Accounting Information Systems
Accounting Information Systems ACC 321
These 21 pages of class notes were uploaded by Princess Nienow on Saturday, September 19, 2015. The notes belong to ACC 321 at Michigan State University, taught by Staff in Fall. Since upload, they have received 11 views.
Date Created: 09/19/15
Chapter 1 Accounting Info Systems Overview

What is an AIS (pg 6-7)
- Accounting info system: a system that collects, records, stores and processes data to produce info for decision makers.
- 6 components of an AIS:
  1. The people who operate the system and perform the functions
  2. The procedures and instructions, manual or automated
  3. The data about the business process
  4. The software to process the data
  5. The info technology infrastructure, including computers, network communications and peripheral devices
  6. The internal controls/security measures to protect the data in the AIS
- 3 functions of an AIS:
  1. Collect and store data
  2. Transform data into info
  3. Provide adequate controls to safeguard the organization's assets
- 7 characteristics of useful info:
  1. Relevant: info is relevant if it reduces uncertainty, improves decision makers' ability to make predictions, or confirms/corrects their prior expectations
  2. Reliable: info is reliable if it is free from error or bias and accurately represents the events or activities of the organization
  3. Complete: info is complete if it does not omit important aspects of the underlying events or activities that it measures
  4. Timely: info is timely if it is provided in time for decision makers to make decisions
  5. Understandable: info is understandable if it is presented in a useful and intelligible format
  6. Verifiable: info is verifiable if two knowledgeable people acting independently would each produce the same info
  7. Accessible: info is accessible if it is available to users when they need it and in a format they can use

The Role of the AIS in the Value Chain (pg 10-12)
- Value chain: the linking together of all the primary and support activities in a business. Value is added as a product passes through the chain.
- The five primary functions of a value chain that directly provide value to customers:
  1. Inbound logistics: consists of receiving, storing and distributing the materials an organization uses to create the services and products it sells
  2. Operations: the activities that transform inputs into final products or services
  3. Outbound logistics: the activities that distribute the finished goods or services to customers
  4. Marketing and sales: the activities that help customers buy the organization's products or services. Ex: advertising, market research, calling on customers, order processing and credit approval activities
  5. Service: activities that provide post-sale support to customers
- The four support activities allow the primary activities to be performed efficiently:
  1. Firm infrastructure: the accounting, finance, legal and general administration activities that allow the organization to function
     a. The AIS is part of the infrastructure
  2. Human resources: the activities that include recruiting, hiring, training and providing employee benefits and compensation
  3. Technology: activities that improve a product or service. Ex: research and development, investments in new info technology, web site development and product design/redesign
     a. Supply chain systems
  4. Purchasing: activities that procure raw materials, supplies, machinery and buildings used to carry out primary activities
- The primary and support activities are subsystems of the value chain system. The value chain system is part of the supply chain system.
- Supply chain: an extended system that includes an organization's value chain as well as its suppliers, distributors and customers.

How an AIS can add value to an organization
- An AIS is a support activity, so it can add value by providing timely and accurate info so that the five primary activities can be performed effectively. The AIS does this in 6 ways:
  1. Improving the quality and reducing the costs of products or services
     a. Ex: an AIS can instantly notify operators if performance is below an acceptable level. This maintains quality, reduces the amount of wasted materials and saves the cost of reworking anything.
  2. Improving efficiency
     a. Ex: an AIS can provide timely info to allow for a just-in-time manufacturing approach, which requires constant, accurate, up-to-date info about raw materials.
  3. Sharing knowledge
     a. Ex: accounting firms use an AIS to share best practices and support communication between people at different offices. Employees can search the company database to identify relevant experts for assistance with a client.
  4. Improving the efficiency and effectiveness of its supply chain
     a. Ex: allowing customers to directly access the company's inventory and sales order entry reduces the costs of sales and marketing. Potentially this increases both sales and customer retention.
  5. Improving the internal control structure
     a. Ex: an AIS with proper security, internal controls and privacy can protect systems from fraud, errors, equipment and software failure, and natural/political disasters.
  6. Improving decision making

Chapter 2 Business Processes (pg 30-33)
- Transaction: an agreement between two entities to exchange goods or services, or any other event that can be measured in economic terms by an organization
- Transaction processing: the process that begins with capturing transaction data and ends with an informational output such as financial statements
- Give-get exchange: an event where two entities exchange items, such as cash for goods or services
- Business cycle: a group of related business processes. The 5 major cycles are:
  1. The revenue cycle, where goods and services are sold for cash or credit
  2. The expenditure cycle, where companies purchase inventory for resale or raw materials to use in producing products, in exchange for cash or credit
  3. The production cycle, where raw materials are transformed into finished goods
  4. The human resources/payroll cycle, where employees are hired, trained, compensated, evaluated, promoted and terminated
  5. The financing cycle, where companies sell shares in the company to investors and borrow money, and where investors are paid dividends and interest is paid on loans
- General ledger and reporting system: the info-processing operations involved in updating the general ledger and preparing reports that summarize the results of the organization's activities for both management and external parties
- Pg 33: table with common examples for each cycle

Chapter 3 Systems Development and Documentation Techniques

Flowcharts (pg 70-77)
- Flowchart: an analytical technique used to describe some aspect of an info system in a clear, concise and logical manner. Flowcharting was introduced in the 1950s for two reasons:
  1. Record how business processes are performed
  2. Analyze how to improve the current processes and document flow
- Flowcharting symbol categories:
  1. Input/output symbols: represent devices that provide input to or record output from processing operations
  2. Processing symbols: either show what type of device is used to process data or indicate when processing is performed manually
  3. Storage symbols: represent the device used to store data that the system is not currently using
  4. Flow and miscellaneous symbols: indicate the flow of data and goods. They also represent such operations as where flowcharts begin or end, where decisions are made, and when to add explanatory notes to flowcharts
- Document flowchart: illustrates the flow of documents and info among areas of responsibility within an organization
  - A document flowchart is particularly useful in analyzing the adequacy of control procedures in a system, such as internal checks and segregation of functions
- Internal control flowchart: a document flowchart that describes and evaluates internal controls
- System flowchart: depicts the relationships among the input, processing and output of an AIS
- Program flowchart: illustrates the sequence of logical operations performed by a computer in executing a program
  - A program flowchart describes the specific logic to perform a process shown on a system flowchart
  - Serves as the blueprint for coding the computer program
- Pg 71 shows the flowchart symbols

Chapter 4 Relational Databases

Relational Databases (pg 111-123)
- Data model: an abstract representation of the contents of a database
- Relational data model: represents everything in the database as being stored in the form of tables
  - The relational data model only describes how the data appears in the conceptual- and external-level schemas. The data is not actually stored in tables but rather in the manner described in the internal-level schema
- Tuple: a row in a relational table that contains data about a specific occurrence of the type of entity represented by that table. Ex: in a customer table, each tuple would have info about a specific customer
- Primary key: the attribute that uniquely identifies a specific row in a table
- Foreign key: an attribute in a table that is a primary key in another table, used to link tables
- Requirements of a relational database:
  1. Every column in a row must be single valued
  2. Primary keys cannot be blank
     a. Entity integrity rule: a design constraint in a relational database requiring that the primary key have a non-null value
  3. Foreign keys, if not blank, must have values that correspond to the value of a primary key in another table
     a. Referential integrity rule: a constraint in relational database design requiring that any non-null value of a foreign key must correspond to a primary key in the referenced table
  4. All non-key attributes in a table should describe a characteristic of the object identified by the primary key
- Update anomaly, insert anomaly and delete anomaly: problems that can occur if a database is designed incorrectly. To update a customer address you have to update it multiple times, which can create errors; you can't input info about a potential customer until after a sale has been made; you can't delete a sales invoice without deleting all info about that customer.
  - These events are avoided with relational databases
- Normalization: an approach to database design that assumes that everything is stored in one large table to begin with. Then rules are followed to decompose the original table into a set of normalized tables
- Semantic data modeling: an approach to database design under which the designer uses knowledge about business processes (usually work) and about the info needs associated with the transaction to draw a picture of what the database should look like

Chapter 5 Computer Fraud and Abuse

Introduction to Fraud (pg 145-147)
- Fraud: gaining an unfair advantage over another person
- Legally, an act is fraudulent if there is:
  1. A false statement, representation or disclosure
  2. A material fact which induces a person to act
  3. An intent to deceive
  4. A justifiable reliance, that is, the person relies on the misrepresentation to take action
  5. An injury or loss suffered by a victim
- White-collar criminals: fraud perpetrators are usually employees with knowledge and access
- Two forms of fraud:
  1. Misappropriation of assets (employee fraud): the theft of company assets
  2. Fraudulent financial reporting: intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
     a. Four ways to reduce fraudulent financial reporting:
        i. Establish an organizational environment that contributes to the integrity of the financial reporting process
        ii. Identify and understand the factors that lead to fraudulent financial reporting
        iii. Assess the risk of fraudulent financial reporting within the company
        iv. Design and implement internal controls to provide reasonable assurance that fraudulent financial reporting is prevented
- SAS No. 99 requires auditors to:
  1. Understand fraud
  2. Discuss the risks of material fraudulent misstatements
  3. Obtain info
  4. Identify, assess and respond to risks
  5. Evaluate the results of their audit tests
  6. Document and communicate findings
  7. Incorporate a technology focus

Who Perpetrates Fraud and Why it Occurs
- Cyber criminals are the FBI's third highest threat
- The fraud triangle: pressure, opportunity, rationalization
- Pressure: a person's incentive or motivation for committing fraud
  - Ex: financial, lifestyle, emotional, industry conditions, management characteristics
- Opportunity: the condition or situation that allows a person or organization to do three things:
  1. Commit the fraud
  2. Conceal the fraud
     a. Lapping: an employee steals cash or a check from customer A to pay the AR, then uses customer B's payment to pay off A, then customer C's payment to pay off B, etc.
     b. Check kiting: an employee creates cash by taking advantage of the lag between depositing a check and the check clearing the bank
  3. Convert the theft or misrepresentation to a personal gain
- Rationalization: allows perpetrators to justify their illegal behavior

Computer Fraud and Abuse Techniques (pg 158-173)
- Adware: using software to collect web-surfing and spending data and forward it to advertising or media organizations. It also causes banner ads to pop up on computer monitors as the Internet is surfed
- Bluebugging: taking control of someone else's phone to make calls, send text messages, listen to their phone calls or read their text messages
- Bluesnarfing: stealing contact lists, images and other data using Bluetooth
- Botnet: a network of hijacked computers. Hackers (bot herders) that control the hijacked computers (zombies) use them in a variety of internet attacks
- Carding: buying and selling phished credit card numbers
- Chipping: planting a chip that records transaction data in a legitimate credit card reader
- Click fraud: clicking online ads numerous times to inflate advertising bills
- Cyber-extortion: requiring a company to pay a specified amount of money to keep the extortionist from harming the company electronically
- Data diddling: changing data before, during or after it is entered in the system
- Data leakage: copying company data, such as computer files, without permission
- Denial-of-service attack: sending email bombs (hundreds of messages per second) from randomly generated false addresses. The recipient's internet service provider is overloaded and shuts down
- Dictionary attacks (direct harvesting attacks): using software to guess the company addresses and send them blank emails. Unreturned messages are valid and are added to spammer email lists
- Email threats: sending a threatening message asking the recipient to do something that makes it possible to defraud them
- Eavesdropping: listening to private voice or data transmissions, often using a wiretap
- Economic espionage: the theft of info, trade secrets and intellectual property
- Evil twin: a wireless network with the same name as a local wireless access point. The hacker disables the legitimate access point, users unknowingly reconnect to the evil twin, and hackers monitor the traffic looking for useful info
- Hacking: the unauthorized access and use of computer systems, usually by means of a personal computer and a telecommunications system
- Hijacking: gaining control of someone else's computer to carry out illicit acts, such as sending spam, without the computer user's knowledge
- Identity theft: assuming someone's identity, usually for economic gain, by illegally obtaining confidential info such as a social security number
- Internet misinformation: using the internet to disrupt communications and electronic commerce
- Internet terrorism: using the internet to disrupt communications and electronic commerce
- Key logger: using spyware to record a user's keystrokes
- Logic and time bombs: software that sits idle until a specified circumstance or time triggers it, destroying programs, data or both
- Malware: software that can be used to do harm
- Masquerading/impersonation: accessing a system by pretending to be an authorized user. The impersonator enjoys the same privileges as the legitimate user
- Packet sniffing: using a computer to find confidential info as it travels the Internet and other networks
- Password cracking: penetrating system defenses, stealing valid passwords and decrypting them so they can be used to access system programs, files and data
- Pharming: redirecting traffic to a spoofed website to gain access to personal and confidential info
- Phishing: sending emails requesting recipients to visit a web page and verify data or fill in missing data. The emails and web sites look like those of legitimate companies, primarily financial institutions
- Phreaking: attacking phone systems and using telephone lines to transmit viruses and to access, steal and destroy data
- Piggybacking:
  - Tapping into a telecommunications line, latching on to a legitimate user and accompanying them into the system
  - The clandestine use of someone's WiFi
  - Bypassing physical security controls by entering a secure door when an authorized person opens it
- Posing: creating a seemingly legitimate business, collecting personal info while making a sale, and never delivering the item sold
- Pretext: acting under false pretenses to gain confidential info
- Rootkit: software that conceals processes, files, network connections and system data from the operating system and other programs
- Round-down fraud: truncating interest calculations at two decimal places. The truncated fraction of a cent is placed in an account controlled by the perpetrator
- Salami technique: stealing tiny slices of money over time. An example is increasing expenses by a fraction of a percent and placing those funds in a dummy account
- Scavenging (dumpster diving): searching for confidential corporate or personal info by searching trash cans or scanning the contents of computer memory
- Shoulder surfing: watching people or listening as they enter or give confidential info
  - Ex: ATM card stuck in machine
- Skimming: double-swiping a credit card or covertly swiping it in a card reader that records the data for later use
- Social engineering: techniques that trick a person into disclosing confidential info
- Software piracy: illegally copying computer software
- Spamming: emailing an unsolicited message to many people at the same time
- Splog: a spam blog that promotes affiliated web sites to increase their Google PageRank
- Spoofing: making an email message look as if someone else sent it
- Spyware: using software to monitor computing habits and send that data to someone else, often without the computer user's permission
- Steganography programs: hiding data from one file inside a host file, such as a large image or sound file
- Superzapping: using special software to bypass system controls and perform illegal acts
- Trap door: entering a system using a back door that bypasses normal system controls
- Trojan horse: unauthorized code in an authorized and properly functioning program
- Typosquatting: setting up web sites with names similar to real websites, so users making typographical errors entering web site names are sent to a site filled with malware
- Virus: a segment of executable code that attaches itself to software, replicates itself and spreads to other systems or files. Triggered by a predefined event, it damages system resources or displays a message on the monitor
- Vishing: voice phishing, where email recipients are asked to call a phone number where they are asked to divulge confidential data
- War dialing: dialing thousands of phone lines searching for idle modems that can be used to enter the system, capture the attached computer and gain access to the network to which it is attached
- War driving/rocketing: looking for unprotected wireless networks using a car or rocket
- Worm: similar to a virus, but a program rather than a code segment hidden in a host program. Copies and actively transmits itself directly to other systems. It usually does not live very long but is very destructive while alive
- Zero-day attack: an attack between the time a new software vulnerability is discovered and the time a software patch that fixes the problem is released

Chapter 6 Control and Accounting Info Systems

Overview of Control Concepts (pg 200-203)
- Internal control: the process implemented by the board of directors, managers and those under their direction to provide reasonable assurance that the following control objectives are met:
  - Safeguarding assets, including preventing or detecting on a timely basis the unauthorized acquisition, use or disposition of material company assets
  - Maintaining records in enough detail to accurately and fairly reflect assets
  - Providing accurate and reliable info
  - Providing reasonable assurance that GAAP is followed
  - Promoting and improving operational efficiency, including making sure company receipts and expenditures are made in accordance with management and directors' authorizations
  - Encouraging adherence to managerial policies
  - Complying with applicable laws and regulations
- 3 functions of internal controls:
  1. Preventive controls: controls that deter problems before they arise
     a. Ex: hiring qualified accounting personnel, separating duties, controlling assets, etc.
  2. Detective controls: controls designed to discover control problems soon after they arise
     a. Ex: monthly trial balances and bank reconciliations
  3. Corrective controls: procedures established to remedy the problems that are discovered
- Two categories of internal controls:
  - General controls: designed to make sure an organization's control environment is stable and well managed
    - Ex: info systems management controls, security management controls, IT infrastructure controls, and software acquisition, development and maintenance controls
  - Application controls: prevent, detect and correct transaction errors and fraud
- Foreign Corrupt Practices Act (1977): Congress ruling that prevents the bribery of foreign officials in order to obtain business, and requires corporations to maintain good systems of internal accounting control
- Sarbanes-Oxley Act of 2002 (SOX): intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen the internal controls at public companies, and punish executives who perpetrate fraud
  - Public Company Accounting Oversight Board (PCAOB): 5-member board to control the auditing profession. The SEC appoints the board
  - New rules for auditors: auditors cannot perform non-audit tasks, such as bookkeeping, for the company
  - New rules for audit committees: must be independent of the company
  - New rules for management: CEOs now must verify financial statements
  - New internal control requirements
- Control systems:
  1. Belief system: communicates company core values to employees and inspires them to live by them
  2. Boundary system: helps employees act ethically by setting limits beyond which an employee must not pass
     - Ex: meeting minimum standards of performance, shunning off-limit activities, and avoiding activities that would hurt the company's reputation
  3. Diagnostic control system: measures company progress by comparing actual performance to planned performance
     - Ex: comparing budgets or sales goals to actual results
  4. Interactive control system: helps top-level managers with high-level activities that demand frequent and regular attention
     - Ex: developing company strategy, setting objectives, understanding and assessing risks, monitoring changes in competitors and emerging technologies, and developing responses for high-level issues

The Internal Environment (pg 207-213)
- Internal environment: the tone or culture of a company that helps determine the risk consciousness of employees. It is the foundation for all other ERM components, providing discipline and structure
  - The most important component of the internal control framework
- Components of the internal environment:
  - Management's philosophy, operating style and risk appetite
  - The board of directors
  - Commitment to integrity, ethical values and competence
  - Organizational structure
  - Methods of assigning authority and responsibility
  - Human resource standards
  - External influences
- Risk appetite: the amount of risk a company is willing to accept in order to achieve its goals and objectives
- Audit committee: composed entirely of outside, independent directors. It is responsible for overseeing the corporation's internal control structure, its financial reporting process and its compliance with laws and standards
- Aspects of organizational structures:
  - Centralization or decentralization of authority
  - Assignment of responsibility for specific tasks
  - Whether there is a direct reporting relationship or more of a matrix structure
  - Organization by industry, product line, geographical location, or by a particular distribution or marketing network
  - The way responsibility allocation affects management's info requirements
  - The organization of the accounting and info system functions
  - The size and nature of company activities
- Policy and procedures manual: explains proper business practices, describes the knowledge and experience needed by key personnel, spells out management policy for handling specific transactions, and documents the systems and procedures employed to process those transactions

Risk Assessment and Control (pg 216-219)
- Inherent risk: the risk that exists before management takes any steps to control the likelihood or impact of a risk
- Residual risk: the risk that remains after management implements internal controls or some other response to risk
- Four responses to risk:
  1. Reduce: the most effective way to reduce the likelihood and impact of risk is to implement an effective system of internal controls
  2. Accept: accept the likelihood and impact of the risk by not acting to prevent it
  3. Share: share some of the risk or transfer it to someone else
     a. Ex: buy insurance, outsource an activity
  4. Avoid: risk is avoided by not engaging in the activity that produces the risk
     a. Ex: sell a division, exit a product line, or not expand
- Risk assessment and response strategy:
  1. Identify the events or threats that confront the company
  2. Estimate the likelihood of each threat
  3. Estimate the impact or potential loss from each threat
  4. Identify controls to guard against each threat
  5. Estimate the costs and benefits from instituting controls
     a. Expected loss = Impact x Likelihood
     b. The value of a control procedure is the difference between the expected loss with the procedure and the expected loss without it
  6. Decide if it is cost-beneficial to protect from the threat
     a. If yes, reduce risk by implementing controls
     b. If no, avoid, share or accept the risk

Control Activities (pg 219-228)
- Control activities: policies, procedures and rules that provide reasonable assurance that management's control objectives are met and the risk responses are carried out
- Categories of control procedures:
  1. Proper authorization of transactions and activities
     a. Authorization: the empowerment of an employee to perform certain tasks, such as purchases
     b. Specific authorization: certain transactions require managers to approve them
     c. General authorization: employees can handle routine transactions without special approval
  2. Segregation of duties
     a. Segregation of accounting duties:
        i. Authorization: approving transactions and decisions
        ii. Recording: preparing source documents, entering data online, maintaining journals, preparing reconciliations, and preparing performance reports
        iii. Custody: handling cash, tools, inventory or fixed assets; receiving customer checks; writing checks for the company
     b. Segregation of systems duties:
        i. Systems administration: responsible for ensuring that the different parts of an info system operate smoothly and efficiently
        ii. Network management: ensures that all applicable devices are linked to the organization's internal and external networks and that the networks operate continuously and properly
        iii. Security management: ensures that all aspects of the system are secure and protected from internal and external threats
        iv. Change management: these individuals manage all changes to an organization's info system to ensure they are made smoothly and efficiently and to prevent errors and fraud
        v. Users: record transactions, authorize data to be processed, and use the system output
        vi. Systems analysis: help users determine their info needs and then design an info system to meet those needs
        vii. Programming: take the design provided by systems analysts and create an info system by writing the computer program
        viii. Computer operations: run the software on the company's computers. Ensure data is input properly and correctly processed to produce the needed output
        ix. Info system library: maintains custody of corporate databases, files and programs in a separate storage area
        x. Data control: ensures that the source data has been properly approved, monitors the flow of work, reconciles inputs and outputs, maintains records of input errors to ensure correction, and distributes systems outputs
  3. Project development and acquisition controls
     a. Strategic master plan: shows the projects that must be completed to achieve long-range company goals and addresses the company's requirements
     b. Project controls:
        i. Project development plan: shows how a project will be completed, including tasks to be performed and by whom, the dates to be completed by, and project costs
        ii. Project milestones: significant points when progress is reviewed and actual and estimated completion dates are compared
        iii. Performance evaluation: the team that is responsible for the success or failure of the project should be evaluated as each project is completed
     c. Data processing schedule: used to maximize the use of scarce computer resources
     d. Steering committee: should be formed to guide and oversee systems development
     e. System performance measurements include the following:
        i. Throughput: output per unit of time
        ii. Utilization: percentage of time the system is being productively used
        iii. Response time: how long it takes the system to respond
     f. Post-implementation review: performed after a development project is completed to determine if the anticipated benefits were achieved
     - Systems integrator: a vendor who uses common standards and manages a cooperative systems development effort involving its own development personnel and those of the client and other vendors
  4. Change management: the process of making sure changes do not negatively affect systems reliability, security, confidentiality, integrity and availability
  5. Design and use of documents and records
  6. Safeguarding assets, records and data
     a. Create and enforce appropriate policies and procedures
     b. Maintain accurate records of all assets
     c. Restrict access to assets
     d. Protect records and documents
  7. Independent checks on performance
     a. Top-level reviews: company performance must be compared to budgeted, previous and competitors' performance
     b. Analytical reviews: an examination of the relationships between different sets of data
        i. Ex: as credit sales increase, so should accounts receivable
     c. Reconciliation of two independently maintained sets of records
        i. Ex: bank reconciliation, or reconciliation of the accounts receivable subsidiary total to the total accounts receivable
     d. Comparison of actual quantities with recorded amounts
        i. Ex: cash in the register should match the cash on the register tape at the end of an employee's shift; inventory should be counted annually, etc.
     e. Double-entry accounting: debits must always equal credits
     f. Independent review

Chapter 7 Information Systems Controls for Systems Reliability, Part 1

Introduction (pg 250-251)
- Information security is the foundation of systems reliability
- Other principles underlying systems reliability:
  - Confidentiality: security restricts system access to authorized users only, which protects the confidentiality of sensitive data
  - Privacy: security restricts system access to authorized users only, which protects the privacy of information from customers
  - Processing integrity: security prevents unauthorized or fake transactions from being submitted, as well as unauthorized changes to data from being made
  - Availability: security protects against viruses to ensure the system is always available

Three Fundamental Information Security Concepts (pg 253-257)
1. Security is a management issue, not a technology issue
   a. Managers are responsible for the accuracy of internal reports and financial statements
   b. Criteria for implementing the principles for systems reliability:
      i. Developing and documenting policies
         1. Management must develop a set of security policies before designing and implementing controls
         2. Management must record all technology in the company and decide which needs to be protected the most
      ii. Effectively communicating policies to all authorized users
         1. Employees must be periodically reminded of procedures
      iii. Designing and employing appropriate control procedures to implement policies
         1. Management must decide how much to invest in security and is held accountable for ensuring that the company has proper security controls
      iv. Monitoring the system and taking corrective action to maintain compliance with policies
         1. Technology is always changing, thus security systems must be constantly updated and communicated to employees
2. The time-based model of security evaluates the effectiveness of an organization's security by using the variables:
   a. P: the time an attacker has to break through the organization's preventive controls
   b. D: the time it takes to detect the attack
   c. C: the time it takes to respond to the attack
   d. If P > D + C, then the security is effective
3. Defense-in-depth: employ multiple layers of controls in order to avoid having a single point of failure
   a. Redundancy increases effectiveness because if one procedure fails another may function properly
   b. Utilizing a firewall, passwords and other processes increases redundancy, which can buy time for a company to recognize an attack and respond to it

Preventive Controls (pg 258-277)
- Seven major types of preventive controls:
  1. Authentication controls
     a. Authentication focuses on verifying the identity of the person or device attempting to access the system, in an attempt to ensure that only legitimate users access the system
     b. Users can be verified by:
        i. Passwords or PINs
        ii. Smart cards or ID badges
        iii. Biometric identifiers such as fingerprint or voice
     c. Multifactor authentication: utilizing two or all of the methods together
        i. Ex: an employee inserting a card and typing in a password
  2. Authorization controls
     a. Authorization restricts the access of authenticated users to specific portions of the system and specifies what actions they are permitted to perform
     b. Access control matrix: a table specifying which portions of the system users are permitted to access and what actions they can perform
     c. Compatibility test: used when an employee attempts to access part of an info system
  3. Training
     a. Employees must be trained to not open unsolicited emails, never share passwords, physically protect laptops, etc.
     b. Social engineering: using deception to obtain unauthorized access to info resources
  4. Controlling physical access
     a. Only one entrance, with an employee at the door to verify the identity of anyone who is entering
     b. Rooms with computers or sensitive information must be locked
  5. Controlling remote access
     a. Border router: connects a company's info system to the Internet
        i. Static packet filtering: screens individual IP packets based solely on the contents of the source and/or destination fields in the IP packet header. Performed by the border router
     b. Firewall: either a special-purpose hardware device or software running on a general-purpose computer
     c. Demilitarized zone: a separate network that permits controlled access from the Internet to selected resources
     d. Transmission Control Protocol: specifies the procedures for dividing files and documents into packets to be sent over the Internet and the methods for reassembly of the original document at the destination
     e. Internet Protocol: specifies the structure of those packets and how to route them to the proper destination
     f. Access control list: determines which packets are allowed entry and which are dropped
     g. Stateful packet filtering: maintains a table that lists all established connections between the organization's computers and the Internet. More effective than a static packet filter
     h. Deep packet inspection: inspecting the body of the data
     i. Intrusion prevention systems: designed to identify and drop packets that are part of an attack. Compare incoming mail against a list of known attacks as well as a list of what normal traffic looks like. It uses stats to determine if the traffic is likely to be normal. This is a new technology that is still being improved. It is a complementary tool to firewalls
     j. Companies should also have firewalls for each department to protect against internal attacks
     k. Remote authentication dial-in user service: a standard method for
verifying the identity of users attempting to dial in access 1 To monitor if any modems are unsecure technology specialists must periodically check using war dialing which calls every telephone number assigned to the company to identify those that are connected to modems 6 Host and Application Hardening a Host configuration 1 Hardening the process of turning off optional programs to decrease the number of vulnerabilities b Managing user accounts and privileges i Users with unlimited capabilities should use an account with limited access for daily routines and only use the unlimited account when necessary c Software design 7 Encryption the process of transforming normal text plaintext into unreadable gibberish ciphertext a Decryption reverses this process transforming ciphertext back to plaintext b Factors of encryption strength i Key length longer codes make it harder to spot patterns and quotbreakquot the code ii Key management policies keeping keys extremely secure 1 Key escrow having all keys on file in case an employee leaves that encrypted a file iii Nature of the encryption algorithm c Types of encryption systems i Symmetric encryption systems use the same key both to encrypt and decrypt ii Asymmetric encryption systems use two keys A public key and a private key d Hashing a process that takes plaintext of any length and transforms it into a short code e Digital signature information encrypted with the creator s private key and can only be decrypted with the corresponding public key f Digital certificate an electronic document created and digitally signed by a trusted third party that certifies the identity of the owner of a public key g Public key infrastructure refers to the system and processes used to issue and manage asymmetric keys and digital certificates h Certificate authority the organization that issues public and private keys and records the public key in a digital certificate i Esignature a cursive style imprint of a person s name that is applied 
to an electronic document Legally binding Detective Controls pg 277279 0 The audit trail created by the authorization and authentication processes is a detective control 0 Four types of detective controls 1 Log analysis the process of examininglogs to monitor security a logs create an audit trail b labor intensive and prone to human error 2 Intrusion a Intrusion detection systems create logs ofnetwork traffic that was permitted to pass the firewall and then analyze the logs for signs of attempted or successful intrusions 3 Managerial reports a Key performance indicators i number ofincidents with business impact ii percent of users who do not comply with password standards iii percent of cryptographic keys compromised and revoked 4 Security Testing a Vulnerability scans use automated tools designed to identify whether a given system possesses any wellknown vulnerabilities b Penetration test an authorized attempt by either an internal audit team or an external security consulting firm to break into the organization s info system Corrective Controls pg 279281 0 Three components to satisfy COBIT 1 Computer emergency response team responsible for dealing with major incidents a The incident report process recognition 39 Containment ii39 Recovery i FollowUp 2 Designation of a specific individual with organizationwide responsibility for information security a Chief Information Security Officer 3 An organized patch management team a Exploit the set ofinstructions for taking advantage ofa vulnerability published on the Internet b Patch a code released by software developers that fixes a particular vulnerability c Patch management the process for regularly applying patches and updates to all software used by the organization lt 39 Chapter 8 Information Systems Controls for ReliabilityPart 2 Confidentiality pg 294296 0 Virtual private network provides the functionality of a privately owned network while using the Internet Privacy pg 296299 0 10 practices to protect customer 
information 1 Management 2 Notice 3 Choice and consent 4 Collection a Cookies a text file created by a web site and stored on a Visitor s hard disk 5 Use and retention 6 Access 7 Disclosure to third parties 8 Security 9 Quality 10 Monitoring and enforcement Processing Integrity pg 299305 0 Input Controls 0 Forms design utilizing controls such as prenumbered source documents and turnaround tables in order to reduce the number of errors 0 Cancellation and storage of documents documents should be quotcancelledquot to prevent them from being reentered in the system Ex Stamping quotPaidquot on the document 0 Authorization and segregation of duties 0 Visual scanning scan for reasonableness prior to entry in the system 0 Data entry controls I Field check determines if the characters in a field are of the proper type 0 Ex A zip code should not contain letters Sign check determines if the data in a field have the appropriate arithmetic sign Limit check tests a numerical amount to ensure that it does not exceed a predetermined value Range check is similar to limit check except it has both upper and lower bounds Size check ensures that the input data will fit into the assigned field Completeness check determines if all required data items have been entered Validity check compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists Reasonableness test determines the correctness of the logical relationship between two data items Check digit verification authorized ID numbers can contain a check digit that is computed from other digits 0 Ex The system could assign each new employee a ninedigit number then calculate a tenth digit from the original nine and add that calculated number to the original nine to form a tendigit ID number If any of the first nine numbers are entered wrong it will not match the 10th digit the check digit 0 Batch processing entry controls I Sequence check test ifa batch ofinput data is 
in the proper numerical or alphabetical sequence I Batch totals summarize calculated key values for a batch input record 0 Financial total sums a field that contain dollar values such as the total dollar amount of all sales for a batch of transactions 0 Hash total sums nonfinancial numeric fields such as total of the quantity ordered field 0 Record count sums the number of records in a batch o Prompting the system requests each input data item and waits for an acceptable response I ie an online completeness check 0 Preformatting the system displays a document with highlighted blank spaces and waits for the data to be entered o Closedloop verification checks the accuracy of input data by using it to retrieve an display other info I Ex Ifa customer number is entered the customer can be displayed to ensure that the correct number was entered 0 Transaction log includes a detailed record of all transaction data a unique transaction identifier the date and time terminal transmission line operator identifier sequence the transaction was entered Ensures transactions are not lost or entered twice 0 Error log info about data entry or processing errors date cause corrected resubmitted should be entered in an error log This is used to periodically check that all errors have been corrected and then to complete an error report Processing controls 0 Data matching two or more items of data must be matched before an action can take place I Vendor on purchase order must match the on the invoice before a check is disbursed 0 File labels must be checked to ensure that correct and most current files are being updated I Header record located at the beginning of each file Contains the file name expiration date and other identification data I Trailer record located at the end of the file Contains the batch totals calculated during input 0 Recalculation ofbatch totals batch totals can be recomputed after each transaction record to ensure that they match the trailer record Discrepancies 
indicate an error If the recalculated value is greater additional or unauthorized transactions were probably entered If the recalculated value if smaller transactions may have been deleted Transposition error two adjacent digits were revered o ifa financial or hash total is evenly divisible by 9 a transposition error probably occurred 0 Crossfooting compares the results produced by each method to verify accuracy I zerobalance tests similar to crossfooting except used to control accounts A non zero balance indicates an error 0 Writeprotection mechanisms protect against the accidental writing over or erasing of data files stored on magnetic media I Ex RFID tags must have writeprotection mechanisms to ensure data isn t lost 0 Database processing integrity procedures database systems use database administrators data dictionaries and concurrent update controls to ensure processing integrity I Concurrent update controls protect records from errors that occur when two or more users attempt to update the same record simultaneously Output controls 0 User review of output users should examine output for correctness o Reconciliation periodically all transactions should be reconciled to control reports 0 External data reconciliation 0 Parity checking verifies that there are the proper number of bits set to the value 1 I Parity bit added to every character 0 Ex An even parity system would set the parity bit for 5 to 0 so it would be transmitted as 00000101 0 Message acknowledgement Echo check a hardware control that verifies transmitted data by having the receiving device send the message back to the sending device so that message received can be compared with the message sent Trailer record the sending unit stores control totals in a trailer record The receiving unit uses that info to verify that the message was received Numbered batches ifa large message is transmitted in segments each can be numbered sequentially so that the receiving unit can properly assemble the segments 
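The data entry controls and batch total recalculation described above, worked through in code. This is an added example, not from the course notes; the weighted mod-10 check digit scheme, the customer master file, the limits and the sample batch are all constructed for illustration.

```python
"""Added example (not from the course notes): the data entry edit checks and
batch totals above, run over a constructed batch of sales records.  The
check digit scheme (weighted mod 10), customer master file and limits are
constructed for illustration; the notes do not specify them."""

CUSTOMER_MASTER = {"C1001", "C1002", "C1003"}  # constructed master file
WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)          # constructed check digit weights

def check_digit(nine: str) -> str:
    """Tenth digit computed from the first nine (constructed weighted mod 10)."""
    total = sum(int(d) * w for d, w in zip(nine, WEIGHTS))
    return str((10 - total % 10) % 10)

def valid_employee_id(emp_id: str) -> bool:
    """Check digit verification: recompute the 10th digit and compare."""
    if len(emp_id) != 10 or not emp_id.isdigit():  # size check + field check
        return False
    return check_digit(emp_id[:9]) == emp_id[9]

def edit_checks(rec: dict) -> list:
    """Run the data entry controls on one record; return the failed checks."""
    failed = []
    for f in ("seq", "customer", "employee", "qty", "amount"):
        if rec.get(f) in (None, ""):                  # completeness check
            failed.append("completeness:" + f)
    if failed:
        return failed
    qty_ok = str(rec["qty"]).isdigit()                # field check: digits only
    if not qty_ok:
        failed.append("field:qty")
    elif not 1 <= int(rec["qty"]) <= 1000:            # range check: both bounds
        failed.append("range:qty")
        qty_ok = False
    if rec["amount"] < 0:                             # sign check
        failed.append("sign:amount")
    if rec["amount"] > 50_000:                        # limit check: upper bound
        failed.append("limit:amount")
    if len(rec["customer"]) > 5:                      # size check: fits field
        failed.append("size:customer")
    elif rec["customer"] not in CUSTOMER_MASTER:      # validity check
        failed.append("validity:customer")
    if not valid_employee_id(rec["employee"]):        # check digit verification
        failed.append("checkdigit:employee")
    if qty_ok and not 1 <= rec["amount"] / int(rec["qty"]) <= 5000:
        failed.append("reasonableness:unit_price")    # reasonableness test
    return failed

def batch_totals(batch: list) -> dict:
    """Financial total, hash total (quantity field) and record count."""
    return {"financial": sum(r["amount"] for r in batch),
            "hash": sum(int(r["qty"]) for r in batch),
            "count": len(batch)}

def explain_discrepancy(trailer: dict, recalculated: dict) -> str:
    """Compare recalculated totals with the trailer record, as the notes do."""
    if recalculated == trailer:
        return "ok"
    fin = recalculated["financial"] - trailer["financial"]
    hsh = recalculated["hash"] - trailer["hash"]
    if recalculated["count"] == trailer["count"]:
        if (fin or hsh) and fin % 9 == 0 and hsh % 9 == 0:  # swapped digits
            return "transposition error probable (difference divisible by 9)"
    if fin > 0 or recalculated["count"] > trailer["count"]:
        return "additional or unauthorized transactions probably entered"
    if fin < 0 or recalculated["count"] < trailer["count"]:
        return "transactions may have been deleted"
    return "unexplained discrepancy"

def sample_batch() -> list:
    """Constructed batch of three sales records, all valid as entered."""
    emp = "123456789" + check_digit("123456789")
    return [{"seq": 101, "customer": "C1001", "employee": emp, "qty": "10", "amount": 1200},
            {"seq": 102, "customer": "C1002", "employee": emp, "qty": "3", "amount": 450},
            {"seq": 103, "customer": "C1003", "employee": emp, "qty": "30", "amount": 3300}]
```

Swapping the adjacent digits of one amount (450 entered as 540) leaves the record count unchanged and moves the financial total by 90, which is why the divisible-by-9 test points at a transposition rather than a missing or extra record.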
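The even parity check under output controls above, as an added example (not from the course notes), including the error it cannot catch: a single flipped bit is detected, but two flipped bits restore even parity and pass. The transmission errors are constructed.

```python
"""Added example (not from the course notes): even parity for the 7-bit
characters described above.  The bit-flip errors are constructed."""

def add_even_parity(value: int) -> str:
    """Return the 8-bit frame: parity bit first, then the 7 data bits.
    Even parity: the parity bit is chosen so the total count of 1s is even."""
    if not 0 <= value < 128:
        raise ValueError("value must fit in 7 bits")
    data = format(value, "07b")
    parity = "1" if data.count("1") % 2 else "0"
    return parity + data

def parity_ok(frame: str) -> bool:
    """Receiver side: accept the frame only if its number of 1 bits is even."""
    return len(frame) == 8 and frame.count("1") % 2 == 0

def flip_bits(frame: str, *positions: int) -> str:
    """Constructed transmission error: invert the bits at the given positions."""
    bits = list(frame)
    for p in positions:
        bits[p] = "0" if bits[p] == "1" else "1"
    return "".join(bits)

def demo() -> dict:
    """Single-bit error is detected; a double-bit error slips through."""
    frame = add_even_parity(5)                      # "00000101", as in the notes
    return {"frame": frame,
            "clean_ok": parity_ok(frame),
            "one_flip_detected": not parity_ok(flip_bits(frame, 2)),
            "two_flips_detected": not parity_ok(flip_bits(frame, 2, 3))}
```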
- Batch processing integrity controls:
  1. Prepare batch totals.
  2. Deliver the transactions to the computer operations department for processing.
  3. Enter the transaction data into the system.
  4. Sort and edit the transaction file.
  5. Update the master files.
  6. Prepare and distribute output.
  7. User review.

Availability (pg 334-346)
- Threats to availability include:
  - Hardware and software failures
  - Natural and man-made disasters
  - Human error
  - Worms and viruses
  - Denial-of-service attacks and other acts of sabotage
- Fault tolerance: the capability of a system to continue performing when there is a hardware failure. The use of redundant components, such as dual processors, provides fault tolerance.
- Uninterruptible power supply: provides protection in the event of a prolonged power outage, using battery power to enable the system to operate long enough to back up critical data and safely shut down.
- Raised floors protect against floods, air conditioning prevents computers from overheating, and sprinklers protect against fires.
- Objectives of a disaster recovery and business continuity plan:
  - Minimize the extent of the disruption, damage and loss.
  - Temporarily establish an alternative means of processing info.
  - Resume normal operations as soon as possible.
  - Train and familiarize personnel with emergency operations.
- Backup: an exact copy of the most current version of a database, file or software program.
  - Full backup: an exact copy of an entire database. Time consuming.
  - Incremental backup: a partial backup that involves copying only the data items that have changed since the last backup.
  - Differential backup: a partial backup that copies all changes made since the last full backup. More time consuming than an incremental backup.
  - Restoration: the process of installing the backup copy for use.
  - Recovery point objective: represents the maximum length of time for which the organization is willing to risk the possible loss of transaction data.
  - Real-time mirroring: involves maintaining two copies of the database at two separate data centers at all times and updating both copies in real time as each transaction occurs.
  - Archive: a copy of a database, master file or software that will be retained indefinitely as a historical record, usually to satisfy legal and regulatory requirements. Usually stored on tape.
- Infrastructure replacement
  - Recovery time objective: represents the time following a disaster by which the organization's information system must be available again.
  - Cold site: an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all the necessary computer and other office equipment within a specified period of time.
  - Hot site: a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities. Enables the real-time mirroring approach.
- Documentation: the disaster plan must be documented, with instructions for all employees.
  - Detailed operating instructions are important, especially if temporary staff needs to be hired.
- Testing

Chapter 9 Auditing Computer-Based Information Systems

Information Systems Audit (pg 334-346)
- The purpose of an information systems audit is to review and evaluate the internal controls that protect the system.
- The 6 objectives of an info systems audit are (see pg 336-341):
1. Security provisions protect computer equipment, programs, communications and data from unauthorized access, modification or destruction.
   a. Types of security errors and fraud faced by companies:
      i. Accidental or intentional damage to system assets; unauthorized access, disclosure or modification of data and programs; theft; and interruption of business.
   b. Control procedures to minimize security errors and fraud:
      i. Developing a protection plan; restricting physical and logical access; using encryption and firewalls; using data transmission controls; preventing and recovering from system failures or disasters.
   c. Systems review audit procedures:
      i. Inspecting computer sites, interviewing personnel, reviewing policies and procedures, and examining access logs, insurance policies and the disaster recovery plan.
   d. Tests of controls audit procedures:
      i. Auditors test security controls by observing procedures, verifying that controls are in place and work as intended, investigating errors to ensure correct handling, and examining any tests previously performed.
   e. Compensating controls:
      i. Sound personnel policies
      ii. Effective user controls
      iii. Segregation of incompatible duties
2. Program development and acquisition are performed in accordance with management's general and specific authorization.
   a. Inadvertent errors due to misunderstanding of system specifications or careless programming.
   b. Unauthorized instructions deliberately inserted in the programs.
   c. Compensating controls:
      i. Strong processing controls
      ii. Independent processing of test data by the auditor
3. Program modifications have management's authorization and approval.
   a. Utilizing source code comparison to compare the tested program with the current program can help expose unauthorized changes to the program.
   b. Reprocessing technique: uses a verified copy of the source code. Without notice, the auditor uses the program to reprocess data and compares that to the company's output. If discrepancies arise, they must be investigated.
   c. Parallel simulation: similar to reprocessing, except that the auditor writes a program instead of saving a verified copy of the source code. Often used during the implementation process.
   d. Compensating controls:
      i. Independent audit tests for unauthorized or erroneous program changes
      ii. Strong processing controls
4. Processing of transactions, files, reports and other computer records is accurate and complete.
   a. Processing test data: a way of testing a program by processing a hypothetical series of valid and invalid transactions. The test should process the valid transactions correctly and identify all the invalid transactions.
      i. Test data generator program: automatically prepares test data based on program specifications.
      ii. Disadvantages:
         1. The auditor must spend considerable time developing an understanding of the system and preparing an adequate set of test transactions.
         2. Care must be taken to ensure that test data do not affect the company's files and databases. Can be less effective than a concealed test because the test must be reversed.
   b. Concurrent audit techniques: continually monitor the system and collect audit evidence while live data are processed during regular operating hours.
      i. Used because it is difficult or impossible to stop the system to perform audit tests.
      ii. Embedded audit modules: segments of program code that perform audit functions, report test results to the auditor and store the evidence.
      iii. Concurrent audit techniques can be time consuming, but less so if done when the programs are developed.
      iv. Integrated test facility: places a small set of fictitious records in the master files.
      v. Snapshot technique: examines the way transactions are processed. Selected transactions are marked, which triggers the process. They are traced throughout the process to ensure everything is working correctly.
      vi. System control audit review file: uses embedded audit modules to continuously monitor transaction activity and collect data on transactions with special audit significance.
         1. Audit log
         2. Records transactions that exceed a certain dollar limit, involve inactive accounts, deviate from company policy, or contain write-downs of asset values.
      vii. Audit hooks: audit routines that flag suspicious transactions.
         1. Enables auditors to be notified of questionable transactions as soon as they occur.
         2. Real-time notification displays a message on the auditor's terminal instantly.
      viii. Continuous and intermittent simulation: embeds an audit module in a database management system. If a transaction has special audit significance, the module independently processes the data, records the result and compares it with that obtained by the DBMS. If discrepancies exist, details are recorded on an audit log for investigation.
   c. Analysis of program logic
      i. Analysis of program logic is necessary when auditors suspect a program contains unauthorized code or serious errors. This is very time consuming, so it is used as a last resort.
         1. Automated flowcharting programs: interpret program source code and generate a corresponding program flowchart.
         2. Automated decision table programs: generate a decision table representing the program logic.
         3. Scanning routines: search a program for occurrences of a specified variable name or other character combinations.
         4. Mapping programs: identify unexecuted program code.
         5. Program tracing: sequentially prints all application program steps executed during a program run.
      ii. Helps expose unauthorized program instructions, incorrect logic paths and unexecuted program code.
   d. Compensating controls:
      i. Strong user controls
      ii. Effective source data controls
5. Source data that are inaccurate or improperly authorized are identified and handled according to prescribed managerial policies.
   a. Input controls matrix: a matrix that shows the control procedures applied to each field of an input record.
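The embedded audit module, SCARF audit log and audit hooks described under objective 4 above, as an added example (not from the course notes or any audit package). The dollar limit, the inactive-account list, the "no self-approval" policy and the sample transactions are constructed for illustration.

```python
"""Added example (not from the course notes): an embedded audit module in
the SCARF style, with audit hooks that flag transactions exceeding a dollar
limit, involving inactive accounts, writing down asset values, or deviating
from policy.  Thresholds, account status and transactions are constructed."""

from datetime import datetime

DOLLAR_LIMIT = 10_000                 # constructed policy threshold
INACTIVE_ACCOUNTS = {"A-300"}         # constructed master-file status
AUDIT_LOG: list = []                  # the SCARF audit log (evidence store)

def audit_hooks(txn: dict) -> list:
    """Return the reasons a transaction has special audit significance."""
    reasons = []
    if abs(txn["amount"]) > DOLLAR_LIMIT:
        reasons.append("exceeds dollar limit")
    if txn["account"] in INACTIVE_ACCOUNTS:
        reasons.append("inactive account")
    if txn["type"] == "writedown":
        reasons.append("asset write-down")
    if txn.get("approved_by") == txn["operator"]:   # constructed policy rule
        reasons.append("deviates from policy: self-approved")
    return reasons

def process(txn: dict, notify=None) -> dict:
    """Application posting with the embedded audit module in the same path,
    so the hooks run while live data are processed (concurrent technique)."""
    posted = {"id": txn["id"], "account": txn["account"], "amount": txn["amount"]}
    reasons = audit_hooks(txn)
    if reasons:
        entry = {"id": txn["id"], "reasons": reasons,
                 "logged_at": datetime.now().isoformat(timespec="seconds")}
        AUDIT_LOG.append(entry)       # stored for the auditor, not the user
        if notify:                    # real-time notification to the auditor
            notify(f"txn {txn['id']}: {', '.join(reasons)}")
    return posted

def run_sample(notify=None) -> list:
    """Process a constructed day's transactions; return the audit log entries."""
    AUDIT_LOG.clear()
    sample = [  # constructed transactions
        {"id": 1, "account": "A-100", "amount": 250, "type": "sale",
         "operator": "u1", "approved_by": "u2"},
        {"id": 2, "account": "A-300", "amount": 900, "type": "sale",
         "operator": "u1", "approved_by": "u2"},
        {"id": 3, "account": "A-100", "amount": 25_000, "type": "writedown",
         "operator": "u3", "approved_by": "u3"},
    ]
    for txn in sample:
        process(txn, notify)
    return list(AUDIT_LOG)
```

Transaction 1 posts silently; transaction 2 is logged for the inactive account, and transaction 3 is logged on three hooks at once, which is the kind of entry an auditor would pull from the SCARF log first.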