Summarizing Our Knowledge of the Application
– Output: reports created (standard and exception); report distribution; review; reconciliation; output interfaces to other applications
– Internal controls: audit trails; error reporting
– Processing Cycle: frequency of application processes; dependency of application on processing cycles and other applications
– Data Edits: initial edits; data correction; maintenance of master files
– Source Data: how data enters the processing cycle; input interfaces for other applications
© CPE Interactive, Inc., 2011-2015 2
Application Processes
– Source Data Preparation & Authorization
– Source Data Collection and Entry
– Data Processing
– Output Review, Reconciliation, & Error Handling
Data Between Other Apps: authentication, completeness, accuracy, integrity

Application Transaction Cycle
– Data Origination: internal or external
– Data Preparation: internal; customer via extranet or Web browser; interfacing application
– Data Processing: edits; calculations; lookups; logical processes
– Data Output: report distribution; document distribution; reconciliations
INPUT CONTROLS
Application Input Control Objectives
Controls to ensure that transactions are:
– Correctly input to the system
– Received by the system
– Accepted by the system
– Properly recorded and stored by the system
– Processed only once
– Authorized
– Errors are identified, segregated from valid transactions, and corrected in a timely manner
Source Data Preparation and Authorization (AC1)
Ensure that documents are prepared by authorized and qualified personnel following established procedures, taking into account segregation of duties regarding the origination and approval of these documents. Minimize errors and omissions through good input form design. Detect errors and irregularities so they can be reported and corrected.
Initial Data Conversion (diagram): Source Document / Web Input / eCommerce Partners -> Process
Internal Source Data Preparation and Authorization – User Data Entry
with segregation of duties
ng to a bill of authority, with examples of signatures
transmittal documents and logs to ensure completeness
followed, and monitored, with appropriate training
to originator, and followed-up for re-entry
Transaction Processing Internal Control
Objectives / Description / Specific Example (using accounts receivable/sales cycles)
– Occurrence: Recorded transactions are valid and documented. Example: recorded sales are supported by invoices, shipping documents, and customer orders.
– Completeness: All valid transactions are recorded, and none are omitted. Example: all shipping documents are prenumbered and matched with sales invoices daily.
– Authorization: Transactions are authorized according to company policy. Example: credit sales over $00 receive prior approval by a credit supervisor; credit sales over $,000 receive prior approval by a credit manager.
Transaction Processing Internal Control (2)
Objectives / Description / Specific Example (using accounts receivable/sales cycles)
– Accuracy: Transaction dollar amounts are properly calculated. Example: sales invoices contain correct quantities and are mathematically correct.
– Classification: Transactions are properly classified in the account. Examples: sales to subsidiaries and affiliates are classified as intercompany transactions; all sales on credit are charged to customers’ individual accounts.
– Cutoff: Transactions are recorded in the proper period. Example: sales of the current period are charged to customers in the appropriate period, and sales in the succeeding period are charged in that period.
Source Data Collection and Entry
– Ensure all transactions prepared for entry are entered
– Only authorized users are entering transactions
– Separation of duties is in place for mutually exclusive processes
– Transactions are validated to ensure accuracy
– Error re-entry processed as transactions are entered, if possible
– Transactions not passing edit are identified, monitored and re-entered
Source Data Collection and Entry (diagram): TRX -> Online Update -> Process
Source Data Collection and Entry Controls
Ensure all transactions prepared for entry are entered:
– Batch control
  • Batch headers or trailers with transaction counts, financial totals, and/or hash totals
  • Reconciliation of batch totals at end of entry
– Entry of single entry with confirmation number that must be entered on source document
– After the fact batch control
  • System generates totals
  • Data entered is totaled
– None
  • Rely on customer to complain
Only Authorized Users Are Entering Transactions
Access Controls
– Role-based IdM and Access Control
– Unique user IDs and no sharing of IDs
– Minimize system administration user IDs and limit privileges if possible
– Monitor user access
– Require manager review and recertification of users having privileges to their assigned data ownership
maintained in the record
Separation of Duties
ction assignment based upon job function
require separation of duties
transactions
actions, access, and other identifiable activities
Transaction Validation / Editing
Drop-down fields or displayed valid value selection
– Telephone numbers
– Postal Code
– Social insurance number
– Internal codes with defined formats
– Invoice has x lines
– Verify no data missing before accepting the transaction
Transaction Validation / Editing (2)
– Type of transaction
– Value within the transaction
  • Payroll class
  • Vendor payment plan
– Require double entry for unusual amounts
– Dialog -> ARE YOU SURE?
cation
– Similar to password entry
Transaction Authorization
role
achieve separation of duties, or satisfy validation / editing processes
transaction record (date, time, id)
authorization is not possible
Error Processing
identified and require correction prior to acceptance
suspended records are subject to “issue monitoring”
– Aging of suspended or erroneous record
– Timely reporting of issues to appropriate management and staff
– Escalation of issues remaining open
– Summary reporting of issues, to identify
  • Systemic issues
  • Additional training requirements
  • System modifications
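The validation/editing and error-processing slides above describe edit checks at entry (valid value sets, coded formats, completeness, double entry for unusual amounts) and a suspense file with unique IDs and aging for records that fail. The following is an added example of those controls working together; it is not code from the CPE Interactive deck. Field names, the two formats, the $10,000 "unusual amount" threshold and the sample records are constructed assumptions.

```python
"""Input edit checks with suspense handling for rejected transactions.

Added example (not from the CPE Interactive slides). Edits: completeness ("no data
missing"), transaction type from a displayed valid value set, internal codes with a
defined format, postal code format, "invoice has x lines", and double entry for
unusual amounts (like password confirmation). Rejected records get a unique suspense
ID and are aged so open items can be escalated. All field names, formats and
thresholds below are constructed assumptions, not the slides' own values.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed format edits; a real application takes these from its data dictionary.
POSTAL_CODE_RE = re.compile(r"^[A-Z]\d[A-Z] \d[A-Z]\d$")   # e.g. "K1A 0B1" (assumed format)
INTERNAL_CODE_RE = re.compile(r"^[A-Z]{2}-\d{4}$")         # e.g. "AR-0042" (assumed format)
VALID_TRX_TYPES = {"SALE", "CREDIT", "ADJUST"}
REQUIRED_FIELDS = ("trx_type", "customer_code", "postal_code", "amount", "lines")
UNUSUAL_AMOUNT = 10_000.00   # above this the operator must key the amount a second time


@dataclass
class SuspenseRecord:
    suspense_id: str
    entered_on: str          # ISO date, e.g. "2015-03-02"
    errors: list
    record: dict

    def age_days(self, today: str) -> int:
        return (date.fromisoformat(today) - date.fromisoformat(self.entered_on)).days


@dataclass
class SuspenseFile:
    """Rejected transactions held until corrected and re-entered."""
    records: list = field(default_factory=list)
    _seq: int = 0

    def suspend(self, record: dict, errors: list, entered_on: str) -> SuspenseRecord:
        self._seq += 1
        item = SuspenseRecord(f"SUSP-{self._seq:06d}", entered_on, errors, dict(record))
        self.records.append(item)
        return item

    def aging_report(self, today: str, escalate_after_days: int = 5) -> list:
        """Open items older than the threshold, oldest first (escalation candidates)."""
        overdue = [r for r in self.records if r.age_days(today) > escalate_after_days]
        return sorted(overdue, key=lambda r: r.age_days(today), reverse=True)


def edit_transaction(record: dict, amount_reentry=None) -> list:
    """Return the list of edit failures; an empty list means the record passes."""
    errors = []
    # Completeness: verify no data is missing before accepting the transaction.
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        errors.append(f"missing fields: {', '.join(missing)}")
        return errors  # the remaining edits need the required fields
    # Type of transaction: restricted to the displayed valid value set.
    if record["trx_type"] not in VALID_TRX_TYPES:
        errors.append(f"invalid transaction type {record['trx_type']!r}")
    # Internal codes with defined formats.
    if not INTERNAL_CODE_RE.match(record["customer_code"]):
        errors.append("customer code does not match format AA-9999")
    if not POSTAL_CODE_RE.match(record["postal_code"]):
        errors.append("postal code format invalid")
    # "Invoice has x lines": the declared line count must agree with the detail supplied.
    detail_count = len(record.get("detail", []))
    if detail_count != record["lines"]:
        errors.append(f"declared {record['lines']} lines, received {detail_count}")
    # Double entry for unusual amounts, similar to password confirmation.
    amount = record["amount"]
    if amount > UNUSUAL_AMOUNT and amount_reentry != amount:
        errors.append("unusual amount requires matching re-entry")
    return errors


def process_entry(record: dict, suspense: SuspenseFile, entered_on: str, amount_reentry=None):
    """Accept the record (returns None), or suspend it with a unique ID for follow-up."""
    errors = edit_transaction(record, amount_reentry)
    if errors:
        return suspense.suspend(record, errors, entered_on)
    return None  # accepted: would be written to the transaction file


if __name__ == "__main__":
    sf = SuspenseFile()
    # Constructed sample records.
    good = {"trx_type": "SALE", "customer_code": "AR-0042", "postal_code": "K1A 0B1",
            "amount": 250.0, "lines": 1, "detail": [{"sku": "X", "qty": 1}]}
    bad = {"trx_type": "SALE", "customer_code": "AR42", "postal_code": "K1A 0B1",
           "amount": 12_500.0, "lines": 2, "detail": [{"sku": "X", "qty": 1}]}
    print(process_entry(good, sf, "2015-03-02"))          # None: accepted
    held = process_entry(bad, sf, "2015-03-02")
    print(held.suspense_id, held.errors)
    for r in sf.aging_report("2015-03-10"):
        print(r.suspense_id, r.age_days("2015-03-10"), "days open")
```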
Special Considerations
– Client on the workstation has to be the same version as the server
– Verification of version levels during connection
– Browser cache emptied after each use
– All input is recalculated after entry
– Data in the URL of the browser is unrecognizable
Special Considerations (2)
Data Received from External Source
– Defining External Source
  • SaaS vendor
  • Trading partner
– Encryption
  • Symmetric Keys
  • Public Keys
– Header/Trailer Batch Totals
PROCESSING CONTROLS
Processing Controls
– Ensure accuracy and completeness of processed data
– Ensure data at rest (on a file/database) remains accurate and complete until it is changed as a result of authorized processing or modification
Processing Controls (2)
– Batch
  • Reconciliation: transaction file totals compared to master file totals before and after process
    » Three-way match: master file = transaction file + old master file; transaction file = batch totals of data entry forms
  • Control totals: transaction monetary amount; item count; document count; hash total of a numeric field
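The batch-control slide under Source Data Collection and Entry and the Processing Controls (2) slide above both rely on the same mechanism: control totals carried on a batch header or trailer, reconciled at end of entry and again before and after the master file update. The following added example (not code from the CPE Interactive deck) implements the four totals named on the slides and the three-way match; the record layout, customer numbers and amounts are constructed.

```python
"""Batch control totals and before/after reconciliation of a master file update.

Added example (not from the CPE Interactive slides). A trailer carries the four
control totals the slides list: document count, item count, monetary amount and a
hash total of a numeric field (customer number, which has no business meaning as a
sum but catches dropped or mis-keyed records). Posting checks the trailer against the
keyed transaction file first, then checks that the new master equals the old master
plus the transaction file. Record layout and sample data are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlTotals:
    document_count: int   # number of transactions in the batch
    item_count: int       # sum of line items across the transactions
    amount: int           # monetary total in cents (integers avoid float drift)
    hash_total: int       # sum of the customer-number field


def control_totals(transactions) -> ControlTotals:
    """Compute trailer totals over a list of transaction dicts."""
    return ControlTotals(
        document_count=len(transactions),
        item_count=sum(t["items"] for t in transactions),
        amount=sum(t["amount_cents"] for t in transactions),
        hash_total=sum(t["customer_no"] for t in transactions),
    )


def reconcile(expected: ControlTotals, actual: ControlTotals) -> list:
    """Return the names of control totals that disagree; empty means in balance."""
    return [name for name in ("document_count", "item_count", "amount", "hash_total")
            if getattr(expected, name) != getattr(actual, name)]


def post_batch(old_master: dict, transactions, trailer: ControlTotals):
    """Apply the batch to customer balances only when every control total balances.

    Returns (new_master, failures). failures lists the checks that failed at entry
    ("entry:<total>") or after the update ("post:master_total"); the master file is
    returned unchanged whenever anything fails.
    """
    failures = ["entry:" + f for f in reconcile(trailer, control_totals(transactions))]
    if failures:
        return dict(old_master), failures
    new_master = dict(old_master)
    for t in transactions:
        new_master[t["customer_no"]] = new_master.get(t["customer_no"], 0) + t["amount_cents"]
    # After the run: new master total must equal old master total plus transaction total.
    if sum(new_master.values()) != sum(old_master.values()) + trailer.amount:
        failures.append("post:master_total")
        return dict(old_master), failures
    return new_master, failures


# Constructed sample batch: three sales invoices keyed from source documents.
SAMPLE_BATCH = [
    {"customer_no": 1001, "items": 2, "amount_cents": 12_550},
    {"customer_no": 1042, "items": 1, "amount_cents": 4_000},
    {"customer_no": 1001, "items": 3, "amount_cents": 31_000},
]
# Trailer as totalled on the batch header form before entry.
SAMPLE_TRAILER = ControlTotals(document_count=3, item_count=6, amount=47_550, hash_total=3044)
# Constructed customer balance master file (cents).
SAMPLE_MASTER = {1001: 100_000, 1042: 5_000}

if __name__ == "__main__":
    master, problems = post_batch(SAMPLE_MASTER, SAMPLE_BATCH, SAMPLE_TRAILER)
    print("in balance" if not problems else problems, master)
    # A mis-keyed customer number (1001 -> 1010) leaves counts and amounts intact;
    # only the hash total catches it.
    mis_keyed = [dict(SAMPLE_BATCH[0], customer_no=1010)] + SAMPLE_BATCH[1:]
    print(post_batch(SAMPLE_MASTER, mis_keyed, SAMPLE_TRAILER)[1])
```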
Processing Controls (3)
Completeness (Continued)
– Batch and online
  • Reliance on database management system
    – Test for DBMS verification of processing success
      » Return_code = Addrec or chgrec
      » Return_code must equal 0 (as defined by DBMS) to indicate successful add or change
      » Test return_code after each transaction and report disposition to user
Processing Controls (4)
– Reliance on change management and testing
– Matching transaction to another source
  • Three-way purchase cycle match: invoice / purchase order / receiving document
Processing Controls (5)
– Valid classifications based on record type (Chart of Accounts, customer, employee HR level)
– Date established by system at time of entry or processing, not editable
– Date defined in process in accordance with accounting rules
– Processes started once all data is available
Error Processing
– Ensure that all transactions not completing the processing cycle are identified, researched, and either corrected or removed from the processing cycle
– Ensure that all transactions with errors are disposed of on a timely basis
Error Processing
– Rejecting only transactions with errors
– Rejecting the whole batch of transactions
– Holding the batch in suspense
– Accepting the batch and flagging error transactions
Re-entry controls
– Notification of pending batches
– Aging of open batches
– Immediate operator notification
– Prohibit transaction from continuing prior to correction
– Suspense transactions that can’t be completed
  • Unique ID
  • Follow-up process
Data File or Data Base Tables
– Only via authorized programs
– Limiting ODBC access
– Monitoring SA (super user) or equivalent user IDs
OUTPUT CONTROLS
Output Controls
Ensure that output delivered to users and other systems will be:
– Relevant and reliable
– Presented and formatted to help ensure understandability
– Consistent and secure
– Available when needed
Output Controls (2)
Critical forms in a secure place
– Checks
– Certificates
Forms and signatures
– Control of signature plate
– Limit access to the print queue
– Sequential numbering
– Inventory of forms
Output Controls (3)
– Assignment of process
– Process for researching out-of-balance conditions
– Correction of out-of-balance conditions
File changes
– Distribution lists
– Special procedures for confidential and/or negotiable instruments
  • Limits on forwarding or re-distribution
– Verification of receipt of reports
Outbound Transactions
Ensure that authorized outbound transactions are distributed:
– Purchase orders
– Payments
– Auto-adjudicated transactions
Outbound Transactions (2)
Controls over outbound transactions:
– Controlling the set up and change of trading partner details
– Comparing transactions with trading partner transaction profiles
– Matching the trading partner number to the trading master file, prior to transmission
– Limiting the authority of users within the organization to initiate specific EDI transactions
Chapter 10
Accounting Information Systems & Internal Controls
Copyright © 2014 McGraw-Hill Education. All rights reserved.
No reproduction or distribution without the prior written
consent of McGraw-Hill Education.
Learning Objectives
LO#1 Explain essential control concepts and why a code of
ethics and internal controls are important.
LO#2 Explain the objectives and components of the COSO
internal control framework and the COSO enterprise risk
management framework.
LO#3 Describe the overall COBIT framework and its
implications for IT governance.
LO#4 Describe other governance frameworks related to
information systems management and security.
10-2
Sarbanes Oxley Act 2002
SOX requires public companies registered with the SEC and
their auditors to annually assess and report on the design and
effectiveness of internal control over financial reporting.
Established the Public Company Accounting Oversight Board
(PCAOB) to provide independent oversight of public accounting
firms.
PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to
use a risk-based, top-down approach to identify the key
controls.
LO# 1
Corporate Governance
A set of processes and policies in managing an organization
with sound ethics to safeguard the interests of its stakeholders.
Promotes accountability, fairness, and transparency in the
organization’s relationship with its stakeholders.
Overview of Control Concepts
Internal control involves the processes that an organization
implements to safeguard assets, provide accurate and reliable
information, promote operational efficiency, enforce prescribed
managerial policies, and comply with applicable laws and
regulations.
According to SOX, the establishment and maintenance of
internal controls is a management responsibility.
Overview of Control Concepts
Three main functions of internal control:
Preventive controls deter problems before they arise.
(Authorization)
Detective controls find problems when they arise. (Bank
reconciliations and monthly trial balances)
Corrective controls fix problems that have been identified.
(Backup files to recover corrupted data)
Overview of Control Concepts
Computerized environment:
General controls pertain to enterprise-wide issues such as
controls over accessing the network, developing and
maintaining applications, documenting changes of programs,
etc.
Application controls are specific to a subsystem or an
application to ensure the validity, completeness and accuracy of
the transactions.
Commonly used Internal Control Frameworks
The SEC requires management to evaluate internal controls based on a recognized control framework.
COSO Internal Control framework
- COSO: Committee of Sponsoring Organizations of the Treadway Commission.
- AAA, AICPA, FEI, IIA, and IMA
- The COSO Internal Control framework is one of the most widely accepted authorities on internal control, providing a baseline for evaluating, reporting, and improving internal control.
Commonly used Internal Control Frameworks
COSO 2.0
COSO ERM framework: focuses on the strategic alignment of
the firm’s mission with its risk appetite.
Control Objectives for Information and related Technology
(COBIT): a control framework for the governance and
management of enterprise IT.
Information Technology Infrastructure Library (ITIL): a set of
concepts and practices for IT service management.
International Organization for Standardization (ISO) 27000
Series: address information security issues.
COSO Internal Control Framework (COSO 2.0)
Internal control is a process consisting of ongoing tasks and
activities. It is a means to an end, not an end in itself.
Internal control is affected by people. It is not merely about
policy manuals, systems and forms. Rather, it is about people at
every level of a firm that impact internal control.
Internal control can provide reasonable assurance, not absolute
assurance, to an entity’s management and board.
Internal control is geared toward the achievement of objectives
in one or more separate but overlapping categories.
Internal control is adaptable to the entity structure.
COSO 2.0
Five components of internal control:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
Control Environment
Sets the tone of a firm, influences the control consciousness of its employees, and establishes the foundation for the internal control system.
Includes the management's philosophy and operating style, integrity and ethical values of employees, organizational structure, the role of the audit committee, proper board oversight for the development and performance of internal control, and personnel policies and practices.
Risk Assessment
A dynamic process for identifying and analyzing a firm’s risks
from external and internal environments.
Allows a firm to understand the extent to which potential events
might affect corporate objectives.
Risks are analyzed after considering the likelihood of
occurrence and the potential loss. The analysis serves as a basis
for determining how the risks should be managed.
Control Activities
A firm must establish control policies, procedures, and practices
that ensure the firm’s objectives are achieved and risk
mitigation strategies are carried out.
Occur throughout a firm at all levels and in all functions.
Information and Communication
Supports all other control components by communicating effectively to ensure information flows down, across, and up the firm, and by interacting with external parties such as customers, suppliers, regulators, and shareholders to inform them about related policy positions.
Monitoring Activities
The design and effectiveness of internal controls should be monitored by management and other parties outside the process on an ongoing basis.
Findings should be evaluated and deficiencies must be communicated in a timely manner.
Necessary modifications should be made to improve the business process and the internal control system.
COSO Enterprise Risk Management—Integrated Framework
COSO indicates that:
-ERM identifies potential events that may affect the firm
-ERM manages risk to be within the firm’s risk appetite
-ERM provides reasonable assurance regarding the
achievement of the firm’s objectives
In addition to internal controls, COSO ERM expands the COSO
Internal Control framework to provide a broader view on risk
management to maximize firm value.
COSO Enterprise Risk Management—Integrated Framework
Eight components of internal control:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
Event Identification
After identifying all possible events, management must
distinguish between risks and opportunities.
Opportunities are channeled back to management's strategy or
objective-setting processes.
Identified risks should be forwarded to the next stage for
assessment and be managed according to the firm’s risk
appetite.
Risk Response
Management selects risk responses and develops a set of actions
to align risks with the entity's risk tolerances and risk appetite.
The four options to respond to risks are: reducing, sharing,
avoiding, and accepting risks.
Risk Assessment and Risk Response
Given AS 5, risk assessment is also a first step in developing an
audit plan to meet the mandate of SOX Section 404.
According to COSO ERM, the risks of an identified event are
analyzed on an inherent, control, and residual basis.
Inherent risk: It exists already before management takes any
actions to address it.
Control risk: the threat that errors or irregularities in the
underlying transactions will not be prevented, detected and
corrected by the internal control system.
Residual risk: the product of inherent risk and control risk
Risk Assessment and Risk Response
(1) Reduce risks by designing effective business processes and
implementing internal controls.
(2) Share risks by outsourcing business processes, buying
insurance, or entering into hedging transactions.
(3) Avoid risks by not engaging in the activities that would
produce the risk.
(4) Accept risk by relying on natural offsets of the risk within a
portfolio, or allowing the likelihood and impact of the risk.
Process to Assess Risks (figure)
Risk Assessment and Risk Response
Cost and benefit analysis is important in determining whether to
implement an internal control.
The benefits of an internal control should exceed its costs.
One way to measure the benefits of a control is using the
estimated impact of a risk times the decreased likelihood if the
control is implemented.
Expected benefit of an internal control = Impact x Decreased Likelihood
Control Activities
Physical Controls: mainly manual but could involve the physical
use of computing technology.
authorization
segregation of duties
supervision
accounting documents and records
access control
independent verification
Control Activities
IT controls: processes that provide assurance for information
and help to mitigate risks associated with the use of technology.
-- IT general controls (ITGC)
IT control environment
Access controls
Change management controls
Project development and acquisition controls
Computer operations controls
Access controls: Who can access what, when, where
Control Activities
IT controls
--IT application controls
Input controls (field checks, size checks, range checks,
validity checks, completeness checks, Reasonableness checks,
Check digit verifications, closed-loop verifications)
Processing controls (pre-numbered documents, sequence
checks, batch totals, cross-footing balance tests, concurrent
update controls)
Output controls
COBIT Framework
IT governance is a subset of corporate governance and includes
issues regarding IT management and security.
IT governance is the responsibility of management, and consists
of the leadership, organizational structures and processes that
ensure that the firm’s IT sustains and extends its business
objectives.
COBIT (Control Objectives for Information and related
Technology) is a generally accepted framework for IT
governance and management.
COBIT Framework
Provides a business focus to align business and IT objectives;
Defines the scope and ownership of IT process and control;
Is consistent with accepted IT good practices and standards;
Provides a common language with a set of terms and definitions
that are generally understandable by all stakeholders; and
Meets regulatory requirements by being consistent with
generally accepted corporate governance standards (e.g., COSO)
and IT controls expected by regulators and auditors.
COBIT Framework
Key criteria of business requirements for information:
Effectiveness – relevant and timely information
Efficiency – information is produced economically
Confidentiality – protection of sensitive information
Integrity – valid, accurate and complete information
Availability – information is available when needed
Compliance – information produced complying with the laws
and regulations
Reliability – reliable information for daily decision making
Information Technology Infrastructure Library (ITIL)
A de facto standard in Europe for best practices in IT infrastructure management and service delivery.
ITIL’s value proposition centers on providing IT service with an understanding of the business objectives and priorities, and of the role that IT services have in achieving the objectives.
ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.
International Organization for Standardization (ISO) 27000 Series
The ISO 27000 series of standards is designed to address information security issues.
The ISO 27000 series, particularly ISO 27001 and ISO 27002, has become the most recognized and generally accepted set of information security frameworks and guidelines.
The main objective of the ISO 27000 series is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS).
Summarizing Our Knowledge of the ApplicationReports .docx

More Related Content

PPT
Application Security: By Prashant Mali Cyber law Consultant
PPT
Application Security:
PPT
CASE STUDY - THE NEXTGEN POS SYSTEM (2).ppt
DOCX
36315 Topic Argument EssayNumber of Pages 1 (Single Spaced).docx
PDF
Accounting Informations System Chapter 4
PPT
Accounting Information Systems by James A. Hall 6th ed ch04
PPT
Revenue cycle (AIS)
PPT
CH10-ACISE-Auditing the Expenditure Cycle.ppt
Application Security: By Prashant Mali Cyber law Consultant
Application Security:
CASE STUDY - THE NEXTGEN POS SYSTEM (2).ppt
36315 Topic Argument EssayNumber of Pages 1 (Single Spaced).docx
Accounting Informations System Chapter 4
Accounting Information Systems by James A. Hall 6th ed ch04
Revenue cycle (AIS)
CH10-ACISE-Auditing the Expenditure Cycle.ppt

Similar to Summarizing Our Knowledge of the ApplicationReports .docx (20)

PPTX
Super Strategies 2014 ACL Presentation
PPT
James hall ch 4
PPT
The Revenue Cycle
PPTX
PCI DSS Business as Usual (BAU)
PPTX
09.1 audit siklus penjualan dan penerimaan
PPTX
1112 agile approach to pci dss development
PPTX
Finance Transformation - Best Practices for Accounting and Control - Hernan H...
PPT
Transaction processing system
PDF
L08-09-10 Use cases - Use case Diagram- Expanded Use Cases.pdf
PPTX
PCI DSS Business as Usual
PPT
PPTX
Computer-Assisted Audit Tools and Techniques
PPT
Total FBO User Conference
PPTX
Computer-Assisted Audit Tools and Techniques
PPTX
PCI DSS Business as Usual (BAU)
PPTX
03.2 application control
PPT
jameshallch4-150219115009-conversion-gate02.ppt
PPTX
Newgen Banking ppt
PPTX
CWIN17 san francisco-william belding-innovation through insights 2017-12-07
PDF
Business Requirement Document
Super Strategies 2014 ACL Presentation
James hall ch 4
The Revenue Cycle
PCI DSS Business as Usual (BAU)
09.1 audit siklus penjualan dan penerimaan
1112 agile approach to pci dss development
Finance Transformation - Best Practices for Accounting and Control - Hernan H...
Transaction processing system
L08-09-10 Use cases - Use case Diagram- Expanded Use Cases.pdf
PCI DSS Business as Usual
Computer-Assisted Audit Tools and Techniques
Total FBO User Conference
Computer-Assisted Audit Tools and Techniques
PCI DSS Business as Usual (BAU)
03.2 application control
jameshallch4-150219115009-conversion-gate02.ppt
Newgen Banking ppt
CWIN17 san francisco-william belding-innovation through insights 2017-12-07
Business Requirement Document

More from picklesvalery (20)

DOCX
NPV, IRR, Payback period,— PA1Correlates with CLA2 (NPV portion.docx
DOCX
Now that you have had the opportunity to review various Cyber At.docx
DOCX
Now that you have completed a series of assignments that have led yo.docx
DOCX
Now that you have completed your paper (ATTACHED), build and deliver.docx
DOCX
Now that you have identified the revenue-related internal contro.docx
DOCX
Now that you have read about Neandertals and modern Homo sapiens.docx
DOCX
Now that you have had an opportunity to explore ethics formally, cre.docx
DOCX
Novel Literary Exploration EssayWrite a Literary Exploration Ess.docx
DOCX
Notifications My CommunityHomeBBA 3551-16P-5A19-S3, Inform.docx
DOCX
November-December 2013 • Vol. 22No. 6 359Beverly Waller D.docx
DOCX
NOTEPlease pay attention to the assignment instructionsZero.docx
DOCX
NOTE Use below Textbooks only. 400 WordsTopic Which doctrine.docx
DOCX
NOTE Everything in BOLD are things that I need to turn in for m.docx
DOCX
Note Be sure to focus only on the causes of the problem in this.docx
DOCX
Note I’ll provide my sources in the morning, and lmk if you hav.docx
DOCX
Note Here, the company I mentioned was Qualcomm 1. Email is the.docx
DOCX
Note Please follow instructions to the T.Topic of 3 page pape.docx
DOCX
Note A full-sentence outline differs from bullet points because e.docx
DOCX
Notable photographers 1980 to presentAlmas, ErikAraki, No.docx
DOCX
Note 2 political actions that are in line with Socialism and explain.docx
NPV, IRR, Payback period,— PA1Correlates with CLA2 (NPV portion.docx
Now that you have had the opportunity to review various Cyber At.docx
Now that you have completed a series of assignments that have led yo.docx
Now that you have completed your paper (ATTACHED), build and deliver.docx
Now that you have identified the revenue-related internal contro.docx
Now that you have read about Neandertals and modern Homo sapiens.docx
Now that you have had an opportunity to explore ethics formally, cre.docx
Novel Literary Exploration EssayWrite a Literary Exploration Ess.docx
Notifications My CommunityHomeBBA 3551-16P-5A19-S3, Inform.docx
November-December 2013 • Vol. 22No. 6 359Beverly Waller D.docx
NOTEPlease pay attention to the assignment instructionsZero.docx
NOTE Use below Textbooks only. 400 WordsTopic Which doctrine.docx
NOTE Everything in BOLD are things that I need to turn in for m.docx
Note Be sure to focus only on the causes of the problem in this.docx
Note I’ll provide my sources in the morning, and lmk if you hav.docx
Note Here, the company I mentioned was Qualcomm 1. Email is the.docx
Note Please follow instructions to the T.Topic of 3 page pape.docx
Note A full-sentence outline differs from bullet points because e.docx
Notable photographers 1980 to presentAlmas, ErikAraki, No.docx
Note 2 political actions that are in line with Socialism and explain.docx

Recently uploaded (20)

PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
PPTX
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PDF
Microbial disease of the cardiovascular and lymphatic systems
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
PDF
Complications of Minimal Access Surgery at WLH
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PPTX
Pharma ospi slides which help in ospi learning
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PDF
Supply Chain Operations Speaking Notes -ICLT Program
PDF
01-Introduction-to-Information-Management.pdf
PPTX
Lesson notes of climatology university.
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
PDF
O7-L3 Supply Chain Operations - ICLT Program
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PDF
RMMM.pdf make it easy to upload and study
PPTX
GDM (1) (1).pptx small presentation for students
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
Tissue processing ( HISTOPATHOLOGICAL TECHNIQUE
Final Presentation General Medicine 03-08-2024.pptx
102 student loan defaulters named and shamed – Is someone you know on the list?
Microbial disease of the cardiovascular and lymphatic systems
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
Complications of Minimal Access Surgery at WLH
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Abdominal Access Techniques with Prof. Dr. R K Mishra
Pharma ospi slides which help in ospi learning
Microbial diseases, their pathogenesis and prophylaxis
Supply Chain Operations Speaking Notes -ICLT Program
01-Introduction-to-Information-Management.pdf
Lesson notes of climatology university.
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Pharmacology of Heart Failure /Pharmacotherapy of CHF
O7-L3 Supply Chain Operations - ICLT Program
STATICS OF THE RIGID BODIES Hibbelers.pdf
RMMM.pdf make it easy to upload and study
GDM (1) (1).pptx small presentation for students

Summarizing Our Knowledge of the ApplicationReports .docx

Initial Data Conversion (diagram): Source Document, Web Input and eCommerce Partners feed the Process
© CPE Interactive, Inc., 2011-2015
Internal Source Data Preparation and Authorization
– User data entry with segregation of duties
– Authorization according to a bill of authority, with examples of signatures
– Transmittal documents and logs to ensure completeness
– Procedures followed and monitored, with appropriate training
– Errors reported to the originator and followed up for re-entry

Transaction Processing Internal Control (examples from the accounts receivable / sales cycle)
– Occurrence: recorded transactions are valid and documented. Example: recorded sales are supported by invoices, shipping documents, and the customer order.
– Completeness: all valid transactions are recorded, and none are omitted. Example: all shipping documents are prenumbered and matched with sales invoices daily.
– Authorization: transactions are authorized according to company policy. Example: credit sales over $00 receive prior approval by a credit supervisor; credit sales over $,000 receive prior approval by the credit manager.
– Accuracy: transaction dollar amounts are properly calculated. Example: sales invoices contain correct quantities and are mathematically correct.
– Classification: transactions are properly classified in the accounts. Example: sales to subsidiaries and affiliates are classified as intercompany transactions; all sales on credit are charged to customers' individual accounts.
– Cutoff: transactions are recorded in the proper period. Example: sales of the current period are charged to customers in the appropriate period, and sales in the succeeding period are charged in that period.

Source Data Collection and Entry
– Ensure all transactions prepared for entry are entered
– Only authorized users are entering transactions
– Separation of duties is in place for mutually exclusive processes
– Transactions are validated to ensure accuracy
– Error re-entry is processed as transactions are entered, if possible
– Transactions not passing edit are identified, monitored and re-entered

Source Data Collection and Entry (diagram: TRX online update process)

Source Data Collection and Entry: Controls to Ensure All Transactions Are Entered
– Batch control
  • Batch headers or trailers with transaction counts, financial totals, and/or hash totals
  • Reconciliation of batch totals at end of entry
– Single entry with a confirmation number that must be entered on the source document
– After-the-fact batch control
  • System generates totals
  • Data entered is totaled
– None
  • Rely on the customer to complain

Only Authorized Users Are Entering Transactions
Access controls
– Role-based IdM and access control
– Unique user IDs and no sharing of IDs
– Minimize system administration user IDs and limit privileges if possible
– Monitor user access
– Require manager review and recertification of users having privileges to their assigned data
– Ownership maintained in the record
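The batch-control slide above lists transaction counts, financial totals and hash totals on a batch header or trailer, reconciled at the end of entry; the textbook material later on this page adds sequence checks on prenumbered documents. The following Python is an added example and not code from the CPE Interactive deck: it computes those control totals for a constructed four-invoice batch and reconciles what was keyed against the trailer. The record layout, account numbers, amounts and the two keying errors are all assumed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    doc_no: int    # prenumbered sales invoice (source document) number
    account: int   # customer account number: a non-financial numeric field
    cents: int     # invoice amount in cents (integers avoid rounding drift)


@dataclass(frozen=True)
class BatchTrailer:
    count: int         # transaction count
    total_cents: int   # financial total
    hash_total: int    # hash total: plain arithmetic sum of the account-number field
    first_doc: int     # lowest document number in the batch
    last_doc: int      # highest document number in the batch


def batch_totals(txns: List[Txn]) -> BatchTrailer:
    """The control totals written on the batch header/trailer before data entry."""
    return BatchTrailer(
        count=len(txns),
        total_cents=sum(t.cents for t in txns),
        hash_total=sum(t.account for t in txns),
        first_doc=min(t.doc_no for t in txns),
        last_doc=max(t.doc_no for t in txns),
    )


def reconcile(trailer: BatchTrailer, entered: List[Txn]) -> List[str]:
    """Compare what was keyed against the trailer and run a sequence check on the
    prenumbered documents. Returns the exceptions; an empty list means the batch balances."""
    if not entered:
        return ["no transactions entered"]
    got = batch_totals(entered)
    problems: List[str] = []
    if got.count != trailer.count:
        problems.append(f"count: trailer {trailer.count}, entered {got.count}")
    if got.total_cents != trailer.total_cents:
        problems.append(f"financial total: trailer {trailer.total_cents}, entered {got.total_cents}")
    if got.hash_total != trailer.hash_total:
        problems.append(f"hash total: trailer {trailer.hash_total}, entered {got.hash_total}")
    # Sequence check: every document in the trailer's range entered exactly once
    seen: Dict[int, int] = {}
    for t in entered:
        seen[t.doc_no] = seen.get(t.doc_no, 0) + 1
    for doc, n in sorted(seen.items()):
        if n > 1:
            problems.append(f"doc {doc} entered {n} times")
    expected = set(range(trailer.first_doc, trailer.last_doc + 1))
    for doc in sorted(expected - set(seen)):
        problems.append(f"doc {doc} missing from batch")
    for doc in sorted(set(seen) - expected):
        problems.append(f"doc {doc} outside batch range")
    return problems


# Constructed sample batch of four invoices and the trailer prepared from the source documents
SOURCE = [
    Txn(1001, 40017, 12500),
    Txn(1002, 40023, 8000),
    Txn(1003, 40031, 15075),
    Txn(1004, 40008, 9900),
]
TRAILER = batch_totals(SOURCE)

# Keying error 1: account number mis-keyed on doc 1003 (40031 -> 40013).
# Count and financial total still agree; only the hash total exposes it.
MISKEYED_ACCOUNT = [SOURCE[0], SOURCE[1], Txn(1003, 40013, 15075), SOURCE[3]]

# Keying error 2: doc 1003 keyed twice and doc 1004 skipped.
# The count agrees, so a count-only control would pass the batch.
DUPLICATE_AND_MISSING = [SOURCE[0], SOURCE[1], SOURCE[2], SOURCE[2]]


if __name__ == "__main__":
    for name, keyed in [("clean", SOURCE), ("miskeyed account", MISKEYED_ACCOUNT),
                        ("duplicate and missing", DUPLICATE_AND_MISSING)]:
        print(name, "->", reconcile(TRAILER, keyed) or "balanced")
```

Note which error each total catches. A mis-keyed account number leaves the count and the financial total unchanged, so only the hash total, a sum of a field that is meaningless as a number, exposes it. A document keyed twice with another skipped keeps the count intact and is caught by the financial and hash totals and by the sequence check. That is why the deck lists all three totals, and why "none, rely on the customer to complain" is the weakest option.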
Separation of Duties
– Function assignment based upon job function
– Processes that require separation of duties
– Transactions, actions, access, and other identifiable activities

Transaction Validation / Editing
– Drop-down fields or displayed valid-value selection
– Format edits
  • Telephone numbers
  • Postal code
  • Social insurance number
  • Internal codes with defined formats
– Completeness
  • Invoice has x lines
  • Verify no data is missing before accepting the transaction

Transaction Validation / Editing (2)
– Reasonableness of
  • Type of transaction
  • Value within the transaction (payroll class, vendor payment plan)
– Require double entry for unusual amounts
  • Dialog -> ARE YOU SURE?
– Verification similar to password entry
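An added Python example of the edit and authorization rules from the validation slides and from the authorization row of the internal-control table above; it is not code from the deck. It assumes Canadian formats for the postal code and the social insurance number (the SIN check digit is a Luhn check), a small fixed valid-value list for payment terms, a constructed role table, and approval thresholds of $500 and $5,000 standing in for the amounts that did not survive in the table. The sample transaction is constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy values (the thresholds in the deck's table were lost in extraction)
SUPERVISOR_LIMIT_CENTS = 50_000     # credit sales above $500 need a credit supervisor
MANAGER_LIMIT_CENTS = 500_000       # credit sales above $5,000 need the credit manager
UNUSUAL_AMOUNT_CENTS = 1_000_000    # above $10,000: double entry / "ARE YOU SURE?"

POSTAL_CODE = re.compile(r"^[A-Z]\d[A-Z] ?\d[A-Z]\d$")   # Canadian format, e.g. K1A 0B1
PHONE = re.compile(r"^\d{3}-\d{3}-\d{4}$")                 # 10-digit North American number
VALID_TERMS = {"NET30", "NET60", "COD"}                    # displayed valid-value list
# Constructed role table; a real system reads this from the IdM / access-control service
ROLES: Dict[str, str] = {"alice": "clerk", "bob": "credit_supervisor", "carol": "credit_manager"}
RANK = {"credit_supervisor": 1, "credit_manager": 2}      # a manager can give supervisor approval


@dataclass
class SaleTxn:
    originator: str                  # user id that keyed the transaction
    customer_phone: str
    postal_code: str
    sin: str                         # social insurance number, nnn nnn nnn
    terms: str
    declared_lines: int              # "invoice has x lines" from the source document
    lines: List[Tuple[str, int]]     # (sku, cents) per invoice line
    confirmed: bool = False          # operator re-entered / answered ARE YOU SURE?


def luhn_ok(digits: str) -> bool:
    """Check-digit verification (Luhn), the scheme used by Canadian SINs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def total_cents(t: SaleTxn) -> int:
    return sum(cents for _, cents in t.lines)


def edit_checks(t: SaleTxn) -> List[str]:
    """Input edits. A non-empty result means the transaction is held for correction;
    nothing is silently 'fixed', and nothing here depends on who the user is."""
    errs: List[str] = []
    if not PHONE.match(t.customer_phone):
        errs.append("telephone number format")
    if not POSTAL_CODE.match(t.postal_code):
        errs.append("postal code format")
    sin = t.sin.replace(" ", "").replace("-", "")
    if len(sin) != 9 or not luhn_ok(sin):
        errs.append("social insurance number fails check digit")
    if t.terms not in VALID_TERMS:
        errs.append(f"terms {t.terms!r} not a valid value")
    if t.declared_lines != len(t.lines):
        errs.append(f"declared {t.declared_lines} lines, {len(t.lines)} entered")
    for n, (sku, cents) in enumerate(t.lines, start=1):
        if not sku or cents <= 0:
            errs.append(f"line {n} incomplete")
    if total_cents(t) > UNUSUAL_AMOUNT_CENTS and not t.confirmed:
        errs.append("unusual amount: second entry / confirmation required")
    return errs


def required_role(cents: int) -> Optional[str]:
    if cents > MANAGER_LIMIT_CENTS:
        return "credit_manager"
    if cents > SUPERVISOR_LIMIT_CENTS:
        return "credit_supervisor"
    return None


def authorize(t: SaleTxn, approver: Optional[str]) -> Dict[str, Optional[str]]:
    """Role-based approval with separation of duties. Returns the stamp written into
    the transaction record (approver, role, date/time); raises PermissionError if refused."""
    if edit_checks(t):
        raise ValueError("transaction has not passed edits")
    need = required_role(total_cents(t))
    if need is None:                                       # within the clerk's own authority
        return {"approver": None, "role": None, "at": None}
    if approver is None:
        raise PermissionError(f"{need} approval required")
    if approver == t.originator:                           # separation of duties
        raise PermissionError("originator may not approve their own transaction")
    have = ROLES.get(approver)
    if have not in RANK or RANK[have] < RANK[need]:
        raise PermissionError(f"{approver} ({have}) cannot give {need} approval")
    return {"approver": approver, "role": have,
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds")}


# Constructed sample: a $7,500 credit sale keyed by alice, which needs the credit manager
BIG_SALE = SaleTxn("alice", "613-555-0147", "K1A 0B1", "046 454 286", "NET30",
                   2, [("SKU-100", 500_000), ("SKU-200", 250_000)])
```

The edit checks return every failure at once rather than stopping at the first, so the operator gets one correction cycle, and the authorization stamp carries who approved, in what role and when, which is the "transaction record (date, time, id)" the next slide asks for. The originator is refused as approver regardless of role; that check, not the role table, is what enforces separation of duties.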
Transaction Authorization
– Authorization based on role
– Used to achieve separation of duties, or to satisfy validation / editing processes
– Recorded in the transaction record (date, time, id)
– Where authorization is not possible

Error Processing
– Errors are identified and require correction prior to acceptance
– Suspended records are subject to "issue monitoring"
  – Aging of suspended or erroneous records
  – Timely reporting of issues to appropriate management and staff
  – Escalation of issues remaining open
  – Summary reporting of issues, to identify
    • Systemic issues
    • Additional training requirements
    • System modifications

Special Considerations
– Client on the workstation has to be the same version as the server
– Verification of version levels during connection
– Browser cache emptied after each use
– All input is recalculated after entry
– Data in the URL of the browser is unrecognizable

Special Considerations (2): Data Received from External Source
– Defining the external source
  • SaaS vendor
  • Trading partner
– Encryption
  • Symmetric keys
  • Public keys
– Header/trailer batch totals

PROCESSING CONTROLS

Processing Controls
– Ensure accuracy and completeness of processed data
– Ensure data at rest (on a file/database) remains accurate and complete until it is changed as a result of authorized processing or modification
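Two of the Special Considerations above deserve code: "all input is recalculated after entry" and "data in the URL of the browser is unrecognizable". The first is an accuracy control that also belongs at the start of processing, which is why the example sits here. It is an added Python example, not the deck's code; the price list, tax rate, secret key and the shape of the posted form are assumptions, and the tamper helper is a constructed attack for the demonstration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Assumed server-side data, constructed for this example (use a secret store for the key)
URL_KEY = b"constructed-demo-key-replace-me"
PRICE_LIST: Dict[str, int] = {"SKU-100": 1999, "SKU-200": 4500}   # unit price in cents
TAX_BASIS_POINTS = 1300                                            # 13% sales tax, assumed


def recompute(lines: List[Tuple[str, int]]) -> Dict[str, int]:
    """Rebuild every derived figure from server-side data. Prices, subtotal, tax and total
    sent by the browser are never used for anything but comparison."""
    subtotal = 0
    for sku, qty in lines:
        if sku not in PRICE_LIST:
            raise ValueError(f"unknown SKU {sku!r}")
        if not 0 < qty <= 1000:                      # range check on the one client-supplied number
            raise ValueError(f"quantity {qty} out of range for {sku}")
        subtotal += PRICE_LIST[sku] * qty
    tax = subtotal * TAX_BASIS_POINTS // 10_000
    return {"subtotal": subtotal, "tax": tax, "total": subtotal + tax}


def accept_order(form: Dict) -> Dict[str, int]:
    """form mimics a posted browser form: line items plus the total the page script displayed.
    A mismatch means the client, or something between it and us, altered the figures."""
    lines = [(str(item["sku"]), int(item["qty"])) for item in form["lines"]]
    server = recompute(lines)
    if int(form.get("total", -1)) != server["total"]:
        raise ValueError(f"client total {form.get('total')} != recalculated {server['total']}")
    return server


def make_ref(record_id: int, user_id: int) -> str:
    """Opaque reference for use in a URL: random nonce + record id + owning user, MACed,
    so the address bar shows nothing a user can read, guess or usefully edit."""
    body = secrets.token_bytes(8) + record_id.to_bytes(8, "big") + user_id.to_bytes(8, "big")
    tag = hmac.new(URL_KEY, body, hashlib.sha256).digest()[:16]
    return base64.urlsafe_b64encode(body + tag).rstrip(b"=").decode("ascii")


def resolve_ref(ref: str, user_id: int) -> int:
    """Map a reference back to a record id. Refuses forged or tampered values and
    references issued to another user; this server-side check is the real control."""
    try:
        raw = base64.urlsafe_b64decode(ref + "=" * (-len(ref) % 4))
    except (ValueError, TypeError):
        raise ValueError("malformed reference")
    if len(raw) != 40:
        raise ValueError("malformed reference")
    body, tag = raw[:24], raw[24:]
    expected = hmac.new(URL_KEY, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("reference forged or tampered")
    if int.from_bytes(body[16:24], "big") != user_id:
        raise PermissionError("reference belongs to another user")
    return int.from_bytes(body[8:16], "big")


def tamper(ref: str, pos: int = 20) -> str:
    """Change one character inside the reference (constructed attack for the demo)."""
    c = "A" if ref[pos] != "A" else "B"
    return ref[:pos] + c + ref[pos + 1:]
```

Opacity of the reference is a convenience; the control is that resolve_ref recomputes the MAC and checks the owning user on the server, so an edited or borrowed URL is refused rather than resolving to somebody else's record. For the "browser cache emptied after each use" point, the server's side of that control is to send Cache-Control: no-store on responses carrying transaction data, since the workstation's cache cannot be relied on to be cleared.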
Processing Controls (2): Completeness
– Batch
  • Reconciliation: transaction file totals compared to master file totals before and after the process
    – Three-way match:
      » master file = transaction file + old master file
      » transaction file = batch totals of data entry forms
  • Control totals:
    – Transaction monetary amount
    – Item count
    – Document count
    – Hash total of a numeric field

Processing Controls (3): Completeness (continued)
– Batch and online
  • Reliance on the database management system
    – Test for DBMS verification of processing success
      » Return_code = Addrec or chgrec
      » Return_code must equal 0 (as defined by the DBMS) to indicate a successful add or change
      » Test return_code after each transaction and report the disposition to the user

Processing Controls (4)
– Reliance on change management and testing
– Matching the transaction to another source
  • Three-way purchase cycle match: invoice / purchase order / receiving document

Processing Controls (5)
– Valid classifications based on record type (chart of accounts, customer, employee HR level)
– Date established by the system at time of entry or processing, not editable
– Date defined in the process in accordance with accounting rules
– Processes started once all data is available

Error Processing
– Ensure that all transactions not completing the processing cycle are identified, researched, and either corrected or removed from the processing cycle
– Ensure that all transactions with errors are disposed of on a timely basis

Error Processing: Options
– Rejecting only the transactions with errors
– Rejecting the whole batch of transactions
– Holding the batch in suspense
– Accepting the batch and flagging the error transactions
Re-entry controls
– Notification of pending batches
– Aging of open batches
– Immediate operator notification
– Prohibit the transaction from continuing prior to correction
– Suspense transactions that can't be completed
  • Unique ID
  • Follow-up process

Data File or Database Tables: Access
– Only via authorized programs
– Limiting ODBC access
– Monitoring SA (super user) or equivalent user IDs
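As an added example of the processing and error-processing controls above (not the deck's code): posting a batch against a master file in SQLite with the DBMS result tested after every row, out-of-balance batches rolled back, rows that cannot post held in a suspense table with a unique id and a system-set date, and an aging report for issue monitoring. The account numbers, balances, batch and escalation threshold are constructed.

```python
import sqlite3
from datetime import date
from typing import Dict, List, Tuple

Batch = List[Tuple[int, int, int]]   # (doc_no, account, cents)


def open_db() -> sqlite3.Connection:
    """In-memory database in autocommit mode so BEGIN/COMMIT/ROLLBACK below are explicit."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript("""
        CREATE TABLE master (account INTEGER PRIMARY KEY, balance_cents INTEGER NOT NULL);
        CREATE TABLE suspense (
            id INTEGER PRIMARY KEY AUTOINCREMENT,   -- unique id for follow-up
            doc_no INTEGER NOT NULL,
            account INTEGER NOT NULL,
            cents INTEGER NOT NULL,
            reason TEXT NOT NULL,
            suspended_on TEXT NOT NULL);             -- set by the system, never by the operator
        INSERT INTO master VALUES (40017, 100000), (40023, 25000), (40031, 0);
    """)
    return conn


def master_total(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COALESCE(SUM(balance_cents), 0) FROM master").fetchone()[0]


def post_batch(conn: sqlite3.Connection, batch: Batch, batch_total_cents: int, today: date) -> Dict:
    """Post a batch to the master file inside one DBMS transaction.
    Every row's DBMS result is tested (rowcount plays the role of the deck's return code);
    rows that cannot post go to suspense; the batch commits only if
    new master = old master + posted  and  posted + suspended = batch total."""
    old_total = master_total(conn)
    posted = suspended_cents = 0
    suspended_docs: List[int] = []
    conn.execute("BEGIN")
    try:
        for doc_no, account, cents in batch:
            cur = conn.execute(
                "UPDATE master SET balance_cents = balance_cents + ? WHERE account = ?",
                (cents, account))
            if cur.rowcount == 1:
                posted += cents
            else:                                   # unknown account: cannot be applied
                conn.execute(
                    "INSERT INTO suspense (doc_no, account, cents, reason, suspended_on) "
                    "VALUES (?, ?, ?, ?, ?)",
                    (doc_no, account, cents, "account not on master file", today.isoformat()))
                suspended_cents += cents
                suspended_docs.append(doc_no)
        new_total = master_total(conn)
        if new_total != old_total + posted:
            raise RuntimeError(f"master out of balance: {new_total} != {old_total} + {posted}")
        if posted + suspended_cents != batch_total_cents:
            raise RuntimeError(f"batch out of balance: {posted + suspended_cents} != {batch_total_cents}")
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")                    # nothing from a failed batch reaches the master
        raise
    return {"posted_cents": posted, "suspended_docs": suspended_docs, "master_total": new_total}


def aging_report(conn: sqlite3.Connection, today: date, escalate_after_days: int = 7) -> List[Dict]:
    """Issue monitoring for the suspense file: age each open item, flag those past the threshold."""
    rows = conn.execute(
        "SELECT id, doc_no, account, cents, suspended_on FROM suspense ORDER BY id").fetchall()
    report = []
    for id_, doc_no, account, cents, on in rows:
        age = (today - date.fromisoformat(on)).days
        report.append({"id": id_, "doc_no": doc_no, "account": account, "cents": cents,
                       "age_days": age, "escalate": age > escalate_after_days})
    return report


# Constructed sample batch: doc 1003 references an account that is not on the master file
SAMPLE_BATCH: Batch = [(1001, 40017, 12500), (1002, 40023, 8000), (1003, 40099, 15075)]
SAMPLE_TOTAL = 35575


def run_demo() -> Tuple[Dict, List[Dict]]:
    conn = open_db()
    result = post_batch(conn, SAMPLE_BATCH, SAMPLE_TOTAL, date(2024, 3, 1))
    report = aging_report(conn, date(2024, 3, 11))    # ten days later: still open, so escalate
    return result, report
```

The suspense row keeps the rejected transaction, its reason and a system-set date, which is what lets the aging report and escalation work without trusting the operator's input; a batch whose totals do not reconcile is rolled back as a whole, so the master file never carries a partial posting.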
OUTPUT CONTROLS

Output Controls
Ensure output delivered to users and other systems will be:
– Relevant and reliable
– Presented and formatted to help ensure understandability
– Consistent and secure
– Available when needed

Output Controls (2)
– Keep critical forms in a secure place
  • Checks
  • Certificates
– Control of forms and signatures
  • Control of the signature plate
  • Limit access to the print queue
  • Sequential numbering
  • Inventory of forms

Output Controls (3)
– Reconciliation
  • Assignment of the process
  • Process for researching out-of-balance conditions
  • Correction of out-of-balance conditions
– Distribution
  • Distribution list file changes
  • Distribution lists
  • Special procedures for confidential and/or negotiable instruments
    – Limits on forwarding or re-distribution
  • Verification of receipt of reports

Outbound Transactions
Ensure only authorized outbound transactions are distributed
– Purchase orders
– Payments
– Auto-adjudicated transactions

Outbound Transactions (2)
Controls over EDI transactions:
– Controlling the set-up and change of trading partner details
– Comparing transactions with trading partner transaction profiles
– Matching the trading partner number to the trading partner master file prior to transmission
– Limiting the authority of users within the organization to initiate specific EDI transactions

Chapter 10
Accounting Information Systems & Internal Controls
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.

Learning Objectives
LO#1 Explain essential control concepts and why a code of ethics and internal controls are important.
LO#2 Explain the objectives and components of the COSO internal control framework and the COSO enterprise risk management framework.
LO#3 Describe the overall COBIT framework and its implications for IT governance.
LO#4 Describe other governance frameworks related to information systems management and security.

Sarbanes-Oxley Act 2002 (LO#1)
SOX requires public companies registered with the SEC and their auditors to annually assess and report on the design and effectiveness of internal control over financial reporting. It established the Public Company Accounting Oversight Board (PCAOB) to provide independent oversight of public accounting firms. PCAOB Auditing Standard No. 5 (AS 5) encourages auditors to use a risk-based, top-down approach to identify the key controls.

Corporate Governance (LO#1)
A set of processes and policies for managing an organization with sound ethics to safeguard the interests of its stakeholders. It promotes accountability, fairness, and transparency in the organization's relationship with its stakeholders.

Overview of Control Concepts (LO#1)
Internal control involves the processes that an organization implements to safeguard assets, provide accurate and reliable information, promote operational efficiency, enforce prescribed managerial policies, and comply with applicable laws and regulations. Under SOX, the establishment and maintenance of internal controls is a management responsibility.
Three main functions of internal control:
– Preventive controls deter problems before they arise (e.g., authorization).
– Detective controls find problems when they arise (e.g., bank reconciliations and monthly trial balances).
– Corrective controls fix problems that have been identified (e.g., backup files to recover corrupted data).
In a computerized environment:
– General controls pertain to enterprise-wide issues such as controls over accessing the network, developing and maintaining applications, documenting changes to programs, etc.
– Application controls are specific to a subsystem or an application and ensure the validity, completeness and accuracy of its transactions.

Commonly Used Internal Control Frameworks (LO#2)
The SEC requires management to evaluate internal controls based on a recognized control framework.
– COSO Internal Control framework. COSO is the Committee of Sponsoring Organizations of the Treadway Commission (AAA, AICPA, FEI, IIA, and IMA). The COSO Internal Control framework is one of the most widely accepted authorities on internal control, providing a baseline for evaluating, reporting, and improving internal control.
– COSO ERM framework: focuses on the strategic alignment of the firm's mission with its risk appetite.
– Control Objectives for Information and related Technology (COBIT): a control framework for the governance and management of enterprise IT.
– Information Technology Infrastructure Library (ITIL): a set of concepts and practices for IT service management.
– International Organization for Standardization (ISO) 27000 series: addresses information security issues.

COSO Internal Control Framework (COSO 2.0) (LO#2)
– Internal control is a process consisting of ongoing tasks and activities. It is a means to an end, not an end in itself.
– Internal control is affected by people. It is not merely about policy manuals, systems and forms; it is about people at every level of a firm who affect internal control.
– Internal control can provide reasonable assurance, not absolute assurance, to an entity's management and board.
– Internal control is geared toward the achievement of objectives in one or more separate but overlapping categories.
– Internal control is adaptable to the entity structure.
Five components of internal control: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring Activities.

Control Environment
Sets the tone of a firm, influences the control consciousness of its employees, and establishes the foundation for the internal control system. It includes management's philosophy and operating style, the integrity and ethical values of employees, the organizational structure, the role of the audit committee, proper board oversight of the development and performance of internal control, and personnel policies and practices.

Risk Assessment
A dynamic process for identifying and analyzing a firm's risks from its external and internal environments. It allows a firm to understand the extent to which potential events might affect corporate objectives. Risks are analyzed after considering the likelihood of occurrence and the potential loss; the analysis serves as a basis for determining how the risks should be managed.

Control Activities
A firm must establish control policies, procedures, and practices that ensure the firm's objectives are achieved and risk mitigation strategies are carried out. They occur throughout a firm at all levels and in all functions.

Information and Communication
Supports all other control components by communicating effectively to ensure information flows down, across, and up the firm, and by interacting with external parties such as customers, suppliers, regulators, and shareholders to inform them about related policy positions.

Monitoring Activities
The design and effectiveness of internal controls should be monitored by management and by other parties outside the process on an ongoing basis. Findings should be evaluated and deficiencies must be communicated in a timely manner. Necessary modifications should be made to improve the business process and the internal control system.

COSO Enterprise Risk Management: Integrated Framework (LO#2) (figure)
COSO indicates that:
– ERM identifies potential events that may affect the firm
– ERM manages risk to be within the firm's risk appetite
– ERM provides reasonable assurance regarding the achievement of the firm's objectives
In addition to internal controls, COSO ERM expands the COSO Internal Control framework to provide a broader view of risk management to maximize firm value.
Eight components: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information and Communication; Monitoring.

Event Identification
After identifying all possible events, management must distinguish between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes. Identified risks are forwarded to the next stage for assessment and managed according to the firm's risk appetite.

Risk Response
Management selects risk responses and develops a set of actions to align risks with the entity's risk tolerances and risk appetite. The four options for responding to a risk are reducing, sharing, avoiding, and accepting it.

Risk Assessment and Risk Response
Given AS 5, risk assessment is also the first step in developing an audit plan to meet the mandate of SOX Section 404. According to COSO ERM, the risks of an identified event are analyzed on an inherent, control, and residual basis.
– Inherent risk: exists before management takes any action to address it.
– Control risk: the threat that errors or irregularities in the underlying transactions will not be prevented, detected and corrected by the internal control system.
– Residual risk: the product of inherent risk and control risk.
(1) Reduce risks by designing effective business processes and implementing internal controls.
(2) Share risks by outsourcing business processes, buying insurance, or entering into hedging transactions.
(3) Avoid risks by not engaging in the activities that would produce the risk.
(4) Accept risk by relying on natural offsets of the risk within a portfolio, or by allowing the likelihood and impact of the risk.

Process to Assess Risks (figure)

Cost and benefit analysis is important in determining whether to implement an internal control: the benefits of a control should exceed its costs. One way to measure the benefit of a control is the estimated impact of a risk times the decrease in its likelihood if the control is implemented:
Expected benefit of an internal control = Impact x Decreased Likelihood

Control Activities
Physical controls are mainly manual but could involve the physical use of computing technology: authorization, segregation of duties, supervision, accounting documents and records, access control, and independent verification.
IT controls are processes that provide assurance for information and help to mitigate risks associated with the use of technology.
– IT general controls (ITGC): IT control environment; access controls (who can access what, when, and where); change management controls; project development and acquisition controls; computer operations controls.
– IT application controls:
  • Input controls (field checks, size checks, range checks, validity checks, completeness checks, reasonableness checks, check-digit verifications, closed-loop verifications)
  • Processing controls (pre-numbered documents, sequence checks, batch totals, cross-footing balance tests, concurrent update controls)
  • Output controls

COBIT Framework (LO#3)
IT governance is a subset of corporate governance and includes issues regarding IT management and security. It is the responsibility of management, and consists of the leadership, organizational structures and processes that ensure the firm's IT sustains and extends its business objectives. COBIT (Control Objectives for Information and related Technology) is a generally accepted framework for IT governance and management. (figure)
COBIT:
– Provides a business focus to align business and IT objectives;
– Defines the scope and ownership of IT processes and controls;
– Is consistent with accepted IT good practices and standards;
– Provides a common language with a set of terms and definitions that are generally understandable by all stakeholders; and
– Meets regulatory requirements by being consistent with generally accepted corporate governance standards (e.g., COSO) and the IT controls expected by regulators and auditors.
Key criteria of business requirements for information:
– Effectiveness: relevant and timely information
– Efficiency: information is produced economically
– Confidentiality: protection of sensitive information
– Integrity: valid, accurate and complete information
– Availability: information is available when needed
– Compliance: information is produced in compliance with laws and regulations
– Reliability: reliable information for daily decision making

Information Technology Infrastructure Library (ITIL) (LO#4)
A de facto standard in Europe for best practices in IT infrastructure management and service delivery. ITIL's value proposition centers on providing IT services with an understanding of the business objectives and priorities, and of the role that IT services have in achieving those objectives. ITIL adopts a lifecycle approach to IT services, and organizes IT service management into five high-level categories.

International Organization for Standardization (ISO) 27000 Series (LO#4)
The ISO 27000 series of standards is designed to address information security issues. The series, particularly ISO 27001 and ISO 27002, has become the most recognized and generally accepted set of information security frameworks and guidelines. Its main objective is to provide a model for establishing, implementing, operating, monitoring, maintaining, and improving an Information Security Management System (ISMS). (figure)