Scribd Logo
Upload

Welcome to Scribd!

  • Chapter 10

    Uploaded by

    Ria Bago
    21 views15 pages
    Accounting materials

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Accounting materials

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    Download as pdf
    21 views15 pages

    Chapter 10

    Uploaded by

    Ria Bago
    Accounting materials

    Copyright:

    © All Rights Reserved
    Download as PDF or read online from Scribd
    Flag for inappropriate content
    Download as pdf
    of 15
    Processing Integrity and Availability Controls Wetec ‘After studying this chapter, you should be able to: 41. Identify and explain the input, processing, and output controls designed to ‘ensure pracessing integrity. 2. Identify and explain controls designed to ensure systems availabilty by mini- ‘mizing the rik of system downtime and enabling efficient recovery ancl resumption of operations MTU Northwest Industri Jason Scott began his review of Northwest Industries’ processing integrity and availability ‘controls by meting with the chief financial officer (CFO) and the chief information officer (ClO). The CFO mentioned that she had just read an article about how spreadsheet errors had caused several companies to make poor decisions that cost them millions of dol- lars, She wanted to be sure that such problems did not happen to Northwest Industries. She also stressed the need to continue to improve the monthly closing process 40 that management would have more timely information. The CIO expressed concern about the ‘company's lack of planning for how to continue business operations in the event of a ma- jor natural disaster, such as Hurricane Sandy, which had forced several small businesses to owe Jason Haake effectiveness of Northwest Industries’ procedures for ensuring processing integrity and availabilty. 1 for Maes input and wet ebovut cullecting evideuwe abou Introduction ‘The previous two chapters discussed the first three principles of systems reliability iden- tified in the Trust Services Framework: security, confidentiality, and privacy. This chapter ‘addresses the remaining two Trust Services Framework principles: processing integrity and availability Processing Integrity ‘The processing integrity principle ofthe Trust Services Framework states that a reliable sys- tem is one that produces information that is accurate, complete, timely, and valid, Table 10-1 lists the basic controls over the input, processing, and output of data that COBIT 5 process 'DSS06 identifies as hing essential for processing integrity INPUT CONTROLS ‘The phrase “garbage in, garbage out” highlights the importance of input controls. Ifthe data entered into & system are inaccurate, incomplete, or invalid, the output will be too. Conse quently, only authorized personnel acting within their authority should prepare source docu- ‘ments. In addition, forms design, cancellation and storage of source documents, and automated data enry controls are needed to verify the validity of input data, FORMS DESIGN Source documents and other forms should be designed ta minimize the chances for errors and omissions. Two particularly important forms design controls involve Sequentially prenumbering source documents and using turnaround documents 4. All source documents should be sequentially prenumbered. Prenumbering improves con- trol by making it possible to verify that no documents are missing. (To understand this, consider the difficulty you would have in balancing your checking account if none of ‘your checks were numbered.) When sequentially prenumbered source data documents are ‘used, the system should be programmed to identify and report missing or duplicate source documents. 2. A turnaround document is record of company data sent to an external party and then returned by the external party for subsequent input to the system, Turnaround documents fre prepared in machine-readable form to facilitate their subsequent processing as input records. An example isa uility bill that a special scanning device reads when the bills retumed with a payment. Tumaround documents improve accuracy by eliminating the [tential for ioget errs when eatering Asn msmlly, CANCELLATION AND STORAGE OF SOURGE DOCUMENTS Source documents that have been cntered into the sytem should be canceled so they cennct be inndvertenty or frmidulently reenlered into the system, Paper documents should be defaced for example, by stamping them “paid Electronic documents can be similarly “canceled” by setting a flag field to indicate thatthe document has already been processed. Note: Cancellation des not mean disposal Original source documents (or their electronic images) should be retained for as long 2s needed to satisfy legal and regulatory requirements and provide an audit tral, nay te exert py for isequentinpat othe stem, oar 208 PART II_ CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS. ‘pele mere ana in er fee ave the aprprte arthmesc pendiowrinc res the inat dt wil into te stig ld emeletenae ac tet ‘vel chock ht vs hat Sidnarequreahve been ‘Sarcampues he ce rater fle to very athe hector checks numbers ech wetory tam arbor an fentaina ched digit computed fem hectare check verfeston Rec fulsinga check age tery edger eerhanot TABLE 10-1 Appication Contos fr Processing Integrity [PROCESS STAGE THREATS/RISKS CONTROLS, Input Data that i: Farms desig, cancelation and = oval Storage of documents, autho- 1 Unauthorized ‘aston and segregation of 1 Incomplete duties contol, visual scanning, Inaccurate data entry contols Processing