WORKED EXAMPLES ON CONTROL OF INFORMATION SYSTEMS AUDIT AND SECURITY.
12.1 A college has 1500 students whose final examination results are declared using computer processing. There are 5 subjects, each carrying 100 marks. Classes are awarded as follows: Marks 60 or above I Class, 50 or above II Class, below 50 Fail. Devise an appropriate control scheme for processing results.
Control Measures
(i) Organizational measures. Each examiner who grades papers sends, for each batch of 50 students, a separate list giving the number of students getting >= 60, the number getting >= 50 and the number below 50.
Data entry is done by a person different from the one who enters control information. The control total check from the computer is seen by the head examiner and compared with the information on each batch sent by the different examiners.
(ii) Input preparation control. Roll numbers are appended with a self-checking digit using the modulus-11 system.
Records are stored in roll number order and the sequence is checked while processing. The total number of records in each batch is counted and entered in the control record.
Each mark entered is checked to be within range, that is >= 0 and <= 100.
If the marks in subject P are <= 10 and the marks in subject K are >= 90, such records are marked and retrieved for inspection.
(iii) Control totals. Make batches of 50. For each batch, total the marks in a specified subject. In another subject, count the number of students with marks >= 60 and enter this number in the control record. Count the total number of records.
Processing Control
Proof figure. In each student record one more field is added, which is (100 – marks in subject 2). During processing this field is summed over each batch. The sum of subject 2 marks is also obtained as a control total in each batch. Let N be the number of records in each batch. Then sum of (100 – marks in subject 2) + sum of marks in subject 2 = 100 * N. This is checked. Checkpoint restart is provided during processing after every 150 seconds.
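The controls of 12.1 applied to one batch, as an added example that is not part of the original text. The modulus-11 weighting (2, 3, 4, ... from the rightmost digit, "X" for a remainder of 10), the record layout and all function and field names are assumptions made for illustration, and the three-record batch is constructed sample data.

```python
def mod11_check_digit(base: str) -> str:
    """Self-checking digit for a numeric roll number (assumed weights 2, 3, 4, ... from the right)."""
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)  # "X" for 10 is an assumed convention


def roll_is_valid(roll: str) -> bool:
    """True when the last character is the correct check digit for the rest."""
    return roll[:-1].isdigit() and mod11_check_digit(roll[:-1]) == roll[-1]


def verify_batch(records, control):
    """records: (roll_no, [5 marks], proof) tuples; control: the examiner's control record."""
    errors = []
    if len(records) != control["count"]:
        errors.append("record count mismatch")
    previous = ""
    for roll, marks, _proof in records:
        if not roll_is_valid(roll):
            errors.append(f"{roll}: self-checking digit failed")
        if roll[:-1] <= previous:  # fixed-width roll numbers, so string order works
            errors.append(f"{roll}: out of sequence")
        previous = roll[:-1]
        if any(not 0 <= m <= 100 for m in marks):
            errors.append(f"{roll}: mark outside 0..100")
    if sum(m[0] for _, m, _ in records) != control["subject1_total"]:
        errors.append("subject 1 control total mismatch")
    if sum(m[2] >= 60 for _, m, _ in records) != control["subject3_first_class"]:
        errors.append("subject 3 first-class count mismatch")
    # Proof figure: sum(100 - subject 2) + sum(subject 2) must equal 100 * N.
    if sum(p for _, _, p in records) + sum(m[1] for _, m, _ in records) != 100 * len(records):
        errors.append("proof figure mismatch")
    return errors


# Constructed batch of 3 records (the text uses batches of 50).
BATCH = [
    ("10014", [72, 65, 58, 80, 91], 35),
    ("10022", [45, 50, 61, 39, 70], 50),
    ("10030", [88, 90, 77, 60, 95], 10),
]
CONTROL = {"count": 3, "subject1_total": 205, "subject3_first_class": 2}

if __name__ == "__main__":
    print(verify_batch(BATCH, CONTROL))     # clean batch
    tampered = [BATCH[0], ("10022", [45, 60, 61, 39, 70], 50), BATCH[2]]
    print(verify_batch(tampered, CONTROL))  # subject 2 mark altered after entry
    print(roll_is_valid("10104"))           # 10014 with two adjacent digits transposed
```

The altered subject 2 mark passes the range check and both control totals, and is caught only by the proof figure; the transposed roll number is caught by the self-checking digit.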
12.2 What is an audit trail?
Audit trail provides the means of pinpointing where an error occurred once an error is detected.
12.3 What is the difference between control and audit?
Controls are essential to enable an auditor to check the correctness of a system. An auditor checks whether controls put in a system are adequate.
12.4 What is an audit package? Enumerate some of the important features of an audit package.
An audit package is a program developed by an auditor to check whether processing is done by a system as per specifications. Audit packages have features to:
(i) Extract data satisfying a specified criterion.
(ii) Total specified fields for inspection.
(iii) Check specified selected fields for inspection.
(iv) Check totals of specified sets with certain characteristics.
(v) Match data files with an auditor’s own file.
12.5 What is the purpose of security measures in an information system?
Security measures are used to protect data and programs from accidental loss or theft. They also protect the system from unauthorized access, unauthorized change or copying.
12.6 What is the difference between security and privacy? Do secure systems ensure privacy?
Security is concerned with protecting data and programs of organizations. Privacy is concerned with the need of secrecy of data regarding individuals. For example data on payroll may be secure if it is properly protected from fire, corruption etc. If an authorized person who has access to this
12.7 What is the difference between security measures and control measures?
The security measures are to protect data whereas controls are to ensure that all data is processed and processed data is correct.
12.8 Is a password system sufficient to ensure security of access to files?
No. Passwords can be broken by sustained effort. Double protection is slightly better. In this case two different passwords should be used. After the first password is accepted a second password is needed. Data stored may also be transformed and stored using a secret code (called encryption).
12.9 How can privacy be ensured in an information system?
By giving proper legal protection to individuals' data, and by requiring an individual’s written permission to divulge data on him/her.
12.10 Why are system tests necessary?
System tests are necessary to ensure that a system conforms to specifications during operation, meets user requirements, controls function effectively, and its outputs are correct.
12.11 What are the objectives of system tests?
The main objectives of system testing are:
• To ensure that during operation the system will perform as per specifications.
• To make sure that the system meets users’ requirements during operation.
• To verify that the controls incorporated in the system function as intended.
• To see that when correct inputs are fed to the system the outputs are correct.
• To make sure that during operation, incorrect input, processing and outputs will be detected.
12.12 What is the difference between a pilot test and a parallel test?
In a pilot test, a set of transactions which have been run on the present system is collected. Results of their processing on the existing manual system are also kept. This set is used as test data when a computer-based system is initially developed. The two results are matched. The reason for any discrepancy is investigated to modify the new system.
In parallel tests, both manual and computer-based systems are run simultaneously for a period of time and the results from the two systems are compared. It is a good method for complex systems but is expensive.