Documente Academic
Documente Profesional
Documente Cultură
HAPTER 8
Information Systems Controls for System Reliability Part 2: Confidentiality, Privacy, Processing Integrity, and Availability
Romney/Steinbart
1 of 136
INTRODUCTION
Questions to be addressed in this chapter include:
What controls are used to protect the confidentiality of sensitive information? What controls are designed to protect privacy of customers personal information? What controls ensure processing integrity? How are information systems changes controlled to ensure that the new system satisfies all five principles of systems reliability?
Romney/Steinbart
2 of 136
INTRODUCTION
SYSTEMS RELIABILITY PROCESSING INTEGRITY
CONFIDENTIALITY
SECURITY
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 3 of 136
AVAILABILITY
PRIVACY
PROCESSING INTEGRITY
Three categories/groups of integrity controls are designed to meet the preceding objectives:
Input controls Processing controls Output controls
Romney/Steinbart
4 of 136
PROCESSING INTEGRITY
Input Controls
If the data entered into a system is inaccurate or incomplete, the output will be, too. (Garbage in garbage out.) Companies must establish control procedures to ensure that all source documents are authorized, accurate, complete, properly accounted for, and entered into the system or sent to their intended destination in a timely manner.
Romney/Steinbart
5 of 136
PROCESSING INTEGRITY
The following input controls (source data controls) regulate integrity of input:
Forms design
Source documents and other forms should be designed to help ensure that errors and omissions are minimized e.g. using prenumbered forms.
Romney/Steinbart
6 of 136
PROCESSING INTEGRITY
The following input controls regulate integrity of input:
Forms design Cancellation and storage of documents
Documents that have been entered should be canceled Paper documents are stamped paid or otherwise defaced A flag field is set on electronic documents. Canceling documents does not mean destroying documents. They should be retained as long as needed to satisfy legal and regulatory requirements.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 7 of 136
PROCESSING INTEGRITY
The following input controls regulate integrity of input:
Forms design Cancellation and storage of documents Authorization and segregation of duties
Source documents should be prepared only by authorized personnel acting within their authority. Employees who authorize documents should not be assigned incompatible functions.
Romney/Steinbart
8 of 136
PROCESSING INTEGRITY
The following input controls regulate integrity of input:
Forms design Cancellation and storage of documents Authorization and segregation of duties Visual scanning
Romney/Steinbart
9 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input (data entry controls) include:
Field check Determines if the characters in a field are of the proper type. Example: The characters in a social security field should all be numeric.
Romney/Steinbart
10 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input include:
Field check Sign check Determines if the data in a field have the appropriate arithmetic sign. Example: The number of hours a student is enrolled in during a semester could not be a negative number.
Romney/Steinbart
11 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input include:
Field check Sign check Limit check Tests whether an amount exceeds a predetermined value. Example: A university might use a limit check to make sure that the hours a student is enrolled in do not exceed 21.
Romney/Steinbart
12 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input include:
Field check Sign check Limit check Range check Similar to a field check, but it checks both ends of a range. Example: Perhaps a wage rate is checked to ensure that it does not exceed $15 and is not lower than the minimum wage rate.
Romney/Steinbart
13 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input include:
Field check Sign check Limit check Range check Size (or capacity) check Ensures that the data will fit into the assigned field. Example: A social security number of 10 digits would not fit in the 9-digit social security field.
Romney/Steinbart
14 of 136
PROCESSING INTEGRITY
Common tests to validate input include:
Field check Sign check Limit check Range check Size (or capacity) check Completeness check
Determines if all required items have been entered. Example: Has the students billing address been entered along with enrollment details?
Romney/Steinbart
15 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input include:
Field check Sign check Limit check Range check Size (or capacity) check Completeness check Validity check
Compares the value entered to a file of acceptable values. Example: Does the state code entered for an address match one of the 50 valid state codes? 2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 16 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are needed to ensure that its entered correctly. Common tests to validate input include:
Field check Sign check Limit check Range check Determines whether a logical relationship seems to Size (or be capacity) check correct. Completeness check Example: A freshman with annual financial aid of $60,000 is probably not reasonable. Validity check Reasonableness test
Romney/Steinbart
17 of 136
PROCESSING INTEGRITY
Once data is collected, data entry control procedures are An additional digit called a check digit can be needed toappended ensure that its entered correctly. Common to account numbers, policy numbers, ID tests to validate input numbers, etc.include:
Field check Data entry devices then perform check digit Sign check verification by using the original digits in the number to recalculate the check digit. Limit check check If the recalculated check digit does not match the Range recorded Size (or digit capacity) checkon the source document, that result suggests that an error was made in recording or Completeness check entering the number. Validity check Reasonableness test Check digit verification
Romney/Steinbart
18 of 136
PROCESSING INTEGRITY
Additional Batch Processing Data Entry Controls
In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated.
Sequence check
Tests whether the data is in the proper numerical or alphabetical sequence.
Romney/Steinbart
19 of 136
errors (when they occurred, cause, when they were corrected and resubmitted). Additional Batch Processing Data Entry Errors should be investigated, corrected, and resubmitted on a timely basis (usually with the next batch) and subjected to the same input validation In addition to the preceding controls, when routines. batch The log processing, should be reviewed ensure using the periodically following to data that all errors have been corrected and then used to entry controls should be incorporated. prepare an error report, summarizing errors by record Sequence check type, error type, cause, and disposition.
Controls
Error log
Romney/Steinbart
20 of 136
Commonly used batch totals include: Financial totalssums of fields that contain dollar Additional Batch Processing Data Entry values, such as total sales. Hash totalssums of nonfinancial fields, such as the sum of all social security numbers of In addition to the preceding employees being paid. controls, when using batch processing, the following data Record countcount of the number of records in a batch. entry controls should be incorporated. These batch totals are calculated and recorded when Sequence check data is entered and used later to verify that all input Errorwas log processed correctly.
