Information Systems Audit 2022

Lecturer: Cristina C. Gonzaga, CPA, MBA


Difference between IT, ICT and IS

IT        ICT        IS
--------  ---------  ---------
Hardware  Hardware   Hardware
Software  Software   Software
Data      Data       Data
          Networks   Network
                     People
                     Processes
- Definition: any organized combination of hardware, software, communication networks, data resources, and policies and procedures to store, retrieve, transform, and disseminate information.
- People rely on modern information systems to communicate with one another using a variety of physical devices (hardware), information processing instructions and procedures (software), communication channels (networks), and stored data (data resources).
System Activities (diagram of the information system model)

- Input of data resources -> Processing of data into information -> Output of information products
- Storage of data resources
- Control of system performance
- Network resources (communications media and network support)
- Key Concepts
  - "Reasonable Assurance"
  - "Acceptable Levels"
  - Control Environments
    - Primary element of internal control
    - Establishes the conditions under which internal controls will operate
    - Organization structure
    - Control framework
    - Organizational policies and procedures
    - External influences

- Organizational structure
  - Defines individual managers' responsibilities
  - Sets limits of authority
  - Ensures appropriate segregation of duties
  - May be complex or simple
  - Large organizations tend to have highly structured control frameworks
  - Small organizations frequently use personal contact between employees

- Elements
  - Segregation of duties
  - Competence and integrity of people
  - Appropriate levels of authority
  - Accountability
  - Adequate resources
  - Supervision and review

- Policies and procedures
  - Describe what is to be done
  - Scope of the function
  - Activities
  - Interrelationships with other departments

- External influences
  - Laws and regulations
  - Customs
  - Union agreements
  - Competitive environments
- Systems Software
  - Computer programs and routines controlling computer hardware, processing and non-user functions
  - Includes
    - Operating systems
    - Telecommunications software
    - Data management

- Applications Software
  - Computer programs written to support business functions
  - Includes
    - General Ledger / Payroll / Inventory / Order Processing

- Software generated outside the IT organization to meet specific user needs
  - Includes
    - Micro-based systems
    - User-developed systems
- General IT Controls
  - Computer operations
  - Physical security
  - Logical security
  - Program change control
  - Systems development

- Application Controls
  - Business systems oriented
  - Accuracy
  - Completeness
  - Authorization

- Preventive: prevents an undesirable event
  - Restrictions on users
  - Requirements for passwords
  - Separate authorization
- Detective: detects undesirable events after the fact
  - Effective use of audit trails
  - Exception reports
- Corrective: allows things to be put right
  - Disaster recovery plans
  - Transaction reversal capability

- Discretionary: subject to human discretion
  - Supervisory review of signatures
- Non-discretionary: provided by the system and cannot be overridden
  - Use of PIN numbers

- Voluntary / Mandated
  - Voluntary: chosen by the organization to support its business
  - Mandatory: required by laws and regulations
- Manual / Automated
  - Manual: implemented by manual intervention
  - Automated: implemented by the computer system
- Application / General IS
  - Application: to do with the business function
  - General IS: to do with the running of the IS function
- Control Objectives and Risks
  - Potential risks
    - Fraud
    - Business interruption
    - Errors
    - Customer dissatisfaction
    - Poor public image
    - Ineffective and inefficient use of resources
  - General control objectives
    - Integrity of information
    - Security
    - Compliance
- Integrity of information
  - Input
    - All transactions are initially and completely recorded
    - All transactions are completely and accurately entered into the system
    - All transactions are entered once only
    - Controls may include:
      - Pre-numbered documents
      - Control total reconciliation
      - Data validation
      - Activity logging
      - Document scanning
      - Access authorization
      - Document cancellation
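The input controls listed above, worked through on one batch of pre-numbered documents. This is an added example and not part of the lecture material: the batch ticket figures, the keyed documents, the six-digit account format and the per-document amount ceiling are all constructed for the demonstration. It shows how the sequence check on pre-numbered documents, the duplicate check, field validation and the three control totals each catch a different keying failure, and why a record count on its own is not enough.

```python
"""Input integrity controls over one batch of pre-numbered source documents.

Added example, not from the lecture slides. The batch ticket, the keyed
documents and the field rules are constructed for the demonstration; the
controls follow the slide: pre-numbered documents, control total
reconciliation, data validation and document cancellation.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
import re


@dataclass(frozen=True)
class BatchHeader:
    """Control figures written on the batch ticket by the originating department."""
    first_doc: int
    last_doc: int
    record_count: int
    amount_total: Decimal
    hash_total: int      # sum of account numbers: no business meaning, but checkable


ACCOUNT_RE = re.compile(r"^\d{6}$")
AMOUNT_LIMIT = Decimal("100000.00")   # assumed ceiling for a single document of this type


def to_decimal(text):
    """Parse a keyed amount; None when it is not numeric."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def validate_document(doc):
    """Data validation (preventive): format and range checks on one keyed document.
    Returns the list of errors; an empty list means the document passes."""
    errors, n = [], doc["doc_no"]
    if not ACCOUNT_RE.match(doc["account"]):
        errors.append(f"doc {n}: account {doc['account']!r} is not 6 digits")
    amount = to_decimal(doc["amount"])
    if amount is None:
        errors.append(f"doc {n}: amount {doc['amount']!r} is not numeric")
    elif amount <= 0 or amount > AMOUNT_LIMIT:
        errors.append(f"doc {n}: amount {amount} outside (0, {AMOUNT_LIMIT}]")
    return errors


def check_batch(header, documents):
    """Run the input controls over a keyed batch.

    Returns (accepted, exceptions): the documents cleared for processing, each
    marked cancelled so it cannot be keyed again, and the exception report.
    """
    exceptions, accepted, cancelled = [], [], set()
    for doc in documents:
        n = doc["doc_no"]
        errors = validate_document(doc)
        if n in cancelled:                                  # entered once only
            errors.append(f"doc {n}: entered more than once")
        if not header.first_doc <= n <= header.last_doc:   # belongs to this batch
            errors.append(f"doc {n}: outside batch range {header.first_doc}-{header.last_doc}")
        if errors:
            exceptions.extend(errors)
            continue
        cancelled.add(n)                                    # document cancellation
        accepted.append({**doc, "cancelled": True})

    # Completeness: every pre-printed number in the range must have been keyed.
    keyed = {d["doc_no"] for d in documents}
    for n in range(header.first_doc, header.last_doc + 1):
        if n not in keyed:
            exceptions.append(f"doc {n}: missing from batch (gap in sequence)")

    # Control total reconciliation (detective), over everything keyed. The record
    # count is satisfied when a duplicate stands in for a missing document; the
    # sequence check and the amount/hash totals are what catch that case.
    keyed_count = len(documents)
    keyed_amount = sum((to_decimal(d["amount"]) or Decimal(0) for d in documents), Decimal(0))
    keyed_hash = sum(int(d["account"]) for d in documents if d["account"].isdigit())
    for name, got, want in (("record count", keyed_count, header.record_count),
                            ("amount total", keyed_amount, header.amount_total),
                            ("hash total", keyed_hash, header.hash_total)):
        if got != want:
            exceptions.append(f"{name} keyed {got} differs from batch ticket {want}")
    return accepted, exceptions


# Constructed batch ticket for documents 1001-1005 as raised by the department.
HEADER = BatchHeader(1001, 1005, 5, Decimal("5000.00"), 501850)

# Constructed keying of that batch: 1002 keyed twice, 1003 never keyed,
# 1004 keyed with a truncated account number.
KEYED = [
    {"doc_no": 1001, "account": "100200", "amount": "1200.00"},
    {"doc_no": 1002, "account": "100300", "amount": "800.00"},
    {"doc_no": 1002, "account": "100300", "amount": "800.00"},
    {"doc_no": 1004, "account": "10040", "amount": "500.00"},
    {"doc_no": 1005, "account": "100500", "amount": "1800.00"},
]

if __name__ == "__main__":
    ok, report = check_batch(HEADER, KEYED)
    print(f"{len(ok)} documents accepted")
    for line in report:
        print("EXCEPTION:", line)
```

Running it accepts three documents (1001, the first 1002 and 1005) and reports five exceptions. The record count reconciles even though one document is missing, because the duplicate entry of 1002 takes its place; the gap in the pre-numbered sequence and the amount and hash total differences are what expose the problem.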
  - Processing
    - Approved transactions are accepted by the system and processed
    - All rejected transactions are reported, corrected and re-input
    - All accepted transactions are processed once only
    - All transactions are accurately processed
    - All transactions are completely processed
    - Controls may include:
      - Control totals
      - Programmed balancing
      - Segregation of duties
      - Restricted access
      - File labels
      - Exception reports
      - Error logs
      - Reasonableness tests
      - Concurrent update control
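A posting run that exercises several of the processing controls just listed: run-to-run control totals with programmed balancing, a reasonableness test feeding the exception report, an error log for transactions that must be re-input, and a version-based concurrent update control that stops a lost update. This is an added example, not part of the lecture material; the opening balances, the transactions and the reasonableness limit are constructed for the demonstration.

```python
"""Processing controls for a posting run over accepted transactions.

Added example, not from the lecture slides. Balances, transactions and the
reasonableness threshold are constructed; the controls follow the slide's list:
control totals and programmed balancing, reasonableness tests, exception
reports and error logs, and concurrent update control.
"""
from decimal import Decimal

REASONABLE_LIMIT = Decimal("10000.00")   # assumed: larger postings need review first


class Ledger:
    """Account balances, each carrying a version number for concurrent update control."""

    def __init__(self, balances):
        self.balances = {a: Decimal(b) for a, b in balances.items()}
        self.versions = {a: 0 for a in balances}

    def read(self, account):
        """Return (balance, version); the version records the state an update is based on."""
        return self.balances[account], self.versions[account]

    def write(self, account, new_balance, based_on_version):
        """Optimistic concurrent update control: the write is applied only if nobody
        else has updated the account since it was read. Returns True if applied."""
        if self.versions[account] != based_on_version:
            return False
        self.balances[account] = new_balance
        self.versions[account] += 1
        return True

    def total(self):
        return sum(self.balances.values(), Decimal(0))


def processing_run(ledger, transactions):
    """Post a run of transactions and return its control figures.

    Every transaction lands exactly once in posted, the exception report or the
    error log (processed once only, completely), and the run proves that
    opening + net postings == closing (programmed balancing).
    """
    opening = ledger.total()
    posted, exception_report, error_log = [], [], []
    net = Decimal(0)
    for txn in transactions:
        amount = Decimal(txn["amount"])
        if txn["account"] not in ledger.balances:
            error_log.append(f"txn {txn['id']}: unknown account {txn['account']}, re-input required")
            continue
        if abs(amount) > REASONABLE_LIMIT:                 # reasonableness test
            exception_report.append(f"txn {txn['id']}: {amount} exceeds reasonableness limit {REASONABLE_LIMIT}")
            continue
        balance, version = ledger.read(txn["account"])
        if not ledger.write(txn["account"], balance + amount, version):
            error_log.append(f"txn {txn['id']}: concurrent update on {txn['account']}, re-input required")
            continue
        posted.append(txn["id"])
        net += amount
    closing = ledger.total()
    return {
        "opening": opening, "net_posted": net, "closing": closing,
        "in_balance": opening + net == closing,            # run-to-run control total
        "accounted_for": len(posted) + len(exception_report) + len(error_log) == len(transactions),
        "posted": posted, "exception_report": exception_report, "error_log": error_log,
    }


def lost_update_prevented(ledger, account):
    """Two sessions read the same balance; only the first write is applied.
    Returns (first_ok, second_ok) so the control's effect can be checked."""
    bal_a, ver_a = ledger.read(account)
    bal_b, ver_b = ledger.read(account)        # same version as session A
    first = ledger.write(account, bal_a + Decimal("100.00"), ver_a)
    second = ledger.write(account, bal_b - Decimal("40.00"), ver_b)   # stale version: refused
    return first, second


# Constructed opening balances and a run of four accepted transactions.
OPENING = {"100200": "5000.00", "100300": "2500.00", "100500": "0.00"}
RUN = [
    {"id": "t1", "account": "100200", "amount": "1500.00"},
    {"id": "t2", "account": "100300", "amount": "-300.00"},
    {"id": "t3", "account": "100500", "amount": "25000.00"},   # fails the reasonableness test
    {"id": "t4", "account": "999999", "amount": "10.00"},      # unknown account, goes to error log
]

if __name__ == "__main__":
    ledger = Ledger(OPENING)
    result = processing_run(ledger, RUN)
    print("in balance:", result["in_balance"], "| all accounted for:", result["accounted_for"])
    for line in result["exception_report"] + result["error_log"]:
        print("REPORT:", line)
    print("lost update prevented:", lost_update_prevented(ledger, "100200"))
```

Two of the four transactions post, the run balances (7500.00 opening plus 1200.00 net equals the 8700.00 closing), t3 goes to the exception report and t4 to the error log for correction and re-input. The second session in lost_update_prevented is refused because its version is stale, which is exactly the lost update that concurrent update control exists to stop.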
  - Output
    - Hard copy
    - File output
    - On-line enquiry files
    - Primary objectives
      - Assurance that the results of input and processing are output
      - Output is available only to authorized personnel
    - Typical controls
      - Complete audit trail
      - Output distribution logs

- Integrity of programs and processing
  - Change control
    - Prevention of unwanted changes
    - Ensuring adequate design and development control
    - Ensuring adequate testing
    - Controlled program transfer
    - On-going maintainability of systems
  - Systems development
    - Typical controls
      - Use of a formal SDLC
      - User involvement
      - Adequate documentation
      - Formalized testing plan
      - Planned conversion
      - Use of post-implementation reviews
      - Establishment of a QA function
      - Involvement of internal auditors
- Nowadays
  - On-line, real-time input with a small batch component
  - Input via a terminal
  - Instantaneous update
  - Overnight report production
  - Terminals may be local or remote
  - Terminals may be dial-up or dedicated
  - Terminals may be of differing types
- Primary control objectives
  - Availability
  - Security
  - Confidentiality
  - Accuracy
- Microwave
- Satellite
- Cables
- Dedicated
- Dial-up

- Line operations
  - Digital to analogue
  - Simplex: one way only
  - Half-duplex: one way at a time
  - Duplex: two-way communications
  - Wireless: everywhere
- Synchronous communications
  - High speed transmission and reception of long groups of characters
- Asynchronous communications
  - Slow, irregular transmissions, one character at a time with start and stop bits
- Encryption
  - Scrambling of data into unreadable forms such that it can be unscrambled
- Protocol
  - A set of rules for message transmission in the network

- Private/Public Switched Networks (PSNs)
- Value Added Networks (VANs)
- Local Area Networks (LANs)
- Wide Area Networks (WANs)
- The Internet
- The Cloud

- Point-to-point
  - Separate, direct links
- Multidrop
  - Multiple terminals sharing a single line
- Ring networks
  - No central computer; each machine is a "node"
- Star networks
  - Single central computer coordinating all communications

- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Application Software as a Service (ASaaS)
- Online enquiry
  - Allows a remote user to retrieve data directly
  - Primary concern: confidentiality
- Online data entry
  - Remote entry of data
  - Allows concurrent processing of data
  - Primary concerns
    - Transaction authenticity
    - Accuracy
    - Completeness
- Online update
  - As per on-line data entry but with immediate effect
  - Primary concerns
    - Concurrency control
    - Availability

- Availability
- Security
  - Unauthorized access
  - Accidental or intentional changes
- Security threatened areas
  - Operating system
  - Management features
  - Inter-computer communication
  - Dial-up access
  - Gateways
- Poor performance
  - Hardware components
  - Software
  - Data
  - Networking capability
  - Human resources

- Availability ensured by
  - Adequate physical environment
  - Adequate backups
  - Multiple redundancies
  - Peer-to-peer networking
  - Adequate disaster recovery planning
  - Training
- Security: a factor of
  - Hardware
  - Software
  - Human element

- Hardware
  - Theft
  - Sabotage
  - Penetration
- Operating system
  - Theft
  - Corruption
  - By-passing
  - Substitution
- Application software
  - Theft
  - Corruption
  - By-passing
  - Substitution
- Data
  - Theft
  - Corruption
  - Substitution
  - Manipulation
- Human element
  - Insiders: users
  - Insiders: specialists
  - Outsiders: legitimate
  - Outsiders: hackers
- Programming languages
- Who programs?
- The SDLC
- Change control
- Problem management

- Source code
- Object code
- Executable code
- Compilers
- Assemblers
- Interpreters

- Analyze
- Design
- Code
- Test
- Retest
- Redesign
- Retest
- Run
- Audit
- Binary programs
  - Example: 0110 1001 1110 0101
- The symbolic code
  - Example:
        PACK RATE, RATE1
        L    HRS, HRS1
        MVC  REG,4
- FORTRAN
  - Example:
        REGPA=RATE*HOURS
        CALL TXCAL
        DED=WITTX+UIF+INS+PENS
- COBOL
  - Example:
        NET-PAY CALC-ROUTINE.
            MULTIPLY RATE BY HOURS-WORKED
                GIVING NORMAL-PAY
- Future
  - 4th Generation Languages
  - 5th Generation Languages
  - No languages?
  - Artificial intelligence
- The SDLC
  - Used to control the generation of programmed systems
  - Objective: to produce a quality system, as specified, on time, within budget
  - Primary phases
    - Feasibility study
    - Outline system design
    - Detailed system design
    - Code
    - Test
    - Implement
    - Post-implementation review
- Availability of user staff
- Access to the right level of staff
- "Technology lust"
- Over-extended timescales
- Inexperienced staff
- Timescale problems
  - Too long between milestones
  - Key staff change
  - Business objectives change
  - Costs escalate
  - Hardware / software may become obsolete

- Agreed schedules / schedule review
- Work assignment
- Performance monitoring
- Progress monitoring
- Status reporting and follow-up
- Project planning elements
  - Project guidelines
  - Work breakdowns
  - Start and completion dates
  - A monitoring mechanism

- Incomplete economic evaluation
- Management abdication
- Inadequate specifications
- Systems design errors
- Incompetent personnel
- Technical self-gratification
- Poor communication
- No project "kill" points
- Temptations to computer abuse
- Incoherent direction
- Erroneous management decisions

- Unacceptable accounting policies
- Inaccurate record-keeping
- Business interruption
- Built-in fraud
- Violation of legal statutes
- Excessive operating cost
- Inflexibility
- Overrun budgets
- Unfulfilled objectives
- Acquisition of data
- Identification of data
- Development of conversion programs
- Sanitization of input data
- Maintenance of current systems
- File conversion
  - Major task
  - Requires strict control
  - May jeopardize the whole project
  - Rubbish in, rubbish out
  - Audit involvement essential
- Change control
  - Objective: to ensure risk is controlled, not introduced, during a change
  - All changes are authorized
  - All authorized changes are made
  - Only authorized changes are made
  - All changes are as specified
  - All changes are cost-effective
- Emergency changes
  - Objective: to control systems during emergency situations
  - Unforeseen changes
  - Bypass normal control mechanisms
  - May require direct programmer access to live data
  - Must be controlled separately
  - Must involve user authorization
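The change control objectives above and the separate treatment of emergency changes can be tested after the fact by reconciling the change register against what is actually running. This is an added example and not part of the lecture material: the program names, the change register and the hashes of the "approved build" and of production are constructed, and a SHA-256 of the program text stands in for whatever fingerprint the installation keeps of a transferred program. Each objective maps to one finding type: an authorized change not made, a change made but not as specified, a program changed with no authorization at all, and an emergency change without the user authorization the slide requires.

```python
"""Reconciliation of authorized changes against what is actually in production.

Added example, not from the lecture slides. The change register, the program
baseline and the production inventory are constructed; the checks follow the
slide's objectives (all changes authorized, all authorized changes made, only
authorized changes made, all changes as specified) and the emergency-change
rule that user authorization must be obtained.
"""
import hashlib


def artifact_hash(program_text):
    """Fingerprint of a program as approved for transfer, or as found in production."""
    return hashlib.sha256(program_text.encode()).hexdigest()


def reconcile_changes(register, baseline, production):
    """Compare the change register with production and return the audit findings.

    register:   {change_id: {"program", "approved_hash", "emergency", "user_authorized"}}
    baseline:   {program: hash recorded at the previous reconciliation}
    production: {program: hash of what is running now}
    """
    findings = []
    covered = set()
    for cid, chg in register.items():
        prog = chg["program"]
        covered.add(prog)
        current = production.get(prog)
        if current is None:
            findings.append(f"{cid}: program {prog} is absent from production")
        elif current == baseline.get(prog):
            findings.append(f"{cid}: authorized change not made ({prog} unchanged)")
        elif current != chg["approved_hash"]:
            findings.append(f"{cid}: change made but not as specified ({prog} differs from the approved build)")
        if chg["emergency"] and not chg["user_authorized"]:
            findings.append(f"{cid}: emergency change lacks user authorization")
    # Only authorized changes are made: anything that differs from the baseline
    # without a register entry is an unauthorized change.
    for prog in sorted(production):
        if prog not in covered and production[prog] != baseline.get(prog):
            findings.append(f"{prog}: changed in production with no authorized change")
    return findings


# Constructed program inventory: the builds recorded at the previous review.
BASELINE = {p: artifact_hash(f"{p} v1") for p in ("PAYROLL", "GL", "ORDERS", "INVENTORY", "BILLING")}

# Constructed change register since that review.
REGISTER = {
    "CR-101": {"program": "PAYROLL", "approved_hash": artifact_hash("PAYROLL v2"),
               "emergency": False, "user_authorized": True},
    "CR-102": {"program": "GL", "approved_hash": artifact_hash("GL v2"),
               "emergency": False, "user_authorized": True},
    "CR-103": {"program": "ORDERS", "approved_hash": artifact_hash("ORDERS v2"),
               "emergency": False, "user_authorized": True},
    "EM-7": {"program": "INVENTORY", "approved_hash": artifact_hash("INVENTORY v2"),
             "emergency": True, "user_authorized": False},
}

# Constructed view of production: PAYROLL as approved, GL never transferred,
# ORDERS altered after approval, INVENTORY as approved, BILLING hot-fixed
# with no change record at all.
PRODUCTION = {
    "PAYROLL": artifact_hash("PAYROLL v2"),
    "GL": artifact_hash("GL v1"),
    "ORDERS": artifact_hash("ORDERS v2 plus an untested tweak"),
    "INVENTORY": artifact_hash("INVENTORY v2"),
    "BILLING": artifact_hash("BILLING v1 hotfix"),
}


def audit_findings():
    """Reconcile the constructed register, baseline and production inventory."""
    return reconcile_changes(REGISTER, BASELINE, PRODUCTION)


if __name__ == "__main__":
    for finding in audit_findings():
        print("FINDING:", finding)
```

The run produces four findings, one per objective breached, and none for CR-101, whose production hash matches the approved build. The same comparison works for the emergency path: the change is still recorded in the register, so it is reconciled like any other, and the missing user authorization is reported on top of that.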
- Definition of Terms
  - Database: a collection of data logically organized to meet the information requirements of a universe of users.
  - Database Management System (DBMS): a hardware/software system which manages data by providing organization, access and control functions.
  - Data Dictionary / Data Directory System (DD/DS): the software which manages a repository of information about data and the database environment.
  - Database Administrator: a human function involved in the co-ordination and control of data-related activities.
  - User System Interfaces: components of the database environment which request, manipulate and transform data into information for an end user.
  - Data structures: the interrelationships of data.
  - Storage structures: methods and techniques used to physically represent data structures on storage devices.
  - Access methods: software logic procedures used to retrieve, insert, modify, and delete data on a storage device.

- Models
  - Sequential
  - Hierarchical
  - Network
  - Relational

- Components
  - Data Definition Language (DDL)
  - Storage Structure Definition Language (SSDL)
  - Data Manipulation Language (DML)
  - DBMS Nucleus and Utilities
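The database terms and components defined above, shown on a small relational example. This is an added example, not part of the lecture material: the payroll schema and rows are constructed, and the sqlite3 module shipped with Python stands in for the DBMS, its sqlite_master catalog for the data dictionary/directory, and a view for a user system interface. It separates the DDL (structures and the rules attached to them) from the DML (the data), and shows the DBMS's control function refusing rows that break those rules before any application code sees them.

```python
"""DDL, DML and the data dictionary side by side, using the DBMS bundled with Python.

Added example, not from the lecture slides. The payroll schema and rows are
constructed; sqlite3 stands in for the DBMS, its sqlite_master catalog for the
data dictionary/directory, and the view for a user system interface.
"""
import sqlite3

# Data Definition Language: describes the data structures and the rules the DBMS
# enforces on them (keys, references, value checks).
DDL = """
CREATE TABLE employee (
    emp_no  INTEGER PRIMARY KEY,
    name    TEXT    NOT NULL,
    rate    NUMERIC NOT NULL CHECK (rate > 0),
    dept    TEXT    NOT NULL
);
CREATE TABLE timesheet (
    emp_no  INTEGER NOT NULL REFERENCES employee(emp_no),
    week    TEXT    NOT NULL,
    hours   NUMERIC NOT NULL CHECK (hours BETWEEN 0 AND 80),
    PRIMARY KEY (emp_no, week)
);
-- A user system interface: requests and transforms data into information.
CREATE VIEW gross_pay AS
    SELECT e.emp_no, e.name, t.week, e.rate * t.hours AS gross
    FROM employee e JOIN timesheet t ON t.emp_no = e.emp_no;
"""


def open_database():
    """Create the in-memory database and apply the DDL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # make the REFERENCES clause enforced
    conn.executescript(DDL)
    return conn


def load_sample(conn):
    """Data Manipulation Language: insert the constructed rows."""
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)",
                     [(1, "A. Reyes", 25, "OPS"), (2, "B. Santos", 30, "FIN")])
    conn.executemany("INSERT INTO timesheet VALUES (?, ?, ?)",
                     [(1, "2022-W01", 40), (2, "2022-W01", 36)])
    conn.commit()


def data_dictionary(conn):
    """What the DD/DS holds: every object's type and name (its SQL text is there too)."""
    return conn.execute(
        "SELECT type, name FROM sqlite_master WHERE name NOT LIKE 'sqlite_%' "
        "ORDER BY type, name").fetchall()


def gross_pay(conn):
    """Information for the end user, produced through the view rather than the base tables."""
    return conn.execute("SELECT name, gross FROM gross_pay ORDER BY emp_no").fetchall()


def dbms_control_function(conn):
    """The DBMS's control function: a timesheet for an unknown employee and a
    negative pay rate are refused by the access method itself, not left to the
    application. Returns the outcome of each attempt."""
    attempts = [("INSERT INTO timesheet VALUES (?, ?, ?)", (9, "2022-W01", 10)),
                ("INSERT INTO employee VALUES (?, ?, ?, ?)", (3, "C. Cruz", -5, "OPS"))]
    outcomes = []
    for stmt, params in attempts:
        try:
            conn.execute(stmt, params)
            outcomes.append("accepted")
        except sqlite3.IntegrityError:
            outcomes.append("rejected")
    return outcomes


if __name__ == "__main__":
    db = open_database()
    load_sample(db)
    print("data dictionary:", data_dictionary(db))
    print("gross pay:", gross_pay(db))
    print("control function:", dbms_control_function(db))
```

For an auditor the useful point is the data dictionary query: it lists the structures that exist and the rules attached to them without touching the data, which is where a review of the database environment starts. The two refused inserts show the DBMS's control function doing what an application-level check would otherwise have to do for every program that writes to these tables.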
