Management Chapter 8 Homework Computer Operations Controls Andom Errors May Occur

Unlock access to all the studying documents.

View Full Document

Management Information Systems, 13TH ED.

MANAGING THE DIGITAL FIRM

Kenneth C. Laudon ● Jane P. Laudon

continued

Learning Track 4: General and Application

Controls for Information Systems

To minimize errors, disaster, computer crime, and breaches of security, special

policies and procedures must be incorporated into the design and implemen–

tation of information systems. fie combination of manual and automated

measures that safeguard information systems and ensure that they perform

according to management standards is termed controls. Controls consist of all

the methods, policies, and organizational procedures that ensure the safety of

In the past, the control of information systems was treated as an afterthought,

addressed only toward the end of implementation, just before the system was

installed. Today, however, organizations are so critically dependent on infor–

mation systems that vulnerabilities and control issues must he identified as

General controls are those that control the design, security, and use of

computer programs and the security of data files in general throughout the

organization. On the whole, general controls apply to all computerized appli-

cations and consist of a combination of system software and manual proce-

dures that create an overall control environment.

controls All the

methods, policies, and

procedures that ensure

of its records, and

operational adherence

to management

standards

general

controls Overall

controls that establish a

framework for

controlling the design,

security, and use of

computer programs

Chapter 8: Securing Information Systems

Chapter 8 Learning Track 4 2

continued

General Controls

General controls are overall controls that ensure the effective operation of

programmed procedures. fiey apply to all application areas. General controls

include the following:

Controls over the system implementation process

◆ Software controls

◆ Physical hardware controls

IMPLEMENTATION CONTROLS

fie systems development audit should also examine the level of user involve-

ment at each stage of implementation and check for the use of a formal cost/

benefit methodology in establishing system feasibility. fie audit should also

look for the use of controls and quality assurance techniques for program

development, conversion, and testing.

An important though frequently neglected requirement of systems building is

SOFTWARE CONTROLS

Controls are essential for the various categories of software used in comput–

er systems. Software controls monitor the use of system software and prevent

unauthorized access of software programs, system software, and computer

programs.

Chapter 8 Learning Track 4 3

continued

FIGURE 1

Points in the processing cycle where errors

can occur. Each of the points illustrated in this

System software controls govern the software for the operating system,

which regulates and manages computer resources to facilitate execution of

application programs. System software controls are also used for compil-

ers, utility programs, reporting of operations, file setup and handling, and

software

controls Controls to

ensure the security and

reliability of software

Chapter 8 Learning Track 4 4

continued

TABLE 1 Essential User and Technical Documentation for an

Information System

TECHNICAL DOCUMENTATION USER DOCUMENTATION

Hardware/operation system requirements Sample reports/output layouts

Narrative program/module descriptions Security profiles

Source program listings Functional description of system

Module cross references Work flows

Job control language listings

Backup/recovery procedures

Run control procedures

File access procedures

HARDWARE CONTROLS

Hardware controls ensure that computer hardware is physically secure and

check for equipment malfunction. Computer hardware should he physical-

ly secured so that it can be accessed only by authorized individuals. Access

to rooms where computers operate should be restricted to computer opera-

hardware

controls Controls to

ensure the physical

security and correct

performance of

Chapter 8 Learning Track 4 5

continued

COMPUTER OPERATIONS CONTROLS

Computer operations controls apply to the work of the computer depart–

ment and help ensure that programmed procedures are consistently and

correctly applied to the storage and processing of data. fiey include controls

over the setup of computer processing jobs, operations software and comput–

er operations, and backup and recovery procedures for processing that ends

abnormally.

Human-operator error at a computer system at the Shell Pipeline Corporation

caused the firm to ship 93,000 barrels of crude oil to the wrong trader. fiis

one error cost Shell $2 million. A computer operator at Exxon Corporation

headquarters inadvertently erased valuable records about the grounding of

the Exxon Valdez tanker and the Alaskan oil spill that were stored on magnet–

ic tape. Such errors could have been avoided had the companies incorporated

tighter operational safeguards.

