Part 1 Section E.1.3. Systems controls and security measures

Systems Control


Transaction processing

Passwords to limit access to input or change data, segregation of duties to safeguard assets, control totals to ensure data accuracy.

Virus protection

Ensuring that the latest edition of anti-virus software is installed and updated, setting up firewalls to deter incoming risks, limiting internet access to business-related purposes to reduce the chances of viruses.

Backup controls

Identification of vital systems to be backed up regularly, development of a disaster recovery plan, testing of backup communications and resources.

Disaster recovery controls

  • A sound disaster recovery plan contains the following components:
    • Establish priorities for recovery process
    • Identify the software and hardware needed for critical processes; identify all data files and program files required for recovery
    • Store files in off-site storage
    • Identify who has responsibility for various activities, which activities are needed first
    • Set up and check arrangements for backup facilities
    • Test and review recovery plan



Bank deposits do not always correspond with cash receipts.

  • Possible cause
    • Cash received after bank deposit has been made.
  • Action
    • Have a separate individual reconcile incoming cash receipts to bank deposits.


Physical inventory counts sometimes differ from perpetual inventory records, and sometimes there have been alterations to physical counts and perpetual records.

  • Possible cause
    • Timing differences.
  • Action
    • Limit access to physical inventory; require and document specific approvals for adjustments to records.


Unexpected and unexplained decrease in gross profit percentage has occurred.

  • Possible cause
    • Unauthorized discounts or credits provided to customers.
  • Action
    • Establish policies for discounts and credits, document approvals.


  1. Promoting effectiveness and efficiency of operations in order to achieve the company’s objectives.
  2. Maintaining the reliability of financial reporting through checking the accuracy and reliability of accounting data.
  3. Assuring compliance with all laws and regulations that the company is subject to, as well as adherence to managerial policies.
  4. Safeguarding assets.

Threats to Information Systems

  • Errors can occur in system design.
  • Errors can occur in transmission of data.
  • Data can be stolen over the internet.
  • Data and programs can be damaged.
  • Programs can be altered by dishonest employees.
  • Viruses, trojan horses, and worms can infect a system, causing a system crash, stolen or disasters, illegal activity, or sabotage.

Categories of Systems Controls

  • General controls
    • Relate to the environment transactions are processed in.
      1. The organization and operation of the computer facilities, including segregation of duties;
      2. The general operating procedures, including written procedures and manuals;
      3. The equipment and hardware controls, including backup procedures;
      4. The access controls, including both physical access and password access to data and programs.
  • Application controls
    • Are specific to individual applications.
    • They should be designed to prevent, detect and correct errors in transactions.
      • Input controls
      • Processing controls
      • Output controls

General Controls

Segregation of Duties
  • Most important organizational and operating control.
  • IS personnel should be separated from the users of the systems.
  • Responsibilities within IS should be separated from one another.
  • A person with unlimited access to a computer, its programs and its data could both execute and conceal fraud.
Examples of Segregation of Duties
  • Systems analysts should design systems, but not program them.
  • Programmers should not have access to live data (actual business data); they should use “test” data.
  • Computer operators should not be able to modify programs.
  • Information systems personnel should not have access to physical assets accounted for in the system.
  • Only authorized people should be able to call vendor technical support.

Application Controls

Input Controls
  • Provide assurance that data entered into the system has been authorized and entered correctly.
  • Input is the stage with the most human involvement and therefore has the highest risk of errors occurring.
  • Data observation and recording controls help ensure that the data is correct before entering the system.
  • Data transcription controls help ensure that data is entered into the system correctly as it is being entered.
  • Edit tests check the validity and accuracy of data after it has been entered into the system.
Processing Controls
  • Designed to provide reasonable assurance that processing occurred correctly.
  • Data access controls are similar to input controls and help ensure entry and transmission accuracy.
  • Data manipulation controls help ensure that data is processed correctly by the system.
Output Controls
  • Used to provide reasonable assurance that input and processing have resulted in valid output.
  • Validating output results includes reconciliations and suspense accounts.
  • Printed output controls are used to help ensure that information printed or displayed by the system is correct and cannot be manipulated, such as by using pre-numbered forms.

Controls Classified


  • Preventive controls
  • Detective controls
  • Corrective controls


  • Feedback controls
    • a feedback loop
    • a cybernetic system
  • Feedforward controls
    • predict
  • Preventive controls

Internet Security

  • Once a computer is connected to an outside network, additional security needs to be properly addressed to allow only intended access and prevent unintended or malicious access to the system or data.
    • User account management
    • A firewall
    • Anti-virus protection
    • Encryption

Viruses, Trojan Horses, and Worms

  • A computer virus
    • a program that executes itself and replicates itself, damaging the host computer and others.
  • A Trojan horse does not replicate itself, though it may still damage the computer by causing the loss of data, or theft of data.
  • A worm is similar to a virus, but a worm replicates itself without the use of a host file.
  • A virus hoax can cause you to damage your own system by deleting critical system files that it tells you incorrectly are virus files.


  • Intrusions of the telephone system (wiretapping),
  • Major computer network intrusions (breaking into company networks),
  • Network integrity violations (installing malicious software into a network to disrupt or intercept transmissions),
  • Privacy violations (customers or employees’ personal data being accessed or leaked),
  • Industrial espionage (any manner of spying on another company),
  • Pirated computer software (may contain malicious code that damages computers or networks).
  • Copyright infringement such as the illegal copying of copyrighted material
  • Denial of Service (DOS) attacks in which a website is accessed repeatedly so that other, legitimate users cannot connect to it,
  • Theft of credit card numbers from retailers’ files
  • Phishing, a high-tech scam that uses spam e-mail to deceive consumers into disclosing sensitive personal information
  • Installation of malware on a computer without the user’s knowledge.

Defenses against Cybercrime

  • Firewalls
  • Proxy servers
  • Antisniffer tools
  • Encryption


  • In a secret key system, each sender and recipient pair has a single key that is used to encrypt and decrypt the messages.
  • The public key/private key encryption system is a better system for companies to use.

Business Continuity Planning

Backup and Contingency Planning

A company must have plans for the backup and recovery of data in the event of a major disruption.

Disaster Recovery

  1. Which employees will participate in disaster recovery and what their responsibilities will be. One person should be designated in charge of disaster recovery and another should be second in command.
  2. What hardware, software and facilities will be used.
  3. The priority of applications that should be processed.

Disaster Recovery Sites

  • Arrangements for alternative facilities as a disaster recovery site and offsite storage of the company’s databases are also part of the disaster recovery plan.
  • An alternative facility might be a different facility owned by the company, or it might be a facility contracted by a different company.
  • The different locations should be a significant distance away from the original processing site.

Types of Recovery Sites

  • Hot site
  • Cold site
  • Warm site
  • Mobile site

System Auditing

Computerized Audit Techniques

Testing the Computer System

These techniques test the integrity of the system.

  1. Test data approach
  2. Integrated test facility (ITF)
  3. Parallel simulation

The major difference between “test data” and an “ITF” is that the test data used in an ITF are processed along with real data, whereas test data are not actually processed.

Generalized Audit Software

  • Generalized audit software (GAS) permits the computer to be used by auditors as an auditing tool.
  • The computer can select, extract, and process sample data from computer files.
  • Generalized audit software can check computations, search files for unusual items, and perform statistical selection of sample data.

Embedded Audit Routines

  • Embedded audit routines involve modifying a regular production program by building special auditing routines into it so that transaction data can be analyzed.
  • Transactions are selected by the embedded audit routine according to auditor-determined parameters for limits and reasonableness.
  • This is called a system control audit review file (SCARF).
  • Alternatively, transactions might be selected randomly. This is called a sample audit review file (SARF).
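
The embedded audit routine described above, sketched as an added example (not code from these notes): a hypothetical `post_sales` production routine calls an audit hook that copies transactions to a SCARF list when they breach auditor-determined limit and reasonableness parameters, and to a SARF list by random selection. All names, thresholds and sample transactions are constructed for illustration.

```python
import random
from dataclasses import dataclass, field

@dataclass
class AuditParams:
    amount_limit: float = 10_000.00   # auditor-determined limit test
    max_discount_pct: float = 15.0    # auditor-determined reasonableness test
    sample_rate: float = 0.25         # probability of random (SARF) selection

@dataclass
class EmbeddedAudit:
    params: AuditParams
    rng: random.Random = field(default_factory=lambda: random.Random(2024))
    scarf: list = field(default_factory=list)  # exceptions to the parameters
    sarf: list = field(default_factory=list)   # random sample

    def review(self, txn):
        reasons = []
        if txn["amount"] > self.params.amount_limit:
            reasons.append("amount over limit")
        if txn["discount_pct"] > self.params.max_discount_pct:
            reasons.append("discount not reasonable")
        if reasons:
            self.scarf.append({**txn, "reasons": reasons})
        if self.rng.random() < self.params.sample_rate:
            self.sarf.append(dict(txn))

def post_sales(transactions, audit):
    """Production routine: every transaction is posted; the hook only records."""
    ledger_total = 0.0
    for txn in transactions:
        net = round(txn["amount"] * (1 - txn["discount_pct"] / 100), 2)
        ledger_total += net
        audit.review(txn)  # embedded audit routine; processing is unchanged
    return round(ledger_total, 2)

# Constructed sample transactions
SAMPLE_TXNS = [
    {"id": "T1", "amount": 500.00, "discount_pct": 0.0},
    {"id": "T2", "amount": 12000.00, "discount_pct": 5.0},
    {"id": "T3", "amount": 800.00, "discount_pct": 40.0},
    {"id": "T4", "amount": 2500.00, "discount_pct": 10.0},
]

if __name__ == "__main__":
    audit = EmbeddedAudit(AuditParams())
    print("posted total:", post_sales(SAMPLE_TXNS, audit))
    for row in audit.scarf:
        print("SCARF:", row["id"], row["reasons"])
    print("SARF ids:", [t["id"] for t in audit.sarf])
```

The review files are only useful as evidence if production staff cannot edit them, so in practice they would be written somewhere only the auditor can read and change.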

Extended Records

  • Extended records refers to modifying a program to tag specific transactions and save all their processing steps in an extended record, permitting an audit trail to be reconstructed from one file for those transactions.
  • Transactions might be selected randomly, or they might be selected as exceptions to edit tests.


  • This “takes a picture” of a transaction as it is processed.
  • Program code is added to the application to cause it to print out the contents of selected memory areas when the snapshot code is executed.
  • A snapshot is used commonly as a debugging technique.


  • Tracing provides a detailed audit trail of all the instructions executed by a program.
  • Tracing might be used to verify that internal controls in an application are being executed as the program is processing data, either live data or test data.
  • A trace may also reveal sections of unexecuted program code, which can indicate incorrect or unauthorized modifications made to the program.


  • Mapping involves using special software to monitor the execution of a program.
  • The software counts the number of times each program statement in the program is executed.
  • Can help determine whether program application control statements that appear in the source language listing of the program are actually executed when the program runs and have not been bypassed.
  • Mapping can be used with a program running test data.
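
Mapping as described above, shown as an added example (not code from these notes): Python's `sys.settrace` counts how often each statement of a hypothetical `approve_order` routine runs against test data, and any statement tagged `# CONTROL` with a count of zero is reported as bypassed. The routine, the marker and the test orders are constructed for illustration.

```python
import inspect
import sys
from collections import Counter

def approve_order(order):
    if order["rush"]:
        return "approved"  # early exit: the control below is skipped
    if order["amount"] > order["credit_limit"]:  # CONTROL credit limit check
        return "rejected"
    return "approved"

def map_execution(func, inputs):
    """Run func over inputs; return (execution count, source line) pairs."""
    code = func.__code__
    counts = Counter()

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None            # do not trace other functions
        if event == "line":
            counts[frame.f_lineno] += 1
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        for item in inputs:
            func(item)
    finally:
        sys.settrace(previous)     # always restore the earlier trace hook
    lines, first = inspect.getsourcelines(func)
    return [(counts[first + i], text.rstrip()) for i, text in enumerate(lines)]

def unexecuted_controls(report, marker="# CONTROL"):
    """Control statements present in the source but never executed."""
    return [text.strip() for n, text in report if marker in text and n == 0]

# Constructed test data
RUSH_ONLY = [{"rush": True, "amount": 900, "credit_limit": 500}] * 3
MIXED = RUSH_ONLY + [{"rush": False, "amount": 900, "credit_limit": 500}]

if __name__ == "__main__":
    for n, text in map_execution(approve_order, RUSH_ONLY):
        print(f"{n:3d}  {text}")
    print("bypassed:", unexecuted_controls(map_execution(approve_order, RUSH_ONLY)))
```

With the rush-only test data the credit limit check shows a count of zero even though it appears in the source listing, which is the condition mapping is meant to expose.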