Question
- Write: Develop a bulleted list of 1 or 2 issues or best practices that you identified based on your reading of this article and how it may impact you while performing in an accounting position.
Information Systems and Internal Control:
[1] Variability of Control Techniques
Like other functions, the control techniques that may be present in IS environments are not constant. The factors that affect the degree of variability are the same as those for other internal control systems. These include:
• overall size of the company;
• geographic dispersion of operating units;
• degree of centralization or decentralization;
• style of management;
• type of industry;
• relative amount of foreign versus domestic operations; and
• management philosophy.
[2] Perspective on Control Techniques
Internal control techniques that limit access to, and afford protection of, information include a company-wide policy that:
• establishes the principle of information being an asset;
• provides definitions of “data classes” and establishes responsibilities;
• makes data owners responsible for specifying control requirements and authorizing individuals permitted access;
• makes data custodians and data users responsible for complying with requirements established by data owners;
• establishes a data security administrator to administrate and monitor compliance with information security policy and procedures;
• classifies data into various categories, such as unrestricted and restricted (e.g., internal use only and company private); and
• specifies control objectives for each class of data.
Among specific control techniques that are used to protect data are:
• two-factor authentication;
• passwords;
• security software;
• VPNs;
• encryption;
• firewalls;
• intrusion detection/prevention systems;
• distributed and standalone computing;
• data backup and recovery provisions;
• security consciousness; and
• firm disciplinary action for security violations.
Company managements often have been incomplete in efforts to provide adequate data security. One reason is that data security weaknesses do not often produce tangible, measurable adverse consequences. Thus, computer tampering, data loss, and data misuse often go undetected, except for some highly publicized hacking incidents that occur from time to time (see Chapter H4 on computer fraud). Furthermore, the extent to which vital company information is exposed usually is not known by managements. The technical knowledge necessary to perceive potential risks caused by expanding communications capabilities simply does not move very far up the organizational chart.
[3] Control Objectives
Much information has been published that defines IS objectives and internal control techniques. A brief list of these is as follows:
• SAS No. 48, “The Effects of Computer Processing on the Audit of Financial Statements,” American Institute of Certified Public Accountants, 1984
• SAS No. 94, “The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit,” American Institute of Certified Public Accountants, 2001
• IT Control Objectives for Sarbanes-Oxley, 3rd ed., ISACA, 2014
• Global Technology Audit Guide (GTAG) series, The IIA, 2006–2016
• COBIT 5, ISACA, 2012
Step by Step Solution
Step: 1
One of the best practices I feel after reading the above given paragraph is that of the use of Expert Systems designed to ...