13. Internal Controls and Security Measures Flashcards

1
Q

Control Procedures

A
  • Types of controls:
    1) Primary controls
    2) Secondary controls
    3) Time based classification
    4) Financial and operating controls
    5) People and system based controls
  • Primary Controls:
    1) Preventive control - deters the occurrence of unwanted events
    2) Detective control - alerts people after an unwanted event has occurred. Hash totals may detect data entry errors but may also be used to test for completeness
    3) Corrective control - corrects the effect of an unwanted event
    4) Directive control - causes or encourages the occurrence of a desirable event, such as encouraging internal auditors to hold the CIA
  • Secondary controls:
    1) Compensatory (mitigative controls) - reduce the risk when primary controls are ineffective. They DON’T reduce risk by THEMSELVES
    2) Complementary controls - work with other controls to reduce risk to an acceptable level
  • Time based controls:
    1) Feedback control - report information about completed activities. They permit improvement in future performance by learning from past mistakes
    2) Concurrent control - ongoing process (real time controls)
    3) Feedforward controls - anticipate and prevent problems; similar to directive controls
  • Financial and operational controls:
    1) Financial controls (accounting controls) ensure authorization, appropriate record keeping and safeguarding of assets
    2) Operational controls (administrative controls) - apply to production and support activities; based on management principles and methods
  • People and system controls:
    1) People controls - dependent on the intervention of humans and their judgments
    2) System controls - executed whenever needed without human intervention
  • Control activities are designed and operated to ensure that management directives are executed. If controls are not always in FORCE, they CAN'T operate effectively no matter how effective their design
  • How control procedures are being implemented:
    1) Segregation of duties
    2) Independent checks and verification
    3) Safeguarding of assets
    4) Prenumbered forms
    5) Specific document flow
  • Segregation of duties enhances system security; the functions to segregate: ARCR
    1) Authorization
    2) Record Keeping
    3) Custodian
    4) Reconciliation
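The ARCR rule is easiest to check mechanically: map each role to the function it grants, then look for one person holding two of them. The script below is an added illustration, not part of the flashcards or of any vendor product; the roles, users and the rule that every pair of ARCR functions is incompatible are assumptions made for the example.

```python
"""Segregation-of-duties (ARCR) conflict check over a role assignment.

Added illustration, not part of the flashcards or any vendor tool.
The roles, users and the conflict matrix are constructed for the example.
"""
from itertools import combinations

# The four functions that must be held by different people: ARCR.
FUNCTIONS = ("authorization", "record_keeping", "custody", "reconciliation")

# Assumption for this example: any two distinct ARCR functions held by
# one person are incompatible (the classic case is custody + record keeping).
CONFLICTS = {frozenset(pair) for pair in combinations(FUNCTIONS, 2)}

# Constructed role catalogue: role -> ARCR function(s) the role grants.
ROLE_FUNCTIONS = {
    "credit_approver": {"authorization"},     # approves sales before processing
    "ap_clerk": {"record_keeping"},           # records payables
    "treasurer": {"custody"},                 # custody of cash and securities
    "warehouse_keeper": {"custody"},          # custody of inventory
    "internal_auditor": {"reconciliation"},   # independent checks
}


def functions_for(roles):
    """Union of ARCR functions granted by a user's roles (unknown roles grant nothing)."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_violations(assignments):
    """Return {user: [(function_a, function_b), ...]} for every user whose
    combined roles give them two incompatible ARCR functions."""
    report = {}
    for user, roles in assignments.items():
        held = functions_for(roles)
        clashes = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)
        if clashes:
            report[user] = clashes
    return report


# Constructed sample assignment: bob both records payables and holds cash;
# dave keeps inventory and also records payables.
SAMPLE_ASSIGNMENTS = {
    "alice": ["credit_approver"],
    "bob": ["ap_clerk", "treasurer"],
    "carol": ["internal_auditor"],
    "dave": ["warehouse_keeper", "ap_clerk"],
}

if __name__ == "__main__":
    for user, clashes in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds incompatible functions {clashes}")
```

Running it reports bob and dave, both holding custody together with record keeping. A real deployment would run this over the identity provider's group membership and treat any hit either as a violation to remediate or as a documented exception backed by a compensating control (an independent review).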
  • Supporting documents for AP and treasury departments for payment:
    1) Purchase requisition (PR) - both
    2) Purchase order (PO) - both
    3) Receiving report - both
    4) Vendor invoice - both
    5) Payment voucher - issued by AP to authorize payment. After payment the treasurer stamps the above documents CANCELLED to avoid duplicate payment
  • A risk factor at the PURCHASING department is that purchases are made from parties related to the buyer or other company officials
  • Receiving department is custodian
  • Combining the timekeeping function with preparation of payroll entries is PROHIBITED; they must be segregated
  • Line supervisor SHOULDN’T have access to raw materials room
  • The sales department prepares the aging report and shares it with the credit department; the credit department writes off uncollectible accounts, and the treasurer then reviews and approves the write-off
  • Treasurer is custodian of cash
  • Credit department approves sales transactions before they are processed
  • The best way to strengthen IC over custody of inventory at off-site warehouses is regular reconciliation of the records with physical inventory counts
  • Independent checks and verification (reconciliation with the accounts) must be performed by personnel unconnected with the original transaction who DON'T have custody of the assets involved
  • Frequency of reconciliation depends on the NATURE, AMOUNT and COST of the items
  • Sometimes internal auditors perform the bank statement reconciliation
  • Safeguarding of assets limits access to assets to authorized personnel only
  • Securities held in a safe deposit box: 2 employees must always be present when the box is accessed. Requiring 2 employees to open the box reduces the risk that an employee pledges corporate investment securities for a short-term personal loan
  • An inherent control risk is that a security guard allows a warehouse employee to remove company assets without authorization
  • Prenumbered forms - sequentially numbered forms are the basis for a strong set of IC (gaps and duplicates in the sequence can be detected)
  • Job time ticket is used to record the actual work performed for a specific product
  • Production order is the document authorized to initiate the manufacturing of goods
  • Specific document flow consists of:
    1) Tracing (source document forward to the ledger) ensures that a transaction is properly RECORDED (completeness)
    2) Vouching (ledger back to the source document) ensures that a recorded transaction actually OCCURRED (existence)
  • Compensating control - the best control to ensure proper authorization of company investment transactions is a written policy requiring board review of major funding/repayment
  • The treasurer has custody of the stock certificates; the controller records the securities
2
Q

System Controls and Information Security

A
  • Three goals of information security: CIA
    1) Confidentiality - information is disclosed only to authorized parties (prevents unauthorized access)
    2) Integrity - information is changed only by authorized parties, in authorized ways (prevents unauthorized modification)
    3) Availability - authorized users can access the computer and data when needed
  • Threat to Information security:
    1) Input manipulation
    2) Program alteration - Deliberate change of the process
    3) Direct file alteration - Deliberate change of data
    4) Data theft
    5) Sabotage - Disruption of an organization system NOT for personal gain but simply for revenge
    6) Malware
    7) Viruses - CAN replicate themselves (by attaching to other programs) and destroy data
    8) Logic bombs - CAN'T replicate themselves; destroy data when a triggering condition is met
    9) Worms - replicate themselves across the network; typically DON'T destroy data but consume resources
    10) Trojan - a program that appears friendly and is voluntarily installed on the computer; its purpose is to take over the computer and retrieve sensitive data
    11) Back doors - a way to obtain access to a system while bypassing the usual password controls
    12) Spyware - spies on the user without his knowledge to collect data; a keylogger (recording keystrokes) is a type of spyware
    13) Ransomware - holds the computer or files hostage and demands a ransom payment
    14) Theft - of physical equipment
    15) Phishing - attempt to acquire sensitive information by pretending to be a TRUSTWORTHY entity
  • Steering committee consists of IT managers and end users
  • Steering committee function:
    1) Approve development budget
    2) Assign resources
    3) Review their progress
    4) Ensure that requests for new systems are aligned with entity objectives
  • A request to change an existing system should be initiated by the end user and authorized by management or the steering committee. All changes should be made in a TEST ENVIRONMENT and tested before being placed in the PRODUCTION (working) ENVIRONMENT. Adequate testing must include INVALID DATA to see how it is handled. Program code changes should be stored in a program library
  • Physical controls - limit physical access; ONLY operators should be allowed unmonitored access to the computer center. A biometric identification system would be MOST effective at limiting unauthorized access
  • Logical controls - Limit system access:
    1) Authentication - ensuring that the PERSON attempting to access the system is in fact who he claims to be, e.g. through ID and password
    2) Authorization - ensuring that, once in the system, the user can ACCESS ONLY THE PROGRAMS AND DATA he is permitted to use
  • Input Controls provide reasonable assurance that data is Authorized, Accurate and Complete - Online or Batch
  • Online input controls:
    1) Preformatting
    2) Edit checks - validation of a transaction PRIOR to updating the master file; may act as preventive, detective and corrective controls
    3) Limit (reasonableness) checks
    4) Check digits - a digit computed by an algorithm from the other digits of a number. A simple unweighted (digit-sum) check digit WON'T detect transposition errors; weighted schemes such as Luhn (mod 10) catch every single-digit error and almost all adjacent transpositions
  • Preformatting is the display of a document with blanks for the data items to be entered by the terminal operator. Prompting is an online data entry technique that can be employed when inexperienced personnel enter data
  • A self checking digit is a control designed to catch errors at data entry level
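What a check digit does and does not catch is easiest to see by computing one. The code below is an added illustration, not from the flashcards: it puts a naive digit-sum check digit next to the weighted Luhn scheme and feeds both a keyed-in transposition. The account numbers are constructed (the 7992739871 payload is the common Luhn worked example).

```python
"""Check digits as a data-entry control: a simple digit-sum check digit
compared with the weighted Luhn (mod 10) scheme.

Added illustration, not from the flashcards. The account numbers used
below are constructed (79927398713 is the common Luhn test vector).
"""


def luhn_check_digit(payload: str) -> str:
    """Luhn: from the right, double every second digit (subtracting 9 if > 9),
    sum everything and pick the digit that makes the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit gets doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and number[-1] == luhn_check_digit(number[:-1])


def plain_sum_check_digit(payload: str) -> str:
    """Naive unweighted check digit: sum of digits mod 10.
    Every digit has the same weight, so swapping two digits is invisible."""
    return str(sum(int(c) for c in payload) % 10)


def plain_sum_valid(number: str) -> bool:
    return number.isdigit() and number[-1] == plain_sum_check_digit(number[:-1])


def swap_adjacent(number: str, i: int) -> str:
    """Simulate a transposition keying error: swap digits i and i+1."""
    s = list(number)
    s[i], s[i + 1] = s[i + 1], s[i]
    return "".join(s)


if __name__ == "__main__":
    good = "7992739871"
    luhn_no = good + luhn_check_digit(good)          # 79927398713
    plain_no = good + plain_sum_check_digit(good)    # 79927398712
    print("Luhn :", luhn_no, luhn_valid(luhn_no), luhn_valid(swap_adjacent(luhn_no, 0)))
    print("Plain:", plain_no, plain_sum_valid(plain_no), plain_sum_valid(swap_adjacent(plain_no, 0)))
```

The plain digit sum accepts the transposed number because addition is commutative; Luhn rejects it because the two swapped digits now fall in different weight positions. Luhn's one blind spot is the adjacent pair 09/90, which sums to 9 either way, so a check digit is a data-entry control, not a substitute for validation against the master file.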
  • Batch input controls:
    1) Management release
    2) Record count
    3) Financial totals
    4) Hash totals - the sum of a field that has no business meaning by itself (e.g. account or employee numbers); ensures that input records were not lost or manipulated during processing
  • Processing control provides reasonable assurance that all data submitted for processing is processed and only approved data has been processed:
    1) Validation - Determine existence
    2) Completeness - any record with missing data is rejected
    3) Arithmetic controls - cross footing and Zero balance
    4) Sequence check - tests for ordering NOT omission of records, used with BATCH inputs
    5) Run to run controls - check after EACH stage that all transactions have been processed
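The three batch totals and the run-to-run check are the same computation applied at different points, so one small script shows all of them. The code below is an added illustration, not from the flashcards; the payroll batch, the header totals keyed "by the data control group" and the corrupted variants are all constructed for the example.

```python
"""Batch input controls (record count, financial total, hash total) and
run-to-run totals between processing stages.

Added illustration, not from the flashcards. The payroll batch, the control
totals "prepared by the data control group" and the corrupted variants are
all constructed for this example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PayRecord:
    employee_id: int   # hash-total field: its sum has no business meaning
    amount: float      # financial-total field: its sum is a real figure


def batch_totals(records):
    """The three totals a batch header would carry."""
    return {
        "record_count": len(records),
        "financial_total": round(sum(r.amount for r in records), 2),
        "hash_total": sum(r.employee_id for r in records),
    }


def verify_batch(expected, records):
    """Compare header totals with recomputed totals; return only the mismatches."""
    actual = batch_totals(records)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def run_to_run(stages):
    """stages: [(stage_name, records_after_stage), ...]. Flag any stage whose
    totals differ from the previous stage's (records lost, added or altered)."""
    problems = []
    prev_name, prev_totals = None, None
    for name, recs in stages:
        totals = batch_totals(recs)
        if prev_totals is not None and totals != prev_totals:
            problems.append((prev_name, name, prev_totals, totals))
        prev_name, prev_totals = name, totals
    return problems


# Constructed batch and its header totals as keyed by the data control group.
GOOD_BATCH = [PayRecord(1003, 1200.50), PayRecord(1007, 1000.00), PayRecord(1012, 1249.50)]
HEADER = {"record_count": 3, "financial_total": 3450.00, "hash_total": 3022}

# Constructed corruptions: a mis-keyed employee id (same amount), a changed
# amount, and a record lost between stages.
ID_MISKEYED = [replace(GOOD_BATCH[0], employee_id=1030)] + GOOD_BATCH[1:]
AMOUNT_CHANGED = GOOD_BATCH[:2] + [replace(GOOD_BATCH[2], amount=1294.50)]
RECORD_DROPPED = GOOD_BATCH[:2]

if __name__ == "__main__":
    print("clean:", verify_batch(HEADER, GOOD_BATCH))
    print("id miskeyed:", verify_batch(HEADER, ID_MISKEYED))
    print("amount changed:", verify_batch(HEADER, AMOUNT_CHANGED))
    print("run-to-run:", run_to_run([("input", GOOD_BATCH),
                                     ("edited", GOOD_BATCH),
                                     ("posted", RECORD_DROPPED)]))
```

Each total catches a different class of error: the mis-keyed employee number leaves the record count and money unchanged and is only visible in the hash total; the altered amount only moves the financial total; the dropped record moves all three between the "edited" and "posted" stages. A sum is not a fingerprint, though: two compensating errors (or an id swapped between two records) leave the totals intact, which is why these controls are paired with edit checks on each record.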
  • Output controls provide reasonable assurance that processing was complete and accurate. The data control group should be responsible for handling the errors detected during the processing of data:
    1) Audit trail
    2) Error listing report
  • Computer operation in information system is concerned with day to day processing and distribution of data
  • Computer assisted audit techniques (CAATs): may be SYSTEM based or TRANSACTION based
    1) Auditing around the computer - NOT appropriate when systems are sophisticated. The auditor MANUALLY reprocesses a SMALL number of transactions; the computer is treated as a black box and only inputs and outputs are evaluated
    2) Auditing through the computer - uses the computer to TEST the PROCESSING
    3) Test data - client program, auditor data (dummy transactions, including invalid ones, to see how the program handles them)
    4) Parallel simulation - auditor program, client data. The auditor must have considerable technical knowledge
    5) Generalized audit software (GAS) - auditor program, client data; a major aid in retrieving information from computerized files. Examples: ACL, IDEA. The auditor can search for duplicated records, gaps in numerically sequenced records, unusually high monetary amounts
    6) Spreadsheet analysis - easy analysis of a large volume of client data
    7) Integrated test facility (ITF) - the auditor creates a fictitious entity (e.g. a dummy department) on the client's LIVE system and runs dummy transactions through it to determine whether the real-time program contains adequate controls. Considered a CONCURRENT audit technique
    8) Embedded audit module - an integral part of an application system that permits continuous monitoring of an online real-time system
  • Concurrent audit techniques MUST be built INTO the CLIENT's system
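The GAS tests named above (duplicates, sequence gaps, high amounts) and the sequence check from the processing controls are each a few lines once the file is loaded. The script below is an added illustration, not from the flashcards and not ACL or IDEA script; the invoice file is constructed so that every test fires on something.

```python
"""GAS-style audit tests over a constructed file of prenumbered vendor invoices:
duplicate records, gaps in the numeric sequence, out-of-sequence records and
unusually high amounts.

Added illustration, not from the flashcards and not ACL/IDEA script; the CSV
below is constructed.
"""
import csv
import io
from collections import Counter

SAMPLE_CSV = """invoice_no,vendor,amount
1001,Acme,250.00
1002,Acme,75.40
1004,Globex,9800.00
1004,Globex,9800.00
1006,Initech,120.00
"""


def load_invoices(text):
    rows = csv.DictReader(io.StringIO(text))
    return [{"invoice_no": int(r["invoice_no"]), "vendor": r["vendor"],
             "amount": float(r["amount"])} for r in rows]


def duplicate_keys(rows, key=("invoice_no",)):
    """Keys that appear more than once (possible duplicate payment)."""
    counts = Counter(tuple(r[k] for k in key) for r in rows)
    return sorted(k for k, n in counts.items() if n > 1)


def sequence_gaps(rows, field="invoice_no"):
    """Numbers missing between the lowest and highest present (omission test)."""
    present = {r[field] for r in rows}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def out_of_sequence(rows, field="invoice_no"):
    """Positions where a number is lower than its predecessor. This is the
    ordering-only sequence check from the card: it does not report gaps."""
    return [i for i in range(1, len(rows)) if rows[i][field] < rows[i - 1][field]]


def high_amounts(rows, threshold):
    """Records above a monetary threshold chosen by the auditor."""
    return [r for r in rows if r["amount"] > threshold]


if __name__ == "__main__":
    inv = load_invoices(SAMPLE_CSV)
    print("duplicates:", duplicate_keys(inv))
    print("gaps:", sequence_gaps(inv))
    print("out of sequence:", out_of_sequence(inv), "reversed file:", out_of_sequence(inv[::-1]))
    print("over 5000:", [r["invoice_no"] for r in high_amounts(inv, 5000)])
```

On the sample file the duplicate test flags invoice 1004 twice (the pattern a cancelled-stamp control exists to prevent), the gap test reports 1003 and 1005 as missing, and the ordering test passes on the file as stored but fails on the reversed copy, which is the distinction between a sequence check and a completeness check.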
  • Computer security plan should be developed to safeguard physical facilities, hardware and integrity of data
  • Storage controls:
    1) Dual write routines - data is stored at 2 separate physical locations
    2) Validity (parity) check - hardware that transmits or receives data compares the bits in each byte against a parity bit to detect transmission errors
    3) Physical controls
  • Cloud computing is standardized IT capability delivered via the internet. Advantages: lower infrastructure investment, lower maintenance costs, increased mobility and lower personnel costs. Disadvantages: less control than over an internal IT department, more difficulty ensuring security and privacy of data, less compatibility with existing tools and software
3
Q

Security Measures and Business Continuity Plan

A
  • Inherent risk of the internet: confidential information can be intercepted
    1) Password attacks - a brute-force attack uses password-cracking software to try a large number of letter and number combinations until one grants access
    2) Man in the middle - takes advantage of sniffing and routing. The attack may be used to steal data, obtain access to the network, analyze traffic on the network and insert new data or modify existing data. Encryption (with authentication of the other end) is the effective response
    3) Denial of service (DoS) attack - an attempt to overload an organization's network with so many messages that it CAN'T function. A distributed DoS (DDoS) comes from MULTIPLE SOURCES, using the computers of innocent parties infected by a Trojan
  • Spoofing is IDENTITY misrepresentation in CYBERSPACE, e.g. using a false website to obtain visitor information
  • Sniffing is the use of software to eavesdrop on information sent by a user to the host computer of a website
  • If a program takes longer than usual to load or execute, that may indicate an infection and an antivirus scan should be run
  • Data encryption uses hardware or software to convert data into code using:
    1) Public key (ASYMMETRIC) - considered MORE secure because it requires 2 KEYS: the PUBLIC key for ENCRYPTION is widely known, the PRIVATE key for DECRYPTION is kept SECRET, and neither party knows the other's private key, so no secret has to be transmitted. The most common public key algorithm is RSA
    2) Private key (SYMMETRIC) - considered LESS secure because it requires only 1 KEY, which both parties must share and keep secret (the key distribution problem)
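The two-key versus one-key distinction is concrete once you watch the keys being used. The code below is an added illustration, not from the flashcards: textbook RSA on tiny primes beside a one-key XOR cipher. The primes are constructed and the RSA is unpadded with 12-bit keys, which shows the key relationship and nothing more; real systems use a vetted library with proper key sizes and padding.

```python
"""Asymmetric (public/private) vs symmetric (single shared) keys, shown with
textbook RSA on tiny primes next to a one-key XOR cipher.

Added illustration, not from the flashcards. The primes are constructed and the
RSA here is unpadded textbook RSA with 12-bit keys: fine for showing the key
relationship, useless for real security.
"""
from math import gcd


def rsa_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) = ((e, n), (d, n)) for primes p, q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+); d is never shared
    return (e, n), (d, n)


def rsa_encrypt(public, m: int) -> int:
    """Anyone holding the public key can do this."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private, c: int) -> int:
    """Only the private-key holder can do this."""
    d, n = private
    return pow(c, d, n)


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Symmetric: the very same key encrypts and decrypts, so the two parties
    must first share it secretly (the key-distribution problem)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    pub, priv = rsa_keypair(61, 53)     # the usual small-prime teaching pair
    c = rsa_encrypt(pub, 65)
    print("public", pub, "private", priv, "ciphertext", c, "decrypted", rsa_decrypt(priv, c))
    ct = xor_cipher(b"k1", b"hi")
    print("xor roundtrip", xor_cipher(b"k1", ct), "wrong key", xor_cipher(b"k2", ct))
```

With p = 61 and q = 53 the public key is (17, 3233) and the private key (2753, 3233); 65 encrypts to 2790 and decrypts back to 65. The sender only ever needed the public pair, which is the property the card is pointing at. The XOR cipher shows the symmetric case: the same bytes decrypt, and a different key produces garbage, so the key itself is the secret that has to travel.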
  • Firewall - a combination of hardware and software that separates the internal network from external networks and provides protection against unauthenticated logins from outside users
  • Proxy server - a firewall system that limits access to a computer by routing users to replicated websites
  • Flowchart - a symbolic representation of the flow of documents and procedures (not a proxy server)
  • Routine backup and offsite rotation:
    1) The offsite location must be humidity and temperature controlled. Storing all backup generations in a single location would MOST COMPROMISE the grandfather-father-son rotation
    2) Typical backup - duplication of ALL data and application programs (e.g. once a month); incremental backups of the changes may be used in between
  • Disaster recovery plan is the process of RESUMING normal information processing AFTER the occurrence of MAJOR interruption
  • Business continuity plan is the continuation of business DURING the period in which computer processing is UNAVAILABLE or LESS than NORMAL
  • The operating system should be restored first AFTER a disaster
  • A disaster recovery team should be appointed
  • Data conversion operators are NOT an important aspect of a disaster recovery plan
  • Types of disaster centers:
    1) Hot site - Full operational processing, available within FEW HOURS
    2) Warm site - facility with LIMITED HARDWARE, available within FEW DAYS
    3) Cold site - facility lacking most infrastructure, available within FEW WEEKS. MOST LIKELY USED