Error in output and stored data Data matching, le label, batch totals, ros-foating and ze balance ests, write protection mechanisms, database process Ing itegnty controls Ourput “6 Use ofinaccurate or incom Reviews and raconclations, plete report ‘enrypton and acces controls, ‘+ Unauthorized disclosure of party checks, message sensitive information aeknculedgment techniques 1+ Lass, alteration, or disclosure ‘of information in transit, DATA ENTRY CONTROLS Source documents should be scanned for reasonableness and pro- priety before being entered into the system. However, this manual control must be supple- ‘mented with automated data entry controls, such as the following: ‘© AMield check determines whether the characters in afield are ofthe proper type. For ex- ample, a check on a field that is supposed to contain only numeric values, such as a US. 2p code, would indicate an error if it contained alphabetic characters. ‘© A sign check determines whether the data in a field have the appropriate arithmetic sign. For example, the quantty-ordered field should never be negative. (© A limit check tests a numerical amount against a fixed value. For example, the regular hhours-worked field in weekly payroll input must be les than or equal to 40 hours. Simi- larly the hourly wage field should be greater than or equal tothe minimum wage. ‘© A range check tests whether a numerical amount falls between predetermined lower and ier Hinita Far exarmple, a marketing pronetion might be diveced only to paper ‘with incomes between $50,000 and $99,999. ‘© A size check ensures thatthe input data will fit into the assigned field. For example, te vale-45R.976 25% will on ie cihilgi Geld An is ssn Chaps 8 dee checks are especially important for applications that accept end-user input, providing a ‘way to prevent buffer overflow vulnerabilities ‘© A completeness check (or test) verifies that all required data items have been entered. For example, sales transaction records should not be accepted for processing unless they ‘include the customer's shipping and billing addresses. ‘© A validity check compares the ID code of account number in transaction data with ‘similar data in the master file to verify thatthe account exists. For example, if product ‘number 65432 is entered om a sales orde, the computer must verify that there is indeed a product 65432 in the inventory database. ‘= A reasonableness test determines the correciness ofthe logical relationship between ‘to data items. For example, overtime hours should be zero for someone who has not ‘worked the maximum number of regular hours ina pay period. © [Decode (such as part numbers) can contain a check digit that is computed from the other digits. For example, the system could assign each new inventory item a nine-digit ‘number, then calculate a tenth digit from the original nine and append that calculated ‘number tothe original nine to form a 10-digit part number. Data entry devices can then bbe programmed to perform check digit verification, which involves recalculating the check digit to identify data entry errors. Continuing our example, check digit verfica- tion could be used to verify accuracy ofan inventory item number by using the first nine “digits to calculate what the tenth digit should be. Ifan error is made in entering any of the ten digits, the calculation made on the first nine digits will not match the tenth, or ‘check digit. Note that check digit verification only tests whether an ID code ina transac- tion recond could exist. A validity check is the only way to verify tha the ID code really docs exist. ‘The preceding data entry tests are used for both batch processing and online real-time pro- ‘cessing. Additional data input controls differ forthe two processing methods. ADDITIONAL BATCH PROCESSING DATA ENTRY CONTROLS ‘© Batch processing works more efficiently i the transactions are sorted so that the ac ‘counts affected are i the same sequence as records are stored inthe master file. For ‘example, accurate batch processing of sales transactions to update customer account bal- tances reqjizes thatthe aalestranaections file fiat be sorted by customer account murnber ‘A sequence check tests whether a transaction fie isin the proper numerical or alpha bbetical sequence. ‘© Anerror log that identifies data input errors (date cause, problem) facilitates timely review and resubmission of transactions that cannot be processed. © Batch totals calculate numeric values for a batch of input records, The following are three commonly used batch totals: L.A financial total sums afield that contains monetary values, such asthe total dollar amount of all sales for a batch of sales transactions. 2. A hash total sums a nonfinancial numeric field, such as the total of the quantity- ‘onlered field in a batch of sales transactions. |3. A record count is the number of records in a batch. ADDITIONAL ONLINE DATA ENTRY CONTROLS ‘© Prompting, in which the system requests each input data iter and waits for an accept- able response, ensures that all necessary data are entered (ie, prompting is an online ‘completeness check). © Closed-Loop verification checks the accuracy of input data by using i to retrieve and display other related information. For example, ifa clerk enters an account number, the ‘system could retrieve and display the account name so thatthe clerk could verily that the ‘correct account number had been entered © A transaction log includes a detailed record of al transactions including a unique trans- action identifier the date and time of entry, and