
COMPUTER-BASED INFORMATION SYSTEMS CONTROL
LEARNING OBJECTIVES

1. Describe the threats to an FIS and discuss why these threats
are growing.
2. Identify and explain the general controls that should exist
within a computer-based information system.
3. Identify and explain the control procedures and techniques
that should be incorporated into data processing applications
of computer-based information systems.
LEARNING OBJECTIVE 1

Describe the threats to an FIS
and discuss why these threats are
growing.
LEARNING OBJECTIVE 2

Identify and explain the general
controls that should exist within
a computer-based information
system.
GENERAL CONTROLS

A company designs general controls to
ensure that its overall computer system is
stable and well managed.
The following are categories of general
controls:
1. Developing a security plan
2. Segregation of duties within the systems function
3. Project development controls
4. Physical access controls
5. Logical access controls
6. Data storage controls
7. Data transmission controls
8. Documentation standards
9. Minimizing system downtime
10. Disaster recovery plans
11. Protection of personal computers and client/server networks
12. Internet controls
DEVELOPING A SECURITY PLAN

– Developing and continuously updating a
comprehensive security plan is one of the most
important controls a company can identify.
– What questions need to be asked?
– Who needs access to what information?
– When do they need it?
– On which systems does the information reside?
SEGREGATION OF DUTIES WITHIN
THE SYSTEMS FUNCTION

– In a highly integrated AIS, procedures that used to be performed
by separate individuals are combined.
– Any person who has unrestricted access to the computer, its
programs, and live data could have the opportunity to both
perpetrate and conceal fraud.
– To combat this threat, organizations must implement compensating control
procedures.
– Authority and responsibility must be clearly divided among the following
functions:
1. Systems analysis
2. Programming
3. Computer operations
4. Users
5. AIS library
6. Data control
– It is important that different people perform
these functions.
– Allowing one person to perform two or more of
them exposes the company to the possibility of
fraud, because that person can both make an unauthorized
change and hide it.
PROJECT DEVELOPMENT CONTROLS

– To minimize failures, the basic principles of responsibility accounting should be
applied to the AIS function.
– What key elements are included in project development control?
1. Long-range master plan
2. Project development plan
3. Data processing schedule
4. Assignment of responsibility
5. Periodic performance evaluation
6. Post-implementation review
7. System performance measurements
PHYSICAL ACCESS CONTROLS

– How can physical access security be achieved?
1. placing computer equipment in locked rooms and
restricting access to authorized personnel
2. having only one or two entrances to the computer
room
3. requiring proper employee ID
4. requiring that visitors sign a log
5. installing locks on PCs
LOGICAL ACCESS CONTROLS

– Users should be allowed access only to the data they are
authorized to use, and then only to perform specific authorized
functions.
– What are some logical access controls?
– passwords
– physical possession identification (something the user carries, such as a card or token)
– biometric identification
– compatibility tests (checking that the user is authorized to perform the specific function requested)
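The compatibility test above and the segregation-of-duties rule on the earlier slides are both checks against an access-control matrix. The following is an added example (not code from the slides) that implements a compatibility test over the six systems functions listed earlier, a detective check that reports anyone holding two of them, and a preventive check that refuses such a grant. The user names and the matrix contents are constructed sample data; the function names are assumptions for this example.

```python
# The six systems functions the slides say must be held by different people.
FUNCTIONS = frozenset({
    "systems_analysis", "programming", "computer_operations",
    "users", "ais_library", "data_control",
})

# Constructed access-control matrix: user -> functions granted to that user.
# "bob" has been given two functions, which is the conflict the slides warn about.
ACCESS_MATRIX = {
    "alice": {"systems_analysis"},
    "bob":   {"programming", "computer_operations"},
    "carol": {"ais_library"},
    "dave":  {"users"},
    "erin":  {"data_control"},
}


def compatibility_test(user, function, matrix=ACCESS_MATRIX):
    """Logical access control: is this user authorized for this specific function?
    Unknown users and unknown functions are denied, never defaulted to allow."""
    if function not in FUNCTIONS:
        return False
    return function in matrix.get(user, set())


def sod_violations(matrix=ACCESS_MATRIX):
    """Detective control: list every user who holds two or more of the six
    functions, together with the functions they hold."""
    return {user: sorted(held & FUNCTIONS)
            for user, held in matrix.items() if len(held & FUNCTIONS) >= 2}


def grant(user, function, matrix):
    """Preventive control: add a function to a user's entitlements only if it
    does not give that person a second function. Returns True if granted."""
    if function not in FUNCTIONS:
        raise ValueError(f"unknown function: {function}")
    held = matrix.setdefault(user, set())
    if held and function not in held:
        return False            # would combine two functions in one person
    held.add(function)
    return True
```

Denying unknown users and unknown functions by default matters as much as the matrix itself: a lookup that falls through to "allow" is the usual way an access control silently stops being one.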
DATA STORAGE CONTROLS

– Information is generally what gives a company a competitive
edge and makes it viable.
– A company should identify the types of data maintained and the
level of protection required for each.
– A company must also document the steps taken to protect data.
– A properly supervised file library is one essential means of preventing loss
of data.
– A file storage area should also be protected against fire, dust, excess heat,
or humidity.
– Following are types of file labels that can be used to protect data files from
misuse:
– external labels
– internal labels (volume, header, trailer)
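Internal header and trailer labels are most useful when a program actually checks them before processing. The following is an added example (not from the slides) of such a check over a constructed pipe-delimited batch file: the header label names the file and the expected record count, the trailer label carries the record count and a control total, and the verifier reports a wrong file, a truncated file, and a count or total that does not reconcile. The record layout, file names and amounts are all constructed for this example.

```python
from decimal import Decimal

# Constructed record layout for this example (pipe-delimited, one record per line):
#   HDR|<file name>|<yyyymmdd>|<expected number of detail records>
#   DTL|<employee id>|<amount>
#   TRL|<detail record count>|<control total of the amounts>

GOOD_FILE = """\
HDR|PAYROLL_2024_06|20240630|3
DTL|1001|2500.00
DTL|1002|3100.50
DTL|1003|1875.25
TRL|3|7475.75
"""

# Same file with the second detail record lost (for example a partial copy).
TRUNCATED_FILE = """\
HDR|PAYROLL_2024_06|20240630|3
DTL|1001|2500.00
DTL|1003|1875.25
TRL|3|7475.75
"""

# A file that is internally consistent but is not the one the job asked for.
WRONG_FILE = GOOD_FILE.replace("PAYROLL_2024_06", "PAYROLL_2024_05")


def verify_labelled_file(text, expected_name):
    """Check a file's internal labels before it is processed.

    Returns a list of problems; an empty list means the file passed.
    """
    problems = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("HDR|"):
        return ["missing header label"]
    if not lines[-1].startswith("TRL|"):
        return ["missing trailer label (file may be truncated)"]

    # Header label: confirms this is the right file for the job.
    _, name, _date, hdr_count = lines[0].split("|")
    if name != expected_name:
        problems.append(f"wrong file: header says {name}, job expected {expected_name}")

    details = [ln.split("|") for ln in lines[1:-1]]
    bad = [rec for rec in details if rec[0] != "DTL" or len(rec) != 3]
    if bad:
        problems.append(f"{len(bad)} malformed detail record(s)")
    good = [rec for rec in details if rec not in bad]
    count = len(good)
    total = sum((Decimal(rec[2]) for rec in good), Decimal("0"))

    # Trailer label: record count and control total must match what was read.
    _, trl_count, trl_total = lines[-1].split("|")
    if count != int(hdr_count):
        problems.append(f"header expects {hdr_count} records, read {count}")
    if count != int(trl_count):
        problems.append(f"trailer says {trl_count} records, read {count}")
    if total != Decimal(trl_total):
        problems.append(f"trailer control total {trl_total}, computed {total}")
    return problems
```

Amounts are handled as Decimal so the control total compares exactly; a float sum can drift by a rounding error and produce a false mismatch.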
DATA TRANSMISSION CONTROLS

To reduce the risk of data transmission failures,
companies should monitor the network.
How can data transmission errors be
minimized?
– using data encryption (cryptography); note that encryption keeps
transmitted data from being read by others rather than catching
transmission errors, so it complements the checks below
– implementing routing verification procedures
– parity checking
– using message acknowledgment techniques
DATA TRANSMISSION CONTROLS

Data transmission controls take on added importance in organizations that utilize electronic data interchange
(EDI) or electronic funds transfer (EFT).
In these types of environments, sound internal control is achieved using the following control procedures:
1. Physical access to network facilities should be strictly controlled.
2. Electronic identification should be required for all authorized network terminals.
3. Strict logical access control procedures are essential, with passwords and dial-in phone
numbers changed on a regular basis.
4. Encryption should be used to secure stored data as well as data being transmitted.
5. Details of all transactions should be recorded in a log that is periodically reviewed.
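The two data transmission slides list parity, message acknowledgment and encryption. The following is an added example (not code from the slides) that shows what each does and does not catch: a parity bit detects a single flipped bit but not two, and it is recomputed trivially by whoever alters a message, so it is an error check rather than a security control. For tamper detection the example attaches a keyed message authentication code (HMAC-SHA256) to each numbered message, which is a technique the slides do not mention, and the receiver acknowledges only messages whose tag verifies, so the sender can retransmit what was lost or rejected. The shared key and the messages are constructed for this example.

```python
import hashlib
import hmac

# Assumption (constructed for this example): sender and receiver share this key.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def parity_bit(data: bytes) -> int:
    """Even parity over the message: 1 when the count of 1-bits is odd."""
    return sum(bin(b).count("1") for b in data) & 1


def add_parity(data: bytes) -> bytes:
    """Append the parity as a trailing byte (a whole byte, for readability)."""
    return data + bytes([parity_bit(data)])


def parity_ok(frame: bytes) -> bool:
    """Receiver's parity check: recompute and compare with the trailing byte."""
    return len(frame) >= 1 and parity_bit(frame[:-1]) == frame[-1]


def flip_bits(data: bytes, *positions: int) -> bytes:
    """Simulate line noise by flipping the given bit positions."""
    buf = bytearray(data)
    for pos in positions:
        buf[pos // 8] ^= 1 << (pos % 8)
    return bytes(buf)


def mac(seq: int, data: bytes) -> bytes:
    """Keyed tag over sequence number + payload, so a replayed or renumbered
    message fails verification as well as an altered one."""
    return hmac.new(SHARED_KEY, seq.to_bytes(4, "big") + data, hashlib.sha256).digest()


def send(messages):
    """Sender: number each message and attach its tag. Returns a list of frames."""
    return [(seq, data, mac(seq, data)) for seq, data in enumerate(messages)]


def receive(frames, lost=frozenset()):
    """Receiver: drop frames marked as lost in transit, reject frames whose tag
    does not verify, and acknowledge only what was accepted.
    Returns (accepted {seq: data}, acks [seq, ...])."""
    accepted, acks = {}, []
    for seq, data, tag in frames:
        if seq in lost:
            continue
        if not hmac.compare_digest(tag, mac(seq, data)):
            continue            # tampered or corrupted: not acknowledged
        accepted[seq] = data
        acks.append(seq)
    return accepted, acks


def needs_retransmit(frames, acks):
    """Sender: every frame whose sequence number was not acknowledged."""
    acked = set(acks)
    return [frame for frame in frames if frame[0] not in acked]
```

The transaction log the slides ask for would record the sequence numbers, acknowledgments and rejected frames; the sequence number in the tag is also what lets the receiver notice a message that arrives twice.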
DOCUMENTATION STANDARDS

– Another important general control is documentation procedures and standards to
ensure clear and concise documentation.
– Documentation may be classified into three basic categories:
1. Administrative documentation
2. Systems documentation
3. Operating documentation
MINIMIZING SYSTEM DOWNTIME

– Significant financial losses can be incurred if hardware or software malfunctions
cause an AIS to fail.
– What are some methods used to minimize system downtime?
– preventive maintenance
– uninterruptible power supply (UPS)
– fault tolerance (redundant components that keep the system running when one fails)
DISASTER RECOVERY PLAN

– Every organization should have a disaster recovery plan so that data processing
capacity can be restored as smoothly and quickly as possible in the event of a
major disaster.
– What are the objectives of a recovery plan?
1. Minimize the extent of the disruption, damage, and loss.
2. Temporarily establish an alternative means of processing information.
3. Resume normal operations as soon as possible.
4. Train and familiarize personnel with emergency operations.
– A sound disaster plan should contain the following elements:
1. Priorities for the recovery process
2. Backup data and program files
3. Specific assignments
4. Complete documentation
5. Backup computer and telecommunications facilities
– reciprocal agreements
– hot and cold sites
– There are other aspects of disaster recovery planning that
deserve mention:
– The recovery plan is incomplete until it has been satisfactorily
tested by simulating a disaster.
– The recovery plan must be continuously reviewed and revised
to ensure that it reflects the current situation.
– The plan should include insurance coverage.
PROTECTION OF PCS AND CLIENT/SERVER
NETWORKS

– Why are PCs more vulnerable to security risks than mainframes?
– It is difficult to restrict physical access.
– PC users are usually less aware of the
importance of security and control.
– Many people are familiar with the operation of
PCs.
– Segregation of duties is very difficult.
– Many of the policies and procedures for mainframe control are applicable to PCs
and networks.
– The following controls are also important:
– Train users in PC-related control concepts.
– Restrict access by using locks and keys on PCs.
– Establish policies and procedures.
– Portable PCs should not be stored in cars.
– Back up hard disks regularly.
– Encrypt or password-protect files.
– Build protective walls around operating systems so that users
cannot alter them.
– Use multilevel password controls to limit employee access to
incompatible data.
INTERNET CONTROLS

– Why caution should be exercised when conducting business on the
Internet:
1. the large and global base of people that depend on
the Internet
2. the variability in quality, compatibility, completeness,
and stability of network products and services
3. access to messages by others
4. security flaws in Web sites
5. attraction of hackers to the Internet
– What controls can be used to secure Internet activity?
– passwords
– encryption technology
– routing verification procedures
– Another control is installing a firewall: hardware and software that control
communications between a company's internal network (trusted
network) and an external network.
– The firewall is a barrier between the networks that allows only the
traffic its rules permit to flow into and out of the trusted network;
everything not explicitly permitted is blocked.
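A firewall is a barrier because it denies by default and permits only what a rule allows. The following is an added example (not from the slides) of a small packet-filter ruleset evaluated first-match-wins with a default deny; the networks, ports and packets are constructed sample data using documentation address ranges, and the rule layout is an assumption for this example rather than any product's syntax.

```python
from ipaddress import ip_address, ip_network

# Constructed ruleset for this example. Each rule is
#   (action, direction, protocol, remote network, port)
# where port is the destination port of the connection. Rules are evaluated
# top to bottom and the first match wins, so order matters.
RULES = [
    ("deny",  "in",  "tcp", "203.0.113.66/32",   22),   # one blocked admin host
    ("allow", "in",  "tcp", "203.0.113.0/24",    22),   # SSH only from the admin LAN
    ("allow", "in",  "tcp", "0.0.0.0/0",        443),   # public HTTPS to the web server
    ("allow", "out", "tcp", "0.0.0.0/0",        443),   # internal hosts browsing HTTPS
    ("allow", "out", "udp", "198.51.100.53/32",  53),   # DNS to the company resolver only
]


def evaluate(direction, protocol, remote_ip, port, rules=RULES):
    """Return 'allow' or 'deny' for one packet.

    Anything no rule explicitly allows falls through to the default deny,
    which is what makes the firewall a barrier rather than a pass-through.
    """
    addr = ip_address(remote_ip)
    for action, rule_dir, rule_proto, network, rule_port in rules:
        if (rule_dir == direction and rule_proto == protocol
                and rule_port == port and addr in ip_network(network)):
            return action
    return "deny"


def filter_packets(packets, rules=RULES):
    """Apply the ruleset to a batch of (direction, protocol, ip, port) tuples.
    Returns (allowed, denied) so the denied traffic can be logged and reviewed."""
    allowed, denied = [], []
    for pkt in packets:
        (allowed if evaluate(*pkt, rules=rules) == "allow" else denied).append(pkt)
    return allowed, denied
```

The explicit deny for one host sits above the broader allow for its subnet; placed below it, it would never be reached.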
LEARNING OBJECTIVE 3

Identify and explain the control
procedures and techniques that
should be incorporated into
data processing applications of
computer-based information
systems.
APPLICATION CONTROLS

– The primary objective of application controls is to ensure the
accuracy of a specific application's inputs, files, programs, and
outputs.
– This section will discuss five categories of application controls:
1. Source data controls
2. Input validation routines
3. On-line data entry controls
4. Data processing and file maintenance controls
5. Output controls
SOURCE DATA CONTROLS

– There are a number of source data controls that regulate the accuracy,
validity, and completeness of input:
– key verification
– check digit verification
– prenumbered forms sequence test
– turnaround documents
– authorization
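Two of the source data controls above can be shown in code. The following is an added example (not from the slides) of check digit verification using the mod-10 (Luhn) scheme, one common check digit algorithm that catches any single mistyped digit and most adjacent transpositions, and of a prenumbered forms sequence test that reports missing and duplicated form numbers in a batch. The identifiers and form numbers are constructed for this example.

```python
from collections import Counter


def luhn_check_digit(payload: str) -> str:
    """Compute the mod-10 (Luhn) check digit for a string of digits."""
    if not payload.isdigit():
        raise ValueError("payload must be all digits")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit and every second one leftward
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def check_digit_valid(number: str) -> bool:
    """Check digit verification of a keyed identifier (payload + check digit).
    Non-numeric input fails rather than raising, since it comes from data entry."""
    if len(number) < 2 or not number.isdigit():
        return False
    return number[-1] == luhn_check_digit(number[:-1])


def sequence_test(form_numbers, first=None, last=None):
    """Prenumbered forms sequence test over a batch of document numbers.

    Returns (missing, duplicated): numbers absent from the expected range
    (defaulting to the lowest and highest number seen) and numbers that
    appear more than once.
    """
    counts = Counter(form_numbers)
    if not counts and (first is None or last is None):
        return [], []
    lo = min(counts) if first is None else first
    hi = max(counts) if last is None else last
    missing = [n for n in range(lo, hi + 1) if n not in counts]
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated
```

Pass the batch's known first and last form numbers to the sequence test when you have them; otherwise a form missing from either end of the batch cannot be noticed.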
INPUT VALIDATION ROUTINES

– Input validation routines are programs that check the validity and accuracy of input data
as it is entered into the system.
– These programs are called edit programs.
– The accuracy checks they perform are called edit checks.
– What are some edit checks used in input validation routines?
– sequence check
– field check
– sign check
– validity check
– limit check
– range check
– reasonableness test
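The edit checks above are easiest to tell apart when they run over real records. The following is an added example (not code from the slides) of an edit program for a constructed batch of payroll time records: it applies the field, validity, sign, limit, range and reasonableness checks to each record, applies the sequence check across the batch, and reports every failing check by name rather than stopping at the first. The employee master file, thresholds and records are all assumptions constructed for this example.

```python
# Constructed employee master file (id -> job class) and thresholds; all of
# these are assumptions for the example, not values from the slides.
EMPLOYEE_MASTER = {"1001": "clerk", "1002": "manager", "1003": "clerk"}
MAX_HOURS = 60                       # limit check: one upper bound on hours
MIN_RATE, MAX_RATE = 10.0, 200.0     # range check: both bounds on hourly rate
REASONABLE_HOURS = {"clerk": 45, "manager": 60}   # reasonableness: hours vs job class


def edit_checks(rec):
    """Run the edit checks on one time record; returns [(check name, message)]."""
    errors = []
    emp = str(rec.get("employee_id", ""))
    if not emp.isdigit():
        errors.append(("field check", f"employee_id {emp!r} must be all digits"))
    elif emp not in EMPLOYEE_MASTER:
        errors.append(("validity check", f"employee_id {emp} is not on the master file"))

    hours, rate = rec.get("hours"), rec.get("rate")
    if not isinstance(hours, (int, float)) or not isinstance(rate, (int, float)):
        errors.append(("field check", "hours and rate must be numeric"))
        return errors                   # value tests make no sense on non-numbers
    if hours < 0:
        errors.append(("sign check", f"hours {hours} cannot be negative"))
    if hours > MAX_HOURS:
        errors.append(("limit check", f"hours {hours} exceed the maximum of {MAX_HOURS}"))
    if not MIN_RATE <= rate <= MAX_RATE:
        errors.append(("range check", f"rate {rate} outside {MIN_RATE}-{MAX_RATE}"))
    job = EMPLOYEE_MASTER.get(emp)
    if job is not None and hours > REASONABLE_HOURS[job]:
        errors.append(("reasonableness test", f"{hours} hours is unusual for a {job}"))
    return errors


def batch_edit(records):
    """Edit every record in a batch and add a sequence check across the batch
    (records must arrive in ascending employee_id order).
    Returns {record index: errors} for the records that failed."""
    failed = {}
    for i, rec in enumerate(records):
        errors = edit_checks(rec)
        if i > 0:
            prev = str(records[i - 1].get("employee_id", ""))
            cur = str(rec.get("employee_id", ""))
            if prev.isdigit() and cur.isdigit() and int(cur) <= int(prev):
                errors.append(("sequence check",
                               f"employee_id {cur} is not greater than preceding {prev}"))
        if errors:
            failed[i] = errors
    return failed


# Constructed batch: record 0 is clean; each later record trips one or more checks.
SAMPLE_BATCH = [
    {"employee_id": "1001", "hours": 38, "rate": 20.0},
    {"employee_id": "1002", "hours": -5, "rate": 50.0},    # sign check
    {"employee_id": "1003", "hours": 75, "rate": 20.0},    # limit + reasonableness
    {"employee_id": "1003", "hours": 20, "rate": 500.0},   # range + sequence
    {"employee_id": "10A3", "hours": 40, "rate": 20.0},    # field check
    {"employee_id": "1009", "hours": 40, "rate": 20.0},    # validity check
]
```

Reporting every failing check at once is deliberate: a data entry clerk correcting a rejected batch needs the full list, and an edit program that stops at the first error hides the rest until the next run.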
ON-LINE DATA ENTRY CONTROLS

– The goal of on-line data entry controls is to ensure the accuracy and integrity of
transaction data entered from on-line terminals, PCs, and laptop/notebook computers.
– What are some on-line data entry controls?
– the edit checks listed above (field, sign, validity, limit, range, reasonableness)
– user ID numbers and passwords
– compatibility tests
– prompting
– preformatting
– completeness check
– automatic transaction data entry
– closed-loop verification
– transaction log
– clear error messages
DATA PROCESSING AND FILE
MAINTENANCE CONTROLS

– What are some of the more common controls that help preserve the accuracy and
completeness of data processing?
– data currency checks
– default values
– data matching
– exception reporting
– external data reconciliation
– control account reconciliation
– file security
– file conversion controls
OUTPUT CONTROLS

– The data control function should review all output for reasonableness and proper
format and should reconcile corresponding output and input control totals.
– Data control is also responsible for distributing computer output to the
appropriate user departments.
– Users are responsible for carefully reviewing the completeness and accuracy of all
computer output that they receive.
– A shredder can be used to destroy highly confidential output.
ASSIGNMENTS

1. How to control and secure the database in the
implementation of the revenue cycle in a global
environment;
2. How to control and secure the communication
system in the implementation of the revenue cycle in a
global environment;
3. How to control and secure computer access
in the implementation of the revenue cycle in a
global environment;
4. How to control and secure computer
hardware in the implementation of the revenue
cycle in a global environment;
5. How to control and secure the revenue cycle
application in a global environment.
