AIN1501 E-Tutor: H Carrim
Information is no longer only a nice-to-have, but rather a necessity in the business
environment, enabling users to make sensible decisions.
In order for information to allow users to make informed decisions, information should
meet the requirements of the CIA triad, that is, confidentiality, integrity and availability.
A threat is the potential that a vulnerability in a system will be exploited, while a risk
refers to the probability that the vulnerability will be exploited and therefore risk can be
quantified.
The only way to address the threats mentioned in study unit 10 is to develop an
organisational information system security policy stipulating the control procedures to
be followed.
An organisation will need to determine any threats to the existing information and then
perform a risk assessment. A risk assessment refers to the quantification of the
likelihood of these threats resulting in the information system being attacked.
General controls
General controls are overall controls affecting all transaction processing. General
controls are implemented to ensure the effective operation of the organisation's
accounting information system.
Application controls
Preventive controls
Preventive controls are the first layer in the internal control shield. Preventive controls
prevent and discourage adverse events such as fraud, errors, theft, loss, and so on from
occurring.
Detective controls
Detective controls are the second layer in the internal control shield. Detective controls
search for, uncover and identify adverse events after they have occurred.
Corrective controls
Corrective controls are the last layer in the internal control shield. Corrective controls,
also sometimes called corrective measures, commence as soon as the detective controls
have uncovered and identified an adverse event. The purpose of corrective controls is to
limit and repair the damage caused by the adverse event and to bring the organisation
back to its normal working operations as effectively as possible. Examples include:
• Data recovery
• Disaster recovery of complete system (in order to minimise financial loss and
prevent a material impact on the financial reporting process, controls should be
in place that enable a business to resume normal operations as soon as possible
after a disaster has struck the organisation)
• Fire extinguishers (to minimise the damage caused by a fire)
• Backup power (to minimise the impact of a power outage)
• Insurance (to recover the cost of the damage so that the organisation can be back in operation as soon as possible).
Disaster planning
Disaster planning forms part of mitigating the risk of substantial financial loss resulting
from an unexpected disruption of normal business operations.
- Controls to anticipate or prevent possible disasters (covered in the previous section).
The focus of this section will be on the second of these: disaster recovery.
Step 1: When designing the plan, planning should commence with an analysis of the
organisation's needs (a needs analysis), that is, the critical resources required should be
identified.
Step 2: A list of priorities for recovery should be compiled based on the needs analysis.
System controls
Controls need to be put into place to ensure data communication between users is
reliable and assets are safeguarded.
Summary
In this study unit, we examined ways of alleviating the threats faced in a computerised
information system environment and we referred to these as controls. Controls can be
classified by type or by function. Finally, we examined the controls that should be
designed and implemented in order to minimise the impact of a disaster. You will learn
more about controls in your auditing modules.