COPYRIGHT AND CITATION CONSIDERATIONS FOR THIS THESIS/ DISSERTATION


o Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
o NonCommercial: You may not use the material for commercial purposes.
o ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.

How to cite this thesis
Surname, Initial(s). (2012) Title of the thesis or dissertation. PhD. (Chemistry)/ M.Sc. (Physics)/ M.A. (Philosophy)/M.Com. (Finance) etc. [Unpublished]: University of Johannesburg. Retrieved from: https://ujdigispace.uj.ac.za (Accessed: Date).


Packaged Software: Security and Controls Audit Review
by Chris van Heerden
SHORT DISSERTATION submitted in partial fulfilment of the requirements for the degree MASTER OF COMMERCE in COMPUTER AUDITING in the FACULTY OF ECONOMIC AND MANAGEMENT SCIENCE at the RAND AFRIKAANS UNIVERSITY
STUDY LEADER: PROF A du Toit
Cape Town, January 1994

INDEX
CHAPTER / PAGE NO.
OPSOMMING IN AFRIKAANS (i)
SYNOPSIS (vi)
INTRODUCTION 1
LITERATURE SURVEY 7
A FRAMEWORK FOR THE EVALUATION OF PACKAGED SOFTWARE INTEGRITY CONTROLS AND SECURITY FEATURES 51
CONCLUSION 64
BIBLIOGRAPHY 65

OPSOMMING (SUMMARY IN AFRIKAANS)
SOFTWARE PACKAGES: SECURITY AND CONTROL AUDIT REVIEW
by Chris van Heerden
Summary of a dissertation submitted for the degree MAGISTER COMMERCII in COMPUTER AUDITING in the FACULTY OF ECONOMIC AND MANAGEMENT SCIENCES at the RAND AFRIKAANS UNIVERSITY
STUDY LEADER: PROF A du Toit
Cape Town, January 1994

The purpose of this summary is to set out the background, methodology and conclusions of the research into the control procedures and security measures of software packages. The summary is arranged as follows:
1. PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH
2. RESEARCH DESIGN AND METHODOLOGY
3. RESULTS AND CONCLUSION
1. PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH
In recent years companies have been replacing systems developed in-house with software packages. These advanced packages usually incorporate a high degree of system integration, including control measures and procedures to ensure the security and integrity of input, processing, output and storage. Computer auditors are nowadays frequently expected to evaluate these advanced software packages to ensure that the security measures and control procedures are adequate to meet the organisation's requirements and standards. Furthermore, there must be effective integrity and security measures to ensure that the computer system remains available and that the security and integrity of the system are preserved. The computer auditor faces a particular challenge when evaluating the control procedures and security measures of a software package. The software is substantially complete and is tailored to the company's requirements through tables and parameters. The control procedures and security measures of the package are not developed according to the organisation's specifications but by the developer of the system. The auditor must therefore identify and evaluate the existing integrity and security controls to determine to what extent he can rely on them and, where necessary, to what extent additional controls are required.

The objective of the dissertation is to develop a framework that can be used in evaluating the control procedures and security measures of software packages.
2. RESEARCH DESIGN, METHODOLOGY AND LIMITATIONS
The research approach is to construct a framework based on the generic processes of advanced on-line computer systems, namely input, processing, output and storage. For each process, controls are identified to ensure that the integrity, availability and security of the system are preserved. The approach is to identify the general integrity procedures and security measures of advanced computer systems against which software packages can then be evaluated.
Methodology: A literature study was made of the most recent authoritative literature in the field of computer auditing, published by organisations recognised as leaders in the field. The results of the study were sufficient to identify the generic automated control procedures and security measures.
Limitations: To delimit the field of study and so allow a meaningful study, the following limitations and exclusions were specified. Only matters directly related to system control procedures and security measures were considered. Other fields such as package selection, assessment of system functions, system testing, acceptance testing and post-implementation audit review were excluded from the study. Matters relating to the overall security measures and control procedures, such as general controls applicable to the computer environment, system design risks, system design controls, system software and user application controls, were not taken into account.
3. RESULTS AND CONCLUSION
The following generic elements of advanced on-line systems were identified during the literature study:
3.1 Processing methods, namely on-line real time, on-line batch and on-line memo update;
3.2 Generic transaction flow, namely input, processing, storage and output;
3.3 Information system control procedures: validity, completeness and accuracy of input, processing, storage and output;
3.4 Error identification, correction and re-submission controls;
3.5 Essential security measures;
3.6 Audit trail;
3.7 Segregation of duties; and
3.8 Authorisation.
The following tables were compiled on the basis of the question "what can go wrong?" and which controls should be in place to prevent it.
Table title
On-line / real time input
On-line / batch input
External system interfaces
Processing
Storage controls
Output controls (including audit trail)
Security (including segregation of duties)

Conclusion
The research provides a basis against which the control procedures and security measures of advanced on-line software packages can be evaluated. It has identified the common elements of large commercial information systems and the control procedures and security measures required to ensure the integrity, availability and security of systems and data. The tables should not be used as a checklist but rather as a guide to possible control procedures and security measures, since every organisation has its own requirements to be met, which normally differ from one organisation to the next.

SYNOPSIS
1.1 PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH
In recent years large organisations that developed mainframe application software in-house have been purchasing software packages to replace these applications. These advanced packages incorporate a high level of integration and include security and control features to ensure that the integrity of input, processing, output and storage is maintained. Computer auditors are required to evaluate this advanced packaged software to ensure that the security and control features are adequate and comply with organisational standards. Furthermore, they must ensure that the integrity of information system programs and data is maintained. The auditor faces a unique challenge when evaluating the security and control features of software packages, as the packages are substantially complete and are tailored to organisational requirements by the use of parameters and tables. The security and control features within a package are not developed according to the organisation's specifications but are determined by the developer of the software package. The auditor therefore has to identify and evaluate the available integrity controls and security features of the package to determine to what extent he may rely on these controls and whether they must be supplemented by other control procedures. The objective of this dissertation is to develop a framework that can be used in evaluating the security and control features of advanced packaged software.
1.2 RESEARCH APPROACH
The approach consists of the development of a framework based on the generic processes of advanced on-line systems: input, edit, processing, update and storage. For each process, controls are identified to ensure that the integrity, availability and security of the information systems, programs and data are maintained.
1.3 RESEARCH METHODOLOGY
A literature survey was conducted on the latest authoritative publications from organisations that are recognised and acknowledged as the leaders in the field of computer auditing.

From the results of the literature survey it was possible to identify the generic processes and the automated security and control features that should be in place to ensure that the integrity, availability and security of the system are maintained.
1.4 LIMITATIONS AND EXCLUSIONS
1.4.1 Only issues relating to security and control were considered. Other areas such as the assessment of available packages, selection of the package, acceptance testing, system testing and post-implementation review were excluded.
1.4.2 Only security and control issues directly related to security and controls for information systems were considered. User controls that form an integral part of any system have not been considered, as they are largely dependent on specific organisational requirements.
1.4.3 Areas that have a direct impact on the overall system of internal control, such as general information system controls, system development and related risks, and system software, were also excluded from consideration.
1.5 CONCLUSION
The research study resulted in the development of the following tables, which will assist the auditor in evaluating the security and control features of software packages:
Table name
On-line / real time input
On-line batch update
External system interfaces
Processing
Storage controls
Output controls (including audit trails)
Security (including segregation of duties)

1.6 SUMMARY
This research has provided a basis for identifying controls in an advanced on-line information system. It has identified the common elements of major commercial information systems and the controls that should be in place to ensure that the integrity, availability and security of the system and data are maintained. The tables should not be used as a checklist to evaluate packaged software but rather as a guideline to what security and control features should normally be in place. Every organisation's security and control requirements may differ, depending on the importance of the application and on the extent to which the business depends on its ongoing availability.

CHAPTER 1. INTRODUCTION
In this chapter the background, methodology and conclusions of this research study on packaged software integrity and security features are explained. The issues are discussed under the following headings:
1.1 PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH
1.2 RESEARCH APPROACH
1.3 RESEARCH METHODOLOGY
1.4 LIMITATIONS AND EXCLUSIONS
1.5 CONCLUSION
1.6 SUMMARY
1.1 PROBLEM DESCRIPTION AND OBJECTIVE OF THIS RESEARCH
1.1.1 Problem description
Internal and external auditors usually have the opportunity to review the integrity controls and access security features incorporated in the design and development of in-house applications. Where necessary, it is recommended that additional controls and security features be included in the application design to ensure compliance with the required standards. In recent years large organisations that developed their own mainframe application software have been purchasing software packages to replace these applications, for example general ledger, accounts payable, accounts receivable, sales, stock and distribution systems. Vendor-supplied system and application software, also referred to as "off-the-shelf" software, is available for most mainframe applications today. System software required for the functioning of the computer hardware has been available for the last three decades; these packages include operating systems, communication software, teleprocessing software and database systems. Very few companies (if any) develop their own system software, because of the complexity of these systems and the resources required for such developments. Furthermore, vendor-supplied software has proven reliable, with adequate support provided by the major suppliers.

Murphy and Parker (1989) give the following reasons why organisations are now buying application packages in preference to developing their own application software:
Cost effectiveness: "Most of the widely used applications for business are available as packaged software, since packaged software is usually more cost-effective than in-house developments of software programs to accomplish common tasks. Packaged software is so widely used that considerations for its acquisition have been added as a procurement portion to many system development methodologies, to provide control over the selection and implementation process" (Murphy & Parker, 1989:1-3).
Economy: "The major advantage of purchased software is the economy it can offer, compared to designing and implementing systems internally. Further, software maintenance can be assigned to the vendor, helping to lessen the expense incurred by many organisations that keep a staff of programmers to maintain their systems." (Murphy & Parker, 1989:1-7).
Extensive integration: "... the extensive integration between systems in most purchased software packages has been one of the major reasons for the rapid growth of their use. The packages normally divide the information recording system into a number of applications or modules that can be used either individually or as part of an integrated system. This allows the users the flexibility to implement the systems that meet their particular requirements while still enjoying the advantages of integration." (Murphy & Parker, 1989:8-23).
Software packages are substantially complete and are customised by system parameters and tables according to the organisation's requirements. The auditor therefore does not participate in the development process that results in the incorporation of the security and controls deemed necessary for the organisation.
These advanced packages incorporate a high level of integration and include controls to ensure the integrity of input, processing, output and storage. Consequently the auditor has to identify and evaluate the available integrity controls and access control features of the package to determine to what extent he may rely on these controls. Where weaknesses and deficiencies are identified, compensating integrity controls and user controls should be considered. At the time of evaluating packages it is not possible to check the security and control features in detail, for reasons such as system complexity, unique design concepts and a lack of security- and control-related documentation. Although security and controls are important factors to consider when a package is evaluated, they are usually not the primary reasons why an organisation purchases a particular package. The auditor is therefore faced with a unique challenge when evaluating the security and control features of software packages. He or she is required to identify and evaluate these controls to determine to what extent reliance can be placed on them to satisfy the organisation's requirements and, if necessary, where those security and control features should be supplemented by user controls. While the literature discusses the difference between in-house and packaged software and refers to the auditor's role in reviewing packages for security and control features, none of the publications surveyed indicate how the auditor should carry out such a review.
1.1.2 OBJECTIVE OF THIS RESEARCH
The objective of this study is to develop a guideline / framework on how to identify and evaluate the automated controls and security features of purchased on-line software packages.
1.2 RESEARCH APPROACH
Integrity controls and security features for advanced information systems may vary from one system to another. However, on-line systems do have certain generic features, such as the input, edit, processing, update and storage processes. A study was made of advanced on-line information systems to identify the generic on-line processing methods, the processing cycles and the transaction processing flow within these cycles. The relevant security and control features that should be in place to ensure the integrity, availability and security of information systems were then identified.

1.3 RESEARCH METHODOLOGY
A literature survey was conducted on the latest authoritative publications from organisations that are recognised and acknowledged as the leaders in the field of computer auditing and that are representative of the organisations conducting ongoing research in this field. From the results of the literature survey it was possible to identify the generic automated security and control features that should be in place to ensure that the integrity of on-line information systems is maintained.
1.4 LIMITATIONS AND EXCLUSIONS
For the purposes of this research study only information system integrity controls and access control security features were considered. The following issues have been excluded.
1.4.1 Auditor's involvement in system developments. The auditor's main responsibility regarding system developments is to ensure that the integrity controls, application controls and security features are incorporated in the design and development of the application. Depending on the organisation, the auditor may also be required to assist in areas such as package assessment, package selection, acceptance testing, system testing and post-implementation review. The emphasis here was specifically on audit risk, and not on the broader involvement of the auditor.
1.4.2 System software controls.
1.4.3 General information systems controls.
1.4.4 System development controls.

1.4.5 Risks involved in system developments. The risks involved in system development and the implementation of software are of paramount importance to the auditor and should be considered and addressed during the auditor's review. However, this area is a research topic on its own and is not addressed in this dissertation. In his research essay "Risks in Traditional Computer Development", Du Toit (1989) discusses the primary and secondary risks and their causes very comprehensively.
1.4.6 User controls. User controls are an important and integral part of most information systems. These controls have not been considered in the evaluation of packaged software integrity controls, as they are largely dependent on the specific environment in which the application is used.
1.5 CONCLUSION
The research study identified the following generic elements as being necessary for advanced on-line system integrity, availability and security:
1.5.1 Processing methods: on-line real time, on-line batch and on-line memo update;
1.5.2 On-line transaction processing flow: input, processing, storage and output;
1.5.3 Information system processing controls: validity, completeness and accuracy of input, processing, storage and output;
1.5.4 Error identification, correction and re-submission controls;
1.5.5 Security features;
1.5.6 Audit trails;
1.5.7 Segregation of duties; and
1.5.8 Authorisation.
From the above, various tables were developed that can be used in the evaluation of packaged software. These tables deal with on-line system processing methods and transaction processing flows: data preparation, input and edit, processing, storage and output. For each processing method the input, processing, storage and output controls are depicted in the tables on the basis of "what can go wrong", indicating the controls necessary to prevent errors, omissions and possible fraudulent transactions. The indicated control is not necessarily the only control but is based on an available integrity control; where no satisfactory integrity controls exist, user controls are suggested. The following tables have been developed:
Table name
On-line / real time input
On-line batch update
External system interfaces
Processing
Storage controls
Output controls (including audit trails)
Security (including segregation of duties)
1.6 SUMMARY
This research has provided a basis for identifying controls in an on-line information system. It has identified the common elements of major commercial information systems and the controls that should be in place to ensure that the integrity of the system and data is maintained. Although the framework developed was not applied to a specific software application, it provides a theoretical foundation that will encourage future research and application in the area of packaged software.

CHAPTER 2. LITERATURE SURVEY
The literature survey is set out under the following headings:
2.1 OBJECTIVES, NATURE, SCOPE AND DEFINITIONS
2.2 ANALYSIS OF REFERENCES
2.3 CONCLUSIONS
2.4 BIBLIOGRAPHY
2.1 OBJECTIVES, NATURE, SCOPE AND DEFINITIONS
2.1.1 OBJECTIVES
To derive the maximum benefit from the literature survey, the objectives were defined to facilitate a comparative analysis of references. This allows the identification of the manual and automated control elements and security features that are important to ensure that the integrity of advanced on-line information systems is maintained. The objectives are:
2.1.1.1 To obtain authoritative views on on-line system processing methods, processing functions and the transaction flow within these functions, in order to identify the areas that should be subjected to security and controls.
2.1.1.2 To obtain authoritative views on information system control objectives, in order to identify the security and control features that should be present to ensure that these objectives are met.
2.1.1.3 To obtain authoritative views on the manual and automated aspects of on-line information system security and control.
2.1.1.4 To obtain authoritative views on the non-processing controls that should be considered in formalising the security and control requirements.

2.1.2 NATURE
A literature survey was conducted on the latest authoritative publications in the area of computer auditing. Publications from the following organisations were examined: American Institute of Certified Public Accountants (AICPA); The EDP Auditors Foundation (EDPAA); The Institute of Chartered Accountants in England and Wales (ICAEW); The Institute of Internal Auditors (IIA); Chartered Institute of Public Finance and Accountancy (CIPFA); International Federation of Accountants (IFA); international chartered accountant firms; and Rand Afrikaans University (RAU). The above institutions are recognised as leaders in the field of computer auditing and represent the organisations that conduct ongoing research in this field. The literature survey was restricted to these publications to ensure the acceptance and credibility of the findings of this research essay.
2.1.3 SCOPE
The emphasis of this short dissertation is on the automated security aspects and processing controls that should be considered when advanced on-line packaged software is evaluated. To achieve the objectives of the literature survey it was necessary to examine the generic computer control aspects and security features applicable to on-line systems.
2.1.3.1 Restrictions
The following restrictions were placed on the scope of the literature survey:
* Only issues that have a direct impact on information system control and security were considered;
* Control procedures and control techniques are referred to but are not dealt with in any great detail;
* Hardware and system software availability and reliability were excluded; and
* Risks involved in the computer system development process were not considered.
2.1.4 DEFINITIONS
2.1.4.1 Packaged software
Jenkins, Cooke and Quest (1992: 221) define software packages as follows: "Packages are systems developed by computer manufacturers or software houses for the more common and widely used applications such as payroll, sales, purchases and general ledger. The facilities available within each package are fixed, but the purchaser can frequently select between available facilities and vary the way in which they are used by means of parameters specified when the system is first set up."
2.2 ANALYSIS OF REFERENCES
The analysis is done in the following sections and sub-sections:
2.2.1 ON-LINE SYSTEMS PROCESSING METHODS
2.2.2 GENERIC ON-LINE SYSTEMS TRANSACTION PROCESSING FLOWS
2.2.3 INFORMATION SYSTEM CONTROLS
2.2.4 CONTROL DESCRIPTION
2.2.4.1 Interface and dependency of manual and automated controls
2.2.4.2 Control identification
2.2.4.3 Data preparation controls
2.2.4.4 Input controls
2.2.4.5 Processing controls

2.2.4.6 Processing interruption controls
2.2.4.7 Storage controls
2.2.4.8 Output controls
2.2.4.9 Error identification, correction and re-submission
2.2.4.10 Control evaluation
2.2.4.11 Control testing
2.2.5 SECURITY CONSIDERATIONS
2.2.6 OTHER CONSIDERATIONS

2.2.1 ON-LINE SYSTEMS PROCESSING METHODS

Modern computer systems are often referred to as "on-line real time" or "on-line batch" systems. This distinction has a direct bearing on the data input and processing features of the system. The International Federation of Accountants (IFAC) identifies the following main categories of processing methods in use:

2.2.1.1 On-line / Real Time Processing

"In an on-line / real time processing system, individual transactions are entered at terminal devices, validated and used to update related computer files immediately." (1989: IAG 20.08). This processing method places a very high demand on computer resources such as memory and disk space and is therefore more expensive than on-line batch processing.

2.2.1.2 On-line / Batch Processing

"In a system with on-line input and batch processing, individual transactions are entered at a terminal device, subjected to certain validation checks and added to a transaction file that contains other transactions entered during the period. Later, during a subsequent processing cycle, the transaction file may be validated further and then used to update the relevant file." (1989: IAG 20.09).

2.2.1.3 On-line / Memo Update (and subsequent processing)

"On-line input with memo update processing, also known as shadow update, combines on-line / real time processing and on-line / batch processing. Individual transactions immediately update a memo file containing information which has been extracted from the recent version of the master file. Inquiries are made from this memo file. These same transactions are added to a transaction file for subsequent validation and updating of the master file on a batch basis" (1989: IAG 20.10).

On-line / batch processing and on-line / memo update processing systems are the most widely used commercial systems because of their lesser demand on computer resources. The processing method has a direct impact on the nature, timing and extent of the data input, processing, storage and output controls.

2.2.2 GENERIC FLOW OF ON-LINE SYSTEM PROCESSING

[Fig 2-1: Data capture -> Data entry -> Edit / validation -> Processing -> Storage -> Output]
Fig 2-1 Data processing cycle with data entry via a terminal (adapted). (Davis, Adams and Schaller, 1983 : 136)

Fig 2-1 clearly identifies the generic processing cycle of data input, edit, processing, storage and output.
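The memo (shadow) update cycle of 2.2.1.3, worked through as an added example in Python; this is not code from the dissertation or from IFAC. The memo file, the light on-line validation, the stricter batch-cycle validation (an amount limit) and the reversal of rejected items out of the memo file are assumptions made for the illustration:

```python
"""On-line / memo (shadow) update: each transaction immediately updates a memo
file extracted from the master, inquiries are answered from the memo file, and
the same transactions are queued on a transaction file for batch validation and
posting to the master. Constructed illustration; accounts and balances are invented."""
import copy


class MemoUpdateSystem:
    def __init__(self, master: dict):
        self.master = master                    # master file: account -> balance
        self.memo = copy.deepcopy(master)       # memo file extracted from the master
        self.transaction_file = []              # transactions awaiting the batch cycle

    def enter(self, account: str, amount: float) -> bool:
        """On-line entry: existence check only, then immediate memo update."""
        if account not in self.memo or amount == 0:
            return False                        # rejected at the terminal
        self.memo[account] += amount            # memo reflects the transaction at once
        self.transaction_file.append((account, amount))
        return True

    def inquire(self, account: str) -> float:
        """Inquiries read the memo file, so they already show queued transactions."""
        return self.memo[account]

    def batch_update(self, limit: float) -> dict:
        """Subsequent cycle: further validation (assumed amount limit), posting of
        accepted items to the master and reversal of rejected items from the memo
        file so that memo and master agree again at the end of the cycle."""
        rejected = []
        for account, amount in self.transaction_file:
            if abs(amount) > limit:
                rejected.append((account, amount))
                self.memo[account] -= amount    # back out the provisional memo update
            else:
                self.master[account] += amount
        self.transaction_file = []
        return {"rejected": rejected, "in_balance": self.memo == self.master}
```

Between the on-line entry and the batch run the master file lags the memo file, which is why inquiries must be served from the memo file and why the batch cycle, not the terminal, is the control point for the master.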

2.2.3 INFORMATION SYSTEM CONTROLS

2.2.3.1 Information system controls

Gallegos, Richardson and Borthick (1987:155) categorise controls over individual applications as follows:

"- Input controls cover authorisation, conversion, completeness of data, and procedures for rejection or re-entry of data.
- Programmed, or processing, controls deal with actual computer processing and are applied by equipment and software.
- Output controls deal with completeness and reasonableness of processing results, as well as the distribution of computer output only to authorised users.
- Transmission controls deal with actual transmission of data and information over communication channels."

Murphy and Parker (1989: chapters 14 and 15) define the control objectives as: completeness of input and update; accuracy of input and update; validity; and maintenance (storage).

2.2.3.2 Classification

The control objectives have been classified as follows to facilitate the identification and definition of the essential control procedures:

* Input, processing, storage and output procedures
Control objectives:
- Validity (authorisation);

- Accuracy; and
- Completeness.

* Security
Control objectives:
- Integrity;
- Confidentiality; and
- Availability.

* Other considerations
- Segregation of duties;
- Authorisation; and
- Audit trails.

2.2.4 CONTROLS DESCRIPTION

Davis, et al. (1983 : 134) describe processing controls as procedures to prevent, detect and correct errors as the application transactions flow through data preparation, input, processing, storage and output.

2.2.4.1 Interface and dependency of manual and automated controls

Application controls are a combination of programmed procedures (integrity) and user (manual) controls. "From a software perspective, application controls should be considered as complementary to vendor controls in that, in combination, they should provide a complete picture of information processing operations as they take place within the computer. The application controls that are relevant to information system processing are those that interface or report to the operators of the system." (Gilhooley, 1991:255). The combination of manual and automated application controls will differ from one system to the next, depending on the processing method. Application controls for an on-line real time system will differ from those for an on-line / batch processing system. The norm is that the more complex the system, the less likely manual intervention becomes.

Boshoff (1985) has proven the interface, relationship and dependency between application controls and integrity controls. The following observations can be deduced from his research study "The interface between application controls and integrity controls in modern computer systems":

- The audit objectives for information systems remain the same regardless of how these software applications are developed;
- In any computer system there is a combination of integrity and application controls;
- Integrity and application controls are a useful classification of control techniques needed to achieve the control objectives;
- The techniques used to achieve these control objectives for information systems may change depending on the system that is evaluated; and
- Integrity controls may in certain circumstances be regarded as a primary control and application controls as secondary controls, depending on the effectiveness of the integrity control.

The interface and dependency of integrity controls and application controls in any given system will depend on the following factors:

- system complexity;
- absence of input documentation;
- lack of management or audit trail;
- lack of control evidence;
- electronic authorisation;
- application controls not evidenced by output from the computer;
- internally (computer) generated transactions;
- single source transaction with multiple update tasks; and
- record keeping in electronic format.

The manual and automated aspects of the transaction processing flows are input, processing, storage and output. For each process flow there should be an adequate combination of manual and automated controls in place to ensure validity, accuracy and completeness of processing.

2.2.4.2 Control identification

Controls may be classified as follows:

- Hardware controls (H);
- System software controls (S);
- Manual controls (M); and
- Application system controls (A).

A chart prepared by the U.S. Government Accounting Office, based on the System Auditability and Control Study by Stanford Research Institute (January 1977), is used to identify the manual and automated aspects of data processing controls for advanced on-line information systems (Gallegos, et al. 1987 : 140-145). Modifications and changes to the chart are indicated by an asterisk (*). The transaction processing flow is depicted under the following headings:

- Transaction origination;
- Data processing transaction entry;
- Data communication control;
- Computer processing;
- Data storage and retrieval; and
- Output processing.

These are set out in Table 2.1 below.

(The H, S, M and A columns of the original chart, which mark each control as hardware, system software, manual or application, did not survive extraction and are not reproduced here.)

(a) Transaction origination

(1.0) Source document origination
(1.1) Written procedures: Contract (*); Agreement (*); Control documentation; User procedures and manuals; On-line help (*); On-line data capture procedures (*)
(1.2) Source document: Special purpose forms design; Source document numbers; Transaction identification; Cross reference; Sequence log; Pre-formatted input screens (*)
(1.3) Source document storage: Restricted access; Accountable source document storage; Intermediate storage and transportation; Electronic storage (*)
(1.4) Source document handling: Dual custody
(1.5) System generated transactions (*): Access control (*); Contracts (*); Agreements (*); Programmed procedures (*)

(2.0) Authorisation
(2.1) Source document preparation: Access control (*); Segregation of duties; Signature; On-line verification (*)
(2.2) Written procedures: Written authorisation
(2.3) Approval of source documents: Access control (*); Evidence of approval; Transaction conflict matrix; On-line verification (*); On-line authorisation (*)

(3.0) Data processing input preparation
(3.1) Transaction identification: Transaction numbering; User identification; Schedule desk
(3.2) User review of input: Manual review
(3.3) Batching: Batch serial number; Limit the number of transactions in a batch; Batch and balance source data at point of origin
(3.4) Logging: Logs of source documents; Transmittal between organisations
(3.5) Transmittal: Transmittal document; Mail and message carrier; Physical security of input

(4.0) Source document retention
(4.1) Source document retention characteristics: Source turnaround; Retention dates on source documents; Source document storage index; Electronic media storage (*)
(4.2) Filing of source document: File of source documents; Batch storage; Source document maintained at origin; Electronic media storage (*)
(4.3) Retention storage: Filing in user area; Limited access to retention facilities; Removal from retention; Electronic media storage (*)

(5.0) Source document error handling
(5.1) Error procedures: Written error handling procedures; Source document correction procedures; Responsibility for error correction; On-line help (*)
(5.2) Error detection: Error logging; Visual review of source document; Programmed procedures (*)
(5.3) Error correction processing: Error notification; Identification of error correction
(5.4) Corrected data resubmitted: Verification of re-entered data; Monitoring of error corrections

(b) Data processing transaction entry

(1.0) Transaction batch data entry
(1.1) Written procedures: Control documentation; User procedures
(1.2) Physical hardware: Location of data conversion operations; Simultaneous recording

(2.0) Terminal data entry
(2.1) Terminal software features: Security of data entry terminals; Pre-formatting; Interactive display; Computer aided instruction; User application system access; Terminal authority levels; Data access matrix; Master commands; Terminal sign-on procedures; Review of terminal assignments
(2.2) Hardware control features: Terminal features; Intelligent terminals

(3.0) Transaction data verification
(3.1) Transaction verification techniques: Key verification; Pre-programmed keying formats
(3.2) Data content validation: Editing and validation routines; Transaction data cut-off techniques; Passwords

(4.0) Batch proof and balancing
(4.1) Data input controls: Processing schedule; Turnaround documents; Cancellation of source documentation; Logging
(4.2) Proof and balancing methods: Manual check of control figures; Batch control; Batch header records
(4.3) Error detection: Error display; Unauthorised access attempts; Error listings

(5.0) Transaction entry error handling
(5.1) Error correction: Corrective action; Warning messages; Error messages

(c) Data communication controls

(1.0) Message input
(1.1) Hardware related: Electronic identification code
(1.2) Software and procedure related: Secure phone equipment rooms; Network configuration polling table; Sending message identification; Security table; Communication system control log

(2.0) Message transmission
(2.1) Hardware related: Communication line routing; Line conditioning; Automatic store and forward; Automatic dial backup; Modem loop back switch; Forward error correction; Validity checks; Echo checking; Message interrupt function; Packet switching networks; Local loop security; Encryption techniques; Multipurpose modems; Backup modems; Backup lines
(2.2) Software and procedure related: Transmission batch controls

(3.0) Message reception and accounting
(3.1) Hardware related: Detection with re-transmission; Backup electrical power
(3.2) Software and procedure related: Validation; Line usage records; Message sequence number; Input / output message log; Dial-up modems; Message backup log; Error recording; Error correction procedures

(d) Computer processing

(1.0) Computer process integrity
(1.1) Transaction identification: Transaction codes; Monitoring computer generated transactions
(1.2) Computation and logic: Control totals; Default options; Anticipation control; Dual fields; Arithmetic accuracy; Exception reporting; File control totals; File completion checks
(1.3) File maintenance: Balancing the computer file; Dummy records
(1.4) Computer operations personnel: Operator instructions; Computer program run book; Computer console; Display messages

(2.0) Computer processing error handling
(2.1) Error reporting: Batch control header balancing; Production report of rejected conditions
(2.2) Error correction: Automated error suspense file; Discrepancy report; Error serial number
(2.3) Corrected data re-submission: Destructive update; Error suspense re-entry

(e) Data storage and retrieval

(1.0) File handling
(1.1) Library: Operating procedures; On-line library; Source program statement library
(1.2) File access: Conflict prevention features; Group files; File classification; Database control table; Passwords; Program linkage control table; Header / trailer labels; System inquiries; System logging; Manual authorisation of security table
(1.3) File maintenance: Folio number; Before and after looks; Master file changes; Dormant files; Excessive activity; Scanning of critical files
(1.4) Backup: Activity tape; Separate computer; Copy master files; Backup procedures; Disaster plan; Recovery procedures
(1.5) Electronic source document retention: Restricted access

(2.0) File error handling
(2.1) Error reporting: Operator intervention; Comparison programs
(2.2) Error correction: Restart procedure; Backup file usage
(2.3) Correction re-entry: Job stream log

(f) Output processing

(1.0) Data processing balancing and reconciliation
(1.1) Data processing control group: Reconciliation transaction log; Computer console log; System output logs; Record of output reports; Monitoring process flows; Job control card review; Graphical charts

(2.0) Output distribution
(2.1) Output handling: Handling procedures for computer output; Output report distribution; Report copies

(3.0) User balancing and reconciliation
(3.1) Monitoring procedures: User departments changes in master files; Report heading; Transaction tracing list; Internally generated transactions; Control totals
(3.2) Testing procedure: Statistical sampling of final report; List of all transactions

(4.0) Record retention
(4.1) User retention and disposal methods: Waste disposal procedures; Elimination of unused reports

(5.0) Accountable documents
(5.1) Accountable document handling: Negotiable document storage; Printing of additional sequence number on pre-printed forms; On-line storage

(6.0) Output error handling
(6.1) Error reporting: Independent history file of errors; Ageing open items; Error logging by control groups; Output activity review
(6.2) Error correction: Identification of error; Error correction processing; Correction procedures; Responsibility for error correction
(6.3) Correction re-entry: Error logging; Verification of re-entered data; Monitoring of error conditions

Table 2.1 Internal controls for automatic data processing. (Gallegos, et al., 1987: 141-145).

2.2.4.3 Data preparation controls

The nature and extent of data preparation controls depend on the technology used in data capture.

* Data capture activities
Data preparation techniques are normally applied to batch processing systems where data is recorded on documents and then converted to a machine readable form. Davis, et al. (1983: 38) define data preparation activities as follows:
- The manual review of source documents and, if necessary, corrections, additions and deletion of data;
- Preparation of documents for processing controls, using techniques such as batches and batch control totals;
- Transcription to machine readable format, verification of the correctness thereof and validation of some data items; and
- Conversion from one machine readable form to another.

* On-line data capture and on-line help facilities
Most advanced on-line systems have data capture and on-line help facilities that users of the system can refer to during on-line data capture. This information is based on the system parameters defined in tables and system files.

2.2.4.4 Input controls

The main objective of input controls is to identify and correct errors as early as possible in the processing cycle. Davis, et al. (1983 :171) relate the input method to the control technique and the relevant data validation techniques as follows:

- Direct terminal entry and immediate processing of transactions with immediate data validation;
- Immediate terminal entry of transactions, which are stored for subsequent processing, with immediate and / or delayed validation processing; and
- Periodic preparation of batched transaction documents and periodic processing of the batched transactions.

(a) On-line systems

Jenkins, et al. (1992 :173-174) classify these controls as follows:

* Edit and validation checks
Edit and validation routines are used to ensure the accuracy and completeness of on-line input. The main edit checks are:

- Format checks
Format checks are designed to ensure the data format is valid and accurate, for example a correct date format and fields that accept alphabetic or numeric characters only.

- Screen checks
Interactive programmed processing techniques reduce the likelihood of transactions being incorrectly recorded. Examples of screen checks are formatted input screens (the electronic equivalent of pre-printed input documents), program prompts for the next logical input by moving to the appropriate part of the screen, and echo checks whereby the operator verifies the information as it is keyed into the system.

- Existence checks

Programmed routines that prevent processing of input data unless the information matches related standing data or tables, such as a valid company number, customer number or product code.

- Check digit verification
This is a programmed technique to detect transcription and transposition errors. A redundant number is added to the permanent data record, such as a general ledger account number.

* Reasonableness checks
Programmed procedures to check ranges and limits of input data based on pre-defined parameters or tables.

* Dependency checks
Dependency tests determine whether there is a logical relationship between two or more data elements in an input data record, for example customer number and customer name. Linked to dependency tests are default options that alleviate further input; that is, based on the customer number the customer name is automatically entered in the required input fields.

Gilhooley (1991:271) identifies a further category, namely:

* Mandatory input fields
Mandatory input fields ensure completeness and accuracy of input by not allowing any further processing unless the required input is made. Normally an error message is displayed indicating the nature of the error; for example, when a transaction code is entered that is not defined to the system it will display the error message "invalid transaction code".

* Duplicate recording of transaction data
Programmed routines that match current input data to historic data are one way of detecting duplicate recording of transaction data. On identification of a duplicate transaction the system should prevent further data input.

* Exception reporting
Entries that do not pass the editing rules in the application system should be listed in an exception report and followed up by the users of the system.

(b) Batch systems

On-line real time processing is used in combination with batch processing to ensure maximum utilisation of hardware and software. "On-line input with memo update processing, also known as shadow update, combines on-line / real time processing and on-line / batch processing. Individual transactions immediately update a memo file containing information which has been extracted from the recent version of the master file. Inquiries are made from this memo file. These same transactions are added to a transaction file for subsequent validation and updating of the master file on a batch basis" (1989: IAG 20.10).

Gilhooley (1991:271) categorises input validations and edit checks applicable to batch systems as follows:

* Batch header
Every batch should have a batch header with details of the application and summary details of how the completeness and accuracy of processing will be assured.

* Control total reconciliation

There should be a reconciliation process in place to ensure the integrity of processing.

* Hash total checks
This is a common and effective control to ensure accuracy and validity of processing.

* Crossfoot and balance checks
All batches should have crossfoot and balance checks in place that will enable users to balance input to output.

* Record count
There should be a record count of the number of transactions in the batch, which is used for input and output balancing.

In a batch-only environment the validation and editing techniques as defined for on-line editing will be applied during the processing stage.

* External system interfaces
External interfaces are data output from one system required as input for the next system. An example is data from the payroll system that is required as input for the cost centre expense analysis system. Control techniques are run-to-run control totals and record count totals, data edit and validation routines and exception reporting, to ensure the accuracy and completeness of processing.

* System generated transactions
Transactions can be generated by the information system based on predefined conditions, for example the generation of a purchase order when stock levels go below a certain level.

Control techniques to maintain validity, accuracy and completeness are access control and strong user controls that ensure that the conditions on which the transaction generation is based remain valid in times of changing circumstances.

2.2.4.5 Processing controls

* On-line systems
On-line systems consist of the following components that enable users to access data and programs:
(a) Telecommunication software;
(b) Transaction processing software;
(c) Application system software;
(d) Data base management systems; and
(e) Operating system software.

Should components (a), (b), (d) or (e) fail, all on-line applications will be affected. Controls applicable to this scenario are not dealt with in this research dissertation. The application system software component (point (c) above) should have automated and manual controls in place to ensure that processing is carried out accurately and completely. Examples of such controls are daily reports produced by the system that state successful completion of the update tasks, and user controls such as balancing system output to input.

* Batch systems
Sufficient manual and automated controls should be incorporated into the application systems to ensure accuracy and completeness of processing. Gallegos, et al. (1987: 160-167) give the following examples of batch system controls:

- Tape header and trailer labels
Header and trailer labels are records containing information about the tape such as identification, control and retention details. This control prevents accidental changes to, or destruction of, the tape.

- File verification
The verification of the file version is crucial for reliable processing. This checks that the correct generation of the file is used for processing.

- File labelling
This procedure identifies the tape or disk, which must reconcile with the application control details before processing can continue.

- Run to run controls
These totals should be maintained to ensure that no records are added, deleted or lost during processing.

- Warning and error messages
Depending on the nature of the error detected during processing, warning or error messages will be printed. In the case of warning messages processing will normally continue, allowing for subsequent follow-up by the user. In the case of an error condition, processing of the records will not be completed until the record has been corrected.

- Exception reports listing the errors in input
All records that do not pass the validation process should be logged and printed on a report for the users to follow up, correct and resubmit for processing.
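The on-line edit checks of 2.2.4.4 (a), the batch header controls of 2.2.4.4 (b) and the run-to-run control and exception report of 2.2.4.5, carried through in one small program as an added example in Python; this is not code from the dissertation or from any of the cited sources. The customer and transaction-code tables, the modulus-11 check-digit scheme, the reasonableness limit, the signed posting of transaction codes to the master file and the five-record sample batch are all constructed assumptions for the illustration:

```python
"""Edit / validation checks for on-line input, batch header reconciliation and a
run-to-run control total. Standing-data tables, check-digit scheme, reasonableness
limit and the sample batch are constructed for this example."""
from datetime import date

# Constructed standing data: the tables that existence checks consult.
CUSTOMERS = {"C001": "Acme Ltd", "C002": "Beta Stores"}
TRANSACTION_CODES = {"INV": +1, "CRN": -1, "PAY": -1}   # code -> assumed posting sign
AMOUNT_LIMIT = 50_000.00   # assumed reasonableness ceiling for one transaction


def mod11_check_digit(body: str):
    """Assumed modulus-11 scheme, weights 2, 3, ... right to left; None if digit 10 needed."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    r = (11 - total % 11) % 11
    return None if r == 10 else r


def check_digit_ok(account: str) -> bool:
    """Check digit verification: last digit must equal the computed one, which catches
    single-digit transcription errors and adjacent transpositions."""
    if not account.isdigit() or len(account) < 2:
        return False
    return mod11_check_digit(account[:-1]) == int(account[-1])


def txn_key(t: dict) -> tuple:
    # Fields matched against historic data to detect duplicate recording.
    return (t.get("code"), t.get("account"), t.get("customer"), t.get("date"), t.get("amount"))


def validate(t: dict, history: set) -> list:
    """Apply the on-line edit checks to one transaction; returns its error messages."""
    errors = []
    code = t.get("code")
    if not code:                                    # mandatory input field
        errors.append("transaction code is mandatory")
    elif code not in TRANSACTION_CODES:             # existence check against a table
        errors.append("invalid transaction code")
    try:                                            # format check on the date
        date.fromisoformat(t.get("date", ""))
    except ValueError:
        errors.append("invalid date format")
    if not check_digit_ok(t.get("account", "")):    # check digit verification
        errors.append("account number fails check digit")
    cust = t.get("customer")
    if cust not in CUSTOMERS:                       # existence check
        errors.append("unknown customer number")
    elif t.get("name") and t["name"] != CUSTOMERS[cust]:   # dependency check
        errors.append("customer name does not match customer number")
    else:
        t["name"] = CUSTOMERS[cust]                 # default option: derive the name
    if not 0 < t.get("amount", 0) <= AMOUNT_LIMIT:  # reasonableness check
        errors.append("amount outside reasonable range")
    if txn_key(t) in history:                       # duplicate recording
        errors.append("duplicate transaction")
    return errors


def check_batch(header: dict, records: list) -> list:
    """Batch header reconciliation: record count, control total of the amount field
    and hash total of the account numbers must agree with the header."""
    problems = []
    if header["record_count"] != len(records):
        problems.append("record count does not agree with batch header")
    if round(sum(r["amount"] for r in records), 2) != header["control_total"]:
        problems.append("control total does not agree with batch header")
    if sum(int(r["account"]) for r in records if r["account"].isdigit()) != header["hash_total"]:
        problems.append("hash total does not agree with batch header")
    return problems


def process_batch(header: dict, records: list, master: dict, history: set) -> dict:
    """Validate each record of a balanced batch, post accepted ones to the master
    file and prove the update with a run-to-run control total."""
    report = {"batch_errors": check_batch(header, records), "accepted": [],
              "exceptions": {}, "run_to_run_ok": None}
    if report["batch_errors"]:
        return report                               # an unbalanced batch is not processed
    opening, posted = sum(master.values()), 0.0
    for r in records:
        errs = validate(r, history)
        if errs:
            report["exceptions"][r["seq"]] = errs   # exception report for user follow-up
            continue
        history.add(txn_key(r))
        signed = TRANSACTION_CODES[r["code"]] * r["amount"]
        master[r["account"]] = master.get(r["account"], 0.0) + signed
        posted += signed
        report["accepted"].append(r["seq"])
    # Run-to-run control: closing master total must equal opening total plus postings.
    report["run_to_run_ok"] = round(sum(master.values()), 2) == round(opening + posted, 2)
    return report


def demo() -> tuple:
    """Constructed batch: record 1 is valid; records 2 to 5 each fail at least one check."""
    batch = [
        {"seq": 1, "code": "INV", "date": "2024-03-01", "account": "123455", "customer": "C001", "amount": 1200.0},
        {"seq": 2, "code": "XYZ", "date": "2024-03-01", "account": "123455", "customer": "C001", "amount": 300.0},
        {"seq": 3, "code": "INV", "date": "2024-13-01", "account": "213455", "customer": "C999", "amount": 75000.0},
        {"seq": 4, "code": "INV", "date": "2024-03-01", "account": "123455", "customer": "C001", "amount": 1200.0},
        {"seq": 5, "code": "PAY", "date": "2024-03-02", "account": "123455", "customer": "C002", "name": "Acme Ltd", "amount": 500.0},
    ]
    header = {"record_count": 5, "control_total": 78200.0, "hash_total": 707275}
    master = {"123455": 10000.0}                    # constructed opening master file
    return process_batch(header, batch, master, set()), master
```

Running demo() returns the exception report and the updated master file: only record 1 is posted, record 3 collects four messages, record 4 is caught as a duplicate of record 1, record 5 fails the dependency check between customer number and name, and the closing master total agrees with opening plus postings. An out-of-balance header stops the batch before any record is validated, which is the point of reconciling the header first.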