
Accounting Information Systems (AIN1501)



Part 3 - Topic 5

Study Unit 11 – Computer and accounting information system controls

Information is no longer only a nice-to-have, but rather a necessity in the business
environment, enabling users to make sensible decisions.

In order for information to allow users to make informed decisions, information should
meet the requirements of the CIA triad, that is, confidentiality, integrity and availability.

A threat is the potential that a vulnerability in a system will be exploited, while a risk
refers to the probability that the vulnerability will be exploited; risk can therefore be
quantified.

The only way to address the threats mentioned in study unit 10 is to develop an
organisational information system security policy stipulating the control procedures to
be followed.

An organisation will need to determine any threats to the existing information and then
perform a risk assessment. A risk assessment refers to the quantification of the
likelihood of these threats resulting in the information system being attacked.

Information system security policies

1. Defining an information system security policy

An information system security policy is a formal document describing the procedures
to be followed by the organisation when addressing threats to the information system.

2. Documents containing guidelines for an information system policy

There are, however, a number of documents containing guidelines for information
system control. These are aimed at helping the organisation when compiling an
information security system policy.

These documents include the following:

• The CobiT framework
• The King III report
• Information Security Framework (ISF)

AIN1501 E-tutor: H Carrim


Controls

Controls can be classified using various methods.

1. Controls classified by type

General controls

General controls are overall controls affecting all transaction processing. General
controls are implemented to ensure the effective operation of the organisation's
accounting information system.

Application controls

Application controls are specific to the functioning of individual applications.

2. Controls classified by function

Preventive controls

Preventive controls are the first layer in the internal control shield. Preventive controls
prevent and discourage adverse events such as fraud, errors, theft, loss, and so on from
occurring.

• Backup of data and documentation
• Antivirus software
• Antispyware
• Spam management software
• Training of staff
• Software change and implementation controls
• Adequate disposal of used/damaged/redundant equipment

Detective controls

Detective controls are the second layer in the internal control shield. Detective controls
search for, uncover and identify adverse events after they have occurred.

• Check digit
• Programmed edit tests
• Activity logs
• Intrusion detection system (IDS)
• Hash totals
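Three of the detective controls listed above, worked in code as an added example that is not part of the study guide. It assumes the check digit follows the Luhn mod-10 scheme, that the hash total is the plain arithmetic sum of account numbers (a field whose sum has no business meaning), and that the programmed edit test is a range test on amounts; the batch records are constructed for illustration.

```python
# Added example, not from the study guide. Assumed: Luhn mod-10 check digit,
# hash total = sum of account numbers, edit test = range test on amounts.

def luhn_check_digit(body: str) -> str:
    """Return the mod-10 check digit to append to a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):   # rightmost body digit is doubled
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """Detect a mis-keyed account number: any single-digit error and all
    adjacent transpositions except 09<->90 change the check digit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

def batch_totals(records):
    """Control totals taken when a batch is prepared and again after input;
    amounts are in cents so the totals are exact integers."""
    return {
        "count": len(records),
        "amount_total": sum(cents for _, cents in records),
        "hash_total": sum(int(acct) for acct, _ in records),
    }

def reconcile(expected, actual):
    """Names of the control totals that no longer agree (empty means clean)."""
    return [name for name in expected if expected[name] != actual[name]]

def edit_test(acct: str, cents: int, limit: int = 1_000_000) -> list:
    """Programmed edit test run on each record; returns rejection reasons."""
    reasons = []
    if not luhn_valid(acct):
        reasons.append("check digit")
    if cents <= 0:
        reasons.append("non-positive amount")
    elif cents > limit:
        reasons.append("exceeds limit")
    return reasons

# Constructed batch: totals taken at preparation, then the same batch as keyed
# in, with digits 3 and 4 of the first account number transposed.
PREPARED = [("1234566", 150000), ("1002005", 25050), ("5554449", 7525)]
KEYED = [("1243566", 150000), ("1002005", 25050), ("5554449", 7525)]

if __name__ == "__main__":
    print(reconcile(batch_totals(PREPARED), batch_totals(KEYED)))  # ['hash_total']
    print([edit_test(a, c) for a, c in KEYED])  # [['check digit'], [], []]
```

The transposition is caught twice: the record-level check digit rejects the keyed account number, and the batch-level hash total no longer agrees, while the record count and amount total are unchanged and would not have revealed it.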

Corrective controls

Corrective controls are the last layer in the internal control shield. Corrective controls,
also sometimes called corrective measures, commence as soon as the detective controls
have uncovered and identified an adverse event. The purpose of corrective controls is to
limit and repair the damage caused by the adverse event and should bring the
organisation back to its normal working operations as effectively as possible.

• Data recovery
• Disaster recovery of the complete system (in order to minimise financial loss and
prevent a material impact on the financial reporting process, controls should be
in place that enable a business to resume normal operations as soon as possible
after a disaster has struck the organisation)
• Fire extinguishers (to minimise the damage caused by a fire)
• Backup power (to minimise the impact of a power outage)
• Insurance (to recover the cost of damage so that the organisation can be back in
operation as soon as possible)

Disaster planning

Disaster planning forms part of mitigating the risk of substantial financial loss resulting
from an unexpected disruption of normal business operations.

Disaster planning comprises two elements:

• Controls to anticipate or prevent possible disasters (covered in the previous section)
• Disaster recovery or contingency planning after the event

The focus of this section will be on the second of these: disaster recovery.

A disaster recovery plan is implemented according to the following three steps:

Step 1: When designing the plan, planning should commence with an analysis of the
organisation's needs (needs analysis), that is, the critical resources needed should be
identified.

Step 2: A list of priorities for recovery should be compiled based on the needs analysis.

Step 3: Once this has been done, a planning committee can be formed to design a
disaster recovery strategy for approval by the board of directors.

System controls

Controls need to be put into place to ensure data communication between users is
reliable and assets are safeguarded.

Summary

In this study unit, we examined ways of alleviating the threats faced in a computerised
information system environment and we referred to these as controls. Controls can be
classified by type or by function. Finally, we examined the controls that should be
designed and implemented in order to minimise the impact of a disaster. You will learn
more about controls in your auditing modules.
