SUMMARY OF STUDY OBJECTIVES

An overview of internal controls for IT systems. Threats and risks that interrupt or stop computer operations can be severely damaging to the organization. Not only can they disrupt or shut down normal operations, but they also can lead to incorrect or incomplete accounting information. There are three important areas of knowledge regarding threats and risks to IT systems: the first is a description of the general controls and application controls that should exist in IT systems; the second is the type and nature of risks in IT systems; the third, and most important, is the recognition of how these controls can be used to reduce those risks.

General controls for IT systems. These are controls on the overall IT system and can be categorized by the following risk areas they are intended to lessen: unauthorized access, hacking and other network break-ins, exposures in organizational structure, threats in the physical environment and physical security of the system, and disruption to business continuity.

General controls from a Trust Services Principles perspective. The AICPA Trust Services Principles define five objectives for IT controls: security, availability, processing integrity, confidentiality, and online privacy. Security means that the system is protected against unauthorized (physical and logical) access. Availability means the system is available for operation and use as committed or agreed. Processing integrity means that the system processing is complete, accurate, timely, and authorized. Confidentiality means that information designated as confidential is protected as committed or agreed. Online privacy means that personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.

Hardware and software exposures in IT systems. The various hardware and software parts of IT systems are sources of risk or exposure. Examples of these risks are altered, deleted, or stolen data; systems that are shut down or rendered unusable; and virus or worm infections. The parts of the IT system that have these potential exposures are the operating system, the database, the database management system (DBMS), a local area network (LAN), a wireless network, e-business systems, telecommuting workers, electronic data interchange (EDI) systems, and application software. Public cloud computing is a newer computing model that increases the risks in each of the categories outlined in the Trust Services Principles.

Application software and application controls. These are input controls, processing controls, and output controls. Input controls are intended to prevent, detect, or correct errors during data input; thus, they should help ensure the accuracy and completeness of any data that are input. Processing controls are intended to ensure accurate and complete processing. Output controls are intended to ensure that output is properly distributed and disposed of, and that it is accurate and complete.
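To make the input and processing controls above concrete, here is an added Python example that is not code from the textbook this summary belongs to. It applies completeness, field, sign, range, validity and self-checking-digit edits to each record of a constructed invoice batch, reconciles record counts, batch totals and hash totals against the control totals prepared with the source documents, and performs a run-to-run total check after posting. The invoice layout, the payment-terms reference list, the amount limits, the mod-10 (Luhn-style) check-digit scheme on the account number and the sample batch are all assumptions made for this illustration.

```python
"""Input and processing controls applied to a batch of sales invoices.

Added example, not code from the textbook. The invoice layout, the
terms reference list, the amount limits, the mod-10 check digit on the
account number and the sample batch are all constructed for this file.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

REQUIRED_FIELDS = ("invoice_no", "account_no", "terms", "amount")
VALID_TERMS = {"NET30", "NET60", "COD"}                         # assumed reference list
AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("100000.00")  # assumed limits


def check_digit_ok(number: str) -> bool:
    """Self-checking digit: the account number must pass a mod-10 (Luhn) test."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def check_record(rec: dict) -> list:
    """Input controls on one record; returns the list of violations (empty = clean)."""
    errors = [f"completeness: {f} missing" for f in REQUIRED_FIELDS
              if not str(rec.get(f, "")).strip()]
    if errors:                               # completeness check failed, stop here
        return errors
    if not rec["invoice_no"].isdigit():      # field check: numeric key
        errors.append("field: invoice_no not numeric")
    try:
        amount = Decimal(rec["amount"])      # field check: numeric amount
    except InvalidOperation:
        return errors + ["field: amount not numeric"]
    if amount <= 0:                          # sign check
        errors.append("sign: amount not positive")
    elif not AMOUNT_MIN <= amount <= AMOUNT_MAX:   # range / limit check
        errors.append("range: amount outside limits")
    if rec["terms"] not in VALID_TERMS:      # validity check against reference list
        errors.append("validity: unknown terms code")
    if not check_digit_ok(rec["account_no"]):      # self-checking digit
        errors.append("check digit: account_no fails mod-10")
    return errors


@dataclass(frozen=True)
class Totals:
    record_count: int
    batch_total: Decimal   # financial total of invoice amounts
    hash_total: int        # sum of account numbers; meaningless except as a control


def _amount(rec: dict) -> Decimal:
    """Amount for totalling; a blank or garbled amount counts as 0 so totals can still be compared."""
    try:
        return Decimal(rec.get("amount", "") or "0")
    except InvalidOperation:
        return Decimal("0")


def compute_totals(records) -> Totals:
    return Totals(len(records),
                  sum((_amount(r) for r in records), Decimal("0")),
                  sum(int(r["account_no"]) for r in records
                      if str(r.get("account_no", "")).isdigit()))


def reconcile(records, control: Totals) -> list:
    """Names of control totals that do not agree with the recomputed totals."""
    got = compute_totals(records)
    return [n for n in ("record_count", "batch_total", "hash_total")
            if getattr(got, n) != getattr(control, n)]


def edit_batch(records):
    """Split the batch into accepted records and (record, errors) rejects for correction."""
    accepted, rejected = [], []
    for r in records:
        errs = check_record(r)
        if errs:
            rejected.append((r, errs))
        else:
            accepted.append(r)
    return accepted, rejected


def post_batch(accepted, ledger: dict) -> Decimal:
    """Processing step: post accepted invoices to customer balances; returns amount posted."""
    posted = Decimal("0")
    for r in accepted:
        amt = Decimal(r["amount"])
        ledger[r["account_no"]] = ledger.get(r["account_no"], Decimal("0")) + amt
        posted += amt
    return posted


def run_batch(records, control: Totals) -> dict:
    mismatches = reconcile(records, control)          # batch-level control totals
    accepted, rejected = edit_batch(records)          # record-level input edits
    ledger = {}
    posted = post_batch(accepted, ledger)
    # run-to-run control total: amount posted must equal the accepted input total
    run_to_run_ok = posted == compute_totals(accepted).batch_total
    return {"mismatches": mismatches, "accepted": accepted, "rejected": rejected,
            "posted": posted, "run_to_run_ok": run_to_run_ok, "ledger": ledger}


# Constructed sample batch: invoice 5003 has a bad check digit, 5004 an unknown terms
# code, 5005 exceeds the limit, 5006 was keyed with a blank amount (source said 20.00).
SAMPLE_BATCH = [
    {"invoice_no": "5001", "account_no": "100016", "terms": "NET30", "amount": "1250.00"},
    {"invoice_no": "5002", "account_no": "100024", "terms": "NET60", "amount": "89.50"},
    {"invoice_no": "5003", "account_no": "100017", "terms": "NET30", "amount": "300.00"},
    {"invoice_no": "5004", "account_no": "100032", "terms": "NET90", "amount": "45.00"},
    {"invoice_no": "5005", "account_no": "100040", "terms": "COD", "amount": "150000.00"},
    {"invoice_no": "5006", "account_no": "100040", "terms": "COD", "amount": ""},
]
# Constructed control totals as prepared from the six source documents.
CONTROL = Totals(record_count=6, batch_total=Decimal("151704.50"), hash_total=600169)

if __name__ == "__main__":
    result = run_batch(SAMPLE_BATCH, CONTROL)
    print("control-total mismatches:", result["mismatches"])
    for rec, errs in result["rejected"]:
        print("rejected", rec["invoice_no"], errs)
    print("posted", result["posted"], "run-to-run ok:", result["run_to_run_ok"])
```

Running it shows the two layers working together: the batch total disagrees with the control total (the blank amount on invoice 5006 dropped 20.00 from the batch) even though the record count and hash total still agree, and the record-level edits then isolate each faulty record so it can be corrected and re-entered rather than silently posted.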

Ethical issues in IT systems. IT systems and computers within IT systems can be used unethically. Examples of unethical behavior with IT systems are misuse of confidential customer information, theft of customer or company data, employee use of IT systems for personal use, and misuse of company e-mail systems to send offensive, threatening, or sexually explicit material.

KEY TERMS

Antivirus software
Application controls
Authentication of users
Authority table
Availability
Backup data
Batch total
Biometric device
Business continuity planning
Completeness check
Computer log
Confidentiality risks
Control totals
Data preparation procedures
Database administrator
Database management system (DBMS)
Disaster recovery plan
Electronic data interchange (EDI)
Emergency power supplies (EPS)
Encryption
Field check
Firewall
General controls
Hash totals
Input controls
Intrusion detection
IT governance committee
Limit check
Local area network (LAN)
Log in
Nonrepudiation
Off-site backup
Online privacy
Operating system
Operations personnel
Output controls
Password
Penetration testing
Private cloud
Processing controls
Processing integrity
Programmers
Public cloud
Public key encryption
Range check
Reasonableness check
Record counts
Redundant array of independent disks (RAID)
Redundant servers
Run-to-run control totals
Secure sockets layer (SSL)
Security
Security token
Self-checking digit
Sequence check
Service set identifier (SSID)
Sign check
Smart card
Source document
SSL
Symmetric encryption
System development life cycle (SDLC)
Systems analyst
Telecommuting
Two-factor authentication
Uninterruptible power supplies (UPS)
User ID
User profile
Validity check
Virtual private network (VPN)
Virus
Vulnerability assessment
Wide area network (WAN)
Wired equivalency privacy (WEP)
Wireless protected access (WPA)