any potential adverse occurent (or unwanted event)...

that could injure the AIS or org.

process implemented w/in the company...

to provide reasonable assurance...

the 7 control objectives are achieved

1. Safeguard assets
2. Maintain detailed records
3. Accurate & reliable info
4. GAAP accordance
5. ↑ operational efficiency
6. ↑ adherence to mgmt policies
7. comply w/ laws

deter problems before they arise

- ex. -

hire qualified ppl

segregation of duties

physical security

discover problems ASAP

- ex. -

2x check work

reconciliations

trial balances

remedy control problems that have been discovered

...essentially detective controls + fixes

- ex. -

master files

data correction procedures

submission guidelines

make sure an org.'s controls are stable & well-managed

- ex. -

security mgmt

IT infrastructure controls

software controls

Internal Controls

Application Controls

prevent, detect, & correct transaction errors & fraud

...accuracy, completeness, validity, authorization, etc.

prevent bribary of foreign officials in order to obtain business

...effectively forced orgs. to ↑ internal controls

Sarbanes-Oxley Act

Goals

prevent financial statement fraud

↑ transparency

investor protection

↑ internal controls

punish fraud

• Public Company Acctg. Oversight Board
• New Auditor Rules
• New Role for the Audit Committee
• New Rules for Mgmt
• New Internal Control Requirements

Sarbanes-Oxley Act

Public Company Accounting Oversight Board (PCAOB)

controls auditing profession

SEC appoints & oversees

Enforces quality control, ethics, & independence

Sarbanes-Oxley Act

New Auditing Rules

Rotation rules

report to the audit committee

prohibits certain non-auditing roles

Sarbanes-Oxley Act

Audit Committee Role

on Board of Directors, but also "Independent" from mgmt.

1 must be a "financial expert"

oversees external auditors

Sarbanes-Oxley Act

Rules for Management

CEO/CFO certify results

Mgmt responsible for internal controls

Report concerns w/ auditors

Sarbanes-Oxley Act

Internal Control Requirements

Report stating mgmt's responsibility for internal controls

Adequacy of internal control structure

Communicates core values

inspires employees to live values

↑ ethics

sets boundaries for actions

Measures company progress

compares actual vs. planned performance

helps top-level managers w/ high-level activities...

that require frequent & regular attention

...develops proactive tools

Control Objectives for Information & related Technology

(COBIT)

Generally applicable... IS security & controls

1. mgmt. benchmarks for controls
2. assures users of controls
3. auditor opinions & advice

Committee of Sponsoring Organizations

(COSO)

issed the "Internal Control - Integrated Framework"

...generally accepted standard

• defines internal controls
• guidance for evaluation & enhancement

Frameworks

IC vs. ERM

COSO - ERM Cube

Top (x4) - Objectives to acheive org. goals

Strategic - ↑-level goals, aligned w/ mission

Operations - efficiency of operations

Reporting - accuracy, completeness, reliability of internal/external reports

Compliance - compliance w/ applicable laws, etc.

COSO - ERM Cube

8 interrelated risk & control components

(horizontal rows)

Internal Environment - company culture, risk appetite, etc.

Objective Setting - process to set up strategic, operational, etc. objectives

Event Identification - determine events that could affect objectives

Risk Assessment - how to manage them? how will they affect objectives?

Risk Response - align identified risks w/ company's risk appetite...take action

Control Activities - implemented to enable mgmt's risk response

Info & Communication - provide org & ERM info to employees

Monitoring - ongoing basis...changed if necessary

ERM

Internal Environment Components (x7)

1. Mgmt's philosophy, style, risk appetite
2. Board of Directors
3. Commitment to integrity, ethics, etc.
4. Org. Structure
5. Assigment of authority & responsibility
6. HR Standards
7. External Influences

Amount of risk an org. is willing to take on to achieve goals

Must align w/ org. strategy

SOX

Audit Committee Responsibilities

oversee org. internal controls

works w/ external & internal auditors

independent review of mgmt.

Internal Environment

HR Standards

Hire the Right People...need to be qualified

Fair & Aligned Compensation

Training - ethics, strategy, reponsibilities, etc.

External

- Economic

- Natural Environment

- Political

- Social

- Technology

Internal

- Infrastructure

- Personnel

- Process

- Technology

Reduce

implement effective controls to ↓ risk

...most effective

Accept

Take no action...accept likelihood & impact

Share

Transfer some risk

...buy insurance, hedging,etc.

