AIS-CHAPTER-4

Chapter 4 discusses the importance of internal controls and risk management in IT systems, particularly focusing on accounting information systems. It outlines various types of controls, including general and application controls, and emphasizes the need for user authentication, protection against hacking, and organizational governance. The chapter also highlights risks associated with unauthorized access, environmental factors, and the significance of business continuity planning to ensure operational resilience.

Uploaded by Hamdan Balang

CHAPTER 4: Internal Controls and Risks in IT Systems

Overview of Internal Controls for IT Systems


 One of the critical functions within IT systems is the accounting information system.
 IT systems are critical for most businesses, especially when it comes to accounting.
Accounting Information System – collects, processes, stores, and reports accounting information.
Importance of Protecting IT systems
 IT systems can fail or be attacked, which stops work and causes serious problems.
 As an analogy, when you park your car in a public garage, you give some thought to
whether it is susceptible to theft or vandalism and take some precautions such as locking
the door or turning on a car alarm.
The Matching of Controls to Risks
 The description of the general and application controls that should exist in IT systems.
 The type and nature of risks in IT systems.
 The recognition of how these controls can be used to reduce the risks in IT systems.
Types of IT Control
1. General Controls – apply overall to the IT accounting system; they are not restricted to
any accounting application.
2. Application controls – are used specifically in accounting applications to control inputs,
processing, and outputs. Application controls are intended to ensure that inputs and
processing are accurate and complete and that outputs are properly distributed,
controlled, and disposed.
Validity Check – a programmed input check called a validity check can examine the date and alert the user to an invalid entry.
GENERAL CONTROLS FOR IT SYSTEMS
The general controls described in this section are divided into five broad categories:
 Authentication of users and limiting unauthorized access
 Hacking and other network break-ins
 Organizational structure
 Physical environment and physical security of the system
 Business Continuity

 AUTHENTICATION OF USERS AND LIMITING UNAUTHORIZED ACCESS

Authentication of users - is a process or procedure in an IT system to ensure that the person accessing the IT system is a valid and authorized user.
Unauthorized users - attempts by unauthorized users to access IT systems are a prevalent, difficult, and ongoing problem that organizations must try to control. They may be hackers or other people outside the organization, or users within the company trying to gain access to data they are not entitled to.
Log-in - means to make the computer recognize you in order to create a connection at the beginning of a computer session.
Password - is a secret set of characters that identifies the user as the authentic owner of the associated user ID.
Security token - a newer technology used to authenticate users.
Two-factor authentication - the use of two separate means of authentication, such as a password together with a security token.
Biometric devices- use some unique physical characteristic of the user to identify the user and
allow the appropriate level of access to that user.
Computer log- is a complete record of all dates, times, and uses for each user.
Nonrepudiation- means that a user cannot deny any particular act that he or she did on the IT
system.
Authority table- contains a list of valid, authorized users and the access level granted to each
one.
Configuration tables- for hardware, software, and application programs that contain the
appropriate set-up and security settings.

 HACKING AND OTHER NETWORK BREAK-INS

Firewall Protection - A firewall blocks unauthorized access to a network by examining and filtering data that flows between internal networks and the Internet.

Encryption - Converts sensitive data into unreadable formats (cipher text) and requires a key to
decrypt it, protecting data from unauthorized access.

Types of Encryption:

 Symmetric encryption: Uses one key for both encrypting and decrypting data.
 Public key encryption: Public key encrypts data, while the private key decrypts it.
Encryption Strength: Stronger encryption keys (such as 256-bit keys) make it harder for hackers to break the code.
Wireless Network Security:
 WEP: Older encryption, vulnerable to attacks.
 WPA: Improved security for wireless networks through stronger encryption and user
authentication.
 SSID: A unique network password to prevent unauthorized access.
Virtual Private Networks (VPNs) - VPNs provide secure, encrypted communication tunnels
over public networks, enabling remote access to internal systems.

Secure Sockets Layer (SSL) - SSL encrypts data transferred via websites, especially during transactions, and can be recognized by the “https://” in web addresses.

Malware Protection:
 Viruses: Malicious programs that attach to files and cause damage.
 Worms: Self-replicating programs that overwhelm system memory.
 Antivirus Software: Detects and neutralizes viruses and worms.
Proactive Security Measures:

 Vulnerability Assessment: Proactively scans the system for security weaknesses.
 Intrusion Detection: Monitors network activity for signs of hacking.
 Penetration Testing: Simulates attacks to identify exploitable vulnerabilities.

 ORGANIZATIONAL STRUCTURE
Organizations with extensive IT systems should govern the overall development and operation
of IT systems through the use of an IT governance committee, usually made up of top
executives.

- Its function is to govern the overall development and operation of IT systems.

- The committee, which would include officers such as the chief executive officer (CEO), chief
financial officer (CFO), chief information officer (CIO), and the heads of business units such
as the vice president of marketing, has several important responsibilities, including the
following:

1. Align IT investments to business strategy.
2. Budget funds and personnel for the most effective use of the IT systems.
3. Oversee and prioritize changes to IT systems.
4. Develop, monitor, and review all IT operational policies.
5. Develop, monitor, and review security policies.
WHY IS IT IMPORTANT TO UNDERSTAND THE IT GOVERNANCE COMMITTEE?

- The IT governance committee consists of top management; its role is to develop policies and to delegate duties such that those policies are properly implemented.
- It is important that the IT governance committee ensure that the organization maintains hiring and promotion procedures which screen candidates and verify the background and references of applicants.
- The IT governance committee should also see that the organization maintains written job descriptions and requirements for IT positions.
THE DIVISION OF DUTIES AND THE POLICIES OF THE ORGANIZATION

The functional responsibilities within an IT system must include proper segregation of duties.

In an IT system, the duties to be segregated are those of systems analysts, programmers, operators, and database administrators.

 Systems analysts analyze and design IT systems, while
 Programmers actually write the software, using a programming language.
 Operations personnel are employees who are responsible for processing operating data.
 Database administrator develops and maintains the database and ensures adequate
controls over data within the database.
SYSTEM DEVELOPMENT LIFE CYCLE, OR SDLC
- Generally described as the systematic steps undertaken to plan, prioritize, authorize,
oversee, test, and implement large-scale changes to the IT system.

 PHYSICAL ENVIRONMENT AND SECURITY


Physical environment - includes the location, operating environment, and backup systems of the IT system.
Physical security - is intended to limit physical access to computer hardware and software so that malicious acts or vandalism do not disrupt the system, and so that data are protected.
Uninterruptible power supply (UPS) - includes a battery that maintains power in the event of a power outage, keeping the computer running for several minutes after the outage begins.
Emergency power supply (EPS) - is an alternative power supply that provides electrical power in the event that the main source is lost. An example of an EPS is a gasoline-powered generator.

Large-scale IT systems should be protected by physical access controls. Such controls include the following:
1. Limited access to computer rooms through employee ID badges or card keys
2. Video surveillance equipment
3. Logs of persons entering and exiting the computer rooms
4. Locked storage of backup data and offsite backup data

 BUSINESS CONTINUITY

WHAT IS BUSINESS CONTINUITY PLANNING (BCP)?
- BCP is a proactive program for considering risks to the continuation of business and developing plans and procedures to reduce those risks.
Two parts of business continuity are related to IT systems:
1. A strategy for backup and restoration of IT systems, to include redundant servers, redundant
data storage, daily incremental backups, a backup of weekly changes, and off-site storage of
daily and weekly backups
2. A disaster recovery plan

Redundant servers – one approach to a backup processing system.
In IT systems, redundant data storage is accomplished by the use of redundant arrays of independent disks (RAID).
This backup protection is improved by off-site backup, an additional copy of the backup files stored in an off-site location.
The plan for the continuance of IT systems after a disaster is called a disaster recovery plan (DRP).

GENERAL CONTROLS FROM AN AICPA TRUST SERVICES PRINCIPLES PERSPECTIVE
The AICPA Trust Services Principles categorizes IT controls and risks into five categories:
a. Security - The system is protected against unauthorized (physical and logical)
access.
b. Availability -The system is available for operation and use as committed or agreed.
c. Processing integrity- System processing is complete, accurate, timely, and
authorized.
d. Online privacy- Personal information obtained as a result of e-commerce is
collected, used, disclosed, and retained as committed or agreed.
e. Confidentiality- Information designated as confidential is protected as committed
or agreed.

RISKS IN NOT LIMITING UNAUTHORIZED USERS


 An unauthorized user could easily access data and programs he should not have access to,
change data, record transactions, and perhaps even have a company check written directly
to himself.
 There are several security risks resulting from unauthorized access. However, it is
important first to understand the nature of unauthorized access.
 The computer log serves as a detective control to assist in the discovery of unusual log-in
attempts.
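As an added example (not from the chapter), the authority table, computer log and nonrepudiation ideas from the authentication section above, plus the computer log used as a detective control for unusual log-in attempts: all users, passwords, access levels and timestamps are constructed for illustration.

```python
"""Added example (not from the chapter): a salted-hash authority table, a
computer log written on every log-in attempt, and a detective control that
flags user IDs with repeated failed attempts. Users, passwords, access levels
and timestamps are all constructed for illustration."""
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 50_000
START = datetime(2024, 1, 15, 9, 0)   # constructed reference time for the log


def minutes_after(n):
    """Timestamp n minutes after the constructed reference time."""
    return START + timedelta(minutes=n)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a password hash; only the hash, never the password, is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_authority_table():
    """Authority table: valid user IDs and the access level granted to each.
    Plaintext passwords appear here only to build the constructed table."""
    table = {}
    for user_id, password, access in [
        ("jdoe", "Winter2024!", "read"),
        ("asmith", "correct horse battery", "update"),
        ("pay_admin", "Tr0ub4dor&3", "admin"),
    ]:
        salt = os.urandom(16)
        table[user_id] = {"salt": salt, "hash": hash_password(password, salt), "access": access}
    return table


def log_in(table, user_id, password, when, log):
    """Authenticate a user against the authority table.

    Every attempt, successful or not, is appended to the computer log so that
    the user cannot later deny the action (nonrepudiation). Returns the access
    level on success and None on failure."""
    entry = table.get(user_id)
    if entry is None:
        # Unknown user ID: still do a hash computation so response timing does
        # not reveal whether the user ID exists in the authority table.
        hash_password(password, b"\x00" * 16)
        success = False
    else:
        candidate = hash_password(password, entry["salt"])
        success = hmac.compare_digest(candidate, entry["hash"])
    log.append({"time": when, "user": user_id, "success": success})
    return entry["access"] if success else None


def unusual_login_attempts(log, max_failures=3, window=timedelta(minutes=10)):
    """Detective control over the computer log: return the user IDs that had at
    least max_failures failed attempts inside any sliding window of `window`."""
    recent_failures = defaultdict(list)
    flagged = set()
    for event in sorted(log, key=lambda e: e["time"]):
        if event["success"]:
            continue
        times = recent_failures[event["user"]]
        times.append(event["time"])
        # Discard failures older than the window relative to this attempt.
        while times and event["time"] - times[0] > window:
            times.pop(0)
        if len(times) >= max_failures:
            flagged.add(event["user"])
    return flagged


if __name__ == "__main__":
    table = make_authority_table()
    computer_log = []
    print(log_in(table, "jdoe", "Winter2024!", minutes_after(0), computer_log))  # read
    for minute in range(3):  # burst of failed attempts within the window
        log_in(table, "asmith", "guess", minutes_after(minute), computer_log)
    print(unusual_login_attempts(computer_log))  # {'asmith'}
```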
RISKS FROM HACKING OR OTHER NETWORK BREAK-INS
Hackers or others who break into computer networks are usually thought of as being outside the company.
To avoid these problems:
1. Firewalls
2. Encryption of data
3. Security policies
4. Security breach resolution

RISKS FROM ENVIRONMENTAL FACTORS


 IT systems can be negatively affected by the environment in which they operate. Extremes
of temperature or humidity can cause operating problems, especially to large mainframe
computers, which are sensitive to heat and high humidity and therefore must be placed in
rooms in which the climate is tightly controlled.

PHYSICAL ACCESS RISKS


 Refers to the vulnerabilities a system or network faces when unauthorized individuals gain direct access to physical hardware such as servers, workstations, or other critical devices.
Common risks:
1. Theft or Damage
2. Unauthorized Device Connection
3. Tampering
4. Data Breach
Business Continuity Risks
- Refer to potential threats that can disrupt an organization’s ability to maintain essential functions during or after a disaster or unexpected event.
- These risks may affect operations, finance, reputation, or customer trust.
Common types of business continuity risks:
1. Natural Disaster
2. Cyber Security Threats
3. Supply Chain Disruption
4. Power Outage

HARDWARE AND SOFTWARE EXPOSURES IN IT SYSTEM


THE OPERATING SYSTEM
 The operating system is the software that controls the basic input and output
activities of the computer.
 The operating system provides the instructions that enable the CPU to read and
write to disk, read keyboard input, control output to the monitor, manage
computer memory, and communicate between the CPU, memory, and disk
storage.
 Operating system access allows a user access to all the important aspects of the IT
system.
 Operating system poses security risks, availability risks, processing integrity risks,
and confidentiality risks.
The risks to the operating system related to accounting data include security, availability,
processing integrity, and confidentiality risks. Unauthorized access to the operating system
would allow the unauthorized user to do the following:
1. Browse disk files or memory for sensitive data or passwords
2. Alter data through the operating system
3. Alter access tables to change access levels of users
4. Alter application programs
5. Destroy data or programs

THE DATABASE
 In an IT system, all or most accounting records and data are stored in electronic form
in the database.
 The database also is an exposure area. It is a part of the IT system that is susceptible
to security, availability, processing integrity, and confidentiality risks.
THE DATABASE MANAGEMENT SYSTEM
 The database management system (DBMS) is a software system that manages the
interface between many users and the database.
The inventory data can be stored in the database and shared by all three user groups. Each
individual user group may have a different level of access.
 The DBMS poses security, confidentiality, availability, and processing integrity risk
exposures.
 Both the data and the database management system are critical components that must be
adequately guarded to protect business continuity.
 Loss of the data or alteration to the DBMS can halt operations.
LANS AND WANS
A local area network, or LAN, is a computer network covering a small geographic area.
In most cases, LANs are within a single building or a local group of buildings.
 Most LANs are sets of personal computers or workstations that are connected in order to
share data and devices such as printers. Typically, the LAN is connected to a larger
computer, the server, where data and some programs reside and are shared over the LAN.
 A group of LANs connected to each other to cover a wider geographic area is called a
wide area network, or WAN.
 Because LANs and WANs are connected into the larger network of servers and computers within a company, the LANs represent risk exposure areas.
WIRELESS NETWORKS
 Wireless networks have become very popular in organizations because they allow
workers to connect to the network without being tethered to a network cable.
 In the wireless network, signals are transmitted through the air rather than over cables.
These network signals are similar to radio signals; therefore, anyone who can receive
those radio signals may gain access to the network.
 A popular activity is to find a company whose network signal bleeds outside the building
to the sidewalk around it. Potential abusers of this network make identifiable chalk marks
on the sidewalks so that others can find the network access. This activity has become
known as “warchalking.”
 The legality and ethics of warchalking are debatable, but a company might avoid it by instituting proper controls, such as wired equivalent privacy (WEP) or Wi-Fi protected access (WPA), service set identifiers (SSID), and encrypted data.
THE INTERNET AND WORLD WIDE WEB
 Many companies use the Internet to buy or sell via a website or to better serve customers
and/or employees.
 The Internet connection required to conduct Web-based business can open the company
network to unauthorized users, hackers, and other network break-in artists.
 An unauthorized user can compromise security and confidentiality and affect availability
and processing integrity by altering data or software or by inserting virus or worm
programs.
 In a typical network configuration for an Internet connection to a company’s network, a separate computer serves as the Web server. This Web server is isolated from the company network by a firewall.
TELECOMMUTING WORKERS AND MOBILE WORKERS
A significant number of employees in the United States work from home, using some type of network connection to the office. This work arrangement is commonly called telecommuting or teleworking. Telecommuting work arrangements are used by nearly 20 percent of workers over the age of 18. Telecommuting can offer benefits to both employer and employee.
 The employee gains flexibility and other advantages of being at home, while the employer may save office space and overhead expenses for the worker.
 The potential disadvantages of telecommuting are that the teleworker loses daily face-to-face interaction and may miss meetings with other employees or supervisors.
Telecommuting workers cause two sources of risk exposure for their organizations:
1. The necessary network equipment and cabling can be an entry point for hackers and unauthorized users.
2. The teleworker’s computer is also an entry point for potential unauthorized users; it is not under the direct control of the organization, because it is located in the teleworker’s home.
Addressing Security Challenges:
 Security Policies: Organizations must implement robust security policies that specifically
address the unique security needs of telecommuters and mobile workers.
 Virtual Private Networks (VPNs): Telecommuters should connect to the company
network via a VPN, which creates a secure, encrypted connection, protecting sensitive
data during transmission.
 Firewall and Antivirus Software: Telecommuters and mobile workers must use up-to-
date firewalls and antivirus software to protect their devices from malware and
unauthorized access.
 Remote Wipe Capability: Companies providing mobile devices to employees should
implement "remote wipe" capabilities, allowing IT professionals to remotely delete
company data and applications from lost or stolen devices, safeguarding sensitive
information.
ELECTRONIC DATA INTERCHANGE
 Electronic data interchange (EDI) is the company-to-company transfer of standard business documents in electronic form.
 EDI is widely used by businesses to buy and sell goods and materials.
 The EDI network entails security, confidentiality, availability, and processing integrity risks, as it is another “entry point” for unauthorized users or hackers. EDI transactions must be properly guarded and controlled by general controls, including authentication, computer logs, and network break-in controls.
The advantages of public cloud computing:
1. Scalability- as a company grows, it can easily purchase new capacity from the cloud
provider. It need not buy servers or new data storage as the cloud provider already has the
capacity. If a company has a large increase in business volume during certain seasons, it
can easily scale up the capacity purchased from the cloud provider.
2. Expanded access- once the software and data are stored in the cloud, it can be accessed
by multiple devices from many different locations.
3. Infrastructure is reduced- the company has a reduced need for servers and data storage
since most of these resources are provided by the cloud provider. This also means that the
cloud provider handles data security and backup of data.
4. Cost savings- Cloud computing is usually a pay-for-service model. In other words, a
company pays the cloud provider only for the level of services it actually uses. Cloud
computing also allows a company to reduce its investment in IT hardware and the
personnel needed to support IT hardware.
Risks of cloud computing
1. Security - All processing, storing of data, and reading of data occur over the Internet; therefore, the third-party provider must have good user authentication, firewalls, encryption, and virtual private network connections.
2. Availability - Any interruption in service causes the software and data to be unavailable. The company relies on the provider’s backup plans.
3. Processing integrity- All control of software installation, testing, and
upgrading is transferred to the provider of cloud computing services.
4. Confidentiality- the control of maintaining confidentiality is transferred to the third-party
provider. This includes an extra risk that employees of the third-party provider can possibly
browse and misuse company data.
APPLICATION SOFTWARE AND APPLICATION CONTROLS
APPLICATION SOFTWARE
 Is a computer program that helps the user perform a specific task in the system.
 Application software accomplishes end-user tasks such as word processing, spreadsheets, database maintenance, and accounting functions.
APPLICATION CONTROL
 Application controls are used specifically in accounting applications to control inputs,
processing, and outputs.
 Application controls are intended to ensure that inputs and processing are accurate and
complete and that outputs are properly distributed, controlled, and disposed.
Types of Control
 Input Control
 Processing Control
 Output Control
Input Control
 are intended to ensure the accuracy and completeness of data input procedures and the
resulting data.

Four Types of Input Control
1. Source document controls
2. Standard procedures for data preparation and error handling
3. Programmed edit checks
4. Control totals and reconciliation

Source Document Controls
 A source document is the paper form used to capture and record the original data of an
accounting transaction. For example, before filling in the blank fields in Exhibit 4-8, the
data entry person needs to know the new employee’s name, address, hire date, and many
other pieces of information.
Source document controls include:
FORM DESIGN
 Both the source document and the input screen should be well designed so that they are
easy to understand and use, logically organized into groups of related data. For example,
notice that employee name and address blanks, or fields, are located very close to each
other, since they are logically related. Source documents should have clear and direct
instructions embedded into the form.
FORM AUTHORIZATION AND CONTROL
 The source document should contain an area for authorization by the appropriate
manager, such as the bottom left of the form in Exhibit 4-9. The source document forms
should be prenumbered and used in sequence. Prenumbering allows for ongoing
monitoring and control over blank source documents.
RETENTION OF SOURCE DOCUMENT
 After data from source documents have been keyed into the computer, the source
documents should be retained and filed in a manner that allows for easy retrieval.
STANDARD PROCEDURES FOR DATA INPUT
DATA PREPARATION
 The procedures to collect and prepare source documents are called data preparation
procedures. Without well-defined source data preparation procedures, employees would
be unsure of which forms to use, as well as when to use them, how to use them, and
where to route them.
ERROR HANDLING
 As data are collected on source documents or entered on screens, errors may occur. It is
not possible to eliminate all errors. Therefore, an organization should have error handling
procedures.
PROGRAMMED INPUT VALIDATION CHECKS
 Data should be validated and edited as close as possible to the time of obtaining the data
from its original source. In many IT systems that process transactions in real time, editing
can take place during data entry.

INPUT VALIDATION CHECKS INCLUDE:

 FIELD CHECK
 A field check examines a field to determine whether the appropriate type (alpha or
numeric) of data was entered. If the wrong data type is entered, the application should
reject that data and alert the user with an error message.

 VALIDITY CHECKS
 A validity check examines a field to ensure that the data entry in the field is valid
compared with a preexisting list of acceptable values.
 LIMIT CHECK
 A limit check has only an upper limit; for example, hours worked cannot exceed a value of 70 hours per week. Hours worked would never be negative, and it is conceivable that it could be zero in some cases. Therefore, there is no need for a lower limit in that field, and a limit check would be appropriate.

 RANGE CHECKS
 A range check has both an upper and a lower limit. Some fields, such as quantity requested, may logically suggest that the entry cannot be less than 1.

 REASONABLENESS CHECK
 A reasonableness check compares the value in a field with the fields to which it is related, to determine whether the value is reasonable.

 COMPLETENESS CHECKS
 A completeness check assesses the critical fields in an input screen to make sure that a
value is in those fields.

 SIGN CHECK
 A sign check examines a field to determine that it has the appropriate sign, positive or negative.

 SEQUENCE CHECKS
 A sequence check ensures that the batch of transactions is sorted in order, but does not
help find missing transactions because it checks only sequence, not completeness.

 SELF-CHECKING DIGIT
 A self-checking digit is an extra digit added to a coded identification number, determined by a mathematical algorithm.
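The programmed input validation checks listed above, applied to a constructed batch of payroll time records, as an added example that is not part of the chapter. The field names, the valid department list, the pay-rate range and the use of the Luhn mod-10 algorithm for the self-checking digit are assumptions made for illustration.

```python
"""Added example (not from the chapter): field, validity, limit, range,
reasonableness, completeness, sign and sequence checks plus a self-checking
digit, run over constructed payroll records. Field names, limits and the
Luhn mod-10 check-digit scheme are assumptions for illustration."""

VALID_DEPARTMENTS = {"ACCT", "MFG", "SALES"}   # validity check: preexisting list
MAX_HOURS = 70                                  # limit check: upper limit only
MIN_RATE, MAX_RATE = 7.25, 150.00               # range check: lower and upper
CRITICAL_FIELDS = ("employee_id", "name", "dept", "hours", "rate")


def luhn_check_digit(base: str) -> str:
    """Self-checking digit computed from the other digits by the Luhn mod-10
    algorithm; a mis-keyed or transposed digit changes the expected digit."""
    total = 0
    for i, ch in enumerate(reversed(base)):
        d = int(ch)
        if i % 2 == 0:          # double every second digit, starting at the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def employee_id(base: str) -> str:
    """Build a full employee ID by appending its self-checking digit."""
    return base + luhn_check_digit(base)


def validate_record(r):
    """Return a list of (check, message) pairs; empty means every check passed."""
    errors = []
    # Completeness check: critical fields must carry a value before anything else.
    missing = [f for f in CRITICAL_FIELDS if r.get(f) in (None, "")]
    if missing:
        return [("completeness", f"missing critical fields {missing}")]
    eid = str(r["employee_id"])
    # Field check: correct data type (numeric ID, alphabetic name).
    if not eid.isdigit():
        errors.append(("field", "employee_id must be numeric"))
    elif luhn_check_digit(eid[:-1]) != eid[-1]:
        errors.append(("self-checking digit", "employee_id fails its check digit"))
    if not r["name"].replace(" ", "").isalpha():
        errors.append(("field", "name must be alphabetic"))
    # Validity check: value must appear in the preexisting list of acceptable values.
    if r["dept"] not in VALID_DEPARTMENTS:
        errors.append(("validity", f"unknown department {r['dept']!r}"))
    # Sign check: hours may be zero but never negative.
    if r["hours"] < 0:
        errors.append(("sign", "hours must not be negative"))
    # Limit check: an upper bound only, as in the chapter's 70-hour example.
    if r["hours"] > MAX_HOURS:
        errors.append(("limit", f"hours exceed {MAX_HOURS}"))
    # Range check: both a lower and an upper bound.
    if not MIN_RATE <= r["rate"] <= MAX_RATE:
        errors.append(("range", f"rate outside {MIN_RATE}-{MAX_RATE}"))
    # Reasonableness check: overtime is judged against the related hours field.
    if r.get("overtime", 0) > max(r["hours"] - 40, 0):
        errors.append(("reasonableness", "overtime exceeds hours beyond 40"))
    return errors


def validate_batch(records):
    """Apply the record-level checks and a sequence check on employee_id.
    The sequence check only confirms ordering; it cannot reveal missing records."""
    results = {i: validate_record(r) for i, r in enumerate(records)}
    ids = [str(r.get("employee_id", "")) for r in records]
    if ids != sorted(ids):
        results["batch"] = [("sequence", "records are not in employee_id order")]
    return results


if __name__ == "__main__":
    batch = [  # constructed records: the first is clean, the second fails several checks
        {"employee_id": employee_id("1000"), "name": "Ana Cruz", "dept": "ACCT",
         "hours": 45, "overtime": 5, "rate": 20.0},
        {"employee_id": "10010", "name": "Ben Ortiz", "dept": "HR",
         "hours": 75, "overtime": 40, "rate": 3.0},
    ]
    for key, errs in validate_batch(batch).items():
        print(key, errs)
```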

CONTROL TOTALS AND RECONCILIATION

 CONTROL TOTALS
 Are subtotals of selected fields for an entire batch of transactions. For a batch of similar
transactions, such as payroll transactions for a pay period, control totals can be calculated
before data are processed.

 RECORD COUNTS
 Are a simple count of the number of records processed. The records can be counted prior to and after input, and the totals should agree.
 BATCH TOTALS
 Are totals of financial data, such as total gross pay or total federal tax deducted.

 HASH TOTALS
 Are totals of fields that have no apparent logical reason to be added.

PROCESSING CONTROL
 Processing controls are intended to prevent, detect, or correct errors that occur during the
processing in an application.
 Processing controls are intended to ensure the accuracy and completeness of processing
that occurs in accounting applications.
 This reconciliation of control totals at various stages of the processing is called run-to-run
control totals.
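Control totals and run-to-run reconciliation as an added example that is not part of the chapter: record count, batch total and hash total are computed on a constructed payroll batch before input, then recomputed after each processing run and reconciled; the field names and the processing stages are assumptions for illustration.

```python
"""Added example (not from the chapter): control totals computed before input
and reconciled after every processing run (run-to-run control totals).
Field names, sample records and processing stages are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    record_count: int     # simple count of the records
    batch_total: float    # total of a financial field (gross pay)
    hash_total: int       # total of a field with no logical reason to be added (employee IDs)


def control_totals(records) -> ControlTotals:
    """Compute the three control totals for a batch of records."""
    return ControlTotals(
        record_count=len(records),
        batch_total=round(sum(r["gross_pay"] for r in records), 2),
        hash_total=sum(r["employee_id"] for r in records),
    )


def reconcile(expected: ControlTotals, actual: ControlTotals):
    """Return the names of the totals that do not agree (empty list = balanced)."""
    return [name for name in ("record_count", "batch_total", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]


def run_to_run(batch, stages):
    """Run each (name, function) stage in turn; after every run, recompute the
    totals and reconcile them to the totals established before input.
    Returns {stage name: list of totals that failed to agree}."""
    expected = control_totals(batch)
    report = {}
    records = batch
    for name, stage in stages:
        records = stage(records)
        report[name] = reconcile(expected, control_totals(records))
    return report


# Processing stages (constructed). The first two preserve the batch; the last
# two contain the kinds of defect that particular totals are meant to catch.
def compute_withholding(records):
    return [dict(r, withholding=round(r["gross_pay"] * 0.2, 2)) for r in records]


def compute_net_pay(records):
    return [dict(r, net_pay=round(r["gross_pay"] - r["withholding"], 2)) for r in records]


def swap_employee_id(records):           # mis-keyed ID: only the hash total changes
    return [dict(records[0], employee_id=records[0]["employee_id"] + 1)] + records[1:]


def drop_last_record(records):           # lost record: count and both totals change
    return records[:-1]


SAMPLE_BATCH = [                          # constructed payroll records
    {"employee_id": 10009, "gross_pay": 900.00},
    {"employee_id": 10017, "gross_pay": 1500.50},
    {"employee_id": 10025, "gross_pay": 1200.00},
]

if __name__ == "__main__":
    print(control_totals(SAMPLE_BATCH))
    print(run_to_run(SAMPLE_BATCH, [("withholding", compute_withholding),
                                    ("net pay", compute_net_pay),
                                    ("swap id", swap_employee_id),
                                    ("drop record", drop_last_record)]))
```

A record count alone would not catch the swapped ID, and a batch total alone would not catch it either; that is the reason a hash total over a non-financial field is kept alongside them.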

OUTPUT CONTROLS
 Output controls are intended to help ensure the accuracy, completeness, and security of outputs that result from application processing.
 Many outputs in an IT system are reports from the various applications. An example of
an output report is a payroll check register. There are two primary objectives of output
controls:
 To ensure the accuracy and completeness of the output, and to properly manage the
safekeeping of output reports to ascertain that security and confidentiality of the
information is maintained.
 To ensure accuracy and completeness, the output can be reconciled to control totals.

ETHICAL ISSUES IN IT SYSTEM


 A strong set of internal controls can assist in discouraging unethical behavior such as
fraud and abuse.

 Management has a duty to maintain internal controls over IT systems for several reasons:
 Mainly to safeguard assets and funds.
 IT systems themselves, such as computer hardware and software, are assets that must be protected from theft, abuse, or misuse.
 The managers of the SEC have a duty to enforce policies that protect the computers and the IT systems.
 Similarly, a company has a duty to its owners to enforce policies and controls to prevent misuse.
 Access to IT systems may give unauthorized users access to other assets, which could possibly result in fraudulent acts.

Besides fraud, there are many kinds of unethical behaviors related to computers:

 Misuse of confidential customer information stored in an IT system.
 Theft of data, such as credit card information, by hackers.
 Employee use of IT system hardware and software for personal use or personal gain
 Using company e-mail to send offensive, threatening, or sexually explicit material
