
ADORA
- Security hazards that are present in a computerized system
- Introduction to System Security Controls
- Controls that detect failures in system security
- Weakness in system security control

SHANNY
- Controls that provide a secure system
- Controls for recovery from system security failures
- Audit significance of system security controls

“System security is the protection of computer facilities, equipment, programs, and data from destruction by
environmental hazards, by equipment, software, or human error, or by computer abuse.”

SECURITY HAZARDS (ADORA)

The following are the security hazards that are present in a computerized system:

1. Environmental Hazards – include fires, floods, tornadoes, earthquakes, and other natural disasters. They generally
occur infrequently but with a high cost per occurrence.
2. Errors (equipment, software, or human error) – include damage to disk packs by faulty disk drives, mistakes in
application programs that destroy or damage data, and operator mounting of incorrect files. Errors such as these
occur frequently but usually at a low cost per incident.
3. Computer abuse – the violation of a computer system to perform malicious damage, crime, or invasion of privacy.
The frequency of computer abuse is difficult to determine, and the cost per incident can vary widely.
- Malicious damage – includes looting and sabotage
- Crime – includes embezzlement, industrial espionage, and the sale of commercial secrets
- Invasion of privacy – includes discovery of confidential salary information, and the review of sensitive data by a
competing company.

SYSTEM SECURITY CONTROLS (ADORA)

- System security controls are general controls that prevent failures in system security, detect failures in system
security, and provide for recovery from failures in system security. The prevention of failures in system security is
provided by limiting access to the equipment, programs, and data and by taking other steps to reduce the
likelihood of security failures. Unfortunately, it would be prohibitively expensive to eliminate entirely the risk of
system security failures. Good system security controls, therefore, not only include provisions for the detection of
failures in security should they occur but also procedures to minimize the impact of security failures.
- System security controls are crucial because of the vulnerability of modern computer systems to loss of assets,
the possibility of non-compliance with legal requirements for data retention, and the possible creation of a
material loss contingency in the absence of adequate controls.
- Controls should enhance system security, detect breaches of system security, and provide for recovery from system
security failures.

1. Controls that provide a secure system – a major objective of system security control is to reduce the likelihood of
system security failures. (SHANNY)
a. Security management – planning system security and management control over system security. The
following are the steps in security management planning and control:
i. Establish security objectives
ii. Evaluate security risks
iii. Develop a security plan
iv. Assign responsibilities
v. Test system security
vi. Evaluate system security
b. Facilities security controls – designed to protect computer buildings and equipment from physical
damage. Controls that prevent physical damage are location controls, construction controls, and access
controls.
i. Location controls
ii. Construction controls
iii. Access controls
c. Library controls – restrict access to data files, computer programs, and documentation. These controls are
provided by a library function and by physical safeguards over file usage.
i. Library function
ii. Physical File Controls
d. On-line access controls – on-line access must be restricted by physical security of terminals, authorization
controls, identification controls, and data communication access control.
i. Physical security of terminals
ii. Authorization controls
iii. Identification controls
iv. Data communication access control

2. Controls that detect failures in system security – controls that provide a secure system do not create absolute
security; instead, they reduce the likelihood of security failures. The remaining likelihood of security failures makes it
necessary, therefore, to provide a second level of defense against disaster and unauthorized access. This second
level is the detection of failures in system security through detection controls, which include detection devices,
authentication, and system monitoring. (ADORA)
a. Detection devices – electronic or mechanical devices that detect fire or unauthorized access. Their
purpose is to provide an opportunity for intervention to minimize damage or loss.
i. Fire detection devices
ii. Unauthorized access detection devices
b. Authentication – authentication controls are used to detect unauthorized usage subsequent to the initial
identification.
c. System monitoring – particularly effective in detecting repeated attempts to breach the security system
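As an added illustration of the system-monitoring control described above (example code written for these notes, not taken from the textbook they summarize), the following scans a constructed sample of terminal sign-on records and flags any terminal/user pair with repeated failed attempts inside a short window, which is the kind of pattern the notes say monitoring is particularly effective at detecting. The log format and the threshold and window values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of terminal sign-on records (not real data):
# timestamp, terminal id, user id, outcome of the sign-on attempt
SAMPLE_LOG = """\
2024-03-01T08:00:05 T01 jsmith OK
2024-03-01T08:01:10 T07 mlee FAIL
2024-03-01T08:01:25 T07 mlee FAIL
2024-03-01T08:01:40 T07 mlee FAIL
2024-03-01T08:01:55 T07 mlee FAIL
2024-03-01T08:15:00 T03 rdoe FAIL
2024-03-01T09:30:00 T03 rdoe FAIL
2024-03-01T09:30:30 T03 rdoe OK
"""


def parse_log(text):
    """Parse one sign-on record per line into (time, terminal, user, outcome)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, terminal, user, outcome = line.split()
        records.append((datetime.fromisoformat(stamp), terminal, user, outcome))
    return records


def repeated_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Return {(terminal, user): max_count} for pairs whose failed attempts
    reach `threshold` within any sliding window of length `window`.
    Isolated failures spread over a long period (a user mistyping once in
    the morning and once later) are not reported."""
    failures = defaultdict(list)
    for when, terminal, user, outcome in records:
        if outcome == "FAIL":
            failures[(terminal, user)].append(when)
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the oldest retained failure
            # is no more than `window` before the newest one
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (terminal, user), n in repeated_failures(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT terminal={terminal} user={user} failed_attempts={n}")
```

In the sample, only the four rapid failures from terminal T07 are reported; the two failures for rdoe are 75 minutes apart and fall outside the window.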

3. Controls for recovery from system security failures – an effective recovery is one that minimizes loss or damage
from immediate security failure, and from subsequent operational problems. Recovery controls include controls
that minimize damage from fire, adequate insurance, failure by-pass procedures, a recovery plan, and recovery
procedures. (SHANNY)
a. Fire extinguishment
b. Insurance
c. Failure bypass procedures
d. Recovery plan
e. Recovery procedures

WEAKNESS IN SYSTEM SECURITY CONTROLS (ADORA)

Weakness in system security controls can endanger assets and data. It can result in unauthorized processing of
transactions, inaccurate reports and data records, loss of assets, loss of vital data, and disclosure of sensitive information
such as trade secrets.

AUDIT SIGNIFICANCE OF SYSTEM SECURITY CONTROLS (SHANNY)

“The reliability of accounting systems, accuracy of accounting information, and safety of corporate assets are all
dependent on adequate system security controls.”

There are several reasons why system security controls are important. These reasons include:

- Impact of system security controls on other general controls
- Vulnerability of computer systems to loss of assets
- Impact of security failures on data reliability
- Possibility of lack of compliance with legal requirements
- Possibility of loss contingency due to severe and uninsured data processing security risks
- Vulnerability of computer systems to unauthorized use

For all these reasons, the auditor should understand and test system security controls. (pages 278-279, 281-282, 288-289).
Weak system security controls may make it impossible to assess control risk at a low level on application controls and may
require the auditor to increase substantive testing.