Avoid

avoid risky activities

...sell a bad division, avoid new products, etc.

Risk Assessment & Response

(Steps...x5)

Estimate likelihood & impact of risk

↓

Identify Controls

↓

Estimate Costs & Benefits

↓

Determine Cost/Benefit Feasibility

↓

Implement Control...or Avoid, Share, Accept risk

ERM

Control Activities

policies, procedures, & rules...

that provide reasonable assurance...

that mgmt's control objectives are met...

& risk response occurs

Authorization

Digital Signature

Authorization

Specific Authorization

Major activities/transactions that are...

important, big, unique enough

...to warrant singular attention

Authorization

General Authorization

authorize employees to handle...

routine transactions...

w/o special approval

Segregation of Acctg. Duties

...what activities need to be seperated

• Authorization - approving transactions
• Recording - source docs, journals, etc.
• Custody - handling cash, writing checks, inv.

Segregation of Duties

System Duties

Systems Admin - admins ensure smooth operations

Ntwk Mgmt - ensure devices are linked

Security Mgmt - secure ntwk

Change Mgmt - smooth, error-free ntwk changes

Users - record transactions, authorize, outputs

Systems Analysis - determine needs & develop system

Progamming - write programs based on ↑

Comp. Operations - run software on comps.

IS Library - maintain storage databases

Data Control - monitor data flows, ensure authorizations, etc.

Safeguarding info & physical assets

Methods

Creat & Enforce appropriate policies & procedures

Maintain accurate asset records

Restrict access to assets

Protect records & docs. - offsite backups, etc.

• Top-level reviews
• Analytical reviews
• Reconcile 2+ independent records
• Actual Quantities vs. Recorded amounts
• Double-entry Acctg.
• Independent review

ERM - #7. Info & Communication

Audit Trail

trace individual transactions through system from

...start → finish

Must Understand How:

1. transactions are initiated
2. source docs → machine-readable form
3. files are updated & accessed
4. data processed
5. info is reported to in/external users

Systems Development

Reasons to change the system (x8)

1. Need changes - user, biz, etc.
2. Technology change
3. Improved biz process
4. Competitive Advantage
5. ↑ Productivity
6. Growth
7. ↓ Costs
8. System Integration & Age

Systems Development Life Cycle (SDLC)

Definition

5-step process used to role out new systems

1. Systems Analysis
2. Conceptual Design
3. Physical Design
4. Implementation & Conversion
5. Operations & Maintenance

Systems Development Life Cycle (SDLC)

1 - Systems Analysis

Gather info needed to develop new system

Initial Investigation - is the current system OK? Improvement needed?

Systems Survey - Identify info needs

Feasibility Study

Determine & Deliver system requirements

Systems Development Life Cycle (SDLC)

2 - Conceptual Design

How to meet user needs?

Identify & Evaluate Design Alternatives - Boxed? Modified? Custom? (Buy, Develop, Outsource?)

Develop & Design Specifications - what should the system accomplish

Deliver Conceptual Design Requirements 

       → steering committee

Systems Development Life Cycle (SDLC)

3 - Physical Design

Conceptual Design → detailed specs → code/test programs

Design outputs, databases, inputs, controls

Develop programs & procedures

Deliver developed systems

Systems Development Life Cycle (SDLC)

Implementation & Conversion

bring system together...(capstone)

• Develop implementation & conversion plan
• Install hard/software
• Test system
• Train users
• Documentation
• Deliver operational system

Systems Development Life Cycle (SDLC)

5 - Operation & Maintenance

use system & modify as needed

• post-implementation review
• Operate system
• Modify system
• Ongoing maintenance

• Deliver improved system

Systems Development Life Cycle (SDLC)

User Roles

Management

Support, $$$, staff, big-picture decisions

Accountants

specify needs

development or steering committee members

design controls & monitor

IS Steering Committee - high-level employees

plan & oversee project

↑ goal congruence

Project Development Team -full-time on project

Design, test, review, & sell/deliver system

System Analysts & Programmers

Analysts - study, design, & prepare new systems

Programmers - code based on ↑ specs

Systems Development Life Cycle (SDLC)

Project Development Plan

Master Plan

Project Development Plan

cost/benefit

requirements/needs

schedule of activities

Master Plan

long-range of where AIS is headed

system components, development, players, resources

identifies all activites & their relationships

diagram w/ arrows, nodes, & completion estimates

more detailed than Gantt Chart

Critical Path

path w/ most time to complete

if delayed...the whole project is delayed

is the project feasible?...should we continue?, etc.