who entered the transaction. If an online file is damaged, the transaction log can be used to reconstruct the file. Ifa malfunetion temporarily shuts down the system, the transaction log can be used to ensure that trans- actions are not lost or entered twice. Controls are also needed to ensure that data is processed correctly, Important processing con- trols include the following: © Data matching. in certain cases, wo or more items of data must be matched before an action can take place. For example, before paying a vendor, the system should verify that {information on the vendor invoice matches information on both the purchase order and the receiving report. © File labels. File labels need to/be checked to ensure that the correct and most current files are being updated. Both extemal labels that are readable by humans and internal labels that are written in machine-readable form on the data recording media should be used. Two important types of internal labels are header and trailer records. The header record is located atthe beginning of each file and contains the fle name, expiration ‘date. and other identification data. The trailer record is located atthe end of the file: in {transaction fies it contains the batch totals calculated during input. Programs should be designed to read the header record prior o processing, to ensure that the correct file is ‘hat determines fa ansaction Spistow noun” batch ote The sam of oaumers eaeused prior Sancta Ape of atch total that equal he sum of ‘ed that conte money ach tot Atgpe of batch tic tors tals armed (ily beta fact cour type oft ‘Stl ht equal he arbor of (co pce st a fray complete heck at ‘ua cached tm ot ‘pu data en at fo ‘tcaprtie espe ato ‘Set tere mand sone lop verison An in atvldaton moth ha uses Sched ine the een Seca Senay peconcan sete Seeuaay of emp ta header record -Type fina (Shel that appear athe i> ting of ech lea cortanes ‘bee am, expraton date, fernennnr tg {Sir caelated dang np 300 PART | CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS. protec eer rom plese semped ose ‘eae record sane. ‘being updated. Programs should also be designe to read the information inthe waler record after processing o verify tha al inpat ecord have been correctly processed © Recalculation of bich totals. Batch tals should be computed a each transaction record is processed, and the total forthe batch should then be compare tthe values the wale record. Any discrepancies indicate a processing err. Often, the nature of the discrepancy provides clue about the type of eror that occured. For example, ithe e- Computed record count is smaller than the orginal. one or more transaction reconls Were ‘ot processed, Conversely, ifthe recomputed record count is larger than the eign, cither additional unauthorized wansactons were procescd, or some ansaction records ‘were processed twice. Ifa financial or hash total discrepancy is evenly divisible by 9, the Tikely caus i a transposition error, i which two adjacent digits were inadvertelly r- ‘versed (46 inscal of 6. Trasposition eros may appear to Be val but can have enormous financial consequences. For example, consider the effect of misrecording the interest rate ona loan. as 6.4% instead of 4.6%. © Cross-foting and zero-balance tests. Otc tals can be calculated in multiple ways. For example, in spreadsheets a grand total can be computed citer by summing a column ‘of ow totals or by summing row of column totals. These two methods should produce the same esul. A eross-footing balance test compares the results produced by each ‘method to verify accuracy. A zerocbalance test applies this same logic to verify the ac- curacy of processing that involves contol accounts. For example the parol clearing account is debited forthe total gross pay ofall employees im a particular time period. It {s them credited forthe amount ofall labor cost allocated to various expense categorie. ‘The payroll clearing account should have a zero balance after both sts of entries have ‘been made; a nonzero balance indicates a processing emor ‘© Write protection mechanisms. These protect against overwriting or erasing of data files stored on magnetic media. Write-protection mechanisms have long been used to protect master files from accidentally being damaged. Technological innovation aso Etceastete the une of writeprotecton mechoniaee to protect the integrity of teomamtion data. For example, radiofrequency identification (RFID) tags wsed to tack Enemy ‘eed to be write-proteced so that unscrupulous customers cannot change the pice of merchandise. © Concurrent update controls. ors can occur when two oF more users temp to update the same record similtancounly. Concurrent update controls prvent such erors by locking out one user until the system has finished processing the transaction entered by the other. (Careful checking of system output provides additional control over processing integrity. Im- ‘portant output controls include the following: © User review of output. Users should carefully examine system output to verify that iis reasonable, that its complete, and that they ae the intended recipients. © Reconciliation procedures. Periodically all transactions and other system updates should be reconciled to control reports, ile status/update reports, or ther control mecha- nisms. In addition, general ledger accounts should be reconciled to subsidiary account totals on a regular basis. For example, the balance of the inventory control account in the general ledger should equal the sum ofthe item balances in the inventory database. ‘The