AIS - CHAPTER 14

COMPUTER BASED IS CONTROLS

AIS Threats

Why AIS threats increasing

    1. Increasing number of client/server systems in use
    2. LANs distribute computers to many users and are harder to control than centralized systems
    3. WANs give access to outsiders, vendors, customers, making confidentiality and security a concern


Why AIS controls are inadequate

    1. Computer control problems are downplayed and underestimated
    2. Control implications of moving from centralized systems to networks are not well understood
    3. Many companies do not realize that data security is crucial
    4. Productivity and cost pressures motivate management to forgo controls

General Controls

Segregation of duties within the systems function

    1. Systems analysis
    2. Programming
    3. Computer operations
    4. Transaction authorization
    5. AIS library
    6. Data control


Project development controls

    1. To minimize project failures, basic responsibility accounting should be applied to development projects:
      1. Long-range master plan
      2. Project development plan
      3. Data processing schedule
      4. Assignment of responsibility
      5. Periodic performance evaluations
      6. Post-implementation review
      7. System performance measures


Physical access controls

    1. Locate computers in locked rooms, limiting access
    2. Have one or two secured entrances to computer rooms
    3. Require employee ID cards or badges that can be read electronically
    4. Require visitors to sign a log as they enter or leave
    5. Use security alarms to detect unauthorized access during off hours
    6. Restrict remote access to private, secured phone lines
    7. Install and use locks on PCs and other computer devices


Logical access controls

    1. Restrict user access to the system and the ability to manipulate data
    2. Protect against outside hackers who may try to misuse data
    3. Differentiate between authorized and unauthorized users, e.g. with a PIN
    4. Passwords are the most frequently used identification and authorization method; they are effective only if control over them is maintained. Stronger alternatives or supplements: physical possession (cards, tokens), biometric identification, and compatibility checks (matching the user's authorization to the action requested)
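Added example (Python), not code from the original page: password identification combined with a compatibility check. The user names, passwords, file names and authorization table are constructed for the example. Passwords are stored only as a salt and a PBKDF2 hash, and authorization is checked separately from authentication, so a valid password alone never grants update rights.

```python
import hashlib
import hmac
import os

# Constructed example (not from the page): password-based identification plus a
# compatibility check against an authorization matrix. Accounts are created at
# start-up from constructed passwords so the example runs offline; a real system
# stores only the salt and the derived hash, never the password itself.
ITERATIONS = 100_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

USERS = {
    "payroll_clerk": make_account("correct horse battery staple"),
    "ar_clerk": make_account("hunter2"),
}

# Compatibility check table (constructed): files each user may update.
UPDATE_RIGHTS = {
    "payroll_clerk": {"payroll_master"},
    "ar_clerk": {"customer_master", "ar_ledger"},
}

def authenticate(user, password):
    """Identify the user by password; constant-time compare against the stored hash."""
    acct = USERS.get(user)
    if acct is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return False
    return hmac.compare_digest(acct["hash"], hash_password(password, acct["salt"]))

def may_update(user, filename):
    """Compatibility check: is this authenticated user allowed to update the file?"""
    return filename in UPDATE_RIGHTS.get(user, set())

def access_request(user, password, filename):
    """Authentication first, then authorization; both must pass."""
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not may_update(user, filename):
        return "denied: not authorized for " + filename
    return "granted"
```

The unknown-user branch still runs the hash so that timing does not reveal which user names exist; the denial messages distinguish the two failures for the log, not for the requester.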


Data storage controls

    1. Properly supervise the data library
    2. File labels, both internal and external: volume, header, and trailer labels
    3. File protection rings and write protection of the media
    4. Concurrent update control: prevent simultaneous updates in an on-line database environment by locking the record until it is released by the first user
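Added example (Python), not code from the original page: record lock-out for concurrent update control. The record store, user names and balances are constructed. The first function reproduces the lost update that happens when two users read the same record and both write back; the class shows the lock-out that prevents it.

```python
import threading

class RecordStore:
    """Constructed in-memory master file with record lock-out: a record checked
    out by one user cannot be checked out by another until it is released."""

    def __init__(self, records):
        self.records = dict(records)
        self.holders = {}                # record key -> user holding the lock
        self._guard = threading.Lock()   # protects the lock table itself

    def checkout(self, key, user):
        """Try to lock a record for update; False if another user holds it."""
        with self._guard:
            holder = self.holders.get(key)
            if holder is not None and holder != user:
                return False
            self.holders[key] = user
            return True

    def update(self, key, user, delta):
        """Read-modify-write on a record, permitted only to the lock holder."""
        with self._guard:
            if self.holders.get(key) != user:
                raise PermissionError(f"{user} does not hold record {key}")
            self.records[key] += delta
            return self.records[key]

    def release(self, key, user):
        with self._guard:
            if self.holders.get(key) == user:
                del self.holders[key]

def lost_update_without_lock(balance, delta_a, delta_b):
    """The interleaving that lock-out prevents: both users read the same old
    value, each writes back its own result, and the second write silently
    discards the first update."""
    read_a = balance
    read_b = balance
    balance = read_a + delta_a
    balance = read_b + delta_b
    return balance

def serialized_updates(store, key, delta_a, delta_b):
    """Two clerks updating the same record under lock-out; returns whether the
    second clerk was blocked and the final balance."""
    if not store.checkout(key, "clerk_a"):
        raise RuntimeError("record unexpectedly locked")
    blocked = not store.checkout(key, "clerk_b")     # B must wait for A
    store.update(key, "clerk_a", delta_a)
    store.release(key, "clerk_a")
    if not store.checkout(key, "clerk_b"):
        raise RuntimeError("lock not released")
    final = store.update(key, "clerk_b", delta_b)
    store.release(key, "clerk_b")
    return blocked, final
```

With a starting balance of 1000, a +200 and a -50 update give 1150 under lock-out but 950 without it: the +200 is lost and nothing in the file shows that it ever happened.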


Data transmission controls

    1. Monitor network performance and detect weak points
    2. Maintain backup components and multiple paths between crucial network nodes
    3. Checkpoint and rollback procedures to recover from a failure
    4. Upgrade to conditioned lines
    5. Data encryption
    6. Routing verification procedures, to confirm that a message reaches its intended destination
    7. Parity checking
    8. Message acknowledgment techniques: echo check, trailer labels, etc.
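Added example (Python), not code from the original page: parity checking and an echo check on a constructed message, with a constructed noisy line that flips chosen bits. It also shows the caveat a practitioner wants: a single flipped bit fails parity, but two flipped bits in the same character pass parity and are caught only by the echo check.

```python
def with_even_parity(data):
    """Frame each 7-bit character with an even-parity bit in bit 7 (constructed
    7E1-style framing, as on a serial line)."""
    frames = []
    for b in data:
        if b > 127:
            raise ValueError("7-bit data only")
        parity = bin(b).count("1") % 2
        frames.append(b | (parity << 7))
    return frames

def parity_check(frames):
    """Strip parity bits; return the payload and the indexes of frames whose
    parity no longer comes out even."""
    payload, bad = bytearray(), []
    for i, f in enumerate(frames):
        if bin(f).count("1") % 2 != 0:
            bad.append(i)
        payload.append(f & 0x7F)
    return bytes(payload), bad

def noisy_channel(flips):
    """Constructed line that corrupts the first transmission only: flips is a
    list of (frame index, bit number). Later transmissions pass untouched."""
    state = {"used": False}
    def carry(frames):
        frames = list(frames)
        if not state["used"]:
            state["used"] = True
            for index, bit in flips:
                frames[index] ^= (1 << bit)
        return frames
    return carry

def transmit(message, channel):
    """Send with parity, then perform an echo check: the receiver echoes what it
    decoded and the sender compares the echo with the original message."""
    received = channel(with_even_parity(message))
    decoded, parity_errors = parity_check(received)
    echo = channel(with_even_parity(decoded))
    echoed_back, _ = parity_check(echo)
    return {"parity_errors": parity_errors, "echo_matches": echoed_back == message}
```

Parity detects any odd number of bit errors per character and nothing else, which is why it is listed alongside acknowledgment techniques rather than instead of them.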


Documentation standards

    1. Facilitate communication and regular progress reviews during systems development
    2. Serve as reference and training tools for new users
    3. Simplify program maintenance
    4. Ease problems related to job turnover
    5. Categories include administrative, systems, and operating documentation


Minimizing system downtime

    1. Preventive maintenance
    2. Uninterruptible power supply
    3. Fault-tolerant components


Disaster recovery plan

    1. Goal is to recover processing capability as soon as possible
      1. Minimize the extent of disruption, damage and loss
      2. Temporarily establish an alternative processing site
      3. Resume normal operations
      4. Train and familiarize personnel with emergency operations
      5. Companies unprepared for a disaster may go out of business
    2. Plan should include
      1. Priorities for the recovery process
      2. Backup of data and program files: electronic vaulting, grandfather-father-son rotation, checkpoint and rollback
      3. Specific assignments
      4. Complete documentation
      5. Backup facilities
      6. Simulation test
      7. Review and revision


PC and network controls

    1. Vulnerable because
      1. PCs are pervasive in the organization
      2. Users may be less conscious of the importance of security
      3. People may misuse PC knowledge
      4. Segregation of duties is difficult
      5. Networks are often accessed from remote locations
      6. PCs are portable and subject to loss or theft
    2. Controls applicable to this environment
      1. Train users in control concepts and their importance
      2. Restrict access with locks on PCs
      3. Control the data that can be stored on PCs
      4. Minimize the threat of loss or theft
      5. Carry portables onto planes; don't leave them in cars
      6. Keep sensitive data on a secure system, not on portables
      7. Use a super-erase utility to wipe data from disks
      8. Build protective walls around the operating system to prevent changes
      9. Boot up systems within a security system
      10. Detect holes in networks and security systems
      11. Audit and record what users do and when, to trace breaches
      12. Educate users on virus protection
      13. Inventory all PCs and identify their users
      14. For PC applications under the control of one user, sound human resource practices must be followed


    1. Internet controls
      1. Confidentiality is much more difficult to maintain because of the number of computers through which a message must pass
      2. A firewall must be maintained between Internet access and the company's own networks, or a separate Internet server must be used

Application Controls

Input controls

    1. Data control function
    2. Key verification
    3. Check digit verification
    4. Prenumbered forms sequence test
    5. Turnaround documents
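Added example (Python), not code from the original page: check digit verification and a prenumbered forms sequence test. The check-digit scheme used here is mod-10 (Luhn), chosen as a representative weighted scheme rather than one the page names; the account numbers and document numbers are constructed.

```python
def luhn_check_digit(body):
    """Mod-10 (Luhn) check digit for a numeric string. An added example of a
    weighted check-digit scheme (not necessarily the course's): the doubling
    weights catch every single-digit error and every adjacent transposition
    except 09 <-> 90."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:            # rightmost body digit and every second one left of it
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def verify_check_digit(number):
    """Check digit verification on a keyed account number; the last digit is the check."""
    return (number.isdigit() and len(number) >= 2
            and number[-1] == luhn_check_digit(number[:-1]))

def sequence_test(numbers, first_expected):
    """Prenumbered forms sequence test over a batch: report gaps (possibly lost
    or unrecorded documents) and duplicates (possible double entry)."""
    counts = {}
    for n in numbers:
        counts[n] = counts.get(n, 0) + 1
    last = max(numbers)
    missing = [n for n in range(first_expected, last + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return {"missing": missing, "duplicates": duplicates}
```

A check digit only proves the number was keyed as it was printed; it says nothing about whether that account exists, which is the job of the validity check in the edit program.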


Input validation routines

    1. Edit programs perform specific edit checks before processing:
      1. Field check
      2. Limit check
      3. Range check
      4. Reasonableness check
      5. Redundant data check
      6. Sequence check
      7. Sign check
      8. Validity check
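Added example (Python), not code from the original page: an edit program that applies all eight checks to one keyed payroll transaction. The master file, department codes, tolerances and sample records are constructed; the point is that every check has its own test and its own failure name, so the error report tells the data control group exactly what to correct.

```python
# Constructed payroll master file and tolerances (not from the page).
EMPLOYEE_MASTER = {"10234": "J. Ortiz", "10881": "M. Chen"}
VALID_DEPTS = {"10", "20", "30"}
RATE_RANGE = (7.25, 150.00)      # lowest and highest pay rate on the books
HOURS_LIMIT = 80                 # no one is paid for more than 80 hours a week

def is_number(s):
    try:
        float(s)
        return True
    except (TypeError, ValueError):
        return False

def edit_checks(rec, previous_seq):
    """Run the eight edit checks on one keyed payroll transaction. Fields arrive
    as strings, as captured from a data entry screen. Returns the names of the
    checks that failed; an empty list means the record may be processed."""
    failed = []
    numeric_fields = ("regular_hours", "overtime_hours", "rate", "seq_no")
    if not (all(is_number(rec.get(f)) for f in numeric_fields)
            and rec.get("employee_id", "").isdigit()):
        failed.append("field")           # field check: numeric fields must be numeric
        return failed                    # the remaining checks need numeric values
    reg, ot, rate = (float(rec[f]) for f in ("regular_hours", "overtime_hours", "rate"))
    if reg + ot > HOURS_LIMIT:
        failed.append("limit")           # limit check: total hours over the cap
    if not RATE_RANGE[0] <= rate <= RATE_RANGE[1]:
        failed.append("range")           # range check: rate outside lower and upper bounds
    if ot > 0 and reg < 40:
        failed.append("reasonableness")  # reasonableness: overtime without a full week
    if EMPLOYEE_MASTER.get(rec["employee_id"]) != rec.get("employee_name"):
        failed.append("redundant data")  # redundant data: id and name must agree
    if int(float(rec["seq_no"])) != previous_seq + 1:
        failed.append("sequence")        # sequence check: batch entered in order
    if min(reg, ot, rate) < 0:
        failed.append("sign")            # sign check: hours and rate cannot be negative
    if rec["employee_id"] not in EMPLOYEE_MASTER or rec.get("dept") not in VALID_DEPTS:
        failed.append("validity")        # validity check: codes must exist in master data
    return failed

# Constructed sample records: one clean, one with a fault for each later check,
# and one where the letter O was keyed for a zero.
GOOD = {"seq_no": "1042", "employee_id": "10234", "employee_name": "J. Ortiz",
        "dept": "10", "regular_hours": "40", "overtime_hours": "3.5", "rate": "28.50"}
BAD = {"seq_no": "1044", "employee_id": "10234", "employee_name": "J. Ortis",
       "dept": "40", "regular_hours": "35", "overtime_hours": "50", "rate": "-200"}
KEYING = dict(GOOD, regular_hours="4O")
```

The field check runs first and stops the routine, because the other checks cannot be evaluated on a non-numeric value; everything else is reported together so a record is corrected once rather than bounced back for each defect in turn.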


On-line data entry controls

    1. Data edit checks plus user ID and password to limit data entry
    2. Compatibility checks: user authorization for updating
    3. Prompting: the system requests each input item
    4. Preformatting: display of the document with blanks highlighted
    5. Completeness check: all required items have been entered
    6. Default values: the system supplies the likely input item
    7. Closed-loop verification: display and checking of input items
    8. Transaction logging: a record of all input data
    9. Clear error messages


Processing and data storage controls

    1. Data currency checks: display the date of the last transaction
    2. Exception reporting
    3. External data reconciliation
    4. Control account reconciliation
    5. File security
    6. File conversion controls
    7. Error logs
    8. Error reporting


Output controls

    1. Review for reasonableness
    2. Reconcile control totals
    3. Distribute to the proper areas
    4. Use care with sensitive documents such as checks
    5. Review by the user for completeness and accuracy
    6. Shred sensitive documents
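Added example (Python), not code from the original page, serving both "control account reconciliation" above and "reconcile control totals" here: batch control totals established at input and reconciled against the totals of the posted output. The cash receipts batch and the two simulated posting faults (a lost record, a transposed customer number) are constructed.

```python
# Constructed batch of cash receipts as keyed by data control (not from the page).
INPUT_BATCH = [
    {"customer_no": 2041, "amount": 1250.00},
    {"customer_no": 3117, "amount": 89.95},
    {"customer_no": 2764, "amount": 410.10},
]

def batch_totals(records):
    """Record count, financial total (a meaningful sum) and hash total (a
    meaningless sum of an identifier field, kept only for control purposes)."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(r["customer_no"] for r in records),
    }

def reconcile(control_totals, output_totals):
    """Output control: compare the totals on the processing report with the
    totals established at input. Returns only the totals that disagree."""
    return {k: (control_totals[k], output_totals[k])
            for k in control_totals if control_totals[k] != output_totals[k]}

def post_batch(records, drop_index=None, transpose_index=None):
    """Constructed posting run with optional faults: a record silently lost, or
    a four-digit customer number with its middle digits transposed."""
    posted = []
    for i, r in enumerate(records):
        if i == drop_index:
            continue
        r = dict(r)
        if i == transpose_index:
            s = str(r["customer_no"])
            r["customer_no"] = int(s[0] + s[2] + s[1] + s[3])
        posted.append(r)
    return posted

def run(drop_index=None, transpose_index=None):
    """Establish control totals at input, post, and reconcile the output."""
    control = batch_totals(INPUT_BATCH)
    output = batch_totals(post_batch(INPUT_BATCH, drop_index, transpose_index))
    return reconcile(control, output)
```

A lost record moves all three totals; a customer number posted as 2401 instead of 2041 leaves the record count and the financial total untouched and is caught only by the hash total, which is the reason for carrying a total that has no accounting meaning.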
