Chapter 4: Internal Controls Flashcards
What does security mean? (1)
The establishment and application of safeguards to protect data, software and computer hardware from accidental or malicious modification, destruction or disclosure.
What are the basic concerns of the computerised system that security should maintain? (3)
- The availability of the computerised service.
- The integrity of the data that it processes and stores.
- The confidentiality of the data before, during and after processing.
What is the information system’s security based on? (3)
- Physical= equipment can be impaired when subjected to events eg fire, flooding, improper environmental conditions etc.
- People= as a threat.
- Data= that might get lost or damaged.
What functions should all security measures perform? (5)
- The avoidance or prevention of loss.
- The deterrence of as many threats as possible.
- Easy recovery after any loss.
- Identification of the cause of any losses after the event.
- The correction of vulnerable areas to reduce the risk of repeated losses.
What are general controls? (1)
General controls relate to the environment within which computer based systems are developed, maintained and operated.
What are some examples of general controls? (8)
- Personnel recruitment policies= to ensure honesty and competence.
- Segregation of duties= between different types of jobs to minimise data tampering.
- Training programmes= for new staff and new systems.
- Authorisation= procedures for program amendments and testing.
- Backup procedures= maintaining copies of files and back ups off site.
- Access controls= eg anti virus, firewalls.
- Transmission measures= to ensure data isn’t hacked when being transferred.
- Controls to ensure computing resources are used efficiently.
What are the main issues that affect security? (3)
- The nature of the personal data and the possible harm if it were accessed, altered, disclosed, lost or destroyed.
- The place where personal data is stored.
- The reliability of staff that have access to the data.
What are the main data security measures? (3)
- Physical security.
- Software security eg failed access logs.
- Operational security eg work taken home by employees.
According to the data protection act, data must be: (3)
- Accurate and up to date.
- Kept for no longer than necessary.
- Handled in a way that ensures security, including protection against unlawful processing, access, loss, destruction or damage.
What physical controls are used to protect computer systems? (4)
- Fire systems and procedures eg fire alarms, smoke detectors.
- Location of hardware= away from the risk eg not having computers near areas prone to flooding.
- Building maintenance= attention to roofs, windows and doors to reduce the risk of flooding or break ins.
- Physical controls= eg security, CCTV.
What individual staff controls are used to protect the computer systems? (5)
- Physical controls.
- Logical access systems= if physical controls fail eg methods to ID the user.
- Personal ID= eg a PIN or password that is kept secret and frequently changed.
- Usage logs= the system should automatically record login and log off times.
- Secure storage= backups should be kept in a safe or in an off site area.
What errors might occur during the operation of a system? (4)
- Data capture/ classification errors.
- Transcription errors= occurring when data is input eg typed incorrectly.
- Data communication faults= if the system operates over a wide network then data sent from the originating terminal may be corrupted during transmission.
- Data processing errors= because of programming errors, system design or data corruption.
What are data capture/ classification errors and what do they include?
These occur before data is ready for input into the system eg:
- Incorrect data classification= allocating a production cost as an admin cost.
- Measuring mistake= recording the incorrect quantity of goods received.
- Incorrect spelling or transposition error= recording £50.60 as £50.06.
The purpose of the controls is to ensure that: (4)
- The data being processed is complete.
- The data being processed is authorised.
- The results are accurate.
- A complete audit trail of activity is available.
What stages should have controls? (3)
- Input.
- File processing.
- Output.
What is included in the input stage? (6)
- Data collection and preparation.
- Data authorisation.
- Data conversion.
- Data transmission.
- Data correction.
- Corrected data re-input.
What is included in the file processing stage? (3)
- Data validation and editing.
- Data manipulation, sorting and merging.
- Master file updates.
What is included in the output stage? (2)
- Output control and reconciliation with predetermined data.
- Information distribution.
What does data integrity mean? (1)
Completeness and accuracy of data maintained using controls over data input, file processing and output.
What should data controls ensure? (4)
- That data is collected accurately and in full.
- Data is generated at appropriate times.
- Data is accurate and kept up to date.
- Data is processed properly and accurately to provide useful and meaningful output.