same is true forthe accounts receivable, capital assets, and accounts payable control ‘© External data reconciliation. Database totals should periodically be reconciled with data maintained outside the system. For example, the number of employee records in the ‘payroll fle can be compared with the total number of employee: in the human resource: database to detect attempts to add fictitious employees to the payroll database. Similarly, inventory om hand should be physically counted and compared tothe quantity on hand recorded in the database ‘© Data transmission controls. Organizations also need to implement controls designed to ‘minimize the risk of data transmission errors. Whenever the receiving device detects @ CHAPTER 10 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS 30 ‘data transmission eror, it requests the sending device to retransmit that data. Generally, this happens automatically, and the user is unaware that it has occurred. For example, the ‘Transmission Control Protocol (TCP) discussed in Chapter 8 assigns a sequence number tocach packet and uses that information to verify that all packets have been received and to reassemble them in the correct order. Two other common data transmission controls are checksums and parity bits A. Checksums. When data are transmitted, the sending device can calculate a hash of the file, called a checksum. The receiving device performs the same calculation and sends the result 10 the sending device. Ifthe two hashes agree, the transmission is, presumed to be accurate. Otherwise, the file is resent. 2. Parity bis. Computers represent characters asa st of binary digits called bits. Fach bit has two possible values: O or 1. Many computers use a seven-bit coding scheme, Which is more than enough to represent the 26 leters inthe English alphabet (both upper- and lowercase), the numbers 0 through 9, and a variety of special symbols (S, %, &, etc). A parity bit i an extra digit added tothe beginning of every character that can be used to check trmamission accuracy. Two basic schemes are referred toa even parity and odd parity. In even parity, the parity bit is et so that each character hasan even numberof bits with the value I; in odd parity the parity bits set so that an odd number of bits inthe character have the value 1. For example, the digits Sand can be represented by the Seven-bit patterns 0000101 and 00001 11, respectively. ‘An even parity system would set the parity bit for Sto 0, so that it would be transmit- ted as 00000101 (because the binary code for 5 already has two bits with the value 1), The parity bit for 7 would be set to | so that it would be transmitted as 10000111 (because the binary code for 7 has 3 bits with the value 1). The receiving device per- forms parity checking, which entails verifying thatthe proper number of bits are set to the value | in each character received. ILLUSTRATIVE EXAMPLE: CREDIT SALES PROCESSING We now use the processing of credit sles to illustrate how many ofthe application controls that have been discussed actually function. Each transaction record includes the following ‘data sales invoice number, customer account number, inventory item number, quantity sold, sale price, and delivery date. If the customer purchases more than one product, there will, bbe multiple inventory item numbers, quantities sold, and prices associated with each sales transaction, Processing these transactions includes the following steps: (1) entering and edit- {ng the transaction data; (2) updating the customer and inventory records (the amount ofthe ‘credit purchase is added to the customer's balance; for each inventory item, the quantity sold is subtracted from the quantity on hand); and (3) preparing and distributing shipping and/or billing documents, INPUT CONTROLS As sales transactions are entered, the system performs several preliminary validation tests. Validity checks identify transactions with invalid account numbers or invalid inventory item numbers. Field checks verify that the quantty-ordered and price Fields con- tain only numbers and that the date field follows the correct MM/DDIYYYY format. Sign ‘checks verify that the quantity sold and sale price fields contain positive numbers. range ‘check verifies that the delivery date isnot earlier than the current date nor later than the com- pany's advertised delivery polices. A completeness check tests whether any necessary fields (ee. delivery address) are blank. If batch processing is being used, the sales are grouped into batches (typical size = 50) and one of the following batch totals is caleulated and stored ‘with the batch: a financial total ofthe total sales amount, a hash total of invoice numbers, or a record count. PROCESSING CONTROLS The system reads the header records forthe customer and inven- tory master fles and verifies thatthe most current version is being used. As each sales invoice is processed, limit checks are used to verify thatthe new sale doesnot increase that customer's account balance beyond the pre-established credit limit. If it does, the transaction is emporar- Steticcag seit An ied party hcg At ae Senay bt ery scuy 302 PART II. CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS me. FOCUS 10-1 Ensuring the Proce Electronic voting may eliminate some ofthe types ofprab- Jems that occur with manual or mechanical voting. Forex: ‘ample, electronic voting sofware could use limit checks to [prevent voters fram attempting to select more candidates than permitted in a particular race. A completeness check would identify @ voter faliure to make a choice in every ‘race, and closed-loop verification could then be used to very whether that was intentional. (This would eliminate the “hanging chad” prablem created when voters fall to punch cut the hole completely on a paper allt) [Nevertheless there are concems about electronic vot- Ing, particularly its audit tail capabilities, Atiesueis the ablity to very that only propery registered voters did in- {deed vote and that they voted only once. Although no ‘one disagrees with the need for such authentication, there | debate over whether electronic voting machines can Create adequate aut tals without risking the loss of vot fee anonymity. ‘There is also debate about the overall security and celiablity of electronic voting, Some securty experts ug- (gest that election oficial should adopt the methods used by the state of Nevada to ensure that elactranie gambling 9 Integrity of Electronic Voting ‘machines operate honesty and accurately, which include the folowing: ‘+ Access to the source code. The Nevada Gaming Control Board keeps copies of all software. tiillegal for casinos to use any unregistered sofware, Similarly, security experts recommend that the government should keep copies of the source code of electronic voting software. “+ Hardware checks. Frequent on-site spot chacks of the computer chips in gambling machines are made to ven compliance with the Nevada Gaming Contra! Board's records. Similar tests should be done to voting ‘machines. «+ Tests of physical security. The Nevada Gaming Con- trol Board extensively tests how machines react to ‘tun guns and large electric shocks. Voting machines should be sila teste. ‘+ Background checks. All gambling machine manufac turers ae carefully crutinzed and registered. Similar checks should be performed on voting machine manu facturers, 35 well as election software developers. ‘verifies that the new quantity on hand for each inventory item is greater than or equal to zero. ‘Arrange check verifies that each item's sales price falls within preset limits. A reasonable- ress check compares the quantity sold to the item number and compares both to historical averages. If batch processing is being used, the system calculates the appropriate batch total land compares ito the batch total created during input: if financial total was calculated, its ‘compared tothe change in total accounts receivable: if a hash total was calculated, itis recal- culated as each transaction is processed; if a record count was created, the system tracks the ‘numberof records processed in that batch. Ifthe two batch totals do not agree, an error report is generated and someone investigates the cause ofthe discrepancy. OUTPUT CONTROLS Billing and shipping documents are routed to only authorized employ- ces in the accounting and shipping departments, who visually inspect them for obvious erors. ‘A control report that summarizes the transactions that were processed is sent tothe sales, ac ‘counting, and inventory control managers for review. Each quarter inventory inthe warehouse is physically counted and the results compared to recorded quantities on hand for each iter ‘The cause of discrepancice is vestigated and adjusting entries are made to correct recorded quantities. "The preceding example illustrated the use of application controls to ensue the integrity of processing business transactions. Focus 10-1 explains the importance of processing integrity controls in nonbusiness settings, oo. PROCESSING INTEGRITY CONTROLS IN SPREADSHEETS ‘Most organizations have thousands of spreadsheets that are used to support decision-making. ‘Yet, because end users almost always develop spreadsheets, they seldom contain adequate ap- plication controls. Therefore, iis not surprising that many organizations have experienced se- ‘ous problems caused by spreadcheet errors For example, an August 17, 2007, article in CIO CHAPTER 10 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS Magacine! desesibes bow spreadsheet cuors caused companies w lose mouey, issue exroncous dividend payout announcements, and misteport financial results. ‘Careful testing of spreadsheets before use could have prevented these kinds of costly. mistakes. Although most spreadsheet software contains built-in “audit” features that can eas- ily detect common errors. spreadsheets intended to support important decisions need more thorough testing to detect subtle errors. tis especially important to check for harawiring, where formulas contain specific numeric values (e.g. sales tax = 8.54 x A33). Best practice is to.use reference cells (e.g, store the sales tax rate in cell AS) and then write formulas that include the reference cell .. change the previous example to sales tax = A8 X A33). The problem with hardwiring is thatthe spreadsheet intially produces correct answers, but when the hardwired variable (e-., the sales tax rate in the preceding example) changes, the formula may not be corrected in every cell that includes that hardwired value. In contrast, following the recommended best practice and storing the sales tax value in a clearly labeled cell means that when the sales tax rate changes. only that one cell needs to be updated. This best practice also ensures thatthe updated sales tax rate is used in every formula that involves calculating sales taxes. Availability Interruptions to business processes due to the unavailability of systems or information can ‘cause significant financial losses. Consequently, COBIT 5 control processes DSSO1 and DS804 address the importance of ensuring that