may be applied are:
► wireless protected access (WPA),
► service set identifier (SSID),
► antivirus software,
► vulnerability assessment,
► penetration testing, and
► intrusion detection

Slide 4-27 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective
Risks From Environmental Factors: environmental changes that affect the IT system can cause availability risks and processing integrity risks.
Physical Access Risks: physical access to computer systems and computer rooms should be limited to those who must have access in order to carry out their job assignments.

Slide 4-28 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective: Physical Access Risk
Security risk is that an intruder who gains physical access may change user access levels.
Availability risk is that unauthorized physical access may be used to physically shut down, sabotage, or destroy hardware or software.
Processing integrity risk is that systems or programs may be shut down or sabotaged.
Confidentiality risk is that an intruder may gain access to confidential data.

Slide 4-29 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective: Business Continuity Risks
Security risk is that an unauthorized person may gain access to the backup data.
Availability risk is that as events interrupt operations, the system becomes unavailable for regular processing.
Processing integrity risk is that business interruptions can lead to incomplete or inaccurate data.
Confidentiality risk is that unauthorized persons may gain access to confidential data if they access backup data.

Slide 4-30 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective

Slide 4-31 (SO 3)
General Controls from an AICPA Trust Services Principles Perspective: Question
The risk that an unauthorized user would shut down systems within the IT system is a(n)
a. Security risk
b. Availability risk
c. Processing integrity risk
d. Confidentiality risk

Slide 4-32 (SO 4: Hardware and software exposures in IT systems)
Hardware and Software Exposures
Typical IT system components that represent “entry points” where the risks must be controlled:
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)

Slide 4-33 (SO 4)
Hardware and Software Exposures
Exhibit 4-6: Exposure Areas

Slide 4-34 (SO 4)
Hardware and Software Exposures: The Operating System
The software that controls the basic input and output activities of the computer. Provides the instructions that enable the CPU to:
► read and write to disk,
► read keyboard input,
► control output to the monitor,
► manage computer memory, and
► communicate between the CPU, memory, and disk storage

Slide 4-35 (SO 4)
Hardware and Software Exposures: The Operating System
Unauthorized access would allow an unauthorized user to:
1. Browse disk files or memory for sensitive data or passwords
2. Alter data through the operating system
3. Alter access tables to change access levels of users
4. Alter application programs
5. Destroy data or programs

Slide 4-36 (SO 4)
Hardware and Software Exposures
A large disk storage for accounting and operating data.
Controls such as:
► user IDs, passwords,

Slide 4-37 (SO 4)
Hardware and Software Exposures: The Database Management System
A software system that manages the interface between many users and the database.
Exhibit 4-7

Slide 4-38 (SO 4)
Hardware and Software Exposures: The Database Management System
Exhibit 4-6

Slide 4-39 (SO 4)
Hardware and Software Exposures: The Database Management System
A software system that manages the interface between many users and the database.
Physical access, environmental, and business continuity controls can help guard against the loss of the data or alteration to the DBMS.

Slide 4-40 (SO 4)
Hardware and Software Exposures: LANs and WANs
A local area network, or LAN, is a computer network covering a small geographic area.
A group of LANs connected to each other is called a wide area network, or WAN.

Slide 4-41 (SO 4)
Hardware and Software Exposures: LANs and WANs

Slide 4-42 (SO 4)
Hardware and Software Exposures
Exhibit 4-6

Slide 4-43 (SO 4)
Hardware and Software Exposures: Wireless Networks
Same kind of exposures as a local area network.
Controls include:
► wired equivalency privacy (WEP) or wireless protected access (WPA),
► service set identifiers (SSID), and
► encrypted data.

Slide 4-44 (SO 4)
The Real World
Boeing Co. uses wireless networks on the floor of the large shop where it manufactures airplanes. This wireless network with notebook computers allows Boeing workers to move around the plane while they are working and view engineering drawings or parts availability during the manufacturing processes. The employees do not have to walk to a desk or workstation, away from the manufacturing flow, to access these things. Wireless networks can make employees more efficient by allowing them to roam.

Slide 4-45 (SO 4)
Hardware and Software Exposures: The Internet and World Wide Web
The use of dual firewalls can help
Exhibit 4-6

Slide 4-46 (SO 4)
Hardware and Software Exposures: Telecommuting Workers and Mobile Workers
The organization’s security policy should address the security expectations of workers who telecommute, and such workers should connect to the company network via a virtual private network.
Exhibit 4-6

Posted: 12/05/2017, 11:07