ACB2420 Accounting Information Systems Tutorial 7
Hello, dear friend, you can consult us at any time if you have any questions, add WeChat: daixieit
ACB2420 Accounting Information Systems
Tutorial 7 – System Availability; Confidentiality and Privacy; Data Analysis Tools for FM (Autofilter, Conditonal Formatting, Find&Replace & Text functions) & Control Framework for Protecting Data – Suggested Solutions
Part 1: Group Activity
Protecting Privacy of Tax Returns [CMA examination, adapted]
The department of taxation in your state is developing a new computer system for processing individual and corporate income-tax returns. The new system features direct data input and inquiry capabilities. Identification of taxpayers is provided by using the Social Security number for individuals and federal tax identification number for corporations. The new system should be fully implemented in time for the next tax season.
The new system will serve three primary purposes:
1. Tax return data will either be automatically input directly into the system if the taxpayer files electronically or by a clerk at central headquarters scanning a paper return received in the mail.
2. The returns will be processed using the main computer facilities at central headquarters. Processing will include four steps:
a. Verifying mathematical accuracy
b. Auditing the reasonableness of deductions, tax due, and so on, through the use of edit routines, which also include a comparison of current and prior years’ data
c. Identifying returns that should be considered for audit by department revenue agents
d. Issuing refund cheques to taxpayers
3. Inquiry services. A taxpayer will be allowed to determine the status of his or her return or get information from the last three years’ returns by calling or visiting one of the department’s regional offices, or by accessing the department’s web site and entering their social security number.
The state commissioner of taxation and the state attorney general are concerned about protecting the privacy of personal information submitted by taxpayers. They want to have potential problems identified before the system is fully developed and implemented so that the proper controls can be incorporated into the new system.
Required
Describe the potential privacy problems that could arise in each of the following three areas of processing, and recommend the corrective action(s) to solve each problem identified:
a. Data input
b. Processing of returns
c. Data inquiry [CMA examination, adapted]
a. Privacy problems that could arise in the processing of input data, and recommended corrective actions, are as follows:
Problem |
Corrective Controls |
Unauthorised employee accessing paper returns submitted by mail. |
Restrict physical access to room used to house paper returns and scanning equipment by • Using ID badges or biometric controls • Logging all people who enter. |
Unauthorised employee accessing the electronic files. |
Multi-factor authentication of all employees attempting to access tax files. |
Interception of tax information submitted electronically. |
Encrypt all information submitted to the tax website. |
b. Privacy problems that could arise in the processing of returns, and recommended corrective actions, are as follows:
Problem |
Corrective Controls |
Operator intervention to input data or to gain output from files. |
• Limit operator access to only that part of the documentation needed for equipment operation. • Prohibit operators from writing programs and designing the system. • Daily review of console log messages and/or run times. • Encryption of data by the application program. |
Attempts to screen individual returns on the basis of surname, sex, race, etc., rather than tax liability. |
• Training about proper procedures • Multi-factor authentication to limit access to system • Encrypt of tax return data stored in system |
c. Privacy problems that could arise in the inquiry of data, and recommended corrective actions, are as follows:
Problem |
Corrective Controls |
Unauthorised access to taxpayer information on web site |
• Strong authentication of all people making inquiries via the web site using something other than social security numbers – preferably multi-factor, not just passwords. • Encryption of all tax return data while in storage • Encryption of all traffic to/from the web site |
Unauthorised release of information in response to telephone inquiry |
• Training on how to properly authenticate taxpayers who make telephone inquiries • Strong authentication of taxpayers making telephone inquiries |
Disclosure of taxpayer information through improper disposal of old files |
• Training on how to shred paper documents prior to disposal • Training on how to wipe or erase media that contained tax return information prior to disposal |
Part 2: Data Analysis Tools for FM (Autofilter, Conditonal Formatting, Find&Replace & Text functions) & Control Framework for Protecting Data
Download Tutorial7.xlsx from Moodle (Week7>Tutorial 7) . Instructions are in the workbook.
See Tutorial7_solutions.xlsx
Part 3: Questions to complete at home (Good revision questions for your final exam)
Question 1 (Source: Romney et.al.(2020) Problem 13.7 pp. 443-444)
Which control(s) would best mitigate the following threats?
a. A company was planning on introducing fault tolerance into its system architecture but had not finalized its decision yet. In the meantime, the IT department ensured that all backups were made —full backups every Friday night and daily incremental backups. However, the main hard drive, housing all the company data, crashed. The IT department secured a replacement hard drive, but they were unable to restore the company data.
• Ensure that all backups are regularly tested to ensure that backups can actually be restored in the case of any disaster.
• Having fault tolerance (e.g. in terms of mirroring disks using RAID) could also mitigate this risk.
b. Overnight, a fire broke out in the server room of a large company. Luckily the fire was quickly contained since smoke detectors were triggered, spraying water and killing the fire. The manager and IT staff member on standby were notified. They rushed to the office to ensure that the disaster recovery plan was implemented. Since damage to the server room was mostly superficial, it was possible to resume operations as soon as the file servers were up and running again. The manager and IT staff member on standby could not agree on the process of getting everything up and running again.
• It is of no use if there is a disaster recovery plan (DRP) in place, but the plan is not documented appropriately with specific instructions on who should be notified (in this case, this step might have been clear) and what steps should be followed to resume operations. The DRP should also be tested periodically to ensure that changes in equipment and procedures are also recorded.
c. In several countries, electricity supply is often suspended, referred to as load-shedding or rolling blackout, during specific set times to balance the supply-and-demand on the power grid. Unfortunately, often the load-shedding is not managed according to the scheduled time, and companies face problems with their database servers.
• The first step would be to install an uninterruptible power supply (UPS) to provide protection in the event of a power failure (or load-shedding, in his case). The UPS should allow enough time for the system to at least be powered down gracefully in the event of an extended power outage. It is important to regularly check the batteries in the UPS to ensure that it will function when needed. In cases of long power outages, it would be best to have backup generators.
2023-02-20
System Availability; Confidentiality and Privacy; Data Analysis Tools for FM (Autofilter, Conditonal Formatting, Find&Replace & Text functions) & Control Framework for Protecting Data