systems and information are available for tuse whenever needed. The primary objective isto minimize the risk of system downtime. It i impossible, however, to completely eliminate the risk of downtime. Therefore, organiza- tions also need controls designed to enable quick resumption of normal operations after an ‘event disrupts system availability. Table 10-2 summarizes the key controls related to these wo. “objectives Organizations can undertake a variety of actions to minimize the risk of system downtime. ‘COBIT 5 management practice DS$0105 identifies the need for preventive maintenance, such as cleaning disk drives and properly storing magnetic and optical media, to reduce the risk of hardware and software failure. The use of redundant components provides fault tolerance, ‘hich isthe ability ofa system to continue functioning in the event that a particular compo- nent fails. For example, many organizations use redundant arrays of independent drives (RAID) instead of just one disk drive. With RAID, data is written to multiple disk drives simultaneously. Thus, ifone disk drive fails the data can be readily accessed from another. TABLE 10-2 Availabilty: Objectives and Key Controls ‘OBJECTIVE ‘KEY CONTROLS 11 Tevmininine ra system dete 2. Quick and complete recovery and resump- tion of normal operations faut tlrance- The capa Slaaytemis continue per forming whan tare shard. feet ves (AID) -A faut (eareetecngue that records Sonne dt dee featetans 20 PART | CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS, rine per siety (UPS) An ater power ‘Seely devce tat pears eee tyringtery poner to het pater fo operate long rough to backup arta! Sat Sedat don recovery pint objectne (0) The amour of tthe (enanton ning torment cr potent xe, FIGURE 10-1 Relationship of Recovery Point Objective and Recovery Time Objective COBIT 5 management practices DSS01.04 and DSS01.05 address the importance of lo- cating and designing the data centers housing mission-critical servers and databases so as 10 ‘minimize the risks associated with natural and human-caused disasters. Common design fea- tures include the following: «Raise floors provide protection from damage caused by flooding. Fre detection an suppression devioes reduce the klibood af fire damage. © Adzyuats air condiGing eysicms redace the Hklbood of damage to computer equip- tment duc to overheating or bay. Cables with special pops that cannot be easily removed redace the rskof sytem dam- ge dw to acetal unplagging of the device. Strge-procction devices provide protectin agama teoporary power uctintions hat ‘might eherwise case computers and ether network equipment to crash «An uninterruptible power supply (UPS) stem provides protection in the event of ‘prolonged poner stage sing bltery power to enable the system to operas long ough o hick up ercal data and safely shutdown (However, ts important to ep lary inspect and test the bateris ina UPS to ensure that it wil function when needed.) Physical access controls rece the risk ofthe or damage. ‘Training can also reduce the risk of system downtime. Welltrained operators are less likely to make mistakes and will know how to recover, with minimal damage, from errors they do commit. That is why COBIT 5 management practice DSS01.01 stresses the importance of defining and documenting operational procedures and ensuring that IT staf understand their responsibilities. ‘System downtime can also occur because of computer malware (viruses and worms). ‘Therefore, its important to install, run, and keep current antivirus and anti-spyware programs. ‘These programs should be automatically invoked not only to scan e-mail, bt also any remov- able computer media (CDs, DVDs, USB drives, ec.) that are brought into the organization. A patch management system provides additional protection by ensuring that vulnerabilities that ccan be exploited by malware are fixed in a timely manner. RECOVERY AND RESUMPTION OF NORMAL OPERATIONS ‘The preventive controls discussed in the preceding section can minimize, but not entirely climinat, the risk of system downtime. Hardware malfunctions, software problems, or human error can cause data to become inaccessible. That's why senior management needs to answer ‘00 fundamental questions: 1. Hlow much data are we willing to recreate from source documents (if they exist) or poten- tially lose if no source documents exist)? 2. How long can the organization function without its information system? Figure 10-1 shows the relationship between these two questions. When a problem occurs, data about everything that has happened since the last backup is lost unless it can be reentered into the system. Thus, management's answer to the first question determines the organiza tion's recovery point abjective (RPO), which represents the maximum amount of data that the organization is willing to have to reenter or potentially Lose. The RPO is inversely related to the frequency of backups: the smaller the desired RPO, the more frequently backups need CHAPTER 19 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS 205, to be made. The answer tothe second question determines the organization's recovery time “objective (RTO), which is the maximum tolerable time to restore an information system after a disaster. Thus, the RTO represents the length of time thatthe organization is willing to at- tempt to function without its information system, DATA BACKUP PROCEDURES Data backup procedures are designed to deal with situations ‘where information is not accessible because the relevant files or databases have become cor- rupted asa result of haniware failure, software problems, or human error, but the information system itself is still functioning. Several different backup procedures exist A full backup is an exact copy of the entire database, Pll backups are time-consuming, so most organizations ‘only do full backups weekly and supplement them with daily partial backups. Figure 10-2 ‘compares the two types of daily partial backups: 1. An incremental backup involves copying only the data items that have changed since the last partial backup. This produces a set of incremental backup files, each containing the results of one day's transactions. Restoration involves first loading the last ull backup and then installing each subsequent incremental backup inthe proper sequence. 