GENERAL CONTROLS FROM AN AICPA TRUST SERVICES PRINCIPLES PERSPECTIVE (STUDY OBJECTIVE 3)
A reference list for the general controls described in the previous section appears at the end of this chapter as Exhibit 4-11 (page 177). Each of the general controls is intended to prevent, detect, or correct risks and exposures in IT systems. A company may choose not to use all of the controls described previously. Each organization should decide which combination of IT controls is most suitable for its IT systems, making sure that the benefits of each control outweigh its costs. As an example, you probably would not spend money to install an extensive car burglar alarm system in your 1988 Honda Civic. The cost of the burglar alarm would outweigh the benefits.
When considering IT risks, organizations should implement those IT controls which are cost beneficial. As a framework to discuss these IT risks, the AICPA Trust Services Principles categorizes IT controls and risks into five categories:4
- Security. The system is protected against unauthorized (physical and logical) access.
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, accurate, timely, and authorized.
- Online privacy. Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
The fourth ...
Get Accounting Information Systems: The Processes and Controls, 2nd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.