Accounting Information Systems
CHAPTER 8
INFORMATION SYSTEMS CONTROLS FOR SYSTEMS RELIABILITY
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
8.1 For the consumer, opt-out has many disadvantages: the consumer is responsible for explicitly notifying every company that might be collecting his or her personal information and telling it to stop. Consumers are unlikely to take the time to opt out of these programs, and even if they do, they may not know of all the companies that are capturing their personal information. For the organization collecting the data, opt-out is an advantage for the same reasons it is a disadvantage to the consumer: the organization is free to collect all the information it wants until explicitly told to stop.
8.2 a. The cost here is tangible, consisting of the salaries of any additional employees who must be hired in order to accomplish segregation of duties. The benefit is much less tangible, comprising primarily the reduction in the risk of loss from both fraud and unintentional errors. One approach is to estimate an "expected benefit" as the product of the possible loss from fraud and the reduction in the probability of fraud.
b. The costs here are also relatively tangible, including the cost of maintaining a tape library and of performing special procedures such as file labeling, concurrent update controls, encryption, virus protection, maintaining backup files, and so forth. The benefit is again intangible, consisting of the reduction in the risk of losing vital business data. Once again an "expected benefit" might be estimated as the reduction in the product of the cost of data reconstruction and the probability of data loss.
c. The cost here consists of the extra programming and processing time required to prepare and execute the input validation routines. As in the other cases, the benefits are intangible and difficult to measure in dollars. The primary benefit is the increased accuracy of files and output. In this case the decision must be primarily subjective, since a reliable dollar value is unlikely to be available.
8.3 The disadvantage of full backups is time. Organizations do not normally make full backups of their data on a frequent (daily) basis simply because of the time a full backup takes; most organizations do full backups weekly. The advantage of frequent full backups is that the full system can be restored from a single backup.

An advantage of incremental or partial daily backups is time. Since only files that have been altered since the last incremental or full backup are included, the backup can be done much more quickly. The downside of incremental backups is that more than one backup (the last full backup plus every incremental taken since it, applied in order) will likely be needed to fully restore the system in the event of a system failure.

Management decides what the recovery point objective (RPO) should be for the company, i.e., how much data it is willing to lose in the event of a catastrophic event. Naturally, the recovery time objective (RTO) would always be "as soon as possible", but the decision hinges on how long management thinks the company can operate without its data.

The advantage of real-time mirroring is that a full and complete backup is always available at a moment's notice: the mirror site can instantly step into the shoes of the primary site, since it is a real-time replica. The disadvantage of real-time mirroring is the cost of creating and maintaining identical databases at two different sites; however, depending on the needs of the business, real-time mirroring may be a legitimate and necessary business expense when the cost of losing data and then recreating it from a full or partial backup would be prohibitive. In other words, for these businesses RPO and RTO are essentially zero, i.e., the data must be available instantaneously.
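The trade-off above (one backup to restore from versus a chain of them, and how much work is lost) is easy to see on a small model. The following is an added example, not part of the textbook or its solutions manual; the change log, file names and dates are constructed, with the weekly full backup assumed to run on Sunday and each backup assumed to be taken at the end of the day.

```python
from datetime import date

# Constructed change log (not from the textbook): which files were written on
# each day.  1 March 2009 is a Sunday, the day the weekly full backup runs.
CHANGES = {
    date(2009, 3, 1): {"ledger.csv": "v1", "payroll.csv": "v1"},
    date(2009, 3, 2): {"ledger.csv": "v2"},
    date(2009, 3, 3): {"payroll.csv": "v2"},
    date(2009, 3, 4): {"ar.csv": "v1"},
    date(2009, 3, 5): {"ledger.csv": "v3"},
}


def run_backups(changes, full_weekday=6):
    """Replay the change log, taking one backup at the end of each day.

    On `full_weekday` (Monday=0 ... Sunday=6) a full backup copies every
    file; on other days an incremental copies only the files written since
    the previous backup of either kind.  `full_weekday=None` means a full
    backup every day.  Returns (final state, list of backups in date order).
    """
    state, since_last, backups = {}, {}, []
    for day in sorted(changes):
        state.update(changes[day])
        since_last.update(changes[day])
        if full_weekday is None or day.weekday() == full_weekday:
            backups.append({"day": day, "kind": "full", "files": dict(state)})
        else:
            backups.append({"day": day, "kind": "incremental", "files": dict(since_last)})
        since_last = {}
    return state, backups


def backup_volume(backups):
    """Total number of file copies written: a proxy for backup time and media."""
    return sum(len(b["files"]) for b in backups)


def restore_chain(backups, failure_day):
    """Backups that must be applied, in order, after a failure that strikes on
    `failure_day` before that day's backup is taken: the most recent full
    backup, followed by every incremental taken after it."""
    usable = [b for b in backups if b["day"] < failure_day]
    full_positions = [i for i, b in enumerate(usable) if b["kind"] == "full"]
    if not full_positions:
        raise ValueError("no full backup precedes the failure; nothing to restore from")
    return usable[full_positions[-1]:]


def restore(chain):
    """Apply the chain oldest first, so later copies overwrite earlier ones.
    (Deleted files are not modelled; a real incremental records deletions too.)"""
    state = {}
    for backup in chain:
        state.update(backup["files"])
    return state


def rpo_days(chain, failure_day):
    """Days of work lost at worst: everything written after the last backup applied."""
    return (failure_day - chain[-1]["day"]).days


if __name__ == "__main__":
    final, weekly = run_backups(CHANGES)
    chain = restore_chain(weekly, date(2009, 3, 5))
    print("weekly full + daily incremental: apply",
          [f"{b['kind']} {b['day']}" for b in chain])
    print("recovered:", restore(chain), "lost days:", rpo_days(chain, date(2009, 3, 5)))
    _, daily = run_backups(CHANGES, full_weekday=None)
    print("file copies written: weekly-full policy", backup_volume(weekly),
          "vs daily-full policy", backup_volume(daily))
```

A failure on Thursday needs four backups (Sunday's full plus three incrementals) and loses Thursday's work, which is the one-day RPO of a nightly schedule; switching to a full backup every night shortens the chain to one backup but doubles the copies written. Real-time mirroring is the limit of this curve: the mirror is applied continuously, so the chain and the loss window both collapse to zero.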
8.4
    Original number (A)   Transposed number (B)   Difference |B - A|   Divisible by 9?
    10                    01                       9                   Yes
    11                    11                       0                   Not a transposition
    12                    21                       9                   Yes
    13                    31                      18                   Yes
    14                    41                      27                   Yes
    15                    51                      36                   Yes
    16                    61                      45                   Yes
    17                    71                      54                   Yes
    18                    81                      63                   Yes
    19                    91                      72                   Yes
When the numbers 10 through 19 are transposed, the difference between the original number and the transposed number is divisible by 9, except for 11, whose transposition is 11 itself and is therefore not a transposition.
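The pattern in the table is general, and auditors use it in reverse: if a batch is out of balance by an amount that is not a multiple of 9, a single transposition cannot be the cause. The code below is an added example, not part of the textbook; it rebuilds the table, checks the general claim for every adjacent-digit swap, and applies the rule to a constructed out-of-balance batch. Swapping digits a and b at the 10^(i+1) and 10^i positions changes the value by (a − b)(10^(i+1) − 10^i) = 9 · 10^i · (a − b), which is why the difference is always a multiple of 9.

```python
def adjacent_transpositions(n):
    """Every number obtained from n by swapping one pair of adjacent digits,
    leaving out swaps of equal digits (which are not transpositions)."""
    digits = list(str(n))
    results = []
    for i in range(len(digits) - 1):
        if digits[i] == digits[i + 1]:
            continue
        swapped = digits[:]
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        results.append(int("".join(swapped)))
    return results


def transposition_table(lo=10, hi=19):
    """The discussion-question table as data:
    (original, transposed, |difference|, divisible by 9).
    The last entry is None when the swap leaves the number unchanged."""
    rows = []
    for n in range(lo, hi + 1):
        swapped = int(str(n)[::-1])
        diff = abs(swapped - n)
        rows.append((n, swapped, diff, (diff % 9 == 0) if diff else None))
    return rows


def rule_of_nine_holds(limit):
    """Check the general claim for every number below `limit`: swapping the
    digits a and b at the 10^(i+1) and 10^i positions changes the value by
    (a - b) * (10^(i+1) - 10^i) = (a - b) * 9 * 10^i, a multiple of 9."""
    return all((t - n) % 9 == 0
               for n in range(10, limit)
               for t in adjacent_transpositions(n))


def could_be_transposition(expected, actual):
    """Rule of nine as an auditor applies it: an out-of-balance amount that is
    not a multiple of 9 cannot be a single transposition error."""
    diff = abs(expected - actual)
    return diff != 0 and diff % 9 == 0


def explain_difference(keyed_amounts, control_total):
    """Given the amounts as keyed and the control total they should add to,
    return the (keyed, corrected) pairs for which un-transposing one keyed
    amount makes the batch balance.  More than one pair may qualify: the rule
    narrows the search, it does not identify the faulty record."""
    keyed_total = sum(keyed_amounts)
    if not could_be_transposition(control_total, keyed_total):
        return []
    shortfall = control_total - keyed_total
    return [(keyed, candidate)
            for keyed in keyed_amounts
            for candidate in adjacent_transpositions(keyed)
            if candidate - keyed == shortfall]


if __name__ == "__main__":
    for row in transposition_table():
        print(*row)
    # Constructed batch (not from the textbook): 354 was keyed as 345.
    print(explain_difference([120, 345, 678], 1152))
```

On the constructed batch the shortfall of 9 points at two keyed amounts, 345 and 678, either of which could have been transposed; the rule tells the clerk where to look, and the source documents settle which one it was.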
8.5 Good internal control procedures dictate the objectives of internal control, but not the techniques by which those objectives are to be achieved. Computer systems can efficiently scan large volumes of records on a regular basis, identify transactions that need to be initiated, and then take appropriate transaction-initiation steps such as document preparation and file updating.
Given that computer systems will be programmed to initiate transactions, the issue is to identify internal control techniques that will achieve the stated objective under these circumstances. These include (1) strong controls over the development and revision of the computer programs that initiate transactions, (2) organizational separation of the programming and computer operations functions, (3) logical access controls to prevent unauthorized access to computer programs, and (4) review by user department personnel of transactions initiated by the computer.
In summary, automatic generation of transactions by computer does not necessarily violate good internal control.
© 2009 Pearson Education, Inc. Publishing as Prentice Hall
8.6 Since outsourcing is and will likely continue to be a topic of interest, this question should generate some good discussion from students. Data security and data protection are rated among the top ten risks of offshore outsourcing by CIO News. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) is of particular concern to companies outsourcing work to offshore companies. Since offshore companies are not required to comply with HIPAA, companies that contract with offshore providers do not have any enforceable mechanisms in place to protect and safeguard Protected Health Information (patient health information) as HIPAA requires; they essentially lose control of that data once it is processed by an offshore provider. Similarly, offshore companies are not governed by SOX, which is a concern when the CEO and CFO attest to the accuracy of their company's financial statements, an attestation that covers the documentation of any business processes performed by offshore entities.
One question that may facilitate discussion is to ask the students whether, once a company sends some operations offshore, the outsourcing company still has legal control over its data or the laws of the offshore country dictate ownership. Should the outsourcing company be liable in this country for data that was lost or compromised by an offshore outsourcing partner?
8.7 Since most students will encounter this question as an employee and as a future manager, the concept of personal email use during business hours should generate significant discussion. One question that may help facilitate discussion is to ask whether personal emails are any different from personal phone calls during business hours. The instructor may also want to use this opportunity to discuss security issues with email. Viruses are frequently spread through email, and although a virus could infect company computers through a business-related email, personal email also exposes the company to viruses, which may warrant a policy disallowing any personal email. In addition, there is the risk that employees could overtly or inadvertently release confidential company information through personal email. Once the information is in electronic form, it is easy and convenient for the recipient to distribute it further.
8.8 Many people may view biometric authentication as invasive: in order to gain access to a work-related location or data, they must provide a very personal image of part of their body, such as their retina, finger or palm print, or voice. Providing such personal information may make some individuals fearful of identity theft, because unlike a social security number or a bank account number, biometric identification characteristics cannot simply be "reset". If someone's digitized biometric identifier, such as a fingerprint template, is stolen, how can they prevent their identity from being used to lie, cheat, and steal? Indeed, facial scans and voice recordings can be obtained without the consent or knowledge of the person being scanned. RFID tags embedded in or attached to a person's clothing would allow anyone with a reader for that tag to track the exact movements of the "tagged" person. For police tracking criminals that would be a tremendous asset, but what if criminals were tracking people they wanted to rob, or whose property they wanted to rob when they knew the person would not be at home? Already one elementary school tried using RFID tags on students to track attendance, but stopped the program due to parental complaints and because the company that donated the equipment decided to stop supplying the RFID tags to the school.
SUGGESTED SOLUTIONS TO THE PROBLEMS
8.1 There is no single correct solution for this problem. Student responses will vary depending on their experience with various businesses. One minimal classification scheme could be highly confidential (top secret), confidential (internal only), and public. The following table lists some examples of items that could fall into each basic category.
    Highly Confidential (Top Secret)      Confidential (Internal)     Public
    Research Data                         Payroll                     Financial Statements
    Product Development Data              Cost of Capital             Securities and Exchange Commission Filings
    Proprietary Manufacturing Processes   Tax                         Marketing Information
    Proprietary Business Processes        Manufacturing Cost Data     Product Specification Data
    Competitive Bidding Data              Financial Projections       Earnings Announcement Data
8.2 a. Record Count: 4 records
Hash and Financial Totals are shown in the table below (each total is the sum of the column as keyed).
    Employee Number   Pay Rate     Hours Worked   Gross Pay         Deductions        Net Pay
    121                  6.50         38           $247.00             25.50           221.50
    123                  7.25         40            290.00             60.00           230.00
    125                  6.75         90            607.5             450.00            57.50
    122                 67.5          40           2700.00            500.00          2200.00
    491                 88           208           3844.50           1035.50          2709.00
    Hash Total        Hash Total   Hash Total     Financial Total   Financial Total   Financial Total
Note that the batch does not cross-foot: total gross pay less total deductions is 3844.50 − 1035.50 = 2809.00, but the net pay column sums to 2709.00. The 100.00 difference is the net pay error in the employee 125 record identified in part b.
b. Field Check: $247 Gross Pay for Employee 121 should not contain the $ symbol.
Sequence Check: Employee 122 is out of order. This record should appear directly after Employee 121.
Limit Check: 90 Hours Worked for Employee 125 is probably too high. Employee 122's pay rate of $67.50 also seems high.
Reasonableness Test: $450.00 in Deductions for Employee 125 seems too high given a Gross Pay of $607.50.
Crossfooting Balance Test: $57.50 net pay for employee 125 does not equal $607.50 − $450.00. Net pay should be $157.50 if the gross pay and deductions are correct. In addition, the deductions for employee 125 also appear to be unreasonably high, so the correct net pay should be much higher than $57.50.
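The controls in parts a and b are what a payroll input program actually runs before a batch is accepted. The following is an added example, not part of the textbook or its solutions manual: it takes the four records exactly as keyed (including the stray "$"), computes the record count, hash totals and financial totals, cross-foots the batch, and applies the field, sequence, limit, reasonableness and row-level cross-footing checks. The thresholds used by the limit and reasonableness checks (a 60-hour week, a $50.00 pay rate, deductions above half of gross) are assumptions chosen to illustrate the checks, not values from the problem.

```python
from decimal import Decimal, InvalidOperation

# The four records of Problem 8.2 exactly as keyed, including the stray "$".
RECORDS = [
    ("121", "6.50", "38", "$247.00", "25.50", "221.50"),
    ("123", "7.25", "40", "290.00", "60.00", "230.00"),
    ("125", "6.75", "90", "607.5", "450.00", "57.50"),
    ("122", "67.5", "40", "2700.00", "500.00", "2200.00"),
]
FIELDS = ("employee", "pay_rate", "hours", "gross", "deductions", "net")
HASH_FIELDS = ("employee", "pay_rate", "hours")      # sums with no meaning, used only as controls
FINANCIAL_FIELDS = ("gross", "deductions", "net")

# Assumed thresholds for the limit and reasonableness checks (not from the problem).
MAX_HOURS = Decimal("60")
MAX_PAY_RATE = Decimal("50.00")
MAX_DEDUCTION_SHARE = Decimal("0.5")   # deductions above half of gross are suspect


def parse(records):
    """Field check: every field must be purely numeric.  A field that fails is
    reported and stripped of stray characters so the other checks still run."""
    rows, findings = [], []
    for rec in records:
        row = {}
        for name, raw in zip(FIELDS, rec):
            cleaned = "".join(ch for ch in raw if ch.isdigit() or ch == ".")
            try:
                value = Decimal(cleaned)
            except InvalidOperation:
                value, cleaned = Decimal(0), None
            if cleaned != raw:
                findings.append(f"field check: {name} of employee {rec[0]} is not numeric: {raw!r}")
            row[name] = value
        rows.append(row)
    return rows, findings


def batch_totals(rows):
    """Record count, hash totals of the non-financial columns and financial totals."""
    return {
        "record_count": len(rows),
        "hash": {f: sum((r[f] for r in rows), Decimal(0)) for f in HASH_FIELDS},
        "financial": {f: sum((r[f] for r in rows), Decimal(0)) for f in FINANCIAL_FIELDS},
    }


def crossfoot_totals(totals):
    """Batch-level cross-footing: total gross less total deductions must equal
    total net.  Returns the difference, zero when the batch foots."""
    fin = totals["financial"]
    return fin["gross"] - fin["deductions"] - fin["net"]


def edit_checks(rows):
    """Sequence, limit, reasonableness and row-level cross-footing checks."""
    findings = []
    for prev, cur in zip(rows, rows[1:]):          # records must arrive in employee order
        if cur["employee"] <= prev["employee"]:
            findings.append(f"sequence check: employee {cur['employee']} is out of order after {prev['employee']}")
    for r in rows:
        e = r["employee"]
        if r["hours"] > MAX_HOURS:
            findings.append(f"limit check: employee {e} hours worked {r['hours']} exceed {MAX_HOURS}")
        if r["pay_rate"] > MAX_PAY_RATE:
            findings.append(f"limit check: employee {e} pay rate {r['pay_rate']} exceeds {MAX_PAY_RATE}")
        if r["deductions"] > r["gross"] * MAX_DEDUCTION_SHARE:
            findings.append(f"reasonableness test: employee {e} deductions {r['deductions']} exceed half of gross {r['gross']}")
        expected_net = r["gross"] - r["deductions"]
        if r["net"] != expected_net:
            findings.append(f"crossfoot: employee {e} net {r['net']} != gross - deductions = {expected_net}")
    return findings


def control_report(records=RECORDS):
    """Run every control over the batch; returns (totals, list of findings)."""
    rows, findings = parse(records)
    totals = batch_totals(rows)
    findings += edit_checks(rows)
    diff = crossfoot_totals(totals)
    if diff != 0:
        findings.append(f"crossfoot: batch net total is off by {diff}")
    return totals, findings


if __name__ == "__main__":
    totals, findings = control_report()
    print(totals)
    print("\n".join(findings))
```

Decimal rather than float keeps the money columns exact, so the batch cross-foot comes out as exactly 100.00, the amount by which employee 125's net pay is understated; the row-level check names the record, the batch-level check proves the error survived into the totals.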
8.3
a. Field 1 - Member number:
· Field check to verify that the field contains exactly four digits, and a range check that the value is within 0001 to 1368.
· Validity check on member number if a file of valid member numbers is maintained.
Field 2 - Date of flight start:
· Check that day, month, and year form a valid calendar date and correspond to the current date.
· Field check to verify that the field contains six digits.
Field 3 - Plane used:
· Validity check that character is one of the legal characters to describe a plane (G, C, P, or L).
· Field check that only a single character is used.
Field 4 - Time of take off:
· Range check that both pairs of numbers are within the acceptable range (first two digits are within range 00 to 23, and second two digits are within the range 00 to 59).
· Field check to verify that the field contains four digits.
Field 5 - Time of landing:
· Range check that both pairs of numbers are within the acceptable range described for field 4.
· Reasonableness test that field 5 is greater than field 4.
b. Five of the six records contain errors as follows:
1st - Wrong date is used (Nov. 31 instead of Nov. 1).
2nd - Member number is outside range (4111 is greater than 1368).
4th - Plane code is not legal.
5th - Member number contains a character.
6th - Plane landing time is earlier than the take off time.
c. Other possible controls to prevent input errors are:
· user ID numbers and passwords to limit system access to authorized personnel.
· compatibility test to ensure that authorized personnel have access to the correct data.
· prompting to request each required input item.
· preformatting to display an input form including all required input items.
· completeness check on each input record to ensure all items have been entered.
· default values, such as today's date for the flight date.
· closed-loop verification (member name would appear immediately after the member number)
(SMAC Examination, adapted)
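Putting the edit checks of part a into a record validator shows how each of the five errors in part b is caught and which fields still need a reference file. This is an added example, not part of the textbook or the SMAC solution. The six records are constructed to match the errors listed in part b and are assumed to be fixed-width (member 4, date 6 as MMDDYY, plane 1, take-off 4 and landing 4 characters); the "current date", the member file used for the validity check and closed-loop verification, and the member names are all assumptions.

```python
from datetime import date, datetime

MAX_MEMBER = 1368
VALID_PLANES = {"G", "C", "P", "L"}
TODAY = date(2009, 11, 1)                      # assumed "current date" for the date check
# Constructed member file (assumed), used for the validity check and closed-loop verification.
MEMBERS = {123: "A. Abbott", 456: "B. Baker", 789: "C. Cole", 1000: "D. Dunn"}

# Constructed fixed-width records, one per error listed in part b (the 3rd is clean):
# member(4) date(6, MMDDYY) plane(1) take-off(4, HHMM) landing(4, HHMM)
RECORDS = [
    "0123113109G09001030",   # 1st: 31 November does not exist
    "4111110109C10001100",   # 2nd: member 4111 > 1368
    "0456110109P13001415",   # 3rd: valid
    "0789110109X14001500",   # 4th: plane code X is not G, C, P or L
    "12A3110109L08000900",   # 5th: member number contains a letter
    "1000110109G16001530",   # 6th: landing before take-off
]


def parse_time(field, label):
    """Field and range checks for an HHMM field; returns (minutes since midnight, errors)."""
    if len(field) != 4 or not field.isdigit():
        return None, [f"{label}: must be four digits, got {field!r}"]
    hh, mm = int(field[:2]), int(field[2:])
    errors = []
    if not 0 <= hh <= 23:
        errors.append(f"{label}: hour {hh:02d} outside 00-23")
    if not 0 <= mm <= 59:
        errors.append(f"{label}: minute {mm:02d} outside 00-59")
    return (None if errors else hh * 60 + mm), errors


def validate(record, today=TODAY, members=MEMBERS):
    """Apply the edit checks of part a to one record.
    Returns (errors, member name to echo back for closed-loop verification, or None)."""
    if len(record) != 19:
        return [f"record length {len(record)} != 19"], None
    member, flight_date, plane = record[:4], record[4:10], record[10]
    takeoff, landing = record[11:15], record[15:19]
    errors, name = [], None

    # Field 1: field check (four digits), range check, validity check against the member file.
    if not member.isdigit():
        errors.append(f"member number: must be four digits, got {member!r}")
    elif not 1 <= int(member) <= MAX_MEMBER:
        errors.append(f"member number: {member} outside 0001-{MAX_MEMBER:04d}")
    elif int(member) not in members:
        errors.append(f"member number: {member} not on the member file")
    else:
        name = members[int(member)]

    # Field 2: six digits, a real calendar date (strptime rejects 31 November), and today's date.
    if len(flight_date) != 6 or not flight_date.isdigit():
        errors.append(f"date: must be six digits, got {flight_date!r}")
    else:
        try:
            parsed = datetime.strptime(flight_date, "%m%d%y").date()
        except ValueError:
            errors.append(f"date: {flight_date} is not a valid calendar date")
        else:
            if parsed != today:
                errors.append(f"date: {parsed} is not today's date {today}")

    # Field 3: validity check against the legal plane codes.
    if plane not in VALID_PLANES:
        errors.append(f"plane: code {plane!r} is not one of {sorted(VALID_PLANES)}")

    # Fields 4 and 5: range checks, then the reasonableness test landing > take-off.
    t_off, errs = parse_time(takeoff, "take-off time")
    errors += errs
    t_land, errs = parse_time(landing, "landing time")
    errors += errs
    if t_off is not None and t_land is not None and t_land <= t_off:
        errors.append(f"landing time {landing} is not later than take-off time {takeoff}")
    return errors, name


def validate_batch(records=RECORDS):
    """Validate every record; returns a list of (errors, member name) in record order."""
    return [validate(r) for r in records]


if __name__ == "__main__":
    for i, (errors, name) in enumerate(validate_batch(), 1):
        print(f"record {i}: {'OK, member ' + name if not errors else errors}")
```

The member name returned for a clean record is what closed-loop verification would echo to the operator immediately after the member number is keyed. Note that a flight crossing midnight would fail the landing-after-take-off test even though it is legitimate; that is the kind of edge case the reasonableness test needs a documented exception for.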
8.4 Differences between the correct batch total and the batch totals obtained after processing: