Chapter 4 - Internal Controls In IT Systems
Instructor Manual
 Introduction To Internal Controls For IT Systems. It is important to consider
possible threats that can disrupt or stop IT systems, and to implement controls that
can help prevent these threats. It is important to understand general and application
controls, the nature of risks in IT systems, and how these controls can reduce the
risks. The AICPA Trust Services Principles are a framework that helps organize these
risks and controls. Controls can also be categorized into general controls and
application controls. General controls apply to the overall IT accounting system.
Application controls are input, processing, and output controls within IT applications.
 General Controls In IT Systems
o Authentication Of Users And Limiting Unauthorized Users. Authentication is
intended to ensure that users trying to access the IT system are valid, authorized
users. There are many ways to authenticate users, including log-in procedures
using a user ID and password, smart cards, security tokens, and biometric
devices. User ID and password combinations are authentication based on what
a person knows. Two-factor authentication is based on what a user knows and
what he has. Examples are smart cards and security tokens. Biometric
authentication uses unique physical characteristics of a person such as a finger
print. Even with these controls, an unauthorized user may be able to get access
to the system. Thus, additional controls are needed such as a computer log, and
a user profile in an authority table that determines each user’s access level.
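As an added illustration (not part of the chapter text), the following Python code shows the three controls above working together: a log-in check based on what the person knows, an authority table that fixes each user's access level, and a computer log of every attempt. The users, access levels and actions are constructed for the example.

```python
# Added example, not the chapter's code: a login check, an authority table and a
# computer log working together. Users, access levels and actions are constructed.
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Access levels in increasing order of privilege (assumed scheme for this example).
LEVELS = ("read", "enter", "approve", "admin")
# Authority table: each user profile names the highest level that user holds.
AUTHORITY_TABLE = {"clerk01": "enter", "mgr02": "approve", "auditor03": "read"}
CREDENTIALS = {}   # user -> (salt, PBKDF2 hash); the password itself is never stored
COMPUTER_LOG = []  # every attempt, allowed or denied, is recorded for later review

def enroll(user, password):
    salt = os.urandom(16)
    CREDENTIALS[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def authenticate(user, password):
    """Something the person knows: compare a salted hash in constant time."""
    if user not in CREDENTIALS:
        return False
    salt, stored = CREDENTIALS[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored)

def authorized(user, action):
    """Authority table: allowed when the user's level is at or above the action's level."""
    level = AUTHORITY_TABLE.get(user)
    return level is not None and LEVELS.index(level) >= LEVELS.index(action)

def request(user, password, action):
    """Authenticate, then authorize, and log the outcome either way."""
    if not authenticate(user, password):
        outcome = "denied: authentication failed"
    elif not authorized(user, action):
        outcome = "denied: not in authority table for " + action
    else:
        outcome = "allowed"
    COMPUTER_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                         "user": user, "action": action, "outcome": outcome})
    return outcome == "allowed"

def denied_attempts(log=COMPUTER_LOG):
    """What a reviewer of the computer log looks for: who was refused, and why."""
    return [(e["user"], e["action"], e["outcome"]) for e in log if e["outcome"] != "allowed"]

# Constructed users and passwords for the demonstration.
enroll("clerk01", "correct horse")
enroll("mgr02", "battery staple")
```

Note that auditor03 appears in the authority table but was never enrolled, so every attempt by that user is refused at the authentication step and still lands in the log.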
o Hacking And Other Network Break-Ins. The more extensive the network
system, the more openings there are for hackers and unauthorized users. A
firewall is hardware, software, or a combination of both that blocks instances of
unauthorized network traffic. The firewall examines network packets of data and
tries to allow authorized data to flow through, yet block unauthorized packets of
data. Encryption of data, either through symmetric or public key encryption
converts data into cipher text that is not readable unless the user has the correct
key. Wireless networks should be encrypted through either Wired Equivalent
Privacy (WEP) or Wi-Fi Protected Access (WPA). The Service Set Identifier
(SSID) of a wireless network should be unique. Other methods to protect
network traffic are virtual private network (VPN) and secure sockets layer (SSL).
Other methods to increase authentication control are antivirus software,
vulnerability assessment, intrusion detection, and penetration testing. These
methods help monitor and prevent unauthorized access.
o Organizational Structure. The manner in which a company establishes,
delegates, and monitors IT system functions is part of the general controls. For
companies with extensive IT systems, this would include an IT governance
committee of top executives. The IT governance committee should: (1) align IT
strategy with business strategy; (2) budget funds and personnel for IT; (3)
develop, monitor, and review all IT policies; and (4) develop, monitor, and review
security policies. It is also important that IT duties be properly segregated.
Systems analysts and programmers, operators, and database administrator
duties should be segregated. As major changes are made to an IT system, the
changes should follow a process that controls the initiation, approval,
development, and maintenance of IT systems. Often, the process followed is a
System Development Life Cycle (SDLC).
o Physical Environment And Security. An IT system should have controls over
the physical environment and physical access controls to the IT system.
Physical access controls are intended to prevent malicious acts or vandalism to
the system. The physical environment, such as temperature and humidity should
be controlled to prevent system problems. There should also be dust and fire
prevention systems. Uninterruptible power supplies and emergency power
supplies can keep the system operating in the event of power failures. Physical
access controls include: (1) ID badges or key cards to limit access, (2) video
surveillance equipment, (3) logs of those entering the area, and (4) locked
storage of data storage media.
o Business Continuity. Business continuity planning is a proactive program to
consider risks to business continuation and developing plans to limit those risks.
The business continuity plan should include a strategy for backup and restoration
of IT systems, and a disaster recovery plan. The system can use redundant
servers and redundant arrays of independent disks (RAID) to guard against
system failure. There should also be regular backups of data and an off-site
storage of backups. A disaster recovery plan includes the plan of steps
necessary to continue IT operations after a disaster.
 General Controls From An AICPA Trust Principles Perspective. The AICPA
Trust Services Principles are a framework that categorizes risks and controls into
five categories: (1) security, (2) availability, (3) processing integrity, (4) online
privacy, and (5) confidentiality.
o Risks In Not Limiting Unauthorized Users. There are eight IT controls that
can lessen the risk of unauthorized users gaining access to the IT system.
Those eight are: user ID, password, security token, biometric devices, log-in
procedures, access levels, computer logs, and authority tables. Without such
controls, there are security risks, availability risks, processing integrity risks, and
confidentiality risks. Security risks are from external persons, as well as
employees of the organization who may try to access data for which they do not
need access. Unauthorized access to the IT system can allow persons to
browse through data, alter data in an unauthorized manner, destroy data, copy
the data with the intent to steal and perhaps sell to competitors, or record
unauthorized transactions. Availability risks arise when a person who gains
unauthorized access tampers with the IT system in a manner that shuts down
systems or programs, making the system or program temporarily unavailable
for its intended use. If unauthorized users are
able to access the IT system, they pose processing integrity risks in that they
may be able to alter data to change the results of processing. This alteration of
data could occur prior to the transaction being processed, during processing, or
after the processing is complete. Confidentiality risks, or the risk of confidential
data being available to unauthorized users, can occur if authentication controls
are weak. An unauthorized user who gains access can browse, steal, or destroy
confidential data.
o Risks From Hacking Or Other Network Break-Ins. Whether the threat is from
an insider or outsider, efforts should be made to reduce the threat of hacking or
network break-ins and to limit the potential harm that can be done by hacking
and break-ins. The security risks related to hacking and network break-ins are
the same as those identified in the previous section on unauthorized users. The
availability risks are that the network break-in can allow systems or programs to
be shut down, altered or sabotaged. The person who breaks in may also plant a
virus or worm into the system. The processing integrity risks are that the person
breaking in can alter the data or programs to compromise the accuracy or
completeness of the data. Recording nonexistent or unauthorized transactions
will also compromise data accuracy or completeness, as could a virus or worm.
Again there is a confidentiality risk since the person breaking in may access,
browse, steal or change confidential data.
o Risks From Environmental Factors. Any environmental changes that affect
the IT system can cause availability risks and processing integrity risks. These
risks are that systems can be shut down or errors and glitches in processing can
occur that cause lost or corrupted data. Backup power supply systems allow IT
systems to be gradually shut down without the loss or corruption of data.
o Physical Access Risks. The security risk is that an intruder who gains physical
access may change user access levels so that he or she can later access data or
systems through any network attached system. The availability risks are that
unauthorized physical access would allow an intruder to physically shut down,
sabotage, destroy hardware or software, or insert viruses or worms from diskette,
CD or other media. An intruder may interrupt processing and thereby affect the
accuracy or completeness of processing, causing processing integrity risks.
Viruses and worms can also affect the accuracy and completeness of
processing. An intruder poses confidentiality risks in that an intruder may be able
to gain access to confidential data to browse, alter, or steal the data.
o Business Continuity Risks. The security risk is that an unauthorized person
may gain access to the backup data. The availability risk is that as disasters or
events interrupt operations, the system becomes unavailable for regular
processing. The processing integrity risk is that business interruptions can lead
to incomplete or inaccurate data. The confidentiality risk is that unauthorized
persons may gain access to confidential data if they are able to gain access to
backup data.
 Hardware And Software Exposures In IT Systems. There are many possible
configurations of hardware and software that could be used in organizations. This
section describes some typical hardware and software systems and the
corresponding risks and controls.
o The Operating System. The operating system is the software that controls the
basic input and output activities of the computer. The operating system can be
an “entry point” for unauthorized users or hackers. Operating system access
allows a user access to all the important aspects of the IT system. Since all
application software and database software works through the operating system,
access to the operating system also allows access to applications and the
database. In addition, all read/write data functions are controlled by the
operating system and any person who has access to the operating system can
have access to data. Essentially, access to the operating system opens access
to any data or program in the IT system. If a knowledgeable person is able to
access and manipulate the operating system, that person potentially has access
to all data passing through the operating system, and all processes or programs.
Thus the operating system poses security risks, availability risks, processing
integrity risks, and confidentiality risks.
o The Database. The database is an exposure area because any unauthorized
access to the data can compromise the security and confidentiality of the data,
and potentially interfere with the availability and normal processing of the IT
system. An unauthorized user who gains access to the database can browse
through the data, compromising the security and confidentiality of the data in the
database. The unauthorized user could also destroy or erase data, thereby
affecting the accuracy of processing, and perhaps making processing
unavailable since some data has been erased.
o The Database Management System. As is true of the data, the DBMS poses
security, confidentiality, availability, and processing integrity risk exposures.
Since the database management system reads and writes data to the database,
unauthorized access to the DBMS is another exposure area. An unauthorized
user who is able to access the DBMS may be able to browse, alter, or steal data.
o LANs And WANs. Since LANs and WANs are connected into the larger
network of servers and computers within a company, the LANs represent risk
exposure areas because anyone who has access to a workstation on the LAN
can have access to data and devices on the entire network within the
organization. LANs pose security, confidentiality, availability, and processing
integrity risks. An unauthorized user on the LAN may browse, alter or steal data
and thereby compromise the security and confidentiality of data. Any
unauthorized manipulation of data or programs through the LAN can affect
availability and processing integrity of the IT system.
o Wireless Networks. The wireless network represents another potential
“entry point” of unauthorized access and therefore poses the same four risk
exposures of security, confidentiality, availability, and processing integrity. The
wireless network has the same kind of exposures as described in the LAN
section above. These network signals are similar to radio signals and therefore
anyone who can receive those radio signals may gain access to the network.
o The Internet And World Wide Web. The Internet connection required to
conduct Internet based business can open the company network to unauthorized
users, hackers and other network break-ins. An unauthorized user can
compromise security and confidentiality, and affect availability and processing
integrity by altering data or programs or inserting virus or worm programs.
o Telecommuting Workers. Telecommuting workers create two sources of risk
exposures to their organizations. First, the network equipment and cabling that is
necessary can be an “entry point” for hackers and unauthorized users.
Secondly, the teleworker’s computer is also an “entry point” for potential
unauthorized users. The computer used by the teleworker is not under the
control of the organization since it is located in the teleworker’s home. Therefore,
the organization must rely on the teleworker to maintain appropriate security over
that computer and to appropriately use firewalls and virus software updates to
keep security up to date. These two “entry points” pose security, confidentiality,
availability, and processing integrity risks.
o Electronic Data Interchange. To conduct EDI with business partners, a
business must use a dedicated network, a value added network, or the Internet.
Regardless of the type of network used for EDI, the EDI network entails security,
confidentiality, availability, and processing integrity risks. The EDI network is
another “entry point” for unauthorized users or hackers. EDI transactions must
be properly guarded and controlled by general controls including authentication,
computer logs, and network break-in controls.
 Application Software And Application Controls. Applications software is the
software that accomplishes end user tasks such as word processing, spreadsheets,
database maintenance, and accounting functions. Application software represents
another “entry point” through which unauthorized users or hackers could gain
access. Application software has specific processing integrity risks that are not
inherent in the eight previous IT components. The specific processing risks are
inaccurate, incomplete, or unsecure data as it is input, processed, or becomes
output. In addition, a risk of application software is the addition and processing of
unauthorized transactions. For these specific risks, application controls should be
part of accounting applications.
o Input Controls. No matter the manner of input, controls should be in place to
ensure that the data entered is accurate and complete. Input controls should be
in place to ensure the authorization, accuracy, and completeness of that data
input. These input controls are of four types.
 Source document controls. Where source documents are used, several
source document controls should be used to minimize the potential for errors,
incomplete data, or unauthorized transactions as data is entered. The source
document as well as the input screen should be well designed so that they
are easy to understand and use. Source documents should have clear and
direct instructions embedded into the form. Finally the source document
design and input screen design should match each other. The source
document should contain an area for authorization by the appropriate
manager. The source document forms should be prenumbered and used in
that sequence. After source documents have been entered by keying, the
source documents should be retained and filed in a manner that allows for
easy retrieval.
 Standard procedures for data preparation and error handling. Without
well-defined source data preparation procedures, employees would be unsure
as to which forms to use, when to use them, how to use them, and where to
route them. An organization should have error handling procedures. As
errors are discovered, they should be logged, investigated, corrected, and
resubmitted for processing. The error log should be regularly reviewed by an
appropriate manager so that corrective action can be taken on a timely basis.
 Programmed edit checks. Application software can include input validation
checks to prevent or detect input errors. These validation checks are
preprogrammed into accounting application software and are intended to
check a field, or fields, for errors. They include field checks, validity checks,
limit checks, range checks, reasonableness checks, completeness checks,
sign checks, sequence checks, and self-checking digits.
 Control totals and reconciliations. Control totals are useful in any IT
system in which transactions are processed in batches. Control totals are
subtotals of selected fields for an entire batch of transactions. The totals
include record counts, batch totals, and hash totals.
o Processing Controls. Processing controls are intended to prevent, detect, or
correct errors that occur during the processing in an application. The
reconciliation of control totals at various stages of the processing is called run-to-run
control totals. During processing, some calculations such as addition or
multiplication must occur. Limit, range, and reasonableness checks can be used
to ensure that the results of these mathematical manipulations are within
expected ranges or limits. Computer logs of transactions processed, production
run logs, and error listings can be regularly examined to prevent, detect, or
correct other errors.
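As an added illustration (not the chapter's own code) of the control totals described under input controls and of the run-to-run control totals described above, the following Python code establishes a record count, batch total and hash total when a constructed batch is entered and reconciles them again after each processing run; the batch layout and the two processing runs are assumptions made for the example.

```python
# Added example, not the chapter's code: batch control totals (record count,
# batch total, hash total) established at input and reconciled after every
# processing run. The batch layout and the processing runs are assumed.

def control_totals(batch):
    """Record count, batch total of the amount field, hash total of account numbers."""
    return {
        "record_count": len(batch),
        "batch_total": round(sum(r["amount"] for r in batch), 2),
        # hash total: a meaningless sum of a non-monetary field, kept only to
        # detect a dropped, duplicated or altered record
        "hash_total": sum(int(r["account"]) for r in batch),
    }

def reconcile(expected, actual):
    """Return the names of totals that do not agree (empty list means the batch balances)."""
    return [k for k in expected if expected[k] != actual[k]]

def run_to_run(batch, runs):
    """Carry control totals from one processing run to the next.

    runs is a list of functions, each taking and returning a batch; after each
    run the totals are recomputed and compared with those established at input.
    Returns (final_batch, [(run_name, differences)]) and stops at the first run
    whose output fails to reconcile, so later runs never see a bad batch.
    """
    established = control_totals(batch)
    log = []
    for run in runs:
        batch = run(batch)
        diffs = reconcile(established, control_totals(batch))
        log.append((run.__name__, diffs))
        if diffs:
            break
    return batch, log

# Constructed batch of cash receipts and two processing runs.
INPUT_BATCH = [
    {"account": "1001", "amount": 120.50},
    {"account": "1002", "amount": 75.00},
    {"account": "1003", "amount": 300.25},
]

def sort_run(batch):            # a benign run: reorders records, totals unchanged
    return sorted(batch, key=lambda r: r["amount"])

def faulty_posting_run(batch):  # a defective run that silently drops the last record
    return batch[:-1]
```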
o Output Controls. There are two primary objectives of output controls: to assure
the accuracy and completeness of the output, and to properly manage the
safekeeping of output reports to ensure that security and confidentiality of the
information is maintained. To ensure accuracy and completeness, the output can
be reconciled to control totals. In addition, it is extremely important that users of
the reports examine the reports for completeness and reasonableness. An
organization must maintain procedures to protect output from unauthorized
access. There should be written guidelines and procedures for output
distribution. The organization should also establish procedures to guide the
retention and disposal of output.
 Ethical Issues Of Information Technology. Without proper controls on IT systems
the computer systems can be easily misused by outsiders or employees. In addition
to computer assets being misused, access to IT systems may give unauthorized
users access to other assets. Management must try to prevent theft conducted
using the IT system such as theft by entering fraudulent transactions. Both misuse
of computers and theft through the computer systems are unethical behaviors that
management should discourage through proper internal controls. Unethical
problems related to IT systems would include: (1) misuse of confidential customer
information stored in an IT system; (2) theft of data such as credit card information
by hackers; (3) employee use of IT system hardware and software for personal use
or personal gain; and (4) using company e-mail to send offensive, threatening, or
sexually explicit material.