• Economic - cost/benefit
• Technical - can existing tech build system?
• Legal
• Scheduling - timely? on schedule?
• Operational - are the right ppl building/using system?

basic framework for feasibility studies

cost savings, other benefits, intial investments...

translated → $$$ estimates

- ex. -

Payback period

NPV, IRR

SDLC - Systems Analysis

Systems Survey

study the present AIS

• understand operations, policies, strengths, weaknesses, available tech, etc.
• assess current & future needs
• relationships w/ users... ↑ support
• identify user needs (interviews, questionnaires, documents, etc.)

Physical Model

how a system functions

describes doc. flow, comp. processes, users, etc.

Logical Model

what is being done

essential activities

information flow

Canned Software

sold to users w/ similar requirements

Turnkey Systems

vendor installation of entire system

sold as a package

Application Service Provider (ASP)

web-based software

"rent" the software

invitation to propose a system

Large companies → vendors

Benchmark Problem

Measure times for RFP solutions to complete tasks

Point Scoring

weight categories

give pts. to vendor solutions

Requirements Costing

estimate cost of buying components separately

total...provides a basis of comparison to RFP

hands-on development, use, & control...

of comp.-based IS by users

Development

users develop their own applications

best for simple projects

Benefits

user interaction

meets user needs

timely

versatile

uses fewer resources

Risks

development errors

↓ testing

inefficient

poor documentation

system incompatibility

analysis & redesign of biz processes & IS...

to achieve significant performance improvements

assisted by BPM - Biz Process Mgmt

approach to system design...

a simplified working model of a system is developed

Used when:

• users don't fully know needs
• requirements are hard to define
• unknown in/outputs
• un/semi-structured tasks
• uncertain technology to use
• system is needed ASAP

Prototyping

Advantages & Disadvantages

Advantages

clarify user needs

↑ user involvement

timely

↓ cost to implement change

Disadvantages

takes up a lot of users' time

↓ efficient use of resources

incomplete system development

possible poor behavioral reactions if abandoned

constant development

Prototyping

Operational vs. Non-operational

Operational

Prototype placed into full-use

Controls, efficiency, backup/recovery, etc. added

Non-operational (throwaway)

used to identify needs for 2nd-gen system

used as a model

integrated package of comp-based tools...

automate important aspects of the software development process

Used to plan, analyze, design, program, & maintain an IS

SDLC - Conceptual Design

Conceptual Design Specifications

Output - what's necessary? how often? online?

Data Storage - what's needed to produce reports?  How should if be stored?

Input - how?...based on the output

Processing Procedures & Operations - how is info processed? frequency?

@ end of conceptual design phase

1. guide physical design
2. communicate how needs will be met
3. help steering committee assess feasibility

Scheduled Reports

prespecified content & format....regularly prepared

Special-Purpose Analysis Reports

opposite of scheduled reports

no pre-perscribed guidelines, etc.

Triggered Exception Reports

like schedule reports, but only prepared in response to abnormal conditions

Demand Reports

like scheduled reports, but only prepared when requested

small, well-defined modules

↓ complexity, ↑ reliability & modifiability

designing a program...

from the top-down (less → more detailed)

summarizes what was accomplished

serves as the basis for mgmt's decision...

to proceed to implementation phase

SDLC - Implementation

Testing the System

Walk-throughs

step-by-step reviews of procedures or program logic

Processing Test Transactions

determines if a program operates as designed

checks transactions to see if they're handled right

Acceptance Tests

use copies of real transactions/files vs. hypothetical ones

Systems Conversion

Conversion Approaches (x4)

Direct Conversion

immediately terminates the old AIS when the new one becomes operational

Parallel Conversion

operate the old & new AIS simultaneously for a time

ex. - process sales w/ both, compare outputs, & correct problems w/ new AIS

Phase-In Conversion

elements of old AIS are gradually replaced by new AIS

ex. - inv. system → disbursements → collections

Pilot Conversion

implement new AIS in just one part of the org.

ex. - 1 branch location vs. all

necessary to transition between systems

mgmt. needs info from old & new AIS

what data should be transferred? presentation? etc.

SDLC - Operation & Maintenance

Post-Implementation Review

performed on new AIS to ensure it meets its planned objectives

results placed in post-implemenation review report

• objectives met?
• users satisfied?
• actual costs?
• reliable, accurate, timely?

