978-1118742938 Chapter 14 Part 1

Core Concepts of Accounting Information Systems, 13th Edition, by Simkin, Rose, and Norman

SM 14.1

Chapter 14

COMPUTER CONTROLS FOR ORGANIZATIONS AND

ACCOUNTING INFORMATION SYSTEMS

Discussion Questions

14-1. A security policy is a comprehensive plan that helps protect the organization from

internal and external threats. More and more organizations have become dependent on networks

As a result, more proprietary data and organizational information must be accessible to a wide

variety of individuals. However, very real risks are present and more prevalent than ever before.

server, and client tiers, organizations may be able to reduce costs, improve manageability,

enhance performance, tighten security, and reduce the risk of exposure

In general, integrated security is getting a lot more attention in the business press and in technical

14-2. The concept of convergence of physical and logical security means that an

organization less vulnerable to embezzlement or fraud.

14-3. To help organizations comply with SOX and the PCAOB requirements, the IT

Governance Institute (ITGI) issued “IT Control Objectives for Sarbanes–Oxley” in April 2004.

is an IT governance framework that provides company-level objectives and controls around

those objectives, as well as activity-level objectives and controls. Thus, it may be used

SM 14.2

effectively by managers at all levels of the firm. It is important to remind students that COBIT

identifies controls that may be used for both operational and compliance objectives. The ITGC

14-4. First, we should probably define a Local Area Network (LAN). A LAN is where you

have a number of computers that are geographically close together – usually in the same building

computers that can be attached to a single LAN.

Probably the primary difference between a wireless LAN and a hard-wired LAN is the method

LANs – data can be transmitted in digital form).

Security risks are important considerations for both types of LANs, and the technology for each

is different. A wireless local area network (WLAN) must have a secure gateway, such as a

Of course, data encryption is an important control for all networks. Others include a checkpoint

14-5. Business continuity planning (BCP) is also called contingency planning and disaster

Part of BCP specifies backup sites to use for alternate computer processing. These backup sites

SM 14.3

be some distance away from the original processing sites in case a disaster affects a regional

There are a number of reasons to test the business continuity plan on a regular basis and these are

identified below.1

 To practice a succession plan for the CEO, in the event something happens to the CEO.

improvement. Continuity exercises should reveal weaknesses.

 To reveal and accommodate changes. Technology, personnel, and facilities are in a

constant state of flux at any company.

14-6. Backup is an example of a control designed to mitigate or reduce business risk. As

pointed out in the chapter, backup is similar to redundancy in creating fault tolerant systems.

procedure of file security.

The term “backup” is not limited to just the backup of data. A company can also back up its

intermittent power shortages or failures occur.

1 Source: http://www.csoonline.com/article/print/204450.

14-7. Large organizations can afford to have alternate sites with the capability to recover

quickly should a disaster occur which disrupts the functioning of the business. However, smaller

up to an offsite data center and can be ready to use in a matter of minutes. Since the virtual

server is hardware independent, the operating system, applications, patches and data can be

the data can be restored.2

14-8. The unique control risks associated with the use of PCs and laptops compared to

mainframes occur in two basic areas: (1) hardware, and (2) data and software.

Regarding hardware, because laptops are portable, they or any part of their peripheral equipment

Regarding data and software, these two items are easy to access, modify, copy, or destroy, and

thus are difficult to control. A person with reasonable computer know-how and access to a PC

Students will likely come up with different lists of the three most important control procedures

Control Procedures

Reasons

1. An inventory should be taken of all laptops

used in a company along with the various

applications for which each laptop is used.

This control procedure is important because a

company is able to physically account for all of

its laptops and based on the various

applications for which each laptop is used, a

determination can be made of the types of risks

and exposures associated with every laptop’s

applications. For those laptops whose

applications are subject to greater risks and

exposures, stronger control procedures are

required.

2. Secret passwords that are periodically

changed should be required for all

authorized users of laptops.

This control procedure is important because it

prevents unauthorized individuals from using

laptops to access data files and possibly tamper

with the data within the files.

3. Each employee having a laptop should be

required to place his or her laptop in a

locked cabinet before leaving at night.

This control procedure is important because of

the size of laptops. The laptops’ smallness of

size makes them susceptible to theft if left on

employees’ desks when they go home at night.

14-9.

1) Test of completeness: The number should be exactly eight digits.

special characters.

values.

5) Redundancy test: The four-digit product number should be valid for the four-digit

“major-category” number.

14-10.

a) Edit tests are computer routines that examine selected fields of input data for such attributes

fail preestablished standards of data quality.

b) A check digit helps ensure the accurate and complete input of an important number, such as

when an incorrect account number was input.

c) Passwords are sets of numbers or letters that computer system users must input to gain

SM 14.6

and dial-back systems guard against unauthorized computer access by denying computer

time to “hackers” or other unwarranted users.

e) Control totals are financial, nonfinancial, hash, or record-count totals that are computed from

14-11. Logical access to the computer is typically performed by using a remote terminal to

log onto the computer system to obtain access to software and data. Control of such access is

Physical access to the computer means being physically able to gain access to the computer

system or the data processing center.

the system. However, not everyone involved with the accounting information system needs

logical access to the computer system and few of the above activities require physical access to

14-12. The separation of duties control is intended to deter an individual from committing an

intentional accounting error and concealing this error in the normal course of his or her duties.

development and use of computer programs, for instance, through the requirement of

authorization for program changes and through the strict distinction between programmers and

combine certain traditionally separated accounting tasks in its data processing, but use alternate

means for the application of the separation of duties control.

SM 14.7

Problems

14-13.

a. It is likely that former employees are going to work for the competition – and taking

remote access to Bentley’s information system.

b. There are several controls that could help here. One is to have each employee sign a

the company.

14-14. These transactions might have been discovered by the absence of merchandise in the

company warehouse. However, the problem with this is timing: the final proof of fraud could

company should require cash disbursement checks be issued for merchandise purchases only

after the purchase order, the purchase invoice, and the inventory receiving report have all been

Other effective controls would include:

1) Require a supervisor’s authorization for creation of all accounts payable master-file

records.

the merchandise.

14-15. We agree with the seminar leader’s statement that all errors in processing accounting

data can be classified as either accidental or intentional. A key point to emphasize is that many

Not all personnel controls are concerned with intentional errors, but the vast majority of them are

concerned with this matter. An example of a personnel control which is not necessarily aimed at

system are aimed at thwarting intentional errors.