Chapter 8: Controlling Information Systems: Introduction to Pervasive Controls
ACCOUNTING INFORMATION SYSTEMS, 11e
Gelinas ► Dull ► Wheeler ► Hill
© 2018 Cengage Learning. All rights reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a
certain product or service or otherwise on a password-protected website for classroom use.
Learning Objectives
1. Describe the major pervasive controls that organizations
employ as part of their internal control structure.
2. Explain how pervasive controls help ensure continuous,
reliable operational and IT processes.
3. Recognize how an organization uses internal control
resources to ensure achievement of its strategic vision.
4. Evaluate the appropriate segregation of duties within a
transaction process.
5. Comprehend the internal control implications inherent
in company employment policies.
6. Recognize the integral part played by the monitoring
function in ensuring the overall effectiveness of a system
of internal controls.
7. Learn the major controls used to manage the design and
implementation of new processes, especially new IT
processes.
8. Understand the COBIT 5 framework and its impact on
the governance of enterprise IT.
SYNOPSIS
This chapter describes four important pervasive controls that comprise a major element in organizational governance and IT governance initiatives:
•Organizational design with a focus on segregation of duties.
•Corporate policies with a focus on personnel policies.
•Monitoring controls.
•IT general controls.
Introduction
The second highest level of control plans are pervasive control
plans.
Pervasive controls are particularly important because they
relate to a multitude of control goals and processes, not just
one.
Pervasive control plans influence the effectiveness of the
control plans at lower levels of the control hierarchy: business
process control plans and application control plans.
Organizational Design Control Plans
Organizational design:
•Involves the creation of roles, processes, and formal reporting relationships in an organization.
•Includes establishing departmental relationships, including the degree of centralization in the organization.
•Involves personnel reporting structures, such as chain of command and approval levels.
The Segregation of Duties Control Plan
Segregation of duties: Separates the four basic functions of event processing:
•Function 1: Authorizing events.
•Function 2: Executing events.
•Function 3: Recording events.
•Function 4: Safeguarding resources resulting from consummating events.
•Segregation of duties control prevents unauthorized
execution of events and helps prevent fraud by ensuring
that only valid events are recorded.
•Ideal segregation of duties requires that different units
(departments) carry out each of the four phases of event
processing.
•In this way, collusion would need to occur between one or
more persons (or departments) to exploit the system and
conceal abuse.
•An organization must be large enough to support at least
four independent units to implement segregation of duties
effectively.
•Alternative control plans are commonly called
compensatory controls.
•To increase internal control, authorization, execution, and
record-keeping functions within a software program are
consolidated.
•Large companies can install segregation of duties (SOD) software, e.g.:
•Symantec Corp.’s Security Information Manager (SSIM) and Control Compliance Suite.
•Approva’s Authorization Insight.
•Software:
•Works with major ERP systems (e.g. SAP, Oracle, PeopleSoft).
•Monitors user access levels across the system to prevent, detect,
and correct SOD conflicts and inappropriate access to sensitive
transactions.
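An added illustration, not taken from the textbook or from any product named above: the kind of detective and preventive check described here, applied to the four event-processing functions. The role names, process names, users, and function labels are constructed sample data.

```python
from collections import defaultdict

# The four event-processing functions that segregation of duties separates.
FUNCTIONS = ("authorize", "execute", "record", "safeguard")

# Constructed sample data (hypothetical roles, not from any real ERP system).
# Each role grants one or more (process, function) entitlements.
ROLE_ENTITLEMENTS = {
    "purchasing_manager": {("purchasing", "authorize")},
    "buyer":              {("purchasing", "execute")},
    "ap_clerk":           {("purchasing", "record")},
    "warehouse_receiver": {("purchasing", "safeguard")},
    "cashier":            {("cash_receipts", "safeguard")},
    "ar_clerk":           {("cash_receipts", "record")},
}
USER_ROLES = {
    "alice": ["purchasing_manager"],
    "bob":   ["buyer", "ap_clerk"],               # executes and records purchases
    "carol": ["warehouse_receiver", "ar_clerk"],  # different processes: no conflict
    "dave":  ["cashier", "ar_clerk"],             # custody of cash plus its records
}

def find_sod_conflicts(user_roles, role_entitlements):
    """Detective check: return {user: {process: [functions]}} for every user
    who holds two or more of the four functions within the same process."""
    conflicts = {}
    for user, roles in user_roles.items():
        held = defaultdict(set)
        for role in roles:
            if role not in role_entitlements:
                raise KeyError(f"unknown role {role!r} assigned to {user!r}")
            for process, function in role_entitlements[role]:
                if function not in FUNCTIONS:
                    raise ValueError(f"unknown function {function!r} in {role!r}")
                held[process].add(function)
        bad = {p: sorted(f) for p, f in held.items() if len(f) > 1}
        if bad:
            conflicts[user] = bad
    return conflicts

def grant_would_conflict(user, new_role, user_roles, role_entitlements):
    """Preventive check: would adding new_role give this user an SOD conflict?"""
    trial = {user: list(user_roles.get(user, [])) + [new_role]}
    return bool(find_sod_conflicts(trial, role_entitlements))

if __name__ == "__main__":
    for user, detail in find_sod_conflicts(USER_ROLES, ROLE_ENTITLEMENTS).items():
        print(user, detail)
```

Conflicts are evaluated per process, so a user who safeguards inventory and records cash receipts is not flagged, while one who both holds cash and keeps its records is.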
Segregation of Duties Activity
Personnel Policy Control Plans
•A policy is a plan or process put in place to guide actions and
achieve goals.
•Unlike laws, which can compel behaviors and enforce
penalties, policies guide behavior towards actions that achieve
desired goals.
•Personnel control plans help protect an organization against
certain types of risks (Figure 8.2).
Selection and Hiring Control Plans
•Selection and hiring policies: Job candidates should be
carefully screened, selected, and hired.
•Many control plans exist for selection and hiring.
•Companies choose which plans to employ based on the salary
level and job duties for the position for which the candidate is
applying.
Retention Control Plans
•Retention plans: Aimed at keeping qualified personnel.
•Once an appropriate employee has been hired, organizations want to
retain them.
•Companies develop policies to provide creative and challenging work
opportunities and, when possible, to offer open channels to
management-level positions.
•Salary and benefit techniques are also used extensively to retain
employees.
Personnel Development Control Plans
•Personnel development plans: Training and evaluation.
•Training must be adequate so that employees have the appropriate
skills to perform their work functions.
•Evaluation of current performance to determine where training is
needed.
•Two types of performance evaluation:
•Informal day-to-day comments by supervisors.
•Formal performance review.
Personnel Management Control Plans
•Personnel management control plans:
•Personnel planning control plans: Identify the skill
requirements needed in employees to accomplish the
firm’s goals.
•Management control plans: Forecast the number of
employees needed in each position, take turnover into
consideration, and develop a strategy for filling necessary
positions.
•Personnel security control plans: Help prevent the
organization’s own personnel from committing acts of fraud or
theft of assets.
•Rotation of duties: Requires an employee to alternate jobs
periodically.
•Forced vacations: Requires an employee to take leave from the job
and substitutes another employee in his or her place.
•Fidelity bond: Indemnifies a company in case it suffers losses from
misappropriation of funds committed by its employees.
Personnel Termination Control Plans
•Personnel termination control plans: Address the policies in
place when an employee leaves the organization either
voluntarily or involuntarily.
•Voluntary termination: When an employee retires or leaves to pursue
other opportunities.
•Involuntary termination: When an employee is laid off or fired for
cause.
•Important because employees fired for cause might do
damage to the organization.
Monitoring Control Plans
Monitoring: Management assessment to determine whether control plans
are functioning appropriately.
Monitoring consists of:
1. Putting controls in place to periodically follow up on the operation of control
plans. Determine a baseline to know when a control is operating effectively,
to identify if there is a change in a process or a control plan, and to
periodically test that a control is operating.
2. Ensuring that appropriate communications of control weaknesses occur.
Monitoring control plans differ from normal control plans in that they verify the operation of the
normal control plans.