Systems Reliability

5 Principles

1. Security
2. Confidentiality
3. Privacy
4. Processing Integrity
5. Availibility

Systems Reliability

#1 - Security

Systems Reliability

#2 - Confidentiality

Systems Reliability

#3 - Privacy

Appropriately...

collect, use, disclose, & maintain...

customer's personal info

Systems Reliability

#4 - Processing Integrity

data processed accurately, completely, & timely

w/ proper authorization

Systems Reliability

#5 - Availability

1) Security is Mgmt's Issue...not a technical one

SOX requirements

mgmt governing policies

2) Time Based Model of Security

time it takes to respond to events that get past detective & preventative controls

3) Defense in Depth

Multiple control layers to prevent "single-point" failure

↑ redundancy = ↑ effectiveness

Preventative Controls

Authentication

Preventative Controls

Multifactor Authentication

requiring 2+ basic authentication controls

1. something you know: passwords, etc.
2. something you have: ID cards, etc.
3. biometric identifier: fingerprints, etc.

restricts access of authenticated users to specific portions of the system

specifies what actions they can perform

implements authorization controls

table specifying which portions of the system users can access & what they can then do

uses compatibility tests to match user credentials vs. matrix to allow access

Border Router - connects org IS to internet

Firewall - sits behind the border router...protects access to info

filters designed to identify & drop packets that are part of an attack

includes deep packet inspection - firewalls that examine the data w/in an IP packet

Detective Controls

Log Analysis

examining logs to monitor security

- ex. -

How many times have ppl tried & failed to access system?

How frequently are attacks?

Detective Controls

Intrusion Detection Systems (IDS)

logs of ntwk traffic that was allowed to pass firewall

...look for attempted & successful intrusions

turns plaintext → ciphertext

ciphertext → plaintext = decryption

Computer Emergency Response Team (CERT)

&

Steps in incident response (x4)

response team that deals w/ major incidents

1. Recognition a problem exists
2. Contain the problem
3. Recovery
4. Follow-up...minimize likelihood of similar incidents

Symmetric Encryption Systems

uses the same key to encrypt/decrypt

Asymmetric Encryption Systems

2 encryption keys: public & private

only private key can decrypt

e-document...

created & digitally signed by a 3rd party...

verifies the identity of the owner of a public key

info encrypted w/ the creator's private key

created by asymmetrick encryption & hashing

Detective Controls

Managerial Reports

COBIT mgmt guidelines - performance indicators:

• downtime caused by security incidents
• # of incidents w/ IDS installed
• time to react

Detective Controls

Security Testing

test the effectiveness of existing security procedures:

Vulnerability Scans
automated tools
identifies if well-known vulnerabilities exist

Penetration Test

authorized attempt to break into an AIS

5 Principles of System Reliability

4 Criteria for Successfully Implementation

1. Develop & Document...policies
2. Communicate #1 to users
3. Use controls to implement policies
4. Monitor system & correct as needed

encrypting info before sending it over the internet

...provides the functionality of a private network

AICPA/CICA - 10 Best Practices

...for protecting privacy of customer info

1. Management - set policies
2. Notice - privacy policies → customers @ collection
3. Choice/Consent - opt-out vs. opt-in
4. Collection - only necessary info
5. Use & Retention - retain only as long as needed
6. Access - customers can't delete their info
7. 3rd Party Disclosure - as described w/ equal protection
8. Security - protect from loss or unauthorized disclosure
9. Quality - maintain info integrity
10. Monitoring & Enforcement - verifies compliance w/ privacy policy

Examples of Data Entry Controls

...Checks

Field Check

are characters right?  ###s vs. letters

Sign Check

+ vs. -

Limit Check

# value < limit

Range Check

# value w/in a range

Size Check

input data will fit into field

Completeness Check

have all required fields been filled?

Validity Check

verifies entered data w/ master record

Reasonableness Test

Logical relationship...does the entry make sense?

Processing Integrity

Source Data Controls

Form Design

designed to minimize mistakes

Pre-Numbered

ensure all docs are included

Turnaround Docs

returned from outsiders...machine-readable form

Cancellation & Storage

deface doc (void, paid, etc.)

stored securely

Authorization & Duty Segregation

only the right ppl have access

no one person has too much access

Visual Scanning

"eye check"...docs should make sense

Incremental Backup

copying only data changed since last backup

results of one day

Differential Backup

copies all changes since the last full backup