2. A differential backup copies all changes made since the last ull backup. Thus, each ‘ew differential backup file contains the cumulative effects of all activity since the last full backup. Consequently, except for the first day following full backup, daily dlferen- tial backups take longer than incremental backups. Restoration is simpler, however, be- ‘cause the last fll backup aceds tobe supplemented with only the most recent differential backup, instead of a set of daily incremental backup files. No matter which backup procedure is used, multiple backup copies should be created. (One copy can be stored on-site, for use inthe event of relatively minor problems, such as fail- ure ofa hard drive. In the event of a more serious problem, such asa fie or flood, any backup ‘copies stored on-site will likely be destroyed or inaccessible. Therefore, a second backup copy reds to be stored off-site, These backup files can be transported tothe remote storage site cither physically (e...by courier) or electronically. In either case, the same security controls rced to be applied to backup files as are used to protect the original copy of the informa tion. This means that backup copies of sensitive data should be encrypted both in storage and Panel A: Incremental Daily Backups (10) The mannan ttre {tne toresore an erganation ‘Rlomaton tem lowing 2 ater rpreserng he length fe athe ose ‘atoning tanpt ‘etn witha te infrmation om eremeral backp Aye ‘pari bad hat mes ‘ping ny he data te ‘athave nged nce he irsltacip Tos pocuces ofinceea bacon fe, Gre aye eon earl bacap-A ype Sijngal Rng mde ‘Src cata. Tn ech Shonen lc ‘Satacoty snce he fal Soe FIGURE 10-2 ‘Comparison of Incremental and Differential Daly Backups 305 “PART I|_ CONTROL AND AUDIT OF ACCOUNTING INFORMATION SYSTEMS secive-Reapy of taba, ‘reid inden a2 enone eco yea ta egal oder, fee recovery lan (ORP)-A thane rates arenas Frepaty nthe event tte (haere detoyed ‘pon tres on scans ean aerate cy tat ‘rete for neceeay ale hone and tere ccs at Soar at esti any comput ingecuienent| pt tat son acess Some operon ater reece nin it nan Soa. = ae during electronic transmission. Access to backup files also needs to be carefully controlled ‘and monitored, Is also important to periodically practice restoring a system from its backups. This veri- fies tha the backup procedure is working correctly and thatthe backup media (tape or disk) ccan be successfully read by the hardware in use. [Backups are retained for only a relatively short period of time. For example, many or- ‘ganizations maintain only several months of backups. Some information, however, must be stored much longer. An archive is a copy of a database, master file, or software that is retained indefinitely as ahistorical record, usually to satisfy legal and regulatory requirements. As with ‘backups, multiple copies of archives should be made and stored in different locations. Unlike backups, archives ae seldom encrypted because their long retention times increase the risk of losing the decryption key. Consequently, physical andl logical access controls are the primary ‘means of protecting archive files. ‘What media should be used for backups and archives, tape or disk? Disk backup is faster, and disks are less easily Lost. Tape, however, is cheaper, easier to transport, and more durable. Consequently, many organizations use both media. Data ae first backed up to disk, for speed, and then transferred to tape. Special attention needs to be paid to backing up and archiving e-mail, because it has become an important repository of organizational behavior and information. Indeed, e-mail ‘often contains solutions to specific problems. E-mail also frequently contains information rel- evant to lawsuits. It may be tempting for an organization to considera policy of periodically deleting all e-mail, to prevent a plaintiff's attorney from finding a “smoking gun” and to avoid the costs of finding the e-mail requested by the other party. Most experts, however, advise against such policies, because there are likely to be copies ofthe e-mail stored in archives outside the organization. Therefore, a policy of regularly deleting all e-mail means that the ‘organization will not be able to tll ts side of the story: instead, the court (and jury) will only read the e-mail created by the other party to the dispute. There have also been cases where the courts have fined organizations millions of dollars for filing to produce requested e-mail. ‘Therefore, organizations accd w buck up and atchive impontant cil while also petealially purging the large volume of routine, ivi e-mail. DISASTER RECOVERY AND BUSINESS CONTINUITY PLANNING Backups are designed to ‘mitigate problems when one or more files or databases become corrupted because of hard- ‘ware, software, or