ACCOUNTING INFORMATION SYSTEMS: A DATABASE APPROACH by: Uday S. Murthy, Ph.D., ACA and S. Michael Groomer, Ph.D., CPA, CISA

Information Systems Controls

Learning Objectives

After studying this chapter you should be able to:

• provide a definition of controls
• explain the concepts of risk, exposure and reasonable assurance as they relate to controls
• explain the difference between preventive, detective, and corrective controls as categories of controls
• describe and discuss a number of risks that could be found in computer based systems
• discuss the essence of Sarbanes-Oxley and its impact on internal controls
• discuss Statement on Auditing Standards (SAS) No. 109 and its implications for controls in information systems
• provide a basic distinction between general and application controls as categories of controls
• describe general control procedures for database oriented systems environments
• describe application controls that can be incorporated into a database AIS
• indicate some control procedures that can be instituted only in on-line database systems
• explain how entity integrity and referential integrity contribute to better control in a database AIS
• explain the hierarchical nature of the relationship between the control environment, the accounting system, general and application control procedures
• briefly describe the COBIT control framework released by the Information Systems Audit and Control Association

The previous two chapters focused on the logical and physical modeling aspects of designing database systems. In this chapter we will examine the critical issue of information systems control and security. As you are aware, accountants are responsible for ensuring the accuracy and integrity of data stored in an information system. Organizations look to accountants to provide assurance that accounting data are error free. Given our focus on database systems, as we discussed in Chapter 6 ("Elements of Database Systems"), control and security concerns are heightened in database environments because a single shield, the database management system, protects the entire database. However, database technology provides opportunities to build controls into the system itself such that errors and irregularities are prevented from occurring. As we shall see in the context of Microsoft Access, facilities within the DBMS permit a focus on the prevention of errors rather than on their detection. This chapter will examine these issues in detail.

Controls overview and definition

Controls are mechanisms or procedures designed to prevent, detect or correct errors and irregularities. A procedure is a series of steps undertaken to accomplish a particular task. Errors are unintentional mistakes, while irregularities are intentional acts. The hardware inside computer systems will almost always process transactions and perform calculations flawlessly. However, the software that directs the functioning of computer hardware is designed and created by humans. It is the software component of computer-based information systems, and the human component that interacts with those systems, that introduces errors and irregularities into data and thus creates the need for good controls.

Exposure and reasonable assurance

The likelihood that an information system will experience an error or irregularity is referred to as risk. In the next section we will explore the various kinds of risks associated with computer-based systems. The dollar amount of loss that could occur if the risk is realized, i.e., if errors actually occur, is referred to as an exposure. Without effective control mechanisms, the organization is likely to be "exposed" to one or more of a number of very disagreeable outcomes, summarized below.

Exposure: Potential Outcome

Erroneous record keeping: The recording of financial transactions contrary to established accounting policies. The errors may involve timing, value, or classification problems.

Unacceptable accounting: The establishment or implementation of accounting policies which are not generally accepted or are inappropriate to the circumstances.

Business interruption: This may include anything from a temporary suspension of operations to a permanent termination of the enterprise.

Erroneous management decisions: These are objectionable in themselves but may also lead to other exposures. Erroneous decision making may arise from misleading information, lack of information, or errors in judgment.

Fraud and embezzlement: Fraud and embezzlement may be perpetrated at different levels, against management or by management. Misappropriation of funds is only one ramification of fraud. Deliberately misinforming management or investors is also fraudulent.

Statutory sanctions: Any of the penalties that may be brought by judicial or regulatory authorities having jurisdiction over an organization's operations.

Excessive costs: Any expense of the business that could be readily avoided. A related exposure is the loss of revenues to which the organization is fairly entitled.

Loss or destruction of assets: The unintentional loss of physical assets, monies, claims to monies, or information assets.

Competitive disadvantage: Any inability of an organization to remain abreast of the demands of the marketplace or to respond effectively to competitive challenges.

Controls cannot be installed to prevent every possible risk, nor do they need to be. If the exposure for a risk is deemed unacceptably high, controls should be implemented to prevent that risk from occurring; but if the cost of implementing a control exceeds the likely benefit in terms of reduced exposure, the control should not be implemented. The cost-benefit issue must therefore be addressed in deciding which risks can and should be prevented with controls: a control is justified only where its benefits exceed its cost of implementation. The concept of reasonable assurance is also relevant in this context. Since the cost of implementing controls to protect against every conceivable risk would be prohibitive, controls are designed to provide reasonable assurance, rather than absolute assurance, that accounting data are error free.

Control categories

Controls can be categorized as preventive, detective or corrective. Preventive controls aim to stop errors or unwanted acts from occurring; detective controls aim to find errors or unwanted acts after they have occurred. Preventive controls typically halt processing as soon as an error or exception condition is identified. Examples of preventive controls include the segregation of duties, the use of passwords on computer accounts, label matches and batch totals. As you think about these specific controls, consider that they can be driven by humans, machines or a combination of both (man-machine environments). For example, a label match is the electronic comparison of the internal label written on a file held on a mass storage device with the file label supplied by a human to a computer program; if the labels do not match, processing is aborted. Segregation of duties, on the other hand, is an organizational matter that focuses almost entirely on the human dimension of systems.

Detective controls include the use of suspense files, computer-based edits such as limit checks, and the use of internal and external auditors. A suspense file holds transactions that cannot be completely processed: if a transaction is not in balance, it is suspended until the imbalance is resolved. A limit check would be employed, for example, where no payroll check of more than $50,000 is to be paid in any given month. This is a detective control, and it is also a machine control: if a request for pay of $60,000 were presented to the payroll system, the request would require a management override before payment could be made.

Corrective controls assist in both the investigation and correction of errors or unwanted acts after they have been detected. A human or machine must monitor the alarms raised by detective controls; if those alarms are not monitored, the detective controls become useless. Examples of corrective controls include the backup process for key files, the use of Uninterruptible Power Supplies (UPS), and discrepancy reports.

Preventive controls are inherently more reliable because they prohibit the processing of transactions that contain errors. Detective controls, on the other hand, typically allow all data, valid and invalid, to be completely processed, and then rely on human follow-up or on corrective controls for ultimate resolution. While all three control types are part of systems being built today, systems designers and users prefer to see preventive controls used more often than the detective/corrective combination, for the obvious reason that errors are identified at the outset and erroneous transactions are never processed to completion.
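The three control categories above, as an added example that is not part of the original chapter: a small Python payroll batch processor in which the batch total and record count act as the preventive control (a mismatch halts the whole batch), the $50,000 limit check from the chapter's example acts as the detective control feeding a suspense file unless a manager has overridden it, and the discrepancy report is the output that corrective follow-up works from. The data classes, the hypothetical override field approved_by and the sample batch are assumptions made for this example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional

# Limit-check threshold taken from the chapter's payroll example: no single
# pay request above $50,000 in a month is paid without a management override.
PAY_LIMIT = Decimal("50000")


@dataclass
class PayRequest:
    employee_id: str
    amount: Decimal
    approved_by: Optional[str] = None  # hypothetical field: manager who overrode the limit


@dataclass
class BatchResult:
    paid: List[PayRequest] = field(default_factory=list)
    suspended: List[PayRequest] = field(default_factory=list)   # the suspense file
    rejected: List[PayRequest] = field(default_factory=list)
    discrepancy_report: List[str] = field(default_factory=list)  # input to corrective follow-up


def batch_totals_match(requests: List[PayRequest], control_total: Decimal,
                       record_count: int) -> bool:
    """Preventive control: the submitter's hand-computed control total and record
    count must equal what the system sees before any record is processed."""
    actual_total = sum((r.amount for r in requests), Decimal(0))
    return actual_total == control_total and len(requests) == record_count


def within_limit(request: PayRequest) -> bool:
    """Detective edit (limit check) on a single record."""
    return Decimal(0) <= request.amount <= PAY_LIMIT


def process_batch(requests: List[PayRequest], control_total: Decimal,
                  record_count: int) -> BatchResult:
    result = BatchResult()
    if not batch_totals_match(requests, control_total, record_count):
        # Preventive: the whole batch halts; nothing in it reaches the ledger.
        result.rejected.extend(requests)
        result.discrepancy_report.append(
            f"BATCH REJECTED: control total {control_total}/{record_count} records "
            f"vs. submitted {sum((r.amount for r in requests), Decimal(0))}/{len(requests)}")
        return result
    for req in requests:
        if req.amount < 0:
            result.rejected.append(req)
            result.discrepancy_report.append(
                f"REJECTED {req.employee_id}: negative amount {req.amount}")
        elif within_limit(req):
            result.paid.append(req)
        elif req.approved_by:
            # Over the limit but a manager overrode: pay, and leave an audit trail.
            result.paid.append(req)
            result.discrepancy_report.append(
                f"OVERRIDE {req.employee_id}: {req.amount} approved by {req.approved_by}")
        else:
            # Detective: hold the record in suspense until a human resolves it.
            result.suspended.append(req)
            result.discrepancy_report.append(
                f"SUSPENDED {req.employee_id}: {req.amount} exceeds limit {PAY_LIMIT}")
    return result


# Constructed sample batch, not data from the chapter.
SAMPLE = [
    PayRequest("E100", Decimal("4200.00")),
    PayRequest("E101", Decimal("60000.00")),                    # over limit, no override
    PayRequest("E102", Decimal("55000.00"), approved_by="M7"),  # over limit, overridden
]
SAMPLE_TOTAL = Decimal("119200.00")

if __name__ == "__main__":
    res = process_batch(SAMPLE, SAMPLE_TOTAL, 3)
    print("paid:", [p.employee_id for p in res.paid])
    print("suspended:", [s.employee_id for s in res.suspended])
    print("\n".join(res.discrepancy_report))
```

Note the asymmetry the chapter describes: the batch-total mismatch stops everything before any record is touched, whereas the limit check lets the rest of the batch through and only parks the offending record, so someone has to read the discrepancy report for the suspense file to ever be cleared.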

Historically, accountants, and external auditors in particular, have focused primarily on detecting errors after they have occurred. This focus was due to the predominantly manual nature of accounting systems, where little could be done to prevent errors from occurring: input, processing, and output of accounting transactions were all handled by humans, and to err is human. With the computerization of accounting systems, however, errors and irregularities are almost always localized to the human components of computer-based systems. The question then becomes: how can systems be designed to minimize or virtually eliminate the risk of errors occurring? As we will see later in this chapter, currently available database technology allows a database oriented accounting system to have an extensive array of controls built into the system, such that most errors are identified early in the accounting process and are prevented from entering the accounting system.


Risks in computer-based systems

As indicated above, the risk of errors and irregularities occurring in computer-based systems can be traced primarily to the human component of information systems. In addition to human interaction with systems, there may be external environmental factors that cause disruptions, errors, and irregularities in the system's operations. Let us more closely examine the nature of risks found in accounting information systems.

Errors in data

By far the most common risk is that of data being incorrectly input into, updated in, or deleted from an organization's data repository. Errors are unintentional mistakes arising mainly from invalid data entry. Inadequately trained personnel, or overworked and tired personnel, can frequently cause errors. As we will discuss later in the chapter, a number of controls can be programmed into information systems to validate entered data such that errors are detected before they enter the system.

Irregularities in data

Irregularities are intentional alterations or misstatements of data. Intentional alteration or misstatement of data in information systems may be performed by management in an attempt to mislead investors or creditors (to the extent that the altered data are reflected in the financial statements). Such irregularities, referred to as management fraud, are very difficult to detect. Intentional alteration or misstatement of data could also be performed by employees, often to conceal theft or misappropriation of assets (referred to as defalcation). A payroll data entry operator entering an inflated number of hours worked for a friend in return for a percentage of the excess pay would be an example of a fraud committed by entering incorrect data. The "lapping" fraud which you may have learned about is also concealed by altering data. (In "lapping," collections from one customer are applied to the account of another customer whose payment was misappropriated by the fraud perpetrator.)

Loss of data

In your own experiences with computer systems you have undoubtedly been fearful of inadvertently deleting a critical file or data within a file. Controls are needed to protect against both intentional and accidental erasure or destruction of data. A disgruntled employee might delete vital files as an act of revenge against the company. In response to this threat of loss of data, the organization needs to consider both preventive measures and recovery procedures. The first line of defense is to have control procedures that prevent accidental or intentional loss of data. However, once data are lost the organization should be able to recover the lost data. We will explore control procedures that both prevent and help recover lost data.


Natural disasters

Fires, floods, and other acts of God represent threats to the organization's information systems and information assets. These natural disasters can cause serious damage to an organization's information systems. There have been studies that have found that if a firm's information systems are inoperative for more than three business days there is a high likelihood that the firm will be forced into bankruptcy. Although rare, other types of disasters that might pose a threat would be intentional or criminal destruction or theft of the firm's computing hardware. It is critical to consider all possible disasters and protect against them to the extent possible while still ensuring that the costs of installing controls do not outweigh the potential benefits.

Computer crime

We have already alluded to the threat of intentional errors in, and destruction of, data. Broadly defined, computer crime includes any intentional act involving unauthorized access to, use of, alteration of, or destruction of computer hardware, software resources or data. White collar crime, and computer crime in particular, is a growing problem with the proliferation of computers and the increasing level of computer literacy among a wide array of employees within most firms. Even the most conservative estimates of annual losses due to computer crime are several orders of magnitude greater than annual losses due to violent crime. One reason why losses due to computer crime are difficult to estimate is that most cases remain unreported: fear of negative publicity causes many firms to avoid taking legal action against the perpetrator.

To consider the kinds of activities that constitute "computer crime," it is revealing to review the categories of computer crime that the Federal Bureau of Investigation's National Computer Crime Squad investigates. They are:

• Intrusions of the Public Switched Network (the telephone company)
• Major computer network intrusions
• Network integrity violations
• Privacy violations
• Industrial espionage
• Pirated computer software
• Other crimes where the computer is a major factor in committing the criminal offense

Computer crime may be as obvious and blatant as stealing computer equipment or software, or it could be something more subtle. Hacking into a computer system, even if only to test the system's defenses, is also considered a computer crime. Unauthorized use of computer resources is considered computer crime whether or not the perpetrator obtained financial gain. Fraudulent modification of a computer program for private gain is a more obvious example of computer crime. A major category of computer crime is the theft of information. For most organizations these days the information stored in their computer systems represents a highly valued resource. Vast amounts of proprietary data are typically stored in organizational databases. Individuals with access to data about new products being developed or the company's customer list can potentially sell that information for private gain. For example, a phenomenal amount of information about the credit histories of literally millions of individuals is stored in the databases of companies such as TRW.

The American Institute of CPAs publishes an annual list of "Top Technology Initiatives" that should be of concern to accountants. Members of the Information Technology Committees of the AICPA develop these listings. Interestingly, for 2013, a number of the top ten technology initiatives in the United States involve internal control concerns, including managing and retaining data (#1), securing the IT environment (#2), managing IT risk and compliance (#3), ensuring privacy (#4), and preventing and responding to computer fraud (#6). Five of the top ten initiatives thus have a direct connection to internal control and security.

Internal Controls and the Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002 has brought sweeping change to the world of accounting and auditing in the United States. The Sarbanes-Oxley Act, or "SOX" for short, was passed by the Congress of the United States in response to a number of financial failures; you have most likely heard of Enron, WorldCom and other companies that experienced serious financial difficulties. Sarbanes-Oxley established the Public Company Accounting Oversight Board (PCAOB). The PCAOB is a private-sector, non-profit corporation created by the Act, and its powers and activities are ultimately subject to approval and oversight by the Securities and Exchange Commission. SOX provides the PCAOB with broad powers to regulate audits and auditors of public companies.

Prior to the appearance of the PCAOB, auditing standards were articulated in the public domain by the Auditing Standards Board of the American Institute of CPAs. These standards are entitled "Statements on Auditing Standards," or SASs for short. However, the SOX legislation gives the PCAOB the right to "adopt, amend, modify, repeal or reject" auditing and attestation standards for public companies. With a stroke of the President's pen and a subsequent procedural action by the PCAOB, auditing standards for public companies moved from the public domain to the governmental domain. Auditing standards for non-public companies remain in the domain of the Auditing Standards Board. Given this duality, many in the financial community are concerned about the presence of two potentially competing sets of auditing standards.

The essence of Sarbanes-Oxley is focused on several key concerns. They are:

Title I: This portion of the act extends broad powers to the PCAOB to regulate audits and auditors of public companies. The Securities and Exchange Commission (the SEC or Commission) has appointed the required five members of the Board. This portion of the act describes the Board's responsibility, structure, and authority.

Title II: The auditor independence provisions of the Act, and the SEC rules that flesh them out, affect not only auditors but also audit committees and the executives and directors of public companies. These provisions change relationships between auditors and clients, the marketplace for services, and the potential penalties for violations. Title II imposes new obligations on audit committees, restricts the circumstances in which clients can hire their outside auditor’s partners and employees, and limits the terms of service by audit partners on an engagement.

Title III: This portion of the act imposes new responsibilities on all corporate participants in the financial reporting process. It requires auditors to report directly to the audit committee, obligates audit committees to perform specified tasks, mandates that management formally acknowledge its participation in the financial reporting process, and imposes civil penalties on those who knowingly falsify financial statements. An issuer’s failure to comply with the audit committee independence requirements would lead to delisting.

Title IV: This section covers a lot of ground in terms of both new disclosures and their effect on corporate institutions. It requires increased disclosures of material off-balance-sheet arrangements and relationships, sets standards for non-GAAP (pro forma) financial information, and mandates that companies whose audit committees do not include an “audit committee financial expert” disclose that fact. Other new disclosures pertain to codes of ethics for senior financial officers, management assessments of a company’s internal controls, auditor’s attestation reports on the assessments, and additional prompt disclosures on Form 8-K. Already-required disclosures of transactions in company stock must be accelerated, and issuers are prohibited from making certain loans to directors or executive officers. New criteria for SEC reviews of issuers’ financial reports would increase the frequency of those reviews.

In April of 2003, the PCAOB asserted its legislative authority to promulgate auditing standards for public companies. While the PCAOB initially “grandfathered” all of the existing SASs, the PCAOB has issued five standards. Most notable of these standards is Auditing Standard No. 5: An Audit of Internal Control over Financial Reporting That is Integrated with an Audit of Financial Statements.

Given our discussion of internal controls, one of the most notable sections of SOX is Section 404, which deals with internal controls. This section:

• Requires management to acknowledge its responsibility for
  o establishing and maintaining adequate internal controls over financial reporting, and
  o its assessment of the effectiveness of those controls (404a).

• Requires that management document and test its internal controls over financial reporting. Management is required to report to the independent auditor, and to report publicly, its conclusions about the effectiveness of controls.

• Requires the auditor to attest and report on management's assertions regarding internal controls (404b). The amount of work prescribed for the auditor is considerably more than the internal control work needed to opine on the financial statements. Thus in an opinion audit for public companies, the external auditor will issue three audit reports: one on the financial statements, one on internal controls and one on management's assessment of internal controls.

The essence of Section 404 is to focus the attention of the client’s senior management on financial reporting and on internal controls over financial reporting. Moreover, this section is intended to minimize the opportunity and presence of fraudulent activities in the client organization.

Complying with Section 404 of SOX is a costly undertaking for public companies. The Financial Executives Institute (FEI) conducts surveys of public companies to assess the costs of complying with Section 404. In January 2004, its survey estimated the average cost of complying with SOX at $1.93 million. In July 2004, a second FEI survey pegged the cost at $3.1 million. The FEI survey conducted in 2007, however, revealed that the average cost of SOX compliance had dropped to $1.7 million.

The Sarbanes-Oxley Act requires companies to adopt a control framework, but it does not mandate the use of any particular control framework. What has emerged as the de facto standard internal control framework is referred to as the COSO internal control framework. The acronym COSO stands for the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. The COSO Internal Control— Integrated Framework, is generally recognized as providing suitable criteria against which management may evaluate and report on the effectiveness of its internal controls for financial reporting. Under COSO, internal controls and procedures for financial reporting consist of the following components: control environment, risk assessment, control activities, information and communication, and monitoring. Such a framework considers matters at both the entity level and activity level.

Complete coverage of Sarbanes-Oxley is beyond the scope of this chapter. As you will recall, SOX applies to public companies. In the section that follows, we further discuss internal controls as they apply to both public and non-public companies with a focus on the applicable SASs.

Internal Controls and SAS No. 109

An organization's primary defense mechanism against the risks indicated above is its internal controls. The Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants provides a description of the components of internal control in Statement on Auditing Standards (SAS) No. 109, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement." As you are likely aware, the SASs constitute the procedures that must be adhered to by Certified Public Accountants in their performance of financial statement audits.

SAS No. 109 was issued in March of 2006. This standard either directly or indirectly supersedes SAS Nos. 55, 74 and 94, which were the previously relied-upon standards for internal control. Like its predecessors, SAS No. 109 recognizes the COSO Internal Control--Integrated Framework as the generally accepted framework for internal controls. We introduced the General Systems Model in Chapter 2. We now use the General Systems Model, shown below, as the basis for understanding the definition and description of internal control found in COSO and SAS No. 109.

A Model for Understanding the COSO Components of Internal Control

[Figure: the General Systems Model annotated with the COSO components of internal control. The figure's boxes and their labels are as follows.]

General Systems Control Environment (Control Concerns Outside the System):
  Control Environment: Integrity and Ethical Values; Commitment to Competence; Audit Committee Participation; Management Philosophy and Operating Style; Organizational Structure; Assignment of Authority and Responsibility; Human Resource Policies and Practices
  Risk Assessment: Detail Tie-in; Existence / Validity; Completeness; Accuracy; Classification; Cutoff; Valuation; Ownership; Presentation and Disclosure
  Monitoring: Periodic Assessment of Control Quality

The Accounting System (inside the System Boundary; Information and Communication):
  Data Capture System (Inputs: Transactions and events)
  Accounting Procedures: Identify; Record; Classify; Summarize; Interpret
  Reporting System (Outputs: Ad-Hoc Reports and Financial Statements)
  Control Activities: Adequate Segregation of Duties; Proper Authorization of Transactions; Adequate Documents and Records; Physical Control Over Assets and Records; Independent Checks on Performance
  Transaction objectives that must be satisfied: Existence; Completeness; Accuracy; Classification; Timing; Posting and Summarization

Subject to the audit objectives for financial statements: Existence; Completeness; Accuracy; Classification; Cutoff; Realizable value; Ownership; Presentation and disclosure

This diagram of COSO in the context of the General Systems Model indicates two things. First, COSO has a systems orientation. Second, the General Systems Model provides a very effective way of thinking about the nature and components of internal controls found in SAS No. 109. Consider the Student Registration System that we first discussed in Chapter 8. In the table below, you will see a description of the components of SAS No. 109 relative to the Student Registration System.

System Component (documentation required by SAS No. 109 is shown in bold in the original): Description

Control Environment: What is outside the student registration system (e.g., the control environment system or other accounting systems)?

Management's Risk Assessment: Management's identification and analysis of risks relevant to the preparation of financial statements in accord with GAAP. Essentially this assessment focuses on the financial statement assertions that management makes to the stockholders.

Control Activities: Specific control activities (procedures) undertaken by the registration system.

Information and Communication: Distinguishes what is inside the system (e.g., accounting activities for registration processing).

Monitoring: The role that management plays in periodically assessing the quality of the processing undertaken by the student registration system.

Inputs to the System: Transactions from inside and outside the organization's boundary (e.g., students making registration requests, departments providing course availability information).

Outputs from the System: Registration statements, fee statements, class rosters.

Accounting Procedures: The process of identifying, recording, classifying, summarizing, and interpreting transactions and events.

Each component of the COSO framework will now be discussed in detail.

Control environment

The control environment "represents the collective effect of various factors on establishing, enhancing, or mitigating the effectiveness of specific policies and procedures." Specifically, the control environment includes management's philosophy, the entity's organizational structure, the board of directors' and its committees' functions, methods of assigning authority and responsibility, management's control methods for monitoring and following up on performance, and internal auditing and personnel policies and practices. You can think of the control environment as the milieu in which personnel within the organization operate. Examples of weak control environments were plentiful in the savings and loan industry in the early 1980s. Many directors of these institutions led lavish life-styles and were extremely lax in their own regard for controls within their organizations.

Management's Risk Assessment

This is the process management undertakes to identify and analyze the risks relevant to the preparation of the financial statements in conformity with generally accepted accounting principles. For example, if a company sells products that are subject to sharp declines in value due to changes in technology, it is important that management incorporate controls that address the risk of overstating inventory. In this context, management needs to consider what assertions it makes when it constructs the financial statements. If you have taken the auditing class, this may sound like an auditing oriented discussion (and it is!). In the inventory example, management must consider, among other things, whether the inventory is appropriately valued and recorded in the right accounting period. Essentially, what management must consider are the "balance related" assertions that auditors consider when they examine account balances at year end (e.g., existence, completeness, accuracy, classification, cutoff, valuation, ownership, disclosure and detail tie-in). Please refer to the diagram above for further consideration of this issue.

Control activities

Control activities (procedures) are the policies, procedures and guidelines that management has established to provide reasonable assurance that specific entity objectives will be achieved. Control procedures may be applied at various organizational and data processing levels. Control procedures that affect all information systems and sub-systems within the organization are categorized as general control procedures, while controls designed to prevent or detect errors within each information system or sub-system are categorized as application control procedures. Note that general control procedures are also referred to as entity-level control procedures.

It is also important to note that there is a building block process for designating specific general and application control procedures. Specific control procedures are derived from the internal control elements (adequate segregation of duties, proper authorization of transactions, etc.) indicated in the General Systems Model view of SAS No. 109. For example, one of the key general controls is the functional segregation of personnel, which obviously stems from the adequate segregation of duties element. The use of batch totals as an application control stems from adequate documents and records AND physical control over assets and records. This shows that more than one internal control element can influence the specification of a particular control procedure.


Information and Communication

Information and communication comprise two concepts, that is, what is inside the system in the way of accounting procedures and the transaction related objectives that must be satisfied by the system. With regard to accounting activities, this is simply a collection of procedures that comprise input, processing and output. These procedures define the nature and purpose of a system and the activities undertaken by the system. Accounting procedures are aimed at identifying, assembling, classifying, analyzing, recording, and reporting an entity's transactions. In addition, accounting procedures are also designed to maintain accountability for the related assets and liabilities. Essentially, the accounting system constitutes the entity's methodology for converting accounting inputs into information outputs. In a computer-based accounting system, the processing of accounting data from the input of accounting transactions to their eventual disposition in the financial statements would be handled predominantly by computers.

Information and communication also embrace the notion of transaction related objectives. That is, accounting transactions must be supported by appropriate and adequate documentation (existence), any transaction presented to the accounting system must be accurately recorded, and all valid transactions must be recorded (completeness). These transactions must be classified in the right accounts, recorded at the right time, posted and summarized correctly.

Monitoring

This is merely the process that management uses to provide an ongoing assessment of the effectiveness and quality of the internal controls. Information in this regard can come from a variety of sources, including studies of existing internal controls by employees, the work of the internal auditors, and the annual audit conducted by external accountants (public accountants or regulatory accountants).

In May 2013, COSO released an updated version of its Internal Control—Integrated Framework. While the framework remains essentially unchanged, the update introduces the notion of “principles” to describe the components of internal control. The update presents a more formal way of designing and evaluating internal control, by referring to the principles.

The table below shows the five COSO components and the 17 principles from the May 2013 update to the framework. The principles can be interpreted to mean the actions being taken (or that should be taken) by management in fulfillment of its obligation to ensure adherence to the COSO internal control framework.


Control Components and Principles

Control Environment
    1. Demonstrates commitment to integrity and ethical values
    2. Exercises oversight responsibility
    3. Establishes structure, authority, and responsibility
    4. Demonstrates commitment to competence
    5. Enforces accountability

Risk Assessment
    6. Specifies suitable objectives
    7. Identifies and analyzes risk
    8. Assesses fraud risk
    9. Identifies and analyzes significant change

Control Activities
    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys through policies and procedures

Information and Communication
    13. Uses relevant information
    14. Communicates internally
    15. Communicates externally

Monitoring Activities
    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies

General control procedures for database environments

General control procedures are the methods and measures adopted within a business to promote operational efficiency and encourage adherence to prescribed managerial policies. Segregation of duties, maintenance of proper documents and records, and making sure that all accounting transactions are appropriately authorized are some of the common general control procedures that should exist in all accounting systems, regardless of the presence or extent of computerization. For computer-based accounting systems, general controls are those controls that facilitate the effective operation and management of the organization's computer systems and all its applications. The six categories of general control procedures are: (1) proper organization of the information systems department, (2) system development and program change controls, (3) hardware controls, (4) access controls over program and data files, (5) computer operations controls, and (6) backup and recovery procedures. Let us now examine each of these control categories in some detail.

1. Proper organization of the systems function

A key general control procedure pertains to the organization of the entity's information systems (IS) function. Broadly, the functions within the IS department include (1) systems analysis and design, (2) programming, (3) computer operations, and (4) file library. You are already aware of the activities involved in systems analysis, design, and programming based on our discussion in Chapter 7. While systems analysis and design are focused on the logical modeling of systems, programming is oriented towards the physical modeling of systems. Computer operations have to do with the day to day running of the entity's "computer center." The file library is a secure location where the entity's data and program files are located. While you may think of the file library in physical terms as a room with disks and tapes, it is important to recognize that many organizations have a "logical" file library wherein computer files are housed on a secure disk accessible only to key individuals within the IS department.

Ideally, each of these IS department functions should be handled by separate individuals. It should be noted, however, that in many small organizations the same individual handles all systems analysis, design, and programming. However, it is particularly critical to segregate programming from operations. The programming function has the objective of developing application programs to meet users' needs. Programmers should have access to the source code versions of computer programs which they test off line using sample data. Computer operations are focused on the running of these programs to process data related to the entity's actual operations. Operators should have access only to the object code or executable versions of computer programs, which is all they need to actually run programs. Computer operators also have access to live data. The need for the separation of programming from operations stems from the risk that a programmer could write a fraudulent program and actually run the program on live data if he/she is also responsible for computer operations. Or conversely, the operator could modify source code if he/she is also responsible for programming and could then run the modified program on live data.

In addition to the above organizational guidelines for the IS department, it is also important to institute sound personnel policies and practices. These include background checks before hiring personnel, mandatory vacations, rotation of duties, regular reviews and performance appraisal of existing IS department personnel, and supervision of personnel as they perform their daily duties in the IS department. Unfortunately, most perpetrators of computer fraud seem exactly like the kinds of individuals organizations would eagerly seek to hire (well educated and highly computer literate)! Many instances of computer crime are traced to disgruntled employees. It is therefore important to ensure that key IS personnel are well paid and rewarded for their efforts. Likewise, policies should exist to terminate disgruntled employees without advance notice. Passwords of all computer accounts that the terminated employee had access to should immediately be changed.

2. Systems development and program change controls

The second category of general control procedures deals with the development of new application programs and changes to existing programs. The objective of these controls is to ensure that new programs, and changes to existing programs, are duly authorized, designed, and tested. The specific set of control procedures includes (1) user and management authorization of new program development, (2) user approval of all substantive changes to programs, (3) a planned approach to application development using proven systems analysis and design techniques (such as those presented in Chapter 7), and (4) thorough testing of new applications and changes to existing applications before they are deployed.

A key aspect of systems development and program change controls is user involvement. Users must be closely involved in the design of new applications and in their testing. The user's knowledge of the application's environment can be crucial in testing newly developed applications. As we will examine in greater detail in the next chapter, the processing of test data is the primary means of checking a program's logic. The use of simulations to test the operation of the new system under real world operating conditions is also a good control practice.

Segregation of duties within the IS department, per our discussion under the first category of general IS controls, is another aspect of systems development and program change controls. Programming and operations should be segregated. As discussed earlier, it is crucial to prevent an astute programmer from modifying a program and running the modified program on real data. It is only after a program has been thoroughly tested and approved for use that the object code version of the program should be transferred from the "test area" to the "production library" from where it can be executed by end users wishing to run the program. These controls are known as program change controls.

3. Access controls

Of all the controls in computer-based information systems, none are more critical than those over access to data and program files. The objective of access controls is to prevent or detect unauthorized physical or logical access to data and program files. The primary goal of access controls is to prevent all unauthorized access, but a secondary goal is to detect unauthorized access and even attempted unauthorized access to the system. Physical access and logical access are both important. However, of the two, it is much more difficult to achieve completely impenetrable logical access controls.

Physical access control has to do with controlling physical access to hardware and software resources. Except in very small organizations, the main computing resources would typically be housed at a central location with remote terminals or networked personal computers distributed throughout the organization. The central computing center should be accessible only by key authorized personnel. Electronic locking mechanisms and closed circuit televisions are some of the methods of preventing unauthorized access to the computing center. Computer terminals can also be physically locked. All data and program files should be stored in a secure fire proof location to which access should be controlled.

Logical access control is aimed at preventing unauthorized logical access to data and program files. In the networked computing environments prevalent in most organizations, all programs and data files can theoretically be accessed from any remote networked machine. The primary method of logical access control is user authorization and authentication. User authorization means that every user permitted to use a system must be issued a unique user name (user ID). Authentication of authorized users is performed by means of passwords or passphrases. Many system managers today require users to formulate passphrases for systems access. A passphrase is essentially key letters and/or words from a sentence with special characters added to provide additional complexity. For example, take the sentence "the code to open my locker at the gym is 0204." The passphrase that one might construct could be given as follows: !TCtopnMlckeratgi0204! There are of course many variations on the suggested sentence. You may have already constructed a passphrase for your university email. You likely noted that the email administrator had a particular set of rules that were enforced in having you construct your passphrase. Research has indicated that while the complexity of the passphrase is important (for example, the use of upper case, special characters, and blanks), it is the length of the passphrase that is likely the more important aspect of passphrase construction. The longer the passphrase, the harder it will be for the hacker to "break" the passphrase.

No authorized user should be given access to a system without being authenticated. At a minimum, the access control software should be designed to (1) mask the user's password when it is entered, (2) require alphanumeric passphrases with a certain minimum length, (3) disallow more than three invalid log-on attempts, and (4) log all valid and invalid log-on attempts. Systems with extremely confidential information would benefit from the installation of intrusion detection systems, which are designed to monitor system log-ins and identify potential hackers. Intrusion detection is of particular concern in networked environments. An ongoing research project at the University of California at Davis is addressing the development of intrusion detection systems for large networks.

When there are many users each of whom is permitted to access different files for different reasons, an access control matrix (also called authorization table) should be developed. As shown in the table below, an access control matrix lists user names as row entries and the files and programs as column entries. The cell values within the matrix indicate whether the user has access to the program or file and the type of access allowed. When the user signs on to the system, the access control matrix is referenced to determine whether to allow the user access to a particular file or program and whether to allow the user to perform the intended action.

Access Control Matrix (Authorization Table)

User name        Sales    Payroll    Purchase order
Led Zeppelin     N        A          U,D
Sting            A,U,D    N          R
Steve Winwood    R,A      N          A,D

Legend: N = no access; A = add records; U = update records; D = delete records; R = read records

An excellent access control software package for IBM's popular System 390 mainframe is RACF -- Resource Access Control Facility (pronounced “rack-f”). RACF provides the facilities to authenticate users and provide access only to resources which those users have authority to access.

An important related concept is role-based security. Based on the job functions to be performed by each position in an organization, security professionals should develop a list of all objects to which the position needs access and the kind of access required. Security profiles can then be developed for each job position. In such a role-based security model, each user (employee) is assigned the proper role (i.e., security profile) that will enable him/her to perform all the job functions in that role, but will not allow him/her to perform any actions in the system that are incompatible with his/her position. The authorization table discussed above enables the implementation of role-based security.

Most relational database systems, including Microsoft Access, have facilities to restrict user access to tables. Restricting logical access to tables in a relational database is done by setting "permissions" on tables. Permissions can be set by the database administrator at either the individual user level or at the group level (i.e., to groups of users). Older versions of Microsoft Access had a feature allowing user-level security to be defined for a database. This was accomplished using the "Security" option under the "Tools" menu, allowing user and group permissions to be set for each table in the database. The types of access restrictions that can be established in the student registration database can be seen in the following figure. Unfortunately, user-level security is not available in the latest version of Microsoft Access (Access 2010).

Logical access control is only as good as the passphrase system in place. As indicated above, systems administrators should have a very explicit set of rules for constructing passphrases. Users should be forced to change passphrases frequently -- at least once every few months. A passphrase history file should be maintained and users should be prevented from using a recently used passphrase when they are prompted to enter a new passphrase. The ultimate burden of protecting user names and passphrases lies with users. If users keep user names and passphrases taped to their computer terminals, and if physical access to the terminal is not controlled, then that would defeat the whole purpose of even a very complex passphrase and access control matrix system!
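The minimum access control software features listed earlier (masked entry, a length and complexity rule, a limit of three invalid log-on attempts, a log of every attempt) together with the passphrase history check just described, as an added example that is not from the textbook or any real access control product. The policy constants, the salted-hash storage, and the lockout-until-reset behaviour are assumptions made for the illustration.

```python
import getpass
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 12          # assumed policy value: minimum passphrase length
MAX_FAILED_ATTEMPTS = 3  # chapter rule (3): no more than three invalid log-on attempts
HISTORY_DEPTH = 5        # assumed policy value: retired passphrases that may not be reused


def passphrase_meets_policy(passphrase: str) -> bool:
    """Chapter rule (2): alphanumeric passphrase of at least MIN_LENGTH characters."""
    return (len(passphrase) >= MIN_LENGTH
            and any(c.isalpha() for c in passphrase)
            and any(c.isdigit() for c in passphrase))


def _digest(passphrase: str, salt: bytes) -> bytes:
    """Only a salted PBKDF2 hash is stored; the passphrase itself never is."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)  # (salt, digest) of retired passphrases
    failed_attempts: int = 0
    locked: bool = False


class AccessControl:
    def __init__(self) -> None:
        self.accounts: dict = {}
        self.log: list = []  # chapter rule (4): every valid and invalid log-on attempt

    def create_user(self, user_id: str, passphrase: str) -> None:
        if not passphrase_meets_policy(passphrase):
            raise ValueError("passphrase does not meet policy")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _digest(passphrase, salt))

    def log_on(self, user_id: str, passphrase: str) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None or acct.locked:
            # One response for unknown and locked accounts, so the log-on screen
            # does not reveal which user IDs exist.
            self.log.append((user_id, "DENIED", "unknown user or locked account"))
            return False
        if hmac.compare_digest(_digest(passphrase, acct.salt), acct.digest):
            acct.failed_attempts = 0
            self.log.append((user_id, "OK", ""))
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # further attempts are refused until an administrator resets
        self.log.append((user_id, "DENIED", f"invalid passphrase, attempt {acct.failed_attempts}"))
        return False

    def change_passphrase(self, user_id: str, new_passphrase: str) -> bool:
        """Passphrase history test: the new value may match neither the current
        passphrase nor any of the last HISTORY_DEPTH retired ones."""
        acct = self.accounts[user_id]
        if not passphrase_meets_policy(new_passphrase):
            return False
        for salt, digest in acct.history + [(acct.salt, acct.digest)]:
            if hmac.compare_digest(_digest(new_passphrase, salt), digest):
                return False
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
        acct.salt = os.urandom(16)
        acct.digest = _digest(new_passphrase, acct.salt)
        return True


def interactive_log_on(ac: AccessControl, user_id: str) -> bool:
    """Chapter rule (1): getpass masks the passphrase while it is typed."""
    return ac.log_on(user_id, getpass.getpass("Passphrase: "))
```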

Another means of protecting logical access to sensitive data is encryption. Data encryption is the coding of data to make it unintelligible without the correct decoding mechanism. There are two methods of encryption. The first is private key or symmetric encryption and the second is public key or asymmetric encryption. In private key encryption, a single key is used for both encryption and decryption. The sender encrypts the message using a key (or code) and the user decrypts (or decodes) the message using the same key. The problem however, is that the key must be transmitted to the receiver and that transmission is typically done on an insecure channel. Any individual who obtains the key can decrypt the message. Another problem with private key encryption is that a separate key is needed for each pair of individuals who intend to communicate securely. So if a company has 10,000 customers, it will need 10,000 private keys! In public key encryption two keys are used. The sender encrypts the message using a "public" key which can even be published in a phone directory, and the recipient reads the message by decrypting it with the private key that is known only to that individual. The public key can be transmitted on an insecure channel, because anyone who intercepts it still needs the private key to decode the message. Thus, public key encryption is considerably safer than private key encryption. Also, a company needs only one public key and one private key to communicate securely with all its customers. A number of Web site links are provided at the end of the chapter pointing to resources about cryptography and public key encryption. The primary means of security for electronic commerce activities on the Internet is "secure sockets layer" (SSL). For example, when you connect to a secure site, many web browsers will display an icon of a closed padlock indicating that any information you transmit, such as credit card information, will be encrypted.

4. Computer operations controls

Computer operations controls deal with the day-to-day running of the computer center and the organization's application programs. The objective of computer operations controls is to ensure that application programs are used properly and that the correct files are used during processing. In organizations where programs are run in batch mode, a daily data processing schedule should be designed and adhered to. This schedule lists when each job should be run. Any jobs not run according to the schedule should be carefully scrutinized and run only after special approval has been obtained. Adherence to a data processing schedule makes it harder to misuse computer time and perhaps run fraudulent jobs.


Virtually all mainframe operating systems provide a wealth of statistical information about jobs that were run. These statistics include information about the clock time consumed by each job, CPU time used, number of pages printed, memory, and disk usage. Periodically, these job statistics can be compared to historical averages. Abnormal discrepancies should be investigated for possible fraud. Computer-generated statistics can also be used to evaluate machine utilization. The extent of computer down time, set-up time between jobs, memory and disk space utilization statistics can provide valuable information about how computer resources are being used.

Mainframe computing systems typically have an "operator's console" which is the main terminal attached to the system. System level functions such as shutting down and restarting the system and aborting jobs can be performed from the console. Another computer operations control is to maintain a console log which tracks all activity performed at the console. Again, this console log can be reviewed for evidence of fraudulent activity.

5. Data backup and recovery procedures

The objective of data backup and recovery procedures is to ensure that accidental or intentional destruction of data will not cause a major disruption in the organization's operations. The primary means of protecting against data destruction is to make periodic backups of all program and data files. In Chapter 6 we discussed static backup and dynamic backup methods for database systems. To recall, static backup simply involves dumping the contents of the database to a tape, whereas dynamic backup involves maintaining a log file of transaction activity that is occurring since the last static backup.

In batch processing systems where files are maintained on magnetic tapes, the "grandparent-parent-child" backup convention is used to protect against erasure of tapes. In this technique, the "grandparent," "parent" and "child" versions of files are always maintained. The "child" version of a master file is the output of the current file maintenance run. The "parent" version is the master file that was the input to the current file maintenance run. Finally, the "grandparent" version is the master file that was the input to the previous file maintenance run. The point of this technique is that if the current master file is erased it can be reconstructed by re-performing the most recent file maintenance run (since the parent version is still available). If both the child and parent versions are destroyed, the parent version can first be reconstructed using the grandparent version, and then the child version can be reconstructed using the parent version.
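The grandparent-parent-child convention worked through in code, as an added example that is not from the textbook. The master file is modelled as a dictionary of account balances, a file maintenance run posts a batch of (account, amount) transactions, and the tape library keeps three generations plus the two transaction batches that produced them; the account numbers and amounts are constructed sample data.

```python
import copy


def file_maintenance_run(master: dict, transactions: list) -> dict:
    """One batch run: post (account, amount) transactions to the input master file and
    return the new master file. The input is never modified, so the tape that was
    read in survives unchanged as the 'parent' of the output."""
    new_master = copy.deepcopy(master)
    for account, amount in transactions:
        new_master[account] = new_master.get(account, 0) + amount
    return new_master


class TapeLibrary:
    """Holds [grandparent, parent, child] master files (None = not yet created or
    erased) and the transaction batches that produced the parent and the child."""

    def __init__(self, initial_master: dict) -> None:
        self.generations = [None, None, initial_master]
        self.batches = []  # batches[-1] produced the child, batches[-2] the parent

    def run(self, transactions: list) -> dict:
        child = file_maintenance_run(self.generations[-1], transactions)
        # The oldest tape is released for reuse; the other two move up a generation.
        self.generations = [self.generations[-2], self.generations[-1], child]
        self.batches = (self.batches + [list(transactions)])[-2:]
        return child

    @property
    def grandparent(self) -> dict:
        return self.generations[0]

    @property
    def parent(self) -> dict:
        return self.generations[1]

    @property
    def child(self) -> dict:
        return self.generations[2]

    def erase(self, generation: str) -> None:
        """Simulate accidental or intentional destruction of the 'parent' or 'child' tape."""
        self.generations[{"parent": 1, "child": 2}[generation]] = None

    def recover(self) -> dict:
        """Rebuild lost generations by re-performing the file maintenance runs from the
        oldest surviving tape, exactly as the chapter describes."""
        if self.grandparent is None and self.parent is None:
            raise RuntimeError("grandparent and parent both lost; cannot recover")
        if self.parent is None:
            self.generations[1] = file_maintenance_run(self.grandparent, self.batches[-2])
        if self.child is None:
            self.generations[2] = file_maintenance_run(self.parent, self.batches[-1])
        return self.child
```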

In addition to the above backup and recovery procedures, it is also prudent to prevent erasure of files by simply "write protecting" files. Mainframe disk packs and tapes have write protection rings which, when removed, make it impossible to write on a file that is intended to be used as a "read only" file. Some USB ("flash") drives provide write-protection capability. Some of these drives have a small notch that can be slid to one side to make the drive "write-protected," meaning that no files can be deleted from the drive or written on to the drive. To allow file deletion and file saving onto the drive, one would simply slide the notch to disable write-protection.

Backup and recovery procedures protect against accidental or intentional loss of data. Organizations also need to consider the possibility that their computer centers may be struck by natural disasters such as fires or floods. The key to being prepared for such eventualities is to construct a disaster recovery plan also known as a business continuity plan. Backups of program and data files should be maintained both on site and off site. A remote computing facility should be identified where the data processing operations can be temporarily switched over at short notice. There are two types of backup processing centers -- hot sites and cold sites. A cold site is a data processing location that can take over the organization's transaction processing but only with considerable set up and configuration. The necessary files, programs, procedures and documentation are maintained at the cold site, but must be made operational as needed (i.e., when disaster strikes). A hot site is a location that can immediately take over transaction processing. Not only are files, programs, procedures, and documentation maintained at the hot site, but they are loaded and configured such that they can be made operational at short notice. Obviously, a hot site is preferable but is also more expensive. Cost-benefit analysis should be undertaken before choosing between the cold site and hot site options. In addition to the hardware and software, it is important to identify the individuals who will be responsible for maintaining, testing and actually running the backup facilities and related applications. However, as stated earlier in the chapter, it is important to note the statistics on business failure -- organizations that lose their computing facilities for more than three days are likely to go bankrupt.

It is important to note that disaster recovery planning is more than just being able to run programs at a remote site. All the forms, documents, procedures, and manuals needed to run the business should be considered in planning for disasters. Hence, the term "business continuity plan" is more appropriate. The steps and considerations in business continuity planning are as follows:

1. obtain management support and "buy-in" for the plan
2. identify key personnel responsible for testing and executing the plan
3. identify alternative processing location(s) -- either a hot site or a cold site
4. identify vital applications ("mission-critical" applications)
5. store data and program files off-site
6. periodically test the plan
7. obtain insurance to recoup some of the financial loss associated with a disaster

The various general control procedures are summarized in the following table:


General Control Procedures

Control: Organization of the systems function
Description: Segregation of duties, sound personnel policies and practices.

Control: Systems development and program change controls
Description: Authorization of new applications and substantive changes to existing applications, planned approach to application development, thorough testing.

Control: Access controls
Description: Physical access controls and logical access controls. User authentication is the primary means of logical access control.

Control: Computer operations controls
Description: Daily data processing schedule, console log, review of computer generated run time statistics.

Control: Data backup and recovery procedures
Description: Static and dynamic backup, business continuity planning.

Application control procedures for database environments

Application controls essentially focus on procedures to check the accuracy and reliability of accounting data and on those procedures to safeguard the organization's assets. Regardless of the presence or extent of computerization, an organization needs a variety of procedures to achieve these very basic requirements. Basic to all application systems is a need for controls driven by the internal control elements described above (e.g., division of duties, independent checks on performance, etc.). For computer based systems, application control procedures, again driven by the internal control elements, comprise procedures programmed into computer-based systems to ensure that transactions meet a number of internal control objectives. Computer-based application control procedures include input controls, processing controls, and output controls. As their names suggest, these three sets of control procedures are applicable during the input, processing, and output stages of the data processing cycle.

Input control procedures

Input control procedures are essentially procedures to validate the data. That is, controls are designed to ensure that data entered into the system are error free. In relational database systems, which we have been focusing on, a number of data validation rules can be defined at the table level. In addition, the field type designated for each field in a table can itself serve as a control mechanism. For example, fields defined as "Date/Time" will accept only date and time data appropriately formatted. Number fields will accept only integers. Fields defined as text will accept any keyboard character. Controlling data input into fields by setting the field format appropriately is referred to as a field test.

You were introduced to validation rules in relational database systems in Chapter 6. To recap, validation rules can be designed to check whether data entered into a field in a table (1) is greater than the lower limit and/or less than the upper limit of values for the field (range test), (2) is of the correct length (length test), and (3) matches one of the acceptable values for the field (validity test). Let us now examine validation rules in more detail in the context of the student registration system example discussed in Chapters 8 and 9. Consider the STUDENTS table shown on the next page in "design" view.

In the screenshot of the Microsoft Access STUDENTS table above, notice that the MAJOR field is currently highlighted. Several properties can be set for the MAJOR field, as shown in the "General" tab in the bottom half of the table. The field size is set to "4" which means that the maximum length for a major is four characters. The "Validation Rule" field is where data entry controls are specified. For the MAJOR field, the validation rule states that the value entered into that field must conform to the list of acceptable majors (ACCT, MKTG, MGMT, FINC, etc.). If a user attempts to enter a string of four characters that is not one of the majors, then the error message as specified in the "Validation Text" field will be displayed to the user ("Invalid major!!!" in the above figure).

Field level validation rules cannot reference another field. However, it is conceivable that a control procedure would need to reference multiple fields. For example, consider a table with "order date" and "delivery date" fields in which the delivery date must always be on or after the order date. Such a control procedure is defined as a table level validation rule. In Microsoft Access, "Table properties" can be defined for the table as a whole. It is in the table properties that validation rules that reference multiple fields can be defined. An input control that involves comparing values between two or more fields is referred to as a valid combinations test.

Controls in on-line systems

The validation rules discussed above simply require the user to enter a value in a field, and the system responds with an error message if the user enters invalid data. On-line database systems permit more sophisticated control over data input. If a field can have only one of several acceptable values, then the user can be presented with a "pick list" of acceptable values from which the user makes a selection. The user can even be prevented from entering data into a field (i.e., all the user can do is to select one value from the "pick list"). Such a control would ensure that the field would never have invalid data. A related type of control is to return a related value based on entered data. If the user enters the student number, then the system can return the student name associated with that student number by looking up a table. Thus, the user can verify that he/she has entered the correct student number. Such a control is referred to as closed loop verification and is only possible in on-line systems.

On-line data entry systems can also be programmed to ensure that all required fields have been entered. In Access for example, if a value must be entered into a field, then the "Required" property field for the field can simply be set to "Yes" and the user will not be able to add a record with that field being blank. This control procedure that ensures that all required data have been entered is referred to as a completeness test. On-line systems can also prompt the user for input, unlike batch oriented systems. As already discussed, meaningful error messages can be displayed to the data entry operator or end user in on-line systems. Prompting for input is another control procedure unique to on-line systems. Another powerful feature in on-line and database systems is the ability to program the system to automatically enter data in certain fields. This control procedure, referred to as system generated data, can for example enter the current date and next order number on an order entry form. In contrast to batch systems, therefore, on-line systems provide numerous features to prevent the occurrence of errors.


Enforcing entity and referential integrity

In addition to the above validation rules, relational database systems also permit the enforcement of entity integrity and referential integrity. Recall from Chapter 6 that entity integrity means that the primary key must be unique and cannot be null. In the STUDENTS table above, the "Required" property for the STUDENT-NO field would be set to "Yes" and the "Indexed" property would be set to "Yes (no duplicates)." The "Required" and "Indexed" properties thus allow entity integrity to be enforced in Microsoft Access.

Referential integrity means that if foreign keys have a value, the value must be one that exists in the "master" table for that foreign key. In Microsoft Access, referential integrity is specified as relationships are defined between tables. Relationships are defined starting from the "master" table for a key and going to a related table that has the master table primary key as a foreign key. In Chapter 9, we saw the relationships between all tables in the registration system database (see Microsoft Access figure labeled "Relationships" in Chapter 9). The relationship between STUDENTS and REGISTRATIONS is one to many, and the following figure shows how referential integrity can be enforced between these two tables in Microsoft Access.

Once referential integrity has been established between two related tables, Access will not allow a value to be entered into a foreign key field if that value does not exist in the "master" table for that field (as defined in the "Relationships" window in Access).

Implementing input controls in Microsoft Access

Having discussed the various types of input control procedures, and input controls in online systems, let us now bring a practical flavor to that discussion by demonstrating how controls can be implemented in Microsoft Access. In Chapter 6, and here in this chapter, we have seen ways in which controls can be programmed within Microsoft Access. Consider the following form for entering information about parts:


Let us now list various control procedures that can be implemented within Microsoft Access that would prevent errors from occurring during data entry using the above form. The discussion of possible controls is related to each field on the above form:

PART NUMBER: Assuming a numeric field, the data type of the field should be set to "Number." Setting the correct data type in Access is essentially the "field test" or "field check" control described earlier. Also, assuming that valid part numbers fall in the range 1000 to 4999, a validation rule can be entered to prevent invalid part numbers from being entered. The validation rule would be >999 and <5000. This control is essentially the "range test" described earlier.

DESCRIPTION: This field is a text field that allows any keyboard character to be entered. As such, there really is no control procedure to prevent wrong data from being entered into this field. However, in Microsoft Access, the field can be made a "required" field to prevent the user from leaving the field blank. A field can be made "required" by changing the default value of "No" to "Yes" in the "Required" property for the field, when in "design mode" in a table. Making a field "required" is a way of implementing the "completeness test" described earlier.

CLASSIFICATION: Assuming that this field has three valid values, "MT" (metallic), "PL" (plastic) and "CO" (composite), a validation rule can be set up to ensure that the user only enters one of those three values. The validation rule would be "MT" Or "PL" Or "CO". This validation rule is essentially the "validity test" described earlier.

QUANTITY-ON-HAND: This field should have a control to ensure that it never has a negative value. The validation rule would be >=0. This control is another example of a range test.


UNIT-COST-PRICE: Assuming that the cost price should be at least $1 and the maximum cost price for parts is $500, this field should have the following validation rule: >=1 And <=500. This control again is a range test.

UNIT-SELLING-PRICE: Assuming that the selling price should always be greater than the cost price, the following validation rule would be entered as a "table property": [UNIT-SELLING-PRICE]>[UNIT-COST-PRICE]. Note that table properties can be viewed by clicking on "View" and "Properties" when in "design mode" in a table. This control procedure is essentially the "valid combinations test" described earlier. The control ensures that two different fields -- unit selling price and unit cost price -- have a valid relationship between them.

Note that all validation rules, except the one for UNIT-SELLING-PRICE, are entered at the individual field level when in "design mode" in a table. Also, appropriate error messages should be typed in the "Validation text" property of the field. For example, in the UNIT-COST-PRICE field, the validation text should say "Price should be greater than $1 and less than or equal to $500!" -- this is the error message the user will see when he/she enters invalid data.

Another very important control in Microsoft Access, not demonstrated above, is the "combo box." Consider the "SALES ORDER FORM" shown below:

Note the "SALESPERSON NO." field in the above form. It is a "combo box" that allows the user to simply pick a salesperson number from the "drop down" list. When the user picks salesperson number 12, that salesperson's name automatically appears in the "SALESPERSON NAME" field. This type of control is essentially the "closed loop verification" test discussed earlier.


The "system generated data" control procedure discussed earlier can be implemented in Microsoft Access in several ways. Date fields can have default values of the current system date. So for example when the user enters a new sales order using a form in Access, the current date would automatically appear in the "Order date" field, because the default value of the order date field is =Date(). In addition to default values, Access also has an "autonumber" data type, which automatically increments by one when a new record is entered. This data type is therefore useful for order numbers, invoice numbers, etc.

The following table shows the correspondence between the generic input controls described above and their equivalent in Microsoft Access.

Correspondence between generic input controls and controls in Microsoft Access

Generic control procedure    Implementation in MS Access
Field test                   Set the data type to Number, Currency, Yes/No, or Date/Time, as appropriate for the field.
Range test                   Set validation rule: > lower limit And < upper limit
Length test                  Set input mask
Validity test                Set validation rule: "text1" Or "text2" Or "text3" ...
Valid combinations test      Set validation rule at the "table property" level
Closed loop verification     Make the key field a "combo box"
Completeness test            Make the "Required" property of all necessary fields "Yes"
System generated data        Set the default value for date fields; make numeric fields "Autonumber"
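The same correspondence, as an added example that is not part of the textbook or its Access database: the controls on the parts and sales order forms above (plus entity and referential integrity) expressed as constraints in a SQLite database through Python's sqlite3 module. Table, field and constraint names are constructed to mirror the forms, and the helper reports which family of control rejected each bad entry.

```python
"""Added illustration: the chapter's generic input controls as SQLite
constraints, with a helper that reports which control caught bad data."""
import sqlite3

# Constructed schema mirroring the PARTS and SALES ORDER forms in the text.
# Each constraint is annotated with the generic control it implements.
SCHEMA = """
CREATE TABLE SALESPERSONS (
    SALESPERSON_NO   INT  NOT NULL PRIMARY KEY,   -- entity integrity
    SALESPERSON_NAME TEXT NOT NULL                -- completeness test
);
CREATE TABLE PARTS (
    PART_NO            INT NOT NULL PRIMARY KEY   -- entity integrity (unique, not null)
        CONSTRAINT range_part_no CHECK (PART_NO > 999 AND PART_NO < 5000),  -- range test
    DESCRIPTION        TEXT NOT NULL,             -- completeness test ("Required" = Yes)
    CLASSIFICATION     TEXT NOT NULL
        CONSTRAINT validity_class CHECK (CLASSIFICATION IN ('MT', 'PL', 'CO')),  -- validity test
    QUANTITY_ON_HAND   INTEGER NOT NULL
        CONSTRAINT range_qty CHECK (QUANTITY_ON_HAND >= 0),                      -- range test
    UNIT_COST_PRICE    REAL NOT NULL
        CONSTRAINT range_cost CHECK (UNIT_COST_PRICE >= 1 AND UNIT_COST_PRICE <= 500),
    UNIT_SELLING_PRICE REAL NOT NULL,
    -- valid combinations test: a table-level rule relating two fields
    CONSTRAINT sell_above_cost CHECK (UNIT_SELLING_PRICE > UNIT_COST_PRICE)
);
CREATE TABLE SALES_ORDERS (
    ORDER_NO       INTEGER PRIMARY KEY AUTOINCREMENT,   -- system generated data (Autonumber)
    ORDER_DATE     TEXT NOT NULL DEFAULT CURRENT_DATE,  -- system generated data (=Date())
    SALESPERSON_NO INT NOT NULL
        REFERENCES SALESPERSONS (SALESPERSON_NO)        -- referential integrity
);
"""

CONSTRAINT_KINDS = ("NOT NULL", "UNIQUE", "CHECK", "FOREIGN KEY")


def open_controlled_db():
    """Create an in-memory database with the controls above in force."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement. Return None if it was accepted, otherwise the family
    of constraint (the control) that rejected it."""
    try:
        with conn:
            conn.execute(sql, params)
        return None
    except sqlite3.IntegrityError as exc:
        message = str(exc)
        return next((k for k in CONSTRAINT_KINDS if message.startswith(k)), message)


def add_part(conn, part_no, description, classification, qty, cost, price):
    return attempt(conn, "INSERT INTO PARTS VALUES (?, ?, ?, ?, ?, ?)",
                   (part_no, description, classification, qty, cost, price))


def add_salesperson(conn, no, name):
    return attempt(conn, "INSERT INTO SALESPERSONS VALUES (?, ?)", (no, name))


def add_order(conn, salesperson_no):
    """Enter an order supplying only the foreign key; the order number and
    date are generated by the system. Returns (error, (order_no, order_date))."""
    err = attempt(conn, "INSERT INTO SALES_ORDERS (SALESPERSON_NO) VALUES (?)",
                  (salesperson_no,))
    if err:
        return err, None
    row = conn.execute("SELECT ORDER_NO, ORDER_DATE FROM SALES_ORDERS "
                       "ORDER BY ORDER_NO DESC LIMIT 1").fetchone()
    return None, row


def salesperson_name(conn, no):
    """Closed loop verification: echo the name behind the entered key so the
    operator can confirm it is the intended one (None if no such key)."""
    row = conn.execute("SELECT SALESPERSON_NAME FROM SALESPERSONS "
                       "WHERE SALESPERSON_NO = ?", (no,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_controlled_db()
    add_salesperson(db, 12, "J. Smith")
    print(salesperson_name(db, 12))                        # J. Smith
    print(add_part(db, 1001, "Bolt", "MT", 40, 2.5, 4.0))  # None: accepted
    print(add_part(db, 1001, "Nut", "MT", 10, 1.0, 2.0))   # UNIQUE (entity integrity)
    print(add_part(db, 500, "Washer", "PL", 1, 1.0, 2.0))  # CHECK (range test)
    print(add_part(db, 1002, "Cap", "XX", 1, 1.0, 2.0))    # CHECK (validity test)
    print(add_part(db, 1003, "Pin", "CO", 1, 3.0, 2.0))    # CHECK (valid combinations)
    print(add_part(db, 1004, None, "CO", 1, 3.0, 4.0))     # NOT NULL (completeness)
    print(add_order(db, 12))                               # (None, (1, today's date))
    print(add_order(db, 99))                               # ('FOREIGN KEY', None)
```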

Processing control procedures

Processing control procedures are applicable during the processing phase of the data processing cycle. In on-line input and file update systems there is no distinction between input and processing controls -- they are one and the same. It is only in batch processing systems that the distinction between input and processing controls is relevant. Processing controls in batch processing systems include (1) internal label test -- checking the internal file labels of files mounted for a batch processing run to ensure that the correct files are being used for the run, (2) sequence check -- making sure that the sequential order of transactions is maintained so that missing transactions can be flagged, and (3) control total verification -- comparing summary totals of the number of transactions processed relative to the number that were entered.
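The three batch processing controls just listed, as an added example that is not from the textbook: a header record carrying the file label and control totals, checked against a constructed batch in which one transaction never reached the processing run. The header fields, label string and sample amounts are all constructed for the illustration.

```python
"""Added illustration: internal label test, sequence check and control
total verification run over a constructed batch of transactions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    seq_no: int
    amount: float


@dataclass(frozen=True)
class BatchHeader:
    """Control figures recorded when the batch was entered: the internal
    file label plus the totals the processing run must reconcile to."""
    file_label: str
    record_count: int
    amount_total: float
    first_seq_no: int
    last_seq_no: int


def internal_label_check(header, expected_label):
    """Internal label test: confirm the file mounted is the one this run expects."""
    return header.file_label == expected_label


def sequence_check(header, batch):
    """Sequence check: report transaction numbers missing from the expected
    consecutive run, entered more than once, or outside the header's range."""
    seen = [t.seq_no for t in batch]
    expected = set(range(header.first_seq_no, header.last_seq_no + 1))
    return {
        "missing": sorted(expected - set(seen)),
        "duplicates": sorted({n for n in seen if seen.count(n) > 1}),
        "out_of_range": sorted(set(seen) - expected),
    }


def control_total_check(header, batch):
    """Control total verification: compare the number and amount of transactions
    processed with the figures on the header. Returns a dict of
    (expected, actual) pairs, empty when the batch reconciles."""
    problems = {}
    count = len(batch)
    total = round(sum(t.amount for t in batch), 2)
    if count != header.record_count:
        problems["record_count"] = (header.record_count, count)
    if abs(total - header.amount_total) >= 0.005:
        problems["amount_total"] = (header.amount_total, total)
    return problems


# Constructed sample: four transactions were entered, but number 103
# (for $50.00) was lost before the processing run.
SAMPLE_HEADER = BatchHeader("SALES-TXN-20090830", 4, 412.45, 101, 104)
SAMPLE_BATCH = [Transaction(101, 250.00), Transaction(102, 99.95),
                Transaction(104, 12.50)]

if __name__ == "__main__":
    print(internal_label_check(SAMPLE_HEADER, "SALES-TXN-20090830"))  # True
    print(sequence_check(SAMPLE_HEADER, SAMPLE_BATCH))          # missing: [103]
    print(control_total_check(SAMPLE_HEADER, SAMPLE_BATCH))     # count and amount short
```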


Output control procedures

Output control procedures are designed to ensure that system outputs are delivered only to authorized users. Recall from our discussion in Chapter 3 that computer output comprises both hard copy (paper) and soft copy (screen) output. Paper copies of sensitive output should be shredded after use. Physical access controls should be in place to prevent unauthorized physical access to printed outputs. In the on-line networked computing environments so prevalent today, control over who can access soft copy output is achieved primarily through the set of logical access controls discussed earlier. Encryption of output transmission is another means of ensuring that sensitive data is not read by unauthorized individuals. A common means of verifying computer output is to perform reconciliation procedures. Similar to the concept of reconciling a checking account to the bank statement, outputs of a system can be checked against the inputs that went into the system and the known ways in which those inputs should have been processed.

In addition to the input, processing and output control procedures discussed above, user control procedures are also relevant. User control procedures represent procedures performed by user departments to ensure that all of their transactions have been accurately processed by the computer. User procedures typically involve reviewing output and perhaps, on a sample basis, re-performing some of the computer calculations. However, given the complexities of present-day computer systems and the large volume of transactions, users rarely check computer output by re-performing computer calculations.

Application control procedures are summarized in the following table.

Application Control Procedures

Control       Description
Input         All systems: field test, range test, length test, validity test, valid combinations test.
              On-line systems: closed loop verification, completeness test, prompting, system generated data.
              Database systems: enforcing entity and referential integrity.
Processing    In batch systems: internal label test, sequence check, control total verification.
Output        Restricting physical and logical access to hard and soft copy output, shredding hard copy output after use, encryption of soft copy output.
User          Re-performance of computer procedures to ensure the accuracy and validity of output.


Relationship between the control environment, accounting system, and control procedures

An entity's risk assessment, control environment, accounting system, control procedures, and monitoring mechanisms are all related in a hierarchical manner. All elements of the internal control structure must be effective for the internal control structure as a whole to be considered sound. It is very difficult for strong accounting system and control procedures to compensate for a weak control environment. Similarly, it is difficult for very strong control procedures to compensate for a weak accounting system and an ineffective control environment. General and application control procedures can be effective in preventing and detecting errors only if the accounting system is sound. That is, the accounting system must be performing its basic role of converting accounting inputs into information outputs before control procedures can be counted on to prevent or detect errors.

Application control procedures can be considered reliable only if general control procedures are effective. If general control procedures are very weak, then even the most intricate set of validation rules cannot provide a high degree of assurance about error prevention. As we discussed earlier in the chapter, access controls are one category of general control procedures. If access controls are weak, then it would be possible for unauthorized individuals to access a database table and delete validation rules. Thus, the validation rules are only effective if there is a reasonable degree of assurance provided by general control procedures, particularly those dealing with logical access.

COBIT control framework

In an attempt to establish a standardized framework for information technology control, the Information Systems Audit and Control Association (ISACA) has issued COBIT— Control Objectives for Information and Related Technology. Now in its 5th edition, the COBIT framework is oriented towards management and presents “good practices” in information technology controls. The framework helps management discharge its responsibility for establishing an internal control system to support business processes. In addition, the COBIT framework spells out specific control activities, the IT resources involved in those control activities, and the information requirements impacted by those activities. A control objective laid out in COBIT can be thought of as a statement of the desired result or purpose to be achieved by implementing control procedures within a particular IT activity. Employing COBIT will allow an organization to design specific control activities to ensure that the business requirements of effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability of information are achieved. The framework specifies 34 high-level Control Objectives, one for each of the IT processes, grouped into four domains: planning & organization, acquisition & implementation, delivery & support, and monitoring. You are encouraged to visit the ISACA web site on COBIT for more information about this path-breaking control framework.


Summary

This chapter focused on information systems controls. The chapter began with an overview of controls, defining terms such as controls, risk, exposure, reasonable assurance, preventive and detective controls. The various risks in computer-based systems were then reviewed. Errors and irregularities in data, loss of data, natural disasters, and computer crime represent the major threats to information systems. Internal controls were then discussed with special reference to SAS No. 109. Per SAS No. 109, the internal control structure comprises five components -- the control environment, risk assessment, the information system and communication, control activities (procedures), and monitoring. The General Systems Model was revisited and the components of the internal control structure were discussed in terms of the elements of the General Systems Model. The two broad categories of control procedures were then discussed in detail -- general control procedures and application control procedures. General control procedures affect all applications and comprise the following six categories: (1) proper organization of the systems function, (2) hardware controls, (3) system development and program change controls, (4) access controls over program and data files, (5) computer operations controls, and (6) backup and recovery procedures.

Application control procedures were discussed next. Input, processing, and output controls are the three broad categories of application controls. Input and processing controls are virtually indistinguishable in on-line systems. The primary means of implementing input controls in database environments is through validation rules defined at the table level. Enforcing entity and referential integrity enhances the level of control over data residing in a database system. Examples using Microsoft Access in the context of the Student Registration System were presented. The methods of implementing input controls in Microsoft Access were also explored. Examples of output control procedures and user control procedures were also provided. The chapter then presented a discussion of the hierarchical nature of the relationship between the control environment, the accounting system, and control procedures. The chapter concluded with a brief discussion of the COBIT control framework.


Key Terms

• Access control matrix
• Application control procedures
• Business continuity plan
• Cold site
• Closed loop verification
• Components of General Systems Model
• Computer crime
• Console log
• Controls
• Control environment
• Control procedures
• Control total verification
• Corrective control
• Daily data processing schedule
• Disaster recovery plan
• Dual read
• Detective control
• Dynamic backups
• Echo check
• Encryption
• Entity integrity
• Errors
• Exposure
• General control procedures
• Hot site
• Intentional errors
• Internal label test
• Irregularities
• Logical access control
• Management fraud
• Parity check
• Periodic backups
• Physical access control
• Preventative control
• Private key
• Public key
• Read after write
• Reasonable assurance
• Referential integrity
• Risk
• Sequence check
• Static backups
• Unintentional errors
• User control procedures


Key Web Sites

• Computer Crime Research Center – "Daily news about computer crime, internet fraud, and cyber terrorism"
• A Computer Crime & Legal Resource Directory set up by the Computer Professionals for Social Responsibility.
• A Web page dedicated to the topic of Computer Ethics.
• A page listing resources related to information warfare and information security.
• Yahoo category listing of computer security and encryption links
• A page listing a variety of LAN security tools
• The National Institute of Standards and Technology maintains a Computer Security Resource Clearinghouse.
• Symantec site listing current virus threats
• PGP Technology ("Pretty Good Privacy") for encryption
• A page with a wealth of information about cryptography and security.
• CERIAS - COAST – Center for Education and Research in Information Assurance and Security and Computer Operations, Audit, and Security Technology -- is a multiple project, multiple investigator laboratory in computer security research in the Computer Science Department at Purdue University.
• A web page dedicated to disaster recovery planning and business continuity planning
• Information Systems Audit and Control Association
• The COBIT 5 page at the ISACA site – ISACA's Fifth Edition of "Control Objectives for Information & Related Technology"
• Wikipedia entry on US Department of Defense Trusted Computer System Evaluation Criteria
• Wikipedia entry on Information Technology controls (includes a section on IT general controls and IT application controls)


Discussion Questions

1. Define and distinguish between controls, exposure, and risk.

2. Distinguish between preventive and detective controls. Given the calls for accountants to be more proactive rather than reactive, which kinds of controls should accountants be emphasizing?

3. Discuss some of the potential threats to data and computer systems.

4. What is computer crime? Give examples of acts that constitute computer crime. Can you think of any acts that might be unethical but probably do not constitute computer crime?

5. Identify and briefly discuss the five components of internal controls as described in SAS No. 109.

6. Give examples of factors that pertain to an entity's control environment.

7. Distinguish between general, application, and user control procedures.

8. Giving examples, discuss the six categories of general control procedures.

9. Within the information systems function, which two functions is it most important to segregate?

10. What is the objective of system development and program change control procedures? Explain how this objective can be achieved.

11. What are some common hardware controls that you would find in most computer systems?

12. Distinguish between physical and logical access to computer systems. Indicate the kinds of control procedures that would prevent unauthorized physical and logical access.

13. What are intrusion detection systems?

14. Distinguish between private key and public key encryption.

15. Giving examples, explain computer operations control procedures.

16. Explain backup and recovery procedures in batch systems.

17. Indicate some types of validation rules that can be programmed at the table level in Microsoft Access.

18. Distinguish between the validity test and the valid combinations test.

19. Indicate some controls that could be used only in on-line systems.

20. Discuss control procedures that would provide assurance that only authorized individuals view information systems outputs.

21. Discuss the nature of the relationship between general, application, and user control procedures.


Problems and Exercises

1. Visit the Web sites listed at the end of the chapter and find out information about the following topics:
• Internet firewalls
• Kerberos
• Clipper chip
• DES
• RSA
• Michelangelo virus
• SSL
• SET

2. Find out information about the latest computer viruses from the Symantec web site -- http://www.symantec.com/avcenter/vinfodb.html. Write a one page report outlining your findings.

3. Search the World Wide Web for anti-virus software. Download one freeware or shareware anti-virus software package for your current operating system.

4. Search the World Wide Web for information about actual instances of computer crime. Write a brief report indicating (1) the type of crime that was committed, (2) the dollar amount of loss (if available), (3) the length of time over which the crime was committed, and (4) how the crime was detected. The sites listed at the end of the chapter should provide a good starting point for your search efforts.

5. Consider the Student Registration System we have discussed in this and the previous two chapters. List all possible controls on a field by field basis in each of the five tables (STUDENTS, COURSES, DEPARTMENTS, INSTRUCTORS, REGISTRATIONS). What general control procedure is most critical to ensure the reliability of these table level control procedures?

6. List the general control procedure that would prevent or detect each of the following errors or problems from occurring.

a. Due to some hardware problem, there was some doubt whether data were being accurately transmitted around a network.

b. Confidential pricing information being transmitted from Houston to Philadelphia was intercepted by a competitor who used the pricing information to obtain a competitive advantage.


c. The computer operator changed the payroll program to effectively give herself a 25% pay raise.

d. A programmer who felt he was wrongly denied a promotion changed all user passwords, including the system administrator's password, and quit the company on the same day.

e. A hacker was able to log into the system using an employee's last name as the user ID and that employee's first name as the password.

f. Per the sales manager's request, a programmer modified the sales program one afternoon. The next day the sales program crashed and the company was unable to process sales orders for two days until the problem was corrected.

g. A company's computer center was located in the basement. Due to a flash flood, the entire basement was flooded and the company lost all of its vital data and program files, including backup copies.

h. A programmer was able to run the payroll program after hours thereby obtaining a second paycheck for the month.

i. An operator was able to run computer jobs for his brother's business on the company's computer systems (the company was not reimbursed by the operator's brother's business).

j. As a result of a power failure, the company's database system was corrupted resulting in the loss of data. The backup copy of the database was current only as of midnight the previous night (transactions that occurred since midnight were lost forever).

k. Due to a malfunctioning read write head on a magnetic disk drive, all records entered one afternoon were unreadable and consequently unrecoverable off the disk drive.

7. List the application (input) control procedure that would prevent or detect each of the following errors or problems from occurring.

a. Acceptable entries in the "priority code" field are "E" (extremely urgent) "U" (urgent) and "N" (normal). However, a data entry operator inadvertently entered a priority code of "F".

b. In an on-line sales order entry application, an operator entered "5432" as ABC Corp.'s customer number instead of "6432." As a result the sale was charged to XYZ Corp. whose customer number was 5432.


c. Salespersons frequently forget to input the desired delivery date when entering customer orders on-line.

d. Hours worked in a payroll application were entered as -5.

e. A data entry operator inadvertently typed the letter "O" instead of the number zero in a product number.

f. An international customer with a customer category of "I" was charged only $15 for shipping. The minimum shipping charge for international customers is $25.

g. A data entry operator inadvertently entered "TE" in the state code field for Memphis, Tennessee.

h. In an on-line sales order entry application, an operator entered "543" instead of "534" for ink jet cartridges. As a result, the customer was sent (and charged for) an ink jet printer instead of the requested ink jet printer cartridges.

i. A data entry operator in the payroll department inadvertently entered $2,000 in the bonus field for a sales clerk. The correct bonus should have been $200. Some senior management personnel do however receive bonuses of $2,000 or more.

j. A governmental customer whose customer number begins with 'G' was inadvertently charged 8.25% sales tax in the 'tax' field.

k. In an on-line order entry system, a data entry operator entered the current date as 8/20/09 instead of 8/30/09.

8. Consider the following Microsoft Access form for maintaining member information at a local public library.


Required:

(1) Indicate five possible errors that could arise in the process of entering data into the above form.

(2) Indicate an input control that could be implemented within Microsoft Access to prevent each error from occurring.

9. Consider the following Microsoft Access form for recording books checked out at a local public library.

Required:

(1) Indicate five possible errors that could arise in the process of entering data into the above form.

(2) Indicate an input control that could be implemented within Microsoft Access to prevent each error from occurring.

Last Updated: August 23, 2013

Copyright © 1996-2013 CyberText Publishing, Inc. All Rights Reserved
