AIS615 Handy Notes CH 13 Processing Integrity & Availability Controls PDF

lOMoARcPSD|18760904 HANDY CHAPTER 13 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS KEY POINTS: 1. Identify and explain controls designed to ensure processing integrity. 2. Identify and explain controls designed to ensure systems availability by minimizing the risk of system downtime and enabling efficient recovery and resumption of Input Controls operations. As saying goes: “garbage in, garbage out.” Processing Integrity The quality of data that is collected about Table below lists the basic controls that business activities and entered into the are essential for processing integrity for the information system is vital. process stages input, processing, and output. The following source data controls regulate the integrity of input: 1. Forms design. Source documents and other forms should be designed to help ensure that errors and omissions are minimized.  Prenumbered forms. Prenumbering forms improves control by making it possible to verify that none are missing.  Turnaround documents. A turnaround document is a record of company data sent to an external party and then returned by the external party to the system as input. 2. Cancellation and storage of documents. Documents that have been entered into the system should be cancelled so they cannot be inadvertently or fraudulently re-entered into the system. Paper documents should be defaced, e.g., by stamping them “paid.” 1 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 Electronic documents can be similarly 5. A size check ensures that the input “cancelled” by setting a flag field to data will fit into the assigned field. indicate that the document has already been processed. 6. A completeness check on each input record determines if all required data 3. Authorization and segregation of items have been entered. duties. Source documents should be prepared only by authorized personnel 7. A validity check compares the ID code acting within their authority. or account number in the transaction data with similar data in the master file 4. Visual scanning. Source documents to verify that the account exists. should be scanned for reasonableness and propriety before being entered into 8. A reasonableness test determines the the system. correctness of the logical relationship between two data items. Data Entry Controls 9. Check digit verification. Authorized ID numbers (such as an employee number) can contain a check digit that is computed from the other digits. For example, the system could assign each new employee a nine-digit number, then calculate a tenth digit from the original nine and append that calculated digit to the original nine to form a 10-digit ID number. Data entry devices can be programmed to perform check digit verification by using the first nine digits to calculate the tenth digit each time an ID number is entered. If an error is made in entering any of the 10 The following tests are used to validate digits, the calculation made on the first nine input data: digits will not match the tenth, or check digit. 1. A field check determines if the The above tests are used for both batch characters in a field are of the proper processing and online real-time type. processing. 2. A sign check(+/-) determines if the data in a field have the appropriate arithmetic sign. 3. A limit check tests a numerical amount to ensure that it does not exceed a predetermined value. 4. A range check is similar to a limit check except that it has both upper and lower limits. 2 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 Additional Batch Processing Data Entry Additional Online Data Entry Controls Controls: Whenever possible, the system should automatically enter transaction data, which saves keying time and reduces errors. Other Online Processing Data Entry Controls 1. Prompting, in which the system requests each input data item and waits for an acceptable response. This ensures that all necessary data are entered (e.g., an online completeness check). 2. Preformatting, in which the system displays a document with highlighted 1. Batch processing works correctly only blank spaces and waits for the data to if the transactions are presorted to be be entered. in the same sequence as records in the master file. A sequence check 3. Closed-loop verification checks the tests if a batch of input data is in the accuracy of input data by using it to proper numerical or alphabetical retrieve and display other related sequence. information. 2. Information about data input or data 4. Creation of a transaction log that processing errors (date they includes a detailed record of all occurred, cause of the error, date transaction data; a unique transaction corrected, and resubmitted) should identifier; the date and time of entry; be entered in an error log. terminal, transmission line, and operator identification; and the 3. Batch totals. Three commonly used sequence in which the transaction was batch totals are: entered.  A financial total sums a field that 5. Error messages should indicate when contains dollar values, such as the an error has occurred, which items are total dollar amount of all sales for a in error, and what the operator should batch of sales transactions. do to correct it.  A hash total sums a nonfinancial numeric field, such as the total of the quantity ordered field in a batch of sales transactions.  A record count sums the number of records in a batch. 3 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 Processing Controls If financial or total discrepancy is evenly divisible by nine, the likely cause is a transposition error, in which two adjacent digits were inadvertently reversed (e.g., 46 instead of 64). 4. Cross-footing and zero-balance test. Often totals can be calculated in multiple ways. For example, in spreadsheets a grand total can often be computed either by summing a column of row totals or by summing a row of column totals. These two methods should produce the same Controls are also needed to ensure that result. data are processed correctly.  