human error. Disaster recovery plans and business continuity plans are de- signed to mitigate more serious problems. ‘A disaster recovery plan (DRP) outlines the procedures to restore an organization's IT function in the event that its data center is destroyed. Organizations have three basic options for replacing their IT infrastructure, which includes not just computers, but also network com- ponents such as routers and switches, software, data, Internet access, printers, and supplies. ‘The first option sto contract for use ofa cold site, which is an empty building that is prewired for necessary telephone and Intemet access, plus a contract with one or more vendors to pro- vide all necessary equipment within a specified period of time. ‘A second option is to contrat for use of a hot site, which is a facility that is not only prewired for telephone and Internet access but also contains all the computing and office ‘equipment the organization needs to perform its essential business activities. The third op- tion is real-time mirroring, which involves maintaining two copies of the database at wo separate data centers at all times and updating both databases in real-time as each transaction ‘The different DRP options (cold site. hot site. or real-time mirroring) vary in cost with cold sites being least expensive and real-time mirroring most expensive. However, the choice should not be driven by cost but should reflect management's decisions about tolerable RPO and RTO. For some organizations, both RPO and RTO must be as close to zero as possible. Airlines and financial institutions, for example, cannot operate without their information sys- tems, nor can they afford to lose data about transactions because they have so many every ‘minute. For such organizations, the goal isnot recovery but resiliency (i... hey must be able {o continue functioning no matter what happens). Real-time mirroring provides maximum re- siliency because both RPO and RTO are close to zero, Transactions are backed up in real CHAPTER 10 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS 07 time, and if something happens o one datacenter, the organization can immediatly shift ll processing o the other. This real-time miroring isthe appropriate DRP choice when RPO, RTO, or both must be close to zero. ‘Some organizations can tolerate the polental loss of some dala and have the ability to ‘operate fora period of time without their AIS. If management has decided that it can tolerate RTO and RPO ranging from hours up ta full day, the choice ofa bot site asa DRP strategy is warranted. And if management can tolerate having both RTO and RPO be grater than one day, using aco site for DRP may be appropriate Organization can choose to build their own hot ste or cold site, or they can contact with third party forthe use of sch facilites. Using a third-party sites less expensive, but it does cary the risk of not beng available when needed. Most providers of hot and cold sites “oversell their capacity under the assumption that at any onetime nly afew cients will eed tose the facilis. Normally, that isa safe assumption. However, inthe event of a major lamity, suchas Hurricanes Katrina and Sandy, that affects every organization ina geographic area, it means that some organizations may not be able to use the services for which they contracted ‘Whereas a DRP focuses on how to resume IT operations inthe event that an organi- zation’s main datacenter becomes unavailable, a business continuity plan (BCP) specifies tunes: cartnutyon how to resume not only IT operations, but ll business processes, inclding relocating to new ©CP-Aptn dt pcos ‘offices and hiring temporary replacements inthe event of a major calamity. Such planing ‘o™rmomme ston js important, Because more than half ofthe organizations without a DRP and a BCP nevet cane be enter reopen after beng forced to close down for more than afew days because ofa disaster. Thus, = having both a DRP and a BCP can mean the difference between surviving a major caasrophc such asa hurricane or terrorist attack and going out of busines. Pocus 10-2 describes how — FOCUS 10-2 How NASDAQ Recovered from September 11 ‘Thanks to its effective disaster recovery and BCPs, NASDAQ was up and running si days after the Septem” bber 11, 2001, terorist attack that destroyed the twin tow fers of the World Trade Center. NASDAQ's headquarters were located on the 49th and! S0th floors of One Liberty Plaza, ust across the street from the World Trade Cen- ter. When the fst plane hit, NASDAQ) security guards Immediately evacuated personnel fom the building. Most cof the employees were out of the building by the ime the second plane crashed into the other tower. Although em- ployees were evacuated from the headquarters and the ‘office in Times Square had termporaily lost telephone se- vice, NASDAQ was able to relocate to a backup center at the nearby Marriott Marquis hotel. Once there, NASDAQ ‘executives went though their lat of priorities! frst, their ‘employees; next, the physical damage; and last, the track ing industry situation. Effective communication became estential in de- termining the condition of these priorties. NASDAQ attributes much of its success in communicating and coordinating with the rst of the industry to its dress re- hearsals for Y2K. While preparing far the changeover, NASDAQ had regular nationwide teleconferences with all the exchanges. This helped it organize similar con- ferences after the 9/11 attack. NASDAQ had already ‘planned for one potential

    You might also like