AIS Chapter 4

The document discusses internal controls for IT systems including general controls like authentication, authorization, and limiting unauthorized access. It covers risks from hacking, the physical environment, and ensuring business continuity. It also discusses controls for specific IT components like operating systems, databases, networks, and remote access.

Uploaded by THOTslayer 420

Chapter 4 : Internal Controls and Risks in IT Systems

I- Internal Controls for IT Systems:


Accounting Information System - collects, processes, stores, and reports accounting information.

Internal controls for computer-based systems have been described as being of two types:

 General controls : apply overall to the IT accounting system.


 Application controls : used to control inputs, processing, and outputs.
 If the general controls are weak, compromised or outdated, the application controls cannot be relied upon, because the environment they run in is itself insecure.
II- General Controls for IT Systems:
Five categories of general controls:

1. Authentication of users and limiting unauthorized access


2. Hacking and other network break-ins
3. Organizational structure
4. Physical environment and physical security of the system
5. Business Continuity

Authentication of Users and Limiting Unauthorized Users:

Log: a listing, generally chronological, e.g. an activity log or an access log.

Authentication: the user of the IS is recognized as a "valid" user (who are you?).

Authorization: the actions an authenticated user is allowed to perform within the IS (what may you do?).
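The three definitions above fit together as one login path: authenticate first, then consult an authority table to authorize the requested action, and record every step in an access log. The following is an added example written for these notes, not code from the chapter; the user table, the roles in the authority table, the sample passwords and the log line format are all constructed assumptions.

```python
"""Added example: authentication, authorization and an access log for a small
accounting-system login path. The user table, authority table and log format
are assumptions constructed for illustration, not taken from the chapter."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 100_000  # PBKDF2 work factor (assumed)

# Authority table (assumed): which actions each role may perform.
AUTHORITY_TABLE = {
    "clerk": {"enter_invoice"},
    "manager": {"enter_invoice", "approve_invoice"},
}


def make_user(password: str, role: str) -> dict:
    """Store only a salted PBKDF2 hash of the password, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "role": role}


# Constructed sample users.
USERS = {
    "alice": make_user("correct horse battery staple", "manager"),
    "bob": make_user("hunter2", "clerk"),
}

ACCESS_LOG = []  # chronological access log, one line per event


def _log(user: str, action: str, outcome: str) -> None:
    stamp = datetime.now(timezone.utc).isoformat()
    ACCESS_LOG.append(f"{stamp} user={user} action={action} outcome={outcome}")


def authenticate(username: str, password: str) -> bool:
    """Is this a valid user?  Recompute the hash and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        _log(username, "login", "FAIL unknown user")
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    ok = hmac.compare_digest(digest, rec["hash"])
    _log(username, "login", "OK" if ok else "FAIL bad password")
    return ok


def authorize(username: str, action: str) -> bool:
    """What may an authenticated user do?  Look it up in the authority table."""
    role = USERS[username]["role"]
    ok = action in AUTHORITY_TABLE.get(role, set())
    _log(username, action, "ALLOW" if ok else "DENY")
    return ok


def perform(username: str, password: str, action: str) -> str:
    """Full path: authenticate, then authorize, then act.  Every step is logged,
    so the access log later shows both failed logins and denied actions."""
    if not authenticate(username, password):
        return "rejected: authentication failed"
    if not authorize(username, action):
        return "rejected: not authorized"
    return f"{action} performed by {username}"


if __name__ == "__main__":
    print(perform("bob", "hunter2", "approve_invoice"))
    print(perform("mallory", "guess", "enter_invoice"))
    print("\n".join(ACCESS_LOG))
```

Note that a valid user (bob) is still refused an action his role does not grant: authentication and authorization are separate checks, and the log records which one rejected the request.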

Hacking and other Network Break-Ins :


Encryption: converting plaintext into ciphertext.

Asymmetric encryption: uses a key pair, a public key to encrypt and a matching private key to decrypt; symmetric encryption uses one shared secret key for both. Asymmetric encryption is considered the stronger of the two because the decryption key never has to be shared.

Vulnerability assessment: an automated scan of the IS that reports the weaknesses it finds (e.g. a weak password is a vulnerability; an attacker who guesses it is the threat that exploits it).

Penetration testing: "ethical hackers" attempt to break in, to see to what extent the system is hackable.

Security and IT controls = a combination of preventive, detective and corrective controls. The time-based model says the controls are adequate when P > D + R, where:

- P: the time the preventive controls hold, i.e. the time the hacker needs to break through them,
- D: the time to detect the breach,
- R: the reaction (response) time.
 This model is used by companies with high exposure to risk.

Organizational Structure :
IT governance committee, responsibilities include:

1. Align IT investments to business strategy.

2. Budget funds and personnel for the most effective use of the IT systems.

3. Oversee and prioritize changes to IT systems.

4. Develop, monitor, and review all IT operational policies.

5. Develop, monitor, and review security policies.

Duties to be segregated are:


► Systems analysts

► Programmers: write the code for the system

► Operations personnel : will use the system

► Database administrator

 e.g. the operations personnel cannot also be the programmer, since someone who both writes and runs the code could manipulate data undetected.

Physical Environment and Security :


Controls for an IT system should include controls over the physical environment of the system which
includes:
Physical access controls:

► Limited access to computer rooms through employee ID badges or card keys.

► Video surveillance equipment.

► Logs of persons entering and exiting the computer rooms.

► Locked storage of backup data and offsite backup data.

Business Continuity :
Business Continuity Planning (BCP)

Two parts of business continuity are related to IT systems:

► A strategy for backup and restoration of IT systems, to include redundant servers,


redundant data storage, daily incremental backups, a backup of weekly changes, and
offsite storage of daily and weekly backups.

► A disaster recovery plan.

III- General Controls from an AICPA Trust Services Principles Perspective:


a. Security: System is protected against unauthorized (physical and logical) access

b. Availability: System is available for operation and use as committed or agreed.

c. Processing integrity: System processing is complete, accurate, timely and authorized.


d. Online privacy: Personal information obtained as a result of e-commerce is collected,
used, disclosed, and retained as committed or agreed.

e. Confidentiality: Information designated as confidential is protected as committed or


agreed.

"Home" of information system reliability:

- Security: the information system is protected against unauthorised access  security is the foundation on which the four pillars rest.
- The four pillars of the "home" are: availability, processing integrity (the information processed by the IS is accurate, complete and well structured), confidentiality (information about transactions, reports, plans, etc.) and privacy (information about the identity of people).
 Security is placed below the four pillars not because the pillars are less important, but because it is the base: if it fails, none of the pillars can be relied upon.
Risks In Not Limiting Unauthorized Users:
Previously covered IT controls that can lessen risk of unauthorized users gaining access to the IT
system (log in / user ID’s …)

Risks From Hacking or Other Network Break-Ins:


Controls that may be applied are:

► firewalls,
► encryption of data,
► security policies,
► antivirus software,
► security breach resolution,
► vulnerability assessment,
► penetration testing,
► intrusion detection,
► virtual private networks (VPN),
► Secure Sockets Layer (SSL), today its successor TLS, for web traffic,
► Wi-Fi Protected Access (WPA) or, on legacy equipment, Wired Equivalent Privacy (WEP), and
► service set identifier (SSID) configuration for wireless networks.

(WEP is cryptographically broken and should be treated as offering no protection; SSL has been replaced by TLS. Where the chapter lists them, read WPA2/WPA3 and TLS as the current forms.)

Risks From Environmental Factors: Environmental changes that affect the IT system can cause
availability risks and processing integrity risks.

Physical Access Risks: Physical access to computer systems and computer rooms should be limited
to those who must have access in order to carry out their job assignments.

► Security risk is that an intruder who gains physical access may change user access levels.

► Availability risk is the unauthorized physical access to physically shut down, sabotage, or
destroy hardware or software.

► Processing integrity risk is that systems or programs may be shut down or sabotaged.

► Confidentiality risk is that intruder may gain access to confidential data.

Business Continuity Risks:


► Security risk is that an unauthorized person may gain access to the backup data.

► Availability risk is that as events interrupt operations, the system becomes unavailable for
regular processing.

► Processing integrity risk is that business interruptions can lead to incomplete or inaccurate
data.

► Confidentiality risk is that unauthorized persons may gain access to confidential data if they
access backup data.

IV- Hardware and Software Exposures :


Typical IT system components that represent “entry points” where the risks must be controlled.
1. The operating system
2. The database
3. The database management system (DBMS)
4. Local area networks (LANs)
5. Wireless networks
6. E-business conducted via the Internet
7. Telecommuting workers
8. Electronic data interchange (EDI)
9. Application software

The Operating System: The software that controls the basic input and output activities of the
computer.

 Provides the instructions that enable the CPU to:

► read and write to disk,

► read keyboard input,

► control output to the monitor,

► manage computer memory, and communicate between the CPU, memory, and disk
storage

 Unauthorized access would allow an unauthorized user to:

1. Browse disk files or memory for sensitive data or passwords.

2. Alter data through the operating system.

3. Alter access tables to change access levels of users.

4. Alter application programs.


5. Destroy data or programs.

The Database:
A large disk storage for accounting and operating data.

Controls such as user IDs, passwords, authority tables, firewalls, and encryption are examples of
controls that can limit exposure.

The Database Management System:

A software system that manages the interface between many users and the database.

Physical access, environmental, and business continuity controls can help guard against the loss of
the data or alteration to the DBMS.

LANS and WANS:


A local area network, or LAN, is a computer network covering a small geographic area.

A group of LANs connected to each other is called a wide area network, or WAN.

Controls:

 limit unauthorized users

 firewalls

 encryption

 virtual private networks


Wireless Networks: Same kind of exposures as a local area network, plus anyone within radio range can attempt to join.
Controls include:

 Wi-Fi Protected Access (WPA, today WPA2/WPA3) rather than the broken Wired Equivalent Privacy (WEP),

 service set identifier (SSID) configuration (hiding the SSID alone does not keep attackers out), and

 encrypted data.

The Internet and World Wide Web:

The use of dual firewalls can help prevent hackers or unauthorized users from accessing the organization's internal network of computers: the zone between the outer and inner firewall (the DMZ) holds the public-facing servers, so a compromise there still leaves the inner firewall between the attacker and the internal network.

Telecommuting Workers and Mobile Workers:


The organization’s security policy should address the security expectations of workers who
telecommute, and such workers should connect to the company network via a virtual private
network.

Electronic Data Interchange


Company-to-company transfer of standard business documents in electronic form.

EDI controls include:

 authentication,

 computer logs, and

 network break-in controls.

Cloud Computing:
As introduced in chapter 2, cloud computing includes:

► Software and data reside with third party companies (the cloud) and not on company
computers.

► Outsourcing of IT to a third party.

Advantages: Scalability | Expanded access | Infrastructure is reduced | Cost savings

Risks associated with cloud computing

 Security: All processing, storing data, and reading data occur over the Internet; therefore,
the third-party provider must have good user authentication, firewalls, encryption, and
virtual private network connections.
 Availability : Any interruptions in service cause the software and data to be unavailable
 Processing integrity : All control of software installation, testing, and upgrading is
transferred to the third-party provider of cloud computing services.
 Confidentiality : Risk that employees of the third-party provider can possibly browse and
misuse company data.

V- Application Software and Application Controls


Applications software accomplishes end user tasks such as:
 word processing,
 spreadsheets,
 database maintenance, and
 accounting functions.
Applications controls - intended to improve the accuracy, completeness, and security of input,
process, and output.

Input Controls:
Data input - data converted from human-readable form to computer-readable form.

Input controls are of four types:

1. Source document controls

2. Standard procedures for data preparation and error handling

3. Programmed edit checks

4. Control totals and reconciliation

Source document controls:

Source document: paper form used to capture and record the original data of an accounting
transaction.

 Many IT systems do not use source documents.

 General controls such as computer logging of transactions and keeping backup files,
become important.

 Where source documents are used, several source document controls should be used

Form Design - Both the source document and the input screen should be well designed so that they
are easy to understand and use, logically organized into groups of related data.

Form Authorization and Control:

 Area for authorization by appropriate manager

 Prenumbered and used in sequence

 Blank source documents should be controlled


Retention of Source Documents:

 Retained and filed for easy retrieval

 Part of the audit trail.

Standard Procedures for Data Input:

Data Preparation – standard data collection procedures reduce the chance of lost, misdirected, or
incorrect data collection from source documents.

Error Handling:

 Errors should be logged, investigated, corrected, and resubmitted for processing

 Error log should be regularly reviewed by an appropriate manager

Programmed Input Validation Checks:

Data should be validated and edited to be as close to the original source of data as possible.

Input validation checks include:

Reasonableness check: the value is reasonable in the context of another field, for example a tax rate checked against the type of activity. (Limit, range and sign tests, listed under processing controls below, are applied at input for the same reason.)

Control Totals and Reconciliation:

Control totals are subtotals of selected fields for an entire batch of transactions, computed before and after processing and reconciled:

 Record counts: the number of records in the batch, e.g. the number of employees paid

 Batch totals: the sum of a financial amount, e.g. the total amount paid as salaries
 Hash totals: the sum of a numeric field that has no financial meaning on its own, e.g. the sum of all employee or social security numbers in the batch; a mismatch reveals a substituted record even when the count and batch total still agree
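The programmed edit checks and the three control totals above are easiest to see together on one batch. The following is an added example for these notes, not code from the chapter; the payroll batch, its header totals and the maximum-hours limit are constructed assumptions. It also shows why a hash total exists: a swapped employee number leaves the record count and batch total untouched and is caught only by the hash total.

```python
"""Added example: programmed input validation checks and batch control totals
(record count, batch total, hash total) for a payroll batch.  The records,
header totals and MAX_HOURS limit are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class PayRecord:
    employee_id: int   # numeric field with no financial meaning -> hash total
    hours: float
    rate: float
    gross_pay: float


# Constructed batch of payroll transactions, plus the control totals the
# data-entry clerk computed by hand from the source documents (batch header).
BATCH = [
    PayRecord(10234, 40.0, 25.00, 1000.00),
    PayRecord(10987, 38.5, 30.00, 1155.00),
    PayRecord(11452, 45.0, 22.00, 990.00),
]
BATCH_HEADER = {"record_count": 3, "batch_total": 3145.00, "hash_total": 32673}

MAX_HOURS = 60.0  # assumed limit for one pay period


def edit_checks(rec: PayRecord) -> list:
    """Programmed edit checks for one record; returns the failures (empty = clean)."""
    errors = []
    if rec.hours < 0 or rec.rate < 0 or rec.gross_pay < 0:     # sign test
        errors.append("negative value")
    if not 0 <= rec.hours <= MAX_HOURS:                         # limit / range test
        errors.append(f"hours {rec.hours} outside 0..{MAX_HOURS}")
    expected = rec.hours * rec.rate                             # reasonableness test:
    if abs(expected - rec.gross_pay) > 0.005:                   # gross pay vs hours*rate
        errors.append(f"gross_pay {rec.gross_pay} != hours*rate {expected:.2f}")
    return errors


def control_totals(batch: list) -> dict:
    """Recompute the three control totals from the records as entered."""
    return {
        "record_count": len(batch),
        "batch_total": round(sum(r.gross_pay for r in batch), 2),
        "hash_total": sum(r.employee_id for r in batch),
    }


def reconcile(batch: list, header: dict) -> dict:
    """Compare the header totals with the recomputed ones.
    Returns {name: (expected, computed)} for every mismatch; empty means the
    batch reconciles."""
    computed = control_totals(batch)
    return {k: (header[k], computed[k]) for k in header if header[k] != computed[k]}


if __name__ == "__main__":
    for r in BATCH:
        print(r.employee_id, edit_checks(r) or "ok")
    print("reconciliation:", reconcile(BATCH, BATCH_HEADER) or "batch agrees")
    # One digit transposed in an employee number: count and batch total still
    # match, only the hash total reveals the substitution.
    swapped = [PayRecord(10243, 40.0, 25.00, 1000.00)] + BATCH[1:]
    print("after transposition:", reconcile(swapped, BATCH_HEADER))
```

Records that fail an edit check would go to the error log described under error handling above, be corrected and resubmitted; a batch whose totals do not reconcile is held back before processing rather than corrected record by record.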

Processing Controls:
Intended to prevent, detect, or correct errors that occur during processing.

 Ensure that application software has no errors.

 Control totals, limit and range tests, and reasonableness and sign tests.

 Computer logs of transactions processed, production run logs, and error listings.

Output Controls:
Reports from the various applications.

Two primary objectives of output controls:

 to assure the accuracy and completeness of the output, and


 to properly manage the safekeeping of output reports to ascertain that security and
confidentiality of the information is maintained.

VI- Ethical Issues in IT Systems:


Besides fraud, there are many kinds of unethical behaviors related to computers, such as:

 Misuse of confidential customer information.

 Theft of data, such as credit card information, by hackers.

 Employee use of IT system hardware and software for personal use or personal gain.

 Using company e-mail to send offensive, threatening, or sexually explicit material.

Chapter 4 for the exam focus on :

 Type of IT risk : Availability / Security / Processing integrity / Privacy / Confidentiality


 General or Application control
