Accounting Systems, Transaction Processing, and Internal Control

Module 1: Accounting Systems, Transaction Processing, and Internal Control

Topic: Processing Integrity and Availability Controls

Availability

  • Key Objectives

    • Minimize the risk of system downtime.

    • Ensure quick and complete recovery and resumption of normal operations.

Minimize Risks

  • Preventive Maintenance

    • Cleaning of junk files.

    • Proper storage of disk drives (e.g., in a dry place).

  • Fault Tolerance

    • The ability of a system to continue operating if a part fails due to modular design.

  • Data Centre Location

    • Minimize risk of natural and man-made disasters.

    • Strategies include raised floors, fire detection systems, and surge protection.

  • Training

    • Staff are less likely to make operational mistakes.

    • Employees will be knowledgeable in recovery methods to minimize damage from errors they do commit.

  • Patch Management

    • Regular installation, running, and updating antivirus and anti-spyware programs.

Quick Recovery

  • Backup Strategies

    • Incremental Backup

    • Only copies data that has changed since the last partial backup.

    • Differential Backup

    • Only copies data that has changed since the last full backup.

Comparison of Incremental and Differential Daily Backups

  • Panel A: Incremental Daily Backups

    • Restore Process:

    1. Sunday full backup.

    2. Monday backup.

    3. Tuesday backup.

    4. Wednesday backup.

    • Problem:

    • Data loss exists if any incremental backup file is lost.

  • Panel B: Differential Daily Backups

    • Restore Process:

    1. Sunday full backup.

    2. Wednesday backup.

    • Problem:

    • All changes since the last full backup need to be available.

Business Continuity Plan (BCP)

  • Ensures continuity of not just IT operations, but all business processes.

    • Key strategies include:

    • Relocating to new offices.

    • Hiring temporary replacements.

Disaster Recovery Plan (DRP)

  • Procedures established to restore an organization's IT functions if the data centre is destroyed.

    • Cold Site:

    • An empty building pre-wired for necessary telephone and internet access, with vendors contracted for timely equipment provision.

    • Hot Site:

    • Fully equipped facility with pre-wired access and all necessary computing equipment available for business activities.

    • Second Data Centre:

    • Used for backup and site mirroring.

Processing Integrity

Trust Services Framework

  • Security:

    • Access to systems and data is restricted to legitimate users.

  • Confidentiality:

    • Sensitive organizational information (e.g., marketing plans, trade secrets) is protected from unauthorized disclosure.

  • Privacy:

    • Personal information about customers is collected, stored, and used in compliance with internal policies and external regulations, safeguarding it from unauthorized disclosure.

  • Processing Integrity:

    • Data must be processed accurately, completely, timely, and only with proper authorization.

  • Availability:

    • Systems and their information are accessible to fulfill operational and contractual obligations.

Controls Ensuring Processing Integrity

  • Application Controls for Processing Integrity

    • Process Stages: Input, Processing, Output

    • Threats/Risks:

    • Data can be: Invalid, Unauthorized, Incomplete, Inaccurate.

    • Results in errors in output and stored data, use of inaccurate reports, unauthorized disclosure, and loss or alteration of information in transit.

    • Controls:

    • Input Controls, Processing Controls, Output Controls.

Input Controls

  • General Principle: 'Garbage in, Garbage out'

    • Form Design:

    • All forms should be sequentially numbered to verify missing documents.

    • Use of turnaround documents to minimize input errors.

      • Documents marked as 'paid' upon cancellation and storage.

  • Data Entry Checks:

    • Field check, Sign check, Limit check, Range check, Size check, Completeness check, Validity check, Reasonableness check, Prompting, Closed-loop verification.

Batch Input Controls

  • Batch Processing: Input multiple source documents together.

    • Batch Totals:

    • Financial Sums, Hash Sums, Record Count for accuracy in batch processing.

Processing Controls

  • Data Matching:

    • Requires multiple data values to match before processing (e.g., vendor info on invoices matches P/O and goods received reports).

  • File Labels:

    • Ensure that the correct and most current file is being updated.

  • Batch Total Recalculation:

    • Compares calculated batch totals after processing to input totals.

