Internal audit: financial audit; tests whether operations comply with the organization's
policies and whether the organization complies with its legal obligations
Internal audit assists the external audit, which improves audit efficiency and lessens the audit fees
Factors to consider whether to rely on internal audit:
1) Independence of internal auditors (reporting to the controller does not provide it; reporting to the BOD does)
2) Competence of internal auditors
Audit committee must be outsiders
III.
Modifying Principles
Management Responsibility
Methods of data processing
Limitations
(1) possibility of error
(2) circumvention
(3) management override
(4) changing conditions
Reasonable assurance
COSO Framework
1) Control Environment
a. Integrity and ethical values of management
b. Structure of the organization
c. Participation of the organization's board of directors and the audit
committee
d. Management's philosophy and operating style
e. Procedures for delegating responsibility and authority
f. Management's methods for assessing performance
g. External influences
h. Organization's policies and practices for managing its human resources
2) Risk Assessment
3) Control Activities
a. Transaction Authorization
b. Segregation of Duties
i. Authorization and Processing
ii. Record keeping and asset custody
iii. Incompatible functions (/ Supervision)
4) Monitoring
5) Information and Communication
Chapter 2
CENTRALIZED DATA PROCESSING
Primary Service Areas: Database Administration, Data Processing, Systems
Development and Maintenance
Database Administration: maintaining data resources in a central location
shared by the end users
Data Processing: manages the computer resources used to perform the day-to-day processing of transactions
Data Conversion: transcribes transaction data from hard-copy source
documents into computer input
Computer Operations: electronic files are processed by the central computer
Data Library: provides safe storage for the off-line data files; these can be backups
or current data files
Systems Development and Maintenance
System development: analyzing user needs and designing new systems to
satisfy those needs
System maintenance: responsibility for keeping a system current with user needs
Segregation of Incompatible IT Functions
(1) Systems Development from Computer Operations
(2) Database Administration from Other Functions
(3) New Systems Development from Maintenance
a. Inadequate Documentation
b. Program Fraud
DISTRIBUTED DATA PROCESSING
Risks associated:
1) Inefficient Use of Resources
a. Mismanagement of organization-wide IT resources by end users
b. Operational inefficiency as the tasks are being performed redundantly
c. Incompatible hardware and software among end-user functions
2) Destruction of Audit Trails
3) Inadequate Segregation of Duties
4) Hiring Qualified Professionals
5) Lack of Standards
Advantages of DDP
1) Cost reductions
2) Improved cost control responsibility
3) Improved user satisfaction
a. Users want to control the resources that influence their profitability
Audit Objective: To verify that the structure of the IT function is such that
individuals in incompatible areas are segregated in accordance with the level of
potential risk and in a manner that promotes a working environment
Audit Procedures:
Centralized
1) Review relevant documentation
2) Review systems documentation and maintenance records
3) Verify that computer operators do not have access to the operational details
of a system's internal logic
4) Determine that segregation policy is being followed in practice
DDP
1) Review relevant documentation
2) Verify that corporate policies and standards for systems design,
documentation, and hardware and software acquisition are published and
provided to distributed IT units
3) Verify that compensating controls are employed when segregation of duties is
economically infeasible
4) Review systems documentation to verify that applications, procedures, and
databases are designed and functioning in accordance with corporate
standards
COMPUTER CENTER
1) Physical Location
2) Construction
3) Access
4) Air Conditioning
5) Fire Suppression
a. Automatic and manual alarms should be placed in strategic locations
around the installation
b. There must be an automatic fire extinguishing system that dispenses
the appropriate type of suppressant for the location
c. Manual fire extinguishers should be placed at strategic locations
OUTSOURCING
Risks:
1) Failure to Perform: once a company outsources its IT function, its performance
becomes linked to the vendor's performance
2) Vendor Exploitation: the client's dependency on the vendor may threaten the
client's long-term flexibility, agility, and competitiveness and result in even
greater vendor dependency
3) Outsourcing Costs Exceed Benefits
4) Reduced Security
5) Loss of Strategic Advantage
Chapter 3
OPERATING SYSTEM
The operating system must:
1)
2)
3)
4)
Involves policies, procedures, and controls that determine who can access
the operating system, which resources they can use, and what actions
they can take
Log-On Procedure
Access Token: contains key information about the user, including privileges
granted to the user; used to approve all actions the user attempts during the
session
Access Control List: assigned to each IT resource; controls access to the
resource
Discretionary Access Privileges: resource owners' privileges in DDP environments which
allow them to grant access privileges to other users
Audit Objectives: to verify that access privileges are granted in a manner that
is consistent with the need to separate incompatible functions and is in
accordance with the organization's policy
Audit Procedures:
(1) Review the organization's policies for separating incompatible functions
and ensure that they promote reasonable security
(2) Review the privileges of a selection of user groups and individuals to
determine if their access rights are appropriate for their job descriptions and
positions
(3) Review personnel records to determine whether privileged employees
undergo an adequately intensive security clearance check
Review employee records to determine whether users have formally
acknowledged their responsibility to maintain the confidentiality of company
data
(4) Review the users' permitted log-on times
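As an added example (not part of these notes), the following Python models the log-on access token and the per-resource access control list described above, and then performs audit procedure (2) mechanically: it flags users whose combined privileges span an incompatible pair of functions (authorization with processing, record keeping with asset custody). The resource, group and user names and the function assignments are constructed for illustration.

```python
from dataclasses import dataclass, field

# Incompatible-function pairs, following the segregation-of-duties items in
# the notes (authorization vs. processing; record keeping vs. asset custody).
INCOMPATIBLE_PAIRS = {
    frozenset({"authorization", "processing"}),
    frozenset({"record_keeping", "asset_custody"}),
}


@dataclass
class AccessToken:
    """Issued at log-on; carries the identity and group memberships the
    system consults for every action attempted during the session."""
    user: str
    groups: frozenset = field(default_factory=frozenset)


# Access control list per resource: principal (user or group) -> permitted actions.
# Constructed sample data; all names are hypothetical.
ACL = {
    "general_ledger": {"accounting": {"read", "write"}, "internal_audit": {"read"}},
    "payroll_master": {"hr": {"read", "write"}, "carol": {"read"}},
}


def is_permitted(token, resource, action, acl=ACL):
    """Approve the action if the user, or any group the user belongs to,
    holds that action in the resource's ACL."""
    entries = acl.get(resource, {})
    principals = {token.user} | set(token.groups)
    return any(action in entries.get(p, set()) for p in principals)


# Business functions each user's privileges allow them to perform (constructed).
FUNCTION_ASSIGNMENTS = {
    "alice": {"authorization"},
    "bob": {"authorization", "processing"},
    "carol": {"record_keeping", "asset_custody", "processing"},
    "dave": {"record_keeping"},
}


def segregation_conflicts(assignments, incompatible=INCOMPATIBLE_PAIRS):
    """Audit step: users whose combined functions contain an incompatible pair."""
    conflicts = {}
    for user, functions in assignments.items():
        hits = [tuple(sorted(pair)) for pair in incompatible if pair <= functions]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


if __name__ == "__main__":
    alice = AccessToken("alice", frozenset({"accounting"}))
    print(is_permitted(alice, "general_ledger", "write"))   # True
    print(segregation_conflicts(FUNCTION_ASSIGNMENTS))     # bob and carol flagged
```

The ACL check answers "may this session do this now", while the conflict report answers the auditor's question "should this person hold these privileges at all"; both are needed, because a correctly enforced ACL can still grant an incompatible combination.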
2) Password Control
Contra-security behaviors:
(1) Forgetting passwords and being locked out of the system
(2) Failing to change passwords on a frequent basis
(3) The post-it syndrome
(4) Simplistic passwords
A. Reusable Passwords: should be changed regularly and disallow weak
passwords
B. One-Time Passwords: the user's password changes continuously
Audit Objective: to ensure that the organization has an adequate and
effective password policy for controlling access to the operating system
3) Controlling Against Malicious and Destructive Programs
Audit Objective: to verify that effective management policies and procedures
are in place to prevent introduction and spread of destructive programs,
including viruses, worms, back doors, logic bombs, and Trojan horses
4) System Audit Trail Controls
(1) Keystroke Monitoring: involves recording both the user's keystrokes and
the system's responses
(2) Event Monitoring: summarizes key activities related to system resources
Audit Trail Objectives
(1) Detecting Unauthorized Access
(2) Reconstructing Events: audit trail analysis can be used to reconstruct the
steps that led to events such as systems failures
(3) Personal Accountability: can be used to monitor user activity at the lowest
level of detail
Audit Objectives: to ensure that the established system audit trail is adequate
for preventing and detecting abuses, reconstructing key events that precede
systems failures and planning resource allocation
Internet Risks
1) IP Spoofing: a form of masquerading to gain unauthorized access to a web
server and/or perpetrate an unlawful act without revealing one's identity
2) Denial of Service Attack: an assault on a Web server to prevent it from
servicing its legitimate users
a. SYN Flood Attack: accomplished by not sending the final
acknowledgement to the server
b. Smurf Attack: using ping
c. DDoS: may take the form of a SYN Flood or Smurf attack but massively
larger
Controlling Risks from Subversive Threats
1) Firewall: a system that enforces access control between two networks
(1) Network level: provides efficient but low-security access control;
designed to facilitate the free flow of information rather than
restrict it; does not explicitly authenticate outside users
(2) Application level: provides a higher level of customizable
network security but adds overhead to connectivity; can
perform sophisticated functions such as user authentication
2) Controlling Denial of Service Attacks
(1) Smurf Attack: can program its firewall to ignore all communication from
the attacking site
(2) SYN flood: internet hosts must program their firewalls to block outbound
message packets that contain invalid internal IP addresses; security
software for targeted sites that scan for half-open connections
(3) DDoS: deploy intrusion prevention systems that employ deep packet inspection
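Added example (not part of the notes) of the two SYN-flood controls listed above: scanning a connection table for half-open (SYN_RECV) connections concentrated on one remote address, and an egress rule that drops outbound packets whose source is not one of the site's own internal addresses. The connection table and the internal address ranges are constructed.

```python
import ipaddress
from collections import Counter

# Constructed netstat-style connection table (not real traffic).
CONNECTION_TABLE = """\
tcp  0  0  10.0.0.5:80   198.51.100.23:51122  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.23:51123  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.23:51124  SYN_RECV
tcp  0  0  10.0.0.5:80   198.51.100.23:51125  SYN_RECV
tcp  0  0  10.0.0.5:80   203.0.113.9:40001    ESTABLISHED
tcp  0  0  10.0.0.5:80   203.0.113.9:40002    SYN_RECV
tcp  0  0  10.0.0.5:443  192.0.2.44:55010     ESTABLISHED
"""


def parse_connections(text):
    """Yield (local_endpoint, remote_ip, state) for each well-formed table line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        remote_ip = fields[4].rsplit(":", 1)[0]   # strip the port
        yield fields[3], remote_ip, fields[5]


def half_open_sources(text, threshold=3):
    """Remote addresses holding at least `threshold` half-open (SYN_RECV)
    connections; a legitimate client rarely leaves many handshakes unfinished."""
    counts = Counter(remote for _, remote, state in parse_connections(text)
                     if state == "SYN_RECV")
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Assumed internal address space of the site (constructed).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]


def drop_outbound(src_ip, internal=INTERNAL_NETWORKS):
    """Egress rule: an outbound packet whose source address is not internal
    carries a forged source and should be blocked at the firewall."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in internal)


if __name__ == "__main__":
    print(half_open_sources(CONNECTION_TABLE))   # {'198.51.100.23': 4}
    print(drop_outbound("10.0.0.5"), drop_outbound("198.51.100.23"))   # False True
```

The egress rule is what the notes mean by blocking outbound packets with invalid internal addresses: it does not protect the site itself from being flooded, but it stops the site's own hosts from being used as a source of spoofed traffic against others.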
3) Encryption: the conversion of data into a secret code for storage in databases
and transmission over networks
Key: a mathematical value that the sender selects
Algorithm: the procedure of shifting each letter in the cleartext (original)
message the number of positions that the key value indicates
(1) Private Key Encryption
a. Advanced Encryption Standard
b. Triple-DES encryption
i. EEE3: three keys for encoding
ii. EDE3: one key for encrypting, decoding, and encrypting the
garbled message
(2) Public Key Encryption: one for encrypting (public) and one for decoding
(private)
4) Digital Signatures: an electronic authentication that cannot be forged; proves
that the message received was not tampered with
5) Digital Certificate: to verify the sender's identity
Benefits of EDI
1) Data Keying: EDI reduces or even eliminates the need for data entry
2) Error reduction: firms using EDI see reductions in data keying errors, human
interpretation and classification errors, and filing errors
3) Reduction of paper: the use of electronic envelopes and documents drastically
reduces the paper forms in the system
4) Postage: mailed documents are replaced with much cheaper data transmissions
5) Automated Procedures: EDI automates manual activities
6) Inventory Reduction: EDI reduces lag time that promotes inventory accumulation
Controls
Transaction Authorization and Validation
(1) VANs have the capability of validating passwords and user ID codes for the
vendor by matching these against a valid customer file
(2) Before being converted, the translation software can validate the trading
Audit Objectives:
1) All transactions are authorized, validated, and in compliance with the trading
partner agreement
2) No unauthorized organizations gain access to database records
3) Authorized trading partners have access only to approved data
4) Adequate controls are in place to ensure a complete audit trail of all EDI
transactions
Chapter 4
DATA MANAGEMENT APPROACHES
Flat-File Approach
Database Approach
3) Database Administrator
- Responsible for managing the database resource
- Functions of the Database Administrator
o Database Planning
o Database Design
o Database Implementation
o Database Operation and Maintenance
o Database Growth and Change
o Creation and maintenance of Data Dictionary: describes every data
element in the database
4) Physical Database
o Data Structures: allows records to be located, stored, and retrieved,
and enables movement from one record to another
Data organization: refers to the way records are physically
arranged on the secondary storage device; may either be
sequential or random
Data access methods: technique used to locate records and
to navigate through database
o Criteria that influence the selection of data structure:
Rapid file access and data retrieval
Efficient use of disk storage space
High throughput for transaction processing
Protection from data loss
Ease of recovery from system failure
Accommodation of file growth
5) DBMS Models
- An abstract representation of the data about the entities, including
resources, events, and agents
o Hierarchical: constructed of sets that describe the relationship
between two linked files; parent and child structure or tree structure
Limitations
A parent record may have one or more child records
No child record can have more than one parent
o Network: permits a child record to have multiple parents
o Relational: portrays data in the form of two-dimensional tables
Characteristics of properly designed tables
All occurrences at the intersection of a row and a
column are a single value
e. Biometric devices
f. Inference controls: prevent users from inferring, through query
features, specific data values that they otherwise are unauthorized to
access
2) Backup Controls
Flat-file Environment
a. Sequential/GPC Backup Technique
b. Direct Access File Backup
c. Off-Site Storage: the backups made from the two approaches should be
stored off-site
DBMS
a. Backup
b. Transaction Log: provides an audit trail of all processed transactions
c. Checkpoint Feature: suspends all data processing while the system
reconciles the transaction log and the database change log against
the database
d. Recovery module: uses the logs and backup files to restart the
system after a failure
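Added example (not from the notes): a toy DBMS in Python with a transaction log, a checkpoint that captures the database image and records the log position it was reconciled at, and a recovery routine that rebuilds the database after a failure by redoing committed writes logged after the checkpoint and undoing writes of transactions that never committed. The crash scenario at the end is constructed; a real DBMS would also write the log to stable storage before the data pages.

```python
class MiniDBMS:
    """Single-threaded toy database with a transaction log and checkpointing."""

    def __init__(self):
        self.data = {}             # live database
        self.log = []              # transaction log: one dict per logged event
        self.backup = {}           # image captured at the last checkpoint
        self.checkpoint_pos = 0    # log position the backup image is reconciled to

    def begin(self, tid):
        self.log.append({"op": "begin", "tid": tid})

    def write(self, tid, key, value):
        # Log the before/after images first, then change the database.
        self.log.append({"op": "write", "tid": tid, "key": key,
                         "before": self.data.get(key), "after": value})
        self.data[key] = value

    def commit(self, tid):
        self.log.append({"op": "commit", "tid": tid})

    def checkpoint(self):
        """Suspend processing, capture the database image and note the log position."""
        self.backup = dict(self.data)
        self.checkpoint_pos = len(self.log)
        self.log.append({"op": "checkpoint"})


def recover(backup, log, checkpoint_pos):
    """Rebuild the database after a failure from the checkpoint image plus the log."""
    committed = {r["tid"] for r in log if r["op"] == "commit"}
    db = dict(backup)
    # Redo: re-apply writes of committed transactions logged after the checkpoint.
    for r in log[checkpoint_pos:]:
        if r["op"] == "write" and r["tid"] in committed:
            db[r["key"]] = r["after"]
    # Undo: roll back writes of transactions that never committed, newest first;
    # their effects may sit in the checkpoint image or in post-checkpoint writes.
    for r in reversed(log):
        if r["op"] == "write" and r["tid"] not in committed:
            if r["before"] is None:
                db.pop(r["key"], None)
            else:
                db[r["key"]] = r["before"]
    return db


def crash_scenario():
    """Constructed run: T1 commits before the checkpoint, T2 commits after it,
    T3 is open across the checkpoint and never commits before the failure."""
    dbms = MiniDBMS()
    dbms.begin("T1"); dbms.write("T1", "balance", 100); dbms.commit("T1")
    dbms.begin("T3"); dbms.write("T3", "temp", 1)           # still open at checkpoint
    dbms.checkpoint()
    dbms.begin("T2"); dbms.write("T2", "balance", 250); dbms.commit("T2")
    dbms.write("T3", "balance", 999)                         # uncommitted when the system fails
    # The live database would now show balance=999 and temp=1; recovery
    # must keep only the committed state.
    return recover(dbms.backup, dbms.log, dbms.checkpoint_pos)


if __name__ == "__main__":
    print(crash_scenario())   # {'balance': 250}
```

The transaction log doubles as the audit trail the notes mention: every before and after image is recorded with its transaction id, so an auditor can reconstruct who changed which value and in what order, independently of the recovery use.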
Chapter 5