A cross-footing balance test 1. Data matching. In certain cases, two compares the results produced by each or more items of data must be matched method to verify accuracy. For before an action can take place. For example, the totals for all debit columns example, the system should verify that are equal to the totals for all credit information on the vendor invoice columns. matches that on both the purchase order and the receiving report before  A zero-balance test applies the same paying a vendor. logic to control accounts. For example, adding the balance for all customers in 2. File labels. File labels need to be an accounts receivable subsidiary checked to ensure that the correct and ledger and comparing to the balance in most current files are being updated. the accounts receivable general control account should be the same; the Two important types of internal labels difference should be zero. are header and trailer records. 5. Write-protection mechanisms. These The header record is located at the protect against the accidental writing beginning of each file and contains the over or erasing of data files stored on file name, expiration date, and other magnetic media. identification data. 6. Concurrent update controls protect The trailer record is located at the end records from errors that occur when of the file and contains the batch totals two or more users attempt to update calculated during input. the same record simultaneously. This is accomplished by locking out one user 3. Recalculation of batch totals. Batch until the system has finished totals can be recomputed as each processing the update entered by the transaction record is processed and other. compared to the values in the trailer record. 4 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 Output Controls Checksums use a hash of a file to verify accuracy. Parity Checking Computers represent characters as a set of binary digits (bits). When data are transmitted, some bits may be lost or received incorrectly due to media disruptions or failures. To detect these types of errors, an extra digit, called a parity bit, is added to every character. For example, the digits 5 and 7 can be represented by the seven-bit patterns 0000101 and 0000111, respectively. An eighth bit could be added to each Careful checking of system output provides character to serve as the parity bit. Two additional control over processing integrity. basic schemes are referred to as even Important output controls include: parity and odd parity. In even parity, the parity bit is set so that each 1. User review of output. Users should character has an even number of bits carefully examine system output for with the value 1; in odd parity, the reasonableness, completeness, and parity bit is set so that an odd number that they are the intended recipient. of bits in the character have the value 1. 2. Reconciliation procedures. Periodically, all transactions and other system updates should be reconciled to Example Case: Credit Sales control reports, file status/update Processing reports, or other control mechanisms. In addition, general ledger accounts The following is an example of processing should be reconciled to subsidiary integrity controls using a credit sale as an account totals on a regular basis. example. 3. External data reconciliation. The following transaction data are used: Database totals should periodically be sales order number, customer account reconciled with data maintained outside number, inventory item number, quantity the system. For example, the number sold, sale price, and delivery date. of employee records in the payroll file can be compared with the total from Processing these transactions includes the human resources to detect attempts to following steps: add fictitious employees to the payroll database. 1. Entering and editing the transaction data. 4. Data transmission controls. Parity checking and message 2. Updating the customer and inventory acknowledgement techniques are two records (the amount of the credit basic types of data transmission purchase is added to the customer’s controls (Checksums and parity bits). balance; for each inventory item, the quantity sold is subtracted from the 5 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 quantity on hand). Processing Controls 3. Preparing and distributing shipping or Updating files includes the customer and billing documents. inventory database records. Processing Integrity Controls using the Additional validation tests are performed by example above: comparing data in each transaction record with data in the corresponding database 1. When a user accesses the online record. system, logical access controls confirm the identity of the data entry device These tests often include the following: (personal computer, terminal) and the validity of the user’s ID number and 1. Validity checks on the customer and password. inventory item numbers. 2. A compatibility test is performed on all 2. Sign checks on inventory-on-hand user interactions to ensure that only balance (after subtracting quantities authorized tasks are performed. sold). 3. The system automatically assigns the 3. Limit checks that compare each transaction the next sequential sales customer’s total amount due with the order number and the current date as credit limit. the date of the invoice. 4. Range checks on the sale price of 4. To assist authorized personnel in each item sold relative to the entering sales data, the system permissible range of prices for that prompts for all required input item. (completeness test). After each prompt, the system waits for a response. 5. Reasonableness tests on the quantity sold of each item relative to normal 5. Each response is tested using one or sales quantities for that customer and more of the following controls: validity that item. checks (valid customer and inventory numbers), field and sign checks (only Output Controls positive, numeric characters in the quantity, date, and price fields), and Output controls that can be utilized are as limit or range checks (delivery date follows: versus current date). 