Question
Action Items
- Read the article below: Information Systems and Internal Control.
- Write: Develop a bulleted list of 1 or 2 issues or best practices that you identified based on your reading of this article and how it may impact you while performing in an accounting position.
Information Systems and Internal Control:
G1.07 Internal Control In An IS Environment

[1] Variability of Control Techniques

Like other functions, the control techniques that may be present in IS environments are not constant. The factors that affect the degree of variability are the same as those for other internal control systems. These include:
- overall size of the company
- geographic dispersion of operating units
- degree of centralization or decentralization
- style of management
- type of industry
- relative amount of foreign versus domestic operations
- management philosophy

[2] Perspective on Control Techniques

Internal control techniques that limit access to, and afford protection of, information include a company-wide policy that:
- establishes the principle of information being an asset
- provides definitions of data classes and establishes responsibilities
- makes data owners responsible for specifying control requirements and authorizing individuals permitted access
- makes data custodians and data users responsible for complying with requirements established by data owners
- establishes a data security administrator to administrate and monitor compliance with information security policy and procedures
- classifies data into various categories, such as unrestricted and restricted (e.g., internal use only and company private)
- specifies control objectives for each class of data

Among specific control techniques that are used to protect data are:
- two-factor authentication
- passwords
- security software
- VPNs
- encryption
- firewalls
- intrusion detection/prevention systems
- distributed and standalone computing
- data backup and recovery provisions
- security consciousness
- firm disciplinary action for security violations

Company managements often have been incomplete in efforts to provide adequate data security. One reason is that data security weaknesses do not often produce tangible, measurable adverse consequences. Thus, computer tampering, data loss, and data misuse often go undetected, except for some highly publicized hacking incidents that occur from time to time (see Chapter H4 on computer fraud). Furthermore, the extent to which vital company information is exposed usually is not known by managements. The technical knowledge necessary to perceive potential risks caused by expanding communications capabilities simply does not move very far up the organizational chart.

[3] Control Objectives

Much information has been published that defines IS objectives and internal control techniques. A brief list of these is as follows:
- SAS No. 48, The Effects of Computer Processing on the Audit of Financial Statements, American Institute of Certified Public Accountants, 1984
- SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit, American Institute of Certified Public Accountants, 2001
- IT Control Objectives for Sarbanes-Oxley, 3rd ed., ISACA, 2014
- Global Technology Audit Guide (GTAG) series, The IIA, 2006-2016
- COBIT 5, ISACA, 2012