DATA SECURITY CONTROLS

Data security controls ensure that valuable business data files are not subject

to unauthorized access, change, or destruction. Such controls are required for

data files when they are in use and when they are being held for storage. It is

computer operations

controls Procedures to

ensure that

programmed

procedures are

consistently and

correctly applied to

data storage and

data security

controls Controls to

ensure that data files on

either disk or tape are

Chapter 8 Learning Track 4 6

continued

When data can be input online through a terminal, entry of unauthorized

input must be prevented. For example, a credit note could be altered to match

a sales invoice on file. In such situations, security can be developed on several

levels:

◆ Terminals can be physically restricted so that they are available only to

authorized individuals.

◆ System software can include the use of passwords assigned only to

authorized individuals. No one can log on to the system without a valid

password.

◆ Additional sets of passwords and security restrictions can be developed

Systems that allow online inquiry and reporting must have data files secured.

Figure 2 illustrates the security allowed for two sets of users of an online

personnel database with sensitive information such as employees’ salaries,

benefits, and medical histories. One set of users consists of all employees who

perform clerical functions such as inputting employee data into the system.

continued

FIGURE 2

Security profiles for a personnel system. These two examples represent two secu-

rity profiles or data security patterns that might be found in a personnel system.

Depending upon the security profile, a user would have certain restrictions on

access to various systems, locations, or data in an organization.

Although the security risk of files maintained oine is smaller, such data

files on disk or tape can he removed for unauthorized purposes. ‘fiese can

Chapter 8 Learning Track 4 8

continued

ADMINISTRATIVE CONTROLS

Administrative controls are formalized standards, rules, procedures, and

control disciplines to ensure that the organization’s general and application

controls are properly executed and enforced. fie most important administra-

assets. fie individuals responsible for operating systems should not be the

same ones who can initiate transactions that change the assets held in these

program files and end users responsible for initiating input transactions or

correcting errors. Within the information systems department, the duties of

programmers and analysts are segregated from those of computer equipment

operators.

Written policies and procedures establish formal standards for controlling

information system operations. Procedures must be formalized in writing

and authorized by the appropriate level of management. Accountabilities and

responsibilities must be clearly specified.

administrative

controls Formalized

standards, rules,

procedures, and

and assign tasks among

people so that job

functions do not

Chapter 8 Learning Track 4 9

continued

TABLE 2 Effect of Weakness in General Controls

WEAKNESS AREA IMPACT

Implementation controls New systems or systems that have been modified will have errors or

fail to function as required

Software controls (program security) Unauthorized changes can be made in processing. The organization

may not be sure of which programs or systems have been changed.

APPLICATION CONTROLS

Application controls are specific controls within each separate computer

application, such as payroll or order processing. fiey include both automated

and manual procedures that ensure that only authorized data are completely

and accurately processed by that application. fie controls for each application

should take account of the whole sequence of processing, manual and comput–

Not all of the application controls discussed here are used in every infor–

mation system. Some systems require more of these controls than others,

depending on the importance of the data and the nature of the application.

Application controls focus on the following objectives:

1. Completeness of input and update. All current transactions must reach

the computer and be recorded on computer files.

2. Accuracy of input and update. Data must be accurately captured by the

Chapter 8 Learning Track 4 10

4. Maintenance. Data on computer files must continue to remain correct

and current.

TABLE 3 Important Edit Techniques

Edit Technique Description Example

Reasonableness checks To be accepted, the data must

fall within certain limits set in

advance, or they will be

rejected.

If an order transaction is for 20,000

units and the largest order on record

was 50 units, the transaction will be

rejected.

Format checks Characteristics of the contents

A nine-position Social Security

Existence checks The computer compares input

reference data to tables or

master files to make sure that

valid codes are being used.

