
Control and Accounting

Information Systems

Tri Susilo Wahyu Aji


180800782
The Meikarta case
Internal control at the Ministry of Energy and Mineral Resources (ESDM)
The PSSI case
Internal control cases in accounting
• KAI
• MALINDA DEE – CITIBANK
• WORLDCOM
• BANK LIPPO
Internal Controls
Why Is Control Needed?

❖ Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

❖ The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.

❖ The probability that the threat will happen is the likelihood associated with the threat.
A Primary Objective of an AIS

▪ Is to control the organization so the organization can achieve its objectives

▪ Management expects accountants to:

❖ Take a proactive approach to eliminating system threats.
❖ Detect, correct, and recover from threats when they occur.
Internal Controls
• Processes implemented to provide assurance
that the following objectives are achieved:
– Safeguard assets
– Maintain sufficient records
– Provide accurate and reliable information
– Prepare financial reports according to established
criteria
– Promote and improve operational efficiency
– Encourage adherence with management policies
– Comply with laws and regulations
Functions of Internal Controls

• Preventive controls
– Deter problems from occurring
• Detective controls
– Discover problems that are not prevented
• Corrective controls
– Identify and correct problems; correct and recover
from the problems
Control Frameworks

• COBIT
– Framework for IT control
• COSO
– Framework for enterprise internal controls
(control-based approach)
• COSO-ERM
– Expands COSO framework taking a risk-based
approach
COBIT Framework

• Current framework version is COBIT5
• Based on the following principles:
– Meeting stakeholder needs
– Covering the enterprise end-to-end
– Applying a single, integrated framework
– Enabling a holistic approach
– Separating governance from management
COBIT5 Separates Governance
from Management
Components of COSO
Frameworks

COSO
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring

COSO-ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Internal Environment
• Management’s philosophy, operating
style, and risk appetite
• Commitment to integrity, ethical
values, and competence
• Internal control oversight by Board of
Directors
• Organizing structure
• Methods of assigning authority and
responsibility
• Human resource standards
Objective Setting

• Strategic objectives
– High-level goals
• Operations objectives
– Effectiveness and efficiency of operations
• Reporting objectives
– Improve decision making and monitor
performance
• Compliance objectives
– Compliance with applicable laws and regulations
Event Identification

Identifying incidents both external and internal to the organization that could affect the achievement of the organization's objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫ Probability that the event will occur
• Impact
▫ Estimate potential loss if event occurs

Types of risk
• Inherent
▫ Risk that exists before plans are made to control it
• Residual
▫ Risk that is left over after you control it
Risk Response

• Reduce
– Implement effective internal control
• Accept
– Do nothing, accept likelihood and impact of risk
• Share
– Buy insurance, outsource, or hedge
• Avoid
– Do not engage in the activity
Control Activities

• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance
Monitoring
• Perform internal control evaluations (e.g.,
internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g.,
budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal,
network security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
Controls for Information Security

Nurul Hidayah
1808700757
The Trust Services Framework
Two Fundamental Information Security Concepts
1. Security is a Management Issue, Not Just a Technology Issue
Two Fundamental Information Security Concepts
2. The Time-Based Model of Information Security
Combination of preventive, detective, and corrective controls to protect information assets
Formula: P > D + R
Strategy: Defense-in-Depth
Understanding Targeted Attacks
1. Conduct Reconnaissance
2. Attempt Social Engineering
3. Scan and map the target
4. Research
5. Execute the attack
6. Cover tracks
Protecting Information Resources
People
• Security-conscious culture
Lead by example
• Training
Protecting Information Resources
Process: 1. User Access Controls
• Authentication controls
Verify person's identity:
1. Something the person knows (password, PIN)
2. Something the person has (smart card, ID badge)
3. Some physical/behavioral characteristic (biometric identifier)
-> multifactor authentication and multimodal authentication
• Authorization controls
Access control matrix
Protecting Information Resources
• Process: 2. Penetration Testing
• Process: 3. Change controls and change management
1. Documentation of all change requests
2. Documentation approval of all change requests
3. Testing of all changes in a separate system
4. Conversion controls
5. Updating of all documentation
6. Special process for timely review
7. Development and documentation of “backout” plans
8. Careful monitoring and review
Protecting Information Resources
• IT Solutions: 1. Antimalware Controls
1. Malicious software awareness education
2. Installation of antimalware protection tools
3. Centralized management of patches and
updates of antimalware software
4. Regular review of new malware threats
5. Filtering of incoming traffic to block potential
sources of malware
6. Training employees not to install unapproved
software
Protecting Information Resources
• IT Solutions: 2. Network Access Controls
1. Perimeter Defense: Routers, Firewalls, and Intrusion Prevention Systems (Fig 8-6)
2. Controlling Access by Filtering Packets
3. Using Defense-in-Depth to Restrict
Network Access
4. Securing Wireless Access
Protecting Information Resources
• IT Solutions: 3. Device and Software Hardening Controls
1. Endpoint Configuration
2. User account management
3. Software Design
• IT Solutions: 4. Encryption
• Physical Security: Access Controls
Detecting Attacks
• Log Analysis
• Intrusion Detection System
• Continuous Monitoring
Responding to Attacks

• Computer Incident Response Team (CIRT)
Recognition, Containment, Recovery, Follow-up
• Chief Information Security Officer (CISO)
Confidentiality and Privacy
Controls
Preserving Confidentiality
Privacy
Privacy Controls
• Data Masking
• Tokenization

Privacy Concerns
• Spam
• Identity Theft

Privacy Regulations and Generally Accepted Privacy Principles
• Management
• Notice
• Choice and consent
• Collection
• Use, retention, and disposal
• Access
• Disclosure to third parties
• Security
• Quality
• Monitoring and Enforcement
Encryption
Factors that Influence Encryption Strength:
1. Key Length
2. Encryption Algorithm
3. Policies for Managing Cryptographic Keys
Types of Encryption Systems
Hashing
Digital Signatures
• Creating Digital Signatures
Digital Signatures
• Usage
Digital Certificates and Public Key
Infrastructure

• Digital Certificate
• Certificate Authority
• Public Key Infrastructure
Virtual Private Networks (VPNs)
• Two types of VPN
1. Using a browser, encrypting the traffic with SSL
2. Using IPSec
Processing Integrity and
Availability Controls

Tri Susilo Wahyu Aji


180800782
Processing Integrity Controls
• Input
– Forms design
• Sequentially prenumbered
– Control to identify potential missing transaction
• Cut down on errors by making data entry easier
– Turnaround documents
• Eliminate errors in data entry

Processing Integrity: Data Entry
Controls
• Field check
– Characters in a field are proper type
• Sign check
– Data in a field is appropriate sign (positive/negative)
• Limit check
– Tests numerical amount against a fixed value
• Range check
– Tests numerical amount against lower and upper limits
• Size check
– Input data fits into the field
• Completeness check
– Verifies that all required data is entered
• Validity check
– Compares data from transaction file to that of master file to verify existence
• Reasonableness test
– Correctness of logical relationship between two data items
• Check digit verification
– Recalculating check digit to verify data entry error has not been made
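As an added example (not part of the course slides), the data entry controls above applied in Python to one constructed sales order record; the field names, the bounds, the master file and the mod-10 (Luhn) check digit scheme are assumptions made for the example:

```python
# Constructed master file of valid customer ids; each id ends in a mod-10 check digit
MASTER_CUSTOMERS = {"10017", "10025", "10033"}

def check_digit_ok(number: str) -> bool:
    """Check digit verification, assumed mod-10 (Luhn) scheme: double every second
    digit from the right (subtract 9 if the result exceeds 9); the digit sum must be
    divisible by 10. Catches single-digit errors and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def validate_order(rec: dict) -> list:
    """Run the data entry controls on one record; returns the failed controls (empty = clean)."""
    errors = []
    # Completeness check: every required field must be present and non-empty
    required = ("customer_id", "quantity", "unit_price", "order_date", "ship_date")
    errors += [f"completeness:{f}" for f in required if rec.get(f) in (None, "")]
    if errors:
        return errors                       # the remaining checks need the fields to exist
    qty_txt, cust = str(rec["quantity"]), str(rec["customer_id"])
    # Field check: quantity must be digits only (one leading minus allowed so the sign check can run)
    if not qty_txt.removeprefix("-").isdigit():
        return errors + ["field:quantity"]
    qty = int(qty_txt)
    if qty <= 0:                            # Sign check: quantity must be positive
        errors.append("sign:quantity")
    if qty > 1000:                          # Limit check: fixed ceiling per order line
        errors.append("limit:quantity")
    if not 0.01 <= float(rec["unit_price"]) <= 10_000.0:   # Range check: lower and upper bounds
        errors.append("range:unit_price")
    if len(cust) != 5 or not cust.isdigit():   # Size check: id must fit the 5-digit field
        errors.append("size:customer_id")
    elif not check_digit_ok(cust):          # Check digit verification, before any master lookup
        errors.append("checkdigit:customer_id")
    elif cust not in MASTER_CUSTOMERS:      # Validity check: id must exist in the master file
        errors.append("validity:customer_id")
    if rec["ship_date"] < rec["order_date"]:   # Reasonableness test: ISO dates, ship not before order
        errors.append("reasonableness:ship_date")
    return errors

if __name__ == "__main__":
    good = {"customer_id": "10025", "quantity": "12", "unit_price": 49.90,
            "order_date": "2024-03-01", "ship_date": "2024-03-04"}
    # "10052" is "10025" with two digits transposed, a typical keying error
    bad = {"customer_id": "10052", "quantity": "-3", "unit_price": 49.90,
           "order_date": "2024-03-01", "ship_date": "2024-02-28"}
    print(validate_order(good))   # []
    print(validate_order(bad))    # ['sign:quantity', 'checkdigit:customer_id', 'reasonableness:ship_date']
```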
Additional Data Entry Controls
• Batch processing
– Sequence check
• Test of batch data in proper numerical or alphabetical sequence
– Error logs
– Batch totals
• Summarize numeric values for a batch of input records
– Financial total
– Hash total
– Record count
• Online
– Employee Access controls
– Automatic data entry
– Prompting
• System prompts you for input (online completeness check)
– Closed-loop verification
• Checks accuracy of input data by using it to retrieve and display other related information (e.g., customer account # retrieves the customer name)
– Transaction logs
– Error Messages
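As an added example (not part of the course slides), the batch processing controls above, sequence check and the three batch totals, run in Python against a constructed payroll batch and its control slip; the record layout and the slip format are assumptions:

```python
# Constructed batch of payroll input records (seq = sequence number, emp = employee id)
BATCH = [
    {"seq": 1, "emp": 4412, "hours": 40, "gross": 1600.00},
    {"seq": 2, "emp": 4420, "hours": 38, "gross": 1520.00},
    {"seq": 3, "emp": 4431, "hours": 45, "gross": 1980.00},
]
# Control slip prepared by the user department before the batch is keyed in (constructed)
CONTROL_SLIP = {"record_count": 3, "financial_total": 5100.00, "hash_total": 13263}

def sequence_check(batch) -> bool:
    """Sequence check: sequence numbers must be ascending with no gaps or repeats."""
    seqs = [r["seq"] for r in batch]
    return seqs == list(range(seqs[0], seqs[0] + len(seqs))) if seqs else True

def batch_totals(batch) -> dict:
    """Record count, financial total (sum of a money field) and hash total
    (sum of a field with no meaning of its own, here the employee id)."""
    return {
        "record_count": len(batch),
        "financial_total": round(sum(r["gross"] for r in batch), 2),
        "hash_total": sum(r["emp"] for r in batch),
    }

def check_batch(batch, slip) -> list:
    """Compare computed totals with the control slip; returns failed controls (empty = clean).
    Failed items would go to the error log for the user department to correct and resubmit."""
    errors = [] if sequence_check(batch) else ["sequence"]
    errors += [name for name, value in batch_totals(batch).items() if value != slip[name]]
    return errors

if __name__ == "__main__":
    print(check_batch(BATCH, CONTROL_SLIP))                  # []
    # Keying error: employee 4412 entered as 4421. Record count and financial total
    # still agree with the slip; only the hash total exposes it.
    keyed = [dict(BATCH[0], emp=4421)] + BATCH[1:]
    print(check_batch(keyed, CONTROL_SLIP))                  # ['hash_total']
    # A dropped record breaks the sequence and all three totals
    print(check_batch(BATCH[:1] + BATCH[2:], CONTROL_SLIP))  # ['sequence', 'record_count', 'financial_total', 'hash_total']
```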
Processing Controls
• Data matching
– Two or more items must be matched before an action takes place
• File labels
– Ensures correct and most updated file is used
• Recalculation of batch totals
• Cross-footing
– Verifies accuracy by comparing two alternative ways of calculating the same total
• Zero-balance tests
– For control accounts (e.g., payroll clearing)
• Write-protection mechanisms
– Protect against overwriting or erasing data
• Concurrent update controls
– Prevent error of two or more users updating the same record at the same time
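As an added example (not part of the course slides), cross-footing and a zero-balance test in Python on a constructed quarterly sales report and a constructed payroll clearing account; the report layout, the figures and the posting format are assumptions:

```python
# Constructed quarterly sales report: each row carries the total stated upstream,
# plus a stated column-total row; cross-footing re-derives both and compares them.
REPORT_ROWS = {
    "North": ([120.0, 135.5, 140.0, 150.0], 545.5),
    "South": ([ 98.0, 101.0, 110.5, 120.0], 429.5),
    "West":  ([ 75.0,  80.0,  82.5,  90.0], 327.5),
}
STATED_COLUMN_TOTALS = [293.0, 316.5, 333.0, 360.0]

def cross_foot(rows, stated_cols, tol=0.005) -> list:
    """Cross-footing: recompute every row and column total, then reach the grand total
    two ways (footing the row totals, footing the column totals); all must agree."""
    errors = []
    for name, (cells, stated) in rows.items():
        if abs(sum(cells) - stated) > tol:
            errors.append(f"row:{name}")
    cols = [sum(c) for c in zip(*(cells for cells, _ in rows.values()))]
    for i, (got, stated) in enumerate(zip(cols, stated_cols)):
        if abs(got - stated) > tol:
            errors.append(f"col:{i}")
    by_rows = sum(stated for _, stated in rows.values())   # grand total via row totals
    by_cols = sum(stated_cols)                             # grand total via column totals
    if abs(by_rows - by_cols) > tol:
        errors.append(f"grand:{by_rows:.2f}!={by_cols:.2f}")
    return errors

def zero_balance(postings, tol=0.005):
    """Zero-balance test for a clearing account: debits and credits posted during the
    period must net to zero; returns (ok, remaining balance)."""
    balance = round(sum(p["debit"] - p["credit"] for p in postings), 2)
    return abs(balance) <= tol, balance

# Constructed payroll clearing postings: gross payroll charged in, net pay and
# withholdings paid out. The account should empty out once the cycle is complete.
PAYROLL_CLEARING = [
    {"memo": "gross payroll accrued", "debit": 5100.00, "credit": 0.00},
    {"memo": "net pay disbursed",      "debit": 0.00,    "credit": 3900.00},
    {"memo": "tax withheld remitted",  "debit": 0.00,    "credit": 1200.00},
]

if __name__ == "__main__":
    print(cross_foot(REPORT_ROWS, STATED_COLUMN_TOTALS))     # []
    typo = dict(REPORT_ROWS, South=(REPORT_ROWS["South"][0], 492.5))  # 429.5 keyed as 492.5
    print(cross_foot(typo, STATED_COLUMN_TOTALS))             # ['row:South', 'grand:1365.50!=1302.50']
    print(zero_balance(PAYROLL_CLEARING))                     # (True, 0.0)
    short = PAYROLL_CLEARING[:2] + [dict(PAYROLL_CLEARING[2], credit=1020.00)]
    print(zero_balance(short))                                # (False, 180.0)
```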
Output Controls
• User review of output
• Reconciliation
– Procedures to reconcile to control reports (e.g., general ledger A/R
account reconciled to Accounts Receivable Subsidiary Ledger)
• External data reconciliation
• Data transmission controls
– Check sums
• Hash of file transmitted, comparison made of hash before and after transmission
– Parity checking
• Bit added to each character transmitted, the characters can then be verified for
accuracy
Output Controls
• Message Acknowledgment Techniques for data
transmission (let the sender of an electronic message know
that a message was received)
– Echo Check
• When data are transmitted, the sending system calculates a summary statistic; the receiving unit performs the same calculation and sends it back to the source. If they agree, accuracy is assumed
– Trailer Record
• Sending unit stores control totals in a trailer record
• Receiving unit uses that information to verify that the entire message was received
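As an added example (not part of the course slides), the data transmission controls from the two Output Controls slides, a check sum, parity bits, a trailer record and an echo check, as a sender/receiver exchange in Python over a constructed message; the record layout, the trailer and echo formats and the even-parity scheme are assumptions:

```python
import hashlib
# Constructed message: three remittance lines of the form "account|amount"
RECORDS = ["A1001|250.00", "A1002|75.50", "A1003|1200.00"]

def parity_bit(byte: int) -> int:
    """Parity checking (even parity): the extra bit makes the count of 1 bits even."""
    return bin(byte).count("1") % 2

def encode_message(records: list) -> dict:
    """Sender side: body lines, a trailer record with control totals, a check sum
    (SHA-256 of the body) and one parity bit per transmitted character."""
    body = "\n".join(records)
    total = round(sum(float(r.split("|")[1]) for r in records), 2)
    return {
        "body": body,
        "trailer": f"TRAILER|{len(records)}|{total:.2f}",
        "checksum": hashlib.sha256(body.encode()).hexdigest(),
        "parity": [parity_bit(b) for b in body.encode()],
    }

def receive_message(msg: dict):
    """Receiver side: verify parity, recompute the check sum and the trailer totals,
    then echo the recomputed summary back to the source (echo check)."""
    data, errors = msg["body"].encode(), []
    if [parity_bit(b) for b in data] != msg["parity"]:
        errors.append("parity")
    digest = hashlib.sha256(data).hexdigest()
    if digest != msg["checksum"]:
        errors.append("checksum")
    lines = msg["body"].split("\n")
    _, count, total = msg["trailer"].split("|")
    got_total = round(sum(float(l.split("|")[1]) for l in lines), 2)
    if int(count) != len(lines) or float(total) != got_total:
        errors.append("trailer")
    return errors, f"ECHO|{len(lines)}|{got_total:.2f}|{digest[:8]}"

def sender_accepts(msg: dict, echo: str) -> bool:
    """Echo check, sender side: the echoed summary must match what was sent."""
    count, total = msg["trailer"].split("|")[1:]
    return echo == f"ECHO|{count}|{total}|{msg['checksum'][:8]}"

if __name__ == "__main__":
    msg = encode_message(RECORDS)
    errors, echo = receive_message(msg)
    print(errors, sender_accepts(msg, echo))          # [] True
    # 'A' (0x41) -> 'B' (0x42) flips two bits, so per-character parity still agrees and
    # the trailer totals are unchanged; only the check sum catches this corruption
    damaged = dict(msg, body=msg["body"].replace("A1002", "B1002"))
    errors, echo = receive_message(damaged)
    print(errors, sender_accepts(damaged, echo))      # ['checksum'] False
```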
Processing Integrity Controls (Spreadsheets)
• Spreadsheets usually developed by end user
• Lack of application controls
• Solutions
– Multiple people evaluate all cells for possible error
– Cell formulas.
• Do not hardwire
• Use cell references
– input/output section
Controls Ensuring Availability
• Systems or information need to be
available 24/7
– It is not possible to ensure this so:
Availability Controls
• Preventive maintenance
• Fault tolerance
– Use of redundant components
• Data center location and design
– Raised floor
– Fire suppression
– Air conditioning
– Uninterruptible power supply (UPS) or back-up generator
– Surge protection
• Patch management and antivirus software
• Backup procedures
– Full (probably weekly)
– Incremental
• Copies only items that have changed since last partial backup
– Differential backup
• Copies all changes made since last full backup
• Disaster recovery plan (DRP)
– Procedures to restore organization's IT function
• Cold site
• Hot site
• Business continuity plan (BCP)
– How to resume all operations,
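As an added example (not part of the course slides), a Python simulation of the backup procedures above: which files a full, incremental or differential backup copies on each day, and which sets a restore must replay. The file names, the four-day change history and the one-backup-per-day schedule are assumptions:

```python
# Constructed change history: day -> files modified that day. Day 0 holds every file
# and is when the weekly full backup is taken; one backup is taken each later day.
CHANGES = {
    0: {"ledger.db", "payroll.xls", "config.ini"},
    1: {"ledger.db"},
    2: {"payroll.xls"},
    3: {"ledger.db", "config.ini"},
}

def version_on(name: str, day: int) -> int:
    """Version of a file on a given day = last day on or before it the file changed."""
    return max(d for d in range(day + 1) if name in CHANGES.get(d, set()))

def changed_since(start: int, day: int) -> set:
    """Files modified after `start`, up to and including `day`."""
    return set().union(*(CHANGES.get(d, set()) for d in range(start + 1, day + 1)))

def take_backup(strategy: str, day: int) -> dict:
    """Backup set taken on `day`: {file: version copied}. Day 0 is the full backup;
    incremental copies changes since the previous day's backup, differential since day 0."""
    chosen = set(CHANGES[0]) if day == 0 else changed_since(day - 1 if strategy == "incremental" else 0, day)
    return {f: version_on(f, day) for f in chosen}

def restore_order(strategy: str, last_day: int) -> list:
    """Sets a restore on `last_day` must apply, in order: the full plus every
    incremental, or the full plus only the latest differential."""
    if strategy == "incremental":
        return list(range(last_day + 1))
    return [0, last_day] if last_day else [0]

def restore(strategy: str, order: list) -> dict:
    """Replay backup sets in order; a later set overwrites versions from earlier ones."""
    versions = {}
    for day in order:
        versions.update(take_backup(strategy, day))
    return versions

def restore_is_current(strategy: str, order: list, last_day: int) -> bool:
    """Does the restored state equal the live state on `last_day`?"""
    return restore(strategy, order) == {f: version_on(f, last_day) for f in CHANGES[0]}

if __name__ == "__main__":
    for s in ("incremental", "differential"):
        print(s, sorted(take_backup(s, 3)), restore_order(s, 3))
    # incremental ['config.ini', 'ledger.db'] [0, 1, 2, 3]
    # differential ['config.ini', 'ledger.db', 'payroll.xls'] [0, 3]
    print(restore_is_current("incremental", [0, 1, 3], 3))   # False: skipping day 2 loses payroll.xls
    print(restore_is_current("differential", [0, 3], 3))     # True
```

The trade-off the slide implies is visible in the output: incremental sets are smaller, but a restore needs every one of them intact, while a differential restore needs only the full set and the latest differential.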
Disaster Recovery Plan (DRP)
• Procedures to restore an organization’s IT
function in the event that its data center is
destroyed
– Cold Site
• An empty building that is prewired for necessary
telephone and Internet access, plus a contract with
one or more vendors to provide all necessary
equipment within a specified period of time
– Hot Site
• A facility that is not only prewired for telephone and
Internet access but also contains all the computing
and office equipment the organization needs to
perform its essential business activities
– Second Data-Center
• Used for back-up and site mirroring
Recovery
• Business Continuity Plan (BCP)
– How to resume not only IT operations, but all
business processes
• Relocating to new offices
• Hiring temporary replacements
DRP & BCP

• Documentation
– Plan, responsibilities, procedures to resume
operations should be documented
• Testing
– Test to make sure it works as intended
– Revise as needed
– Should test at least on an annual basis
Virtualization & Cloud Computing
• Virtualization
– Can reduce time to recover from hardware problems
• Install files to new box
– Support real time mirroring
• Cloud Computing
– Use redundant banks of servers in multiple locations
• Reduces risk of system downtime and data loss
– Potential problem
• Data retrieval if public cloud provider goes belly-up
• Policy of making regular back-ups and storing
somewhere other than cloud necessary
– Assess long-run financial viability of cloud provider before taking the plunge
Thank you ☺
