I would prefer the following e-commerce sites: 1. Bestbuy 2. Bohme. Required: 1. Analyze the general computer controls (GCC) and application controls of an E-commerce website that you
General computer controls
Computer controls in context.
Confidentiality
As accountants, we want to understand the risk and controls in our software. How likely is it that someone can break in and make changes?
Application Audit
An application is something that processes information: it takes inputs and posts them to accounts, ledgers, shipping activity, payroll activity.
Either we programmed it ourselves (self-developed software), or it came out of a can (canned software such as Oracle or QuickBooks).
ITGC Audit
IT General Controls
Keep the bad stuff out of the machine.
Mostly concerned with things that affect the machines we use to do our work.
Application controls: how the software checks itself as it is doing its job.
GCCs
General Computer Controls (GCC) is the same thing as ITGC.
Administrative
Baseline
Risk assessment
Approvals of projects/budgets/steering committee
Coordination between business and IT
Training, background checks, evaluations
Documented policies and procedures
Segregation of IT duties
Over finance:
Record
Authorization
Custody
In I.T.
Programmers/coders
Developers
Production
Launched version of the software developed by programmers
Users
Security professionals
Logical security/logical controls
Access
Least privilege principle (few users, few rights)
Approvals
Terminations/transfers
Review of rights (data owners)
Special rights (admins, DBA, etc.)
Applications, OS, Database
Passwords
What you know
What you have: token based (RSA cards, USB drives, swipe cards)
Change them often (note: current NIST SP 800-63B guidance no longer recommends forced periodic rotation unless compromise is suspected)
Make them hard to guess
Don’t leave them lying around
Don’t share
The longer, the better
Change control
SDLC
Authorization
Steering committee
Tested
Approved
Back-out (rollback) plans
Segregation of duties
Network operations
Help desk
Executables
Monitoring
Hardening
Incident management
Malware
Destruction of info
Backups
Rotation
Offsite
Restorations
Access
Encryption
Physical/Environmental security
Colocation
Stopping the environment or physical factors from doing something to your machines
Redundancy
Security
Biometrics, key cards, mantraps, cameras, motion sensors
Environmental
Temperature, humidity, fire, water, dust, airflow
Power
UPS, generators, conditioners
Recovery/Continuity
DRP (Disaster recovery plan)
Hot sites
Warm sites
Cold sites
BCP (Business Continuity plan)
Risk Assessment
Test
Refine
Levels within GCC
Internet
Getting information out to external users
Networks
By which employees move information
Database
Storing data and files
Application
Operating System
Hardware
Background information
How are controls within GCCs and BCCs integrated?
Network security: browser-to-server transfer security (e.g., TLS)
Monitoring
Zones
IDS/IPS
Wireless
VPN
E-commerce
Application Controls:
Input
E-commerce; entering order information
Processing
Affects shipping, invoicing
Output
Affects reporting - invoice, bill of lading
Reports are linked to queries, and those queries have to be written correctly, e.g. a new column is added to the data but the query is not aware of it.
Objectives:
All input data is accurate, complete, authorized, and correct
All data is processed as intended
All data stored is accurate and complete
All output is accurate and complete
A record is maintained to track the process of data from input to storage, and to the eventual output
Access to data is limited based on business need
Incompatible duties within an application are systematically prevented
It is important to track who is performing transactions, journal entries, etc, in a “black box.” Limiting access goes back to general controls, duties, determining who can do what within the system.
Input Controls:
Designed by an organization to ensure that the info being collected for processing is authorized, accurate, and complete
Controlling the users
These controls are used to check the integrity of the data entered into a business application
Users limited to selecting values in a pre-populated dropdown, radio buttons, etc.
System validates that a valid number is entered in a field where a dollar amount is expected
Five components
Validation
Has someone looked at the data and “approved it?”
Matching of data
Matching input to existing valid/authorized data
Customer number matches to existing/active customer
Order entry - match to inventory levels for availability
Purchasing - match vendor ID to the approved vendor list prior to payment
Programmed check
Program matches input with pre-established rules or data held in a reference table or master file
e.g. sales tax auto-populated based on zip code
Stops unauthorized discounts
Matching transactions to another file
SKU (stock keeping unit): the number references the price table
Helps calculate tax and shipping and reduce inventory
Authorization
Username and password; modular, with access restrictions per function
Enter prices
Enter vendors
Enter employees
Enter customer credit approval (or programmed)
Enter sales orders
Enter adjustments
Enter useful lives
Triggers approvals based on user before processing requests
Approve journal entries
Completeness
Pertinent, key data has to be entered into the fields, no open fields
Batching - pieces of paper filled in by hand (e.g. catalog orders), making sure everything in a stack was put into the system
Sequence check - pre-numbered documents are checked for chronological order and for gaps in the numbering
Match with previously processed data
completeness check
Batch controls
Financial total - foot/total every one of the financial dollar amounts in the batch
Hash total - a nonsensical number computed only to check for accuracy, e.g. adding up customer IDs as numerical values
Record count - hand count of the number of documents in the batch
Completeness of Input - computer matching with previously processed documents
Invoice is created based on completed sales order number and valid shipping doc #
In the input stage, not letting something process unless all the relevant input fields are filled in (testing stage)
Payment of invoice will not take place until certain matching occurs between previously processed documents
invoice will be matched to
previously processed P.O.
previously processed receipt of goods
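As an added example, not part of the original notes, the following Python shows the two completeness controls above in working form: batch control totals (financial total, hash total, record count, plus a sequence check) computed over a constructed batch of hand-keyed orders and compared against the totals written on the batch header, and a three-way match of an invoice against a previously processed purchase order and receipt of goods before payment is released. All document numbers, field names and reference data are constructed for the example.

```python
"""Added example (not from the original notes): completeness controls.

Part 1: batch control totals over a constructed batch of keyed catalog orders,
compared with the control totals the clerk wrote on the batch header.
Part 2: completeness of input via a three-way match (invoice vs. previously
processed PO vs. previously processed receipt) before payment is allowed.
All data, field names and document numbers are constructed.
"""
from dataclasses import dataclass
from decimal import Decimal

# --- Part 1: batch controls --------------------------------------------------

# Constructed batch: each record keyed from a paper catalog order form.
BATCH = [
    {"order_no": 1001, "customer_id": 50012, "amount": Decimal("120.00")},
    {"order_no": 1002, "customer_id": 50077, "amount": Decimal("35.50")},
    {"order_no": 1003, "customer_id": 50012, "amount": Decimal("980.25")},
]

def batch_totals(records):
    """Financial total (foots the dollar amounts), hash total (sums a
    non-financial field, here customer IDs, purely to detect a dropped or
    mis-keyed record) and record count."""
    return {
        "financial_total": sum(r["amount"] for r in records),
        "hash_total": sum(r["customer_id"] for r in records),
        "record_count": len(records),
    }

def check_batch(records, header):
    """Compare computed totals with the control totals on the batch header.
    Returns the names of mismatched controls; empty means the batch is
    complete and may be released for processing."""
    computed = batch_totals(records)
    return [k for k in computed if computed[k] != header[k]]

def sequence_gaps(records, key="order_no"):
    """Sequence check: pre-numbered documents should arrive with no gaps."""
    nums = sorted(r[key] for r in records)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]

# --- Part 2: three-way match -------------------------------------------------

@dataclass(frozen=True)
class Document:
    number: str
    vendor_id: str
    sku: str
    quantity: int
    unit_price: Decimal

# Constructed previously processed documents, keyed by document number.
PURCHASE_ORDERS = {"PO-7001": Document("PO-7001", "V-42", "SKU-9", 10, Decimal("5.00"))}
RECEIPTS = {"RCV-3301": Document("RCV-3301", "V-42", "SKU-9", 10, Decimal("5.00"))}

def three_way_match(invoice, po_number, receipt_number):
    """Payment is allowed only when the invoice agrees with the PO and the
    receipt on vendor, SKU, quantity and price. Returns (ok, reasons)."""
    reasons = []
    po = PURCHASE_ORDERS.get(po_number)
    rcv = RECEIPTS.get(receipt_number)
    if po is None:
        reasons.append(f"no processed PO {po_number}")
    if rcv is None:
        reasons.append(f"no processed receipt {receipt_number}")
    if reasons:
        return False, reasons
    for field in ("vendor_id", "sku", "quantity", "unit_price"):
        vals = {getattr(d, field) for d in (invoice, po, rcv)}
        if len(vals) != 1:
            reasons.append(f"{field} differs across invoice/PO/receipt: {sorted(map(str, vals))}")
    return not reasons, reasons

if __name__ == "__main__":
    header = {"financial_total": Decimal("1135.75"), "hash_total": 150101, "record_count": 3}
    print("batch mismatches:", check_batch(BATCH, header), "gaps:", sequence_gaps(BATCH))
    inv = Document("INV-1", "V-42", "SKU-9", 12, Decimal("5.00"))
    print("three-way match:", three_way_match(inv, "PO-7001", "RCV-3301"))
```

The hash total deliberately sums a field that has no financial meaning; its only job is to change if a record is dropped or a customer ID is mis-keyed, which a financial total alone would miss when two keying errors happen to offset.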
Accuracy
Ensuring the data is right as you put it in, no extra zeros
Edit checks
Reasonableness (limit/range)
Checking to see if input falls within reasonable range of limits
Prevents possible mistakes or manipulation activities
Applied to data fields
Example: New inventory cost exceeds previous price by more than 10%
System responses to unusual input:
Prevents entry altogether
Asks for an approval code
Warns, then allows
Dependency
Looking for logical relationships
Comparing 2+ elements or fields on a transaction for correct logical relationships
Example: Inventory quantity ordered does not exceed 120% of average quantity ordered for prior year
Format
Checks the existence of expected numeric or alphabetic characters
Ex: only allows numerical input in a field, only allow text, do not allow blanks.
Mathematical Accuracy checks
Re-footing (re-adding the totals) as data is entered
Check Digits
Using algorithms to check validity of entered data
Existence
Looks at what is being populated
Matches data codes against other files for validity
Ex: when purchase orders are processed, the program checks that the GL and AP codes used exist (match a master file).
Supplement with check digits
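As an added example, not code from the original notes, the following Python runs the accuracy edit checks listed above over a constructed purchase-order line: a reasonableness (limit/range) check using the 10% cost-change threshold, a dependency check using the 120%-of-prior-year-average rule, format checks, a check-digit validation (the Luhn mod-10 algorithm, used here as the worked check-digit scheme; the notes do not name one), and an existence check of GL and vendor codes against master files. Each exception carries the response the system would take (block, ask for approval, or warn). Field names, master-file contents and the account-number format are assumptions for the example.

```python
"""Added example (not from the original notes): accuracy edit checks over a
constructed purchase-order line. Thresholds (10%, 120%) are the ones the
notes use; reference tables, field names and the Luhn check digit on the
account number are assumptions for the example."""
from decimal import Decimal
import re

# Constructed master files the checks look up.
INVENTORY_MASTER = {
    # sku: (last unit cost, average quantity ordered in the prior year)
    "SKU-9": (Decimal("5.00"), 100),
}
GL_ACCOUNTS = {"1200", "5010"}      # valid general-ledger codes
AP_VENDORS = {"V-42", "V-77"}       # approved vendor list

FORMATS = {                         # format checks: what each field may contain
    "quantity": re.compile(r"^\d+$"),
    "unit_cost": re.compile(r"^\d+(\.\d{1,2})?$"),
    "gl_code": re.compile(r"^\d{4}$"),
    "vendor_id": re.compile(r"^V-\d+$"),
    "account_no": re.compile(r"^\d{8,19}$"),
}

def luhn_valid(number: str) -> bool:
    """Check digit: mod-10 (Luhn) validation of a numeric identifier."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def reasonableness_check(sku, new_cost, tolerance=Decimal("0.10")):
    """Limit/range: new cost must not exceed the last cost by more than 10%."""
    last_cost, _ = INVENTORY_MASTER[sku]
    if (new_cost - last_cost) / last_cost > tolerance:
        return f"unit_cost {new_cost} exceeds last cost {last_cost} by more than {tolerance:%}"
    return None

def dependency_check(sku, quantity, factor=Decimal("1.2")):
    """Logical relationship: quantity vs. 120% of prior-year average order."""
    _, avg_qty = INVENTORY_MASTER[sku]
    if quantity > avg_qty * factor:
        return f"quantity {quantity} exceeds {factor:.0%} of prior-year average {avg_qty}"
    return None

def existence_check(gl_code, vendor_id):
    errors = []
    if gl_code not in GL_ACCOUNTS:
        errors.append(f"GL code {gl_code} does not exist")
    if vendor_id not in AP_VENDORS:
        errors.append(f"vendor {vendor_id} not on approved vendor list")
    return errors

def edit_checks(line: dict):
    """Run every check; return (response, message) pairs. Format, existence and
    check-digit failures block entry; reasonableness asks for an approval
    code; dependency warns and then allows."""
    exceptions = []
    for field, pattern in FORMATS.items():
        if not pattern.match(line.get(field, "")):
            exceptions.append(("block", f"format: {field}={line.get(field)!r} is not valid"))
    if exceptions:
        return exceptions          # cannot convert badly formatted values
    if line["sku"] not in INVENTORY_MASTER:
        return [("block", f"SKU {line['sku']} does not exist")]
    if not luhn_valid(line["account_no"]):
        exceptions.append(("block", "check digit: account_no fails mod-10 check"))
    for msg in existence_check(line["gl_code"], line["vendor_id"]):
        exceptions.append(("block", msg))
    msg = reasonableness_check(line["sku"], Decimal(line["unit_cost"]))
    if msg:
        exceptions.append(("approve", msg))
    msg = dependency_check(line["sku"], int(line["quantity"]))
    if msg:
        exceptions.append(("warn", msg))
    return exceptions

if __name__ == "__main__":
    line = {"sku": "SKU-9", "quantity": "150", "unit_cost": "6.00", "gl_code": "9999",
            "vendor_id": "V-42", "account_no": "79927398710"}
    for response, message in edit_checks(line):
        print(response, "-", message)
```

Running the checks in this order matters: a value that fails the format check cannot be converted to a number, so the format check short-circuits before the numeric checks run, and existence is verified before any calculation depends on the master-file lookup.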
Processing Controls
Provide automated means to ensure processing is complete, accurate, and authorized
Ex: transactions exceeding a specific dollar amount must be approved by an exec before being applied in the system
Automated file identification and validation
Automated functionality and calculations controls
Audit trails and overrides controls
Duplicate controls - no duplicate transactions (e.g. the same check paid twice)
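As an added example, not code from the original notes, the following Python implements the processing controls listed above (and the "incompatible duties are systematically prevented" objective from the application-control objectives) for a constructed journal-entry queue: transactions over a dollar threshold require executive approval, duplicate transaction IDs are rejected, the preparer of an entry cannot be its approver, and every decision, including overrides, is written to an append-only audit trail that feeds an exception report. The threshold, user roles, and transactions are constructed assumptions.

```python
"""Added example (not from the original notes): processing controls for a
constructed journal-entry queue. Threshold, roles and transactions are
assumptions made for the example."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

EXEC_APPROVAL_THRESHOLD = Decimal("10000.00")                    # assumed policy limit
USER_ROLES = {"alice": "clerk", "bob": "clerk", "carol": "exec"}  # constructed directory

@dataclass(frozen=True)
class Transaction:
    txn_id: str
    prepared_by: str
    amount: Decimal
    approved_by: Optional[str] = None
    override_code: Optional[str] = None   # set when a supervisor overrides the threshold

class Processor:
    def __init__(self):
        self.posted = {}         # txn_id -> Transaction (the "ledger")
        self.audit_trail = []    # append-only list of (txn_id, action, detail)

    def _log(self, txn, action, detail=""):
        self.audit_trail.append((txn.txn_id, action, detail))

    def process(self, txn: Transaction) -> bool:
        """Apply the controls in order; return True only if the entry posts."""
        # Duplicate control: the same transaction must never post twice.
        if txn.txn_id in self.posted:
            self._log(txn, "rejected", "duplicate transaction id")
            return False
        # Segregation of duties: incompatible duties prevented by the system.
        if txn.approved_by is not None and txn.approved_by == txn.prepared_by:
            self._log(txn, "rejected", "preparer cannot approve own entry")
            return False
        # Threshold control: large amounts need an executive, or a logged override.
        if txn.amount > EXEC_APPROVAL_THRESHOLD:
            if USER_ROLES.get(txn.approved_by) != "exec":
                if txn.override_code is None:
                    self._log(txn, "rejected", "exec approval required")
                    return False
                self._log(txn, "override", f"code {txn.override_code} used by {txn.approved_by}")
        self.posted[txn.txn_id] = txn
        self._log(txn, "posted", f"amount {txn.amount} prepared_by {txn.prepared_by}")
        return True

    def exception_report(self):
        """Entries a reviewer should look at: every rejection and every override."""
        return [e for e in self.audit_trail if e[1] in ("rejected", "override")]

if __name__ == "__main__":
    p = Processor()
    for t in [
        Transaction("JE-1", "alice", Decimal("500"), approved_by="bob"),
        Transaction("JE-1", "alice", Decimal("500"), approved_by="bob"),
        Transaction("JE-3", "alice", Decimal("25000"), approved_by="bob"),
        Transaction("JE-5", "bob", Decimal("25000"), approved_by="alice", override_code="OVR-7"),
    ]:
        print(t.txn_id, "posted" if p.process(t) else "rejected")
    for entry in p.exception_report():
        print("exception:", entry)
```

The override path is deliberately allowed to post: the control is not that overrides never happen, but that they cannot happen silently. Every override lands on the exception report with the code and the user who used it, which is what an auditor reviews.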
Output controls
Reconciliation for completeness and accuracy
Focus on detecting errors after processing is completed rather than on preventing errors
Security over reports
Ex: system generated POs, reports, invoices
Integrity
No changes in form from input to output
Exception reports; payroll, etc.