AC115 Lecture Notes 2 (2) (Compatibility Mode)
CONTROLS
General controls
Application controls
Relationship Between General and Administrative Controls
[Diagram: the general controls (Administration of the IT Function, Segregation of IT duties, Systems development, Hardware controls) are shown alongside the cycle application controls (Cash receipts application controls, Sales applications controls, Payroll application controls, Other cycle application controls), with the risks labelled "Risk of unauthorized change to application software" and "Risk of system crash".]
The perceived importance of IT within an
organization is often dictated by the attitude of
the board of directors and senior management.
Segregation of IT Duties
[Organization chart: Security Administrator; Systems Development; Operations; Data Control]
Systems Development
Typical test strategies
Input controls
Processing controls
Output controls
Input Controls
Financial total
Hash total
Record count
Input Controls
• Data input controls ensure the accuracy,
completeness, and timeliness of data during
its conversion from its original source into
computer data, or entry into a computer
application. Data can be entered into a
computer application by either manual
online input or batch processing
(automated). Someone reviewing input
controls should determine the adequacy of
both manual and automated controls over
data input to ensure that data is input
accurately with optimum use of computerized
validation and editing and that error handling
procedures facilitate the timely and accurate
resubmission of all corrected data.
• 1) Documented procedures should
exist for any data manually
entered into the application.
These procedures should include
how to identify, correct,
and reprocess rejected data.
• 2) Input edits should be used by
the application. These could
include checking for invalid field
lengths, invalid characters,
missing or erroneous data,
incorrect dates, or the use of
check digits.
• 3) Input data should also be
controlled by the use of record
counts, batching techniques,
control totals, or some other type
of logging. (Balancing of
source documents to input
processing)
• 4) Another way to help ensure
appropriate data is being entered
into the application is to require
that an authorized person approve
the input documents.
The authorization levels of the
assigned approvers should also be
reviewed to determine if they are
reasonable.
• 5) Passwords should be used to
control access to the application.
Passwords should be changed
periodically, deleted when
employees/users leave the
University, and modified to reflect
changes as a person’s
responsibilities change.
• 6) Duties should be separated to
ensure that no one individual
performs more than one of the
following operations without
supervisory review:
- Origination of data
- Input of data into the system
- Processing the data
- Distribution of the output
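The batch totals (record count, financial total, hash total) and the input edits described above, worked through in code. This is an added illustration, not code from the lecture notes; the record layout, the modulus-11 check-digit scheme, and the sample batch and control totals are constructed assumptions.

```python
# Added illustration (not from the notes); layout, check-digit scheme and sample data are constructed.
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Constructed sample batch as keyed, and control totals prepared independently from source documents.
BATCH = [
    {"account": "1000233", "date": "2024-03-04", "amount": "125.50"},
    {"account": "1000241", "date": "2024-03-04", "amount": "80.00"},
    {"account": "1000268", "date": "2024-03-05", "amount": "19.99"},
]
CONTROL = {"record_count": 3, "financial_total": Decimal("225.49"), "hash_total": 3000742}

def check_digit_ok(account):
    """Assumed modulus-11 scheme: weights n+1..2 over the body; the last digit is the check."""
    if not account.isdigit() or len(account) < 2:
        return False
    body, check = account[:-1], int(account[-1])
    total = sum(int(d) * w for d, w in zip(body, range(len(body) + 1, 1, -1)))
    return (11 - total % 11) % 11 == check

def input_edits(rec):
    """Edits named in item 2: missing data, field length, check digit, date, characters."""
    errors, acct = [], rec.get("account", "")
    if not acct:
        errors.append("missing account")
    elif len(acct) != 7:
        errors.append("invalid account length")
    elif not check_digit_ok(acct):
        errors.append("check digit failure")
    try:
        datetime.strptime(rec.get("date", ""), "%Y-%m-%d")
    except ValueError:
        errors.append("incorrect date")
    try:
        Decimal(rec.get("amount", ""))
    except InvalidOperation:
        errors.append("invalid characters in amount")
    return errors

def process_batch(batch, control):
    """Reject records failing edits; balance the rest to the control totals (item 3)."""
    checked = [(r, input_edits(r)) for r in batch]
    accepted = [r for r, errs in checked if not errs]
    keyed = {"record_count": len(accepted),
             "financial_total": sum((Decimal(r["amount"]) for r in accepted), Decimal(0)),
             "hash_total": sum(int(r["account"]) for r in accepted)}
    out = {k: (keyed[k], control[k]) for k in control if keyed[k] != control[k]}
    return {"balanced": not out, "out_of_balance": out,
            "rejected": [(r, errs) for r, errs in checked if errs]}
```

A rejected record leaves the batch out of balance until it is corrected and resubmitted, which is exactly the reprocessing path item 1 asks to be documented.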
Processing Controls
Validation test
Sequence test
Completeness test
Processing Controls
• Processing controls are used to
ensure the accuracy, completeness,
and timeliness of data during either
batch or real-time processing by the
computer application. Someone
reviewing these controls should
determine the adequacy of controls
over application programs and
related computer operations to
ensure that data is accurately
processed through the application
and that no data is added, lost, or
altered during processing.
• 1) Documentation should exist
explaining the processing of data
through the application. Examples
would be narratives on how the
application processes
data, flowcharts, and an
explanation of system or error
messages.
• 2) If the application is “run” on a
regular schedule to process data,
either manually or automatically,
there should be documented
procedures explaining how this
is performed. There may be a
schedule that must be followed
with controls in place to ensure
all processing was completed.
• 3) A processing log may exist. If it
does, it should be reviewed for
unusual or unauthorized activity.
• 4) The processing log, or another
log or report, should be used to
document any errors or problems
encountered during processing.
Types of information that
should be kept include
descriptions of any errors
encountered, dates identified, any
codes associated with errors, any
corrective action taken, and the
dates and times corrected.
• 5) There should be controls in
place to make sure the correct
generation/cycle of files is used
for processing. This may include
the generation of backup files
from processing to be used for
disaster recovery.
• 6) Processing edits should also be
used. These may be similar to
input edits but applied to the data
during processing.
• 7) Audit trails should be
generated during processing.
These audit trails should be logs
or reports that contain
information about each
transaction. Data that should
be included are who initiated
each of the transactions, the date
and time of the transactions, the
location of the transaction
origination (IP address as
an example).
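The sequence, completeness and validation tests, the audit trail (item 7) and the processing log of errors (item 4) applied to a small transaction file. This is an added illustration, not code from the lecture notes; the record layout, master file, log format and sample transactions are constructed assumptions.

```python
# Added illustration (not from the notes); record layout, master file, log format
# and sample transactions are constructed assumptions.
from datetime import datetime, timezone

MASTER_ACCOUNTS = {"1000233", "1000241", "1000268"}      # constructed master file
REQUIRED_FIELDS = ("seq", "account", "amount", "user", "origin_ip")
# Constructed transaction file; seq is expected to run 1, 2, 3, ... without gaps.
TRANSACTIONS = [
    {"seq": 1, "account": "1000233", "amount": "125.50", "user": "jdoe", "origin_ip": "10.0.0.5"},
    {"seq": 2, "account": "1000241", "amount": "80.00", "user": "jdoe", "origin_ip": "10.0.0.5"},
    {"seq": 4, "account": "9999999", "amount": "19.99", "user": "asmith", "origin_ip": "10.0.0.9"},
    {"seq": 4, "account": "1000268", "user": "asmith", "origin_ip": "10.0.0.9"},
]

def sequence_test(txns):
    """Gaps mean data was lost; duplicates mean data was processed twice."""
    seqs = [t["seq"] for t in txns if t.get("seq") is not None]
    expected = set(range(1, max(seqs) + 1)) if seqs else set()
    return {"gaps": sorted(expected - set(seqs)),
            "duplicates": sorted({s for s in seqs if seqs.count(s) > 1})}

def completeness_test(txn):
    """Every required field must be present and non-empty."""
    return [f"missing {f}" for f in REQUIRED_FIELDS if txn.get(f) in (None, "")]

def validation_test(txn):
    """The account must exist on the master file."""
    return [] if txn.get("account") in MASTER_ACCOUNTS else ["account not on master file"]

def process(txns, now=None):
    """Run the tests; write an audit trail entry per transaction and log every error."""
    now = now or datetime.now(timezone.utc)
    audit_trail, log, processed = [], [], 0
    for t in txns:
        errors = completeness_test(t) + validation_test(t)
        # Audit trail: who initiated it, when, from where, and the outcome.
        audit_trail.append({"seq": t.get("seq"), "user": t.get("user"),
                            "timestamp": now.isoformat(), "origin_ip": t.get("origin_ip"),
                            "status": "rejected" if errors else "processed"})
        if errors:   # "corrected" stays None until the corrective action is recorded
            log.append({"seq": t.get("seq"), "errors": errors,
                        "date_identified": now.date().isoformat(), "corrected": None})
        processed += 0 if errors else 1
    seq = sequence_test(txns)
    if seq["gaps"] or seq["duplicates"]:
        log.append({"seq": None, "errors": [f"sequence test failed: {seq}"],
                    "date_identified": now.date().isoformat(), "corrected": None})
    return {"processed": processed, "audit_trail": audit_trail,
            "processing_log": log, "sequence": seq}
```

Reviewing the processing log for the sequence-test entry is how the "unusual or unauthorized activity" check in item 3 would surface lost or double-processed records.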
Output Controls
– 7. Designating responsibilities.
• Disaster recovery planning is an
ongoing, dynamic process that
continues throughout the
information system’s lifecycle.
1. Identifying Critical Systems and Functions
• Information systems can be very
complex, fulfilling many business
functions. Your first step in disaster
recovery planning is to identify and
prioritize the business-critical
functions, systems, and processes. As
a disaster recovery planner, you must
obtain input from Executive and
Functional Managers to determine
each system’s criticality.
2. Identifying Critical Resources
• Your second step in disaster recovery
planning is to identify the resources that are
critical to the information systems that
support the functions, systems, and
processes that you identified in step one. The
critical resources that you identify must
include everything necessary to support the
critical function, system, or process. Some
examples of critical resources are:
• Telecommunications connections,
• Personnel.
• As a disaster recovery planner, you must
analyze the critical resources identified and
determine the impact on information system
operations if a given resource is disrupted or
damaged. The impact analysis must include
allowable outage times, i.e., “How long can a
company afford to be without this resource?”
When analyzing the impact, you must also
consider the outage effect on dependent
systems.
• Using the resulting business impact
analysis, you must then develop and
prioritize strategies for recovery and
restoration.
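The impact analysis in step 2, carried through as code: allowable outage times flow from each critical function down to the resources it depends on, a shared resource inherits the tightest deadline, and the result ranks resources for recovery strategy. This is an added illustration, not from the lecture notes; the functions, resources, dependency graph and outage hours are constructed assumptions.

```python
# Added illustration for step 2 (not from the notes): functions, resources,
# dependencies and allowable outage hours are constructed assumptions.

# Critical functions from step 1 with allowable outage in hours ("How long can
# the company afford to be without this?").
FUNCTIONS = {"cash_receipts": 4, "payroll": 48, "sales_order_entry": 8}

# Direct dependencies: function -> systems, system -> resources, resource -> resources.
DEPENDS_ON = {
    "cash_receipts": ["accounting_app"],
    "payroll": ["hr_app"],
    "sales_order_entry": ["sales_app"],
    "accounting_app": ["db_server", "telecom_link"],
    "sales_app": ["db_server", "telecom_link"],
    "hr_app": ["hr_server"],
    "db_server": ["data_centre_power", "dba_staff"],
    "hr_server": ["data_centre_power"],
}

def impact_analysis(functions, depends_on):
    """For every resource reached directly or transitively from a critical function,
    record the tightest allowable outage (minimum over the functions depending on it)
    and the set of functions affected if that resource is disrupted."""
    impact = {}
    def walk(node, fn, hours, seen):
        for dep in depends_on.get(node, []):
            if dep in seen:                      # guard against circular dependencies
                continue
            entry = impact.setdefault(dep, {"allowable_hours": hours, "affected": set()})
            entry["allowable_hours"] = min(entry["allowable_hours"], hours)
            entry["affected"].add(fn)
            walk(dep, fn, hours, seen | {dep})
    for fn, hours in functions.items():
        walk(fn, fn, hours, {fn})
    return impact

def recovery_priority(functions, depends_on):
    """Order resources for recovery: shortest allowable outage first, then the
    resource with the most dependent functions, then by name for a stable list."""
    impact = impact_analysis(functions, depends_on)
    return sorted(impact, key=lambda r: (impact[r]["allowable_hours"],
                                         -len(impact[r]["affected"]), r))
```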
3. Developing a Notification Plan
• Your third step is to develop a
plan for notifying essential
personnel when a disaster occurs
or is imminent. The plan must
describe the methods the
company uses to notify personnel
during business and non-business
hours. Prompt notification can
reduce the disaster’s effects on
the information system because
you will have time to take
mitigating actions.
4. Developing a Damage Assessment Plan
• Your fourth step is to develop a plan for
assessing the nature and extent of damage to
the system, and determine the extent to
activate the Disaster Recovery Plan. Although
damage assessment procedures may be
unique for each system, you must address the
following areas:
• Facility damage,