1. Billing and shipping documents are 6. When the customer number is entered, forwarded electronically to only the system retrieves the corresponding preauthorized users. customer name from the database and displays it on the screen (closed-loop 2. Users in the shipping and billing verification). departments perform a limited review of the documents by visually inspecting 7. When the inventory item number is them for incomplete data or other entered, the system and the operator obvious errors. go through the same procedures as they do with the customer number. 3. The control report is sent automatically to its intended recipients, or they can query the system for the 6 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 report. Minimizing Risk of System Downtime Availability The loss of system availability can cause significant financial losses. Organizations can take a variety of steps to minimize the risk of system downtime. The physical and logical access controls can reduce the risk of successful denial-of- service attacks. Good computer security reduces the risk of system downtime due to the theft or sabotage of information system resources. The use of redundant components, such as dual processors and redundant arrays of independent hard drives (RAID), provides Reliable systems and information are fault tolerance, enabling a system to available for use whenever needed. continue functioning in the event that a particular component fails. Threats to system availability originate from many sources, including: Surge protection devices provide protection against temporary power 1. Hardware and software failures. fluctuation that might otherwise cause computers and other network equipment to 2. Natural and man-made disasters. crash. 3. Human error. An uninterruptible power supply (UPS) system provides protection in the event of a 4. Worms and viruses. prolonged power outage. 5. Denial-of-service attacks and other Recovery and Resumption of Normal acts of sabotage. Operations Table below summarizes the key controls Sr. Management must ask themselves two related to ensure system availability which questions relating to the risk of downtime: minimize system downtime and provide timely recovery. 1. How much data are we willing to recreate from source documents (if they exist) or potentially lose (if no source documents exist)? 2. How long can the organization function without its information system? 7 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 Figure 13-1 on page 431 shows the relationship of these two questions. 3. Deduplication is a process that uses hashing to identify and backup only those portions of a file or database that have been updated since the last backup. Management must establish an RPO, which represents the maximum length of time for which it is willing to risk the possible loss of Management’s answer to the first question transaction data. determines the organization’s recovery point objective (RPO). RPO is inversely related to Real-time mirroring involves maintaining the frequency of backups. two copies of the database at two separate data centers at all times and updating both The answer to the second question copies in real-time as each transaction determines the organization’s recovery time occurs. objective (RTO). Periodically, the system makes a copy of Disaster recovery and business continuity the database at that point in time, called a plans are essential if an organization hopes checkpoint, and stores it on backup media. to survive a major catastrophe. An archive is a copy of a database, master Data Backup Procedures file, or software that will be retained indefinitely as a historical record, usually to A backup is an exact copy of the most satisfy legal and regulatory requirements. current version of a database, file, or Infrastructure Replacement software program. A second key component of disaster The process of installing the backup copy for use is called restoration. recovery includes provisions for replacing the necessary computer infrastructure: Several different backup procedures computers, network equipment and access, exist: telephone lines, other office equipment (e.g., fax machines), and supplies. A full backup is an exact copy of the data The RTO represents the time following a recorded on another physical media (tape, disaster by which the organization’s magnetic disk, CD, DVD, and so on). Full information system must be available again. backups are time-consuming, so most organizations only do full backups weekly Organizations have three basic options for and supplement them with daily backups. replacing computer and networking equipment: Two types of partial backups are: 1. An incremental backup involves 1. The least expensive approach is to create reciprocal agreements with copying only the data items that have another organization that uses similar changed since the last backup. equipment to have temporary access to 2. Differential backup copies all changes and use of their information system resources. made since the last full backup. 8 Downloaded by pe pe ([email protected]) lOMoARcPSD|18760904 2. Another solution involves purchasing or leasing a cold site, which is an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary computers, and other office equipment within a specified period of time. 3. A more expensive solution for organizations, such as financial institutions and airlines, which cannot survive any appreciable time period without access to their information system, is to create what is referred to as a hot site. A hot site is a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities. Documentation Documentation is an important, but often overlooked, component of disaster recovery and business continuity plans. The plan itself, including instructions for notifying appropriate staff and the steps to be taken to resume operations, needs to be well documented. Testing Periodic testing and revision are probably the most important component of effective disaster recovery and business continuity plans. Most plans fail their initial test because it is impossible to anticipate everything that could go wrong. Disaster recovery and business continuity plans need to be tested on at least an annual basis. 9 Downloaded by pe pe ([email protected])

AIS615 Handy Notes CH 13 Processing Integrity & Availability Controls PDF

Document Details

Tags

Related

Summary

Full Transcript