Today’s Lecture Covers
Chapter 5 - Controls over Computer Operations and IS Support – Integrity
Chapter 7 – Application Controls
Integrity
System processing is complete, accurate, timely and authorized
Need to Align Comp. Op’n Services with Business Requirements
7 minimum control standards to ensure that defined user requirements are met:
Operations and support to be defined in a formal service agreement
procedures to monitor operations and services delivery performance (use of charge-out systems for IT costs - need to decide on fair allocation)
mgt processes should assess effectiveness and efficiency of service delivery
Aligning Comp. Op’n Services with Business Requirements
7 minimum control standards (cont’d)
procedures should identify and resolved promptly to minimize impact (anticipate user requirements and get appropriate resources in advance)
configuration mgt and planning procedures should be established. Important to have hardware and software monitoring and approval process.
Aligning Comp. Op’n Services with Business Requirements
the final 2 of 7
Operations change mgt process should ensure the integrity of operations
formal procedures should govern software version usage and control strategy
Control over Integrity and Availability
ensure complete, accurate and authorized processing of information
ensure continuity of processing services in light of minor processing errors or minor destruction of records
formal stds and procedures for all significant computer operations
application environment is properly controlled
off-site backup is used
Control over Integrity and Availability
operation service schedules used and monitored
physical and/or logical control over output
procedures to provide integrity of files in off-line storage
Control Over System Software
config mgt procedures used
acquisition and implementation policies used
change mgt procedures should be used
protection from viruses
Control over Info Transmission
procedures to protect inbound information and outbound information
network design should incorporate information integrity, confidentiality and availability requirements for transmissions
network implementation and config mgt needs to be controlled
Control over Data Mgt
roles and responsibilities for data mgt needed
database design and implementation needs to address security, integrity and control requirements
also incorporate reliability and availability requirements
Control over End-User Computing
procedures to ensure that end-users conform with organizational strategy
stds for development, acquisition, documentation and operation of applications procedures.
Effective support and training
monitoring end-user computing
General vs Application Controls
• general implemented consist. across all appl.
• application are built into specific programs
• distinction often arbitrary - general are usually reviewed once for audit as a whole
• application must be considered for each significant application
• if general are uniformly strong and operate effectively obtain such assur. wrt each app.
• if not, does not mean each appl. affected... need to consider app by app.
Application Controls
Hardware - such as parity checks, character checks
Input and output controls - at source dep’t and data control
Programmed controls (software)
Effective Design
designed with regard to business requirements
designed with regard to business risk analysis
only rely upon after taking general controls into consideration
look for integrity/accuracy
use structured programming techniques
use training
Types of Transactions
• each have different sensitivity and risk of errors
• master file changes - updated only periodically
• normal business applications
• error correction transactions
Master File Changes
• completeness, accuracy, and data authorization critical
• error would occur every time
• make sure using current masters
• important to guard against fraud
Normal Transactions
• second largest concern as most transactions
• necessary to control effectively
• Need to include controls over regular transactions and reports
Error Correction Transactions
• watch bypass potential
• errors often put aside and ignored
• all should be logged with clear responsibility for correction
• ideally put back through regular processing
Preventive Controls over Processing
• data entry as close to source of transact as possible to ensure familiarity
• structure operating procedures so that business activity not complete till transaction processing
• eliminate human component as much as possible
• authorize transactions before data entry
• use access control software
Preventive Controls over Processing (cont’d)
• use 3 levels access - physical access to terminal, access control over use of terminal and then authorization in software
• scrutinize manually prepared input
• use computer to edit transactions - use edit progs to check for items such as missing data, format, self checking digit, limits & logical relation checks
• use key verification & interactive systems
• use formatted input screens
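An edit program covering the checks named on this slide (missing data, format, self-checking digit, limits, logical relation), as an added example that is not part of the original lecture. The field names, the 8-digit account format, the 10,000 limit and the choice of the Luhn mod-10 algorithm for the check digit are assumptions made for illustration.

```python
import re
from datetime import date

REQUIRED = ("account_no", "amount", "order_date", "ship_date")
AMOUNT_LIMIT = 10_000.00  # assumed authorization limit for this example

def luhn_ok(number: str) -> bool:
    """Self-checking digit test (Luhn mod 10, chosen for this example)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def edit_transaction(txn: dict) -> list:
    """Return the edit failures for one record; an empty list means it passes."""
    errors = [f"missing: {f}" for f in REQUIRED if txn.get(f) in (None, "")]
    if errors:
        return errors  # the remaining checks need every field present
    if not re.fullmatch(r"\d{8}", txn["account_no"]):
        errors.append("format: account_no must be 8 digits")
    elif not luhn_ok(txn["account_no"]):
        errors.append("check digit: account_no fails self-checking digit")
    try:
        amount = float(txn["amount"])
        if not 0 < amount <= AMOUNT_LIMIT:
            errors.append("limit: amount outside 0 < amount <= 10000")
    except ValueError:
        errors.append("format: amount is not numeric")
    try:
        ordered = date.fromisoformat(txn["order_date"])
        shipped = date.fromisoformat(txn["ship_date"])
        if shipped < ordered:
            errors.append("logical: ship_date precedes order_date")
    except ValueError:
        errors.append("format: dates must be YYYY-MM-DD")
    return errors

# Constructed sample records (not real data)
SAMPLE_OK = {"account_no": "12345674", "amount": "250.00",
             "order_date": "2024-03-01", "ship_date": "2024-03-04"}
SAMPLE_BAD = {"account_no": "12345764", "amount": "25000",  # digits 6 and 7 transposed
              "order_date": "2024-03-04", "ship_date": "2024-03-01"}

if __name__ == "__main__":
    for record in (SAMPLE_OK, SAMPLE_BAD):
        print(record["account_no"], edit_transaction(record) or "accepted")
```

The transposed account number in the second record is still eight digits, so only the check digit test catches it.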
Preventive Controls over Processing (cont’d)
• use appropriately designed input forms
• single source transaction data - input once
• document application control procedures - manuals etc.
• training and supervision
• adequate working conditions
Detective Controls
• Use suspense records for impending transactions
• Monitor & investigate lack of regular activity (see if transactions omitted)
• verify records by examining assets etc.
• prepare budgets/investigate variances
• number transactions - check sequence
• group and count source documents and count # transactions processed
Detective Controls (cont’d)
• use control totals to check completeness
• reconcile changes in recorded assets and liabilities to transactions processed
• If practical, establish procedures for verification by users
• design programmed reasonableness tests
• match processing results to source documents in detail
• check computations
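The sequence check, document count and control total from the two Detective Controls slides above, run together against one batch, as an added example that is not part of the original lecture. The batch header layout and field names are assumptions; the sample batch is constructed so that the record count agrees while the other two controls do not.

```python
from decimal import Decimal

def reconcile_batch(header: dict, processed: list) -> list:
    """Compare processed transactions with the batch header prepared at source."""
    findings = []
    seqs = sorted(t["seq"] for t in processed)
    expected = range(header["first_seq"], header["first_seq"] + header["count"])
    missing = sorted(set(expected) - set(seqs))
    dupes = sorted({s for s in seqs if seqs.count(s) > 1})
    extra = sorted(set(seqs) - set(expected))
    if missing:
        findings.append(("sequence gap", missing))
    if dupes:
        findings.append(("duplicate number", dupes))
    if extra:
        findings.append(("number outside batch", extra))
    if len(processed) != header["count"]:
        findings.append(("record count", (header["count"], len(processed))))
    # Decimal avoids float rounding when totalling money amounts
    total = sum((Decimal(t["amount"]) for t in processed), Decimal("0"))
    if total != Decimal(header["control_total"]):
        findings.append(("control total", (header["control_total"], str(total))))
    return findings

# Constructed batch: document 1003 was never keyed and 1004 was keyed twice
HEADER = {"first_seq": 1001, "count": 5, "control_total": "1500.00"}
PROCESSED = [
    {"seq": 1001, "amount": "100.00"},
    {"seq": 1002, "amount": "200.00"},
    {"seq": 1004, "amount": "400.00"},
    {"seq": 1004, "amount": "400.00"},
    {"seq": 1005, "amount": "500.00"},
]

if __name__ == "__main__":
    for name, detail in reconcile_batch(HEADER, PROCESSED):
        print(name, detail)
```

Five records were expected and five were processed, so a count alone would pass this batch; the sequence check and the control total are what expose the omission and the duplicate.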
Detective Controls (cont’d)
• use summary and exception reports
• use double entry recording to balance transactions
• agree summary records to detailed records
• require user approval of results
• require error tracking and analysis - develop stats
Master File Controls
• authorize all changes before input
• record changes to semi-permanent listings, reconcile changes
• print out for review by knowledgeable users for errors
• use control totals
• application progs should internally label master files
Errors and Exception Controls
• use error and exception reports - ensure follow-up
• use error logs and define correction procedures and responsibilities
• resubmit errors into NORMAL processing cycle - do not bypass
Management & Audit Trails
• file each record in planned sequence to facilitate retrieval
• provide unique id for each record
• retain source copy for transactions
• provide methods of tracing data backwards and forwards through IS
• document retention procedures
Management & Audit Trails (cont’d)
• use logs
• periodically copy and save permanent records that are overwritten by changes
• provide software capability to scrutinize & analyse data
Advanced System Characteristics
• absence independent evidence
• no visible audit trails
• lack of auth evidence
• heavy I/C reliance
• need to understand transaction flow
• test controls to be relied upon
• audit hardware/software