Controls
Batch totals
Romney/Steinbart
21 of 136
PROCESSING INTEGRITY
Additional online data entry controls
Online processing data entry controls include:
Automatic entry of data
Whenever possible, the system should automatically enter transaction data, such as next available document number or new ID number. Saves keying time and reduces errors.
Romney/Steinbart
22 of 136
PROCESSING INTEGRITY
Additional online data entry controls
Online processing data entry controls include:
Automatic entry of data Prompting
System requests each input item and waits for an acceptable response.
Romney/Steinbart
23 of 136
PROCESSING INTEGRITY
Additional online data entry controls
Online processing data entry controls include:
Automatic entry of data Prompting Pre-formatting
Fields that need to be completed are highlighted.
Romney/Steinbart
24 of 136
PROCESSING INTEGRITY
Additional online data entry controls
Online processing data entry controls include:
Automatic entry of data Prompting Pre-formatting Closed-loop verification
Checks accuracy of input data by retrieving related information. Example: When a customers account number is entered, the associated customers name is displayed on the screen so the user can verify that entries are being made for the correct account.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 25 of 136
Maintains a detailed record of all transaction data, including: A unique transaction identifier Date and time of entry Terminal from which entry iscontrols made Additional online data entry Transmission line Online processing data entry controls include: Operator identification Automatic entry of in data Sequence which transaction is entered The log can be used to reconstruct a file that is Prompting damaged or can be used to ensure transactions are Pre-formatting not lost or entered twice if a malfunction shuts down the system. Closed-loop verification
PROCESSING INTEGRITY
Transaction logs
Romney/Steinbart
26 of 136
AVAILABILITY
SYSTEMS RELIABILITY PROCESSING INTEGRITY
CONFIDENTIALITY
AVAILABILITY
Reliable systems are available for use whenever needed. Threats to system availability originate from many sources, including:
Hardware and software failures Natural and man-made disasters Human error Worms and viruses Denial-of-service attacks and other sabotage
SECURITY
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 27 of 136
PRIVACY
AVAILABILITY
Minimizing Risk of System Downtime
Loss of system availability can cause significant financial losses, especially if the system affected is essential to e-commerce. Organizations can take a variety of steps to minimize the risk of system downtime.
E.g. Uninterruptible power supply (UPS) E.g. Location and design of rooms housing critical servers and databases. E.g. Adequate air conditioning, fire detection devices, etc.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 28 of 136
AVAILABILITY
Key components of effective disaster recovery and business continuity plans include:
Data backup procedures Provisions for access to replacement infrastructure (equipment, facilities, phone lines, etc.) Thorough documentation Periodic testing
Romney/Steinbart
29 of 136
AVAILABILITY
Data Backup Procedures
Data need to be backed up regularly and frequently. A backup is an exact copy of the most current version of a database. It is intended for use in the event of a hardware or software failure. The process of installing the backup copy for use is called restoration.
Romney/Steinbart
30 of 136
AVAILABILITY
Several different backup procedures exist.
A full backup is an exact copy of the data recorded on another physical media (tape, magnetic disk, CD, DVD, etc.) Restoration involves bringing the backup copy online. Full backups are time consuming, so most organizations:
Do full backups weekly Supplement with daily partial backups.
Romney/Steinbart
31 of 136
AVAILABILITY
Two types of partial backups are possible:
Incremental backup
Involves copying only the data items that have changed since the last backup. Produces a set of incremental backup files, each containing the results of one days transactions. Restoration: First load the last full backup. Then install each subsequent incremental backup in the proper sequence.
Romney/Steinbart
32 of 136
AVAILABILITY
Two types of partial backups are possible:
Incremental backup Differential backup
All changes made since the last full backup are copied. Each new differential backup file contains the cumulative effects of all activity since the last full backup. Will normally take longer to do the backup than when incremental backup is used. Restoration: First load the last full backup. Then install the most recent differential backup file.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 33 of 136
AVAILABILITY
Organizations have three basic options for replacing computer and networking equipment.
Reciprocal agreements
The least expensive approach. The organization enters into an agreement with another organization that uses similar equipment to have temporary access to and use of their information system resources in the event of a disaster. Effective solutions for disasters of limited duration and magnitude, especially for small organizations. Not optimal in major disasters as: The host organization may also be affected. The host also needs the resources.
Romney/Steinbart 34 of 136
AVAILABILITY
Organizations have three basic options for replacing computer and networking equipment.
Reciprocal agreements Cold sites
An empty building is purchased or leased and pre-wired for necessary telephone and Internet access. Contracts are created with vendors to provide all necessary computer and office equipment within a specified period of time. Still leaves the organization without use of the IS for a period of time.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 35 of 136
AVAILABILITY
Most expensive solution but used by organizations like financial institutions and airlines which cannot survive any appreciable time without there IS. The hot site is a facility that is pre-wired for phone and Internet (like the cold site) but also contains the essential computing and office equipment. It is a backup infrastructure designed to provide fault tolerance in event Cold sites the of a major disaster.
Organizations have three basic options for replacing computer and networking equipment.
Reciprocal agreements
Hot sites
Romney/Steinbart
36 of 136
Romney/Steinbart
37 of 136
SUMMARY
In this chapter, youve learned about the controls used to protect the confidentiality of sensitive information and the controls used to protect the privacy of customer information. Youve also learned about controls that help ensure processing integrity. Finally, youve learned about controls to ensure that the system is available when needed.
2008 Prentice Hall Business Publishing Accounting Information Systems, 11/e Romney/Steinbart 38 of 136