An employee can have a Fair Labor

Standards Act code of only 1, 2, 3,

4, or 5. All other values for this field

will be rejected.

Dependency checks The computer checks whether a

logical relationship is main-

tained between the data for the

same transaction. When it is

not, the transaction is rejected.

A car loan initiation transaction

should show a logical relationship

between the size of the loan, the

number of loan repayments, and the

size of each installment.

Check digit An extra reference number

called a check digit follows an

A product code with the last posi-

tion as a check digit, as developed

Application controls can be classified as (1) input controls, (2) processing

controls, and (3) output controls.

INPUT CONTROLS

input

controls Procedures to

check data for accuracy

Chapter 8 Learning Track 4 11

continued

Input authorization. Input must be properly authorized, recorded, and moni-

tored as source documents ow to the computer. For example, formal proce-

Data conversion. Input must be properly converted into computer trans-

actions, with no errors as it is transcribed from one form to another.

Batch control totals can be established beforehand for transactions grouped

in batches. fiese totals can range from a simple document count to totals for

Edit checks. Various routines can he performed to edit input data for errors

before they are processed. Transactions that do not meet edit criteria will be

PROCESSING CONTROLS

Processing controls establish that data are complete and accurate during

updating. fie major processing controls are run control totals, computer

matching, and programmed edit checks.

input

authorization Proper

authorization,

data

conversion Process of

batch control totals A

type of input control

that requires counting

reconciliation after

processing

edit checks Routines

processing

controls Routines for

establishing that data

are complete and

accurate during

updating

Chapter 8 Learning Track 4 12

continued

Run control totals reconcile the input control totals with the totals of items

that have updated the file. Updating can he controlled by generating control

Computer matching matches the input data with information held on master

or suspense files, with unmatched items noted for investigation. Most match–

OUTPUT CONTROLS

Output controls ensure that the results of computer processing are accu–

rate, complete, and properly distributed. Typical output controls include the

following:

◆ Balancing output totals with input and processing totals

◆ Reviews of the computer processing logs to determine that all of the

Developing a Control Structure: Costs and

Benefits

Information systems can make exhaustive use of all of the control mecha–

nisms previously discussed. But they may be so expensive to build and so

complicated to use that the system is economically or operationally unfeasi–

ble. Some cost/benefit analysis must be performed to determine which control

run control

totals Procedures for

totals before and after

processing

output controls Ensure

that the results of

computer processing

are accurate, complete,

and properly distributed

Chapter 8 Learning Track 4 13

mechanisms provide the most effective safeguards without sacrificing opera-

tional eciency or cost.

One of the criteria that determine how much control is built into a system

is the importance of its data. Major financial and accounting systems, for

example, such as a payroll system or one that tracks purchases and sales on

the stock exchange, must have higher standards of controls than a system to

Standing data, the data that are permanent and that affect transactions

owing into and out of a system (e.g., codes for existing products or cost

centers) require closer monitoring than individual transactions. A single error

in transaction data will affect only that transaction, while a standing data

error may affect many or all trans-actions each rime the file is processed.

A third consideration is the level of risk if a specific activity or process is not

properly controlled. System builders can undertake a risk assessment, deter–

mining the likely frequency of a problem and the potential damage if it were

to occur. For example, if an event is likely to occur no more than once a year,

with a maximum of a $1000 loss to the organization, it would not be feasi–

Chapter 8 Learning Track 4 14

continued

TABLE 4 Online Order Processing Risk Management

Exposure

Probability of

Occurrence

Loss range /

Average ($)

Expected Annual

Loss ($)

Power failure 30 5000-200,000

(102,500)

30,750

In some situations, organizations may not know the precise probability of

threats occurring to their information systems, and they may not be able to

quantify the impact of events that disrupt their information systems. In these

instances, management may choose to describe risks and their likely impact in

a qualitative manner.

To decide which controls to use, information system builders must examine

various control techniques in relation to each other and to their relative

Chapter 8 Learning Track 4 15