Chapter Overview Ch 10 PDF

Preview

Summary

CHAPTER 10 PROCESSING INTEGRITY AND AVAILABILITY CONTROLSInstructor’s ManualLearning Objectives ​: Identify and explain controls designed to ensure processing integrity. Identify and explain controls designed to ensure systems availability by minimizing the risk of system downtime and enabling effic...

Description

CHAPTER 10 PROCESSING INTEGRITY AND AVAILABILITY CONTROLS Instructor’s Manual Learning Objectives: 1. Identify and explain controls designed to ensure processing integrity. 2. Identify and explain controls designed to ensure systems availability by minimizing the risk of system downtime and enabling efficient recovery and resumption of operations.

Processing Integrity Table 10-1 on page 298 lists the basic controls that are essential for processing integrity for the process stages input, processing, and output.

Input Controls As the old saying goes: “garbage in, garbage out.” The quality of data that is collected about business activities and entered into the information system is vital. The following source data controls regulate the integrity of input: 1. Forms design. Source documents and other forms should be designed to help ensure that errors and omissions are minimized. ▪

Prenumbered forms. Prenumbering forms improves control by making it possible to verify that none are missing.

▪

Turnaround documents. A turnaround document is a record of company data sent to an external party and then returned by the external party to the system as input.

2. Cancellation and storage of documents. Documents that have been entered into the system should be cancelled so they cannot be inadvertently or fraudulently re-entered into the system. Paper documents should be defaced, e.g., by stamping them “paid.”

2

Electronic documents can be similarly “cancelled” by setting a flag field to indicate that the document has already been processed. 3. Authorization and separation separation of duties. Source documents should be prepared only by authorized personnel acting within their authority. 4. Visual scanning. Source documents should be scanned for reasonableness and propriety before being entered into the system.

Data Entry Controls The following tests are used to validate input data: 1.

A field check determines if the characters in a field are of the proper type.

2.

A limit check tests a numerical amount to ensure that it does not exceed a predetermined value.

3.

A range check is similar to a limit check except that it has both upper and lower limits.

4.

A size check ensures that the input data will fit into the assigned field.

5.

A completeness check on each input record determines if all required data items have been entered.

6.

A validity check compares the ID code or account number in transaction data with similar data in the master file to verify that the account exists.

7.

A reasonableness test determines the correctness of the logical relationship between two data items.

8.

Check digit verification. Authorized ID numbers (such as an employee number) can contain a check digit that is computed from the other digits. For example, the system could assign each new employee a nine-digit number, then calculate a tenth digit from the original nine and append that calculated to the original nine to form a 10-digit ID number. Data entry devices can be programmed to perform check digit verification by using the first nine digits to calculate the tenth digit each time an ID number is entered. If an error is made in entering any of the 10 digits, the calculation made on the first nine digits will not match the tenth, or check digit.

The above tests are used for both batch processing and online real-time processing.

3

Additional Batch Processing Data Entry Controls: 1.

Batch processing works correctly only if the transactions are presorted to be in the same sequence as records in the master file. A sequence check tests if a batch of input data is in the proper numerical or alphabetical sequence.

2.

Information about data input or data processing errors (date they occurred, cause of the error, date corrected, and resubmitted) should be entered in an error log.

3.

Batch totals. Three commonly used batch totals are: ▪

A financial total sums a field that contains dollar values, such as the total dollar amount of all sales for a beach of sales transactions.

▪

A hash total sums a nonfinancial numeric field, such as the total of the quantity ordered field in a batch of sales transactions.

▪

A record count sums the number of records in a batch.

Additional Online Data Entry Controls Whenever possible, the system should automatically enter transaction data, which saves keying time and reduces errors. Other Online Processing Data Entry Controls 1. Prompting, in which the system requests each input data item and waits for an acceptable response. This ensures that all necessary data are entered (e.g., an online completeness check). 2. Preformatting, in which the system displays a document with highlighted blank spaces and waits for the data to be ent

3. Creation of a transaction log that includes a detailed record of all transaction data; a unique transaction identifier; the date and time of entry; terminal, transmission line, and operator identification; and the sequence in which the transaction was entered. 4. Error messages should indicate when an error has occurred, which items are in error, and what the operator should do to correct it.

Processing Controls Controls are also needed to ensure that data are processed correctly.

