Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: zz-x2580
ACCOUNTING SYSTEMS and PROCESSES (M)
TUTORIAL 9 – Answers Guide
BEFORE TUTORIAL 9
Prepare the answers to the following Accounting information systems Confidentiality
and Privacy Controls and Processing Integrity and Availability Controls (Romney Et
Al Chapters 12 and 13):
Question 1
The department of taxation in your state is developing a new computer system for
processing individual and corporate income-tax returns. The new system features
direct data input and inquiry capabilities. Identification of taxpayers is provided by
using the Social Security number for individuals and federal tax identification number
for corporations. The new system should be fully implemented in time for the next tax
season.
The new system will serve three primary purposes:
1 Data will either be automatically input directly into the system if the taxpayer
files electronically or by a clerk at central headquarters scanning a paper return
received in the mail.
2 The returns will be processed using the main computer facilities at central
headquarters. Processing will include four steps:
i. Verifying mathematical accuracy
ii. Auditing the reasonableness of deductions, tax due, and so on, through
the use of edit routines, which also include a comparison of current and
prior years’ data.
iii. Identifying returns that should be considered for audit by department
revenue agents
iv. Issuing refund checks to taxpayers
3 Inquiry services. A taxpayer will be allowed to determine the status of his or
her return or get information from the last three years’ returns by calling or
visiting one of the department’s regional offices, or by accessing the
department’s web site and entering their social security number.
The state commissioner of taxation and the state attorney general are concerned about
protecting the privacy of personal information submitted by taxpayers. They want to
have potential problems identified before the system is fully developed and
implemented so that the proper controls can be incorporated into the new system.
Required
Describe the potential privacy problems that could arise in each of the following three
areas of processing, and recommend the corrective action(s) to solve each problem
identified:
a. Data input
b. Processing of returns
c. Data inquiry
Accounting Systems and Processes (M) Tutorial 9 Page 2
a. Privacy problems that could arise in the processing of input data, and
recommended corrective actions, are as follows:
Problem
Controls
Unauthorized employee
accessing paper returns
submitted by mail.
Restrict physical access to room used to house
paper returns and scanning equipment by
• Using ID badges or biometric controls
• Logging all people who enter.
Unauthorized employee
accessing the electronic files.
Multi-factor authentication of all employees
attempting to access tax files.
Interception of tax information
submitted electronically.
Encrypt all information submitted to the tax
website.
b. Privacy problems that could arise in the processing of returns, and
recommended corrective actions, are as follows:
Problem
Controls
Operator intervention to
input data or to gain
output from files.
Limit operator access to only that part of the documentation
needed for equipment operation.
Prohibit operators from writing programs and designing the
system.
Daily review of console log messages and/or run times.
Encryption of data by the application program.
Attempts to screen
individual returns on the
basis of surname, sex,
race, etc., rather than
tax liability.
Training about proper procedures
Multi-factor authentication to limit access to system.
Encrypt of tax return data stored in system
c. Privacy problems that could arise in the inquiry of data, and recommended
corrective actions, are as follows:
Problem
Controls
Unauthorized access
to taxpayer
information on web
site
Strong authentication of all people making inquiries via the
web site using something other than social security numbers
– preferably multi-factor, not just passwords.
Encryption of all tax return data while in storage
Encryption of all traffic to/from the web site
Unauthorized release
of information in
response to telephone
inquiry
Training on how to properly authenticate taxpayers who
make telephone inquiries
Strong authentication of taxpayers making telephone
inquiries
Disclosure of
taxpayer information
through improper
disposal of old files
Training on how to shred paper documents prior to disposal
Training on how to wipe or erase media that contained tax
return information prior to disposal
Accounting Systems and Processes (M) Tutorial 9 Page 3
Question 2
MonsterMed Inc. (MMI) is an online pharmaceutical firm. MMI has a small systems
staff that designs and writes MMI’s customized software. The data center is installed
in the basement of its two-story headquarters building. The data center is equipped
with halon-gas fire suppression equipment and an uninterruptible power supply
system.
Because the programming staff is small and the work demands have increased,
backups are only made whenever time permits. The backup files are stored in a locked
cabinet in the data center. Recently, due to several days of heavy rains, MMI’s
building recently experienced serious flooding that destroyed not only the computer
hardware but also all the data and program files that were on-site.
Required
Identify at least five weaknesses in MonsterMed Inc.’s backup and DRP procedures.
1. No written backup plan.
2. No written disaster recovery plan.
3. Backups are not done on a regular basis.
4. Restoration of backups is not tested.
5. The programming staff has access to the computer room without
supervision of the operations staff. The programmers could alter the
data files or operational programs.
6. The location of the computing facility in the basement increases the
risk of damage due to flooding.
7. Backups stored in data centre are subject to the same risk. Backups
should be stored offsite.
8. No evidence of written request, approval process, testing process or
documentation for systems changes
Question 3
Discuss how cloud computing could both positively and negatively affect system
availability.
Answer: Cloud computing significantly reduces the risk that a single event would
result in system unavailability, since the 'cloud' consists of banks of redundant servers,
in multiple locations. However, since users don't own the cloud, if a provider goes out
of business, users may find it very difficult to access applications and data stored in
the cloud. Additionally, users should evaluate the security and availability controls of
the cloud provider before transacting business.
DURING TUTORIAL 9
• Contribute to the class discussion of the above questions.
Please remember that you’ll enhance your learning by ACTIVELY
PARTICIPATING in the discussions.
