Chapter 5 Eng

Chapter 5 of the document discusses the controls necessary for protecting an organization's Accounting Information Systems (AIS), focusing on information security, confidentiality, privacy, processing integrity, and availability. It outlines various preventive, detective, and corrective controls, including user access controls, encryption, and data entry controls, to ensure the integrity and security of sensitive information. The chapter emphasizes the importance of training employees and implementing robust policies to safeguard against unauthorized access and data breaches.


9/23/2025

ACCOUNTING INFORMATION SYSTEMS

CHAPTER 5

CONTROLLING AIS

LEARNING OBJECTIVES
• Explain the controls that can be used to protect the organization’s information system security
• Explain the controls that can be used to protect the confidentiality of an organization’s information
• Explain the controls that can be used to protect the privacy of personal information collected from stakeholders
• Explain the controls that can be used to ensure the systems’ processing integrity
• Explain the controls that can be used to ensure systems availability


CONTENT
1. Information security controls
2. Confidentiality controls
3. Privacy controls
4. Processing integrity controls
5. Availability controls

TRUST SERVICES FRAMEWORK
Based on the Trust Services Framework, there are five IT-related control groups that jointly contribute to systems reliability:
– Information security (foundation)
– Confidentiality
– Privacy
– Processing integrity
– Availability


INFORMATION SECURITY CONTROLS
Aims: control and restrict access (both physical and logical) to the system and its data to legitimate users.

Two fundamental information security concepts:
• Security life cycle
• The time-based model of information security

SECURITY LIFE CYCLE
1. Assess threats & select risk response
2. Develop & communicate policy
3. Acquire & implement solutions
4. Monitor performance


THE TIME-BASED MODEL OF INFORMATION SECURITY

The time-based model of information security:
– Employ a combination of preventive, detective and corrective controls that protect information assets long enough to enable an organization to recognize that an attack is occurring and take steps to thwart it before any information is lost or compromised.

Formula for the time-based model of information security:

P > D + C

where
P = the time it takes an attacker to break through the various controls that protect the organization’s information security
D = the time it takes for the organization to detect that an attack is in progress
C = the time it takes to respond to and stop the attack

PREVENTIVE CONTROLS

People – the critical factor

User access controls

Physical access controls

IT solutions


PREVENTIVE CONTROLS
User Access Controls

1. Authentication controls

2. Authorization controls

PREVENTIVE CONTROLS
User Access Controls
Authentication controls
• Authentication is the process of verifying the identity of the person or device attempting to access the system. The objective is to ensure that only legitimate users can access the system.
• Three types of credentials to verify a person’s identity:
  – Something they know (passwords, ID number)
  – Something they have (smart cards)
  – Some physical or behavioral characteristic (biometric identifier)
• When applying the principle of defense-in-depth, there are two authentication control groups:
  – Multifactor authentication: use two or three types
  – Multimodal authentication: use multiple credentials of the same type


PREVENTIVE CONTROLS
User Access Controls

Authorization controls
• The process of restricting access of authenticated users to specific portions of the system and limiting what actions they are permitted to perform.
• Authorization controls are often implemented by creating an access control matrix.
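An access control matrix as the slide describes it, implemented as an added example (not from the lecture slides): rows are authenticated users, columns are system resources, and each cell lists the permitted actions, with anything not listed denied. The users, resources and actions are constructed sample data.

```python
# Added example (not from the slides): authorization check built on an access control matrix.
# Users, resources and permissions below are constructed sample data.
from typing import Dict, FrozenSet, Tuple

# Rows = authenticated user IDs, columns = resources, cells = permitted actions.
# Anything not explicitly listed is denied (default deny).
AccessMatrix = Dict[str, Dict[str, FrozenSet[str]]]

ACCESS_MATRIX: AccessMatrix = {
    "ap_clerk":   {"vendor_master": frozenset({"read"}),
                   "invoices":      frozenset({"read", "create"})},
    "ap_manager": {"vendor_master": frozenset({"read", "update"}),
                   "invoices":      frozenset({"read", "approve"})},
    "auditor":    {"vendor_master": frozenset({"read"}),
                   "invoices":      frozenset({"read"})},
}

def is_authorized(matrix: AccessMatrix, user: str, resource: str, action: str) -> bool:
    """True only if the matrix explicitly grants `action` on `resource` to `user`."""
    return action in matrix.get(user, {}).get(resource, frozenset())

def check_access(matrix: AccessMatrix, user: str, resource: str, action: str) -> Tuple[bool, str]:
    """Authorization decision plus an audit-log line, so denied attempts can be reviewed later."""
    allowed = is_authorized(matrix, user, resource, action)
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{verdict} user={user} resource={resource} action={action}"

if __name__ == "__main__":
    # The clerk may create invoices but not approve them (segregation of duties).
    print(check_access(ACCESS_MATRIX, "ap_clerk", "invoices", "create")[1])
    print(check_access(ACCESS_MATRIX, "ap_clerk", "invoices", "approve")[1])
```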

PREVENTIVE CONTROLS
Physical Access Controls

• Limit entry to the building: entry codes, alarm system, receptionist or security guard; visitors are required to sign in and be monitored by an employee whenever they are in the building.
• Physical access to rooms: locks with stronger technologies – card readers, numeric keypads, various biometric devices…
• Closets containing telecommunications equipment must be locked.
• Laptops, cellphones and tablets need to be kept safely.


PREVENTIVE CONTROLS
IT Solutions

• Anti-malware controls:
  – Implement awareness education on anti-malware
  – Install anti-malware protection software on all devices
  – Regularly review new malware threats
  – Train employees not to install shared or unapproved software
• Network access controls:
  – Some companies maintain their own network to limit remote access to their information system.
  – A firewall is used to control inbound and outbound communication between the system behind the firewall and other networks.
• Encryption: encryption provides a final layer of defense to prevent unauthorized access to sensitive information.

DETECTIVE CONTROLS


CONFIDENTIALITY CONTROLS
Aims: to protect sensitive organizational information from unauthorized
disclosure.
Sensitive information, including strategic plans, trade secrets, cost information, legal documents, and process improvements, is often crucial to the organization’s long-run competitive advantage and success.
The four basic actions that must be taken to preserve the confidentiality of
sensitive information:
- Identify and classify the information to be protected
- Encrypt the information
- Control access to the information
- Train employees to properly handle the information.

IDENTIFY AND CLASSIFY INFORMATION TO BE PROTECTED
• Identify what information must be protected, identify where such information is stored and who has access to it.
• Classify the information in terms of its value to the organization.

(Diagram: the four actions form a cycle around the goal “Protect confidentiality”: 1. Identify & classify information to be protected → 2. Encrypt information → 3. Control access to information → 4. Train employees to properly handle information.)


ENCRYPT INFORMATION
• Encryption is an effective tool to protect confidentiality.
  – For information in transit over the Internet: encryption is the only way.
  – For information stored on websites or in a public cloud: encryption is a part of defense-in-depth.
• Encryption is not a panacea. E.g., process shortcuts are not stored digitally and therefore cannot be protected by being encrypted.
• Encryption needs to be combined with authentication controls and physical access controls.

CONTROL ACCESS TO INFORMATION
• Authentication & authorization controls
• Information rights management (IRM)
• Data loss prevention (DLP)
• Restrict access to rooms that contain printers, digital copiers and fax machines
• Laptops and workstations should run password-protected screen savers automatically after a few minutes and use screen protection devices.


TRAINING EMPLOYEES
• Employees need to know what information they can share with outsiders and what information needs to be protected.
• Employees need to be taught how to protect confidential data:
  – Know how to use encryption software
  – Always log out of applications
  – Use a password-protected screen saver before leaving their laptop, to prevent unauthorized access by others
  – Know how to code reports that include important information
  – Know how to use email, blogs and messages properly

PRIVACY CONTROLS
Aims: to protect personal information about customers, employees, suppliers, or business partners from unauthorized disclosure.
Personal information about customers, employees, suppliers and business partners is collected, used, disclosed, and maintained only in compliance with internal policies and external regulatory requirements.
What is the difference between confidentiality and privacy protection?
– Confidentiality: protects the general sensitive information of the organization.
– Privacy protection: protects personal information about customers, employees, suppliers, or business partners.


PRIVACY CONTROLS
- Authentication & authorization controls
- Data masking programs to replace personal information with fake values
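An added example (not from the slides) of what a data masking program does: it rewrites personal fields of a customer record with fake values that keep the original format, so a copy used for testing or analysis carries no real identifiers. The HMAC-based pseudonym scheme, the secret key and the sample record are my assumptions and constructed data; the same real value always maps to the same fake value, which keeps records that share an SSN linked without revealing it.

```python
# Added example (not from the slides): format-preserving data masking for personal fields.
# MASKING_KEY is a constructed demo secret; in practice it is stored apart from the masked data.
import hashlib
import hmac
from typing import Dict

MASKING_KEY = b"constructed-demo-key"

def _pseudo_digits(value: str, length: int) -> str:
    """Deterministic fake digits derived from an HMAC, so equal inputs give equal outputs."""
    digest = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in digest[:length])

def mask_ssn(ssn: str) -> str:
    """Keep the NNN-NN-NNNN layout but replace every digit."""
    fake = _pseudo_digits(ssn, 9)
    return f"{fake[:3]}-{fake[3:5]}-{fake[5:]}"

def mask_email(email: str) -> str:
    """Replace the mailbox name; keep the domain so domain-level analysis still works."""
    local, _, domain = email.partition("@")
    return f"user{_pseudo_digits(local, 6)}@{domain}"

def mask_record(rec: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a customer record with personal fields replaced; other fields untouched."""
    masked = dict(rec)
    masked["name"] = "Customer " + _pseudo_digits(rec["name"], 4)
    masked["ssn"] = mask_ssn(rec["ssn"])
    masked["email"] = mask_email(rec["email"])
    return masked

# Constructed sample record.
SAMPLE = {"name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com", "balance": "250.00"}

if __name__ == "__main__":
    print(mask_record(SAMPLE))
```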

PROCESSING INTEGRITY CONTROLS
Aims: to ensure the information created is accurate, complete, timely and valid.

Application controls for processing integrity:
– Input controls
– Processing controls
– Output controls


INPUT CONTROLS
Aims: to ensure the data entered into a system are accurate, complete
and valid.
Types of Input controls:
- Form design (sequentially prenumbered)
- Turnaround document
- Cancelation and storage of source documents
- Data entry controls
- Additional data entry controls (batch processing)
- Additional data entry controls (online processing)

DATA ENTRY CONTROLS
Field check
Sign check
Limit check and range check
Size check
Completeness check
Validity check
Reasonableness test
Check digit verification


DATA ENTRY CONTROLS

Field check: determines if the characters in a field are of the proper type. Example: the characters in a social security number field should all be numeric.

Sign check: determines whether the data in a field have the appropriate arithmetic sign (+/-). Example: the number of hours a student is enrolled in during a semester could not be a negative number.

Limit check: tests whether an amount exceeds a predetermined value. Example: a university might use a limit check to make sure that the hours a student is enrolled in do not exceed 21.

Range check: similar to a field check, but it checks both ends of a range. Example: a wage rate might be checked to ensure that it does not exceed $15 and is not lower than the minimum wage rate.

Size check: ensures that the data will fit into the assigned field. Example: a social security number of 10 digits would not fit in the 9-digit social security field.

Completeness check: determines if all required items have been entered. Example: has the student’s billing address been entered along with the enrollment details?

Validity check: compares the value entered to a file of acceptable values. Example: does the state code entered for an address match one of the 50 valid state codes?

Reasonableness test: determines whether a logical relationship seems to be correct. Example: a freshman with annual financial aid of $60,000 is probably not reasonable.
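The data entry controls from the table, applied to one constructed student enrollment record as an added example (not from the slides). The thresholds come from the slide examples (21 hours, $15 wage ceiling, $60,000 aid); the minimum wage value and the short list standing in for the file of 50 state codes are assumptions.

```python
# Added example (not from the slides): the data entry controls run over one record.
# Thresholds from the slide examples; MIN_WAGE and VALID_STATES are assumed stand-ins.
from dataclasses import dataclass
from typing import List

VALID_STATES = {"CA", "NY", "TX", "WA"}   # stand-in for the file of 50 valid state codes
MIN_WAGE, MAX_WAGE = 7.25, 15.00         # minimum wage assumed; $15 ceiling from the slide
MAX_HOURS = 21                           # limit from the slide
AID_THRESHOLD = 60000.0                  # reasonableness threshold from the slide

@dataclass
class Enrollment:
    ssn: str
    hours: int
    wage_rate: float
    state: str
    billing_address: str
    year: str
    financial_aid: float

def validate(rec: Enrollment) -> List[str]:
    """Run each data entry control; return the names of the controls that failed."""
    errors: List[str] = []
    if not rec.ssn.isdigit():                        # field check: all characters numeric
        errors.append("field_check")
    if len(rec.ssn) != 9:                            # size check: must fit the 9-digit field
        errors.append("size_check")
    if rec.hours < 0:                                # sign check: hours cannot be negative
        errors.append("sign_check")
    if rec.hours > MAX_HOURS:                        # limit check: upper bound only
        errors.append("limit_check")
    if not MIN_WAGE <= rec.wage_rate <= MAX_WAGE:    # range check: both ends of the range
        errors.append("range_check")
    if not rec.billing_address.strip():              # completeness check: required item present
        errors.append("completeness_check")
    if rec.state not in VALID_STATES:                # validity check: value in acceptable set
        errors.append("validity_check")
    if rec.year == "freshman" and rec.financial_aid >= AID_THRESHOLD:  # reasonableness test
        errors.append("reasonableness_test")
    return errors

if __name__ == "__main__":
    good = Enrollment("123456789", 15, 12.50, "CA", "1 Main St", "sophomore", 8000.0)
    print(validate(good))   # an empty list means every control passed
```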


DATA ENTRY CONTROLS

Check digit: ID numbers (such as employee numbers) can contain a check digit computed from the other digits.

Check digit verification:
• Data entry devices then perform check digit verification by using the original digits in the number to recalculate the check digit.
• If the recalculated check digit does not match the digit recorded on the source document, that result suggests that an error was made in recording or entering the number.
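Check digit computation and verification as an added example (not from the slides). The slide names no particular algorithm, so the Luhn mod-10 scheme is assumed here; it catches every single-digit keying error and most adjacent transpositions, which is exactly the kind of recording error the slide describes.

```python
# Added example (not from the slides): check digit verification using the Luhn mod-10
# algorithm (an assumption; the slide does not name an algorithm).

def luhn_check_digit(base_digits: str) -> str:
    """Compute the check digit to append to an all-numeric ID number."""
    total = 0
    # Walk from the rightmost base digit; every other digit, starting with that one, is doubled.
    for i, ch in enumerate(reversed(base_digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9      # same as summing the two digits of the doubled value
        total += d
    return str((10 - total % 10) % 10)

def verify_check_digit(id_number: str) -> bool:
    """Recalculate the check digit from the other digits and compare it with the recorded one."""
    if not id_number.isdigit() or len(id_number) < 2:
        return False        # a field check failure is also a verification failure
    return luhn_check_digit(id_number[:-1]) == id_number[-1]

if __name__ == "__main__":
    employee_no = "12345" + luhn_check_digit("12345")   # constructed employee number
    print(employee_no, verify_check_digit(employee_no))
    # A transposition of the last two base digits no longer verifies.
    print(verify_check_digit("12435" + employee_no[-1]))
```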

BATCH PROCESSING
Sequence check
Error log
Batch totals
- Financial total
- Hash total
- Record count


BATCH PROCESSING
In addition to the preceding controls, when using batch processing, the following data entry controls should be incorporated:

Sequence check: tests whether a batch of input data is in the proper numerical or alphabetical sequence.

Error log: identifies data input errors (date, cause, problem) and facilitates timely review and resubmission of transactions that cannot be processed.


BATCH PROCESSING
Batch totals:
– Financial totals: sums of fields that contain dollar values, such as total sales.
– Hash totals: sums of nonfinancial fields, such as the sum of all social security numbers of employees being paid.
– Record count: count of the number of records in a batch.
These batch totals are calculated and recorded when data is entered and used later to verify that all input was processed correctly.
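The three batch totals and the sequence check from the two batch processing slides, as an added example (not from the slides): totals are recorded when the batch is keyed in and recalculated after processing, and each total catches a different kind of loss. The three-record payroll batch is constructed sample data; pay is held in cents to avoid rounding noise.

```python
# Added example (not from the slides): batch totals recorded at entry, recomputed after
# processing, plus a sequence check. The payroll batch is constructed sample data.
from typing import Dict, List, NamedTuple

class PayRecord(NamedTuple):
    seq: int              # prenumbered source document number
    ssn: str              # nonfinancial field summed for the hash total
    gross_pay_cents: int  # financial field summed for the financial total

BATCH = [
    PayRecord(1, "123456789", 150000),
    PayRecord(2, "987654321", 225050),
    PayRecord(3, "111223333", 98025),
]

def batch_totals(batch: List[PayRecord]) -> Dict[str, int]:
    """The three control totals the slide names, computed from one batch."""
    return {
        "financial_total": sum(r.gross_pay_cents for r in batch),
        "hash_total": sum(int(r.ssn) for r in batch),  # no business meaning, control value only
        "record_count": len(batch),
    }

def sequence_check(batch: List[PayRecord]) -> bool:
    """True if the document numbers are in strictly increasing numerical order."""
    seqs = [r.seq for r in batch]
    return all(a < b for a, b in zip(seqs, seqs[1:]))

def verify_batch(totals_at_entry: Dict[str, int], processed: List[PayRecord]) -> List[str]:
    """Recalculate totals after processing; return the names of totals that no longer agree."""
    after = batch_totals(processed)
    return [name for name, value in totals_at_entry.items() if after[name] != value]

ENTERED = batch_totals(BATCH)   # recorded when the batch was keyed in

if __name__ == "__main__":
    # A dropped record moves all three totals; a mis-keyed SSN moves only the hash total.
    print(verify_batch(ENTERED, BATCH[:1] + BATCH[2:]))
    print(verify_batch(ENTERED, BATCH[:2] + [PayRecord(3, "111232333", 98025)]))
```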

ONLINE PROCESSING

Prompting
Closed-loop verification
Transaction log


ONLINE PROCESSING
Prompting: the system requests each input item and waits for an acceptable response.

Closed-loop verification: checks the accuracy of input data by retrieving related information.

Transaction logs: include a detailed record of all transactions, including a unique transaction identifier, the date and time of entry, and who entered the transaction.

PROCESSING CONTROLS
Aims: to ensure data are processed accurately and in a timely manner.
Processing controls:
– Data matching
– File labels
– Recalculation of batch totals
– Cross-footing test
– Zero-balance test
– Write-protection mechanism
– Concurrent update control


OUTPUT CONTROLS
• Aims: to ensure the information provided is reliable.
 Output controls:
– User review of output
– Reconciliation procedures
• Procedures to reconcile to control reports (e.g., general ledger A/R
account reconciled to Accounts Receivable Subsidiary Ledger)
• External data reconciliation
– Data transmission controls
• Checksums
• Parity bits
• Blockchain

AVAILABILITY CONTROLS
• Aims: to ensure the system and its information are available when needed.
• Availability controls:
– Minimizing risk of system downtime
– Recovery and resumption of normal operations
• Data backup procedures
• Disaster recovery and business continuity planning


AVAILABILITY CONTROLS
Data backup procedures
