
MODULE 3 PPT CIS

Internal Control in Computerized Information System

Internal Control

⦿ Internal Control is the process designed and effected by those charged with governance, management, and other
personnel to provide reasonable assurance about the achievement of the entity’s objectives with regard to
financial reporting, effectiveness and efficiency, and compliance with laws and regulations.

Reasonable Assurance

⦿ Inherent Limitations:

› Faulty judgments in decision making

› Consideration of relative costs and benefits

› Breakdowns because of human failures, simple errors or mistakes

› Controls can be circumvented by collusion of two or more people

› Management override of internal control system

Components of Internal Control System

⦿ Control Environment

⦿ Risk Assessment Process

⦿ Information System and Related business processes relevant to financial reporting and communication

⦿ Control Activities

⦿ Monitoring of Controls

Control Activities in Computerized Information System

⦿ General Controls- apply to the IT accounting system as a whole; they are not restricted to any particular accounting
application

⦿ Application Controls- used specifically in accounting applications to control input, processing and output.

General Controls

⦿ Authentication of users and limiting unauthorized access

⦿ Hacking and other network break-ins

⦿ Organizational structure

⦿ Physical Environment and physical security of the system

⦿ Business Continuity

Authentication of users

⦿ Log-in restrictions- user ID and password

› User ID- uniform in format but distinct for each user

› Password- should consist of at least 8 characters and include nonalphanumeric characters. It must be kept secret,
but user actions can defeat the purpose of the password

⦿ Smart Card and Security Token- reduce unauthorized access. Combined with a password this is known as two-factor
authentication (something the user has and something the user knows)

⦿ Biometric Devices – unique physical characteristics of the user (fingerprint, retina scans, voice recognition and
face recognition)

Limiting unauthorized access

⦿ Computer Log – complete record of all dates, times and uses for each user

› Nonrepudiation- user cannot deny any particular act that he did on the system

› Log-ins of customers

⦿ User Profile- determine the user’s access levels to hardware, software and data

⦿ Authority Table – contains the list of valid, authorized users and the access level granted to each one

⦿ Configuration table- hardware, software and application programs can only be changed by authorized users.

Hacker

⦿ Firewall-designed to block unauthorized access

⦿ Encryption- process of converting data into secret code referred to as ciphertext. Encryption renders the data
useless to those who do not possess the correct key

› Symmetric Encryption- uses a single key to both encrypt the data and decode the encrypted data (the same key
for sender and receiver)

› Public Key Encryption- uses a pair of public and private keys (the sender uses the public key, the receiver the
private key)

Hacker

⦿ Wired Equivalent Privacy (WEP)- encryption method mostly used in wireless networks that uses a symmetric
encryption key. This method is susceptible to hacking.

⦿ Wi-Fi Protected Access (WPA)- improved encryption method that can check whether the encryption key has been
tampered with. It authenticates the computer and the user before transmitting data

⦿ Service Set Identifier (SSID)- a password that is passed between the sending and receiving nodes of a wireless
network.

⦿ Virtual Private Network (VPN)- employed when an employee connects to the system through a public network such
as the Internet

⦿ Secure Sockets Layer (SSL)- Web-based technology that can be used to limit access when employees use the Internet
(https://)

Network Break-Ins

⦿ Break-Ins- a virus or worm inserted into the system

› Virus- self-replicating piece of program code that can attach itself to other programs and data and perform
malicious actions such as deleting files or shutting down the computer

› Worm- small piece of program code that attaches to the computer’s unused memory space and replicates
itself

⦿ Antivirus Software- continually scans the system for viruses and worms and either deletes or quarantines them

⦿ Long-Range Monitoring

› Vulnerability Assessment – identifies weaknesses of the IT system before they turn into break-ins

› Intrusion Detection- serves as an alarm when someone tries to break into the system

› Penetration Testing- legitimate attempts to break into an IT system to discover its weaknesses

Organization Structure

⦿ IT governance committee – suitable for a large IT system. It is composed of top executives such as the CEO, CFO,
CIO and heads of business units.

› Align IT system to business strategy

› Budget funds and personnel for the most effective use of the IT systems

› Oversee and prioritize changes in IT systems

› Develop, monitor, and review IT operational policies

› Develop, monitor and review security policies

⦿ The manner in which an organization establishes, delegates, and monitors IT system functions

› Functional responsibilities must be properly segregated (systems analysts, programmers, operators and
database administrators)

Physical Environment and Security

⦿ Physical Security- limits physical access to computer hardware and software so that malicious acts or
vandalism do not disrupt the system and data are protected

⦿ The IT system should be located in an area that is least at risk of disaster, with proper control of dust,
temperature and humidity, and a fire prevention system that does not use water

⦿ Uninterruptible Power Supply- keeps the computer running for several minutes after a power outage

⦿ Emergency Power Supply- alternative power supply that provides electrical power when the main source is lost

⦿ Limited access to computer rooms

⦿ Video Surveillance Equipment

⦿ Logs of persons entering and exiting the computer rooms

⦿ Locked Storage of backup data and offsite backup data

Business Continuity

⦿ Business Continuity Planning- a proactive program for considering risks to the continuation of the business and
developing plans and procedures to reduce those risks. Continuation of the IT system is an integral part of business
continuity.

› Strategy for backup and restoration of the IT system

› Disaster Recovery Plan

⦿ Backup Strategy

› Redundant Servers- two or more computer networks or data servers that can run identical processes or
maintain the same data (redundant array of independent disks, RAID)

› Offsite Backup- additional copy of the backup files stored in an offsite location

⦿ Disaster Recovery Plan- a plan for the continuance of the IT system after a disaster. It is reactive rather than proactive.

Risks

⦿ Security Risk

⦿ Availability Risk

⦿ Processing Integrity Risk

⦿ Confidentiality Risk

Control and Risk Matrix


Application Controls

⦿ Input Controls- intended to ensure the accuracy and completeness of data input procedures and the resulting data

⦿ Processing Controls- intended to ensure the accuracy and completeness of the processing that occurs in the accounting
applications

⦿ Output Controls- intended to help ensure the accuracy, completeness and security of the outputs that result from
application processing

Input Controls

⦿ GIGO “Garbage in, Garbage out”

⦿ Source Document Controls
⦿ Standard procedures for data preparation and error handling
⦿ Programmed edit checks
⦿ Control totals and reconciliation

Source Document Controls

⦿ Form Design
⦿ Form Authorization and Control
⦿ Retention of Source Document

Standard Procedures for Data input

⦿ Data Preparation- process of collecting and preparing source documents

› Which form to use, when to use them, how to use them and where to route them

› Reduce the chance of lost, misused, misdirected or incorrectly collected data from source documents

⦿ Error Handling- logged, investigated, corrected and resubmitted for processing

Programmed Edit Check

⦿ Input Validation Check

› Field Check- examines the field to determine whether the appropriate type of data was entered (either
number or letter, not both; e.g. name or date)

› Validity Check- examines the field to ensure that the entry is valid compared with a
preexisting list of acceptable values (e.g. civil status)

› Limit Check- checks field input against a preestablished limit, but only an upper limit (e.g. maximum
number of hours; no negative values)

› Range Check- checks field input against preestablished upper and lower limits

› Reasonableness Check- compares the value in a field with the related fields to determine
whether the value is reasonable (e.g. pay rate vs. job category code)

› Completeness Check- assesses the critical fields in an input screen to make sure that a value is present in
those fields. It cannot ensure that the correct value was entered (e.g. SSS number)

› Sign Check- examines a field to determine that it has the appropriate sign (+ or -)

› Sequence Check- ensures that the batch of transactions is sorted in order but does not help find
missing transactions because it checks only sequence, not completeness

› Self-checking Digit- an extra digit added to a coded identification number, determined by a mathematical
algorithm

Note: Sequence and Self-checking are more appropriate for transactions that are processed in batches.
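The edit checks listed above, applied to one constructed payroll input record as an added example (not code from the original slides). The field names, the hours limit, the job-code pay ranges, the civil status list and the mod-10 (Luhn) rule used for the self-checking digit are all assumptions chosen for illustration.

```python
# Added example, not from the original slides: programmed edit checks on a constructed
# payroll record. Field names, limits, the job code table and the Luhn rule are assumptions.
MAX_HOURS = 80                                      # limit check: upper bound only
PAY_RANGE = {"C1": (100, 200), "C2": (200, 400)}    # job code -> reasonable pay rate range
VALID_STATUS = {"single", "married", "widowed"}     # validity check: preexisting list
REQUIRED = ("emp_id", "name", "hours", "pay_rate", "job_code", "civil_status")

def luhn_ok(digits: str) -> bool:
    """Self-checking digit: the id, including its last digit, must satisfy the mod-10 rule."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def edit_check(rec: dict) -> list:
    """Return the edit-check failures for one record (empty list = record accepted)."""
    # completeness check: critical fields must hold a value (not necessarily the right one)
    missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
    if missing:
        return ["completeness: missing " + ", ".join(missing)]
    errors = []
    # field checks: name must be letters only, emp_id must be digits only
    if not rec["name"].replace(" ", "").isalpha():
        errors.append("field: name must be alphabetic")
    if not rec["emp_id"].isdigit():
        errors.append("field: emp_id must be numeric")
    elif not luhn_ok(rec["emp_id"]):
        errors.append("self-check: emp_id check digit invalid")
    # validity check: value must appear in the preexisting list of acceptable values
    if rec["civil_status"] not in VALID_STATUS:
        errors.append("validity: civil_status not in list")
    # sign check, then limit check (upper limit only) on hours worked
    if rec["hours"] < 0:
        errors.append("sign: hours must not be negative")
    elif rec["hours"] > MAX_HOURS:
        errors.append(f"limit: hours exceed {MAX_HOURS}")
    # reasonableness check: pay rate is judged against the related job category code
    lo, hi = PAY_RANGE.get(rec["job_code"], (None, None))
    if lo is None:
        errors.append("validity: unknown job_code")
    elif not lo <= rec["pay_rate"] <= hi:
        errors.append("reasonableness: pay_rate outside range for job_code")
    return errors

def sequence_check(ids: list) -> bool:
    """Batch sequence check: ids must be ascending; gaps (missing items) are not detected."""
    return all(a < b for a, b in zip(ids, ids[1:]))
```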

Control Totals and Reconciliation

⦿ Control Totals- subtotals of selected fields for an entire batch of transactions. The totals are computed manually and
reconciled with the computer-generated totals.

› Record Counts- simple count of the number of records processed

› Batch Totals- totals of financial data such as total gross pay

› Hash Totals – totals of fields that have no apparent logical reason to be added (the total itself has no practical use)

Processing Controls

⦿ The application software itself must be free of errors

⦿ Some of the input controls also serve as processing controls: Control Totals, limit and range checks,
reasonableness check, sign check

⦿ Run-to-run control totals- reconciliation of control totals at various stages of the processing

⦿ Computer logs of transactions processed, production run logs, and error listings
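The control totals described under Control Totals and Reconciliation, and the run-to-run reconciliation listed above, shown together as an added example (not code from the original slides). The batch, its field names and the three processing stages are constructed for illustration; two of the stages are deliberately faulty to show which total catches which kind of error.

```python
# Added example, not from the original slides: control totals (record count, batch
# total, hash total) for a constructed payroll batch, reconciled run to run across
# processing stages. Field names and the stage functions are assumptions.

# Constructed batch; the manually prepared totals would be: 3 records,
# gross pay 3500.00, hash total of emp_id 1001 + 1002 + 1003 = 3006.
BATCH = [
    {"emp_id": 1001, "gross_pay": 1000.0},
    {"emp_id": 1002, "gross_pay": 1500.0},
    {"emp_id": 1003, "gross_pay": 1000.0},
]

def control_totals(batch: list) -> dict:
    """Record count, batch total (a financial field) and hash total (a non-financial field)."""
    return {
        "record_count": len(batch),
        "batch_total": round(sum(r["gross_pay"] for r in batch), 2),
        "hash_total": sum(r["emp_id"] for r in batch),   # meaningless as a number, useful as a control
    }

def reconcile(expected: dict, actual: dict) -> list:
    """Names of the totals that do not agree (empty list = the batch reconciles)."""
    return [k for k in expected if expected[k] != actual[k]]

def withholding_stage(batch: list) -> list:
    """Correct stage: derives net pay and leaves the controlled fields unchanged."""
    return [dict(r, net_pay=round(r["gross_pay"] * 0.8, 2)) for r in batch]

def dropping_stage(batch: list) -> list:
    """Faulty stage for the demo: silently loses the last record (a lost transaction)."""
    return batch[:-1]

def corrupting_stage(batch: list) -> list:
    """Faulty stage for the demo: transposes digits of one emp_id; only the hash total notices."""
    return [dict(r, emp_id=1020 if r["emp_id"] == 1002 else r["emp_id"]) for r in batch]

def run_to_run(batch: list, stages: list) -> dict:
    """Carry the input control totals through each stage; report the first stage that breaks them."""
    expected = control_totals(batch)
    for name, stage in stages:
        batch = stage(batch)
        mismatched = reconcile(expected, control_totals(batch))
        if mismatched:
            return {"failed_stage": name, "mismatched": mismatched}
    return {"failed_stage": None, "mismatched": []}
```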

Output Controls

⦿ Objectives: (1) ensure the accuracy and completeness of the output and (2) properly manage the safekeeping
of output reports to ensure that the security and confidentiality of the information is maintained.

⦿ Users can notice whether reports are complete and accurate. Any errors must be logged and corrected.

⦿ Output reports may contain confidential data that should not fall into the wrong hands; therefore, an organization
must maintain procedures to protect output from unauthorized access.

⦿ Guidelines as to how reports are stored and the length of time they are to be retained

⦿ Sensitive output should be shredded

⦿ Most outputs are stored in the computer, so authentication controls can help prevent, detect and
control access to them.

Ethical Issues

⦿ Misuse of confidential customer information stored in an IT system

⦿ Theft of data, such as credit card information, by hackers

⦿ Employee use of IT system hardware and software for personal use or personal gain

⦿ Using company email to send offensive, threatening, or sexually explicit material

GOD BLESS 😊
