Systems Controls and Security Measures in an Accounting Information System Paprint

Academic year: 2021

SYSTEMS CONTROLS AND SECURITY MEASURES IN AN ACCOUNTING INFORMATION SYSTEM

CONTROLS FOR COMPUTERIZED ACCOUNTING INFORMATION SYSTEM

o CONTROLS

- Refer to measures or techniques that prevent, detect, and/or correct conditions that may lead to loss or damage to the business firm.

Some of the reasons why computers can cause control problems are:

1. Effects of errors may be magnified.

2. Inadequate separation of duties because of decreased manual involvement.

3. Audit trails may be undermined.

4. Human judgment is bypassed.

5. Changes to data and programs may be made by individuals lacking knowledge.

6. More individuals may have access to accounting data.

Computer controls can be classified as:

1. General Controls

2. Application controls

GENERAL CONTROLS

- General controls are measures that ensure that a company’s control environment is stable and well managed. These controls provide reasonable assurance that development of, and changes to, computer programs are authorized, tested and approved prior to use.

• 1. Organizational or Personnel Controls

a) These will involve separation of incompatible duties. At a minimum, segregate programming, operations, and library functions within the information systems department. One way to separate key functions is as follows:

1. System analysis- The system analyst analyzes the present user environment and requirements and may (1) recommend specific changes (2) recommend the purchase of a new system, or (3) design a new information system.

2. System programming- The systems programmer is responsible for implementing and debugging the software necessary for making the hardware work.

3. Applications programming- The applications programmer is responsible for writing, testing and debugging the application programs for the specifications provided by the system analyst.

4. Database administration- In a database environment, a database administrator (DBA) is responsible for maintaining the database and restricting access to the database to authorized personnel.

5. Data preparation- Data may be prepared by user departments and input by key to magnetic disk or magnetic tape.

6. Operations- The operator is responsible for the daily computer operations of both hardware and software.

7. Data library- The librarian is responsible for custody of the removable media and for the maintenance of program and system documentation.

8. Data control- The control group acts as liaison between users and the processing center.

b) Companies may use separate computer accounts that are assigned to users on either a group or individual basis. This will also involve the use of PASSWORDS and CALL-BACK PROCEDURES to restrict access from remote terminals.

• 2. File security / Software Controls

a) These will require

1. Documentation of all programs, procedures and operating investments.

2. Segregation of duties as to

a. Systems design and operation

b. Testing of new systems and operations

3. Approval of new programs and changes to program by management, users and information systems personnel.

4. Library control of all master and transaction file conversions to prevent unauthorized changes and to verify the accuracy of the results.

5. Back-up storage of software off-premises.

a) These involve built-in controls in the computers by the manufacturer which will detect machine malfunction.

b) Among the most common types of built-in controls are:

1. Parity check

2. Duplicate reading

3. Echo check

4. Dual circuitry

5. Interlock

6. Boundary protection

7. File protection ring

8. Validity test

c) The system should be examined periodically (often weekly) by a qualified service technician.

• 4. Access to computer and data files controls or controls over access to equipment and data files

a) These will include the following segregation controls:

1. Access to program documentation should be limited to those persons who require it in the performance of their duties.

2. Access to data files and programs should be limited to those individuals authorized to process data.

3. Access to computer hardware should be limited to authorized individuals such as computer operators and their supervisors.

b) Physical access to computer facility controls.

c) Use of a visitor entry log which documents those who have had access to the area.

d) Use of identification code and a confidential password to control access to software

e) Use of “call back”, which is a specialized form of user identification in which the user dials the system, identifies him/herself and is disconnected from the system.

f) Use of “encryption” where data is encoded when stored in computer files and/or from remote locations. Data encryption transforms plaintext messages into unintelligible ciphertext using an encryption key.

• 5. Other data and procedural controls including security and disaster controls

(Fault-tolerant systems, backup, and contingency planning)

a) Physical Security

1. Fireproof storage

2. Backup for the vital documents, files and programs

b) Contingency planning which includes the development of a formal disaster recovery.

• Hot site - a facility that is configured and ready to operate within a few hours.

• Cold site - a facility that provides everything necessary to quickly install computer equipment, but doesn’t have the computer installed.

c) Insurance should also be obtained to compensate the company for losses when they occur.

APPLICATION CONTROLS

1) Input Controls

a) Attempt to ensure the validity, accuracy and completeness of the data entered into the system.

Four Categories:

1) Data observation and recording

2) Data transcription

3) Programmed (source program) edit checks

These include:

a) Control batch or proof totals

b) Completeness check

c) Hash total

d) Limit check

f) Self-checking digit

g) Record count

h) Sequence check

i) Validity check

j) Reasonableness check

b) Control procedures that should be followed in the input data are:

1) Systems specifications documenting all necessary steps in the preparation should be written and used.

2) Serial controls should be logged.

3) Signature approvals should be received and accounted for.

4) A peso-value unit or hash totals should be prepared for a batch or a processing period and compared by the computer with the totals processed.

5) Data to be entered into the system should be verified.

6) An editing procedure should be followed whereby all input information is compared with tables of valid codes.

7) Check digits should be used whenever possible.

8) All rejected items in the editing procedure should be listed with references and their disposition accounted for.

9) Specific procedures should be established for delivery of data to the computer department.
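The programmed edit checks and batch controls listed above, shown working together on one batch. This is an added example, not part of the original notes; the Luhn mod-10 scheme for the self-checking digit, the account-code table, the amount limit and the field names are all assumptions chosen for illustration.

```python
from decimal import Decimal

VALID_ACCOUNTS = {"1010", "2010", "4010"}  # constructed table of valid codes
LIMIT = Decimal("50000.00")                # assumed ceiling for the limit check

def luhn_ok(number):
    # Self-checking digit: Luhn mod-10 (an assumed scheme; the notes name none).
    if not number.isdigit():
        return False
    digits = [int(c) for c in reversed(number)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def edit_batch(header, records):
    """Return (accepted serials, {serial: reasons}, failed batch controls)."""
    accepted, rejects, prev = [], {}, None
    for rec in records:                    # amounts are assumed to be numeric strings
        reasons = []
        if prev is not None and rec["serial"] != prev + 1:
            reasons.append("sequence")     # a pre-numbered document is missing
        if not luhn_ok(rec["customer"]):
            reasons.append("check digit")  # keying error in the customer number
        if rec["account"] not in VALID_ACCOUNTS:
            reasons.append("validity")     # code is not in the table of valid codes
        if not Decimal("0") < Decimal(rec["amount"]) <= LIMIT:
            reasons.append("limit")
        prev = rec["serial"]
        if reasons:
            rejects[rec["serial"]] = reasons   # listed for follow-up, not dropped
        else:
            accepted.append(rec["serial"])
    # Batch controls: totals of what was keyed vs. totals prepared from source documents.
    keyed = {"record_count": len(records),
             "control_total": sum(Decimal(r["amount"]) for r in records),
             "hash_total": sum(int(r["customer"]) for r in records if r["customer"].isdigit())}
    batch_errors = [name for name, value in keyed.items() if header[name] != value]
    return accepted, rejects, batch_errors

# Constructed batch: header totals come from the source documents, records are as keyed.
HEADER = {"record_count": 4, "control_total": Decimal("76650.00"), "hash_total": 800056}
RECORDS = [
    {"serial": 501, "customer": "100008", "account": "1010", "amount": "1200.00"},
    {"serial": 502, "customer": "200041", "account": "2010", "amount": "350.50"},  # digits transposed
    {"serial": 503, "customer": "300020", "account": "9999", "amount": "75000.00"},
    {"serial": 505, "customer": "200014", "account": "4010", "amount": "99.50"},   # 504 is missing
]
if __name__ == "__main__":
    print(edit_batch(HEADER, RECORDS))
```

The transposed customer number in record 502 is caught twice: per record by the check digit, and at batch level by the hash total, which no longer agrees with the figure prepared from the source documents.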

2) Processing Controls

Included in processing controls are:

a) File Labels

b) Trailer Labels

c) Sequence tests

d) Proof totals

f) Exception listings

g) Transmittal record

h) A record should be logged for each processing run showing the files used, time consumed, machine halts, operator actions and other relevant data.

3) Output Controls

- These govern the accuracy and reasonableness of the output of data processing and prevent unauthorized use of output.

Important measures include:

a) Error log

b) Follow-up control totals

c) Distribution log

d) Audit trail storage

e) Visual review for apparent reasonableness and completeness.

f) Exceptions should be properly handled.

g) Complete resubmission of corrected errors should be assured.

h) Provision should be made to see that all output reports are delivered on time and to authorized destinations.

i) Users should be periodically queried for the continued needs for the output.

j) Shred sensitive documents.

COMPUTER CONTROL ACTIVITIES

-Computer General Control activities

-Computer Application Control activities

-User Control Activities to test the completeness and accuracy of computer-processed transactions

COMPUTER FRAUD

1) Input manipulation
