
Chapter 10

Computer Controls For Organizations And Accounting Information Systems

Discussion Questions
10-1.
A security policy is a comprehensive plan that helps protect the organization from
internal and external threats. More and more organizations have become dependent on
networks (of all sorts) to conduct business, share data, and communicate with suppliers,
customers, business partners, and employees who are traveling or working at home.
As a result, more proprietary data and organizational information must be accessible to a wide
variety of individuals. However, very real risks are present and more prevalent than ever before.
Firms are realizing that the traditional approach to security is not efficient or sufficient. That is,
even if a firm has several products, they are usually not integrated and do not work together.
The result is that integrated security has emerged as the most useful plan to protect the firm.
By adopting a comprehensive, holistic strategy that addresses network security at the gateway,
server, and client tiers, organizations may be able to reduce costs, improve manageability,
enhance performance, tighten security, and reduce the risk of exposure
(enterprisesecurity.symantec.com, article ID 1128). This article claims that the following key
security technologies can be integrated to more efficiently protect the firm against a variety of
threats at each tier to minimize the effects of network attacks: firewalls, intrusion detection,
content filtering, virtual private networks, vulnerability management, and virus protection.
In general, integrated security is getting a lot more attention in the business press and in
technical journals. The reason is obvious: companies are more aware than ever before that
security breaches can be very costly! As a result, organizations are becoming more attentive to
such precautions as: physical security of computers and networks (access controls),
authentication procedures for access to applications and data, and encryption procedures.
10-2.
The concept of convergence of physical and logical security means that an
organization has integrated these two forms of security. Thus, incidents that might individually
go unnoticed do not go undetected when they are combined. Referring again to Figure 10-3 in
the textbook, we can see how the combination of these two forms of security can make an
organization less vulnerable to embezzlement or fraud.
10-3.
To help organizations comply with SOX and the PCAOB requirements, the IT
Governance Institute (ITGI) issued IT Control Objectives for Sarbanes-Oxley in April 2004.
Neither the SOX legislation, nor PCAOB Standards No. 2 or No. 5, includes detailed guidance
for organizations. The ITGI publication provides that detail by starting with the IT controls from
COBIT and linking those to the IT general control categories in the PCAOB standard, and then
the control objectives are linked to the COSO framework. As we discussed in Chapter 9, COBIT
is an IT governance framework that provides company-level objectives and controls around
those objectives, as well as activity-level objectives and controls. Thus, it may be used
effectively by managers at all levels of the firm. It is important to remind students that COBIT
identifies controls that may be used for both operational and compliance objectives. The ITGI
document only focuses on controls that support financial reporting.

SM 10.1

10-4.
First, we should probably define a Local Area Network (LAN). A LAN is where you
have a number of computers that are geographically close together, usually in the same
building or a group of buildings. However, one LAN can be connected to other LANs over any
distance via telephone lines and radio waves (which is then called a Wide Area Network or
WAN). LANs are capable of transmitting data at very fast rates, much faster than data can be
transmitted over a telephone line; but the distances are limited, and there is also a limit on the
number of computers that can be attached to a single LAN.
Probably the primary difference between a wireless LAN and a hard-wired LAN is the method
used to transmit information. Wireless LAN technology is based on radio wave transmission,
whereas hard-wired LANs might be based on twisted-pair cable (used by older telephone
networks), coaxial cables (more expensive than standard telephone wire, but much less
susceptible to interference and able to carry much more data), or fiber optic cables (very popular
for LANs; data can be transmitted in digital form).
Wireless LAN technology is relatively new, whereas hard-wired LANs (using twisted-pair cable)
have been in use for quite some time.
Security risks are important considerations for both types of LANs, and the technology for each
is different. A wireless local area network (WLAN) must have a secure gateway, such as a
Virtual Private Network (VPN), so that users may safely access the network. Such a VPN
handles authentication of users and appropriately encrypts the information that is transmitted.
Of course, data encryption is an important control for all networks. Others include a checkpoint
control procedure, routing verification procedures, and message acknowledgment procedures
(these procedures are discussed in the chapter).
10-5.
Business continuity planning (BCP) is also called contingency planning and
disaster planning. A business continuity plan is necessary because a variety of unforeseen
disasters might occur that would cause a data processing center to not be operational.
Examples of these disasters include natural events such as fires, floods, hurricanes,
earthquakes, and manmade catastrophes such as terrorist attacks.
A company's BCP should describe procedures to be followed in the event of an emergency, as
well as the role of every member of the disaster recovery team (which is made up of specific
company employees). The company's management should appoint one person to be in charge
of disaster recovery and one person to be second-in-command.
Part of BCP specifies backup sites to use for alternate computer processing. These backup
sites may be other locations owned by the company, such as another branch of the same bank.
Alternatively, these sites may be owned by other organizations and used for short-term periods
in the event of a disaster. It is a good idea for the various hardware locations for data processing
to be some distance away from the original processing sites in case a disaster affects a regional
location. An example would be companies located near the San Andreas Fault in California.
Since a severe earthquake could destroy the data processing centers of those companies within
the earthquake area, organizations within this area should have disaster recovery arrangements
with organizations located outside any area likely to be affected by an earthquake.

There are a number of reasons to test the business continuity plan on a regular basis; these
are identified below.¹
1) To practice a succession plan for the CEO, in the event something happens to the CEO.
2) To train backup employees to perform emergency tasks. The employees a firm counts on to
lead in an emergency may not always be available.
3) To practice crisis communication with employees, customers, and the outside world.
4) To determine alternate means of communication in case the telephone networks go down.
5) To involve all employees in the exercises so that they get practice in responding to an
emergency.
6) To make exercises realistic to tap into employees' emotions so that you can see how they'll
react when the situation gets stressful.
7) To form partnerships with local emergency response groups (such as firefighters, police and
EMTs) and establish a good working relationship. Let them become familiar with your company
and site.
8) To evaluate your company's performance during each test, and work toward constant
improvement. Continuity exercises should reveal weaknesses.
9) To reveal and accommodate changes. Technology, personnel, and facilities are in a constant
state of flux at any company.
10-6.
Backup is an example of a control designed to mitigate or reduce business risk. As
pointed out in the chapter, backup is similar to redundancy in creating fault-tolerant systems.
Through backup, a duplicate copy of a data file is created. To illustrate, data that you currently
have stored on your hard drive could be copied onto a CD, flash drive, or other portable media
for backup purposes. An example was provided in this chapter of a common control procedure
that companies use for backing up accounting data called the grandfather-parent-child
procedure of file security.
Backup is extremely important when operating a computerized accounting system. If, for
example, backup copies containing important accounting data become corrupted or lost, all of
the accounting data will be lost. Within a company's computerized accounting system, the loss
of data that is not backed up could result in a severe interruption of business and loss of
income.
The term "backup" is not limited to just the backup of data. A company can also back up its
hardware and electrical power. For example, through its disaster recovery plan, a company
might provide for backup of its hardware by making arrangements for renting computer time
from another organization should the company's own computer become inoperative. Regarding
electrical power backup, surge protectors, for instance, provide protection should short,
intermittent power shortages or failures occur.
10-7.
The unique control risks associated with the use of PCs and laptops compared to
mainframes occur in two basic areas: (1) hardware, and (2) data and software.
Regarding hardware, because laptops are portable, they or any part of their peripheral
equipment can easily be stolen or destroyed. Limiting access to such equipment is difficult. It is
not difficult to remove the hard drive from a PC or take a monitor home. The problem is
compounded further with laptop computers since many powerful laptops can now be hidden
inside a briefcase.
¹ Source: http://www.csoonline.com/article/print/204450.
Regarding data and software, these two items are easy to access, modify, copy, or destroy, and
thus are difficult to control. A person with reasonable computer know-how and access to a PC
can access all the data and software on the machine. Consequently, there is a danger that an
employee of the organization using PCs might make unauthorized access to records and
manipulate the data, or that a disgruntled employee might decide to reformat a PC's hard disk,
destroying all software and data it contained.
Students will likely come up with different lists of the three most important control procedures
that should be implemented for laptops and the reasons these procedures are important. A
suggested list with reasons is presented below.
Control Procedures and Reasons
1. Control procedure: An inventory should be taken of all laptops used in a company along with
the various applications for which each laptop is used.
Reason: This control procedure is important because a company is able to physically account
for all of its laptops and, based on the various applications for which each laptop is used, a
determination can be made of the types of risks and exposures associated with every laptop's
applications. For those laptops whose applications are subject to greater risks and exposures,
stronger control procedures are required.
2. Control procedure: Secret passwords that are periodically changed should be required for all
authorized users of laptops.
Reason: This control procedure is important because it prevents unauthorized individuals from
using laptops to access data files and possibly tamper with the data within the files.
3. Control procedure: Each employee having a laptop should be required to place his or her
laptop in a locked cabinet before leaving at night.
Reason: This control procedure is important because of the size of laptops. The laptops'
smallness of size makes them susceptible to theft if left on employees' desks when they go
home at night.

10-8.
1) Test of completeness: The number should be exactly eight digits.
2) Test of sign: The number should be positive.
3) Test of numeric field content: The number should contain only numeric data; no letters or
special characters.
4) Test of reasonableness: Each eight-digit number should fall within a range of allowable
values.

5) Redundancy test: The four-digit product number should be valid for the four-digit
"major-category" number.
6) Check digit: A ninth digit can be added to the eight-digit number for checking purposes.
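
The six edit tests listed above, coded against a constructed product-number layout as an added example (not code from the solutions manual): the first four digits are assumed to be the major-category number and the last four the product number, the ninth digit is an assumed modulus-10 (Luhn) check digit, and the category table and allowable range are constructed for illustration.

```python
"""Input edit tests for an eight-digit product number (added example).

Assumed layout: MMMMPPPP, a four-digit major category followed by a
four-digit product number, with an optional ninth Luhn (modulus-10)
check digit. The category table and allowable range are constructed.
"""

# Constructed reference table: major-category number -> valid product numbers.
VALID_PRODUCTS = {
    "1000": {"0001", "0002", "0003"},
    "2000": {"0001", "0500"},
}

# Assumed range of allowable eight-digit values (test of reasonableness).
ALLOWED_RANGE = (10000000, 29999999)


def luhn_check_digit(digits):
    """Modulus-10 (Luhn) check digit for a string of decimal digits.

    Weighting alternate digits means that transposing two adjacent digits
    (10000001 keyed as 10000010) normally changes the result, so the
    check digit also serves as an 'ordering of digits' test.
    """
    total = 0
    # Walk from the rightmost payload digit, doubling every second digit.
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 0:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


def edit_tests(raw):
    """Apply the edit tests to one keyed value.

    Returns the list of failed tests; an empty list means the value is
    accepted. The numbers in the comments refer to the tests in 10-8.
    """
    errors = []
    value = raw.strip()

    # 2) Test of sign: the number must be positive.
    if value.startswith("-"):
        errors.append("sign: number must be positive")
        value = value[1:]

    # 3) Test of numeric field content: digits only, no letters or specials.
    if not value.isdigit():
        errors.append("numeric: field contains non-numeric characters")
        return errors  # the remaining tests assume a numeric value

    # 1) Test of completeness: eight digits (nine when the check digit is keyed).
    if len(value) not in (8, 9):
        errors.append("completeness: number must be exactly eight digits")
        return errors

    number, keyed_check = value[:8], value[8:]

    # 6) Check digit: recompute from the eight digits and compare with the ninth.
    if keyed_check and luhn_check_digit(number) != keyed_check:
        errors.append("check digit: mismatch, value mis-keyed or transposed")

    # 4) Test of reasonableness: the value must fall within the allowable range.
    low, high = ALLOWED_RANGE
    if not low <= int(number) <= high:
        errors.append("reasonableness: number outside %d-%d" % (low, high))

    # 5) Redundancy test: the product number must be valid for its category.
    category, product = number[:4], number[4:]
    if product not in VALID_PRODUCTS.get(category, set()):
        errors.append("redundancy: product %s not valid for category %s"
                      % (product, category))

    return errors


if __name__ == "__main__":
    for keyed in ["100000017", "100000107", "1000ABCD", "-10000001",
                  "1000001", "30000001"]:
        print("%-10s -> %s" % (keyed, edit_tests(keyed) or "accepted"))
```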
10-9.
a) Edit tests are computer routines that examine selected fields of input data for such attributes
as accuracy, completeness, reasonableness, and sequence. They reject those data items
that fail preestablished standards of data quality.
b) A check digit helps ensure the accurate and complete input of an important number, such as
an account number. If the check digit computed by a computer fails to match the associated
check digit input by the user, the number (and perhaps the associated transaction) is
rejected. Check digits thus help guard against the accidental alteration of the wrong master
file record when an incorrect account number was input.
c) Passwords are sets of numbers or letters that computer system users must input to gain
access to further computer time or files. Well-constructed passwords and associated
lock-out and dial-back systems guard against unauthorized computer access by denying
computer time to "hackers" or other unwarranted users.
d) Activity or proof listings are detailed listings of computerized data processing. Typically,
these listings indicate what data processing was performed for each transaction or account
in the system. Thus, these listings help assure data processing accuracy by providing
system users with hard-copy evidence (and therefore an audit trail) of processing results.
e) Control totals are financial, nonfinancial, hash, or record-count totals that are computed from
input data. The initial control totals, input separately, are recomputed during actual data
processing and ultimately compared. Unmatched values are investigated for causes. Thus,
control totals guard against the loss of data during data processing activities. Matching
control totals also helps assure users that data input was accurate and complete.
10-10.
Logical access to the computer is typically performed by using a remote terminal to
log onto the computer system to obtain access to software and data. Control of such access is
usually accomplished by having procedures that limit access to only those individuals who are
properly authorized (i.e., properly identified and authenticated by the computer system).
Physical access to the computer means being physically able to gain access to the computer
system or the data processing center. Good security requires that both logical and physical
access to the computer system be restricted to only those individuals who have authorization for
such access. Computerized accounting information systems require human interaction with
computers at many levels, including the input of data, the distribution of output, the
programming of computer runs, and the inquiry of the system. However, not everyone involved
with the accounting information system needs logical access to the computer system and few of
the above activities require physical access to the computer. Restrictions on logical access
safeguard computer time and maintain the privacy of the data files available to remote users.
Restrictions on physical access protect the physical assets of the computer system and the data
processing center.
10-11.
The separation of duties control is intended to deter an individual from committing an
intentional accounting error and concealing this error in the normal course of his or her duties.
To the extent that computerized accounting systems will handle functions that would be
performed by more than one person under a manual system, the computerized version of the
accounting information system cannot entirely adhere to this policy of separate responsibilities
for related accounting processing functions. On the other hand, strict control over the
development and use of computer programs, for instance, through the requirement of
authorization for program changes and through the strict distinction between programmers and
operators, is an example of effective separation of duties. Good separation of duties in the data
processing center, for example, would require that a computer operator would not have authority
to make computer program changes and that a programmer would not have access to the
computer for running programs. A computerized accounting information system will tend to
combine certain traditionally separated accounting tasks in its data processing, but use alternate
means for the application of the separation of duties control.
10-12.
The purpose of the hash total in accounting information systems is to ensure
completeness in a set of accounting data. Hash totals compute meaningless values, such as
the sum of customer account numbers.
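
Control totals as described in 10-9(e) and 10-12, as an added example (not code from the solutions manual): the cash-receipt batch, its field layout and the three processing outcomes are constructed, and the hash total is the sum of the customer account numbers.

```python
"""Batch control totals over a constructed batch of cash-receipt records.

Added example. The batch layout, the records and the processing outcomes
below are constructed for illustration.
"""

# Constructed input batch: (customer account number, amount received).
INPUT_BATCH = [
    (10017, 250.00),
    (10042, 1200.50),
    (10099, 75.25),
    (10123, 400.00),
]


def control_totals(records):
    """Record count, financial total and hash total for one batch.

    The hash total is the sum of customer account numbers: a meaningless
    figure in itself, but it changes whenever an account number is dropped,
    duplicated or mis-keyed, which the financial total alone cannot reveal.
    """
    return {
        "record_count": len(records),
        "financial_total": round(sum(amount for _, amount in records), 2),
        "hash_total": sum(account for account, _ in records),
    }


def reconcile(expected, actual):
    """Compare the totals entered with the batch against those recomputed
    after processing; return the names of the totals that do not match."""
    return [name for name in expected if expected[name] != actual[name]]


# Three constructed processing outcomes to reconcile against the input totals.
def processed_correctly(records):
    return list(records)


def processed_with_dropped_record(records):
    # Simulates a program that stops one record short when writing the new file.
    return list(records[:-1])


def processed_with_wrong_account(records):
    # Simulates posting the first receipt to account 10071 instead of 10017:
    # the amount is unchanged, so the financial total still agrees.
    first = records[0]
    return [(10071, first[1])] + list(records[1:])


def check_batch(records, process):
    """Run one processing outcome and return the unmatched control totals."""
    expected = control_totals(records)          # totals entered with the batch
    actual = control_totals(process(records))   # totals recomputed after processing
    return reconcile(expected, actual)


if __name__ == "__main__":
    for label, process in [
        ("correct", processed_correctly),
        ("dropped record", processed_with_dropped_record),
        ("wrong account, same amount", processed_with_wrong_account),
    ]:
        print("%-28s unmatched: %s" % (label, check_batch(INPUT_BATCH, process)))
```

The dropped record is caught by all three totals, while the mis-posted account number is caught only by the hash total.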

Problems
10-13.
We agree with the seminar leader's statement that all errors in processing
accounting data can be classified as either accidental or intentional. A key point to emphasize is
that many of the controls installed in an accounting information system are designed to detect
accidental errors, not intentional errors. Edit tests are particularly important in this regard
inasmuch as they are performed at the time of data input and therefore early in the processing
stream of the system.
Not all personnel controls are concerned with intentional errors, but the vast majority of them
are concerned with this matter. An example of a personnel control which is not necessarily
aimed at thwarting intentional errors is the requirement that employees take their earned
vacations to relax from a stressful job. Nonetheless, intentional errors are, by definition, not
accidents. If an error is intentional, it is committed purposefully and therefore involves an
individual. Controls that limit the amount of harm an employee or outsider can do to a
company's accounting information system are aimed at thwarting intentional errors.
10-14.
Among other things, this question is intended to emphasize the importance of
employee relations as a component of computer security. Thus, perhaps the most important
control which the organization might have used would be adherence to the general policy of
dismissing employees who are not happy with their jobs. Additional controls are also possible,
however. The pre-testing of computer programs by alternate programming staff members and
the requirement that only authorized versions of computer programs be used to update and
maintain computer files might also have prevented the problem. It is also likely that record
counts were not being used since, if they were, there would have been a discrepancy between
the number of records written on the new file and the number of records read from the old file.
10-15.
These transactions might have been discovered by the absence of merchandise in
the company warehouse. However, the problem with this is timing: the final proof of fraud could
only be established after it had been established that the merchandise was not lost in shipment
or misplaced at the warehouse. A perpetual inventory system with close monitoring of
discrepancies between actual physical inventory on hand and the quantity balances recorded in
the accounting records would be an effective control for the present situation. Also, the
company should require that cash disbursement checks be issued for merchandise purchases only
after the purchase order, the purchase invoice, and the inventory receiving report have all been
reviewed by an authorized employee, other than the check writer.
Other effective controls would include:
1) Requiring a supervisor's authorization for creation of all accounts payable master-file
records.
2) Requiring a supervisor's authorization for all orders exceeding a pre-determined level.
3) Requiring a computer printout of all orders exceeding a given dollar level.
4) Authorizing payment for merchandise only upon documented receipt of merchandise in
good condition. The receipts voucher must include a signature of the person receiving
the merchandise.
10-16.
a. An edit test for a reasonable number of hours worked would guard against this problem.
Requiring a supervisor to verify hours worked would also be useful.
b. A control should be programmed into the computer enabling the credit manager to cut off
credit sales to delinquent accounts. The account representative for Grab and Run
Electronics should also be notified that no new sales on credit are to be made to this
account.
c. This problem could be solved through a separation of duties control procedure and
insistence on the two-week vacation rule.
d. The system should prompt any key-entry operator about which account is being accessed.
The system should also be programmed to:
1. Require the input of the account number as part of the update process.
2. Indicate an error message when account numbers fail to match.
3. Refuse to create multiple account records with identical account numbers.
e. The creation of vendor records for suppliers eligible for payments should require an
authorization procedure. This controls against the creation of dummy companies. Also, the
existence of damaged merchandise should be confirmed by more than one person; for
example, through a supervisory control. Finally, an informal knowledge of Ben Landsford
may have provided clues to his fraud.
10-17.
a. Bank transactions should be pre-coded with either a deposit code or withdrawal code.
Transactions encoded on different colored paper may help. Also, the bank should batch
transactions by type. Finally, the error would cause a teller to be out of balance at the end of
the day.
b. An edit test of length would guard against this error.
c. An edit test of reasonableness should be used.
d. This is a programming error. The program should also be tested first with a test deck. The
program should not be permitted to withhold deductions in excess of earnings and a sign
test would be useful.
e. A check digit with an ordering-of-digits feature would catch this error at run time.

f. The computer program which processes this form should compare the first two digits of the
employee number against a list of acceptable codes by performing an edit check. The input
should be rejected if a nonexistent department was encoded on the form.
g. The computer system involved should use passwords (or ID cards and passwords) limiting
access to authorized users.
h. A batch control total should be used.
10-18.
Some of the ways that this separation of duties is achieved are as follows:
1. All systems changes and transactions should be initiated and authorized by user
departments.
2. Asset custody should reside with designated operational departments.
3. Corrections for errors detected in processing data should be entered on an error log,
referred back to the specific user department for correction, and subsequently followed up
on by the data control group.
4. Changes to existing systems as well as all new systems should involve a formal written
authorization from the user department.
10-19.
a. It is likely that former employees are going to work for the competition, and taking
proprietary information with them! The former employees may even continue to have
remote access to Bristol's information system.
b. There are several controls that could help here. One is to have each employee sign a
confidentiality agreement or a non-compete agreement. Another is to allow employees
limited access only to the database on a "need to know" basis. A third control would be to
make sure that employee user IDs (access privileges) are deactivated upon termination with
the company.

10-20.
Field names by application (the original table marks with an X which of the following tests
apply to each field: Numerical Data, Alphabetic Data, Reasonableness, Completeness, Sign,
Redundancy, Code from Internal Table, Sequence, Consistency):
INVOICING: Customer number, Customer name, Salesperson number, Invoice number, Item catalog
number, Quantity sold, Unit price, Total price.
SALESPERSON ACTIVITY: Salesperson number, Salesperson name, Department number, Sales
volume, Regular hours worked, Overtime hours worked.
INVENTORY CONTROL: Item catalog number, Item description, Unit cost, Units out, Units in.
PURCHASING: Vendor catalog number, Item description, Vendor number, Number ordered, Cost
per unit, Total amount.
[Table: "Test for" X marks per field not reproduced in this copy.]

Case Analyses
10-21.

The Big Corporation (Controls in Large, Integrated Systems)

1. The Big Corporation could experience several data security problems if proper controls are
not instituted with the new system. Without proper controls, unauthorized employees could
gain access to the data files, authorized employees could gain access to the data files
outside their jurisdiction and responsibility, or outsiders could monitor data transmission lines
without the management's knowledge. As a result, data could be used improperly,
interpreted improperly, or altered, causing significant problems for the company.
Confidential data files of a sensitive nature should be protected from unauthorized use.
Personal data, such as personnel records (health records, salary) and customer records
(account balance, credit rating), could be damaging to the company if they were
disseminated improperly. If proprietary information (e.g., product profit margin) were not
restricted, competitors eventually would learn of this information, which could put The Big
Corporation at a competitive disadvantage.
2. The Big Corporation must incorporate control measures to limit access to the system itself
and to the data files. Only those individuals who need to use the system should be provided
access to the system and data files. Access can be restricted by the use of secret password
codes or by the use of both ID cards and passwords, or by the use of biometric
identifications.
Some users may be authorized to use the system, but are not authorized to access all data
within the files. Protective techniques can be extended below the file level at the data-set
level. This entails an examination of the field of each record involved before data are
released for use. If the company is concerned with unauthorized access by outsiders, data
encryption could be employed.
3. (a) The following are some of the physical safeguards The Big Corporation could adopt to
protect its computer equipment:
1) Restrict access to only those who are authorized to use the equipment.
2) Protect against fire damage by installing water-fed sprinkler or carbon dioxide systems.
3) Protect against water damage by providing a proper water drainage system
under the floor of the computer room. In addition, plastic covers should be available to
place over the equipment to provide protection from overhead leakage.
4) Properly insure all equipment.
(b) Some physical safeguards which can be employed to provide protection for the data are as
follows:
1) Protect the files from deliberate damage by limiting the number of people who have
access to them, by limiting access to the data processing facilities, and by establishing a
strong librarian function.
2) Files should be stored in a fire-resistant cabinet or vault when not in use. In addition, the
company should have regularly scheduled backup of files (and they should be stored in
a safe location, perhaps electronic vaulting) in case the current copy of a file is
damaged or destroyed.
3) All files should have external labels for easy identification.

(c) Possible measures which can be employed to provide physical security for the data
processing center facilities are listed below:
1) Select a location for the data processing facilities that is away from possible hazards or
high-risk areas. Factors which should be considered are location above anticipated
flood levels, location away from steam lines, water lines, and windows, and a limited
number of doors.
2) Limit access to the data processing center facilities by employing guards, by requiring
personnel to wear security badges, and/or by the use of dial-lock combinations.
3) Fire-resistant materials should be employed in the construction of the facilities. Smoke
detectors and/or heat sensors should be installed to detect fires; water-fed sprinkler or
carbon dioxide systems should be installed to extinguish fires.
4) The company should make arrangements for backup sites (or electronic vaulting)
in case there is a major breakdown for an extended period of time. Arranging for backup
sites should be part of the company's development of a formal disaster recovery plan.
10-22.

MailMed Inc. (Control Weaknesses and a Disaster Recovery Plan)

1. At least four computer control weaknesses that existed at MailMed Inc. prior to the flood
occurrence include:
1) Systems documentation being prepared only when time is available; consequently,
documentation will likely be incomplete and not current.
2) The systems and programming staff having access to the data processing center without
supervision of the operations staff; programmers could alter data files or operational
programs.
3) The location of the facility on the ground floor behind large plate glass windows, which
invites attention and possible exposure risk, as well as failing to protect against flooding.
4) No regularly scheduled backups being prepared, thus exposing the company to loss of
data processed between backups.
2. At least five components that should be incorporated in a formal disaster recovery plan in
order for MailMed Inc. to become operational within 72 hours after a disaster affects its
computer operations capability include:
1) Off-site alternatives for continuation of service (e.g., contingency plans for operations on
a temporary basis) and backup hardware sites such as hot sites.
2) Off-site storage of program and data files, documentation (systems and operations), and
supplies.
3) Detailed written procedures for recovery of operations, which should include instructions
on obtaining critical information from off-site storage, planning of a communications link
between headquarters and the emergency site, as well as telephone numbers of all the
team members.
4) Procedures for on-going control and maintenance of a temporary site.
5) The testing and training for plan implementation, including testing each department
individually, testing the whole plan (mock disaster), trial runs, testing backup procedures,
testing restore operations, and recording test results.
3. At least three factors, other than the plan itself, that MailMed Inc.'s management should
consider in formulating a formal disaster recovery plan include:
1) Maintaining business operations and cash flows as well as meeting obligations and
contractual requirements.
2) Maintaining customer service and competitive position.

3) Determining appropriate levels of business interruption insurance and/or other
insurance.
10-23.

Bad, Bad Benny: A True Story (Identifying Controls for a System)

1. The same person handles all cash functions/lack of segregation of duties, lack of sufficient
oversight or reviews (e.g., internal/external audits), no control infrastructure, no forced
vacations or cross-training, improper monitoring of key employee, organizational structure
not set up to encourage ethical behavior, too much trust put in family for sensitive positions,
too much authority given to one employee.
2. Set policies for cash handling (e.g., require two signatures on checks over a certain amount,
procedures for vendor selection), mandatory vacations and cross-training; separate
recording, reconciliation, custody functions; institute regular audits (both internal and
external); set up an internal control structure to include authorization/signature
requirements; define organizational structure and responsibilities; keep updated list of
approved vendors and customers; segregate duties related to cash and liquid asset
oversight.
3. Testing audit trails (transactions from origination to destination), reconciliations of account
balances, confirmation of bank balances, accounts receivable and accounts payable,
physical counts of inventory compared to records, visit vendors, tests of logical relationship
with business activity, review of procedures for purchases and cash disbursements.