  • Cross-footing and Zero Balance Tests:

    • Computation through various methods to ensure the same results.

  • Write-Protection:

    • Eliminates the risk of overwriting or erasing data.

  • Concurrent Update:

    • Locks records or fields during updates to prevent simultaneous edits.

Output Controls

  • User Review:

    • Verify the reasonableness and completeness of the output routed to the intended individual.

  • Reconciliation:

    • Ensure inventory control account balances equal the sum of item balances in the inventory database.

  • Data Transmission Controls:

    • Check sums (digest) to compare hashes before and after transmission for verification.

Topic: Confidentiality and Privacy

Trust Services Framework

  • Security: Measures to restrict access to systems from legitimate users.

  • Confidentiality: Protection of sensitive organizational data.

  • Privacy: Collection and management of personal data compliant with regulatory requirements.

  • Processing Integrity and Availability: Basics of data processing and ensuring that systems meet operational obligations.

Encryption and Digital Signatures

  • Encryption:

    • A preventive control that transforms plaintext into unreadable data (ciphertext).

    • The decryption process reverses this transformation.

  • Types of Encryption:

    • Symmetric:

    • One key for encrypting and decrypting.

      • Pros: Speed

      • Cons: Vulnerability.

    • Asymmetric:

    • Uses different keys for encrypting (public) and decrypting (private).

      • Pros: High security

      • Cons: Slower.

    • Hybrid: Combine symmetric encryption for data and asymmetric encryption for the symmetric key itself.

Comparison of Encryption Systems

  • Symmetric Encryption:

    • Advantages: Fast, good for large data volumes.

    • Disadvantages: Requires secure key transferring.

  • Asymmetric Encryption:

    • Advantages: No need for secure key distribution, allows for digital signatures.

    • Disadvantages: Slower processing. Requires a Public Key Infrastructure (PKI).

Hashing

  • Converts information into a fixed-length hashed code that cannot be converted back to its original text.

  • Any change to data will alter the hash, allowing for verification.

  • Differences to Encryption:

    1. Hashing generates a fixed-size output regardless of input size (e.g., SHA-256 produces a 256-bit hash).

    2. Hashing cannot be reversed (one-way function).

    3. Encryption maintains an output size that is approximately the same as the input (reversible).

Digital Signatures

  • Used for creating legally binding agreements.

  • Steps to Create a Digital Signature:

    1. The document creator uses a hashing algorithm to produce a hash of the original document.

    2. The hash is encrypted using the document creator's private key.

Example of Digital Signature Processing

  • Steps:

    1. Create a contract using hashing (SHA-256).

    2. Encrypt this hash with the private key.

    3. On receipt, use the public key to decrypt the digital signature and match it against the hash of the contract to verify authenticity.

Digital Certificate

  • An electronic document that contains an entity’s public key and certifies the identity of its owner.

  • Issued by a certificate authority to maintain PKI standards.

Virtual Private Network (VPN)

  • Used for secure transmission of encrypted data between senders and receivers, ensuring that appropriate keys are held for encryption and decryption.

Protecting Confidentiality and Privacy

Components of Protecting Confidentiality and Privacy

  • Identify and Classify Information

  • Training Employees

  • Preservation of Confidentiality and Privacy

  • Encryption of Data

  • Access Controls

Steps in Securing Intellectual Property (IP)

  • Identification and Classification:

    • Lifecyle of data inventory and determining who accesses it.

    • Implementation of Information Rights Management to control data interactions.

Privacy Concerns

  • Issues include spam and identity theft, necessitating control over customer personal information.

Privacy Regulatory Acts

  • Key enactments include (but not limited to):

    • Spam Act 2003 (Cth)

    • Cybercrime Act 2001

    • Criminal Code Amendment 2000, etc.

Generally Accepted Privacy Principles

  • Management Processes and Policies

  • Notice of Privacy Policies

  • Choice and Consent: Opt-in vs. Opt-out methods for consent.

  • Collection Policies: Only collect necessary information.

  • Access Rights: Enable customers the ability to review and control their data.

  • Security Needs: Protect data from unauthorized access.

  • Quality Control: Monitor and enforce compliance to privacy policies.