CH 13 SLATER: Processing Integrity and Availability Controls

Accounting Information Systems: Processing Integrity and Availability Controls

Learning Objectives

  • Input, Processing, and Output Controls: Identify and explain the controls to ensure processing integrity.

  • Systems Availability: Identify and explain controls designed to minimize system downtime and enable efficient recovery and resumption of operations.

Processing Integrity

The three categories of integrity controls designed to ensure processing integrity are:

  1. Input Controls

  2. Processing Controls

  3. Output Controls

Input Controls
  • Input controls aim to ensure that the data entered into the system is valid, accurate, complete, and timely (the principle of "Garbage in, garbage out").

  • Companies must establish control procedures for all source documents:

    • Authorized: Valid documents must be authenticated.

    • Accurate: Data must be precise.

    • Complete: No details should be omitted.

    • Timely: Data must be submitted in a reasonable period.

Specific Input Controls:
  1. Forms Design:

    • Documentation should minimize errors through thoughtful design.

  2. Pre-numbered Forms:

    • Helps verify that no items are missing. The system should report missing or duplicate numbers.

  3. Turnaround Documents:

    • Machine-readable documents sent to external parties for processing, e.g., utility payment stubs.

  4. Cancellation and Storage of Documents:

    • Processed documents should be marked as processed rather than destroyed, and retained as legal requirements dictate.

Data Entry Controls

These are needed to ensure correct entry of data after it has been collected.

  • Field Check: Ensures characters in a field are of the correct type (e.g., numeric for social security).

  • Sign Check: Confirms data has the appropriate sign (e.g., student hours cannot be negative).

  • Limit Check: Tests whether an amount exceeds a predetermined value (e.g., ensuring payroll hours do not exceed specified limits).

  • Range Check: Verifies that numbers fall within a set range (e.g., hours between zero and thirty-six).

  • Size Check: Confirms the data fits into the designated field (e.g., SSN of 9 digits).

  • Completeness Check: Validates that all required fields are filled (e.g., billing address for university enrollment).

  • Validity Check: Compares entered values against a set of acceptable values (e.g., state code).

  • Reasonableness Test: Checks if relationships are logical (e.g., financial aid amounts for students).

  • Check Digit Verification: Ensures accuracy by verifying an appended check digit against the computed value.
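The data entry checks above applied to one timesheet record, as an added example that is not part of the original notes. The field names, the state list, the sample records and the use of the Luhn algorithm for the check digit are assumptions made for illustration.

```python
import re

VALID_STATES = {"CA", "NY", "TX", "WA"}  # constructed list for the validity check
REQUIRED = ("employee_id", "ssn", "state", "hours")
MAX_HOURS = 36  # upper bound from the range-check example

def luhn_ok(number):
    """Check digit verification; Luhn is an assumed scheme, not the page's."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate(record):
    """Return the edit checks that one keyed-in record (all strings) fails."""
    missing = [f for f in REQUIRED if not record.get(f, "").strip()]
    if missing:  # completeness check: the other checks need every field
        return ["completeness:" + f for f in missing]
    errors = []
    if not re.fullmatch(r"[0-9]+", record["ssn"]):
        errors.append("field:ssn")  # field check: digits only
    if len(record["ssn"]) != 9:
        errors.append("size:ssn")  # size check: 9-digit field
    if record["state"] not in VALID_STATES:
        errors.append("validity:state")  # validity check against the list
    if not re.fullmatch(r"[0-9]{2,}", record["employee_id"]):
        errors.append("field:employee_id")
    elif not luhn_ok(record["employee_id"]):
        errors.append("check_digit:employee_id")
    if not re.fullmatch(r"-?[0-9]+(\.[0-9]+)?", record["hours"]):
        return errors + ["field:hours"]
    hours = float(record["hours"])
    if hours < 0:
        errors.append("sign:hours")  # sign check: hours cannot be negative
    elif hours > MAX_HOURS:
        errors.append("limit:hours")  # limit check / top of the 0-36 range
    return errors

# Constructed sample input: one clean record and one with four keying errors.
GOOD = {"employee_id": "79927398713", "ssn": "123456789", "state": "CA", "hours": "32"}
BAD = {"employee_id": "79927398731", "ssn": "12345678A", "state": "ZZ", "hours": "-4"}

if __name__ == "__main__":
    print(validate(GOOD))
    print(validate(BAD))
```

The second record has its last two employee-ID digits transposed, which is the kind of keying error a check digit exists to catch.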

Batch Processing Controls

For batch processing, specific controls include:

  • Sequence Check: Confirms records are in the proper order.

  • Error Log: Tracks input processing errors and their corrections.

  • Batch Totals: Calculated for financial and non-financial data (like employee social security numbers).

Online Processing Controls

For online systems, controls include:

  • Prompting: Requests each required input item in turn, ensuring completeness.

  • Closed-loop Verification: Checks input accuracy by using the entered value to retrieve and display related data (e.g., customer name from account number).

  • Transaction Logs: Document all entries with details for tracking and potential recovery.

Processing Controls

Processing controls ensure that data is processed accurately.

  • Data Matching: Requires multiple items to match (e.g., quantities billed must agree across all documentation).

  • File Labels: Ensure that the correct files are in use through visual verification of headers and trailers.

  • Recalculation of Batch Totals: Comparing totals during processing to prevent errors.

  • Cross-footing Balance Test: Confirms that totals calculated in different ways agree.

  • Write-protection Mechanisms: Prevent accidental data overwriting.

  • Concurrent Update Controls: Protect data from simultaneous updates by multiple users through locking mechanisms.
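The batch controls from the Batch Processing Controls list (sequence check, batch totals) and the recalculation of batch totals listed here, as an added example that is not part of the original notes. The record layout, document numbers and amounts are constructed for illustration.

```python
from decimal import Decimal

def batch_totals(records):
    """Control totals prepared when the batch is assembled."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: a sum with no business meaning, kept only as a control.
        "hash_total": sum(int(r["ssn"]) for r in records),
    }

def sequence_check(records, key="doc_no"):
    """Return (out_of_order, duplicates, missing) pre-numbered document numbers."""
    nums = [r[key] for r in records]
    if not nums:
        return [], [], []
    out_of_order = [b for a, b in zip(nums, nums[1:]) if b < a]
    seen, duplicates = set(), []
    for n in nums:
        if n in seen:
            duplicates.append(n)
        seen.add(n)
    missing = [n for n in range(min(nums), max(nums) + 1) if n not in seen]
    return out_of_order, duplicates, missing

def recalculate(header, records):
    """Recompute totals after processing; return {total: (expected, actual)}."""
    actual = batch_totals(records)
    return {k: (header[k], actual[k]) for k in header if header[k] != actual[k]}

# Constructed sample batch of four pre-numbered payroll documents.
PREPARED = [
    {"doc_no": 1001, "ssn": "123456789", "amount": "1520.00"},
    {"doc_no": 1002, "ssn": "234567890", "amount": "980.50"},
    {"doc_no": 1003, "ssn": "345678901", "amount": "2010.25"},
    {"doc_no": 1004, "ssn": "456789012", "amount": "760.00"},
]
HEADER = batch_totals(PREPARED)
# After processing: document 1003 was lost and 1002 was keyed as 890.50.
PROCESSED = [PREPARED[0], dict(PREPARED[1], amount="890.50"), PREPARED[3]]

if __name__ == "__main__":
    print(sequence_check(PROCESSED))
    print(recalculate(HEADER, PROCESSED))
```

A lost record disturbs all three totals, while a mis-keyed amount disturbs only the financial total, so the pattern of mismatches points to the kind of error.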

Output Controls

Careful review of output can enhance processing integrity:

  • User Review of Output: Users should verify output for completeness and accuracy.

  • Reconciliation Procedures: Regularly reconciling transactions and system updates to control reports.

  • External Data Reconciliation: Comparing internal data with external sources (e.g., payroll vs. HR records).

  • Data Transmission Errors: Controls like checksums and parity checks minimize transmission errors.

    • Checksums: Verify that data matches at the sending and receiving end.
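A parity check and a checksum compared on the same transmitted message, as an added example that is not part of the original notes. The message, the frame layout and the choice of CRC-32 as the checksum are assumptions made for illustration.

```python
import zlib

def parity_bit(data):
    """Even parity: 1 when the payload has an odd number of 1-bits."""
    return sum(bin(b).count("1") for b in data) % 2

def send(data):
    """Sender side: attach a parity bit and a CRC-32 checksum to the payload."""
    return {"data": data, "parity": parity_bit(data), "checksum": zlib.crc32(data)}

def receive(frame):
    """Receiver side: recompute both values and report which checks pass."""
    data = frame["data"]
    return {
        "parity_ok": parity_bit(data) == frame["parity"],
        "checksum_ok": zlib.crc32(data) == frame["checksum"],
    }

def corrupt(frame, bit_positions):
    """Simulate line noise by flipping the given bits of the payload in transit."""
    buf = bytearray(frame["data"])
    for p in bit_positions:
        buf[p // 8] ^= 1 << (p % 8)
    return dict(frame, data=bytes(buf))

# Constructed sample message.
FRAME = send(b"PAY 1520.00 TO ACCT 1001")

if __name__ == "__main__":
    print(receive(FRAME))                    # both checks pass
    print(receive(corrupt(FRAME, [3])))      # one flipped bit: both checks fail
    print(receive(corrupt(FRAME, [3, 10])))  # two flipped bits: parity passes anyway
```

A single parity bit cannot see an even number of flipped bits, which is why it is paired with a checksum.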

Availability

Ensuring systems are reliably available is critical, as downtime can result in financial losses.

Minimizing Risk of System Downtime
  • Access Controls: Reduce risks of denial-of-service attacks.

  • Preventative Maintenance: Keep systems running smoothly (e.g., clean hardware, store media correctly).

  • Physical Design: Design server rooms to minimize risks (floors to prevent flooding, fire systems, air conditioning).

  • Uninterruptible Power Supply (UPS): Ensures systems remain functional during power outages.

Training and Awareness

Regular training helps mitigate the risk of human error and promotes knowledge about security practices.

Disaster Recovery and Business Continuity Planning
  • Disaster Recovery Plan (DRP): Focuses on recovery from disasters.

  • Business Continuity Plan (BCP): Ensures business operations can continue during and after a disaster.

  • Objectives of DRP/BCP: Minimize damage, provide temporary processing means, resume operations promptly, train personnel.

  • Recovery Point Objective (RPO): Determines how much data loss is acceptable during recovery.

  • Recovery Time Objective (RTO): Establishes how long systems can be offline.

Key Components of Effective Plans:
  • Data Backup Procedures: Back up all current data regularly.

  • Infrastructure Replacement: Ensuring systems are restored quickly post-disaster (cold/hot sites).

  • Documentation: Keeps clear instructions and records of plans and procedures.

  • Testing: Regularly test plans to identify weaknesses and ensure efficacy.

  • Insurance: Secure proper insurance to cover costs related to recovery efforts.

Backup Procedures
  • Full Backup: Complete data copy.

  • Incremental Backup: Backs up only the data changed since the last backup; restoration requires the last full backup plus all subsequent incrementals.

  • Differential Backup: Captures all changes since the last full backup; simpler restoration than incremental.

  • Backups should be stored securely, with care for archival copies meeting regulatory requirements.
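Which backup sets a restore needs under each scheme, and how the resulting data loss compares with an RPO, as an added example that is not part of the original notes. The catalog layout, dates and failure time are constructed for illustration, and a catalog that mixes incrementals and differentials after one full backup is deliberately not modelled.

```python
from datetime import datetime, timedelta

def restore_chain(catalog, failure_time):
    """Return the backup sets to apply, oldest first, to recover from a failure."""
    usable = sorted((b for b in catalog if b["taken"] <= failure_time),
                    key=lambda b: b["taken"])
    fulls = [b for b in usable if b["kind"] == "full"]
    if not fulls:
        raise ValueError("no full backup exists before the failure")
    full = fulls[-1]
    later = [b for b in usable if b["taken"] > full["taken"]]
    kinds = {b["kind"] for b in later}
    if kinds <= {"incremental"}:
        return [full] + later      # every incremental since the full is needed
    if kinds == {"differential"}:
        return [full, later[-1]]   # only the newest differential is needed
    raise ValueError("mixed schemes after the last full backup are not modelled")

def data_loss_window(catalog, failure_time):
    """Work done after the newest restorable backup is lost."""
    return failure_time - restore_chain(catalog, failure_time)[-1]["taken"]

def meets_rpo(catalog, failure_time, rpo):
    """True when the data lost in this failure stays within the RPO."""
    return data_loss_window(catalog, failure_time) <= rpo

def make_catalog(kind):
    """Constructed sample: Sunday full backup, then three nightly backups."""
    full = {"kind": "full", "taken": datetime(2024, 1, 7, 1, 0)}
    nightly = [{"kind": kind, "taken": datetime(2024, 1, d, 1, 0)}
               for d in (8, 9, 10)]
    return [full] + nightly

FAILURE = datetime(2024, 1, 10, 15, 0)  # constructed failure, Wednesday 15:00

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        chain = restore_chain(make_catalog(kind), FAILURE)
        print(kind, len(chain), "sets to restore")
    print(data_loss_window(make_catalog("incremental"), FAILURE))
```

Both schemes lose the same 14 hours of work here; they differ in how many sets must be read back, which affects recovery time.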

Backup Duration
  • Backups are retained for a limited time, while archives should be kept indefinitely for recordkeeping.

Infrastructure Replacement Options
  1. Cold Sites: Empty buildings ready for setup but require time for equipment to be deployed.

  2. Hot Sites: Fully equipped facilities ready for immediate use.

  3. Real-time Mirroring: Synchronized data copies at multiple locations for maximum uptime.

Importance of Documentation
  • Documentation should include the detailed DRP/BCP, assignment of responsibilities, and equipment/user guidelines.

Emphasis on Testing

Regular tests help unveil potential issues before they manifest in real emergencies, allowing for adjustments to plans as needed.

Final Note

Organizations must invest in disaster recovery and business continuity strategies to safeguard against risks, ensuring the resilience of their information systems.