978-1118742938 Chapter 14 Part 1

Authors: Mark G. Simkin

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman
SM 14.1
Chapter 14
COMPUTER CONTROLS FOR ORGANIZATIONS AND ACCOUNTING INFORMATION SYSTEMS
Discussion Questions
14-1. A security policy is a comprehensive plan that helps protect the organization from
internal and external threats. More and more organizations have become dependent on networks
As a result, more proprietary data and organizational information must be accessible to a wide
variety of individuals. However, very real risks are present and more prevalent than ever before.
server, and client tiers, organizations may be able to reduce costs, improve manageability,
enhance performance, tighten security, and reduce the risk of exposure
In general, integrated security is getting a lot more attention in the business press and in technical
14-2. The concept of convergence of physical and logical security means that an
organization less vulnerable to embezzlement or fraud.
14-3. To help organizations comply with SOX and the PCAOB requirements, the IT
Governance Institute (ITGI) issued “IT Control Objectives for Sarbanes-Oxley” in April 2004.
is an IT governance framework that provides company-level objectives and controls around
those objectives, as well as activity-level objectives and controls. Thus, it may be used
effectively by managers at all levels of the firm. It is important to remind students that COBIT
identifies controls that may be used for both operational and compliance objectives. The ITGC
14-4. First, we should probably define a Local Area Network (LAN). A LAN is a number of
computers that are geographically close together, usually in the same building
computers that can be attached to a single LAN.
Probably the primary difference between a wireless LAN and a hard-wired LAN is the method
LANs data can be transmitted in digital form).
Security risks are important considerations for both types of LANs, and the technology for each
is different. A wireless local area network (WLAN) must have a secure gateway, such as a
Of course, data encryption is an important control for all networks. Others include a checkpoint
14-5. Business continuity planning (BCP) is also called contingency planning and disaster
Part of BCP specifies backup sites to use for alternate computer processing. These backup sites
be some distance away from the original processing sites in case a disaster affects a regional
There are a number of reasons to test the business continuity plan on a regular basis and these are
identified below.1
To practice a succession plan for the CEO, in the event something happens to the CEO.
improvement. Continuity exercises should reveal weaknesses.
To reveal and accommodate changes. Technology, personnel, and facilities are in a
constant state of flux at any company.
14-6. Backup is an example of a control designed to mitigate or reduce business risk. As
pointed out in the chapter, backup is similar to redundancy in creating fault tolerant systems.
procedure of file security.
The term "backup" is not limited to just the backup of data. A company can also back up its
intermittent power shortages or failures occur.
1 Source: http://www.csoonline.com/article/print/204450.
14-7. Large organizations can afford to have alternate sites with the capability to recover
quickly should a disaster occur which disrupts the functioning of the business. However, smaller
up to an offsite data center and can be ready to use in a matter of minutes. Since the virtual
server is hardware independent, the operating system, applications, patches and data can be
the data can be restored.2
14-8. The unique control risks associated with the use of PCs and laptops compared to
mainframes occur in two basic areas: (1) hardware, and (2) data and software.
Regarding hardware, because laptops are portable, they or any part of their peripheral equipment
Regarding data and software, these two items are easy to access, modify, copy, or destroy, and
thus are difficult to control. A person with reasonable computer know-how and access to a PC
Students will likely come up with different lists of the three most important control procedures
Control Procedures and Reasons

1. Control procedure: An inventory should be taken of all laptops used in a company along with the various applications for which each laptop is used.
   Reason: This control procedure is important because a company is able to physically account for all of its laptops and, based on the various applications for which each laptop is used, a determination can be made of the types of risks and exposures associated with every laptop's applications. For those laptops whose applications are subject to greater risks and exposures, stronger control procedures are required.

2. Control procedure: Secret passwords that are periodically changed should be required for all authorized users of laptops.
   Reason: This control procedure is important because it prevents unauthorized individuals from using laptops to access data files and possibly tamper with the data within the files.

3. Control procedure: Each employee having a laptop should be required to place his or her laptop in a locked cabinet before leaving at night.
   Reason: This control procedure is important because of the size of laptops. Their small size makes them susceptible to theft if left on employees' desks when they go home at night.
14-9.
1) Test of completeness: The number should be exactly eight digits.
special characters.
values.
5) Redundancy test: The four-digit product number should be valid for the four-digit
"major-category" number.
14-10.
a) Edit tests are computer routines that examine selected fields of input data for such attributes
fail preestablished standards of data quality.
b) A check digit helps ensure the accurate and complete input of an important number, such as
when an incorrect account number was input.
c) Passwords are sets of numbers or letters that computer system users must input to gain
and dial-back systems guard against unauthorized computer access by denying computer
time to "hackers" or other unwarranted users.
e) Control totals are financial, nonfinancial, hash, or record-count totals that are computed from
14-11. Logical access to the computer is typically performed by using a remote terminal to
log onto the computer system to obtain access to software and data. Control of such access is
Physical access to the computer means being physically able to gain access to the computer
system or the data processing center.
the system. However, not everyone involved with the accounting information system needs
logical access to the computer system and few of the above activities require physical access to
14-12. The separation of duties control is intended to deter an individual from committing an
intentional accounting error and concealing this error in the normal course of his or her duties.
development and use of computer programs, for instance, through the requirement of
authorization for program changes and through the strict distinction between programmers and
combine certain traditionally separated accounting tasks in its data processing, but use alternate
means for the application of the separation of duties control.
Problems
14-13.
a. It is likely that former employees are going to work for the competition - and taking
remote access to Bentley's information system.
b. There are several controls that could help here. One is to have each employee sign a
the company.
14-14. These transactions might have been discovered by the absence of merchandise in the
company warehouse. However, the problem with this is timing: the final proof of fraud could
company should require cash disbursement checks be issued for merchandise purchases only
after the purchase order, the purchase invoice, and the inventory receiving report have all been
Other effective controls would include:
1) Require a supervisor’s authorization for creation of all accounts payable master-file
records.
the merchandise.
14-15. We agree with the seminar leader's statement that all errors in processing accounting
data can be classified as either accidental or intentional. A key point to emphasize is that many
Not all personnel controls are concerned with intentional errors, but the vast majority of them are
concerned with this matter. An example of a personnel control which is not necessarily aimed at
system are aimed at thwarting intentional errors.