4

1. Data matching. In certain cases, two or more items of data must be matched before an action can take place. For example, the system should verify that information on the vendor invoice matches that on both the purchase order and the receiving report before paying a vendor. 2. Recalculation of batch totals. Batch totals can be recomputed as each transaction record is processed and compared to the values in the trailer record. If financial or total discrepancy is evenly divisible by nine, the likely cause is a transposition error, in which two adjacent digits were inadvertently reversed (e.g., 46 instead of 64). 3. Cross-footing and zero-balance test. Often totals can be calculated in multiple ways. For example, in spreadsheets a grand total can often be computed either by summing a column of row totals or by summing a row of column totals. These two methods should produce the same result. ▪

A cross-footing balance test compares the results produced by each method to verify accuracy. For example, the totals for all debit columns are equal to the totals for all credit columns.

▪

A zero-balance test applies the same logic to control accounts. For example, adding the balance for all customers in an accounts receivable subsidiary ledger and comparing to the balance in the accounts receivable general control account should be the same; the difference should be zero.

Output Controls Careful checking of system output provides additional control over processing integrity. Important output controls include: 1. User review of output. Users should carefully examine system output for reasonableness, completeness, and that they are the intended recipient. 2. Reconciliation procedures. Periodically, all transactions and other system updates should be reconciled to control reports, file status/update reports, or other control mechanisms. In addition, general ledger accounts should be reconciled to subsidiary account totals on a regular basis.

5 3. External data reconciliation. Database totals should periodically be reconciled with data maintained outside the system. For example, the number of employee records in the payroll file can be compared with the total from human resources to detect attempts to add fictitious employees to the payroll database. 4.

Data transmission controls. Parity checking and message acknowledgement techniques are two basic types of data transmission controls (Checksums and parity bits).

Processing Controls Updating files includes the customer and inventory database records. Additional validation tests are performed by comparing data in each transaction record with data in the corresponding database record. These tests often include the following: 1. Validity checks on the customer and inventory item numbers. 2. Limit checks that compare each customer’s total amount due with the credit limit. 3. Range checks on the sale price of each item sold relative to the permissible range of prices for that item. 4. Reasonableness tests on the quantity sold of each item relative to normal sales quantities for that customer and that item.

Minimizing Risk of System Downtime Recovery and Resumption of Normal Operations Sr. Management must ask themselves two questions relating to the risk of downtime: 1. How much data are we willing to recreate from source documents (if they exist) or potentially lose (if no source documents exist)? 2. How long can the organization function without its information system? Disaster recovery and business continuity plans are essential if an organization hopes to survive a major catastrophe. Data Backup Procedures

6 A backup is an exact copy of the most current version of a database, file, or software program. The process of installing the backup copy for use is called restoration. Several different backup procedures exist: A full backup is an exact copy of the data recorded on another physical media (tape, magnetic disk, CD, DVD, and so on). Full backups are time-consuming, so most organizations only do full backups weekly and supplement them with daily backups. Real-time mirroring involves maintaining two copies of the database at two separate data centers at all times and updating both copies in real-time as each transaction occurs. Infrastructure Replacement A second key component of disaster recovery includes provisions for replacing the necessary computer infrastructure: computers, network equipment and access, telephone lines, other office equipment (e.g., fax machines), and supplies. Organizations have three basic options for replacing computer and networking equipment: 1. The least expensive approach is to create reciprocal agreements with another organization that uses similar equipment to have temporary access to and use of their information system resources. 2. Another solution involves purchasing or leasing a cold site, which is an empty building that is prewired for necessary telephone and Internet access, plus a contract with one or more vendors to provide all necessary computers, and other office equipment within a specified period of time. 3. A more expensive solution for organizations, such as financial institutions and airlines, which cannot survive any appreciable time period without access to their information system, is to create what is referred to as a hot site. A hot site is a facility that is not only prewired for telephone and Internet access but also contains all the computing and office equipment the organization needs to perform its essential business activities. Documentation Documentation is an important, but often overlooked, component of disaster recovery and business continuity plans.

7 The plan itself, including instructions for notifying appropriate staff and the steps to be taken to resume operations, needs to be well documented. Testing Periodic testing and revision are probably the most important component of effective disaster recovery and business continuity plans. Most plans fail their initial test because it is impossible to anticipate everything that could go wrong. Disaster recovery and business continuity plans need to be tested on at least an annual basis.

Focus 10-2 on page 307 describes how NASDAQ recovered from September 11. Because of their recovery plan, NASDAQ was up and running only six days after the 9/11/01 terrorist attack. Although the Manhattan office phone lines were out, NASDAQ still had offices in Maryland and Connecticut, which allowed it to monitor the regulatory processes....